Personal Data Processing Policies
POLICY FOR THE PROCESSING AND PROTECTION OF PERSONAL DATA OF
PARCHITA PACIFLORA SAS
This policy is adopted by PARCHITA PACIFLORA SAS (hereinafter "PARCHITA"), identified with NIT 900.188.051-8 and with its main address in the municipality of Medellín, in order to comply with Law 1581 of 2012, Decree 1377 of 2013, and other amending and complementary regulations.
PARCHITA reserves the right to make changes to this personal data processing and protection policy. If any changes are made to this policy, PARCHITA will publish the new terms on its website, indicating the effective date of the new regulations. If such changes result in a change to the purpose for which the information is collected, USERS will be asked for new authorization.
1. LEGAL BASIS AND SCOPE OF APPLICATION.
The personal data processing policy is developed in compliance with Articles 15 and 20 of the Political Constitution; Articles 17, letter k) and 18, letter f) of Statutory Law 1581 of 2012, which establishes general provisions for the Protection of Personal Data; Article 2.2.2.25.1.1, Section 1, Chapter 25 of Decree 1074 of 2015, which partially regulates Law 1581 of 2012 (Article 13 of Decree 1377 of 2013).
This policy will apply to all personal data recorded in databases that are processed by the data controller.
1.1. Scope
This document will apply to all personal data or any other type of information that is used or stored in the databases and files of the commercial company PARCHITA PACIFLORA SAS, identified with NIT 900.245.841-4 (hereinafter "PARCHITA"), domiciled in the municipality of Medellín - Antioquia, respecting the criteria for obtaining, collecting, using, treating, processing, exchanging, transferring and transmitting personal data, and establishing the responsibilities of PARCHITA and its employees, collaborators and contractors in the management and processing of personal data stored in its databases and files.
PARCHITA is a Colombian fashion brand founded in 2008 in Medellín. Since its inception, the company has been dedicated to creating unique bags, purses, and accessories, combining design, color, and artisanal processes to offer pieces that reflect the essence of those who wear them.
The brand is distinguished by its commitment to sustainability and local production. It uses durable and environmentally friendly materials, such as PVC and canvas, to create high-quality products. Each piece is the result of an expert manual process, ensuring the authenticity and perfection of its designs.
With over 16 years in the market, Parchita has managed to expand both nationally and internationally. It has physical stores in Medellín, Bogotá, and Cali, and has established a presence in countries such as Ecuador, Guatemala, Costa Rica, Panama, and Bolivia. Additionally, its online store allows customers from all over the world to access its products.
Parchita's philosophy focuses on "coloring lives" through fashion, offering products that not only complement its customers' style but also tell stories and convey emotions. This approach has made the brand a benchmark in Colombian fashion, distinguished by its innovation, quality, and social responsibility.
In accordance with the above and by virtue of the principle of demonstrated responsibility, which emphasizes the role of the Data Controller as the one called to implement measures within the organization that allow it to demonstrate compliance with current regulations.
1.2. Applicable Standards
● Political Constitution of Colombia.
● Law 1581 of 2012.
● Judgment C-748 of 2011
● Decree 1074 of 2015.
● Decree 1377 of 2013
● Decree 886 of 2014.
● Circular 01 of November 8, 2016.
● Guide for the implementation of the Accountability Principle of the Superintendency of Industry and Commerce.
● Decree 255 of 2022
2. DEFINITIONS
The following definitions are established in Article 3 of Law 1581 of 2012 and Article 2.2.2.25.1.3, Section 1, Chapter 25 of Decree 1074 of 2015 (Article 3 of Decree 1377 of 2013).
2.1. Authorization
Prior, express, and informed consent granted by the Data Subject to allow the Data Controller and/or Data Processor to collect, store, use, distribute, or delete their personal data. Authorization may be granted by any means that allows for subsequent review, including written or oral means, or through unequivocal conduct by the Data Subject that reasonably allows us to conclude that their consent has been granted. Under no circumstances may silence be equated with unequivocal conduct.
2.2. Database
An organized set of personal data that is subject to processing, regardless of the method of its formation, storage, organization, and access, whether in physical, electronic, or digital media.
2.3. Personal Data
Any information linked to or that can be associated with one or more individualized or individualizable natural persons, such as but not limited to: i) Full name; ii) Identification type and number; iii) Address (Department, city, neighborhood, zone, stratum); iv) Telephone; v) Date of birth; vi) Sex; vii) Marital status; viii) Place of birth; ix) Occupation; x) Email; xi) Activity; xii) Data of the person responsible when it is a minor (identification number, relationship and address); xiii) Data of companion (telephone and address); xiv) Contact in case of emergency; xv) Image.
2.4. Public Data
This is data that is not semi-private, private, or sensitive. Public data includes, among others, data relating to a person's marital status, their profession or occupation, and their status as a merchant or public servant. By its nature, public data may be contained in, among other things, public registries, public documents, official gazettes and bulletins, and duly enforceable court rulings that are not subject to confidentiality.
2.5. Semi-private data
It is that which is not of an intimate, reserved, or public nature and whose knowledge or disclosure may be of interest not only to its owner but to a certain sector or group of people or to society in general, such as: Databases containing financial, credit, commercial, service information and that from third countries.
2.6. Private Data
This personal data, due to its intimate or confidential nature, is of interest only to its owner, and its processing requires prior, informed, and express authorization. This includes databases containing data such as personal telephone numbers and email addresses; employment data; data on administrative or criminal offenses, managed by tax authorities, financial institutions, and management entities and common services of Social Security; databases on financial solvency or credit; databases with sufficient information to assess the identity of the owner; databases of the managers of operators that provide electronic communication services.
2.7. Sensitive Data
Sensitive data is understood to be that which affects the privacy of the Data Subject or whose improper use may lead to discrimination, such as data that reveals racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in trade unions, social organizations, human rights organizations, or that promotes the interests of any political party or that guarantees the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.
2.8. Data Processor
A natural or legal person, public or private, who, either alone or in association with others, processes personal data on behalf of the data controller.
2.9. Data Controller
A natural or legal person, public or private, who, either alone or in association with others, decides on the database and/or the processing of data.
2.10. Responsible for Managing Databases
Collaborator responsible for monitoring and coordinating the proper application of data processing policies once stored in a specific database, as well as implementing the guidelines issued by the data controller and the Data Protection Officer.
2.11. Data Protection Officer
This is the natural person within PARCHITA PACIFLORA SAS who assumes the function of coordinating the implementation of the legal framework for the protection of personal data, who will process the requests of the Owners for the exercise of the rights referred to in Law 1581 of 2012.
2.12. Holder
Natural person whose personal data is subject to processing.
2.13. Processing
Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.
2.14. Privacy Notice
Verbal or written communication generated by the controller, addressed to the Data Subject for the processing of their personal data, through which they are informed of the existence of the information processing policies that will be applicable to them, how to access them, and the purposes of the processing intended to be given to the personal data.
2.15. Transfer
Data transfer occurs when the controller and/or processor of personal data, located in Colombia, sends the information or personal data to a recipient, who is also the controller of the data and is located within or outside the country.
2.16. Transmission
Processing of personal data that involves communicating the data within or outside the territory of the Republic of Colombia when the purpose is to carry out a specific processing task carried out by the data processor on behalf of the controller.
3. PRINCIPLES OF DATA PROTECTION
Article 4 of Law 1581 of 2012 establishes principles for the processing of personal data that must be applied harmoniously and comprehensively in the development, interpretation, and application of the Law. The legal principles of data protection are as follows:
3.1. Principle of Legality
Data processing is a regulated activity that must comply with the provisions of Law 1581 of 2012, Decree 1377 of 2013 compiled in Chapter 25 of Decree 1074 of 2015, and other provisions that develop it.
3.2. Principle of Purpose
The processing must be for a legitimate purpose in accordance with the Constitution and the Law, which must be communicated to the Data Subject.
3.3. Principle of Liberty
Data processing may only be carried out with the prior, express, and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial order providing consent. Data processing requires the prior and informed authorization of the Data Subject by any means that allows for subsequent access.
3.4. Principle of truthfulness or quality
The information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. The processing of partial, incomplete, fragmented, or misleading data is prohibited.
3.5. Principle of Transparency
During processing, the Data Subject's right to obtain from the Data Controller or the Data Processor, at any time and without restriction, information about the existence of data concerning him or her must be guaranteed. When requesting authorization from the Data Subject, the Data Controller must clearly and expressly inform him or her of the following, retaining proof of compliance with this obligation:
● The processing to which your data will be subjected and its purpose.
● The Data Subject's response to questions regarding sensitive data or data relating to children or adolescents is optional.
● The rights that you have as the Owner.
● The identification, physical address, email address and telephone number of the data controller.
3.6. Principle of Restricted Access and Circulation
Processing is subject to the limits derived from the nature of the personal data, the provisions of Law 1581 of 2012, and the Constitution. In this regard, processing may only be carried out by persons authorized by the Data Subject and/or by the persons provided for in the Law. Personal data, except for public information, may not be made available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to Data Subjects or third parties authorized in accordance with the Law.
3.7. Security Principle
The information processed by the Data Controller or Data Processor must be handled with the necessary technical, human, and administrative measures to ensure the security of the records, preventing their alteration, loss, or unauthorized or fraudulent consultation, use, or access. The Data Controller is responsible for implementing the corresponding security measures and for informing all personnel with direct or indirect access to the data. Users who access the Data Controller's information systems must be aware of and comply with the security rules and measures corresponding to their duties. These rules and security measures are included in the Internal Security Policies Annex, which are mandatory for all users and company personnel. Any modification to the rules and measures regarding personal data security by the Data Controller must be made known to users.
3.8. Principle of confidentiality
All persons involved in the processing of personal data that are not public in nature are required to guarantee the confidentiality of the information, even after their relationship with any of the tasks involved in the processing has ended. They may only provide or communicate personal data when this corresponds to the development of the activities authorized by Law 1581 of 2012 and under the terms thereof.
4. AUTHORIZATION OF THE DATA PROCESSING POLICY
Pursuant to Article 9 of Law 1581 of 2012, the processing of personal data requires the prior and informed authorization of the Data Subject. By accepting this policy, any Data Subject who provides information related to their personal data consents to the processing of their data by PARCHITA under the terms and conditions set forth herein.
The authorization of the Holder will not be necessary when it concerns:
● Information required by a public or administrative entity in the exercise of its legal functions or by court order.
● Data of a public nature.
● Cases of medical or health emergencies.
● Processing of information authorized by law for historical, statistical or scientific purposes.
● Data related to the Civil Registry of persons.
5. DATA CONTROLLER
The person responsible for processing the databases covered by this policy is PARCHITA PACIFLORA SAS, identified by NIT 900.245.841-4, whose contact details are as follows:
● Address: 9 C South Street No. 50 FF-71, Medellín Antioquia.
● Email: info@parchita.com.co
6. DATA PROTECTION OFFICER
The Data Protection Officer of PARCHITA will be JUAN JOSÉ GOMEZ OSORIO identified with an ID card - Legal Leader, who will have the following functions:
● Promote the development and implementation of a system that allows for the management of risks associated with the processing of personal data.
● Coordinate the definition and implementation of controls for the Comprehensive Personal Data Management Program.
● Serve as a liaison and coordinator with other PARCHITA areas to ensure a cross-functional implementation of the Comprehensive Personal Data Management Program.
● Promote a culture of data protection at PARCHITA.
● Maintain an inventory of the personal databases held by PARCHITA and classify them according to their type.
● Register the organization's databases with the RNBD and update the report of the instructions issued on this matter by the Superintendency of Industry and Commerce.
● Obtain declarations of conformity from the Superintendency of Industry and Commerce when required.
● Review the contents of international data transmission contracts signed with Data Processors not residing in Colombia.
● Analyze the responsibilities of each PARCHITA position to design a data protection training program tailored to each of them.
● Conduct general data protection training for all PARCHITA employees.
● Provide the necessary training to new employees who, due to their employment conditions, have access to personal data generated by the organization.
● Integrate data protection policies into the activities of other areas of the organization (Administrative, Commercial, and Production Management).
● Measure participation and evaluate performance in data protection training.
● Require that employee performance reviews include successful completion of Personal Data training.
● Ensure the implementation of internal audit plans to verify compliance with its personal data processing policies.
● Accompany and assist the organization in handling visits and the requests made by the Superintendency of Industry and Commerce.
● Monitor the Comprehensive Personal Data Management Program.
● Report semiannually to the company's legal representative on the evolution of the risk, the controls implemented, the monitoring, and, in general, the progress and results of the program.
7. RIGHTS OF THE HOLDERS
Pursuant to Article 8 of Law 1581 of 2012, Article 2.2.2.25.4.1, Section 4, Chapter 25 of Decree 1074 of 2015 (Articles 21 and 22 of Decree 1377 of 2013), data subjects may exercise several rights regarding the processing of their personal data. These rights may be exercised by the following persons:
- By the Holder, who must sufficiently prove his identity by the different means made available to him by the person responsible.
- By their successors in title, who must prove such status.
- By the representative and/or agent of the Owner, upon prior accreditation of the representation or power of attorney.
- By stipulation in favor of another and for another.
- The rights of children and adolescents shall be exercised by those empowered to represent them.
The rights of the Holder are the following:
7.1. Right of access or consultation
This is the Data Subject's right to be informed by the data controller, upon request, regarding the origin, use, and purpose of their personal data.
7.2. Rights to complaints and claims
The Law distinguishes four types of claims:
● Correction request: This is the Data Subject's right to have any data that is partial, inaccurate, incomplete, fragmented, misleading, or whose processing is expressly prohibited or unauthorized updated, corrected, or modified.
● Deletion request: This is the Data Subject's right to have data that is inadequate, excessive, or does not respect constitutional and legal principles, rights, and guarantees deleted.
● Revocation request: This is the Data Subject's right to revoke the authorization previously granted for the processing of their personal data. This will be appropriate when it has been determined that the Controller or Processor has engaged in conduct contrary to the constitution or the law in the processing.
● Infringement claim: This is the Data Subject's right to request that non-compliance with Data Protection regulations be remedied.
7.3. Right to request proof of the authorization granted to the data controller
This right applies except where authorization is expressly exempted as a requirement for processing, in accordance with the provisions of Article 10 of Law 1581 of 2012 and Article 4 of this policy.
7.4. Right to file complaints for violations with the Superintendency of Industry and Commerce
The Data Subject or legal successor may only submit a request (complaint) to the SIC – Superintendency of Industry and Commerce once the consultation or claim process has been completed with the data controller or data processor.
8. RIGHTS AND DUTIES OF THE DATA CONTROLLERS:
RIGHTS
● Use and retain the information while the authorization granted by the owner is valid.
● Process inquiries, complaints, and claims within the legal timeframes, which will begin upon receipt of the request.
● Prepare and maintain the database containing the personal information covered by this policy.
● Use the information for authorized purposes.
DUTIES
PARCHITA will always keep in mind that personal data belongs to the individuals to whom it refers and that only they have the right to make decisions regarding it. In this regard, it will use it only for the purposes for which it is duly authorized and in compliance with Law 1581 of 2012, Decree 1377 of 2013, and other applicable regulations on the protection of Personal Data. In accordance with the provisions of Article 17 of Law 1581 of 2012 and Articles 21 and 22 of Decree 1377 of 2013, PARCHITA undertakes to permanently comply with the following duties in relation to the processing of personal data:
● Guarantee the holder, at all times, the full and effective exercise of the right to habeas data.
● Request and retain, under the conditions provided for in this law, a copy of the respective authorization granted by the owner.
● Keep information under the necessary security conditions to prevent its alteration, loss, unauthorized or fraudulent consultation, use, or access.
● Properly inform the owner about the purpose of the collection and the rights to which he or she is entitled by virtue of the Authorization granted.
● Carry out the updating, rectification, or deletion of data in a timely manner, that is, in accordance with the terms set forth in Articles 14 and 15 of Law 1581 of 2012.
● Inform the owner, upon request, about the use given to their data.
● Process inquiries and complaints submitted by the owners in accordance with the terms set forth in Articles 14 and 15 of Law 1581 of 2012.
● Refrain from circulating information that is being disputed by the owner and whose blocking has been ordered by the Superintendency of Industry and Commerce.
● Allow access to information only to people who are allowed to access it.
● Inform the Superintendency of Industry and Commerce when security code violations occur and risks arise in the management of data subjects' information.
● Designate an area to assume the function of Personal Data Protection, which will process requests from data subjects for the exercise of the rights referred to in Law 1581 of 2012 and Decree 1377 of 2013.
● Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.
● Process the information provided by the owners for the purposes set out in this regulation.
● The others established in Colombian legislation.
9. COLLECTION OF PERSONAL DATA:
PARCHITA may collect personal data from data subjects by any of the following means: written, printed, magnetic, digital, telephone, virtual, known or unknown, or through unequivocal conduct by the data subject that allows us to reasonably conclude that they have granted authorization.
Those in charge and responsible for the processing of information may not use deceptive or fraudulent means to collect and process personal data.
10. REQUEST FOR AUTHORIZATION FROM THE PERSONAL DATA HOLDER
Data requests from data subjects must be limited to personal data that is relevant and appropriate for the purposes of this policy or required under current regulations. Under no circumstances will data that violates the dignity and integrity of the individual be requested.
Before or at the time of collecting personal data, PARCHITA will request the Data Subject's authorization to process such data, expressly informing them of the purposes for which it will be used. This authorization will be obtained through automated, written, or oral means that allow for the preservation of proof of its granting, or through unequivocal conduct that allows for the reasonable conclusion that the Data Subject gave their consent, in accordance with the provisions of Article 2.2.2.25.2.2 of Decree 1074 of 2015 (Article 7 of Decree 1377 of 2013).
FORM AND MECHANISMS FOR GRANTING AUTHORIZATION. Authorization for the processing of personal data may be granted through a physical or electronic document, a data message, a website, a verbal recording, or any other mechanism that allows for the preservation of proof of its granting. Authorization may also be deemed to have been granted through unequivocal conduct by the Data Subject, which allows for the reasonable conclusion that they have consented to the processing of their data.
In all cases, PARCHITA will ensure that the Data Subject has been informed in advance of the purposes of the processing, the rights they have, and the channels available to exercise them, in accordance with the Personal Data Processing Policy and the current Privacy Notice. This is to enable the Data Subject to make informed decisions and exercise control over the use of their personal information.
11. PROCESSING OF DATA OF MINORS
In accordance with Article 7 of Law 1581 of 2012, the processing of personal data of children and adolescents is prohibited, except as provided in Article 2.2.2.25.2.9 Section 2 of Chapter 25 of Decree 1074 of 2015 (Article 12 of Decree 1377 of 2013) and in compliance with the following parameters and requirements:
- That responds to and respects the best interests of children and adolescents.
- Ensure respect for their fundamental rights.
Once the above requirements have been met, PARCHITA will request authorization from the child or adolescent's legal representative, after the minor has exercised their right to be heard. The minor's opinion will be assessed taking into account their maturity, autonomy, and ability to understand the matter. The data controller and processor involved in the processing of personal data of children and adolescents must ensure their proper use, applying the principles and obligations established in Law 1581 of 2012 and its regulatory standards.
12. PRIVACY NOTICE.
PARCHITA's privacy notice is located on the website www.parchita.com.co and will be available in all data collection formats and other cases in which it is not possible to make this information processing policy immediately available to the Owner.
13. ATTENTION TO DATA SUBJECTS
The Data Protection Officer of PARCHITA will be in charge of handling requests, queries and complaints to which the Data Owner can exercise his/her rights physically at the address: Calle 9 C Sur No. 50 FF-71, Medellín, Antioquia and/or through the email: info@parchita.com.co
14. PROCEDURE FOR EXERCISING THE RIGHTS OF THE HOLDER.
14.1. Right of access or consultation
According to Article 2.2.2.25.4.2. Section 4, Chapter 25 of Decree 1074 of 2015 (Article 21 of Decree 1377 of 2013), the Data Subject may consult his or her personal data free of charge in two cases:
- At least once every calendar month.
- Whenever there are substantial modifications to information processing policies that motivate new inquiries.
For inquiries with a frequency greater than once per calendar month, PARCHITA may only charge the Owner for shipping, reproduction, and, where applicable, certification of documents. Reproduction costs may not exceed the costs of recovering the corresponding material. To this end, PARCHITA will provide proof of such expenses to the Superintendency of Industry and Commerce, upon request.
Data subjects may exercise their right to access or consult their data by writing to PARCHITA, sending it by email to info@parchita.com.co with the subject line "Exercise of the right of access or consultation," or by post to Calle 9 C Sur No. 50 FF-71, Medellín, Antioquia. The request must contain the following information:
● Name and surname of the Holder.
● Photocopy of the Citizenship Card of the Holder and, where applicable, of the person representing him/her, as well as the document proving such representation (power of attorney, civil registry or similar).
● Petition in which the request for access or consultation is specified.
● Address for notifications, date and signature of the applicant.
● Supporting documents for the request made, where applicable.
Once the request has been received, PARCHITA will resolve the consultation request within a maximum period of ten (10) business days from the date of receipt. When it is not possible to address the query within this period, the interested party will be informed, stating the reasons for the delay and indicating the date on which their query will be addressed, which in no case may exceed five (5) business days following the expiration of the first term. These deadlines are established in Article 14 of Law 1581 of 2012.
14.2. Rights to complaints and claims
The Data Subject may exercise their right to submit complaints and claims by writing to PARCHITA, sending it by email to info@parchita.com.co, indicating "Exercise of the right to complaints and claims" in the Subject line, or by post to Calle 9 C Sur No. 50 FF-71, Medellín, Antioquia. The request must contain the following information:
● Name and surname of the Holder.
● Photocopy of the Citizenship Card of the Holder and, where applicable, of the person representing him/her, as well as the document proving such representation (power of attorney, civil registry or similar).
● Description of the facts and request specifying the request for correction, deletion, revocation or infringement.
● Address for notifications, date and signature of the applicant.
● Documents supporting the request made that you wish to assert, where applicable.
If the claim is incomplete, the interested party will be required within five (5) days of receipt to correct the deficiencies. After two (2) months from the date of the request, if the applicant does not submit the required information, the claim will be deemed to have been withdrawn.
Once the complete claim has been received, a legend stating "claim in process" and the reason for the claim will be added to the database within a period of no more than two (2) business days. This legend must remain in effect until the claim is decided.
PARCHITA will resolve the claim within a maximum period of fifteen (15) business days from the date of receipt. When it is not possible to address the claim within this period, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.
15. PROCESSING AND PURPOSES OF COLLECTING PERSONAL DATA:
PARCHITA's business activity relates to the manufacturing, marketing, distribution, import, and export of travel goods, handbags, wallets, belts, backpacks, and other similar accessories made of leather, skin, or any other material suitable for such purposes. It may also manufacture saddlery and harness-making items, as well as leather footwear with any type of sole. In the course of this activity, PARCHITA will collect, store, and use the personal data of the data subjects for the following purposes:
● For the development of the company's corporate purpose.
● Validate the data subject's identity, verify and update their information, and analyze their financial, commercial, and credit performance, as well as compliance with legal obligations.
● Establish, maintain, manage, and terminate contractual relationships, including the execution of contractual and legal obligations arising from such relationships.
● Offer, provide, and manage products or services through any channel or medium, directly or in partnership with third parties, in accordance with the owner's profile and technological advances.
● Communicate advertising campaigns, promotions, events, new products, commercial benefits, and technical, legal, and service information through physical or electronic means, including calls, text messages, social media, or messaging applications.
● Manage the collection and recovery of portfolios directly or through third parties.
● Conduct market analysis, statistical, commercial, financial, interbank, risk, and customer behavior research.
● Consult public or private databases for risk analysis, fraud prevention, money laundering, terrorist financing, and other illegal activities.
● Perform, validate, or verify transactions, including the collection of biometric data such as fingerprints, images, or voice.
● Know and monitor the status of commercial or contractual operations with the company.
● Conduct satisfaction surveys and improve procedures, products, services, and market strategies.
● Track and analyze the order history, trade references, banking records, and credit history of customers, suppliers, and distributors.
● Manage internal accounting, financial, tax, auditing, compliance, and reporting matters, including the processing of employee, contractor, manager, or agent data.
● Manage human resources processes such as selection, organizational development, performance evaluation, payroll management, social security affiliation, and maintenance of employment and occupational history.
● Establish efficient contact with the owner regarding matters related to products, services, customer service, contractual conditions, or applicable policies.
● Identify, monitor, and control the entry of people into the company's physical facilities for security and surveillance purposes.
● Carry out surveillance and security tasks within the PARCHITA facilities.
16. SECURITY MEASURES
PARCHITA, in order to comply with the security principle enshrined in article 4, letter g) of Law 1581 of 2012, has implemented the technical, human and administrative measures necessary to guarantee the security of the records, preventing their adulteration, loss, or unauthorized or fraudulent consultation, use or access. These measures are set out in the Annex to these policies.
Furthermore, by signing the corresponding transmission contracts, PARCHITA will require the data processors with whom it works to implement the security measures necessary to guarantee the security and confidentiality of the information when processing personal data.
The ____________ website does not use persistent cookies or web beacons to collect users' personal data. Only session cookies are used to facilitate safe and efficient navigation of the site, optimize access, and improve the user experience. These cookies are not stored permanently on the user's device and are automatically deleted when the browser is closed.
Users can configure their browser to allow, block, or delete installed cookies, including session cookies. They can also disable the use of technologies such as JavaScript through their browser's security options, although this may limit the proper functioning of some sections of the website.
For more information on how to manage cookies, we recommend consulting the documentation for your browser (e.g., Google Chrome, Mozilla Firefox, Microsoft Edge, Safari, etc.).
18. PROCEDURE FOR NOTIFICATION, MANAGEMENT AND RESPONSE TO INCIDENTS
PARCHITA establishes a procedure for reporting, managing, and responding to incidents to ensure the confidentiality, availability, and integrity of the information contained in the databases under its responsibility.
The procedure for reporting, managing and responding to incidents is as follows:
● When a person becomes aware of an incident (loss, theft and/or unauthorized access) that affects or may affect the confidentiality, availability and integrity of the protected information of the company or any of the Managers, they must immediately report it to the Data Protection Officer, describing in detail the type of incident that occurred, and indicating the people who may have been related to the incident, the date and time it occurred, the person who notified the incident, the person to whom it was reported and the effects it has produced.
● The Data Protection Officer creates an incident log that must contain: the type of incident (internal or external fraud, damage to physical assets, technological failures, process execution and administration), the date and time of the incident, the person reporting it, the person to whom it is reported, the effects of the incident, and the corrective measures.
● Likewise, the Data Protection Officer must implement data recovery procedures where applicable, recording who performed the process, the data restored, and, where applicable, the data that had to be recorded manually during the recovery process.
● Additionally, the Data Protection Officer must inform the Superintendency of Industry and Commerce, through the RNBD, within 15 business days of the incident having been detected.
● Finally, PARCHITA will notify the Holders of the incident when it is identified that they may be significantly affected.
19. RISK MANAGEMENT ASSOCIATED WITH DATA PROCESSING
PARCHITA has identified risks related to the processing of personal data and established controls to mitigate their causes by implementing security policies. It will therefore establish a risk management system, together with the tools, risk matrix, indicators and resources needed to administer it, whenever its organizational structure, internal processes and procedures, and the number of databases and types of personal data it processes are considered exposed to frequent or high-impact events or situations that affect the proper provision of the service or threaten the data subjects' information.
The risk management system will determine the sources, such as technology, human resources, infrastructure, and processes, that require protection, their vulnerabilities, and threats, in order to assess their level of risk. Therefore, to ensure the protection of personal data, the type or group of internal and external individuals and the different levels of access authorization will be taken into account. Likewise, the possibility of any type of event or action that could cause damage (material or immaterial) will be monitored.
20. PROVISION OF PERSONAL DATA TO THE AUTHORITIES
When a public or administrative entity, in the exercise of its legal functions or by court order, requests PARCHITA to access and/or provide Personal Data contained in any of its databases, the legality of the request will be verified, as well as the relevance of the data requested in relation to the purpose expressed by the authority, and a record of the delivery of the requested personal information will be signed, specifying the obligation to guarantee the rights of the Owner, both to the official who makes the request, to the person who receives it, as well as to the requesting entity.
21. DATA TRANSFER TO THIRD COUNTRIES
Pursuant to Title VIII of Law 1581 of 2012, the transfer of personal data to countries that do not provide adequate levels of data protection is prohibited. A country is deemed to offer an adequate level of data protection when it meets the standards set by the Superintendency of Industry and Commerce on the matter, which in no case may be lower than those required by this law for its recipients. This prohibition shall not apply in the case of:
● Information for which the Owner has given his express and unequivocal authorization for the transfer.
● Exchange of medical data when required by the Data Subject's treatment for reasons of health or public hygiene.
● Bank or stock transfers, in accordance with applicable legislation.
● Transfers agreed upon within the framework of international treaties to which the Republic of Colombia is a party, based on the principle of reciprocity.
● Transfers necessary for the execution of a contract between the Data Subject and the Data Controller, or for the execution of pre-contractual measures, provided that the Data Subject's authorization is obtained.
● Transfers legally required to safeguard the public interest, or for the recognition, exercise, or defense of a right in a judicial process.
It should be noted that, in cases not contemplated as an exception, it will be up to the Superintendency of Industry and Commerce to issue the declaration of compliance regarding the international transfer of personal data.
International transfers of personal data between PARCHITA and a data processor to enable the processor to process the data on behalf of the controller do not require the data subject's notification or consent, provided that a personal data transfer agreement exists.
22. PROCESSING OF BIOMETRIC DATA - SENSITIVE
When processing biometric or sensitive data stored in databases, this data will be collected and processed strictly for security reasons, to verify personal identity and control access to employees, clients, and visitors, or, in general, to comply with contractual obligations. Sensitive biometric identification mechanisms capture, process, and store information related to, among other things, a person's physical characteristics (fingerprints, voice recognition, and facial features) in order to establish or authenticate each subject's identity.
Biometric database management is implemented with technical security measures that guarantee compliance with the principles and obligations derived from the Statutory Law on Data Protection, while also ensuring the confidentiality and privacy of data subjects' information.
When requesting the processing of sensitive personal data, the data subject will be informed of the optional nature of such authorization.
23. NATIONAL DATABASE REGISTRY - RNBD
The National Database Registry (RNBD) is the public directory of databases subject to processing that operate in the country. It is administered by the Superintendency of Industry and Commerce and is freely accessible to citizens.
Considering that PARCHITA acquired the obligation to register its databases because its total assets equal or exceed 100 thousand tax value units (UVT), from the year 2023 onwards it must carry out the following activities in the RNBD:
● By March 31 of each year, it must complete the annual update of the RNBD, including any changes to the information recorded therein.
● No later than the first 15 business days of February and August of each year, the report of claims filed by personal data holders in the previous six months must be submitted.
● When a new database is created, it must be registered within two months of its creation.
● When substantial changes are made to the information reported to the RNBD, it must be updated within the first 10 business days of each month.
24. INFORMATION AND PERSONAL DATA SECURITY
Compliance with the regulatory framework for Personal Data Protection, as well as the security, confidentiality, and/or privacy of the information stored in its databases, is of vital importance to PARCHITA. Therefore, we have established information security guidelines, procedures, and standards, which may change at any time to adapt to new regulations and PARCHITA's needs. The objective is to protect and preserve the integrity, confidentiality, and availability of information and personal data.
We also guarantee that in the collection, storage, use and/or processing, destruction or elimination of the information provided, we rely on technological security tools and implement security practices that include: transmission and storage of sensitive information through secure mechanisms, use of secure protocols, securing technological components, restricting access to information to authorized personnel only, data backup, secure software development practices, among others.
If it is necessary to provide information to a third party due to a contractual relationship, we enter into a transfer agreement to guarantee the confidentiality and privacy of the information, as well as compliance with this Data Processing Policy, the information security policies and manuals, and the data subject service protocols established by PARCHITA. In any case, we undertake commitments to the protection, care, security, and preservation of the confidentiality, integrity, and privacy of the stored data.
25. DOCUMENT MANAGEMENT
Documents containing personal data must be easily retrievable, which is why the location of each document, both physical and digital, must be documented. These storage routes must be inspected frequently. Their preservation must be guaranteed by defining the medium on which they are stored and under what conditions this preservation will be carried out, taking into account environmental conditions, storage locations, risks to which they are exposed, among others. The retention time for documents is determined based on legal requirements as follows:
● Commercial documents will be kept for a period of ten (10) years from the date of the last entry, document or receipt.
● Employment and occupational health and safety documents will be kept for as long as the PARCHITA company exists.
● Documentation relating to a data subject that is not used for commercial or work-related purposes will be retained for as long as the company deems appropriate; however, its processing will be subject to the purpose authorized by the data subject.
Likewise, the final disposition of the same must be clear, identifying whether it is recycled, reused, preserved, digitized, among others.
To ensure they are easily traceable, documents must be coded and updated and modified by the responsible personnel. This modification will be carried out whenever necessary. Document deletion requires justification, as described in the history, which is located at the bottom of all documents.
The data controller will distribute documents containing personal data. The controller will document evidence of such distribution, specifying, among other things, the type of document and the identification of the person to whom the information was provided.
A person responsible for ensuring the confidentiality of the data subjects' personal data must be designated. This person will safeguard the documents, guarantee their physical and digital protection, prevent alterations to the information, and ensure that documents leaving their custody are identified and easily traceable.
26. VALIDITY
The databases under PARCHITA's control will be processed for as long as is reasonable and necessary for the purpose for which the data were collected. Once the purpose(s) of the processing have been fulfilled, and without prejudice to any legal provisions that provide otherwise, PARCHITA will delete the personal data in its possession unless there is a legal or contractual obligation requiring its retention.
These policies are mandatory upon approval by PARCHITA's General Management, and company procedures must be adjusted to ensure compliance. Failure to comply will result in penalties and consequences under the employment contract and Internal Work Regulations.
PARCHITA's data protection policy has been in effect since its initial publication.
EXHIBIT
Internal Security Policies
PARCHITA, within the framework of compliance with Law 1581 of 2012, has decided to implement the following controls in order to guarantee the security of the information and reduce the risk of tampering, loss, or unauthorized or fraudulent consultation, use or access.
1. Commitment of Senior Management
PARCHITA's General Management, aware of the importance of information security in carrying out its competitive strategy and meeting the objectives of its stakeholders, is committed to:
● Train employees in their roles and responsibilities in the area of information security.
● Promote information security roles and responsibilities within the organization.
● Provide adequate resources to achieve information security objectives.
● Promote the dissemination and awareness of the Information Security Policy among PARCHITA employees.
● Demand compliance with the Policy and current legislation in the field of information security.
● Consider information security risks when making decisions.
2. Training and awareness
PARCHITA must ensure that all personnel receive adequate security training and awareness at least once a year, especially regarding personal data protection, confidentiality, and the prevention of information leaks. Employees must also be informed of updates to security policies and procedures that affect them and of existing threats, so that compliance with this Policy can be guaranteed. Employees are also required to exercise diligence, care, and confidentiality with respect to information, ensuring that such information does not fall into the hands of unauthorized employees or third parties.
3. Clean desk policy
In order to protect information in the workspace, the following guidelines are established:
● Lock your computer session when you leave your workstation, either manually or by using automatic locking.
● At the end of the workday, the workstation must be cleared of visible documents or materials containing sensitive information.
● Physical documents classified as confidential must be kept under lock and key.
● Avoid leaving printed documents, USB drives, disks, or other data-based devices on desks or in common areas.
● Photographing or sharing sensitive information contained in physical documents or computer screens is prohibited.
4. Strong passwords
All access to systems, platforms, and devices must be protected by strong passwords that meet the following requirements:
● Minimum 8 characters.
● Include uppercase and lowercase letters, numbers, and at least one special character.
● Do not contain spaces.
● Avoid using personal data such as names, dates of birth, or obvious sequences.
Passwords must be updated at least every four (4) months and must not be shared or publicly exposed under any circumstances.
5. Preventing information leaks
Information leaks are considered to be situations, whether intentional or accidental, in which personal data or sensitive information is disclosed to unauthorized persons. To prevent these situations, PARCHITA will implement the following measures:
● Identification of critical information assets and their risk levels.
● Periodic analysis of potential leak vectors (email, USBs, mobile devices, printouts, Internet, social networks, among others).
● Implementation of controls to restrict the use of removable devices.
● Policies for the appropriate use of email and instant messaging.
● Ban on using public Wi-Fi networks to access corporate information without a VPN.
● Restriction of oral transmission of sensitive information in public or unsafe places.
In addition, procedures will be established for responding to a security incident, including notification protocols, forensic analysis, and impact mitigation.
6. Goods, equipment and mail owned by the company
All electronic devices, email accounts, applications, digital platforms and other tools provided by the company to its employees are the exclusive property of PARCHITA and must be used solely for the development of work activities.
● Personal use of these resources must be restricted and in accordance with internal policies.
● The company may conduct audits or technical reviews of the equipment, emails, and software used by employees at any time to verify their proper use and prevent security incidents.
● The installation of unauthorized software on corporate computers is prohibited.
● Any improper or unauthorized use may result in disciplinary action.
7. Security measures
Within the framework of the implementation of the personal data protection system, the following security measures will be established according to the type of data and databases.
Table I: Common security measures for all types of data (public, semi-private, private and sensitive) and automated and non-automated databases

| Document and media management | Access control | Incidents | Staff |
|---|---|---|---|
| 1. Measures to prevent unauthorized access to or recovery of data that has been discarded, deleted, or destroyed | 1. User access limited to the data necessary for the performance of their functions. | 1. Incident log: type of incident, time of occurrence, notification issuer, notification recipient, effects and corrective measures. | 1. Definition of the functions and obligations of users (staff) with access to the data |
| 2. Restricted access to the location where the data is stored | 2. Updated list of authorized users and accesses. | 2. Procedure for reporting and managing incidents. | 2. Definition of control and authorization functions |
| 3. Authorization of the person responsible for the release of documents or media by physical or electronic means. | 3. Mechanisms to prevent access to data for uses other than those authorized. | | 3. Dissemination among staff of the rules and the consequences of non-compliance with them |
| 4. Labeling or identification system of the type of information. | 4. Granting, modification or cancellation of permits by authorized personnel. | | |
| 5. Inventory of documentation and supports. | | | |
Table II: Common security measures for all types of data (public, semi-private, private and sensitive) according to the type of database.

| Non-automated (manual) databases: Filing and storage | Non-automated (manual) databases: Custody of documents | Automated databases (software): Identification and authentication | Automated databases (software): Telecommunications |
|---|---|---|---|
| Documentation archiving following procedures that guarantee proper preservation, location, and consultation, and that allow the exercise of the rights of the Owners. Storage devices with mechanisms that prevent access by unauthorized persons. | Duty of diligence and custody of the person in charge of documents during their review or processing | Personalized user identification for accessing information systems and verification of their authorization. Identification and authentication mechanisms. Passwords: assignment, expiration (every 4 months) | Access to data through secure networks |
Table III: Security measures for private data according to the type of databases

| Automated and/or non-automated databases: Audit | Automated and/or non-automated databases: Security Officer | Automated and/or non-automated databases: Internal security manual | Automated databases: Document and media management | Automated databases: Access control | Automated databases: Identification and authentication | Automated databases: Incidents |
|---|---|---|---|---|---|---|
| 1. Ordinary audit (internal or external) every six months | 1. Designation of one or more persons responsible for managing the databases. | 1. Periodic compliance controls. | 1. Record of incoming and outgoing documents and media: date, sender and receiver, number, type of information, method of delivery, person responsible for reception or delivery. | 1. Access control to the place or places where the information systems are located. | 1. Mechanism that limits the number of repeated attempts at unauthorized access. | 1. Record of data recovery procedures, person who performs them, restored data and manually recorded data |
| 2. Extraordinary audit due to substantial modifications in information systems. | 2. Prohibition of delegation of responsibility from the Data Controller to those responsible for managing the databases. | | | | | Authorization from the Data Protection Officer for the execution of recovery procedures. |
| 2. Report on the detection of deficiencies and proposal for corrections. | | | | | | |
| 3. Analysis and conclusions of the security officer and the data controller. | | | | | | |
Table III: Security measures for private data according to the type of databases

| Non-automated databases: Access control | Non-automated databases: Document storage | Non-automated databases: Copy or reproduction | Non-automated databases: Transfer of documentation | Automated databases: Document and media management | Automated databases: Access control | Automated databases: Telecommunications |
|---|---|---|---|---|---|---|
| 1. Access for authorized personnel only. | 1. Filing cabinets, cupboards or other cabinets located in access areas protected with keys or other measures | 1. Only for authorized users. | 1. Measures to prevent access or manipulation of documents. | 1. Definition of user profiles according to their function | 1. Access log: user, time, database accessed, type of access and record accessed | 1. Data transmission through encrypted electronic networks. |
| 2. Log of access by unauthorized users. | | | | 2. Data encryption. | 2. Monthly control of the access log by the person responsible for managing the databases. | |
| | | | | 3. Encrypt portable devices when they are away. | | |
8. Compliance and measurement
This policy will be mandatory for all PARCHITA employees, contractors, and third parties with access to company information. Failure to comply with this policy will be evaluated in accordance with the internal work regulations and may result in contractual or legal consequences.
PARCHITA reserves the right to review and update this policy in response to regulatory, technological, or strategic changes that may affect information security.
Modifications made

| Version to modify | Modification that is made to it | Reviewed | Approved | Date |
|---|---|---|---|---|
| 0 | The document was created | | | March 6, 2024 |
| 1 | General modification to the policy. | | | June 3, 2025 |