Process: Legal Management

PERSONAL DATA PROCESSING POLICY

Document No: PL-LGL-01
Version: 05
Date: 23/12/2020

DOCUMENT APPROVED BY

              Reviewed            Approved
Name          Jose Cruz           Ingrith Angarita
Position      Senior Lawyer       Legal Manager & Deputy Secretary General
Date          18/12/2020          21/12/2020

1. INDEX

2. VERSION HISTORY

Date         Version   Author                          Description
18/02/2016   01        Lina Marcela Lozano Carvajal    Creation of the document.
11/12/2018   02        Risks & Processes               The document is updated due to the change of company name, replacing “Sophos Banking” with “Sophos Solutions”.
24/04/2019   03        Risks & Processes               Biometric information is included.
23/10/2019   04        Risks & Processes               The document is updated due to the corporate image (logo) change.
18/12/2020   05        Legal Area                      The document is updated in relation to the purposes for processing. This version shall apply from 20 November 2020.

3. PERSONAL DATA PROCESSING POLICY

In compliance with Article 15 of the Political Constitution of Colombia, Law 1581 of 2012 and its Regulatory Decree 1377 of 2013, the Personal Data Processing Policy of SOPHOS SOLUTIONS S.A.S. (“The Company” and/or “SOPHOS”) establishes the general guidelines for the proper handling of the personal data collected in the databases administered by The Company, in which it acts as Information Controller.

In this way, SOPHOS has defined the following Objectives:
  • Establish the criteria for the collection, gathering, storage, use, circulation, deletion, processing, compilation, exchange, updating, sharing and disposal of the data that have been provided and incorporated in the different databases, data banks or electronic repositories of any type that SOPHOS holds because of its activities.
  • Establish the responsibilities of SOPHOS and its controllers with regard to the processing of personal data.
  • Communicate the purposes for which the processing of information is carried out, as well as the rights of the holders of the information and the procedures to exercise them.
  • Establish appropriate measures to ensure that personal data are processed in a secure and confidential manner and subject to the established purpose, in accordance with the provisions of Law 1581 of 2012.
3.1 DEFINITIONS
3.2 PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA

SOPHOS shall apply the following principles for the processing of the bases:

  • Principle of legality in matters of data processing: the processing of information will be governed by the provisions of Law 1581 of 2012, Decree 1377 of 2013 and the rules that develop, add or modify them.
  • Purpose principle: the processing of data subject to this policy is for a legitimate purpose in accordance with the Constitution and the Law.
  • Principle of freedom: processing shall only be carried out with the prior, express and informed consent of the holder.
  • Principle of transparency: the right of the holder to obtain from SOPHOS, at any time and without restrictions, information about the existence of data concerning him or her should be guaranteed in the processing.
  • Principle of access and restricted circulation: Personal data, except public information, may not be available on the Internet or other means of mass disclosure or communication, unless access is technically controllable to provide restricted knowledge only to the holders or third parties authorized by them.
  • Principle of truthfulness or quality: the information subject to treatment will be considered truthful, complete, accurate, updated, verifiable and understandable. SOPHOS shall refrain from processing partial, incomplete, split or error-inducing data.
  • Principle of security: the information subject to processing by the Company will be protected, to the extent that the technical resources of SOPHOS allow, through the adoption of the technological protection measures and all the administrative measures that are necessary to secure the records and prevent their adulteration, loss, consultation and, in general, any unauthorized use or access.
  • Principle of confidentiality: all persons involved in the processing of personal data that are not public, undertake to keep and maintain them strictly confidential and not to disclose them to third parties, and only to provide or communicate personal data where appropriate. Persons involved in the processing of personal data will maintain the reservation even after their relationship with any of the tasks covered by the processing has ended.
3.3 RESPONSIBLE
The controller of the databases is SOPHOS SOLUTIONS S.A.S., a commercial company duly incorporated and domiciled in Bogota D.C., with the following contact details:

Main Office: Cr 11 # 71 – 73 – Office 404, Bogota D.C.
Phone: 7433001 Ext. 1041
Email: habeasdata@sophossolutions.com
3.4 DATABASE CONTENT
In the SOPHOS databases, general information is stored, such as full name, identification number and type, gender, image or any other physical trait that may be recorded in audio, photographs and video recordings, fingerprint, signature and contact data (e-mail, physical address, landline and mobile). In addition, and depending on the nature of the database, The Company may hold specific data related to employment history, academic background, and sensitive data required by the nature of the employment relationship.
3.5 TREATMENT
The information contained in SOPHOS databases is subject to different forms of processing, such as collection, exchange, updating, processing, reproduction, compilation, storage, use, systematization and organization, all of them partially or totally in compliance with the purposes established here.

The information may be delivered, transmitted or transferred to public entities, business partners, contractors, affiliates, subsidiaries, solely for the purpose of fulfilling the purposes of the corresponding database. In any case, the delivery, transmission or transfer shall be made after underwriting the commitments that are necessary to safeguard the confidentiality and security of the information.
3.6 PROCESSING OF SENSITIVE DATA AND DATA ON CHILDREN AND ADOLESCENTS
In the processing of sensitive data, SOPHOS will strictly observe the limitations and obligations established by Law 1581 of 2012, its regulatory decrees and other related rules. Therefore, in case of sensitive data processing, SOPHOS will:
  • Obtain the express consent of the holder.
  • Inform the holder that, because sensitive data are involved, he/she is not obliged to authorize their processing.
  • Inform the holder explicitly and in advance which of the data to be processed are sensitive and the purpose of the processing.

Additionally, in the processing of personal data of children and/or adolescents carried out by SOPHOS, the limitations and obligations established in Law 1581 of 2012, its regulatory decrees and other concordant regulations will be strictly observed. Therefore, in case of processing of personal data of children and/or adolescents, SOPHOS will ensure the following:
  • The processing is in the best interests of the children and adolescents.
  • The processing respects the fundamental rights of the children and adolescents.
  • The child’s opinion is taken into account when the child has the maturity, autonomy and capacity to understand the matter.
3.7 PURPOSES FOR THE PROCESSING OF SENSITIVE DATA AND DATA ON CHILDREN AND ADOLESCENTS
SOPHOS collects and processes images, audio recordings, photographs and videos, fingerprints, signatures and information related to the health of the holders, among others, for the following purposes:
  • Verify whether the holders meet the physical requirements necessary to perform the position and/or obligations for which they are applying or were engaged.
  • To have the necessary information to attend any medical emergency that arises during the provision of services in the facilities of SOPHOS.
  • Comply with occupational safety and health regulations and implement the SG-SST, and any other program, system and/or plan that seeks to protect the health of the worker, caregivers and persons in the workplace.
  • To carry out epidemiological surveillance activities within the framework of the Occupational Health program.
  • Compliance with the legal obligations arising from the employment and/or contractual relationship, such as carrying out all the necessary formalities for the registration of beneficiaries with the Social Security System, or any other activity derived from the applicable legislation.
  • Provide security in SOPHOS training and activities, and identify the personnel accessing SOPHOS facilities.

In addition, the Company will process personal data of the members of the family group of its human resources, including sensitive information of beneficiaries of legal age and of children and adolescents, in order to grant the benefits offered by SOPHOS or to register the members of the family group in the events and welfare activities organized by SOPHOS.
3.8 TRANSFER AND TRANSMISSION OF PERSONAL DATA
SOPHOS may transfer and transmit, including at international level, the personal data held in its databases, mainly to other companies of the SOPHOS group, to public entities when they so require, to customers who need to validate the personal information of SOPHOS collaborators, and to other third parties, provided that the Company has the express authorization of the holder and/or has signed the contracts required by the Colombian regulations on personal data protection.

Therefore, SOPHOS will implement appropriate mechanisms to ensure that third parties comply with the provisions of this Policy, on the understanding that the personal information they receive will be used solely for matters related to SOPHOS and in accordance with the purposes authorized by the owner.
3.9 PURPOSES OF TREATMENT
SOPHOS will process the personal data of the owners for the following purposes:
  • Customers
    • Develop all the activities and administrative procedures specific to the services provided by SOPHOS.
    • To conduct surveys and/or research studies to evaluate the care process and the satisfaction of the service provided.
    • Send information (e.g. to emails and contact numbers) about SOPHOS products, services, events and/or promotions.
    • Transfer and/or transmit corporate contact information to other SOPHOS group entities and to third parties, for the purposes described above.
    • Transfer the personal data of customers in the framework of the definition, structuring and execution of strategic transactions, such as the sale of assets or shares in case The Company or parts of its business are sold, merged or acquired by third parties.
  • Candidates
    • Request media and related information in the resume.
    • Send and receive by email communications and requests related to the selection process.
    • Verify and consult with third parties the information on the resume (authenticity of documents, work and academic certifications, home visit). This includes the company RISK SAS. identified with NIT 8300978716-2, or any company acting in its capacity, to verify and/or consult the information in Datacredito in the financial or commercial risk centers.
    • Record the selection process in the SOPHOS database in order to have support with internal and external authorities.
    • Call the contact phone numbers provided in order to schedule the interviews and tests required, so that SOPHOS workers or third parties can validate the information indicated in the resume and evaluate all the tests taken during the selection process.
    • Keep personal data for one year for possible selection processes.
    • Evaluate the suitability of the candidate, taking into account the characteristics of the vacancy that needs to be hired.
    • Carry out the necessary checks and consultations on different restrictive lists.
    • Consult and access at any time the databases of risk, credit, financial, judicial or security registers legitimately constituted, state or private, national or foreign.
    • To carry out the relevant procedures for the development of the pre-contractual, contractual and post-contractual phase.
    • Contact them in compliance with the provisions of the contract and for the administrative management thereof.
    • Ensure security at the premises where appropriate.
    • Be invited to training, reinforcements, or the development of institutional activities.
    • Conduct satisfaction surveys.
    • Transfer the personal data of the candidates in the framework of the definition, structuring and execution of strategic transactions, such as the sale of assets or shares in case The Company or parts of its business are sold, merged or acquired by third parties.
  • Collaborators
    • Identify staff as SOPHOS collaborators.
    • Communicate to staff, and bring to their knowledge, information relevant to their status as SOPHOS collaborators.
    • Verify the fulfillment of the employee’s employment and/or contractual obligations.
    • Review of the criminal, contractual and tax records of the holders before the relevant authorities.
    • Full identification of the owners, by archiving and handling their contact data, professional and academic information, among others.
    • Conclude the contract of employment, apprenticeship, provision of services or any other contract that applies.
    • To comply with SOPHOS obligations, such as: membership of the social security system, payment of contributions, membership of the compensation fund, holidays, delivery of bonds, payments to DIAN, issuing income certificates and withholding and employment certificates requested by the holders, and / or any entity or national authority that requires personal data, in accordance with current rules.
    • To comply with any other service that derives from the contractual relationship between the collaborators and SOPHOS.
    • Provide instructions on the occasion of the contract with partners, if applicable.
    • Evaluate the performance of the collaborators.
    • Manage the payroll, the payment of financial support, among others, by the Company or a third party; manage and make the necessary payments in the bank account indicated by the employees.
    • Contracting life and medical expenses insurance with SOPHOS or a third party.
    • Notify family members of employees in cases of emergency during working hours or during the development of the contract.
    • Communicate, reproduce and publish photographs of the collaborators for marketing, advertising, internal SOPHOS purposes or other purposes.
    • Maintain the safety and health of employees in the workplace directly by The Company or by a third party, in accordance with the rules applicable to the System of Management of Safety and Health at Work (hereinafter “SG-SST”) and keep the documents indicated in article 2.2.4.6.13 of Decree 1072 of 2015.
    • Collect information and evidence in order to perform disciplinary processes, if applicable.
    • Store the personal data of the collaborators in the internal physical and computer file of SOPHOS, the other companies of the group and / or third parties in charge of storage.
    • Transfer and / or transmit the information of the collaborators to other entities of the SOPHOS group, to public entities and to third parties for the purposes described above.
    • Transfer the personal data of the collaborators in the framework of the definition, structuring and execution of strategic transactions, such as the sale of assets or shares in case The Company or parts of its business are sold, merged or acquired by third parties.
  • Providers
    • To carry out the relevant procedures for the development of the pre-contractual, contractual and post-contractual phase with SOPHOS, regarding the commercial relationship with the supplier.
    • Report to credit risk centers legally constituted in Colombia, in the terms of Law 1266 of 2008.
    • Request information from suppliers and contractors for the purpose of concluding the applicable contract with SOPHOS.
    • Fulfillment of SOPHOS obligations in the context of the contractual relationship.
    • Investigation, verification and validation of information provided by suppliers and contractors, with any information from SOPHOS that is legitimately held, and international lists on crime and money laundering for the purpose of initiating, executing, developing and terminating the contractual relationship.
    • Management of supplier and contractor information for authorization and submission of purchase orders and payment of invoices.
    • Contact, meetings and visits with suppliers and contractors, their collaborators, shareholders and/or any person representing them in the framework of the contractual relationship.
    • Communication, consolidation, organization, updating, control, accreditation, assurance, statistics, reporting, maintenance, interaction and management of the actions, information and activities in which suppliers and contractors are related or linked with SOPHOS.
    • Other purposes which are necessary and which are provided in the context of the contractual relationship for the purpose of fulfilling the object and obligations arising therefrom.
    • Transfer and/or transmit the personal information of providers to other entities of the SOPHOS Group and to third parties for the purposes described above.
    • Transfer the personal data of suppliers in the framework of the definition, structuring and execution of strategic transactions, such as the sale of assets or shares in case The Company or parts of its business are sold, merged or acquired by third parties.
3.10 RIGHTS OF HOLDERS
In accordance with the provisions of Article 8 of Law 1581 of 2012, The Company undertakes to carry out all the activities necessary to guarantee the following rights of the owners of personal data:
  • Know, update, and rectify his/her personal data in front of the Company or the Processors. This right may be exercised, inter alia, against partial, inaccurate, incomplete, fragmented, misleading data, or those whose processing is expressly prohibited or has not been authorized.
  • Request proof of the authorization granted to SOPHOS, except when expressly exempted as a requirement for processing.
  • To be informed by the Company or the Data Controller, upon request, about the use that has been given to his/her personal data.
  • Revoke the authorization and/or request the deletion of the data when the processing does not respect the constitutional and legal principles, rights and guarantees. The revocation and/or deletion will proceed when the Superintendency of Industry and Commerce has determined that SOPHOS or the Processor has engaged in conduct contrary to Law 1581 of 2012 and the Constitution.
  • Access free of charge his/her personal data that has been subject to processing. The information requested by the holder may be provided by any means, including electronic ones, as required by the holder.
3.11 COMPANY OBLIGATIONS
Sophos Solutions S.A.S as a Data Controller shall perform the following duties:
  • Guarantee to the holder, at all times, the full and effective exercise of the Habeas Data Right.
  • Request and keep, under the conditions provided for in the Law, a copy of the respective authorization granted by the holder.
  • Duly inform the holder about the purpose of the collection and the rights granted to him/her by virtue of the authorization granted.
  • Retain information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access.
  • Ensure that the information provided to the Processor is truthful, complete, accurate, current, verifiable and understandable.
  • Update the information, communicating to the Data Processor in a timely manner all changes regarding the data previously provided, and take the other measures necessary to keep the information provided to the Processor up to date.
  • Rectify the information when it is incorrect and communicate the relevant corrections to the Processor.
  • Provide the Data Processor, as the case may be, with only data that has been previously authorized to be processed in accordance with the Law.
  • Require the Data Processor at all times to respect the security and privacy conditions of the information holder.
  • Handle inquiries and complaints in the terms set out in this Policy.
  • Inform the Processor when certain information is in dispute by the holder once the claim has been filed and has not completed the respective procedure.
  • Inform the holder on request about the use of their data.
  • Inform the data protection authority when security breaches occur and there are risks in the management of the data subjects’ information.
  • To comply with the instructions and requirements that are given by the Superintendency.
3.12 RESPONSIBLE AREA
Any request, complaint or claim related to the handling of personal data, in application of the provisions of Article 15 of the Political Constitution of Colombia, Law 1581 of 2012 and Decree 1377 of 2013, must be sent to:

Administrative Facilities: Carrera 11 # 71-73 Office 404, Bogotá D.C.
Email: habeasdata@sophossolutions.com
Phone: 7433001 Ext 1041.
3.13 PERSONS WHO MAY EXERCISE THE RIGHTS OF THE OWNER
According to Article 20 of Decree 1377 of 2013, the rights of the holders may be exercised by the following persons:
  • By the holder, who must prove his/her identity in sufficient form by the different means established by the Company.
  • By their successors, who must prove such quality in accordance with legal standards.
  • By the representative and/or agent of the holder, after accreditation of the representation or proxy, in accordance with the legal provisions.
  • By stipulation in favor of another or for another according to the legal provisions.
3.14 PROCEDURE FOR SUBMITTING AND ANSWERING INQUIRIES
The holders of the information or authorized person under the terms of paragraph 3.15. of this Policy, may exercise their right to know, update, correct or delete information contained in the database, as well as may revoke the authorization granted to the Data Controller.

Any request for consultation, correction, updating or deletion shall be made in writing or by e-mail, in accordance with the information contained herein.

The consultations will be attended within ten (10) working days from the date of receipt of the respective request. If it is not possible to attend the consultation within this term, the interested party will be informed, stating the reasons for the delay and indicating the date on which his/her consultation will be attended, which in no case may exceed five (5) working days after the expiry of the first term.
3.15 PROCEDURE FOR SUBMITTING AND ANSWERING COMPLAINTS AND GRIEVANCES
The claims are intended to correct, update, or delete data or to file a complaint about the alleged breach of any of the duties contained in Law 1581 of 2012 and this policy. In this regard, claims must be made in writing or by e-mail, in accordance with the information contained herein, and must contain at least the following information:
  • Identification of the holder.
  • Description of the facts giving rise to the complaint.
  • Address of the holder.
  • Documentation to be submitted as evidence.

If the claim is incomplete, the interested party shall be required, within five days of receipt of the claim, to remedy the deficiencies. If two (2) months pass from the date of that request without the applicant providing the required information, it will be understood that he/she has withdrawn the claim.

If the person receiving the complaint is not competent to resolve it, he/she shall forward it to the competent person within a maximum of two (2) working days and shall inform the interested party of the situation. Upon receipt of the complete claim, a legend stating “claim in progress” and the reason for it will be included in the database within a term no longer than two (2) business days. This legend must be maintained until the claim is decided.

The maximum term to attend the claim will be fifteen (15) working days counted from the date of receipt. Where it is not possible to resolve the complaint within that period, the interested party shall be informed of the reasons for the delay and the date on which his/her co
3.16 DATABASE LIFETIME
The Company reserves the right to modify the content of this document, in the terms and with the limitations provided in the Law, and undertakes to inform the holders of personal data of any substantial changes in a timely manner.

The databases managed by The Company will be maintained indefinitely as long as they are necessary or relevant for the purpose for which they were collected, or for the term established in a current legal provision, however, the personal data may be deleted at any time at the request of its owner, as long as this request does not breach contractual or legal obligations.