1. SCOPE

This Personal Data Protection Policy will apply to all Databases and / or Files containing Personal Data that are subject to Treatment by IMAAS S in C, considered as responsible and / or responsible for the processing of Personal Data, (in Ahead THE COMPANY).

  1. IDENTIFICATION OF PERSON RESPONSIBLE FOR THE TREATMENT OF PERSONAL DATA

IMAAS S in C, domiciled in the industrial zone la Macarena II manufactures 6 Dosquebradas – Risaralda, Colombia. Email imaas@imaas.com, telephone 57 6 3301000.

  1. TREATMENT

THE COMPANY, acting as Responsible for the Processing of Personal Data, for the proper development of its commercial activities, as well as for the strengthening of its relations with third parties, collects, stores, uses, circulates and deletes Personal Data corresponding to natural persons with Who have or have had a relationship, such as, but not limited to, workers and their families, shareholders, consumers, customers, distributors, suppliers, creditors and debtors.

  1. PURPOSE

The Personal Data are object of Treatment by the COMPANY with the following purposes:

4.1. To send information to their workers and family;

4.2. For the provision of health services to the relatives of the employees of the COMPANY who are beneficiaries of the health service;

4.3. For the recognition, protection and exercise of the rights of the shareholders of THE COMPANY;

4.4. In order to strengthen relations with its consumers and customers, by sending relevant information, taking orders and the attention of Petitions, Complaints and Complaints (PQR’s) by the customer service area, the evaluation of the quality of Its customer service and the invitation to events organized or sponsored by THE COMPANY, among others;

4.5. For verification of balances of your creditors;

4.6. For the determination of outstanding obligations, the consultation of financial information and credit history and the reporting to information centers of unfulfilled obligations, with respect to their debtors;

4.7. For marketing activities and other commercial purposes that do not contravene the legislation in force in Colombia;

4.8. For the attention of judicial or administrative requirements and the fulfillment of judicial or legal mandates;

4.9. In order to be able to contact, by email or by any other means, natural persons with whom you have or have had a relationship, such as, without limitation, workers and their relatives, shareholders, customers, suppliers, creditors and debtors , For the aforementioned purposes.

  1. RIGHTS OF THE HOLDERS OF THE PERSONAL DATA

Natural persons whose personal data are processed by THE COMPANY have the following rights, which may be exercised at any time:

5.1. Know the Personal Data on which THE COMPANY is performing the Treatment. Similarly, the Holder may at any time request that his data be updated or rectified, for example, if he finds that his data are partial, inaccurate, incomplete, fractioned, misleading, or those whose Treatment is expressly prohibited or not Has been authorized.

5.2. Request proof of the authorization granted to THE COMPANY for the Treatment of your Personal Data.

5.3. Be informed by THE COMPANY, upon request, regarding the use that it has given to your Personal Data.

5.4. Submit to the Superintendency of Industry and Commerce complaints for violations of the provisions of the Law on Protection of Personal Data.

5.5. Request the COMPANY to delete their Personal Data and / or revoke the authorization granted for the Treatment of the same, by submitting a claim, in accordance with the procedures established in number 10 of this Policy. However, the request for deletion of the information and the revocation of the authorization will not proceed when the Holder of the information has a legal or contractual duty to remain in the Database and / or Archives, or while the relationship between The Holder and THE COMPANY, by virtue of which their data were collected.

5.6. Free access to your Personal Data object of Treatment.

  1. AREA RESPONSIBLE FOR THE IMPLEMENTATION AND OBSERVANCE OF THIS POLICY

The Administrative Division is in charge of the development, implementation, training and enforcement of this Policy. For this purpose, all officials who perform the processing of personal data in the different areas of THE COMPANY, are obliged to report these Databases to the Administrative Directorate and to immediately transfer all of the requests, complaints or Claims that they receive from the Personal Data Holders.

The Administrative Management. Has also been designated by THE COMPANY as an area responsible for the attention of petitions, consultations, complaints and claims to which the Holder of the information may exercise their rights to know, update, rectify and delete the data and revoke the authorization.

 

  1. AUTHORIZATION

 

THE COMPANY must request previous, express and informed consent to the Owners of the Personal Data on which it requires to carry out the Treatment.

7.1. Prior authorization means that the consent must be granted by the Holder, at the latest at the time of collection of Personal Data.

7.2. Express authorization means that the consent of the Holder must be explicit and specific, are not valid open and non-specific authorizations. The Holder is required to express his / her willingness to authorize THE COMPANY to process the Personal Data.

This manifestation of will of the Holder can take place through different mechanisms made available by THE COMPANY, such as:

In writing, for example, filling out an authorization format as indicated in Annex 1.

Orally, for example, in a telephone conversation or videoconference.

Through unequivocal conduct that allows to conclude that it granted its authorization, for example, through its express acceptance of the Terms and Conditions of an activity within which the participants’ authorization is required for the Processing of their Personal Data.

IMPORTANT: In no case THE COMPANY will assimilate the silence of the Owner to an unequivocal conduct.

Whatever the mechanism used by THE COMPANY, it is necessary that the authorization be retained so that it can be consulted at a later date.

7.3. Informed Authorization means that at the moment of requesting consent to the Holder, it must be clearly informed:

The Personal Data that will be collected.

The identification and contact details of the Responsible and the Care Manager.

The specific purposes of the intended Treatment, ie how and for what purpose the collection, use and circulation of Personal Data will be done.

What are the rights you have as the holder of the Personal Data; For the effect see number 5 of this Policy.

The optional nature of the answer to the questions that are asked, when they are about sensitive data or about the data of children and adolescents.

 

  1. SPECIAL PROVISIONS FOR THE TREATMENT OF PERSONAL DATA OF SENSITIVE NATURE.

According to the Law on the Protection of Personal Data, sensitive data are those that affect privacy or whose abuse may lead to discrimination, such as those related to:

Racial or ethnic origin.

Political orientation.

Religious / philosophical beliefs.

Membership of trade unions, social organizations, human rights organizations or political parties.

Health.

Sex life.

Biometric data (such as fingerprint, signature and photo).

Treatment of Personal Data of a sensitive nature is prohibited by law, unless there is prior express authorization from the Card Holder, among other exceptions set forth in Article 6 of Law 1581 of 2012.

In this case, in addition to complying with the requirements established for the authorization, THE COMPANY shall:

Inform the Cardholder that because it is sensitive data, it is not obliged to authorize its Treatment.

Inform the Holder which of the data that will be subject to Treatment are sensitive and the purpose of the Treatment.

IMPORTANT: No activity may be conditional on the Holder providing Sensitive Personal Data.

 

  1. SPECIAL PROVISIONS FOR THE PROCESSING OF PERSONAL DATA ON CHILDREN AND ADOLESCENTS

According to the provisions of Article 7 of Law 1581 of 2012 and article 12 of Decree 1377 of 2013, THE COMPANY will only carry out the Treatment, that is, the collection, storage, use, circulation and / or suppression of Personal Data corresponding to Children and adolescents, provided that this Treatment responds and respects the best interests of children and adolescents and ensures respect for their fundamental rights.

Once the above requirements have been fulfilled, THE COMPANY must obtain the authorization of the legal representative of the child, prior to the child’s exercise of their right to be heard, an opinion that will be valued taking into account the maturity, autonomy and capacity to understand the matter.

  1. PROCEDURE FOR ATTENTION AND RESPONSE TO PETITIONS, CONSULTATIONS, COMPLAINTS AND CLAIMS OF PERSONAL DATA HOLDERS

The Holders of Personal Data that are being collected, stored, used, put into circulation by THE COMPANY, may at any time exercise their rights to know, update, rectify and delete information and revoke the authorization.

For this purpose, the following procedure shall be followed, in accordance with the Law on Protection of Personal Data:

10.1. ATTENTION AND RESPONSE TO PETITIONS AND CONSULTATIONS:

What is the process?

The Holder or his successors, may request the COMPANY, through the means indicated below:

Information on the Personal Data of the Holder who are subject to Treatment.

Request proof of the authorization granted to THE COMPANY for the Treatment of your Personal Data.

Information regarding the use that has been given by THE COMPANY to your personal data.

Means enabled to submit requests and queries:

THE COMPANY has arranged the following means for the reception and attention of requests and inquiries, all of which allow to keep proof of them:

Communication addressed to IMAAS S in C. Administrative Direction, industrial area la macarena II manufactures 6 Dosquebradas – Risaralda Request submitted to the e-mail: imaas@imaas.com

Attention and response by the COMPANY:

The requests and consultations will be answered within a maximum term of ten (10) working days from the date of receipt of the same. When it is not possible to attend the request or consultation within that term, the interested party will be informed, stating the reasons for the delay and indicating the date on which his request or consultation will be attended, which in no case may exceed five (5) Business days following the expiration of the first term.

10.2. ATTENTION AND RESPONSE TO COMPLAINTS AND COMPLAINTS:

What is the procedure?

The Holder or his successors, may request to THE COMPANY, through a complaint or claim submitted through the channels indicated below:

Correction or updating of information.

The deletion of your Personal Data or the revocation of the authorization granted for the Treatment of the same.

That the alleged breach of any of the duties contained in the Personal Data Protection Law be corrected or corrected.

The application must contain the description of the facts that give rise to the complaint or claim, the address and contact details of the applicant, and must be accompanied by the documents that you want to enforce.

Means for filing complaints and complaints:

THE COMPANY has arranged the following means for the reception and attention of complaints and claims, all of which allow us to keep proof of its presentation:

Communication addressed to IMAAS S in C. Administrative Direction, industrial area la macarena II manufactures 6 Dosquebradas – Risaralda Request submitted to the e-mail: imaas@imaas.com

Attention and response by the COMPANY:

If the complaint or claim is incomplete, THE COMPANY shall require the interested party within five (5) days of receipt of the complaint or claim to remedy the faults. After two (2) months from the date of the request, without the applicant submitting the requested information, it will be understood that he has withdrawn from the complaint or claim.

In the event that the person receiving the complaint or claim is not competent to resolve it, it will transfer to the Administrative Management of IMAAS S in C., within a maximum term of two (2) business days and inform the interested party.

Once the complaint or complete complaint has been received, a legend that says “complaint in process” and the reason for it, in a term no longer than two (2) business days will be included in the Database. This legend must be maintained until the complaint or claim is decided.

The maximum term to deal with the complaint or claim will be fifteen (15) business days from the day after the date of receipt. When it is not possible to deal with the complaint or claim within that term, the interested party will be informed of the reasons for the delay and the date on which the complaint or claim will be dealt with, which in no case may exceed eight (8) days Following the expiration of the first term.

  1. SECURITY OF PERSONAL DATA

THE COMPANY, in strict application of the Security Principle in the Processing of Personal Data, shall provide the technical, human and administrative measures necessary to provide security for the records, preventing their adulteration, loss, consultation, use or unauthorized or fraudulent access. The obligation and responsibility of THE COMPANY is limited to having the appropriate means for this purpose. THE COMPANY does not guarantee the total security of its information nor is it responsible for any consequences derived from technical failures or from improper entry by third parties to the Database or File on which the Personal Data object of Treatment by the COMPANY And their Managers. THE COMPANY shall require service providers to contract, adopt and comply with appropriate technical, human and administrative measures for the protection of Personal Data in relation to which such suppliers act as Managers.

  1. TRANSFER, TRANSMISSION AND DISCLOSURE OF PERSONAL DATA

THE COMPANY may deliver Personal Data to third parties not related to THE COMPANY when: a. They are contractors in execution of contracts for the development of the activities of THE COMPANY; B. Transfer by any title of any line of business to which the information relates.

In any case, in the contracts for the transmission of Personal Data, signed between THE COMPANY and the Managers for the Processing of Personal Data, it will be required that the information be treated in accordance with this Personal Data Protection Policy and include the following Obligations at the head of the respective Manager:

Give Treatment, on behalf of THE COMPANY to the Personal Data according to the principles that guard them.

Safeguard the security of databases containing Personal Data.

To maintain confidentiality regarding the Treatment of Personal Data.

  1. APPLICABLE LAW

This Personal Data Protection Policy, the Privacy Notice and the Authorization Format that forms part of this Policy as Annex 1, are governed by the provisions in the current legislation on the protection of Personal Data referred to in Article 15 Of the Political Constitution of Colombia, Law 1266 of 2008, Law 1581 of 2012, Decree 1377 of 2013, Decree 1727 of 2009 and other norms that modify, repeal or replace them.

  1. EFFECTIVENESS

This Policy of Protection of Personal Data has been in force since September 2016.