Cox

Cox / Data Protection

Data protection

1. Scope of application This Personal Data Protection Policy applies to COX ABG GROUP, S.A., as the parent company, and establishes the general framework of principles governing the processing of personal data in the course of its activities. Likewise, this Policy applies to all companies forming part of the Cox Group, regardless of the country in which they operate, as well as to all their centers, organizational units and business lines, insofar as they process personal data in the performance of their functions.

The principles set out in this Policy shall guide the actions of all persons providing services to the Group, including employees, executives and members of governing bodies, as well as those third parties acting on behalf of or in the name of Cox who, within the framework of a contractual or collaborative relationship, have access to personal data for which the organization is responsible.

Without prejudice to the foregoing, Group companies may adapt their internal procedures relating to personal data protection in order to comply with the local regulations applicable in each jurisdiction, ensuring that such adaptations remain compatible with the principles and guidelines established in this Policy and are carried out under the coordination of the corporate Data Protection function. This Policy and the internal corporate regulations on Data Protection are, a priori, more restrictive than individually considered local regulations.

Cox shall also promote alignment with the basic principles of this Policy in those entities in which it holds a participation but which do not form part of the Group, as well as in joint ventures, temporary business associations and other forms of business collaboration in which it assumes management responsibilities or has significant influence, insofar as this is legally possible.

Processing of personal data carried out by natural persons in the exercise of purely personal or household activities, as well as processing activities which, in accordance with applicable regulations, fall outside the scope of European Union law or the applicable national data protection legislation, are excluded from the scope of this Policy.

2. Purpose The purpose of this Personal Data Protection Policy is to establish the general principles of action governing COX ABG GROUP, S.A. and all companies forming part of the Group in matters relating to personal data protection, ensuring compliance at all times with applicable regulations.

Through this Policy, Cox reaffirms its commitment to protecting the personal data of all natural persons with whom it interacts in the course of its activities, including, among others, employees, executives, candidates, clients, suppliers, collaborators and any other data subjects, ensuring that personal data is processed in a manner respectful of fundamental rights, particularly the right to privacy and the protection of personal data.

This Policy also aims to integrate personal data protection into the Group’s corporate governance and compliance model, promoting responsible and transparent conduct aligned with the principles of business ethics and good governance that inspire the organization’s activities.

In this regard, the Policy constitutes the common reference framework for the design, development and implementation of internal regulations, procedures, and technical and organizational measures necessary to ensure proper processing of personal data, fostering a corporate culture of privacy and diligent management of risks associated with data processing.

3. Basic principles of action in personal data protection Cox adopts and promotes the following basic principles of action, which shall guide all activities involving the processing of personal data within the organization and across the companies forming part of the Group.

Personal data shall be processed lawfully, fairly and transparently, in accordance with applicable regulations at all times. Personal data shall only be processed where a valid legal basis exists and always with full respect for the rights of data subjects. Where required by law, Cox shall obtain the data subjects’ consent prior to processing their data, ensuring that such consent is freely given, informed, specific and unambiguous.

Personal data shall be collected for specified, explicit and legitimate purposes and shall not be further processed in a manner incompatible with those purposes. Cox shall ensure that the purposes of processing are clear and known to data subjects from the moment the data is collected, avoiding excessive or unjustified processing.

In accordance with the principle of data minimization, processing shall be limited to personal data that is adequate, relevant and strictly necessary for the purpose pursued in each case. Cox shall also adopt the necessary measures to ensure that personal data is accurate and kept up to date, proceeding with rectification or erasure where data becomes inaccurate or outdated.

Personal data shall not be retained for longer than necessary to fulfill the purposes for which it was collected or processed, without prejudice to retention periods required by legal obligations or for the establishment, exercise or defense of legal claims. Retention criteria and periods consistent with this principle shall be established.

Cox shall guarantee the integrity and confidentiality of personal data through the adoption of appropriate technical and organizational measures to protect it against unauthorized or unlawful processing and against accidental loss, destruction or damage. Personal data shall be processed with the utmost diligence and may not be used for purposes other than those that justified its collection, nor disclosed to third parties outside the cases permitted by applicable regulations.

In accordance with the principles of data protection by design and by default, Cox shall integrate privacy safeguards into processes, systems, products and services from their initial design stage, ensuring that, by default, only personal data necessary for each specific purpose is processed.

Cox assumes the principle of accountability, being responsible for compliance with the principles set out in this Policy and in data protection regulations, and commits to being able to demonstrate such compliance when required. To this end, it shall assess the risks associated with personal data processing activities and adopt the necessary measures to prevent, mitigate or eliminate such risks.

The collection of personal data from illegitimate sources or from sources that do not adequately guarantee lawfulness is expressly prohibited. Cox shall ensure that personal data is obtained lawfully and in accordance with applicable regulations.

Prior to engaging third parties who will have access to personal data for which Cox is responsible, the organization shall adopt the necessary measures to ensure that such third parties provide sufficient guarantees regarding data protection and act in accordance with instructions and applicable regulations throughout the contractual relationship.

Any processing involving international data transfers shall be carried out in strict compliance with applicable legal requirements, ensuring an adequate level of protection of personal data.

Finally, Cox shall ensure that data subjects can effectively exercise their data protection rights by establishing the necessary mechanisms to address requests diligently, transparently and within legally established timeframes.

3.1 Processing of data in corporate tools and systems In order to ensure the proper functioning, security and operability of corporate

IT systems and digital services, certain basic personal data of employees may be processed through tools, platforms and technological systems used within the work environment.

These tools may involve access to or processing of personal data by internal or external technology providers to the Group, who generally act as data processors on behalf of Group companies and in accordance with their instructions, under appropriate contracts and guarantees of confidentiality and security.

Such processing activities are carried out exclusively for operational, technical and corporate service management purposes (for example, email administration, collaborative tools, reporting platforms, training and IT support), and are governed by the principles and safeguards set out in this Policy and applicable data protection regulations.

The updated list of corporate tools and platforms through which employee personal data may be processed, as well as their main purposes, is available in Connecta and shall be kept up to date by the competent information systems and data protection areas.

4. Coordination and governance within the Group Personal data protection forms an integral part of the Cox Group’s corporate governance and compliance system. For this purpose, a coordination and governance model shall be established to ensure consistent and homogeneous application of the principles set out in this Policy across all Group companies, without prejudice to necessary adaptations required to comply with applicable local regulations in each jurisdiction.

The management body, in the exercise of its supervisory and control functions, is responsible for approving this Policy and ensuring that an appropriate

framework exists to guarantee compliance with personal data protection regulations throughout the organization.

The Compliance function, in coordination with the Data Protection Officer (DPO) and the relevant corporate and operational areas, shall be responsible for promoting, coordinating and supervising the proper application of this Policy, as well as fostering a data protection culture within the Group.

The Data Protection Officer shall perform their duties with the necessary independence and resources, acting as guarantor of compliance with personal data protection regulations, advising the organization on this matter and cooperating, where necessary, with the competent supervisory authorities.

The companies forming part of the Group shall actively collaborate in the implementation of this Policy, designating the necessary internal contacts and facilitating coordination with the responsible corporate functions, in order to ensure proper and consistent management of personal data processing activities.

The different areas, departments and organizational units of the Group shall integrate personal data protection into their processes and activities, acting in a coordinated manner and under the supervision of the competent functions, and promptly communicating any relevant circumstance that may affect compliance with regulations or with the principles established in this Policy.

5. Implementation, monitoring and review of the Policy For the proper implementation and application of this Policy, Cox shall rely on the competent corporate functions in the areas of compliance, data protection and information security, which shall develop and maintain updated internal regulations, procedures and measures necessary to ensure its effectiveness.

This Policy shall be mandatory for all persons and entities within its scope of application and shall be integrated into the Group’s processes, systems and activities in a manner consistent with its corporate governance and risk management model.

Periodic monitoring of the level of compliance and effectiveness of this Policy shall be carried out in order to verify its proper application and identify potential areas for improvement. Such monitoring may include, among other actions, internal reviews, specific assessments and audits, without prejudice to the powers corresponding to supervisory authorities.

The Policy shall be reviewed and, where appropriate, updated whenever relevant changes occur in applicable regulations, in the Group’s structure or activities, or when recommended by the conclusions derived from supervision and control processes. In any case, the Policy shall be subject to periodic review to ensure its continued adequacy and validity.

Any amendments to this Policy shall be approved by the management body of Cox and appropriately communicated to the persons and entities to whom it applies.

Luis Arizaga Zárate

Independent Director

Member of the Audit Committee

Date of appointment: September 17, 2024

Shareholding in Cox Abg Group, S.A.: 11,514 shares

Partner of Exus Management Partners (Exus) and GenuX Power, a global renewable energy platform with offices in nine countries, managing 11GW of installed capacity, including 2.6GW in Mexico between wind and solar energy projects. Holds a Master of Business Administration (MBA) from the Leonard N. Stern School of Business at NYU in New York, and a bachelors degree in Accounting and Finance from ITESM in Mexico.

Prior to joining EXUS in 2019, he founded EIRA Capital, an investment platform focused on Energy and Infrastructure transactions in Mexico, and Latin America. He was also part of Australia’s Macquarie Group in Latin America, where he spent more than 7 years in the Macquarie Capital and Macquarie Funds divisions, working on fund capital raising, equity investments, asset management activities, as well as third party advisory roles on energy and infrastructure transactions in Mexico and Latin America. During his years at Macquarie, he also held board positions in the several investments made by Macquarie which covered energy, public private partnerships, roads, and telecom companies. In addition, his previous involvement at financial institutions include positions in the investment banking teams of Deutsche Bank’s M&A group in New York, and Citibank’s M&A group in Mexico.

Other former relevant positions include his role as independent member of the investment committee of the Instituto del Fondo Nacional de la Vivienda para los Trabajadores (Mexican mortgages and housing government agency).

Enrique Riquelme Vives

Presidente Ejecutivo

Fecha de nombramiento: 17 de septiembre de 2024

Participación en el capital social de Cox Abg Group, S.A.: 50.612.744  acciones

COX

Presidente Ejecutivo de Cox, tras iniciar su andadura profesional en el sector inmobiliario y de la construcción, en 2010 fundó Grupo El Sol en Panamá, especializado en operaciones de minería, cemento, infraestructuras y energía. Con el tiempo, la empresa se convertiría en el mayor proveedor de arena de la UTE responsable de la ampliación del canal de Panamá. Posteriormente, pasó a liderar las fases de oferta y desarrollo de Rainbow 50: el proyecto fotovoltaico de mayor envergadura ejecutado en América Latina hasta aquel momento.

Ha recibido varios galardones por su contribución al mundo empresarial en España, entre ellos el Premio del Certamen Nacional de Jóvenes Emprendedores 2018. También ha sido distinguido como uno de los «100 latinos más influyentes comprometidos con la acción climática» y uno de los «100 españoles más creativos del mundo de los negocios» según la revista Forbes. Actualmente, es miembro del Consejo Internacional de la San Telmo Business School y preside el Consejo Asesor de la Fundación Scholas para Panamá, Centroamérica y Caribe.