Data processing policy

1. COMPANY INFORMATION.

ISAENG S.A.S is a commercial company constituted under the laws of Colombia, located at Cra 42 # 3 Sur – 81, Torre 1 Piso 15 of Medellin, Antioquia, identified with NIT 900,564,030-6 and with e-mail for legal notifications info@isaeng.com, which from now on and for the purposes established in the present policies will be referred to as ISAENG.

2. LEGAL FRAMEWORK.

The information handling policy is developed in compliance with Articles 15 and 20 of the Political Constitution; Articles 17, paragraph k) and 18, paragraph f) of the Statutory Law 1581 of 2012, which issues general provisions for the Protection of Personal Data (LEPD), Article 2.2.2.25.1.1 Section 1, Chapter 25 of Decree 1074 of 2015, which partially regulates Law 1581 of 2012 (Article 13 of Decree 1377 of 2013).  This policy shall apply to all personal data registered in databases that are processed by the data controller.

The following rules constitute the regulatory framework applicable to this policy:

Political Constitution of Colombia: It establishes the fundamental premises concerning the processing of personal data as a fundamental right (Habeas Data), derived from the right to privacy enshrined in Article 15 and the right to information in Article 20.

Law 1581 of 2012: Constitutes the general framework for the protection of personal data in Colombia and seeks to protect the right of all persons to know, update, and rectify the information contained in databases or files.

Law 1273 of 2008: By means of which a new protected legal asset is created called “of information and data protection” and systems that use information and communication technologies are fully preserved; prescribing criminal liability for the improper treatment of personal data.

Decree 1074 of 2015 Chapter 25 and Chapter 26 of the Compilation of Decrees:

Decree 1377 of 2013

Decree 886 of 2014

Circular 01 of November 8, 2016.

 

3. SCOPE

This document shall apply to all personal data or any other type of information that is used or stored in the databases and files of ISAENG S.A.S, respecting the criteria for obtaining, collecting, using, processing, exchanging, transferring and transmitting personal data, and establishing the responsibilities of ISAENG S.A.S and its employees in the handling and processing of the personal data stored in its databases and files.

4. DEFINITIONS

The following definitions are established in Article 3 of the LEPD and Article 2.2.2.25.1.3 section 1 Chapter 25 of Decree 1074 of 2015 (Article 3 of Decree 1377 of 2013).

4.1. Authorization.

Prior, express, informed and fixed consent that the holder of the information gives to ISAENG to carry out the processing of personal data.

4.2. Privacy notice.

Communication generated by ISAENG, addressed to the Holder for the Treatment of their personal data, by means of which they are informed of the existence of the information Treatment policies that will be applicable to them, how to access them, and the purposes of the Treatment intended for the personal data.

4.3. Data Base.

Organized group of personal data that is the object of treatment.

4.4. Customer and/or User.

Owner of the information that contracts the services and/or products of ISAENG; or that requests information through the virtual means provided for this purpose.

4.5. Personal information.

Any information linked or that can be associated with one or more specific or determinable natural persons.

4.6. Public information.

Data that is not semi-private, private or sensitive. Public data are considered, among others, data relating to the marital status of individuals, their profession or trade and their status as merchants or public servants. By its nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins, duly executed court rulings that are not subject to reservation.

4.7. Semi-private data.

This is data that is not of an intimate, reserved, or public nature, and whose knowledge or disclosure may be of interest not only to the holder, but also to a certain sector or group of persons or to society in general, as is the case: Databases containing financial, credit, commercial, service and third country information.

4.8. Private data.

Personal data that, due to its intimate or reserved nature, is only of interest to its owner and whose treatment requires prior, informed and express authorization. Databases containing data such as personal telephone numbers and e-mails; labor data, administrative or criminal infringements, administered by tax administrations, financial institutions and managing entities and common services of the Social Security, databases on asset or credit solvency, databases with sufficient information to evaluate the personality of the holder, databases of the persons responsible for operators providing electronic communication services.

4.9. Sensitive data.

Sensitive data is understood to be that which affects the privacy of the Data Subject or whose undue use may generate its discrimination, such as that which reveals the racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights or that promotes the interests of any political party or that guarantees the rights and guarantees of opposition political parties, as well as data relating to health, sexual life, and biometric data.

4.10. Data processor.

Natural or legal person, public or private, who by himself or in association with others, carries out the processing of personal data on behalf of the Data Controller.

4.11. Person in charge of the treatment.

Natural or legal person, public or private, that by itself or in association with others, decides about the data base and/or the data processing.

4.12. Responsible for the administration of the databases.

Collaborator in charge of controlling and coordinating the adequate application of the data treatment policies once stored in a specific database; as well as of putting into practice the guidelines issued by the Data Protection Officer and the Data Controller.

4.13. Data Protection Officer.

This is the natural person who assumes the function of coordinating the implementation of the legal framework on protection of personal data, which will process the requests of the Data Holders, for the exercise of the rights referred to in Law 1581 of 2012.

4.14. Third Parties.

This corresponds to the natural or legal person with whom ISAENG has commercial relations as a supplier or similar.

4.15. Owners.

Natural or legal person whose personal data are processed.

4.16. Processing.

Any operation or set of operations involving personal data, such as collection, storage, use, circulation or deletion.

4.17. Transfer.

The transfer of data takes place when the person responsible for and/or in charge of the processing of personal data, located in Colombia, is in charge of the processing of personal data.

4.18. Transmission.

Processing of personal data that implies the communication of such data within or outside the territory of the Republic of Colombia when its purpose is to carry out a processing determined by the person in charge on behalf of the responsible party.

5. PRINCIPLES OF DATA PROTECTION

ISAENG, in developing its service model, adjusts its operation to the principles of Good Faith, Legality, Transparency and Security; and based on these principles, will treat the information, whether it is acting as responsible or in charge of the treatment. The following principles are of obligatory application by ISAENG:

Principle of confidentiality.

Each and every one of the persons who administer, manage, update or have access to information of any kind found in databases, undertake to keep and maintain in a strictly confidential manner and not to disclose to third parties, all personal, commercial, accounting, technical, commercial or any other type of information provided in the execution and exercise of their functions. All persons working at present or linked in the future for such purpose, in the administration and management of databases, must sign an additional document or others to their labor or service contract for the purpose of ensuring such commitment. This obligation persists and is maintained even after the end of their relationship with any of the tasks included in the Treatment.

Principle of purpose.

The use, capture, collection and in general all processing of personal data to which it has access and is collected by ISAENG, will be subordinated and will serve a legitimate purpose informed to the respective owner of the personal data.

Principle of integral interpretation of constitutional rights.

The law shall be interpreted in the sense that constitutional rights, such as habeas data, the right to a good name, the right to honor, the right to privacy and the right to information, are adequately protected. The rights of the holders shall be interpreted in harmony and on a level of balance with the right to information provided for in article 20 of the Political Constitution of Colombia and with the other applicable constitutional rights.

Principle of legality.

In the use, capture, collection and in general all processing of personal data, the current and applicable provisions governing the processing of personal data, sectorial and other related fundamental rights shall be applied, especially the provisions of the data protection law, Decree 1377 of 2013 compiled in Chapter 25 of Decree 1074 of 2015 and other provisions that develop it.

Principle of freedom.

The use, capture, collection and in general any processing of personal data can only be carried out with the prior, express, informed and fixed consent of the Owner. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal, statutory, or judicial mandate that waives the need for consent.

Principle of security.

The personal data and information used, captured, collected and subject to treatment by ISAENG, will be protected to the extent that technical, human and administrative resources and minimum standards allow, through the adoption of technological protection measures, protocols, and all kinds of administrative measures that are necessary to provide security to electronic records and repositories to avoid their adulteration, modification, loss, consultation, and in general against any unauthorized or fraudulent use or access. The Responsible for the treatment has the responsibility to implement the corresponding security measures and to make them known to all the personnel who have access, directly or indirectly, to the data. Users who access the information systems of the Data Controller must know and comply with the rules and security measures that correspond to their functions. These rules and security measures are set out in the Internal Security Manual, which must be complied with by all users and staff of the company. Any modification of the rules and measures regarding the security of personal data by the person responsible for the treatment must be made known to the users.

Principle of information temporality.

The owner’s information may not be processed when it no longer serves the purpose for which it was collected.

Principle of transparency.

The processing must guarantee the right of the Data Subject to obtain from the Controller or the person in charge of the processing, at any time and without restrictions, information about the existence of data concerning him/her. At the time of requesting authorization from the data subject, the data controller must inform him/her clearly and expressly of the following, retaining proof of compliance with this duty:

The treatment to which your data will be submitted and the purpose of this treatment.

The optional nature of the Holder’s response to the questions asked when dealing with sensitive data or data on children or adolescents.

Your rights as a Data Subject.

The identification, physical address, e-mail and telephone number of the data controller.

The principle of truthfulness or quality.

The information subject to treatment must be truthful, complete, exact, updated, verifiable and understandable. The treatment of partial, incomplete, fractionated or misleading data is prohibited.

Principle of access and restricted circulation.

Processing is subject to the limits arising from the nature of the personal data, the provisions of the Data Protection Act and the Constitution. In this sense, the processing may only be done by persons authorized by the Data Controller and/or by the persons provided for by the Law. Personal data, except for public information, may not be made available on the Internet and other means of dissemination or mass communication, unless access is technically controllable in order to provide restricted knowledge only to Data Holders or third parties authorized under the Law.

6. DATA PROCESSING

The processing of personal data by ISAENG is defined by its service model. ISAENG is a commercial company dedicated to carrying out such activities as research in renewable energy, specialized consultancy, energy commercialization, exploitation and marketing of natural resources, business development and projects related to energy generation from renewable sources, sustainable and/or non-conventional.

Acceptance of the present policy for the treatment of data.

In accordance with article 9 of the Personal Data Act, the processing of personal data requires the prior and informed consent of the Data Controller. By accepting this policy, any Holder who provides information regarding his/her personal data is consenting to the processing of his/her data by ISAENG S.A.S. under the terms and conditions set forth herein.

The Holder’s authorization will not be required in the case of:

Information required by a public or administrative entity in the exercise of its legal functions or by court order.

Information of public nature.

Cases of medical or health emergency.

Processing of information authorized by law for historical, statistical or scientific purposes.

Data related to the Civil Registry of persons.

6.2. Information security and safety measures.

In development of the principle of security established in the current regulations, ISAENG will adopt the technical, human and administrative measures necessary to provide security to the records, trying to avoid its adulteration, loss, consultation, unauthorized or fraudulent use or access.

6.2.1. Physical Security Mechanisms

In order to guarantee the security and integrity of the data provided by the users, ISAENG has contracted a storage service on servers that may be located anywhere in the world; however, these will be subject to the legislation of the country where they are located.

Virtual Security Mechanisms:

ISAENG has electronic security measures to protect your data.

Collection

The collection of personal data is given according to the destination to which they are subjected, so:

User. Through the completion of physical or virtual subscription forms available for the purpose, independently or integrated into other forms of linkage or affiliation to ISAENG, or services it can provide, among others. Also through the physical or virtual filling of forms generated in advertising, loyalty, expansion or marketing campaigns, whether they are physically or virtually available in the links “REGISTER”, “WORK WITH US”, “CONTACT US” or any other with similar purpose in the main web portal or accessory website of ISAENG.

Employees. The collection of data on ISAENG employees is carried out from the beginning of the selection process, where the use to which the information provided is to be put is expressly reported, and at the time of employment the type of data to be collected and the purpose of collection is detailed in the employment contract.

Third parties. The collection of personal data from third parties is carried out on the basis of preliminary agreements and during the relationship that is maintained with any concept, detailing at each stage, whether through a contract, agreement or document, what type of data is to be collected and the purpose of its collection.

Authorization and consent.

The collection, storage, circulation, suppression and other uses of personal data by ISAENG require the free, prior, express and informed consent of the owner of the data.

Means for granting authorization.

The holder of the information grants his or her consent through the following means:

Electronic document.

Physical document.

Data message.

By telephone.

These mechanisms are established without prejudice to the possibility of obtaining the holder’s informed consent by different means, which guarantee the necessary conditions to do so; which allow to conclude unequivocally that it is the holder’s will.

Proof of authorization.

In order to keep the authorization granted by the holder of the data protected and available, ISAENG has technical, human and administrative measures that allow the suitable physical or digital storage, which allows to determine and to accredit the circumstances of time, way and place in which the authorization was granted, to guarantee the rights of the holder and to maintain unequivocal clarity in its procedures.

Updating, rectification, suppression and revocation of the authorization.

Updating and rectification of data.

In order to guarantee the rights of the holder of the information, in cases where the holder requests it, ISAENG will update and/or rectify the information because it is inaccurate or incomplete; for which it has provided the following mechanisms:

Through the e-mail address info@isaeng.com detailing the modifications to be made.

By means of a physical request addressed to ISAENG at the legal notification address indicated above.

Deletion of data.

In order to guarantee the rights of the holder of the information, ISAENG will, when necessary and at the request of the holder, delete all or part of the data, for which it has provided the following mechanisms:

Through the e-mail address info@isaeng.com detailing the modifications to be made.

By means of a physical request addressed to ISAENG at the legal notification address indicated above.

The above, provided that the following conditions are met:

When the data does not comply with the purpose for which it was provided

When they have ceased to be useful for the purpose for which they were supplied

When they have fulfilled the purpose for which they were supplied.

Subject to the law, ISAENG may not delete the data when the owner is under contractual, legal, administrative and/or judicial obligations that require the permanence of the data for its adequate fulfillment.

Revocation of the authorization.

ISAENG, at the request of the owner and using the physical and electronic mechanisms designed for this purpose, will accept the request for total or partial revocation of the authorization granted, upon which the processing will cease, provided that the owner is not subject to contractual, legal, administrative or judicial obligations in force that require the permanence of the data for proper compliance.

Collected data.

The data collected by ISAENG is public, private, semi-private, sensitive and for minors; in each situation its collection complies with the prescriptions given by law for its proper treatment.

The personal data provided by the holder to ISAENG, as the responsible party, will be treated for storage, circulation (transfer and transmission), suppression, processing, compilation, updating, communication and/or making available, all in compliance with the regulations in force and with the following specific purposes described below:

Once the data has been provided by the owner to ISAENG, the latter will issue a Privacy Notice, to inform about the existence of these policies and the way to access them, where the specific purpose of the treatment is defined, which will be in each case:

Both for users, customers, affiliates and persons linked directly or indirectly to ISAENG, including users that the web tools; ISAENG collects data of a public, private, semi-private, sensitive and minor nature, complying with the requirements established by law for their treatment.

In view of the purpose the data will be treated for: customer loyalty; accounting, fiscal and administrative management; customer management; management of collections and payments; management of invoicing; economic and accounting management; fiscal management; history of commercial relations; marketing; commercial prospecting; own advertising; distance selling; creation of the user’s resume; physical (telephone [calls and/or text messages] or written) or virtual communications related to services, products, promotions, advice, events, venues, programming, training, plans, workshops, market and financial trends, schedules, changes in services or products; sending of physical (telephone [calls and/or text messages] or written) or virtual communications related to marketing, advertising, sales, billing, collection, service, validations, verifications, payment information; calls and participation in project execution; issuance of certifications; communication to the public and/or making available of videos or images in the media, web portal and social networks of ISAENG, related solely and exclusively to the development of the corporate purpose of ISAENG; consultation and report in financial risk centers the behavior of users; transfer and/or transmission to third parties, contractors, subcontractors, distributors and other third parties linked to ISAENG for the same purposes as established in these policies; business qualification.

The personal data provided by ISAENG employees will be processed in order to comply with the obligations arising from the working relationship that unites them and with the specific purposes established at the beginning of the relationship. The personal information of applicants, employees and former employees of ISAENG will be treated for the following purposes:

Management of associative, cultural, recreational, sports and social activities; management of training, management of education; management of scholarships and student aid; management of education, culture, sports; concession and management of permits, licenses and authorizations; historical, scientific or statistical purposes; management of internal statistics; management of sanctions, warnings, calls for attention, exclusions; provision of certification services; administrative procedures; dispatch of publications; registration of incoming and outgoing documents; reservations and issuance of transport tickets; financial management; accounting, tax and administrative management; management of collections and payments; time control; staff training; payroll management; personnel management; management of temporary work; management of social benefits; prevention and management of occupational risks; promotion and management of employment; promotion and selection of personnel; sending of physical communications (telephone [calls and/or text messages] or written) or virtual communications related to services, products, promotions, advice, events, locations, programming, training, plans, workshops, schedules, changes in services or products; Sending of physical communications (telephone [calls and/or text messages] or written) or virtual communications related to marketing, advertising, sales, billing, collection, service, validations, verifications, vacancies; transfer and/or transmission to third party partners, contractors, subcontractors, distributors and other third parties related to ISAENG for the same purposes established in these policies; consultation and report in financial risk centers the behavior of users.

The personal data provided by third parties to ISAENG, both in the pre-contractual, contractual and post-contractual stages, will be processed for the fulfillment of the obligations arising from the relationship that unites them, with the specific purposes that are established at the beginning of the relationship and with the following ones: creation of third party’s resume; sending physical communications (telephone [calls and/or text messages] or written) or virtual communications related to services, products, promotions, advice, events, venues, programming, training, plans, workshops, trends, schedules, changes in services or products; sending physical communications (telephone [calls and/or text messages] or written) or virtual communications related to marketing, advertising, sales, billing, collection, service, validations, verifications, payment information; transfer and/or transmission to third party affiliates, allies, contractors, subcontractors, distributors and other third parties linked to ISAENG for the same purposes established in these policies; consultation and reporting in financial risk centers the behavior of third parties; historical, scientific or statistical purposes; management of internal statistics; provision of certification services; administrative procedures; administrative management; management of collections and payments; management of invoicing; management of suppliers; economic and accounting management; fiscal management; history of commercial relations.

7. PERSON IN CHARGE OF THE TREATMENT

The person responsible for the treatment of the databases subject to this policy is ISAENG S.A.S, whose contact details are as follows:

ISAENG S.A.S located at Cra 42 # 3 Sur – 81, Torre 1 Piso 15 de Medellin, Antioquia, identified with NIT 900,564,030-6 and with e-mail for legal notifications info@isaeng.com

8. RIGHTS OF THE HOLDERS

In accordance with article 8 of the Personal Data Act and its regulatory decrees, Data Holders may exercise a number of rights in relation to the processing of their personal data. These rights may be exercised by the following persons:

By the Data Subject, who must prove his/her identity in a sufficient manner by the various means made available to him/her by the Controller.

By their assignees, who must prove such quality.

By the representative and/or proxy of the Holder, prior accreditation of the representation or proxy.

By stipulation in favor of another and for another.

The rights of the children or adolescents will be exercised by the persons who are empowered to represent them.

The rights of the Holder are the following:

The Owners who voluntarily and in compliance with the requirements of law, have provided personal data to ISAENG, have the following rights:

To know, update, rectify and delete the data and revoke the authorization.

To request the Superintendence of Industry and Commerce to order the revocation of the authorization and/or the suppression of the personal data.

To access the data. Those responsible and in charge of the treatment must establish simple and agile mechanisms that are permanently available to the Owners so that they can access the personal data under their control and exercise their rights over them.

To consult their personal data free of charge: (i) at least once every calendar month, and (ii) every time there are substantial modifications to the Information Treatment Policies that motivate new consultations and in the terms established by law.

To update, rectify or delete your personal data. In development of the principle of truthfulness or quality, in the treatment of personal data, reasonable measures must be taken to ensure that the personal data contained in the databases are accurate and sufficient and, when requested by the Data Subject or when the Controller has been able to warn him/her, they must be updated, rectified or deleted, in such a way that they satisfy the purposes of the treatment. This right may be exercised, among others, against partial, inaccurate, incomplete, fractionated, or misleading data, or data whose Processing is expressly prohibited or has not been authorized.

To request proof of the authorization granted to the Data Controller, except when expressly exempted as a requirement for processing, in accordance with the provisions of the law.

To be informed by the Data Controller or the person in charge of the processing, upon request, of the use that has been made of their personal data.

To submit to the Superintendence of Industry and Commerce complaints for violations to the provisions of this law and other regulations that modify, add or complement it.

To revoke the authorization and/or request the deletion of the data when the processing does not respect the principles, rights and constitutional and legal guarantees. The revocation and/or suppression shall proceed when the Superintendence of Industry and Commerce has determined that in the Treatment the Responsible or In charge has incurred in conducts contrary to this law and the Constitution.

To have free access to their personal data that have been subject to processing.

To exercise the fundamental right of habeas data in the terms of the law, by using the procedures for consultations or complaints, without prejudice to the other constitutional and legal mechanisms.

9. DATA PROCESSING OF MINORS

According to Article 7 of Law 1581 of 2012, the processing of personal data of children and adolescents is prohibited, except as provided in Article 2.2.2.25.2.9 section 2 of Chapter 25 of Decree 1074 of 2015 (Article 12 of Decree 1377 of 2013) and in compliance with the following parameters and requirements:

That it responds to and respects the best interests of children and adolescents.

That the respect of their fundamental rights is ensured.

Once the above requirements are fulfilled, ISAENG S.A.S will request authorization from the legal representative of the child or adolescent prior to the exercise of the minor’s right to be heard, an opinion that will be assessed taking into account the maturity, autonomy and ability to understand the issue. The person in charge and responsible involved in the treatment of the personal data of children and adolescents must watch over the adequate use of the same, applying the principles and obligations established in Law 1581 of 2012 and regulatory norms.

10. ATTENTION TO DATA HOLDERS

The Data Protection Officer of ISAENG S.A.S. will be in charge of the attention of requests, consultations and claims before which the Holder of the data can exercise his rights.

11. PROCEDURES TO EXERCISE THE RIGHTS OF THE HOLDER

11.1. Right of access or consultation.

The Owner may consult his personal data free of charge in two cases: At least once every calendar month or each time there are substantial changes in the information processing policies that cause new consultations.

For consultations whose frequency is greater than one per calendar month, ISAENG S.A.S. may only charge the holder shipping costs, reproduction and, where appropriate, certification of documents. Reproduction costs may not exceed the cost of recovering the corresponding material. For this purpose, ISAENG S.A.S. will demonstrate to the Superintendence of Industry and Commerce, when required, the support of such expenses.

The owner of the data can exercise the right of access or consultation of their data by writing to ISAENG S.A.S. by email at info@isaeng.com, indicating in the Subject “Exercise of the right of access or consultation”, or by mail sent to Cra 42 # 3 Sur – 81, Torre 1 Piso 15 de Medellin, Antioquia.

The request must contain the following information:

Name and surname of the holder.

Photocopy of the Citizenship Card of the Holder and, if applicable, of the person representing him/her, as well as the document proving such representation.

Request in which the request of access or consultation is specified.

Address for notifications, date and signature of the applicant.

Documents accrediting the request made, when applicable.

The Owner may choose one of the following forms of database consultation to receive the requested information:

On-screen display.

In writing, with a copy or photocopy sent by registered or unregistered mail.

Electronic mail or other electronic means.

Another system adapted to the configuration of the database or the nature of the treatment, offered by ISAENG S.A.S.

Once the request has been received, ISAENG S.A.S. will resolve the request for consultation within a maximum of ten (10) working days from the date of receipt. When it is not possible to attend to the consultation within this period, the interested party will be informed, expressing the reasons for the delay and indicating the date on which the consultation will be attended to, which in no case may exceed five (5) working days following the expiry of the first term. These terms are set forth in article 14 of the Personal Data Act.

Once the consultation process has been exhausted, the Owner or successor in title may file a complaint with the Superintendence of Industry and Commerce.

11.2. Rights of complaints and claims

The data owner can exercise the right of claim on their data in writing to ISAENG, sent by email to info@isaeng.com, indicating in the Subject “Exercise of the right of complaint or claim”, or by mail sent to Cra 42 # 3 South – 81, Torre 1 Floor 15 Medellin, Antioquia.

The application must contain the following information:

Name and surname(s) of the holder.

Photocopy of the Citizenship Card of the Holder and, if applicable, of the person representing him/her, as well as the document proving such representation.

Description of the facts and petition in which the request for correction, suppression, revocation or infraction is specified.

Address for notifications, date and signature of the applicant.

Documents accrediting the petition formulated that are to be asserted, when applicable.

If the claim is incomplete, the interested party will be requested, within five (5) days following the receipt of the claim, to correct the faults. If two (2) months pass from the date of the requirement without the applicant presenting the required information, it will be understood that the applicant has withdrawn the claim.

Once the complete claim has been received, a legend that says “claim in process”, together with the reason for it, will be included in the database within a period of no more than two (2) working days. This legend shall be maintained until the claim is decided.

ISAENG S.A.S. will resolve the request for a claim within a maximum of fifteen (15) working days from the date of receipt of the claim. When it is not possible to attend to the claim within this term, the interested party will be informed of the reasons for the delay and the date on which the claim will be attended to, which in no case may exceed eight (8) working days following the expiry of the first term.

Once the claim process has been exhausted, the Owner or successor in title may file a complaint with the Superintendence of Industry and Commerce.

12. SECURITY MEASURES

ISAENG, in order to comply with the principle of security, has implemented the necessary technical, human and administrative measures to guarantee the security of the records by preventing their adulteration or loss and their unauthorized or fraudulent consultation, use or access.

In addition, ISAENG, by signing the corresponding transmission contracts, has required those in charge of the treatment with whom it works to implement the necessary security measures to guarantee the security and confidentiality of the information in the treatment of personal data.

The security measures implemented by ISAENG, which are included and developed in its “Internal Security Manual”, are subject to permanent control and revision.

13. SUBMISSION OF PERSONAL DATA TO THE AUTHORITIES

When a public or administrative entity, in the exercise of its legal functions or by court order, requests ISAENG to give access to and/or deliver personal data contained in any of its databases, the legality of the request and the relevance of the data requested in relation to the purpose expressed by the authority will be verified, and a record of the delivery of the personal information requested will be signed. The record will specify the obligation to guarantee the rights of the holder, which falls on the official who makes the request, on the person who receives it, and on the requesting entity.

14. TRANSFER OF DATA TO THIRD COUNTRIES

In accordance with the Personal Data Act, the transfer of personal data to countries that do not provide adequate levels of data protection is prohibited. It is understood that a country offers an adequate level of data protection when it complies with the standards set by the Superintendence of Industry and Commerce on the subject, which in no case may be lower than those required by Law 1581 of 2012 for its recipients. This prohibition will not apply in the case of:

Information regarding which the Holder has granted his/her express and unequivocal authorization for the transfer.

Exchange of medical data, when so required by the treatment of the Holder for reasons of health or public hygiene.

Bank or stock exchange transfers, according to the applicable legislation.

Transfers agreed within the framework of international treaties to which the Republic of Colombia is a party, based on the principle of reciprocity.

Transfers necessary for the execution of a contract between the Holder and the person responsible for the treatment, or for the execution of pre-contractual measures as long as the Holder’s authorization is available.

Transfers legally required for the safeguard of public interest, or for the recognition, exercise or defense of a right in legal proceedings.

It must be taken into account that, in the cases not contemplated as an exception, the Superintendence of Industry and Commerce shall be responsible for issuing the declaration of conformity regarding the international transfer of personal data.

International transfers of personal data carried out between ISAENG and a person in charge, to allow the person in charge to carry out the processing on behalf of the person responsible, need not be notified to the Data Subject or have his consent, provided that there is a contract for the transfer of personal data.

15. TREATMENT OF BIOMETRIC DATA

The biometric data stored in the databases are collected and processed strictly for security reasons, to verify personal identity and to perform access control for employees, customers and visitors. The biometric identification mechanisms capture, process and store information related to, among others, the physical characteristics of the persons (fingerprints, voice recognition and facial aspects), in order to establish or “authenticate” the identity of each subject.

The biometric databases are administered with technical security measures that guarantee due fulfillment of the principles and obligations derived from the Statutory Law on Data Protection, and that also ensure the confidentiality and reserve of the holders’ information.

16. VALIDITY

The databases for which ISAENG is responsible will be processed for as long as is reasonable and necessary for the purpose for which the data is collected. Once the purpose or purposes of the treatment have been fulfilled, and without prejudice to legal regulations that provide otherwise, ISAENG will proceed to delete the personal data in its possession unless there is a legal or contractual obligation that requires its conservation. Therefore, these databases have been created without a defined period of validity.

“The present treatment policy is in force from 30-09-2020”