Processing of personal data

PERSONAL DATA PROCESSING POLICY

Presentation

With the objective to comply with the current legislation on data protection, especially Law 1581 of 2012 (and other norms that modify, add, complement or develop it) and Decree 1377 of 2013, we hereby inform you of the relevant aspects regarding the collection, use and transfer of personal data that SECPRO S.A.S. (hereinafter “SecPro” or the “Company”), makes of your personal data, by virtue of the authorization granted by you to carry out such treatment, as well as the handling.

In this personal data processing policy (the “Policy”) you will find the corporate and legal guidelines under which the Company performs the processing of your data, the purpose, your rights as owner, as well as the internal and external procedures for the exercise of such rights.

In accordance with the foreseen in Article 15 of the Political Constitution of Colombia and applicable legislation (Law 1266 of 2008, Law 1581 of 2012, Decree 1377 of 2013 and all those norms that regulate, add to, repeal or modify them), we have a clear policy of privacy and protection of your personal data: we do not obtain personal information from third  parties that have a business or legal relationship with the Company, including you, Customers, Employees or Suppliers, unless they have provided it voluntarily through their prior, expressed and qualified consent.

Definitions

For the interpretation of this policy, we ask you to have in mind the next definitions:

  • Personal data: Any information linked or likely to be linked to one or more specific or identifiable natural persons.
  • Sensitive data: Those data that affect the privacy of the holder or whose misuse may generate discrimination.
  • Treatment manager: Natural or legal person, public or private, who by himself/herself or in association with others, carries out the processing of personal data on behalf of the Company as data responsible.
  • Processing policy: It refers to the present document, as a personal data processing policy applied by the Company in accordance with the guidelines of the current legislation on the matter.
  • Supplier: Any natural or legal person that provides any service to the Company under a contractual/obligatory relationship.
  • Responsible of the treatment: Natural or legal person, public or private, that by itself or in association with others, decides on the database and/or the processing of the data, for the purposes of this policy, will exercise as responsible, in principle, the Companies.
  • Holder: Natural person whose personal data is subject to processing, whether it is a customer, supplier, employee, or any third party that, due to a commercial or legal relationship, provides personal data to the Company.
  • Worker: Any natural person who provides a service to the Company under an employment contract.
  • Transfer: Refers to the sending by the Company, as responsible of the treatment or Data manager, to a third party agent or natural/legal person (receptor), within or outside the national territory for the effective processing of personal data.
  • Trasmission: This refers to the communication of personal data by the responsible to the manager, located inside or outside the national territory, so that the person in charge, on behalf of the person responsible , processes personal data.
  • Treatment: Any operation or set of operations involving personal data, such as collection, storage, use, circulation or deletion.

To understand the terms that are not included in the above list, you should refer to the legislation in force, especially Law 1581 of 2012 and Decree 1377 of 2013, giving the meaning used in that regulation to the terms whose definition is in doubt.

Type of Information Subject to treatment

The Company recognizes that its customers, employees, shareholders and Board members are entitled to have a reasonable expectation of their privacy, having in any case account of their responsibilities, rights and obligations with the Company.

By virtue of the relationship established with the Company, it collects, stores, uses and transfers personal data, to companies located in and outside of Colombia. Said personal data and information include amongst others:


Customers

    • Client’s name or company name, identification number, place of residence, address, telephones, fax, e-mail;
    • Name of general manager or legal representative and address, telephone, fax, e-mail;
    • Customer’s contacts names, phone number and email;
    • Number of permanent employees and time of operation of the business;
    • Tax information;
    • Bank information including name of bank account holder, bank account number and bank name or code.


Suppliers

    • Supplier’s name or business name, identification number, place of residence, address, telephones, fax, e-mail;
    • Name of general manager or legal representative and address, telephone, fax, e-mail;
    • Name of manager or sales coordinator, address, phone, fax, email;
    • Name of the person assigned to collect the portfolio, e-mail;
    • Number of permanent employees and business operation time;
    • Tax information;
    • Bank information including name of bank account holder, bank account number and bank name or code.


Employees

    • Worker and Family Group: name, ID, address, phone number, spouse’s and children’s name and ID, medical history, social security affiliations, medical policy, age, date of birth, studies information, health status, medications used, medical authorizations, participation in recreation and sports activities;
    • Resume, education, experience, links with entities, links with companies;
    • Salary and other payments;
    • Affiliations;
    • Pension contributions;
    • Constitution and contributions to voluntary pension funds, food vouchers, etc;
    • Judicial proceedings, seizure;
    • Loans throughout working life;
    • Laboral contract;
    • Changes in the employment contract;
    • Links with previous employers;
    • Work history of the worker;
    • Aid payment and benefits;
    • Beneficiaries of the worker for the purpose of payment of aid and benefits;
    • Affiliation EPS (Health promoter) , pension fund, ARL (occupational risk manager), compensation fund;
    • Training received;
    • Occupational health history of the worker;
    • Workplace accidents;
    • Fingerprint;
    • Photographic record;
    • Annual evaluation of competence.

If within the information collected there are sensitive data, SecPro will inform you of the quality of such sensitive data and the purpose of the treatment, and they will only be treated with your prior, express and informed consent. Please note that because sensitive data is involved, you are not obliged to give your consent to its processing.


Use and purpose of treatment

Personal data is used for:

  • Execution of the contract signed with any of the Company.
  • Payment of contractual obligations.
  • Sending of information to government or judicial entities by expressed request.
  • Support in external/internal audit processes.
  • Sending/Receiving messages for commercial purposes, advertising and/or customer service purposes.
  • Registration of customer, employee and supplier information in the Company’s database.
  • Contact with clients, employees or suppliers for the sending of information related to the contractual, commercial and obligatory relationship that takes place.
  • Collection of data for the fulfillment of the duties that as Responsible of the information and personal data, corresponds to the Company.
  • For security or fraud prevention purposes.
  • To provide effective customer service.
  • Any other purpose that results in the development of the contract or the relationship between you and the Company.

If you provide us with Personal Data, it will be used only for the purposes stated herein, and we will not sell, license, transmit or otherwise disclose it outside the Company unless (i) you expressly authorize us to do so, (ii) it is necessary to enable our contractors or agents to provide the services we have entrusted to them, (iii) in order to provide you with our products or services, (iv) is disclosed to entities that provide marketing services on our behalf or to other entities with whom we have joint marketing agreements, (v) relates to a merge, consolidation, acquisition, disinvestment or other restructuring process, or (vi) as required or permitted by law.

The Company may subcontract third parties for the processing of certain functions or information. When we do outsource the processing of your personal information to third parties or provide your personal information to third party service providers, we advise those third parties of the need to protect that personal information with appropriate security measures, prohibit them from using your personal information for their own purposes, and prevent them from disclosing your personal information to others.

Similarly, the Company may transfer or transmit (as appropriate) your personal data to other companies abroad for reasons of security, administrative efficiency and better service, in accordance with the authorizations of each of these persons. SecPro has adopted measures so that these companies implement in their jurisdiction and in accordance with the laws applicable to them, security standards and protection of personal data even similar to those provided in this document and in general in the Company’s policy on the matter. In the case of transmission of personal data, the transmission contract will be signed in accordance with the terms of Decree 1377 of 2013.

In addition, we inform you that once the need to process your data ceases, your data may be deleted from SecPro’s databases or stored in a secure manner so that they are only disclosed when required by law. Such data will not be deleted despite the owner’s request, when the preservation of such data is necessary for the fulfilment of an obligation or contract.


Holder’s Rights

In accordance with Article 8 of Law 1581 of 2012, the rights you have as a holder of personal data are:

    • To know, update and rectify your personal data before SecPro as the Responsible of the Treatment or in charge of the Treatment. This right may be exercised, amongst others before partial data, inaccurate, incomplete, fractional, misleading, or those whose processing is expressly prohibited or has not been authorized;
    • Request proof of authorization given to the Company as the Treatment responsible except where expressly waived as a requirement for Treatment;
    • To be informed by the Company, as Data responsible or by the data manager, upon request, regarding the use that has been made of their personal data;
    • To submit to the Superintendence of Industry and Commerce complaints for violations in accordance of the present law and other norms that modify, add or complement it;
    • Revoke the authorization and/or request the deletion of the data when the treatment does not respect the constitutional and legal principles, rights and guarantees;
    • Access in a free manner your personal data that have been subject to treatment;
    • Within this policy you will find the procedure through which the Company guarantees the exercise of all your rights;
    • Procedure for the exercise of your rights as owner.

If you have any questions about this Policy, or any concerns or complaints, or in the event of a complaint, correction, update, inquiry, or request for access or deletion of data, or with respect to the administration of the Policy, please contact us by any of the following means:

Phone: +57 (1) 7293165
Contact: [email protected]

Please note that once you inform the responsible area within the Company, depending on which one your request is addressed to, the consultation, request or complaint will be processed.

You can consult SecPro regarding the personal data that SecPro has stored in its databases, in which it will be necessary that the applicant or his legal representative proves his identity beforehand. Such consultation will be attended by SecPro in a maximum term of ten (10) working days from the date of receipt of the consultation. This period may be extended by SecPro on one occasion only, in which case you will be informed of the reasons for the delay and the date your request will be dealt with, which in no case will be more than five (5) working days after the expiry of the first term.

When it is not possible to attend the consultation within this term, SecPro will make it known to you, expressing the reasons for the delay and indicating the date when your consultation will be attended, which in no case can exceed five (5) working days after the expiration of the first term.

Your request or petition related to claims, updates, corrections, or deletion of your personal data must be attended to within a maximum term of fifteen (15) working days from the receipt of the request or petition. For the correct and complete consideration of your request, application or claim, we ask you to provide the identity of the applicant, his identification number, the address of notifications/responses and the documents you wish to assert.

If your application or request does not have sufficient data and facts to enable SecPro to deal with it correctly and completely, you will be required within five (5) days of receipt of the application, request or claim to rectify its faults. After two (2) months from the date of the request, if you as the applicant has not rectified as required, the Company receiving your request understands that you have withdrawn your request.

Modification of this Policy

This policy may be changed at any time, notifying you of the change and the latest version of this policy or mechanisms for obtaining a copy of this policy will be made available to you.

Effective Date: January 1, 2015 Last Modified: July 1, 2018 Period of validity of the database: The validity of the database will be the reasonable and necessary time to comply with the purposes of information treatment.