PERSONAL DATA PROCESSING POLICY OF BIOLÓGICOS ESTRATÉGICOS S.A.S.

 

I. IDENTIFICATION

 

In accordance with the provisions of Law 1581 of 2012 and other concordant rules, the Data Protection Policy of BIOLÓGICOS ESTRATÉGICOS S.A.S. is established:

 

BIOLÓGICOS ESTRATÉGICOS S.A.S.

T.I.N.: 830.040.462-1

WEBSITE: http://www.bioest.com.co

E-MAIL: protecciondedatospersonales@bioest.com.co

ADDRESS: Km 2.5 Vía Bogotá Siberia- Vereda Parcelas Parque Portos Sabana 80 Bodega 68. Cota- Cundinamarca.

PHONE: 57 (1) 8985160

AREA IN CHARGE: General Management.

EFFECTIVE DATE: October 20, 2016.

 

II. OBJECTIVE OF THE PERSONAL DATA PROCESSING POLICY

 

In accordance with the provisions of Articles 15 and 20 of the Political Constitution of Colombia, Law 1581 of 2012 and Decree 1377 of 2013 and other provisions regulating the protection of personal data, BIOLÓGICOS ESTRATÉGICOS S.A.S. as processor of personal data, hereby presents its personal data protection policy which aims to regulate the collection, processing, storage, protection and administration of personal data legally obtained from customers, suppliers and employees, acquired through different channels of information and stored in company databases, subject to personal data processing and protection.

 

In compliance with the above, BIOLÓGICOS ESTRATÉGICOS S.A.S. will only use the information obtained from natural or legal persons for the fulfillment of its corporate purpose and other commercial activities related to the same, in accordance with the provisions of the principle of purpose contained in paragraph b, Article 4, of Law 1581 of 2012.

 

In accordance with the regulatory framework of Habeas Data, BIOLÓGICOS ESTRATÉGICOS S.A.S. will implement confidentiality and privacy measures for the processing of personal data.

 

III. PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA

 

BIOLÓGICOS ESTRATÉGICOS S.A.S., under the provisions of Article 4 of Law 1581 of 2012, shall apply in a harmonious and comprehensive manner the principles governing the processing of personal data in the collection, handling, use, processing, storage and exchange of data, namely:

 

a) Principle of legality in data processing: The Processing referred to in the law is a regulated activity that must be subject to what is established therein and in the other provisions that develop it;

b) Principle of purpose: The Processing must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Data Subject;

c) Principle of freedom: Processing may only be carried out with the Data Subject prior, express and informed consent. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that overrides consent;

d) Principle of truthfulness or quality: The information subject to Processing must be truthful, complete, accurate, updated, verifiable and comprehensible. The processing of partial, incomplete, fractioned or misleading data is prohibited;

e) Principle of transparency: The right of the Data Subject to obtain information about the existence of data concerning him/her from the Data Controller or the Data Processor, at any time and without restrictions, must be guaranteed;

f) Principle of restricted access and circulation: Processing is subject to the limits derived from the nature of the personal data, the provisions of Law 1581 of 2012 and the Constitution. In this sense, the Processing may only be carried out by persons authorized by the Data Subject and/or by the persons provided for by law;

Personal data, except for public information, may not be made available on the Internet or other means of mass dissemination or communication, unless data access is technically controllable to provide restricted knowledge only to Data Subjects or authorized third parties in accordance with the law;

g) Security Principle: The information subject to Processing by the Controller or Processor referred to in the law, shall be handled with the technical, human and administrative measures necessary to provide security to the records, avoiding their adulteration, loss, query, use or unauthorized or fraudulent access;

h) Principle of confidentiality: All persons involved in the Processing of personal data that are not of a public nature are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks that comprise the Processing, and may only supply or communicate personal data when this corresponds to the development of the activities authorized by law and under the terms thereof.

 

IV. DEFINITIONS

 

The following outlines the definitions applicable to this policy in accordance with Article 3 of Law 1581 of 2012 and Article 3 of Decree 1377 of 2013 and Chapter 25 of Single Decree 1074 of 2015:

 

a. Authorization: Prior, express and informed consent of the Data Subject to carry out the Processing of personal data;

b. Database: Organized set of personal data that is subject to Processing;

c. Personal data: Any information linked or that can be associated to one or several determined or determinable natural persons;

d. Processor: Natural or legal person, public or private, that by itself or in association with others, performs the Processing of personal data on behalf of the Controller;

e. Controller: Natural or legal person, public or private, who by himself or in association with others, decides on the database and/or the Processing of the data;

f. Data Subject: Natural person whose personal data is the object of Processing;

g. Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or erasure.

h. Privacy Notice: Verbal or written communication generated by the Controller, addressed to the Data Subject for the Processing of his personal data, by means of which he is informed about the existence of the information processing policies that will be applicable to him, the way to access them and the purposes of the Processing that is intended to be given to the personal data.

i. Public data: Data that is not semi-private, private or sensitive. Data related to the marital status of individuals, their profession or trade and their status as merchants or public servants, among others, are considered public data. By their nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins and duly executed court rulings that are not subject to confidentiality.

j. Sensitive Data: Sensitive data are understood to be those that affect the privacy of the Data Subject or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights organizations or organizations that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.

k. Transfer: The transfer of data takes place when the Controller and/or Processor of personal data, located in Colombia, sends the information or personal data to a recipient, which in turn is the Controller and is located inside or outside the country.

l. Transmission: Processing of personal data that involves the communication of such data within or outside the territory of the Republic of Colombia when its purpose is the performance of a Processing by the Processor on behalf of the Controller.

 

V. SPECIAL DATA CATEGORIES

 

For the purposes of this policy and in the context of the Habeas Data regulatory framework, special categories of data will be considered:

 

i. Sensitive data. In accordance with the Habeas Data Law, sensitive data are understood to be those that affect the privacy of the Data Subject or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights organizations or organizations that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.

 

ii. Processing of sensitive data. The Processing of sensitive data is prohibited, except when:

 

a) The Data Subject has given his/her explicit authorization to such Processing, except in those cases in which by law the granting of such authorization is not required;

b) The Processing is necessary to safeguard the vital interest of the Data Subject and the Data Subject is physically or legally incapacitated. In these events, the legal representatives must give their authorization;

c) The Processing is carried out in the course of legitimate activities and with due guarantees by a foundation, NGO, association or any other non-profit organization, whose purpose is political, philosophical, religious or trade union, provided that they relate exclusively to its members or to persons who maintain regular contacts by reason of their purpose. In these events, the data may not be provided to third parties without the authorization of the Data Subject;

d) The Processing refers to data that are necessary for the recognition, exercise or defense of a right in a judicial proceeding;

e) The Processing has a historical, statistical or scientific purpose. In this event, the measures leading to the erasure of the identity of the Data Subjects shall be adopted.

 

VI. LEGAL CONDITIONS FOR DATA PROCESSING

 

For the processing of personal data, BIOLÓGICOS ESTRATÉGICOS S.A.S. assumes as legal conditions for the data processing of data subjects the following:

 

i. Data Subject Authorization

 

For the processing of personal data, BIOLÓGICOS ESTRATÉGICOS S.A.S. will require the Data Subject prior and informed authorization, which may be obtained through any of the communication channels indicated in this personal data policy that may be queried later and that is easy to read, without technical barriers that prevent its access and that correspond in its entirety to that which is contained in the database.

 

In order to comply with the aforementioned, BIOLÓGICOS ESTRATÉGICOS S.A.S. has established channels for inquiries and news such as:

1. Querying and updating personal data.

2. Data query request

These channels are:

1. Website: http://www.bioest.com.co

2. E-mail: protecciondedatospersonales@bioest.com.co

3. Service Hotline: 57 (1) 8985160

4. Personalized service: Km 2.5 Vía Bogotá Siberia- Vereda Parcelas Parque Portos Sabana 80 Bodega 68. Cota- Cundinamarca.

Notwithstanding the foregoing, the Data Subject authorization shall not be necessary in the case of:

a) Information required by a public or administrative entity in the exercise of its legal functions or by court order;

b) Data of a public nature;

c) Cases of medical or sanitary emergency;

d) Processing of information authorized by law for historical, statistical or scientific purposes;

e) Data related to the Civil Registry of Persons.

 

ii. Duty to inform the Data Subject.

 

When authorization is requested for the processing of data, BIOLÓGICOS ESTRATÉGICOS S.A.S. shall inform the data subject in a clear and express manner of the information described above, among others:

a) The Processing to which your personal data will be subjected and its purpose;

b) The optional nature of the answer to the questions asked, when they deal with sensitive data or with the data of children and adolescents;

c) The rights you have as Data Subject;

d) The identification, the physical or electronic address and telephone number of the Controller.

A copy of the above will be provided upon request by the Data Subject and proof of compliance shall be retained.

iii. Provision of information

BIOLÓGICOS ESTRATÉGICOS S.A.S. will only provide information as long as the persons requesting it meet the following conditions:

a) To the Data Subjects, their successors in title or their legal representatives;

b) To public or administrative entities in the exercise of their legal functions or by court order;

c) To third parties authorized by the Data Subject or by law.

 

VII. DUTIES OF BIOLÓGICOS ESTRATÉGICOS

 

In accordance with the provisions of Article 17 of Law 1581 of 2012, BIOLÓGICOS ESTRATÉGICOS S.A.S. assumes the following duties as the party responsible for the processing of personal data:

 

a) Ensure the Data Subject, at all times, the full and effective exercise of the right of habeas data;

b) Request and keep, under the conditions provided by law, a copy of the respective authorization granted by the Data Subject;

c) Duly inform the Data Subject about the purpose of the collection and the rights he/she is entitled to by virtue of the authorization granted;

d) Keep the information under the necessary security conditions to prevent its adulteration, loss, query, use or unauthorized or fraudulent access;

e) Ensure that the information provided to the Processor is truthful, complete, accurate, updated, verifiable and comprehensible;

f) Update the information, communicating in a timely manner to the Processor all developments with respect to the data previously provided and take other necessary measures to ensure that the information provided to is kept up to date;

g) Rectify the information when it's incorrect and make the relevant notification to the Processor;

h) To provide to the Processor, as the case may be, only data whose Processing is previously authorized in accordance with the provisions of the Habeas Data Law;

i) To demand from the Processor, at all times, adherence for the security and privacy conditions of the Data Subject's information;

j) To process queries and complaints formulated under the terms set forth in the Habeas Data Law;

k) Adopt an internal manual of policies and procedures to ensure proper compliance with Law 1581 of 2012 and, in particular, for the handling of queries and complaints;

l) Inform the Processor when certain information is under discussion by the Data Subject, once the complaint has been filed and the respective process has not been completed;

m) To inform, upon request of the Data Subject, about the use given to his/her data;

n) Inform the data protection authority when there are violations to the security codes and there are risks in the administration of the data subjects' information.

o) Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

 

In compliance with the above, BIOLÓGICOS ESTRATÉGICOS S.A.S. shall require for the collection, storage, use, circulation or erasure of personal data the free, express and informed consent of the Data Subject.

 

VIII. Privacy Notice

 

Following the principle of purpose established in the Habeas Data Law, the data delivered to BIOLÓGICOS ESTRATÉGICOS S.A.S. will be part of our database and will be used for the fulfillment of commercial activities, making available to the Data Subject the personal data processing policy.

 

Clarifying that in the cases in which it's not possible to comply with this requirement, BIÓGICOS ESTRATÉGICOS S.A.S. will inform by means of a PRIVACY NOTICE to the Data Subject of the personal data, about the existence of such policies and how to access them, in a timely manner and in any case no later than the time of collection of the personal data.

 

In this sense, the minimum scope and content of the privacy notice shall be:

 

1. Name or company name and contact details of the Controller.

2. The Processing to which the data will be subjected and its purpose.

3. The rights of the Data Subject.

4. The mechanisms provided by the controlling party for the Data Subject to get to know the information processing policy and the substantial changes that occur in it or in the corresponding Privacy Notice.

 

Nevertheless, BIOLÓGICOS ESTRATÉGICOS S.A.S. shall inform the Data Subject how to access or query the information processing policy or personal data processing.

 

Thus, in compliance with the legal mandate, it has been contemplated in this policy that personal data are the property of the persons to whom they refer, and that only they can decide about them.

 

IX. RIGHTS OF PERSONAL DATA SUBJECTS

 

In accordance with the provisions of the Habeas Data Law and other regulatory standards, the Data Subject of the personal data has the following rights:

 

a) To know, update and modify their personal data before the Controllers or Processors. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or data whose Processing is expressly prohibited or has not been authorized;

b) Request proof of the authorization granted to the Controller, aside from when expressly exempted as a requirement for the Processing, in accordance with the provisions of Article 10 of the Habeas Data Act.

c) To be informed by the Controller or the Processor, upon request, regarding the use made to their personal data;

d) File complaints before the Superintendence of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and other regulations that modify, add or complement it;

e) To revoke the authorization and/or request the data erasure when the Processing does not respect the constitutional and legal principles, rights and guarantees. The revocation and/or erasure will proceed when the Superintendence of Industry and Commerce has determined that the Controller or Processor has incurred in conduct contrary to this law and the Constitution;

f) Free of charge access to your personal data that have been subject to Processing.

 

X. PROCEDURES FOR THE PROCESSING OF PERSONAL DATA

 

In order to protect and maintain the confidentiality of the Personal Data of the Data Subjects or their successors, the procedures applicable by BIOLÓGICOS ESTRATÉGICOS S.A.S. to exercise their rights to know, update, rectify and erase information and/or submit queries, complaints or claims, will be:

 

1. Queries

 

BIOLÓGICOS ESTRATÉGICOS S.A.S. will provide, through any of the communication channels indicated in this personal data policy, the information contained in its databases and which is linked to the identification of the Data Subjects or their successors, by keeping proof of this information.

 

The query will be answered within a maximum term of ten (10) working days from the receipt date. When it's not possible to answer the query within said term, the Data Subject shall be informed, stating the reasons for the delay and indicating the date on which the query will be attended, which in no case may exceed five (5) working days following the expiration of the first term.

 

2. Claims

 

The Data Subject or his successors who consider that the information contained in the database(s) of BIOLÓGICOS ESTRATÉGICOS S.A.S. should be corrected, updated or erased, or when they notice the alleged law breach, they may file a claim through any of the communication channels indicated in this personal data policy, which will be processed under the following rules:

1. The claim shall be made by means of a request directed to BIOLÓGICOS ESTRATÉGICOS S.A.S. and shall contain: i. Identification of the Data Subject; ii. Description of the facts giving rise to the claim; iii. Address of the Data Subject; iv.Documents to be used in the claim

2. If the claim is incomplete, the Data Subject will be required within five (5) days following receipt of the claim to correct the faults.

3. If two (2) months have elapsed from the date of the request without the applicant submitting the required information, it shall be understood that the claim has been withdrawn.

4. In the event that the person who receives the claim is not competent to handle it, he/she will transfer it to the appropriate person within a maximum term of two (2) working days and will inform the Data Subject of the situation.

5. Once the complete claim has been received, a legend will be included in the database stating "claim in process" and the reason for the claim, within a term not exceeding two (2) working days. Said legend shall be maintained until the claim is settled.

6. The maximum term to address the claim will be fifteen (15) working days from the day following the date of receipt. When it's not possible to attend the claim within said term, the Data Subject will be informed of the reasons for the delay and the date on which the claim will be addressed, which in no case may exceed eight (8) working days following the expiration of the first term.

 

3. Procedure requirement

 

When the Data Subject or successor wants to make a complaint to the Superintendence of Industry and Commerce for the processing of personal data by BIOLÓGICOS ESTRATÉGICOS S.A.S., you must have first made the query or complaint process to the company.

 

4. Right to update, rectification and erasure

 

The Data Subjects of the Personal Data or successors, may at any time, request to BIOLÓGICOS ESTRATÉGICOS S.A.S. the update, rectification or erasure of your data and/or revoke the authorization of the data processing, by submitting a claim to any of the communication channels indicated in this policy. The claim must indicate the facts that give rise to the claim, the physical address or e-mail address where the response will be notified, as well as the documents that you want to assert in the claim.

 

The foregoing, taking into account that the personal data contained in the databases must be accurate and sufficient, thereby guaranteeing the right of the Data Subject or successors to update, rectify or erase their information.

 

However, the request for information erasure and the revocation of the authorization will not proceed when the Data Subject has a legal or contractual duty to remain in the database.

 

BIOLÓGICOS ESTRATÉGICOS S.A.S. makes available to the Data Subject, free and easily accessible mechanisms to submit the request for data erasure or revocation of the authorization granted.

 

If the respective legal term has expired and the personal data has not been erased, the Data Subject shall have the right to request the Superintendence of Industry and Commerce to order the revocation of the authorization and/or the personal data erasure.

 

BIOLÓGICOS ESTRATÉGICOS S.A.S. shall apply the procedure described in Article 22 of Law 1581 of 2012. Establishing the technical, human and administrative measures necessary to provide security to the records, avoiding loss, adulteration, query, use or unauthorized or fraudulent access.

 

XI. TRANSMISSION AND TRANSFER OF PERSONAL DATA

 

For the transmission and transfer of personal data, the rules established in Law 1581 of 2012 shall apply:

 

1. International transfers of personal data shall observe the provisions of Article 26 of Law 1581 of 2012.

2. International transfers of personal data that are made between a controller and a processor to enable the processor to carry out processing on behalf of the controller shall not require the Data Subject to be informed or to have his or her consent.

3. For the transfer of personal data, a contract for the transfer of personal data must be signed, stating the scope of the processing, the activities that the Processor will perform on behalf of the Controller for the processing of personal data and the obligations of the Processor towards the Data Subject and the Controller. By means of such contract, the Processor will commit to implement the obligations of the Controller under the information processing policy established herein, and to carry out the Data Processing in accordance with the purpose authorized by the Data Subjects and with the applicable laws.

 

In addition to the obligations listed above, the following obligations shall apply to the respective Processor in the contract:

 

a) To Process, on behalf of the Controller, the personal data in accordance with the principles that protect them.

b) To safeguard the security of databases containing personal data.

c) To keep confidentiality with respect to the processing of personal data.

 

XII. NATIONAL REGISTRY OF DATABASES

 

BIOLÓGICOS ESTRATÉGICOS S.A.S., will catalog the information contained in its databases, which will be registered and updated in the National Registry of Databases - RNBD of the Superintendence of Industry and Commerce; being subject to data processing as well as this policy.

 

The policy of BIOLOGICOS ESTRATÉGICOS S.A.S. for the processing of personal data will be published on its website and is effective as of the date set forth herein.

 

GENERAL MANAGEMENT

BIOLÓGICOS ESTRATÉGICOS S.A.S.