Data Protection Policy
POLICIES AND PROCEDURES ON PERSONAL DATA PROTECTION.
Adopt and establish rules applicable to the processing of personal data collected, processed and/or stored by SOCYA in development of its corporate purpose, as manager and/or controller; complying with the Constitutional, Legal and Regulatory norms on the matter.
2. AREA OF APPLICATION.
The provisions of this policy will apply to any database or personal information that is in the custody of SOCYA, either as the controller or the processor of it. Likewise, they will apply to all SOCYA organizational processes that involve the processing of personal data.
This policy will be of mandatory observance, compliance and application for the managerial staff, advisor, employee, contractor, supplier and in general, any natural or legal person that by virtue of the legal, contractual, statutory and / or regulatory relationship with SOCYA must collect, process, access and / or store databases for which SOCYA is responsible or in charge.
The protection of personal data for which SOCYA is responsible or in charge of its treatment, will be guided by the principles established by the Constitution, Law 1581 of 2012 and other regulations related to the matter, especially the principles of: Legality, Freedom, Truthfulness or Quality, Transparency, Restricted Access, Restricted Circulation, Security and Confidentiality; in order to ensure and guarantee the rights of the owner of the data.
5. RIGHTS OF THE DATA HOLDERS.
The holders of personal data for which SOCYA is responsible or in charge of their collection, treatment and / or storage, will have the rights enshrined in the Constitution, the Law, the Regulations and, in particular, the following:
5.1. Access at any time and free of charge to the personal data provided that have been the object of collection, treatment and / or storage by SOCYA.
5.2. Know, update and rectify your information in the face of partial, inaccurate, incomplete, fractioned, misleading data, or those whose treatment is prohibited or has not been authorized.
5.3. Request proof of authorization granted.
5.4. Submit complaints to the Superintendency of Industry and Commerce (SIC) for violations of the provisions of current regulations on the processing of personal data.
5.5. Revoke the authorization and / or request the deletion or cancellation of the data, provided that there is no legal or contractual duty that prevents them from being deleted.
5.6. Refrain from answering questions about sensitive data. Answers that deal with sensitive data of girls, boys and adolescents will be voluntary or optional.
6. DUTIES OF THOSE RESPONSIBLE AND IN CHARGE OF DATA PROCESSING:
When SOCYA and/or any of the recipients indicated in Numeral 3 of this policy acts as the controller and/or processor of the personal data collected, processed and/or stored by SOCYA, they must strictly comply with the duties enshrined in Articles 17 and 18 of Law 1581 of 2012. In addition, all recipients must give special application to the following duties:
6.1. Apply security measures according to the classification of personal data processed by SOCYA.
6.2. Adopt disaster recovery procedures applicable to databases containing those of a personal nature.
6.3. Adopt backup procedures for databases.
6.4. Periodically audit compliance with this policy by its recipients.
6.5. Securely manage databases containing personal data.
6.6. Apply this policy on the protection of personal data in harmony with the “Information Security Policy”.
6.7. Keep a central registry of the databases that contain personal data that includes the history since its creation, treatment of the information and cancellation of the databases.
6.8. Securely manage access to personal databases contained in information systems, in which SOCYA acts as the controller or processor.
6.9. Have a procedure to manage security incidents regarding databases containing personal data.
6.10. Regulate access to databases containing personal data in contracts with third parties.
6.11. Consult the binding, restrictive, sanctioning lists, and others, national and international, in a safe way, thus ensuring the proper use of the data provided by the client.
7. ATTENTION OF REQUESTS, CONSULTATIONS AND CLAIMS.
In compliance with what is established in the Constitutional, Legal and Regulatory norms on the matter, the owner of the data that rests in Socya's information systems, will have the right to file complaints, claims or take actions. For the exercise of rights alluded to in Numeral 5 of this policy, the following channels are established for filing or requesting information related to the exercise of rights over personal data:
7.1 Internal control is in charge of collecting, treating and / or storing personal data and it will be in charge of forwarding the request, query and / or claim to each area to respond and make your rights effective.
7.2 Administrative Headquarters in Medellín (30 Street No. 55 – 198).
7.3 Email Address: firstname.lastname@example.org
7.4 Phone number in Medellin: 444 – 2088.
8. PROCEDURE FOR THE EXERCISE OF THE RIGHT OF HABEAS DATA.
In compliance with the Constitutional, Legal and Regulatory norms on the protection of personal data and the Fundamental Right of Habeas Data, the SOCYA Foundation, presents the procedure and minimum requirements for the exercise of the rights of the holders of personal information:
8.1. For the filing and attention of applications, the following information must be indicated:
- Full name and surname.
- Contact information (physical and / or electronic address and contact telephone numbers).
- Means to receive notification of the response to your request.
- Reason (s) and / or fact (s) that give rise to the claim with a brief description of the right you wish to exercise (know, update, rectify, request proof of the authorization granted, revoke it, delete it, access the information among others).
- Signature (if applicable) and identification number.
- Copy of the citizenship card. (Physical or Digital).
- In case of acting through a proxy, the proxy must present a duly authenticated power of attorney at a Notary Public and a copy of the identity document of the proxy and the principal. If the person who intends to exercise the rights is the successor or representative of the owner of the data, he must prove the quality in which he acts, by means of the document that the Law indicates as suitable for the effect.
8.2. The communication must be filed through the channels indicated in Number 7.
8.3. If any of the requirements indicated here are missing, SOCYA will notify the interested party within 5 business days of receiving the request, so that they can correct them, proceeding to respond to the request once it has been corrected.
If two (2) months pass without the required information being submitted, it will be understood that the application has been withdrawn.
8.4. The maximum term provided by Law to resolve the claim is fifteen (15) business days, counted from the day following the date of receipt and compliance with the minimum requirements established herein. When it is not possible to attend the claim within said term, the area or agency in charge will inform the interested party of the reasons for the delay and the date on which their claim will be attended, which in no case may exceed the following eight (8) business days at the expiration of the first term.
8.5. Once the terms indicated by Law 1581 of 2012 and the other rules that regulate or complement it have been fulfilled, the owner who is denied, in whole or in part, the exercise of the rights of access, update, rectification, deletion and revocation may bring their case to the attention of the Superintendency of Industry and Commerce - Delegation for the Protection of Personal Data.
8.6. SOCYA will document and store the requests made by the owners of the data or by the interested parties in the exercise of any of the rights, as well as the responses to such requests.
8.7. SOCYA may have physical and / or digital formats for the exercise of these rights and will indicate in them if it is a question or a claim from the interested party.
9. CENTRAL REGISTRY OF PERSONAL DATABASES.
SOCYA, as the person responsible for the processing of personal data in its custody, as well as with respect to those in which it is in charge of the treatment, will have a central registry, in which it will list each of the databases contained in its information systems and other files. The central registry of personal databases must meet the following requirements:
9.1. Include all personal databases contained in the information systems and other SOCYA files. Each base will be assigned a registration number.
9.2. The registration of the personal databases will indicate:
9.2.1. The type of personal data it contains.
9.2.2. The purpose and intended use of the database.
9.2.3. Identification of the SOCYA area that handles the database.
9.2.4. Treatment system used (automated or manual) in the database.
9.2.5. Indication of the level and security measures that apply to the database by virtue of the type of personal data it contains.
9.2.6. Location of the database in SOCYA's information systems.
9.2.7. The group of people or interest groups whose data is contained in the database.
9.2.8. The condition of SOCYA as CONTROLLER or PROCESSOR for the treatment of the databases.
9.2.9. Authorization of communication or transfer of the database, if it exists.
9.2.10. Origin of the data and procedure in obtaining consent.
9.2.11. SOCYA server custodian of the database.
9.3. In order to update the central database registry, in the months of April, July, October and January of each year, the area in charge of obtaining personal data will send a monthly report with the changes made to the databases of personal data, in relation to the requirements mentioned in the previous paragraph. In the event that the databases have not undergone changes, this will be recorded by the custodian of the same.
9.4. The occurrence and history of security incidents that occur against any of the personal databases guarded by SOCYA will be documented in this central registry.
9.5. The registry will indicate the sanctions that may be imposed with respect to the use of the personal database, indicating the origin of the same.
9.6. The cancellation of the personal database will be recorded indicating the reasons and the technical measures adopted by SOCYA to make the cancellation effective.
10. TREATMENT OF PERSONAL DATA.
10.1. PROCESSING OF PERSONAL DATA RELATED TO THE MANAGEMENT OF HUMAN RESOURCES.
SOCYA will process the personal data of the human resource in three moments, namely:
10.1.1. BEFORE: 1. When the selection process is carried out directly by SOCYA: Persons interested in the entity's calls will be informed in advance of the rules applicable to data processing. 2. When the selection process is carried out by a third party: The treatment that must be given to the data of the applicants will be regulated in the corresponding Contract. 3. If not selected, the information collected in the selection process may not be used for any other purpose than the purposes pursued with participation in the selection process.
10.1.2. DURING: 1. The personal data of the collaborator will be stored in their personal folder, their access and treatment must be monitored and authorized by the Human Management Directorate, in accordance with the procedures that it establishes. 2. The use of the personal information of the collaborators for purposes other than those strictly labor is prohibited.
10.1.3. AFTER: 1. After the employment relationship, the personal data of the former collaborator will be stored under high levels of security. 2. The total or partial transfer of personal data to third parties outside the organization is prohibited, unless requested and / or prior authorization of the data owner.
10.2. PROCESSING OF PERSONAL DATA OF SUPPLIERS AND CONTRACTORS.
The personal data of natural and / or legal persons that are collected, processed and stored by virtue of a legal, contractual or statutory relationship with a supplier and / or contractor, whether it is data whose ownership belongs to said supplier, contractor or its dependents or collaborators will be used exclusively for the purposes of the selection, evaluation and / or execution of the obligations derived from the legal, contractual and / or statutory bond.
The data of the employees, dependents and / or collaborators of the suppliers and / or contractors will only be collected, processed and stored for the purposes derived from the selection, evaluation and / or execution and fulfillment of the obligations of the supplier and / or contractor.
The above data will also be used to review and consult, in a safe way, the binding, restrictive, sanctioning lists, and others, national and international, in order to know the reports, antecedents, processes and other activities that are reported in the name of the supplier or contractor.
Likewise, the data may be used by SOCYA for the purposes of carrying out any type of judicial and / or extrajudicial action against the aforementioned persons, their dependents and / or collaborators derived from the business relationship, by virtue of which they were collected, treated and stored.
When by virtue of its relations with its suppliers and / or contractors, SOCYA must deliver to them any type of personal, confidential or privileged information, it must stipulate within the contractual conditions under which conditions it delivers personal data to the supplier or contractor.
In case of non-compliance by the suppliers or contractors of SOCYA in the handling of the personal data of SOCYA, its employees and / or its databases, it will be considered a serious cause to terminate the contract, without prejudice to judicial and / or extrajudicial actions where appropriate.
In contracts with suppliers, where the contracted object is related to personal data, a provision will be agreed in relation to the damages that may be caused to SOCYA as a result of the imposition of fines, operational sanctions, among others, by the competent authorities and as a consequence of the reckless or negligent act of the supplier. The transfer or communication of personal data must be registered in the central registry of personal data of SOCYA and have the authorization of the custodian of the database.
10.3. PROCESSING OF PERSONAL DATA WITH SOCYA CONTRACTORS.
SOCYA contractors who access, use, process and / or store personal data of SOCYA employees and / or third parties related to said contractual processes will adopt, as appropriate, the provisions of this policy, as well as the security measures indicated by SOCYA according to the type of personal data processed. Similarly, when SOCYA has access to personal data derived from the development of the contractual object, it must comply with the data protection policy established by the contracting party, if the contractual terms so establish, or, failing that, apply a treatment equal to that established in this policy for personal data of the community in general.
10.4. TREATMENT OF PERSONAL DATA OF THE COMMUNITY IN GENERAL.
The collection of data from natural or legal persons that SOCYA deals with in the development of its corporate purpose, related to the community, will be subject to the provisions of this rule. For this purpose, SOCYA will previously inform and obtain the authorization of the owners of the data in the documents and instruments that it uses for the purpose and related to these activities. In each of the cases described above, the areas of the Entity that develop the processes that involve personal data must consider in their action strategies the formulation of rules and procedures that allow compliance with and make effective the provisions adopted here, in addition to preventing possible legal sanctions.
11. MISCELLANEOUS PROVISIONS.
11.1. All the above stipulations are understood to be established without prejudice to the requirements validly made by the judicial and / or administrative authorities and the other exceptions established in the Constitution, the Law and the Regulations on the matter. In these cases, it will correspond to the Legal Area, to establish the viability, veracity and origin of these exceptions and access requirements to personal data. In case of agreeing to the delivery of the information, it will leave a record of the request and the delivery of personal data to the requesting authority, advising the latter about the protection, confidentiality and / or privilege of the personal information sent to it.
11.2. The international transfer of personal data will be governed by Article 26 of Law 1581 of 2012 and its regulatory decrees.
11.3. SOCYA prohibits the processing of personal data of underage children and adolescents, unless expressly authorized by their legal representatives. Any treatment that is made regarding the data of minors must ensure the prevailing rights that the Political Constitution recognizes to them, in harmony with the Code of Childhood and Adolescence.
11.4. What is not provided for in this policy will be supplemented and understood in accordance with the provisions of Article 15 of the Political Constitution, Law 1581 of 2012, Decree 886 of 2014, as appropriate Decree 1074 of 2015 and the other concordant regulations that govern the matter.
11.5. The personal data of the members of the Board of Directors will be collected, processed and stored in accordance with the general data processing regulations and may only be used for the purposes related to the statutory function they perform.
11.6. Any collection, treatment and / or storage of personal data carried out by SOCYA collaborators must be done with the prior written authorization of the owner. Failure to comply with this duty will entail the sanctions established by the Law or the Contract.
11.7. The permanence of the data in SOCYA's information systems will be determined by the purpose of said treatment. Consequently, once the purpose for which the data was collected has been exhausted, SOCYA will proceed to its destruction or return, as the case may be, or to keep it according to the provisions of the Law, in the act or contract by virtue of which it was obtained, adopting technical measures that prevent inappropriate treatment.
11.8. SOCYA has adopted physical, logical and administrative security measures, which are classified in high, medium and low level, in accordance with the risk of the personal data processed.
11.9. The notification of any investigation procedure by any authority, related to the processing of personal data, must be communicated immediately to the Executive Directorate of SOCYA, in order to take the measures to defend the actions of the entity and avoid the imposition of the sanctions provided for in Colombian legislation, in particular those set forth in Title VII, Chapter II of Law 1581 of 2012. As a consequence of the risks assumed by SOCYA, whether as controller and / or processor of personal data, failure to comply with this policy by its recipients is considered a serious offense and will lead to the termination of the respective contract without prejudice to other legal actions.
11.10. When the purpose of collection, treatment and / or storage of personal data has not been foreseen, it will be understood that they are collected solely and exclusively for the purposes of the act or contract by virtue of which their collection, treatment and / or storage was authorized by the owner.
11.11. The data provided by the provider and / or client of the SOCYA Foundation may be used to make inquiries of criminal, fiscal, disciplinary records and in the United States Office of Foreign Assets Control (OFAC list) prior to their hiring and / or conducting any legal business.
11.12. This policy will be valid indefinitely as of June 6, 2020. It is clarified that this policy does not make substantial changes with respect to its predecessor, it is simply issued in order to make it shorter and understandable to the general public.
Socya intellectual property
Code: DAPC 09 Version: 03 Date: February 2020