PERSONAL DATA TREATMENT POLICY

GENERAL

Gómez Consultores S.A.S (hereinafter, The Firm), domiciled in Bogotá D.C., with physical address Carrera 13 No. 93 – 67 office 101 and e-mail address info@gomezlegal.co, is responsible for the Personal Data provided by the Data Controllers.

This Personal Data Processing Policy (hereinafter, Processing Policy) sets forth the purposes and the procedure for the Processing of the Firm’s Databases, as well as the mechanisms available to the Data Controllers to know, update, rectify and/or delete the data provided or revoke the Authorization granted with the acceptance of the Processing Policy.

Authorization for the Processing of Personal Data is given with the acceptance of this Processing Policy. The conclusion of employment or service contracts with the Firm, as well as the application to enter into such contracts, implies the acceptance by the Data Controllers of this Processing Policy.

DEFINITIONS

In accordance with the provisions of article 3 of Law 1581 of 2012, capitalized expressions in the Processing Policy shall have the meaning given to them herein. Where there is any difference between the terms indicated herein and those established in the Law, those indicated in the Law shall be preferred.

  • Authorization: Prior, express and informed consent of the Data Subject to carry out the Processing of personal data.
  • Database: Organized set of personal data that is the object of Processing.
  • Personal Data: Any information linked or that may be associated to one or several determined or determinable natural persons.
  • Sensitive Data: Personal data that affect the privacy of the Data Subject or whose improper use may lead to discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical convictions, membership of trade unions, social organizations, human rights organizations or organizations that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data relating to health, sex life and biometric data.
  • Data Processor: Natural or legal person, public or private, who by himself or in association with others, carries out the Processing of personal data on behalf of the Data Controller.
  • Data Controller: Natural or legal person, public or private, who by himself or in association with others, decides on the database and/or the Processing of the data.
  • Data Subject or Data Controllers: Natural person(s) whose personal data are the object of Processing.
  • Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.

GUIDING PRINCIPLES

In the development, interpretation and application of this Processing Policy, the following principles shall be applied in a harmonious and comprehensive manner:

  • Principle of legality in matters of Data Processing: The Processing referred to in this Processing Policy is a regulated activity that must be subject to the provisions herein and in the Laws that develop it.
  • Principle of purpose: The Processing must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Data Subject.
  • Principle of freedom: Processing may only be carried out with the prior, express and informed consent of the Data Subject, unless the Law establishes an exception to this rule. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves consent.
  • Principle of truthfulness or quality: The information subject to Processing must be truthful, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fragmented or misleading data is prohibited.
  • Principle of transparency: The right of the Data Subject to obtain from the Data Controller or the Data Processor, at any time and without restrictions, information about the existence of data concerning him/her, must be guaranteed in the Processing.
  • Principle of restricted access and circulation: Processing is subject to the limits derived from the nature of the personal data, from what is indicated in the Processing Policy, from the provisions contained in the law and the Constitution. In this sense, the Processing may only be carried out by persons authorized by the Data Controller and/or by the persons provided for in the Law.
  • Principle of security: The information subject to Processing by the Data Controller or Data Processor shall be handled with the technical, human and administrative measures necessary to provide security to the records, avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.
  • Principle of confidentiality: All persons involved in the Processing of personal data that are not public are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks involved in the Processing and may only supply or communicate personal data when this corresponds to the development of the activities authorized by the Law and under the terms of the same.

DATA CONTROLLER AND DATA PROCESSOR

The Data Controller and Data Processor of the Personal Data of the Data Controllers is:

• Gómez Consultores S.A.S
• NIT. 800.100.876-6
• Address: Bogotá D.C
• Physical address: Carrera 13 No. 93-67, office 101 in the city of Bogotá D.C, Colombia
• E-mail address: info@gomezlegal.co
• Telephone: (57-1) 6360037

RIGHTS OF THE OWNERS

Pursuant to Article 8 of Law 1581 of 2012, the Holders of Personal Data shall have the following rights:

  • To know, update and rectify their personal data vis-à-vis the Data Controller. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or data whose processing is expressly prohibited or has not been authorized.
  • To request proof of the authorization granted to the Data Controller, except when expressly exempted as a requirement for the Processing.
  • To be informed by the Data Controller, upon request, regarding the use made of his or her personal data.
  • To file complaints with the Superintendence of Industry and Commerce regarding breaches of the provisions of the law and this Processing Policy.
  • To know, free of charge, the personal data that has been the object of Processing.
  • Any other rights established by law.

Without prejudice to the exceptions provided for in the Law, the Processing requires the prior and informed authorization of the Data Subject, which must be obtained by any means that may be subject to subsequent consultation.

PROCESSING OF PERSONAL DATA

Personal Data is collected, stored, used, circulated, transmitted, transferred, updated, rectified and managed in accordance with the purpose of each type of Processing.

PROCESSING OF SENSITIVE DATA

The Firm shall Process Sensitive Data in accordance with the provisions of article 6 of Law 1581 of 2012. The Firm may request the Sensitive Data expressly required in each Authorization.

When the Processing of Sensitive Data is required, the Firm shall require the express Authorization of the Data Subject to such Processing, except in cases where the Law does not require the granting of such Authorization. The Firm shall act with the utmost diligence in the Processing and shall not condition any of its activities on the provision of such data.

Data related to the health status of the Firm’s employees or contractors are Sensitive Data. Therefore, in accordance with the Law, Data Controllers are not obliged to provide them or to authorize their Processing. Should such data be provided and the corresponding consent granted, they will be collected and processed solely for the purpose of mitigating, controlling and carrying out the appropriate management of diseases, particularly due to the current situation of the pandemic caused by Covid-19.

PROCESSING OF PERSONAL DATA OF CHILDREN AND ADOLESCENTS

In the event that The Firm collects Personal Data from minors, the Firm will act with the utmost diligence in its Processing and will ensure that the prevailing rights of children and adolescents are respected. To this end, it will ensure that the fundamental rights of children and adolescents are respected and that their opinion is heard and properly valued.

For the Processing of Personal Data of a minor under 18 years of age, The Firm will require the prior and express Authorization of the parents or legal guardian, as appropriate.

DUTIES OF THE DATA CONTROLLER

The Controller shall comply with the following duties, without prejudice to the provisions set forth in the Law:

  • Guarantee the Data Subject, at all times, the full and effective exercise of the right of habeas data.
  • Request and keep, under the conditions provided for in this Processing Policy and the Law, a copy of the respective authorization granted by the Data Subject.
  • Duly inform the Data Subject about the purpose of the collection and the rights he/she is entitled to by virtue of the authorization granted.
  • Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
  • Guarantee that the information provided is truthful, complete, accurate, up-to-date, verifiable and comprehensible.
  • Update the information and adopt the necessary measures to ensure that the information provided is kept up to date.
  • Rectify the information when it is incorrect.
  • Process queries and claims made under the terms set out in this Processing Policy.
  • At the request of the Data Subject, to report on the use made of their data.
  • Inform the data protection authority when there are violations to the security codes and there are risks in the administration of the data subject’s information.
  • Any others indicated in the Law.

PROCEDURE FOR CONSULTATIONS

The Firm shall have mechanisms in place for Data Controllers, their successors in title, representatives and/or attorneys-in-fact, those who have stipulated in favor of or for another and/or the representatives of minors, to make queries regarding the Personal Data contained in the Firm’s Databases.

Queries may be made electronically to info@gomezlegal.co or through written communication filed at the Firm’s physical address Carrera 13 No. 93-67, office 101.

The request will be analyzed to verify the identification of the Data Subject. If the request is made by a person other than the Data Subject and it is not accredited that the applicant is acting on behalf of the Data Subject in accordance with the Law, the request will be rejected. The Controller or Data Processor shall provide the Data Subjects, their assignees, representatives and/or attorneys-in-fact with all the information contained in the individual record or that is linked to the identification of the Data Subject.

The query shall be answered within a maximum period of ten (10) working days from the date of receipt thereof. When it is not possible to answer the query within this period, the interested party shall be informed, stating the reasons for the delay and indicating the date on which the query will be answered, which, in no case, may exceed five (5) working days following the expiry of the first period.

PROCEDURE FOR CLAIMS

The Data Subject, his/her assignees, representatives and/or proxies who consider that the information contained in a database should be corrected, updated or deleted, or who notice the alleged breach of any of the duties contained in this Processing Policy or in the Law, may file a complaint with the Controller or Data Processor, which shall be processed under the following rules:

  • The claim shall be formulated by means of a request addressed to the Controller or Data Processor, with the identification of the Data Subject, the description of the facts that give rise to the claim, the contact address and accompanied by the documents that he/she wishes to assert. If the claim is incomplete, the data subject shall be required within five (5) working days of receipt of the claim to rectify the faults. After two (2) months have elapsed from the date of the request without the applicant having responded to the request for information, The Firm shall consider that the claim has been withdrawn.
  • Once the complete claim has been received, within a period of no more than two (2) working days, a legend will be included in the database stating “Claim being processed” and the reason for the claim. This legend shall be maintained until the claim is decided.
  • The maximum term for dealing with the complaint shall be fifteen (15) working days from the day following the date of receipt. When it is not possible to deal with the claim within this period, the interested party will be informed of the reasons for the delay and the date on which the claim will be dealt with, which, in no case, may exceed eight (8) working days following the expiry of the first period.

STORAGE AND SECURITY OF PERSONAL DATA

The Firm will handle the information subject to Processing with the technical, human and administrative measures necessary to provide security to the records, avoiding their adulteration, loss, consultation, fraudulent use or access by unauthorized persons.

Thus, the Data Controllers expressly authorize the Firm to store their personal data in the manner and with the security measures it deems most appropriate, relevant, useful and adequate, based on the prevalence of the principle of security.

REVOCATION AND DELETION PROCEDURE

The Data Subject may revoke the Authorization for the Processing of his or her Personal Data at any time, provided that this is not prevented by a legal provision or if there is a legal or contractual obligation that does not allow it. Therefore, the Data Subject has the right to request The Firm to delete his or her Personal Data, especially when he or she considers that the Personal Data is not being processed in accordance with the purposes of this Processing Policy or with the principles, duties and obligations set forth in Law 1581 of 2012 and other concordant rules.

Given that the right to revoke and delete Personal Data is not absolute, the Controller may deny the exercise thereof when: (i) the Data Subject has a legal or contractual duty to remain in the database, (ii) the deletion of the Personal Data would hinder judicial or administrative proceedings and/or (iii) the Personal Data is necessary to protect the legally protected interests of the Data Subject.

PURPOSES OF THE DATABASE

The Data Processor and the Data Controller shall maintain the Processing of Personal Data in accordance with the following purposes:

  • To comply with commercial, accounting, labor and civil obligations within the framework of contractual relationships with The Firm.
  • To store, manage, send or publish information in relation to business, commercial, labor, administrative, advertising and social activities of The Firm.
  • Manage information for compliance with the Firm’s tax obligations and commercial and accounting records.
  • To comply with the objectives and results agreed with the Firm’s clients, as well as to prepare the corresponding invoicing.
  • To comply with the Firm’s internal processes for the administration of suppliers and contractors.
  • Use Personal Data for marketing and commercialization of new services or products, as well as sending advertising related to services offered by The Firm.
  • Verification of information relating to disciplinary, administrative or criminal sanctions imposed on contractors or employees of The Firm.
  • Protecting the health and integrity of the Firm’s employees, clients and contractors or suppliers.
  • Analyze possible conflicts of interest of new employees, contractors or clients of The Firm, as well as their inabilities or incompatibilities.
  • Transmit, transfer and provide the information and personal data of the Data Controllers to third parties, in order to provide employment and/or professional references about the Data Controllers.
  • The socialization of the Firm’s policies, projects, programs and organizational changes, as well as the dissemination of the Firm’s success stories, provided that the express authorization of the related client is obtained.
  • The performance of statistical, commercial, strategic, financial and social analyses of the Firm.
  • The transmission and transfer of data to third parties with whom contracts have been entered into for this purpose, in which case the third parties shall be bound by the terms of this Processing Policy. These third parties may be, among others, subjects in charge of administering the social security system, insurance companies or subjects with respect to which there is an employer substitution or where The Firm assigns its contractual position.
  • To maintain and process Personal Data related to the client’s business in order to offer the services and products that best suit the client’s needs.
  • Other purposes determined by The Firm in order to develop and comply with its corporate purpose, as well as to offer its services and comply with contractual, legal and regulatory obligations, always within the parameters established in the Processing Policy.

CHANGES TO THE PROCESSING POLICY

The Firm reserves the right to make changes to the Processing Policy whenever necessary in accordance with current regulations. Any substantial change in the Processing Policy that modifies the scope of the guarantees and rights of the Data Subjects will be communicated in a timely manner to the Data Subjects via email and published on the website of The Firm.

PERIOD OF VALIDITY

The Personal Data included in the Database will be valid for the period of time necessary to fulfill its purposes and to allow The Firm to comply with its legal and contractual obligations.