PERSONAL DATA PROTECTION POLICY

Personal Data Protection Policy at Sepúlveda & Sepúlveda Abogados S.A.S.

This Personal Data Protection Policy (hereinafter, the “Policy”) governs the collection, storage, use, circulation and deletion (hereinafter, the “Processing”) of Personal Data by Sepúlveda & Sepúlveda Abogados S.A.S. (hereinafter “S&S”), in accordance with the provisions of Statutory Law 1581 of 2012, Decree 1074 of 2015 and other concordant norms, which establish general provisions for the protection of Personal Data.

1. Information on the Party Responsible for Handling Personal Information

The Entity Responsible for Handling of Personal Data is:

– Company Name: Sepúlveda & Sepúlveda Abogados S.A.S.
– Main Office: Calle 93B No. 17-25, Office 313, Bogotá D.C., Colombia
– Address: Calle 93B No. 17-25, Office 313, Bogotá D.C., Colombia
– Email: contacto@syslegal.co
– Phone: +571 7 56 8574

2. Processing of Personal Data

Personal information of current and potential employees, clients and suppliers will be collected, stored, organized, used, circulated, transmitted, transferred, updated, corrected, deleted, eliminated and managed according to the nature of said data and in accordance with the purposes established in this Policy.

2.1. Purposes of Data Processing by S&S

The purposes of Personal Data Processing by S&S are the following:

2.1.1. Purposes for Processing Candidate Data: 

a) Analysis of a candidate’s information to initiate the hiring process.
b) Contacting the candidate to express the firm’s interest in initiating a hiring process.
c) Verifying the veracity and authenticity of the information provided in a resume with the entities in which the candidate completed studies and held positions.
d) Initiating a study of a candidate’s housing and security conditions to determine their entry into S&S as an employee.
e) Providing data to S&S partners and clients who are interested in contacting people with the candidate’s profile to explore possible employment.

2.1.2. Purposes for Processing Employee Data: 

a) Complying with legal obligations by S&S as an employer, e.g.: registration in the Social Security System and payment of contributions; registration in the Compensation Fund and payment of contributions; payment of withholdings to the DIAN (Colombian tax authority); issuing employment certificates and certificates of income and withholdings requested by the employee; and/or providing any information required by a national entity or authority that requires Personal Data; in accordance with current regulations.
b) Full identification of the employee, through filing and managing contact, professional and academic information, among others.
c) Depositing payments to the bank account or financial entity(ies) expressly indicated by the employee.
d) If applicable, obtaining life and medical insurance or granting any other benefit resulting from employment with S&S.
e) Maintaining the safety and health of employees in the workplace, in accordance with standards applicable to the Occupational Health and Safety Management System (hereinafter “SG-SST”, Spanish acronym) and maintenance of records required by Article 2.2.4.6.13, Decree 1072 of 2015.
f) Providing instructions upon execution of the employment contract.
g) Evaluating the employee’s work performance.
h) Collecting information and evidence for workplace disciplinary processes, if applicable.
i) Storing the employees’ personal data in internal S&S physical and computer files.
j) Notifying employees’ families of emergencies during working hours or upon their occurrence.
k) Using the information for procedures and documentation related to the employment relationship with S&S.
l) Sending information about S&S to our employees.
m) Conducting wellness activities for S&S employees within the company.
n) Maintaining exact employees’ residence information when home visits are required as a hiring procedure.
o) Maintaining a record of income dates and age of employees contributing to the AFP (Pension Fund Administrator), as support in the pension application process.
p) Decision-making in employment matters regarding performance and termination of the work contract, by either the Company’s legal department or its external advisor.
q) Other needs and requirements in the work environment.

Employees’ Personal Data will be subject to Processing even after the employment contract is terminated, to maintain historical and/or statistical information regarding compliance with labor obligations, such as:

a) Issuing employment certifications
b) Payment of contributions to the Comprehensive Social Security System.
c) Payment of salaries, social benefits and other legal and extralegal entitlements.
d) Compliance with safety and health regulations at work.
e) Reports of workplace health issues and accidents.
f) Any other necessary items for S&S to comply with its employer obligations.

2.1.3. Purposes for Processing Client Data:

a) Providing commercial offers for services to S&S clients.
b) Performance and fulfillment of contracts concluded between S&S and its clients.
c) Fulfillment of commercial contractual obligations.
d) Processing and ensuring compliance and delivery of products and/or services acquired by S&S clients.
e) Billing for services provided and products marketed by S&S to its clients.
f) Delivering advertising for S&S services.
g) Communicating activities and events organized by S&S.
h) Sending satisfaction surveys or any other mechanism to assess the quality of the products and services provided by S&S.
i) Answering and managing client service requests.
j) Validating background in security, OFAC and anti-terrorism lists, among others.

2.1.4. Purposes for Processing Vendor/Supplier Data:

a) Negotiation, selection and contracting of suppliers.
b) Making deposits and payments for services provided by vendors.
c) Internal accounting records and account control.
d) Organizing supplier information for issuance and delivery of purchase orders.
f) Communication, consolidation, organization, updating, monitoring, accreditation, insurance, statistics, reporting, maintenance, interaction, and management actions, information and activities relating or linking suppliers and contractors to S&S.
g) Validating background in security, OFAC and anti-terrorism lists, among others.

2.2. Processing of Financial Information

S&S may consult, request, supply, report, process and disclose all the information related to the credit, financial and commercial behavior of clients and suppliers before information operators, to analyze the viability and continuity of their contractual relationships. S&S will comply strictly with the obligations set forth in Law 1266 of 2008 and other applicable provisions.

2.3. Treatment of Sensitive Data 

“Sensitive Data” shall mean any information that may affect the Owner’s privacy or whose use may generate discrimination. These include those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, union membership, social or human rights organizations or that promote the interests of any political party, or guarantee the rights of opposition political parties, as well as data related to health, sex life and biometric data.

In the Treatment of Sensitive Data, S&S will strictly observe the limitations and obligations established by Law 1581 of 2012, its regulatory decrees and other concordant norms. Therefore, when processing Sensitive Data, S&S will:

a) obtain the Data Owner’s express consent;
b) inform the Owner that he/she/it is not obliged to authorize processing of Sensitive Data;
c) inform the Owner explicitly and in advance which data to be handled are sensitive and the purpose of the processing.

S&S collects Sensitive Data related to employees’ health, as well as biometric data (video and photography), for the following purposes:

a) Verifying if the employee meets the physical requirements necessary to perform the job for which he/she was hired.
b) Having the necessary information to attend to any medical emergency occurring during the provision of services in S&S facilities or during work related to the employment contract.
c) Complying with health and safety standards at work and implementing the SG-SST, and any other program, system and/or plan that seeks to protect the health of employees and people in the workplace.
d) Identifying personnel with access to S&S facilities.
e) Providing access to S&S facilities.
f) Verifying employees’ presence at S&S premises.
g) Complying with the legal obligations arising from the employment relationship, such as performing all necessary procedures for registering beneficiaries with the Social Security System, or any other activity mandated by applicable legislation.
h) Providing appropriate security in the training sessions and activities carried out by S&S for its employees.

2.4. Processing Personal Data of Minors

When S&S processes the Personal Data of children and/or adolescents, it will comply strictly with the limitations and obligations established in Law 1581 of 2012, its regulatory decrees and other concordant norms. Accordingly, in processing personal data of children and/or adolescents S&S will ensure that:

a) Processing responds to and respects the best interests of children and adolescents.
b) Processing ensures respect for the fundamental rights of children and adolescents.
c) The opinion of the minor, when he has the maturity, autonomy and ability to understand the matter, is considered.

S&S can process data on the children of employees who are under 18 years of age. This information will be collected with the authorization of parents or legal guardians, under the provisions of data protection regulations. Accordingly, the purposes of collecting these data are:

a) Complying with legal obligations arising from the employment relationship, such as performing all necessary procedures for enrolling beneficiaries in the Social Security System and other corresponding authorities, or any other activity required by applicable legislation.
c) Informing employees about the wellness activities S&S has organized for their minor children. 

3. Rights of Data Owners

In accordance with the provisions of Article 8, Law 1581 of 2012 and Decree 1074 of 2015 (Chapter 25), the Owner of Personal Data has the following rights:

a) Knowing, updating and rectifying Personal Data held by S&S in its capacity as Entity Responsible for Data Processing. This right may be exercised on partial, inaccurate, incomplete, fractioned, or misleading data, or data whose Processing is expressly prohibited or has not been authorized.
b) Requesting proof of the authorization granted to S&S.
c) Being informed by S&S, upon request, on the use given to his or her Personal Data.
d) Submitting to the Superintendence of Industry and Commerce (hereinafter, “SIC”) complaints for infractions of the provisions in Law 1581 of 2012, once the process of consultation or claims before S&S has been exhausted, in accordance with the provisions of this Policy.
e) Revoking the authorization and/or requesting the deletion of data when its Processing does not respect constitutional and legal principles, rights and guarantees. Such revocation and/or suppression will apply when the SIC determines that, during the data processing, the Responsible or Managing Entity has engaged in conduct contrary to the law and to the Constitution.
f) Having free access to personal data that have been processed by S&S.

These rights may be exercised only by the following persons:

a) The Data Holder, who must sufficiently prove his identity.
b) His or her successors, who must prove that status.
c) The Owner’s representative and/or agent, with prior accreditation of representation or power of attorney.
d) By stipulation, in favor of another or for another.

4. Area Responsible for Petitions, Queries and Claims

The S&S Legal Representative will be responsible for addressing requests, queries, claims, or complaints, and for the exercise of the Owner’s rights on Personal Data subject to Processing.

5. Procedure for Exercising Rights, Inquiries and Claims by the Owner of the Personal Data

5.1. Procedure for Access to and Consultation of Personal Data

The Owner of the Personal Data, or any of the persons authorized under the provisions of Chapter 4 of this Policy, may consult the information stored in the S&S databases. The request must be sent via email to contacto@syslegal.co, or by phone at 571 7568574. These requests may also be filed in writing Monday through Friday, 8:00 AM – 5:00 PM, at Calle 93B No. 17-25, Office 313 in Bogotá.

To prevent unauthorized third parties from accessing the Data Owner’s personal information, the Owner’s identity must be previously established. When the request is brought by a person other than the Owner, and there is insufficient proof he or she acts on behalf of the Owner, it will be deemed as not filed.

The inquiry will be attended to within a maximum term of ten (10) working days from the date of receipt. When it is not possible to resolve the query within said term, the interested party will be informed, stating the reasons for the delay and the date on which the consultation will be addressed, which in no case may exceed five (5) business days following the expiration of the first term.

5.2. Procedure to Request Update, Correction, Deletion, or Revocation of Authorization, or to Submit Claims

The Owner, or any authorized person who considers that the information contained in the S&S databases should be subject to correction, update or deletion, or who wishes to warn of an alleged breach of any of the duties in Law 1581 of 2012, Decree 1074 of 2015 or other complementary regulations, may file a claim with S&S. Said claim will be processed in accordance with the following:

a) The claim may be filed by an email to contacto@syslegal.co, or by delivering a written communication at Calle 93B No. 17-25, Office 313 in Bogotá, Monday through Friday, 8:00 AM – 5:00 PM.
b) To prevent unauthorized third parties from accessing the Data Owner’s personal information, the Owner’s identity must be previously established. When the request is brought by a person other than the Owner, and there is insufficient proof he or she acts on behalf of the Owner, it will be deemed as not filed.
c) The request must contain the following information:

i. The Owner’s identification.
ii. Contact information (physical and/or electronic address and contact telephone numbers).
iii. Documents that prove the identity of the Owner, or his representative’s authority.
iv. A clear and precise description of the Personal Data for which the Owner seeks to exercise any rights.
v. A description of the facts that give rise to the claim.
vi. Any documents to assert the claim.
vii. Signature, identification number and fingerprint.
viii. Original copy.

d) If the claim is incomplete, S&S will require the interested party to correct the faults within five (5) days following receipt of the claim. If the applicant does not submit the required information within two (2) months from the date of request, the claim shall be deemed abandoned.
e) If the area receiving the claim is not competent to resolve it, it will notify the appropriate area within a maximum period of two (2) business days, and inform the requesting party of the situation.
f) Once the complete claim has been received, a tag stating “Claim in Process” and the reason thereof will be included in the database, within a term not exceeding two (2) business days. This tag must be maintained until the claim is decided.
g) The maximum term to resolve the claim will be fifteen (15) business days counted from the day following the date of receipt. When it is not possible to resolve the claim within said term, the interested party will be informed of the reasons for the delay and the date on which his claim will be attended to, which in no case may exceed eight (8) business days following the expiration of the first term.

5.3. Data Suppression

The Holder has the right, at all times, to request that S&S delete (remove) his or her Personal Data if:

a) He or she considers the data are not being treated in accordance with the principles, duties and obligations set forth in Law 1581 of 2012, Decree 1074 of 2015 and other regulations that complement or modify them.
b) The data have ceased to be necessary or pertinent for the purpose for which they were collected.
c) The period for fulfillment of the purposes for which the data were collected has been exceeded.

This deletion implies partial or total removal of Personal Data, as requested by the Owner, in S&S records, files, databases or Processing. The right of removal is not absolute, and the Responsible Entity may deny the same when:

a) The Owner has a legal or contractual duty to remain in the S&S database.
b) The suppression of Personal Data hinders judicial or administrative proceedings related to tax obligations, the investigation and prosecution of crimes, or the updating of administrative sanctions.
c) The Personal Data is necessary to uphold the legally protected interests of the Owner, to carry out an action in the public interest, or to comply with an obligation legally acquired by the Owner.

5.4. Revocation of Authorization 

The Owner of the Personal Data may revoke the consent for processing his or her Personal Data at any time, as long as the revocation is not legally prohibited. 

6. Information Security 

In compliance with security principles, S&S has adopted reasonable technical, administrative and human measures to protect the Owners’ information and prevent its adulteration, loss, unauthorized consultation or use, or fraudulent access. Access to Personal Data is restricted to its Owners, and S&S will not allow third parties to access said information under conditions other than those set forth in this Policy, except with an express request by the Data Owner or by legally authorized persons in accordance with national regulations. Notwithstanding the above, S&S will not be responsible for actions taken by third parties to violate the security measures established for the protection of Personal Data.

7. Retention Period for Personal Data 

The Personal Data collected by S&S will be maintained for a period of time necessary and proportional to the Processing purposes indicated in this policy. The term of the Authorizations on the use of the personal data shall be equal to the term of the commercial service relationship and the fulfillment of the S&S corporate purpose, except in cases where the law provides a different term.

Additionally, S&S will suppress Personal Data when the Owner so requires, in accordance with the provisions in Law 1581 of 2012 and its regulatory decrees, and in this Policy. 

8. Term of the Policy 

This Policy applies as of January 2, 2019. Any substantial change in this policy will be announced by publication on the website www.syslegal.co.