PRIVACY POLICY TREATMENT OF PERSONAL DATA

PRIVACY POLICY TREATMENT OF PERSONAL DATA OF ARUKAY S.A.S.

IN ITS CAPACITY AS RESPONSIBLE

 

ARUKAY S.A.S, company with NIT. No. 900.753.991-1, hereinafter "The Company", is responsible for the personal data and information provided by its employees, aspiring employees, former employees, contractors and former contractors, as well as its current, former and potential customers, suppliers and former suppliers, shareholders, end consumers and users.

This Privacy Policy and Treatment of Personal Data establishes the purposes, treatment and procedures of our databases, as well as the mechanisms that the Data Controllers have to know, update, rectify, delete the data provided or revoke the authorization granted with the acceptance of this policy through our website, or through any other suitable means to express their willingness to accept this policy. The execution of employment and service contracts with the Company, the application to enter into these contracts and/or the express or tacit acceptance of this policy, implies the acceptance of the Holders of this Privacy Policy and Processing of Personal Data and their authorization for the uses and other treatments described herein.

  1. RESPONSIBLE FOR DATA PROCESSING.

The responsible for the processing of personal data and other information of the Holders is ARUKAY S.A.S, company with NIT. No. 900.753.991-1, its domicile and address is at Carrera 15 #127B-78, apartment 403, in the city of Bogotá D.C., D, Colombia; telephone: +1 (646) 675-7650 ; E-mail for legal notification: [email protected]

  1. GENERAL ASPECTS OF THE RULES ON PERSONAL DATA PROTECTION AND VALIDITY.

2.1. Legislation in force: The National legislation in force regarding Personal Data Protection is Law 1581 of 2012, Law 1266 of 2008, Decree 1377 of 2013, Decree 1074 of 2015 and the rules that regulate, replace or modify them.

DEFINITIONS: For a better understanding and compliance with this Policy, the following legal definitions must be taken into account:

  • Privacy notice: is one of the verbal or written communication options provided by the Company to inform the owners of the information, the existence and ways to access the policies of treatment of information and the purpose of its collection and use.
  • Authorization: Prior, express and informed consent of the Data Subject to carry out the processing of personal data.
  • Database: Organized set of personal data that is subject to Processing.
  • Consultation: request of the Personal Data Subject, of the persons authorized by him/her, or those authorized by law, to know the information about him/her in the Company's Databases.
  • Personal data: Any information linked or that can be associated to one or several determined or determinable natural persons.
  • Private personal data: data that due to its intimate or reserved nature is only relevant to the Data Subject.
  • Public personal data: It is the data qualified as such according to the provisions of the law or the Political Constitution and that which is not semi-private, private or sensitive. Public data includes, among others, data relating to the marital status of individuals, their profession or trade, their status as merchants or public servants, and data that may be obtained without any reservation whatsoever. Due to their nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins, duly executed court rulings that are not subject to confidentiality.
  • Semi-private personal data: data that is not of an intimate, reserved or public nature and whose knowledge or disclosure may be of interest not only to its owner but also to a certain sector or group of persons, or to society in general. For example: data referring to the fulfillment and non-fulfillment of financial obligations or data relating to relations with social security entities.
  • Sensitive Data: Data that affect the privacy of the Data Subject or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social organizations, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sex life and biometric data, such as fingerprints.
  • Data Processor: Natural or legal person, public or private, that by itself or in association with others, performs the Processing of personal data on behalf of the Data Controller.
  • Security incident: Refers to the violation of security codes or the loss, theft and/or unauthorized access of information from a database.
  • Platform: Refers to Arukay identified with the domain arukay.com.
  • Claim: request from the Data Subject or the persons authorized by him/her or by law to correct, update or delete his/her Personal Data or when they notice that there is an alleged non-compliance with the data protection regime.
  • Data Controller: Natural or legal person, public or private, who by himself or in association with others, decides on the database and/or the processing of the data.
  • Procedural requirement: prior step to be taken by the Data Subject before filing a complaint before the Superintendence of Industry and Commerce. This consists of a direct complaint to the person in charge of or responsible for the Personal Data.
  • Data Subject: Natural person whose personal data is the object of processing.
  • Processing: Any operation or set of operations on Personal Data, such as the collection, storage, use, circulation, transfer, transmission, updating or deletion of Personal Data, among others. The Processing may be national (within Colombia) or international (outside Colombia).
  • Transmission: Processing of personal data that involves the communication of such data within or outside the territory of the Republic of Colombia when its purpose is the performance of a Processing by the Processor on behalf of the Controller.
  • Transfer: Processing of Personal Data that takes place when the Controller and/or Data Processor sends the Personal Data to a recipient, which in turn is the Data Controller and is located inside or outside Colombia.

 

Principles governing the processing of personal data: All activities related to the processing of personal data contained in the Company's database must comply with the principles recognized by law and the jurisprudence of the Colombian Constitutional Court, which are summarized below:

  • Principle of purpose: The processing made to the data must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Data Subject.

 

  • Principle of Necessity and Proportionality: The personal data recorded in the database must be strictly necessary to fulfill the purposes of the Processing. In this sense, they must be adequate, relevant and in accordance with the purposes for which they were collected.

 

  • Principle of temporality: The period of conservation of personal data in our database must be the necessary to achieve the purpose for which we have collected them.

 

  • Principle of freedom: Processing may only be carried out with the prior, express and informed consent of the Data Subject. Therefore, personal data may not be obtained or disclosed without prior authorization, or in the absence of legal or judicial mandate.

 

  • Principle of truthfulness: The information subject to processing must be true, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fractioned or misleading data is not allowed.

 

  • Principle of transparency: The right of the Data Subject to obtain from the Company, at any time and without restrictions, information about the existence of data concerning him/her, must be guaranteed in the Processing.

 

  • Principle of restricted access and circulation: Personal data, except for public information, may only be on the Internet when access is technically controllable in order to grant restricted knowledge only to the Owners of the personal data or to authorized third parties.

 

  • Principle of security: The person responsible and in charge of the processing of personal data shall comply with all technical, human and administrative measures necessary to provide security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.

 

  • Principle of confidentiality: All persons involved in the processing of personal data that are not of a public nature are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks involved in the processing.

 

  • Non-discrimination: It is forbidden to carry out any act of discrimination based on the information collected in the databases or files.

 

  • Reparation: It is an obligation to compensate the damages caused by possible failures in the processing of personal data.

 

  • Principle of limitation in the collection: Only Personal Data that are strictly necessary for the fulfillment of the purposes of the Processing must be collected, in such a way that the recording and disclosure of data that are not closely related to the purpose of the Processing is prohibited. Consequently, every reasonable effort should be made to limit the processing of personal data to the minimum necessary. In other words, the data must be: (i) adequate, (ii) relevant and (iii) in accordance with the purposes for which they were intended.

 

2.4. Penalties for non-compliance with the Legislation in Force: Failure to comply with this policy and the obligations disclosed herein may result in sanctions for The Company ranging from fines of up to two thousand (2,000) current minimum monthly wages, to the immediate and definitive closure of the company.

2.5. Validity: This policy shall be effective as of 01/01/2021.

  1. PURPOSE OF THE DATABASE.

3.1. In relation to the database of candidates for employees, employees, contractors, former employees and former contractors of The Company:

  1. Fulfill the purpose of the labor, civil or commercial relationship acquired with the Holders.
  2. To keep and manage the information of the labor or commercial relationship with the Holders.
  3. To publish and disseminate on the Company's website, on the Platform or any other means of dissemination, the professional academic profiles of the Holders.
  4. Conduct historical, administrative or statistical studies of the Company's personnel.
  5. Keep a record of disciplinary sanctions imposed on contractors and employees of the Company.
  6. Maintain the safety of the Company's facilities and those who work there.
  7. Maintain direct communication with the Holders for issues related to their labor or commercial relationship.
  8. The control and preservation of the security of people, property and information of the Company.
  9. Verification and verification of the identity and criminal, financial disciplinary and credit history of the holders.
  10. Verify conflicts of interest in new employees or contractors of the Company and its subsidiaries, as well as their inabilities and incompatibilities.
  11. Keep a record of disciplinary sanctions imposed on contractors and employees of the Company.
  12. To protect the health of the Company's employees and contractors.
  13. Fulfill the corporate purpose of the Company.
  14. Prevent and verify the commission of crimes or criminal conduct by employees, contractors and applicants, for which different databases and sources may be consulted, such as databases of the National Police, Comptroller's Office, Interpol, FBI, SDNT list (or "Clinton List"), SARLAFT, SAGRAFT, as well as the corresponding social networks, in the form in which they are available.
  15. Transmit, transfer and provide the information and personal data of the Holders to those third parties in charge of administering the social security system in Colombia, as well as to insurance companies.
  16. Transmit, transfer and provide the information and personal data of the Holders to third parties, in those cases in which there is an employer substitution or in those cases in which the Company assigns its contractual position.
  17. Transmit, transfer and provide the information and personal data of the Data Controllers to third parties, with the purpose of providing labor and/or professional references about the Data Controllers.
  18. To verify labor, professional and commercial background and any reference concerning your professional and commercial suitability.
  19. For the evaluation and development of selection processes and their history.
  20. To comply with the labor obligations of the Company, such as: administrative management of the labor relationship, payroll payments, affiliations, payments and reports to the comprehensive social security system; payment of parafiscal taxes, among others.
  21. To give attention to consultations, requests, applications, actions and claims, made by the owner of the information or by their representatives or rightful claimants, or by entities of the general system of integral social security to which the owner is or has been linked.
  22. To participate in public or private contracting processes, and to meet the conditions or requirements of such contests, bids, public or private expressions of interest, public or private pre-qualifications, submission of proposals, and in general, to register or participate in any public or private contracting selection process.
  23. Socialization of policies, projects, programs and organizational changes.
  24. Statistical, commercial, strategic, financial, social, technical and risk rating analyses.
  25. To protect the health of the Company's employees and those who visit its facilities.

3.2. In relation to the databases of current, former and future customers and commercial allies:

  1. Communication with the Holders for contractual, informative or commercial purposes.
  2. Compliance with legal, accounting, commercial and regulatory duties.
  3. The control and preservation of the security of people, property and information of the Company.
  4. Socialization of policies, projects, programs and organizational changes.
  5. The dissemination of cases or matters handled by the Company that have been successful and representative.
  6. Statistical, commercial, strategic, financial, social, technical and risk rating analyses.
  7. The fulfillment of the Company's corporate purpose and the fulfillment of the contractual or civil purpose with the Holders.
  8. Transmit, transfer and provide the information and personal data of the Data Controllers to subsidiaries, subsidiaries or affiliates of The Company, commercial allies or other national or international companies or persons that The Company entrusts to carry out the processing of the information and comply with the purposes described in this Policy and the purpose of the commercial or civil relationship with the Data Controllers, or for such third parties to assume the position of Responsible Parties.
  9. Transmit, transfer and provide, free of charge or onerous, the information and personal data of the Data Controllers to national or international commercial partners so that they may contact the Data Controllers to offer them their products, information or services that, in the Company's opinion, may be of interest to the Data Controller.
  10. Transmit, transfer and provide the information and personal data of the Holders to national or international third parties, in those cases in which the Company participates in merger, integration, spin-off, liquidation and/or disposal of assets processes.
  11. Transmit, transfer and provide the information and personal data of the Data Controllers to national or international third parties, in those cases in which the Company has the interest to sell or market in any way the data as an asset or good of a commercial nature.
  12. Prevent and counteract a possible reputational risk that could affect the Company, for which different databases and sources may be consulted, such as databases of the National Police, Comptroller's Office, Interpol, FBI, SDNT list (or "Clinton List"), SARLAFT, as well as social and corresponding networks, in the form in which they are available.
  13. To verify labor, professional and commercial background and any reference concerning your professional and commercial suitability and/or behavior as a consumer.
  14. Verification and verification of the identity and criminal, financial disciplinary and credit history of the holders.
  15. To make reports to the databases of credit information operators and of a commercial nature.
  16. To manage the payment of remunerated sums, commissions, discounts and withholdings of a tax or parafiscal nature.
  17. To carry out marketing and advertising studies and strategies.
  18. Transmit, transfer and provide, free of charge or onerous, the information and personal data of the Data Holders to national and/or international governmental entities for projects managed by such entities.
  19. For marketing purposes and to send advertisements from the Company and/or third party business partners.
  20. To protect the health of the Company's Owners and of those who visit its facilities.
  21. Perform marketing, sales and promotional activities, telemarketing (telephone marketing), customer service, brand activation activities, prizes and promotions, directly or through third parties derived from commercial alliances or any link.
  22. To make invitations to events, improve services, and all those activities associated with the existing commercial relationship or link with the Company, or that which may come to have.
  23. Recording, publication and preservation of videoconferences.

3.3. In relation to the database of future, potential, current and former shareholders:

  1. The development, execution and fulfillment of the contractual relationship that the holder has with the Company.
  2. Compliance with legal, accounting, commercial and regulatory duties, and with requirements and requests for information from public authorities.
  3. Statistical, commercial, strategic, financial, social and technical analysis.
  4. Communication with owners for contractual, informational and commercial purposes.
  5. Compliance with legal, accounting, commercial and regulatory duties.
  6. Transmit, transfer and provide the information and personal data of the Data Controllers to subsidiary companies, subsidiaries or affiliates of The Company, commercial allies or other national and international companies or persons that The Company entrusts to carry out the processing of the information and comply with the purposes described in this Policy and the purpose of the commercial or civil relationship with the Data Controllers, or for such third parties to assume the position of Responsible Parties.
  7. In order to preserve the security of The Company, analyze and verify the information of The Company's shareholders.
  8. Transmit, transfer and provide the information and personal data of the Holders to national and/or international third parties, in those cases in which the Company participates in merger, integration, spin-off, liquidation and/or disposal of assets processes.
  9. To verify labor, professional and commercial background and any reference concerning your professional and commercial suitability.
  10. Verification and verification of the identity and criminal, financial disciplinary and credit history of the holders.
  11. For the exercise of the development of shareholder rights and the operation of the general shareholders' meeting.
  12. To protect the health of the Company's shareholders and those who visit its facilities.

3.4. In relation to the Company's supplier database:

  1. Fulfill the purpose of the civil or commercial relationship acquired with the Holders.
  2. To keep and manage the information of the commercial relationship with the Holders.
  3. Conduct historical, administrative or statistical studies of the Company's suppliers.
  4. Maintain the safety of the Company's facilities and those who work there.
  5. Maintain direct communication with the Holders for issues related to their commercial relationship.
  6. The control and preservation of the security of people, property and information of the Company.
  7. Verification and verification of the identity and criminal, financial disciplinary and credit history of the holders.
  8. Verify conflicts of interest in employees, shareholders or contractors of the Company and its subsidiaries, as well as their inabilities and incompatibilities.
  9. Keep a record of disciplinary sanctions imposed on suppliers of the Company.
  10. Fulfill the corporate purpose of the Company.
  11. Prevent and verify the commission of crimes or criminal conduct by employees, contractors and applicants, for which different databases and sources may be consulted, such as databases of the National Police, Comptroller's Office, Interpol, FBI, SDNT list (or "Clinton List"), SARLAFT, SAGRAFT, as well as the corresponding social networks, in the form in which they are available.
  12. Transmit, transfer and provide the information and personal data of the Holders to those third parties in charge of administering the social security system in Colombia, as well as to insurance companies.
  13. Transmit, transfer and provide the information and personal data of the Holders to third parties, in those cases in which there is an employer substitution or in those cases in which the Company assigns its contractual position.
  14. Transmit, transfer and provide the information and personal data of the Data Controllers to third parties, in order to provide professional references about the Data Controllers.
  15. To verify labor, professional and commercial background and any reference concerning your professional and commercial suitability.
  16. For the evaluation and development of supplier selection processes and their history.
  17. To manage and review the payment of sums for remunerated work, commissions, discounts and withholdings of a tax or parafiscal nature.
  18. Compliance with legal, accounting, commercial and regulatory duties, and with requirements and requests for information from public authorities.
  19. Statistical, commercial, strategic, financial, social and technical analysis.
  20. Communication with the Holders for contractual, informative and commercial purposes.

3.5. In relation to the end-consumer database.

  1. Communication with the Holders for contractual, informative or commercial purposes.
  2. Compliance with legal, accounting, commercial and regulatory duties.
  3. The control and preservation of the security of people, property and information of the Company.
  4. Socialization of policies, projects, programs and organizational changes.
  5. The dissemination of cases or matters handled by the Company that have been successful and representative.
  6. Statistical, commercial, strategic, financial, social, technical and risk rating analyses.
  7. The fulfillment of the Company's corporate purpose and the fulfillment of the contractual or civil purpose with the Holders.
  8. Transmit, transfer and provide the information and personal data of the Data Controllers to subsidiaries, subsidiaries or affiliates of The Company, commercial allies or other national or international companies or persons that The Company entrusts to carry out the processing of the information and comply with the purposes described in this Policy and the purpose of the commercial or civil relationship with the Data Controllers, or for such third parties to assume the position of Responsible Parties.
  9. Transmit, transfer and provide, free of charge or onerous, the information and personal data of the Data Controllers to national or international commercial partners so that they may contact the Data Controllers to offer them their products, information or services that, in the Company's opinion, may be of interest to the Data Controller.
  10. Transmit, transfer and provide the information and personal data of the Holders to national or international third parties, in those cases in which the Company participates in merger, integration, spin-off, liquidation and/or disposal of assets processes.
  11. Transmit, transfer and provide the information and personal data of the Data Controllers to national or international third parties, in those cases in which the Company has the interest to sell or market in any way the data as an asset or good of a commercial nature.
  12. Prevent and counteract a possible reputational risk that could affect the Company, for which different databases and sources may be consulted, such as databases of the National Police, Comptroller's Office, Interpol, FBI, SDNT list (or "Clinton List"), SARLAFT, as well as social and corresponding networks, in the form in which they are available.
  13. To verify labor, professional and commercial background and any reference concerning your professional and commercial suitability and/or behavior as a consumer.
  14. To carry out marketing and advertising studies and strategies.
  15. Transmit, transfer and provide, free of charge or onerous, the information and personal data of the Data Holders to national and/or international governmental entities for projects managed by such entities.
  16. For marketing purposes and to send advertisements from the Company and/or third party business partners.
  17. For security purposes, service improvement, service experience, Personal Data may be used, among others, as evidence in any type of process.
  18. DATA THAT ARE COLLECTED AND HOW THEY ARE OBTAINED.

The Company may expressly ask the Data Controllers or collect the data that are necessary to fulfill the purpose of the Database, which are -among others- the following:

4.1. In relation to databases of employees, contractors, former employees and former contractors: Name and surname, nationality, marital status, identification number, military passbook, professional card, fingerprint, date and place of birth, marital status, correspondence address, contact telephone number, e-mail, work, clinical or health, academic and patrimonial history, references, commercial background or financial, judicial, disciplinary and family information with other companies or public entities, recent photographs, images in surveillance cameras; images in videoconferences, occupational medical history; name, identification number, telephone, sex, date and place of birth, place of work, position or profession of the spouse or permanent partner of employees and contractors and of their relatives up to the fourth degree of consanguinity, second degree of affinity and/or first civil, gender, socioeconomic level, location and any other data that may be necessary to achieve the purposes described.

4.2. In relation to the databases of customers, suppliers, commercial allies: Name and surname, identification number, date of birth, correspondence address, contact telephone number, e-mail, commercial and judicial records, commercial and family relationships with other companies or public entities, needs and interests, place of work, domicile, fingerprints, photograph or images of face and body, signature, needs and interests and emotions.

4.3. In relation to future, potential, current and former shareholders' databases: Name and surname, identification number, date of birth, correspondence address, contact telephone number, e-mail, commercial and judicial background, commercial and family relationships with other companies or public entities, needs and interests, place of work, fingerprints, photograph or images of the face and body, signature, needs and interests.

4.4. In relation to the databases of end consumers: Name and surname, identification number, date of birth, correspondence address, contact telephone number, e-mail, commercial and judicial background, commercial and family relationships with other companies or public entities, needs and interests, place of work, address, fingerprints, photograph or images of face and body, gender, location, socioeconomic level, signature, needs and interests.

FIRST PARAGRAPH. The data may be provided explicitly by the Data Controllers, or collected at the beginning and/or during the labor or civil or commercial relationship between the Data Controllers and the Company.

SECOND PARAGRAPH. The Company will only collect and process data considered as Sensitive Data in the cases permitted by law. For such events, the Holders are informed that they are not obliged to provide such data or to authorize its processing. Once such data has been provided and the corresponding consent has been granted, the data will be collected and processed only for the purposes described in this Processing Policy.

4.5. Forms of data collection: The Company will collect data through its website, the Platform (learning system), applications, emails, physical or digital forms, surveys by digital or physical means, among other means, to which the Data Owners have access through the media, web portals or software applications of The Company, and any other means it deems suitable.

  1. DATA OF MINORS.

The Company will use, store and process personal data of minors who are users of the Platform, and whose treatment has been authorized by their legal representatives. The purpose of such processing shall be solely to fulfill the corporate purpose of the Company and provide educational services Platform. For such purposes, the Company shall take into account the respect and prevalence of the rights of minors, their best interests and fundamental rights.

  1. SENSITIVE INFORMATION AND DATA

Data related to health status, political orientation, ethnicity and any other data related to customers, employees or contractors, or final consumers that are likely to generate an act of discrimination, are Sensitive Data. Consequently, in accordance with the provisions of the regulations in force, the Holders are informed that they are not obliged to provide such data or to authorize its processing. Once such data has been provided and the corresponding consent has been granted, such data will be collected and processed only for the purposes described in this Processing Policy. Such treatment will only be carried out by means of the qualified authorization that the Company has for such purposes.

Holders who intend to make requests through the Company's Platform where it is necessary to provide sensitive information, must warn within the application, informing such situation within the corresponding form, for which, taking into account the nature of the requests and the service offered by the Platform, must grant their authorization for the processing of sensitive personal data, for the purposes of using the application and processing the petition process. If not granted, they must refrain from making such requests through the Platform and / or use it for such purposes, since, for the provision of the service and its nature, such authorization is required.

  1. IMAGE RIGHTS

By participating in any videoconference sponsored by The Company, the Holders accept and authorize that their names and images appear in the programs, publications and other advertising media and in general in any material for promotional or commercial purposes that The Company may wish to make during the term of 50 years, without implying the obligation to remunerate or compensate them. Likewise, they waive any claim for image rights.

  1. AUTHORIZATION FOR COLLECTION AND PROCESSING OF PERSONAL DATA AND OTHER INFORMATION.

By providing any of the personal data in the manner indicated in this Policy, and/or the express authorization, verbally or in writing, the Data Subject expressly or unequivocally authorizes The Company to collect personal data and any other information provided, as well as to carry out the processing of his/her personal data, in accordance with this Processing Policy and the law.

In order to obtain the authorization, it is necessary to clearly and expressly inform the Data Subject of the following:

 

  • The processing to which your Personal Data will be submitted and the purpose of such processing;

 

  • The optional nature of the response to the questions asked, when they deal with sensitive data or with the data of children and adolescents;

 

  • The rights that you have as Data Subject provided in Article 8 of Law 1581 of 2012;

 

  • The Company's identification, physical or electronic address.

 

The Authorization of the Holder must be obtained through any means that may be subject to subsequent consultation, such as the website, forms, formats, activities, contests, face-to-face or in social networks, PQR format, data messages or Apps, email, telephone, registration or authentication on the Platform, among others.

8.1 Term of the authorization: The term of the Processing of Personal Data shall be from the time the authorization is granted until the day The Company is dissolved and liquidated or until the purpose for which the Personal Data was collected is terminated.

 

  1. TREATMENT OF PERSONAL DATA.

 

The Company will only use, process and circulate the personal data and other information of the Data Subject for the purposes described and for the treatments authorized in this Processing Policy or in the laws in force. In addition to what is mentioned in other clauses, the Data Subject expressly authorizes the Company to collect, use and circulate his/her personal data and other information for the following purposes and in the following circumstances:

  1. Establish communication between The Company and the Data Subjects for any purpose related to the purposes set forth in this policy, either through calls, text messages, emails, any data message and/or physical means.
  2. Audit, study and analyze the information in the Database to design and execute administrative, labor and financial strategies related to the Company's personnel.
  3. Audit, study, analyze and use the information in the Database for the socialization of policies, projects, programs, results and organizational changes.
  4. To provide the information and personal data of the Data Controllers to subsidiaries, subsidiaries or affiliates of The Company, commercial allies or other companies or persons that The Company entrusts to carry out the processing of the information and comply with the purposes described in this Policy and the purpose of the labor or civil relationship with the Data Controllers.
  5. In order to preserve the security of The Company, analyze and verify the information of employees and collaborators of The Company and those who participate in selection processes.
  6. Perform financial, legal, commercial and security risk rating.
  7. Consult, store and use the financial information obtained from third party database administrators, prior authorization of the Data Subject for such consultation.
  8. Combine personal data with information obtained from other allies, state entities or companies, as well as send it to them to implement joint commercial strategies.
  9. When the information must be disclosed to comply with laws, regulations or legal process, to ensure compliance with the terms and conditions, to stop or prevent fraud, attacks on the security of The Company, or others, prevent technical problems or protect the rights of others.
  10. Transmit, transfer and provide the information and personal data of the Holders to national or foreign strategic allies so that they may contact the Holders to offer them goods and services of their interest, receive offers from the Holders, invite them to participate in programs, projects, events, socialize policies, projects, programs, results and organizational changes, as well as to treat and process the data in third-party cloud servers.
  11. Sell or transfer the data to national and/or foreign third parties, subject to compliance with current legislation and this Policy.
  12. Transfer, transmit and provide, free of charge or for a fee, the information and personal data of the Data Controllers to national and/or foreign commercial partners so that they may contact the Data Controllers to offer them their products, information or services that, in the Company's opinion, may be of interest to the Data Controller.
  13. To provide the information and personal data of the Data Controllers to subsidiaries, subsidiaries or affiliates of The Company, commercial allies or other companies or persons that The Company entrusts to carry out the processing of the information and comply with the purposes described in this Policy and the purpose of the labor or civil relationship with the Data Controllers.
  14. Verify conflicts of interest or possible irregularities in new contractors and/or employees of the Company.
  15. Any others that are necessary to fulfill the purposes described in this Privacy Policy.
  16. Transfer, transmit and provide the information and personal data of the Holders to third parties, in those cases in which the Company participates in merger, integration, spin-off and/or liquidation processes.
  17. Making, recording, preserving, reproducing video recordings.
  18. To provide the Platform service.
  19. Process payments from customers or end-consumers.
  1. USE OF PERSONAL DATA UNDER THIS POLICY

The Company will only process the personal data and other information of the Holders for the purposes described and the uses authorized in this Policy or in the laws in force.

10.1 Authorization for new uses: The Company may request authorization from the owners for new uses of their data or information, for which purpose it will publish the changes in this Processing Policy on its website or in any medium it deems appropriate as the case may be.

  1. CHANGES IN TREATMENT POLICY.

Any substantial change in the Treatment Policies will be timely communicated to the Data Holders through publication on our web portals, billboards or informed by e-mail or any other means deemed appropriate.

  1. STORAGE OF PERSONAL DATA AND SECURITY CONDITIONS.

The Data Subject expressly authorizes the Company to store his/her personal data in the manner and with the security measures it deems most convenient and adequate. The Company's security measures seek to protect the data of the Data Controller in order to prevent its adulteration, loss, use and unauthorized access. To this end, the Company diligently implements human, administrative and technical protection measures that are reasonably within its reach. The Data Subject expressly accepts this form of protection and declares that he/she considers it convenient and sufficient for all purposes. The data, in any case will have the security and confidentiality policies that are indicated in the following link www.arukay.com/tratamiento_datos_personales

  1. RIGHTS OF THE OWNERS.

The Company informs the Holders that, in accordance with current legislation, they have the right to know, update, rectify their information, and/or revoke the authorization for its processing. In particular, in accordance with Article 8 of Law 1581 of 2012, the following are rights of the Holders:

  • To know, update and rectify their Personal Data with respect to the Data Controllers or Data Processors. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or data whose processing is expressly prohibited or has not been authorized. For this purpose, it is necessary to previously establish the identification of the person in order to prevent unauthorized third parties from accessing the data subject's data.

 

  • Request proof of the authorization granted to the Company, unless it is one of the cases in which authorization is not required, in accordance with the provisions of Article 10 of Law 1581 of 2012.

 

  • Be informed by the Company, upon request, regarding the use it has made of your Personal Data.

 

  • To file before the Superintendence of Industry and Commerce complaints for violations to the provisions of the law and other regulations that modify, add or complement it.

 

  • To revoke the authorization and/or request the deletion of the data when the processing does not respect the constitutional and legal principles, rights and guarantees.

 

  • Object to the data being processed by the Company.

 

  • Move, copy, or transfer personal data from one controller to another, in a secure manner, in a readable and commonly used format (right of portability).

 

  • Access free of charge to your Personal Data that has been subject to Processing.

 

The request for deletion of the information and the revocation of the authorization shall not proceed when the Data Subject has a legal or contractual duty to remain in the database of the Data Controller.

 

  1. DUTIES OF THE COMPANY AS CONTROLLER OF PERSONAL DATA

The Company is obliged to comply with the duties imposed by law. Therefore, it must act in such a way as to comply with the following duties:

 

  • Guarantee to the Data Subject, at all times, the full and effective exercise of the rights mentioned in this Policy.

 

  • Observe the principles set forth in this policy in the Processing of Personal Data.

 

  • Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access.

 

  • Update the information when necessary.

 

  • Rectify the Personal Data when appropriate.

 

  • To provide to the Data Processor only the Personal Data whose Processing is previously authorized.

 

  • Ensure that the information provided to the Data Processor is truthful, complete, accurate, updated, verifiable and understandable.

 

  • Communicate in a timely manner to the Data Processor, all developments with respect to the data previously provided and take other necessary measures to ensure that the information provided to it is kept up to date.

 

  • Inform in a timely manner to the Data Processor the rectifications made on the Personal Data so that it proceeds to make the appropriate adjustments.

 

  • To require the Data Processor at all times to respect the security and privacy conditions of the Data Subject's information.

 

  • Inform the Data Processor when certain information is under discussion by the Data Subject, once the claim has been filed and the respective process has not been completed.

 

  • Inform the Superintendence of Industry and Commerce when there are violations to the security codes and there are risks in the administration of the information of the Holders.

 

Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

  1. STATEMENTS OF THE HOLDERS

The owners state that:

 

  • By voluntarily providing any of the personal data in the manner indicated in the preceding paragraph, the express verbal or written authorization, the registration or creation of a profile or account on the Platform, or the authentication or entry to the Platform by means of authentication with the account of the holder subscribed to a third party, including, but not limited to Microsoft, Google or Facebook, the holder expressly and unequivocally authorizes The Company to collect personal data and any other information you provide, as well as to perform the treatment on your personal data, in accordance with this Policy and the law.

 

  • They were informed about the purposes for which the collected sensitive data will be used, which are described in Title I of this Policy.

 

  • They understand that sensitive data are those that affect the privacy of the holder or whose improper use may generate discrimination, as well as those of racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, data related to health status, sex life and biometric data.

 

They understand the security measures that the Company implements to provide protection to the personal data it collects and, therefore, accept the same

  1. PROCEDURE FOR CONSULTATIONS, UPDATES, REQUESTS AND CLAIMS REGARDING PERSONAL DATA.

who is in charge of the company's Personal Data Protection Area.

  1. Procedure to exercise your rights. All requests made by the entitled persons to know the Personal Data held by the Company shall be channeled through the aforementioned e-mail in which the date of receipt of the query and the identity of the applicant shall be stated. The claim must be addressed to ARUKAY S.A.S. and contain at least the following information: 1) Name and identification of the Data Holder or the person entitled. 2) Precise and complete description of the facts that give rise to the claim. 3) Claims. 4) Physical or electronic address to send the response and report on the status of the procedure. 5) Documents and other relevant evidence that you want to assert.
  2. Requests and Consultations on Personal Data. When the data owner or his assignees wish to consult the information contained in the database, the Company will respond to the request within a maximum period of ten (10) working days. In compliance with the provisions of Law 1581 of 2012, when it is not possible to answer the query within that period, the Data Subject will be informed, the reasons for the delay will be stated and the date on which the query will be answered will be indicated, which may not exceed five (5) business days following the expiration of the first term.
  3. Revocation of authorization, withdrawal or suppression of the Database and complaints about Personal Data. When the owner of the data or their assignees consider that the information contained in the databases should be corrected, updated or deleted, or when they notice the alleged breach of any of the duties contained in Law 1581 of 2012, they may file a claim with the Company, which will be processed under the following rules:
  • The claim shall be formulated by means of a request addressed to the Company with the identification of the Holders, the description of the facts that give rise to the claim, the notification address, and the documents to be asserted shall be attached. If the claim is incomplete, The Company may require the interested party within five (5) days following receipt of the claim to correct the faults. After two (2) months have elapsed from the date of the requirement, without the applicant submitting the required information, it shall be understood that the claim has been withdrawn.
  • In the event that the Company is not competent to resolve the claim, it will transfer it to the appropriate person within a maximum term of two (2) business days and inform the Data Subject of the situation, which will relieve the Company of any claim or liability for the use, rectification or deletion of the data.
  • Once the complete claim has been received, when it cannot be resolved in an expeditious manner and whenever it is technically possible, a legend will be included in the database stating "claim in process" and the reason for it, within a term no longer than two (2) business days. Such legend shall be maintained until the claim is decided.
  • The maximum term to address the claim will be fifteen (15) business days from the day following the date of receipt. When it is not possible to address the claim within such term, the Holder will be informed of the reasons for the delay and the date on which the claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term. The withdrawal or suppression shall not proceed when there is a contractual or legal duty to remain in the Company's database, such as, for example, for the fulfillment of accounting, tax, commercial or legal duties.
  1. COMPLAINTS TO THE SUPERINTENDENCE OF INDUSTRY AND COMMERCE

The Holder, its assignees or attorneys-in-fact, shall exhaust the consultation process before the Company or its designee, prior to the filing of any complaint before the Superintendence of Industry and Commerce as a Procedural Requirement.

  1. POLICY FOR THE DELETION AND/OR SUPPRESSION OF PERSONAL DATA

The Company, in accordance with the principles of purpose, necessity, proportionality and temporality, will process the personal data of the owners. Once the purpose of such processing has been fulfilled and it is deemed necessary, it will proceed to the deletion or elimination of the data of the owners, according to the following parameters:

  1. The Company will evaluate on a semi-annual and annual basis the information of the owners, and according to its characteristics and status, will proceed to choose those data that it considers at its discretion that should be deleted or eliminated. For such purposes, it will take into account whether there are rights of the owners that prevent the deletion of the data or whether there are legal, contractual or constitutional duties that prevent the deletion.
  2. The Company will previously inform the owners of the decision and the basis for the deletion of their personal data who, through the enabled channels, may exercise their right to file queries, petitions or claims regarding such decision within the following fifteen (15) business days. The consultations, petitions or claims will follow the procedures established in section 16. In the event that there is no claim or petition in relation to the decision, the deletion will be carried out.
  3. The Company shall submit the corresponding minutes and records regarding the processes of suppression and elimination of the personal data of the owners, for the purposes of traceability of the procedure.
  1. CONFIDENTIALITY, FUNDAMENTAL RIGHTS AND ANONYMIZATION OF PERSONAL DATA

The Company is respectful of the fundamental rights of privacy, freedom of expression and the good name and honor of the owners of its databases, for which reason, in order to guarantee such rights, it will take the measures it deems appropriate in terms of confidentiality, such as the following:

  1. Refrain from disclosing all or part of the confidential information received to any natural or legal person, governmental or private entities, which has not been previously authorized.
  2. Refrain from using, exploiting, employing, publishing or disclosing confidential information in a manner different from that authorized in this policy.
  3. Instruct all those who may have access to confidential information on how to handle, use, manage security measures and others, so that such information remains properly managed and protected.
  4. The use of confidential information is carried out in compliance with the principles of ethics and good practices in the protection of personal data. To this end, the Company expressly states that it uses all means at its disposal to prevent such irregular or unauthorized use of confidential information.
  5. The Company will anonymize the personal data of the owners, when it considers that it may affect their right to privacy, good name and honor. In any case, the Company, at the request of the owners and presenting the reasons for it, will carry out the corresponding anonymization of any personal data.
  6. The Company will not censor the personal information of the owners, as long as it is within the framework of good customs, the law and the constitution, guaranteeing the fundamental right of the owners to their freedom of expression.
  1. CONDITIONS TO WHICH SENSITIVE DATA ARE SUBMITTED

The Company will apply the necessary measures to carry out the processing of sensitive data of the holders in accordance with the provisions of Law 1581 of 2012, which is why it will refrain from processing personal data that are not expressly authorized by the Holder. Likewise, it will implement the necessary security and confidentiality measures to avoid any incident and/or violation of such information. The treatment will be exceptional and in accordance with the treatment and purposes stipulated in the qualified authorization and in accordance with the principle of Demonstrated Responsibility.

In any case, the holder must implement the necessary diligence to maintain the confidentiality and security of their sensitive personal information.

  1. INFORMATION ACCURACY AND QUALITY POLICIES

In the development of the principle of truthfulness and quality of information, the Company will take the necessary measures to ensure that the information contained in its databases is true, complete, accurate, updated, verifiable and understandable. For this reason, the Company requests the necessary and integral information from the Data Holders for the purposes of the respective processing. Likewise, it will request the necessary supports, so that the information in its databases is verifiable and true. For the above purposes, the Company will implement the following measures.

  1. It will take all measures so that, in the collection of information from the owners, complete, accurate, updated, verifiable and understandable information is obtained. In this sense, it will implement due diligence measures in the means of data collection for such purposes.
  2. It will offer update forms on a semi-annual basis to the holders, so that they can update their personal data.
  3. Refrain from processing the personal data of the owners, with partial, incomplete, fractioned or confusing information.
  4. It will verify the identity of the holders and the information provided, requesting the necessary documents of accreditation in each particular case, and may request, among others, the following: Citizenship card, Rut, judicial and police records, credit history, certifications from private and/or public entities.
  5. The Company will conduct biannual audits on the accuracy and quality of its information, and if irregularities and/or shortcomings are found in the same, the Company will require the holders to provide the necessary information and support.
  1. REFRAINING FROM PROCESSING DATA RELATED TO CRIMINAL RECORDS

The Company will refrain from processing personal data concerning the criminal records of individuals. However, it may verify public databases containing this type of information, with the sole and exclusive purpose of guaranteeing the legality of its operations and the security of the company and its employees.

  1. AUTOMATED DATA PROCESSING

The Company may carry out automated processing of personal data, therefore, it uses artificial intelligence applications, in order to achieve efficiency in its processes and perform profiling studies. These studies will not be made available to the public and will be kept under the confidentiality and security conditions stipulated in this policy.

However, personal data that are subject to an automation process are not used to make individual decisions about the rights of individuals, and are not the sole referent for decisions governing the Company's processing of personal data.

In any case, in the event that automated personal data processing is carried out that may eventually affect the data subjects, the Company will inform the data subjects and guarantee their right to object to the processing in question and its results.

  1. PRIVACY NOTICE

a. The privacy notice informs the Data Subject about the existence of the policies and procedures for the Processing of Personal Data contained in this policy, as well as the characteristics of the Processing that will be given to the Personal Data, and shall contain, at least, the following information: (i) identity, address and contact details of the Controller or Processor; (ii) type of Processing to which the Personal Data will be subject and its purpose; and (iii) the general mechanisms provided by the Controller for the Data Subject to know the Processing Policy and the mechanisms for consultation of the Data Subject's Personal Data.

The Company shall keep a copy of the model privacy notice that is transmitted to the Data Controllers for as long as the Processing of Personal Data is carried out and the obligations deriving therefrom last. For the storage of the model, the Company or its designee may use computer, electronic or any other technology. The privacy notice for the processing of personal data is available and can be consulted through the Platform's website.

  1. PERIOD OF VALIDITY OF THE DATABASE.

The personal data incorporated in the Database will be valid for the period necessary to fulfill its purposes and to allow the Company to comply with its legal and contractual obligations.

  1. NATIONAL OR INTERNATIONAL TRANSMISSIONS OR TRANSFERS OF PERSONAL DATA

The Company may transfer or transmit data to one or more Agents or Responsible Parties located within or outside the territory of the Republic of Colombia when so authorized by the Data Subject, by law or by an administrative or judicial mandate. For all purposes, it is understood that with the acceptance of this policy, the owners consent that The Company transfers or transmits the data internationally to its cloud computing service providers, to which The Company certifies that they are located in a jurisdiction with an adequate level of protection(i.e., the United States under the Safe Harbor framework).

  1. APPLICATION OF GUARANTEES AND RIGHTS OF THE REGULATION ESTABLISHED IN REGULATION (EU) 2016/679.

In the event that the Company has operations and acts that are subject and competence of the European Union regulation on Personal Data Protection, in its capacity as Responsible, will ensure the exercise of the prerogatives, guarantees and rights conferred in Regulation (EU) 2016/679. For such purposes, the Data Subject shall state in its claim or request the reasons and facts that support the application of such regime.

Likewise, prior to the use of the application, the Company must be informed of such situation through the channels provided for such purposes.

In any case, in application of the aforementioned regime, the Company will guarantee the exercise of the rights of restriction and portability of personal data, when requested by the owners and in the events of its origin in accordance with the regulation.