POLICY OF TREATMENT IN THE MATTER OF PERSONAL DATA PROTECTION ÁLVAREZ LIÉVANO LASERNA S.A.S.

The company ALVAREZ LIEVANO LASERNA S.A.S committed to the legal use, treatment in accordance with the established purposes and the security and privacy of the information it collects, stores, uses, circulates or deletes, containing personal data and in compliance with the legal mandate, established in the political constitution of Colombia in articles 15 and 20, law 1581 of 2012 "General provisions for the protection of personal data", decree 1377 of 2013 "By which law 1581 of 2012 is partially regulated" and decree 886 of 2014 "By which law 1581 of 2012 is partially regulated, regarding the registration of databases" and the commitment regarding the treatment of information, establishes general measures to ensure adequate levels of security and privacy for the protection of personal data, in order to avoid possible adulteration, loss, consultation, use or unauthorized access, applicable to personal data recorded in any database managed by the company and whose owner is a natural person.

 

CHAPTER I - GENERAL PROVISIONS

Article One. DEFINITIONS. For the fulfillment of the objective, the following concepts are defined:

Authorization: Prior, express and informed consent of the Data Subject, to carry out the processing of personal data.

Privacy notice: Verbal or written communication generated by the responsible party, addressed to the holder for the processing of personal data, through which he/she is informed about the existence of the information processing policies that will be applicable, how to access them and the purposes of the processing that is intended to be given to personal data.

Database: Organized set of personal data that is subject to processing.

Personal data: Any information linked or that can be associated to one or several determined or determinable natural persons.

Public data: Data that is not semi-private, private or sensitive. Public data includes, among others, data relating to the marital status of individuals, their profession or trade, and their status as merchants or public servants. By their nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins, and duly executed court rulings that are not subject to confidentiality.

Semi-private data: Semi-private data is data that is not of an intimate, reserved or public nature and whose knowledge or disclosure may be of interest not only to its owner but also to a certain sector or group of persons or to society in general, such as financial and credit data of commercial activity or services referred to in Title IV of Law 1266 of 2008.

Sensitive data: Sensitive data are understood as those that affect the privacy of the holder or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sex life, and biometric data.

Private data: Private data. It is the data that due to its intimate or reserved nature is only relevant to the owner.

Data Processor: A natural or legal person, public or private, that by itself or in association with others, carries out the processing of personal data on behalf of the data controller.

Data Controller: Natural or legal person, public or private, who alone or in association with others, decides on the database and/or the processing of data.

Data subject: Natural person whose personal data is the object of processing.

Transfer: The transfer of data takes place when the controller and/or processor of personal data, located in Colombia, sends the information or personal data to a recipient, which in turn is responsible for the processing and is located inside or outside the country.

Transmission: Processing of personal data that involves the communication of such data within or outside the territory of the Republic of Colombia when its purpose is the performance of a Processing by the Processor on behalf of the Controller.

Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.

Article Two. OBJECTIVE. To establish the guidelines to obtain the authorization of the owners, to carry out the treatment of personal data, the purposes of use, the rights of the owners, the channels of attention, as well as the internal procedures collected by ALVAREZ LIEVANO LASERNA S.A.S.

Article Three. SCOPE. This policy applies to all personal information registered in ALVAREZ LIEVANO LASERNA S.A.S. database.

All employees, contractors and third parties who have a relationship with the company and who process personal data must comply with this policy and the procedures established for the processing of personal data.

Article Four. PRINCIPLES. The principles that will govern this policy and in general the collection, use and processing of personal data:

  1. Legality: All actions must be subject to the provisions of the law.
  2. Purpose: The treatment of personal data collected by ALVAREZ LIEVANO LASERNA S.A.S. will have a purpose which will be communicated to the owner.
  3. Freedom: Processing may only be carried out with the prior, express and informed consent of the owner. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves consent.
  4. Truthfulness: The personal data provided by the holder and to which ALVAREZ LIEVANO LASERNA S.A.S. gives treatment, must be truthful, complete, accurate, updated, verifiable and understandable. The treatment of partial, incomplete, fractioned or misleading data is prohibited.
  5. Transparency: ALVAREZ LIEVANO LASERNA S.A.S will guarantee the holder's right to obtain information about the existence of personal data concerning him/her.
  6. Restricted access and circulation: Processing may only be carried out by persons authorized by the owner and/or by the persons provided for by law. Personal data, except for public information, may not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to the owners or authorized third parties.
  7. Security: ALVAREZ LIEVANO LASERNA S.A.S, will adopt the technical, human and administrative measures necessary to ensure the security of the data processed by the first, in particular to prevent tampering, loss, consultation, use or unauthorized or fraudulent access.
  8. Confidentiality: All persons involved in the processing of personal data are obliged to guarantee the confidentiality of the information.

    Article Five. PURPOSES.

    1. Purposes of the processing of personal data: To comply with the objectives and functions established in the decree 4108 of 2011, law 1562 of 2012, law 1610 of 2013 and those established in the other legal provisions in force. In addition, manage in a timely and clear manner the requests and inquiries made by stakeholders of the company related to general information about the mission, functions, procedures, procedures, current regulations, processes, procedures and mechanisms for participation. Provide answers to queries, claims, requests for action, rectification or monitoring of data.
    1. Purposes of the processing of personal data of employees: The company ALVAREZ LIEVANO LASERNA S.A.S. carries out the processing of personal information of employees and their family nucleus in order to comply with the obligations arising from the respective labor relations. Such purposes include:
    • Staff engagement
    • Comply with the objectives and activities established as affiliations of employees and their beneficiaries (children, spouse, etc.).
    • Payroll processing
    • Comply with the objectives and activities established in the SGSST.
    • Issuing labor certifications
    • Perform administrative activities such as card issuance, fingerprint records, issuance of admission cards, teleworking, among others.
    • Publications on the website, reports, events or training.
    1. Purpose of processing personal data of former employees: The company serves as a basis for the issuance of labor certifications referred to in article 57, numeral 7 of the substantive labor code, at the request of the former employee. And serve as historical data for pension applications and occupational medical history.

    CHAPTER II - AUTHORIZATION

    Article Sixth. AUTHORIZATION. The collection, storage, use, circulation and deletion of personal data by ALVAREZ LIEVANO LASERNA S.A.S. requires the free, prior, express and informed consent of the owners thereof. ALVAREZ LIEVANO LASERNA S.A.S., in its capacity as responsible for the processing of personal data, has provided the necessary mechanisms to obtain the authorization of the owners of the data, no later than at the time of collection of their data, ensuring in any case that it is possible to verify the granting of such authorization.

    Article Seven. FORMS AND MECHANISMS FOR GRANTING AUTHORIZATION. The authorization may be recorded in a physical or electronic document or in any other format that guarantees its subsequent consultation, or by means of a suitable technical or technological mechanism by means of which the informed consent of the owner of the personal data may be evidenced.

    Article Eight. PROOF OF AUTHORIZATION. ALVAREZ LIEVANO LASERNA S.A.S. will keep records or mechanisms necessary to demonstrate when and how the authorization was obtained by the owners of personal data for the treatment of the same.

    CHAPTER III - RIGHTS AND DUTIES

    Article 9. RIGHTS. In accordance with the provisions of Article 8 of Law 1581 of 2012 and Articles 21 and 22 of Decree 1377 of 2013, the holder of the personal data has the right:

    1. To know, update and rectify their personal data with respect to those responsible for the processing or those in charge of the processing. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or data whose processing is expressly prohibited or has not been authorized.
    2. Request proof of the authorization granted by the data controller, except when expressly exempted as a requirement for the processing, in accordance with the provisions of Article 10 of Law 1581 of 2012.
    3. Be informed by the data controller or data processor, upon request, regarding the use it has made of your personal data.
    4. To file before the Superintendence of Industry and Commerce complaints for violations to the provisions of this law and other regulations that may modify, add or complement it.
    5. To revoke the authorization and/or request the deletion of the data when the treatment does not respect the principles, rights and constitutional and legal guarantees. The revocation and/or suppression will proceed when the superintendence of industry and commerce has determined that in the treatment the responsible or in charge have incurred in conduct contrary to this law and the constitution.
    6. Access free of charge to your personal data that has been processed.

    Article Ten. DUTIES. In accordance with the provisions of Article 17 of Law 1581 of 2012, ALVAREZ LIEVANO LASERNA S.A.S. is obliged to comply with the following duties:

    1. Guarantee the holder, at all times, the full and effective exercise of the right of habeas data.
    2. Request and keep, under the conditions provided for in this law, a copy of the respective authorization granted by the holder.
    3. Duly inform the holder of the purpose of the collection and the rights that he/she has by virtue of the authorization granted.
    4. Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access.
    5. Ensure that the information provided to the data processor is truthful, complete, accurate, up-to-date, verifiable and understandable.
    6. Update the information, communicating in a timely manner to the data processor, all the news regarding the data previously provided and adopting the other necessary measures so that the information provided to the data processor is kept up to date.
    7. Rectify the information when it is incorrect and communicate it to the person in charge of the treatment.
    8. Provide the data processor, as the case may be, only data whose processing is previously authorized in accordance with the provisions of this law; Require the data processor at all times to respect the security and privacy conditions of the holder's information.
    9. To process queries and claims formulated in accordance with the terms set forth in this law
    10. Adopt an internal manual of policies and procedures to ensure adequate compliance with this law and, in particular, for the handling of inquiries and complaints.
    11. Inform the data processor when certain information is under discussion by the owner, once the claim has been filed and the respective process has not been completed.
    12. Inform upon request of the owner about the use given to their data.
    13. Inform the data protection authority when there are violations to the security codes and there are risks in the administration of the information of the owners.
    14. Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

    CHAPTER IV - ACCESS, CONSULTATION AND COMPLAINT PROCEDURE

    Article eleven. RIGHT OF ACCESS. The right of access allows the interested party to know and obtain free information about their personal data subject to processing at least once every calendar month, whenever they require substantial changes in the policies of treatment of information that motivate new consultations. It is one of the rights that the law 1581 of 2012 recognizes to individuals so that they can control by themselves the use made of their personal data, and in particular the right to obtain information on whether it is being processed and if so the purpose of the same, as well as the information available on the origin of such data.

    In case of acting as successor, representative and/or attorney-in-fact, a document proving such capacity must be submitted, in addition to the identity document.

    The consultation will be answered within a maximum term of ten (10) working days from the date of receipt of the same. When it is not possible to attend the consultation within such term, the interested party will be informed, stating the reasons for the delay and indicating the date on which the consultation will be attended, which in no case may exceed five (5) working days following the expiration of the first term.

    In the event that the request does not meet the formal requirements of the regulations on data protection, the interested party will be asked to correct them, in order to be able to meet their right of access.

    Article Twelve Second. RIGHT TO UPDATE, RECTIFICATION. The Data Subject or their assignees who consider that the information contained in the databases that are processed by ALVAREZ LIEVANO LASERNA S.A.S. should be subject to correction, updating or deletion, or when they notice the alleged breach of any of the duties contained in Law 1581 of 2012, may file a claim. The claim request must be addressed to ALVAREZ LIEVANO LASERNA S.A.S. or to the persons in charge of the treatment, with the identification of the holder, the description of the facts that give rise to the claim, the address, and accompanying the documents you want to assert. If the claim is incomplete, the interested party will be required within five (5) days after receipt of the claim to correct the faults. After two (2) months from the date of the requirement, without the applicant submitting the required information, it will be understood that the claim has been abandoned. In the event that the person receiving the claim is not competent to resolve it, he/she will transfer it to the appropriate person within a maximum term of two (2) business days and will inform the interested party of the situation. The maximum term to address the claim will be fifteen (15) business days from the day following the date of receipt. When it is not possible to attend the claim within such term, the interested party will be informed of the reasons for the delay and the date on which the claim will be attended, which in no case may exceed eight (8) business days following the expiration of the first term. The beneficiary may request the rectification of the data he/she considers inaccurate or incomplete, and for such purpose must provide the documents supporting his/her claim and indicate the data he/she considers incorrect or inaccurate. Likewise, the beneficiary may request the modification or updating of his/her data in the File.

    Article thirteen. RIGHT TO SUPPRESSION OF DATA. The owner or his successors in title of the personal data has the right to request ALVAREZ LIEVANO LASERNA S.A.S. the suppression (elimination) in any of the following events:

    1. Consider that they are not being treated in accordance with the principles, duties and obligations set forth in the regulations in force.
    2. Are no longer necessary or relevant for the purpose for which they were collected.
    3. The period necessary for the fulfillment of the purposes for which they were collected has been exceeded.

    This suppression implies the total or partial elimination of personal information as requested by the holder in the records, files, databases or treatments carried out by ALVAREZ LIEVANO LASERNA S.A.S. However, this right of the holder is not absolute and consequently the company may deny the exercise of the same when:

    1. The holder has a legal or contractual duty to remain in the database.
    2. The deletion of data hinders judicial or administrative proceedings related to tax obligations, the investigation and prosecution of crimes or the updating of administrative sanctions.
    3. The data is necessary to protect the legally protected interests of the holder; to carry out an action in the public interest, or to comply with an obligation legally acquired by the holder.

    Paragraph 1. Procedural requirement. The Holder or assignee may only file a complaint with the Superintendence of Industry and Commerce once the consultation or claim process has been exhausted before ALVAREZ LIEVANO LASERNA S.A.S. or its representatives, in accordance with Article 16 of Law 1581 of 2012.

    Article Fourteen. REVOCATION OF AUTHORIZATION. The owners of the personal data may revoke the authorization granted at any time, except for those events in which a legal or contractual provision prevents it.

    In any case, the holder must initiate in his request if it is a total or partial revocation, the latter when only one of the purposes for which the treatment was authorized is to be eliminated, scenario in which the holder must indicate the purpose to be eliminated.

    CHAPTER V - INFORMATION SECURITY

    Article Fifteenth. SECURITY MEASURES. ALVAREZ LIEVANO LASERNA S.A.S. will adopt the technical, human and administrative measures necessary to ensure the security of personal data processed, thus avoiding its adulteration, loss, consultation, use or unauthorized or fraudulent access.

    CHAPTER VI - FINAL PROVISIONS

    Article Sixteen. DESIGNATION. ALVAREZ LIEVANO LASERNA S.A.S. will designate the ADMINISTRATIVE AND FINANCIAL AREA that will be in charge of the protection of personal data, will process the requests of the owners, and will guarantee the exercise of their rights.

    Article seventeen. EFFECTIVENESS. This personal data protection policy has been approved and adopted by the board of directors of ALVAREZ LIEVANO LASERNA S.A.S. in session of January 16, 2023 and effective since its approval.

     

    BOARD OF DIRECTORS

    ALVAREZ LIEVANO LASERNA S.A.S.

    JANUARY 2023