INFORMATION PROCESSING POLICY

Scroll

The company BéndiksenLaw S.A.S. domiciled in Bogotá, with physical address: Calle 103A # 21 – 93 OF 201, e-mail: [email protected] and telephone (+57) 3106843785 (hereinafter the “Firm”) presents the owners of Personal Data that are processed in any way by the Firm, this information processing policy (the “Policy”), in compliance with Law 1581 of 2012 and Decree 1377 of 2013 of the Republic of Colombia. The main purpose of this Policy is to inform the owners of the Personal Data (hereinafter “Owner”) of their rights, the procedures and mechanisms provided by the Firm to make those rights of the Owners effective, and to inform them of the scope and purpose of the Processing to which the Personal Data will be submitted in case the Owner grants his express, prior, and informed authorization.   

Main definitions

The expressions used in capital letters in this Policy shall have the meaning given to them herein, or the meaning given to them by applicable law or jurisprudence, as such law or jurisprudence is modified from time to time.

a) “Authorization”: Is the prior, express, and informed consent of the Owner to carry out the Processing of their Personal Data.

b) “Database”: Is the organized set of Personal Data that are subject to Processing, electronic or not, whatever the modality of its formation, storage, organization, and access.

c) “Financial Data”: Is any Personal Data referring to the origin, performance, and extinction of monetary obligations, regardless of the nature of the contract that gives rise to them, whose Processing is governed by Law 1266 of 2008 or the rules that complement, modify or amend it.

d) “Personal Data”: Is any information of any kind, associated or that may be associated with one or more individuals or entities.

e) “Public Data”: Is Personal Data qualified as such according to the mandates of the law or the Constitution and that are not not semi-private, private or sensitive. Public Data includes, among other, those relating to the civil status of individuals, their profession or trade, their status as a merchant or public servant and those that can be obtained without reserve. By its nature, Public Data may be contained, among others, in public registers, public documents, gazettes and official documents, and duly enforceable court rulings that are not subject to reserve.

f) “Sensitive Data”: Is Personal Data that affects the privacy of the Owner or whose improper use may generate discrimination, such as those that reveal trade union affiliations, racial or ethnic origin, political orientation, religious, moral or philosophical convictions, membership of trade unions, social or human rights organizations or that promotes the interests of any political party or that guarantees the rights and guarantees of opposition political parties, as well as data relating to health, sex life, and biometric data.

g) “Data Processor in Charge”: Is the individual or entity, public or private, that by itself or in partnership with others, performs the Processing of Personal Data on behalf of the Liable Data Processor.

h) “Authorized”: Is the Firm and all persons under the responsibility of the Firm, who by virtue of the Authorization and these Policies have legitimacy to Process the Personal Data of the Owner. The Authorized includes the category of the Enabled.

i) “Habilitation”: Is the legitimation that the Firm grants to third parties, expressly and in writing, by means of a contract or similar document, in compliance with applicable law, for the Processing of Personal Data, making such third parties in Data Processor in Charge of the Processing of Personal Data delivered or made available.

j) “Liable Data Processor”: Is the individual or entity, public or private, that by itself or in partnership with others, decides on the Database and / or the Processing of Personal Data.

k) “Owner” of the Personal Data: Is the individual or entity to whom the information that rests in a Database refers to, and who is the subject of the right of habeas data.

l) “Transfer”: Is the Processing of Personal Data that involves the communication of said data inside or outside the territory of the Republic of Colombia with the purpose of Processing by the Data Processor in Charge on behalf of the Liable Data Processor.

m) “Transmission”: Is the activity of Processing of Personal Data through which they are communicated, internally or with third parties, inside or outside the territory of the Republic of Colombia, when such communication is intended to carry out any processing activity by the recipient of the Personal Data.

n) “Processing of Personal Data”: Is any operation and systematic procedure, electronic or not, that allows for the collection, conservation, ordering, storage, modification, relation, use, circulation, evaluation, blocking, destruction and in general, the processing of Personal Data, as well as its transfer to third parties through communications, queries, interconnections, assignments, data messages.

Principles

The Firm, in the performance of its commercial activities will collect, use, store, transmit and carry out various operations on the personal data of the Owners. In any Processing of Personal Data carried out by the Firm, the Liable Data Processors, Data Processor in Charge and / or third parties to whom Personal Data is transferred to, must comply with the principles and rules established in the Law and in this Policy, to guarantee the right to habeas data of the Owners and to comply with the Firm’s legal obligations. These principles are:

a) Prior authorization: All Processing of Personal Data will be carried out once the prior, express, and informed Authorization of the Owner has been obtained, unless the Law establishes an exception to this rule. If Personal Data has been obtained prior to the coming into force of the Law, the Firm will seek the relevant ordinary and alternative means to petition the Owner and obtain their retroactive authorization, following the provisions of Decree 1377 and its concordant norms.

b) Authorized purpose: Any activity of Processing of Personal Data must be done in accordance with the purposes mentioned in this Policy or in the Authorization granted by the Owner of the Personal Data, or in the specific documents where each type or process of Processing of Personal Data is regulated. The purpose of the particular Processing of a Personal Data must be informed to the Owner of the Personal Data at the time of obtaining their Authorization. Personal Data may not be processed outside the purposes informed and consented to by the Data Owners.

c) Data Quality: The Personal Data submitted for Processing must be truthful, complete, accurate, updated, verifiable and understandable. When in possession of partial, incomplete, fractional, or misleading Personal Data, the Firm must refrain from treating them, or request that the Owner complete or correct the information.

d) Delivery of information to the Owner: When the Owner requests it, the Firm must provide the information about the existence of Personal Data that concerns the petitioner. This delivery of information will be carried out by the Firm’s division in charge of the protection of personal data

e) Restricted circulation: Personal Data can only be processed by the Firm’s personnel who are authorized to do so, or who, within their functions, are in charge of carrying out such activities. No Personal Data may be given to those who do not have Authorization or have not been authorized by the Firm to carry out the Processing.

f) Temporality: The Firm will not use the information of the owner beyond the reasonable period required for the purpose that was informed to the Owner of the Personal Data.

g) Restricted access: Except for expressly authorized Data, the Firm may not make Personal Data available for access through the Internet or other mass means of communication, unless technical and security measures are established to control access and restrict it only to Authorized persons.

h) Confidentiality: The Firm must always carry out the Processing providing the technical, human and administrative measures that are necessary to maintain the confidentiality of the data and to prevent it from being adulterated, modified, consulted, used, accessed, deleted, or known by unauthorized persons or by Authorized and unauthorized persons in a fraudulent manner, or from losing the Personal Data. Any new project that involves the Processing of Personal Data must consulted this Processing Policy to ensure compliance with this rule.

i) Confidentiality and Later Processing: Any Personal Data that is not Public Data must be treated by the Liable Data Processor as confidential, even if the contractual relationship or the link between the Owner of the Personal Data and the Firm has ended. Upon termination of such link, such Personal Data must continue to be Treated in accordance with this Policy and the Law.

j) Individuality: The Firm will maintain separately the databases for which it is the Data Processor in Charge from those databases for which it is the Liable Data Processor.

k) Necessity: Personal Data can only be Processed for as long as and to the extent that the purpose of its Processing justifies it.

Processing and Purposes

The Personal Data processed by the Firm must be subjected only to the purposes indicated below. Likewise, the Data Processors or third parties that have access to the Personal Data by virtue of law or contract, will maintain the Processing within the following purposes:

a) Manage all the information necessary for compliance with the tax obligations and commercial, corporate, and accounting records of the Firm.

b) Comply with the internal processes of the Firm in terms of administration of suppliers and contractors.

c) Comply with service contracts executed with customers.

d) Provide its services in accordance with the needs of the Firm’s clients, in order to fulfill the service contracts entered into, including but not limited to, verifying affiliations and rights of the individuals to whom the Firm’s clients will provide their services, use of Personal Data for marketing of new services or products.

e) Other purposes determined by the Liable Data Processor in processes for obtaining Personal Data for Processing and that are communicated to the Owners at the time of the collection of personal data.

f) The control and prevention of fraud and money laundering, including but not limited to consultation on restrictive lists, and all necessary information required for the SARLAFT.

g) The process of archiving, updating systems, protection and custody of information and databases of the Firm.

h) Processes within the Firm, for development or operational purposes and/or systems administration.

i) The Transmission of Data to third parties with whom contracts have been executed for this purpose, for commercial, administrative, marketing and/or operational purposes, including but not limited to, the issuance of identification cards, personalized certificates and certifications to third parties, in accordance with the legal provisions in force.

j) Maintain and process by computer or other means, any type of information related to the client’s business in order to provide the relevant services and products.

k) Other purposes determined by the Liable Data Processor in processes of obtaining Personal Data for Processing, in order to comply with the legal and regulatory obligations, as well as the policies of the Firm.

Rights of the Owner of the Personal Data

In accordance with the Law, Owners of Personal Data have the following rights:

a) Know, update, and rectify their Personal Data before the Firm or the Data Processor in Charge. This right may be exercised, among others, against partial, inaccurate, incomplete, fractional, or misleading data, or data whose Processing is expressly prohibited or has not been authorized.

b) Request proof of the Authorization granted to the Firm, unless the Law indicates that such Authorization is not necessary.

c) Submit requests to the Firm or the Data Processor in Charge regarding the use that has been given to their Personal Data, and that such information be delivered.

d) Submit complaints to the Superintendency of Industry and Commerce for non-compliance with the Law.

e) Revoke their Authorization and/or request the deletion of their Personal Data from the databases of the Firm when the Superintendency of Industry and Commerce has determined by enforceable administrative decision that in the Processing, the Firm or the Data Processor in Charge has incurred in conduct contrary to the Law or when there is no legal or contractual obligation to keep the Personal Data in the database of the Liable Data Processor.

f) Request access to and access free of charge their Personal Data that has been subject to Processing in accordance with article 21 of Decree 1377 of 2013.

g) Have knowledge of the amendments to the terms of this Policy in an efficient way before these are or a new policy Information Processing Policy is implemented.

h) Have easy access to the text of this Policy and its modifications.

i) Access in an easy and simple way the Personal Data that are under the control of the Firm to effectively exercise the rights that the Law grants to the Owners.

j) Have knowledge of the division or individual authorized by the Firm before whom they may file complaints, queries, claims and any other request about their Personal Data.

The Owners may exercise their rights under the law and carry out the procedures established in this Policy, by presenting their citizenship card or original identification document. Minors may exercise their rights personally, or through their parents or adults who have parental authority, who must prove it through the relevant documentation. Likewise, the rights of the Owner may be exercised by the successors in title who accredit this quality, the representative and / or agent of the Owner with the corresponding accreditation and those who have made a stipulation in favor of another or for another.

Liable Data Processor

The firm has designated its Customer Service division as Liable Data Processor for the reception and processing of requests, complaints, claims and queries of all kinds related to Personal Data. The individual in charge of Customer Service will process queries and complaints regarding Personal Data in accordance with the Law and this policy.

Some of the functions of this division in relation to Personal Data are:

a) Receive requests from Owners of Personal Data, process and respond to those that are in accordance with the Law or these Policies, such as: requests to update Personal Data; requests to know Personal Data; requests for the deletion of Personal Data when the Owner submits a copy of the decision of the Superintendency of Industry and Commerce in accordance with the provisions of the Law, requests for information on the use given to their Personal Data, or requests for proof of the Authorization granted when it has proceeded in accordance with the Law.

b) Respond to the Owners of Personal Data on those requests that do not proceed in accordance with the Law.

Customer Service contact details are:

Physical address: Calle 103A # 21 – 93 OF 201

E-mail: [email protected]

Phone: (+57) 3106843785

 

Procedures to exercise the rights of the Owners of Persona Data

6.1. Queries

The Firm has mechanisms for the Owner, their successors, representatives and/or proxies, assignees, and/or the representatives of Owners not of legal age, to formulate queries regarding what Personal Data of the Owner is stored in the Firm’s Databases.

These mechanisms may be in person, electronically through the Customer Service e-mail [email protected] or by telephone at the Customer Service line (+57) 3106843785.

Whatever the medium, the Firm will save proof of the query and its response.

a) If the applicant has the legal capacity to formulate the query, in accordance with the criteria established in Law 1581 and Decree 1377, the Firm will collect all the information about the Owner that is contained in the individual registry of that person or that is linked to the identification of the Owner stored in the Databases of the Firm and will make it known to the petitioner.

b) The Liable Data Processor responsible for answering the query will respond to the petitioner as long as they have the right to do so because they are the Owner, successor, proxy, representative, assignee, or is the legal representative in the case of minors. This response will be sent within ten (10) business days from the date on which the request was received by the Firm.

c) In the event that the query cannot be answered in ten (10) business days, the petitioner will be contacted to inform him or her of the reasons why the status of the application is in process. For this purpose, the same or similar means to the one that was used by the Owner to communicate his request, will be used.

d) The final response to all requests shall not take more than fifteen (15) business days from the date on which the initial request was received by the Firm.

6.2. Claims

The Firm has mechanisms for the Owner, their successors, representatives and/or proxies, assignees, and/or the representatives of Owners not of legal age, to formulate claims regarding (i) Personal Data Processed by the Firm that must be subject to correction, update or deletion, or (ii) the alleged breach of legal duties of the Firm.

These mechanisms may be in person, electronically through the Customer Service e-mail [email protected] or by telephone at the Customer Service line (+57) 3106843785.

a) The claim must be submitted by the Owner, their successors, representatives, or accredited party in accordance with Law 1581 and Decree 1377, as follows:

Contact BéndiksenLaw S.A.S. by electronic means at the email: [email protected], physically at Calle 103A # 21 – 93 OF 201; or by telephone at the line (+57) 3106843785.

It must contain the name and identification document of the Owner.

It must contain a description of the facts that gave rise to the claim and the intended objective (updating, correction or deletion, or fulfillment of duties).

The address and contact details of the claimant must be included.

It must be accompanied by all the documentation that the claimant wishes to assert.

The Firm, before attending to the claim, will verify the identity of the Owner of the Personal Data, his representative and/or proxy, or the proof that there was an assignment. As such, the citizenship card or original identification document of the Owner can be requested by the Firm, and the special or general power of attorney or other documents that are required, as the case may be.

b) If the claim or additional documentation is incomplete, the Firm will request, only a single time, within five (5) days of receipt of the claim, that the claimant correct the defects. If the claimant fails to submit the required documentation and information within one month of the date of the initial claim, the claimant shall be deemed to have waived the claim.

c) If for any reason the individual who receives the claim within the Firm is not competent to resolve it, it will be transferred to a Customer Service Analyst within two (2) business days of receiving the claim and the claimant will be informed of such referral.

d) Once the claim has been received with the complete documentation, a note stating “claim in process” will be included in the Firm’s Database where the Data of the Owner subject to claim is stored along with the reason for the claim, within a term not exceeding two (2) business days. This note shall remain until the claim is resolved.

e) The maximum term to respond the claim will be fifteen (15) business days counted from the day following the date of its receipt. When it is not possible to respond the claim within said term, the interested party will be informed of the reasons for the delay and the date on which their claim will be answered, which in no case may exceed eight (8) business days following the expiration of the first term.

Entry into Force

This Policy is enforceable as of September 20, 2021. The Personal Data that are stored, used or transmitted will remain in our Database, based on the criterion of temporality and necessity, for as long as necessary for the purposes mentioned in this Policy, for which they were collected.