Data processing policy

The company Biodistribuciones Terra S.A.S, in its capacity as data controller, is committed to privacy and to the proper handling of personal information, which is why it invites you to learn about its Personal Data Processing Policy. Biodistribuciones Terra S.A.S requires certain personal data to which it treats for the normal development of its activity, and within the framework of the relationship that links it with customers, workers, suppliers and other interest groups, it will request only the data that in effect need for it. These data include, among others, identification and contact data; those related to economic activity, commercial and/or financial information. For this purpose, Biodistribuciones Terra S.A.S has adopted appropriate security measures in order to ensure the proper and confidential treatment of personal data. Biodistribuciones Terra S.A.S obtains personal data because the owner has provided them, because they have been obtained from a third party authorized by the owner or by law to provide them, or because they are public data, that is, data for which prior authorization is not required. . In the event that the company requires processing personal data for a purpose other than that stated in the authorization, it will request a new one from the owner.

INFORMATION OF THE RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA

Responsible for the processing of personal data: Biodistribuciones Terra S.A.S. NIT: 900.472.077-6 Telephone: +57(1)7031240 Address: Carrera 25 No. 70-18 / Carrera 27 No. 68-73 (Bogotá D.C.) Emails: info@biodistribucionesterra.com / contacto@karavansay.com / customerservice@karavansay.com Website: www.karavansay.com

REGULATORY BASIS

Through Law 1581 of October 17, 2012, the National Congress issued the General Provisions for the Protection of Personal Data, including the regime of rights of the holders of the information and the obligations of those responsible and in charge of its treatment, thus constituting the general framework of the Protection of Personal Data in Colombia. Likewise, on June 27, 2013, the National Government issued Decree 1377 of 2013, by which the aforementioned Law was regulated, in order to facilitate its implementation in aspects related to the authorization of the owner of the information, the Policies of Treatment of the Responsible and Managers, the exercise of the rights of the holders of the information, the Transfers of Personal Data and the Demonstrated Responsibility against the Treatment of Personal Data. For its part, on May 26, 2015, it issued Decree 1074 of 2015, known as the Single Regulatory Decree of the Commerce, Industry and Tourism Sector.

MAIN DEFINITIONS

  1. Authorization: prior, express and informed consent of the owner to carry out the processing of their personal data.
  2. Privacy notice: physical or electronic document or any type of format made available to the owner for the processing of their personal data.
  3. Database: an organized set of personal data, which are subject to treatment.
  4. Personal data: any information linked or that can be associated with a specific or determinable person.
  5. Private data: those that due to their intimate or reserved nature are only relevant to the headline.
  6. Public data: data that may be contained, among others, in public registries, public documents, official gazettes and bulletins, and duly executed court rulings that are not subject to confidentiality. Public data is considered, among others, data related to the marital status of people, profession or trade, to their capacity as merchant or public servant.
  7. Semi-private data: are those that are not of an intimate, reserved, or public nature and whose knowledge or disclosure may be of interest not only to the owner but to a certain sector or to society in general. For example, the financial and credit data of the commercial activity or services.
  8. Sensitive data: those data that affect the privacy of the owner, or whose improper use could generate discrimination against him.
  9. In charge of the treatment: natural or legal person, public, private or mixed, that by itself or in association with others, carries out the processing of personal data by delegation of a person in charge of the treatment.
  10. Responsible for the treatment: natural or legal person, public, private or mixed, that by itself or in association with others, decides on the database and the treatment of the data.
  11. Owner: natural person whose personal data is processed, be it a customer, supplier, employee, or any third party who, due to a commercial or legal relationship, provides personal data.
  12. Transfer: sending by the person in charge of the treatment or a person in charge of the data, to a third party as recipient, inside or outside the national territory for the effective treatment of personal data.
  13. Transmission: refers to the communication of personal data by the person in charge to the person in charge, located inside or outside the national territory, so that by delegation it processes personal data.
  14. Treatment: any operation on personal data, such as collection, storage, use, circulation or deletion.

MEANS TO OBTAIN THE HOLDER’S AUTHORIZATION

  • In writing
  • Orally
  • Through unequivocal behaviors of the owner of the information, which allow those responsible to conclude that the authorization was granted.
  • In any of the three cases, proof of the owner’s authorization for the processing of his personal data must be kept.

CASES IN WHICH THE HOLDER’S AUTHORIZATION IS NOT NECESSARY

Although those responsible for data processing are required to have express authorization from the owners, in the following cases it is not necessary to request it, but the other obligations stipulated by law must be complied with:
  • When the information is required by a public or administrative entity in exercise of its legal functions or by court order.
  • In case of processing data of a public nature.
  • Cases of medical or health emergency.
  • For the processing of information authorized by law for historical purposes, statistical or scientific.
  • When it comes to data related to the Civil Registry.

USE AND PURPOSE OF PROCESSING PERSONAL DATA

  • Execution of the commercial, civil or labor contract signed with Biodistribuciones Terra.
  • Payment of contractual obligations.
  • Sending information to government or judicial entities at their express request.
  • Support in external/internal audit processes.
  • Sending or receiving messages for commercial, advertising or customer service purposes.
  • Providing effective customer service.
  • Contact with candidates, clients, employees or suppliers to send information related to the contractual, commercial and obligatory relationship that takes place.
  • Registration of the information of the candidates, clients, employees and suppliers in
  • the database of Biodistribuciones Terra.
  • Security or fraud prevention purposes.
  • Data collection for the fulfillment of the duties as the person in charge of the
  • personal information and data.

PROCESSING OF SENSITIVE DATA

As stipulated by the law, sensitive data are those that “affect the privacy of the owner and may lead to discrimination, such as those that reveal their racial or ethnic origin, their political orientation, religious or philosophical convictions, membership of unions, social organizations, human rights, as well as data related to health, sexual life, and biometric data.” Due to the nature of this type of data, it is necessary that the owner is previously informed that he is not obliged to authorize its treatment, as well as what the sensitive data requested is and what its purpose will be.

INFORMATION SUBJECT TO PROCESSING

Among other data and with the aim of facilitating the relationship with each of the interest groups, the following information could be required from each of them: Customers:
  • Customer name or company name, identification number or NIT with verification digit, place of residence, correspondence address, dispatch address, telephone numbers, fax, email, economic activity, products, and related companies.
  • Name of the general manager or legal representative, signature and telephone numbers.
  • Name of the person in charge of collecting the portfolio, purchasing manager, warehouse manager, and contact information.
  • Number of employees.
  • Business operating time.
  • Tax information.
  • Supplier information, city, and contact details.
  • Bank information, such as the name of the bank account holder, bank account number, and bank name or code.
  • Images obtained, recorded and captured through the company’s cameras and camcorders.
Goods and service suppliers:
  • Name of the supplier or company name, identification number or NIT with verification digit, place of residence, address, telephone numbers, fax, and email.
  • Name of the general manager or legal representative and address, identity cards, telephone numbers, fax, email.
  • Name of sales manager or coordinator, and contact information.
  • Name of the person in charge of collecting the portfolio, and contact information.
  • Number of employees.
  • Business operating time.
  • Tax information.
  • Bank information including bank account holder name, bank account number, and bank name or code.
  • Name of the person(s) that appears on the Chamber of Commerce certificate.
  • Images obtained, recorded and captured through the company’s cameras and camcorders.
Employees:
  • Name, identification, blood group, address, telephone number, date of birth, marital status, size of staff, medical history, social security affiliations, medical policy, age, study information, health status, medications used , medical authorizations, participation in recreational and sports activities.
  • Family group: names, identifications, blood group, dates of birth, medical history, social security affiliations, medical policy, age, state of health, medications used, medical authorizations, participation in recreational and sports activities.
  • Resume, education, experience, links with entities, links with companies.
  • Salary and other payments.
  • Balance of debts contracted with Biodistribuciones Terra or through payroll.
  • Pension contributions.
  • Incorporation and contributions to voluntary pension funds, food vouchers, etc.
  • Judicial proceedings, embargoes.
  • Debts in favor of cooperatives.
  • Discount authorizations.
  • Benefits throughout your working life.
  • Employment contract.
  • Changes in the employment contract.
  • Relationship with previous employers.
  • Employment history of the worker.
  • Payment of relief and benefits.
  • Beneficiaries of the worker for the purpose of payment of aid and benefits.
  • EPS affiliation, pension fund, ARL, compensation fund.
  • Training received.
  • Psychological evaluation report.
  • Worker demographic report.
  • Entrance examination and occupational periodicals of the worker.
  • Work accidents.
  • Overtime.
  • Entry and exit from the plant.
  • Photographic record.
  • Images obtained, recorded and captured through the company’s cameras and camcorders.
  • Performance evaluation.
  • Electronic record of signature and fingerprint.
Candidates in selection process:
  • Name, identification, address, telephone number, date of birth, study information, participation in recreational and sports activities.
  • Resume, education, experience, links with entities, links with companies.
  • Images obtained, recorded and captured through the company’s cameras and camcorders.
Faced with sensitive data that could be included in the previous lists, the owner is not obliged to authorize their treatment and they will only be treated with their prior, express and informed consent. The processing of data of children and adolescents is prohibited, except for data from public nature and when the treatment responds and respect the best interests of girls, children and adolescents, and ensure respect for fundamental rights. In compliance of the above requirements, the representative of the girls, boys and adolescents will grant the authorization, prior exercise of the minor to be heard, opinion that will be valued taking into account counts maturity, autonomy and ability to understand the issue.

RIGHTS OF THE HOLDER OF PERSONAL DATA

  • Know, update and rectify the data against Biodistribuciones Terra S.A.S. or data processors. This right may be exercised, among others against partial, inaccurate, incomplete, fractional data, which induce error, or those whose treatment is expressly prohibited or has not been < span style="color: var( --e-global-color-text ); font-fami ly: var( --e-global-typography-text-font-family ), Sans-serif; font-size: var( --e-global-typography-text-font-size ); font-weight: var( --e-global-typography-text-font-weight ); background-color: var(--nv-site-bg); letter-spacing: var(--bodyLetterSpacing); text-transform: var(--bodyTextTransform);">allowed.
  • Revoke the authorization and/or request the deletion of the data when in the treatment the principles, rights and constitutional and legal guarantees are not respected. The revocation will proceed as long as there is no legal or contractual obligationto preserve the personal data.
  • At any time and at no cost, you may request removal of data that it deems necessary, for which it must be properly identified and indicate what information to remove, which includes delivering the support documentation that is required for this purpose.
  • To be informed by Biodistribuciones Terra S.A.S upon request, regarding the use that has been given to the data.
  • Submit complaints to the Competent Authority for violations of the provisions of the law and other regulations that modify, add or complement it.

OBLIGATIONS OF THE COMPANY AS RESPONSIBLE FOR DATA PROCESSING PERSONAL

The duties of the data controller are as follows:
  • Guarantee the owner, at all times, the full and effective exercise of the right to habeas data.
  • Request and keep, under the conditions provided in this law, a copy of the < span style="color: var( --e-global-color-text ); font-family: var( --e-global-typography-text-font-family ), Sans-serif; font-size: var( --e-global-typography-text-font-size ); font-weight: var( --e-global-typography-text-font-weight ); background-color: var(--nv-site-bg) ; letter-spacing: var(--bodyLetterSpacing); text-transform: var(--bodyTextTransform);">respective authorization granted by the owner.
  • Duely inform the owner about the purpose of collection and rightsthat assist you by virtue of the authorization granted.
  • Keep the information under the security conditions necessary to prevent tampering, loss, reference, unauthorized access or use, or fraudulent.
  • Process the queries and claims formulated in the terms indicated in this law.
  • Adopt an internal manual of policies and procedures to guarantee adequate compliance with this law and, in particular, to deal with queries and complaints.
  • Inform at the request of the owner about the use given to their data.
  • Inform the data protection authority when there are violations of the security codes and there are risks in the administration of the information of the holders.
  • Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
When you delegate data processing to a processor, your duties as controller are:
  • Guarantee that the information provided to the person in charge of the treatment is true, complete, exact, updated, verifiable and understandable.
  • Update the information, communicating in a timely manner to the person in charge of the treatment all the news regarding the data that he has previously provided and adopt the other necessary measures so that the information provided to him is kept updated.
  • Crectify the information when it is incorrect and communicate what is relevant to the person in charge of the treatment.
  • Supply to the person in charge of the treatment, as the case may be, only data whose treatment is previously authorized in accordance with the provisions of this law.
  • Require the person in charge of the treatment to respect the security and privacy conditions of the owner’s information at all times.
  • Inform the person in charge of the treatment when certain information is under discussion by the owner, once the claim has been filed and the respective procedure has not been completed.

OBLIGATIONS WHEN THE COMPANY IS IN CHARGE OF THE TREATMENT OF PERSONAL DATA

  • Guarantee the owner, at all times, the full and effective exercise of the right of habeas data.
  • Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
  • Timely update, rectify or delete data under the terms of this law.
  • Update the information reported by those responsible for treatment within five (5) business days from its receipt.
  • Process the queries and claims made by the owners in the terms indicated in this law.
  • Adopt an internal manual of policies and procedures to guarantee adequate compliance with this law and, especially, for the attention of queries and claims by the holders.
  • Register in the database the legend &quot;claim in process&quot; in the manner regulated by this law.
  • Insert the legend &quot;information in judicial discussion&quot; once notified by the competent authority about judicial processes related to the quality of personal data.
  • Abstain from circulating information that is being controversial by the owner and whose blocking has been ordered by the Superintendence of Industry and Commerce.
  • Allow access to information only to people who can access it.
  • Inform the Superintendence of Industry and Commerce when there are violations of security codes and there are risks in the administration of the information of the holders.
  • Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

PROCEDURE FOR THE EXERCISE OF THE RIGHT OF HABEAS DATA

In compliance with the regulations on protection of personal data, Biodistribuciones Terra presents the procedure and minimum requirements for the exercise of the rights of the holders. For the filing and attention of the request, we require the supply of the following information:
  • Full name and surname.
  • Contact details (physical and/or electronic address and contact telephone numbers).
  • Means to receive a response to the request.
  • Reason(s)/fact(s) giving rise to the claim with a brief description of the right to be exercised (to know, update, rectify, request proof of the authorization granted, revoke it, delete it, access the information) .
  • Signature (if applicable) and identification number.
The maximum term provided by law to resolve the claim is fifteen (15) business days, counted from the day following the date of receipt. When it is not possible to address the claim within said term, Biodistribuciones Terra will inform the interested party of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the foreground. Once the terms indicated by Law 1581 of 2012 and the other regulations that regulate or complement it have been fulfilled, the owner who is denied, totally or partially, the exercise of the rights of access, update, rectification, deletion and revocation may put your case to the knowledge of the Superintendency of Industry and Commerce – Delegation for the Personal Data Protection-.

EXTENDED INFORMATION AND EXERCISE OF THE HOLDER’S RIGHTS

For further expansion of the concepts, definitions and regulations related to this policy, you can refer to the following laws and their complementary regulations: Law 1266 of 2008 “Habeas Data”, Law 1581 of 2012 “Protection of Personal Data”, Decree 1377 of 2013. If you have questions about this policy, as well as any concern or claim, or if you require the exercise of any complaint, rectification, update, consultation, access request or data theft, you can contact us through by any of the following means: Telephone: 57-1-7031240 (Monday to Friday between 8 a.m. and 5 p.m.) Address: Carrera 25 No. 70-18 / Carrera 27 No. 68-73 (Bogotá D.C.) Emails: info@biodistribucionesterra.com / contacto@karavansay.com / customerservice@karavansay.com Version updated on October 14, 2021