This Privacy Notice (“Notice”) states the commitment of Corporación América Airports S.A. (“CAAP”) to comply with the General Data Protection Regulation of the European Union (“GDPR”). This Notice provides and defines the key terms and answers relevant questions regarding how CAAP complies with the provisions of GDPR.
CAAP, with its registered office at 4, rue de la Grêve, L-1643 Luxembourg, Tel +352 26 25 82 74, informs you that the processing of the personal data you provide will be carried out in accordance with the principles of correctness, legality, transparency and protection of your privacy and rights, all in accordance with the provisions of GDPR.
In order to facilitate reading the sections of this Notice that directly concern you, we have divided it into three sections. Although we encourage you to read the entire Notice, please refer to Section 3 (General Information) as well as any other sections that may apply to you.
In this Notice, the following terms have the meaning set forth below:
Personal Data: any information related to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly (first and last name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person).
Intermediary: any person, company or institution (or any of its employees, members and/or representatives) involved in CAAP's financial transactions (generally banks involved in the transaction and/or specialized consultants).
Investor: any person, company or institution (or any of its employees, members and/or representatives) that allocates its own capital with the expectation of a future financial return through CAAP's share transactions.
Potential investor: any person, company or institution (or any of its employees, members and/or representatives) who may be interested in making a financial investment in CAAP.
Processor: means a natural or legal person, public authority, agency or other body, which processes personal data on behalf of the controller.
Supplier: refers to any entity other than CAAP that enters into a contract to provide supplies, products or services to CAAP.
SECTION 1 - Data collected through our website (for visitors of CAAP's Website: Analysts and other data subjects third parties)
What personal information do we collect?
We collect and process only contact details of the data subject or other natural persons of its organization, such as first and last name, work phone number, work e-mail address and job title, in order to ensure the correct information delivery.
As in other cases, we maintain a record that details the contacts generated and the various interactions with the analysts.
How do we use your personal information?
We process the personal data to send relevant financial information of CAAP on a periodic basis.
SECTION 2 - Data collected through our services (for Investors or Potential Investors, Suppliers and Intermediaries)
What personal information do we collect?
Investors or potential investors:
We collect only contact details (such as first and last name, work phone number, work e-mail address and job title).
The data may be collected at events or in funding rounds organized by banks or other intermediaries, by information, analysis and/or technological financial services suppliers, and/or through our website.
We maintain a record that details the contacts generated and the various interactions with the investors and potential investors.
Intermediaries:
We collect and process only the necessary data of intermediaries for the correct execution of the intermediary contract. In the case of legal persons, the data required will be the contact details of the relevant natural persons of the organization concerned, for the described purposes. We maintain a record that details the contacts generated and the various interactions with the intermediaries.
The Suppliers' personal data collected is that necessary to carry out the contractual relationship and the administrative-accounting and fiscal records and invoice process. In the case of legal persons, the collection will consist of the work contact details of the relevant natural persons of the organization concerned, for the described purposes. If applicable, bank information is collected in order to execute payments for the services provided.
In some cases (when appropriate and in accordance with applicable laws and/or CAAP's internal policies) we also collect information related to the suppliers from other sources. A due diligence procedure is performed on the supplier and relevant natural persons of its organization, including commercial / corporate / credit reports.
How do we use your personal information?
We may collect personal data for the following purposes:
Administrative-accounting purposes. To develop organizational, administrative, financial and accounting activities, as well as to comply with legal, contractual or pre-contractual obligations.
Legal obligations. To comply with obligations stated by laws, authorities, regulations or European legislation.
Alerts of E-mail / Newsletter. To provide information related to CAAP's activities and to deliver newsletters. If there is an explicit authorization by the data subjects, CAAP may optionally process data for commercial or advertising communications delivery.
SECTION 3 - General Information (For everyone)
Which types of personal data do we collect during navigation on our website?
Some of the data obtained during the navigation in the website are the following:
The Internet Protocol Address (IP), browser type and name of the Internet Service Provider (ISP).
The date and time of the visit, the website referral and exit of the user.
The numerical code that may represent the status of the response given by the server (successful responses/ error, etc.).
How do we share your information?
Your personal data may be shared with the following third parties, for the purposes described herein:
Authorized staff of the Company’s subsidiaries and/or affiliates. This information will be kept in CAAP's database, which is secure and available only to authorized employees who require access for the purposes of the tasks mentioned in this Notice.
Any competent law enforcement, regulatory or state agency, court or other related third party, where it is certain that disclosure is necessary as an applicable legal or regulatory matter; to exercise, establish or defend the rights of CAAP.
Third party service providers or “data processors” (own providers) that perform functions on behalf of CAAP (including external consultants, business partners and professional advisors). In these cases, we include contractual clauses that bind these providers to comply with GDPR.
Potential buyers (and their agents and advisors) in relation to any proposed purchase, merger or acquisition of any part of CAAP's business, as long as the potential buyer has committed to use the shared personal data only for the purposes stated in this Notice. In these cases, CAAP enters into agreements with these counterparties, which include clauses that bind them to comply with GDPR.
Agencies or intermediaries that could carry out communications on behalf of CAAP (e.g. in the context of the organization of events).
Personal data may be shared with any other person not included in this list only with the data subject's prior consent.
CAAP shall not sell the personal data collected to third parties or use it for purposes other than those established in this Notice.
International data transfers
Personal data may be transferred and processed in countries other than the country in which the data subject resides. These countries may have different data protection laws and regulations (and in some cases, they may be less strict).
However, we take appropriate measures to ensure that personal data remains protected in accordance with GDPR and that there are no security breaches of the personal data for which the Company is a data controller. Among these measures is the application of the European Commission's standard contractual clauses (SCC) for personal data transfers, which require that all processors protect the personal data processed from the EEA in accordance with the EU data protection regulation.
Legal basis for the processing of personal data (if you reside in the EU)
The legal basis for collecting and processing the personal data of the data subjects described in this Notice (who are EU residents) will depend on the personal data and the specific context in which it was collected.
Regarding investors, potential investors, analysts and other interested third parties, the legal basis for processing is the freely expressed consent (according to section 6.1.a of GDPR).
In relation to the purpose of intermediaries, the legal basis of the processing is, in fact, the execution of the contracts entered into by the data subject (according to section 6.1.b of GDPR).
Finally, for suppliers, the legal basis of the processing is the fulfilment of CAAP's legal obligation as controller (according to section 6.1.c of GDPR).
Your data protection rights.
The following data subject rights can be exercised at any time:
Access, rectification, update or erasure of the personal data by the data subject. When the erasure of a registry from a database is required, CAAP may retain a minimum of personal data to avoid future contacts and to preserve its interest in relation to any applicable legal requirement.
If the data subject is an EU resident, he/she may object to the processing of his/her personal data, request that the processing be limited, and/or object to the transfer of his/her personal data. However, CAAP reserves the possibility to deny the request and therefore continue with the processing, in case there are legitimate reasons, derived from the regulations in force, to carry out the processing, as long as those reasons prevail over the interests, rights and freedoms of the data subject.
Unsubscribe from the marketing communications that the Company delivers.
Withdraw the consent when appropriate. Withdrawing consent will affect neither the legality of any prior processing nor its retroactivity.
File a claim before a data protection authority related to CAAP's collection and use of personal data.
How long do we keep your personal information?
We strictly collect and process the personal data provided, with a logic related to the purpose described in this Notice. Consequently, we keep it for the time necessary to serve that purpose, and subsequently erase or anonymize it. If that is not possible, it may be safely stored and isolated from any other processing until it can be erased.
Likewise, the data may be kept to comply with specific legal obligations and / or to exercise the legal defense of CAAP.
How do we keep your personal information secure?
Internet data transmissions are not completely secure or error-free. However, we take appropriate technical and organizational measures to protect personal data from loss, misuse, unauthorized access, disclosure, alteration and destruction. To achieve these purposes, we designed methods to provide appropriate personal data security processing and to ensure that the data is safe, secure and only available to the user and those with authorized access.
Updates to this Notice
This Privacy Notice will be reviewed and updated periodically according to the regulation in force, in order to ensure that it contains the minimum elements required and is duly updated to guarantee the data subject rights.
How to contact us?
We have established an exclusive communication channel to exercise the rights to protect personal data: firstname.lastname@example.org.
Any data subject may request (via e-mail) to exercise his/her rights (as described in the section "Your data protection rights" herein).
If you have any questions or concerns about our use of your personal information, please contact us using the contact details listed in the Section titled "How to contact us?" above.