Purpose

For Tecnofactory S.A.S.-BIC, committed to the strictest compliance with the law and the protection of individuals' rights, such as habeas data, privacy, intimacy, good name, and image; and in furtherance of our policy of total responsibility, the preservation, protection, and integrity of the personal data you have provided to us is very important.

To this end, this policy establishes the terms, conditions, and purposes under which Tecnofactory S.A.S.-BIC will process the personal data freely and voluntarily provided, in person or virtually, collected directly from national and international branches, or through consortia or temporary unions of which it is a member.

Scope

This Personal Data Protection Policy will apply to all databases and/or files containing personal data that are processed by Tecnofactory S.A.S.-BIC, considered the data controller and/or processor.

Identification of the personal data controller:
Tecnofactory S.A.S.-BIC Identified NIT. 901184760-7

Contractual address:
Carrera 13 No. 96-67. Office 309
Bogotá D.C.

Telephone:
+ 57 601 7434850.

Emails
comercial@tecnofactory.com.co
administracion@tecnofactory.com.co

DEFINITIONS

Authorization

The consent given by any person for companies or individuals responsible for information processing to use their personal data.

Privacy Notice

This is one of the verbal or written communication options provided by law to inform data subjects of the existence and ways to access information processing policies and the purpose of their collection and use.

Database

An organized set of personal data that is subject to processing.

Personal data

This refers to any information linked to or that can be associated with a specific person, such as their name or identification number, or that can make them identifiable, such as their physical characteristics.

Private Data

Data that, due to its intimate or reserved nature, is only relevant to the data subject.

Public Data

Public data includes, among others, data relating to a person's marital status, their profession or occupation, and their status as a businessperson or public servant.

Semi-Private Data

Data that is not intimate, reserved, or public in nature and whose knowledge or disclosure may be of interest not only to the data subject but also to a certain sector or society in general.

Sensitive Data

Data that affects the data subject's privacy or may lead to discrimination, that is, data that reveals their racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, or human rights organizations, as well as data relating to health, sexual life, and biometric data, among others.

Data Processor

The natural or legal person who processes personal data, based on a delegation from the data controller, receiving instructions on how the data should be managed.

Data Controller

The natural or legal person, public or private, who decides on the purpose of the databases and/or their processing.

Data Owner

The natural person whose personal data is being processed.

Transfer

This is the operation carried out by the controller or processor of personal data, located in Colombia, sending the information or personal data to a recipient, who is in turn the controller and is located within or outside the country.

Transmission

Processing of personal data involves communicating it within or outside the territory of the Republic of Colombia when the purpose is to carry out processing by the processor on behalf of the controller.

Processing

Any operation or set of operations involving personal data, such as collection, storage, use, circulation, or deletion.

GUIDED PRINCIPLES

1. Principle of legality in data processing.

The processing referred to in this policy is a regulated activity that must be subject to the provisions of the rules and regulations that implement it.

2. Principle of purpose

The processing must comply with a legitimate purpose in accordance with the Constitution and the law, which must be communicated to the data subject.

3. Principle of Freedom

Processing may only be carried out with the prior, express, and informed consent of the data subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial order that waives consent.

4. Principle of Truthfulness or Quality

The information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. The processing of partial, incomplete, fragmented, or misleading data is prohibited.

5. Principle of Transparency

In the processing process, the data subject's right to obtain from the data controller or the data processor, at any time and without restrictions, information about the existence of data concerning them must be guaranteed.

6. Principle of Restricted Access and Circulation

The processing is subject to the limits derived from the nature of the personal data, the provisions of this law, and the Constitution. In this regard, processing may only be carried out by people authorized by the data subject and/or by the persons specified in this policy. Personal data, except for public information, may not be made available on the internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to the data subject or authorized third parties.

7. Security Principle

The information subject to processing by the data controller or data processor referred to in this policy must be handled with the necessary technical, human, and administrative measures to ensure the security of the records, preventing their alteration, loss, unauthorized or fraudulent access, use, or consultation.

8. Confidentiality Principle

All persons involved in the processing of non-public personal data are required to guarantee the confidentiality of this information, even after their relationship with any of the tasks involved in the processing has ended. They may only provide or communicate personal data when it corresponds to the development of the activities authorized in this policy and under the terms of this policy.

PROCESSING AND PURPOSE

The collection, storage, use, and circulation of the personal data provided by the data subjects by Tecnofactory S.A.S.-BIC, as the data controller, will be used to carry out the company's functions in accordance with the legal relationship with each of these:

Visitors

Personal data will be used to securely record and control entries and exits from our offices; Likewise, they may be used to address internal emergency plans in risk situations that arise during their stay at the Tecnofactory S.A.S.- BIC facilities.

Clients and Suppliers

Personal data that forms part of contracts and/or documents covering services and/or business relationships and that are provided to all areas of the company will be used for the purposes of receiving or providing services related to the contractual relationship, informing about changes or new services, fulfilling obligations with our clients and suppliers, evaluating service quality, and conducting internal studies, as well as for its transmission.

Employees

Personal data will be used during participation in the recruitment process and will be used for the following purposes: identification, location, communication, contact, and sending information related to the potential hiring process and/or, in the case of an employment relationship, civil or commercial, in relation to the payment of salaries, social benefits, and other remuneration stipulated in the employment contract, as well as its transmission to branches within and outside the country for the same purposes.

PROCESSING OF SENSITIVE DATA

The processing of sensitive personal data is prohibited by law, unless expressly authorized in advance by the data subject, among other exceptions established in Article 6 of Law 1581 of 2012. In this case, in addition to complying with the requirements established for authorization,Tecnofactory S.A.S.- BIC must: (I) Inform the data subject that, since the data is sensitive, they are not required to authorize its processing. (II) Inform the data subject which of the data to be processed is sensitive and the purpose of the processing.

DUTIES OF THE PERSONAL DATA CONTROLLER

1. To guarantee the data subject the full and effective exercise of the right to habeas data at all times.
2. Request and retain, under the conditions provided for in the aforementioned law, a copy of the respective authorization granted by the data subject.
3. Duly inform the data subject about the purpose of the collection and the rights they have by virtue of the authorization granted.
4. To keep the information under the necessary security conditions to prevent its alteration, loss, unauthorized or fraudulent access, use, or consultation.
5. Ensure that the information provided to the data processor is truthful, complete, accurate, up-to-date, verifiable, and understandable.
6. Update the information, promptly communicating to the data processor all developments regarding the data previously provided and adopt other necessary measures to ensure that the information provided remains up-to-date.
7. Rectify information when it is incorrect and notify the data controller accordingly.
8. Provide the data controller, as applicable, only with data whose processing has been previously authorized in accordance with Statutory Law 1581 of 2012.
9. Require the data controller to respect the security and privacy conditions of the data subject's information at all times.
10. Process inquiries and complaints under the terms set forth in Statutory Law 1581 of 2012.
11. Adopt an internal manual of policies and procedures to ensure proper compliance with Statutory Law 1581 of 2012, and specifically for handling inquiries and complaints.
12. Inform the data controller when certain information is being disputed by the data subject, once the complaint has been filed and the respective process has not been completed.
13. Inform the data subject, upon request, about the use of their data.
14. Report to the data protection authority when security code violations occur and risks arise in the management of data subjects' information.
15. Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.
    

DUTIES OF PERSONAL DATA PROCESSORS

1. To guarantee the data subject the full and effective exercise of the right to habeas data at all times.
2. To keep the information under the necessary security conditions to prevent its alteration, loss, unauthorized or fraudulent access, use, or consultation.
3. To promptly update, rectify, or delete the data in accordance with the provisions of this Personal Data Processing Policy.
4. To update the information reported by the data controllers within five (5) business days of receipt.
5. To process inquiries and complaints made by data subjects under the terms indicated, in accordance with the provisions of this Personal Data Processing Policy.
6. Adopt an internal manual of policies and procedures to ensure proper compliance with the provisions of this Personal Data Processing Policy, especially for addressing inquiries and complaints from data subjects.
7. Record the "complaint in process" legend in the database in accordance with Statutory Law 1581 of 2012.
8. Insert the legend "information under judicial dispute" into the database once notified by the competent authority about judicial proceedings related to the quality of personal data.
9. Refrain from circulating information that is being disputed by the data subject and that has been blocked by the Superintendency of Industry and Commerce.
10. Only allow access to information to those who may have access to it.
11. Inform the Superintendency of Industry and Commerce when security code violations occur and risks arise in the management of data subjects' information.
12. Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.
    

Tecnofactory S.A.S.- BIC, as the data controller, may contract or delegate a legal or natural person as the data processor. Such delegation or contracting must be established in a written document indicating the instructions and responsibilities to be performed by the data processor.

In the event that Tecnofactory S.A.S.- BIC acts as the data processor in the collection of personal data, in order to fulfill its contractual obligations with public or private entities, it will proceed in accordance with the guidelines stipulated in the contracts entered into and, within a reasonable period of notice prior to the end of the contract, will initiate the migration and delivery process of the collected digital and physical information. This will be done in accordance with the procedures and criteria stipulated by the contracting entity for receiving the information. At no time will Tecnofactory S.A.S.-BIC store, archive, or process personal data collected during the execution of contractual relationships in its systems.

RIGHTS OF DATA SUBJECTS

To know, update, and rectify their personal data with respect to data controllers or data processors. This right may be exercised, among others, in the case of partial, inaccurate, incomplete, fragmented, or misleading data, or data whose processing is expressly prohibited or unauthorized.

To request proof of the authorization granted to the data controller, except when expressly exempted as a requirement for processing.

To be informed by the data controller or data processor, upon request, regarding the use of their personal data.

To file complaints with the Superintendency of Industry and Commerce for violations of the provisions of Statutory Law 1581 of 2012 and other regulations that modify, supplement, or complement it.

To revoke authorization and/or request the deletion of data when the processing does not respect constitutional and legal principles, rights, and guarantees. Revocation and/or deletion will be appropriate when the Superintendency of Industry and Commerce has determined that, in the processing, the data controller or data processor has engaged in conduct contrary to the law and the Constitution.

Free access to your personal data that has been processed.

HANDLING PETITIONS, COMPLAINTS, INQUIRIES, AND CLAIMS

The Human Talent Administrative Department of Tecnofactory S.A.S.- BIC is responsible for handling requests, complaints, inquiries, and claims made by the data subject in exercising the rights contemplated in Section 10 of this Policy.

For such purposes, the data subject or their representative may send their request, complaint, inquiry, or claim from Monday to Friday, from 8:00 a.m. to 5:00 p.m., to the following email address:

comercial@tecnofacotry.com.co, or call +57 601 7434850. They may also file a physical copy of the request at Carrera 13 No. 96-67, Office 309, Bogotá D.C.

PROCEDURE FOR EXERCISING HABEAS DATA

In compliance with personal data protection regulations, Tecnofactory S.A.S.- BIC, as the data controller, presents the procedure and minimum requirements for exercising your rights.

To submit and address your request, we request that you provide the following information:

1. Full name and surname.
2. Contact information (physical and/or email address and telephone numbers).
3. Means of receiving a response to your request.
4. Reason(s)/fact(s) giving rise to the claim, with a brief description of the right you wish to exercise (to know, update, rectify, request proof of the authorization granted, revoke, delete, access information).
5. Signature (if applicable) and identification number.
6. The maximum period established by law to resolve your claim is fifteen (15) business days, counted from the day following the date of receipt.
7. When it is not possible to address the claim within this period, Tecnofactory S.A.S.-BIC, as the data controller, will inform the interested party of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first period.

Once the terms established by Law 1581 of 2012 and other regulations or supplements have been met, the data subject who is denied, in whole or in part, the exercise of the rights of access, update, rectification, deletion, and revocation may bring their case to the attention of the Superintendency of Industry and Commerce - Office for the Protection of Personal Data.

VALIDITY

This Policy is effective as of May 26, 2020.