PERSONAL DATA PROCESSING POLICY

SUPPORT SOLUTIONS

 

This Personal Data Processing Policy (hereinafter, the “Policy”) regulates the collection, storage, use, circulation, and deletion of personal data carried out by Support Solutions, in accordance with the provisions established in Law 1581 of 2012, Decree 1377 of 2013, and all other current regulations.

I. Identification of the Responsible Party

Serrano Martínez S.A.S. is a company duly incorporated according to the laws of the Republic of Colombia, identified with N.I.T. 901.017.985 – 2, with its main office in the city of Bogotá, located at Carrera 5b #27-02, with email administracion@serranomartinez.com, and phone number 7466072, (hereinafter, “Serrano Martínez” or “the Responsible Party”).

II. Purpose of the Personal Data Processing Policy

Through this Personal Data Processing Policy, Serrano Martínez aims to establish the rules applicable to the processing of personal data collected, processed, and stored by this company in the development of its corporate purpose, in the capacity of Responsible for the Processing of Personal Data.

III Principles Applicable to the Processing of Personal Data

3.1. Principle of Legality

The Processing of Personal Data carried out by Serrano Martínez will be subject to the provisions established in the current regulations in the Republic of Colombia.

3.2.Principle of Purpose

Serrano Martínez collects, stores, uses, and deletes personal data with the exclusive purpose of carrying out its activity, consisting of legal advice in corporate law and competition law.

3.3.Principle of Freedom

The Processing of Personal Data by Serrano Martínez can only be done with the prior, express, and informed consent of the data subject.

3.4.Principle of Truthfulness or Quality

The information subject to the Processing by the Responsible must be truthful, complete, accurate, up-to-date, verifiable, and understandable.

3.5.Principle of Transparency

Serrano Martínez guarantees the data subject the right to obtain at any time and without restrictions, information about the data subject to Processing by the Responsible, concerning the data subject.

3.6.Principle of Access and Restricted Circulation

The Processing carried out by Serrano Martínez on Personal Data is subject to the limits that arise from the nature of the Personal Data, established in Law 1581 of 2012, Decree 1377 of 2013, the Political Constitution, and other existing provisions on the subject.

3.7.Principle of Security

The Personal Data subject to Processing by Serrano Martínez are collected, stored, used, and deleted using technical, human, and administrative measures necessary to provide security to the records, avoiding their alteration, loss, consultation, use or unauthorized or fraudulent access.

Serrano Martínez has measures and secure software for the Processing of Personal Data, adequate and proportional to the type of information being processed.

3.8.Principle of Confidentiality

All the persons involved in the Processing of Personal Data collected by Serrano Martínez are obligated to guarantee the confidentiality of the information, even after their relationship with any of the tasks that comprise the Processing of the data has ended.

3.2.Principle of Purpose

Serrano Martínez collects, stores, uses, and deletes personal data with the sole purpose of carrying out its activity, consisting of legal advice in corporate law and competition law.

3.3.Principle of Freedom

The Processing of Personal Data by Serrano Martínez can only be carried out with the prior, express, and informed consent of the Data Subject.

3.4.Principle of Truthfulness or Quality

The information subject to Processing by the Responsible party must be truthful, complete, accurate, updated, verifiable, and understandable.

3.5.Principle of Transparency

Serrano Martínez guarantees the Data Subject the right to obtain at any time and without restrictions, information about the data subject to Processing by the Responsible party, and that concern the Data Subject.

3.6.Principle of Access and Restricted Circulation

The Processing of Personal Data by Serrano Martínez is subject to the limits derived from the nature of the Personal Data, established in Law 1581 of 2012, Decree 1377 of 2013, the Political Constitution, and other existing provisions on the matter.

3.7.Principle of Security

The Personal Data subject to Processing by Serrano Martínez are collected, stored, used, and deleted using the necessary technical, human, and administrative measures to provide security to the records, avoiding their alteration, loss, consultation, unauthorized or fraudulent use or access.

Serrano Martínez has measures and secure software for the Processing of Personal Data, suitable and proportional to the type of information being processed.

3.8.Principle of Confidentiality

All persons involved in the Processing of Personal Data collected by Serrano Martínez are obliged to ensure the confidentiality of the information, even after their relationship with any of the tasks comprising the Processing of data has ended.

IV. Definitions

For the purposes of this Policy, and unless expressly stated otherwise, words beginning with a capital letter will have the meaning assigned to such terms in this Section IV, whether expressed in singular or plural, or in feminine or masculine.

Authorization” means the prior, express, and informed consent given by the Personal Data Subject to Serrano Martínez for the processing of their Personal Data.

Candidate” means the person who aspires to be hired by Serrano Martínez to perform a certain position.

Client” means the natural or legal person who hires Serrano Martínez for the provision of its services.

Personal Data” means any information linked or that can be associated with one or several determined or determinable persons.

Public Data” means data that is not semi-private, private, or sensitive. Public data includes, among others, data related to the marital status of individuals, their profession or occupation, and their status as a merchant or public servant. By its nature, public data may be located in public records, public documents, gazettes and official bulletins, and judicial decisions that have been duly executed and are not subject to confidentiality.

Sensitive Data” means data that affects the privacy of the Owner or whose improper use can generate discrimination, such as those revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, union membership, social organizations, human rights or that promote interests of any political party or guarantee the rights and guarantees of opposition political parties as well as data related to health, sexual life, and biometric data.

Employee” means the natural person who works at Serrano Martínez under an employment contract.

In Charge” means the natural or legal person, public or private, who by itself or in association with others, carries out the Processing of Personal Data on behalf of the Data Controller.

Supplier” means the natural or legal person that provides products to Serrano Martínez in exchange for an economic remuneration.

Responsible” means the natural or legal person, public or private, who by itself or in association with others, decides on the database and/or the Processing of the data, who for the purposes of this Policy, will be Serrano Martínez.

Holder” means the natural person whose personal data is subject to Processing by the Responsible party.

Transfer” means the process by which the Responsible of the Personal Data, located in Colombia, sends information or the Personal Data to a recipient, who in turn is Responsible for the Processing and is located inside or outside the country.

Transmission” means the Processing of Personal Data that implies the communication of the same within or outside the Colombian territory when it aims at the performance of a Processing by the In Charge on behalf of the Responsible.

Processing” means any operation or set of operations on personal data, such as collection, storage, use, circulation, and/or deletion, which for the purposes of this Policy will be the one established in the Section V below.

V. Processing to which Personal Data will be subjected

The processing of the Data Subject’s Personal Data will be carried out by Serrano Martínez, as the Responsible party, and will consist of collecting, storing, organizing, using, transmitting, transferring, updating, rectifying, deleting, eliminating, and managing the Personal Data of the Data Subject according to their nature, and based on the purposes established below (hereinafter, the “Processing”).

  • Purposes for the Processing of Personal Data of Candidates

The following will be Personal Data of the Candidate:

  • Copy of the Candidate’s identification document.
  • Telephone number, email address and/or address of the Candidate.
  • Contact person(s) of the Candidate.
  • Resume of the Candidate.
  • Other information that Serrano Martínez deems necessary and proportional to request to comply with the process of linking the Candidate to the company.

The Responsible party may do everything established in the Processing of Section V of this Policy, prior Authorization of the Data Subject, provided that it is done for the following purposes: (i) to analyze the information of a Candidate with the purpose of starting a linking process, (ii) to contact the Candidate to express the interest in initiating a linking process, (iii) to verify the veracity and authenticity of the information provided in their resume with the entities where they have completed their studies and held job positions, and (iv) to send their data to partners and clients of Serrano Martínez who are interested in contacting people with their profile to explore a possible employment hiring.

5.2.Purpose for the Processing of Personal Data of the Client

The following will be Personal Data of the Client:

  • Copy of the Client’s identification document.
  • Telephone number, email address, and/or address of the Client.
  • Contact person(s) of the Client.
  • The contract linking the Client and Serrano Martínez.
  • All Public Data of the Client, such as their profession and/or trade.

The Responsible party may do everything established in the Processing of Section V of this Policy, prior Authorization of the Data Subject, and provided that it is done for the following purposes: (i) to fulfill the commercial obligations established within the framework of the contract signed between the Client and Serrano Martínez, (ii) to process and ensure the compliance and delivery of the products and/or services purchased by the Client from Serrano Martínez, (iii) sending advertising about new services of Serrano Martínez, (iv) performing analysis and profiling of the Client that allows defining the services that suit their tastes and preferences, (v) communicating the realization of activities and events organized by Serrano Martínez in Colombia, (vi) sending satisfaction surveys or any other mechanism to evaluate the quality of the services provided by Serrano Martínez.

5.3.Purposes for the Processing of Personal Data of Serrano Martínez’s Employee

The following will be Personal Data of Serrano Martínez’s Employee:

  • Copy of the Employee’s identification document.
  • Telephone number, email address, and/or address of the Employee.
  • Contact person(s) of the Employee.
  • Resume of the Employee.
  • All Public Data of the Employee.
  • The employment contract linking the Employee with the employer.
  • Bank account of which the Employee is the holder.
  • And any other information that Serrano Martínez deems necessary and proportional to request to comply with the employment contract between Employee and employer.

The Responsible party may do everything established in the Processing of Section V of this Policy, prior Authorization of the Data Subject, provided that it is done for the following purposes: (i) to comply with the employer’s labor obligations, as established in labor legislation, the employment contract, and the company’s internal work regulations, such as: affiliation to the Comprehensive Social Security System and payment of contributions, affiliation to the Compensation Fund and payment of contributions, among others, (ii) to make the necessary payments to the bank account indicated by the Employee, or entities expressly indicated by the latter, (iii) to contract life insurance and/or medical expenses or for granting any other benefit that derives from the employment relationship with the employer, (iv) to notify the contact person(s) in case of emergencies during working hours, (v) to maintain the safety and health of workers in the workplace, (vi) to use the information for procedures and documents related to the Employee’s employment relationship with the employer.

5.4.Purposes for the Processing of Personal Data of Suppliers

The following will be Personal Data of the Suppliers:

  • Copy of the identification document of the Supplier, and in the case of a legal entity, its Certificate of Existence and Legal Representation must be provided.
  • Telephone number, email address, and/or address of the Supplier.
  • Supply contract between Serrano Martínez and the Supplier.

The Responsible party may perform the Processing established in Section V of this Policy, prior Authorization of the Data Subject, provided that it is done for the following purposes: (i) to organize the record of supplier information and then execute purchase orders, (ii) to research, verify, and/or validate the information provided by the Supplier, against international lists of crime and money laundering, (iii) to prepare semi-annual reports related to the performance and compliance of the Supplier.

VI. Processing of Sensitive Data

In accordance with Article 6 of Law 1581 of 2012 and Article 6 of Decree 1377 of 2013, the Processing of Sensitive Data may be carried out when the Data Subject has given explicit authorization to such Processing, for which the Responsible party must inform the Data Subject: (i) that being Sensitive Data they are not obliged to authorize its Processing, and therefore, no activity can be conditioned on the provision of Sensitive Data by the Data Subject, and (ii) indicate which of the data subject to Processing are sensitive and the purpose of the Processing itself.

  • Processing of Sensitive Data of the Candidate

The following will be Sensitive Data of the Candidate:

  • Videos, photographs, and fingerprints where biometric data of the Employee are revealed.
  • Information of the Candidate related to his family, and/or the conditions of his housing and security.
  • Medical examinations revealing the health status of the Candidate.
  • And any other data that affects his privacy or whose improper use may generate discrimination.

The Responsible party may collect, store, organize, update, rectify, delete, and eliminate, the Sensitive Data of the Candidate, prior Authorization from the latter, provided that it is done for the following purposes: (i) to identify the Candidate entering the premises of Serrano Martínez, (ii) to allow the Candidate access to the facilities of Serrano Martínez, (iii) to start the study of housing and security conditions to determine entry to Serrano Martínez as an employee, and (iv) to verify if the Candidate meets the physical requirements necessary to perform the job he aspires to.

6.2. Processing of Sensitive Data of Serrano Martínez’s Employee

The following will be Sensitive Data of the Employee of Serrano Martínez:

  • Videos, photographs, and fingerprints where biometric data of the Employee are revealed.
  • The medical history of the Employee.
  • And any other data that affects his privacy or whose improper use may generate discrimination.

The Responsible party may perform the Processing established in the Section III of this Policy, prior Authorization from the latter, provided that it is done for the following purposes: (i) to identify the Employee entering the premises of Serrano Martínez, (ii) to allow the Employee access to the facilities of Serrano Martínez, (iii) to monitor the Employee’s stay in the facilities of Serrano Martínez, (iv) to verify that the Employee is complying with the legal obligations arising from the employment relationship, (v) to provide the necessary security during the trainings and activities carried out by Serrano Martínez for its Employees, (v) to have the necessary medical information of the Employee in case of any medical emergency during working hours at the Serrano Martínez facilities, and (vi) to comply with occupational safety and health regulations.

6.3. Processing of Sensitive Data of the Client 

The following will be Sensitive Data of the Client:

  • All confidential information provided by the Client to Serrano Martínez for the proper development of the Client’s case.
  • Videos and photographs where biometric data of the Client are revealed.

The Responsible party may collect, store, organize, update, rectify, delete, use, and eliminate, the Sensitive Data of the Client, prior Authorization from the latter, provided that it is done for the following purposes: (i) to develop the legal advice or service for which Serrano Martínez was hired, (ii) storage of the confidential information given by the Client to Serrano Martínez for any other advice or service that the Client wishes to acquire from Serrano Martínez in the future, (iii) to identify the Client entering the facilities of Serrano Martínez, and (iv) to allow the entry of the Client to the facilities of Serrano Martínez.

VII. Processing of Personal Data of children and adolescents

Serrano Martínez may collect, store, organize, update, rectify, delete, and/or eliminate Personal Data of the minor children of the Candidate, Employee, or underage Client, prior Authorization from the parents or legal representative of the child or adolescent, in accordance with what is established in Article 7 of Law 1581 of 2012, and in Article 12 of Decree 1377 of 2013.

The purposes for this will be solely and exclusively the following: (i) to identify the child or adolescent during the visits and interviews conducted with a Candidate at their home, (ii) to comply with the employer’s legal labor obligations, such as the registration of the Employee’s beneficiaries in the Social Security System, among others that may arise, (iii) to inform the Employees of Serrano Martínez about recreational and welfare activities that Serrano Martínez organizes for their children, and (iv) to identify the underage Client and provide a service appropriate to their level of maturity and understanding.

VIII. Transfer and Transmission of Personal Data

Serrano Martínez transfers Personal Data of its Clients to firms, entities, and international companies hired by the Client in order to develop the business determined by the Client, and the legal advice for which Serrano Martínez was hired.

  1. Rights of the Personal Data Subject

According to Article 8 of Law 1581 of 2012, the Personal Data Subject has the right to:

  • Know, update, and rectify their personal data with Serrano Martínez, as the Responsible for the Processing of Personal Data.
  • Request proof of the authorization granted to Serrano Martínez, as the Responsible for the Processing.
  • Be informed by Serrano Martínez, upon request, of the use that has been made of their Personal Data.
  • Submit complaints to the Superintendence of Industry and Commerce for the infringement of Law 1581 of 2012 and other norms that modify, add, or complement it.
  • Access their Personal Data provided to the Data Subject for free.
  • Request Serrano Martínez to delete their Personal Data.

X. Duties of Serrano Martínez as Responsible for the Processing of Personal Data

Serrano Martínez, as the Responsible for the Processing of Personal Data provided by the Data Subject, complies with the following duties established in Law 1581 of 2012:

10.1. Guarantees the Data Subject, at all times, the full and effective exercise of the right of habeas data.

 

10.2. Requests and keeps, in the terms established in Law 1581 of 2012, a copy of the authorization granted by the Personal Data Subject.

 

10.3. Properly informs the Data Subject about the purpose of the collection and the rights corresponding to them by the granted authorization.

 

10.4. Keeps the information under the necessary conditions to prevent its alteration, loss, consultation, unauthorized or fraudulent use or access.

 

10.5. Updates the information, and in case of substantial changes in the Processing of the databases, informs the Data Subjects of it.

 

  • Rectifies the information when it is incorrect.
  • Processes the inquiries and claims made by the data subjects within the terms indicated in the law and this Policy.
  • On request of the Data Subject, informs about the use made of their data.
  • Reports to the personal data protection authority when there are breaches of information security standards.
  • Complies with the instructions and requirements issued by the Superintendence of Industry and Commerce.

XI. Policy for handling inquiries and complaints by Serrano Martínez

11.1.      Serrano Martínez guarantees to the Data Subjects, their representatives or proxies, or their successors, the right to consult the personal information of the Data Subject that is contained in any database that is subject to Processing by Serrano Martínez. For which Serrano Martínez has done the following:

 

  • Enabled the email administracion@serranomartinez.com so that the Data Subjects, their representatives or proxies, or their successors, can request Serrano Martínez to consult the information contained in the databases of Serrano Martínez, in the terms of Article 14 of Law 1582 of 2012.
  • Responds to the information inquiries contained in its databases within a maximum term of ten (10) business days from the date of receipt of the same.

 

11.2. Support Solutions guarantees the Data Subject, their representatives or proxy, or their successors, who consider that the information contained in one of the databases of Serrano Martínez should be subject to correction, update or deletion, or when they notice the alleged non-compliance with any of the duties contained in Law 1581 of 2012 and other concordant norms, the right to file a claim, which will be processed under the following rules:

 

    • The claim must be formulated through a request addressed to Serrano Martínez, with the identification of the Data Subject, the description of the facts that give rise to the claim, the address, and accompanied by the documents intended to be enforced. The claim should be directed to administracion@serranomartinez.com. If the claim is incomplete, the interested party will be required within five (5) days following the receipt of the claim to correct the faults. If two (2) months pass from the date of the request without the applicant providing the required information, it will be assumed that they have withdrawn the claim.
    • Once the complete claim is received, a legend stating “claim in process” and the reason for it will be included in the database within no more than two (2) business days. This legend must be maintained until the claim is resolved.
    • Serrano Martínez will address the claim within a maximum period of fifteen (15) business days from the day following the date of its receipt.

     

    XII. Deletion of Data

    The Data Subject has the right to request Serrano Martínez to delete their Personal Data, especially when:

    • They consider that it is not being processed in accordance with the principles, duties, and obligations established in this Policy and the Law.
    • It is no longer necessary or useful for the purpose for which it was collected.
    • The time period necessary for the fulfillment of the purposes for which it was collected has been exceeded.

    The deletion of Personal Data requested by the Data Subject will imply the total or partial elimination of the personal information provided by the Data Subject from the records, files, databases, or processes performed by Serrano Martínez.

    The right of the Data Subject to delete or cancel their Personal Data is not absolute; therefore, there will be events where the request for deletion of information will not be appropriate, and the Responsible for the Processing of Personal Data may deny the exercise of this right:

    • In those events where the Data Subject has a legal or contractual duty to remain in the database of Serrano Martínez.
    • When the deletion of data impedes judicial or administrative actions linked to tax obligations, the investigation and prosecution of crimes, or the updating of administrative sanctions.
    • When the data are necessary to protect the legally protected interests of the Data Subject, to perform an action in the public interest, or to comply with a legal obligation acquired by the Data Subject.

    XIII. Revocation of Authorization

    The Data Subject may revoke at any time the consent they have given to Serrano Martínez for the Processing of their Personal Data, provided that it is not prohibited by legal provision.

    XIV. Information Security

    In the development of the Security Principle established in Law 1581 of 2012, Serrano Martínez has adopted reasonable technical, administrative, and human measures to protect the information supplied by the Data Subjects, in order to prevent its adulteration, loss, consultation, use, or unauthorized or fraudulent access. Access to Personal Data is restricted to its Data Subjects and Serrano Martínez.

    XV. Validity of the Personal Data Processing Policy

    This Policy has been approved by Serrano Martínez as Responsible for the Processing of Personal Data provided by the Data Subject, accepting its content, ordering its implementation and compliance, generally for all individuals linked to the company, and in particular for those referred to in this Policy.

    Serrano Martínez will periodically review this Policy and reserves the right to update it at any time to incorporate any changes and legal requirements that may arise, making such changes public on the website serranomartinez.com.co.