Personal Data Processing Policy

Addimentum > Personal Data Processing Policy

ADDIMENTUM S.A.S. (hereinafter referred to as "the Company") adopts this Personal Data Protection Policy in compliance with the provisions of Law 1581 of 2012 and its Regulatory Decree 1377 of 2013, as well as other regulations that modify or regulate it, with the purpose of protecting the information and the exercise of the rights of the Data Subjects whose Data are Processed by the Company.

Personal Data held by the Company, in its capacity as Controller and/or Processor as the case may be, will be Processed in compliance with the principles and regulations provided for in Colombian laws, current national legislation, and good practices applicable to the regime of Personal Data protection, as determined by the Personal Data Protection Policy defined below.

Definitions:

  • Authorization: Prior, express, and informed consent of the Data Subject to carry out the Processing of Data.
  • Privacy Notice: Verbal or written communication generated by the Controller, addressed to the Data Subject for the Processing of their Personal Data, through which they are informed about the existence of the information Processing policies that will be applicable to them, how to access them, and the purposes of the Processing intended for the Personal Data.
  • Database: Organized set of Personal Data subject to Processing.
  • Company: Refers to Addimentum S.A.S.
  • Personal Data: Any information linked or that can be associated with one or several determined or determinable natural persons.
  • Public Data:Data classified as such according to the mandates of the law or the Political Constitution and all those that are not semiprivate or private, in accordance with the law. Public data include, among others, data relating to the civil status of individuals, their profession or occupation, and their status as merchants or public servants. By their nature, public data may be contained, among others, in public records, public documents, gazettes and official bulletins, and duly executed judicial decisions not subject to reservation.
  • Semiprivate Data: Semiprivate data is data that does not have an intimate, reserved, or public nature and whose knowledge or disclosure may be of interest not only to its owner but also to a certain sector or group of people or to the Company in general, such as financial and credit data of commercial activity or services as established by current regulations in the matter.
  • Private Data: Data that, due to its intimate or reserved nature, is only relevant to the owner.
  • Sensitive Data: Sensitive data are those that affect the privacy of the Data Subject or whose misuse may lead to their discrimination, such as those revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations, or promoting the interests of any political party or guaranteeing the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.
  • Processor: Natural or legal person, public or private, who, by themselves or in association with others, carries out the Processing of Personal Data on behalf of the Controller.
  • Controller: Natural or legal person, public or private, who, by themselves or in association with others, decides on the Database and/or the Processing of the Data;
  • Data Subject: Natural person whose Personal Data are subject to Processing.
  • Processing: Any operation or set of operations on Personal Data, such as collection, storage, use, circulation, or deletion.
  • Transfer: Data transfer occurs when the Controller and/or Processor of Personal Data, located in Colombia, sends the information or Personal Data to a recipient, who in turn is responsible for the Processing and is located inside or outside the country.
  • Transmission: Processing of Personal Data that involves the communication of such data within or outside the territory of the Republic of Colombia when it has the purpose of Processing by the Processor on behalf of the Controller.

Purposes:

The Personal Data held by the Company will be Processed for the following general purposes:

  • To fulfill the obligations and/or commitments arising from existing business relationships with Data Subjects.
  • To comply with legal obligations involving Personal Data of Data Subjects.
  • For commercial management and relationship with its Data Subjects.
  • For prospective analysis on trends and preferences of Data Subjects regarding their goods and/or services.
  • To proactively understand the needs of Data Subjects in order to innovate and meet those needs.
  • To communicate to Data Subjects information about their goods, services, publications, training events, business activities, and/or advertising associated with their business activities, whether goods and/or services.
  • To carry out corporate social responsibility activities towards Data Subjects.
  • To be Processed by the Company by virtue of corporate, contractual, or legal relationships.
  • To share them with third parties for the purpose of fulfilling the object of the business relationship between the parties.
  • To share them among themselves or with third parties and provide data on the compliance or non-compliance with legal and business obligations directly or through public entities exercising surveillance and control functions.

Controller of Processing:

Addimentum S.A.S., is a company incorporated under the laws of the Republic of Colombia, identified with NIT (Tax Identification Number) 901026852-1, has its registered office in the city of Cartagena at the address registered in the Chamber of Commerce.

Addimentum S.A.S. will be responsible for the Processing of Personal Data.

Data Subject Rights:

 Data Subjects of the Personal Data referred to in Law 1581 of 2012, in their capacity as Data Subjects or legitimately authorized, in relation to the Processing of their Personal Data, have the right to exercise the actions recognized by law in matters of Personal Data protection and habeas data, namely:

  • Know, update, and rectify their Personal Data against the Company or the Processing Controllers. This right may be exercised, among others, against Partial, inaccurate, incomplete, fragmented data that leads to error, or those whose Processing is expressly prohibited or has not been authorized.
  • Request proof of the Authorization granted to the Processing Controller, unless expressly exempted as a requirement for Processing, in accordance with the provisions of Article 10 of Law 1581 of 2012.
  • Be informed by the Processing Controller or the Processing Processor, upon request, regarding the use given to their Personal Data.
  • Submit to the Company requests, complaints, or claims, regarding the handling of Data of Data Subjects, through the channels provided for this purpose.
  • Submit complaints to the Superintendence of Industry and Commerce for infringements of Law 1581 of 2012 and other regulations that modify, add to, or complement it.
  • Revoke the Authorization and/or request the deletion of the data when the Processing does not respect constitutional and legal principles, rights, and guarantees. Revocation and/or deletion will proceed when the Superintendence of Industry and Commerce has determined that in the Processing the Controller or Processor have engaged in conduct contrary to the law and the Constitution.
  • Access their Personal Data that have been subject to Processing free of charge.
  • Refrain from answering questions about sensitive data. The responses concerning sensitive data or data of children and adolescents will be optional.

Sensitive Data Processing:

 In the development of its corporate purpose, the Company processes the Personal Data of its employees, investors, shareholders, and providers of goods and services. In compliance with corporate processes and policies, they may require the Transmission or Transfer of such data to their linked companies, subsidiaries, and/or affiliates. The collection of Personal Data by the Company will be limited to those Personal Data that are relevant to the purpose for which they are collected or required. Except in cases expressly provided for by law, Personal Data will not be collected without the Authorization of the Data Subject, nor will deceptive or fraudulent means be used to collect and Process Personal Data.

According to Law 1581 of 2012, sensitive personal data are "those that affect the privacy of the Data Subject or whose misuse may lead to their discrimination", such as those revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations, or promoting the interests of any political party or guaranteeing the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data. Within them, data of minors are also recognized.

The Company must Process data of this nature, in the development of relationships with its employees especially, those related to health and eventually biometric data by virtue of the reproduction, public communication, and transformation of photographs or analogous and/or digital procedures to photography or audiovisual productions for corporate purposes. In compliance with the law, the Company will not collect data from children, girls, and adolescents, except for those related to the inclusion of underage apprentices as permitted by current labor regulations and those related to the data of the employees' children, either for their inclusion or update.

In any case, when processing such data, special security measures will be adopted, and when Authorization for the Processing of sensitive data is requested, the Data Subject will be informed of the purposes for which they will be processed and will be informed that they have the right to refrain from answering questions about sensitive data, including data of children and adolescents.

In the processes of the Company that involve the collection and Processing of Personal Data, reference will be made to this Data Protection Policy..

Specific purposes for data processing:

 The Processing of data includes collection, storage, administration, use, Transfer, Transmission, and destruction, in the manner permitted by law and is carried out for the following specific purposes for each case:

a) Personal data of employees and former employees: Cumplimiento de las obligaciones  laborales de los empleados a cargo de la Compañía, tales como: pagos de nómina, pagos y reportes al Sistema General de Seguridad Social en Salud y Pensiones, prestaciones sociales, gestión de las incapacidades médicas de los empleados, gestión y manejo de accidentes de trabajo y/o de enfermedades profesionales y demás retribuciones consagradas en el contrato de trabajo o según lo disponga la ley; así como   para la atención de consultas, peticiones, solicitudes, acciones y reclamos;  actividades de la Compañía tales como capacitaciones, otorgamientos de créditos, actividades de recreación, envío de comunicaciones corporativas, realizar alianzas comerciales para generar valores agregados para los empleados, cumplimiento de las normas de prevención del lavado de activos y financiación del terrorismo y demás actividades que se requieran en el normal desarrollo de la organización y el cumplimiento de las normas, reglamentos y actividades.

The Personal Data will also be used to promote interaction platforms with the Company, which allow for the creation of alternative communication spaces and obtaining valuable information for human resource management. With the Personal Data provided, the respective user profile will be created in the Company's system, which can be managed by each Data Subject.

The Company will use the Personal Data of employees or former employees regarding image rights on photographs or analogous and/or digital procedures to photography, or audiovisual productions (videos), in accordance with national and international standards that are applicable, for reproduction, public communication, transformation, and distribution in printed and electronic, digital, optical editions, and on the internet, for corporate purposes only.

During health emergencies declared by the National Government, or any type of state of exception that affects the operation of the Company, they will process sensitive data of employees associated with the contingency in accordance with current regulations on the matter and the needs required.

b) Personal data of shareholders and investors:: Para la atención de consultas, peticiones, solicitudes, acciones, reclamos y pago de dividendos. Además, se utiliza para el desarrollo de actividades de la Compañía tales como capacitaciones, actividades de recreación, envío de comunicaciones corporativas, para cumplir con las normas de prevención del lavado de activos y financiación del terrorismo y demás actividades que se requieran en el normal desarrollo de la organización y el cumplimiento de las normas, reglamentos y actividades,

During health emergencies declared by the National Government, or any type of state of exception that affects the operation of the Company, they will process sensitive data of shareholders and investors associated with the contingency in accordance with current regulations on the matter and the needs required.

c) Personal data of providers: To comply with legal and/or contractual obligations, such as payments, billing, payment reporting, reports that by law or internal policies the Company is obliged to make; for the maintenance and development of the commercial relationship; to carry out marketing, promotion, or advertising activities, to carry out market intelligence activities, to establish commercial alliances; to generate added value, to disclose news and information about the products and/or services of the Company; to comply with anti-money laundering and terrorism financing regulations; to verify debts with the State; to comply with the obligations of the Company regarding the quality of products and services, for the effective handling of supplier inquiries and/or complaints, to handle inquiries, requests, and/or requests; to initiate and/or attend actions and/or complaints from suppliers; to carry out audits, send invitations to participate in procurement processes, and to request and send quotes and/or information about products and services.

During health emergencies declared by the National Government, or any type of state of exception that affects the operation of the Company, they will process sensitive data of providers associated with the contingency in accordance with current regulations on the matter and the needs required.

Revocation of Authorization and/or deletion of data:

 Data Subjects may at any time request the Company to delete the Personal Data referred to in Law 1581 of 2012 and/or revoke the Authorization granted for the Processing of these, by submitting a claim, in accordance with the procedure indicated in this Policy. If, after the respective legal term has expired, the Company has not deleted the Personal Data, the Data Subject will have the right to request the Superintendence of Industry and Commerce to order the revocation of the Authorization and/or the deletion of the Personal Data. However, the foregoing, Personal Data must be retained when required for compliance with a legal or contractual obligation. In the event that the Data Controllers carry out the Processing of Sensitive Data, it is guaranteed that Authorization for the Processing of such data will be obtained in advance and expressly, complying with the following obligations:

  • The Data Subject will be informed of the data for which, being Sensitive Data, they are not required to authorize their Processing.
  • The Data Subject will be informed in advance and expressly of which data are Sensitive and what will be the purpose of the Processing to be given to them.
  • No activity will be conditioned on the Data Subject providing Sensitive Data.

Procedure for Exercising the Right to Habeas Data:

 For the exercise of the Right to Habeas Data, the Data Subject or whoever demonstrates a legitimate interest as indicated in current regulations, may do so by completing the form located in the Personal Data Protection section of the website www.addimentum.co;or through a communication addressed to the legal area of the Company or at the address registered with the Chamber of Commerce of Medellín for Antioquia. The person exercising the right to habeas data must provide with precision the contact information requested in the web form or, failing that, the contact information to process and attend to their request for the exercise of their rights.

Queries will be answered within a maximum term of ten (10) business days counted from the date of receipt of this. When it is not possible to address the query within said term, the interested party will be informed, stating the reasons for the delay and indicating the date on which their query will be addressed, which in no case may exceed five (5) business days following the expiration of the first term.

Regarding claims or requests for correction, updating, rectification, revocation, or deletion of personal data, upon receipt of the habeas data exercise request, the Company will respond within the legal term of ten (10) business days, which may be extended for an additional five (5) business days, after prior communication to the person who has exercised this right, in accordance with the provisions of the law.

In case additional information is required to address the request, it must be submitted by the applicant within two (2) months following the request; if not, it will be understood that they have withdrawn.

The maximum term that the Controller has to address the request is fifteen (15) business days counted from the day following the date of its receipt. When it is not possible to address the request within said term, the interested party will be informed of the reasons for the delay and the date on which their request will be addressed, which may not exceed eight (8) business days following the expiration of the first term.

The Processing of Personal Data carried out by the Company in accordance with this Policy will be based on the norms, programs, procedures, and instructions adopted for compliance with the applicable legislation on the protection of Personal Data.

Para los datos recolectados antes de la expedición del Decreto 1377 de 2013, la Compañía ha puesto en conocimiento de los Titulares la Política de Protección de Datos y el modo de ejercer sus derechos mediante su publicación en la página web https://addimentum.co/es/politica-proteccion-datos-personales/

Transfer or International Transmission of Personal Data:

 The Company may carry out the Transfer and Transmission, even international, of the Personal Data it has in its Databases, provided that the applicable legal requirements are met and the Data Subjects expressly authorize the Transfer and Transmission, even at an international level.

For the Transfer of Personal Data of the Data Subjects, the Company will take the necessary measures so that third parties are aware of and undertake to comply with this Policy, under the understanding that the personal information they receive may only be used for matters directly related to the Company or the purposes expressly authorized by the data subject, and only while this Authorization is valid. It may not be used or intended for a different purpose or end.

Modifications to the Personal Data Protection Policy:

 The Company reserves the right to make modifications or updates to this Personal Data Protection Policy at any time, to address legislative developments, internal policies, or new requirements for the provision or offering of its services or products. These modifications will be available to the public through the website www.addimentum.co www.addimentum.co;

Formulario

https://forms.office.com/r/BxEm1yhWRQ

en_USEN
es_ESES en_USEN