Instagram

Legal compliance

PERSONAL DATA PROTECTION POLICY

1. Introduction In compliance with the provisions of Statutory Law 1581 of October 17, 2012, which establishes the general provisions for the protection of personal data in Colombia, GESTIONES Y REPRESENTACIONES CHIA S.A.S. (hereinafter, “the Company”) presents this Personal Data Protection Policy. Its purpose is to regulate the handling, responsibilities, duties, and procedures that guarantee the proper use and management of personal data collected from natural persons who maintain a legal or contractual relationship with the Company.

2. Scope of Application This Policy applies to the processing of personal data carried out in Colombian territory or by data controllers/processors located abroad. It applies to employees, executives, contractors, shareholders, clients, suppliers, external consultants, and other natural persons who interact with the Company under any legal or contractual modality.

3. Definitions

  • Authorization: Prior, express, and informed consent from the data subject.

  • Data Subject: The natural person whose data is collected.

  • Database: An organized set of personal data.

  • Personal Data: Any information associated with a determined or determinable natural person.

  • Sensitive Data: Information affecting privacy or leading to discrimination.

  • Public Data: Information not classified as private or sensitive.

  • Data Processing: Operations such as collection, storage, use, circulation, or deletion of personal data.

  • Data Controller: GESTIONES Y REPRESENTACIONES CHIA S.A.S.

  • Data Processor: A person or entity that processes personal data on behalf of the controller.

  • Privacy Notice: Communication informing data subjects about the existence and content of this policy.

  • Transmission: Data processing that involves transferring data to a processor within or outside Colombia.

4. Principles All data processing will follow the following principles:

  • Legality

  • Purpose

  • Freedom

  • Truthfulness

  • Transparency

  • Restricted Access and Circulation

  • Security

  • Confidentiality

5. Authorization for Data Processing Prior to data collection, the Company or its Processors shall obtain the express authorization from the Data Subject, after informing them about:

  • The purpose of data processing.

  • The type of data collected.

  • The rights of the Data Subject.

  • Third parties who will access the data.

  • Contact information of the Company.

This authorization constitutes full proof of the Data Subject’s free and informed consent. The Company shall store this authorization and ensure the confidentiality and proper use of the data.

6. Data Processing Purposes by Data Category

  • Employees: Management of the employment relationship, social security, internal communication, payroll, internal audits, legal compliance.

  • Job Applicants: Evaluation and selection processes.

  • Contractors and Suppliers: Contract management, quality evaluation, tax and legal compliance.

  • Clients: Service provision, communication, legal compliance, anti-money laundering measures.

  • Shareholders (Natural Persons): Legal purposes related to shareholder status.

7. Rights of Data Subjects According to Law 1581 of 2012, data subjects have the right to:

  • Know, update, and correct their data.

  • Request proof of authorization.

  • Be informed of data usage.

  • Revoke consent or request data deletion.

  • File complaints with the Superintendence of Industry and Commerce.

These rights may be exercised by the data subject, their heirs, legal representatives, or by stipulation in favor of others.

8. Duties of the Data Controller/Processor

  • Guarantee the data subject’s rights.

  • Store proof of authorization.

  • Maintain information under secure conditions.

  • Respond to requests for data access, correction, or deletion.

  • Notify the Superintendence of any data security breaches.

9. Procedure for Queries and Complaints

9.1 Queries: The data subject may request information regarding their personal data by contacting:

  • Mail: Complejo Logístico El Pino, Autopista Medellín Km 2, Cota, Cundinamarca.

  • Email: habeas.data@grchia.com

  • Phone: 6683030, Option 1

Queries will be answered within 10 business days. If an extension is required, a response will be given within 5 additional business days.

9.2 Complaints: Data subjects may request correction, update, or deletion of their data. Complaints must be submitted in writing or via the aforementioned contact channels. If incomplete, the Company will request additional information within 5 days. If not completed within 2 months, the complaint will be dismissed.

Complete complaints will be labeled as “Claim in Process” within 2 days and resolved within 15 business days. If more time is needed, the extension may not exceed 8 additional business days.

Data Deletion and Consent Revocation: Requests for deletion or revocation must specify the scope of the request. Deletion may not apply if there are legal or contractual obligations requiring data retention.

10. Changes to This Policy Any substantial changes to this Policy will be communicated to the Data Subjects using the contact information provided.

Effective Date: This Policy is effective from August 12, 2013.

Other Compliance and Policy Documents

PTEE.
Código de Ética y Conducta V4
Instagram

Contact