Personal data handling policy – Pepa Pombo US

PERSONAL DATA HANDLING POLICY

CONFECCIONES E INVERSIONES PEPA S.A.

 

Article 15 of the Colombian Constitution established the right to protection of personal data as the right of every person to know, update, rectify and/or cancel the information and personal data collected and/or handles in public or private databases.

Law 1581 of October 17, 2012 regulated this right by establishing the General Provisions for the Protection of Personal Data in Colombia, also regulated by Decrees 1377/2013 and 886/2014 (today incorporated in sole Decree 1074/2015), among others.

In compliance with its obligation under these provisions of law CONFECCIONES E INVERSIONES PEPA SA, guarantees the constitutional right of all to know, update, rectify, delete and revoke the authorization regarding the information collected about them in the databases that the Entity, has compiled for the purposes provided in the Law and the respective authorizations which have been handled in accordance with the provisions of the Personal Data Protection Law and its regulatory decrees.

For this purpose, CONFECCIONES E INVERSIONES PEPA SA has prepared this POLICY FOR THE HANDLING OF PERSONAL DATA, the application and observation of which is mandatory for all individuals and legal entities who have their personal data registered and handled in the databases of CONFECCIONES E INVERSIONES PEPA SA, in order to provide the necessary guidelines for compliance with legal obligations regarding the protection of personal data.

CONFECCIONES E INVERSIONES PEPA SA, informs all interested parties that the personal data obtained in the course of its business will be handled in accordance with the principles and duties defined in Law 1581/2012 and other regulations that concern themselves with this matter and regulate it. For all pertinent purposes, the domicile of CONFECCIONES E INVERSIONES PEPA S.A, will be Carrera. 14 # 83 – 46, Bogotá telephone: (57) 601 236 5958 Ext. 14 email: jose@pepabombo.com and page https://wwwpepapombo.com.

 2. OBJECTIVE.

OBJECTIVE: To set the criteria for collection, storage, use, circulation and deletion in order to enable the relevant steps to be taken in the course the Company´s business, in relation to the performance of its contract with the Holder of the personal data handled by CONFECCIONES E INVERSIONES PEPA SA

3. ADDRESSES

This policy will apply to all databases, both physical and digital, that contain personal data and that are handled by CONFECCIONES E INVERSIONES PEPA S.A., as data controller. Likewise, in those cases in which the Company acts as data handler.

This policy is mandatory, to be known and observed by all individuals and legal entities responsible for the administration of personal databases of CONFECCIONES E INVERSIONES PEPA S.A. - especially the administrators of the management of CONFECCIONES E INVERSIONES PEPA S.A. databases. and by those employees and contractors who directly or indirectly receive, attend to and execute acts and contracts that link the Holders of the information to CONFECCIONES E INVERSIONES PEPA SA, and of those who, attend to the requests, inquiries or claims concerning information related to those of personal data.

4. SCOPE

This Policy is intended to provide an expeditious and legal process to the different requests and claims made by the Holders of the Data, their heirs and another person who has the proper authorization.

This Policy also complies with the requirements of current regulations on the Protection of Personal Data. 

This Policy provides due protection to the interests and needs of the Holders of the Personal Information processed by CONFECCIONES E INVERSIONES PEPA S.A.

5. GLOSSARY

The following definitions will apply to the development, interpretation and implementation of current law and rules and regulations,. They are taken from current regulations, and will be used in a harmonious and comprehensive manner.

AREA RESPONSIBLE FOR ATTENTION TO REQUESTS, COMPLAINTS, CLAIMS AND INQUIRIES: Requests, complaints, claims and inquiries made by Holders of data will be handled by the Customer Service Office of CONFECCIONES E INVERSIONES PEPA S.A.

AREA RESPONSIBLE FOR DATA PROTECTION: It is the area within CONFECCIONES E INVERSIONES PEPA S.A., whose function is to monitor and control the application of the Personal Data Protection Policy and the implementation of the Comprehensive Personal Data Protection Program.

CONFIDENTIALITY: An element of information security element that enables a definition of who may access data and under what circumstances.

DATA HANDLING ADMINISTRATOR:  An individual or public or private  legal entity, acting alone or in association with others, that performs the handling of personal data on behalf of the Data Handling  Controller. CONFECCIONES E INVERSIONES PEPA S.A. acts as the Data Handling Administrator in cases where, alone or in association with others, it handles personal data on behalf of a Data  Handling Controller.

DATA HANDLING CONRTOLLER: An individual or public or private legal entity acting alone or in association with others, that takes decisions on the database and/or the Handling of data. CONFECCIONES E INVERSIONES PEPA S.A acts as the Data Handling Controller with respect to all personal data on which it takes direct decisions in the course of its business.

DATA QUALITY: The personal data submitted to handling must be: truthful, complete, accurate, updated, verifiable and understandable. When in possession of partial, incomplete, fragmented or misleading personal data, CONFECCIONES E INVERSIONES PEPA S.A must refrain from handling it, or request the Holder to complete or correct the information.

DATABASE: An organized set of Personal Data that will be handled; includes physical and electronic files.

DIGITAL INFORMATION: All information that is stored or transmitted by electronic and digital means such as email or other information systems.

HANDLING: Any operation or set of operations on Personal Data executed by CONFECCIONES E INVERSIONES PEPA S.A or the Data Handling Administrators, such as collection, storage, use, circulation or deletion.

HOLDER: An individual whose personal data are subject to Handling. 

PERSONAL DATA: Any information linked to or associable with one or more specific or determinable individuals Therefore, “personal data” should be understood as information related to an individual.

PUBLIC DATA: Data that are not semi-private, private or sensitive. Public data include amongst others, data related to the marital status of individuals, their profession or trade and their status as a merchant or public servant. By their nature, public data may be contained, among others, in public records,  public documents, official gazettes and bulletins and enforceable court decisions not subject to restriction.

 RESTRICTED ACCESS: Level of access to information limited by previously defined parameters. CONFECCIONES E INVERSIONES PEPA S.A will not make Personal Data available for access through the Internet or other means of mass communication.

RESTRICTED CIRCULATION: Personal data will only be handled by the personnel of CONFECCIONES E INVERSIONES PEPA S.A or those whose functions include such activities. Personal Data may not be delivered to those who do not have authorization or have not been enabled by CONFECCIONES E INVERSIONES PEPA S.A, to handle them.

RIGHTS OF CHILDREN AND ADOLESCENTS: The handling of date will ensure respect for the prevailing rights of children and adolescents. Only data that is of a public nature may be handled.

SEMI-PRIVATE DATA: Information that is not of an intimate, restricted or public nature and whose knowledge or disclosure may be of interest not only to its Holder but also to a certain sector or group or to society in general, as is the case of financial data, credit information or business activities

SENSITIVE DATA: Data that affect the privacy of the owner or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership of labor unions, social or human rights organizations or organizations that promote the interests of a political party or that guarantee the rights and guarantees of opposition political parties; data related to health and sexual life; and biometric data.

6. GUIDING PRINCIPLES

the following principles will be applied in a harmonious and comprehensive manner in the development, interpretation, and application of current law, regulations, rules and regulations:

 

Principle of Legality in Matters of Data Handling: Date Handling is a regulated activity, subject to the provisions of Law 1581 of October 17, 2012, its  regulatory decrees and subsequent developments, supplements  and amendments.

Principle of Purpose: Data Handling must have a legitimate purpose in accordance with the Constitution and the Law, and the must be informed of that purpose.

Principle of Freedom: Data Handling may only be exercised with the prior, express and informed consent of the Holder. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a mandate of the law or the courts that relieves consent.

Principle of Veracity or Quality: The Data subject to Handling must be true, complete, exact, updated, verifiable and understandable. The Handling of partial, incomplete, fragmented or misleading Data is prohibited.

Principle of Transparency: In matters of Data Handling, the Owner must be guaranteed  the right to obtain information about the existence of Data that concern him or her from the Data Handling Controller or the Data Handling Administrator, at any time and without restriction..

Principle of Access and Restricted Circulation: Data Handling is subject to the limits derived from the nature of the personal data, and the provisions of the law and the Constitution. In this sense, Data Handling may only be effected by persons authorized by the Holder and/or by other persons provided for in the law.

Personal data, except for public information, may not be made available on the Internet or other means of disclosure or mass communication, unless access is technically controllable to provide restricted knowledge only to the Holders or authorized third parties.

Principle of Security: The Data subject to Handling by the Data Handling Controller or the Data Handling Administrator referred to in the law, must be handled with the technical, human and administrative measures that are necessary to provide security to the records, avoiding adulteration, loss, or unauthorized or fraudulent consultation, use or access.

Principle of Confidentiality: All officers and contractors involved in Data Handling who are not of a public nature are obliged to guarantee the confidentiality of the Data, even after the end of their relationship with any of the tasks included in Data Handling; and may only supply or communicate personal data when this corresponds to the activities authorized by law and in the terms thereof. CONFECCIONES E INVERSIONES PEPA SA, undertakes to handle the Personal Data of the Holders as defined in Article 3(g)  of Law 1581/2012 in an absolutely confidential manner, using them exclusively for the purposes indicated in the previous section, and provided that the Holder has not objected to that Handling. CONFECCIONES E INVERSIONES PEPA S.A informs that it has implemented the necessary technical and organizational security measures that guarantee the security of their personal data and prevent its alteration, loss, and/or unauthorized handling or access.

Principle of temporality: Personal Data will be kept only for a time that is  reasonable and necessary to fulfil the purposes that justified their handling, taking into account the provisions of law applicable to the matter and the administrative, accounting, fiscal, legal and historical aspects of information. The data will be kept when necessary to comply with a legal or contractual obligation. The Data will be deleted when the purpose of the handling and the terms established above have expired.

Comprehensive interpretation of constitutional rights: The rights will be interpreted in harmony and balance with the right to information provided for in Article 20 of the Constitution and with the applicable constitutional rights.

Principle of Need: The Personal Data handled must be strictly necessary to the purposes of the database.

7. SPECIAL CATEGORIES OF DATA

7.1. SENSITIVE DATA

Sensitive Data are understood to be those that affect the privacy of the Holder or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership of labor unions, social or human rights organizations or those that promote the interests of a political party or uphold the rights and guarantees of opposition political parties; and data related to health and sexual life; and biometric data.

 7.1.1 PROCESSING OF SENSITIVE DATA

The processing of sensitive data is prohibited, except when:

1. a) The Holder has given his explicit authorization to said Treatment, except in cases where the granting of said authorization is not required by law.

2. b) The Treatment is necessary to safeguard the vital interest of the Holder and he is physically or legally incapacitated. In these events, the legal representatives must grant their authorization.

3. c) The Treatment refers to data that is necessary for the recognition, exercise or defense of a right in a judicial process.

4. d) The Treatment has a historical, statistical or scientific purpose. In this event, measures to suppress the identity of the Holders must be adopted.

 

7.1.2 SPECIAL AUTHORIZATION OF SENSITIVE PERSONAL DATA

CONFECCIONES E INVERSIONES PEPA S.A, will inform all its owners through the various means of obtaining authorization, that by virtue of Law 1581/2012 and regulations, they are not obliged to grant authorization for the processing of sensitive data.

In the event of processing data related to health, CONFECCIONES E INVERSIONES PEPA S.A, will implement the necessary measures to protect the confidentiality of the information. The sensitive biometric data processed are intended to identify individuals, security, compliance with legal obligations and the proper provision of products.

7.2 RIGHTS OF CHILDREN AND ADOLESCENTS

The treatment of personal data of children and adolescents is prohibited, except for public data, and when their handling complies with the following parameters and/or requirements:

-That they respond to and respect the best interests of children and adolescents.

-That they respect their fundamental rights.

If these requirements have been met, the legal representative of the children or adolescents will grant authorization, after the minors exercise their right to be heard, and their  opinion will be valued in the light of their maturity, autonomy and ability to understand the matter.

 8. DATA HANDLING AND PURPOSE.

The handling of Data by CONFECCIONES E INVERSIONES PEPA S.A., when consisting of personal data collected from individuals in the normal course of business at the time of forming personal relationships, contracting with suppliers, contracting services, making purchases, contacting clients, making sales , sending quotations, granting credit, in short, engaging in the normal course of business, are held and handled in databases intended for legitimate purposes and complying with the Constitution and the law: The following purposes are included:

8.1. CUSTOMERS AND VISITORS

8.1.1. To take appropriate steps for the furtherance of Company business in relation to performance of the contract entered into with the Data Holder.

8.1.2. To manage procedures (requests, complaints, claims).

8.1.3. To provide contact information to the salesforce and/or distribution network, telemarketing, market research and any third party with whom CONFECCIONES E INVERSIONES PEPA SA has a contractual relationship for engagement in activities of this type (market research and telemarketing, etc.), for the execution of the same.

8.1.4. To contact the Holder by phoned to conduct surveys, studies and/or confirmation of personal data necessary for the furtherance of a contractual relationship.

8.1.5. To contact the Holder through electronic channels – SMS or chat - to send news related to loyalty campaigns or service improvement.

8.1.6. To email the Holder sending bills, account statements or invoices in relation to the obligations arising from the contract between the parties.

8.1.7. To make invitations to events and offer new products and services.

8.1.8. To manage supplier and/or contractor information in relation to and services defined in their respective links with the Company, provided that  is strictly necessary.

8.1.9. To submit reports to external entities, such as the tac authority DIAN, the Superintenden cy of Corporations, the statistical bureau  DANE, among others, in compliance with legal requirements and required statistical analysis.

8.1.10. To manage the information needed to comply with tax, contractual and commercial obligations and commercial, corporate and accounting records.

 8.1.11. To provide the information to third parties with whom CONFECCIONES E INVERSIONES PEPA S.A. has a contractual relationship and to whom it needs to deliver that information in order to achieve the purpose of the contract..

8.1.12. To enhance initiatives for the promotion of offers of services and the updating of the Company's products.

8.1.13. Other purposes determined in the process of obtaining Personal Data for handling, and in any case in accordance with the law and within the framework of the furtherance of the corporate business of CONFECCIONES E INVERSIONES PEPA S.A.

8.2. SHAREHOLDERS AND EMPLOYEES

8.2.1. To act as required to comply with the legal obligations in relation to the employees and former employees.

8.2.2. To control compliance with requirements related to the Social Security System.

8.2.3. To publish the corporate directory for contact with employees.

8.2.4. In the case of biometric data captured through video surveillance or recording systems, their treatment will have the purpose of identification, security and the prevention of internal and external fraud.

8.2.5. The Personal Data of minors will be handled to comply with legal obligations.

8.2.6. In the case of participants in employee selection processes, the personal data processed will have the purpose of advancing the selection processes; CVs will be managed guaranteeing the principle of restricted access.

8.2.7. To inform and communicate general information about Company matters by the means and in the form considered convenient.

8.2.8. To manage the Company´s budget chain: payments, the issue of certificates of earnings and withholdings (individuals and legal entities) and lists of payments.

8.2.9. To manage the Company´s accounting processes.

8.3. SUPPLIERS/CONTRACTORS

8.3.1. For all purposes related to the object of the selection, contracts or related processes.

8.3.2. To perform all internal procedures and comply with accounting, tax and legal obligations.

 8.3.3. To manage the Company budget chain: payments, issue of income and withholding certificates (individuals and legal entities) and lists of payment.

8.3.4. To manage the Company accounting process.

8.3.5. To act as required in performing stages of contracts and relations with suppliers and contractors.

8.3.6. To issue contractual certifications requested by the Company´s  contractors or requests from the supervisory authorities.

8.3.7. To maintain an updated file that provides information about each contract.

8.3.8. Other purposes determined in the process of obtaining Personal Data for handling and in any case a required by law  and in the context of the normal course of the corporate Company business  of CONFECCIONES E INVERSIONES PEPA S.A.

9. NAVIGATION DATA.

The software navigation system necessary for the operation of the website of CONFECCIONES E INVERSIONES PEPA S.A, collects some personal data whose transmission is implicit in the use of internet protocols.

10. RIGHTS OF HOLDERS

As the Holder of your personal data, you have the right:

10.1. To free access to the data provided and handled.

10.2. To know, update and correct your information against partial, inaccurate, incomplete, fragmented or misleading Data, or Data whose handling is prohibited or has not been authorized.

10.3.To request proof of authorization granted.

10.4. To submit complaints for violations of the provisions of current regulations to the Superintendency of Industry and Trade (SIC).

10.5. To revoke the authorization and/or request the deletion of the Data, provided that there is no legal or contractual duty that prevents their deletion.

10.6. To refrain from answering questions about sensitive data. The answers that deal with sensitive data or data of children and adolescents will be optional. (Article 8, Law 1581/2012, Art. 21 and 22 Decree 1377/2013).

8.2. SHAREHOLDERS AND EMPLOYEES

8.2.1. To act  as required to comply with the legal obligations in relation to the employees and former employees.

8.2.2. To control compliance with requirements related to the Social Security System.

8.2.3. To publish the corporate directory for the purpose of employee contact.

8.2.4. In the case of biometric data captured through video surveillance or recording systems, their handling will have the purpose of identification, security and the prevention of internal and external fraud.

8.2.5. The Personal Data of minors will be handled in order to comply with legal obligations.

8.2.6. In the case of participants in employee selection processes, the Personal Data processed will have the purpose of furthering the selection process; CVs will be managed guaranteeing the principle of restricted access.

8.2.7. To inform and communicate the general information about Company events by the means and in the manner considered convenient.

8.2.8. To manage the Company budget chain: payments, issue of certificates of income and  withholdings (individuals and legal entities) and payment relationships.

8.2.9. To manage the Company  accounting process.

Paragraph: The rights of the owners may be exercised by:

-The Holder, who must sufficiently prove identity through any of the means made available by the Data Handling Administrator.

- By their successors in title, who must prove that status.

- By the representative and/or proxy of the Holder, subject to accreditation of the representation or power of attorney.

- By order of a judicial or administrative authority.

11. ATTENTION TO PETITIONS, INQUIRIES AND CLAIMS

The Customer Service Area of ​​CONFECCIONES E INVERSIONES PEPA S.A., is the unit responsible for processing the requests of Holders to make their rights effective.

The Data Holder may exercise a claim to rights over Data, by writing to CONFECCIONES E INVERSIONES PEPA SA, at email: jose@pepapombo.com, indicating in the Subject: “Exercise of the right to access or consultation ”, or through postal mail, sent to Carrera 14 # 83 – 46, Bogotá D.C. The request must contain the following data:

a) Full name of the Holder;

b) Photocopy of the Holder's citizenship card, and a copy of the citizenship card of the person who represents him, together with the appropriate document that proves the representation;

c) Clear and specific request, object of the request for access or consultation;

d) Address for service of notices, date and signature of the applicant;

 e) Documents supporting the application, when applicable.

 

The Data Holder may choose any of the forms of consultation of the database to receive the required information:

1) Screen display;

2) In writing, with a copy or photocopy sent by post;

3) Email, Whatsapp or other electronic means.

 

Business hours: Customer service hours are: Monday through Friday from 9:00 a.m. to 4:00 p.m.

Time to Complete the Request: Once the request is received CONFECCIONES E INVERSIONES PEPA S.A., will reply  to the consultation within a maximum period of ten  business days, counted from the day following the date of receipt. When it is not possible to attend to the matter within that term, the interested party will be informed, stating the reasons for the delay and indicating the date on which their inquiry will be attended to, which in no case may be more than five  business days following the expiry of the first term. (Article 14, Law 1581/2012).

If the terms indicated by Law 1581/2012 as otherwise regulated or complemented have elapsed, a Holder who is denied the exercise of all or part of the right of access, update, correction, deletion and revocation may report his case to the Superintendency of Industry and Trade –Department for the Protection of Personal Data-.

12. INFORMATION SECURITY.

CONFECCIONES E INVERSIONES PEPA S.A., guarantees the use of technical, human and administrative measures necessary to provide security to personal data and other information subject to treatment, avoiding adulteration, loss, or unauthorized consultation or use or fraudulent access.

13. DUTIES OF THE DATA HANDLING ADMINISTRATOR AND DATA HANDLING CONTROLLER 

13.1. DUTIES OF THE DATA HANDLING CONTROLLER

CONFECCIONES  E INVERSIONES PEPA S.A. As the Data Handling Controller has the following duties, in addition to others required by law and regulation for its:

13.1.1. To guarantee the Holder, at all times, the full and effective exercise of the right of habeas data.

13.1.2. To request and keep a copy of the authorization granted by the Holder as required by law.

13.1.3. To inform the Holder of the purpose of Data  collection and the rights the Holder has by virtue of the authorization granted.

13.1.4. To keep the information under the conditions of  security conditions needed to prevent its adulteration, loss, or unauthorized consultation or use or fraudulent access.

13.1.5. To guarantee that the information provided to the Data Handling Administrator is true, complete, accurate, updated, verifiable and intelligible.

13.1.6. To update the information, promptly communicating all changes to Data provided and adopt the other necessary measures so that the information provided is kept up to date.

 13.1.7. To correct the information when it is incorrect and to communicate related requirements to the Data Handling Administrator.

13.1.8. To provide the Data Handling Administrator, (if any), as the case may be, only Data whose Handling has previously been authorized in accordance, as required by law.

13.1.9. To require the Data Handling Administrator, (if any) at all times, respect for the conditions of security and privacy of the Holder's information.

13.1.10. To process inquiries and claims received in the terms indicated in the law.

13.1.11. To adopt specific procedures to guarantee adequate compliance with the law and, in particular, for dealing with inquiries and claims.

13.1.12. To inform the Data Handling Administrator when certain information has been challenged by the Holder, once the claim has been submitted and until the appropriate procedure has been completed.

13.1.13. To inform the Holder of the use of his Data on request.

13.1.14. To inform the data protection authority when there are violations of the security codes and there are risks that the administration of the Holders' information may be compromisd.

 

13.2 DUTIES OF THE DATA HANDLING ADMINISTRATOR

The Data Handling Administrator, where CONFECCIONES E INVERSIONES PEPA S.A., acts as Administrator, will have the following duties, in additions¿ to others required by law or regulations applicable to its activities:

13.2.1 To guarantee the Holder, at all times, the full and effective exercise of the right of habeas data.

13.2.2 To keep the information under the necessary conditions of security to prevent adulteration, loss, or unauthorized consultation or use or fraudulent access. The Controller must comply with the minimum security conditions defined in the National Registry of Databases, which can be consulted at: https://www.pepapombo.com

13.2.1. To implement updates, corrections or deletions of data promptly as required by Law 1581/2012 and other current regulations applicable.

13.2.2. To update the information reported by the  Data Handling Controller within five business days from its receipt.

13.2.3. To process inquiries and claims made by Holders in the terms indicated in this Policy.

13.2.4. To adopt an internal Manual of policies and procedures to guarantee adequate compliance with the law and, in particular, for attending to inquiries and claims by Holders.

13.2.5. To record "Claim in process" entries in the database as regulated by law.

13.2.6. To insert "Information under judicial discussion" entries in the database when a competent authority serves notice of  a judicial processes related to the quality of personal data.

13.2.7. To refrain from circulating information disputed by the Holder and blocked by order of the Superintendency of Industry and Trade.

13.2.8. To allow access to information only to those entitled to access it.

13.2.9. To inform the Superintendence of Industry and Trade of when security codes have been breached and there are risks to the administration of Holders´ Data.

13.2.10. To comply with the instructions and requirements of the Superintendency of Industry and Trade.

13.2.11. To verify that the Data Handling Controller has the authorization for the handling of the Holder´s Personal Data.

14. GENERAL ACTIONS FOR THE PROTECTION OF PERSONAL DATA

The following are general guidelines applied by CONFECCIONES E INVERSIONES PEPA S.A, in compliance with its obligation to observe the principles for the administration of Personal Data.

These guidelines are complementary to the policies, procedures or general instructions currently existing and implemented, among which are the data and information management policies and the data and information management procedures; and they are in no way intended to replace or override them.

14.1. HANDLING OF DATA 

In the course of their duties, all Company employees will assume their responsibilities and obligations in the proper handling of Personal Data, from  collection, storage, use, and circulation through to final disposal.

14.2. USE OF DATA

The Personal Data contained in the databases must be used and handled in accordance with the purposes described in the appropriate section of this Policy.

For all purposes, the following assumptions must be taken into consideration:

14.2.1. In the event that an Area other than that which initially collected the Personal Data needs to use those Data, it may do so provided that the use is foreseeable in terms of the type of services offered by the Company, and for a purpose contemplated by this Personal Data Handling Policy.

14.2.2. Each Area must ensure that no confidential information or personal data are disclosed in physical document recycling practices. Therefore, resumes, academic titles, academic or employment certifications, medical examination results or any document containing information that allows an individual  person to be identified, may not be recycled.

14.2.3. In the event that a Data Handling Administrator has provided personal data or databases to any Area for a specific purpose, the Area that requested the Personal Data may not use those Personal Data for a purpose other than that specified in the Personal Data Handling Policy; at the end of the activity, the Area that requested the information is responsible for eliminating the database or the Personal Data used, avoiding the risk that information may be outdated information or cases in which a Holder has filed a claim during the time the Data were used.

14.2.4. Employees may not make decisions that have a significant impact on Personal Data, or that have legal implications, based exclusively on the information provided by the information system; they must therefore validate the information through other physical or digital instruments. manually, and, if necessary, directly by the Data Holder, where necessary.

14.2.5. Only authorized employees and contractors may enter, change or cancel the data contained in the databases or documents subject to protection. User access permissions are granted by the Company Management.

14.2.6. Any use of the Data other that those laid down here must be consulted and authorized in advance by the Company Manager.

 14.3.. DATA STORAGE

The storage of digital and physical Data is effected in media or environments that have adequate controls for data protection. This involves physical and computer security, technological and environmental controls in restricted areas, in its own facilities and/or computer centers or document centers managed by third parties.

14.3. DESTRUCTION

The destruction of physical and electronic media is effected through mechanisms that do not allow reconstruction. It is effected only in cases where no provision of law being disregarded, and always leaving a record for traceability purposes.

Destruction includes information contained in the possession of third parties as well as in Company facilities.

15. VIDEO SURVEILLANCE

The Company has video surveillance cameras to  implement physical security policies, complying with the parameters established in the Guide for the Protection of Personal Data in Video Surveillance Systems, issued by the Superintendency of Industry and Trade as the relevant authority.

The images must be kept for a maximum of 30 days. If images are the object of or support for a claim, complaint, or any judicial process, they must be held  until the moment it is resolved.

16. EMPLOYEE AND CONTRACTOR TRAINING

CONFECCIONES E INVERSIONES PEPA S.A., will develop annual training and awareness programs on personal data protection and information security. The Company has informed its staff, shareholders and other collaborators and contractors of these policies by videoconference and has sent the related documentation by email. The Company  trains its officers and contractors in the administration of Personal Data at least once a year, in order to measure their knowledge of the subject.

New employees and contractors, at the time of joining the Company, must receive training on Personal Data protection and information security; their attendance and  knowledge arew placed on record.

In the training and awareness programs, it must be ensured that employees, contractors and third parties are aware of their responsibilities regarding Personal Data protection and information security.

The training programs will be regularly updated.

Human Talent Management will work with  Company management to define the training and evaluation plans for the staff concerned, as and when regulatory changes are introduced.

17. REVIEW PROCESSES AND CONTROL AUDITS

The Company will conduct reviews or audits regarding Personal Data protection, verifying directly or through outside contractors that the policies and procedures have been properly implemented in the Company.

Based on the results obtained, plans for prevention, correction and improvement will then be designed and implemented.

18. PERIOD OF VALIDITY OF THE DATABASES

The Databases of CONFECCIONES E INVERSIONES PEPA SA, will have be valid for the time and purpose for which  handling is authorized and the special regulations allow, in  addition to the regulations that establish the exercise of legal functions assigned to the Company.

19. NATIONAL DATABASE REGISTER

Article 25 of Law 1581 and its Regulatory Decrees require CONFECCIONES E INVERSIONES PEPA SA, to register its databases together with this Personal Data Handling Policy, in the National Register of Databases administered by the Superintendency of Industry and Trade, in accordance with established procedure.

20. VALIDITY, VERSIONS AND UPDATING OF THE POLICY

This Personal Data Handling Policy takes effect from the date of its signature and complements the associated policies, with indefinite validity.

 Any substantial change in the Personal Data Handling Policy will be promptly communicated to Data Holders through the usual means of contact and/or through the website: https://www.pepapombo.com

Changes will be communicated to Holders who do not have access to electronic media or who cannot be contacted, through notices posted at the Company's head office.

21. RELATED DOCUMENTS

The following annexes are part of this Policy:

1. Authorization for the collection and handling of Personal Data

2. Document Management Instructions

3. Correspondence procedure and paperwork system.

4. Form for the  creation, amendment  or deletion of users in databases

5. Procedure for the secure deletion of Data

6. Instructions for customer service

7. Procedure for handling requests, inquiries, complaints, claims, suggestions and congratulations

 

JOSE RICARDO POMBO CASABIANCA 

Legal Representative

Confecciones e Inversiones Pepa S.A. 

 

March 2022