Gómez Consultores S.A.S (hereinafter, The Firm), domiciled in Bogotá D.C., with physical address Carrera 13 No. 93 – 67 office 101 and e-mail address info@gomezlegal.co , is responsible for the Personal Data provided by the Data Controllers.

This Personal Data Processing Policy (hereinafter, Processing Policy) sets forth the purposes and the procedure for the Processing of the Firm’s Databases, as well as the mechanisms available to the Data Controllers to know, update, rectify and/or delete the data provided or revoke the Authorization granted with the acceptance of the Processing Policy.

Authorization for the Processing of Personal Data is given with the acceptance of this Processing Policy. The conclusion of employment or service contracts with the Firm, as well as the application to enter into such contracts, implies the acceptance by the Data Controllers of this Processing Policy.

In accordance with the provisions of article 3 of Law 1581 of 2012, capitalized expressions in the Processing Policy shall have the meaning given to them herein. Any difference that exists between the terms indicated herein and those established in the Law, those indicated in the Law shall be preferred.

• Authorization: Prior, express and informed consent of the Data Subject to carry out the Processing of personal data.
• Database: Organized set of personal data that is the object of Processing.
• Personal Data: Any information linked or that may be associated to one or several determined or determinable natural persons.
• Sensitive Data: Personal data that affect the privacy of the Data Subject or whose improper use may lead to discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical convictions, membership of trade unions, social organizations, human rights organizations or organizations that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data relating to health, sex life and biometric data.
• Data Processor: Natural or legal person, public or private, who by himself or in association with others, carries out the Processing of personal data on behalf of the Data Controller.
• Data Controller: Natural or legal person, public or private, who by himself or in association with others, decides on the database and/or the Processing of the data.
• Data Subject or Data Controllers: Natural person(s) whose personal data are the object of Processing.
• Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.

Pursuant to Article 8 of Law 1581 of 2012, the Holders of Personal Data shall have the following rights:

• To know, update and rectify their personal data vis-à-vis the Data Controller. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or data whose processing is expressly prohibited or has not been authorized.
• To request proof of the authorization granted to the Data Controller, except when expressly exempted as a requirement for the Processing.
• To be informed by the Data Controller, upon request, regarding the use made of his or her personal data.
• To file complaints with the Superintendence of Industry and Commerce regarding breaches of the provisions of the law and this Processing Policy.
• To know, free of charge, the personal data that has been the object of Processing.
• Any other rights established by law.

Without prejudice to the exceptions provided for in the Law, the Processing requires the prior and informed authorization of the Data Subject, which must be obtained by any means that may be subject to subsequent consultation.

Personal Data is collected, stored, used, circulated, transmitted, transferred, updated, rectified and managed in accordance with the purpose of each type of Processing.

The Firm shall Process Sensitive Data in accordance with the provisions of article 6 of Law 1581 of 2012. The Firm may request the Sensitive Data expressly required in each Authorization.

When the Processing of Sensitive Data is required, the Firm shall require the express Authorization of the Data Subject to such Processing, except in cases where the Law does not require the granting of such Authorization. The Firm shall act with the utmost diligence in the Processing and shall not condition any of its activities to the provision of such data.

Data related to the health status of the Firm’s employees or contractors are Sensitive Data. Therefore, in accordance with the Law, Data Controllers are not obliged to provide them or to authorize their Processing. Should such data be provided and having granted the corresponding consent, they will be collected and processed solely for the purpose of mitigating, controlling and carrying out the appropriate management of diseases, particularly, due to the current situation of the pandemic caused by Covid-19.

In the event that La Firme collects Personal Data from minors, the Firm will act with the utmost diligence in its Processing and will ensure that the prevailing rights of children and adolescents are respected. To this end, it will ensure that the fundamental rights of children and adolescents are respected and that their opinion is heard and properly valued.

For the Processing of Personal Data of a minor under 18 years of age, The Firm will require the prior and express Authorization of the parents or legal guardian, as appropriate.

The Firm shall have mechanisms in place for Data Controllers, their successors in title, representatives and/or attorneys-in-fact, those who have stipulated in favor of or for another and/or the representatives of minors, to make queries regarding the Personal Data contained in the Firm’s Databases.

Queries may be made electronically to info@gomezlegal.co or through written communication filed at the Firm’s physical address Carrera 13 No. 93-67, office 101.

The request will be analyzed to verify the identification of the Data Subject. If the request is made by a person other than the Data Subject and it is not accredited that the applicant is acting on behalf of the Data Subject in accordance with the Law, the request will be rejected. The Controller or Data Processor shall provide the Data Subjects, their assignees, representatives and/or attorneys-in-fact with all the information contained in the individual record or that is linked to the identification of the Data Subject.

The query shall be answered within a maximum period of ten (10) working days from the date of receipt thereof. When it is not possible to answer the query within this period, the interested party shall be informed, stating the reasons for the delay and indicating the date on which the query will be answered, which, in no case, may exceed five (5) working days following the expiry of the first period.

The Data Subject, his/her assignees, representatives and/or proxies who consider that the information contained in a database should be corrected, updated or deleted, or who notice the alleged breach of any of the duties contained in this Processing Policy or in the Law, may file a complaint with the Controller or Data Processor, which shall be processed under the following rules:

• The claim shall be formulated by means of a request addressed to the Controller or Data Processor, with the identification of the Data Subject, the description of the facts that give rise to the claim, the contact address and accompanied by the documents that he/she wishes to assert. If the claim is incomplete, the data subject shall be required within five (5) working days of receipt of the claim to rectify the faults. After two (2) months have elapsed from the date of the request without the applicant having responded to the request for information, The Firm shall consider that the claim has been withdrawn.
• Once the complete claim has been received, within a period of no more than two (2) working days, a legend will be included in the database stating “Claim being processed” and the reason for the claim. This legend shall be maintained until the claim is decided.
• The maximum term for dealing with the complaint shall be fifteen (15) working days from the day following the date of receipt. When it is not possible to deal with the claim within this period, the interested party will be informed of the reasons for the delay and the date on which the claim will be dealt with, which, in no case, may exceed eight (8) working days following the expiry of the first period.

The Firm will handle the information subject to Processing with the technical, human and administrative measures necessary to provide security to the records, avoiding their adulteration, loss, consultation, fraudulent use or access by unauthorized persons.

Thus, the Data Controllers expressly authorize the Firm to store their personal data in the manner and with the security measures it deems most appropriate, relevant, useful and adequate, based on the prevalence of the principle of security.

Given that the right to revoke and delete Personal Data is not absolute, the Controller may deny the exercise thereof when: (i) the Data Subject has a legal or contractual duty to remain in the database, (ii) the deletion of the Personal Data would hinder judicial or administrative proceedings and/or (iii) the Personal Data is necessary to protect the legally protected interests of the Data Subject.

• To comply with commercial, accounting, labor and civil obligations within the framework of contractual relationships with The Firm.
• To store, manage, send or publish information in relation to business, commercial, labor, administrative, advertising and social activities of The Firm.
• Manage information for compliance with the Firm’s tax obligations and commercial and accounting records.
• To comply with the objectives and results agreed with the Firm’s clients, as well as to prepare the corresponding invoicing.
• To comply with the Firm’s internal processes for the administration of suppliers and contractors.
• Use Personal Data for marketing and commercialization of new services or products, as well as sending advertising related to services offered by The Firm.
• Verification of information relating to disciplinary, administrative or criminal sanctions imposed on contractors or employees of The Firm.
• Protecting the health and integrity of the Firm’s employees, clients and contractors or suppliers.
• Analyze possible conflicts of interest of new employees, contractors or clients of The Firm, as well as their inabilities or incompatibilities.
• Transmit, transfer and provide the information and personal data of the Data Controllers to third parties, in order to provide employment and/or professional references about the Data Controllers.
• The socialization of the Firm’s policies, projects, programmer and organizational changes, as well as the dissemination of the Firm’s success stories, provided that the express authorization of the related client is obtained.
• The performance of statistical, commercial, strategic, financial and social analyses of the Firm.
• The transmission and transfer of data to third parties with whom contracts have been entered into for this purpose, in which case the third parties shall be bound by the terms of this Processing Policy. These third parties may be, among others, subjects in charge of administering the social security system, insurance companies or subjects with respect to which there is an employer substitution or where The Firm assigns its contractual position.
• To maintain and process Personal Data related to the client’s business in order to offer the services and products that best suit the client’s needs.
• LOther purposes determined by The Firm in order to develop and comply with its corporate purpose, as well as to offer its services and comply with contractual, legal and regulatory obligations, always within the parameters established in the Processing Policy.