Data processing policy

The company Biodistribuciones Terra S.A.S., in its capacity as responsible for data processing, is committed to privacy and the proper handling of personal information, which is why it invites you to learn about its Personal Data Processing Policy. Biodistribuciones Terra S.A.S. requires certain personal data to which it gives treatment for the normal development of its activity, and in the framework of the relationship that links it with customers, employees, suppliers and other stakeholders, it will request only the data it actually needs for this purpose. These data include, among others, identification and contact data; those related to economic activity, commercial and/or financial information. For this purpose Biodistribuciones Terra S.A.S. has adopted adequate security measures in order to ensure the proper and confidential treatment of personal data.

Biodistribuciones Terra S.A.S. obtains personal data because the holder has provided them, because it has obtained them from a third party authorized by the holder or by law to provide them, or because they are public data, i.e. data for whose treatment is not required prior authorization. In the event that the company needs to process personal data for a purpose other than that stated in the authorization, it will request a new one from the owner.

INFORMATION OF THE PERSON RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA

Responsible for the processing of personal data: Biodistribuciones Terra S.A.S.

NIT: 900.472.077-6

Telephone number: +57(1)7031240

Address: Carrera 25 No. 70-18 / Carrera 27 No. 68-73 (Bogotá D.C.)

E-mails: [email protected] / [email protected] /

[email protected]

Website: www.karavansay.com

REGULATORY BASIS

Through Law 1581 of October 17, 2012, the National Congress issued the General Provisions for the Protection of Personal Data, including the regime of rights of the holders of the information and the obligations of those responsible and in charge of its processing, thus constituting the general framework for the Protection of Personal Data in Colombia. Likewise, on June 27, 2013, the National Government issued Decree 1377 of 2013, through which the aforementioned Law was regulated, in order to facilitate its implementation in aspects related to the authorization of the holder of the information, the Processing Policies of the Controllers and Processors, the exercise of the rights of the holders of the information, the Transfers of Personal Data and the Demonstrated Responsibility regarding the Processing of Personal Data. For its part, on May 26, 2015 it issued Decree 1074 of 2015, known as the Sole Regulatory Decree of the Commerce, Industry and Tourism Sector.

MAIN DEFINITIONS

  1. Authorization: prior, express and informed consent of the holder to carry out the processing of his personal data.
  2. Privacy notice: physical, electronic document or any type of format made available to the holder for the processing of personal data.
  3. Data Base: organized set of personal data, which are subject to treatment processing.
  4. Personal Data: any information linked or that may be associated to a determined or determinable person.
  5. Private data: data that, due to its intimate or reserved nature, is only relevant for the owner relevant only to the owner.
  6. Public data: data that may be contained, among others, in public records, public documents, official gazettes and bulletins, and duly executed court rulings that are not subject to confidentiality. Public data includes, among others, data relating to the civil status of persons, profession or trade, their status as merchants or public servants.
  7. Semi-private data: data that are not intimate, reserved or public in nature and whose knowledge or disclosure may be of interest not only to the owner but also to a certain sector or society in general. For example, financial and credit data from commercial or service activities.
  8. Sensitive data: data that affect the privacy of the owner, or whose improper use could lead to discrimination.
  9. Data processor: natural or legal person, public, private or mixed, who by himself or in association with others, performs the processing of personal data by delegation of a data controller.
  10. Controller: natural or legal person, public, private or mixed, who alone or in association with others, decides on the database and the processing of data.
  11. Data subject: natural person whose personal data is the object of processing, whether client, supplier, employee, or any third party who, due to a commercial or legal relationship, provides personal data.
  12. Transfer: sending by the data controller or a data processor, to a third party as recipient, within or outside the national territory for the effective processing of personal data.
  13. Transmission: refers to the communication of personal data by the controller to the processor, located within or outside the national territory, to process personal data by delegation.
  14. Processing: any operation on personal data, such as collection, storage, use, circulation or suppression.

MEANS OF OBTAINING THE HOLDER’S AUTHORIZATION

  • In writing
  • Orally
  • By means of unequivocal conduct of the owner of the information, which allow those responsible to conclude that the authorization was granted.
  • In any of the three cases, proof of the holder’s authorization for the processing of his personal data must be kept.

CASES IN WHICH THE HOLDER’S AUTHORIZATION IS NOT REQUIRED

Although data controllers are required to have the express authorization of the owners, in the following cases it is not necessary to request it, but the other obligations stipulated by law must be complied with:

  • When the information is required by a public or administrative entity in exercise of its legal functions or by court order.
  • In case of treatment of data of public nature.
  • In cases of medical or health emergency.
  • For the processing of information authorized by law for historical, statistical or scientific purposes.
  • When dealing with data related to the Civil Registry. 

USE AND PURPOSE OF PERSONAL DATA PROCESSING

  • Execution of the commercial, civil or labor contract subscribed with Biodistribuciones Terra.
  • Payment of contractual obligations.
  • Sending information to governmental or judicial entities by express request of the same.
  • Support in external/internal audit processes.
  • Sending or receiving messages for commercial, advertising or customer service purposes.
  • Provision of effective customer service.
  • Contact with candidates, clients, employees or suppliers to send information related to the contractual, commercial and obligatory relationship that takes place.
  • Registration of the information of the candidates, customers, employees and suppliers in the database of the database of Biodistribuciones Terra.
  • Security purposes or fraud prevention.
  • Collection of data for the fulfillment of duties as responsible for the information and personal data.

TREATMENT OF SENSITIVE DATA

As stipulated by law, sensitive data are those that “affect the privacy of the owner and may result in discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights, as well as data relating to health, sex life, and biometric data”. Due to the nature of this type of data, it is necessary to let the holder know beforehand that he/she is not obliged to authorize its processing, as well as which are the sensitive data requested and what will be its purpose.

INFORMATION SUBJECT TO PROCESSING

Among other data and with the aim of facilitating the relationship with each of the interest groups, the following information may be required from each of them:

Customers:

  • Name of the client or company name, identification number or NIT with verification digit, place of residence, correspondence address, office address, telephone numbers, fax, email, economic activity, products, and related companies.
  • Name of the general manager or legal representative, signature and telephone numbers.
  • Name of the person in charge of portfolio collection, purchasing manager, warehouse manager, and contact information.
  • Number of employees.
  • Business operating time.
  • Tributary information.
  • Supplier information, city, and contact information.
  • Banking information, such as name of bank account holder, bank account number, and bank name or code.
  • Images obtained, recorded and captured through the company’s cameras and video cameras.

Goods and service suppliers:

  • Name of the supplier or company name, identification number or NIT with verification digit, place of residence, address, telephone numbers, fax, and email.
  • Name of the general manager or legal representative and address, identification numbers, telephone numbers, fax, email.
  • Name of the manager or sales coordinator, and contact information.
  • Name of the person in charge of portfolio collection, and contact information.
  • Number of employees.
  • Business operating time.
  • Tributary information.
  • Banking information that includes name of bank account holder, bank account number and bank name or code.
  • Name of the people who appear on the Chamber of Commerce certificate.
  • Images obtained, recorded and captured through the company’s cameras and video cameras.

Employees:

  • Name, identification, blood group, address, telephone, date of birth, marital status, endowment sizes, medical history, social security affiliations, medical policy, age, educational information, health status, medications used, authorizations medical, participation in recreation and sports activities.
  • Family group: names, identifications, blood group, dates of birth, medical history, social security affiliations, medical policy, age, health status, medications used, medical authorizations, participation in recreational and sports activities.
  • Resume, education, experience, links with entities, links with companies.
  • Salary and other payments.
  • Balance of debts contracted with Biodistribuciones Terra or through drafts.
  • Pension contributions.
  • Constitution and contributions to voluntary pension funds, food vouchers, etc.
  • Judicial processes, seizures.
  • Debts in favor of cooperatives.
  • Discount authorizations.
  • Benefits throughout your working life.
  • Work contract.
  • Changes in the employment contract.
  • Links with previous employers.
  • Work history of the worker.
  • Payment of aid and benefits.
  • Beneficiaries of the worker for the purpose of payment of aid and benefits.
  • EPS affiliation, pension fund, ARL, Compensation Fund.
  • Training received.
  • Psychological evaluation report.
  • Demographic report of workers.
  • Entrance exam and occupational periodicals of the worker.
  • Work accidents.
  • Extra hours.
  • Entry and exit of the plant.
  • Photographic record.
  • Images obtained, recorded and captured through the company’s cameras and video cameras.
  • Performance evaluation.
  • Electronic signature and fingerprint registration.

Candidates in the selection process:

  • Name, identification, address, telephone number, date of birth, educational information, participation in recreation and sports activities.
  • Resume, education, experience, links with entities, links with companies.
  • Images obtained, recorded and captured through the company’s cameras and video cameras.
  • Regarding sensitive data that may be included in the previous lists, the owner is not obliged to authorize its processing and will only be processed with his or her prior, express and informed consent.
  • The processing of data of children and adolescents is prohibited, except for data of a public nature and when the processing responds to and respects the best interests of children and adolescents, and ensures respect for fundamental rights. In compliance with the above requirements, the representative of the girls, boys and adolescents will grant authorization, prior to the minor’s exercise of being heard, an opinion that will be valued taking into account maturity, autonomy and ability to understand the matter.

RIGHTS OF THE HOLDER OF PERSONAL DATA

  • To know, update and rectify the data against Biodistribuciones Terra S.A.S. or data processors. This right may be exercised, among others against partial, inaccurate, incomplete, fractioned, misleading data, or those whose treatment is expressly prohibited or has not been authorized.
  • To revoke the authorization and/or request the deletion of the data when the treatment does not respect the principles, rights and constitutional and legal guarantees. The revocation will proceed as long as there is no legal or contractual obligation to keep the personal data.
  • At any time and at no cost, you may request the deletion of the data you deem necessary, for which you must identify yourself in due form and indicate which is the information to be deleted, which includes the delivery of supporting documentation required for this purpose.
  • To be informed by Biodistribuciones Terra S.A.S. upon request, regarding the use given to the data.
  • To file before the Competent Authority complaints for infringements to the provisions of the law and other rules that modify, add or complement it.

OBLIGATIONS OF THE COMPANY AS CONTROLLER OF PERSONAL DATA PERSONAL

  • The duties of the data controller are as follows:
  • Guarantee the holder, at all times, the full and effective exercise of the right of habeas data.
  • Request and keep, under the conditions provided in this law, a copy of the respective authorization granted by the owner.
  • Duly inform the owner about the purpose of the collection and the rights granted to him by virtue of the authorization granted.
  • Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
  • Process queries and claims made in the terms indicated in this law.
  • Adopt an internal manual of policies and procedures to guarantee adequate compliance with this law and, especially, to respond to queries and complaints.
  • Inform at the request of the owner about the use given to his data.
  • Inform the data protection authority when violations of security codes occur and there are risks in the administration of the owners’ information.
  • Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

When you delegate data processing to a person in charge, the duties of the person responsible are:

  • Guarantee that the information provided to the data processor is true, complete, accurate, updated, verifiable and understandable.
  • Update the information, promptly communicating to the person in charge of the treatment all the news regarding the data that you have previously provided and adopt the other necessary measures so that the information provided to him remains up to date.
  • Rectify the information when it is incorrect and communicate the pertinent information to the person in charge of treatment.
  • Provide the person in charge of processing, as the case may be, only data whose processing is previously authorized in accordance with the provisions of this law.
  • Demand that the data processor at all times respect the security and privacy conditions of the owner’s information.
  • Inform the person in charge of the treatment when certain information is under discussion by the owner, once the claim has been submitted and the respective procedure has not been completed. 

OBLIGATIONS WHEN THE COMPANY IS IN CHARGE OF PROCESSING PERSONAL DATA

  • Guarantee the holder, at all times, the full and effective exercise of the right of habeas data.
  • Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
  • Timely update, rectify or delete data under the terms of this law.
  • Update the information reported by those responsible for the treatment within five (5) business days from receipt.
  • Process queries and claims made by the owners in the terms indicated in this law.
  • Adopt an internal manual of policies and procedures to guarantee adequate compliance with this law and, especially, to respond to queries and complaints from the owners.
  • Register in the database the legend "claim in process" in the way regulated in this law.
  • Insert in the database the legend "information under judicial discussion" once notified by the competent authority about judicial processes related to the quality of personal data.
  • Refrain from circulating information that is being controversial by the owner and whose blocking has been ordered by the Superintendence of Industry and Commerce.
  • Allow access to information only to people who can have access to it.
  • Inform the Superintendency of Industry and Commerce when violations of security codes occur and there are risks in the administration of the owners’ information.
  • Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce. 

PROCEDURE FOR THE EXERCISE OF THE RIGHT OF HABEAS DATA

In compliance with the regulations on the protection of personal data, Biodistributions Terra presents the procedure and minimum requirements for the exercise of the rights of the owners. For the filing and attention of the request, we require the supply of the following nformation:

  • Full name and surname.
  • Contact information (physical and/or electronic address and contact telephone numbers).
  • Means to receive a response to the request.
  • Reason(s)/fact(s) that give rise to the claim with a brief description of the right you wish to exercise (know, update, rectify, request proof of the authorization granted, revoke it, delete it, access the information).
  • Signature (if applicable) and identification number.

The maximum term provided by law to resolve the claim is fifteen (15) business days, counting from the day following the date of receipt. When it is not possible to address the claim within said term, Biodistribuciones Terra will inform the interested party of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the claim. foreground. Once the terms indicated by Law 1581 of 2012 and the other rules that regulate or complement it have been met, the owner who is denied, totally or partially, the exercise of the rights of access, updating, rectification, deletion and revocation may put your case to the knowledge of the Superintendency of Industry and Commerce – Delegation for the Protection of Personal Data.

EXPANSION OF INFORMATION AND EXERCISE OF THE OWNER’S RIGHTS

For further expansion of the concepts, definitions and regulations related to this policy, you may refer to the following laws and their complementary rules: Law 1266 of 2008 & Habeas Data. Law 1581 of 2012 “Protection of Personal Data”, Decree 1377 of 2013. If you have questions about this policy, as well as any concerns or claims, or if you require the exercise of any complaint, rectification, update, consultation, request for access or subtraction of data, you can contact us through any of the following means:

Phone: 57-1-7031240 (Monday to Friday between 8 a.m. and 5 p.m.)

Address: Carrera 25 No. 70-18 / Carrera 27 No. 68-73 (Bogotá D.C.)

E-mails: [email protected] / [email protected] /

[email protected]

Version updated on October 14, 2021