1. INTRODUCTION

NEW STETIC S.A, welcomes this Data Protection Policy, to comply with the provisions of the statutory Act 1581 of 2012, its Regulatory Decree 1377 of 2013 and other related rules, to guarantee the right to privacy, privacy and good name of individuals in the processing of their personal data, which will be conducted taking into account the principles of legality, purpose, freedom, truthfulness or quality, transparency, access and restricted circulation, security and confidentiality.The company is committed to safeguarding the information and complying with the regulations on data protection and the obligations derived from it, treating the data responsibly and in accordance with the consent of the owner, to act with prudence and reserve.

2. SCOPE

This policy applies to all NEW STETIC’s databases and/or files which contain Personal Data and are subject to processing by the party responsible and/or in charge of the processing.

The company shall treat personal data under the terms, conditions, and scopes that the information owner had authorized, except for special rules when a legal exception is applicable.

3. DEFINITIONS

Authorization: It is the consent given by any person so that the companies or persons responsible for the processing of information, can use their personal data. Database: Organized set of personal data that are subject to processing. 

Data controller: The natural or legal person, public or private, who decides on the purpose of the databases and/or the processing thereof. Data subject: The natural person whose personal data is the object of processing. 

Data processor: The natural or legal person who conducts the processing of personal data, based on a delegation made by the data controller, receiving instructions on how the data should be managed. 

Personal data: This is any information that is linked to or can be associated with a specific person, such as their name or identification number, or that can make them identifiable, such as their physical features. 

Privacy notice: It is one of the verbal or written communication options provided by law to inform the owners of the information, the existence and ways to access the policies of processing of information and the purpose of its collection and use. 

Private data: It is data which, due to its intimate or reserved nature, is only relevant to the owner. The tastes or preferences of individuals, for example, correspond to private data. 

Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or suppression.

Public data: Data relating to the civil status of persons, their profession or trade and their status as merchants or public servants, among others, are considered public data. Due to their nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins and duly executed court rulings that are not subject to confidentiality. 

Semi-private data: Data that are not of an intimate, reserved or public nature and whose knowledge or disclosure may be of interest not only to the owner but also to a certain sector or society in general. Financial and credit data from commercial or service activities are some examples. 

Sensitive data: Are those that affect the data subject’s privacy or may result in discrimination, i.e., those that reveal their racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights, as well as data relating to health, sex life, and biometric data, among others. 

Transfer: This is the operation conducted by the person responsible or in charge of the processing of personal data, when he/she sends the information to another recipient, which, in turn, becomes responsible for the processing of such data and is located inside or outside the country.

Transmission: Processing of personal data that involves the communication of such data within or outside the territory of the Republic of Colombia when the purpose is the performance of a processing operation by the processor on behalf of the data controller.

4. PROCESSING OF PERSONAL DATA AND PURPOSES OF COLLECTION

4.1. PROCESSING OF EMPLOYEES PERSONAL DATA

NEW STETIC, will process personal and sensitive data, which includes the collection, storage, use, circulation, transmission, updating, rectification, and deletion, for the following purposes:

4.2. EMPLOYEES PURPOSES

• Comply with the obligations arising from the employment relationship, agreements and / or service contracts.

• Manage procedures, requests, certification of documents, communicating information, registration of income, updating information, training and other administrative procedures and activities in which employees, pensioners and their families are related or linked to NEW STETIC.

• Collect information for company events that include employees and family members, with pre-event information and photographic record.

• Perform administrative management, provide information for affiliation to social security, compensation fund, photographic record and company events for minors.

• Contact family members in case of emergency or any eventuality that may require it.

• Keep medical concepts for employee follow-up and/or procedures with competent medical personnel of the ARL (Occupational Risk Management company, Spanish acronym). 

• Evaluate the qualification to perform a position or function, validate study certificates, confirm references and communicate available positions.

• Communicate personal data to temporary companies on the occasion of their employment.

• Contact through electronic means, cell phone or mobile device, physical and/or personal, or through any analog and/or digital means of communication, known or to be known, to send information.

• Transmit personal data to national third parties.

• Collect biometric data such as fingerprints and images recorded in photographs and videos.

• Use their image in the company’s media.

• Perform tests to detect the consumption of alcohol, drugs and other addictions prior to hiring, when there is justifiable suspicion and randomly when deemed necessary.

4.3. PROCESSING OF CUSTOMER’S PERSONAL DATA

The company will collect, store, and use its customers personal data with the following purposes:

4.4. CUSTOMERS PURPOSES:

• To conduct the relevant actions for the development of the company’s corporate purpose in relation to the fulfillment of the contractual object and/or commercial relationship with the Data Subject. 

• Conduct invitations to events and offer new products and services; manage procedures (requests, complaints, claims). Conduct satisfaction surveys regarding the goods and/or services offered by NEW STETIC.

• Provide contact information to the sales force and/or distribution network, telemarketing, market research and any third party with which NEW STETIC S.A. has a contractual relationship for the development of such activities (market research and telemarketing, etc.) for the execution thereof. 

• Contact the Data Subject through telephone means to conduct surveys, studies and/or confirmation of personal data necessary for the execution of a contractual and/or commercial relationship. 

• Contact the Data subject through electronic means – SMS or chat to send news related to loyalty campaigns or service improvement. 

• Contact the Data Subject through e-mail to send account statements or invoices in relation to the obligations arising from the contract entered into between the parties, Transmit personal data outside the country to third parties with whom NEW STETIC S.A. has entered into a data processing contract and it is necessary to deliver it to them for the fulfillment of the contractual object, Provide the services offered by NEW STETIC S.A. and accepted in the contract entered into.

• Taking photographic images.

4.5. PROCESSING OF SUPPLIERS DATA

NEW STETIC S.A shall be responsible for the collection, storage, and use of its supplier’s personal data with the following purposes:

4.6. SUPPLIERS PURPOSES

• Comply with the obligations arising from the legal relationship established with the supplier.

• Integrate their file as a supplier of the organization.

• Make requests for the service or products it provides.

• Prepare purchase orders for goods and services.

• Evaluate the performance, level of compliance and quality of the services or products provided.

• Monitoring of own vehicles (merchandise).

• Sending invoices, payments, and certificates.

• Registration of internal procedures and compliance with accounting, tax, and legal obligations.

• Requesting commercial references, updating information and internal control. 

• Perform supplier qualification; assurance (purchase orders) and audits.

• Management of indicators and legal advice on contracts.

• Information in which contractors and their employees are related or linked to NEW STETIC S.A.

5. PRINCIPLES FOR PERSONAL DATA PROCESSING

For an appropriate application of the law, compliance with the following principles shall be a fundamental basis:

Principle of purpose: The purpose of the Processing must obey a legitimate purpose in accordance with the Constitution and the Law, where the Data subject of the information must be informed.

Principle of legality in data processing: The Processing referred to in the law is a regulated activity that must be subject to the provisions set forth therein and in the other provisions that develop it.

Principle of Freedom: Data may only be processed with the prior, express and informed consent of the Data Subject. In addition, the collection and disclosure of personal data may not be conducted without prior authorization and will only be allowed through a legal or judicial order that relieves the consent.

Principle of truthfulness or quality: The data to be processed must be truthful, complete, accurate, updated, verifiable and understandable. Partial, incomplete, fractioned or misleading data may not be processed.

Principle of transparency: The data controller or data processor must guarantee, without restrictions, the right to obtain information about the existence of data that corresponds to him/her, informing clearly, expressly and keeping proof of compliance with this duty:

• The treatment to which your data will be submitted and its purpose.

• The optional nature of the answer of the Data Subject to the questions asked when they deal with sensitive data or data of children or adolescents.

• The rights of the Data Subject.

• The identification, physical address, e-mail and telephone number of the data controller.

Principio de acceso y circulación restringida: El tratamiento de los datos personales, sólo podrá realizarse por las personas autorizadas por el titular y/o por las personas previstas en ley 1581 de 2012. El Tratamiento se sujeta a los límites que se derivan de la naturaleza de los datos personales, de las disposiciones de la presente ley y la Constitución. Los datos personales, salvo la información pública, no podrán estar disponibles en Internet u otros medios de divulgación o comunicación masiva, salvo que el acceso sea técnicamente controlable para brindar un conocimiento restringido sólo a los Titulares o terceros autorizados conforme a la presente ley.

Principle of restricted access and circulation: The processing of personal data may only be conducted by persons authorized by the data subject and/or by the persons provided for in Act 1581 of 2012. The treatment is subject to the limits arising from the nature of personal data, the provisions of this law and the Constitution. Personal data, except for public information, may not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to the Data subjects or authorized third parties in accordance with this law.

Security Principle: The information subject to Processing by NEW STETIC S.A. or the Data Processor, is done under the technical, human and administrative measures necessary to provide security to the records avoiding their adulteration, loss, inquiry, use or unauthorized or fraudulent access. The company will ensure to have all the corresponding security measures and to make them known to all persons who have direct or indirect access to the data. Users accessing the information systems of NEW STETIC S.A. must know and comply with the security rules and measures corresponding to their functions. These rules and security measures are included in the Internal Security Manual, which must be complied with by all users and company personnel. Any modification of the rules and measures regarding the security of personal data by the data controller must be made known to the users.

Principle of confidentiality: All persons involved in the processing of personal data that are not of a public nature are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks involved in the processing, and may only provide or communicate personal data when it corresponds to the development of the activities authorized in this law and under the terms thereof.

6. RIGHTS OF DATA SUBJECTS OF PERSONAL DATA

The following are the rights of the data subjects of personal data, which can be exercised at any time as stated in Act 1581 of 2012:

• Right to know, update and rectify their personal data against the data controllers or data processors. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or data whose processing is expressly prohibited or has not been authorized.

• The right to request proof of the authorization granted to the data controller, except when expressly exempted as a requirement for the processing, in accordance with the provisions of Article 10 of Act 1581 of 2012.

• Right to be informed by the Data Controller or the Data Processor, upon request, regarding the use given to their personal data.

• Right to file complaints before the Superintendence of Industry and Commerce for violations of the provisions of this law and other rules that modify, add or complement it.

• Right to revoke the authorization and/or request the deletion of the data when the processing does not respect the principles, rights and constitutional and legal guarantees. The revocation and/or deletion shall proceed when the Superintendence of Industry and Commerce has determined that the data controller or processor has engaged in conduct contrary to this law and the Constitution.

• Right to access free of charge to your personal data that have been subject to processing.

6.1. THOSE RIGHTS MAY BE EXERTED BY:

• The data subject, who must prove his/her identity sufficiently by the different means made available by NEW STETIC S.A.

• The assignees of the data subject, who must prove such capacity. 

• The representative and/or attorney-in-fact of the data subject, prior accreditation of the representation or power of attorney. 

• Other in favor or for whom the data subject has stipulated.

6.2. RIGHTS OF CHILDREN AND ADOLESCENTS:

It is forbidden to process personal data of children and adolescents, except in the case of data of a public nature, and when such processing complies with the following parameters and/or requirements: 

• That they respond to and respect the best interests of children and adolescents. 

• That it ensures respect for their fundamental rights. 

The legal representative of the children or adolescents will grant the authorization, after the minor has exercised his or her right to be heard, an opinion that will be assessed considering the maturity, autonomy, and capacity to understand the matter, after having complied with the above requirements.

7. DATA SUBJECT´S AUTHORIZATION

NEW STETIC, to conduct the proper processing of personal data, will require the prior and informed authorization of the Data Subject, which must be obtained by any means that may be subject to subsequent inquiry, without prejudice to the exceptions provided by law. These mechanisms may be predetermined through technical means that facilitate the automated manifestation to the Data subject.

7.1. THE AUTHORIZATION SHALL MEET THE REQUIREMENTS WHEN IT IS DONE:

• In written form

• Orally

• Through unequivocal conduct by the data subject that allows the reasonable conclusion that he/she granted the authorization.

7.2. IT SHALL NOT BE NECESSARY TO HAVE THE DATA SUBJECT’S AUTHORIZATION, IN THESE CASES:

• Information required by a public or administrative entity in the exercise of its legal functions or by court order.

• Data of a public nature

• Cases of medical or health emergency.

• Processing of information authorized by law for historical, statistical, or scientific purposes.

• Data related to the Civil Registry of Persons.

The delivery of the requested personal information shall be recorded, indicating the obligation to guarantee the rights of the Data Subject, both to the officer who makes the request, to the person who receives it, as well as to the requesting entity.

Whoever accesses personal data without prior authorization must in any case comply with the provisions contained in the law.

8. DUTY TO INFORM THE DATA SUBJECT

When authorization is requested for data processing, NEW STETIC, as the party responsible for such processing, shall clearly and expressly state the following:

•The processing to which personal data will be subjected and the purpose thereof.

•The optional nature of the answer to the questions asked, when they deal with sensitive data or data of children and adolescents.

•The rights that assist the data subject.

•The identification, physical or electronic address and telephone number of the data controller.

In all cases it will be essential to keep proof of compliance with the provisions of the paragraph above, and in cases where the data subject so requests, provide a copy thereof.

9. PERSONS TO WHOM THE INFORMATION CAN BE PROVIDED

NEW STETIC can provide information to others, when the conditions established in Act 1581 of 2012 are met: 

• To the data subjects, their assignees, or legal representatives.

• To public or administrative entities exercising their legal functions or by means of court order.

• To third parties authorized by the Data subject or the law. 

10. RIGHT TO ACCESS AND INQUIRY

• The Data Controllers or their assignees may consult the personal information of the Data Subject contained in any of NEW STETIC’s databases. The Data Controller or Data Processor shall provide them with all the information contained in the individual record or that is linked to the identification of the Data Subject.

• The inquiry shall be formulated by the means enabled by the company to maintain proof of this.

• The inquiry shall be answered within a maximum term of ten (10) business days from the date of receipt thereof. When it is not possible to attend the inquiry within such term, the interested party shall be informed, stating the reasons for the delay and indicating the date on which the inquiry will be attended, which in no case may exceed five (5) business days following the expiration of the first term.

10.1. RIGHT TO COMPLAINTS AND CLAIMS

When it is considered that the information contained in a database should be corrected, updated or deleted, or when they notice the alleged breach, the Data Subject or their assignees may file a complaint with NEW STETIC, which will be processed under the following rules:

• The claim shall be formulated by means of a request addressed to the company with the identification of the Data subject, the description of the facts that give rise to the claim, the address, and accompanying the documents to be asserted. If the claim is incomplete, the interested party will be required within five (5) days following receipt of the claim to correct the faults. After two (2) months from the date of the requirement, without the applicant submitting the required information, it will be understood that the claim has been abandoned.

• If the person receiving the claim is not competent to resolve it, he/she will transfer it to the appropriate person within a maximum term of two (2) business days and will inform the interested party of the situation.

• Once the complete claim has been received, a legend will be included in the database stating “claim in process” and the reason for the claim, within a term not exceeding two (2) business days. Said legend shall be maintained until the claim is decided.

• The company shall have a maximum term of fifteen (15) business days from the day following the date of receipt of the claim. When it is not possible to attend the claim within such term, the interested party shall be informed of the reasons for the delay and the date on which the claim will be attended, which in no case may exceed eight (8) business days following the expiration of the first term.

The data subject or assignee may only file a complaint before the Superintendency of Industry and Commerce once he/she has exhausted the inquiry or complaint process before the Data Controller or Data Processor.

10.2. EXERCISE OF THE RIGHTS OF THE OWNERS 

10.2.1. RIGHT TO ACCESS

NEW STETIC, will maintain mechanisms that are always available and that are simple and agile at the time of accessing the information of your personal data to exercise your rights over them. In addition, you will be able to consult your personal data free of charge in two cases:

1. At least once every calendar month, 

2. Whenever there are substantial modifications to the Information Processing Policies that motivate new inquiries. 

For inquiries, whose periodicity is greater than one per calendar month, NEW STETIC S.A., may only charge the data subject the costs of shipping, reproduction and, where appropriate, certification of documents. Reproduction costs may not be higher than the costs of recovery of the corresponding material. For such purpose, the responsible party shall demonstrate to the Superintendence of Industry and Commerce, when so required, the support of such expenses.

The requested information may be provided by any means, including electronic ones, as required by the Data subject. The information must be easy to read, without technical barriers that prevent its access and must correspond in its entirety to the information contained in the database.

11. PROCEDURE TO ADDRESS THE RIGHTS OF THE DATA SUBJECTS

11.1. PROCEDURE FOR INQUIRIES:

NEW STETIC and/or its Agents, guarantee the data subjects of personal data contained in its databases, their assignees or authorized persons, the right to consult all the information contained in their individual record or all that which is linked to their identification as established in this Personal Data Processing Policy.

11.2. RESPONSIBLE FOR INQUIRY SERVICES:

The company’s Personal Data Protection Officer shall be responsible for receiving and processing the requests submitted, under the terms, deadlines and conditions established in Act 1581 of 2012 and in this policy. 

Minimum information that must contain the queries addressed to the company:

1. Name and surname of the Data subject.

2. Photocopy of the Data subject’s ID card and, if applicable, of the person representing him/her, as well as the document proving such representation.

3. Request in which the request for access or inquiry is specified.

4. Address for notifications, date and signature of the applicant.

5. Supporting documents of the request made, when applicable.

Once the request for INQUIRY of information is received by the Data Subject or his/her representative or duly authorized third party, through the channels established by NEW STETIC, the Personal Data Protection Officer will proceed to verify that the request contains all the required specifications to assess that the right is exercised by a data subject or his/her representative, thus proving that he/she has the legal legitimacy to do so. 

11.3. RESPONSE TIMES TO INQUIRIES:

Inquiries will be answered within a maximum term of ten (10) business days from the date of receipt, requests received through the above means will be answered within ten (10) business days from the date of receipt.

11.4. EXTENSION TO THE RESPONSE TIME:

In case of impossibility to attend the inquiry within such term, NEW STETIC will inform the interested party before the expiration of ten (10) days, stating the reasons for the delay and indicating the date on which the inquiry will be attended, which in no case may exceed five (5) working days following the expiration of the first term.

12. COMPLAINTS PROCEDURE

12.1. RIGHTS GUARANTEED BY MEANS OF THE COMPLAINTS PROCEDURE:

Correction or Update: NEW STETIC and/or the Data Processors will guarantee the data subjects of personal data contained in its databases or their assignees, the right to correct or update the personal data contained in its databases, by filing a claim, when they consider that the parameters established by law or those indicated in this Policy for the Processing of Personal Data are met in order for the request for Correction or Update to be valid. 

Revocation of Authorization or Suppression of Personal Data: NEW STETIC and/or the Data Processors shall guarantee the data subjects of personal data contained in its databases or their assignees, the right to request the revocation of the authorization or request the suppression of the information contained in their individual record or any information related to their identification when they consider that the parameters established by law or those indicated in this Personal Data Processing Policy are met. Likewise, the right to file claims is guaranteed when they notice the alleged breach of Act 1581 of 2012 or of the present Personal Data Processing Policy. 

Attention to Claims: The Company’s Personal Data Protection Officer shall be responsible for receiving and processing the requests submitted, in the terms, terms and conditions established in Act 1581 of 2012 and in the present policies. 

12.2. MINIMUM INFORMATION TO BE CONTAINED IN CLAIMS:

1. Data subject’s name and surnames. 

2. Photocopy of the Data subject’s ID card, and, if applicable, of the person representing him/her, as well as the document proving such representation.

3. Request in which the request for access or inquiry is specified.

4. Address for notifications, date and signature of the applicant.

5. Supporting documents of the request made, when applicable.

Once the information CLAIM request is received from the Data Subject or his/her representative or duly authorized third party, through the channels established by NEW STETIC, the Personal Data Protection Officer will proceed to verify that the request contains all the required specifications to assess that the right is exercised by a data subject or his/her representative, thereby proving that he/she has the legal legitimacy to do so. 

Claims without compliance with legal requirements: In the event that the claim is filed without compliance with the above legal requirements, the company will request the claimant within five (5) days after receipt of the claim, to correct the faults and submit the missing information or documents. 

Withdrawal of the Claim: After two (2) months from the date of the request without the applicant submitting the required information, it will be understood that the claim has been withdrawn. 

Receipt of claims that do not correspond to the Entity: In the event that the company receives a claim addressed to another organization, it will transfer it to the corresponding party within a maximum term of two (2) business days and will inform the claimant of the situation. 

Inclusion of legend in the database: Within a maximum term of two (2) business days from the receipt, the company will include in the database where the personal data of the Data subject are located, a legend that reads “claim in process” and the reason for the claim. Said legend shall be maintained until the claim is decided. 

Deadlines for Responding to Claims: The maximum term to address the claim shall be fifteen (15) business days counted from the day following the date of its receipt. 

Extension of the Response Deadline: When for any circumstance it is not possible to respond to the claim within such term, the interested party will be informed of the reasons for the delay and the date on which the claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term. 

Procedure for the Suppression of Personal Data: When the Suppression of the personal data of the data subject of the database is appropriate according to the claim filed, the company shall operationally perform the suppression in such a way that the elimination does not allow the recovery of the information, however, the Data subject must take into account that in some cases certain information must remain in historical records in compliance with legal duties of the organization, so its suppression will be related to the active treatment thereof and according to the request of the data subject.

13. RIGHT TO UPDATE, RECTIFY, AND DELETE

In compliance with the principle of truthfulness or quality, in the processing of personal data, reasonable measures must be taken to ensure that the personal data contained in the databases are accurate and sufficient and, when so requested by the Data Subject or when the data controller has been able to notice it, are updated, rectified or deleted, in such a way as to satisfy the purposes of the processing.

14. SPECIAL CATEGORIES OF DATA

14.1. SENSITIVE DATA

Sensitive data are those that affect the data subject’s privacy or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sex life and biometric data.

14.2. PROCESSING OF SENSITIVE DATA

Cases in which NEW STETIC may process sensitive data:

• When the Data Subject has given his explicit authorization to such Processing, except in cases where, according to legislation, the granting of such authorization is not required.

• When the Processing is necessary to safeguard the vital interest of the Data Subject and he/she is physically or legally incapacitated. In these events, the legal representatives must grant their authorization. 

• When the Processing refers to data that are necessary for the recognition, exercise or defense of a right in a judicial process. 

• When the Processing has a historical, statistical or scientific purpose. In this event, the measures leading to the suppression of the identity of the Data Controllers must be adopted.

In any case, NEW STETIC S.A., will abide by what is defined in the current regulations on data protection according to the guidelines established in the cases foreseen as exceptions in which data processing is applicable.

15. ATTENTION TO DATA OWNERS

NEW STETIC S.A, has designated a Data Protection Officer who will be responsible for the attention of requests, queries and claims before which the Data Subject may exercise his/her rights, in the following channels:

Digital channel: The data subjects of the information may exercise their rights through electronic means to the address [email protected] or on the website www.newstetic.com.

Physical channel: Data owners may go to the address Carrera 53 # 50 – 09 in Guarne, Antioquia, to submit queries and claims.

16. DUTIES OF NEW STETIC AND DATA PROCESSORS

16.1. DUTIES OF NEW STETIC:

The company, as the data controller, shall comply with the following duties, without prejudice to the other provisions of the law and others governing its activity: 

• Guarantee the Data Subject, at all times, the full and effective exercise of the right of habeas data. 

• Request and keep, under the conditions provided by law, a copy of the respective authorization granted by the Data Subject. 

• Duly inform the Data Subject about the purpose of the collection and the rights he/she has by virtue of the authorization granted. 

• Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access. 

• Ensure that the information provided to the Data Processor is truthful, complete, accurate, current, verifiable and understandable. 

• Update the information, communicating in a timely manner to the Data Processor, all developments with respect to the data previously provided and take other necessary measures to ensure that the information provided to this is kept up to date. 

• Rectify the information when it is incorrect and communicate the relevant information to the Data Processor. 

• To provide the Data Processor, as the case may be, only data whose processing is previously authorized in accordance with the provisions of the law. 

• Require the Data Processor at all times to respect the security and privacy conditions of the Data Subject’s information. 

• To process the queries and claims formulated in the terms set forth in the law. 

• Adopt specific procedures to ensure proper compliance with the law and especially for the attention of queries and claims. 

• Inform the Data Processor when certain information is under discussion by the Data Subject, once the claim has been filed and the respective process has not been completed. 

• Inform at the request of the Data Subject about the use of his/her data. 

• Inform the data protection authority when there are violations to the security codes and there are risks in the administration of the information of the Data Controllers.

16.2. DUTIES OF THE DATA PROCESSORS:

The Data Processors shall comply with the following duties, without prejudice to the other provisions set forth in the law and others governing their activity: 

• Guarantee the Data Subject, always, the full and effective exercise of the right of habeas data. 

• Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access. The persons in charge shall comply with the minimum-security conditions defined in the National Registry of Databases.

• Timely update, rectification, or deletion of data under the terms of Act 1581 of 2012 and other concordant and current regulations. 

• Update the information reported by the data controllers within five (5) business days from its receipt. 

• Process queries and claims made by the Data Controllers under the terms set forth in this policy. 

• Adopt an internal Manual of policies and procedures to ensure proper compliance with the law and for the handling of queries and claims by the Data subjects. 

• Register in the databases the legend “claim in process” in the manner regulated by law. 

• Insert in the database the legend “information under judicial discussion” once notified by the competent authority about judicial processes related to the quality of the personal data. 

• Refrain from circulating information that is being disputed by the Data Subject and whose blocking has been ordered by the Superintendence of Industry and Commerce.

• Allow access to the information only to the persons who may have access to it. 

• Inform the Superintendence of Industry and Commerce when there are violations to the security codes and there are risks in the administration of the information of the Data subjects. 

• Comply with the instructions and requirements given by the Superintendence of Industry and Commerce.

• Verify that the data controller has the authorization for the processing of personal data of the Data Subject.

17. SECURITY MEASURES

NEW STETIC manages the information stored in its databases with the technical, human and administrative measures necessary to provide security to the records, avoiding its adulteration, loss, consultation, use or unauthorized or fraudulent access. 

In addition, the company, in the signing of the transmission contracts, has requested to the data processors the implementation of security measures to ensure the security and confidentiality of information in the processing of personal data.

18. PERSONAL DATA INCIDENT MANAGEMENT PROCEDURE

NEW STETIC, will ensure compliance with the due process for security incidents that may occur in the organization and that may jeopardize the confidentiality, availability and integrity of the information contained in the databases and which will generate the following activities:

Incident Notification: The Data Protection Officer must be informed when a security incident occurs that is putting the personal information of the owners at risk, so that he/she can inform the owners according to the type of incident and also report it in the National Database Registry.

Incident Management: All those responsible for the organization that have personal data under their custody, must report any activity that jeopardizes the confidentiality, integrity and availability of the information and that goes against the defined policies.

Identification: Any suspicious activity that may threaten the information of the owners, must be analyzed to establish whether or not it is a security incident, also to follow the due process and report as established in the regulations.

Report: Whatever the action that violates or jeopardizes the information of the owners, it must be immediately reported to the data protection officer, to initiate the appropriate procedures through the areas in charge and thus, make the corresponding verifications that lead us to manage the incident in a timely and appropriate manner. 

Containment, Investigation and Diagnosis: We must ensure that investigations are initiated to determine the reasons that caused the incident, and also ensure that everything is properly documented to have proof of it. It is also important if so required to request support from the legal area, if legal action follows.

Solution: The person in charge, as well as those responsible for the care and custody of the information of the owners, must ensure that the security incident does not happen again, which is why it must be ensured to manage and change everything that violates the information. 

Incident Closure and Follow-up: All actions that lead to solve the security incidents will be analyzed and implemented through the areas in charge, and an annual report of the incidents presented will be made, to prevent any other eventuality.

Reporting of incidents to the SIC as control authority: All security incidents that put the information of the owners at risk must be reported to the National Database Registry within fifteen (15) working days following the moment in which the incident is identified, which will be managed by the data protection officer.  

Finally, the company shall notify the data subjects of the incident, when it is identified that they may be affected by the incident.

19. RISK MANAGEMENT ASSOCIATED WITH DATA PROCESSING

NEW STETIC has implemented within this policy the processes and procedures to manage risks to mitigate their causes through internal security policies contained in the manual.

The company contemplates the tools, indicators and resources necessary for its administration, taking into account its organizational structure; internal processes and procedures, the amount of database and types of personal data processed by the organization that could be exposed to frequent or high impact events or situations that affect the proper provision of the service or threaten the information of the owners. 

The policy takes into account sources such as: technology, human resources, infrastructure and processes that require protection, their vulnerabilities and threats, to assess their level of risk. Therefore, to guarantee the protection of personal data, the type or group of internal and external persons, the different levels of access authorization will be taken into account. Likewise, the possibility of occurrence of any type of event or action that may cause damage (material or immaterial) will be observed, such as: 

Criminality: Understood as actions, caused by human intervention, which violate the law and are penalized by it.

Events of physical origin: Understood as natural and technical events, as well as events indirectly caused by human intervention.

Negligence and institutional decisions: Understood as actions, decisions or omissions on the part of people who have power and influence over the system. At the same time, they are the least predictable threats because they are directly related to human behavior.

The company establishes within the policy the protection measures to avoid or minimize damages in case a threat materializes.

20. DATA TRANSFER TO THIRD COUNTRIES

As provided in Article 26 of Act 1581 of 2012, the transfer of personal data of any kind to countries that do not provide adequate levels of data protection is prohibited. It is understood that a country offers an adequate level of data protection when it complies with the standards set by the Superintendence of Industry and Commerce on the matter, which in no case may be lower than those required by this law to its recipients.

20.1. THIS PROHIBITION SHALL NOT RULE IN THE CASES OF:

• Information with respect to which the Data Subject has given express and unequivocal authorization for the transfer.

• Exchange of medical data, when so required by the Processing of the Data Subject for reasons of health or public hygiene.

• Banking or stock exchange transfers, in accordance with the applicable legislation.

• Transfers agreed within the framework of international treaties to which the Republic of Colombia is a party, based on the principle of reciprocity.

• Transfers necessary for the execution of a contract between the Data Subject and the Data Controller, or for the execution of pre-contractual measures, as long as the Data Subject’s authorization is obtained.

• Transfers legally required to safeguard the public interest, or for the recognition, exercise or defense of a right in a judicial process.

• In cases not contemplated as an exception, the Superintendence of Industry and Commerce shall be responsible for issuing the declaration of conformity regarding the international transfer of personal data.

21. BIOMETRIC DATA PROCESSING

The biometric data contained in the company’s databases are collected and processed for strictly security purposes, to identify personnel and perform access control to employees, customers and visitors. Biometric identification mechanisms capture, process and store information related to the physical traits of individuals (fingerprints and facial features), to establish or “authenticate” the identity of each subject.

The management of biometric databases is conducted with technical security measures that guarantee the due compliance with the principles and obligations derived from the Statutory Law on Data Protection, also ensuring the confidentiality and reserve of the information of the owners.

22. NATIONAL DATA BASES REGISTRY

NEW STETIC S.A., registered its databases along with this Personal Data Processing Policy, in the National Registry of databases administered by the Superintendence of Industry and Commerce, as established in the regulations and will make updates to the changes that may occur in the same, as contemplated in Article 25 of Law 1581 and its regulatory decrees.

23. PROTECTION, SECURITY, AND CONFIDENTIALITY OF INFORMATION AND PERSONAL DATA

The company has established policies, guidelines, procedures and processes focused on data protection, which may vary if there are changes in the regulations or if it is required to apply any change that the company determines to safeguard the information, always focusing on security, confidentiality and reserve. 

In addition, NEW STETIC guarantees that, in the collection, storage, use, treatment, destruction or elimination of the information provided, it is conducted using technological tools focused on secure mechanisms in the transmission and storage, as well as in the restriction of access to the information and backup.

In cases where it is necessary to transfer the information to a person in charge due to a contractual relationship, NEW STETIC, subscribes data transmission contracts, with the purpose of always guaranteeing the security, confidentiality and reserve of the information, thus complying with the normative guidelines, policies, information security manuals and protocols of attention to the data subjects.

24. SCOPE OF APPLICATION

The data processing policy shall be applicable to all the organization’s stakeholders, including employees, customers, suppliers, and others.

25. EFFECTIVENESS

The databases held by NEW STETIC S.A. will be processed for as long as it is reasonable and necessary for the defined purpose. Once these purposes of treatment are fulfilled, and without prejudice to legal regulations that provide otherwise, the personal information will be deleted, except if there is a legal or contractual obligation that requires its preservation. These databases have been created without a defined period of validity.

When there are substantial changes in the personal data treatment policies, the owners will be informed so that they can consult it through the different means enabled by the company for such purpose, or through open notices in NEW STETIC’s offices. 

This processing policy remains in force since November 02, 2016, and was updated on November 11, 2021.