Data Protection Regulation Policy

GUTIERREZ MARQUEZ ASESORES S.A.S

The following policy is prepared in accordance with Law 1581 of 2012 and its regulatory decrees, and applies to the processing of personal data. It will be communicated to the Data Subject with respect to information obtained, or to be obtained in the future, in connection with the development of the company's activity. GUTIERREZ MARQUEZ ASESORES S.A.S. is identified with NIT 900.127.403-6. Further, GMA guarantees the rights to privacy, discretion and good name in relation to personal data; consequently, its actions will be governed by the principles of legality, purpose, freedom, veracity or quality, transparency, restricted access and exchange, security and confidentiality.

GMA and its subsidiaries, associates and related companies collect data such as general information, identification, location, sensitive data, socioeconomic data and information-system access data, among others, mainly for the development of the commercial activity. The data is usually collected as follows: when quoting or contracting a service, when performing contracted services, upon prior request, and during update processes; also when someone contacts the company in any way, visits the company, or in any other circumstance; and, in the case of applicants and collaborators, when they participate in a hiring process or sign and perform a contract. In any case, data collection is limited to personal data that is relevant and appropriate to the purpose for which it is collected.

1. IDENTIFICATION OF THE CONTROLLER OF TREATMENT OF THE DATA

Name: GUTIERREZ MARQUEZ ASESORES S.A.S.

NIT: 900.217.403-6

Address: Calle 7 Sur 42-70 of 1609- Ed. Forum, Medellín – Colombia

Email: asesores@gutierrezmarquez.com

Phone Number: (604) 444 5044

2. SCOPE OF APPLICABILITY

This policy of processing and protection of data is applicable to any and all databases and/or files that hold personal data that can be secondary to any person and that are being processed by GMA.

3. DEFINITIONS

This policy acknowledges the definitions laid down in the regulations in force in the field of protection:

Authorization: Prior consent from the Data Subject to proceed with the processing of personal data.

Privacy Notice: Verbal or written communication whereby the company informs the Data Subject about the processing of personal data, the existence of the privacy policy, the rights of the Data Subject and the procedure to exercise them, and the purpose of the processing.

Database: Set of personal data that is undergoing processing.

Personal Data: Any information that can be associated with or linked to one or more determined or determinable persons.

Public data: Data that is not considered semi-private, private or sensitive. Public data includes, among others, marital status, profession or trade, and whether the person is a businessman or a public servant. By its nature, public data may be contained in public registers, gazettes, official bulletins, and duly executed court judgments that are not subject to confidentiality.

Sensitive data: Data that affects the confidentiality of the Data Subject, or that, if used in the wrong way, can cause discrimination against the Data Subject, such as race, political orientation, religion, philosophy, membership in unions, social organizations, human rights organizations, political parties or organizations that promote guarantees for political opponents, as well as data pertaining to the health and sexual orientation of the Data Subject.

Agent of Processing: Public or private individual or company that, either on its own or in association with others, processes personal data on behalf of the Controller of Processing.

Controller of Processing: Public or private individual or company that, either on its own or in association with others, makes decisions about the database and/or the processing of data.

Data Subject: Individual whose personal data is being processed.

Data transfer: Occurs when the Controller and/or the Agent of Processing of personal data, located in Colombia, sends the information or personal data to a recipient that is also a Controller of Processing and may be inside or outside the country.

Transmission: Processing of personal data that involves communicating such data inside or outside the territory of the Republic of Colombia, when the aim is for it to be processed by the Agent on behalf of the Controller.

Processing: Any activity or set of activities performed on personal data, such as collection, storage, use, circulation or suppression.

4. PROCESSING AND PURPOSE

The processing that GMA performs on the personal data of clients, providers, contractors, employees, former employees, shareholders and, in general, any individual with whom GMA has, has had or may establish a permanent or occasional relationship includes collection, updating, gathering, storage, use, circulation, suppression, handling, compilation, interchange, transmission, transfer and, in general, any processing that is required for the purposes described as follows:

  • Preservation, development, management and implementation of contractual or commercial relations;
  • Compliance with obligations, duties, contractual commitments and legal provisions;
  • Purposes related to the company's corporate purpose;
  • Security, control and monitoring;
  • To provide, send, share and/or deliver personal data to subsidiaries, affiliates, associates and/or companies related to GMA, located in Colombia or any other country, for the sole purpose indicated in this policy;
  • Constant, timely and effective communication with the Data Subject, including sending contractual, advertising or informative material;
  • In the case of collaborators or applicants, additionally, the development of selection, recruitment and evaluation processes, as well as matters related to the various entities of the Integrated Social Security System.

GMA may subcontract third parties to perform some of the functions involved in processing personal data. In this case, GMA warns them of the need to protect said information with appropriate security measures and that use of the information for their own benefit is prohibited, and requests that the personal data not be disclosed to others, in order to comply with the policy of confidentiality and security.

Sensitive Data: GMA may handle it in the following scenarios:

  1. The Data Subject authorizes its use;
  2. Processing is necessary to safeguard the vital interest of the Data Subject and the Data Subject is physically or legally incapacitated, with prior authorization of a legal representative;
  3. The processing is carried out in the course of legitimate activities and with proper safeguards by a foundation, NGO, association or any other non-profit body with a political, philosophical, religious or union purpose, where it concerns exclusively its members or people who keep contact with it by reason of its purpose. In such cases, personal data cannot be shared with third parties without the Data Subject's consent;
  4. Processing of data is necessary for the recognition, exercise or defense of a right in a judicial process;
  5. Processing is for historical, statistical or scientific purposes, when the identity of the Data Subjects has been previously suppressed.

Children's and adolescents' data: In the case of personal data of children and adolescents, GMA may use and process only public data, or data whose processing responds to and respects the best interest of the minor and ensures respect for the minor's fundamental rights, with prior authorization of the legal representative, who must hear the minor's opinion, evaluated taking into account the minor's maturity, autonomy and capacity of understanding. In any case, GMA will apply the principles and obligations established in the regulations in force.

5. AUTHORIZATION BY THE DATA SUBJECT OF PERSONAL DATA

No later than at the time of collection of personal data, GMA will request from the Data Subject an authorization for processing, indicating all the purposes for which the consent is requested, using any means that can be consulted later. The authorization will be requested for the time needed and for the necessary and adequate information required to accomplish the purpose of the database, in all cases complying with the regulations in force. Exceptions apply in cases where, by legal provision, authorization is not required.

The Data Subject may, at any time, revoke the authorization given to GMA for the processing of personal data, requesting its elimination from the database, limiting the purposes for which the personal data may be used, or requesting its suppression, unless there is an impediment arising from a legal or contractual duty.

6. RIGHTS OF THE DATA SUBJECT

The Data Subject has the following rights, as well as the rights that will be set by the Colombian legislation:

  • To know, update and correct their personal data before GMA. This right may be exercised, among others, with respect to data that is incomplete, fractional, inaccurate or misleading, or data whose processing is explicitly prohibited or has not been authorized;
  • To request proof of the authorization given to GMA, except when the processing is specifically exempt from this requirement by law;
  • To be informed by GMA, upon the Data Subject's request, of the use given to the Data Subject's data;
  • To submit complaints to the SIC for violations of Law 1581 of 2012 and the subsequent rules that may amend it;
  • To withdraw the authorization and/or request the suppression of data when the processing violates the principles and the constitutional and legal rights. Withdrawal and/or suppression will proceed when the SIC has determined that, in the processing, GMA has engaged in conduct contrary to the law and the Constitution;
  • To have access, without cost, to their personal data that has been processed.

7. OBLIGATIONS OF GMA WITH PROCESSING

GMA, as Controller of the processing of personal data, must fulfill the following obligations:

  1. Guarantee the Data Subject, at all times, full and effective exercise of the Habeas Data right;
  2. Request and keep a copy of the authorization given by the Data Subject;
  3. Inform the Data Subject of the purposes of the data collection and of the rights to which the Data Subject is entitled by virtue of the granted authorization;
  4. Keep the information under security conditions that prevent its adulteration, loss, consultation, unauthorized access or fraudulent use;
  5. Update the information, attending to developments regarding previously supplied data, and implement mechanisms to keep the information up to date;
  6. Rectify the information when it is inaccurate and communicate what is pertinent;
  7. Promote, at all times, respect for the conditions of security and privacy of the information;
  8. Deal with queries and complaints made in accordance with the terms of this policy;
  9. Inform the appropriate person when certain information is being disputed by the Data Subject, once the claim has been submitted and the respective procedure has not been completed;
  10. Upon request, inform the Data Subject about the use of personal data;
  11. Notify the Data Protection Authority when a violation of the security codes has occurred and there are risks in the administration of the Data Subject's information;
  12. Comply with the rules and regulations imposed by the SIC.

As Agent of Processing of personal data, GMA also has the following obligations:

  1. Update the information reported by the Controller of Processing within five (5) working days counted from when it was received;
  2. Register in the database the caption “Claim in process” in accordance with the legal regulations;
  3. Insert in the database the caption “information in judicial discussion” once the Agent has been notified by the authority in charge of legal proceedings related to the quality of the personal data;
  4. Refrain from circulating information that is being challenged by the Data Subject and whose blocking has been ordered by the SIC;
  5. Grant access to the information only to authorized individuals.

8. AREA RESPONSIBLE FOR THE ATTENTION OF REQUESTS, QUERIES AND COMPLAINTS

The area responsible for handling the requests, queries, complaints and claims through which the Data Subject can exercise their rights to access, update, correct and delete data and to withdraw the authorization is the Management of GMA or whoever represents it.

9. PROCEDURE FOR EXERCISING THE RIGHTS OF THE DATA SUBJECT

GMA implements the following procedures for handling requests, queries and complaints, so that the Data Subject can exercise their rights to access, update, correct and delete data and to withdraw the authorization:

General aspects: Any request, query or complaint should be directed to the Responsible Area and include the identification of the Data Subject, accreditation of representation where it applies to the person presenting the request, a clear description of the facts, an address or email for notifications, and any documents related to the request. In order to keep proof of the request, it must be made in writing to the Responsible Area using one of the following channels:

By Mail: Calle 7 sur 42-70 of 1609. Medellín, Colombia

Email: asesores@gutierrezmarquez.com

Specific aspects: Depending on whether it is a request, query or complaint, the Responsible Area will follow the guidelines below, set by the regulations in force:

Requests: The Data Subject or their representatives may make formal requests to GMA regarding their personal data. These requests will be handled under the same terms as a Right of Petition, except where, by their content, they are queries or complaints in nature, in which case they will be handled under the terms explained below.

Queries: The Data Subject or their representatives may make queries about their personal data contained in any database or file held by GMA, which will provide them with all the information included in their individual record or related to the Data Subject's identification.

The query will be answered within a maximum term of ten (10) working days counted from the day it was received. If the query cannot be processed in time, the petitioner will be notified of the reasons for the delay and given a new date for the answer, which may not exceed five (5) working days after the first term expired.

Complaints: The Data Subject or their representatives who consider that the information contained in a database or file held by GMA should be corrected, updated or suppressed, or who detect an alleged failure to comply with any of the obligations contained in the law, may file a complaint with the responsible area of GMA.

The maximum term to respond to the complaint is fifteen (15) working days counted from the day after the date it was received. If the complaint cannot be processed in time, the petitioner will be notified of the reasons for the delay and given a new date for the answer to their complaint, which may not exceed eight (8) working days after the first term expired.

However, if the complaint is incomplete, the petitioner will be notified within five (5) days following receipt of the complaint so that the failures can be rectified. If two (2) months elapse from the date of the requirement without the petitioner providing the missing information, the complaint will be deemed withdrawn. If the recipient of the complaint is not competent to resolve it, the recipient will forward it to the appropriate party within a maximum term of two (2) working days and will notify the petitioner.

Once the complaint is complete, it will be registered in the database with the caption “Claim in process” and the reason for it, within a maximum term of two (2) working days. Said caption must remain in place until the complaint is resolved.

10. INFORMATION SECURITY AND SAFETY MEASURES

With regard to the principle of security enshrined in Law 1581 of 2012, GMA states that it implements the technical, human and administrative measures needed to provide security to the records and avoid their adulteration, loss, consultation, unauthorized access or fraudulent use. GMA personnel in charge of the processing of personal data will follow the established protocols, guidelines and measures to guarantee the security of the information.

GMA protects the personal data that is preserved physically by using file cabinets placed in offices that are kept closed and have restricted access. Only authorized personnel who need access to the information for any of the purposes mentioned above, and who guarantee the correct treatment of personal data, have the right to use it. In the same way, information kept digitally is filed in restricted dossiers that are available only to specific authorized employees, in order to preserve the security of the data.

11. PRIVACY NOTICE

In some cases, when GMA cannot make this Data Protection Regulation Policy available to the Data Subject, GMA will publish a privacy notice advising the Data Subject about the policies that will be applied, how to access them and the kind of treatment that will be given to personal data. A copy of said notice will be kept as proof for future inquiries by the Data Subject or the SIC.

12. TRANSFER AND TRANSMISSION OF PERSONAL DATA

GMA, in compliance with the purposes mentioned above, may perform partial or total transfers and transmissions of personal data of the Data Subjects. For international transfers of personal data, GMA will implement measures to ensure that the third party knows and complies with this Policy, on the understanding that the personal data they receive may only be used for purposes related to GMA and may not be used or designated for purposes other than those established in the Policy, offering the proper levels of data protection according to Colombian legislation. For international transfers of personal data, the provisions of Law 1581 of 2012 will be observed. International transmissions of personal data carried out by GMA will not require authorization from the Data Subject when an agreement is in place in accordance with the regulations in force.

13. TERM OF APPLICABILITY

The present policy  For an undefined term even for data that previously were the object of treatment and leaves without effect the regulations or special manuals that have been previously adopted. Any changes to the present policy will be communicated through the means that GMA deems most suitable for this purpose.