PERSONAL DATA PROCESSING AND PROTECTION POLICY

LBX S.A.S

  1. INTRODUCTION

Set out below are the unified policies for the treatment of information that govern the activity developed by LBX S.A.S in relation to data supplied by its customers, employees, shareholders, suppliers and potential customers. The present document is developed in compliance with Law 1581 of 2012, and the Regulatory Decree 1377 of 2013, allowing the holder of the personal data access to all the information regarding your rights as a holder, the purpose of the treatment, the mechanisms to effectively exercise their rights. If you are related in any of our databases its because you have expressed your will in a conscience and informed way to allow the processing of your information for the purposes that have been pointed out. LBX S.A.S is responsible for the processing of personal data in accordance with article 13 of the Decree 1377 of 2013, prepares and publishes to all interested persons  this Manual that contains all the essential elements for compliance with Colombian law related to the protection of Personal Data.

INFORMATION OF THE PERSON RESPONSIBLE FOR THE PROCESSING OF THE DATA: 

LBX S.A.S

NIT: 800,291.381-3

Carrera 14 No. 408 76 – 26 Office 408 Bogotá D.C.

(+57) (1) 2264826

asisgerencia@lbxconsultores.com

  1. LEGAL FRAMEWORK 

Constitution, article 15.

Law 1266 of 2008

Law 1581 of 2012

1727 Regulatory Decrees of 2009 and 2952 of 2010,

Partial Regulatory Decree 1377 of 2013

Court Ruling C – 1011 of 2008, and C – 748 of 2011 of the Constitutional Court

III. SCOPE OF APPLICATION 

This policy shall apply to personal data stored in any database of LBX S.A.S  where the holder is a natural person.

  1. DEFINITIONS 

For the purposes of this policy and in accordance with the regulations on the protection of personal data, account shall be taken of the following definitions

  • Authorization: Any manifestation of will, free, targeted, informed and explicit, oral or written, by which the owner accepts, either by means of a declaration or through conduct which is reasonably inferred from the granting of the processing of personal data.
  • Treatment: Any operation or set of operations, carried out or not through automated procedures, and applied to personal data, such as the collection, registration, organization, preservation, processing or alteration, removal, consultation, use, communication by transmission, dissemination or any other form that facilitates the access to the same, collation or interconnection, as well as their blocking, deletion, modification or destruction.
  • Privacy Notice: verbal or written communication generated by the responsible, addressed to the holder for the processing of their personal data, which informs about the existence of the policies of treatment of information that will be applicable, the way of accessing the same and the purposes of the treatment of personal data.
  • Policies for treatment of personal data: a set of guidelines that are intended to inform and define both the rules of processing of personal data in an organization such as the guidelines for the holder to exercise their rights.
  • Responsible for the treatment: person or legal entity, public or private, which by itself or in association with others, decides based on data and/or the treatment of the data.
  • In charge of the treatment: natural person or legal entity, public or private, which by itself or in association with others, perform the processing of personal data on behalf of the person responsible for the processing.
  • Database: any structured set of personal data accessible in accordance with certain criteria.
  • Holder of the data: person owner of the information supplied, which is the object of the treatment.
  • Delegate or responsible area: natural person or area of the company delegated to: (i) the implementation and operation of the policies of the processing of personal data; (ii) to process and reply to the requests of the holder of the information; (iii) Cooperate and give timely response to requests of the supervisory authority.
  • Public data: Is the data that is not private, semi-private or sensitive information. Public data are considered, among others, the data relating to the marital status of the people, to their profession or trade and quality of trader or of public servant. By its nature, public data can be contained, among others, in public records, public documents, official gazettes and newsletters and court rulings duly executed  that are not subject to reservation.
  • Sensitive Data: sensitive data are understood as those that affect the privacy of the Holder or the abuse of which you can generate discrimination, such as revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, trade union membership, social organizations, human rights or that promotes the interests of any political party or to ensure that the rights and guarantees of political opposition parties, as well as data relating to health, sexual life, and biometric data.
  • Transfer: the transfer of data takes place when the responsible and/or in charge of the processing of personal data, located in Colombia, sends the information or personal data to a receiver, which in turn is responsible for the treatment and is inside or outside the country.
  • Transmission: Treatment of personal data that involves communication of the same within or outside the territory of the Republic of Colombia when aimed at the realization of a treatment by the committee on behalf of the responsible.
  1. PRINCIPALS

To ensure the protection of personal data LBX S.A.S applied in a harmonious and integral way the following principles, in the light of which there  will be a need to perform the treatment, transfer and transmission of personal data

Principle of legality in the field of data-processing:

The treatment of data is a regulated activity, which should be subject to the laws in force and applicable governing the subject.

Principle of purpose:

The processing of personal data that make LBX S.A.S  or to which it has access, will obey to a legitimate aim in line with the Constitution of Colombia, which shall be notified to the respective holder of personal data.

Principle of Freedom:

The treatment of the personal data can only be carried out with the consent, prior, expressed and informed consent of the holder. Personal data may not be obtained or disclosed without authorization, or in the absence of a legal mandate, statutory, or judicial power to relieve the consent.

Principle of accuracy or quality:

The information subject to processing of personal data must be truthful, complete, accurate, up-to-date, verifiable and understandable. It is prohibited to the treatment of partial data, incomplete, or misleading.

Principle of transparency:

In the processing of personal data, LBX S.A.S  will ensure the holder the right to obtain at any time and without restrictions, information about the existence of any type of information or personal data that may be of hi/her interest or ownership.

Principle of access and restricted circulation:

The processing of personal data shall be subject to the limits that are derived from the nature of these, of the provisions of the law and the Constitution. As a result, the treatment may be made only by persons authorized by the holder and/or by the persons referred to in the law. The personal data, unless the public information may not be available on the internet or other means of mass communication or disclosure, unless access is technically controllable to provide a knowledge restricted to holders or authorized third parties in accordance with the law. For these purposes the obligation of LBX S.A.S , will be limited to the best of their abilities but not guaranteed.

Principle of security:

The information subject to treatment by LBX S.A.S , managed with the necessary technical, human and administrative measures necessary in order to provide security to the records to avoid their adulteration, loss, query, use or unauthorized access or fraudulent.

Principle of confidentiality:

All persons who in LBX S.A.S , administrate , manage, update, or have access to any type of information in databases, are required to ensure that the reserve of the  information, thus,  they commit  to preserve and maintain in strict confidence and shall not disclose to any third party, all of the information that they come to know in the implementation and exercise of their functions; except in the case of activities specifically authorized by the law of data protection. This obligation remains and will remain even after the end of its relationship with any of the work related with treatment.

  1. RIGHTS OF THE HOLDER OF THE INFORMATION

In accordance with the provisions laid down by the regulations applicable in respect of the protection of data, the following are the rights of the holders of personal data:

  1. Access, know, update and rectify your personal data held by LBX S.A.S  in its capacity as responsible for the treatment. This right may be exercised, among others, in the face of partial data, fractional, inaccurate, incomplete, misleading, or those whose treatment is expressly prohibited or has not been authorized.
  2. Request proof of the authorization given to the LBX S.A.S for the treatment of data valid, by any means, except in those cases in which authorization is not required.
  3. Be informed by LBX S.A.S , upon request, with respect to the use that has been given to their personal data.
  4. Submit to the Superintendence of Industry and Commerce, or a similar entity, complaints for violations of the provisions of law 1581 of 2012 and other rules that modify, add or complement, prior consultation procedure or requirement to LBX S.A.S .
  5. Revoke the authorization and/or request the deletion of data when in the treatment the principles, constitutional and legal guaranties are not respected.
  6. Free access to their personal data which have been the subject of treatment, at least once each calendar month, and whenever there are substantial changes to this policy that will motivate further consultations.

These rights may be exercised by:

  • The owner, who must prove their identity in a sufficient form by the various means made available by LBX S.A.S
  • The successors of the title holder, who must provide proof of such quality.
  • The representative and/or agent of the holder, accreditation of the representation or seizure.
  • Another in favor or for which the holder has stipulated.

Rights of children and adolescents

In the processing of personal data respect shall be ensured for the rights of minors. It is outlawed the treatment of personal data from children.

VII. DUTIES OF LBX S.A.S AS RESPONSIBLE OF THE PROCESSING OF PERSONAL DATA

LBX S.A.S , recognizes the ownership  of the personal data held by people and consequently they may in an exclusive manner  may decide over them. Therefore, LBX S.A.S ‘ personal data will be used for the fulfilment of the purposes expressly authorized by the holder or by the regulations in force.

In the treatment and protection of personal data, LBX S.A.S  shall has the following duties, without prejudice to other provisions that regulate or that may regulate this matter:

  1. Ensure the holder, always, the full and effective exercise of the right of habeas data.
  2. Request and keep a copy of the respective authorization granted by the holder for the processing of personal data.
  3. Properly Inform the holder about the purpose of the collection and the rights to which they are entitled by the authorization granted.
  4. Keep the information under the conditions of security measures necessary to prevent their adulteration, loss, query, use or unauthorized access or fraudulent.
  5. Ensure that the information is truthful, complete, accurate, up-to-date, verifiable and understandable.
  6. Promptly update the information, based on this way all the developments regarding the details of the holder. In addition, you must implement all necessary measures to ensure that the information is kept up to date.
  7. To rectify the information when it is incorrect and communicate the important ones.
  8. Respect the conditions of security and privacy of the information of the holder.
  9. The processing of queries and claims made in the terms set forth by law.
  10. Identify when certain information is under discussion by the holder.
  11. Inform at the request of the holder on the use of their data.
  12. Inform the data protection authority when violations of the security codes and risks exist in the administration of the holder’s information.
  13. Meet the requirements and instructions issued by the Superintendence of Industry and Commerce on the topic.
  14. Use only data whose treatment is pre-authorized in accordance with the provisions of the Law 1581 of 2012.
  15. Ensure proper use of the personal data of children and adolescents, in those cases in which you enter authorized for treatment of their data.
  16. Record in the database the with the word “claim in process ” in the way that is regulated in the law.
  17. Insert into the database of the word “information in judicial discussion” once notified by the competent authority on judicial processes related to the quality of the personal data.
  18. Refrain from circulating information that is being disputed by the holder and whose block has been ordered by the Superintendence of Industry and Commerce.
  19. Allow access to this information only to those who can access it.
  20. Use the holder’s personal data only for those purposes for which is duly empowered and respecting in all cases the regulations on the protection of personal data.

VIII. AUTHORIZATION AND CONSENT OF THE HOLDER

LBX S.A.S  requires free, prior, express and informed consent of the owner of the personal data for the treatment of the information, except in the cases expressly authorized by law, namely:

  1. Information required by a public or administrative entity in the exercise of their statutory functions or by court order.
  2. Data of a public nature.
  3. Cases of medical emergency or health care.
  4. Treatment of information authorized by law for historical, statistical or scientific purposes.
  5. Data related to the Civil Registry of Persons.

Manifestation of the authorization 

The authorization to LBX S.A.S for the processing of personal data shall be provided by:

  • The owner, who must prove their identity in the form by the various means available to LBX S.A.S
  • The representative and/or agent of the holder, accreditation of the representation or seizure.
  • Another in favor or for which the holder has stipulated.

Means to grant the authorization

LBX S.A.S  will obtain the authorization through different means, including the physical document, e-mail, message data, Internet, Web sites, or in any other format that in any case allow the obtainment of consent by unequivocal behaviors through which it is concluded that had not been sorted by the holder or the person entitled to do this, the data was not stored or captured in the database. The authorization will be requested by LBX S.A.S  prior to the processing of personal data.

Proof of authorization

LBX S.A.S  shall keep proof of the authorization granted by the holders of the personal data for its treatment, for which will use the mechanisms available  today as well as to take the necessary actions to maintain the record of the manner and date in which it obtained this. Consequently LBX S.A.S  may establish physical files or electronic repositories made directly or through contracted third parties for this purpose.

Revocation of the authorization.

The holders of the personal data may at any time revoke the authorization granted to LBX S.A.S  for the processing of their personal data or request the deletion of the same, as long as it does not prevent a legal or contractual provision.  LBX S.A.S  will establish simple mechanisms and channels that allow the holder to revoke their  authorization or request the deletion of their personal data, at least by the same means by which it was given.

For the above, it should be understood that the revocation of consent can be expressed, on the one hand, so total in connection with the purposes authorized, and therefore LBX S.A.S  shall cease any activity of the data processing; and, on the other hand, partially in relation to certain types of treatment, in which case they will be on the suspension of the activities of treatment, such as for advertising purposes, among others. Finally, LBX S.A.S , can continue to the personal data for those purposes in relation to which the holder would not have revoked their consent.

  1. TREATMENT TO WHICH THE DATA WILL BE SUBMITTED AND ITS PURPOSE

The treatment of the personal data of employees, former employees, suppliers, contractors, customers, former customers, potential customers or any person with whom LBX S.A.S  has established or establish a relationship, permanent or occasional basis, will be carried out in the legal framework that regulates the matter and by virtue of their status as an Institution of Higher Education, and will be all necessary for the fulfillment of the institutional mission. In any case, personal data may be collected and processed to:

  1. To submit information related to programs, activities, news, content by area of interest, products and other goods or services offered by LBX S.A.S .
  2. Developing the mission of LBX S.A.S in accordance with its Statutes
  3. To comply with the regulations in force in Colombia for institutions of higher education, including but not limited to any requirement of the Ministry of National Education, accrediting entities or local authorities
  4. To comply with the norms applicable to suppliers and contractors, including but not limited to the tax and commercial laws
  5. Comply with the provisions of the Colombian legal system in labor and social security, among others, apply to former employees, current employees and candidates for future employment.
  6. Conduct surveys related to the services or goods of LBX S.A.S
  7. Develop programs in accordance with its Statutes
  8. Keep in touch with former students with related professions or interests
  9. Report on employment opportunities, trade fairs, seminars or other studies at local and international level
  10. Promote research in all fields including the scientist
  11. Comply with all its contractual commitments.

For the treatment of the personal data of children and adolescents shall be in accordance with this policy in the section relating to the rights of these.

Sensitive Data

In the case of sensitive personal data, LBX S.A.S , can make use and treatment of them when:

  1. The holder has given his/her explicit authorization, except in the cases provided for by law is not required the granting of such authorization.
  2. The processing is necessary to safeguard the vital interest of the holder and he/she is physically or legally incapacitated. In these events, the legal representatives shall give their authorization.
  3. The treatment is carried out during the legitimate activities and with due guarantees by a foundation, NGO, association or any other non-profit organization, whose aim is political, philosophical, religious or trade union, provided that relate exclusively to its members or to people who maintain regular contacts due to its purpose. At these events, the data cannot be supplied to third parties without the authorization of the holder.
  4. The treatment refers to data that are necessary for the recognition, exercise or defense of a right in a judicial process.
  5. The treatment that has a historical, statistical or scientific purpose. In this event, all measures must be taken leading to the suppression of identity of the holders.

Without prejudice of  the exceptions highlighted  in the law, in the processing of sensitive data requires prior authorization, expressed  and informed of the holder, which must be obtained by any means that can be subject to consultation and subsequent verification.

  1. PRIVACY NOTICE

The Privacy Notice is the physical document, e-mail or in any other format, placed at the disposal of the holder to inform about the processing of data. Through this document it is communicated to the holder of the information related to the existence of policies of information processing of LBX S.A.S and which will be applicable, the way of accessing the same and the characteristics of the treatment of personal data.

The privacy notice must contain, as a minimum, the following information:

  1. The identity, address and contact details of the person responsible for the processing.
  2. The type of treatment which the data will be submitted and its purpose
  3. The rights of the holder.
  4. The general mechanisms provided for by the responsible for the holder policy treatment of information, and the substantial changes that occur in it. In all cases, he /she must inform the holder how to access or refer to the treatment of information.
  5. The optional character of the relative response to questions about sensitive data.
  1. GUARANTEES OF THE RIGHT OF ACCESS

To ensure the right of access of the data, LBX S.A.S  shall place at the disposal, subject to proof of their identity, legitimacy, or personality of his representative, without cost or expense of any kind, in detail and detailed information, the respective personal data through all sorts of means, including electronic media that allow the holder’s direct access to them. Such access shall be offered without any limit and must allow the holder to know them and update them on-line.

XII. PROCEDURE TO THE ATTENTION OF CLAIMS, REQUESTS FOR CORRECTION, UPDATE AND DELETION OF DATA

  1. Claims

The holder or his/her heirs who consider that the information contained in a database,  must be the subject of correction, updating or deletion, or warn the alleged breach of any of the duties contained in the law, may file a complaint with the LBX S.A.S , which will be processed under the following rules:

  1. The claim of the holder shall be made by application to LBX S.A.S to the e-mail asisgerencia@lbxconsultores.com or by written communication addressed to the Manager, with the identification of the holder, the description of the events giving rise to the claim, address, and accompanying documents that you want to enforce. If the claim is incomplete, the  interested party will be contacted within five (5) days following receipt of the claim in order that it may remedy the faults. After two (2) months from the date of the invitation, without the applicant presenting the information required, it shall be deemed to have waived the claim. If anyone who receives the claim is not competent to resolve it, it shall be transferred to the persona that it may concern in a maximum of two (2) business days and inform of the situation to the person concerned.
  2. Once complete claim is received , it will be cataloged with the label “claim in progress” and the reason for it, in a term that will not exceed two (2) business days. The label will be maintained until the claim is decided.
  3. The maximum term to meet the claim shall be fifteen (15) working days counted from the day following the date of its receipt. When it is not possible to meet the claim within such term, the official concerned shall be informed of the reasons for the delay and the date on which the claim will be attended, which in any case shall not exceed eight (8) working days following the expiry of the first term.
  1. Update request and/or rectification

LBX S.A.S  will correct and update, at the request of the holder, the information that will prove to be incomplete or inaccurate, in accordance with the procedure and the terms mentioned above, which will be taken into account:

  1. The holder shall submit the request to the following e-mail asisgerencia@lbxconsultores.comor on physical media addressed to the Institutional Marketing department indicating the update and/or rectification to perform and provide the documentation to support the request.
  2. LBX S.A.S , can enable mechanisms that will facilitate the exercise of this right to the holder, as long as there is a benefit. As a result, it will be possible to enable electronic or other means as it deems appropriate, which shall be informed in the privacy notice and will be made available on the web page.
  1. Request for deletion of data

The holder of the personal data has  the right to request to LBX S.A.S  its deletion (elimination) in any of the following events:

  1. Consider that they are not being treated in accordance with the principles, duties and obligations provided for in the current regulations.
  2. It has ceased to be necessary or relevant for the purpose for which they were collected.
  3. The period required for the fulfilment of the purpose for which they were collected was exceeded.

This suppression  involves the removal of all or part of the personal information in accordance with what was requested by the holder in the records, files, databases or treatments performed by LBX S.A.S . However, this right is not absolute and in consequence LBX S.A.S  may deny the exercise of the same when:

  1. The holder has a legal or contractual duty to remain in the database.
  2. The elimination of data hinders judicial or administrative proceedings related to tax obligations, the investigation and prosecution of criminal offenses or the updating of administrative sanctions.
  3. The data is needed to protect the legally protected interests of the holder; to perform an action in the public interest, or to comply with an obligation legally acquired by the holder.

XIII. NATIONAL REGISTRY OF DATA BASE

LBX S.A.S , reserves, in the events referred to in the law and in its statutes and regulations, the ability to maintain and catalog information that rests in their databases or data banks, such as confidential in accordance with the rules in force, the statutes and rules, all of the above and in line with the professional secrecy of counsel and the attorney- client privilege on the basis of Article 74 of the Political Constitution of Colombia, paragraph 9 of Article 28 of the 1123 Act of 2007 and other regulations that develop or modify.

LBX S.A.S , shall proceed in accordance with the applicable regulations and the regulations for that purpose issued by the Government, to perform the registration of their databases, before the National Registry of Data Base (RNBD) that will be managed by the Superintendence of Industry and Commerce. The RNBD., is the public directory of databases subject to treatment that operate in the country; and that will be of free inquiry to citizens , in accordance with the regulations for that purpose issued by the Government.

XIV. INFORMATION SECURITY

Pursuant to the principle of security established in the regulations in force, LBX S.A.S  shall adopt the necessary technical, human and administrative measures necessary in order to provide security to the records to avoid their adulteration, loss, query, use or unauthorized access or fraudulent.

  1. INTERNATIONAL USE AND TRANSFER OF PERSONAL DATA AND PERSONAL INFORMATION BY LBX S.A.S

In compliance with the values and principles of operation of LBX S.A.S , and according to the nature of permanent or occasional relations that any person holding personal data may have with  LBX S.A.S , this may make the transfer and transmission, even international, of all the personal data, as long as they comply with the applicable legal requirements; and accordingly the holders with the acceptance of the present policy, specifically authorize to transfer and transmit, even at the international level, the personal data. The data will be transferred, for all the relations that can be established with LBX S.A.S .

For the international transfer of personal data holders, LBX S.A.S  shall take the necessary measures to ensure that third parties are aware of and are committed to observing this policy, on the understanding that the personal information that they receive, may only be used for matters directly related to LBX S.A.S  and only for as long as it lasts and may not be used or intended for a different purpose or order. Observation will be held For the international transfer of personal data in regard to  article 26 of the 1581 Act of 2012.

International transmissions of personal data that LBX S.A.S , handles are not required to be reported to the holder or with his consent when there is a contract of transfer of personal data in accordance with article 25 of Decree 1377 of 2013.

LBX S.A.S , will also be able to exchange personal information with governmental authorities or other public (including, among other judicial or administrative authorities, tax authorities and research organizations criminal, civil, administrative, disciplinary and fiscal), and third participants in civil legal procedures and its accountants, auditors, lawyers and other advisors and representatives, because it is necessary or appropriate: (a) to comply with applicable laws, including the laws different from those of your country of residence; (b) to comply with legal process; (c) to respond to requests for public authorities and the government, and to respond to the requests of the public authorities and the government different from the country of residence; (d) To enforce Our terms and conditions; (e) To protect our operations; (f) to protect our rights, privacy, safety or property, yours or third parties; and (g) to obtain allowances applicable or limit the damages that we may affect.

XVI. RESPONSIBLE AND IN CHARGE OF THE PROCESSING OF PERSONAL DATA

LBX S.A.S  will be responsible for the processing of personal data.

XVII DURATION

This policy governs from September 5th of 2016.

Andrés Lobo M.

Director Partner

LBX S.A.S*************************************************************************