Data policy

PERSONAL DATA PROCESSING POLICY


1. DEFINITIONS:
a) Database: It is the organized set of Personal Data that are subject to Treatment.
b) Company: Promotora Qu4tro S.A.S.
c) Personal Data: Any information of any kind, linked or that may be associated with one or more specific or determinable natural persons.
d) Responsible for the Treatment: It is the natural or legal person, public or private, that by itself or in association with others, carries out the Treatment of Personal Data on behalf of the Responsible for the Treatment. For the purposes of this policy, the Company is one of the Treatment Managers.
e) Permission: It is the legitimation that expressly and in writing by means of a contract or document that takes its place, the Company grants to third parties, in compliance with the applicable Law, for the Treatment of Personal Data, making such third parties in Charge of Data Treatment Personal delivered or made available to you.
f) Responsible for the Treatment: It is the natural or legal person, public or private, that by itself or in association with others, carries out the Treatment of Personal Data on behalf of the Responsible for the Treatment. For the purposes of this policy, the Company is one of the Treatment Managers.
g) Owner: It is the natural person whose Personal Data are subject to Treatment.
h) Transfer: It is the Treatment of Personal Data that implies the communication of the same within or outside the territory of the Republic of Colombia when it is intended to carry out a Treatment by the Person in Charge on behalf of the Responsible Party.
i) Transmission: It is the Personal Data Processing activity through which they are communicated, internally or with third parties, within or outside the territory of the Republic of Colombia, when said communication is intended to carry out any Treatment activity by the recipient of the Personal Data.
j) Treatment: Any operation or set of operations on Personal Data, such as the collection, storage, use, circulation or deletion.


2. PURPOSE:
The purpose of this document is to regulate the policies and procedures that will be applicable in the handling of Personal Data information by the Company, in compliance with the provisions contained in Law 1581 of 2012 and Decree 1377 of 2013, in view of that PROMOTORA QU4TRO SAS collects personal data in development of its corporate purpose. Therefore, the Holders of the Personal Data that are treated in any way by the Company are made aware of this Personal Data Treatment Policy, in order for them to know the purpose of the Treatment, the rights, the procedure and the mechanisms that exist at your disposal to enforce your rights.


3. RESPONSIBLE AND RESPONSIBLE FOR THE TREATMENT:
The Company is Responsible for the Treatment of the Personal Data Base and will also be Responsible for the reception and attention of requests, complaints, claims and queries of all kinds related to Personal Data. The person in charge of the Processing of Personal Data, for all legal purposes, is the Company. The data of the Company, as Responsible for the Treatment, are the following:
Address: Calle 12 sur # 18-113 interior 5
Email: [email protected]
Phone: 034 3174166


4. TREATMENT TO WHICH THE PERSONAL DATA AND THE PURPOSE OF THE TREATMENT WILL BE SUBMITTED:
Treatment: Any operation or set of operations on Personal Data, such as the collection, storage, use, circulation or deletion.
The information that the Company collects in the provision of its services and in general in the development of its corporate purpose, is used mainly to identify, maintain a record and control the suppliers, customers, shareholders, contractors, employees of the Company, with the purpose of complying with the obligations arising from the legal, commercial, contractual or any other relationship with the Company, as well as the enforceability of the rights that the parties have by virtue of them, to maintain informed the Holders of Personal Data regarding the goods and services provided by the Company, to send them information of an advertising, commercial and marketing nature, events and in general information related to the development of the Company's corporate purpose, and finally to transfer the Personal Data to third parties designated by them for the provision of the services offered and the enforceability of those of Rights generated by virtue of the existing legal, contractual or commercial relationship.


4.1. TREATMENTS AND GENERAL PURPOSES OF THE INFORMATION:
a) Processing and confirmation of personal data.
b) Provide services and / or products purchased directly or with the participation of third parties.
c) Promote and advertise our activities, products and services
d) Carry out accounting and administrative transactions derived from the ordinary course of the Company's business.
e) Make reports with the different administrative national control and surveillance authorities, police or judicial authorities, financial entities and / or insurance companies.
f) Internal administrative and / or commercial purposes such as: market research, audits, accounting reports, statistical analysis or billing.
g) Make the accounting records related to the operations carried out in the company's business line.
h) Sending and receiving correspondence.
i) Identification of fraud and prevention of money laundering and other criminal activities.


4.2. INFORMATION FROM SHAREHOLDERS AND MEMBERS OF THE BOARD OF DIRECTORS:
a) Control of the shareholding and publication of the shareholders with greater participation in accordance with the regulations issued for this purpose by the Financial Superintendence of Colombia.
b) Compliance with judicial decisions and administrative and legal, fiscal and regulatory provisions.
c) Compliance with legal obligations and exercise of the rights derived from being a shareholder and member of the Company's Board of Directors.
d) Sending information related to the Company, as well as the summons to meetings of the General Assembly of Shareholders and of the Board of Directors.


4.3. INFORMATION FROM SUPPLIERS AND CREDITORS:
a) Compliance with judicial decisions and administrative and legal, fiscal and regulatory provisions.
b) Compliance with contractual obligations and enforceability of the rights derived from the contractual relationship, for which the information may be transferred to third parties, such as financial institutions, notaries, restrictive lists for the prevention of money laundering and terrorist financing, lawyers, among others.
c) Consultation of the provider in restrictive lists of prevention of LAFT, judicial records and others that contain public information and that are considered pertinent to evaluate the relevance of the contracting of the provider.
d) Carrying out the accounting and administrative processes in which the suppliers are linked.
e) Transmission of information and Personal Data in audit processes.
f) Collection, storage and use of personal information of employees and contractors of suppliers in order to comply with the obligations derived from the existing contractual or legal relationship in relation to them.
g) Any other use that the provider or creditor authorizes in writing for the use of your information.


4.4. CUSTOMER AND VISITOR INFORMATION:
a) Sending commercial, advertising and marketing information.
b) Compliance with contractual or legal obligations, for which the information may be transferred to third parties, such as financial entities, notaries, restrictive lists for the prevention of money laundering and financing of terrorism, lawyers, among others.
c) Compliance with judicial decisions and administrative and legal, fiscal and regulatory provisions.
d) Transmission of information and personal data in audit processes.
e) Billing of goods and services provided by the Companies to customers.
f) Access control and video surveillance of people who visit the facilities of the Companies as a security measure.


4.5. INFORMATION ON EMPLOYEES, PENSIONED WORKERS AND CANDIDATES TO FILL VACANCIES: RETIRED,
a) For purposes pertinent to the employment relationship (Affiliation and compliance with obligations derived from affiliation to EPS, ARL, pension and severance funds, family compensation funds, among others).
b) Compliance with judicial, administrative and legal requirements.
c) Accounting and payroll.
d) Recruit and select personnel who will fill the vacancies, directly or through third parties hired for this purpose.
e) Process, confirm and comply with legal and extra-legal labor obligations derived from the employment contract.
f) Make transactions.
g) Payment of extralegal benefits.
h) Carrying out audits and evaluation of skills to our workers and candidates to fill vacancies.
i) Consultation of employees and candidates to fill vacancies on restrictive lists for money laundering and terrorist financing.
j) Statistical analysis.
k) Development of training and education programs directly or through third parties hired for this purpose.
l) Share personal data with banks and other companies that offer benefits and wellness programs to our active workers, among others.
The Company recognizes the importance of the security, privacy and confidentiality of Personal Data, for which it is committed to its protection and proper handling, in accordance with the legal regime for the protection of Personal Data and in particular the provisions of this policy. For this reason, the information contained in the Databases will only have access to the Company officials who, by virtue of the functions of their position, must know it and use it for the fulfillment of the indicated purposes. The Companies will keep the personal information of the Holders of the information in the aforementioned Databases, as long as it is used to fulfill the purpose indicated in this policy, once said use ends, the information will be blocked in the information system of the Company, remaining only as historical data of the operations carried out with the Holder, but no transaction or use of said data may be carried out.


5. RIGHTS OF THE HOLDER:
The Owner is a natural person whose personal data is collected, stored or used by the Data Controller.
The Holder will have the following rights:
a) Know, update and rectify your personal data in front of the Responsible, when the data is partial, inaccurate, incomplete, fractioned, and misleading. In any case, the Holder is obliged to supply truthful information.
b) Request proof of the authorization granted to the Data Controller, unless it is expressly excepted as a requirement for the treatment.
c) Be informed, upon request addressed to the Data Controller, regarding the use that has been given to your Personal Data.
d) Present before the Superintendency of Industry and Commerce complaints for infractions to the provisions of Law 1581 of 2012 and its regulatory decrees and other regulations that modify, add or complement it.
e) Revoke the authorization and / or request the deletion of your Personal Data from the Company's Databases when the Treatment does not respect the principles, rights and constitutional and legal guarantees, as long as the Holder does not have a legal or contractual duty. to remain in the Database.
f) Free access to your Personal Data that have been subject to Treatment by the Responsible.


6. PROCEDURE FOR INQUIRIES, CLAIMS AND COMPLAINTS:


6.1. INQUIRIES:
The Owner, his successors in title, their representatives and / or attorneys-in-fact, may make inquiries regarding the content of the Owner's Personal Data that rest in the Company's Databases, and the Company will supply the information it has on the Owner. To carry out the query, the following is required:
a) Submit the request in writing at the Company's offices located at Calle 12 sur # 18-113 interior 5 or send them to the email [email protected]
b) A copy of the Holder's identity document must be attached to the application. When the request is made by an assignee, attorney-in-fact and / or representative of the Holder, it must prove said quality, in accordance with the current applicable Law on the matter.
c) The application must indicate the address and contact details of the applicant.
d) The Responsible for attending the query will respond to the applicant as long as he has the right to do so as the Holder of the Personal Data, his successor, attorney, representative, or is the legal responsible in the case of minors. This response will be sent within ten (10) business days from the date the request was received by the Company.
e) In the event that the request cannot be attended within ten (10) business days from the date the request was received by the Company, the applicant will be contacted to communicate the reasons for the delay and to point out another date on which your query will be answered, which will not exceed five (5) business days following the expiration of the first term. For this, the same means or one similar to that used by the Holder to communicate his request will be used. Whatever the means used to make the query, the Company will keep proof of it and its response.


6.2. CLAIMS:
The Holder, his successors, representative and / or proxies who consider that the information contained in a Database should be subject to correction, updating or deletion, or when they notice the alleged breach of any of the duties contained in Law 1581 of 2012 or in this policy, they may file a written claim with the Company, which will be processed under the following rules:
a) The claim will be formulated by email addressed to [email protected]
b) A copy of the Holder's identity document must be attached to the application. When the request is made by an assignee, attorney-in-fact and / or representative of the Holder, it must prove said quality, in accordance with the current applicable Law on the matter.
c) The claim must contain a description of the facts that give rise to the claim and what is intended with it, that is, the updating, correction, deletion of the information or compliance with the duties of the Law or this policy.
d) The application must indicate the address and contact details of the applicant.
e) It must be accompanied by all the documentation that the claimant wants to assert.
f) Before addressing the claim, the Company will verify the identity of the Owner of the Personal Data about which the claim is made, his / her representative and / or attorney-in-fact, and for that purpose it may require the Owner's original identification document, and the special, general powers of attorney. or documents that are required as the case may be.
g) If the documentation or claim is incomplete, the claimant will be required within five (5) days after receiving the claim to correct the faults. After two (2) months from the date of the request, without submitting the required information, it will be understood that the claim has been withdrawn.
h) In the event that the Company is not competent to resolve the claim, it will transfer it to the corresponding party within a maximum term of two (2) business days and will inform the claimant of the situation.
i) Once the claim is received with the complete documentation, it will be included in the Company's Database where the Personal Data subject to the claim rests, a legend that says “claim in process” and the reason for it, in a term no longer than two (2) business days. This legend should be kept until the claim is decided.
j) The maximum term to attend the claim will be fifteen (15) business days from the day following the date of receipt. When it is not possible to attend the claim within said term, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first finished.

6.3. COMPLAINTS:
The Holder or successor in title may only file a complaint with the Superintendency of Industry and Commerce once they have exhausted the consultation or claim process before the Company.


7. MODIFICATIONS TO THE POLICY:
La Compañía se reserva el derecho de efectuar en cualquier momento modificaciones o actualizaciones a esta política, para la atención de novedades legislativas, políticas internas o nuevos requerimientos para la prestación u ofrecimiento de sus servicios o productos. Estas modificaciones estarán disponibles al público a través de la página web https://www.cantagirone.com

8. ACCEPTANCE: The holders of the information accept the treatment of their Personal Data in accordance with the terms of this policy, at the time of providing their data.


9. VALIDITY: This policy applies as of August 1, 2018. The Personal Data that is stored, used or transmitted will remain in our Database, in accordance with the criteria of temporality and necessity, for as long as is necessary for the purposes mentioned in this policy, for which they were collected.