Personal data protection and processing policy

Personal data protection and processing policy

Home / ESG / Corporate policies / Personal data protection and processing policy

The purpose of this "Policy for the Protection and Processing of Personal Data" (hereinafter "The Policy") is to establish the rules on the protection of Personal Data that will be adopted and hosted by the company PROCAPS SA (hereinafter "PROCAPS, when it is Responsible for of the Processing of Personal Data and/or Manager.)
The purpose of this Policy is to compile the principles and rules that regulate the processing of personal data with respect to all Holders that are related to PROCAPS, to guarantee regulatory compliance in all operations and activities.
In compliance with the provisions of Decree 255 of 2022 (Binding Corporate Regulations) the provisions established in this Policy are mandatory compliance by PROCAPS, acting as Responsible and as Processor as appropriate, as well as by its shareholders, collaborators, workers, and stakeholders.

This Policy includes mechanisms to ensure that the data is:

  • Treated in a lawful, loyal, and transparent manner in relation to the holder of the personal data.
  • Collected for specified, explicit and legitimate purposes, and will not be further processed in a manner incompatible with those purposes.
  • Adequate, relevant, and limited to the minimum necessary in relation to the purposes for which they are processed.
  • Accurate and will be kept up to date; taking all reasonable steps to promptly delete or rectify inaccurate personal data.
  • Preserved in a way that allows the holder to be identified, for a period not exceeding the necessary one, according to the purpose.
  • Treated under the control of the Data Controller, who, for each processing operation, guarantees and demonstrates compliance.
This Policy is issued as part of the work to adopt proven responsibility measures (Accountability) to verify that useful, timely, pertinent and efficient measures have been implemented in PROCAPS.

This Policy is binding for those who have signed the Agreement for the Provision of Back Office services (hereinafter, the "Service Agreement") in which they express their acceptance and which is included as an annex to said agreement.

In accordance with current regulations in Colombia and applicable labor legislation, this Policy is binding and enforceable for PROCAPS employees. Employees have been informed of the existence of this, indicating that it is a Mandatory Policy and establishing that, in accordance with the applicable legislation and the PROCAPS work contracts, they may apply the corresponding disciplinary regime in case of non-compliance with them. .

Transfers of personal data are made between PROCAPS and the Companies with which PROCAPS has signed the Back Office Services Agreement and will be framed solely and exclusively within the guidelines indicated in said Service Agreement, during the normal course of its business. activities: and said data may be stored in centralized databases accessible by said Companies, which are duly listed in Annex I, from anywhere in the world where they have a presence.

This Policy is not a Contract, it simply indicates our desire to protect your private personal information.

In compliance with the provisions of Statutory Law 1581 of 2012 and its regulatory decrees and other current regulations, the company PROCAPS SA [hereinafter “PROCAPS”] informs the Policy for the Protection and Processing of Personal Data.

AIM
Establish the criteria for the collection, consultation, storage, ordering, classification, cataloging, analysis, processing, use, circulation and deletion of personal data that are subject to processing by PROCAPS, either as Responsible and/or Data Manager, in compliance with the current legal regime contained in Statutory Law 1581 of 2012 and other concordant regulations.
 
  1. SCOPE
    This Policy applies to all personal information registered in the PROCAPS databases either as "Responsible" and/or "Manager" and in relation to all activities carried out in execution of its corporate purpose and in relation to all interest groups with which it is related.
  2. RESPONSIBILITY
    It is addressed to direct and indirect collaborators, contractors, consultants, suppliers and third parties related to PROCAPS.
  3. IDENTIFICATION OF THE COMPANY RESPONSIBLE FOR THE PROCESSING
    This Policy is applicable in relation to the company PROCAPS SA, a private company identified with NIT No. 890.106.527-5, commercial registration No. 24802 of July 26, 1976, with main address at Calle 80 No. 78 B - 201 of the city of Barranquilla (Colombia).
 
 
 
 
  1. CUSTOMER SERVICE CHANNELS
The holders of the information or their successors in title may access the information that is registered about them in the database of the PROCAPS company through the following service channels:
City Address Email
Barranquilla, Colombia) Calle 80 No. 78 B - 201 habeasdata@procaps.com.co
  1. LEGAL BASIS
    1. Political Constitution of Colombia, article 15.
    2. Law 1266 of 2008.
    3. Regulatory Decrees 1727 of 2009 and 2952 of 2010.
    4. Law 1581 of 2012.
    5. Partial Regulatory Decree 1377 of 2013.
    6. Decree 886 of 2014.
    7. Single Decree 1074 of 2015.
    8. Decree 255 of 2022.
    9. All other concordant regulations related to the protection of personal data in Colombia.
  1. DEFINITIONS
    For the purpose of interpretation, application and implementation of this Policy, the following definitions will apply:
    1. AUTHORIZATION: Prior, express, and informed consent of the holder to carry out the processing of personal data.
    2. PRIVACY NOTICE: Verbal or written communication generated by the person responsible for the information addressed to the holder for the processing of their personal data, through which they are informed about the existence of the information processing policies that will be applicable to them, the way to access themselves and the purposes of the processing that is intended to be given to personal data.
    3. SERVICE AGREEMENT: It is the Contract that PROCAPS signs with companies to which it provides Back Office services or comprehensive administrative support.
    4. DATABASE: Organized set of personal data that is subject to processing.
    5. CHANNELS TO EXERCISE RIGHTS: Means of receiving and attending to requests, queries, and claims that the Processing Manager and the one responsible must make available to the Holders of the information.
    6. PERSONAL DATA: Any piece of information linked to one or several determined or determinable persons or that can be associated with a natural person.
    7. PUBLIC DATA: It is the data that is not semi-private, private, or sensitive. Public data is considered, among others, the data related to people’s marital status, their profession or trade and their quality as merchant or public servant. Due to its nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins, and duly executed court rulings that are not subject to confidentiality.
    8. SENSITIVE DATA: Sensitive data is understood to be those that affect the privacy of the holder or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, being part of unions, social organizations, of human rights or that promotes the interests of any political party or that guarantees the rights and opposition political parties guarantees, as well as data related to health, sexual life, and biometric data.
    9. DATA PROCESSOR: Natural or legal person, public or private that by itself or in association with others, performs the Processing of personal data on behalf of the Data Controller.
    10. HABEAS DATA: Right of any person to know, update and rectify the information that has been collected about them in the data bank and in the files of public and private entities.
    11. BINDING CORPORATE RULES: The policies, principles of good governance or codes of good business practices of mandatory compliance assumed by the data processing manager, established in the Colombian territory, to make transfers or a set of transfers of personal data to a person in charge that is located outside the Colombian territory and that is part of the same business group.
    12. PERSONAL DATA PROTECTION AND PROCESSING POLICY: The formal document approved by PROCAPS that reflects the conditions applicable to any processing operation against Personal Data.
    13. DATA PROCESSOR: Natural or legal person, public or private that by itself or in association with others, decides on the database and/or Data Processing.
    14. HOLDER: Natural person whose personal data is processed.
    15. PROCESSING: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.
    16. TRANSFER: The transfer of data takes place when the person in charge and/or in charge of the processing of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is responsible for the processing and is located inside or outside the country.
    17. TRANSMISSION: Processing of personal data that implies the communication of the same inside or outside the territory of the Republic of Colombia when its purpose is to carry out a processing by the data processor on behalf of the data controller.
  1. PRINCIPLES
    In the development, interpretation and application of Law 1581 of 2012 by which general provisions for the protection of personal data and the regulations that complement, modify or add to it are issued, the following guiding principles will be applied in a harmonious and comprehensive manner:
    1. PRINCIPLE OF LEGALITY: Data Processing is a regulated activity that must be subject to what is established in the law and the other provisions that develop it.
    2. PRINCIPLE OF PURPOSE: The processing must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the holder. Regarding the collection of personal data, PROCAPS will limit itself to those data that are pertinent and adequate for the purpose for which they were collected or required in accordance with the internal procedure manual for the management of information and databases.
    3. PRINCIPLE OF LIBERTY: The processing can only be exercised with the prior, express, and informed consent of the holder. Personal data may only be obtained or disclosed with prior authorization, or with the existence of a legal or judicial mandate that relieves consent.
    4. PRINCIPLE OF VERACITY: The information subject to processing must be true, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fractional, or misleading data is prohibited.
    5. PRINCIPLE OF TRANSPARENCY: In the processing, the right of the holder to obtain from the data processor or data controller, at any time and without restrictions, any information about the existence of data that concerns him or her must be guaranteed.
    6. PRINCIPLE OF ACCESS AND RESTRICTED CIRCULATION:
The processing is subject to the limits that derive from the nature of the personal data, law provisions and the Constitution. In this sense, the processing can only be done by persons authorized by the holder and/or by persons provided for by law. Personal data, except for public information, may not be available on the internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to holders or third parties authorized by law.
  1. SECURITY PRINCIPLE: The information subject to processing by PROCAPS must be handled with the technical, human, and administrative measures that are necessary to grant security to the records, avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.
  2. PRINCIPLE OF CONFIDENTIALITY: PROCAPS is obliged to guarantee the confidentiality of the information, even after the end of its relationship with any of the tasks that comprise the processing, being able to only provide or communicate personal data when it corresponds to the development of the activities authorized by law.
  1. RIGHTS THAT ASSIST THE HOLDER OF THE INFORMATION. The holder of the personal data will have the following rights:
    1. Know, update, and rectify their personal data against PROCAPS in its capacity as data controller. This right may be exercised, among others, against data that is partial, inaccurate, incomplete, divided, misleading, or whose processing is expressly prohibited or has not been authorized.
    2. Request proof of the authorization granted to PROCAPS except when expressly excepted as a requirement for processing.
    3. To be informed by PROCAPS, upon request, regarding the use that has been given to their personal data.
    4. Submit complaints to the Superintendence of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and other regulations that modify, add, or complement it.
    5. Revoke the authorization and/or request their data deletion when the Processing does not respect the constitutional and legal principles, rights and guarantees.
    6. Free access to their personal data that has been processed.
 
  1. CHILDREN AND ADOLESCENTS’ RIGHTS
Respect for the prevailing children and adolescents’ rights will be ensured during the processing. The Processing of personal data of children and adolescents is prohibited, except for those data that are of a public nature.
  1.  PROCAPS DUTIES.
    1. Make use of the information contained in the database only for the purpose for which it is authorized.
    2. Guarantee the holder, at all times, the full and effective exercise of the Habeas Data right.
    3. When personal data is collected, it must be limited to those pertinent and adequate for the purpose for which they are required in accordance with the provisions of the law. Deceptive or fraudulent means will not be used.
    4. Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
    5. Timely update, rectify or delete the data in the terms indicated by this policy in the section on Procedures-Claims.
    6. Enable electronic communication means or others considered to allow timely response to the queries and claims presented by the holders of the information.
    7. The requested information must be provided free of charge and by any means, as required by the holder. The information must be easy to read, without technical barriers that prevent its access and must strictly correspond to that which is in the database.
    8. If the certification of the authorized information is physically requested and/or it needs to be sent by certified mail, PROCAPS company may require the applicant to pay the amount that corresponds in expenses, without being able to collect at any time more than it was actually invoiced. In the event of being required, the PROCAPS company must demonstrate and support said expenses to the Superintendence of Industry and Commerce.
    9. Adopt the other necessary measures so that the information provided to it is kept updated.
    10. Rectify the information when it is incorrect.
    11. Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
    12. Refrain from circulating information that is being controversial by the holder and whose blocking has been ordered by the Superintendence of Industry and Commerce.
    13. Allow access to information only to people who may have access to it.
    14. Inform the Superintendence of Industry and Commerce when there are violations of security codes and there are risks in the administration of the information of the holders.
    15. Establish the necessary mechanisms to obtain the holders’ authorization of the processing of their data, which may be granted through a physical, electronic document or in any other format that allows guaranteeing its subsequent consultation.
    16. It is PROCAPS’ obligation to keep proof of authorization and deliver a copy to the holder of the information if required.
    17. Establish simple and free mechanisms that allow the holder to request the report, modification, deletion, or data update, which can be the same mechanisms used for the granting of consent without prejudice to the expenses that may arise on the occasion of the issuance and delivery of the data. same.
    18. The information subject to processing must be protected using technical, human and administrative measures that are necessary to provide security to the records, avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access. For this, PROCAPS will maintain mandatory security protocols for personnel with access to personal data and information systems.
    19. PROCAPS personnel involved in the processing of personal data is obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks that comprise the processing in accordance with the provisions of the employment contract and/or other provisions subject to the relationship between the official and the company.
    20. Appoint a "Personal Data Officer" who takes on personal data protection and who will also ensure that, the holders requests are processed through the service channels.
    21. In principle, the children and adolescents’ personal data processing is prohibited by law, unless they are data of a public nature and/or when such processing meets the parameters and requirements set forth in this Policy.
    22. The PROCAPS company will use the personal data in accordance with the authorization given by the holder and will only transmit or transfer them to allies, affiliates or subsidiary, third parties that may use the information for the development of their work acting on behalf of PROCAPS and/or giving compliance with the requirements of the authorities, taking advantage of the laws that apply on the matter and respecting the Service Agreements in force with third parties.
    23. They may only collect, store, use or circulate personal data for as long as is reasonable and necessary, in accordance with the purposes that justified their processing, considering the legal provisions and administrative, accounting, fiscal, legal, and historical aspects of the information. Once the purpose of the processing has been fulfilled and without prejudice to legal regulations that provide otherwise, PROCAPS must delete the personal data. Notwithstanding the foregoing, personal data must be kept when required to comply with a legal or contractual obligation.
    24. Prove the existence of the "Personal Data Protection and Processing Policy" and the way to access it, which will be published on the company's website, on social networks and at the main office.
    25. For the collection, use and processing of personal data, PROCAPS must comply with the following parameters:
      1. The processing of the personal data collected must obey a legitimate purpose of which the holder must be informed.
      2. The personal data processing can only be carried out with the prior, express, and informed consent of the holder.
      3. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves consent.
      4. The information subject to processing must be true, complete, accurate, updated, verifiable and understandable.
      5. The processing of partial, incomplete, fractional, or misleading data is prohibited.
      6. Guarantee the right of the holder to obtain at any time and without restrictions, information about the existence of data that concerns them.
    26. In the event of a substantial modification to this "Policy for the Protection and Processing of Personal Data", the PROCAPS company must again request authorization for data processing from the holder of the information.


 
  1. AUTHORIZATIONS
    Without prejudice to the exceptions provided for in the Law, in the processing of personal data of the holder, the prior and informed authorization of the Holder is required, which must be obtained by any means that can be subject to subsequent consultation. The authorization must contain the following information:
    1. Name and identification of the person from whom authorization is being requested.
    2. Identification of the data being collected.
    3. Purpose of the data subject to authorization.
    4. Information on the procedure to exercise rights of access, correction, updating or deletion of the personal data provided.
    5. The rights that assist the person as the holder.
    6. Service channels arranged by PROCAPS.
PROCAPS, in the terms provided in the Law, generated a notice (Privacy Notice) in which the holders are informed that they can exercise their right to the processing of personal data through the website. https://procapslaboratorios.com/aviso-de-privacidad, through the service channels included in this Policy.
  1. EVENTS IN WHICH THE HOLDER’S AUTHORIZATION OF THE PERSONAL DATA IS NOT NECESSARY.
    The holder’s authorization of the information will not be necessary in the following cases:
    1. Information required by a public or administrative entity in the exercise of its legal functions or by court order.
    2. Data of a public nature.
    3. Cases of medical or health urgency.
    4. Processing of information authorized by law for historical, statistical, or scientific purposes. Data related to people’s Civil Register.


 
  1. LEGITIMATION FOR THE EXERCISE OF THE RIGHT OF THE HOLDER
    The rights of the holders established in the Law may be exercised by the following persons:
    1. By the holder, who must sufficiently prove their identity.
    2. By the successors in title of the holder, who must prove such quality.
    3. By the representative and/or attorney of the holder, prior accreditation of the representation or empowerment.
    4. By stipulation in favor of another or for another. The rights of children and adolescents will be exercised by the people who are empowered to represent them.


 
  1. PROCESSING TO WHICH THE DATA WILL BE SUBJECTED AND PURPOSE OF THE SAME. The processing of the personal data of all the people that revolve around the corporate purpose of PROCAPS, including clients, suppliers and consumers, will be framed in the legal order and in accordance with the following purposes in general terms or those that are reported in each moment in which personal data collection operations are carried out:
    1. Internal management and business relationship management of its stakeholders, customers, distributors, and suppliers of the different business segments.
    2. The sending of communications, correspondence, text messages, instant messaging systems, emails or telephone contact with its clients, distributors, and consumers in relation to its commercial, advertising, marketing, promotional, sales and other related activities.
    3. Personnel selection processes, management of contractual relations, labor relations and guarantee compliance with the obligations derived from it, granting benefits to its employees by itself or through third parties.
    4. Potential analysis with an essentially commercial purpose, whether of suppliers, distributors and/or customers.
    5. Manage procedures (requests, complaints, claims) carry out risk analysis, carry out satisfaction surveys regarding the company's assets.
    6. Investigation of events emanating from pharmaceutical and/or marketed products.
    7. Follow up on the people who consume and/or purchase the products and/or marketed by the company.
    8. Deploy corporate social responsibility activities to stakeholders.
    9. Manage the security of people, property, and information assets in custody of the organization.
    10. Create databases for the purposes described in this authorization.
Specifically in relation to each interest group, PROCAPS may have the following purposes:
  1. Purposes with respect to Clients or Users of the Products or services:
    • Carry out the pertinent steps for the development of the pre-contractual, contractual, and post-contractual stage with PROCAPS, in regard to any of the products or services offered by PROCAPS, whether or not the Holder has acquired or regarding any underlying business relationship that the company has with the holder.
    • Register the Holder in the systems, forms, lists, files, physical or electronic, managed by PROCAPS, for the purpose of executing the commercial legal relationship established with PROCAPS.
    • Advance electronic billing procedures for products or services purchased by the Holder.
    • Maintain operations support, incident monitoring and compliance with contractual and legal obligations.
    • Comply with their legal and contractual obligations.
    • Send messages, notifications, or alerts through any means to send and disclose legal, security, promotions, commercial, advertising, marketing, institutional or educational information, raffles, events, or other benefits.
    • Send electronic messages or make telephone contacts, or through any means, to advance the confirmation of the Holder's personal data necessary for the execution of the legal relationship that has been established with PROCAPS.
    • Contact the Holder through email, instant messaging, text messages, formal communications, telephone calls and/or any known or unknown means to send contractual, informative documents, account statements or invoices in relation to the derived obligations of the contracts that it celebrates with PROCAPS, in its different commercial establishments.
    • Provide the information to third parties with whom they have a contractual relationship and that it is necessary to deliver it to them for the fulfillment of the contracted object.
    • Carry out the filing and document management tasks of PROCAPS, in accordance with current legal provisions.
    • For administrative and analytical purposes, such as information systems administration, accounting, billing, and auditing, marketing, check processing and verification.
    • Share information with business partners to offer products and services, complying with all authorizations required by law and this Policy.
    • Communicate news about PROCAPS products, invite to events or programs organized by the company.
    • Consult, verify and confirm credit and commercial information of the Holder, in Risk and/or Information Centers or any other public or private, national, foreign or multilateral entity that administers or manages databases or credit information, or any other financial entity of Colombia, or abroad or of a multilateral nature, all the information that refers to the Holder, about his credit, financial, commercial, service and third country behavior of the same nature, for the purpose of evaluating and granting financing in the goods or products purchased with PROCAPS, provided you have the corresponding authorization.
    • To report to the risk and information centers, all the conditions and procedures established in the current laws will be met and especially in relation to Law 1266 of 2008 and concordant regulations.
    • Manage the risk of Money Laundering and Financing of Terrorism and corruption.


 
  1. Purposes regarding Candidates to workers:
    • Process the employment relationship applications that PROCAPS receives from the candidates, process them, and define them within the stipulated time, according to the selection process or the call.
    • Contact the Holder through email, instant messaging, text messages, formal communications, telephone calls and/or any known or unknown means in relation to the selection process or the call.
    • Evaluate the worker's work capacity, to establish their suitability for future employment and/or to comply with the requirements of occupational preventive medicine.
    • Carry out the filiing and document management tasks of PROCAPS, in accordance with current legal provisions.
    • Manage the risk of Money Laundering and Financing of Terrorism and corruption.


 
  1. Purposes regarding workers (employees):
    • To manage compliance with the terms established in the employment relationship such as: affiliation and contributions to social security entities, creation of an employment contract, generation and processing of payroll payments and labor benefits.
    • Comply with regulations on labor matters, social security, pensions, professional risks, family compensation funds (Comprehensive Social Security System) and taxes.
    • Comply with the instructions of the competent judicial and administrative authorities.
    • Implement labor and organizational policies and strategies.
    • Include the Employee Holder in the development of the different training, development, welfare, occupational health and safety programs and activities established by PROCAPS for its workers.
    • Carry out preventive or occupational medicine efforts, in conjunction with the occupational risk administrator.
    • Contact them to instruct them on orders in relation to their assigned job functions.
    • Carry out the filing and document management tasks of PROCAPS, in accordance with current legal provisions.
    • Create ID badges and/or identification mechanisms for the Employee Holder, with their biometric data, so that they can carry it and identify themselves as a PROCAPS employee. This purpose is necessary in accordance with the PROCAPS security policy and will be handled as sensitive information with express authorization.
    • Establish and keep a record of access control to PROCAPS facilities, using biometric data, to facilitate their access and circulation in the PROCAPS physical facilities. This purpose is necessary in accordance with the PROCAPS security policy and the sensitive information that is processed will be managed in accordance with the current law and this Policy.
    • Contact the Holder through email, instant messaging, text messages, formal communications, telephone calls and/or any known or unknown means to send contractual, informative documents or invoices in relation to the obligations derived from the contracts that celebrate with PROCAPS.
    • Share information with business partners to offer products and services, complying with all authorizations required by law and this Policy.
    • Communicate news about PROCAPS products, invite to events or programs organized by the company.
    • For administrative and analytical purposes, such as information systems administration, accounting, billing, and auditing, marketing, check processing and verification.
    • Publish their face and personal image in PROCAPS management reports, communications, billboards, and corporate material, to document the organizational structure or training, development, well-being, occupational health and safety activities established by PROCAPS.
    • In the case of former employees, PROCAPS may store, even after the employment contract has ended, the information necessary to comply with the obligations that may arise by virtue of the employment relationship that existed under Colombian law, as well as provide labor certifications. that are requested by the ex-employee or by third parties against whom they carry out a selection process.
    • Manage the risk of Money Laundering and Financing of Terrorism and corruption.


 
  1. Purposes regarding Suppliers or Contractors:
    • Register the Holder in the systems, forms, lists, files, physical or electronic, managed by PROCAPS, for the purposes of providing the contracted services.
    • Advance electronic billing procedures for contracted services.
    • Maintain operations support, incident monitoring and compliance with contractual and legal obligations.
    • Comply with their legal and contractual obligations.
    • Send electronic messages or make telephone contacts, or through any means, to advance the confirmation of the Holder's personal data necessary for the execution of the legal relationship that has been established with PROCAPS.
    • Contact the Holder through email, instant messaging, text messages, formal communications, telephone calls and/or any other means known or unknown, for the sending of contractual, informative documents, account statements or invoices in relation to the Obligations derived from the contracts entered with PROCAPS, in its different commercial establishments or offices.
    • Grant access to the interaction portals of suppliers and/or contractors to supply all the processes required internally by PROCAPS.
    • Provide the information to third parties with whom they have a contractual relationship and that it is necessary to deliver it to them for the fulfillment of the contracted object.
    • Carry out the archiving and document management tasks of PROCAPS, in accordance with current legal provisions.
    • Validate, verify and consult the economic and transactional information of the Holder with the purpose of establishing the legal relationship with PROCAPS.
    • For administrative and analytical purposes, such as information systems administration, accounting, billing and auditing, marketing, check processing and verification.
    • Share information with business partners to offer products and services, complying with all authorizations required by law and this Policy.
    • Communicate news of PROCAPS products, invite to events or programs organized by the company.
    • Consult, verify and confirm credit and commercial information of the Holder, in Risk or Information Centers, or any other public or private, national, foreign or multilateral entity that administers or manages databases or credit information, or any other financial entity of Colombia, or from abroad or of a multilateral nature, all the information that refers to the Holder, about his credit, financial, commercial behavior, services and third countries of the same nature.
    • To make reports to the risk and information centers, all the conditions and procedures established in the current laws will be met and especially in relation to Law 1266 of 2008 and concordant regulations.
    • Manage the risk of Money Laundering and Financing of Terrorism and corruption.


 
  1. Purposes regarding PROCAPS Shareholders:
    • Comply with the obligations and rights derived from its capacity as a PROCAPS shareholder.
    • Send electronic, physical and/or telephone communications to their contact information to inform them, summon or call for meetings of the corporate bodies of PROCAPS where required, and/or to send them documents and reports that will be considered at such meetings.
    • Send communications and information necessary for the exercise of their rights as a PROCAPS shareholder, and/or for compliance with the obligations of PROCAPS in favor of its shareholders.
    • Carry out the activities of comprehensive administration of the shareholders registry book.
    • Contact the Holder through email, instant messaging, text messages, formal communications, telephone calls and/or any other known or unknown means, to send contractual, informative documents, account statements in relation to their quality of PROCAPS shareholder.
    • Carry out the filing and document management tasks of PROCAPS, in accordance with current legal provisions.
    • Provide information related to procedures, complaints, and requests from shareholders.
    • Communicate news of PROCAPS products, invite to events or programs organized by the Organization.
    • Give access to the information to the judicial or administrative authorities that request said data in the exercise of their functions.
    • Manage the risk of Money Laundering and Financing of Terrorism and corruption.
    • Compliance with the necessary activities and purposes of the Company-shareholder relationship.
 
  1. Processing of Sensitive Personal Data Obtained Through Video Surveillance
    PROCAPS uses various means of video surveillance installed in different internal and external sites of its facilities or offices. For this reason, it informs the public about the existence of these mechanisms by posting and disseminating informative notices with details of the contact channels and the policies that govern said processing. The information collected through this mechanism is used for security purposes, to control and identify access to PROCAPS headquarters, offices and commercial establishments; maintain security and access control to buildings, establishments open to the public and other facilities; strive for the safety of people, property and facilities; the improvement of our service and the experience in the PROCAPS facilities, likewise,

    PROCAPS does not deliver the video recordings obtained to any third party, unless there is a court order or competent authority or the law allows it.

    The authorization in relation to the handling of this personal data is understood to be conferred through the unequivocal action of entering the facilities that are subject to video surveillance and monitoring by PROCAPS.

    In any case, PROCAPS reserves the right to inform the Holders of the purpose of each Processing of information on personal data at the very moment of collecting them through the Authorization. If the personal data cease to fulfill the purpose for which they were obtained, they will be eliminated from our databases in the terms and conditions indicated by the Colombian legislation and/or the Personal Data Processing Protection Policy.
  1. SENSITIVE DATA
In the case of sensitive personal data, they may be used and processed when:
  1. The Holder has given his explicit authorization to said Processing, except in cases where the granting of said authorization is not required by law.
  2. The Processing is necessary to safeguard the vital interest of the Holder and the holder is physically or legally incapacitated. In these events, the legal representatives must grant their authorization.
  3. The Processing refers to data that is necessary for the recognition, exercise, or defense of a right in a judicial process.
  4. The Processing has a historical, statistical, or scientific purpose. In this event, the measures leading to the deletion of the identity of the Holders must be adopted.
 
  1. DATA ON CHILDREN AND ADOLESCENTS
The processing of personal data of children and adolescents is prohibited, except in the case of data of a public nature, and when such processing complies with the following parameters and/or requirements:
  1. That they respond to and respect the best interest of children and adolescents.
  2. That the respect of their fundamental rights is ensured.
Once the above requirements have been met, the legal representative of the children or adolescents will grant authorization, prior to the minor's exercise of his or her right to be heard, an opinion that will be assessed considering maturity, autonomy, and ability to understand the matter. The PROCAPS company will ensure the appropriate use of the processing of the personal data of children or adolescents.
 
  1. PEOPLE TO WHOM THE INFORMATION MAY BE PROVIDED
    The information that meets the conditions established by law may be provided to the following persons:
    1. To the holders, their successors in title (when those are absent) or their legal representatives.
    2. To public or administrative entities in the exercise of their legal functions or by court order.
    3. To third parties authorized by the holder or by law.
 
  1. INTERNATIONAL DATA TRANSFER
The transfer of personal data to any person whose seat is in a country that is not safe for data protection is prohibited. Safe countries are understood to be those that have adopted Personal Data Protection Guidelines in their internal legislation and/or comply with the standards set by the Superintendence of Industry and Commerce. International data transfers may be made exceptionally through PROCAPS when:
  1. The holder of the data has granted his prior, express, and unequivocal authorization to carry out the transfer.
  2. The transfer is necessary for the execution of a contract between the holder and PROCAPS as the person in charge and/or in charge of the processing.
  3. In the case of bank and stock transfers in accordance with the legislation applicable to such transactions.
  4. In the case of data transfer within the framework of international treaties that are part of the Colombian legal system.
  5. Transfers legally required to safeguard a public interest.
  6. Transfers included within the framework of the existing Services Agreement.
At the time of an international transfer of personal data, prior to sending or receiving them, PROCAPS will sign the agreements that regulate in detail the obligations, charges and duties that arise for the parties involved.

The agreements or contracts that are concluded must comply with the provisions of this Policy, as well as the legislation and jurisprudence that may be applicable regarding the protection of personal data.
The Information Technology (IT) area will be responsible for validating the international transfer operations of personal data to guarantee the minimum information security conditions required by PROCAPS.

It will correspond to the PROCAPS Data Protection Officer to give a favorable opinion on the agreements or contracts that involve an international transfer of personal data, considering the principles applicable and included in this Policy as guidelines.
Likewise, it will correspond to the PROCAPS Data Protection Officer to make the pertinent consultations before the Superintendence of Industry and Commerce to ensure the circumstance of "safe country" in relation to the territory of destination and/or origin of the data.
  1. INTERNATIONAL PERSONAL DATA TRANSFER
    In the contractual relationships that PROCAPS enters with providers located in third countries that do not have an adequate level of protection, in which they, as Managers, carry out any type of personal information processing, the holders do not need to be informed or obtain prior consent. of these matters. The foregoing, provided that there is a contract that regulates:
    1. Scope of processing;
    2. Activities that the third party in charge will carry out on behalf of PROCAPS.
    3. The obligations of the third-party provider as manager towards the holders and PROCAPS as responsible, in accordance with the provisions of Colombian law.
    4. The obligation to process personal data only for the contracted purposes.
    5. The prohibition of processing personal data for unauthorized uses.
    6. Treat personal data in compliance with current Colombian legislation.
    7. Comply with the principles applicable to the processing of personal data in force in Colombia.
    8. Adopt security measures according to the criticality of the personal information processed under the contract entered.
    9. Treat personal data in compliance with the principle of confidentiality.
    10. Notify within the term of the law in force in Colombia any security incident that compromises the personal data processed.
    11. The obligation to comply with the internal policy and regulations adopted by PROCAPS regarding the protection of personal data.
    12. Establish the channels for the exercise of habeas data to the holders of personal data, as well as the information requirements that PROCAPS has.
    13. The other obligations required of those in charge by virtue of the provisions of the Colombian regime for the protection of personal data.
 
 
 
 
 
  1. PRESERVATION OF PERSONAL DATA
The custody of the information in each Database will be the one reported at the time of data collection or the one established by PROCAPS in accordance with the purpose. The PROCAPS Database will have the period of validity that corresponds to the purpose for which their processing was authorized and the special rules that regulate the matter, as well as those rules that establish the exercise of the corporate purpose of PROCAPS. In any case, the information provided will remain stored for all the time necessary to allow us to fulfill the purposes set forth herein and to comply with legal and/or contractual obligations in charge of PROCAPS,
Especially in labor, accounting, fiscal and tax matters or for all the time necessary to meet the provisions applicable to the matter in question and the administrative, labor, accounting, fiscal, legal and historical aspects of the information, or in any event provided for by law.

In order to determine the reasonableness of the permanence time of the Personal Data in the Databases, by virtue of the nature of each Personal Data, the documentary retention times contained in Annex II of this Policy will be applied.
  1. PROCEDURES
    1. PROCEDURES FOR THE ATTENTION OF QUERIES, CLAIMS AND REQUESTS.
      1. INQUIRIES. The holders or their successors in title may consult the personal information of the holder that rests in any PROCAPS database. The holder may send their questions or queries related to their personal data collected and processed by PROCAPS through the service channels set forth in this Policy.

        The PROCAPS company will resolve the holders’ concern or query within ten (10) business days from the date they received it. When it is not possible to respond to the query within said term, the interested party will be informed before the expiration of 10 days, stating the reasons for the delay, and indicating the date on which the query will be addressed, which in no case may exceed five (5) business days following the expiration of the first term.
      2. CLAIMS. The holder (or their successors in title) who considers that the information contained in a PROCAPS database should be corrected, updated or deleted, or when they notice the alleged breach of any of the legal duties, may file the claim through the service channels set forth in this Policy.
      3. The claim must contain at least: The holder’s identification of the personal data, the description of the facts that give rise to the claim, the holder’s address, and must accompany the documents that are to be asserted. If it does not contain this information, the interested party will be required within five (5) days following its receipt to correct the faults. After two (2) months from the date of the request without the applicant submitting the required information, it will be understood that he has withdrawn the claim.

        Once the complete claim is received, a sign that says, "CLAIM IN PROCESS" and the reason for it will be included in the database maintained by PROCAPS, within a term of no more than two (2) business days. Said sign must be maintained until the claim is decided.

        The maximum term to address the claim will be fifteen (15) business days from the day following the date of receipt. When it is not possible to attend to it within said term, the interested party will be informed before the expiration of the aforementioned term of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.


 
  1. DELETION. The right to delete data is not absolute, PROCAPS can deny it when:
    1. The holder has a legal or contractual duty to remain in the database.
    2. The deletion of data hinders judicial or administrative actions related to tax obligations, investigation and crime prosecution or any updating of administrative sanctions.
    3. The data is necessary to protect the legally protected interests of the holder; to carry out an action based on the public interest, or to comply with an obligation legally acquired by the holder.
    4. If the cancellation of the personal data is reasonable, PROCAPS must operationally carry out the deletion in such a way that the elimination does not allow the recovery of the information.
       
  1. AREA RESPONSIBLE AND IN CHARGE OF PERSONAL DATA PROTECTION
    PROCAPS, in compliance with the provisions of Law 1581 of 2012 and other regulations governing the protection of personal data in Colombia, has established an internal structure in charge of fully complying with all regulations and this Policy, as follows:

    PERSONAL DATA PROTECTION OFFICER It will be the person in charge of leading the personal data protection program in PROCAPS, processing the requests of the Holders for the exercise of rights and has the following functions:
    1. Respond to all requests, petitions, queries, or claims submitted by the Holders.
    2. Manage the PROCAPS personal data protection system.
    3. Serve as a liaison and coordinator with the other PROCAPS areas to ensure a transversal implementation of the System.
    4. Maintain an inventory of the Databases within PROCAPS and update the annual report according to the indications of the Competent Authority in Colombia (Superintendency of Industry and Commerce).
    5. Register and update the Databases before the National Registry Databases (RNBD)
    6. Obtain declarations of conformity when necessary.
    7. Integrate personal data protection and processing policies within PROCAPS activities.
    8. Measure participation and qualify performance in personal data protection training.
    9. Ensure the implementation of audit plans to verify compliance with this Policy.
    10. Accompany and assist PROCAPS in the attention of visits, requests for information, disciplinary processes and/or response to requirements by the Competent Authorities.
    11. Monitor the personal data protection program.
    12. Prepare information security incident reports.
    13. Consolidate and continuously improve the activities that are part of the personal data protection program.
    14. Promote the implementation of a system that allows managing the risks of personal data processing.
    15. Promote the culture of protection of personal data in PROCAPS.
    16. Review of all PROCAPS operations that may have an impact in relation to the protection of personal data.
    17. Analyze the responsibilities of PROCAPS positions to design an adequate training program for each profile.
    18. Carry out a general training program on personal data protection in PROCAPS.
    19. Require that within the evaluation of PROCAPS employees and officials it is found that they have satisfactorily approved the personal data protection training.
    20. Submit internal reports to the Senior Management of PROCAPS and/or to the authorities in charge of controlling compliance with the rules and Policies.
    21. Make proposals for improvement, adjustments, modifications, or new internal provisions in accordance with the regulations issued in relation to the protection of personal data in PROCAPS.
    22. Submit to Senior Management the approval of documents related to the personal data protection in PROCAPS.
The PROCAPS PERSONAL DATA PROTECTION OFFICER will be the person responsible for ensuring the protection of personal data and who will also monitor so that the requests of the holders for the exercise of the rights of access are processed through the service channels, rectification, updating, deletion, and revocation referred to in this Policy, in accordance with the regulations related to the subject.
  1. INFORMATION SECURITY
The security of the information is important for PROCAPS, for this reason it has the physical, electronic, and procedural protection measures for the confidential handling of the information contained in its databases and institutional documents that make up the Information Security system, which must be applied in harmony with this Policy.

Likewise, PROCAPS undertakes to take all necessary security measures to protect your personal data from loss, misuse, unauthorized or fraudulent access, unauthorized disclosure, alteration, among others. PROCAPS is exonerated from illegal manipulation by third parties, technical or technological failures, that are outside its scope of protection.
 
  1. ATTENTION OF REQUIREMENTS OF ADMINISTRATIVE AND JUDICIAL ENTITIES
    The PROCAPS PERSONAL DATA PROTECTION OFFICER will be the person in charge, together with the legal representative of the company, of attending to any visit, request for information or request in relation to personal data. PROCAPS may disclose the personal information of its Holders upon request of the competent Judicial or Administrative Authorities in accordance with current legislation. PROCAPS will not assume the damages derived from this disclosure of information, in compliance with orders from competent administrative or judicial authorities.
 
  1. VALIDITY AND MODIFICATIONS
This policy was approved by PROCAPS Senior Management and came into effect on March 24, 2023, and modifies all the provisions that have been issued in advance in the organization. The databases in which the personal data will be registered will be valid for the same time as the information is maintained and used for the purposes described in this Policy. Once these purposes are met and provided there is no legal or contractual duty to retain the holder’s information, their data will be deleted from our databases.
 
  1. APPROVAL AND DISCLOSURE
This document was reviewed, analyzed, and approved for implementation by PROCAPS SA on March 24, 2023