PROCESSING OF PERSONAL DATA POLICY

INVERSIONES VALLEJUELO SAS

Inversiones Vallejuelo SAS (hereinafter ” The Business” or “The Company“), is a commercial society with NIT. 900655932-5, incorporated as a simplified stock company under Colombian law, through a private document registered in the Chamber of Commerce of the Eastern region of Antioquia on September 18  of 2013 and whose main address is at Km 6.5 vía La Unión, Sonsón, La Unión-Antioquia.

In accordance with the provisions of Law 1581 of 2012, in the Decree 1377 of 2013 and other rules that complement, add, modify, or replace them. The Company, in its capacity of Responsible for personal information and owner of the Website www.picados.com.co  (hereinafter “The Webpage” or “The Website“) adopts this policy for the processing of personal data (hereinafter “The Policy”) in order to protect the personal data provided by its customers, employees, contractors, suppliers, shareholders and strategic allies.

Contact information

Adress:La Unión Antioquia Km. 6,5 Vereda Mazorcal vía a Sonsón.
Telephone:568 80 13
E-mail:info@picados.com.co
  1. LEGAL FRAMEWORK
  1. Political Constitution of Colombia, articles 15 and 20.
  2. Law 1581 of 2012.  
  3. National Decree 1377 of 2013, compiled in Decree 1074 of 2015.
  4. Newsletter of the Superintendence of Industry and Commerce, Title V “Protection of Personal Data”.
  5. Sentence C-748 of 2001 of the Constitutional Court; M.P.: Jorge Ignacio Pretelt Chaljub.
  1. SCOPE OF APPLICATION

The Policy shall be applicable to personal data contained in The Company’s personal databases. Pursuant to Article 2 of Law 1581 of 2012, the following are excluded from the Data Protection Regime contained in the aforementioned Law and in this Policy: (i) databases or files kept in an exclusively personal or domestic environment; (ii) databases and files whose purpose is national security and defense, as well as the prevention, detection, monitoring and control of money laundering and financing of terrorism; iii) databases whose purpose is and contain intelligence and counterintelligence information; iv) databases and files of journalistic information and other editorial content; v) databases and files regulated by Law 1266 of 2008 and; v) databases and files regulated by Law 79 of 1993.

  1. DEFINITIONS

For interpretation purposes of The Policy, and in accordance with current legislation, the following definitions are adopted:

  • Authorization: Prior, express, and informed consent of the Data Subject to carry out the Processing of personal data.
  • Privacy Notice: Verbal or written communication generated by the Responsible Party, addressed to the Data Subject for the Processing of his/her personal data, by means of which he/she is informed about the existence of the information related to Processing policies that will be applicable, the way to access to them and the purposes of Processing that is intended to be given to the personal data.
  • Database: Organized set of personal data that is subject to Processing.
  • Personal data: Any information linked or that may be associated to one or several determined or determinable natural persons. Data, according to their nature, may be public, semi-private, private, or sensitive.
  • Public data: Data that is not semi-private, private or sensitive. Public data includes, among others, data related to the marital status of individuals, their profession or job, and their status as merchants or public servants. Due to their nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins and duly executed court rulings that are not subject to confidentiality. 
  • Semi-private data: Semi-private data is data that is not of an intimate, reserved or public nature and whose knowledge or disclosure may be of interest not only to its owner but also to a certain sector or group of persons or to society in general, such as the financial and credit data of commercial activity or services referred to in Title IV of this law.
  • Private data: It is the data which, due to its intimate or reserved nature, is only relevant to the owner.
  • Sensitive data: Sensitive data is understood as that which affects the privacy of the Holder or whose improper use may generate discrimination, such as that which reveals racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.
  • Data Subject or Holder of the information: Natural person whose personal data are subject to processing.
  • Data Processor: Natural or legal person, public or private, who by himself or in association with others, decides on the database and/or the processing of data.
  • Data Controller: Natural or legal person, public or private, that by himself or in association with others, decides on the database and/or the processing of the data.
  • Transfer: The transfer of data takes place when The Controller and/or  The Processor of personal data, located in Colombia, sends the information or personal data to a recipient, which in turn is the Data Controller and is located inside or outside the country.
  • Transmission: Processing of personal data that involves the communication of such data within or outside the territory of the Republic of Colombia when its purpose is the performance of a Processing by the Processor on behalf of the Controller.
  • Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or suppression.
  1. PRINCIPLES  

The Company shall comply with the following principles in the processing of personal data:

Principle of legality in matters of Data Processing: The Processing of Personal Data must be subject to the provisions of Law 1581 of 2012 and other regulations in force.

Principle of purpose: The processing must obey a lawful purpose in accordance with the constitution and the law, which must be informed to the owner.

Principle of freedom: Processing may only be carried out with the prior, express, and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of legal or judicial mandate that relieves the consent.

Principle of truthfulness or quality: The information subject to Processing must be truthful, complete, accurate, updated, verifiable and understandable. The Processing of partial, incomplete, fractioned or misleading data is prohibited.

Principle of transparency: The right of the Data Subject to obtain from The Company or the Data Processor, at any time and without restrictions, information about the existence of data concerning him/her, must be guaranteed in the Processing.

Principle of restricted access and circulation: Processing is subject to the limits derived from the nature of the personal data, the Constitution, and the Law.

Personal data, except for public information, may not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to the Holders or authorized third parties.

Security Principle: The information subject to Processing by The Company or the Data Processor shall be handled with the technical, human and administrative measures necessary to provide security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.

Confidentiality Principle: All persons involved in the Processing of personal data that are not of a public nature are responsible for ensuring the confidentiality of the information, even after the end of their relationship with any of the tasks involved in the Processing and may only provide or communicate personal data when it corresponds to the development of the activities authorized by law.

  1. RIGHTS OF THE HOLDERS OF THE INFORMATION

The Holders of personal data have the rights established in the regulations in force, especially those set forth in Article 8 of Law 1581 of 2012 and 21 of Decree 1377 of 2013. In this sense, the holders have the following rights:

  1. To know, update and rectify their personal data against The Company or against the Data Processors. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or data whose Processing is expressly prohibited or has not been authorized.
  2. To request proof of the authorization granted to The Company except when expressly exempted as a requirement for The Treatment in accordance with the provisions of Article 10 of Law 1581 of 2012 and the Policy.
  3. To be informed by the Company or the Data Processor, upon request, regarding the use that has been made of their personal data.
  4. To revoke the authorization and request the deletion of the data when the Processing does not respect the principles, rights, and constitutional and legal guarantees. The revocation and/or deletion will proceed when the Superintendence of Industry and Commerce has determined that in the Processing the Controller or Processor has incurred in conduct contrary to the Law and the Constitution.
  5. To consult, free of charge, the personal data that have been subject to Processing.
  6. To the rights established in articles 15 of the Political Constitution of Colombia.
  7. To file complaints before the Superintendence of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and other rules that modify, add or complement it.
  1. THE COMPANY’S DUTIES AND OBLIGATIONS AS PERSONAL DATA CONTROLLER

Without prejudice to other obligations under the law, The Company is obliged to comply with the provisions of Article 17 of Law 1581 of 2012:

  1. Guarantee the Data Subject, at all times, the full and effective exercise of the right of habeas data.
  2. Request and keep, under the conditions set forth in Law 1581 of 2012, a copy of the respective authorization granted by the Data Subject.
  3. Duly inform the Data Subject about the purpose of the collection and the rights he/she has by virtue of the authorization granted.
  4. Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
  5. Ensure that the information provided to the Data Processor is true, complete, accurate, current, verifiable, and understandable.
  6. Update the information, communicating in a timely manner to the Data Processor, all developments with respect to the data previously provided and take other necessary measures to ensure that the information provided to this is kept up to date.
  7. Rectify the information when it is incorrect and communicate the relevant information to the Data Processor.
  8. To keep and provide to the Data Processor as the case may be, only data whose Processing is previously authorized.
  9. Guarantee the respect of the security and privacy conditions of the data subject’s information.
  10. Process queries and claims made by the Data Subject.
  11. Adopt an internal manual of policies and procedures to ensure proper compliance with the law and especially for the attention of queries and claims.
  12. Inform the Data Processor when certain information is under discussion by the Data Subject once the claim has been filed and the respective process has not been completed.
  13. Inform the Data Processor when certain information is under discussion by the Data Subject once the claim has been filed and the respective process has not been completed.
  14. Inform at the request of the Data Subject about the use given to his/her data.
  15. Inform the data protection authority when there are violations to the security codes and there are risks in the administration of the information of the Data Subject.
  16. Comply with the instructions and requirements given by the Superintendence of Industry and Commerce.
  1. DUTIES OF THOSE IN CHARGE OF PERSONAL DATA

Without prejudice to other obligations under the law, those responsible for the Processing of personal data must comply with the provisions of Article 18 of Law 1581 of 2012, which are as follows:

  1. Guarantee the Data Subject, at all times, the full and effective exercise of the right of habeas data.
  2. Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
  3. Timely update, rectify or delete of data according to the terms of the law.
  4. Update the information reported by the Data Controllers within five (5) business days from its receipt.
  5. To process the queries and claims made by the Data Holders under the terms set forth in the law.
  6. Adopt an internal manual of policies and procedures to ensure proper compliance with Law 1581 of 2012 and, in particular for the handling of queries and claims by the Holders.
  7. Register in the database the caption “claim in process” in the manner regulated by law.
  8. Insert in the database the caption “information under judicial discussion” once notified by the competent authority about judicial proceedings related to the quality of the personal data.
  9. Avoid circulating information that is being disputed by the Data Subject and whose blocking has been ordered by the Superintendence of Industry and Commerce.
  10. Allow access to the information only to the persons who may have access to it.
  11. Inform the Superintendence of Industry and Commerce when there are violations to the security codes and there are risks in the administration of the information of the Holders.
  12. Comply with the instructions and requirements given by the Superintendence of Industry and Commerce.

In any case, when the same person is both responsible and in charge, he/she shall comply with the duties of both.

  1. PROCESSING OF PERSONAL DATA AND PURPOSES

The processing of personal data carried out by The Company shall be framed within the Data Protection Regime set forth in the regulations in force and in this Policy. The processing may be carried out on any personal data that the Company has, derived from a permanent or occasional relationship.

The processing of personal data will consist of collecting, capturing, storing, using, treating, capturing, processing, verifying, consulting, reporting, modifying, updating, suppressing, circulating, exchanging, transferring and transmitting the personal data collected.

Purpose applicable to our customers

  • The creation of accounting and computer systems.
  • The verification of commercial background.
  • Management of collections and payments arising from the business relationship.
  • Administrative management of customers in the development of the contractual or commercial relationship.
  • Informing, updating, communicating, organizing, attending, and accrediting the activities in its condition.
  • To Send information or communications related to the Company to comply with contractual obligations and to promote marketing and advertising activities.
  • To consult and report commercial and/or credit information to information operators or credit risk centers.
  • Evaluate the provision of services and products, as well as conduct studies and analyses for internal use.
  • Facilitate the implementation of loyalty programs.
  • Follow up on the compliance of commercial and contractual relationships.
  • Allow access to services provided on the Web Site, including content downloads.
  • Offering promotions.
  • Other activities complementary to or derived from the above.

Purpose applicable to our Suppliers and Contractors

  • The creation of accounting and computer systems.
  • The verification of commercial, reputational, and eventual background, relationship risks with third parties.
  • Management of collections and payments derived from the commercial relationship.
  • Administrative management of suppliers and contractors in the development of the contractual or commercial relationship.
  • Informing, updating, communicating, organizing, attending, and accrediting the activities in their condition as contractors.
  • To consult and report commercial and/or credit information to information operators or credit risk centers.
  • Evaluate the provision of services and products, as well as perform studies and analysis for internal use.
  • Follow up on the compliance of commercial and contractual relationships.
  • Allow access to services provided on the website, including content downloads.
  • Other activities complementary to or derived from the above.

Purpose applicable to our collaborators

  • Manage directly or through a third party the personnel selection processes.
  • Manage the data to make the correct payment of payroll and other values derived from the labor relationship, including discounts for payments to duly authorized third parties.
  • Incorporate the data in the labor contract and other documents required in the labor relationship and derived from it.
  • Manage the personal data and that of your family nucleus to carry out affiliation procedures to the social security entities.
  • Notifications in case of emergency, both to employees and their authorized contacts.
  • Manage and carry out trainings and/or professional and labor development activities.
  • Manage and designate work tools and/or allow access to computer or physical resources.
  • Manage obligations arising from contractual termination.
  • Manage compliance with legal, conventional, or contractual obligations, such as compliance with the Occupational Health and Safety Management System.
  • Other activities complementary to or derived from the above.

Purpose applicable to our shareholders

  • To guarantee the rights and duties derived or consequent to their quality of shareholder.
  • To inform about the activities carried out by the Company in relation to their status as shareholders.
  • Other activities complementary to or derived from the above.

Purpose applicable to all holders

  • Transmit or transfer to national or foreign third parties for their administrative, commercial, legal, accounting, or regulatory compliance management related to the development of its operations.
  • Transmit or transfer to administrative or judicial authorities in compliance with the order of a competent authority or regulatory provision.
  • Allow access to facilities.
  • Respond to complaints, petitions, claims, queries and requirements in general.
  • Notifications derived from regulatory compliance, such as updating this Policy.

Data processing of children and teenagers

The data processing of children and teenagers  is prohibited to avoid violating their rights; however, in accordance with article 12 of Decree 1377 of 2013, the Company may process data of a public nature provided that it complies with the following:

  1. That the processing responds to and respects the best interests of children and teenagers.
  2. That it ensures the respect of their fundamental rights.
  3. That the authorization of the legal representative of the minor is obtained.
  4. The Company must listen to the minor, respecting his or her opinion, which will be assessed considering his or her maturity, autonomy and capacity to understand the matter.

Processing of sensitive data

The Processing of sensitive personal data shall be subject exclusively to the legal exceptions; in this sense, the Company shall only carry out its Processing in the following cases:

  1. The Data Subject has given his/her explicit authorization to such Processing, except in cases whereby law the granting of such authorization is not required.
  2. The Processing is necessary to safeguard the vital interest of the Data Subject and he/she is physically or legally disabled. In these events, the legal representatives must grant their authorization.
  3. The Processing refers to data that are necessary for the recognition, exercise, or defense of a right in a judicial process.
  4. The processing has a historical, statistical, or scientific purpose. In this event, the measures leading to the suppression of the identity of the Data Holders must be adopted.
  1. AUTHORIZATIONS

The Company may carry out the Processing of Personal Data provided that it has the express, prior, free and informed consent of the Data Subject.

The authorization for the processing may be obtained by any means established by the Company, such as physical documents, websites, data messages, e-mails, sound and/or video recording, through a suitable technical or technological mechanism by means of which it may be unequivocally concluded that, if the consent of the Data Subject had not been obtained, the data would never have been collected and stored in the Database, among others. Likewise, the existence of the authorization shall be understood when the unequivocal consent of the Data Subject is evidenced, and it may be subsequently consulted.

The content of the authorization shall comply with the following particularities:

  • It must be understandable, and it may not have technical barriers that hinder its access.
  • It shall inform the processing and purposes to which the personal data may be submitted.
  • It shall expressly include a caption informing the optional nature of the answers that deal with sensitive data.
  • State the rights of the Data Subject.
  • The identification of the Controller, including his mailing and/or e-mail address and telephone number.

Cases in which the authorization of the subject is not required

The Company may carry out the processing of personal data without prior authorization of the Subject, provided that it is the assumptions set forth in Article 10 of Law 1581 of 2013. The following are the cases in which prior authorization will not be required.

  1. Information required by a public or administrative entity in the exercise of its legal functions or by court order.
  2. Public nature Data.
  3. Cases of medical or health emergency.
  4. Processing of information authorized by law for historical, statistical or scientific purposes.
  5. Data related to the Civil Registry of Persons.

In accordance with the provisions of Sentence C-748 of 2001 issued by the Constitutional Court, with respect to cases of medical or health urgency, the Company shall seek prior authorization from the Data Subject. However, the Company may process such cases when it is demonstrably impossible to obtain the authorization or when its management would be particularly problematic.

  1. MECHANISMS FOR THE HANDLING OF REQUESTS, QUERIES AND CLAIMS FROM THE OWNERS OF THE INFORMATION

The Data Holders or their assignees may consult, rectify, update, or request the deletion of the personal information of the Data Subject contained in any database owned by The Company.

The area in charge of receiving the requests, complaints or claims from the Personal Data Holders shall be Customer Service. For this purpose, written or telephone communication may be sent to the following communication channels:

Address:La Unión Antioquia Km. 6,5 Vereda Mazorcal vía a Sonsón. 
E-mail:info@picados.com.co
Web Page Link:www.picados.com.co
Telephone:568 80 13

QUERIES

The queries will be answered within ten (10) working days from the date of receipt of the same, extendable for a period of five (5) working days when the reasons for not attending within the initial term are stated.

CLAIMS

The claim shall be made with respect to data that must be corrected, updated, or deleted, or when there is a warning of non-compliance with the Company’s legal duties. 

The maximum term to address the claim shall be of fifteen (15) business days from the day following the date of its receipt. When it is not possible to address the claim within such term, the interested party shall be informed of the reasons for the delay and the date on which the claim will be addressed, which, in no case, may exceed eight (8) business days following the expiration of the first term.

The claim shall be addressed to the Company or the Data Processor, with the identification of the Data Subject, the description of the facts that give rise to the claim, the address, and accompanied by the documents to be asserted. If the claim is incomplete, the interested party will be required within five (5) days after receipt of the claim to correct the faults. After two (2) months from the date of the requirement, without the applicant submitting the required information, it will be understood that the claim has been abandoned.

If the person receiving the claim is not competent to resolve it, he/she will transfer it to the appropriate person within a maximum term of two (2) business days and will inform the interested party of the situation.

Once the complete claim has been received, a caption will be included in the database stating, “claim in process” and the reason for the claim, within a term no longer than two (2) business days. Such caption shall be maintained until the claim is decided.

Suppression of Personal Data and Revocation of Authorization

The Subject of the information may request to The Company at any time to proceed with the deletion of its personal data in whole or in part, however, the deletion shall not proceed when the Subject has a legal or contractual duty that requires the information contained in the database to achieve its full compliance.

Information to attend requests, queries and/or claims

To protect the confidentiality of the Data Holders and to provide a correct response to a request, query or claim related to the Processing of Personal Data, the Data Subject shall provide the following:

  1. Names, surnames, and the capacity in which he/she acts.
  2. When acting as representative or assignee of a Data Subject, he/she must prove such capacity.
  3. Contact information, to receive a response to your request.
  4. Reasons for your request, query, or claim.
  5. Description of the rights you wish to exercise and the data to be exercised.
  6. Any attachments that may be necessary, in accordance with the reasons given, the rights to be exercised or the capacity in which you are acting.

The following documents shall be considered to prove the capacity in which the applicant is acting:

  • Identification of the subject or assignee.
  • Civil registry of birth, civil registry of death, civil registry of marriage or other document that certifies the capacity of the assignee.
  • Power of attorney granted by acknowledgment of signature and content before a notary if it is the case of representation.
  1. INFORMATION SECURITY

The Company has the tools to help protect the confidentiality, security and integrity of the Personal Data stored in our system. Nevertheless, and although no computer system is completely secure, the measures implemented to reduce the likelihood of security problems are appropriate for the type of data handled within the Company.

  1. VALIDITY AND RELATIONSHIP

Validity and Relationship

The Policy is applicable to all Company personnel, as well as to its suppliers, shareholders, business partners and any third party acting on behalf of the Data Controller.

This Policy shall be effective as of September three (03), 2020. The Policy may be modified, clarified, replaced, added, or updated.

*********

____________________________

Laura Patiño Mejía

Legal Representive

Inversiones Vallejuelo SAS