Personal Data Processing Policy

 
 
A. Introduction

The Political Constitution of Colombia of 1991 established in its Article 15 the right to protection of personal data as the right of every person to know, update, rectify and/or cancel the information and personal data collected and/or processed in public or private databases.

By Law 1581 of October 17, 2012, the Congress of the Republic of Colombia regulated the aforementioned right by establishing the General Provisions for the Protection of Personal Data in Colombia, which were also regulated by Decrees 1377 of 2013 and 886 of 2014 (nowadays incorporated in the Single Decree 1074 of 2015), among others.

In compliance with the above provisions, SILEO, aware of its responsibility regarding the processing of the owners' personal data, guarantees the constitutional right of all people and companies to know, update, rectify, delete and revoke the authorization in relation to the information collected about them in the databases that the Company has gathered for the purposes provided by law and the respective authorizations, which have been treated in accordance with the provisions of the national regime of the protection of personal data.

SILEO has prepared this PERSONAL DATA PROCESSING POLICY for such purposes, whose application is mandatory for all natural or legal persons that treat and record personal data in the databases of the Company, in order to provide the necessary guidelines for compliance with legal obligations regarding the protection of personal data.

The Company informs all interested parties that the personal data obtained due to the operations requested by or entered into with SILEO will be treated in accordance with the principles and duties defined in the Law 1581 of October 17, 2012 and other rules that treat and regulate this matter.

For all relevant purposes, the domicile of the Company SILEO is CR 6 24 SUR 2 30, Medellín, Colombia.
 


_____________________________________________________________

 

B. Object

The purpose of this Policy is to provide the necessary and sufficient information to the different stakeholders, as well as to establish the guidelines that guarantee the protection of personal data that are subject to personal data processing through SILEO's measures in order to comply with the law, policies and procedures regarding the fulfillment of the rights of the owners, as well as the criteria for the collection, storage, use, circulation and suppression of personal data.

 

_____________________________________________________________

 

C. Recipients

This Policy shall apply to all databases, both physical and digital, containing personal data that are subject to processing by SILEO, so that the Company is considered responsible. It shall likewise apply in those cases in which they operate as a responsible party for the processing of personal data.

This Policy is aimed at ensuring that employees, suppliers, contractors, and all natural and legal persons related to SILEO along with other companies and citizens in general have at their disposal the necessary and sufficient information about the different treatments and purposes for which their data will be collected and processed, as well as the rights that they, as owners of personal data, can exercise against SILEO when it has the role of a responsible party for the processing of their personal data. This Policy is of mandatory knowledge and compliance by all natural or legal persons responsible for the administration of SILEO's personal databases, especially the administrators of SILEO's database management and by those employees and contractors who receive, assist and respond directly or indirectly to requests (such as queries or claims) for information related to the protection of personal data law.


_____________________________________________________________


D. Scope

To ensure an expeditious and legal processing of the different requests and claims made by the Information Owners, as well as by their successors in title or any other person with the required authorization. To comply with the requirements of the regulations in force regarding Protection of Personal Data, as well as any requirements arising from the principle of accountability. To provide due protection to the interests and needs of the owners of the Personal Information processed by SILEO.

 

 

_____________________________________________________________

 

 


E. Glossary

In the development, interpretation and application of the law, regulations, and standards in force, the following definitions shall be applied in a harmonious and integral manner:

CHILDREN AND TEENAGERS RIGHTS: Respect for the prevailing rights of children and teenagers shall be ensured in the data processing activities. If some information includes details of an underage person or some underage people, only data of a public nature may be processed.

CONFIDENTIALITY: The element of security of the information that allows data owners and third parties to establish who, when and under what circumstances it can be accessed and stored.

DATA OWNER: A natural person whose personal data are subject to Processing.

DATA PROCESSING: Any operation or set of operations on Personal Data carried out by SILEO or the Data Processors, such as collection, storage, use, circulation or deletion.

DATA QUALITY: The Personal Data subject to processing must be truthful, complete, accurate, updated, verifiable and understandable. When in possession of partial, incomplete, fractioned or misleading personal data, SILEO shall refrain from submitting it for processing, or request the owner to complete or correct the information.

DATABASE: An organized set of Personal Data that are subject to processing. It includes both physical and electronic files.

DIGITAL INFORMATION: All information that is stored or transmitted by electronic and digital means such as e-mail or other information systems.

PERSON THAT IS IN CHARGE OF PROCESSING: A natural or legal person, public or private, who on their own or in association with others, performs the Personal Data Processing on behalf of the Controller. SILEO acts as a personal data processor in those cases, in which by itself or in association with others, performs the personal data processing on behalf of a data owner or controller.

PERSON THAT IS RESPONSIBLE FOR THE PROCESSING: A natural or legal person, public or private, who on their own or in association with others, decides on the database and/or the processing of data. SILEO acts as a responsible party for the personal data processing of all personal data on which it decides directly, in compliance with its own legally recognized functions.

PERSONAL DATA: Any information that is linked or that can be associated to one or several determined or determinable natural persons. Then Personal Data should be understood as information related to a natural person (a human individually considered).

PUBLIC DATA: Any information that is not semi-private, private or sensitive. Public Data includes, but is not limited to, data related to the marital status of individuals, their profession or trade, and their status as merchants or public servants. Due to its nature, public data may be found, for instance, in public records, public documents, official gazettes and bulletins, and duly executed court rulings that are not subject to confidentiality measures.

RESPONSIBLE AREA FOR ASSISTANCE TO PETITIONS, COMPLAINTS, CLAIMS AND QUERIES: It is the area within SILEO whose function is to assist data owners who make requests such as petitions, complaints, claims and queries. It is included in the Commercial Management division through the figure of the Data Protection Officer assigned to it.

RESPONSIBLE AREA FOR DATA PROTECTION: It is the area within SILEO whose function is to monitor and control the application of the Personal Data Processing Policy and the implementation of the Integral Personal Data Protection Program.

RESTRICTED ACCESS: Level of access to information limited to previously defined parameters. SILEO shall not make Personal Data available for access through the Internet or other mass media, unless technical measures are established to control access and restrict it only to Authorized Persons.

RESTRICTED CIRCULATION: Personal Data shall only be processed by SILEO's personnel or by those who, within their functions, are in charge of carrying out such activities. Personal Data may not be given to those who do not have authorization or have not been authorized by SILEO to process it.

SEMIPRIVATE DATA: Any information that is not of an intimate, reserved or public nature and whose knowledge or disclosure may be of interest not only to its owner but also to a certain sector or group of natural and legal persons or to society in general, as is the case of financial, credit or commercial activities data.

SENSITIVE DATA: Any information that affects the privacy of the owner or whose improper use may generate discrimination, such as those pieces of information that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, or human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sex life and biometric data.
 

 

_____________________________________________________________

 

 


F. Guiding Principles

In the development, interpretation and application of the law, regulations and standards in force, the following principles shall be applied in a harmonious and integral manner:

1. Principle of Legality in the Matter of Data Processing: Data Processing is a regulated activity that must be subject to the provisions of Law 1581 of October 17, 2012, other regulatory decrees and other provisions that develop it.

2. Principle of Purpose: Data Processing must obey a legitimate purpose in accordance with the Colombian Constitution and the Law, which must be informed to the Data Owner.

3. Principle of Freedom: Data Processing may only be carried out with the prior, express and informed consent of the Data Owner. Personal Data may not be obtained or disclosed without prior authorization, or in the absence of legal or judicial mandate that relieves the consent.

4. Principle of Truthfulness or Quality: The information subject to Data Processing must be truthful, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fractioned or misleading data is prohibited.

5. Principle of Transparency: The right of the Data Owner to obtain from the Data Controller or the Data Processor, at any time and without restrictions, information about the existence of data concerning them, must be guaranteed in the Data Processing.

6. Principle of Access and Restricted Circulation: Data Processing is subject to the limits derived from the nature of the personal data, the provisions of the law and the Colombian Constitution. In this sense, the Data Processing may only be carried out by natural or legal persons authorized by the owner and/or by the persons provided by law. Personal data, except for public information, may not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to the owners or authorized third parties.

7. Principle of Security: The information subject to Data Processing by the Data Controller or Data Processor referred to in the law, shall be handled with the technical, human and administrative measures necessary to provide security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.

8. Principle of Confidentiality: All employees and contractors involved in the Personal Data Processing that are not of a public nature are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks that comprise the Data Processing, and may only provide or communicate personal data when it corresponds to the development of the activities authorized by law and under the terms of the same. SILEO undertakes to treat the personal data of the owners as defined in paragraph g) of Article 3 of Law 1581 of October 17, 2012 in an absolutely confidential manner, using them exclusively for the purposes indicated in the preceding paragraph, provided that the owner has not objected to such treatment. SILEO informs the Data Owners and their successors that it has implemented the necessary technical and organizational security measures to ensure the safety of your personal data and prevent their alteration, loss, treatment and/or unauthorized or fraudulent access.

9. Principle of Temporality: Personal Data will be kept only for the reasonable and necessary time to fulfill the purposes that justified the data processing, considering the provisions applicable to the matter in question and the administrative, accounting, fiscal, legal and historical aspects of the information. The personal data will be kept when this is necessary to comply with a legal or contractual obligation. Once the purpose of the processing and the terms set forth above have been fulfilled, the data will be deleted.

10. Principle of Integral Interpretation of Constitutional Rights: The rights shall be interpreted in harmony and in balance with the right to information provided in Article 20 of the Colombian Constitution and with the applicable constitutional rights.

11. Principle of Necessity: The personal data processed must be strictly necessary for the fulfillment of the purposes pursued with the database.
 

 

_____________________________________________________________

 

 


G. Special Data


Sensitive Data

Sensitive data are understood as those pieces of information that affect the privacy of the Data Owner or whose improper use may generate discrimination, such as those pieces of information that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sex life and biometric data.

Sensitive Data Processing: The processing of sensitive data is prohibited, except when:

a. The Data Owner has given their explicit authorization to such Data Processing, except in cases where the granting of such authorization is not required by law.

b. The Data Processing is necessary to safeguard the vital interest of the Data Owner and the individual is physically or legally incapacitated. In these events, the legal representatives must grant their authorization.

c. The Data Processing refers to data that are necessary for the recognition, exercise or defense of a right in a judicial process.

d. The Data Processing has a historical, statistical or scientific purpose. In this event, the measures leading to the suppression of the identity of the Data Controllers must be adopted.

Special authorization of sensitive personal data processing: SILEO will inform all its owners, through the various means of obtaining authorization, that under Law 1581 of October 17, 2012 and regulatory standards they are not required to grant authorization for the sensitive data processing.

In case of health-related data processing, SILEO will implement the necessary measures to protect the confidentiality of the information. The sensitive biometric data processed are intended for the identification of individuals, security, compliance with legal obligations and the proper provision of products.


Children and Teenagers' Data

The children and teenagers' personal data processing is prohibited, except in the case of data of a public nature and when such processing complies with the following parameters and/or requirements:

- That they respond to and respect the best interests of children and teenagers.

- That it ensures their fundamental rights will be respected.

Once the above requirements have been met, the legal representative of the children or teenagers will grant the authorization, after the minor has exercised their right to be heard, an opinion that will be assessed considering the maturity, autonomy and capacity to understand the matter. 

 

_____________________________________________________________

 

 

 
H. Data Processing and Purposes

In accordance with the provisions of Law 1581 of October 17, 2012 and in accordance with the authorizations given by the Data Owners, SILEO will carry out operations or a set of operations that include data collection, storage, use, circulation and/or deletion. This data processing will be carried out exclusively for the purposes authorized and provided for in this Policy and in the specific authorizations granted by the owner. In the same way, Personal Data Processing will be carried out when there is a legal or contractual obligation to do so, always under the guidelines of the Information Security policies.

Due to the legal person nature of SILEO, in all cases the personal data may be processed for the purpose of advancing the control processes as well as internal and external audits and evaluations carried out by national or multilateral control agencies.

Likewise, in execution of the corporate purpose of SILEO, personal data will be processed in accordance with the group of interest and in proportion to the purpose or purposes of each treatment, as described below:

Users, customers or citizens in general

The processing of Personal Data by SILEO will have the following purposes:

a. Controlling the requests related to the products and services provided by SILEO.

b. Sending the answers to the queries and rights of petition to the pleaders.

c. Carrying out the formalities, products and services sales and other procedures that are executed directly or indirectly by SILEO.

d. Sending communications and notifications associated with the procedures issued by the mission and support areas of SILEO.

e. Updating databases, including cases in which it is required to transmit or transfer data to a third party, using the information for validation, debugging, enrichment and homogenization of data, ensuring prior compliance with legal requirements.

f. Handling of information by suppliers and/or contractors for procedures related to formalities, products and services sales defined in their respective links with the Company and whenever strictly necessary.

g. Elaborating studies, statistics, surveys, trend analysis, and other activities related to the products and services provided by SILEO.

h. Submitting reports to external entities, which allow compliance with the legal, contractual and statistical analysis requirements required of SILEO.

i. Managing the necessary information to comply with tax, contractual and commercial obligations, as well as commercial, corporate and accounting records.

j. Transmitting the information to national or international agents with whom it has an operational relationship that provide the products and services necessary for the proper operation of SILEO.

k. Providing information of products and services through the different means of contact.

l. Evaluating the quality of the products and services provided.

m. Other purposes that are determined in processes of obtaining Personal Data for processing, in any case in accordance with the Law and within the framework of the functions established in SILEO's mission statements.

n. Storing, organizing, classifying and cataloguing the personal data within the formats, systems, files and databases of SILEO.

o. Conducting credit record studies, consulting credit bureaus prior to the approval of a credit application, as well as the corresponding negative report in case of non-compliance with its obligations.

p. Carrying out the pertinent steps to guarantee the fulfillment of contracts.

q. Managing procedures (such as petitions, requests, complaints, and claims), performing risk analysis, conducting satisfaction surveys regarding the Company's services, as well as those of its commercial allies.

r. Providing contact information and relevant documents to the sales force and/or distribution network, telemarketing, market research and any third party which has a contractual relationship of any kind.

s. Providing necessary and sufficient information about the items or services marketed by SILEO, which allow you to complete their purchase.

t. Disclosing, transferring and/or transmitting the owner's personal data to third parties inside and outside the country as a result of a contract, law or lawful link that requires it for providing or obtaining the respective services, under business agreements or commercial alliances.

u. Providing the information to third parties that have a contractual relationship with SILEO and only when it is necessary to deliver it to them for the fulfillment of the contracted object.

v. Sending information such as news, promotions, newsletters and advertising about the products and services marketed by SILEO or its allies which have a signed contract with the Company, through text messages, physical documents, emails, offers published on the Internet and push notifications.

x. Carrying out market strategies by studying user behavior in relation to the offers, thus improving their content and personalizing presentations and services.

y. Conducting behavioral studies of offers and purchases, and making improvements and changes in the way of providing the service based on these studies.

z. Elaborating commercial prospecting plans and carrying out market segmentation activities.

aa. Submitting reports to the inspection, surveillance and control authorities, and processing the requirements made by administrative or judicial entities.

bb. Transferring or transmitting data nationally or internationally to suppliers with whom SILEO develops activities in compliance with its corporate purposes. Likewise, transfers may be made to the Company's strategic allies to carry out marketing, advertising, data analysis and promotional activities associated with its commercial activity, all in accordance with the provisions of Colombian regulations.

cc. Controlling and preventing fraud in any of its modalities.
 


Employees, suppliers and contractors


a. Carrying out the necessary activities to comply with legal obligations in relation to employees and former employees of SILEO.

b. Ensuring compliance with requirements related to the General Social Security System in Colombia.

c. Publishing the corporate directory with the purpose of contacting employees.

d. In case of biometric data captured through video surveillance or recording systems, its processing and treatment will have the purpose of identification, security and prevention of internal and external fraud.

e. Personal Data of minors will be processed only in order to comply with legal obligations.

f. In the case of participants in selection processes, the personal data processed will be used for the purpose of advancing the management of the selection processes, the resumes will be managed ensuring the principle of restricted access.

g. Informing the public and communicating the generalities of the events developed by SILEO through the means and in the ways deemed appropriate by its management team or contracted third parties for marketing and advertising purposes.

h. Managing SILEO's budget chain, SILEO's payments, issuance of income and withholding certificates (natural and legal persons in Colombia) and payment relations.

i. Managing the accounting process of SILEO.

j. For all purposes related to the object of selection, contractual or related human resources processes.

k. Performing all internal procedures and compliance with accounting, tax and legal obligations.

l. Carrying out all the necessary activities for the compliance of the different contractual stages in the relations with employees, suppliers and contractors.

m. Issuing the contractual certifications requested by the Company's contractors or requests from the control entities.

n. Maintaining a digital file that allows the Company to have the information corresponding to each contract and project.

o. For all other purposes determined in processes of obtaining Personal Data for its processing and treatment, in any case in accordance with the Law and within the framework of the functions established in SILEO's mission statements.

 

 

_____________________________________________________________

 

 


I. Personal Data Transference and Transmission

SILEO may transfer and transmit personal data to third parties with whom it has an operational relationship that provide products and services which are necessary for its proper operation, or in accordance with the functions established by Law. In such cases, the necessary measures will be adopted so that the natural or legal persons who have access to your personal data comply with this Personal Data Processing Policy and with the principles of personal data protection and obligations established in the Law.

In any case, when SILEO transmits the data to one or more data processors located within or outside the territory of the Republic of Colombia, it shall establish contractual clauses or sign a contract for the transmission of personal data which shall indicate:

a. The scope of the data processing.

b. The activities that the person or team in charge will perform on behalf of the data controller for the personal data processing.

c. The obligations of the processor towards the owner and the data controller.

By means of such contract, the person or team in charge shall undertake to implement the obligations of the data controller under the information processing policy established by the latter and to carry out the data processing in accordance with the purpose authorized by the Data Controllers and with the applicable laws in force.

In addition to the obligations imposed by the applicable regulations within the aforementioned contract, the following obligations shall be included for the respective data processor:

1. Providing processing and treatment to the personal data in accordance with the principles that protect them on behalf of the data controller.

2. Safeguarding the security of the databases containing personal data.

3. Keeping confidentiality with respect to the processing of personal data.

In case of transfer, the obligations stipulated in Law 1581 of October 17, 2012 and regulatory standards shall be complied with.

 

_____________________________________________________________

 

 

J. Rights and Legality Conditions for the Data Processing


Rights of the Data Owners

In the Personal Data Processing by SILEO or third parties authorized by it, the rights of the Personal Data Owners will be respected at all times, which are:

a. To know, update and rectify the Data against it or the Data Processors.

b. To request proof of the granted authorization, or any other activity that the owner of the Personal Data carries out for the corporate purposes, except when expressly exempted as a requirement for the Data Processing in accordance with the Law.

c. To be informed by SILEO as the Data Processor, upon request, regarding the use that has been made of the data.

d. To file before the Competent Authority complaints for violations of the provisions of the law and other rules that modify, replace or add to it.

e. To revoke the authorization and/or request the deletion of the data when the processing does not respect the principles, rights and constitutional and legal guarantees. The revocation and/or deletion shall proceed when the Competent Authority has determined that, in the Processing, SILEO or those in charge of the Processing of Personal Data have engaged in conduct contrary to the law and the Constitution. The revocation shall proceed as long as there is no legal or contractual obligation to keep the personal data.

f. To have access free of charge to the Personal Data that have been subject to Processing under the conditions set forth in the Law.

Authorization of the Data Owners

Notwithstanding the exceptions provided by Law, the data processing requires the prior and informed authorization of the Data Owner, which must be obtained by any means that may be subject to subsequent consultation. It shall be understood that the authorization complies with these requirements when it is expressed (i) in writing, (ii) orally or (iii) through unequivocal conduct of the owner that allows one to reasonably conclude that they granted the authorization, such as when, for example, a resume is sent to the Company to participate in selection processes or when entering the facilities knowing the existence of video surveillance systems.

Cases in which authorization is not required: The authorization of the Data Owner shall not be necessary when dealing with:

a. Data of a public nature.

b. Cases of medical, sanitary or humanitarian emergency.

c. Data Processing authorized by law for historical, statistical or scientific purposes.

d. Data related to the Civil Registry of People or Legal Persons Registry in Colombia.

e. Whoever accesses personal data without a prior authorization must in any case comply with the provisions contained in Law 1581 of October 17, 2012 and other concordant regulations currently in force.


Information Supply

The information requested by the owners of personal information will be provided mainly by electronic means, or by any other means only if so required by the owner. The information provided to/by SILEO will be delivered without technical barriers that prevent its access; its content will be easy to read, it will be easy for the owners or the third parties authorized by Law to access it and it will have to correspond in its entirety to the information contained in the database.


Information Duty

SILEO shall provide the following information to the Data Owner clearly and expressly at the time of requesting the authorization:

a. The processing to which their personal data will be subjected and the purpose thereof.

b. The optional nature of the answer to the questions asked, when they deal with sensitive data or data of children and teenagers.

c. The rights they have as Data Owners.

d. The identification, physical or electronic address and telephone number of the data controller.

e. SILEO, as the data controller, shall keep proof of compliance with the provisions of this paragraph and shall provide the data owners with a copy thereof when requested by them.



People or Entities that can be informed

The information that meets the conditions established by law may be provided to the following people or entities:

a. To the Data Owners, their successors in title or their legal representatives, who shall be accredited accordingly.

b. To public or administrative entities in the exercise of their legal functions or by court order.

c. To third parties authorized by the Data Owner or by law.

 

_____________________________________________________________

 



K. Duties of Data Processors


Duties of responsible parties of Data Processing

SILEO, as the data controller, shall comply with the following duties, without prejudice to the other provisions set forth in the law and in other decrees governing its activity:

a. Guaranteeing the Data Owner the full and effective exercise of the right of habeas data at all times.

b. Requesting and keeping a copy of the respective authorization granted by the Data Owner under the conditions provided by law.

c. Duly informing the Data Owners about the purpose of the data collection and the rights they have by virtue of the authorization granted.

d. Keeping the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.

e. Guaranteeing that the information provided to the Data Processor is truthful, complete, accurate, updated, verifiable and understandable.

f. Updating the information, communicating in a timely manner to the Data Processor all developments with respect to the data previously provided and taking other necessary measures to ensure that the information provided to it is kept up to date.

g. Rectifying the information when it is incorrect and communicating the relevant information to the Data Processor.

h. Providing the Data Processor, as the case may be, only with personal data whose processing is previously authorized in accordance with the provisions of the law.

i. Demanding respect for the security and privacy conditions of the Data Owner's information from the Data Processor at all times.

j. Processing the queries and claims formulated by the Data Owners in the terms set forth in the law.

k. Adopting specific procedures to ensure proper compliance with the law and, in particular, for the handling of queries and claims from the Data Owners.

l. Informing the Data Controller when certain information is under discussion by the Data Owner, once the claim has been filed and the respective process has not been completed.

m. Informing the Data Owners about the use of their data following their requests.

n. Informing the data protection authority when there are violations of the security codes and there are risks in the administration of the data owner's information.



Duties of parties in charge of Data Processing


The Data Processors, and in the event that SILEO acts as a data processor, shall comply with the following duties, without prejudice to the other provisions set forth in the law and other decrees governing their activity:

a. Guaranteeing the Data Owner the full and effective exercise of the right of habeas data at all times.

b. Keeping the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access. Those parties in charge shall comply with the minimum security conditions defined in the National Registry of Databases.

c. Carrying out the timely update, rectification or deletion of personal data under the terms of Law 1581 of October 17, 2012 and other concordant and current regulations.

d. Updating the information reported by the data controllers within five (5) business days from receiving it.

e. Processing queries and claims made by the Data Owners and Data Controllers under the terms set forth in this policy.

f. Adopting an internal manual of policies and procedures to ensure proper compliance with the law and, in particular, for the handling of queries and claims by the Data Owners.

g. Registering in the databases the legend "claim in process" in the manner regulated by law.

h. Inserting in the database the legend "information under judicial discussion" once notified by the competent authority about judicial proceedings related to the quality of the personal data.

i. Refraining from circulating information that is being disputed by the Data Owner and whose blocking has been ordered by the Colombian Superintendence of Industry and Commerce or by the Data Owner or Data Controller.

j. Allowing access to the information only to the natural or legal persons who may have access to it lawfully.

k. Informing the Data Controller when there are violations of the security codes and there are risks in the administration of the information of the Data Owners.

l. Complying with the instructions and requirements issued by the Colombian Superintendence of Industry and Commerce.

m. Verifying that the Data Controller has the authorization for the processing of personal data of the Data Owner.



_____________________________________________________________


 


L. General Actions for the Personal Data Protection  
 
The following are the general guidelines applied by SILEO in order to comply with its obligations and commit to the principles for the administration of personal data.
These guidelines are complementary to the policies, procedures or general instructions currently existing and implemented, among which are the data and information security policies, and at no time are they intended to replace or disregard them.


Data Processing and Information Treatment 
All members of SILEO, when performing the activities inherent to their position, will assume the responsibilities and obligations that they have in the proper handling of personal information, from its collection, storage, use and circulation until its final disposal.

 
Information Use  
The personal information contained in the databases must be used and processed in accordance with the purposes described in this policy.  

In the event that any area identifies new uses different from those described in this Personal Data Processing Policy, the situation must be informed to the Personal Data Protection Officer, who will evaluate and manage, when applicable, its inclusion in this policy. Likewise, the following assumptions must be taken into consideration: 

a. In the event that an area other than the one that initially collected the personal data needs to use the personal data that has been obtained, this may be done as long as it is a foreseeable use in the corporate purposes established in SILEO's mission statements and for a purpose contemplated within this Personal Data Processing Policy.

b. Each area must ensure that in the recycling practices of physical documents no confidential information or personal data is disclosed. Therefore, it shall not be possible to recycle resumes, academic degrees, academic or labor certifications, medical examination results or any document containing information that allows unauthorized third parties to identify a person.  

c. In the event that a person in charge of data processing has provided personal data or databases to any area for a specific purpose, the area that requested the personal data must not use such information for a purpose other than that related to the Personal Data Processing Policy; at the end of the activity, it is the duty of the area that requested the information to eliminate the database or the personal data used, avoiding the risk of outdated information or cases in which during that time a data owner has filed a claim and the authorization has been revoked.  

d. Employees may not make decisions that have a significant impact on personal information, or that have legal implications, based exclusively on the information provided by the information system, so they must validate the information through other physical instruments or manually, and even directly by the data owner in cases where it is necessary.  

e. Only authorized officers and contractors may enter, modify or cancel the data contained in the databases or documents subject to protection. User access permissions are granted by the area defined in the applicable protocols, according to the established profiles, which will be previously defined by the leaders of the processes where the use of personal information is required.  

f. Any use of the information other than the established ones will be previously consulted with the Personal Data Protection Officer.
 


Information Storage  
The storage of both digital and physical information is performed in media or environments that have adequate controls for data protection. This involves different kinds of security controls (physical, digital, technological and environmental) in restricted areas, in our own facilities and/or computer centers or document centers managed by authorized third parties.
 
Information Destruction 
The destruction of physical and electronic media is carried out through mechanisms that do not allow their reconstruction. It is carried out only in those cases in which it does not constitute the disregard of any legal norm, always leaving the respective traceability of the action. 
Destruction includes information held by third parties as well as in the Company's own facilities. 


Information Security Breach Incidents  
An incident is understood to be any anomaly that affects or could affect the security of the databases or information contained therein. 
In case of knowing about any incident, the user must report it to the Data Protection Officer, who will take the appropriate measures to deal with the aforementioned incident. 

The Personal Data Protection Officer shall report the incident to the Personal Data Protection Office of the COLOMBIAN SUPERINTENDENCE OF INDUSTRY AND COMMERCE, in the module enabled for such purpose, within fifteen (15) business days from the time the incident becomes known.

Incidents may affect both digital and physical databases and will generate the following activities: 

* Incident Notification:
When it is presumed that an incident may affect or has affected databases with personal information or personal data, it shall be reported to the Personal Data Protection Officer who will manage its report in the National Database Registry. 

* Incident Management:
It is the responsibility of each officer, contractor, consultant or authorized third party to report any suspicious event, weakness or violation of policies that may affect the confidentiality, integrity and availability of SILEO's assets and personal information in a timely manner.  

* Incident Identification: All suspicious or abnormal events, such as those situations where the potential for loss of confidentiality or secrecy of information is observed, should be evaluated to determine whether or not they are an incident and should be reported to the appropriate level in the organization. Any decisions involving investigative and judicial authorities should be made jointly between the Personal Data Protection Officer and SILEO's Legal Department. Communication with such authorities will be made by the latter.


* Incident Reporting: All incidents and suspicious events should be reported as soon as possible through SILEO's established internal channels.  

If sensitive or confidential information is lost, disclosed to unauthorized personnel or any of these events are suspected, the Personal Data Protection Officer must be notified immediately. 
Employees must report to their line manager and to the Personal Data Protection Officer any damage or loss of computers or any other devices when they store personal data in SILEO's possession.  


Unless there is a duly reasoned and justified request from the competent authority, no employee or contractor may disclose information on computer systems and networks that have been affected by a computer crime or system abuse. For the release of information or data pursuant to an order of authority, SILEO's Legal Department shall intervene in order to provide appropriate advice.

* Incident containment, investigation and diagnosis:
The Personal Data Protection Officer must ensure that actions are taken to investigate and diagnose the causes that generated the incident, as well as ensure that the entire incident management process is properly documented, with the support of the Technology area and the IT Office.
In the event that a computer crime is identified, in the terms established in Law 1273 of 2009, the Personal Data Protection Officer and the Legal Department will report such information to the respective judicial investigation authorities.
During the investigation processes, the "chain of custody" must be guaranteed and preserved in case legal action is required.

* Incident Resolution: Any compromised area and those people directly responsible for the management of personal data must prevent the security incident from recurring, correcting all existing vulnerabilities.

* Incident Closure and Follow-up:
The Personal Data Protection Officer and the areas that use or require the information will initiate and document all tasks to review the actions that were executed to remediate the security incident.  
The Personal Data Protection Officer will prepare an annual analysis of reported incidents. The findings of this report will be used in the development of awareness campaigns to help minimize the likelihood of future incidents. 

* Incident Reporting:
Security incidents affecting the database will be reported as new developments in accordance with the following rules:  

The violation of security codes or the loss, theft and/or unauthorized access of information from a database managed by the Data Controller or its Data Processor, shall be reported to the National Database Registry within fifteen (15) business days from the time they are detected and brought to the attention of the person or area in charge of dealing with them.
 

The process leaders and/or data asset owners shall report the incidents associated with personal data internally to the Personal Data Protection Officer, who, within the legal term and with the intervention of SILEO's Legal Department, shall proceed to report them to the National Database Registry.

 

 

_____________________________________________________________

 

 

M. Assisting Data Owners with Petitions, Complaints, Claims and Queries 
 
Petitions, complaints, claims and queries formulated by the Personal Data Owners under Processing by SILEO in order to exercise their rights to know, update, rectify and delete data, or revoke the authorization should be addressed to:  

- Personal Data Protection Officer: Juliana Gómez Sánchez
 

- E-mail address: sileotj@gmail.com 
 

The aforementioned officer will be the person whom the Personal Data Owners need to contact for all the purposes set forth in this Policy.
 
 

 
Petitions, Complaints, Claims and Queries Assistance Procedure 
The Personal Data Owners, regardless of the type of relationship they have with SILEO, may exercise their rights to know, update, rectify and delete information and/or revoke the authorization granted, in accordance with the "Procedure to update, rectify and delete information and/or revoke authorizations" and this Personal Data Processing Policy. 
 
Responsible party of assisting queries  


The Personal Data Protection Officer of SILEO will be responsible for receiving and processing the submitted queries, in the terms, intervals and conditions set forth in Law 1581 of October 17, 2012 and in this Policy. 
Queries addressed to SILEO must have been submitted through the contact means enabled by the Company and they must contain at least the following information: 

a. Names and surnames of the Data Owners and/or their representative(s) and/or assignee(s).

b. What is intended to be QUERIED.

c. Physical and electronic address and contact telephone number of the Data Owners and/or their representative(s) and/or assignee(s).

d. Signature, identification number or corresponding identity validation procedure.

Once the request for a QUERY of information is received from the Data Owners and/or their representative(s) and/or duly authorized assignee(s) through the channels established by the respective area of SILEO, the request will be forwarded to the Personal Data Protection Officer, who will proceed to verify that the request contains all the required specifications in order to assess that the right is exercised by data owners or their representative(s), thereby proving that they have the legal legitimacy to do so.
 



Timeframe for assisting queries
 
Requests received through the above means and under the above conditions will be answered within a maximum term of ten (10) business days from the date of receipt. 
In case of impossibility to assist the Data Owners with their query within such term, the interested party will be informed before the expiration of the ten (10) business days, stating the reasons for the delay and indicating the date on which the query will be processed and answered, which in no case may exceed five (5) business days following the expiration of the first term.  
 
Claims Procedure 
The following rights are guaranteed through the claims procedure:  

a. Correction or Update: SILEO and/or the Data Processors shall guarantee the Owners whose Personal Data is stored in their databases (or their assignees) the right to correct or update the personal data contained in their databases, by filing a claim when they consider that the parameters established by law or those indicated in this Personal Data Processing Policy are met in order for the request for Correction or Update to be admissible.  

b. Revocation of Authorization or Suppression of Personal Data: SILEO and/or the Data Processors shall guarantee the Owners  whose Personal Data is stored in their databases (or their assignees) the right to request the revocation of the authorization or request the suppression of the information stored in their individual record or all that is linked to their identification when they consider that the parameters established by law or those indicated in this Personal Data Processing Policy are met. Likewise, they are guaranteed the right to file claims when they notice the alleged breach of Law 1581 of October 17, 2012 or of the present Personal Data Processing Policy. 
 
 

Responsible party of assisting claims  


The Personal Data Protection Officer of SILEO will be responsible for receiving and processing the submitted claims, in the terms, intervals and conditions set forth in Law 1581 of October 17, 2012 and in this Policy. 
Claims addressed to SILEO must have been submitted through the contact means enabled by the Company and they must contain at least the following information:


a. Names and surnames of the Data Owners and/or their representative(s) and/or assignee(s).

b. What is intended to be UPDATED or RECTIFIED. 

c. Physical and electronic address and contact telephone number of the Data Owners and/or their representative(s) and/or assignee(s).

d. Signature, identification number or corresponding identity validation procedure.
 

Once the request for an UPDATE or a RECTIFICATION of information is received from the Data Owners and/or their representative(s) and/or duly authorized assignee(s) through the channels established by the respective area of SILEO, the request will be forwarded to the Personal Data Protection Officer, who will proceed to verify that the request contains all the required specifications in order to assess that the right is exercised by data owners or their representative(s), thereby proving that they have the legal legitimacy to do so. 


Unlawful Requests  
In the event that the request (for a query or a claim) is filed without compliance with the above legal requirements, the interested party will be asked to correct the faults and submit the missing information or documents within five (5) business days following receipt of the request.
After two (2) months from the date of the initial request without the interested party submitting the required information, it will be understood that the request has been abandoned.  

Including a legend in the database  
Once the lawful claim has been received in full, within a maximum term of two (2) business days from its receipt, SILEO will include a legend that reads "claim in process" and the reason for the claim in the database entry where the personal data of the Data Owner is stored. Such legend shall be kept in the proper place until the answer to the claim is decided and communicated to the Data Owner.   

Timeframe for assisting claims 
The maximum term to process and answer the claim will be fifteen (15) business days, counted from the day after its receipt.
In case of impossibility to assist the Data Owners with their claim within such term, the interested party will be informed before the expiration of the fifteen (15) business days, stating the reasons for the delay and indicating the date on which the claim will be processed and answered, which in no case may exceed eight (8) business days following the expiration of the first term.  

Personal Data Deletion Procedure 
 
In the event that the deletion of the owner's personal data from the database is appropriate in accordance with the claim filed, SILEO shall operationally perform the deletion in such a way that the deletion does not allow the recovery of the information; however, the Data Owner shall take into account that in some cases certain information shall remain in historical records in compliance with the organization's legal duties, so that its deletion shall be related to the active processing thereof and in accordance with the owner's request.  

 

 

_____________________________________________________________

 

 


N. Access Control and Video Surveillance 


Access Control 
The areas where processes related to confidential or restricted information are carried out must have access controls that only allow authorized collaborators to enter and a system that allows SILEO to keep the traceability of information about incoming and outgoing people. 

Video Surveillance 
SILEO has video surveillance cameras whose purpose is to comply with the physical security policies, in accordance with the parameters established in the Guide for the Protection of Personal Data in Video Surveillance Systems, issued by the Colombian Superintendence of Industry and Commerce as the control authority.
The images and videos shall be kept for a maximum period of ninety (90) days. In the event that the respective image or video is the object or support of a claim, complaint, or any judicial process, they shall be kept until such time as it is resolved. 

 

 

_____________________________________________________________

 

 


O. Training for Employees and Contractors  
SILEO shall develop annual training and awareness programs on Personal Data Protection and information security. SILEO must make this Personal Data Processing Policy known by the means it deems appropriate and thereby train its employees and contractors in the management of personal data at least annually, in order to measure their knowledge on the subject.  
New employees and contractors must receive training on Personal Data Protection and information security leaving a record of their attendance and knowledge at the time of joining SILEO.  

In the development of training and awareness programs, it shall be ensured that employees, contractors and third parties are aware of their responsibilities with respect to personal data protection and information security. 
Training programs shall be updated periodically. 

The Human Resources area, together with the Personal Data Protection Officer, will define training and evaluation plans for employees in accordance with regulatory changes as they arise. 

 

 

_____________________________________________________________

 

 


P. Auditing and Control
 
SILEO will carry out review processes or audits on Personal Data Protection, verifying directly or through third parties that the policies and procedures have been properly implemented in SILEO. The necessary improvement plans (preventive, corrective and improvement activities) will be designed and implemented based on the results obtained during the reviews or audits.  
As a general rule, SILEO will carry out these review processes at least once a year or on an extraordinary basis in the event of serious incidents affecting the integrity of the personal information databases. 
The results of the review, together with any improvement plans, will be submitted by the Personal Data Protection Officer to the Legal Representative for assessment and approval. 

 

 

_____________________________________________________________

 

 


Q. Databases Validity Period 
SILEO's Databases will have the period of validity that corresponds to the purpose for which their processing was authorized and the special rules that regulate the matter, as well as those rules that establish the exercise of SILEO's legal functions or duties.

 

_____________________________________________________________



R. National Database Registry  
In accordance with Article 25 of Law 1581 of October 17, 2012 and its regulatory decrees, SILEO will register its databases along with this Personal Data Processing Policy in the National Registry of databases administered by the Colombian Superintendence of Industry and Commerce, in accordance with the procedure established for that purpose. 

 

_____________________________________________________________




S. Validity, Versions and Updates 
This Personal Data Processing Policy is effective as of the moment of its signature and it complements the associated policies, with indefinite validity. Any substantial change in the Personal Data Processing Policy will be communicated in a timely manner to the data owners through the usual means of contact and/or through the website of SILEO.  
For data owners who do not have access to electronic means or those who cannot be contacted, it will be communicated through notices posted at the Company's headquarters.
This Policy will have a summarized version, which will be published to be read by the general public and users of the products and services of the Company, in compliance with the provisions of Law 1581 of October 17, 2012, regulatory decrees and other concordant and current regulations. 
 

 

_____________________________________________________________


 
T. Changes Summary regarding the previous version 
This Policy is Version 1.0, adjusted to the national protection standard of the Republic of Colombia for the year 2023. This Policy will become effective on June 01, 2023.



Juliana Gómez Sánchez
Legal Representative
SILEO TIMELESS JEWELRY SAS
NIT 901705771 – 5