Data Processing Policy

DATA PROCESSING

Statutory Law 1581 of 17 October 2012 establishes the minimum conditions for the legitimate processing of the personal data of customers, employees and any other natural person. Both paragraphs k) of article 17 and f) of article 18 of that law oblige those responsible for and responsible for the processing of personal data to "adopt an internal manual of policies and procedures to ensure proper compliance with this law and, in particular, for the handling of queries and complaints".  

Article 25 of the same law orders that data processing policies are mandatory and that ignorance of them will lead to sanctions. These policies cannot guarantee a lower level of treatment than that established in Law 1581 of 2012.

Chapter III of Decree 1377 of 27 June 2013 regulates some aspects related to the content and requirements of the Information Processing Policies and Privacy Notices.

E GLOBAL TECHNOLOGY S.A.S. hereinafter "E-Global" is committed to respecting the rights of its customers, employees and third parties in general. For this reason, it adopts the following Data Processing Policy (DPP), which is mandatory for all activities involving the processing of personal data.

ENFORCEABILITY

These policies are mandatory and strictly enforced by all employees, contractors and third parties acting on behalf of E-Global.

All E-Global employees must observe and respect these policies in the performance of their duties. In cases where there is no employment relationship, a contractual clause must be included so that those who act on behalf of E-Global are obliged to comply with our DPPs.

Failure to comply with them will result in labour penalties or contractual liability, as the case may be. The foregoing is without prejudice to the duty to respond patrimonially for damages caused to the holders of the data or to E-Global for non-compliance with these policies or improper processing of personal data.

DATA CONTROLLER

The person responsible for data processing is E GLOBAL TECHNOLOGY S.A.S. identified with NIT. 900.113.592 - 9, headquartered at Carrera 16 A No 137 - 74 Bogotá, Colombia Telephones (57) (1) 7460090. E-mail: datospersonales@eglobalt.com

PERMANENCE

The policies and procedures set forth in this PTD apply to the databases owned and to be owned by E-Global pursuant to Regulatory Decree 1377 of 2013.

With regard to the permanence of the data, E-Global will keep indefinitely the records of all its customers, employees or suppliers in order to maintain contact with them; notwithstanding the foregoing, the data will be removed from the database at the request of the owner for which the respective channels of attention have been designated.

DEFINITIONS

Some terms used within the policy are related, which are of total relevance:

1. Authorization: It is the express manifestation on your part, allowing E-Global to process your data, in accordance with the principles and purposes described in this DPP.

2. Holder of the data: It is you, when you authorize us to treat your data.

3. Treatment: Any operation or set of operations that we do with your data. The processing may include collection, storage, use, circulation or deletion of your data.

4. Database: An organized set of personal data to be processed. This meaning also applies to our physical and electronic records.

5. Personal Data: Any information that identifies you or, taken together, may cause you to be identified. Data are classified as public, private and semi-private, and sensitive.

6. Public Personal Data: All those that concern a general interest, and that are generally contained in public documents, public registries, and duly executed judicial sentences that are not subject to reservation. Your public information may include your name, identification, marital status, profession or trade.

7. Private Personal Data: Information that only concerns you as the Holder, and that has an intimate and reserved nature. Your private details include your home address and telephone number, information extracted during an inspection of your home, health conditions and sexual orientation.

8. Semiprivate Personal Data: These are private data, which in certain situations could be of interest to a certain group of people. Information relating to compliance with and non-compliance with financial obligations, among others, is semi-private.

9. Sensitive Personal Data: Information that affects privacy and the misuse of which could lead to discrimination, such as information revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership of trade unions, social organisations, human rights organisations or promoting the interests of any political party or guaranteeing the rights and guarantees of opposition political parties, as well as data relating to health, sexual life and biometric data (fingerprints, photographs, DNA, among others).

10. Special Data: Refers to the treatment of information on children and adolescents, and the treatment of sensitive data.

11. Person Responsible for Treatment: Person who decides on, among others, the collection and purposes of treatment. E-Global is responsible for the information contained in its database, especially the data of its customers, employees and suppliers.

12. Processor: Person who processes the data on behalf of the Processor.

13. Transmission: Processing of personal data which involves the communication of the same within (national transmission) or outside Colombia (international transmission), and which is intended for processing by the person in charge, on behalf or in the name of the person responsible.

14. Transference: Sending of personal data that the person in charge or the person in charge carries out from Colombia to a person in charge that is inside (national transference) or outside the country (international transference).

PRINCIPLES OF INFORMATION PROCESSING

Principles for the treatment of personal data. In the development, interpretation and application of this law, the following principles shall be applied harmoniously and comprehensively:

1. Data Processing Legality Principle: We will always process your data in accordance with the provisions of law.

 

2. Principle of Purpose: We will never treat your information for purposes other than those stated in the law and as authorized by you.

 

3. Principle of Freedom: We will always ask for your consent to treat the information.

 

4. Principle of Truthfulness or Quality: Information subject to Treatment must be truthful, complete, accurate, up to date, verifiable and understandable. Processing of partial, incomplete, fractioned or misleading data is prohibited.

 

5. Principle of Transparency: You can always ask us for information about your personal data.

 

6. Principle of Access and Restricted Circulation: Your data may only be processed in accordance with your authorization, either by persons directly linked to our company or authorized third parties. Your personal data, other than public information, will not be available on the Internet or other means of mass dissemination or communication, unless access is technically controllable to provide restricted knowledge only to you or authorized third parties.

 

7. Security Principle: In our company we handle your data with the technical, human and administrative measures that are necessary to provide security to the records avoiding adulteration, loss, consultation, use or unauthorized or fraudulent access.

 

8. Principle of Confidentiality: All persons involved in the Processing of your personal data, which do not have the nature of public, guarantee the confidentiality of your information, even after the end of their relationship with any of the tasks involved in the Treatment.

AUTHORIZATION

In accordance with law 1581 of 2012 and regulatory decree 1377 of 2013, the use, collection and storage of personal data by E-Global, must have the authorization of the holder stating their prior, express and informed consent to carry out the processing of their personal data. However, E-Global will make use of the provisions of article 10 of regulatory decree 1377 of 2013, which refers to data collected before 27 June 2013.

Article 10. "Data collected prior to the issuance of this decree. For data collected prior to the issuance of this decree, the following shall be taken into account: 1. The Officers shall request the authorization of the Owners to continue with the Processing of their personal data in the manner provided for in Article 7 above, through efficient communication mechanisms, as well as to inform them of their information Processing policies and how to exercise their rights. 2. For the purposes of the provisions of numeral 1, efficient communication mechanisms shall be considered to be those that the Responsible or Responsible uses in the ordinary course of their interaction with the Registered Holders in their databases. 3. If the mechanisms mentioned in numeral 1 impose a disproportionate burden on the Responsible or it is impossible to request each Owner's consent for the Processing of his/her personal data and to make him/her aware of the information Processing policies and the way to exercise his/her rights, the Responsible may implement alternative mechanisms for the purposes set forth in numeral 1, such as newspapers of wide national circulation, local newspapers or magazines, the website of the responsible party, informative posters, among others, and inform the Superintendence of Industry and Commerce of the matter within five (5) days following its implementation. In order to establish when there is a disproportionate burden on the Controller, account will be taken of his economic capacity, the number of owners, the age of the data, the territorial and sectoral scope of operation of the Controller and the alternative communication mechanism to be used, in such a way that the "fact of requesting the consent of each of the Owners implies an excessive cost and that this compromises the financial stability of the Controller, the performance of activities inherent to his business or the viability of his programmed budget. At the same time, it will be considered that there is an impossibility to request each Registrant's consent to the Processing of their personal data and to make them aware of the Information Processing policies and the way to exercise their rights when the person in charge does not have the contact details of the Registrants, either because they do not appear in their files, registers or databases, or because they are outdated, incorrect, incomplete or inaccurate. 4. If within thirty (30) working days, counted from the implementation of any of the communication mechanisms described in paragraphs 1, 2 and 3, the Registrant has not contacted the Responsible or Responsible to request the deletion of their personal data under the terms of this Decree, the Responsible Party and the Manager may continue to process the data contained in their databases for the purpose or purposes indicated in the Information Processing policy, informing the Owners by means of such mechanisms, without prejudice to the Owner's right to exercise at any time his right and request the deletion of the data. 5. In all cases the Controller and the Manager must comply with all applicable provisions of Law 1581 of 2012 and this Decree. Likewise, it will be necessary that the purpose or purposes of the Treatment in force are the same, analogous or compatible with that or those for which the personal data were initially collected. ”

Paragraph. The implementation of the alternative communication mechanisms provided for in this regulation shall take place no later than one month following the publication of this decree.

PROOF OF AUTHORISATION

Respecting the rights of the data subjects, E-Global will put into operation all the suitable mechanisms in order to allow the data subjects access to the means of proof leading to the verification of the authorisation issued for the processing of their personal data.

PRIVACY NOTICE

The privacy notice is the physical or electronic document that will be made available to the holder in which the holder is informed of the existence of the information treatment policies that will be applied to their personal data, the way to access them and the type of treatment that will be carried out.

RIGHTS OF THE HOLDERS OF THE INFORMATION

In accordance with this DPP and the normative guidelines that support it, the holders of the data handled by the company have the following rights:

1. Know the information to be protected.

 

2. Update and rectify the information whenever its inaccuracy may lead to error.

 

3. Ask E-Global for proof of authorization to handle personal data, except when expressly exempted as a requirement for Processing, in accordance with the provisions of Article 10 of Statutory Law 1581 of 2012.

 

4. Be informed by E-Global, upon request, regarding the use you have made of your personal data.

 

5. Submit complaints to the Superintendence of Industry and Commerce for possible E-Global violations of legal provisions protecting the processing of personal data.

 

6. Request the revocation of such authorization in case the Superintendence of Industry and Commerce defines that the entity does not enjoy the suitability for data processing.

 

7. Request deletion of information if you do not want it to rest in the E-Global databases.

 

8. Access, free of charge, to your personal data that have been processed.

 

9. Have easy access to the data processing policy.

 

10. To know which is the person in charge of the entity before whom it will be able to proceed with respect to the treated information.

E-GLOBAL DUTIES

At all times E-Global, in its capacity as the party responsible for the information, is aware of the importance of observing the policies and protocols aimed at protecting the personal data of the owners, given that they are the property of the persons to whom they refer and that only they themselves can decide on the use to be made of said data. Strictly speaking, E-Global will only use personal data for the purposes expressed by it to the holder and authorised by it, guaranteeing at all times compliance with the legal provisions concerning the protection of personal data. Next, the duties that E-Global has with respect to the treatment of the information that rests in its databases are presented.

1. To guarantee the holder indefinitely and permanently the full and effective respect of his or her rights regarding his or her personal data.

 

2. Request and keep, under the conditions set forth in this law, a copy of the respective authorization granted by the Proprietor.

 

3. Duly inform the Owner about the purpose of the collection and the rights that assist him by virtue of the authorization granted.

 

4. Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.

 

5. Ensure that the information provided to the Treatment Manager is truthful, complete, accurate, current, verifiable and understandable.

 

6. To update the information, communicating in a timely manner to the person in charge of the Treatment, all the novelties with respect to the data that previously I have supplied him and to adopt the other necessary measures so that the information supplied to this one is kept updated.

 

7. Rectify information when it is inaccurate and communicate the pertinent to the Treatment Manager.

 

8. To provide the Data Processor, as the case may be, with only data the Processing of which has been previously authorised in accordance with the provisions of this law.

 

9. Demand at all times that the Data Controller respect the conditions of security and privacy of the Owner's information.

 

10. To deal with queries and complaints formulated in the terms indicated in the law related to the treatment of data.

 

11. Adopt an internal manual of policies and procedures to ensure proper compliance with data processing and especially for handling queries and complaints.

 

12. To inform the Responsible of the Treatment when certain information is in discussion on the part of the Holder, once the claim has been presented and the respective procedure has not finished.

 

13. Inform at the request of the Holder about the use given to their data

 

14. To inform the Superintendence of Industry and Commerce when security codes are violated and there are risks in the administration of the information of the Owners.

 

15. Comply strictly with Law 1581 of 2012, with the decrees that regulate it as well as with all the requirements made by the Superintendence of Industry and Commerce.

PURPOSES IN THE PROCESSING OF PERSONAL DATA

The purpose of processing personal data is to facilitate the management, administration, improvement and extension of the different services, the preparation of statistics, the management or monitoring of incidents, as well as the sending of communications, and any other purpose in the exercise of the corporate purpose of E-Global.

Depending on the quality of the owner of the information, i.e. whether it is about customers, suppliers and employees, personal data are used exclusively by authorized persons within the company, specifically for the following purposes:

a) CUSTOMERS:

1. Adaptation of our products and services to better respond to your interests.

 

2. To keep the holders of the information up to date on the matters that are of interest to them, as well as to present improvements in their services.

 

3. Provide services according to the needs of the owner, use the Personal Data for marketing and / or marketing of new services or products.

 

4. The process of archiving, updating systems, protection and custody of information and E-Global databases.

 

5. Keeping necessary records within the company, such as accounting, financial and statistical records.

 

6. Submit reports to control and surveillance authorities.

 

7. The other purposes determined by the Responsible Persons in the process of obtaining Personal Data for Processing and which are communicated to the Owners at the time of collection of personal data.

 

8. Send letters and communications in general.

b) SUPPLIERS:

1. Adaptation of our products and services to better respond to your interests.

 

2. Send letters and communications in general.

 

3. To receive the contracted services adequately, as well as to inform and keep the holders of the information updated on the matters that are of interest to them.

 

4. The other purposes determined by the Responsible Persons in the process of obtaining Personal Data for Processing and which are communicated to the Owners at the time of collection of personal data.

 

5. Maintain an efficient communication of information that is useful in the contractual links to which the Information Provider is a party.

c) EMPLOYEES:

1. Creation and conservation of documents legally required by accounting standards.

 

2. Creation and conservation of documents and records legally required by the standards in Occupational Safety and Health.

 

3. Internal management of lists of collaborators according to their dependency.

 

4. Treatment of your personal data in the programs that are required within the company.

 

5. Control, follow-up and fulfillment of our obligations as employers.

 

6. Registration and control of your contributions as well as your salaries and bonuses.

 

7. Submit reports to control and surveillance authorities.

 

8. The other purposes determined by the Responsible Persons in the process of obtaining Personal Data for Processing and which are communicated to the Owners at the time of collection of personal data.

SENSITIVE DATA

E-Global does not handle within its database information that reveals racial or ethnic origin, political orientation, religious or philosophical convictions, membership of trade unions, social organizations, human rights or that promotes the interests of any political party or that guarantees the rights and guarantees of opposition political parties as well as data relating to health, sexual life and biometrics; considered "sensitive data", however, and in the exercise of our commercial activity there may be cases in which this type of data is required.

If it becomes necessary, due to actions or facts of judicial, disciplinary or fiscal interest, the private activities and the development of the private life of its partners, guests and visitors is kept under caution and the private reserve of the right to privacy and image.

However, the holder of the personal information, is not obliged to provide sensitive data, therefore any request for them will require express authorization.

INFORMATION SECURITY

Currently, E-Global manages and stores the information in its own servers in the interior of Colombia, which are managed under the highest security standards for the protection of systems and unauthorized persons who seek access without the corresponding authorization.

CONSULTATION AND COMPLAINT PROCEDURES

OBJECTIVE

To define the methodology for consultation of personal data and treatment of claims; presented by the holders of the information that is under the responsibility of E-Global.

PROCEDURE

• Consultations: The Owners or their successors in title may consult the personal information of the Owner that reposes in any database, whether in the public or private sector. The Data Controller or Data Processor must provide them with all the information contained in the individual record or linked to the identification of the Data Subject.

   

  The consultation is made by the means enabled by the Responsible of the Treatment or Responsible of the Treatment, as long as it is possible to maintain proof of this.  In the case of E-Global, the e-mail address datospersonales@eglobalt.com has been set up as a service channel.

   

  The consultation will be attended in a maximum term of ten (10) working days counted from the date of receipt of the same one. When it is not possible to attend the consultation within said term, the interested party is informed, expressing the reasons for the delay and indicating the date on which his consultation will be attended, which in no case may exceed five (5) working days following the expiration of the first term.

   

  Paragraph. The provisions contained in special laws or regulations issued by the National Government may establish lower terms, depending on the nature of the personal data.

 

• Claims: The Owner or his successors in title who consider that the information contained in a database should be subject to correction, updating or deletion, or when they notice the alleged breach of any of the duties contained in this law, may file a complaint with the Responsible for Treatment or the Responsible for Treatment which will be processed under the following rules:

   

  1. The claim is formulated by means of a request addressed to the Responsible of the Treatment, with the identification of the Holder, the description of the facts that give rise to the claim, the address, and attaching the documents to be asserted. If the claim is incomplete, the interested party will be required within five (5) days of receipt of the claim to remedy the deficiencies. After two (2) months from the date of the request, without the applicant submitting the required information, it shall be understood that the claim has been withdrawn.

      

     In the event that the person receiving the claim is not competent to resolve it or is not the person in charge of such purpose, it shall transfer the corresponding person within a maximum term of two (2) working days and shall inform the interested party of the situation.

   

  2. Upon receipt of the completed claim, a legend that says "claim in process" and the reason for the claim will be included in the database within two (2) business days. This legend must be maintained until the claim is decided.

   

  3. The maximum term to deal with the claim shall be fifteen (15) business days counted from the day following the date of its receipt. When it is not possible to deal with the claim within said term, the interested party shall be informed of the reasons for the delay and the date on which his claim shall be dealt with, which in no case may exceed eight (8) working days following the expiration of the first term.

ADMISSIBILITY REQUIREMENT

The Titleholder or successor in title may only file a complaint with the Superintendency of Industry and Commerce once he has exhausted the procedure for consultation or complaint with the Responsible for Treatment or Responsible for Treatment.

VALIDITY OF THE DATA PROCESSING POLICY

This policy is effective from the date of publication. E-Global's databases are kept for the time necessary to guarantee compliance with its corporate purpose, those mandated by law and any other regulations regarding document retention.

PERSON OR AREA RESPONSIBLE FOR THE PROTECTION OF PERSONAL DATA

E-Global will be responsible for the processing of personal data, for any information related to your data, and the status of them can be contacted by e-mail at datospersonales@eglobalt.com

CHANGES TO THE DATA PROCESSING POLICY

Any substantial change in the treatment policies will be communicated in a timely manner to the holders who reside in our databases by means of mass communication addressed to the e-mails delivered to our company.

HUGO CORTES RODRIGUEZ     

Legal Representative