DATA PROCESSING POLICY

INTRODUCTION

DNSS SAS has decided to voluntarily adopt this Policy, which establishes the organizational conditions, obligations of those involved and intervening in the treatment and use of personal information, operating regime, and procedures applicable to the treatment of personal data that in the development of its functions it must request, use, store, correct, transfer or delete. The above has been resolved, in order to fully comply with the provisions of the Colombian Political Constitution and Law 1581 of 2012, as well as other regulations that regulate and complement the treatment for the Protection of Personal Data in Colombia. 

DNSS SAS is the Controller of Personal Data and in compliance with the provisions of Article 13 of Regulatory Decree 1377 of 2013, adopts and makes public to all interested parties this Policy that contains all the essential, simple and secure elements for compliance with the legislation corresponding to the Protection of Personal Data.

The entity responsible for the processing of personal data is DNSS SAS, a private entity, identified with NIT. 900.988.771-5, with address at Av. 7N # 23N-12 floor 2, Cali, Valle del Cauca, Colombia.

1. DEFINITIONS

  • Privacy notice: Verbal or written communication generated by the controller, addressed to the owner for the processing of his/her personal data, through which he/she is informed about the existence of the information processing policies that will be applicable to him/her, the way to access them and the purposes of the processing that is intended to be given to the personal data.
  • Authorization: Prior, express and informed consent of the owner of the personal data to carry out the processing of personal data.
  • Database: Organized set of personal data that is subject to processing.
  • Personal data: Any information linked to or capable of being associated with one or more specific or identifiable natural persons. “Personal data” should therefore be understood as information related to a natural person (an individual considered individually).
  • Public data: Data that is not semi-private, private or sensitive. Public data includes, among others, data relating to the civil status of persons, their profession or trade and their status as a merchant or public servant. By its nature, public data may be contained in, among others, public registers, public documents, official gazettes and bulletins, and duly enforced court decisions that are not subject to reservation. It is also understood that all data contained in public registers will have this same nature.
  • Public personal data: All personal information that is freely and openly known to the general public.
  • Private personal data: All personal information that has restricted knowledge, and is in principle private to the general public.
  • Sensitive data: Data that affects the privacy of the Owner or whose improper use may lead to discrimination, such as data that reveals racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data relating to health, sexual life and biometric data.
  • Data processor: DNSS SAS acts as the data processor in cases where, by itself or in association with others, it processes personal data on behalf of a data controller.
  • Data controller: DNSS SAS acts as the controller of personal data for all personal data over which it directly decides, in compliance with its legally recognized functions.
  • Owner: Natural person whose personal data is subject to processing:
    1. By the Holder, who must prove his/her identity sufficiently by the different means made available to him/her by the person responsible.
    2. By their successors in title, who must prove such status.
    3. By the representative and/or agent of the Owner, upon prior accreditation of the representation or power of attorney.
    4. By stipulation in favor of another or for another.
  • Transfer: Data transfer occurs when the person responsible for and/or in charge of processing personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is responsible for the processing and is located within or outside the country.
  • Transmission: Processing of personal data that involves the communication of the same within or outside the territory of the Republic of Colombia when its purpose is to carry out processing by the person in charge on behalf of the person responsible.
  • Processing: Any operation or set of operations that DNSS SAS carries out on personal data, such as collection, processing, advertising, storage, use, circulation or deletion. The above will only apply exclusively to natural persons.
  • Data Protection Officer: This is the person within DNSS SAS whose function is to monitor and control the application of the Personal Data Protection Policy.
  • The above definition refers to a role or function that must be performed by an official designated by DNSS SAS.

2. PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA

DNSS SAS is committed to maintaining the freedom, integrity, transparency, confidentiality, veracity and availability of the personal data of its shareholders, employees and candidates for vacancies, suppliers of goods and services and/or contractors, clients and any other natural person who keeps their data in our databases and files. DNSS SAS guarantees the application of the general principles for the treatment of this type of data, contemplated in Law 1581 and regulatory decrees, which are:

2.1. Principle of restricted access and circulation

The processing is subject to the limits arising from the nature of the personal data, the provisions of this Policy, the Law, and the Constitution. In this regard, processing may only be carried out by persons authorized by the Owner and/or by persons provided for by law.

Personal data, except those of a public nature, may not be made available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge to the Data Subjects or authorized third parties. For these purposes, DNSS SAS's obligation will be one of means and not of results.

2.2. Confidentiality principle

All persons involved in the processing of personal data that are not public in nature are obliged to ensure the confidentiality of the information, even after their relationship with any of the tasks that comprise the processing has ended, and may only provide or communicate personal data when this corresponds to the development of the activities authorized by the Law and in the terms thereof.

Consequently, they undertake to keep and maintain in a strictly confidential manner and not to reveal to third parties, the personal, accounting, technical, commercial or any other type of information provided in the execution and exercise of functions other than registration. All persons who currently work or are linked in the future for such purpose, in the administration and management of databases, must sign an additional document or addendum to their employment or service provision contract in order to ensure such commitment. This obligation persists and is maintained even after their relationship with any of the tasks that comprise the Treatment has ended.

2.3. Principle of purpose

The processing of personal data carried out by DNSS SAS complies with the legitimate purpose in accordance with the Political Constitution, Law 1581 of 2012 and Decree 1377 of 2013.

2.4. Principle of legality

The Processing of Personal Data is a regulated activity governed by Statutory Law 1581 of 2012, Decree 1377 of 2013 and other regulations that complement, modify or repeal them.

2.5. Principle of freedom

DNSS SAS may process and transfer personal data stored in its databases without the prior consent of the owner, provided that such data comes from public records or, although not contained therein, is of a public nature or is found in databases excluded by law (e.g. journalistic, statistical and research). In other cases, DNSS SAS must obtain the prior, express and informed consent of the Owner when processing their personal data.

2.6. Safety principle

DNSS SAS, as the party responsible for and/or in charge of processing personal data, provides the technical, human and administrative measures necessary to ensure the security of the records, preventing their alteration, loss, consultation, use or unauthorized or fraudulent access.

2.7. Principle of transparency

DNSS SAS guarantees that natural persons who are the owners of personal data may obtain, at any time, free of charge and without restrictions, information about the existence of data that concerns them and that is stored in the DNSS SAS databases, under the parameters established in article 21 of Regulatory Decree 1377 of 2013.

2.8. Principle of truthfulness or quality

DNSS SAS guarantees that the information contained in databases other than those from public registries, which are subject to processing, will be true, complete, accurate, up-to-date, verifiable and understandable. The veracity and quality of the personal data that has been captured through public registries is guaranteed by each of the holders of the same, and DNSS SAS is exempt from any type of responsibility regarding its quality.

3. PROCESSING OF PERSONAL DATA

3.1. Processing of public data

DNSS SAS warns that it processes personal data of a public nature and those contained in public records without prior authorization from the Owner. This situation does not imply that the necessary measures are not adopted to guarantee compliance with the other principles and obligations contemplated in Law 1581 of 2012 and other regulations that regulate this matter by DNSS SAS.

3.2. Processing of sensitive data

DNSS SAS only processes sensitive personal data for what is strictly necessary, requesting prior and express consent from the owners (legal representatives, agents, successors in title) and informing them of the exclusive purpose for its processing.

DNSS SAS uses and processes data classified as sensitive when:

  • The Processing has been expressly authorized by the Owner of the sensitive data, except in cases where, by Law, the granting of such authorization is not required.
  • The Processing is necessary to safeguard the vital interest of the Holder and he or she is physically or legally incapacitated. In these events, the legal representatives must grant authorization.
  • The Processing refers to data that is necessary for the recognition, exercise or defense of a right in a judicial process.
  • The Processing has a historical, statistical or scientific purpose, or takes place within the framework of improvement processes; the latter provided that measures are adopted leading to the suppression of the identity of the Holders, or that the data is dissociated, that is, the sensitive data is separated from the identity of the Holder so that the Holder of the sensitive data cannot be identified.

In addition to the above, DNSS SAS complies with the following obligations:

  1. Inform the owner that since the data is sensitive, he or she is not required to authorize its processing.
  2. Inform the owner explicitly and in advance, in addition to the general requirements for authorization to collect any type of personal data, which data subject to processing is sensitive and the purpose of the processing, and obtain express consent.
  3. Not to condition any activity on the owner providing sensitive personal data (unless there is a legal or contractual reason to do so).

3.3. Processing of data of minors

DNSS SAS only processes personal data of minors when they are public in nature or come from information provided by employees or contractors, at the time of their employment or provision of DNSS SAS services. This is done in accordance with the provisions of article 7 of Law 1581 of 2012 and when the treatment complies with the following parameters and requirements:

  1. It responds to and respects the best interests of children and adolescents.
  2. It ensures that their fundamental rights are respected.

Once the above requirements have been met, DNSS SAS will require the minor's legal representative or guardian to authorize the minor, prior to the minor giving his or her opinion regarding the treatment that will be given to his or her data, an opinion that will be assessed taking into account the maturity, autonomy and capacity to understand the matter, as indicated by law.

DNSS SAS and any person involved in the processing of personal data of children and adolescents shall ensure the proper use of said data. In compliance with the above, the principles and obligations established in Law 1581 of 2012 and Decree 1377 of 2013 are applied and developed.

4. RIGHTS OF THE OWNERS

DNSS SAS recognizes and guarantees the following rights to the holders of personal data:

  • Access, know, update and rectify your personal data before DNSS SAS, as the controller of personal data.
  • Request proof of the existence of the authorization granted to DNSS SAS, except in cases where the Law exempts the authorization.
  • Receive information from DNSS SAS, upon request, regarding the use it has made of your personal data.
  • Submit complaints for violations of current regulations to the Superintendency of Industry and Commerce (SIC).
  • Modify and revoke the authorization and/or request the deletion of personal data, when the Treatment does not respect the principles, rights and constitutional and legal guarantees in force. This Right to revoke the authorization is not absolute as long as there is a legal or contractual obligation that limits this right.
  • Have knowledge and access free of charge to your personal data that have been processed.

Note: These rights are only recognized and guaranteed for personal data of natural persons that are stored in databases other than public registries.

5. PRIVACY NOTICE

DNSS SAS, in accordance with article 14 of Decree 1377 of 2013, informs all holders of personal information contained in its databases of the purposes applicable to the processing of information defined for each of the company's interest groups, namely: Shareholders, employees and candidates for vacancies, suppliers or contractors, customer prospects and clients. The holders of the information, through their consent, freely, expressly, informedly and unequivocally accept that their personal data be processed by DNSS SAS, to carry out the purposes indicated below, this, without prejudice to the fact that at any time they may effectively exercise their right to habeas data so that their rights of access, rectification, deletion and proof of authorization are guaranteed:

  • Purposes applicable to all Personal Data Holders
    The purposes of the processing of personal data described below will apply to all personal data holders who have given their prior, express and informed authorization to DNSS SAS: To inform about substantial changes in the POLICY adopted by the company; establish and manage the pre-contractual and contractual commercial, labor, civil and any other relationship that arises by virtue of compliance with a legal or contractual obligation on the part of the company; respond to requests, queries, claims or complaints made by the holders of personal information through any of the channels enabled for this purpose; transfer or transmit your personal data to judicial or administrative entities or authorities, when these are required in relation to its purpose and necessary for the fulfillment of its functions; and inform about substantial changes in this POLICY.
  • Purposes applicable to shareholders
    With regard to natural persons who are data owners and who are also shareholders and directors of DNSS SAS, we inform you that the processing of their personal data will be carried out in accordance with the provisions of the Colombian Commercial Code and other regulations governing the same matter. Therefore, the purposes to be applied to the personal data of the shareholders will be the following: To identify them as a shareholder of DNSS SAS; to allow the exercise of the duties and rights derived from the status of shareholder and director of DNSS SAS; and to collect, record and update their personal data in order to inform, communicate, organize, control, attend to, and accredit the activities in relation to their status as a shareholder of DNSS SAS.

  • Purposes applicable to suppliers or contractors of goods and services
    Collect, record and update your personal data in order to inform, communicate, organize, control, serve, and accredit the activities in relation to your status as a supplier or third party of DNSS SAS; manage your data to carry out the different processes of payment of invoices and collection accounts presented to DNSS SAS, and other actions that are in charge of the entity; provide assistance and/or information of general and/or commercial interest to the suppliers or contractors of DNSS SAS; develop and apply selection processes, evaluation, preparation of responses to a request for information, prepare requests for quotation and proposal, and/or award of contracts; evaluate the services offered or provided to DNSS SAS; use, in the event that it is necessary, the personal data of the supplier or contractor in order to establish access controls to the logical or physical infrastructure; manage personal data to make payments to contractors and/or suppliers, including the administration of bank account numbers for the correct management of payments to be made by DNSS SAS; comply with any other legal obligation that is the responsibility of DNSS SAS.

6. DUTIES OF DNSS SAS IN RELATION TO THE PROCESSING OF PERSONAL DATA

DNSS SAS is aware that personal data is the property of the persons to whom it refers and only they can decide on it. Likewise, DNSS SAS clarifies that it will use said data only in compliance with the purposes for which it is duly and previously authorized by the owner, or by the Law in compliance with its regulated public functions; and at all times it respects the current regulations on Personal Data Protection.

DNSS SAS, as the Controller or Manager of the processing of personal data, complies with the duties and obligations set forth in Articles 17 and 18 of Law 1581 of 2012, and regulations that regulate or modify it, namely:

a) Guarantee the Holder, at all times, the full and effective exercise of the right to habeas data;
b) Request and retain, under the conditions provided for in this law, a copy of the respective authorization granted by the Owner;
c) Duly inform the Owner about the purpose of the collection and the rights granted to him by virtue of the authorization granted;
d) Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access;
e) Ensure that the information provided to the Data Processor is true, complete, accurate, up-to-date, verifiable and understandable;
f) Update the information, communicating in a timely manner to the Data Processor all new developments regarding the data previously provided and adopt the other measures necessary to ensure that the information provided to it remains up to date;
g) Rectify the information when it is incorrect and communicate the relevant information to the Data Processor;
h) Provide the Data Processor, as the case may be, only with data whose processing has been previously authorized in accordance with the provisions of this law;
i) Demand that the Data Processor at all times respect the security and privacy conditions of the Owner's information;
j) Process queries and complaints made under the terms set out in this law;
k) Adopt an internal manual of policies and procedures to ensure proper compliance with this law and in particular, to address queries and complaints;
l) Inform the Data Processor when certain information is being disputed by the Owner, once the claim has been submitted and the respective process has not been completed;
m) Inform the Owner, upon request, about the use given to his/her data;
n) Inform the data protection authority (Superintendency of Industry and Commerce, Data Protection Delegation) when security code violations occur and there are risks in the management of the information of the Holders;
o) Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

Duty of secrecy and confidentiality 

DNSS SAS guarantees and requires that any person involved in any phase of the processing of private, sensitive or minor personal data, maintain professional secrecy regarding said data and the duty to safeguard them, obligations that will continue to exist even after the end of their contractual relations with DNSS SAS.

Failure to comply with the duty of confidentiality will be sanctioned in accordance with the provisions of the Internal Work Manual and current legislation.

7. INFORMATION PROCESSING POLICIES

7.1. General information on authorization

When dealing with data other than those of a public nature, as defined in numeral 2 of article 3 of Regulatory Decree 1377 of 2013, DNSS SAS will request prior authorization for the processing of personal data by any means that allows it to be used as evidence. Depending on the case, said authorization may be part of a broader document such as a contract, or a specific document (format, form, addendum, etc.).

In the case of private personal data corresponding to natural persons, the description of the purpose of the data processing will be reported through the same specific document or attached. DNSS SAS will inform the data owner of the following:

  • The processing to which your personal data will be subjected and the specific purpose thereof.
  • The period for which your personal data will be processed.
  • The rights that you have as the owner.
  • The website, email, physical address and other communication channels through which you may submit queries and/or complaints to the Data Controller or Data Processor.

7.2. Right of access

DNSS SAS guarantees the right of access, in accordance with Law 1581 of 2012, only to the Holders of private personal data that correspond to natural persons, upon prior accreditation of the identity of the holder, legitimacy, or personality of his representative, making available to the latter, without cost or expense, in a detailed manner, the respective personal data processed, through any means of communication, including electronic means that allow direct access by the holder. Such access is subject to the limits established in article 21 of Regulatory Decree 1377 of 2013.

7.3. On the right to consultation

The holders of personal data may consult the personal information stored in any DNSS SAS database. Consequently, DNSS SAS guarantees the right to consultation in accordance with the provisions of Law 1581 of 2012 exclusively on private, sensitive and minor personal data corresponding to natural persons, providing the Holders of this personal data with the information contained in each of the corresponding databases and that are under the control of DNSS SAS.

DNSS SAS will establish the authentication measures that allow the secure identification of the owner of the personal data that makes the query or request. This obligation does not apply to the databases of public registries managed by DNSS SAS.

With respect to the attention of requests for consultation of personal data other than those contained in the public registry databases, DNSS SAS guarantees:

  • Enable electronic or other means of communication that it considers relevant and secure;
  • Establish forms, systems and other methods that will be reported in the Privacy Notice;
  • Use the customer service or complaints services that are in operation.

Regardless of the mechanism implemented to handle consultation requests, these will be processed within a maximum period of ten (10) business days from the date of receipt. In the event that a consultation request cannot be attended to within the aforementioned period, the interested party will be informed before the expiration of the period of the reasons why his/her query has not been answered, which in no case may exceed five (5) business days following the expiration of the first period.

7.4. Right to claim

A Holder of private personal data corresponding to a natural person who considers that the information contained or stored in a database other than the public records of DNSS SAS should be corrected, updated or deleted, or who notices the alleged non-compliance with any of the duties and principles contained in the regulations on Personal Data Protection, may file a claim with the Data Controller or Data Processor of DNSS SAS.

DNSS SAS has the necessary authentication measures that allow the secure identification of the owner of the personal data who makes the claim.

The claim may be filed by the owner, taking into account the information indicated in article 15 of Law 1581 of 2012.

If the claim is incomplete, the holder may complete it within five (5) business days following receipt of the claim, in order to correct any errors or deficiencies. After two (2) months from the date of the request, if the applicant does not submit the requested information, it will be understood that he has withdrawn the claim.

In the event of receiving a claim that is not within the jurisdiction of DNSS SAS, in order to resolve it, it will be forwarded to the appropriate party within a maximum period of two (2) business days and the interested party will be informed of the situation.

Once DNSS SAS has received the complete claim, a legend stating "claim in process" and the reason for it will be included in the database within a period of no more than two (2) business days. This legend will remain until the claim is decided. The maximum term to resolve the claim is fifteen (15) business days, counted from the day following the date of receipt. When it is not possible to address the claim within this period, DNSS SAS will inform the interested party of the reasons for the delay and the date on which the claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.

Note: When dealing with data contained in public registry databases, the procedure for processing the right to claim will be governed by the terms and opportunities established in the General Code of Procedure.

7.5. Right to rectification and updating of data

DNSS SAS undertakes to rectify and update, at the request of the Owner, the personal information corresponding to natural persons that is incomplete or inaccurate, in accordance with the procedure and terms indicated above. The above, provided that it is not data contained in public records, which will be governed by special regulations. In this regard, DNSS SAS will take into account the following:

  • In requests for rectification and updating of personal data, the Owner must indicate the corrections to be made and provide documentation supporting their request.
  • DNSS SAS is free to enable mechanisms that facilitate the exercise of this right, as long as they benefit the owner of the personal data. Consequently, electronic or other means that DNSS SAS considers pertinent and secure may be enabled.
  • DNSS SAS may establish forms, formats, systems and other methods, which will be reported in the Privacy Notice and which will be made available to interested parties on the DNSS SAS website or offices.

Note: When dealing with data contained in the databases of public registries, the data update procedure will be carried out at the times, in the forms and with the procedures expressly authorized by the legal and regulatory provisions and in the sole circular of the Superintendency of Industry and Commerce.

7.6. Right to data deletion

The owner of personal data has the right at any time to request DNSS SAS to delete (eliminate) his/her personal data, provided that it is not data contained in public records, which will be governed by special regulations. For the rest of the data, the following assumptions will be taken into account:

  • That they are not being treated in accordance with the principles, duties and obligations provided for in the current regulations on Personal Data Protection.
  • That they are no longer necessary or relevant for the purpose for which they were collected.
  • That the period necessary for the fulfillment of the purposes for which they were collected has been exceeded.

This deletion involves the total or partial elimination or secure erasure of personal information as requested by the owner in the records, files, databases or treatments carried out by DNSS SAS.

The right to erasure is not an absolute right, and DNSS SAS, as the controller of personal data, may deny or limit the exercise thereof when:

  • The data owner has a legal or contractual obligation to remain in the database.
  • The deletion of data hinders judicial or administrative actions linked to tax obligations, the investigation and prosecution of crimes or the updating of administrative sanctions.
  • The data is necessary to protect the legally protected interests of the owner; to carry out an action based on public interest, or to comply with a legal obligation acquired by the owner.
  • The data is data of a public nature and corresponds to public records, the purpose of which is to be made public.

Note: When dealing with data contained in public registry databases, DNSS SAS is obliged to keep them public under the conditions and terms established in the legal and regulatory standards.

7.7. Right to revoke authorization

Any owner of personal data corresponding to natural persons may revoke at any time the consent to the processing of said data, provided that this is not prevented by a legal or contractual provision. To this end, DNSS SAS has established simple and free mechanisms that allow the owner to revoke his or her consent.

In cases where revocation of authorization is possible, it will be handled under the following two modalities:

  • Total: Regarding the totality of consented purposes, that is, DNSS SAS must completely stop processing the data of the Personal Data Owner.
  • Partial: For certain purposes consented to, such as advertising or market research purposes. In this case, DNSS SAS must partially suspend the processing of the data subject's data. Other processing purposes are then maintained, which the Controller, in accordance with the authorization granted, may carry out and with which the subject agrees.

The right of revocation is not an absolute right and DNSS SAS, as the controller of personal data, may deny or limit the exercise thereof when:

  • The data owner has a legal or contractual obligation to remain in the database.
  • The revocation of the authorization for processing hinders judicial or administrative actions related to tax obligations, the investigation and prosecution of crimes or the updating of administrative sanctions.
  • The data is necessary to protect the legally protected interests of the owner; to carry out an action based on public interest, or to comply with a legal obligation acquired by the owner.
  • The data is data of a public nature and corresponds to public records, the purpose of which is to be made public.

7.8. Data protection in contracts

In employment contracts, DNSS SAS has included clauses to authorize in advance and generally the processing of personal data related to the execution of the contract, which includes the authorization to collect, modify or correct, at future times, personal data of the Holder corresponding to natural persons. It has also included the authorization for some of the personal data, if applicable, to be delivered or transferred to third parties with whom DNSS SAS has service provision contracts, for the performance of outsourced tasks. In these clauses, mention is made of this Policy and its location, for due consultation.

In contracts for the provision of external services that involve the processing of data, DNSS SAS will carry out the transmission with the Data Processor and its contracts will include clauses that specify the purposes, means, applicable security measures and treatments authorized by DNSS SAS, and will precisely delimit the use that these third parties can give to them, as well as the obligations and duties established in Law 1581 of 2012 and Regulatory Decree 1377 of 2013, including the necessary security measures to guarantee at all times the confidentiality, integrity and availability of the personal information entrusted for processing.

For its part, DNSS SAS, when receiving data from third parties and acting as the Data Controller, verifies that the purpose or purposes of the processing authorized by the owner or permitted for legal, contractual or jurisprudential reasons are in force and that the content of the purpose is related to the reason for which said personal information is to be received from the third party, since only in this way will it be authorized to receive and process said personal data.

7.9. Transfer of personal data to third countries

The transfer of personal data to third countries will only be carried out when there is corresponding authorization from the owner and prior authorization from the Personal Data Delegation of the SIC if it is carried out to one of the countries that is not contemplated in the external circular of August 5, 2017.

Any processing that involves the transmission of data outside of Colombian territory is considered an international transfer, whether it is a transfer of data or its purpose is to provide a service to the controller outside of Colombia.

Likewise, prior authorization must be obtained from the Personal Data Protection Officer of the Superintendency of Industry and Commerce, when international data transfers are planned to be made to countries that do not provide a certain level of protection. This authorization may only be granted if adequate guarantees are obtained, such as contracts based on the standard clauses approved by the SIC, or the Binding Corporate Rules.

The international transfer of data may be carried out by request of DNSS SAS, establishing the purpose, the groups of interested parties or holders of the personal information, the data subject to transfer and the documentation that includes the guarantees required to obtain the authorization; which includes a description of the specific security measures that will be adopted, both by DNSS SAS, and by the Data Controller or Data Processor at its destination.

DNSS SAS will not request authorization when the international transfer of data is covered by any of the exceptions provided for in the Law and its Regulatory Decree. Examples of this are when the affected party consents to the transfer, when the transfer is necessary to establish the contractual relationship between the affected party and the person responsible for the Database, and when the transfer refers to a monetary transaction.

7.10. General rules applicable.

DNSS SAS has established the following general rules for the protection of personal, sensitive and minor data, such as the care of databases, electronic files and personal information:

  • DNSS SAS guarantees the authenticity, confidentiality and integrity of the information under its responsibility.
  • DNSS SAS has adopted all necessary and possible technical measures to guarantee the protection and control of the database existing and under its control.
  • In cases where the infrastructure depends on a third party, it will be ensured that both the availability of information and the protection of personal, sensitive and minor data is a fundamental objective.
  • DNSS SAS will periodically perform audits and controls to ensure the correct implementation of Law 1581 of 2012 and its regulatory decrees.
  • It is the responsibility of DNSS SAS officials to immediately report to the Superintendency of Industry and Commerce - Personal Data Delegation - any incident of information leakage, computer damage, violation of personal data, data commercialization, use of personal data of children or adolescents, identity theft, security incidents, violation of security codes or any type of conduct that may violate a person's privacy or lead to any type of discrimination.
  • The training and education of officials, suppliers and contractors will be a fundamental duty and complement to this Policy.
  • DNSS SAS must identify and promote the authorizations of the holders, privacy notices, notices on the website, awareness campaigns, complaint legends and other procedures to comply with Law 1581 of 2012 and Decree 1377 of 2013.

8. PROCEDURE FOR INFORMATION OWNERS TO EXERCISE THE RIGHTS TO KNOW, UPDATE, RECTIFY AND DELETE INFORMATION AND REVOKE AUTHORIZATION.

  • DNSS SAS guarantees that the exercise of the right to Habeas Data (access, rectify, cancel and request proof of authorization for processing) promoted by the owners of personal data will be carried out within the terms and conditions established in Law 1581 on the protection of personal data, its regulatory decrees and this PERSONAL DATA PROCESSING POLICY. To exercise your right to habeas data, you may direct your query or claim to any of the channels enabled by DNSS SAS, which are identified below: email customerservice@danielasalcedo.com or to the company's address located at Av. 7N # 23N-12, 2nd floor, Santiago de Cali, Valle del Cauca, Colombia.
  • The rights of access, updating, rectification, deletion and revocation of authorization of personal data are personal and may only be exercised by the Owner. However, the Owner may act through a legal representative or agent when the former is incapacitated or a minor, which makes it impossible for him or her to exercise such rights personally, in which case it will be necessary for the legal representative or agent to prove such status.
  • No fee or charge will be required for the exercise of the rights of access, updating, rectification, deletion or revocation of authorization when it concerns personal data of natural persons that are not part of the public records. (The provisions of Article 21 of Regulatory Decree 1377 of 2013 shall be taken into account)
  • In order to facilitate the exercise of these rights, DNSS SAS makes available to interested parties the physical or electronic formats appropriate for this purpose.
  • Once the terms indicated by Law 1581 of 2012 and other regulations or supplements have been met and exhausted, the Owner who is totally or partially denied the exercise of the rights of access, updating, rectification, deletion and revocation by DNSS SAS, may notify the National Authority for the Protection of Personal Data (Superintendence of Industry and Commerce - Delegation for the Protection of Personal Data -) of the denial or disagreement with the right exercised.

9. THE NATIONAL DATABASE REGISTRY

Pursuant to Decree 090 of 2018, DNSS SAS is not required to register its databases and this Policy in the National Registry of Databases administered by the Superintendency of Industry and Commerce.

10. SECURITY MEASURES APPLIED TO DATABASES AND FILES.

DNSS SAS, in order to comply with the security principle enshrined in article 4, letter g) of Law 1581, has internal information security mechanisms to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access, which are mandatory for the recipients of these policies.

DNSS SAS and its affiliated and/or related companies, by signing the corresponding transmission contracts, have required the data processors with whom it works to implement the necessary security measures to guarantee the security and confidentiality of the information in the processing of personal data.

It is the obligation of the recipients of these policies to inform DNSS SAS of any suspicion that may imply a violation of the security measures adopted by the organization to protect the Personal Data entrusted to it, as well as any inappropriate processing thereof, once they become aware of this situation.

In these cases, DNSS SAS will notify the Colombian data protection authority of the situation and will proceed to manage the respective security incident regarding the Personal Data, in order to establish the legal repercussions thereof, whether at the criminal, labor, disciplinary or civil level.

11. VALIDITY

Personal data will be processed for as long as is reasonable and necessary for the purpose for which the data are collected. Once the purpose or purposes of the processing have been fulfilled, and without prejudice to legal regulations that provide otherwise, DNSS SAS will proceed to suspend the personal data in its possession unless there is a legal or contractual obligation that requires its conservation.

This Policy is effective as of December 2019.

Policy Updates: DNSS SAS may modify the terms and conditions of this policy as part of our effort to comply with the obligations established by Law 1581 of 2012, regulatory decrees and other regulations that complement, modify or repeal this policy, in order to reflect any change in our operations or functions. In cases where this occurs, the new policy will be published on the organization's website.

12. CONTACT INFORMATION

If you have any questions about this policy, please contact DNSS SAS, or send your query directly through any of the following communication channels:

  • Email: you can contact us via email at customerservice@danielasalcedo.com
  • Main Office Address: You can go to the offices of the main address located at Av. 7N # 23N-12, 2nd floor, Santiago de Cali – Valle del Cauca.

13. REFERENCE TO OTHER DOCUMENTS

This Personal Data Protection Manual has been prepared in accordance with the following standards and documents:

  • Political Constitution of Colombia
  • Law 1581 of 2012.
  • Decree 1377 of 2013.
  • Law 1273 of 2009.
  • DNSS SAS Privacy Notices
  • DNSS SAS data protection clauses