Personal data processing policy

**POLICY FOR PERSONAL DATA PROCESSING INFODEC SAS**

**I. OBJECTIVE**

Establish the policy and guidelines for information security, for the processing and confidentiality of personal data by INFODEC SAS.

**II. GENERALITIES**

The Political Constitution of Colombia in its article 15 states that “All persons have the right to their personal and family privacy and to their good name, and the State must respect and ensure respect for these. Likewise, they have the right to know, update, and rectify the information that has been collected about them in data banks and in public and private entity files.”

The national government issued Law 1581 of 2012, which regulates the collection and processing of personal data by public or private entities, within the country or when the person responsible for or in charge of the information is not established in the national territory, the Colombian legislation applies by virtue of international norms and treaties.

Through Ruling C-748 of October 6, 2011, the Constitutional Court declared the Statutory Law Project number 184 of 2010 Senate, 046 of 2010 Chamber, constitutional.

In Decree 1074 of 2015, Sole Regulatory of the Commerce, Industry and Tourism Sector, in its chapter 25, which regulates Law 1589 of 2012, establishes the objectives and aspects related to the authorization of the information holder, the processing policies of the responsible and in charge parties, the exercise of the rights of the information holders, the transfer of personal data and the demonstrated responsibility regarding the processing of personal data.

To facilitate the implementation and compliance with Law 1581 of 2012 and Decree 1074 of 2015, aspects related to the authorization of the information holder for the processing of their personal data, the processing policies of the responsible and in charge parties, the exercise of the rights of the information holders, the transfer of personal data and the responsibility for the processing of these must be defined at INFODEC.

Based on the above, the policy and guidelines for information security and for the processing and confidentiality of personal data handled by INFODEC are established.

**III. SCOPE OF APPLICATION**

The following policy applies to all information contained in the various databases obtained through the information systems available to INFODEC, in compliance with its legal and regulatory duty, aiming to effectively guarantee the constitutional protection of the personal and family privacy of all citizens, establishing instruments and expedited controls to adequately process the information it manages. This policy establishes the terms, conditions, and purposes under which INFODEC, as the person responsible for personal data obtained through its different service channels, processes the information of all persons who, at some point due to the activity it develops, have provided personal data (hereinafter “Data Holder”).

The principles and provisions contained in this personal data protection policy will apply to all databases that are within INFODEC, whether as owner, user, responsible, or in charge of processing.

**IV. IDENTIFICATION**

Entity Name: INFODEC SAS
NIT: 900337 757 9
Address: Carrera 24 F No. 3-63 Oeste, Cali, Colombia
Switchboard: (602) 4879860
Email: The email for submitting PQRS is: administracion@infodeclat.com
Contact: Steven Bedoya
Website: www.infodeclat.com

**V. RECIPIENTS**

This policy applies and obligates the following persons in INFODEC:

1. Legal representative.
2. INFODEC staff who collect, store, keep, process, and use databases with personal information.
3. Contractors and natural or legal persons who provide their services to INFODEC under any contractual modality and based on that relationship perform any processing of the personal information contained in the databases.
4. Other natural and legal persons with whom there is a legal or contractual relationship, who on behalf of INFODEC, manage or process databases with personal information.
5. Public and private persons in the capacity of personal data holders.
6. Other persons defined by law.

**VI. DEFINITIONS**

Based on the content of Law 1581 of 2012 and Chapter 25 of Decree 1074 of 2015, the following definitions apply to the personal data processing policy at INFODEC:

**Authorization:** It is the permission or consent given by the data holder for the specific processing of these, according to the functions of the entity.

**Privacy Notice:** Verbal or written communication generated by the Responsible Party, directed to the Data Holder, for the Processing of their personal data, through which they are informed about the existence of the Data Processing Policies that will apply to them, how to access them, and the purposes of the intended data processing.

**Database:** An organized set of personal data that is subject to processing.

**Personal Database:** An organized set of personal data, created, stored, organized, processed, and accessed manually or through computer programs or software.

**Personal Data:** Information that identifies a person or that can be associated with and make them identifiable; this data can be numerical, alphabetical, graphic, visual, biometric, or of any other type.

**Sensitive Data:** Sensitive data is understood as those that affect the privacy of the Data Holder or whose misuse can generate discrimination, such as those revealing racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social organizations, human rights organizations, or those promoting interests of any political party or guaranteeing the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.

**Semi-private Personal Data:** Data that is neither intimate nor public in nature, the knowledge or disclosure of which may interest not only its holder but a group of people or society in general. Its processing requires the express authorization of the data holder. (e.g., Financial and credit data).

**Public Personal Data:** Personal information that the Constitution and the norms have determined as public, and for its collection and processing does not require the authorization of the data holder and can be offered or obtained without any reservation.

**Data Processing Manager:** Natural or legal person, public or private, who by themselves or in association with others, performs the Processing of personal data on behalf of the Responsible for the Processing.

**Habeas Data:** Fundamental right that assists every person to know, update, rectify, and/or cancel the information and personal data that have been collected in public or private databases, according to the law and other applicable norms.

**Database Owner:** INFODEC is the owner of the personal databases that it has organized through the information it collects through its information systems and is responsible for their processing, management, and safeguarding.

**Database Responsible:** The person or official who has the personal databases under their safeguard within INFODEC.

**Responsible for Processing:** Natural or legal person, public or private, who by themselves or in association with others, decides on the database and/or the processing of data.

**Holder:** Natural or legal person whose personal data is subject to processing.

**Data Transfer:** Occurs when the person responsible for or in charge of the direct processing of personal data, located in Colombia, sends or delivers the information or personal data to another person or public or private entity that in turn is responsible for processing the data which may be inside or outside the country.

**Transmission:** Processing of personal data that involves the communication of the same within or outside the territory of the Republic of Colombia when its purpose is the realization of a Processing by the Manager on behalf of the responsible party.

**Data Processing:** Defined as the manipulation or set of operations and technical procedures of a manual or automated nature, performed on personal data, such as collection, recording, storage, conservation, use, analysis, circulation, modification, blocking, cancellation, and transfer, among others.

**User:** Natural or legal person who has an interest in the use of personal information.

The present terms and conditions apply to any registration of personal data carried out in person and/or virtually for the linkage to any product, service, or relationship with INFODEC. The data holder registers or provides their information freely and voluntarily and acknowledges that they have read and expressly accept these terms and conditions.

INFODEC directly handles the processing of Personal Data; however, it reserves the right to delegate such processing to a third party. At the end of this document, the Procedure for the Treatment and Protection of Personal Data of INFODEC is available for consultation.

**VII. PURPOSE OF DATA PROCESSING**

The authorization for the processing of your personal data allows INFODEC to collect, store, use, circulate, suppress, share, and update them, for the purpose of complying with the following objectives:

– Validate the information in compliance with the legal requirement of customer knowledge.
– Carry out accounting and administrative actions.

The scope of the authorization includes the power for INFODEC to send messages with institutional content, notifications, billing information, payment requests, and other information related to our product and service portfolio, through email and/or text messages to the mobile phone.

**VIII. RIGHTS OF THE PERSONAL DATA HOLDER**

**Inquiries and Claims**

The Data Holder is informed of the rights offered by the personal data protection laws, which are listed below and guaranteed by INFODEC through the fulfillment of the defined procedures:

– Know, update, and rectify your personal data. This right can be exercised, among others, regarding partial, inaccurate, fragmented data that induces error, or those whose Processing is expressly prohibited or has not been authorized.
– Request proof of the authorization granted to INFODEC when expressly exempted as a requirement for Processing, according to Article 10 of Law 1581 of 2012.
– Be informed by INFODEC, upon request, about the use given to their Personal Data.
– Submit complaints to the Superintendency of Industry and Commerce for violations of the provisions of this law and other regulations that modify, add to, or complement it.
– Revoke the authorization and/or request the deletion

of the data when the Processing does not respect constitutional and legal principles, rights, and guarantees.

To submit a request for correction, update, or deletion of data, or to file a complaint for alleged non-compliance with INFODEC’s duties related to Data Protection, you can make the request in writing via email. The request or claim must be addressed to INFODEC, with the full name of the holder, a description of the facts that give rise to the request or claim, and the contact phone number.

The inquiry will be answered within a maximum term of ten (10) business days from the date of receipt. When it is not possible to address the inquiry within this term, the interested party will be informed, expressing the reasons for the delay and indicating the date on which the inquiry will be addressed, which in no case may exceed five (5) business days following the expiration of the first term.

If the claim is incomplete, the interested party will be required within five (5) days following the receipt of the claim to remedy the deficiencies. Two (2) months after the date of the request, without the applicant providing the required information, it will be understood that they have withdrawn the claim.

In case the recipient of the claim is not competent to resolve it, they will forward it to the appropriate party within a maximum term of two (2) business days and inform the interested party of the situation.

Once the complete claim is received, a legend stating “claim in process” and the reason for it will be included in the database, within no more than two (2) business days. This legend must be maintained until the claim is decided.

**IX. INFORMATION SECURITY**

INFODEC is committed to making proper use and processing of the personal data contained in its databases, preventing unauthorized access by third parties who may know, alter, disclose, and/or destroy the information stored there. For this purpose, it has security protocols and access to information systems, storage, and processing, including physical risk control measures.

Additionally, it has implemented a top-level perimeter security system “Firewall” and proactive intrusion detection to keep our customers’ information safeguarded. The system is constantly monitored through vulnerability analysis.

Access to the different databases is restricted even for employees and collaborators. All employees are committed to the confidentiality and proper handling of the databases following the established information processing guidelines.

INFODEC is not responsible for any consequences arising from unauthorized or fraudulent access by third parties to the database and/or any technical failure in its operation.

**X. STORAGE OF YOUR PERSONAL DATA**

INFODEC requests the necessary data for the creation of customers, suppliers, employees to offer its products or services and interact with its customers, as well as that required by the government for the billing and payment process.

Once your personal data is voluntarily and freely provided, it is stored in the relevant database according to the acquired service or product. The servers hosting the databases are physically protected in a secure location.

Only authorized personnel who have signed confidentiality agreements of the information can access it and therefore the personal data of our customers and/or users.

**XI. MODIFICATIONS TO THE PERSONAL DATA PROCESSING POLICIES**

INFODEC reserves the right to unilaterally modify its policies and procedures for personal data processing at any time. Any changes will be published and announced. In addition, previous versions of these personal data processing policies will be kept. These may also be subject to internal or external audits by companies specializing in this type of control. This is subject to the confidentiality of the information.

**XII. VALIDITY OF THE PERSONAL DATA PROCESSING POLICY**

This Personal Data Processing and Protection Policy is effective from July 2013 and will be published on the INFODEC website.

**XIII. INQUIRIES AND CLAIMS HANDLING**

To receive inquiries, complaints, claims, or exercise your rights as a user or customer, you can contact administracion@infodeclat.com, and they will be handled within the times established by Law 1581.