PERSONAL DATA PROCESSING POLICY OF SHAREHOLDERS, CUSTOMERS, USERS, AND/OR SUPPLIERS
INTRODUCTION
This policy is issued in compliance with Law 1581 of 2012, Decree 1377 of 2013, of Colombia, and regulations that modify or add to the personal data protection regime and seek to guarantee that the company ARKIX S.A.S., in its capacity as responsible and charge of the managing personal information, carry out the Treatment of the same in strict compliance with the applicable regulations, guaranteeing the rights that the Holders of the information assist them.
DEFINITIONS
1. Personal data: Any information linked or that can be associated with one or more specific or determinable natural persons.
2. Private data: It is the data that due to its intimate or reserved nature is only relevant to the Holder.
3. Semi-private data: Semi-private data is data that does not have an intimate, reserved, or public nature and whose knowledge or disclosure may be of interest not only to its Owner but to a certain sector or groups of people or society in general, such as financial data and business credit.
4. Public data: It is the data classified as such according to the mandates of the Law or the Political Constitution and all those that are not semi-private or private, under Law 1266 of 2008. They are public, among others, the data contained in public documents, duly executed judicial sentences that are not subject to reservation, and those related to the civil status of the people.
5. Authorization: Prior, express, and informed consent of the Owner to carry out the processing of personal data.
6. Database: Organized set of personal data that is subject to Treatment.
7. Person in charge of the Treatment: Natural or legal person, public or private, that by itself or in association with others, carries out the Treatment of personal data on behalf of the person in charge of the Treatment.
8. Responsible for the Treatment: Natural or legal person, public or private, that by itself or in association with others, decides on the database and/or the Treatment of the data.
9. Holder: Natural person whose personal data is subject to Treatment.
10. Treatment: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.
11. Sensitive data: Are those that affect the privacy of the Holder or whose improper use can generate discrimination, such as those that reveal the origin of racial or ethnic, political orientation, religious or philosophical convictions, membership in trade unions, social, human rights organizations or that promotes the interests of any political party or that guarantees the rights and guarantees of opposition political parties, as well as the data relating to health, sexual life, and biometric data.
OBJECTIVE
The objective of this policy is to define and establish clear and mandatory guidelines, applicable to the processing of personal data collected, processed, and/or stored by the company ARKIX S.A.S., by the development of its corporate purpose, in its capacity as responsible and in charge of the treatment.
All the precepts contained in this policy are established to guarantee each one of the rights of the owners of the information and thus prevent their rights and/or guarantees from being violated.
AREA OF APPLICATION
These policies will apply to the processing of personal data carried out by the company ARKIX S.A.S., in all places where it has a presence, and to any database that is created by the company for the development of its commercial activity.
All organizational processes of the company ARKIX S.A.S., which involve the processing of personal data, must be subject to the provisions of this Policy.
POLICIES
1. INFORMATION OF THE RESPONSIBLE AND IN CHARGE OF THE TREATMENT OF PERSONAL INFORMATION.
The company responsible and in charge of processing personal data is:
- Company name: ARKIX S.A.S.
- Address: Medellín.
- Address: ST 30a #74-69 5th floor.
- Email: [email protected]
- Telephone: 444 88 99.
2. TREATMENT TO WHICH THE PERSONAL DATA WILL BE SUBJECTED AND ITS PURPOSE
In the exercise of its corporate purpose, the company ARKIX S.A.S. performs directly, that is, it holds the quality of responsible and is in charge of the processing of personal data of its shareholders, suppliers, customers, and users of its products.
Likewise, in compliance with the applicable legislation, the company ARKIX S.A.S. may require to transmit or transfer said data to the indicated platforms and/or to the security systems implemented by it.
In the development of the principles of purpose and freedom, the collection of personal data by ARKIX S.A.S. will be limited to those personal data that are relevant and adequate for the purpose for which they are collected or required, under current regulations. Except in the cases expressly provided for in the Law, personal data may not be collected without the authorization of the Owner.
Personal data is collected, stored, organized, used, circulated, transmitted, transferred, updated, rectified, deleted, eliminated, and managed according to the purpose or purposes of each type of treatment, as indicated in the third numeral of this Politics.
2.1. Treatment of personal data of clients
The personal information of the clients will be treated in a completely confidential manner and will only be used for the development of the previously established commercial relationship unless the client authorizes its use for another use.
The personal data of the clients will be stored digitally and physically in a folder identified with the name of each one of them, where only the information strictly necessary for the subject of analysis, granting and administration of business credit will be stored. location data, commercial and/or financial references, and other data that allow for creating and maintaining a solid and lasting business relationship.
2.2. Treatment of personal data of suppliers
The company ARKIX S.A.S, will only collect the strictly necessary data, for the selection, evaluation, and development of the contract that is signed with the respective supplier, in said agreement a provision must be included where both parties agree to provide treatment, adequate and authorized to the personal data that they reciprocally exchange.
The company ARKIX S.A.S., will collect from its suppliers the personal data of its employees, which is necessary, for security reasons must be analyzed and evaluate, taking into account the characteristics of the services contracted with the supplier.
The personal data of employees of the suppliers collected by the company ARKIX S.A.S. will have the sole purpose of verifying the suitability of the supplier’s employees, for the development of the object of the previously signed contract.
Therefore, once such a situation has been verified, the information will be returned to the supplier, except when it is necessary to have the aforementioned personal data.
All employees of the company ARKIX S.A.S., who have access to supplier information, must treat it under the provisions of this document.
2.3. Treatment of Personal Data of Shareholders
The personal data of the people who become shareholders of ARKIX S.A.S. will be considered reserved and confidential information since it is registered in the trade books and is reserved by law.
Therefore, access to such personal information will be carried out under the rules contained in the Commercial Code that regulate the matter.
2.4. Processing of personal data of girls, boys, and/or adolescents
The processing of personal data of children and/or adolescents that are public will comply with the following parameters and requirements:
a) That response to and respects the best interests of children and adolescents.
b) To ensure respect for their fundamental rights.
c) Assessment of the opinion of the minor when he/she has the maturity, autonomy, and capacity to understand the matter.
Once the above requirements have been fulfilled, the legal representative of the child or adolescent may grant authorization for the Treatment, after exercising the right of the minor to be heard, an opinion that must be assessed taking into account the maturity, autonomy, and ability to understand the case.
2.5. Treatment of sensitive data:
The company ARKIX S.A.S. will strictly observe the legal limitations to the Treatment of sensitive data, for which it will ensure that:
A. The Holder has given his explicit authorization to said treatment, except in cases where the granting of said authorization is not required by law.
B. The Treatment is necessary to safeguard the vital interest of the Holder, and he is physically or legally incapacitated. In these events, the legal representatives must grant their authorization.
C. The Treatment is carried out in the course of legitimate activities and with due guarantees by a foundation, NGO, association, or any other non-profit organization, whose purpose is political, philosophical, religious, or trade union, provided that it is referred exclusively to its members or to the people who maintain regular contact because of its purpose. In these events, the data may not be provided to third parties without the authorization of the Holder.
D. The Treatment refers to data that is necessary for the recognition, exercise, or defense of a right in a judicial process.
E. The Treatment has a historical, statistical, or scientific purpose. In this event, the measures leading to the suppression of the identity of the Holders must be adopted.
2.6. Video surveillance
The company, ARKIX S.A.S., uses various means of video surveillance installed in different places of its facilities or offices.
The information collected will be used for security purposes of people, goods, and facilities. This information can be used as evidence in any type of process before any type of authority and organization.
3. PURPOSES OF TREATMENT
The purposes of the processing of Personal Data, carried out by ARKIX S.A.S., are the following:
- Provision of the services offered by ARKIX S.A.S.
- Execution of the contracts signed with ARKIX S.A.S.
- Customer service and marketing.
- Sending information related to legal and regulatory news of interest to clients of ARKIX S.A.S.
- Sending information related to the contractual relationship.
- Registration of statistical information of clients of ARKIX S.A.S.
- Registration of supplier and contractor information.
- Registration of information of the employees of contractors who provide services in ARKIX S.A.S.
- Contract statistics and services offered or provided.
- Communication, consolidation, organization, updating, control, accreditation, assurance, statistics, reporting, maintenance, interaction, and management of the actions, information, and activities in which suppliers, contractors, and their employees are related or linked to ARKIX S.A.S.
- Execution of the corresponding employment contract.
- To notify family members, the 123 hotlines, and any priority care service in case of emergencies during your stay at the ARKIX S.A.S.
- Communication, registration, filing, organization, processing, and management of the actions, strategies, and activities in which the shareholders of ARKIX S.A.S.
- Access, consult, compare and evaluate all the information about the Holders that is stored in the databases of any legitimately constituted credit, financial, legal background, or security risk center, of a state or private, national, or foreign nature.
- Investigate, verify and validate the information provided by the Holders, with any information that ARKIX S.A.S. legitimately has. – Consult, compare and evaluate all the information on the Holders that is stored in the databases of legitimately constituted credit, financial, judicial, or security risk centers, of a state or private, national, or foreign nature.
- If ARKIX S.A.S., is not able to carry out the treatment by its means, it may transfer the collected data to be processed by a third party, prior notification to the Holders of the collected data, which will be in charge of the treatment and must guarantee suitable conditions of confidentiality and security of the information transferred for the treatment.
4. RIGHTS THAT ASSIST YOU AS THE HOLDER OF THE DATA
Under the provisions of article 8 of Law 1581 of 2012 and decree 1377 of 2013, the Holder of personal data has the following rights:
a) Know, update and rectify your data against ARKIX S.A.S., in its capacity as responsible and in charge of the Treatment. This right may be exercised against partial, inaccurate, incomplete, fragmented, misleading data, or those whose treatment is expressly prohibited or has not been authorized.
b) Request proof of the authorization granted to ARKIX S.A.S., in its capacity as responsible and charge of the Treatment, except when expressly excepted as a requirement for the Treatment, under the provisions of article 10 of Law 1581 of 2012 (or in the rules that regulate, add, complement, modify or repeal it), or when the continuity of the treatment has been presented as provided in numeral 4 of article 10 of Decree 1377 of 2013.
c) Be informed by ARKIX S.A.S., upon request, regarding the use that has been given to your data.
d) Submit complaints to the Superintendency of Industry and Commerce for violations of the provisions of Law 1581 of 2012, once the consultation or claim process has been exhausted before ARKIX S.A.S.
e) Revoke the authorization and/or request the deletion of the data when the principles, rights, and constitutional and legal guarantees are not respected in the Treatment. The revocation and/or deletion will proceed when the Superintendence of Industry and Commerce has determined that in the Treatment the Responsible or Person in Charge has incurred conduct contrary to the law and the Constitution.
f) Free access to your data that has been subject to Treatment.
5. DUTIES OF THE COMPANY ARKIX S.A.S. AS RESPONSIBLE FOR THE TREATMENT
The duties of those responsible for the Treatment are those established in article seventeen (17) of Law 1581 of 2012:
a) Guarantee the Holder, at all times, the full and effective exercise of the right of habeas data.
b) Request and keep, under the conditions outlined in this law, a copy of the respective authorization granted by the Holder.
c) Duly inform the Holder about the purpose of the collection and the rights that assist him under the authorization granted.
d) Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use, or unauthorized or fraudulent access.
e) Guarantee that the information provided to the Treatment Manager is true, complete, accurate, updated, verifiable, and understandable.
f) Update the information, promptly communicate to the Person in Charge of the Treatment, all the news regarding the data that has previously been provided, and adopt the other necessary measures so that the information provided to it is kept up to date.
g) Rectify the information when it is incorrect and communicate what is pertinent to the Treatment Manager.
h) Provide the Person in Charge of Treatment, as the case may be, only data whose Treatment is previously authorized under the provisions of this law. i) Require the Treatment Manager at all times to respect the security and privacy conditions of the Holder’s information.
j) Process queries and claims formulated in the terms indicated in this law.
k) Adopt an internal manual of policies and procedures to guarantee adequate compliance with this law and, in particular, for dealing with queries and claims.
l) Inform the Person in Charge of Treatment when certain information is under discussion by the Holder, once the claim has been filed and the respective procedure has not been completed.
m) Inform at the request of the Owner about the use given to their data.
n) Inform the data protection authority when there are violations of the security codes and there are risks in the administration of the Holders’ information.
o) Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.
6. AREA RESPONSIBLE FOR THE ATTENTION OF REQUESTS, INQUIRIES, AND CLAIMS
The data processing area, of the company ARKIX S.A.S., will be responsible for the attention of requests, queries, claims, complaints, or for the exercise of the rights of the Holder of personal information.
7. PROCEDURE TO EXERCISE THE RIGHTS OF THE DATA HOLDER
7.1. Procedure for access and consultation
The Owner of the data, or their assignees, may consult the information that rests in the databases in the possession of ARKIX S.A.S., for which they must make the corresponding request, in writing, and file it before the Area in charge of ARKIX S.A.S., on Monday to Friday from 7:30 a.m. to 5:30 p.m. at Calle 30a #74-69, 5th floor, in the city of Medellín.
To prevent unauthorized third parties from accessing the personal information of the Owner of the data, it will be necessary to previously establish the identification of the Owner. When the request is made by a person other than the Holder, and it is not proven that the same acts on behalf of the former, it will be considered as not submitted.
The query will be answered within a maximum term of ten (10) business days from the date of receipt. When it is not possible to attend the query within said term, the interested party will be informed, stating the reasons for the delay and indicating the date on which his query will be attended, which in no case may exceed five (5) business days following the expiration of the first term.
7.2. Procedure to request updating, correction, deletion, revocation of authorization or to submit claims
The Holder, or his successors in title, who consider that the information contained in the databases of ARKIX S.A.S., should be subject to correction, updating, or deletion, or when they notice the alleged breach of the duties contained in this law, may present a claim before ARKIX S.A.S., which will be processed under the following rules, under article 15 of Law 1581 of 2012:
a) The claim will be formulated through a request filed before the Administrative Area of ARKIX S.A.S., from Monday to Friday from 7:30 am to 5:30 pm, at Calle 30a #74-69 floor 5 of the city of Medellín.
b) To prevent unauthorized third parties from accessing the personal information of the Holder of the data, it will be necessary to previously establish the identification of the Holder. When the request is made by a person other than the Holder, and it is not proven that the same acts on behalf of the former, it will be considered as not submitted.
c) The request must contain the following information:
(i) The identification of the Holder.
(ii) Contact information (physical and/or electronic address and contact telephone numbers). (iii) The documents that prove the identity of the Holder, or the representation of his representative.
(iv) The clear and precise description of the personal data concerning which the Holder seeks to exercise any of the rights.
(v) The description of the facts that give rise to the claim.
(vi) The documents that you want to assert.
(vii) Signature, identification number, and fingerprint.
(viii) Filing in the original.
d) If the claim is incomplete, ARKIX S.A.S., will require the interested party within five (5) days after receiving the claim to correct the faults. After two (2) months from the date of the request, without the applicant submitting the required information, it will be understood that he has withdrawn the claim.
e) If the Area that receives the claim is not competent to resolve it, it will transfer it to the appropriate person within a maximum term of two (2) business days and will inform the interested party of the situation.
f) Once the complete claim is received, a legend will be included in the database that says “claim in process” and the reason for it, within a term, not exceeding two (2) business days. Said legend must be kept until the claim is decided. g) The maximum term to address the claim will be fifteen (15) business days, counted from the day following the date of receipt. When it is not possible to address the claim within said term, the interested party will be informed of the reasons for the delay and the date on which his claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first finished.
7.3. Data Deletion
The Holder has the right, at all times, to request ARKIX S.A.S., the deletion (elimination) of his data when:
a) Consider that they are not being treated under the principles, duties, and obligations outlined in Law 1581 of 2012.
b) They are no longer necessary or relevant for the purpose for which they were collected.
c) The period necessary for the fulfillment of the purposes for which they were collected has been exceeded.
d) This suppression implies the total or partial elimination of the personal information under the request of the Holder in the records, files, databases, or treatments carried out by ARKIX S.A.S.
e) It is important to bear in mind that the cancellation right is not absolute and the person in charge can deny the exercise of the same when:
(i) The request to delete the information will not proceed when the Holder has a legal or contractual duty to remain in the database.
(ii) The elimination of data hinders judicial or administrative actions related to tax obligations, the investigation, and prosecution of crimes, or the updating of administrative sanctions.
(iii) The data is necessary to protect the legally protected interests of the Holder, to carry out an action based on the public interest, or to comply with an obligation legally acquired by the Holder.
7.4. Revocation of Authorization
The Holder of the personal data may revoke the consent to the processing of their data at any time, as long as it is not prevented by a legal provision.
8. INFORMATION SECURITY
In the development of the security principle, ARKIX S.A.S. has adopted reasonable technical, administrative, and human measures to protect the information of the Holders and prevent adulteration, loss, consultation, use, or unauthorized or fraudulent access.
Access to personal data is restricted to their owners.
ARKIX S.A.S., will not allow access to this information by third parties under conditions other than those announced, except for an express request from the Owner of the data or legitimate persons under national regulations. Notwithstanding the foregoing, ARKIX S.A.S., will not be responsible for any action tending to infringe the security measures established for the protection of Personal Data.
9. VALIDITY OF THE POLICY
The Policy is effective as of January 1, 2022.
As a general rule, the term of the authorizations on the use of personal data is understood as the term of the commercial relationship or the connection to the service and during the exercise of the company’s corporate purpose.
________________________________
FEDERICO PELÁEZ RODRÍGUEZ
legal representative
ARKIX S.A.S
