personal data protection policy

DATA PROTECTION POLICY

FUNCTIONAL BEVERAGE COMPANY

 

FUNCTIONAL BEVERAGE COMPANY Simplified Public Limited Company, a commercial company identified with taxpayer number 900391740-3, with main domicile at street 52 #47-42, 33rd floor, in the city of Medellín, Antioquia, hereinafter The Company, as the company responsible for the treatment of personal data, recognizes the importance of the security, privacy and confidentiality of the personal data of its employees, customers, suppliers and, in general, all its stakeholders. Therefore, in compliance with the constitutional and legal mandates, the Company presents the following document, which contains its policies for the treatment and protection of personal data for all its activities that involve the processing of personal information at the national level, as well as the processing of personal data in accordance with international legislation, agreements and treaties.

 

CHAPTER I

 

DEFINITIONS

 

For a comprehensive understanding and application of the content of this policy, the following concepts are defined according to the content of Law 1581 of 2012 and its implementing regulations. Therefore, they must be interpreted comprehensively and in accordance with the fundamental right protected.

a) Personal Data: Any information related to one or several determined or determinable physical persons.

b) Private Personal Data: Data whose knowledge is restricted to the public.

c) Sensitive Data: Data associated with the Owner’s privacy or whose inappropriate use may cause discrimination, such as data that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership of unions, social or rights organizations, or organizations that promote the interests of any political party, as well as data related to health, sexual life and biometric data, including, among others, the capture of a still or moving image, fingerprints, photographs, iris, voice, facial or palm recognition, etc.

d) Public Data: Data that is not semi-private, private or sensitive, and that can be treated by any person without the need for authorization. Among others, the information contained in the civil registry of persons (for example, whether one is single or married, male or female) and the information contained in public documents (e.g., in Public Deeds), in public registers (e.g., the record of disciplinary records of the Attorney General’s Office), in official gazettes and bulletins and in enforceable judicial sentences that are not subject to reservation is public.

e) Data Processing: Any operation on personal data, such as collection, storage, use, circulation or deletion.

f) Controller of data processing: Physical or legal person, public or private, that by itself or in association with others, decides on the database and / or the treatment of the data.

g) Processor: Natural or legal person, public or private, that by itself or in association with others, performs the processing of personal data on behalf of the Controller.

h) Authorization: Prior, express and informed consent of the Information Owner for the Processing of personal data. The consent may be granted in writing, orally or through unequivocal conduct of the Owner that allows concluding that the authorization was granted.

i) Privacy Notice: Verbal or written communication to inform the owner of the data about the existence of a manual of treatment policies that will be applicable to the processing of information.

j) Transfer: Sending of data, inside or outside the national territory, whose sender and recipient are each a Controller.

k) Transmission: Communication of data, inside or outside the Colombian territory, whose sender is the Controller and whose receiver is the Processor.

l) Data Protection Officer: Responsible for monitoring, controlling and promoting the application of the Personal Data Protection Policy within the Company.

 

CHAPTER II

 

Legal Framework

Under this policy, the following normative referents and the procedures / guidelines issued by the Company for the treatment of personal data will be applied.

- Political Constitution of Colombia
- Law 1581 of 2012
- Law 1266 of 2008
- Decree 1074 of 2015
- Doctrine and circulars of the Superintendence of Industry and Commerce
- Applicable jurisprudence

 

CHAPTER III

 

General Principles, Postulates And Specific Principles

GENERAL PRINCIPLES AND POSTULATES.

The Company guarantees the protection of rights such as Habeas Data, privacy, good name, honor and personal image. For this purpose, all actions will be governed by the principles of good faith, legality, informational self-determination, freedom and transparency. Anyone who, in the exercise of their activity, provides any type of information or personal data to the Company in its capacity as manager or controller, may exercise their rights as owner of the information to know, update and rectify it in accordance with the procedures established in the applicable law and this policy. The Company recognizes that its legitimate right to the processing of the personal data of the owners of information must be exercised within the specific framework of legality and the consent of the owner, striving always to preserve the balance between the rights and duties of owners, controllers and processors.

 

SPECIFIC PRINCIPLES.

The Company will apply the specific principles set forth below, which constitute the rules to be followed in the collection, handling, use, treatment, storage, exchange and deletion of personal data:

a) Principle of legality: In the use, capture, collection and processing of personal data, the current and applicable provisions governing the processing of personal data and other related fundamental rights will be applied.

b) Principle of freedom: The use, capture, collection and processing of personal data can only be carried out with the prior, express and informed consent of the owner. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal, statutory, or judicial mandate that relieves consent.

c) Principle of purpose: The use, capture, collection and processing of personal data to which the Company has access and which are collected in the development of its activities will be subordinated to and serve a legitimate purpose, which should be informed to the respective owner of the personal data.

d) Principle of truth or quality: The information subject to use, capture, collection and processing of personal data must be truthful, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fractioned or misleading data is prohibited.

e) Principle of transparency: The use, capture, collection and processing of personal data must guarantee the right of the Owner to obtain from the Company, at any time and without restrictions, information about the existence of any type of information or personal data that is of his interest or ownership.

f) Principle of access and restricted circulation: Personal data, except public information, may not be available on the Internet or other means of dissemination or mass communication, unless the access is technically controllable to provide restricted knowledge only to the Owners or authorized third parties. For these purposes, the obligation of the Company will be one of means.

g) Principle of security: The personal data and information used, captured, collected and subject to treatment in the development of the Company’s activities will be subject to protection insofar as the technical resources and minimum standards allow it, through the adoption of technological protection measures, protocols, and all kinds of administrative measures that are necessary to grant security to the physical and electronic registries and repositories, avoiding their adulteration, modification, loss, consultation, and in general any unauthorized use or access.

h) Principle of confidentiality: Each and every person who manages, updates or has access to information of a personal nature undertakes to keep strictly confidential, and not disclose to third parties, any personal, commercial, accounting, technical or other type of information provided in the execution and exercise of their functions. This duty extends to all third parties, allies, collaborators or related parties that are linked through any conventional or contractual relation with the Company.

i) Systematic incorporation: The principles of Personal Data Protection will be implemented in, and will permeate the interpretation of, all the processes and procedures of the Company.

 

CHAPTER IV

 

Main Scenarios and Purposes Of The Processing Of Personal Information

 

In accordance with the nature and purpose of the Company, the main scenarios that give rise to the processing of personal information and its purposes are described below:

1. Suppliers / purchases and acquisitions:

a) Verify business, reputational and potential risks of relationships associated with Money Laundering and Terrorist Financing.
b) Establish a commercial and legal relationship with the Company, allowing its registration in the management systems of the Company for the development of the accounting, logistic and financial procedures of the operation.
c) Formalize the contractual relationship with the supplier, controlling the full execution of the assumed obligations.
d) Evaluate the performance and results of the supplier with a view to strengthening contracting or sourcing procedures.

2. Human Talent Management and Labor Relations:

a) Evaluate the job profile of the applicants with a view to the selection and formalization of the employment relationship, filling the vacancies or personnel requirements of the different areas and functions of the Company.
b) Verify academic, labor, personal, family, business and other significant socioeconomic elements of the job applicant, according to the requirements of the position to be filled.
c) Manage before the administrative authorities the connection, affiliation or report of developments associated with the general social security system, as well as other assistance obligations and work-related benefits.
d) Register the employee in the Company’s computerized management systems, allowing the development of the accounting, administrative and financial activities of the labor relation.
e) Manage work developments with an impact on payroll settlement and payment.
f) Promote the development of welfare activities and integral development of the worker and their work and family environment.
g) Manage training programs in accordance with the requirements of the position and Corporate guidelines.
h) Manage the occupational health and safety management system, focusing on mitigating risks, as well as providing adequate care for work-related accidents or occupational diseases.
i) Evaluate the performance and analyze the functional competences of the workers with the objective of determining the career plan and integral development.
j) Manage the procedures of labor retirement, as well as the fulfillment of the corresponding economic obligations.
k) Manage the development and fulfillment of operational and functional tasks associated with the profile of the position.
l) Manage the procurement of tickets for air or multimodal transportation required by Company personnel to carry out their duties.

4. Distribution and sales force:

a) Manage the process of linking distributors and their work team, evaluating their background and profile for the development of sales and distribution activities.
b) Manage the allocation of incentives associated with meeting marketing objectives.
c) Control and coordinate the development of operational and logistical tasks associated with the commercialization and distribution of the Company’s products.

5. Administrative management and compliance:

a) Register and control access to the Company’s facilities, mitigating physical security and information risks.
b) Verify, control and monitor the development of processes, activities and products in accordance with the guidelines and objectives set by the corporate audit.
c) Verify, control and monitor the development of processes, activities and products in accordance with the guidelines and objectives established by the control and quality assurance function.
d) Manage compliance with the obligations and legal requirements associated with the development of the Company’s operation.
e) Manage complaints channeled through the Company’s transparency line in order to mitigate risks associated with bad corporate practices or that affect business ethics or transparency.
f) Support the development of the operation through the granting, management and maintenance of the tools and computer applications of the Company.
g) Manage the development of jurisdictional or extra-procedural actions or actions associated with alternative dispute resolution mechanisms.
h) Manage compliance with corporate obligations.

 

TITLE V

RIGHTS AND DUTIES OF PROCESSING OF PERSONAL DATA 

In accordance with the normative provisions on personal data, the Owner has the following rights:

 

a) Request to know, update and rectify the personal data held by the Controller.

b) Request proof of the authorization granted.

c) Be informed, upon request, regarding the use that is given to personal data.

d) Submit to the Superintendence of Industry and Commerce (SIC) complaints for infractions of the provisions of the personal data regulations.

e) Request the deletion of personal data.

f) Revoke the approval by submitting a request for recovery. This does not apply when the Owner has a legal or contractual duty to remain in the database.

g) Request the Superintendence of Industry and Commerce (SIC) to order the revocation of the authorization and / or the deletion of the data.

h) Consult their personal data free of charge, at least once each calendar month and whenever there are substantial modifications of the information processing policies.

 

RIGHTS OF CHILDREN AND ADOLESCENTS.

 

The personal information of children and adolescents has special protection by the Company. This information may be processed in the development of social activities, internal or external communication strategies, as well as the execution of programs or campaigns associated with the management of traditional or digital media seeking the promotion, development or sustainability of the main purpose of the Company.

 

The processing of this special type of data will require the development and disclosure by the Company of the specific terms and conditions of the respective activity, defining, among others, the requirements, conditions and restrictions for the processing of information of children and adolescents, taking into consideration at all times the best interests and respect for the prevailing rights of minors. In the absence of specific terms and conditions for the development of a specific program or activity that involves the processing of special data of minors, the provisions of this policy and the relevant special rules shall apply.

Whenever it is necessary to process the personal data of children and adolescents, the opinion of the minor will be taken into account according to the reasonable determination of their level of maturity and understanding of the specific case, which is presumed with the authorization conferred by the legal representative of the minor.

 

DUTIES OF THE COMPANY AS RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA.

 

The Company, when acting as Controller for the processing of personal data, will comply with the following duties:

 

1. Guarantee the Owner, at all times, the full and effective exercise of the right of habeas data.

2. Request and keep a copy of the respective authorization granted by the owner.

3. Properly inform the Owner about the purpose of the collection and the rights that assist him by virtue of the authorization conferred.

4. Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.

5. Ensure that the information provided to the Processor is true, complete, accurate, updated, verifiable and understandable.

6. Update the information, communicating in a timely manner to the data processor all the news regarding the data previously provided, and adopt the other necessary measures so that the information provided to it is kept up-to-date.

7. Rectify the information when it is incorrect and communicate the pertinent information to the person in charge of the treatment.

8. Only provide the Processor with the information whose processing is previously authorized.

9. Demand from the Processor respect for the security and privacy conditions of the Owner’s information.

10. Process the queries and claims made.

11. Inform the Processor when certain information is under discussion by the Owner, once the claim has been filed and the respective procedure has not been completed.

12. Inform, at the Owner’s request, about the use given to their data.

13. Inform the data protection authority when there are violations of the security codes and there are risks in the administration of the information of the Owner.

 

TITLE VI

 

APPLICATION FOR AUTHORIZATION AND CONSENT OF THE OWNER

 

The collection, storage, use, circulation or deletion of personal data during the development of the activities described in this policy requires the free, prior, express and informed consent of the owner of the personal data.

 

Means and manifestations for granting authorization.

The authorization for the processing of the personal information required in the different scenarios described in this policy must be obtained through the requests and privacy notices made available to the owner in each of the means or points of capture of physical, verbal or digital information associated with the operation of the Company, which have been arranged through forms, notices or statements that inform the owner about the capture and subsequent processing of their personal data, their purposes, rights, means for the exercise of their rights and, if appropriate, the way to access this policy.

The authorization of the Owner will be conferred expressly under the different modalities established in the law according to the nature of the means of capture of information, such as in writing, verbally or through unequivocal actions or behavior of the Owner.

 

Proof of authorization

 

Authorization to process the data collected in the development of the activities described in this policy will depend on the nature of the means or point of information collection. The means of proof to accredit the effective authorization to process data will depend on the type of mechanism used to obtain the authorization, examples being the signed form, the record of acceptance or entry to the website, and the recording of the conversation, among others. In cases of acceptance by means of unequivocal behaviors, the integrated set of the following elements will be taken as sufficient proof of acceptance by the owner:

a) The authorization request model made available to the Owner at the moment of capturing his data.

b) The express indication, in the authorization request form, of the unequivocal conduct of the owner that constitutes authorization to process data.

c) Evidence of the unequivocal conduct on the part of the owner, it being feasible to accredit the information provided by the owner or other type of evidence of express acceptance according to the nature of the means.

 

TITLE VII

 

OF THE PROCEDURES FOR THE ATTENTION OF CONSULTATIONS, CLAIMS, RECTIFICATIONS AND UPDATES

 

  1. QUERIES

 

Owners or their successors in title may consult the personal information of the Owners that rests in any database of The Company. Consequently, the Company will guarantee the right of consultation, providing the Owners with all the information related to the identification of the Owner.

 

The consultations must be presented through the personal data protection channels, using any of the means of contact described in this policy and following the procedure described below.

 

Procedure for conducting consultations:

 

  • At any time and for free, the owner or his representative may make inquiries regarding the personal data that are the object of treatment by The Company, after proof of identity.

  • When the consultation is made by a person other than the owner, the mandate to act must be accredited in due form.

  • The consultation must contain at least the following information:

  1. The name and contact address of the owner or any other means to receive the response.

  2. Documents proving the identity and capacity of its representative, as indicated in the following cases:

     • Owner: Identification document.
     • Successors: Civil registration and identification document.
     • Legal representative in case of minors:
        - Parents: Birth registration and identity document.
        - Tutors: Judicial sentence that confers legal representation.
     • Legal representative authorized by the owner: Authenticated power.

  3. The clear and precise description of the personal data with respect to which the owner seeks to exercise the right of consultation.

  4. The clear and precise description of the query made by the information owner, his successors or representatives.

  5. The documentation that supports the request, if the nature of the data is appropriate.

  6. If necessary, other elements or documents that facilitate the location of personal data.

 

If the query made by the owner is incomplete, the Company will require the interested party within five (5) days after receiving the query to correct the faults. After two (2) months from the date of the request, without the applicant submitting the required information, it will be understood that he has withdrawn his request. In the case of queries submitted in full, the Company will respond to the petitioners within ten (10) business days counted from the date of receipt of the same. When it is not possible to attend the consultation within said term, the interested party will be informed, stating the reasons for the delay and indicating the date on which the consultation will be attended, which in no case may exceed five (5) business days following the expiration of the first term. If required, the Data Owner may communicate through the Company’s data protection channels, in order to request the format for the completion of the query, which should be considered as an aid or support to the owner, but not as a mandatory requirement for the exercise of rights.

 

2.   CLAIMS (Correction, update, deletion). 

The Owner or his successors who consider that the information contained in a database must be subject to correction, updating or deletion, or who notice the alleged breach of any of the duties contained in the Law, may present their claim through the personal data protection channels of the Company using any of the means of contact defined in this Policy.

Procedure for making claims:

· At any time and for free, the owner or his representative may make claims associated with corrections, updates or deletion of personal data that are subject to treatment by the Company, after proof of identity.

· When the claim is made by a person other than the owner, the mandate to act must be accredited in due form.

· The consultation, rectification, update or deletion must contain at least the following information:

a) The name and contact address of the owner or any other means to receive the response.

b) The documents that prove the identity and capacity of its representative, as indicated for the following cases:

· Owner: Identification document.
· Successors: Civil registration and identification document.
· Legal representative in case of minors:
   - Parents: Birth registration and identity document.
   - Tutors: Judicial sentence that confers legal representation.
· Legal representative authorized by the owner: Authenticated power.
· By stipulation in favor of another: Manifestation in this sense.

c) The clear and precise description of the type of claim made by the information owner (correction, update or deletion).

d) The clear and precise description of the personal data with respect to which the Owner seeks to exercise the right of claim, as well as the facts that give rise to it.

e) The documentation that supports the request, if the nature of the data is appropriate.

f) If necessary, other elements or documents that facilitate the location of personal data.

If the claim made by the owner is incomplete, the Company will require the interested party within five (5) days following receipt of the claim to correct the faults. After two (2) months from the date of the request, without the applicant submitting the required information, it will be understood that he has withdrawn his request.

In the case of claims (corrections, updates and deletions), the Company will respond to the owners of information within the term of (15) business days from the date of receipt of the claim. When it is not possible to meet the claim within said term, the interested party will be informed, stating the reasons for the delay and indicating the date on which his consultation will be attended, which in no case may exceed eight (8) working days following the expiration of the first term.

If required, the Data Owner may previously communicate through the Company’s data protection channels, in order to request the format for the realization of their claim, which should be considered as an aid or support to the owner, but not as a mandatory requirement for the exercise of rights.

 

3. DATA PROTECTION CHANNELS AND MEANS OF CONTACT

For the exercise of the right to make inquiries, claims, corrections, updates or deletion of personal data, the owner may contact the person in charge of the protection of personal data of the Company or privacy officer, through the following means of contact:

• Email: cumplimiento@postobon.com.co

• Address: Street 52 #47 – 42 25th Floor

• Phone: (4) 2655151

In case of use of other contact channels by the Owners of information for the exercise of their rights regarding the protection of personal data, the Company reserves the right to send or inform the owner of the existence of the previously described channels to initiate the consultation or complaint procedure in a timely and complete manner.

TITLE VIII

SHARED SERVICES CENTRE

Within the framework of the shared services scheme managed by the Company with its other related companies, it is necessary to develop transactional operations that involve the processing of personal data of the different Owners of personal information associated with the shared units or services, in order to make better use of resources and optimize processes. The Company and its other related companies that manage this service scheme are subject to the following guidelines regarding the processing of personal data:

1.    Postobón and the related companies, collectively called “The Companies”, recognize the importance of privacy, security and adequate processing of personal data for the development of their operations.

2.    Transactions, operations and, in general, any processing of personal information implies the joint responsibility of the Companies, for which all of them express and assume the commitment to reach and maintain adequate levels of compliance with the data protection law.

3.    Each of the Companies holds the status of Controller of the processing of the personal information of the Owners associated with its operation, and must certify the integral fulfillment of the obligations of the law.

4.    The sending or sharing of personal information will be developed as a transfer of personal data.

5.    The Companies undertake to articulate their channels of attention and internal procedures for the processing of personal information, as well as to participate actively in its execution in accordance with the postulates established in this policy and other internal provisions.

TITLE IX

ABOUT THE SPECIAL PROVISIONS FOR THE PROCESSING OF PERSONAL DATA AND ACCREDITATION OF THE PRINCIPLE OF “ACCOUNTABILITY”

 

1. IDENTIFICATION AND UPDATING OF THE PERSONAL INFORMATION CYCLE

For adequate compliance with the personal data protection regulations, the Company will identify and keep updated its understanding of the life cycle of the personal information of its operation, defining and validating especially the following elements:

a) Activities or processes that start or justify the processing of personal data

b) Channels or points of capture of personal information, detailing the type of information collected, the means of collection and its purpose.

c) Databases and other information repositories where the collected personal information is stored, specifying the means of processing the physical or automated information.

d) Users or internal areas of the Company with access to the information of the databases and other repositories of personal information, specifying the purposes of the use or access to the information.

e) Nodes or points of departure of personal information, identifying third party recipients, typology of responsibility of the third party, as well as the national or international scope of the transmission or transfer of information.

f) Mechanisms for the disposal of personal information collected.

The previously mentioned elements, henceforth identified as a whole as the “life cycle of the personal data or information cycle”, will be the basis for determining the legal, technical and organizational coverage that will allow the Company to promote the appropriate processing and protection of personal information. Therefore, its verification, validation and permanent updating will be the direct responsibility of the workers, collaborators, allies and other stakeholders with conventional or contractual connection with the Company, under the coordination of the privacy officer.

2. RELATIONSHIP WITH THIRD PARTIES.

In line with its internal policies and provisions regarding the protection of personal data, the Company will tend to establish labor and commercial relationships with those third parties that reflect its commitment to the observance and application of the general regulation of protection of personal data in their respective operation. Therefore, without prejudice to the use of the formats or models of request for authorization of treatment, privacy notices and contractual coverage, the Company may, when it deems necessary, request from its third parties the pertinent information that allows it to verify compliance with the provisions contained in the present policy, as well as those enshrined in its own internal policies and procedures regarding the protection of personal data.

Third parties who, in the development of their contractual or conventional object, have an impact on the processing or on the life cycle of the Company’s personal information must prove, prior to the time of their connection, the fulfillment of the requirements of the data protection regime, including, but not limited to, the existence and application of a personal data processing policy, the enabling of channels for the attention of inquiries and complaints for Owners of personal information, as well as the effective realization and update of the National Registry of Personal Databases before the Superintendence of Industry and Commerce in the established legal terms.

Likewise, the Company reserves the right to supervise, occasionally or periodically, compliance by its third parties with the legal and contractual requirements associated with the regime of protection of personal data, for which it may request evidence or support for compliance, make visits to the facilities or headquarters of the third party, and take other measures that it deems reasonable according to the criticality of the operation, the volume of the data or the nature of the contractual object.

3. EVALUATION OF THE PRIVACY IMPACT

 

The Company recognizes the importance of privacy and the protection of the information of its Owners in the framework of the development of its operations. In order to promote the sustainability and continuous improvement of the current legal, technical and organizational coverage, the Company has adopted an internal procedure, applied prior to the development of its new operations or initiatives with an impact on the current cycle of the processing of its personal data, in order to determine ex ante, or in advance, the actions, measures and coverages necessary for the protection of information and the appropriate treatment of personal data. The development of this accountability initiative is coordinated by the privacy officer, without prejudice to the transversal responsibility that concerns all personnel related to the organization, according to the procedures described in the internal manual of policies and procedures for the processing of the Company’s personal information. Without prejudice to the specific requirements of each particular case, the privacy impact assessment must take into consideration the impact, implications and legal, technical and organizational coverage associated with the following central elements:

a) Owner: Analyzes the impact of the initiative or project against the Owner’s consent, specifically with regard to aspects such as the type of data involved, the type and purposes of the process, the means to obtain the authorization, and the need to create, modify or delete existing authorization requests or privacy notices.

b) Impact on third parties: Analyzes the impact of a certain operation or initiative, specifically against technical and legal coverage in the relationship with the third party, as well as the mechanisms of verification prior to, during and subsequent to the link with the Company, the type of responsibility of the third party regarding the disposition of the information, and the national or international scope of the eventual transmission or transfer of the information, among others.

c) Impact on the authority: Determines compliance measures or actions against the authorities that exercise control and surveillance in matters of personal data protection such as registration, reporting or updating of the National Registry of Personal Databases before the Superintendency of Industry and Commerce.

d) Impact within the organization: Determines the measures, coverage or adjustments coming from the understanding and validation of the information cycle of the Company, implementing the coverage and legal, technical and organizational internal measures or making the pertinent adjustments to the existing ones.

4. MANAGEMENT OF THE RISK OF PRIVACY AND SECURITY OF PERSONAL INFORMATION:

 

Based on the identification of the flow of the personal information cycle, the Company continuously analyzes the level of criticality of its information assets associated with the handling, administration or processing of personal data, developing at least the following activities:

a) Determination of databases and other repositories with personal information: It implies the determination of the concept of personal databases in accordance with the applicable regulations and international standards, in order to determine and classify the different databases with personal information and other assets with personal data.

b) Determination of the level of risk: It involves the determination and classification of the risk level of each information asset according to its criticality.

c) Definition of controls: It involves the determination, progressive implementation and evaluation of information security controls in order to mitigate the inherent risk of each database with personal information.

The above activities are developed within the framework of progressive implementation and continuous improvement, taking as criteria of prioritization the availability of resources, the criticality of the risks and the demands of the operation.

5. COMPREHENSIVE CORPORATE DATA PROTECTION PROGRAM:

 

The Company has developed a comprehensive corporate program for the sustainability of the management and compliance model in terms of personal data protection. The aforementioned program has the following minimum elements:

a) Organic component:

· It includes the definition of the roles and responsibilities of the entire administrative structure of the Company in terms of data protection, articulating the different internal procedures with the functional duties and responsibilities for the different levels of the organization.

· Without prejudice to the transversal responsibility of each employee and director of the Company, the privacy officer assumes the role of coordinating the corporate model for the protection of personal data.

· The privacy officer will report to the legal representative, the privacy committee or another body that represents senior management, in order to enable strategic planning and management of information governance and, in particular, of the policy of protection of personal data and privacy.

b) Programmatic component: It includes the annualized definition of the main programs, activities and initiatives to be developed by the Company for the sustainability of the management and compliance model regarding the protection of personal data within the framework of the “Accountability” principle and continuous improvement.

The corporate annual personal data protection program will be presented by the privacy officer and approved by the legal representative, the privacy committee or any other instance that the Company determines for the representation of senior management. Notwithstanding the inclusion of other elements, the corporate annual personal data protection program will include and develop the following activities:

· Training for Company personnel.

· Support for the operation in the analysis of legal, technical and organizational coverages associated with the relationship with Owners, third parties and authorities.

· Internal verification, control and measurement.

· Formulation of improvement plans and actions, as well as follow-up and support for their implementation.

· Compliance with external reports and monitoring of the regulatory environment.

· Presentation of annual internal reports to senior management that deal with the current status of the management and compliance model of personal data protection.

TITLE X

OTHER ASPECTS ASSOCIATED WITH THE PROCESSING OF PERSONAL DATA

 

1. USE OF THE COMPANY’S BRAND FOR ACTIVITIES INVOLVING PROCESSING OF PERSONAL INFORMATION.

Users, customers, workers, suppliers or any third party with a direct or indirect relationship with the Company must refrain from carrying out, without prior written authorization, any initiative or activity that involves the use of the Company’s name, brand, company name, symbol, logo symbol, trademark or any other distinctive sign and that involves the processing of personal information. Any activity or initiative that is carried out without complying with this requirement will be the sole responsibility of its author(s) and/or promoter(s) and will not generate effects, commitments or any responsibility for the Company.

2. USE OF INTERNET, APPLICATIONS, WEB PAGES AND OTHER DIGITAL COMMUNICATION MEDIA.

The Company may develop applications, platforms, web pages or in general any type of internal or external computer system for one or multiple users, hereinafter referred to collectively or generically as “Applications”. The development of the Applications may be carried out directly by the Company or through third party developers who supply, support or advise in the different phases of the development or in the technological infrastructure for its operation and maintenance.

The development, operation, maintenance and updating of Applications will be done taking into consideration the standards, procedures and controls necessary to promote security, privacy and proper treatment of the personal data involved. Each Application will require the development of special terms and conditions of use, including a specific section for the conditions of privacy and protection of personal data. In the absence of terms and conditions or of a specific section on the protection of personal data, the principles, postulates and other elements described in this policy will apply.

The Company shall refrain from publishing or disclosing, through the Internet or any other mass media, personal information of a sensitive nature of the Owners whose data it processes, except in those cases in which it is ensured that access is technically controllable so as to restrict knowledge to the Owners or authorized third parties according to the legal terms. Likewise, the Company will refrain from disclosing or publishing information of a discriminatory or offensive nature or that may affect the particular conditions of vulnerability or defenselessness of the information Owner.

Regarding the use of cookies:

Cookies are text sequences that are installed on the hard drive of the user’s terminal equipment when visiting a website or application in general.

The use of these cookies makes it possible, for example, to indicate whether the user has visited before or is visiting for the first time, as well as to identify which features of the site are of most interest to the user. Accordingly, cookies may be used by the Company to improve the user’s online experience by saving their preferences when visiting the Company’s Applications.

The Company, in the development of its activities, particularly in relation to the management of digital media, may make use of its own or third party cookies on its own platforms or on those managed on its behalf, for the purpose of determining, for example, how many users visited the accessed applications. Where applicable, the use of cookies by the Company will focus on “personalization cookies”, which are used to identify visitors who return to the websites, as well as “analytical cookies”, which monitor the use that visitors make of websites and applications, helping to better understand what content users and visitors spend more time reading. Thus, the main cookies to be used by the Company correspond to the following:

a)    Analytics: These cookies help to improve the Websites over time, providing information on how the different sections of the Websites are used and how users interact with said Sites. The information collected is anonymous and statistical in nature.

b)    Authentication: These cookies are used to individually identify visitors to the websites. When a user initiates a session in the Websites, these are the cookies that allow the site to remember who the user is in order to give them access to their preferences or personal configurations. These cookies help to preserve the security of the site.

c)    Session: These are cookies designed to ensure that the visit to the Applications is as pleasant as possible. Their main functions are the following:

•    Allow a device to be identified when accessing the Application, so that the user is not considered a new visitor each time they access another section of the application.

•    Ensure that each of the servers used to host the application serves the same number of users, allowing the user to navigate more efficiently.

•    Record the functions of the user’s browser.

Similarly, cookies are used to remember the preferences of users of the applications, which implies:

•    If the user of the application deletes all their cookies, they will have to update their preferences again.

•    If the user uses a different device, computer profile or browser, they will have to re-communicate their preferences.

All information obtained through cookies is encrypted, and personal data such as credit card numbers or other information of a financial or credit nature are not collected with them. Most browsers indicate how to reject new cookies, how to receive notifications of new cookies and how to disable existing cookies. However, it is important to emphasize that without cookies the user will not be able to take full advantage of the benefits of the Company’s Applications.

Any other additional or complementary use of cookies by the applications of the Company will be informed to the user or Owner in the respective terms and conditions of web browsing.

Regarding the use of Web Beacons:

The Company may, on occasion, use “web beacons” (also known as “internet tags”, “pixel tags” or “transparent GIFs”) in its applications. These web beacons allow third parties to obtain information such as the IP address of the computer that has downloaded the page where the beacon is located, the URL of the page on which the beacon is located, the time when the page where the beacon is located was displayed, the type of browser used to view the page and the information of the cookies established by said third party. Whenever the Company uses these tools, the Owner will be informed in the terms and conditions of the respective Application.

Regarding the use of IP Addresses:

An IP address is a unique identifier that some electronic devices use to detect and communicate through the internet. On occasion, when visiting, using or accessing an Application of the Company, whether it is managed directly or through a third party, the IP address of the device used by the user or information Owner to connect to the Internet may be displayed. This information will be used to determine the general physical location of the device and to know from which geographic regions the visitors or users of the Applications come, in order to facilitate or allow the provision of a service, for example, for the georeferencing of the user or Owner of the information in order to facilitate the process of distribution or delivery of products. Whenever the Company uses this type of tool, the Owner will be informed in the respective terms and conditions of the Application.

TITLE XI

FINAL PROVISIONS AND ENFORCEMENT

 

1.    MODIFICATIONS TO THE POLICY

The Company reserves the right to modify this policy at any time. For this purpose, it will publish a notice on its website five (5) business days before its implementation and during the term of the policy. If they do not agree with the new personal information management policies, the Owners of the information or their representatives may exercise their rights as Owners of the information in the terms previously described.

2.    ENFORCEMENT

This policy enters into force as of October 26, 2015.