PERSONAL DATA PROCESSING POLICIES
I. DATA CONTROLLER IDENTIFICATION
COMPANY NAME AND IDENTIFICATION: PRAGMA S. A., hereinafter referred to as THE COMPANY, a business corporation identified by Taxpayer ID (NIT) 811,004,057-1 and incorporated by public deed on February 19, 1996, registered with the Chamber of Commerce on February 21, 1996.
DOMICILE AND ADDRESS: THE COMPANY is domiciled in Medellín and its registered office is at Edificio Milla de Oro, Avenida El Poblado, Carrera 42 Nº 3 Sur 81 Torre 1 Piso 15.
PHONE: +57 323 563 9223
II. DATA PROCESSING PRINCIPLES
In any personal data processing carried out by THE COMPANY, the principles contained in the Colombian General System for Personal Data Protection will apply, especially the following:
1.1. Principle of legality: For the personal data processing carried out by THE COMPANY, the rules of the Colombian legal system regarding the General System for Personal Data Processing and those contained in this policy will apply.
1.2. Principle of purpose: The personal data processing carried out by THE COMPANY fulfills the purposes established in this policy, which are in harmony with the Colombian legal system. Where not provided for in this policy, higher rules that regulate, add, modify, or repeal it will apply.
1.3 Principle of freedom: The personal data processing carried out by THE COMPANY is in accordance with the prior express authorization of the personal data subject.
1.4. Principle of truthfulness or quality: The information subject to processing by THE COMPANY will be truthful, complete, updated, verifiable, and understandable.
1.5. Principle of transparency: THE COMPANY guarantees that the personal data subject can obtain information about their data at any time without restrictions, according to the procedures described in this policy.
1.6. Principle of restricted access and circulation: THE COMPANY guarantees that the personal data given to the databases it controls is processed by persons authorized by the subject and/or other persons permitted by law.
1.7. Principle of security: THE COMPANY will implement all the technical, human, and administrative measures necessary to protect the personal data processed in its databases, preventing unauthorized or unwanted use, adulteration, loss, or query.
1.8. Principle of confidentiality: The personal data in THE COMPANY's databases will be processed with strict confidentiality and reserve, according to the purposes described in this policy.
To expand these principles, check Law 1581/2012, Decree 1377/2013 and other regulatory provisions, as amended, clarified, supplemented, or repealed.
II. PROCESSING TO WHICH DATA WILL BE SUBMITTED AND PURPOSE
The personal data of the person with whom THE COMPANY has established or will establish a relationship, permanent or occasional, will be processed within the applicable legal framework. In any case, personal data may be collected and processed in the following cases:
a. To fulfill THE COMPANY’s corporate purpose in accordance with its legal bylaws.
b. To comply with the applicable tax and commercial regulations.
c. To send invitations to academic events and informative content. To send invitations to participate in Academia Pragma events and activities.
e. To comply with the provisions of the Colombian legal system regarding labor, social and other matters applicable to former, current, and potential employees.
f. To conduct surveys related to THE COMPANY’s services or goods.
g. To send commercial information of THE COMPANY.
h. To develop programs in accordance with its bylaws.
i. To fulfill all its contractual commitments.
III. RIGHTS OF THE DATA SUBJECT
As provided in current applicable data protection regulations, the personal data subject has the right to:
a. Access, know, update, and rectify their personal data with the COMPANY in its capacity as data controller. This right may be exercised, among others, on partial, inaccurate, incomplete, fractioned, misleading data, or data whose processing is expressly prohibited or unauthorized.
c. Be informed by THE COMPANY, upon request, of the use made of their personal data.
d. File complaints with the Superintendence of Industry and Trade for infractions to the provisions of Law 1581/2012, as amended, added, or supplemented, after consultation with or request to the COMPANY.
e.Revoke the authorization or request the deletion of data.
f. Freely access their personal data that has been processed, at least once every calendar month, and each time there are substantial modifications to this policy that give rise to new queries.
These rights may be exercised by:
- The data subject, who must sufficiently prove their identity by the means made available by THE COMPANY.
- The data subject’s successors, who must prove such capacity.
- The data subject’s representative or attorney-in-fact, after proving incumbency.
- Any other person stipulated by the data subject.
IV. PERSONAL DATA CONTROLLER AND PROCESSOR
THE COMPANY will control the processing of personal data. The administrative department will process personal data. Any communication on the matter must be sent at the email firstname.lastname@example.org
Transfers and Transmissions for Third-party Processing of Personal Data Supplied to THE COMPANY
The acceptance of this policy enables THE COMPANY to transmit or transfer all the data of the subject to third parties in the country or abroad, always observing the applicable legal provisions.
In turn, THE COMPANY undertakes to inform third parties of the parameters under which authorization has been granted and the provisions of this policy they must observe. The third parties may only make use of the data and/or information while the legal or contractual relationship with THE COMPANY survives, solely and exclusively for the purposes expressly defined by THE COMPANY.
V. PROCEDURE FOR INQUIRIES, CLAIMS, AND REQUESTS FOR DATA RECTIFICATION, UPDATE, AND DELETION
The data subject or their successors may query the personal information of the data subject that is on file in THE COMPANY, who will supply all the information contained in the individual record or linked to the identification of the data subject. THE COMPANY also provides a mechanism through which the data subject can file claims to update, rectify, delete their data, or permanently revoke the authorization.
In any case, regardless of the mechanism implemented for query requests, they will be answered within ten (10) business days from the date of receipt. When not answered within this term, the interested party will be informed before its expiration, stating the reasons for the delay and the date on which the query will be answered, which in no case may exceed five (5) business days from the expiration of the first term.
Queries may be made to the email email@example.com
VI. INFORMATION SECURITY MEASURES
In compliance with the principle of security set out in current regulations, THE COMPANY will adopt the technical, human, and administrative measures necessary to provide security to the records, preventing their unauthorized or fraudulent adulteration, loss, query, use, or access.
THE COMPANY is committed to correctly using and processing the personal data of its customers and users, preventing unauthorized access by third parties that seek to know, violate, modify, disclose, and/or destroy the information in the COMPANY’S databases. Thus, the COMPANY has security and access protocols for its information, storage, and processing systems, including physical security risk control measures.
Therefore, THE COMPANY must adopt measures to comply with the provisions of Laws 1581/2012, as amended or replaced. As a result of this legal obligation, among others, THE COMPANY must adopt logical, administrative, and physical security measures, according to the criticality of the personal data accessed to guarantee it will not be used, marketed, assigned, transferred and/or subjected to any other processing contrary to the purpose of this agreement. Any suspected loss, leak, or attack against the personal information in THE COMPANY’s databases will be reported immediately after THE COMPANY becomes aware of such event through the most appropriate or effective mechanisms, such as publication on the company's website or social media, direct communication to the email address or other means supplied by the affected party for such purposes, or in any other way that guarantees the data subject’s right to information. The loss, leak, or attack against personal data also involves the obligation to manage the security issue according to the applicable legal guidelines. Some of the minimum ISO 27001/27002 standards voluntarily adopted may be taken as a reference.
This policy is effective as of August 1, 2016.
Marcos Velez Botero