Geospatial Information and Solutions for the Americas

Data Treatment Policy

The purpose of this manual is to comply with Statutory Law 1581 of 2012 and its Regulatory Decree 1377 of 2013, which aims to develop the constitutional right of all individuals to know, update, and rectify information collected about them in databases or archives, as well as other constitutional rights, freedoms, and guarantees referred to in Article 15 of the Political Constitution; along with the right to information enshrined in Article 20 of the same. 

Thus, SIGLA SAS states that it guarantees the rights to privacy, intimacy, and good name in the processing of personal data, and consequently, all its actions will be governed by the principles of legality, purpose, freedom, truthfulness, quality, transparency, restricted access and circulation, security, and confidentiality. 

All individuals who, in the course of various contractual, commercial, labor, or other activities—whether permanent or occasional—provide SIGLA SAS with any type of personal information or data will have the right to know, update, and rectify it. 
To this end, and in accordance with Article 18, subsection (f) of Law 1581 of 2012, SIGLA SAS adopts this internal manual of policies and procedures to ensure proper compliance with Law 1581 of 2012 and, in particular, to address inquiries and complaints from personal data holders. 

In compliance with the provisions of Statutory Law 1581 of 2012, “which establishes general provisions for the protection of personal data,” and its Regulatory Decree 1377 of 2013, SIGLA SAS presents its Personal Data Processing Policy, which will apply to all activities related to the collection, storage, use, circulation, rectification, and deletion of personal data that must be processed due to the execution of its corporate purpose. 

IDENTIFICATION OF THE PERSON IN CHARGE 

NAME OR BUSINESS NAME: Geographic Information Systems of Latin America Sigla S.A.S 
DOMICILE AND ADDRESS: KR 47 # 106 – 08 
PHONE NUMBER: 601 7293735  

Email: info@sigla-sas.com 

1. APPLICABLE LEGISLATION

This manual has been prepared considering the provisions of Article 15 of the Political Constitution, Law 1581 of 2012, “which establishes general provisions for the protection of personal data,” and Decree 1377 of 2013, “which partially regulates Law 1581 of 2012.” These policies will also be subject to any other regulations that complement or replace the aforementioned laws. 

Consequently, SIGLA SAS issues this Privacy and Personal Data Processing Policy, which applies to the personal data stored in its databases (hereinafter referred to as the “Policy”), belonging to individuals who have authorized SIGLA SAS to manage their data in accordance with corporate guidelines and this Policy. The following provisions also form part of this policy: Law 1266 of 2008, Regulatory Decrees 1727 of 2009 and 2592 of 2010, and Constitutional Court rulings C-1011 of 2008 and C-748 of 2011. 

2. SCOPE OF APPLICATION

This policy shall apply and be binding upon the following individuals: 

  • Legal representatives and/or corporate administrators. 
  • SIGLA SAS internal staff, whether executives or not, responsible for managing and processing personal databases. 
  • Contractors and natural or legal persons providing services to SIGLA SAS under any contractual modality that involves processing personal data. 
  • Shareholders, statutory auditors, and other individuals with whom there is a statutory legal relationship. 
  • Public or private individuals who use personal data. 
  • Any other individuals as established by law.

3. OBJECTIVE

SIGLA SAS seeks to ensure the protection of personal data used or stored in its databases and files, guaranteeing every individual’s constitutional right to know, update, and rectify the information collected about them. 

This is in line with Article 15 of the Political Constitution, Law 1581 of 2012, and other regulatory decrees. This document establishes criteria for obtaining, collecting, using, processing, exchanging, transferring, and transmitting personal data. It also defines the responsibilities of the company and its employees in handling and processing personal data stored in its databases and files. 

SCOPE OF APPLICATION 

This Internal Policy Manual applies to personal data recorded in any personal database subject to processing by SIGLA SAS. 

It establishes the criteria and behaviors that SIGLA SAS (employees, contractors, shareholders, board members, etc.) must follow to preserve the confidentiality, integrity, and availability of information, understood as follows: 

  • Confidentiality: Ensuring that information is accessible only to authorized individuals. 
  • Integrity: Safeguarding the accuracy and completeness of information and processing methods. 
  • Availability: Guaranteeing that authorized users have access to information and related resources whenever required. 

Additionally, SIGLA SAS must fulfill its duties as a personal data processing company, including: 

  • Ensuring the data subject’s full and effective exercise of their habeas data rights at all times. 
  • Obtaining the necessary authorization from the data subject. 
  • Properly informing the data subject about the purpose of data collection and their rights under the authorization. 
  • Storing information under appropriate security conditions to prevent alteration, loss, unauthorized consultation, use, or access. 
  • Keeping information updated and addressing any changes to the data subject’s details. 
  • Implementing all necessary measures to maintain the accuracy and currency of the information.

4. SCOPE

The policies described in this Manual apply at all levels of SIGLA SAS and to all personal databases in its possession, whether processed within Colombian territory or subject to Colombian legislation due to international norms and treaties. 

5. PRINCIPLES

According to Law 1581 of 2012, the following guiding principles shall apply to the processing of personal data: 

a) Principle of legality.
b) Principle of purpose.
c) Principle of freedom. 
d) Principle of truthfulness or quality. 
e) Principle of transparency. 
f) Principle of restricted access and circulation. 
g) Principle of security. 
h) Principle of confidentiality. 

6. DEFINITIONS

To ensure complete clarity regarding the terminology used in the applicable legislation and in this Personal Data Processing Policy, the following definitions are provided: 

  • Authorization: Prior, express, and informed consent given by the data subject for the processing of their personal data. 
  • Information Asset: Structured and unstructured information that exists in printed or electronic form, including data stored in records, files, and databases. 
  • Privacy Notice: A verbal or written communication from the data controller to the data subject informing them about the existence of data processing policies, how to access them, and the purpose of data processing. 
  • Database: A structured set of personal data subject to electronic or non-electronic processing, regardless of the method of formation, storage, organization, or access. 
  • Data Subject: The individual to whom the personal data stored in a database pertains. 
  • Data Processing: Any operation or set of operations, whether automated or not, that allows the collection, storage, modification, usage, circulation, evaluation, blocking, destruction, or general processing of personal data, including its transfer to third parties.

7. RESPONSIBILITIES

The General Management, with the support of the entire company’s management team, shall be responsible for the approval and application of the guidelines contained in this Manual, ensuring the proper processing of personal data obtained during SIGLA SAS’s corporate activities. 

Therefore, the Director and each Process Leader shall be responsible for collecting, transmitting, and/or providing third-party data, ensuring compliance with these data protection policies.

8. PERSONAL DATA PROCESSING POLICY

SIGLA SAS is committed to the proper collection, use, processing, transfer, updating, and conservation of the personal data of our business associates, such as employees, clients, shareholders, contractors, suppliers, among others, in order to guarantee the rights of the data subjects and prevent unauthorized third parties from accessing, misusing, altering, losing, or stealing the information contained in the databases. This is achieved by implementing the company’s security protocols through the continuous execution of technological, physical, and administrative security controls that ensure the integrity, confidentiality, availability, and safekeeping of the information. 

To comply with Statutory Law 1581 of October 17, 2012, and any amendments, additions, or supplements thereto, various processes and guidelines are established for handling the information of Shareholders, Clients, Suppliers, Employees, and other stakeholders, as referenced in this policy, which includes the following aspects: 

Proper service delivery: This covers all matters related to the necessary data for analyzing and developing feasibility, contracting, adapting, and executing the service, in areas such as leasing, customer service, service improvement, customer satisfaction, information, security, and, in general, all essential information to fulfill the scope of the contract, regulations, and applicable laws. 

Commercial purposes: This includes all activities aimed at presenting offers, services, advertisements, opportunities, customer loyalty, customer retention, and, in general, information on goods, products, and services that may be of interest to clients and users. 

Other purposes: The company may establish additional purposes for processing personal data, for which it must obtain the prior, express, informed, and consented authorization of the data subject. 

9. AUTHORIZATION 

For the processing of personal data, SIGLA SAS requires the prior, free, and informed consent of the data subject. Various channels have been implemented to obtain, verify, and record the Authorization.

10. MEANS AND METHOD OF GRANTING AUTHORIZATION 

Authorization may be documented in physical, digital, or any format that allows for subsequent consultation. Once granted, it ensures that the Data Subject is aware of the data collection and that its use will be solely for the purposes determined by SIGLA SAS. 

The authorization will include: 
a) Who collects (responsible party or processor) 
b) What is collected (data being gathered) 
c) Why the data is collected (purpose of processing) 
d) How to exercise the rights of access, correction, updating, or deletion of the provided personal data 

11. PRIVACY NOTICE 

This is the physical or electronic document made available to the Data Subject so they can be informed about who is responsible for processing personal data, their rights, and the purposes of data usage. 

– The name (corporate name) and contact details of the Data Controller. 
– The processing to which the data will be subjected and its purpose. 
– The rights of the Data Subject. 
– The general mechanisms implemented by the Data Controller to ensure the Data Subject is aware of the Data Processing Policy and any substantial changes made to it. In all cases, the Data Subject must be informed of the available consultation channels. 

12. DATA SUBJECTS’ RIGHTS 

Data Subjects may exercise the following rights regarding their personal data processed by SIGLA SAS: 

a) To know, update, and rectify their personal data held by SIGLA SAS in its role as the data controller. This right may be exercised, among other reasons, in the case of partial, inaccurate, incomplete, fragmented, misleading data, or data whose processing is expressly prohibited or unauthorized.
b) To request proof of the authorization granted to SIGLA SAS as the data controller, except when authorization is explicitly exempted as a processing requirement, such as in cases involving:
  • Information required by a public or administrative entity in the exercise of its legal functions or by court order.
  • Publicly available data.
  • Data related to medical or health emergencies.
  • Processing authorized by law for historical, statistical, or scientific purposes.
  • Data related to civil registry records.
c) To be informed by SIGLA SAS, upon request, regarding the use of their personal data.
d) To file complaints with the Superintendency of Industry and Commerce regarding violations of Law 1581 of 2012 or other applicable regulations after exhausting the consultation or complaint process with the Data Controller.
e) To revoke authorization and/or request the deletion of data when processing does not respect constitutional and legal principles, rights, and guarantees.
f) To access, free of charge, their personal data that has been processed.

13. SIGLA SAS’S OBLIGATIONS REGARDING PERSONAL DATA PROCESSING 

SIGLA SAS commits to permanently fulfilling the following obligations concerning the processing of personal data: 

a) Ensuring that the Data Subject fully and effectively exercises their right to habeas data at all times.
b) Requesting and retaining copies of the corresponding authorization granted by the Data Subject.
c) Properly informing the Data Subject about the purpose of data collection and their rights under the authorization granted. 
d) Keeping the information under the necessary security conditions to prevent alteration, loss, unauthorized consultation, use, or fraudulent access. 
e) Ensuring that the data provided by the data processor is accurate, complete, up-to-date, verifiable, and comprehensible. 
f) Updating, rectifying, or deleting data in a timely manner, as stipulated in Articles 14 and 15 of Law 1581 of 2012. 
g) Handling inquiries and complaints filed by Data Subjects within the deadlines specified in Article 14 of Law 1581 of 2012. 
h) Refraining from sharing information that is being contested by the Data Subject and whose restriction has been ordered by the Superintendency of Industry and Commerce. 
i) Informing the Data Subject, upon request, about the use of their data. 
j) Notifying the Superintendency of Industry and Commerce in cases of security breaches that pose risks to the management of Data Subjects’ information. 
k) Complying with the instructions and requirements issued by the Superintendency of Industry and Commerce. 

14. RIGHT OF ACCESS TO INFORMATION 

The Data Subject may request to know whether their data is being processed by the Company. 
The Data Subject may access their personal data held by the Data Controller. 
The Company will inform the Data Subject about the types of personal data processed and the justifications for such processing. 

15. DATA RECTIFICATION AND UPDATING 

The Data Subject has the right to request the update or rectification of their personal data. SIGLA SAS is obligated to rectify and update the Data Subject’s information if it is incomplete or inaccurate, as outlined in this Policy. The request for rectification or update must specify the corrections to be made, and in some cases, supporting documentation may be required. 

SIGLA SAS may establish mechanisms to facilitate the exercise of this right, such as electronic means or other appropriate methods. 

16. DATA DELETION 

The Data Subject has the right, at any time, to request that SIGLA SAS delete their personal data if: 
a) They wish for their data to be removed from SIGLA SAS’s databases. 
b) They believe that the data is not being processed in accordance with the principles, obligations, and duties set out in Law 1581 of 2012 and Decree 1377 of 2013. 
c) The data is no longer necessary or relevant for the purpose for which it was collected. 
d) The necessary period for fulfilling the data’s original purpose has expired. 

The deletion process must ensure that the data is permanently erased and cannot be recovered. 

17. REVOCATION OF AUTHORIZATION

The Holders of Personal Data may revoke their consent for the Processing of their Personal Data at any time, provided that it is not prevented by a legal or contractual provision. To this end, SIGLA SAS must establish simple, easily accessible, and free mechanisms that allow the Holder to revoke their consent, at least through the same means by which it was granted and under the terms stipulated in Law 1581 of 2012, its regulatory Decrees, and modifying or complementary regulations.

It should be noted that there are two modalities in which consent revocation may occur:

The first may be for the entirety of the consented purposes, meaning that SIGLA SAS must completely cease Processing the Holder’s Data; the second may apply to specific types of Processing, such as for advertising or market research purposes. Under the second modality, that is, partial revocation of consent, other purposes of the Processing that the Controller, in accordance with the granted Authorization, may carry out and that the Holder agrees with, remain unaffected.

Therefore, it will be necessary for the Holder, when submitting the revocation request, to indicate whether the revocation they intend to make is total or partial. In the second case, they must specify which Processing they do not agree with.

There will be cases in which consent, due to its necessity in the relationship between the Holder and the Controller for the fulfillment of a contract or by legal provision, cannot be revoked.

The mechanisms or procedures that SIGLA SAS establishes to handle revocation requests for granted consent may not exceed the deadlines set for handling claims as indicated in Article 15 of Law 1581 of 2012.

18. PROCEDURE FOR HANDLING REQUESTS

Under the responsibility of the General Management of SIGLA SAS, any person who requires it may exercise their rights to know, update, rectify, and request the deletion of their personal data at any time.

The right to consultation will be guaranteed by providing the information contained in the individual record. To handle requests, petitions, and claims related to personal data consultation, THE COMPANY guarantees that the email account info@sigla-sas.com is enabled to respond to consultation requests, with a maximum period of ten (10) business days from the date of receipt.

If it is not possible to respond to the consultation within this period, the interested party will be informed before the expiration of the 10 days, explaining the reasons for the delay and indicating the date when their consultation will be addressed, which in no case may exceed five (5) business days after the expiration of the first deadline.

19. PROTECTION OF INFORMATION ASSETS

To prevent loss, damage, or unauthorized access to information, all employees, shareholders, members of the Board of Directors, among others, must take the necessary security measures, keeping restricted or confidential information locked away and computers locked when their workstations are unattended or during non-working hours.

This includes printed documents, CDs, USB storage devices, and removable media in general.

Additionally, it is required that sensitive information sent to printers be collected immediately.

20. MONITORING OF THE IMPLEMENTATION OF POLICIES

The General Management will coordinate a semi-annual review of changes in personal information reported to the Regulatory Authorities and stored in the databases under the responsibility of each area, according to modification or deletion requests received from the holders. This review should include an assessment of improvement opportunities and the need to make changes in the security approach, including applicable recommendations through a schedule of activities to be carried out.

21. COMPLIANCE WITH SECURITY POLICIES

The persons responsible for each process must regularly review compliance with the established procedures for handling information within their area of responsibility, as well as verifying the security requirements defined in the policies, regulations, and other applicable provisions, to determine whether they remain applicable or need to be modified.