TREATMENT AND PROCEDURE POLICY IN
DATA PROTECTION MATTER

1. OBJECTIVE


Protect and guarantee, on the basis of this manual, the fundamental right of HABEAS DATA, regulated by Law 1581 of 2012, which governs the procedures and criteria for the obtaining, collection, use, treatment, processing, exchange, transfer and transmission of personal data carried out by SERVICIOS DE DISTRIBUCION, ALMACENAMIENTO Y LOGISTICA SEDIAL SAS.

 

2. SCOPE


This manual will be applied to the treatment of personal data collected and handled by SERVICIOS DE DISTRIBUCION, ALMACENAMIENTO Y LOGISTICA SEDIAL SAS, whether of its workers or of its customers and suppliers.

 

3. RESPONSIBILITIES


It is the responsibility of the leaders of the Human Management, Administrative, Financial and Improvement Management processes to verify compliance with and application of this document, as well as to carry out the necessary updates and / or modifications of SEDIAL SAS.


These policies are mandatory and must be strictly complied with by the person in charge, as well as by all third parties who act on behalf of the Company, or who, without acting on behalf of the person in charge, process personal data at its disposal as managers. Both the person in charge and those in charge, understood as employees, contractors and third parties, must observe and respect these policies in the fulfillment of their functions and / or activities, even after the legal, commercial, labor or any other kind of ties have ended. Similarly, they undertake to keep strict confidentiality in relation to the data processed. Any breach of the obligations and, in general, of the policies contained in this document must be reported to the Directorate of Asset Protection "E-Mail". In accordance with number 1 of article 58 of the Substantive Labor Code, the worker must "observe the precepts of the regulation and abide by and comply with the orders and instructions given in a particular way by the employer or his representatives".

3.1 Administrative Structure on Protection and Processing of Personal Data


The person in charge has an administrative infrastructure destined, among other functions, to ensure due attention to requirements, requests, queries, complaints and claims related to data protection, in order to guarantee the exercise of the rights contained in the Constitution and the law, especially the right to know, update, rectify and delete personal information, as well as the right to revoke the consent granted for the processing of personal data.

For the purposes described above, we present the roles of the administrative structure for the protection of data of the holders of the information.

 

Administrative Department Director

 

The person in charge has a Human Management department, in charge of handling requests, inquiries, complaints and claims; trained to attend to the holders of personal data in relation to their requests, derived from the exercise of the rights on protection of personal data conferred by law.

 

The person in charge puts at your disposal the telephone number 333 033 3335 in Tocancipá, the email servicioalcliente@sedialgroup.com.co and the service office at the Acropolis headquarters for the care and exercise of the aforementioned rights.

Patrimonial Protection Directorate

 

The person in charge has an Asset Protection Directorate which is based on three essential pillars: (1) the provision of information; (2) due care and protection of employees, contractors and third parties.

 

For the fulfillment of these purposes, the person in charge has implemented a Service System, which aims to consolidate an environment of care, protection and respect for said people.

 

The Care System is aimed at:

  • Consolidate within the company a culture of care, respect and service to employees, contractors and third parties.

  • Adopt tools for the provision of adequate information.

  • Strengthen the procedures for the attention of your complaints, requests and claims.

  • To strive for the protection of the rights of employees, contractors and third parties, as well as their education

Operational Risk and Information Security

 

The Operational Risk area of the Responsible Party, among others, fulfills the function of protection of personal data and attends to the violations of rights contained in Law 1581/2012, in the second instance.

 

Additionally, the Responsible has an operational risk management system and an Information Security officer, who is in charge, among other functions, of enforcing minimum security conditions, risk prevention and implementation of controls that prevent adulteration, loss, consultation, use or unauthorized or fraudulent access to the information.

Board of Directors

 

The board of directors of the Responsible Party is the body in charge of approving the creation and / or updating of policies, manuals and guidelines on data protection.

 

Control and Surveillance Entities

 

Next, we present the Control Entities that the company has.

  • Internal audit

  • External audit

  • Superintendencies

  • Internal control.

4. ASSOCIATED OR REFERENCE DOCUMENTS

 

  • Political Constitution of Colombia, Article 15

  • Law 1266 of 2008

  • Decree 1727 of 2009

  • Law 1273 of 2009 Article 269F

  • Law 1581 of 2012

  • Decree 1377 of 2013

  • Decree 886 of 2014

5. DEFINITIONS
For the purposes of interpreting and applying this policy, the following concepts must be taken into account:

  • Authorization: Prior, express and informed consent of the owner of the data to carry out the processing of your personal information.

  • Database: Set of personal data that is the object of treatment.

  • Consultation: Request from the owner of the data, or from the persons authorized by the owner or by law, to know the information about the owner that rests in databases or files.

  • Personal data: Any information that directly or indirectly refers to a natural person and that allows them to be identified. Some examples of personal data are the following: name, citizen identification number, postal address, email address, telephone number, marital status, health data, fingerprint, salary, assets, financial statements, etc. These data are classified into:

    • Sensitive personal data: Information that affects the privacy of the person or whose improper use can generate discrimination, such as, for example, data that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership of unions, social organizations, human rights organizations or organizations that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life and biometric data (fingerprints, photos).

    • Public personal data: It is the data classified as such by law or the Political Constitution or that which is not private, semi-private or sensitive. Public data include, among others, the data related to the civil status of people, their profession or trade and their quality of merchant or public servant, the data contained in the RUNT or the data contained in the public mercantile registry of the Chambers of Commerce. By its nature, public data may be contained, among others, in public registers, public documents, gazettes and official gazettes and duly executed judicial decisions that are not subject to reservation. These data can be obtained and offered without any reservation and regardless of whether they refer to general, private or personal information.

  • Private personal data. It is the data that due to its intimate or reserved nature is only relevant for the person who owns the data. Examples: merchants' books (accounting), information extracted from the home inspection, telephone number as long as it is not found in public databases or the salary.

  • Semi-private personal data. Data that is not intimate, reserved, or public in nature and whose knowledge or disclosure may be of interest not only to its owner but to a certain sector or group of people or to society in general is semi-private, such as, among others, the data regarding compliance or breach of financial obligations or data relating to relationships with social security entities.

  1. Responsible for the treatment: Person who decides on the collection and purposes of the treatment, among others. It may be, by way of example, the company that owns the databases or information system that contains personal data.

  2. Person in charge of the treatment: Person who carries out the data processing on behalf of the person responsible for the treatment.

  3. Claim: Request from the owner of the data or the persons authorized by it or by law to correct, update or delete their personal data or to revoke the authorization in the cases established by law.

  4. Data owner: The natural person to whom the data refers.

  5. Treatment: Any operation or set of operations on personal data such as, among others, the collection, storage, use, circulation or deletion of that kind of information.

  6. Transfer: Sending of personal data made by the Responsible or the Person in Charge from Colombia to a Responsible who is inside (national transfer) or outside the country (international transfer).

  7. Transmission: Processing of personal data that implies the communication of the same within (national transmission) or outside of Colombia (international transmission) and whose purpose is to carry out a treatment by the Person in Charge on behalf of the Responsible.

  8. NNA: Refers to those under 18 years of age, and corresponds to the acronym for Boys, Girls and Adolescents.

  9. STIPULATION IN FAVOR OF ANOTHER OR FOR ANOTHER: Stipulation in favor of another, article 1506 of the civil code, which states the following: "Anyone can stipulate in favor of a third person, even if they do not have the right to represent it; but only this third person will be able to demand what is stipulated; and as long as its express or tacit acceptance does not intervene, the contract is revocable by the sole will of the parties that attended it. The acts that could only have been executed by virtue of the contract constitute tacit acceptance." The express acceptance of the third party is required to ratify the stipulation.

6. GENERAL CONDITIONS
6.1. PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA

The principles established below constitute the general parameters that will be respected by SERVICIOS DE DISTRIBUCION, ALMACENAMIENTO Y LOGISTICA SEDIAL SAS in the processes of collection, use and processing of personal data.

  1. Principle of legality in the matter of Data Processing: The Treatment referred to in Law 1581 of 2012 is a regulated activity that must be subject to what is established in it and in the other provisions that develop it.

  2. Principle of purpose: The Treatment of personal data collected by SERVICIOS DE DISTRIBUCION, ALMACENAMIENTO Y LOGISTICA SEDIAL SAS must be informed to the Owner.

  3. Principle of freedom: Treatment can only be exercised with the prior, express and informed consent of the Holder. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves consent.

  4. Principle of truthfulness or quality: The information subject to Treatment must be truthful, complete, exact, updated, verifiable and understandable. Processing of partial, incomplete, fractional or misleading data is prohibited.

  5. Principle of transparency: In the Treatment, the right of the Holder to obtain from the person in charge of the Treatment or the Person in Charge of the Treatment, at any time and without restrictions, information about the existence of data that concerns him must be guaranteed.

  6. Principle of access and restricted circulation: Personal data, except for public information, may not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to the owners or authorized third parties.

  7. Security principle: The information subject to Treatment by the Responsible Party, must be handled with the technical, human and administrative measures that are necessary to provide security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.

  8. Principle of confidentiality: All persons who intervene in the processing of personal data that are not public in nature are obliged to guarantee the reservation of the information, even after the end of their relationship with any of the tasks that the processing comprises.

6.2 Treatment to which the Personal Data and its Purpose will be Submitted

The data that is collected will be treated in a transparent, loyal and lawful manner with the main purpose of contracting, executing and marketing the goods and services of the Data Controller, as well as contact by telephone, by electronic means (SMS, chat, electronic mail and other means considered electronic), by physical means and / or in person.

The Responsible Party may process personal data for the following purposes:

1. Necessary purposes for the execution of the contract and / or provision of the Service

  • Carry out the pertinent steps for the development of the pre-contractual, contractual and post-contractual stage with the person in charge, with respect to any of the products or services offered by the person in charge that they have acquired, or with respect to any underlying business relationship that they have with them, as well as to comply with Colombian or foreign law and the orders of judicial or administrative authorities.

  • Manage procedures, such as requests, complaints and claims, and carry out risk analysis

  • Make known, transfer and / or transmit my personal data as a result of a contract, law or legal link that requires it and implement cloud computing services and / or manage the information in systems and / or technological platforms, in accordance with the other purposes described in this document.

  • Provide authorities, control entities, trade associations and the systems managed by them, the personal data necessary to carry out studies and in general the administration of information systems of the corresponding sector, when applicable.

  • Consult, collect, provide to third parties with whom the person in charge has a commercial, legal and / or contractual link, and report the information that resides in operators of information databases referred to in Law 1266 of 2008 or the regulations that modify or substitute it, for the following purposes: commercial purposes, maintenance of the contractual relationship with the Responsible, market studies, research, statistics, reporting to public entities and compliance with the regulations applicable to the Risk Management System for Money Laundering and Financing of Terrorism;

  • Access, consult the personal data that rest or are contained in databases or files of any Private or Public Entity (among others, the Ministries, Control Entities, Administrative Departments, DIAN, the Prosecutor's Office, National Police, National Registry of the Civil Status, Courts, Tribunals and High Courts) whether national, international or foreign; as well as, treat my personal data and supply them to them.

  • Create databases for the purposes described in the information processing policy and privacy notice, available at https://www.sedialgroup.com.co/proteccion-de-datos/Paginas/Aviso-de-Privacidad

  • Sending notifications through electronic means or data transmission such as mail and SMS, as well as informing me about activities related to corporate education programs.

  • Consolidate the financial information, information on statements and / or products offered by Sedial SAS companies in a single document together with the statement or when viewing them in the transactional customer portal, where applicable.

  • To consult any doctor, hospital, insurance company, prepaid medicine company or health promotion entity (EPS) so that, at any time, whether in my lifetime or after my death, Sedial can access the information about my state of health and my medical history; Consequently, I authorize said entities to provide Sedial SAS with a copy of all the information that is required (Applicable only for Sedial products).

2. Data processing carried out by Sedial SAS partner companies

  • Make known, transfer and / or transmit personal data as a result of a contract of any kind, law or legal link that requires it for commercial, marketing and cross-selling purposes of companies allied to Sedial, its subsidiaries, subordinates, or linked.

  • Carry out satisfaction surveys regarding the goods and services carried out by companies allied to Sedial, its subsidiaries, subordinates, or related parties.

  • Carry out activities for the commercialization of products, verification and updating of information of companies allied to Sedial, its subsidiaries, subordinates, or related parties.

3. Strategic relationship

  • Make invitations to events, improve products and services or offer new products and all those activities associated with the commercial relationship or existing link or the one that will have with the person in charge.

  • Carry out satisfaction surveys regarding the goods and services of your business partners

  • Carry out customer segmentation and intelligence activities.

  • Transfer or transmit my personal data to third parties other than Sedial SAS for commercial or marketing purposes.

The data collected through security points, as well as, the data taken from the documents provided by the owner to the security personnel and those obtained from the video recordings that are made inside or outside the facilities of the person in charge, will be used for purposes of security and surveillance of the people, goods and facilities of The Responsible and may be used as evidence in any type of process.

The third party as provider (manager or manager) must obtain authorizations directly from those who are entitled to give consent, these are:

  • The Holder, who must sufficiently prove his identity by the different means made available to him by the person in charge.

  • The successors in title of the Holder, who must prove such quality.

  • The representative and / or attorney-in-fact of the Holder, prior accreditation of the representation or power of attorney.

6.2. AUTHORIZATION OF THE USE OF DATA

SEDIAL SAS, as the person responsible for the processing of personal data, has provided the necessary mechanisms to obtain the authorization of the holders, guaranteeing in any case that it is possible to verify the granting of said authorization.

  • FORM AND MECHANISMS TO GRANT THE AUTHORIZATION.

The FR-SF-035 Protection and Use of Data and FR-CO-012 Authorization for the Processing of Personal Data forms present the authorization format defined by SEDIAL SAS. Said format will be made available to the Holder prior to the processing of their personal data, in accordance with the provisions of Law 1581 of 2012 and Decree 1377 of 2013.

  • NOTICE OF PRIVACY

It has been defined for SEDIAL SAS. For the storage of the format, SERVICIOS DE DISTRIBUCION, ALMACENAMIENTO Y LOGISTICA SEDIAL SAS may use computer, electronic or any other technology.

6.3. RIGHTS AND DUTIES

  • RIGHTS OF THE INFORMATION HOLDERS

In accordance with the provisions of article 8 of Law 1581 of 2012 and articles 21 and 22 of Decree 1377 of 2013, the Holder of personal data has the following rights:

  1. Know, update and correct your Personal Data. This right may be exercised, among others, in relation to partial, inaccurate, incomplete, divided or misleading information, or information whose treatment is prohibited or unauthorized.

  2. Require proof of consent granted for the collection and processing of Personal Data.

  3. Be informed by SERVICIOS DE DISTRIBUCION, ALMACENAMIENTO Y LOGISTICA SEDIAL SAS of the use that has been given to Personal Data.

  4. File complaints with the Superintendency of Industry and Commerce in the event that there is a violation by SEDIAL SAS of the provisions of Law 1581 of 2012, Decree 1377 of 2013 and other regulations that modify, add or complement them, in accordance with the provisions on the procedural requirement established in article 16 of Law 1581 of 2012.

  5. Revoke the authorization granted for the processing of Personal Data.

  6. Request to be removed from your database. This deletion or elimination implies the total or partial elimination of the personal information, in accordance with what is requested by the owner, in the databases of SERVICIOS DE DISTRIBUCION, ALMACENAMIENTO Y LOGISTICA SEDIAL SAS. It is important to bear in mind that the right of deletion is not absolute and the person in charge can deny the exercise of the same when: the owner has a legal and / or contractual duty to remain in the database; the deletion of the data hinders judicial or administrative actions or the investigation and prosecution of crimes; or the data are necessary to comply with an obligation legally acquired by the owner.

  7. Have access to the Personal Data that SERVICIOS DE DISTRIBUCION, ALMACENAMIENTO Y LOGISTICA SEDIAL SAS has collected and processed.

  • DUTIES OF THE RESPONSIBLE FOR THE INFORMATION

As responsible for the processing of personal data, and in accordance with the provisions of Law 1581 of 2012, SEDIAL SAS, undertakes to comply with the following duties, in relation to the processing of personal data:

  1. Guarantee the owner of the information, at all times, the full and effective exercise of the right to Habeas Data.

  2. Keep a copy of the respective authorization granted by the owner.

  3. Properly inform the owner about the purpose of the collection and the rights that assist him by virtue of the authorization granted.

  4. Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.

  5. Process the queries and claims made by the holders of the information in the terms indicated by articles 14 and 15 of Law 1581 of 2012.

  6. Inform at the request of the Owner about the use given to their data.

  7. Inform the Superintendency of Industry and Commerce when there are violations of the security codes and there are risks in the administration of the information of the Holders.

  8. Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

  9. Insert in the database the legend "information in judicial discussion" once notified by the competent authority, on judicial processes related to the quality or details of personal data.

  10. Refrain from circulating information that is being disputed by the owner and whose blocking has been ordered by the Superintendency of Industry and Commerce.

  11. Allow access to information only to authorized persons.

  12. Inform through the means that it considers pertinent the new mechanisms that it implements so that the holders of the information make their rights effective.

6.4. PROCEDURE FOR THE EXERCISE OF THE RIGHTS OF THE INFORMATION HOLDER

The holders of the information may exercise their rights at any time and free of charge, after proof of their identity.

The request must be made by any of the following means: Email: servicioalcliente@sedialgroup.com.co or directly with the commercial area.

SECURITY OF THE INFORMATION

In development of the security principle established in Law 1581 of 2012, SEDIAL SAS will adopt the technical, human and administrative measures that are necessary to grant security to the physical and / or virtual records; avoiding its adulteration, loss, consultation, use or unauthorized or fraudulent access.

 

In the case of the transmission of data to those in charge, it is done with password-protected files.

Every worker and / or contractor of SEDIAL SAS who has access to the database and / or confidential information must sign the form FR-CO-011 Confidentiality Agreement for Suppliers.

DESIGNATION

SERVICIOS DE DISTRIBUCION, ALMACENAMIENTO Y LOGISTICA SEDIAL SAS appoints the Director of the Administrative Department and the person in charge of human management to fulfill the function of protection of personal data. They will process the requests of the Holders for the exercise of the rights of access, consultation, rectification, updating, deletion and revocation referred to in Law 1581 of 2012. The above, if necessary, will be done with the support of the Financial Area, which is in charge of the accountant.

VALIDITY

This policy came into effect in August 2018, in accordance with Law 1581 of 2012 and Decree 1388 of 2013 to document the creation of policies and procedures on data protection and information management.