In accordance with the concepts and criteria of Statutory Law 1581 of 2012 and Regulatory Decree 1377 of 2013, and/or for the purposes of this Policy, the words defined below shall have the meaning assigned in this chapter, whether or not they are written in capital letters and whether they are in the plural or singular. They shall be developed and applied under the systematic and comprehensive interpretation established in the aforementioned regulations.
Definitions
i) Privacy Notice: Verbal or written communication generated by the Controller, addressed to the Data Subject for the Processing of his personal data, by means of which he is informed about the existence of the information processing policies that will be applicable to him, the way to access them and the purposes of the Processing that is intended to be given to the personal data.
ii) Authorization: Prior, express and informed consent of the Data Subject to carry out the Processing of Personal Data.
iii) Database: Organized set of Personal Data that is subject to Processing, which may be stored and/or processed in servers located in computer centers or physical stationery, either our own or contracted with third parties, located in the national territory or in different countries.
iv) Personal Data: Any information linked or that can be associated to one or several determined or determinable natural persons.
v) Public data: is data that is not semi-private, private or sensitive. Public data are considered, among others, data relating to the civil status of persons, their profession or trade and their status as merchants or public servants. By their nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins and duly executed judicial decisions that are not subject to confidentiality.
vi) Sensitive Data: Sensitive data are understood as those that affect the privacy of the Data Subject or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties as well as data related to health, sex life and biometric data, among others.
vii) Data Processor: Natural or legal person, public or private, that by itself or in association with others, carries out the Processing of Personal Data on behalf of the Controller of the Processing of Personal Data.
viii) Data Controller: Natural or legal person, public or private, that by itself or in association with others, decides on the database and/or the processing of the data. For the purposes of this Policy, the Controller shall be [email protected].
ix) Holder: Natural person whose personal data are subject to processing and legal entity in the event of processing their financial data, whether they hold the status of customers, employees, suppliers or any other type of denomination before the company.
x) Transfer: The transfer of data takes place when the controller and/or processor of personal data, located in Colombia, sends the information or personal data to a recipient, which in turn is responsible for the processing and is located inside or outside the country.
xi) Transmission: Processing of personal data that involves the communication of such data within or outside the territory of the Republic of Colombia when the purpose of the processing is to be carried out by the processor on behalf of a single responsible party.
xii) Treatment: Any operation or set of operations on Personal Data, such as collection, storage, use, circulation or deletion.
PRINCIPLES
In the development, interpretation and application of Law 1581 of two thousand and twelve (2012), which issues general provisions for the protection of personal data, and of the rules that complement, modify or add to it, the following guiding principles shall be applied in a harmonious and comprehensive manner:
Principle of Finality: the treatment must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the holder.
Principle of Freedom: the treatment can only be exercised with the prior, express and informed consent of the holder. Personal data may not be obtained or disclosed without prior authorization, or in the absence of legal or judicial mandate that relieves the consent.
Principle of Truthfulness or Quality: the information subject to processing must be truthful, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fractioned or misleading data is prohibited.
Principle of Transparency: The right of the data subject to obtain from the controller or processor, at any time and without restriction, information about the existence of data relating to him or her must be guaranteed in the processing.
Principle of Access and Restricted Circulation: the processing is subject to the limits deriving from the nature of the personal data, from the provisions of the law and the Constitution. In this sense, the processing may only be carried out by persons authorized by the owner and/or by the persons provided for by law. Personal data, except for public information, may not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to the owners or authorized third parties.
Safety Principle: the information subject to treatment by Stratelic S.A.S. shall be handled with the technical, human and administrative measures that are necessary to provide security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.
Principle of Confidentiality: Stratelic S.A.S. is obliged to guarantee the confidentiality of the information, even after the end of its relationship with any of the tasks included in the processing, and may only provide or communicate personal data when it corresponds to the development of the activities authorized by law.
AUTHORIZATION TO PROCESS PERSONAL DATA
Authorization. The collection, storage, use, circulation or suppression of personal data by Stratelic S.A.S. requires the free, prior, express and informed consent of the owner of such data. Stratelic S.A.S., in its condition of being responsible for the processing of personal data, has provided the necessary mechanisms to obtain the authorization of the owners, always guaranteeing the possibility of verifying the granting of such authorization.
Form and Mechanisms for Granting Authorization: The authorization shall be requested at the latest at the time of collection of the personal data. This authorization may be recorded in a physical, electronic or any other format that allows its subsequent consultation to be guaranteed. The authorization may be granted by the holder (i) in writing, (ii) orally or (iii) through unequivocal conduct of the holder that allows one to reasonably conclude that he/she granted the authorization. In no case may silence be assimilated to unequivocal conduct. The authorization forms and texts will be issued by Stratelic S.A.S. and will be made available to the holder, prior to the processing of his/her personal data, in accordance with the provisions of Law 1581 of 2012 and its regulatory decrees, so that the holder can make informed decisions regarding their personal data and control the use of their personal information. The formats and texts of authorization are a statement that informs the holder of the personal data of:
1. Identification, physical or electronic address and telephone number of the Data Controller.
2. The mention of the present policy of treatment of personal data and its location in the institutional website.
3. Itemization of the personal data collected.
4. Purpose of the personal data being collected.
5. How to exercise rights of access, correction, updating or deletion of personal data provided.
With the consented authorization procedure it is guaranteed that the holder of the personal data has been made aware of the fact that his personal information will be collected and used for specific and known purposes, and that he has the option to know any alteration to the same and the specific use that has been given to them.
Proof of authorization: The areas responsible for data processing in Stratelic S.A.S. must have the necessary measures to keep records of when and how authorization was obtained from the holders of personal data for the processing of the same.
Privacy Notice: The Privacy Notice is the physical document, electronic or in any other format, which is made available to the Data Subject for the processing of personal data, when the privacy policy cannot be made available. This document communicates to the Data Subject the information regarding the existence of the information processing policies that will be applicable to him/her, the way to access them and the characteristics of the processing that is intended to be given to the personal data. In order to guarantee in all cases that the authorization includes all the elements that allow the holder to duly exercise his/her rights, Stratelic S.A.S.'s Privacy Notice must include the following information:
1. Stratelic S.A.S.'s corporate name and its contact information.
2. The treatment to which the data will be submitted and the purpose of the same.
3. The rights that the holder has.
4. The mechanisms provided by Stratelic S.A.S. so that the owner is aware of the Data Processing policy.
Sensitive Data. Sensitive data are considered to be those that affect the privacy of the Data Owner or whose improper use may generate discrimination. Among them are those that reveal a person's racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social organizations, human rights or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life and biometric data. Stratelic S.A.S. is committed to protecting privacy during the processing of your identifiable and sensitive personal data. Therefore, in the event that the owners of the information expressly authorize the use of sensitive data, Stratelic S.A.S. is obliged to use such data in accordance with the rules established in its regulatory decrees. In the case of sensitive data collection events, the following actions shall always be guaranteed:
1. Inform the owner that since the data is sensitive, he/she is not obliged to authorize its processing.
2. In the event that the Data Subject is physically or legally incapacitated, it shall be verified whether the treatment is necessary to safeguard the vital interest of the Data Subject and, if so, the legal representatives shall be asked for authorization.
3. Inform the Data Subject explicitly and in advance, in addition to the general requirements for authorization for the collection of any type of personal data, which of the data to be processed are sensitive and the purpose of the Processing.
4. Obtain express consent for the processing of sensitive data.
5. No activity may be conditioned to the provision of sensitive personal data by the Data Subject.
RIGHTS OF THE HOLDER
The holder of the personal data shall have the following rights:
1. To know, update and rectify his/her personal data against Stratelic S.A.S. in its capacity as data controller. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or data whose processing is expressly prohibited or has not been authorized.
2. To consult his/her personal data free of charge at least once every calendar month, and every time there are substantial modifications to the Data Processing Policies.
3. To request proof of the authorization granted to Stratelic S.A.S., in its capacity as data controller, except when expressly excepted as a requirement for the processing (cases in which the authorization is not necessary).
4. To be informed by Stratelic S.A.S., upon request, regarding the use it has made of his/her personal data.
5. To file before the Superintendence of Industry and Commerce complaints for violations of the provisions of Law 1581 of two thousand twelve (2012) and other regulations that modify, add or complement it.
6. To revoke the authorization and/or request the deletion of the data when the treatment does not respect the principles, rights and constitutional and legal guarantees.
7. To access free of charge his/her personal data that have been subject to processing.
DUTIES OF THE HOLDER
The Holder of the Personal Data shall have the duty to keep his/her information updated and to guarantee, at all times, the veracity of the same. Stratelic S.A.S. shall not be responsible, in any case, for any type of liability derived from the inaccuracy of the information.
DUTIES OF STRATELIC S.A.S.
By virtue of the present policy of treatment and protection of personal data, Stratelic S.A.S. has the following duties:
1. To guarantee the holder, at all times, the full and effective exercise of the right of habeas data.
2. To request and keep a copy of the respective authorization granted by the holder.
3. To duly inform the owner about the purpose of the collection and the rights he/she is entitled to by virtue of the authorization granted.
4. Respect the security and privacy conditions of the holder's information.
5. Allow access to the information only to the persons who may have access to it.
6. Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
7. Inform the data protection authority when there are violations to the security codes and there are risks in the administration of the information of the owners.
8. Guarantee that the information is truthful, complete, accurate, updated, verifiable and understandable.
9. Inform at the request of the owner about the use given to their data.
10. Update the information, attending in this way all the news regarding the holder's data, within 5 working days following the receipt of the news. Additionally, all necessary measures must be implemented to keep the information updated.
11. To process the queries and claims made by the owners.
12. Register in the database the legend "claim in process" within two working days following the receipt of the completed claim.
13. Rectify the information when it is incorrect and communicate the pertinent.
14. Comply with the requirements and instructions given by the Superintendence of Industry and Commerce on the particular subject.
15. Identify when certain information is under discussion by the owner.
16. Insert in the database the legend "information under judicial discussion" once notified by the competent authority about judicial processes related to the quality of the personal data.
17. Refrain from circulating information that is being disputed by the Holder and whose blocking has been ordered by the Superintendence of Industry and Commerce.
18. To use only data whose processing is previously authorized in accordance with the provisions of Law 1581 of two thousand and twelve (2012).
EVENTS IN WHICH THE AUTHORIZATION OF THE HOLDER OF THE PERSONAL DATA IS NOT NECESSARY
The authorization of the owner of the information will not be necessary when it concerns:
1. Information required by a public or administrative entity in the exercise of its legal functions or by court order.
2. Data of a public nature.
3. Cases of medical or sanitary urgency.
4. Processing of information authorized by law for historical, statistical or scientific purposes.
5. Data related to the Civil Registry of persons.
Legitimacy for the exercise of the holder's right.
The rights of the owners may be exercised by the following persons:
1. By the owner, who must prove his/her identity sufficiently by the different means made available by Stratelic S.A.S.
2. By the assignees of the owner (in cases where the owner is missing due to death or disability), who must prove such capacity.
3. By the representative and/or attorney-in-fact of the owner, prior accreditation of the corresponding representation or power of attorney.
4. By stipulation in favor of or for another.
The rights of children and adolescents shall be exercised by the persons empowered to represent them.
TREATMENT TO WHICH THE PERSONAL DATA WILL BE SUBJECTED
The processing of data collected under the provisions of this policy will be carried out and will be in force while the purpose for which the personal data were collected is maintained. In carrying it out, Stratelic S.A.S. may, among others, i) appoint one or more Data Processors, ii) transfer and/or transmit the Personal Data subject to processing to the companies that are part of its business group, that is, to parent companies, affiliates or subsidiaries, as well as to any other third party, within or outside the national territory, whether they are legal or natural persons, national or foreign, even when in the country of location of the recipient there are no rules that establish a standard of data protection similar to those in force in the national territory, iii) provide such Personal Data to agents, subcontractors and other third parties for the achievement of the purposes set out in the following paragraph, and iv) disclose the information when so required by public authorities duly empowered by administrative or judicial order.
The personal data will be processed for pre-contractual, contractual, post-contractual, commercial, customer service, marketing, advertising, processing, research, training, accreditation, consolidation, organization, updating, reporting, statistics, surveys, attention and processing, granting of benefits as well as the control and preservation of security in Stratelic S.A.S. for the performance of statistical, commercial, strategic, financial, social, technical and risk rating analysis. Likewise, the personal data may be shared with or sent to its parent company, affiliates and subsidiaries, as well as to third parties with whom it makes alliances or contracts for commercial purposes related to the execution of the activities included within its corporate purpose, or to whom it entrusts the performance of studies or the processing of data, as well as for reporting to and consultation of credit risk centers legally constituted in Colombia.
All of the above includes the transfer of this data to third countries such as, but not limited to, the U.S.A., Ecuador, Peru, Chile, Argentina, Brazil, Panama and Mexico, for storage and processing purposes.
SECURITY MEASURES FOR THE PROCESSING OF PERSONAL DATA
Stratelic S.A.S. shall adopt the necessary security techniques to ensure the security of the records, avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access. Said measures will respond to the minimum requirements made by the current legislation and their effectiveness will be periodically evaluated. However, Stratelic S.A.S. will not be liable in the event of a violation of its security systems when there is force majeure or an act of God.
AREA RESPONSIBLE FOR THE ATTENTION OF PETITIONS, CONSULTATIONS, COMPLAINTS AND CLAIMS
Stratelic S.A.S. has designated the Customer Service area as responsible for ensuring compliance with this policy within the institution. This area will be available for the attention of requests, inquiries and complaints by the owners and to make any update, rectification and deletion of personal data. Likewise, the Customer Service area or the legal area will answer any questions or concerns that any of our employees may have, through the e-mail address listed in the heading of this document.
ACCESS, CONSULTATION AND COMPLAINT PROCEDURE
Right of access: The power of disposition or decision that the holder has over the information that concerns him/her necessarily entails the right to access and know if his/her personal information is being processed, as well as the scope, conditions and generalities of such processing. In order to comply with the above, Stratelic S.A.S. will guarantee the right of access as follows:
- The holder will be able to know the effective existence of the treatment to which his/her personal data is subjected.
- The holder will be able to access his/her personal data that is in Stratelic S.A.S.'s possession.
- The holder will be able to know the purposes that justify the processing of his/her data.
For the exercise of this right, Stratelic S.A.S. will require the previous accreditation of the identity of the holder or the personality of its representative. Once this is exhausted, the details of the personal data will be made available to the holder, free of charge, through electronic means that allow the direct access of the Holder to them. For consultations whose periodicity is greater than one per calendar month, Stratelic S.A.S. will only charge the costs of sending, reproduction, or certification of documents.
INQUIRY
The holders or those authorized according to the present policy may consult the personal information of the Holder that is contained in any database managed by Stratelic S.A.S. For the attention of requests for consultation of personal data, Stratelic S.A.S. guarantees that it has the following channels enabled:
1. The e-mail [email protected], where the requests will be received, which must contain the necessary documents that sufficiently prove the identity of the holder.
Inquiries will be answered within a maximum term of ten (10) working days from the date of receipt. When it is not possible to attend the consultation within such term, the interested party will be informed before the expiration of the 10 days, stating the reasons for the delay and indicating the date on which the consultation will be attended, which in no case may exceed five (5) working days following the expiration of the first term.
CLAIMS
The owners or those authorized in this policy who consider that the information contained in one of the Stratelic S.A.S. databases should be corrected, updated or deleted, or who notice the alleged breach of any of the duties contained in Law 1581 of 2012 or in this policy, may file a claim before Stratelic S.A.S., which will be processed under the following rules:
1. The claim may be submitted directly to the e-mail address [email protected]. The claims must contain the necessary documents that sufficiently prove the identity of the owner, the description of the facts that give rise to the claim, the address, and the accompanying documents that the claimant wants to assert. The interested party will be required within five (5) days of receipt to remedy the faults. After two (2) months from the date of the request without the applicant submitting the required information, it will be understood that the claim has been abandoned.
If for any circumstance Stratelic S.A.S. receives a claim regarding personal information for whose treatment it is not responsible, it will transfer it to the corresponding person within a maximum term of two (2) working days and will inform the interested party of the situation.
Once the complete claim is received, it will be included in the database that maintains a legend that says "claim in process" and the reason for it, within a period not exceeding two (2) business days. Said legend shall be maintained until the claim is decided.
The maximum term to attend the claim will be fifteen (15) working days from the day following the date of its receipt. When it is not possible to attend it within said term, the interested party will be informed, before the expiration of said term, of the reasons for the delay and the date on which the claim will be attended, which in no case may exceed eight (8) business days following the expiration of the first term.
DELETION OF DATA
The holder has the right, at any time, to request from Stratelic S.A.S. the suppression (elimination) of his/her personal data when:
a) He/she considers that such data is not being processed in accordance with the principles, duties and obligations set forth in Law 1581 of 2012.
b) It is no longer necessary or relevant for the purpose for which it was collected.
c) The period necessary for the fulfillment of the purposes for which it was collected has been exceeded.
This suppression implies the elimination of the personal information, as requested by the holder, from the records and databases of Stratelic S.A.S. Stratelic S.A.S. will not proceed with the suppression of the information, and the revocation of the authorization will not proceed, when the Holder has a legal or contractual duty to remain in the database. It is important to take into account that the right of cancellation is not absolute. Stratelic S.A.S. may deny the exercise of the same when:
1. The holder has a legal or contractual duty to remain in the database.
2. The elimination of data hinders judicial or administrative actions related to tax obligations, the investigation and prosecution of crimes or the updating of administrative sanctions.
3. The data is necessary to protect the legally protected interests of the owner, to carry out an action in the public interest, or to comply with an obligation legally acquired by the owner.
In the event that the cancellation of the personal data is appropriate, Stratelic S.A.S. will operationally carry out the deletion in such a way that the deletion does not allow the recovery of the information. In order to exercise this right, the detailed request must be sent to the following e-mail address: [email protected]
MODIFICATION OF THE POLICY
Stratelic S.A.S. may modify or amend this Policy at its discretion. When modifications or changes are made to this Policy, the date of the same will be updated, and such modification or amendment will be effective as of the date of update. You are encouraged to periodically review this Policy to be informed of any modifications that may be made.
VALIDITY OF THE POLICY
This Policy shall become effective as of its publication, that is, June 26, 2022. Both the Policy and the Databases containing the information provided may remain in force for the term of duration of Stratelic S.A.S., without prejudice to the fact that this Policy may be modified at any time and unilaterally by Stratelic S.A.S.
