Privacy Policy

1. OBJECTIVE

The purpose of this Privacy and Personal Data Protection Policy, (hereinafter "Privacy Policy"), is to comply with the Statutory Law No. 1581 of 2012, its Regulatory Decree 1074 of 2015 (Chapter 25) and other rules governing the Protection of Personal Data, or those that complement, replace, modify or repeal them, and in particular, to guarantee the right of Habeas Data of the Personal Data Owners.

II. SCOPE

This Privacy Policy is applicable both to SICOLSA DEL CENTRO S.A.S, hereinafter "THE COMPANY" as Data Controller and its direct and indirect employees, as well as to all those natural or legal third parties to whom it transmits or transfers Personal Data of the Data Subjects that comprise the Stakeholders of the Data Controller, when they carry out any Processing on them.

In its capacity as Controller, the Company may enter into contracts for the transmission of personal data with one or more Processors, for the processing of personal data. In these cases, the Processor shall undertake to (i) implement the obligations of the Controller under this policy; (ii) carry out the processing of data in accordance with the purpose that the owners have authorized described in this processing policy; and (iii) comply with other obligations imposed by the laws on the subject.

III. IDENTIFICATION OF THE DATA CONTROLLER

NAME:	SICOLSA DEL CENTRO S.A.S.
NIT	901432904
ADDRESS:	Kilometer 9 via Magdalena
E-MAIL:	notificaciones@sicolsa.com
PHONE:	3102245630

1. DEFINITIONS

For the purposes of this Privacy Policy, the following definitions shall apply:

• Data Protection: are all the technical, human and administrative measures that are necessary to grant security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.

• Authorization: Prior, express and informed consent of the Data Subject to carry out the processing of his or her personal data, which may include

collected (i) in writing, (ii) orally, or (iii) through unequivocal conduct, that allows a reasonable conclusion to be drawn that he/she granted the authorization.

• Privacy Notice: Physical document, electronic or in any other format generated by the Data Controller, which is made available to the Data Subject for the Processing of his/her personal data, by means of which the Data Subject is informed of the existence of the information processing policies that will be applicable to him/her, the way to access them and the characteristics of the processing that is intended to be given to the Personal Data.
  • Database: Organized set of physical or electronic (digital) personal data that is subject to manual or automated processing.

• Clients: Natural or legal person, public or private, with whom THE COMPANY has a business relationship.

• Personal Data: Any information linked or that can be associated to one or several determined or determinable natural persons. Some examples of personal data are the following: name, citizenship card, address, e-mail, telephone number, marital status, health data, fingerprint, salary, assets, financial statements, etc. The nature of Personal Data may be public, semi-private, private or sensitive.
  • Private Data: It is data that, due to its intimate or reserved nature, is only relevant to the Data Subject.

• Public Data: It is the data qualified as such according to the mandates of the law or the Political Constitution and that which is not semi-private, private or sensitive. Public data includes, among others, data relating to the marital status of individuals, their profession or trade, their status as merchants or public servants, and data that may be obtained without any reservation whatsoever. By their nature, public data may be contained, among others, in public records, public documents, gazettes and official bulletins, which are not subject to confidentiality.
  • Sensitive Data: Are those that affect the privacy of the Personal Data Holder or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life and biometric data (among others), of human rights or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sex life and biometric data (among others, still or moving image capture, fingerprints, photographs, iris, voice, facial or palm recognition, etc.).).
  • Semi-private data: Semi-private data are those that are not of an intimate, reserved or public nature and whose knowledge or disclosure may be of interest not only to their owner, but also to a group of people or to society in general. Semi-private data is understood as, among other things

other, information related to social security and financial and credit behavior.

• Right of Habeas Data: In accordance with the provisions of Article 15 of the Political Constitution of Colombia, it is the right of all persons to know, update and rectify the information that has been collected about them in data banks and in the files of public and private entities.
  • Stakeholders: For the purposes of this Privacy Policy, Stakeholders shall be understood as all groups of natural persons with respect to whom the Controller and/or Processors carry out any Processing of Personal Data.
  • Personal Data Protection Officer: Person or Area Responsible for dealing with Complaints and Claims that may arise regarding Personal Data Protection, designated in the Privacy Policy.

• PQR S: Petitions, queries and claims regarding Personal Data Protection.

• ClaimRequest of the Data Subject or of the persons authorized by him/her or by the Law to correct, update or delete his/her personal data or to revoke the authorization in the cases established by the Law.
  • Processing: To subject personal data to a series of programmed operations, with a specific purpose in accordance with the Company's corporate purpose.

• Play: Obtain a copy, in one or many copies, of the personal data that are obtained.
  • Treatment: Any operation or set of operations on personal data, such as collection, storage, updating, use, circulation.
  • Data Processor: Natural or legal person, public or private, that by itself or in association with others, carries out the Processing of Personal Data on behalf of the Data Controller. In the events in which the Controller does not act as Data Processor, the Data Processor shall be expressly identified. For the purposes of this Privacy Policy, Data Processors are understood as those reported in the National Registry of Databases.

• Responsible for the treatment: Natural or legal person, public or private, that by itself in association with others, decides on the Database and/or the Processing of the data. For the purposes of this Privacy Policy, the company SICOLSA DEL CENTRO S.A.S. is understood as the Data Controller.

• Headline: For the purposes of Law 1266 of 2008, it is the natural or legal person to whom the information contained in a database refers and subject of the right of habeas data and other rights and guarantees enshrined in that Law and the rules that complement, modify, replace or repeal it. For the purposes of Law 1581 of 2012, it is the natural person whose personal data are subject to Processing.
  • Transfer: Data Transfer takes place when the Controller and/or Processor of personal data, located in Colombia, sends the information or personal data to a recipient, which in turn is the Data Controller and is located inside or outside the country.
  • Transmission: Processing of Personal Data that involves the communication of such data within or outside the territory of the Republic of Colombia when the purpose of the Processing is carried out by the Processor on behalf of the Controller.

V. PRINCIPLES APPLICABLE TO THE PROCESSING OF PERSONAL DATA

The following are the Guiding Principles on Personal Data Protection, and shall apply to the Processing carried out by the Data Controller, its employees and all those natural or legal third parties to whom it Transmits or Transfers Personal Data of the Data Subjects that comprise its Stakeholders, when they carry out any Processing on the same:

• PRINCIPLE OF LEGALITY: The processing of Personal Data shall be carried out in accordance with the legal requirements established in the Statutory Law 1581 of 2012 and its regulatory decrees.

• PRINCIPLE OF PURPOSE: The Processing of Personal Data must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Data Subject and will be used for a specific and explicit purpose which must be informed to the Data Subject. The Data Subject shall be clearly, sufficiently and previously informed about the purpose of the information provided.

• PRINCIPLE OF FREEDOM: Processing may only be carried out with the prior, express and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves the consent. Excepted from this principle are Public Data, which may be subject to Processing without requiring authorization from the Data Subject, in accordance with the provisions of Law 1581 of 2012 and its Regulatory Decree 1074 of 2015.

• PRINCIPLE OF TRUTH OR QUALITY: The information subject to Processing must be truthful, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fractioned or misleading data is prohibited.

• PRINCIPLE OF TRANSPARENCY: The right of the Data Subject to obtain, at any time and without restrictions, information about the existence of data concerning him/her, must be guaranteed in the Processing.

• PRINCIPLE OF ACCESS AND RESTRICTED CIRCULATION: The processing of personal data may only be carried out by persons authorized by the Data Controller and/or by the persons provided for in the Law.

• SECURITY PRINCIPLE: The information subject to processing shall be protected through the use of technical, human and administrative measures that are necessary to provide security to the records, avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.

• PRINCIPLE OF CONFIDENTIALITY: All persons involved in the processing of personal data are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks involved in the processing.

VI. TYPE OF INFORMATION SUBJECT TO PROCESSING

The information obtained by the Company subject to processing may refer, among others, to:

a) Customers or Potential Customers:

Refers to the data of natural persons to whom the Company sells products or provides services in development of the corporate purpose and that are necessary to comply with legal and / or contractual obligations such as billing, payment reports or that by law or internal policies are required to perform; for the attention of inquiries, requests and / or requests; to initiate and / or attend actions and / or claims. For the maintenance and development of the commercial relationship; to carry out marketing, promotion or advertising activities; to perform market intelligence activities, evaluate consumer habits, conduct surveys, send text messages, conduct loyalty campaigns, perform commercial alliances to generate added value, provide news and information about the products and/or services of THE COMPANY and of general interest; to comply with the rules of customer knowledge required by the financial system and the rules of prevention of money laundering and terrorist financing; to verify debts with the state; to inquire about their assets.

The Company will collect the following personal data:

• Full names and surnames.
  • Type and number of identity document (civil registry, identity card, citizenship card, passport, foreigner's card or ID card, etc.)

diplomatic).

• Place and date of birth, nationality.
  • Age, sex, marital status and languages spoken.
  • Schooling, profession and occupation.
  • Usual physical address, e-mail address, telephone number, cell phone number and fax number.

b) Contractors and Suppliers:

Refers to the data of natural persons who have a contractual and commercial relationship with the Company, for compliance with legal and/or contractual obligations, such as payments, payment reports, reports that by law or internal policies are required to make, attention to inquiries, requests and/or applications; to initiate or attend actions and/or claims; to perform audits, send invitations to participate in contracting processes, to request quotations and/or information on products and services, identification of income, monitoring compliance with obligations of Contractors.

The Company will collect the following personal data:

• Name of the Contractor and/or Supplier or company name, identification number or NIT, place of domicile, address, telephone numbers, fax, e-mail;
  • Name of manager or legal representative and address, telephone, fax, e-mail;
  • Name of the manager or sales coordinator or whoever is acting in his/her stead, address, telephone numbers, fax, e-mail address;
  • Name of the person assigned to collect the portfolio, e-mail; Tax information;
  • Bank information including bank account holder's name, bank account number and bank name or code.

c) Applicants, Employees and Former Employees:

To comply with the labor obligations of THE COMPANY, such as payroll payments, payments and reports to the general social security system in health and pensions, attention to inquiries, requests, applications, actions and claims. In addition, they are used for the development of activities of THE COMPANY with its employees such as training, granting credits, recreational activities, sending corporate communications, making business alliances to generate added value for employees and other activities that are required in the normal development of the organization and compliance with the rules, regulations and activities with its employees.

It refers to the data of the natural persons who work with the Company. The Company will collect the following personal data:

• Name and identification of the worker and family group, address, telephone number, name of spouse or permanent partner and beneficiaries, name and identification of children, medical history, social security affiliations, medical policy, age, date of birth, education information, health status, medications used, medical authorizations, among others;
  • Resume, education, experience, links with entities, links with companies;
  • Salary and other payments;
  • Pension contributions;
  • Balance of debts;
  • Legal proceedings, seizures;
  • Affiliation information for employee and union funds;
  • Employment contract;
  • Work history of the worker;
  • Psychological evaluation report;
  • Occupational medical history of the worker;
  • Fingerprint;
  • Photographic record
  • Union membership.

If the information collected includes sensitive data, the Company will inform the Data Subject of the quality of such sensitive data and the purpose of the processing, and it will only be processed with the prior, express and informed consent of the Data Subject. In the case of sensitive data, the Data Subject is not obliged to authorize its treatment and the Company will not be able to give such sensitive data a different treatment, except when:

• The Data Subject has given his or her explicit authorization to such Processing, except in those cases where by law the granting of such authorization is not required;
  • The Processing is necessary to safeguard the vital interest of the Data Subject and he/she is physically or legally incapacitated. In these events, the legal representatives must grant their authorization;
  • The Processing is carried out in the course of legitimate activities and with due guarantees by a foundation, NGO, association or any other non-profit organization, whose purpose is political, philosophical, religious or trade union, provided that they refer exclusively to its members or to persons who maintain regular contacts by reason of their purpose. In these events, the data may not be provided to third parties without the authorization of the Data Controller;
  • The Processing refers to data that are necessary for the recognition, exercise or defense of a right in a judicial process;
  • The processing has a historical, statistical or scientific purpose. In this event, the measures leading to the suppression of the identity of the Data Controllers must be adopted.

d) Consumers or potential consumers of our Products:

To comply with the obligations of THE COMPANY in terms of product quality, for the effective attention of consumer inquiries and/or complaints and as statistical information; to carry out marketing, promotion or advertising activities, conduct surveys, send text messages, conduct loyalty campaigns, make business alliances to generate added value, evaluate consumer habits, disseminate news and information about the products and/or services of THE COMPANY and of general interest.

• Shareholders/Board of Directors

To comply with the obligations of the Company in the capacity in which they act. The Company will collect the information required for the performance of its functions, among others, the following:

• Identification data

• Business or professional location data, as well as personal data

• Financial, credit and/or economic rights data.

• Equity data

• Socioeconomic data (educational level, training and/or academic history of the person, etc., work history of the person, work experience, position, dates of entry and exit, annotations, calls for attention, etc.). General data of affiliation and contributions to the Integral Social Security System (EPS, IPS, ARL, dates of entry/withdrawal EPS, AFP, etc.).

• Judicial and/or disciplinary record

• Physical security

For effective check-in and check-out at the facilities. The Company will collect the information required for registration, including, but not limited to, the following:

• Identification data

• Photographic record of visitors

• General data on affiliation and contributions to the Integral Social Security System (EPS, IPS, ARL, dates of entry/withdrawal EPS, AFP, etc.).    

• Audiovisual record of people entering the facilities. 

VII. PROCESSING TO WHICH PERSONAL DATA WILL BE SUBJECTED AND THE PURPOSES FOR WHICH THEY WILL BE USED

In compliance with corporate processes and policies, THE COMPANY may require, transmit or transfer such data to its parent companies, related companies, affiliates and/or subsidiaries in Colombia and/or abroad. The collection of personal data by THE COMPANY will be limited to those personal data that are relevant to the purpose for which they are collected or required. Except in cases expressly provided by law, no personal data will be collected without the authorization of the Data Subject, nor will deceptive or fraudulent means be used to collect and ensure the proper processing of personal data. Data processing includes the collection, storage, management, use, transfer, transmission and destruction, as permitted by law.

Personal data will be obtained through the documents that the Company subscribes with its customers, suppliers, contractors and employees, such as customer linking forms, service request forms, website registrations, purchase orders, sales invoices, resumes, contracts, event attendance lists and other marketing and contact channels.

The information regarding the personal data of the owners will be used for the following purposes:

1. General purposes for the processing of personal data of all stakeholders

• General purposes for the processing of personal data of all stakeholders
  • Storage of information and/or Personal Data in physical files or own servers and/or those of third parties, located inside or outside the country, in countries considered by the Superintendence of Industry and Commerce as safe or those that are not, provided that the Data Processors that store the information contain policies of confidentiality, privacy and protection and custody of the information and a Confidentiality and Transmission of Personal Data Agreement is signed with them.
  • Registration of incoming and outgoing documents.
  • Analysis and development of programs that generate a social impact for the Stakeholders of the Data Controller.
  • Convening and execution of programs, meetings, training and events, as well as keeping documentary records thereof, such as attendance lists, photographs, voice and/or video recordings.
  • Transmit or transfer such data to its parent companies, related companies, commercial allies, clients, affiliates and/or subsidiaries in Colombia and/or abroad.
  • Consultation, verification, and analysis in restrictive and control lists, such as lists linked to SAGRILAFT, as well as in public or private databases related to judicial, criminal, disciplinary and tax records, and any other list containing information on corruption offenses, money laundering, financing of terrorism or any other illicit activity.
  • Inclusion in WhatsApp groups or chats.
  • Image processing through video surveillance systems for the purposes indicated in this policy.   
  • Elaboration and materialization of surveys and interviews.
  • Sending communications related to the purposes contained in this Privacy Policy, the corporate purpose of the Data Controller or strategic allies, advertising, marketing, promotions, events, marketing and promotion of products and / or services, contests and campaigns to update data and information on changes in the processing of personal data, loyalty campaigns, raffles, games and shows, content updates on the website, alliances and benefits, through the professional, business and/or personal contact data of the Data Controllers, including, but not limited to landline and/or cell phone, physical and/or electronic mail, SMS and/or MMS text messages, social networks, electronic media and/or any other means of communication.
  • Controls, statistics and history of relations maintained with Stakeholders of the different Stakeholders.
  • Registration and control of access and entry to the premises of the Data Controller.
  • Support in internal and/or external audits, fiscal audits, advisories, consultancies and implementation of improvement plans.
  • Compliance with current standards.
  • Reports to competent administrative and judicial authorities.
  • Attention and follow-up of requirements made by competent administrative and judicial authorities.
  • Attention and follow-up of requirements made by control agencies on Non-Sensitive, Private and/or Sensitive Data.
  • Management of administrative procedures for planning, organization, management and
  • Compliance with the obligations arising from the contracts signed between the Data Controller and the Data Subjects, or with their contractors or employers.
  • Publications and internal or external communications.
  • Financial and administrative management, creation of third parties and registration in the databases of the Data Controller.
  • Fiscal, economic and accounting management.
  • For security or fraud prevention purposes.
  • Sending information to the Data Controllers, related to the corporate purpose of the Data Controller or its strategic allies.
  • Attention to PQR's submitted by the Holders or by those who can prove their legitimacy to do so.
  • Purposes indicated in the authorization granted by the Data Subject and/or in the Privacy Notices.
  • Evaluate the quality of service.
  • Purposes for the processing of personal data of applicants, direct and indirect, active and inactive employees and their families.
  • Manage and operate, directly or through third parties, the personnel selection and recruitment processes, including the evaluation and qualification of participants and the verification of work and personal references, and the performance of security studies.
  • Development of the personnel selection and promotion process, analysis of resumes, validation of qualifications, work and/or personal references, interviews and medical, psycho-technical and competency tests as required.
  • Retention of resumes and results of the selection processes for future personnel hiring processes and/or for compliance with current legal regulations.
  • Employment, execution of contracts and agreements for the modification of labor and apprenticeship contracts.
  • Registration of information on direct and indirect, active and inactive employees, pensioners and their families, for the development of activities of affiliation and payment of social security and parafiscal taxes, payroll, bonuses, vacations, recognition of pension rights and settlements.
  • To make the necessary payments derived from the execution of the employment contract and/or its termination, and other social benefits in accordance with the applicable law;
  • Issuance of labor and internship certifications.
  • Climate, organizational culture and well-being activities for direct and indirect employees and their families.
  • Coordinate employee professional development, employee access to employer's IT resources and support their use;
  • Management of permits, licenses and authorizations.
  • Management of sanctions, warnings, reprimands, reprimands, discharges and dismissals with or without just cause.
  • Fulfillment of obligations of the Data Controller, in accordance with the legal regulations in force.
  • Training and education of direct and indirect personnel.
  • Competency and performance evaluations.
  • Wage deductions allowed by current regulations and the practice and registration of garnishments as required by the competent authority.
  • Delivery of endowment.
  • Contracting with third parties for services that benefit direct and indirect employees and their families.
  • Compliance with current regulations on occupational health and safety and environmental issues, among others, collection and analysis of health information and socio-demographic profile of direct and indirect, active and inactive employees.
  • Hotel reservations, air or land tickets, delivery of gasoline vouchers and tolls, per diems and vehicle requests, among others, in the event of relocation by direct and indirect employees.
  • Provision of information to Contractors and Suppliers, for the execution of the contracts signed between them and the Data Controller.
  • Schedule control.
  • Creation and administration of users and passwords for access to the different applications, technological and computer equipment of the Data Controller and e-mail accounts.
  • Creation and control of access and modification of documents stored in shared folders.
  • Custody and management of information and databases.
  • Identification and follow-up of occupational health and safety risks, personnel entry and exit, payroll and promotions.
  • Carrying out health and occupational health and safety promotion and prevention programs.
  • Transfer of proof of payment of social security and parafiscal contributions and proof of training provided to employees, sent to the Contractors of the Data Controller, when required for the payment of goods and/or services provided by the latter as Contractor and/or Supplier.

• Purposes for the processing of personal data of customers, prospects and their collaborators:

• Behavioral analysis and market segmentation.
  • Offering and quoting of goods and/or services of the Data Controller and/or its strategic allies.
  • Subscription, modification and execution of contracts.
  • Compliance with legal and contractual obligations.
  • Invoicing and collection of goods and/or services.
  • Collection management according to the guidelines set forth in Law 2300 of 2023.
  • Updating of balances, reimbursement of amounts collected in the event of sale of portfolio or final customer's peace of mind.
  • Customer loyalty, profile analysis, commercial prospecting.
  • For the determination of outstanding obligations, the consultation of financial information and credit history and the reporting to information centers of unfulfilled obligations, with respect to its debtors.
  • History of commercial relations.
  • Transmission and Transfer of contact data to the Data Processors, Contractors and Suppliers and/or Strategic Allies, so that they may Process the Personal Data of the Data Subject, for the purposes indicated in this Privacy Policy.
  • Evaluation of the quality of the goods and/or services provided by the Data Controller.
  • Custody and management of information and databases.
  • Inform about and send offers or commercial proposals and other information about their products and services, for which you can use my contact information, such as: telephone number (mobile or landline), SMS, email and physical address.
  • Follow up on the satisfaction of prospective customers and handle their complaints, requests or recommendations.
  • Contacting the Data Subject by any means to carry out studies and/or confirmation of personal data necessary for the execution of the possible contractual relationship.
  • Recording of calls, meetings or virtual or face-to-face events attended

• Transmit or transfer such data to its parent companies, related companies, commercial allies, clients, affiliates and/or subsidiaries in Colombia and/or abroad.

• Consultation, verification, and analysis in restrictive and control lists, such as lists linked to SAGRILAFT, as well as in public or private databases related to judicial, criminal, disciplinary and tax records, and any other list containing information on corruption offenses, money laundering, financing of terrorism or any other illicit activity.
  • Consultation of financial, commercial and credit behavior and compliance with obligations in the databases of information operators (credit bureaus).
  • Reporting, processing and disclosure of information related to the fulfillment or non-fulfillment of financial, commercial or contractual obligations.

• Purposes for the processing of personal data of suppliers, contractors and their collaborators:

• Request, collection and analysis of quotations and/or bids.
  • To register in the COMPANY's systems;
  • Request for references and certificates from third parties.
  • Management of the purchase of goods and/or services.
  • Verification of legal, technical and/or financial requirements
  • Compliance with legal and contractual obligations.
  • Management of invoicing and payment of goods and/or services.
  • Evaluation of Contractors and Suppliers.
  • Contact with Suppliers and Contractors or their collaborators, for the development of contracts signed or service orders and/or purchases issued, until their termination.
  • Verification of the payment of salaries and social benefits of Contractors and Suppliers and their collaborators.
  • Verification of compliance with occupational health and safety and environmental standards - SSTA.
  • Verification of compliance with the rules governing the Protection of Personal Data.
  • Inventory control.
  • History of commercial relations.
  • Issuance of commercial references.
  • Management of sanctions, warnings, reprimands, reprimands and exclusions.
  • Creation and administration of users and passwords for access to the different applications, technological and computer equipment of the Data Controller and e-mail accounts.
  • Custody and management of information and databases.
  • Validation of references.
  • Providing training to suppliers and contractors.
  • Compliance with legal and contractual obligations.
  • Advancement of the respective selection process and evaluation of the supplier or contractor.
  • Manage procedures (requests, complaints, claims).
  • Periodic updating of data.
  • Publications in social networks, website and any other media.
  • Registration of incoming and outgoing documents
  • Legal proceedings, compliance with authorities' requirements and fulfillment of legal obligations.
  • Consult, verify and analyze restrictive and control lists, such as lists linked to SAGRILAFT, as well as public or private databases related to judicial, criminal, disciplinary and tax records, and any other list containing information on corruption offenses, money laundering, financing of terrorism or any other illegal activity.

• Purposes for the processing of personal data of shareholders and members of the board of directors:

• For the recognition, protection and exercise of the rights of the shareholders of THE COMPANY;
  • To eventually contact, via e-mail, or by any other means, the shareholders for the aforementioned purposes;
  • Sending information related to the activities of the Data Controller.
  • Convening of the Board of Directors.
  • Payment of fees to members of the Board of Directors.
  • Modifications, additions and changes in general related to legal and shareholding aspects.
  • Notarial records.
  • Management of dividend and profit sharing payments to shareholders.
  • Custody and management of information and databases.
  • Know to whom financial information on the results of the operation of the business, or any other significant information for shareholders, should be reported.
  • Registration of shares and debentures.
  • Subscription of assembly and/or board of directors minutes.
  • To comply with legal provisions regarding tax withholding, follow-up and reporting of information to control entities.
  • Sending of requested documentation and information in compliance with the corporate purpose.
  • Sending and inclusion in WhatsApp chats or groups or any instant messaging media or application, for sending information and messages related to the corporate purpose of THE COMPANY, including, but not limited to landline and/or cell phone, physical and/or electronic mail, SMS and/or MMS text messages, social networks, electronic media and/or any other means of communication.
  • Manage procedures (requests, complaints, claims).
  • Contacting the Data Subject by any means to conduct surveys, studies and/or confirmation of personal data.
  • Transmission or transfer of information to third parties for the execution of contractual links in compliance with legal obligations.
  • Consultation, verification, and analysis in restrictive and control lists, such as lists linked to SAGRILAFT, as well as in public or private databases related to judicial, criminal, disciplinary and tax records, and any other list containing information on corruption offenses, money laundering, financing of terrorism or any other illicit activity.

• Purposes for the processing of personal data of strategic allies:

• Compliance with legal and contractual obligations.
  • Compliance with legal and statutory regulations governing the contracts entered into.
  • Custody and management of information and databases.
  • Invoicing and payment management for the provision of services.
  • Retention of information for historical and statistical purposes.
  • Elaboration and development of contracts that mediate the benefit relationship generated with third parties.

• Purposes for the processing of personal data collected for security and video surveillance purposes

- Physical security of the facilities and in the supply chain.

-    Monitor by means of video surveillance and voice recording, the different areas of THE COMPANY.

- Serve as evidence in judicial or extrajudicial proceedings.

- Serve as evidence for disciplinary processes carried out by the person in charge.

- Statistical purposes.

- Attendance record.

- Schedule control.

- Verification of functions within the loading and unloading process.

- Verify Security in the supply chain.

- Ensure traceability of the operation.

- Attention to product warranty requirements.

- Transmission and national or international transfer of data to public authorities in the exercise of their functions and/or to third parties to whom it is necessary to comply with contractual or legal obligations.

The Company may appoint Agents to carry out the processing of personal data in accordance with the purposes described above, and in particular for compliance with legal obligations, payroll administration, and for accounting and commercial purposes, the latter include all activities aimed at presenting offers, promotions, products, announcements, advertising, opportunities, sweepstakes, campaigns, loyalty programs, customer loyalty, customer retention; and in general information on products and services of the Company that may be of interest to customers and users.

The Company may assign (transfer) the Information contained in its databases as part of the Company's assets in the event that the Company or parts of the business are sold, merged or acquired by a third party.

Without prejudice to the foregoing authorizations by the Holder, the Company undertakes to comply with its obligation of data privacy, taking all the necessary technical, organizational and security measures to prevent its alteration, loss, treatment or unauthorized access as established in Law 1581 of 2012 and Decree 1377 of 2013.

VIII. RIGHTS OF THE OWNERS

The rights of the Personal Data Owners are the following:

• To know, update and rectify their personal data with respect to the Data Controllers or Data Processors. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or data whose processing is expressly prohibited or has not been authorized.

• Request proof of the authorization granted to the Data Controller, except when expressly exempted as a requirement for the Processing, in accordance with the provisions of Article 10 of Law 1581 of 2012.

• To be informed by the Data Controller or the Data Processor, upon request, regarding the use that has been made of their personal data.

• File complaints before the Superintendence of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and other regulations that modify, add or complement it.

• To revoke the authorization and/or request the deletion of the data when the principles, rights and constitutional and legal guarantees are not respected in the processing. The revocation and/or deletion will proceed when the Superintendence of Industry and Commerce has determined that in the Processing the Controller or Processor has incurred in conduct contrary to Law 1581 of 2012 and the constitution.

• Access free of charge to the personal data that have been subject to Processing: at least once every calendar month, and (ii) each time there are substantial modifications to the Information Processing Policies that motivate new consultations.

• The request for deletion of the information and the revocation of the authorization will not proceed when the Data Subject has a legal or contractual duty to remain in the database.

Holders may exercise the rights described in this section, submit claims or requests to know, update, rectify and delete information and revoke the authorization; and request proof of their authorizations by sending an e-mail to notificaciones@sicolsa.com or by written request to the physical address indicated in this policy.

1. Inquiries: The holders or their successors may consult the personal information of the holder that is in the Company's database, after validation and proof of identity, containing at least: i) the complete identification of the holder, ii) the personal data they want to be consulted, ii) address, iii) email, and; iv) in case of being successors attach the respective document proving it. The consultation will be answered by THE COMPANY, within a maximum period of ten (10) working days from the date of receipt thereof. When it is not possible to attend the consultation within such term, the interested party shall be informed stating the reasons for the delay and shall indicate the date on which the request will be attended within a maximum of five (5) business days following the expiration of the first term.
2. Claims: The Data Subject or assignee who considers that the information contained in a database should be corrected, updated or deleted, or when he/she notices the alleged breach of any of the duties contained in the law, may submit a claim to THE COMPANY, which will be processed under the following rules: i) The claim shall be made by request to the email contained in this policy with the identification of the Data Subject, the description of the facts giving rise to the claim, the address, and accompanying the documents that he/she wants to assert. If the claim is incomplete, THE COMPANY will require the interested party within five (5) days of receipt thereof to correct the faults. After two (2) months from the date of the requirement, without the applicant submitting the required information, it will be understood that the claim has been withdrawn; ii) Once the complete claim is received, a legend will be included in the database stating "claim in process" and the reason for the claim, within a period not exceeding two (2) business days. Said legend shall be maintained until the claim is decided; iii) The Data Subject or assignee may file a complaint before the Superintendence of Industry and Commerce, once the consultation or claim process before the COMPANY has been exhausted.

Revocation of authorization and/or deletion of data: The Data Controllers may at any time request the COMPANY to delete the personal data referred to in Law 1581 of 2012 and/or revoke the authorization granted for the Processing thereof, by filing a claim, in accordance with the Procedure indicated in this Policy. If upon expiration of the respective legal term, THE COMPANY has not deleted the personal data, the Data Subject shall be entitled to request the Superintendence of Industry and Commerce to order the revocation of the authorization and/or the deletion of the personal data. Notwithstanding the foregoing, personal data must be retained when required for compliance with a legal or contractual obligation.

IX. DUTIES OF THE DATA CONTROLLER

The Company as Responsible has the authority to define the purposes and essential means for the processing of personal data, including those who will act as sources and users (Sentence C - 748 of 2011), consequently, the Company may provide personal data to suppliers of products and services, use them in a certain way, appoint Agents, enter into contracts of transmission and transfer, taking into account the following duties:

• Guarantee to the Data Subject, at all times, the full and effective exercise of the Right of Habeas Data.

• Request and keep by any means and under the conditions provided for in Law 1581 of 2012, a copy of the respective authorization granted by the Holder.

• Duly inform the Data Subject about the purpose of the collection and the rights he/she has by virtue of the authorization granted.

• Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access.

• Ensure that the information provided to the Data Processor is truthful, complete, accurate, updated, verifiable and understandable.

• Update the information, communicating in a timely manner to the Data Processor, all developments regarding the data previously provided and take other necessary measures to ensure that the information provided to it is kept up to date.

• Rectify the information when it is incorrect and communicate the pertinent to the Data Processor.

• Provide to the Data Processor, as the case may be, only data whose processing is previously authorized in accordance with the provisions of Law 1581 of 2012.

• To require the Data Processor at all times to respect the security and privacy conditions of the Data Subject's information.

• Process queries and claims formulated in the terms set forth in Law 1581 of 2012.

• Adopt an internal manual of policies and procedures to ensure proper compliance with Law 1581 and, in particular, for the handling of queries and complaints.

• Inform the Data Processor when certain information is under discussion by the Data Subject, once the claim has been filed and the respective process has not been completed.

• Inform upon request of the Data Subject about the use given to their data.

• Inform the data protection authority when there are violations to the security codes and there are risks in the administration of the information of the Data Holders.

• Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

In the event that the Controller enters into transfer contracts, contracts for the transmission of personal data or appoints Processors for the processing of personal data, the Controller shall verify that the Processor undertakes to (i) implement the obligations of the Controller under this policy; (ii) process the data in accordance with the purpose that the owners have authorized, as described in this processing policy; and (iii) comply with the other obligations imposed by the laws on the matter.

Exceptionally, The Company may transfer personal data in the following cases:

• Bank or stock exchange transfers, in accordance with the applicable legislation;
  • Transfers agreed within the framework of international treaties to which the Republic of Colombia is a party, based on the principle of reciprocity;
  • Transfers necessary for the execution of a contract between the Data Subject and The Company, or for the execution of pre-contractual measures as long as the Data Subject's authorization is obtained;
  • Transfers legally required to safeguard the public interest, or for the recognition, exercise or defense of a right in a judicial proceeding.

• DUTIES OF THE DATA PROCESSOR:

The Data Processor shall comply with the obligations of the Controller under these policies and process the personal data in accordance with the purposes authorized by the owner, guaranteeing the confidentiality of the data and the security of the databases that contain them.

Likewise, the Data Controller shall refrain from circulating information that is being disputed by the Data Subject and whose blocking has been ordered by the Superintendence of Industry and Commerce..

XI. AUTHORIZATION:

THE COMPANY will request prior, express and informed authorization to the Data Controllers of the Personal Data on which it requires to carry out the Processing.

This manifestation of will of the Holder may be given through different mechanisms made available by THE COMPANY, such as:

• In writing, by filling out an authorization form for the Processing of Personal Data determined by THE COMPANY.
• Orally, through a telephone conversation or videoconference.
• Through unequivocal conducts that allow concluding that he/she granted his/her authorization, through his/her express acceptance to the Terms and Conditions of an activity within which the authorization of the participants is required for the Processing of his/her Personal Data.

In no case shall the COMPANY assimilate the silence of the Holder to an unequivocal conduct.

Holders may revoke their consent to the use and processing of their personal data at any time, as long as it is not prevented by a legal or contractual provision. The revocation may be partial or total, which is why the scope of the revocation must be clarified by the holder at the time of requesting it.

XII. PERSON OR AREA RESPONSIBLE FOR THE ATTENTION OF PQR's

In order to attend the holder's PQR's related to the rights to know, update, rectify, delete and revoke their authorization of personal data, THE COMPANY has provided the following channels:

ADDRESS: Kilometer 9 via Magdalena

E-MAIL: notificaciones@sicolsa.com

TELEPHONE: 3102245630

• REQUEST FROM JUDICIAL OR ADMINISTRATIVE AUTHORITIES

For the provision of information to judicial or administrative authorities, the Constitutional Court's decision C-748 of 2011 must be followed:

• The public or administrative entity must justify its request by indicating the link between the need to obtain the data and the fulfillment of its constitutional or legal functions.
• with the delivery of the information, the public or administrative entity will be informed that it has the duty to comply with the obligations and requirements imposed by law 1581 of 2012, as data controller, or in charge in certain cases. 
• The receiving administrative entity must comply with all the legal mandates that exist on the subject at the date of receipt of the information, especially the principles of purpose, legitimate use, restricted circulation, confidentiality and security.

• USE OF COOKIES

Cookies are files that are downloaded to the user's computer when accessing certain websites. These files allow websites, among other functions, to store and retrieve information about the user's browsing habits or your computer. Depending on the information they contain and how the equipment is used, cookies can also be used to recognize the user.

Cookies will be used by THE COMPANY as set forth below:

1. In order for the website to remember information about the user's visit, in order to improve and make the user's browsing experience more secure, taking into account the following:

• Cookies can remember other types of personal information, such as preferences in terms of website settings (language, screen resolution, among others), so that it is not necessary to set them again.
• Cookies are essential for the operation of the Internet, providing advantages in the provision of interactive services, facilitating navigation and usability of the website. Cookies are not a virus or any other type of malicious program that can damage users' devices, nor delete or read information from the user's computer or device.

•  Cookies are created or updated on the user's computer or device automatically when the user accesses the COMPANY's website, which allows the COMPANY or third parties hired by the COMPANY to track the user's cookies and, therefore, the information they contain or obtain from the user, for the following purposes:

• To offer the services provided by THE COMPANY.
• Detect preferences, commercial or market needs.
• Loyalty and management of the needs or interests detected.
• Sending information regarding services, promotions, alliances, campaigns, new contents of the website, opening of new services, and other issues related to the corporate purpose of the firm and that could become of interest, in accordance with the monitoring of the information collected through cookies; the above, to directed to the contact information provided through the website.

• Cookies are only read by the website that created them.

• THE COMPANY may share information obtained through cookies with external persons or third parties (partners, customers, suppliers or related companies), in order to improve services to the user. 

On the other hand, although there are different types of Cookies, the ones that will be used by THE COMPANY will be the following:

• Own or third party cookies: They are own when the Cookies are managed from the terminal or domain of the same editor, while they are third party, when they are not sent by the editor itself, but by another entity.
• Session and persistent cookies: Session Cookies are a type of Cookies designed to collect and store data while the user accesses a website and expire at the end of the session, so that the data collected will only be stored while the user is browsing the website. In the case of persistent cookies, the data continues to be stored in the terminal and can be accessed for a certain period of time. The information obtained through these Cookies is used to analyze web traffic patterns.
• Technical cookies: They are those that allow controlling traffic and data communication.
• Personalization cookies: They allow users to access according to some of their own characteristics that are collected (browser, language, etc.), such as customizing the home page of the search engine. 
• Analytics cookies: Collect data on user behavior and allow to develop a user profile, so you can analyze and detect browsing habits and improve the website, blog or e-Commerce to suit the browsing needs of users. 
• Advertising Cookies: They collect data on the management of advertising spaces. This type of Cookies allow, for example, to show users advertising banners of which they may be potentially interested.

Finally, it is clarified that all Internet browsers allow you to limit the behavior of a cookie or disable cookies within the browser settings or options. The steps to do so are different for each browser, and instructions can be found in the help menu of your browser. 

You can also modify your cookie settings by clicking on the "Cookie Settings" button.

•  NATIONAL AND INTERNATIONAL TRANSFER AND TRANSMISSION OF PERSONAL DATA 

In the event that THE COMPANY carries out the international Transfer or Transmission of Personal Data, in addition to having the express and unequivocal authorization of the Data Subject, it shall ensure that it signs a contract or agreement with the Controller or Processor that is located outside the national territory, and that the country to which the data is transferred or transmitted, provides adequate levels of data protection, according to the list of countries considered as safe harbors established by the Superintendence of Industry and Commerce in its Sole Circular. 

XVI. CHANGE OF POLICIES

The Company reserves the right to review and modify at any time this Personal Data Processing Policy, which may be consulted at the administration offices or by contacting the email address of the person responsible for the processing of personal data (notificaciones@sicolsa.com). When substantial modifications are made to this Policy, this fact will be communicated to the owners of the information by sending a notice to the e-mail address they have registered, before implementing them. Said notice shall indicate the date on which the new Policy becomes effective. When the change refers to the purposes of the processing, a new authorization will be requested from the owners to apply the same.

XVII. VALIDITY

This update to the Policy is effective as of March 13, 2023 and replaces in all its parts the one that was in force until this date. The databases in which the personal data will be registered will be valid for the time the information is kept and used for the purposes described in this policy.

Version	Date	Description
1	March 13, 2023	Document creation
2	July 25, 2025	Addition of purposes, adjustment of the area in charge of processing, addition of new stakeholders, adjustment of the procedure for the exercise of rights.