POLICIES FOR THE PROCESSING OF PERSONAL DATA HERRAJES ANDINA SAS 1. OBJECTIVE To guarantee the proper processing of personal data handled by the company in compliance with Law 1581 of 2012, Regulatory Decree 1377 of 2013, Single Regulatory Decree No. 1074 of 2015 and other regulations that repeal, modify or complement them. 2. SCOPE This policy applies to databases and files containing personal information of suppliers, clients, collaborators, or any other person whose information is processed by Herrajes Andina SAS. 3. GENERAL PROVISIONS 3.1 DEFINITIONS For the purposes of this policy, the definitions in Law 1581 of 2012 shall apply, which mean the following: Authorization: Prior, express, and informed consent of the data subject to carry out the processing of their personal data. Database: An organized set of personal data that is subject to processing. Personal data: Information linked to or that can be associated with one or more identified or identifiable natural persons. Sensitive data: Data that affects the privacy of the data subject or whose misuse may lead to discrimination, such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, membership in social or human rights organizations, data relating to health, sex life, and biometric data. Data Processor: The natural or legal person, public or private, who, alone or jointly with others, processes personal data on behalf of the Data Controller. Data Controller: The natural or legal person, public or private, who, alone or jointly with others, determines the purposes and means of the processing of personal data. Data Subject: The natural person whose personal data is being processed. Processing: Any operation or set of operations performed on personal data, such as collection, storage, use, circulation, or erasure. 3.2 PRINCIPLES The company will apply the following principles in the processing of personal data, in accordance with current regulations: Principle of legality in data processing: Processing will be governed by the provisions of Law 1581 of 2012 and other applicable regulations. Principle of Purpose: Processing will be for a legitimate purpose in accordance with the Constitution and the law, which will be communicated to the Data Subject. Principle of Freedom: Processing will only be carried out with the prior, express, and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that overrides the requirement for consent. Principle of accuracy or quality: The information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. The processing of partial, incomplete, fragmented, or misleading data will not be permitted. Principle of transparency: The processing of personal data shall guarantee the data subject's right to obtain information from the data controller or the data processor, at any time and without restriction, regarding the existence of data concerning them. Principle of restricted access and circulation: The processing of personal data is subject to the limits derived from the nature of the personal data, the provisions of this law, and the Constitution. In this regard, processing may only be carried out by persons authorized by the data subject and/or by the persons provided for in this law. Personal data, except for public information, may not be available on the internet or other means of mass dissemination or communication, unless access is technically controllable to provide restricted access only to data subjects or authorized third parties in accordance with current law. Security Principle: Information subject to Processing by the Data Controller or Data Processor referred to in this Law must be handled with the necessary technical, human, and administrative measures to ensure the security of the records, preventing their alteration, loss, unauthorized or fraudulent consultation, use, or access. Confidentiality Principle: All persons involved in the Processing of personal data that is not publicly available are obligated to guarantee the confidentiality of the information, even after their relationship with any of the tasks involved in the Processing has ended. They may only supply or communicate personal data when it corresponds to the development of the activities authorized by current Law and in accordance with its terms. 4. POLICY 4.1. General Herrajes Andina SAS, hereinafter the Company, identified with NIT 802003931-5, main address at Cra. 53 No. 42 - 08 in the city of Barranquilla, Atlántico and web address: www.herrajesandina.com.co, is responsible for the processing of personal data that appear registered in its databases and files in accordance with Law 1581 of 2012, Regulatory Decree 1377 of 2013, Single Regulatory Decree No. 1074 of 2015 and other regulations that repeal, modify or complement them. For any request or claim related to this policy, please contact us at datospersonales@herrajesandina.com or by phone at 3720236. Any area or employee of the Company whose duties involve processing databases containing personal information must comply with the policy and procedures outlined in this document. The Company must register all databases containing personal data subject to processing with the National Database Registry. 4.2. Information Processing Compliance with the Law: The Company strictly complies with the legal requirements regarding Personal Data Protection, especially Law 1581 of 2012, Regulatory Decree 1377 of 2013, Single Regulatory Decree No. 1074 of 2015, and any other regulations that repeal, modify, or supplement them. Purpose: The Company informs data subjects of the specific purpose for processing their personal data, which in all cases will have as its primary objective the management of the Company's accounting, tax, administrative, commercial, operational, and human resources functions; as well as the development of activities related to well-being, health, education, and culture, and ensuring the safety of persons and property related to the Company's activities. Furthermore, the personal data collected will be deleted when it is no longer necessary or relevant for the purpose for which it was obtained. Authorization: The Company will process information with the prior, express, and informed consent of the data subject, which will be obtained through any means that can be subsequently verified. Authorization is not required when it involves: Information required by a public or administrative entity in the exercise of its legal functions or by court order. Data that is of a public nature. Cases of medical or health emergencies. Processing of information authorized by law for historical, statistical, or scientific purposes.
Data related to the person's Civil Registry. Truthfulness: the information provided by the data subject must be truthful, complete, accurate, verifiable, and up-to-date. The data subject guarantees the authenticity of all data communicated to the Company. Access to and circulation of information: in processing information, the Company adheres to the limitations arising from the nature of the personal data, the provisions of the Law, and the Constitution. In this regard, the Company will only process data with the data subject's authorization and in the cases provided for by Law. Information security: the Company has the necessary technical, human, and administrative measures in place to guarantee the security of the personal data obtained and stored in its databases and files, preventing its alteration, loss, unauthorized or fraudulent access or consultation. Confidentiality: the Company guarantees the confidentiality of the information, even after the processing activities have been completed. Company employees responsible for processing personal information are committed to complying with the policy and procedures outlined in this document. Sensitive Data: The Company may only process sensitive data when: The data subject has given explicit consent for such processing. It is necessary to protect the vital interests of the data subject, and the data subject is physically or legally incapable of giving consent. In these cases, authorization from legal representatives is required. It refers to data necessary for the establishment, exercise, or defense of a legal claim in court proceedings. It has a historical, statistical, or scientific purpose, provided that measures are taken to anonymize the data subjects. Rights of Data Subjects: Data subjects whose information is processed by the Company have the following rights: To know, update, and rectify their personal data.
Request proof of authorization granted to the Company, except in the cases specified by law that do not require authorization: o Information required by a public or administrative entity in the exercise of its legal functions or by court order; o Data of a public nature; o Medical or health emergency; o Processing of information authorized by law for historical, statistical, or scientific purposes; o Data related to the civil registry of persons.
Be informed of the use that has been made of your personal data.
File complaints with the Superintendency of Industry and Commerce for non-compliance with Law 1581 of 2012, Regulatory Decree 1377 of 2013, Single Regulatory Decree No. 1074 of 2015, and other regulations that repeal, modify, or complement them.
Revoke the authorization and/or request the deletion of data when the Company does not respect constitutional and legal principles, rights, and guarantees.
Access your personal data processed by the Company.
The data subject may submit requests, inquiries, and complaints via email to datospersonales@herrajesandina.com. 5. PROCEDURE 5.1 Authorizations The Company requests written authorization, either electronically or physically, from all suppliers, clients, or collaborators whose personal data it processes, provided they are natural persons, so that their data may be processed in accordance with the purpose established in each case. 5.2 Inquiries Data subjects or their legal representatives who wish to make inquiries about their personal information may do so via email to datospersonales@herrajesandina.com. At the data subject's request, the Company will provide all the information contained in the individual record or linked to the data subject's identification. The Company will respond to the inquiry within a maximum of ten (10) business days from the date of receipt. If it is not possible to respond within this timeframe, the Company will inform the interested party of the reasons for the delay and indicate the response date, which may not exceed five (5) business days following the initial deadline. 5.3 Complaints The data subject or their successor may file a complaint with the Company to have their personal information corrected, updated, deleted, or when they believe that the Company is not complying with Law 1581 of 2012, Regulatory Decree 1377 of 2013, Single Regulatory Decree No. 1074 of 2015, and other regulations that repeal, modify, or supplement them. They may also revoke the authorization granted for the processing of their personal data. Complaints are submitted via email to datospersonales@herrajesandina.com. Complaints must include: Identification of the data subject. Description of the facts giving rise to the complaint. Address.
Attached documents (if applicable). If the person responsible for receiving the complaint finds that the information is incomplete, they will request the necessary corrections from the interested party within five (5) business days of receiving the complaint. The person responsible for receiving the complaint will respond to it. If they are not authorized to do so, they will forward it within a maximum of two (2) business days to the appropriate party and inform the interested party of this situation. The Company will respond to the complaint within fifteen (15) business days from the day after receiving it. If it is not possible to respond within this timeframe, the Company will inform the interested party of the reasons for the delay and indicate the response date, within eight (8) business days following the initial deadline. Complaints submitted by data subjects must be registered in the National Database Registry. 5.4 Exceptions This policy does not apply to databases and files that: Are intended for national security and defense, as well as the prevention, detection, monitoring, and control of money laundering and the financing of terrorism. Are intended for and contain intelligence and counterintelligence information. Are intended for journalistic information and other editorial content. 5.5 Effective Date This Policy and Procedure is effective as of June 28, 2017, and its period of validity will be governed by the applicable regulations in accordance with the requirements regarding the purpose and retention period of the information. Issued in Barranquilla on the 28th day of June, 2017. Requests via WhatsApp are processed in the order they are received. A response will be provided as soon as possible. DATA PROCESSING USAGE POLICIES Address: Carrera 53 # 42 - 08, Barranquilla Telephone(s): ( 57) 605 372 0238 ( 57) 605 379 4948 ( 57) 605 372 0236 Fax: ( 57) 605 349 0864 Email: mercadeo@herrajesandina.com www.herrajesandina.com www.herrajeselectricos.
