PERSONAL DATA PROCESSING POLICY
Our company hereby informs the Data Subjects whose Personal Data is processed in any way by the company of this data processing policy, in compliance with the Law. The main purpose of this Policy is to inform Data Subjects of their rights, the procedures and mechanisms established by the company to enforce those rights, and to explain the scope and purpose of the Processing to which their Personal Data will be subjected should they grant their express, prior, and informed consent. The company also reaffirms its commitment to the various stakeholders with whom it interacts and its clear intention to respect all their rights, especially, through this instrument, their right to Habeas Data, privacy, and other related rights.
CHAPTER I
General Provisions
ARTICLE ONE: DEFINITIONS The following definitions relate to the meanings that should be given to the terms within this document.
a) Authorization: This is the prior, express, and informed consent of the Data Subject to carry out the Processing of their personal data.
b) Database: This is the set of personal data that is subject to Processing, regardless of the method of Processing.
c) Financial Data: This is all Personal Data related to the creation, execution, and termination of monetary obligations, regardless of the nature of the contract that gives rise to them, the Processing of which is governed by the corresponding regulations.
d) Personal Data: This is any information related to or relatable to a natural person.
e) Public Data: This is data that the law designates as such, or that is contained in publicly available records, certificates, documents, or databases.
f) Sensitive Data: This is personal data related to the privacy of the Data Subject or that may give rise to discrimination or differential treatment. Biometric data also falls into this category.
g) Data Processor: This is the natural or legal person, public or private, who, alone or jointly with others, processes Personal Data on behalf of the Data Controller.
h) Authorized Party: This is the person and their dependents who, by virtue of the Authorization and these Policies, are authorized to process the Data Subject's Personal Data. The Authorized Party includes those who are Authorized.
i) Authorization: This is the express written authorization granted by the Company to third parties, in compliance with applicable law, for the Processing of Personal Data, thereby making such third parties Data Processors of the Personal Data provided or made available.
j) Data Controller: This is the person, authorized by the Data Subject, who manages and makes decisions regarding the Database.
k) Data Subject: This is the natural person to whom the data contained in the Database refers, and who is the object of protection under the Law and related regulations.
l) Transfer: This is the communication of personal data between the Processor and the Controller.
m) Transmission: This is the Personal Data Processing activity by which such data is communicated, internally or with third parties, within or outside the country, when such communication is for the purpose of carrying out any Personal Data Processing activity.
n) Personal Data Processing: This is any activity aimed at processing Databases, as well as their transfer to third parties.
ARTICLE TWO: PURPOSE. The purpose of the Database and Information Processing Policy is to develop the procedure for collecting, storing, using, and carrying out any activity related to personal data, and other constitutional rights, freedoms, and guarantees; as well as the right to information about such data, as stipulated by law and other related regulations.
ARTICLE THREE: COMPLIANCE WITH LEGAL PROVISIONS. The Company states that the guidelines for the Processing of personal data will be those established by the applicable regulations.
ARTICLE FOURTH: PURPOSES OF THE DATA COLLECTED. All data collected by the Company is intended to: i) Generate and manage the body of all information necessary for compliance with tax, commercial, civil, labor, legal obligations, and in general, all obligations pertaining to the Company; ii) Manage the Company with respect to its clients, suppliers, shareholders, and other stakeholders; with respect to clients, the information collected may be used, without limitation, for: providing information to financial entities for the management of financial services; customer loyalty; customer service management; advertising; marketing; business management and contact; contacts for informational emails; sending physical and email correspondence; portfolio management; offers for the purchase, sale, rental, and exchange of real estate; receiving and sending real estate offers; transferring information for contractual purposes; updating or correcting property data; information on our business partners; making calls (call center) for administrative, commercial, and advertising purposes; and in general, information related to the activities involved in the contracts signed between the parties; developing technologies, services, or plans that represent better service for clients; iii) Complying with the company's legal and contractual obligations; iv) Acting within the framework of legal requirements to verify the legal nature and status of certain clients, contractors, or suppliers; v) Maintaining the physical or digital file for the legally required period so that it can be consulted later by the Data Subject or an authority; vi) Transferring and transmitting the Databases when necessary to carry out collection actions, credit processing, legal actions, and in general, the other purposes provided for in this section; vii) Managing employee information related to payroll, social management, social security, selection processes, contractual affiliation, and employee well-being; ix) Other activities necessary for the effective provision of any of the company's regular or occasional services.
ARTICLE FIVE: PRINCIPLES. The principles outlined in this article are the guidelines that the company will respect in the processes of collecting, storing, using, and managing personal data:
Principle of legality in the processing of personal data: The processing referred to in this Policy is an activity regulated by law and must comply with its provisions and other applicable regulations.
Principle of purpose: The processing is carried out for the purposes established in Article Four of this document.
Principle of freedom: Processing may only be carried out with the prior, express, and informed consent of the data subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that waives the requirement for consent.
Principle of accuracy: The information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable.
Principle of transparency: In the processing of personal data, the data subject's right to obtain information from the data controller or data processor, at any time and without restriction, regarding the existence of data concerning them must be guaranteed.
Principle of access and restricted circulation: The processing of personal data and databases may only be carried out by the company or its delegate, in accordance with the authorization granted by the data subject. Personal data may not be available through public access or mass dissemination channels. If stored in the cloud, software, or similar mechanisms, access to this data will be restricted and it will not be publicly accessible.
Principle of security: The company will provide minimum security conditions to protect the information contained in its databases. To this end, basic archiving measures will be implemented for physical documents, and digital security systems such as antivirus software and/or cloud storage will be used for digital files.
Principle of Confidentiality: As a general rule, and except as provided by law, in the respective contract, or in this Policy (with the Data Subject's authorization in the latter two cases), personal information and data will be treated confidentially.
CHAPTER II
Rights and Duties
ARTICLE SIXTH: RIGHTS OF THE PERSONAL DATA SUBJECT. In accordance with the Law, Personal Data Subjects have the following rights: i) To know, update, and rectify their Personal Data held by the company or the Data Processors. This right may be exercised, among others, with respect to partial, inaccurate, incomplete, fragmented, misleading data, or data whose processing is expressly prohibited or has not been authorized; ii) To request proof of the authorization granted to the company, unless the Law indicates that such authorization is not necessary; iii) To submit requests to the company or the Data Processor regarding the use made of their personal data, and to receive such information; iv) To file complaints with a competent supervisory body for violations of the Law; v) Revoke their Authorization and/or request the deletion of their Personal Data from the company's databases, when the Superintendency of Industry and Commerce has determined through a final administrative act that the company or the Data Processor has engaged in conduct contrary to the Law in the Processing, or when there is no legal or contractual obligation to maintain the personal data in the Controller's database; vi) Request and access, free of charge, their personal data that has been processed in accordance with the Law; vii) Be informed of modifications to the terms of this Policy in advance and efficiently before the implementation of the new modifications or, failing that, of the new information processing policy; viii) Have easy access to the text of this Policy and its modifications; ix) Easily and simply access the personal data that is under the control of the company to effectively exercise the rights that the Law grants to Data Subjects; x) To know the department or person authorized by the company to whom they may submit complaints, inquiries, claims, and any other requests regarding their personal data.
Data Subjects may exercise their legal rights and carry out the procedures established in this Policy by presenting their original identification document. Minors may exercise their rights personally, or through their parents or legal guardians, who must demonstrate this through the relevant documentation. Likewise, the Data Subject's successors who prove their status, the Data Subject's representative and/or attorney with the corresponding accreditation, and those who have made a stipulation in favor of or for another may exercise their rights. Requests may be submitted physically or via email according to the information in the header.
ARTICLE SEVENTH: DATA PROCESSOR AND CONTROLLER. The company will directly act as both the Controller and the Processor of personal data; The company may delegate any area or department for such purposes. In general, the company commits to: i) Receive requests from data subjects, process and respond to those based on the Law or this document, such as: requests to update personal data; requests to access personal data; requests for deletion of personal data when the data subject presents a copy of the decision of a competent supervisory body in accordance with the Law; requests for information on the use given to their personal data; requests to update personal data; and requests for proof of the authorization granted, when applicable under the Law; ii) Respond to data subjects regarding requests that are not based on the Law. The company's contact information is provided in the corresponding section.
CHAPTER III
Procedures
ARTICLE EIGHT: DATA SUBJECT PROTECTION MECHANISMS The data subject may exercise their rights, following the procedures outlined below:
8.1. Inquiries: The company will provide mechanisms for data subjects, their successors, representatives and/or agents, those to whom a power of attorney has been granted, and/or the representatives of minor data subjects, to submit inquiries regarding the data subject's personal data held in the company's databases.
Regardless of the method used, the company will keep a record of the inquiry and its response. a) If the requester has the legal capacity to submit the inquiry, in accordance with the accreditation criteria established by law, the company will compile all information about the Data Subject contained in that person's individual record or linked to the Data Subject's identification within the company's databases and will provide it to the requester. b) The person responsible for handling the inquiry will respond to the requester provided they have the right to do so because they are the Data Subject, their successor, attorney-in-fact, representative, or if the request has been stipulated by or for another, or if they are the legal guardian in the case of minors. This response will be sent within ten (10) business days from the date the request was received by the company. c) If the request cannot be addressed within ten (10) business days, the requester will be contacted to inform them of the reasons why their request is still being processed. For this purpose, the same or a similar means will be used as that used by the Data Subject to communicate their request. d) The final response to all requests will not take more than fifteen (15) business days from the date the initial request was received by the company.
8.2. Complaints: The company has mechanisms in place for Data Subjects, their successors, representatives and/or agents, those who stipulated on behalf of or for another, and/or the representatives of minor Data Subjects, to file complaints regarding (i) Personal Data processed by the company that must be corrected, updated, or deleted, or (ii) the alleged breach of the company's legal obligations. The complaint must be submitted by the Data Subject, their successors or representatives, or duly authorized persons in accordance with the Law, as follows:
• It must be submitted to the company electronically to the email address provided in the relevant section; or physically to the address provided by the company.
• It must include the name and identification document of the Data Subject.
• It must include a description of the facts giving rise to the claim and the objective pursued (update, correction, or deletion, or fulfillment of obligations).
• It must indicate the address and contact and identification information of the claimant.
• It must be accompanied by all supporting documentation that the claimant wishes to submit.
8.2.1 Before processing the claim, the company will verify the identity of the Data Subject, their representative and/or attorney-in-fact, or proof that there was a stipulation on behalf of or for another party. For this purpose, the company may require the Data Subject's original national identity card or identification document, and any special or general powers of attorney or other documents required as applicable.
8.2.2 If the claim or supporting documentation is incomplete, the company will request the claimant to correct the deficiencies once, within five (5) days of receiving the claim. If the claimant does not submit the required documentation and information within two (2) months of the initial claim date, the claim will be considered withdrawn.
8.2.3 Once the claim is received with complete documentation, a note stating “claim in process” and the reason for the claim will be added to the company's database containing the claimant's data within two (2) business days. This note will remain until the claim is resolved.
8.2.4 The maximum time to address the claim will be fifteen (15) business days, starting from the day after the date of receipt. If it is not possible to address the claim within the aforementioned timeframe, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the initial timeframe.
EFFECTIVE DATE. This Policy is effective as of July 1, 2017. Personal data that is stored, used, or transmitted will remain in our Database, based on the criteria of temporality and necessity, for as long as necessary for the purposes mentioned in this Policy, for which it was collected.
