PERSONAL DATA PROCESSING POLICY SIVAR S.A.S.
1. Information about the company responsible for the processing of personal information
SIVAR S.A.S., a company identified with Tax ID No. 901.292.678-3, hereby informs all interested parties that the personal data obtained by virtue of the transactions entered into with the company will be processed in accordance with the principles and duties defined in Law 1581 of 2012, Decree 1377 of 2013, Decree 886 of 2014, Single Decree 1074 of 2015, and all other regulations governing this matter. In view of its capacity as Data Controller in accordance with the aforementioned regulations, it hereby discloses this PERSONAL DATA PROCESSING POLICY (hereinafter, the “Policy”), whose application is mandatory for all natural or legal persons who process personal data recorded in SIVAR S.A.S.’s databases.
For all relevant purposes, the address of SIVAR S.A.S. shall be Carrera 30 #7AA-207, Torre Scaglia Building, Medellín, telephone: (57) 3128039189. Email: proyectos@sivargroup.com – info@sivargroup.com and website: http://www.sivargroup.co.
2. Purpose
The purpose of this Policy is to provide the necessary and sufficient information to different stakeholder groups, such as customers, users, prospective customers, suppliers, employees, contractors, business partners, and shareholders; as well as to establish the guidelines that guarantee the protection of personal data subject to processing through SIVAR S.A.S.’s procedures, in order to comply with the law, policies, and procedures for handling the rights of data subjects, as well as the criteria for collection, storage, use, circulation, and deletion of personal data.
3. Recipients
This policy shall apply to all physical and digital databases containing personal data that are processed by SIVAR S.A.S., acting as Data Controller. Likewise, it shall apply in those cases in which it acts as Data Processor of personal data. The policy is intended so that SIVAR’s customers, users, prospective customers, suppliers, employees, contractors, business partners, and shareholders have at their disposal the necessary and sufficient information regarding the different types of processing and purposes for which their data will be used, as well as the rights they may exercise against SIVAR when it acts as controller of their personal data.
Knowledge of and compliance with this policy are mandatory for all natural or legal persons responsible for managing SIVAR’s personal databases, and for those employees who receive, process, and respond, directly or indirectly, to requests (consultations or claims) for information related to personal data protection law.
4. Scope
- To guarantee the exercise of the right to privacy and habeas data through the protection of personal data contained in SIVAR’s databases and which fall within the framework of Law 1581 of 2011, Decree 1373 of 2013, and other rules that amend or regulate them.
- To provide an expedited and lawful process for the various requests and claims made by Data Subjects, as well as by their successors or any other duly authorized person.
- To comply with the requirements of current regulations on Personal Data Protection, as well as any requirement arising from the principle of accountability.
- To provide proper protection for the interests and needs of the Data Subjects whose personal information is processed by SIVAR.
5. Definitions
In the development, interpretation, and application of the Law, regulations, and current rules, the following definitions shall apply harmoniously and comprehensively:
a) Data protection area: The area within SIVAR responsible for monitoring and controlling the application of the Personal Data Protection Policy.
b) Area responsible for handling requests, complaints, claims, and inquiries: Requests, complaints, claims, and inquiries submitted by data subjects shall be handled by SIVAR through the Data Protection Officer, attached to said area.
c) Authorization: Prior, express, and informed consent of the Data Subject to carry out the processing of personal data.
d) Privacy Notice: Verbal or written communication generated by the Controller and addressed to the Data Subject for the processing of personal data, informing them of the existence of the information processing policies applicable to them, how to access them, and the purposes of the intended data processing.
e) Database: Organized set of personal data subject to Processing.
f) Data quality: Personal data subject to processing must be truthful, complete, accurate, updated, verifiable, and understandable. When partial, incomplete, fragmented, or misleading personal data are held, SIVAR must refrain from processing them or request their completion or correction from the Data Subject.
g) Restricted circulation: Personal data shall only be processed by SIVAR personnel or those who, within their duties, are responsible for carrying out such activities. Personal Data may not be delivered to persons who are not authorized or enabled by SIVAR to process them.
h) Confidentiality: Information security element that determines who may access the information and under what circumstances.
i) Personal data: Any information linked or that may be associated with one or more identified or identifiable natural persons.
j) Public data: Data that are not semi-private, private, or sensitive. Public data include, among others, data relating to people’s marital status, profession or occupation, and status as merchants or public servants. Due to their nature, public data may be contained, among others, in public registries, public documents, official gazettes and bulletins, and duly enforceable court judgments not subject to confidentiality.
k) Semi-private data: Information that is not intimate, reserved, or public, and whose knowledge or disclosure may be of interest not only to its owner but also to a certain sector, group of people, or society in general, such as financial, credit, or commercial activity data.
l) Sensitive data: Data affecting the privacy of the data subject or whose improper use may generate discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations, or organizations promoting interests of any political party or guaranteeing the rights and guarantees of opposition political parties, as well as data relating to health, sexual life, and biometric data.
m) Data Processor: Natural or legal person, public or private, who by itself or in association with others carries out the processing of personal data on behalf of the Data Controller.
n) Digital information: Any information stored or transmitted by electronic and digital means such as email or other information systems.
o) Data Controller: Natural or legal person, public or private, who by itself or in association with others decides on the database and/or data processing.
p) Data Subject: Natural person whose personal data are subject to processing.
q) Transmission: Processing of personal data that involves communication thereof within or outside the territory of the Republic of Colombia when intended for Processing by the Processor on behalf of the Controller.
r) Transfer: The Controller and/or Processor of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is a Data Controller and is located within or outside the country.
s) Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.
6. Governing principles
Within SIVAR’s legal and corporate commitment to clearly define the framework for personal data protection, the exercise of the right to habeas data, and to guarantee the confidentiality of personal information, it adheres to the general principles for the processing, transfer, and transmission of personal data to which it has access.
a) Principle of legality in data processing: Processing is a regulated activity that must be subject to the provisions of Law 1581 of October 17, 2012, its regulatory decrees, and other provisions that develop it.
b) Principle of purpose: Processing must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Data Subject.
c) Principle of freedom: Processing may only be carried out with the prior, express, and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that waives consent.
d) Principle of truthfulness or quality: Information subject to Processing must be truthful, complete, accurate, updated, verifiable, and understandable. The Processing of partial, incomplete, fragmented, or misleading Data is prohibited.
e) Principle of transparency: In Processing, the right of the Data Subject to obtain from the Controller or Processor, at any time and without restrictions, information about the existence of data concerning them must be guaranteed.
f) Principle of restricted access and circulation: Processing is subject to the limits arising from the nature of the personal data, the provisions of the law, and the Constitution. In this sense, Processing may only be carried out by persons authorized by the Data Subject and/or persons provided for by law.
g) Principle of security: Information subject to Processing by the Controller or Processor referred to in the law must be handled with the technical, human, and administrative measures necessary to provide security to records and prevent their alteration, loss, consultation, unauthorized or fraudulent use or access.
h) Principle of confidentiality: All employees and contractors involved in the Processing of Personal Data that are not public in nature are required to guarantee the confidentiality of the information, even after their relationship with any of the tasks involving Processing has ended, and may only supply or communicate personal data when this corresponds to the development of activities authorized by law and under its terms. SIVAR undertakes to process the personal data of data subjects as defined in paragraph g) of article 3 of Law 1581 of 2012 in an absolutely confidential manner, using them exclusively for the purposes contained in this policy, provided that the data subject has not objected to such processing. SIVAR states that it has implemented the necessary technical and organizational security measures to guarantee the security of personal data and prevent unauthorized alteration, loss, processing, and/or access.
i) Principle of temporality: Personal data shall be retained only for the reasonable and necessary time to fulfill the purposes that justified the processing, taking into account the applicable provisions of the matter concerned and the administrative, accounting, tax, legal, and historical aspects of the information. Data shall be retained when necessary for compliance with a legal or contractual obligation. Once the purpose of processing and the terms established above have been fulfilled, the data shall be deleted.
j) Comprehensive interpretation of constitutional rights: Rights shall be interpreted harmoniously and in balance with the right to information provided for in article 20 of the Constitution and with the applicable constitutional rights.
k) Principle of necessity: The personal data processed must be strictly necessary for fulfilling the purposes pursued by the database.
7. Responsibility
Any person who has access to consult and carry out any type of processing of personal data contained in databases under SIVAR’s responsibility is personally responsible and must comply with the Policy.
8. Processing of sensitive data
The Processing of sensitive data is prohibited, except when:
a) The Data Subject has given explicit authorization for such Processing, except in cases where such authorization is not required by law.
b) The Processing is necessary to safeguard the vital interest of the Data Subject and the Data Subject is physically or legally incapable. In these events, legal representatives must grant authorization.
c) The Processing refers to data necessary for the recognition, exercise, or defense of a right in a judicial proceeding.
d) The Processing has a historical, statistical, or scientific purpose. In such event, measures must be taken to suppress the identity of the Data Subjects.
Special authorization for sensitive personal data: SIVAR S.A.S. will inform all its Data Subjects, through the various means of obtaining authorization, that by virtue of Law 1581 of 2012 and its regulations, they are not obliged to grant authorization for the processing of sensitive data. The biometric sensitive data processed are intended for the identification of individuals, security, and the proper provision of services.
Rights of children and adolescents: The processing of personal data of children and adolescents is prohibited, except when such data are public in nature, in accordance with article 7 of Law 1581 of 2012, and when such Processing complies with the following parameters and requirements:
- It responds to and respects the best interests of children and adolescents.
- It ensures respect for their fundamental rights.
Once the above requirements are met, the legal representative of the child or adolescent shall grant authorization, after the minor has exercised the right to be heard, whose opinion shall be assessed taking into account maturity, autonomy, and capacity to understand the matter.
9. Processing and purposes
In accordance with Law 1581 of 2012 and with the authorizations granted by data subjects, SIVAR S.A.S. will carry out operations or sets of operations including data collection, storage, use, transmission, transfer, circulation, and/or deletion. This data processing shall be carried out exclusively for the purposes authorized and provided for in this Policy and in the specific authorizations granted by the Data Subject. Personal data shall be processed according to the stakeholder group and in proportion to the purpose or purposes of each processing activity; likewise, Personal Data shall be processed when there is a legal or contractual obligation to do so, always under the guidelines of Information Security policies.
In view of the different relationships it has with holders of personal data, SIVAR may process them for special purposes; the different types of data subjects may be: customers, users, prospective customers, suppliers, employees, contractors, business partners, and shareholders of SIVAR.
a. Customers, users, and prospective customers
The processing of Personal Data by SIVAR S.A.S. shall have the following purposes:
a) To control requests related to the services provided by the Company.
b) To send responses to petitions, complaints, and claims to customers and users.
c) To carry out procedures related to service provision or product delivery.
d) To carry out collection management.
e) To send commercial and advertising information related to the products and services offered by the company.
f) To conduct campaigns, outreach activities, training sessions, and webinars.
g) To update databases.
h) To prepare studies, statistics, surveys, and trend analyses related to customer and user preferences.
i) To transfer information to third parties. The transfer of data to third parties may entail financial compensation from the third party in favor of SIVAR S.A.S.
j) To contact prospective customers for business development.
k) To provide the services and market the products offered by SIVAR.
l) To conduct campaigns and outreach activities related to promotions, offers, special rates, events, and other advertising of interest to the customer.
m) To prepare studies, statistics, surveys, trend analyses, and consumption behavior analyses related to the products and services provided by SIVAR.
n) To manage the information necessary for compliance with tax, contractual, commercial, commercial registry, corporate, and accounting obligations.
o) To evaluate the quality of the services provided.
p) To improve promotional initiatives for service offerings and product updates of SIVAR.
q) Any other purposes determined in the processes of obtaining Personal Data for processing, and in any case, in accordance with the Law.
b. Employees
a) To verify compliance with requirements related to the General Social Security System.
b) To carry out workplace wellness campaigns.
c) In the case of biometric data captured through video surveillance or recording systems, processing shall have the purpose of identification, security, and prevention of internal and external fraud.
d) In the case of participants in recruitment processes, processed personal data shall be used to carry out selection procedures; résumés shall be managed under the principle of restricted access.
e) To report company payments and issue income and withholding certificates.
f) To carry out Occupational Health and Safety Management System campaigns.
c. Suppliers, contractors, and business partners
a) For all purposes related to selection processes, due diligence of counterparties, contractual matters, or matters related thereto.
b) To carry out all internal procedures and comply with accounting, tax, and legal obligations.
c) To report payments and issue certificates.
d) To consult reports in financial credit bureaus.
e) To manage SIVAR’s budgeting chain with regard to payments, issuance of income and withholding certificates (for natural and legal persons), and payment relationships.
f) To manage SIVAR’s accounting process.
g) To carry out all activities necessary for compliance with the different contractual stages in relationships with suppliers, contractors, distributors, and business partners.
h) To issue contractual certificates requested by contractors or by oversight entities.
i) To issue purchase orders for the request of services and/or products.
j) For the processing, receipt, and payment of services and/or products provided and marketed by contractors, suppliers, distributors, and business partners.
k) To maintain a digital archive containing the information corresponding to each contract.
l) Any other purposes determined in the processes of obtaining Personal Data for processing, and in any case, in accordance with the Law and within the framework of SIVAR’s functions.
d. Shareholders
For all purposes related to the company’s corporate governance, especially those involving shareholder, economic, financial, commercial, and strategic activities, as well as those defined in the Commercial Code and commercial regulations with respect to shareholders.
The personal data and information of SIVAR’s shareholders are considered confidential information, as they are recorded in commercial books and are subject to confidentiality by legal provision. Consequently, access to such personal information shall be carried out in accordance with the rules contained in the Commercial Code governing the matter. SIVAR shall only use shareholders’ personal data for the purposes arising from the existing corporate relationship.
10. Transfer and transmission of personal data
SIVAR may transfer and transmit personal data to third parties with whom it has an operational relationship and who provide services necessary for its proper operation, or in accordance with the functions established by law. In such cases, the necessary measures shall be adopted so that persons who have access to personal data comply with this Policy and with the principles and obligations established by law regarding personal data protection.
In any case, when SIVAR transmits data to one or more processors located within or outside the territory of the Republic of Colombia, it shall establish contractual clauses or enter into a personal data transmission agreement stating:
- Scope of the processing.
- The activities the processor will carry out on behalf of the controller for the processing of personal data.
- The processor’s obligations toward the data subject and the controller.
Through such contract, the Processor undertakes to comply with SIVAR’s obligations as Controller under the information processing policy established by it and to process data according to the purpose authorized by the Data Subjects and applicable law.
In addition to the obligations imposed by applicable rules in such contract, the following obligations must be included for the respective Processor:
- To process personal data on behalf of the Controller in accordance with the governing principles.
- To safeguard the security of databases containing personal data.
- To maintain confidentiality regarding the processing of personal data.
International transmissions of personal data shall not require notification to the data subject nor their consent or authorization when a transmission agreement exists.
In case of transfer, compliance shall be given to the obligations set forth in Law 1581 of 2012 and its regulations.
SIVAR shall adopt the prohibition on transferring personal data to countries that do not provide adequate levels of data protection. Data may only be transferred in the exceptional cases provided by law, or whenever the Superintendence of Industry and Commerce has issued a declaration of conformity, or whenever a contract or other legal instrument is signed for the international transfer, for which there shall be a presumption of viability and declaration of conformity when the following requirements are demonstrated:
- The conditions governing the international transfer must be stated, guaranteeing compliance with the principles governing personal data processing.
- The obligations of the parties must be determined.
- The Delegation for Personal Data Protection of the Superintendence of Industry and Commerce must be informed of the intended operation.
- It must be declared that a transfer agreement or other legal instrument guaranteeing personal data protection has been signed.
11. Data collection
Data are provided directly by the data subject, as follows:
a. Customer and user information
a) By completing the customer opening request form.
b) In brand positioning activities such as webinars, training sessions, and others.
c) When updating and creating user records in the different applications and platforms managed by SIVAR S.A.S.
d) During telephone and virtual contact with users and customers.
b. Employee information
a) By submitting the documentation requested in the employee documents list.
b) Information contained in résumés submitted during hiring processes.
c) Information obtained during Occupational Health and Safety campaigns.
d) Information obtained to carry out workplace wellness programs.
c. Supplier information
a) By submitting the documentation requested in the service provider documents list.
b) Request for documents to create database records (Tax Registration Certificate, Certificate of Existence and Legal Representation, Bank Certification).
c) Sending supplier circularizations.
d) Updating contact data.
PARAGRAPH: Data collection and processing are carried out with the prior authorization of the data subject.
12. Type of information stored in our databases
The data stored in our databases are as follows:
a) Identification data: First name, last name, type of identification, identification number, date and place of issue, name, marital status, sex, signature, nationality, family data, other identification documents, place and date of birth, age, fingerprint, etc.
b) Location data: Such as those related to people’s commercial or private activity, such as address, phone number, mobile number, email, etc.
c) Socioeconomic content data: Such as socioeconomic stratum, home ownership, financial, credit, and/or economic data, asset data such as movable and immovable property, income, expenses, investments, employment history, work experience, position, dates of hire and termination, annotations, warnings, educational level, training and/or academic history, tax responsibilities, etc.
d) Sensitive data: Such as those related to a person’s health regarding occupational medical exams.
e) Product specifications and prices of our customers: Such as prices of products and services offered by our customers, quantity and characteristics of offered and sold products.
13. Processing to which personal data are subject
All members of SIVAR, when performing the activities inherent to their position, shall assume the responsibilities and obligations involved in the proper handling of personal information, from its collection, storage, use, and circulation, to its final disposal.
This is the processing we give to the personal data you provide:
Information security. We restrict access to the personal information of our customers, prospective customers, users, employees, contractors, suppliers, and providers. Employees who need to know such information in order to process it on our behalf are required to sign a confidentiality agreement and may be sanctioned or dismissed if they fail to comply with the obligations established therein.
Storage of personal data.
The storage of digital and physical information is carried out in media or environments that have adequate controls for data protection. This involves physical, computer, technological, and environmental security controls in restricted areas, in our own facilities and/or computer centers or document centers managed by third parties.
Use of information.
Personal information contained in databases must be used and processed in accordance with the purposes described in this policy.
If any area identifies new uses different from those described in this personal data processing policy, it must inform the Personal Data Protection Officer or the area acting in its place, who will assess and manage, when applicable, its inclusion in this policy.
Likewise, the following assumptions must be taken into consideration:
a. In the event that an area other than the one that initially collected the personal data requires using the personal data obtained, this may be done provided that it is a foreseeable use according to the type of services offered by SIVAR and for a purpose contemplated in this Personal Data Processing Policy.
b. Each area must guarantee that confidential information or personal data are not disclosed in the recycling of physical documents. Therefore, résumés, academic degrees, academic or employment certificates, medical exam results, or any document containing information allowing a person to be identified may not be recycled.
c. If a processor has provided personal data or databases to an area for a specific purpose, the area that requested the personal data must not use such information for a purpose different from that stated in the Personal Data Processing Policy; once the activity is completed, it is the duty of the requesting area to delete the database or personal data used, thus avoiding the risk of outdated information or cases in which, during that time, a data subject may have filed a claim.
d. Employees may not make decisions that have a significant impact on personal information, or that have legal implications, based exclusively on information generated by the information system; therefore, they must validate the information through other physical instruments or manually, and, if necessary, directly with the data subject, in cases where this is required.
e. Only authorized employees and contractors may enter, modify, or delete data contained in databases or documents under protection. User access permissions are granted by the Technology and IT Area or whoever acts in its place, according to established profiles, which shall be previously defined by the leaders of the processes where the use of personal information is required.
f. Any use of information different from that established shall be previously consulted with the Personal Data Protection Officer or the area responsible for data protection.
Destruction.
The destruction of physical and electronic media shall be carried out through mechanisms that do not allow their reconstruction. It shall only be carried out in cases where it does not constitute a breach of any legal provision, always leaving the respective traceability of the action.
Destruction includes information held by third parties as well as in own facilities.
14. Rights of data subjects
In accordance with article 8 of Law 1581 of 2012 and Decree 1377 of 2013, the data subject has the following rights vis-à-vis the company responsible for data processing:
a) To know, update, and rectify personal data before SIVAR S.A.S. as controller and processor. This right may be exercised, among others, in relation to partial, inaccurate, incomplete, fragmented, misleading data, or data whose processing is expressly prohibited or has not been authorized.
b) To request proof of the authorization granted to SIVAR S.A.S. as controller and processor, except where expressly exempted as a requirement for processing in accordance with article 10 of Law 1581 of 2012.
c) To be informed by SIVAR S.A.S., upon request, regarding the use given to the data subject’s personal data.
d) To file complaints before the Superintendence of Industry and Commerce for violations of Law 1581 of 2012 and any rules that amend it, once the consultation or claim process before the Data Controller has been exhausted.
e) To revoke authorization and/or request deletion of data when processing does not respect constitutional and legal principles, rights, and guarantees. Revocation and/or deletion shall proceed when the Superintendence of Industry and Commerce has determined that the controller or processor has engaged in conduct contrary to Law 1581 of 2012 and the Constitution. Revocation shall proceed provided there is no legal or contractual obligation to retain the personal data.
f) To access free of charge personal data that have been subject to processing.
Without prejudice to the exceptions provided by law, prior and informed authorization from the data subject is required for processing, which must be obtained by any means that may later be consulted. Authorization shall be understood to meet these requirements when expressed: (i) in writing, (ii) orally, or (iii) by unequivocal conduct by the data subject that reasonably allows concluding that authorization was granted.
The information requested by personal data subjects shall be supplied mainly by electronic means, or by any other means only if so required by the data subject. The information provided by SIVAR shall be delivered without technical barriers preventing access; its content shall be easy to read and access and shall fully correspond to the information stored in the database.
At the time of requesting authorization from the data subject, SIVAR must clearly and expressly inform them of the following:
a) The processing to which their personal data will be subjected and its purpose.
b) The optional nature of responses to questions dealing with sensitive data.
c) The rights of the data subject.
d) The identification, physical or electronic address, and telephone number of the data controller.
SIVAR, as controller, must keep proof of compliance with the provisions of this section, and when requested by the data subject, provide them with a copy thereof.
15. Persons to whom information may be supplied
Information meeting the conditions established by law may be supplied to the following persons:
a) The Data Subjects, their successors, or their legal representatives.
b) Public or administrative entities in the exercise of their legal functions or by court order.
c) Third parties authorized by the Data Subject or by law.
16. Duties of data controllers
SIVAR, as controller, shall comply with the following duties, without prejudice to other provisions established by law and others governing its activity:
a) To guarantee the Data Subject, at all times, the full and effective exercise of the right to habeas data.
b) To request and retain, under the conditions provided by law, a copy of the corresponding authorization granted by the Data Subject.
c) To duly inform the Data Subject about the purpose of collection and the rights arising from the authorization granted.
d) To preserve information under the necessary security conditions to prevent its alteration, loss, consultation, unauthorized or fraudulent use or access.
e) To guarantee that the information supplied to the Processor is truthful, complete, accurate, updated, verifiable, and understandable.
f) To update the information, timely informing the Processor of all changes regarding previously supplied data and adopting other necessary measures so that the information supplied remains updated.
g) To rectify information when incorrect and communicate the relevant matters to the Processor.
h) To supply the Processor, as the case may be, only with data whose Processing has been previously authorized in accordance with the law.
i) To require the Processor at all times to respect the security and privacy conditions of the Data Subject’s information.
j) To process consultations and claims submitted under the terms established by law.
k) To adopt specific procedures to guarantee proper compliance with the law and especially for handling consultations and claims.
l) To inform the Processor when certain information is under dispute by the Data Subject, once the claim has been submitted and the respective process has not ended.
m) To inform the data subject, upon request, about the use of their data.
n) To inform the data protection authority when security code violations occur and there are risks in the management of Data Subjects’ information.
o) To adopt and retain the Privacy Notice in order to comply with the duty to inform data subjects of the existence of information processing policies and how to access them, while personal data are processed accordingly and obligations arising therefrom remain in force.
17. Duties of data processors
Processors, including SIVAR when it acts as Processor, shall comply with the following duties, without prejudice to the other provisions established by law and others governing their activity:
a) To guarantee the data subject, at all times, the full and effective exercise of the right to habeas data.
b) To preserve information under the necessary security conditions to prevent alteration, loss, consultation, unauthorized or fraudulent use or access. Processors must comply with the minimum security conditions defined in the National Database Registry, which can be consulted at: https://www.sic.gov.co/
c) To timely update, rectify, or delete data in accordance with Law 1581 of 2012 and other applicable regulations.
d) To update information reported by controllers within five (5) business days from receipt.
e) To process consultations and claims submitted by Data Subjects under the terms established in this policy.
f) To adopt an internal manual of policies and procedures to guarantee proper compliance with the law, and especially the handling of consultations and claims by Data Subjects.
g) To record in databases the note “claim in process” in the manner regulated by law.
h) To insert in the database the note “information under judicial dispute” once notified by the competent authority of judicial proceedings related to the quality of the personal data.
i) To refrain from circulating information being contested by the Data Subject and whose blocking has been ordered by the Superintendence of Industry and Commerce.
j) To allow access to information only to persons authorized to access it.
k) To inform the Superintendence of Industry and Commerce when security code violations occur and there are risks in the management of Data Subjects’ information.
l) To comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
m) To verify that the Data Controller has the authorization for processing the Data Subject’s personal data.
18. Area before which the data subject may exercise rights
SIVAR S.A.S. has an administrative structure intended, among other functions, to ensure proper attention to requests, consultations, complaints, and claims related to data protection, in order to guarantee the exercise of the rights contained in the Constitution and the law, especially the right to know, update, rectify, and delete personal information; as well as the right to revoke consent granted for the processing of personal data.
For requests, consultations, complaints, and claims, or for the exercise of the rights you hold as data subject, you may contact SIVAR S.A.S. by telephone: (57) 3128039189 and email: info@sivargroup.com or through the website http://www.sivargroup.com
19. Procedure for data subjects to exercise their rights
SIVAR S.A.S. guarantees the exercise of the rights of data subjects as follows:
a) Consultations
SIVAR S.A.S., and/or the Processors, guarantee the data subjects whose personal data are contained in their databases, or their successors or authorized persons, the right to consult all information contained in their individual record or all information linked to their identification as established in this Personal Data Processing Policy.
Person responsible for handling consultations:
The Personal Data Protection Officer or whoever acts in their place shall be responsible for receiving and processing submitted requests, under the terms, deadlines, and conditions established in Law 1581 of 2012 and in these policies.
Consultations addressed to SIVAR must contain at least the following information:
a. First and last names of the Data Subject and/or representative and/or successors.
b. What is intended to be consulted.
c. Physical and electronic address and contact phone number of the Data Subject and/or successors or representatives.
d. Signature, identification number, or corresponding validation procedure.
e. Submission through the consultation means enabled by SIVAR.
For handling personal data consultation requests, SIVAR S.A.S. has made available the telephone: (57) 3128039189 and email: info@sivargroup.com.
In any case, regardless of the mechanism implemented for handling consultation requests, they shall be answered within a maximum term of ten (10) business days from receipt. When it is not possible to attend to the consultation within said term, the interested party shall be informed before the expiration of the 10 days, stating the reasons for the delay and the date on which the consultation will be attended, which in no case may exceed five (5) business days following the expiration of the first term.
b) Claims
Rights guaranteed through the claims procedure
a) Correction or Updating: SIVAR and/or the Processors shall guarantee data subjects whose personal data are contained in their databases, or their successors, the right to correct or update personal data stored in their databases by filing a claim when they consider that the parameters established by law or by this Personal Data Processing Policy are met for the request for Correction or Updating to be applicable.
b) Revocation of authorization or deletion of personal data: SIVAR and/or the Processors shall guarantee data subjects whose personal data are contained in their databases, or their successors, the right to request revocation of authorization or deletion of the information contained in their individual record or all information linked to their identification when they consider that the parameters established by law or by this Personal Data Processing Policy are met. Likewise, the right to file claims is guaranteed when a presumed breach of Law 1581 of 2012 or of this Personal Data Processing Policy is noticed.
Person responsible for handling claims:
The Personal Data Protection Officer or whoever acts in their place shall be responsible for receiving and processing submitted requests, under the terms, deadlines, and conditions established in Law 1581 of 2012 and in these policies.
Submitted claims must contain at least the following information:
a. First and last names of the Data Subject and/or representative and/or successors.
b. What is being claimed and the facts giving rise to the claim.
c. Physical and electronic address and contact phone number of the Data Subject and/or successors or representatives.
d. Signature, identification number, or corresponding validation procedure.
e. Submission through the claims means enabled by SIVAR.
The claim shall be filed through a request addressed to the Controller or Processor, with the Data Subject’s identification, a description of the facts giving rise to the claim, the address, and accompanied by any documents the claimant wishes to submit. If the claim is incomplete, the interested party shall be asked, within five (5) days following receipt of the claim, to remedy the deficiencies. If two (2) months pass from the date of such request without the applicant submitting the required information, the claim shall be understood to have been withdrawn.
If the person receiving the claim is not competent to resolve it, they shall forward it to the appropriate person within a maximum of two (2) business days and inform the interested party of the situation.
Once the complete claim is received, a note stating “claim in process” and its reason shall be included in the database within no more than two (2) business days. Said note must remain until the claim is decided.
The maximum term for handling the claim shall be fifteen (15) business days counted from the day following its receipt. When it is not possible to attend to the claim within that term, the interested party shall be informed of the reasons for the delay and the date on which the claim will be attended, which in no case may exceed eight (8) business days following the expiration of the first term.
Procedure for deletion of personal data
If, according to the filed claim, deletion of the Data Subject’s personal data is deemed appropriate, SIVAR shall operationally carry out the deletion in a manner that does not allow the information to be recovered. The Data Subject must bear in mind, however, that in some cases certain information must be retained in historical records in compliance with the organization’s legal duties; in those cases deletion shall apply to the active processing of the data and shall be carried out according to the Data Subject’s request.
PARAGRAPH: The Data Subject or successor may only file a complaint before the Superintendence of Industry and Commerce once the consultation or claim process before SIVAR S.A.S. has been exhausted.
20. Procedure for managing incidents involving personal data
An incident is understood as any anomaly that affects or could affect the security of the databases or information contained therein, and it materializes when the appropriate preventive measures to safeguard the confidentiality of the information fail or are not taken.
The incident may have a variety of adverse effects on data subjects, which may lead to problems of discrimination, identity theft, fraud, financial losses, reputational damage, loss of confidentiality of data subject to professional secrecy, or any other significant economic or social harm.
Incidents may affect both digital and physical databases and shall generate the following activities:
a. Incident notification
When it is presumed that an incident may affect or has affected databases containing personal information or personal data, the Personal Data Protection Officer must be informed and shall manage the report of the incident to the National Database Registry.
b. Incident management
It is the responsibility of each employee, contractor, consultant, or third party to timely report any suspicious event, weakness, or policy violation that may affect the confidentiality, integrity, and availability of SIVAR’s assets and personal information.
c. Identification
All suspicious or abnormal events, such as those in which there is potential loss of confidentiality of information, must be assessed to determine whether or not they are incidents and must be reported to the appropriate level within the organization. Any decision involving investigative and judicial authorities must be made jointly by the Personal Data Protection Officer and the responsible legal area. Communication with such authorities shall be carried out by them.
d. Reporting
All incidents and suspicious events must be reported as soon as possible through the internal channels established by the Superintendence of Industry and Commerce.
If sensitive or confidential information is lost, disclosed to unauthorized personnel, or either of these events is suspected, the Personal Data Protection Officer must be notified immediately.
Employees must report to their direct supervisor and to the Personal Data Protection Officer any damage or loss of computers or any other device when these contain personal data under SIVAR’s control.
Unless there is a duly reasoned and justified request from a competent authority, no employee shall disclose information about computer systems and networks affected by computer crime or system abuse. For the delivery of information or data by order of an authority, the Legal Advisory Office must intervene in order to provide proper advice.
e. Containment, investigation, and diagnosis
The Personal Data Protection Officer or whoever acts in their place must ensure that actions are taken to investigate and diagnose the causes that generated the incident, and must also ensure that the entire incident management process is properly documented, with support from the Technology and IT Area.
If a computer crime is identified, under the terms established in Law 1273 of 2009, the Personal Data Protection Officer and the responsible legal area shall report such information to the corresponding judicial investigation authorities.
During investigation processes, the “Chain of Custody” of the evidence collected must be guaranteed, so that it is preserved and admissible in case legal action is required.
SIVAR shall inform the data subjects of the incident related to their personal data and its possible consequences, and shall also provide them with tools to minimize the potential or caused damage.
The communication must be sufficient, clear, and precise to allow data subjects to understand the significance of the incident and take measures to protect themselves and reduce risks.
Once measures have been taken to mitigate the risks associated with the incident, SIVAR shall execute a prevention plan to avoid future events that may affect the personal data processed.
f. Solution
The Technology and IT Area or whoever acts in its place, as well as any involved area and those directly responsible for personal data management, must prevent the security incident from occurring again by correcting the vulnerabilities that enabled it.
g. Incident closure and follow-up
The Technology and IT Area or whoever acts in its place, together with the Personal Data Protection Officer and the areas that use or require the information, shall carry out and document a review of the actions taken to remedy the security incident.
The Personal Data Protection Officer shall prepare an annual analysis of the reported incidents. The conclusions of this report shall be used in developing awareness campaigns to help minimize the likelihood of future incidents.
h. Reporting incidents to the SIC as control authority
Security incidents affecting the database shall be reported as updates according to the following rules:
At the bottom of the menu of each database registered in the system, there are two (2) options for reporting updates.
Violation of security codes or the loss, theft, and/or unauthorized access to information in a database managed by the Controller or its Processor must be reported to the National Database Registry within fifteen (15) business days following the moment in which they are detected and brought to the attention of the person or area in charge of handling them.
Process leaders and/or owners of information assets shall internally report incidents associated with personal data to the Personal Data Protection Officer, who within the legal term shall proceed to report them to the National Database Registry.
21. Validity period of the database
SIVAR’s databases shall remain in force for the period corresponding to the purpose for which their processing was authorized and according to the special rules regulating the matter.
22. Legal
In accordance with article 25 of Law 1581 of 2012 and its regulatory decrees, SIVAR shall register its databases together with this Personal Data Processing Policy in the National Database Registry administered by the Superintendence of Industry and Commerce, in accordance with the procedure established for such purpose.
23. Validity of the information processing policy
This personal data processing policy shall be effective from the date of its signature and complements related policies, with indefinite validity.
Any substantial change in personal data processing policies shall be timely communicated to data subjects through the usual contact means.
For data subjects who do not have access to electronic means or those who cannot be contacted, such communication shall be made through open notices at the main office of the establishment.
Carlos Augusto Gallego Salazar
Legal Representative
SIVAR S.A.S
