SIMETRIK INC PERSONAL DATA PROCESSING POLICY

In compliance with the provisions of Law 1266 of 2008, the Statutory Law 1581 of 2012 and its Regulatory Decrees, the Demonstrated Responsibility Guide of the Superintendence of Industry and Commerce and other complementary guides, as well as the guidelines established by the General Data Protection Regulation (GDPR) and the General Personal Data Protection Law (LGPD), the company SIMETRIK INC, SIMETRIK SAS, its affiliates and subsidiaries (hereinafter "SIMETRIK"), adopts this policy for the treatment of Personal Data, which will be informed to all Data Subjects or that in the future will be obtained in the exercise of their business activities.

This document describes the mechanisms through which SIMETRIK guarantees an adequate management of the Personal Data collected in its databases, in order to allow the Data Subjects to exercise their fundamental right to habeas data and privacy protection.


OBLIGATIONS: This policy is of mandatory and strict compliance for SIMETRIK.

GENERAL PROVISIONS

  1. OF THE INTERVENING PARTIES.

    1. RESPONSIBLE OR IN CHARGE OF THE TREATMENT OF INFORMATION OR PERSONAL DATA:
    2. SIMETRIK INC., a Delaware corporation domiciled in the city of San Francisco, California, identified by EIN No. 61-1863197, as parent company.

      SIMETRIK S.A.S., a Colombian company, incorporated under the laws of the Republic of Colombia, domiciled in the city of Bogotá D.C., identified with TIN. 901.030.030-8, in its capacity as a subsidiary.

      • Corporate purpose of SIMETRIK INC and SIMETRIK S.A.S: Development of software in the cloud and provision of cloud technology services (SaaS).
      • Website: simetrik.com
      • Telephone: +57 312 8865624

      Paragraph. For cases in which personal data is collected from non-citizens or non-residents of Colombia or the collection activity takes place outside the Colombian territory, the regulatory framework and technical tools of the jurisdiction where the main domicile of SIMETRIK SAS is defined, as the main responsible for the treatment of the personal data. The exercise of rights of the data subjects shall be in accordance with the provisions of this policy including the applicable reference standards and best practices.

    3. DATA SUBJECTS INFORMATION:
    4. Customers, Suppliers, Contractors, Subcontractors, Visitors, Collaborators or Employees of SIMETRIK, who have provided the information or Personal Data by virtue of the service provided by SIMETRIK.

  2. OBJECT.
  3. This Policy establishes the general guidelines for the protection and treatment of Personal Data within SIMETRIK, thus allowing to strengthen the level of trust between the Controller and the Data Subjects, and other persons in charge of the handling and treatment of personal data, in relation to the collection, registration, handling, transfer and treatment of identifiable personal data carried out by SIMETRIK in the ordinary exercise of its corporate purpose.

  4. SCOPE.
  5. This Policy of Treatment and Protection of Personal Data will be applied to all databases and/or files that include Personal Data that are subject to Treatment by SIMETRIK as Responsible for the Treatment of Personal Data.

  6. DEFINITIONS.
    1. Authorization: Prior, express and informed consent of the Data Subject to carry out the treatment of Personal Data.
    2. Data Protection Authority: It is the authority in charge of monitoring and supervising that in the treatment of Personal Data the principles, rights and guarantees of the Data Subjects are respected.
    3. Privacy Notice: It is the physical, electronic document or in any other known or to be known format, which is made available to the Data Subject in order to inform about the Treatment of his Personal Data. The Privacy Notice communicates to the Data Controllers the information regarding the existence of the information treatment policies that will be applicable, the way to access them and the characteristics of the treatment that is intended to be given to the Personal Data.
    4. Data Base: Organized set of Personal Data that is subject to treatment.
    5. Successor: A person who by succession or transmission acquires the rights of another person.
    6. Personal Data: Any information linked or that can be associated to one or several determined or determinable natural persons.
    7. Sensitive Data: Sensitive data are understood as those that affect the privacy of the Data Subject or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sex life and biometric data.
    8. Data Protection Officer: It is the natural person who meets the profile established by law and whose function is to monitor and control the application of the Personal Data treatment Policy.
    9. Data Processor: Natural or legal person, public or private, that by itself or in association with others, performs the treatment of Personal Data on behalf of the Data Controller.
    10. Habeas Data: The right of every person to know, update and rectify the information that has been collected about him/her in files and data banks of a public or private nature.
    11. Data Controller: Natural or legal person, public or private, who by himself or in association with others, decides on the database and/or the treatment of the data.
    12. Data Subject(s): Natural person whose Personal Data is the object of treatment.
    13. Treatment: Any operation or set of operations on Personal Data, such as collection, storage, use, circulation or deletion.
    14. Breach of security of Personal Data: Any breach of security that results in the accidental or unlawful destruction, loss or alteration of Personal Data stored or processed, or the unauthorized communication of or access to such data.
  7. GUIDING PRINCIPLES APPLICABLE TO PERSONAL DATA.
  8. The principles set forth below constitute the general parameters that SIMETRIK applies and safeguards in the exercise of the processes of capture, registration, management, use and treatment of Personal Data:

    1. Principle of legality in matters of data treatment: The treatment of Personal Data shall be carried out within the legal framework in force and in the other provisions that develop it, in accordance with the authorization granted by the Data Subject.

    2. Principle of purpose: The treatment must obey a legitimate purpose in accordance with the Constitution and the law, which must be informed to the Data Subject.
    3. The treatment of Personal Data will be carried out for the time that is reasonable and necessary, in accordance with the purposes that justify the treatment.

      Once the purposes of the treatment have been fulfilled and notwithstanding any legal regulations to the contrary, the Personal Data provided will be deleted.

    4. Principle of freedom: Treatment may only be carried out with the prior, express and informed consent of the Data Subject. Personal Data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves consent.

    5. Principle of truthfulness or quality: The information subject to treatment must be truthful, complete, accurate, updated, verifiable and understandable. The treatment of partial, incomplete, fractioned or misleading data is prohibited.
    6. Principle of transparency: The right of the Data Subject to obtain from the Data Controller or the Data Processor, at any time and without restrictions, information about the existence of data concerning him/her, must be guaranteed.
    7. Principle of restricted access and circulation: Treatment is subject to the limits derived from the nature of the Personal Data, the provisions of the law and the Constitution. In this sense, the treatment may only be carried out by persons authorized by the Data Subject and/or by the persons provided for by law. Personal Data, except for public information, may not be made available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to Data Controllers or third parties authorized by law.
    8. Security Principle: The information subject to treatment by the Controller or Data Processor must be handled with the technical, human and administrative measures that are necessary to ensure the security of the records to prevent their adulteration, loss, consultation, unauthorized or fraudulent use or access.
    9. Principle of confidentiality: All persons involved in the treatment of Personal Data that are not of a public nature are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks that comprise the treatment and may only supply or communicate Personal Data when this corresponds to the development of the activities authorized by law and under the terms of this.
    10. Principle of temporality: Personal data will be kept only for the reasonable and necessary time to fulfill the purposes that justified the treatment, taking into account the provisions applicable to the matter in question and the administrative, accounting, fiscal, legal and historical aspects of the information. The data will be kept when this is necessary for the fulfillment of a legal or contractual obligation. Once the purpose of the treatment and the terms established above have been fulfilled, the data will be deleted.

    11. Integral interpretation of constitutional rights: The rights shall be interpreted in harmony and in balance with the right to information provided for in Article 15 of the Constitution and with the applicable constitutional rights.
    12. Principle of Necessity: The personal data processed must be strictly necessary for the fulfillment of the purposes pursued with the database.
  9. SPECIAL CATEGORIES OF DATA
    1. Personal Data:
    2. It is any information linked to one or several determined or determinable persons or that may be associated with a natural or legal person. Impersonal data are not subject to the data protection regime of the present law.

      Personal data can be public, semi-private or private and Sensitive.

      1. Private Data: It is any information that refers to the private life of a person, such as personal e-mail, telephone, home address, employment data, education level, administrative or criminal offenses, data administered by some entities such as tax, financial or social security, photographs, videos, and any other data that refer to the lifestyle of the person.
      2. The Data Subject has the right to control when and who can access this information that is part of his or her private life.

      3. Semi-private data: Data that is not of an intimate, reserved or public nature and whose knowledge or disclosure may be of interest not only to its owner but also to a certain sector or group of persons or to society in general, such as financial and credit data of commercial or service activity.
      4. Semi-private data has a limitation, which is that it requires an order from an administrative or judicial authority and that it is for the purposes of its own functions.
        such as, for example: credit histories, financial data, reports in credit bureaus, specifying that this type of data requires prior authorization from the Data Subject to be reported to databases or credit bureaus.

      5. Sensitive Data: This category refers to all those data that are related to the most intimate level of the person and whose improper use can generate discrimination. It cannot be processed unless it is required to safeguard a vital interest of the Data Subject or if the Data Subject is incapacitated and its collection has been expressly authorized.
      6. Sensitive data are considered those that reveal characteristics such as ethnic or racial origin, health data, sexual preference, political affiliation, religion, ideology, union membership, social organizations, biometric data, among others.

        The treatment of sensitive data is prohibited with the exception of the following cases:

        • When the Data Subject grants consent.
        • The treatment is necessary to safeguard the vital interest of the Data Subject and the Data Subject is physically or legally incapacitated.
        • The treatment is carried out in the course of legitimate activities and with due guarantees by a foundation, NGO, association or any other non-profit organization, whose purpose is political, philosophical, religious or trade union, provided that it concerns exclusively its members or persons in regular contact with them by reason of their purpose.
        • The treatment refers to data that are necessary for the recognition, exercise or defense of a right in a judicial process.
        • The treatment has a historical, statistical or scientific purpose, in the latter case, measures must be taken to suppress the identity of the Data Subjects.

      7. Biometric Data: Biometrics refers to any information concerning identified or identifiable individuals and to technologies that measure and analyze the parameters and characteristics of the human body, physical parameters that are unique to each person in order to be able to The most common ways to verify identity are fingerprints or eye iris, photographs, video surveillance cameras, dental records, but scientists are also able to identify an individual by voice, palm print or facial features.

      8. Data of children and teenagers: Regarding the personal data of children and teenagers, it must be considered that their treatment is prohibited, except for those that by their nature are public. The treatment of children and adolescents may be provided, as long as the purpose of such treatment responds to the best interests of the children and adolescents and ensures, without exception, respect for their prevailing rights.

  10. PURPOSE
  11. The information collected by SIMETRIK has as main purpose to allow the proper development of the company's corporate purpose in what has to do with the fulfillment of the object of the contract with the Data Subject information, as well as other purposes are taken into account such as:

    • To comply with the obligations undertaken by Simetrik with the Data Subject.
    • Transfer personal data outside the country to Simetrik's parent company.
    • To provide the services offered by Simetrik accepted in the contract signed.
    • Transmit personal data outside the country to third parties with whom Simetrik has entered into a data treatment contract and it is necessary to deliver it to them for the fulfillment of the contractual object.

    To provide information to third parties with which Simetrik has a contractual relationship and that it is necessary to deliver it to them for the fulfillment of the contracted object.

    Therefore, whoever accesses the services and / or products of SIMETRIK, must voluntarily provide certain physical or personal identification data, such as among others: name, surname, ID, age, gender, telephone, physical and electronic address, country, city and other necessary data requested in the registration process as an employee, supplier, visitor or customer of SIMETRIK.

  12. LIMITATIONS
  13. Limitation in the possibilities of disclosure, publication or transfer of the same, in accordance with the principles that regulate the process of personal data management.

    Limitation on the use of information. Personal data and user data sent through the platforms and in general the information generated, produced, stored, sent or shared in the provision of Simetrik's services, may not be subject to marketing or economic exploitation of any kind, except with the express authorization of the owner of the data and in accordance with the limits imposed by the Personal Data Protection Act.

  14. PROHIBITIONS
    • The Data Subject has given his/her explicit authorization to such treatment, except in those cases where by law the granting of such authorization is not required;
    • The treatment is necessary to safeguard the vital interest of the Data Subject and the Data Subject is physically or legally incapacitated. In these events, the legal representatives must give their authorization.
    • The treatment is carried out in the course of legitimate activities and with due guarantees by a foundation, NGO, association or any other non-profit organization, whose purpose is political, philosophical, religious or trade union, provided that they relate exclusively to its members or to persons who maintain regular contacts by reason of their purpose. In these events, the data may not be provided to third parties without the authorization of the Data Subject;

    • The treatment refers to data that are necessary for the recognition, exercise or defense of a right in a judicial process.

    • The treatment has a historical, statistical or scientific purpose. In this event, the measures leading to the suppression of the identity of the Data Subjects shall be adopted.

    • Personal data will not be used for commercial or marketing purposes unless expressly authorized to do so.

  15. TREATMENT
    1. DATA TREATMENT
    2. SIMETRIK declares to be responsible for the treatment of the Personal Data that have been provided by the Data Subject and that are stored in databases or storage media owned or managed by SIMETRIK.
      The information contained in SIMETRIK's databases is subjected to different forms of treatment, such as collection, exchange, updating, processing, reproduction, compilation, storage, use, systematization and organization, all of them partially or totally in compliance with the established purposes.
      The information may be given, transmitted or transferred to public entities, business partners, contractors, affiliates, subsidiaries and affiliates, as long as it is to fulfill the established purposes.
      In any case, the delivery, transmission or transfer will be made after the execution of the necessary documents to safeguard the confidentiality of the information. Likewise, in compliance with legal duties, SIMETRIK may provide personal information to judicial or administrative entities.
      When SIMETRIK processes Personal Data of Data Subjects residing abroad, it will adopt the provisions in compliance with the General Data Protection Regulation (GDPR). Conduct a prior impact assessment, when it is likely that a particular Data treatment, due to its nature, scope, purposes or context, entails a high risk to the rights of Data Subjects.
      The assessment shall: (i) contain a description of the treatment operations and the purposes thereof; (ii) an assessment of the necessity and proportionality of the treatment; (iii) an assessment of the risks to the rights of the Data Controllers; and (iv) the measures envisaged to ensure the protection of the Personal Data.
      Consult the Data Protection Authority before carrying out a treatment, when the prior impact assessment shows that the treatment would entail a high risk to the rights of the Data Subjects, if the necessary measures are not taken to mitigate it.


    3. TYPES OF PERSONAL DATA TREATMENT

      1. TREATMENT OF EMPLOYEES' PERSONAL DATA
      2. The information collected by SIMETRIK from its employees is primarily for the following purposes:

        1. To store the personal data of employees, including those obtained in the course of the selection process.
        2. To comply with the obligations imposed by labor law on employers and to comply with the orders issued by the competent Colombian authorities for such purposes.
        3. Issue certifications regarding the employee's relationship with SIMETRIK.
        4. Comply with the obligations and the Occupational Safety and Health Management System (OSHMS) and other Management Systems.

        5. Manage the functions performed by the workers.
        6. Consult memos or reminders.
        7. To advance the corresponding disciplinary processes.
        8. Contact family members in case of emergency.
        9. To carry out personnel hiring procedures and comply with contractual obligations.
        10. Register your registration to trainings, events, etc., attendance lists.
        11. For the treatment of Sensitive Personal Data, SIMETRIK will collect such information with the respective Authorization. The Sensitive Personal Data collected will be stored in databases and/or files independent from the other Personal Data that are subject to treatment by SIMETRIK.
        12. The information collected, stored and treated by SIMETRIK shall not exceed twenty (20) years counted from the termination of the employment relationship, or according to the legal or contractual circumstances that make necessary the handling of the information, as provided by Law 594 of 2000 General Law of Archives.

      3. TREATMENT OF SHAREHOLDERS' PERSONAL DATA
      4. The information collected by SIMETRIK from its shareholders is mainly for the purpose of:

        1. To allow the exercise of the duties and rights derived from the quality of Shareholder.
        2. Send invitations to events scheduled by the company and in general contact the Shareholder.
        3. To issue certifications related to the relationship of the owner of the data with the Company (commercial and credit operations in which the shareholder composition of SIMETRIK must be known).
        4. Any others specifically established in the authorizations granted by the Shareholders.
        5. For the treatment of Sensitive Personal Data, SIMETRIK will collect such information with the respective Authorization. The Sensitive Personal Data collected will be stored in databases and/or files independent from the other Personal Data that are subject to treatment by SIMETRIK.
        6. The information collected, stored and treated by SIMETRIK shall not exceed five (5) years from the date on which you lose your status as a shareholder of the company.

      5. TREATMENT OF PERSONAL CUSTOMER DATA
      6. SIMETRIK collects the Personal Data of its Clients and users through the subscription of contracts for the provision of services in the cloud and/or through the simetrik.com domain, where for purposes of authentication and access to the service, the Customer and/or user will be asked for certain personally identifiable information that can be used to contact or identify him/her ("Personal Data"). Personally identifiable information may include, but is not limited to: email address, name, address, country, zip code, city, cookies and usage data.

        SIMETRIK stores the data in a database, which is classified by the company as confidential, and will only be disclosed with the express authorization of the owner or when requested by a Competent Authority.

        The purposes for which the Personal Data of SIMETRIK's Customers are used are:

        1. Performing the pre-contractual, contractual and post-contractual stages.
        2. Sending invitations to events scheduled by the company.
        3. Sending of software updates and news.
        4. To corroborate any requirement that may arise in the development of the executed contract.
        5. To comply with the object of the contract, including mailing activities, compliance, among others.
        6. Provide customer support.
        7. Monitor software usage.
        8. Detect, prevent and address technical problems.
        9. Verify cases of non-compliance by any of the parties.
        10. General relationship with each client.
        11. To carry out customer loyalty activities and marketing operations, in which case the Personal Data may be processed directly or indirectly by the Data Controller or a Data Processor.
        12. For the purposes of this treatment of sensitive data, the respective authorization is collected, which in any case will be express and optional, clearly indicating the sensitive data to be processed and its purpose.
        13. The sensitive data collected will be stored in databases and/or files separate from the other Personal Data that are subject to treatment. Likewise, it will have adequate security systems for the handling of sensitive data and its confidentiality.
        14. In any case, the information will not be processed for a period exceeding the duration of the customer's relationship with the company, and the additional time required according to the legal or contractual circumstances that make necessary the management of information, which in no case may exceed five (5) years from the time of termination of the relationship.

      7. TREATMENT OF SUPPLIERS' PERSONAL DATA
      8. SIMETRIK collects the Personal Data of its Suppliers and stores them in a database which, although it is composed mostly of public data, is qualified by the company as of

        The company will only disclose private data with the express authorization of the owner or when requested by a Competent Authority. The purposes for which the Personal Data of SIMETRIK's Suppliers are used are:

        1. Sending invitations to contract and making arrangements for the pre-contractual, contractual and post-contractual stages.
        2. Sending invitations to events scheduled by the Company or its affiliates.
        3. Others specifically established in the authorizations granted by the suppliers themselves.
        4. SIMETRIK will only collect from its suppliers the data that are necessary, relevant and not excessive for the purpose of selection, evaluation and execution of the contract.
        5. The collection of Personal Data of employees of the suppliers by SIMETRIK will have in any case the purpose of verifying the suitability and competence of the employees; that is, once this requirement is verified, SIMETRIK will return such information to the Supplier, except when its conservation is expressly authorized.
        6. Likewise, it will have adequate security systems for the handling of sensitive data and its confidentiality.
        7. In any case, the information will not be subject to treatment for a period longer than the duration of the Supplier's relationship with the company, and the additional time required according to the legal or contractual circumstances that make it necessary to handle the information, which in no case may be longer than ten (10) years from the time the Supplier's relationship with the company ends.

      9. TREATMENT OF PERSONAL DATA FROM VIDEO SURVEILLANCE RECORDINGS
      10. SIMETRIK collects biometric data of its employees and visitors through its Surveillance Cameras and stores them in a database which is classified by the company as confidential, and will only be disclosed with the express authorization of the owner or when requested by a Competent Authority.
        The purposes for which the Personal Data contained in SIMETRIK's Surveillance Cameras are used are:

        1. Ensuring safety in the work environment.
        2. To provide adequate work environments for the safe development of the company's work activities.
        3. Control the entry, stay and exit of employees and contractors in the company's facilities.
        4. In order to comply with the duty of information that corresponds to SIMETRIK as administrator of Personal Data, the company will implement Privacy Notices in the areas where the capture of images that involve Personal Data treatment is carried out.
        5. In any case, the information will not be processed for a period exceeding thirty (30) days from its collection in accordance with the legal or contractual circumstances that make it necessary to handle the information.
      11. DATA ON CHILDREN AND ADOLESCENTS
      12. SIMETRIK does not directly process Personal Data of minors. However, in particular, the company collects and processes the Personal Data of its employees' minor children for the sole purpose of complying with the obligations imposed by law on employers in relation to affiliations to the social security and parafiscal systems, and in particular to allow the enjoyment of children's fundamental rights to health and recreation.

        In any case, SIMETRIK will collect, when appropriate, the respective authorization for its treatment, always bearing in mind the best interest of the minor and the respect of the prevailing rights of children and adolescents.

  16. INTERNATIONAL TRANSFER AND TRANSMISSION OF PERSONAL DATA
  17. The company currently performs International Transmission of Personal Data. To perform the International Transmission of Personal Data, in addition to informing the Data Subject and having his authorization, SIMETRIK will ensure that the action of transmitting is regulated by a contract and the technical annex that SIMETRIK develops for this purpose, both for the transmission and transfer, and that contemplates the requirements set in Colombia by the Statutory Law 1581 of 2012, its regulatory decrees and other applicable regulations.

  18. PROTECTION OF THE INFORMATION PROVIDED
  19. SIMETRIK protects the Personal Data provided by the Data Controllers, through the adoption of guidelines and controls aimed at preventing unauthorized access, modification, disclosure or destruction of the information stored in its databases.

    In compliance with the obligation described above, SIMETRIK adopts the following protocols:

    • Security protocols, through the restriction of access to information, such as the use of Personal Data encryption.

    • Controls in the information systems to ensure the reliability, integrity and permanent availability of Personal Data.

    • Constant processes of verification, evaluation and assessments on the technical and security measures adopted for the protection of Personal Data.

    Security protocols to prevent unauthorized access to databases, stored both physically and electronically. Implementation and improvement of controls in the physical facilities, to protect the data contained in physical form, in order to mitigate the harmful effect that could originate the materialization of any risk faced by the sensitive data managed by SIMETRIK.

    Notwithstanding the foregoing, SIMETRIK may disclose personal information when required to do so by a Data Protection Authority and/or by a public or administrative entity in the exercise of its legal functions. In this case, SIMETRIK shall notify the Data Subjects three (3) business days prior to the date on which the information is to be delivered.

    In the event of a breach of security of Personal Data of Data Subjects residing in the European Union, the Controller shall notify the competent Data Protection Authority, at the latest within 72 hours after becoming aware of the breach, unless such breach of security is unlikely to constitute a risk to the rights of the Data Subjects.

    If the notification to the competent Data Protection Authority does not take place within 72 hours, the notification shall contain the reasons for the delay in time.

    The notification shall include at least the following:

    • Describe the nature of the Personal Data security breach and, when possible, the approximate number of Personal Data and data subjects affected, and the type of Personal Data breached.
    • The name and contact details of the Data Protection Officer or other contact with whom further information can be obtained.
    • Describe the possible consequences of a breach of Personal Data security.
    • Describe the measures taken by the Data Controller to mitigate the security breach and its possible negative effects.

    In turn, the Data Processor shall promptly notify the Controller of any breach of security of the Personal Data Subject residing abroad.

  20. AUTHORIZATION OF THE DATA SUBJECTS OF PERSONAL DATA
  21. For the treatment of Personal Data, SIMETRIK will request prior and informed authorization from the Data Subject, which may be obtained by any means that may be subject to subsequent consultation.

    1. The identification of the Data Controller and the area responsible for the protection of Personal Data.
      • The type of Personal Data to be processed.
      • The purpose for which the Personal Data will be processed.
      • The rights of the Data Subjects.
      • The communication channels through which the Data Controllers may submit queries and/or complaints to the Data Controller.
      • Data Protection Officer contact details.
    2. Events in which authorization is not required:
      • Information required by a public or administrative entity in the exercise of its legal functions or by court order.
      • Data of a public nature.
      • Cases of medical or sanitary emergency.
      • Treatment of information authorized by law for historical, statistical or scientific purposes.
      • Data related to the Civil Registry of Persons.

  22. RIGHTS AND CONDITIONS OF LAWFULNESS FOR DATA TREATMENT

    1. RIGHTS OF THE OWNERS
    2. The Owners of Personal Data shall enjoy the following rights, and those granted to them by law:

      1. The Data Subjects have the right to know what personal data we have about you, what it is used for and the conditions of the use we make of it (Access). Likewise, it is your right to request the correction of your personal information in case it is outdated, inaccurate or incomplete (Rectification); that we remove it from our records or databases when you consider that it is not being used in accordance with the principles, duties and obligations provided by law (Cancellation); as well as to oppose the use of your personal information for specific purposes (Opposition).
      2. To know, update and rectify your Personal Data before the Data Controller or Data Processors. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or data whose treatment is expressly prohibited or has not been authorized.
      3. Limit or oppose, at any time, the treatment of your Personal Data before the Controller or Data Processor. If a limitation is requested, the Controller must obtain a new authorization from the Data Subject that is in accordance with the limitation requested by the Data Subject.
      4. Obtain confirmation from the Data Controller that your Personal Data is being processed in accordance with the authorized purposes.
      5. Request from the Data Controller the portability of the Personal Data provided to him/her and its transmission to another Data Controller.
      6. Request proof of the authorization granted to the Data Controller, except when expressly exempted as a requirement for the treatment.
      7. To be informed by the Controller or the Data Processor, upon request, regarding the use that has been made of their Personal Data.
      8. File before the Superintendence of Industry and Commerce or the competent Data Protection Authority, complaints for violations to the provisions of the law and other regulations that modify, add or complement it.
      9. To revoke the authorization and/or request the deletion of the data when the treatment does not respect the constitutional and legal principles, rights and guarantees. The revocation and/or suppression will proceed when the Superintendence of Industry and Commerce has determined that the Controller or Processor has incurred in conduct contrary to the law and the Constitution. Notwithstanding the foregoing, the Data Subject may request the deletion of the data when: (i) the treatment is no longer necessary according to the purposes for which they were collected; (ii) the authorization for the treatment is revoked; and (iii) the Data Subject objects to the treatment.
      10. Access free of charge to your Personal Data that has been subject to treatment.

  23. 15. DUTIES OF DATA CONTROLLERS AND PROCESSORS

    1. DUTIES OF SIMETRIK AS CONTROLLER OF PERSONAL DATA TREATMENT
    2. SIMETRIK as Responsible for the treatment of Personal Data, shall comply with the following duties:

      1. Guarantee to the Data Subject, at all times, the full and effective exercise of the right of habeas data.
      2. Request and keep, under the conditions provided by law, a copy of the respective authorization granted by the Data Subject.
      3. Duly inform the Data Subject about the purpose of the collection and the rights he/she has by virtue of the authorization granted.
      4. Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
      5. Ensure that the information provided to the Data Processor is truthful, complete, accurate, updated, verifiable and understandable.
      6. If applicable, inform the Data Controller of any rectification, deletion or limitation of the treatment made by the Data Subject.
      7. To guarantee that only the Personal Data that is necessary for each of the specific purposes of the treatment is processed.
      8. Update the information, communicating in a timely manner to the Data Processor, all developments regarding the data previously provided and take other necessary measures to ensure that the information provided to it is kept up to date.
      9. Rectify the information when it is incorrect and communicate the pertinent matters to the Data Processor.
      10. To provide to the Data Processor, as the case may be, only data whose treatment is previously authorized in accordance with the provisions of the law.
      11. When the treatment is carried out by a Processor, try to choose the one that offers sufficient guarantees in accordance with the provisions of this Data Treatment Policy.
      12. Sign with the Data Processor a confidentiality agreement and/or the document that takes its place, establishing, but not limited to, the obligations and rights of the Data Controller, the purpose, duration, nature, types of Personal Data to be processed, the purpose of the treatment and the commitment to process the Personal Data in accordance with the Law and this policy.
      13. To demand from the Data Processor at all times, respect for the security and privacy conditions of the Data Subject's information, as well as his or her rights.
      14. Process queries and claims formulated in the terms set forth in the Statutory Law 1581 of 2012.
      15. Adopt an internal manual of policies and procedures to ensure proper compliance with the law and, in particular, to deal with queries and complaints.
      16. Inform the Data Processor when certain information is under discussion by the Data Subject, once the claim has been filed and the respective process has not been completed.
      17. Inform upon request of the Data Subject about the use given to his/her data.
      18. Inform the Data Protection Authority when there are violations to the security codes and there are risks in the administration of the information of the Data Subjects.
      19. Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
    3. DUTIES OF OPERATORS OF PERSONAL DATA RELATING TO DATA BANKS
    4. Databank operators are obliged to:

      1. Guarantee, at all times to the owner of the information, the right to habeas data and the right to petition.
      2. Guarantee the Data Subject the possibility of knowing the information about him/her that exists or is in the database, and of requesting the updating or correction of data, all of which will be done through the mechanisms of consultations or claims, as provided in this law.
      3. Guarantee that, in the collection, treatment and circulation of data, the rights of the owner and other rights enshrined in the law will be respected.
      4. Allow access to information only to those persons authorized to access it.
      5. Adopt policies and procedures to ensure proper compliance.
      6. Attend to inquiries and complaints from the owners.
      7. Request certification from the source of the existence of the authorization granted by the Data Subject, when such authorization is necessary, in accordance with the provisions of this law.
      8. Keep stored records in a secure manner to prevent their deterioration, loss, alteration, unauthorized or fraudulent use.
      9. Periodically and timely update and rectify the data, each time the sources report new information, under the terms of this law.
      10. To process the petitions, queries and claims formulated by the owners of the information, under the terms set forth in this law.
      11. Indicate in the respective registry that the information is under discussion by its owner, when the request for rectification or update has been submitted and the process has not been completed, in the manner regulated by this law.
      12. Circulate information to users within the established parameters.
      13. Comply with the instructions and requirements given by the supervisory authority in relation to compliance with this law.
    5. DUTIES OF INFORMATION SOURCES
    6. Sources of information shall comply with the following obligations:

      1. Ensure that the information provided to database operators or users is truthful, complete, accurate, up-to-date and verifiable.
      2. Report, on a regular and timely basis to the operator, all new developments with respect to the data previously provided and take other necessary measures to ensure that the information provided to the operator is kept up to date.
      3. Rectify the information when it is incorrect and inform the operators accordingly.
      4. Design and implement effective mechanisms for timely reporting of information to the operator.
      5. Request, when applicable, and keep a copy or evidence of the respective authorization granted by the owners of the information, and make sure not to provide the operators with any information whose supply is not previously authorized, when such authorization is necessary, in accordance with the provisions of this law.
      6. Certify, on a semi-annual basis to the operator, that the information provided is authorized.
      7. Resolve the claims and petitions of the Data Subject in the manner regulated in the present law.
      8. Inform the operator that certain information is under discussion by its owner, when a request for rectification or update has been submitted, so that the operator includes in the database a mention to that effect until the process has been completed.

      9. Comply with the instructions issued by the supervisory authority in relation to the compliance
    7. DUTIES OF USERS
    8. Users of the information shall:

      1. Keep confidential the information provided to them by the operators of the data banks, by the sources or the owners of the information, and use the information only for the purposes for which it was given to them.
      2. Inform the owners, at their request, about the use that is being made of the information.
      3. Keep the information received with the appropriate security measures to prevent its deterioration, loss, alteration, unauthorized or fraudulent use.
      4. Comply with the instructions given by the control authority.



