PERSONAL DATA PRIVACY POLICY DEMETALICOS S.A.S.

By virtue of the entry into force of the Statutory Law 1581 of 2012, by which the general provisions for the protection of personal data, and its Regulatory Decree 1377 of 2013, the company DEMETALICOS S.A.S., identified with NIT 890.936.560-1, regulates the policies, processes and procedures aimed at achieving effective protection to the development of the constitutional right of habeas data that all persons have to know, update and rectify their personal data, in order to ensure and keep informed of the use that will be given to all information provided.

It will be applied to all the Databases and/or Files that contain personal data and that are object of treatment by DEMETALICOS S.A.S., considered as responsible and/or in charge of the treatment of the personal data, will carry out this treatment on behalf, and previous authorization of the holder and based on the information that this one has reported us in development of the different activities carried out by our company.

DEFINITIONS

DEMETALICOS S.A.S., retakes the definitions contemplated in the Law and makes them known as follows:

  1. Authorization: Consent that, in a previous, express and informed way, the holder of some personal data emits so that DEMETALICOS S.A.S., carries out the treatment of its personal data.
  2. Privacy notice: Verbal or written communication generated by DEMETALICOS S.AS. that is made available to the holder for the treatment of their personal data, which informs the existence of the treatment policies that will be applicable, how to access them and the characteristics of the treatment that is intended to give to personal data.
  3. Data base: Set of personal data that are object of treatment by DEMETALICOS S.A.S.
  4. Substantial changes to a Database: These are those related to the purpose of the database, the Data Processor, the channels of attention to the Data Subject, the classification or types of personal data stored in each database, the information security measures implemented, the Information Processing Policy and the international transfer and transmission of personal data, if any.
  5. Personal data: Information that is linked to one or more specific or determinable persons that can be associated with a natural or legal person. Personal data may be public, semi-private or private.
  6. Sensitive data: Data related to racial or ethnic origin, membership in trade unions, social or human rights organizations, political, religious, sex life, biometric or health data. This information may not be provided by the Holder of this data.
  7. Habeas Data: It is the right that every holder of information has to know, update, rectify or oppose to the information concerning his personal data. The habeas data confers a group of faculties to the individual so that, in exercise of the general clause of freedom, he may control the information that has been compiled about him by an information center. In this sense, this fundamental right is aimed at preserving the interests of the owner of the information in the face of the potential abuse of computer power.
  8. Data processor: Natural or legal person, public or private, which by itself or in association with others, performs any processing of personal data on behalf of the controller. DEMETALICOS S.A.S., may carry out the processing of your personal data through data processors.
  9. Person in charge of the treatment: Natural or legal, public or private person, that by itself or in association with others, decides on the database and/or the treatment of the data DEMETALICOS S.A.S., according to the law is responsible for the treatment of personal data contained in its databases.
  10. Holder: Natural person whose data are processed by DEMETALICOS S.AS.
  11. Treatment: Any operation or set of operations on personal data that DEMETALICOS S.AS. must handle, within which can be included its collection, storage, consultation, exchange, transfer, use, circulation or suppression.

 

PURPOSES OF TREATMENT

The treatment that will be given to all the information collected and stored by DEMETALICOS S.A.S. for the development of its corporate purpose and the contractual relationship that links it with the Personal Data Holder, if any, and in particular for:

  1. Information about your commercial payment habits
  2. Develop business relationships with third parties.
  3. Inform about new products or services.
  4. Perform statistical processing of your data.
  5. Evaluate the quality of products or services.
  6. Develop marketing and promotional activities.
  7. To send by means of publication in the web of DEMETALICOS S.A.S., physical mail, electronic, cellular or mobile device, – via text messages (SMS and/or MMS) commercial, advertising or promotional information about the products and/or services, events and/or promotions, in order to promote, invite, direct, execute, inform and in a general way, to carry out campaigns, promotions or contests.
  8. Conduct internal studies on compliance with commercial relations and market research.
  9. Attending services through Call Center
  10. To comply with obligations contracted with the Holder.
  11. Respond to legal requirements of administrative and judicial entities.
  12. Execute the employment contract.
  13. To guarantee the security of DEMETALICOS S.A.S.
  14. Develop training activities.
  15. Sharing, including the transfer and transmission of your personal data to third countries for purposes related to the operation of DEMETALICOS S.A.S., in accordance with the provisions of law and always ensuring compliance with the minimum established in the Colombian regulations.
SENSITIVE DATA

For the case of sensitive personal data, DEMETALICOS S.A.S., will be able to make use and treatment of them when:

  1. The owner has given his explicit authorization, except in cases where the law does not require the granting of such authorization.
  2. The processing is necessary to safeguard the vital interest of the Data Subject and he/she is physically or legally incapacitated. In these events, the legal representatives must grant their authorization.
  3. The processing is carried out in the course of legitimate activities and with due guarantees by a foundation, NGO, association or any other non-profit organization, whose purpose is political, philosophical, religious or trade union, provided that they refer exclusively to its members or to persons who maintain regular contacts by reason of their purpose. In these events, the data may not be provided to third parties without the owner’s authorization.
  4. The Processing refers to data that are necessary for the recognition, exercise or defense of a right in a judicial process.
  5. The processing has a historical, statistical or scientific purpose. In this event, the measures leading to the suppression of the identity of the owners must be adopted. Notwithstanding the exceptions provided by law, the processing of sensitive data requires the prior, express and informed authorization of the holder, which must be obtained by any means that may be subject to consultation and subsequent verification.
DUTIES OF THE COMPANY AS CONTROLLER AND PROCESSOR OF PERSONAL DATA.

DEMETALICOS S.A.S., recognizes the ownership of personal data held by individuals and therefore they can exclusively decide on them. Therefore, it will use the personal data for the fulfillment of the purposes expressly authorized by the holder or by the effective norms. In the treatment and protection of personal data, DEMETALICOS S.A.S., will have the following duties, without prejudice to others provided in the provisions that regulate or come to regulate this matter:

  1. Guarantee to the Data Subject, at all times, the full and effective exercise of the right of habeas data.
  2. Request and keep, under the conditions set forth in the aforementioned law, a copy of the respective authorization granted by the Holder.
  3. Duly inform the Data Subject about the purpose of the collection and the rights he/she has by virtue of the authorization granted.
  4. Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access.
  5. Ensure that the information provided to the Data Processor is truthful, complete, accurate, updated, verifiable and understandable.
  6. Update the information, communicating in a timely manner to the Data Processor, all developments regarding the data previously provided and take other necessary measures to ensure that the information provided to it is kept up to date.
  7. Rectify the information when it is incorrect and communicate the pertinent to the Data Processor.
  8. To provide to the Data Processor, as the case may be, only data whose processing is previously authorized in accordance with the provisions of the aforementioned law.
  9. To require the Data Processor at all times to respect the security and privacy conditions of the Data Subject’s information.
  10. To process the consultations and claims formulated in the terms set forth in the aforementioned law.
  11. Adopt an internal manual of policies and procedures to ensure adequate compliance with the aforementioned law and, in particular, to deal with queries and complaints.
  12. Inform the Data Processor when certain information is under discussion by the Data Subject, once the claim has been filed and the respective process has not been completed.
  13. Inform upon request of the Data Subject about the use given to his/her data.
  14. Inform the data protection authority when there are violations to the security codes and there are risks in the administration of the information of the Data Holders.
  15. Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
HOLDER’S AUTHORIZATION.

Notwithstanding the exceptions provided by law, the processing requires the prior and informed authorization of the Data Subject, which must be obtained by any means that may be subject to subsequent consultation.

Cases in which authorization is not required. The authorization of the Holder shall not be necessary in the following cases:

  1. Information required by a public or administrative entity in the exercise of its legal functions or by court order;
  2. Data of a public nature;
  3. Cases of medical or sanitary emergency;
  4. Processing of information authorized by law for historical, statistical or scientific purposes;
  5. Data related to the Civil Registry of Persons.

Whoever accesses personal data without prior authorization must in any case comply with the provisions contained in this law.

MEANS FOR GRANTING AUTHORIZATION

DEMETALICOS S.A.S. will obtain the authorization by different means, among them the physical document, electronic, data message, Internet, Web sites, or in any other format that in any case allows the obtaining of the consent by means of unequivocal conducts through which it is concluded that of not having taken place on the part of the holder or the person legitimized for it, the data would not have been stored or captured in the database.

 

RIGHTS YOU HAVE AS OWNER

The holders of the personal data must take into account that all the processes that entail a data treatment by any area of the company, whether of clients, suppliers, employees and in general any third party with which DEMETALICOS S.A.S., sustains or has sustained some labor or commercial relation, and in this way they know the rights that attend to that holder of the data, which are enunciated next:

  1. To know, update and rectify your personal data at any time before DEMETALICOS S.A.S., with respect to the data that you consider partial, inaccurate, incomplete, fractioned, that induce to error, or those whose Treatment is expressly prohibited or has not been authorized.
  2. To request proof of the authorization granted to DEMETALICOS S.A.S., except when expressly excepted as a requirement for the Treatment.
  3. Be informed by DEMETALICOS S.A.S., upon request, regarding the use that has been given to their own data.
  4. To file before the Superintendence of Industry and Commerce complaints that it considers pertinent to enforce the regulations that modify, add or complement it.
  5. To revoke the authorization and/or to request the suppression of the data when it considers that DEMETALICOS S.A.S., is not respecting the principles, rights and constitutional and legal guarantees.
  6. Access free of charge to your personal data that you have voluntarily decided to share with DEMETALICOS S.A.S., and in this way the company assures you to keep reliably the authorization forms duly granted.
  7. Rights of children and adolescents: The processing of personal data of children and adolescents is prohibited, except in the case of data of a public nature. Areas that, due to the nature of their management, must process this type of personal data, must apply the principles for the protection of the fundamental rights of this type of Personal Data Holders.
THESE RIGHTS MAY BE EXERCISED BY:
  1. The holder, who will have to prove his identity in sufficient form by the different means that DEMETALICOS S.A.S. makes available to him.
  2. The assignees of the holder, who must prove their status as such.
  3. The holder’s representative and/or attorney-in-fact, upon proof of representation or power of attorney.
  4. Other in favor of or for which the holder has stipulated.

Any substantial change in the Information Processing Policy that may affect the content of the authorization granted by the holder will be communicated to the holder in the terms established by the regulations in force. In addition, the previous versions of the Information Processing Policy will be kept.

The holder’s non-opposition to the use of his/her data, within thirty (30) days following the notification of the new Information Processing Policy constitutes acceptance of the same.

INFORMATION SECURITY AND SECURITY MEASURES

Giving fulfillment to the principle of security established in the effective normativity, DEMETALICOS S.A.S., will adopt the technical, human and administrative measures that are necessary to grant security to the registries avoiding its adulteration, loss, consultation, use or not authorized or fraudulent access.

RESPONSIBLE FOR AND IN CHARGE OF THE PROCESSING OF PERSONAL DATA.

DEMETALICOS S.A.S., will be responsible for the processing of personal data. The administrative area will be responsible for handling requests, complaints and claims made by the owner of the data in exercise of the rights under this policy.

DEMETALICOS S.A.S., is committed to give a correct use and treatment of the personal data of its clients and users, avoiding the unauthorized access to third parties that allows to know or to violate, to modify, to divulge and/or to destroy the information that rests in the data bases of the company. For this reason, DEMETALICOS S.A.S., has security protocols and access to their information systems, storage and processing including physical measures to control security risks. DEMETALICOS S.A.S., will also subscribe confidentiality obligations with each and every one of its employees, in order to avoid that the data stored in their databases can be used by unauthorized third parties.

DEMETALICOS S.A.S., will maintain its Data Bases in physical files with key, the electronic Data Bases under controls of security of the information. The files that are handled by third parties contracted for such purpose, will be controlled by our organization, in such a way that the person in charge of the treatment assures its confidentiality, use and restricted access.