Personal data protection and processing policy

Personal data protection and processing policy

Home / ESG

  Code: POL-0046 | Version: 03

PROCAPS S.A. 
NIT 890.106.527-5
Calle 80 No. 78 B – 201
Telephone 3719291
contacto@procaps.com.co 
Barranquilla (Atlántico) – Colombia.

The purpose of this “Policy for the Protection and Processing of Personal Data” (hereinafter “The Policy”) is to establish the rules on the protection of Personal Data that will be adopted and accepted by the company PROCAPS S.A. (hereinafter “PROCAPS, when it is Responsible and/or in Charge of the Processing of Personal Data.

The purpose of this Policy is to compile the principles and rules that regulate the processing of personal data with respect to all Owners related to PROCAPS, in order to guarantee regulatory compliance in all operations and activities.

In compliance with the provisions of Decree 255 of 2022 (Binding Corporate Rules), the provisions established in this Policy are mandatory for PROCAPS, acting as Controller and Data Processor as appropriate, as well as for its shareholders. collaborators, workers and interest groups.

This Policy includes mechanisms to ensure that the data is:

  • Treated in a lawful, fair and transparent manner in relation to the owner of the personal data.
  • Collected for specific, explicit and legitimate purposes, and will not be subsequently processed in a manner incompatible with said purposes.
  • Adequate, relevant and limited to the minimum necessary in relation to the purposes for which they are processed.
  • Accurate and kept up to date; taking all reasonable measures to have inaccurate personal data deleted or rectified without delay.
  • Preserved in a way that allows the owner to be identified, for a period no longer than necessary according to the purpose.
  • Treated under the control of the Data Controller, who, for each processing operation, guarantees and demonstrates compliance.

This Policy is issued within the framework of the adoption of measures of proven responsibility (Accountability) to verify that useful, timely, relevant and efficient measures have been implemented in PROCAPS.

This Policy is binding for those who have signed the Back Office Services Provision Agreement (hereinafter, the “Services Agreement”) in which they express their acceptance and which is included as an annex to said agreement.

In accordance with the regulations in force in Colombia and the applicable labor legislation, this Policy is binding and enforceable by PROCAPS collaborators. The collaborators have been informed of the existence of this, indicating that it is a Policy of mandatory compliance and establishing that, in accordance with the applicable legislation and the PROCAPS employment contracts, they may apply the corresponding disciplinary regime in case of non-compliance with them. .

The transfers of personal data are carried out between PROCAPS and the Companies with which PROCAPS has signed the Agreement for the Provision of Back Office services and will be framed solely and exclusively within the guidelines indicated in said Service Agreement, during the normal course of its business. activities; and said data may be stored in centralized databases accessible by said Companies, which are duly listed in the Agreement, from any part of the world where they have a presence.

This Policy is not a Contract, it simply indicates our desire to protect your private personal information.

In compliance with the provisions of Statutory Law 1581 of 2012 and its regulatory decrees and other current regulations, the company PROCAPS S.A. [hereinafter “PROCAPS”]informs the Policy for the Protection and Treatment of Personal Data.

1. LOCATION

This document is located digitally on the Intranet and on the company's website.

2. AIM

Establish the criteria for the collection, consultation, storage, ordering, classification, cataloguing, analysis, processing, use, circulation and deletion of personal data that are subject to processing by PROCAPS, either as Controller and/or in Charge of the data. themselves, in compliance with the current legal regime contained in Statutory Law 1581 of 2012 and other corresponding regulations.

3. RANGE

This Policy applies to all personal information registered in the PROCAPS databases, whether as “Responsible” and/or “Processor” and in relation to all the activities carried out in execution of its corporate purpose and in relation to all the interest groups with which it relates.

4. RESPONSIBILITY

It is aimed at direct and indirect collaborators, contractors, consultants, suppliers and third parties related to PROCAPS.

5. IDENTIFICATION OF THE COMPANY RESPONSIBLE FOR THE TREATMENT

This Policy applies in relation to the company PROCAPS S.A. private company identified with NIT No. 890.106.527-5, commercial registration No. 24802 of July 26, 1976, with main address at Calle 80 No. 78 B – 201 in the city of Barranquilla (Colombia), telephone number 3719291 , email contacto@procaps.com.co

6. CARE CHANNELS

The owners of the information or their successors may access the information that is registered about them in the database of the PROCAPS company.through the following service channels:

City

Address

Email

Barranquilla (Colombia)

Calle 80 No. 78 B - 201

habeasdata@procaps.com.co

7. LEGAL BASIS

a. Political Constitution of Colombia, article 15.
b. Law 1266 of 2008.
c. Regulatory Decrees 1727 of 2009 and 2952 of 2010.
d. Law 1581 of 2012.
and. Partial Regulatory Decree 1377 of 2013.
f. Decree 886 of 2014.
g. Sole Decree 1074 of 2015.
h. Decree 255 of 2022.
i. Law 2300 of 2023.
j. All other consistent regulations related to the protection of personal data in Colombia.

8. DEFINITIONS

For the purposes of interpretation, application and implementation of this Policy, the following definitions will apply:

a. AUTHORIZATION: Prior, express and informed consent of the owner to carry out the processing of personal data.

b. PRIVACY NOTICE: Verbal or written communication generated by the person responsible for the information addressed to the owner for the processing of their personal data, through which they are informed about the existence of the information processing policies that will be applicable to them, the way to access the themselves and the purposes of the treatment that is intended to be given to personal data.

c. SERVICE AGREEMENT: It is the Contract that PROCAPS signs with companies to which it provides Back Office services or comprehensive administrative support.

d. DATABASE:Organized set of personal data that is subject to processing.

and. CHANNELS TO EXERCISE RIGHTS: They are the means of receiving and responding to requests, queries and claims that the Data Controller and the Data Processor must make available to the Owners of the information.

f. PERSONAL DATA: Any piece of information linked to one or more specific or determinable persons or that can be associated with a natural person.

g. PUBLIC DATA: It is the data that is not semi-private, private or sensitive. Public data are considered, among others, data relating to the marital status of people, their profession or trade and their status as a merchant or public servant. Due to its nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins, and duly executed judicial rulings that are not subject to confidentiality.

h. SENSITIVE DATA: Sensitive data is understood to be data that affects the privacy of the owner or whose improper use may lead to discrimination, such as data that reveals racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social organizations, of human rights or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life and biometric data.

i. PROCESSOR OF TREATMENT: Natural or legal person, public or private, who, by themselves or in association with others, carries out the Processing of personal data on behalf of the Data Controller.

j. HABEAS DATA:Right of any person to know, update and rectify the information that has been collected about them in the data bank and in files of public and private entities.

k. BINDING CORPORATE RULES: The policies, principles of good governance or codes of good business practices of mandatory compliance assumed by the Data Controller, established in Colombian territory, to carry out transfers or a set of transfers of personal data to a controller who is located outside Colombian territory and that is part of the same business group.

l. PERSONAL DATA PROTECTION AND PROCESSING POLICY: The formal document approved by PROCAPS that reflects the conditions applicable to any processing operation regarding Personal Data.

m. RESPONSIBLE FOR THE TREATMENT: Natural or legal person, public or private, who, by themselves or in association with others, decides on the database and/or Data Processing.

n. TITULAR:Natural person whose personal data is the subject of Processing.

the. TREATMENT: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.

p. TRANSFER: The transfer of data takes place when the person responsible and/or in charge of the processing of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is responsible for the treatment and is located inside or outside the country. .

q. TRANSMISSION: Processing of personal data that involves the communication thereof within or outside the territory of the Republic of Colombia when its purpose is to carry out processing by the person in charge on behalf of the person responsible.

9. BEGINNING

In the development, interpretation and application of Law 1581 of 2012, which establishes general provisions for the protection of personal data and the regulations that complement, modify or add to it, the following guiding principles will be applied in a harmonious and comprehensive manner:

a. PRINCIPLE OF LEGALITY: Data processing is a regulated activity that must be subject to the provisions of the law and the other provisions that develop it.

b. PRINCIPLE OF PURPOSE: The treatment must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the owner. Regarding the collection of personal data, PROCAPSIt will be limited to those data that are relevant and appropriate for the purpose for which they were collected or required in accordance with this policy and the internal procedural manual for the management of information and databases.

c. PRINCIPLE OF FREEDOM: The treatment can only be carried out with the prior, express, and informed consent of the owner. Personal data may only be obtained or disclosed with prior authorization, or with the existence of a legal or judicial mandate that relieves consent.

d. PRINCIPLE OF TRUTHFULNESS OR QUALITY: The information subject to processing must be true, complete, accurate, up-to-date, verifiable and understandable. The processing of partial, incomplete, fragmented or misleading data is prohibited.

and. PRINCIPLE OF TRANSPARENCY: In the processing, the right of the owner to obtain from the person responsible for the treatment or the person in charge of the treatment, at any time and without restrictions, information about the existence of data that concerns him or her must be guaranteed.

f. PRINCIPLE OF ACCESS AND RESTRICTED CIRCULATION: The processing is subject to the limits derived from the nature of the personal data, the provisions of the law and the Constitution. In this sense, the treatment can only be carried out by people authorized by the owner and/or by the people provided for by law. Personal data, except public information, may not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide knowledge restricted only to the owners or third parties authorized in accordance with the law.

g. SAFETY PRINCIPLE: The information subject to treatment by PROCAPS must be handled with the technical, human and administrative measures that are necessary to provide security to the records, avoiding their adulteration, loss, consultation, unauthorized or fraudulent use or access.

h. PRINCIPLE OF CONFIDENTIALITY: PROCAPSis obliged to guarantee the confidentiality of the information, even after its relationship with any of the tasks included in the treatment has ended, and may only supply or communicate personal data when this corresponds to the development of activities authorized by law.

10. RIGHTS THAT ASSIST THE OWNER OF THE INFORMATION.

The owner of the personal data will have the following rights:

a. Know, update and rectify your personal data against PROCAPSin its capacity as data controller. This right may be exercised, among others, against partial, inaccurate, incomplete, fragmented, misleading data, or data whose processing is expressly prohibited or has not been authorized.

b. Request proof of the authorization granted to PROCAPSexcept when expressly excepted as a requirement for treatment.

c. Be informed by PROCAPS, upon request, regarding the use that has been given to your personal data.

d. Submit complaints to the Superintendency of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and other regulations that modify, add or complement it.

and. Revoke the authorization and/or request the deletion of the data when the processing does not respect constitutional and legal principles, rights and guarantees.

f. Access free of charge to your personal data that has been processed.

11. RIGHTS OF CHILDREN, GIRLS AND ADOLESCENTS .

In the Treatment, respect for the prevailing rights of children and adolescents will be ensured. The Processing of personal data of children and adolescents is prohibited, except for data that is public in nature.

12. DUTIES OF PROCAPS.

a. Make use of the information contained in the databases only for the purpose for which it is authorized.

b. Guarantee the owner, at all times, the full and effective exercise of the right of Habeas Data.

c. When personal data is collected, it must be limited to that which is relevant and appropriate for the purpose for which it is required in accordance with the provisions of the law. To do so, no deceptive or fraudulent means will be used.

d. Preserve the information under the security conditions necessary to prevent its adulteration, loss, unauthorized or fraudulent consultation, use or access.

and. Timely update, rectify or delete the data in the terms indicated by this policy in the Procedures-Claims section.

f. Enable electronic or other means of communication that it considers relevant that allow for timely response to queries and claims presented by the owners of the information.

g. The requested information must be provided free of charge and by any means, as required by the owner. The information must be easy to read, without technical barriers that prevent access, and must strictly correspond to that stored in the database.

h. In the event that the certification of the authorized information is requested physically and/or it needs to be sent by certified mail, the PROCAPS company may require the applicant to pay the corresponding amount of expenses, without being able to charge at any time. more than actually billed; If required, the PROCAPS company must demonstrate to the Superintendence of Industry and Commerce the support for said expenses.

i. Adopt the other necessary measures so that the information provided to PROCAPS remains updated.

j. Rectify information when it is incorrect.

k. Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

l. Refrain from circulating information that is being controversial by the owner and whose blocking has been ordered by the Superintendence of Industry and Commerce.

m. Allow access to information only to people who can have access to it.

n. Inform the Superintendency of Industry and Commerce when violations of security codes occur and there are risks in the administration of the owners' information.

the. Establish the necessary mechanisms to obtain the authorization of the owners of the processing of their data, which may be granted through a physical document, electronic document or in any other format that guarantees subsequent consultation.

p. Keep proof of authorization and deliver a copy to the owner of the information if required.

q. Establish simple and free mechanisms that allow the owner to request the report, modification, deletion or update of the data, which may be the same mechanisms used to grant consent without prejudice to the expenses that may arise on the occasion of the issuance and sending of the same.

r. Protect the information subject to Treatment through the use of the technical, human and administrative measures that are necessary to provide security to the records, avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.

To this end, PROCAPS will maintain mandatory security protocols for personnel with access to personal data and information systems.

s. Ensure that PROCAPS staffthat intervenes in the processing of personal data guarantees the confidentiality of the information, even after the end of its relationship with any of the tasks that the processing includes in accordance with the provisions of the employment contract and/or other provisions subject to the relationship between official and the company.

t. Designate a “Personal Data Protection Officer” who assumes the function of protecting personal data and who will also ensure that, through the customer service channels, the owners' requests are processed.

in. In principle, the processing of personal data of children and adolescents is prohibited by law, unless it is data of a public nature and/or when said processing meets the parameters and requirements established in this Policy.

v. Use personal data in accordance with the authorization given by the owner and will only transmit or transfer it to allies, subsidiaries or subsidiaries, third parties that may use the information to carry out their work acting on behalf of PROCAPS and/or in compliance with the requirements of the authorities, adhering to the laws that apply on the matter and respecting the Service Agreements in force with third parties.

In. Collect, store, use or circulate personal data for as long as is reasonable and necessary, in accordance with the purposes that justified its processing, taking into account the legal provisions and administrative, accounting, fiscal, legal and historical aspects of the information.

Once the purpose of the treatment has been fulfilled and without prejudice to legal regulations that provide otherwise, PROCAPSmust delete personal data. Notwithstanding the above, personal data must be preserved when required to comply with a legal or contractual obligation.

x. Prove the existence of the “Personal Data Protection and Processing Policy” and the way to access it.

and. Comply with the following parameters for the collection, use and processing of personal data:

i. The processing of the personal data collected must obey a legitimate purpose of which the owner must be informed.

ii. The processing of personal data can only be carried out with the prior, express and informed consent of the owner.

iii. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that requires consent.

iv. The information subject to processing must be true, complete, accurate, up-to-date, verifiable and understandable.

v. The processing of partial, incomplete, fragmented or misleading data is prohibited.

we. Guarantee the right of the owner to obtain, at any time and without restrictions, information about the existence of data that concerns him or her.

With. Request again from the owner of the information the authorization for data processing, in the event of a substantial modification to this “Personal Data Protection and Processing Policy”.

13. AUTHORIZATION FOR THE PROCESSING OF PERSONAL DATA

Without prejudice to the exceptions provided for in the Law, the processing of the owner's personal data requires the prior and informed authorization of the Owner, which must be obtained by any means that can be subject to subsequent consultation.

The authorization must contain the following information:

a. Name and identification of the person from whom authorization is being requested.

b. Identification of the data being collected.

c. Purpose of the data subject to authorization.

d. Information on the procedure to exercise rights to access, correct, update or delete the personal data provided.

and. Rights that assist the owner.

f. Service channels provided by PROCAPS.

PROCAPS, in the terms provided in the Law, generated a notice (Privacy Notice) in which the owners are informed that they can exercise their right to the processing of personal data by going to the service channels included in this Policy.

14. EVENTS IN WHICH THE AUTHORIZATION OF THE OWNER OF THE PERSONAL DATA IS NOT NECESSARY.

The authorization of the owner of the information will not be necessary in the following cases:

a. Information required by a public or administrative entity in the exercise of its legal functions or by court order.
b. Public data.
c. Medical or health emergency cases.
d. Processing of information authorized by law for historical, statistical or scientific purposes. Data related to the Civil Registry of people.

15. LEGITIMATION FOR THE EXERCISE OF THE OWNER'S RIGHT

The rights of the owners established in the Law may be exercised by the following people:

a. By the owner, who must sufficiently prove his or her identity.
b. By the successors of the owner, who must prove such quality.
c. By the representative and/or attorney-in-fact of the owner, prior accreditation of the representation or power of attorney.
d. By stipulation in favor of another or for another. The rights of children and adolescents will be exercised by the people who are empowered to represent them.

16. TREATMENT TO WHICH THE DATA WILL BE SUBJECTED AND PURPOSE OF THE SAME.

The Processing of the personal data of the Owners with whom PROCAPS relates by virtue of its corporate purpose, including clients, suppliers and consumers, will be framed in the legal order and in accordance with the following purposes in general terms or those that are reported at every moment in which personal data collection operations are carried out:

a. Internal management and commercial relationship management of its interest groups, clients, distributors and suppliers of the different business segments.
b. Sending communications, correspondence, text messages, instant messaging systems, emails or telephone contact with its clients, distributors and consumers in relation to its commercial, advertising, marketing, promotional, sales and other related activities.
c. Personnel selection processes, management of contractual relationships, labor relations and guaranteeing compliance with the obligations derived from it, granting benefits to its collaborators by itself or through third parties.
d. Analysis of potential with essentially commercial purposes, whether of suppliers, distributors and/or clients.and. Management of procedures (requests, complaints, claims), perform risk analysis, carry out satisfaction surveys regarding the company's goods and services.
f. Investigation of events emanating from manufactured and/or marketed products.
g. Monitoring of people who consume and/or acquire the products and/or marketed by the company.
h. Deployment of corporate social responsibility activities towards stakeholders.
i. Management of the security of people, property and information assets in the custody of the organization.
j. Creation of databases for the purposes described above.
Specifically in relation to each interest group, PROCAPS may have the following purposes:

a. Purposes regarding Clients or Users of the Products or Services:

- Carry out the pertinent steps for the development of the pre-contractual, contractual and post-contractual stage with PROCAPS, with respect to any of the products or services offered by PROCAPS, whether or not the Owner has acquired or with respect to any underlying business relationship it has with it.
- Register the Owner in the systems, forms, lists, files, physical or electronic, managed by PROCAPS, for the purposes of the execution of the commercial legal relationship established with PROCAPS.
- Advance the electronic billing procedures for the products or services acquired by the Owner.
- Maintain operations support, incident monitoring and compliance with contractual and legal obligations.
- Comply with your legal and contractual obligations.
- Send messages, notifications or alerts through any means to send and disseminate legal, security information, promotions, commercial, advertising, marketing, institutional or educational campaigns, sweepstakes, events or other benefits.
- Send electronic messages or make telephone contacts, or through any means, to advance the confirmation of personal data of the Owner necessary for the execution of the legal relationship that has been established with PROCAPS.
- Contact the Owner through email, instant messaging, text messages, formal communications, telephone calls and/or any means known or unknown to send contractual, informative documents, account statements or invoices in relation to the obligations derived of the contracts entered into with PROCAPS, in its different commercial establishments.
- Provide information to third parties with whom you have a contractual relationship and it is necessary to deliver it to them for the fulfillment of the contracted object.
- Carry out the archiving and document management tasks of PROCAPS, in accordance with current legal provisions.
- For administrative and analytical purposes, such as information systems administration, accounting, billing and auditing, marketing, check processing and verification.
- Share information with commercial allies to offer products and services, complying with all authorizations required by law and this Policy.
- Communicate news about PROCAPS products, invite events or programs organized by the company.
- Consult, verify and confirm credit and commercial information of the Owner, in Risk and/or Information Centers or any other public or private, national, foreign or multilateral entity that administers or manages databases or credit information, or any other financial entity. from Colombia, or from abroad or of a multilateral nature, all the information that refers to the Owner, about its credit, financial, commercial, services and third countries behavior of the same nature, for the purposes of evaluating and granting financing for the assets. or products purchased with PROCAPS, as long as you have the corresponding authorization.
- To make reports to the risk and information centers, all the conditions and procedures established in current laws will be met and especially in relation to Law 1266 of 2008 and related regulations.
- Manage the risk of Money Laundering and Terrorist Financing and Corruption and Bribery.

b. Purposes regarding Worker Candidates:

- Process the employment applications that PROCAPS receives from the candidates, process them and define them within the stipulated time, according to the selection process or the call;
- Contact the Owner through email, instant messaging, text messages, formal communications, telephone calls and/or any means known or unknown in relation to the selection process or the call.
- Evaluate the worker's work capacity, to establish their suitability for future employment and/or to comply with the requirements of occupational preventive medicine.
- Carry out the archiving and document management tasks of PROCAPS, in accordance with current legal provisions.
- Manage the risk of Money Laundering and Terrorist Financing and Corruption and Bribery.

c. Purposes regarding workers (collaborators):

- To manage compliance with the terms established in the employment relationship such as: affiliation and contributions to social security entities, creation of an employment contract, generation and processing of payroll payments and labor benefits.
- Comply with regulations on labor matters, social security, pensions, professional risks, family compensation funds (Comprehensive Social Security System) and taxes.
- Comply with the instructions of the competent judicial and administrative authorities;
- Implement labor and organizational policies and strategies.
- Include the Owner employed in the development of the different training, development, well-being, occupational health and safety programs and activities established by PROCAPS for its collaborators and beneficiaries.
- Carry out preventive or occupational medicine procedures, in conjunction with the occupational risk administrator.
- Contact you to give you orders related to your assigned job duties.
- Carry out the archiving and document management tasks of PROCAPS, in accordance with current legal provisions.
- Create cards and/or identification mechanisms for the employed Owner, with their biometric data, so that they can carry it and identify themselves as a PROCAPS employee. This purpose is necessary in accordance with the PROCAPS security policy and will be handled as sensitive information with express authorization.
- Establish and maintain an access control record to PROCAPS facilities, using biometric data, in order to facilitate access and circulation in PROCAPS physical facilities. This purpose is necessary in accordance with the PROCAPS security policy and the sensitive information that is processed will be managed in accordance with current law and this Policy.
- Contact the Owner through email, instant messaging, text messages, formal communications, telephone calls and/or any means known or unknown to send contractual, informative documents or invoices in relation to the obligations derived from the contracts that celebrate with PROCAPS.
- Share information with commercial allies to offer products and services, complying with all authorizations required by law and this Policy.
- Communicate news about PROCAPS products, invite events or programs organized by the company.
- For administrative and analytical purposes, such as information systems administration, accounting, billing and auditing, marketing, check processing and verification.
- Publish your face and personal image represented in photographs and/or video recordings of the Owners to be published on the PROCAPS website and social networks and in publications in printed media, information brochures, management reports, billboards, corporate material, among other media. digital and printed, as part of your internal and external communications in your role as an employer, to document the organizational structure or training, development, well-being, occupational health and safety activities established by PROCAPS.
- In the case of former collaborators, PROCAPS may store, even after the employment contract has ended, the information necessary to comply with the obligations that may arise by virtue of the employment relationship that existed in accordance with Colombian legislation, as well as provide labor certifications. that are requested by the former official or by third parties against whom he carries out a selection process.
- Manage the risk of Money Laundering and Terrorist Financing and Corruption and Bribery.

d. Purposes regarding Suppliers or Contractors:

- Register the Owner in the systems, forms, lists, files, physical or electronic, managed by PROCAPS, for the purposes of providing the contracted services.
- Advance electronic billing procedures for contracted services.
- Maintain operations support, incident monitoring and compliance with contractual and legal obligations.
- Comply with your legal and contractual obligations.
- Send electronic messages or make telephone contacts, or through any means, to advance the confirmation of personal data of the Owner necessary for the execution of the legal relationship that has been established with PROCAPS.
- Contact the Owner through email, instant messaging, text messages, formal communications, telephone calls and/or any other means known or unknown, to send contractual, informative documents, account statements or invoices in relation to the obligations derived from the contracts entered into with PROCAPS, in its different commercial establishments or offices.
- Grant access to the interaction portals of suppliers and/or contractors in order to supply all the processes required internally by PROCAPS.
- Provide information to third parties with whom you have a contractual relationship and it is necessary to deliver it to them for the fulfillment of the contracted object.
- Carry out the archiving and document management tasks of PROCAPS, in accordance with current legal provisions.
- Validate, verify and consult the economic and transactional information of the Owner with the purpose of establishing the legal relationship with PROCAPS.
- For administrative and analytical purposes, such as information systems management, accounting, billing and auditing, marketing, check processing and verification.
- Share information with commercial allies to offer products and services, complying with all authorizations required by law and this Policy.
- Communicate news about PROCAPS products and/or services, invite to events or programs organized by the company.
- Consult, verify and confirm credit and commercial information of the Owner, in Risk or Information Centers, or any other public or private, national, foreign or multilateral entity that administers or manages databases or credit information, or any other financial entity. Colombia, or from abroad or of a multilateral nature, all information that refers to the Owner, about its credit, financial, commercial, services and third countries behavior of the same nature.
- To make reports to the risk and information centers, all the conditions and procedures established in current laws will be met and especially in relation to Law 1266 of 2008 and related regulations.
- Manage the risk of Money Laundering and Terrorist Financing and Corruption and Bribery.

and. Purposes regarding PROCAPS Shareholders:

- Comply with the obligations and rights derived from your status as a PROCAPS shareholder.
- Send you electronic, physical and/or telephone communications to your contact information to inform you, summon you or call you to meetings of the social bodies of PROCAPS where required, and/or to send you the documents and reports that will be put up for consideration at such meetings.
- Send you communications and information necessary for the exercise of your rights as a PROCAPS shareholder, and/or for the fulfillment of the obligations borne by PROCAPS in favor of its shareholders.
- Carry out comprehensive administration activities of the shareholder registry book.
- Contact the Owner through email, instant messaging, text messages, formal communications, telephone calls and/or any other means known or unknown, to send contractual documents, information, account statements in relation to their quality of service. PROCAPS shareholder.
- Carry out the archiving and document management tasks of PROCAPS, in accordance with current legal provisions.
- Provide information related to procedures, complaints and requests from shareholders.
- Communicate news about PROCAPS products and/or services, invite events or programs organized by PROCAPS.
- Give access to the information to the judicial or administrative authorities that request said data in the exercise of their functions.
- Manage the risk of Money Laundering and Terrorist Financing and Corruption and Bribery.
- Compliance with the necessary activities and purposes of the Company – shareholders relationship.

f. Processing of Sensitive Personal Data obtained through Video Surveillance

PROCAPS uses various means of video surveillance installed in different internal and external locations of its facilities or offices. For this reason, it informs the general public about the existence of these mechanisms by posting and disseminating information notices with details of the contact channels and the policies that govern said treatment.

The information collected through this mechanism is used for security purposes, controlling and identifying access to PROCAPS headquarters, offices and commercial establishments; maintain security and access control to buildings, establishments open to the public and other facilities; promote the safety of people, property and facilities; the improvement of our service and the experience in the PROCAPS facilities, likewise, as evidence in any type of process before any type of authority or organization.

PROCAPS does not deliver the video recordings obtained to any third party, unless there is an order from a court or competent authority or unless the law allows it.

The authorization in relation to the handling of this personal data is understood to be granted through the unequivocal action of entering the facilities that are the subject of video surveillance and monitoring by PROCAPS.

In any case, PROCAPS reserves the right to inform the Holders of the purpose of each Processing of information on personal data at the time of collecting it through the Authorization. In the event that the personal data no longer fulfill the purpose for which they were obtained, they will be deleted from our databases under the terms and conditions established by Colombian legislation and/or the Personal Data Protection and Processing Policy.

17. SENSITIVE DATA

In the case of sensitive personal data, it may be used and processed when:

a. The Owner has given explicit authorization to said Treatment, except in cases where the granting of said authorization is not required by law.
b. The Treatment is necessary to safeguard the vital interest of the Owner and the Owner is physically or legally incapacitated. In these events, legal representatives must grant their authorization.
c. The Treatment refers to data that is necessary for the recognition, exercise or defense of a right in a judicial process. .
d. The Treatment has a historical, statistical or scientific purpose. In this event, measures must be adopted leading to the deletion of the identity of the Holders.

18. DATA OF BOYS, GIRLS AND ADOLESCENTS

The processing of personal data of children and adolescents is prohibited, except when it concerns data of a public nature, and when said processing meets the following parameters and/or requirements:

a. That they respond to and respect the best interests of children and adolescents.
b. That respect for their fundamental rights is ensured.

Once the above requirements have been met, the legal representative of the children or adolescents will grant authorization, after the minor has exercised his or her right to be heard, an opinion that will be valued taking into account maturity, autonomy and ability to understand the matter. The PROCAPS companywill ensure the appropriate use of the processing of personal data of children or adolescents.

It is presumed that whoever grants the Authorization for the Processing of Personal Data on behalf of a minor has the legal authority to do so, so it is understood that said statement is made under the gravity of an oath.

19. PEOPLE TO WHOM THE INFORMATION MAY BE PROVIDED

The information that meets the conditions established by law may be provided to the following people:

a. To the owners, their successors (when those are missing) or their legal representatives.
b. To public or administrative entities in the exercise of their legal functions or by court order.
c. To third parties authorized by the owner or by law.

20. INTERNATIONAL DATA TRANSFER

The transfer of personal data to any person whose seat is a country not safe for data protection is prohibited. Safe countries are understood to be those that have adopted Personal Data Protection Guidelines in their internal legislation and/or comply with the standards set by the Superintendency of Industry and Commerce.

Exceptionally, international data transfers may be carried out by PROCAPS when:

a. The owner of the data has granted prior, express and unequivocal authorization to carry out the transfer.
b. The transfer is necessary for the execution of a contract between the owner and PROCAPS as responsible and/or in charge of the treatment.
c. These are bank and stock transfers in accordance with the legislation applicable to such transactions.
d. It involves data transfer within the framework of international treaties that are part of the Colombian legal system.
and. These are transfers legally required to safeguard a public interest.
f. These are transfers included within the framework of the existing Services Agreement.

At the time of an international transfer of personal data, prior to sending or receiving the same, PROCAPS will sign the agreements that regulate in detail the obligations, burdens and duties that arise for the intervening parties.

The agreements or contracts entered into must comply with the provisions of this Policy, as well as the legislation and jurisprudence that is applicable regarding the protection of personal data.

It will be up to the Data Protection Officer to validate international personal data transfer operations to guarantee the minimum information security conditions required by PROCAPS.

It will be up to the Data Protection Officer of PROCAPS give prior favorable opinion on agreements or contracts that involve an international transfer of personal data, taking into account as guidelines the applicable principles included in this Policy.

Likewise, it will be up to the PROCAPS Data Protection Officer to make the pertinent queries before the Superintendence of Industry and Commerce to ensure the circumstance of “safe country” in relation to the territory of destination and/or origin of the data.

21. INTERNATIONAL TRANSMISSION OF PERSONAL DATA

In the contractual relationships that PROCAPS enters into with suppliers located in third countries that do not have an adequate level of protection, in which these, as Processors, carry out any type of processing of personal information, the owners do not need to be informed or obtain prior consent. of these. The above, provided that there is a contract that regulates:

a. The scope of treatment;
b. The activities that the third party in charge will carry out on behalf of PROCAPS;
c. The obligations of the third party provider as Manager towards the Owners and PROCAPS as Responsible, in accordance with the provisions of Colombian law;
d. The obligation to process personal data only for the contracted purposes;
and. The prohibition of processing personal data for unauthorized uses;
f. The obligation to process personal data in compliance with current Colombian legislation;
g. The obligation to comply with the principles applicable to the processing of personal data in force in Colombia;
h. The obligation to adopt security measures according to the criticality of the personal information processed under the contract concluded;
i. The obligation to process personal data in compliance with the principle of confidentiality;
j. The obligation to notify within the term of current law in Colombia any security incident that compromises the personal data processed;
k. The obligation to comply with the internal policy and regulations adopted by PROCAPS regarding the protection of personal data.
l. Establish the channels for the exercise of habeas data to the holders of personal data, as well as the information requirements that PROCAPS has;
m. The other obligations required of those in charge under the provisions of the Colombian personal data protection regime.

22. CONSERVATION OF PERSONAL DATA

The custody of the information in each Database will be that which is reported at the time of data collection or that established by PROCAPS in accordance with the purpose. The PROCAPS Databases will have the period of validity that corresponds to the purpose for which their treatment was authorized and the special rules that regulate the matter, as well as those rules that establish the exercise of the corporate purpose of PROCAPS. In any case, the information provided will remain stored for as long as necessary to allow us to fulfill the purposes set forth herein and to comply with legal and/or contractual obligations by PROCAPS, especially in labor, accounting, fiscal and tax matters. for all the time necessary to address the provisions applicable to the matter in question and the administrative, labor, accounting, fiscal, legal and historical aspects of the information, or in any event provided for by law.

For the purposes of determining the reasonableness of the time of permanence of Personal Data in the Databases, by virtue of the nature of each Personal Data, the documentary retention times contained in this Policy will be applied.

23. PROCEDURES FOR ATTENDING QUERIES, CLAIMS AND PETITIONS.

i. CONSULTATIONS. The owners or their successors may consult the personal information of the owner that resides in any PROCAPS database. The owner may send questions or queries related to their personal data collected and processed by PROCAPS through the service channels set forth in this Policy.

The PROCAPS company will resolve concerns or queries within ten (10) business days following the date on which it was received. When it is not possible to attend to the query within said term, the interested party will be informed before the expiration of ten (10) days, expressing the reasons for the delay and indicating the date on which their query will be attended to, which in no case may exceed five (5) business days following the expiration of the first term.

ii. CLAIMS. The owner (or his successors) who considers that the information contained in any PROCAPS database should be corrected, updated or deleted, or when they notice the alleged breach of any of the legal duties, may present the claim through the attention channels set forth in this Policy.

The claim must contain at least: The identification of the owner of the personal data, the description of the facts that give rise to the claim, the address of the owner, and must accompany the documents that you want to assert. If this information does not contain, the interested party will be required within five (5) days of receipt to correct the deficiencies. If two (2) months have elapsed from the date of the request without the applicant presenting the required information, it will be understood that the claim has been abandoned.

Once the complete claim is received, a legend that says "CLAIM IN PROCESS" and the reason for it, within a period of no more than two (2) business days. Said legend must be maintained until the claim is decided.

The maximum term to address the claim will be fifteen (15) business days counted from the day following the date of receipt. When it is not possible to attend to it within said term, the interested party will be informed before the expiration of the aforementioned period of the reasons for the delay and the date on which their claim will be attended to, which in no case may exceed eight (8) business days following the expiration of the first term.

iii. SUPPRESSION. The right to delete data is not absolute, PROCAPS may deny it when:

a. The owner has a legal or contractual duty to remain in the database.

b. The deletion of data hinders judicial or administrative actions linked to tax obligations, the investigation and prosecution of crimes or the updating of administrative sanctions.

c. The data is necessary to protect the legally protected interests of the owner; to carry out an action based on the public interest, or to comply with an obligation legally acquired by the owner.

d. If the deletion of personal data is appropriate, PROCAPSmust operationally carry out the deletion in such a way that the deletion does not allow the recovery of the information, without prejudice to the technological trace of the existence of the respective Data in the Database.

24. AREA RESPONSIBLE AND IN CHARGE OF THE PROTECTION OF PERSONAL DATA

PROCAPS, within compliance with the provisions of Law 1581 of 2012 and other regulations that govern the protection of personal data in Colombia, has established an internal structure in charge of giving full compliance to all regulations and this Policy, as shown. next:

PERSONAL DATA PROTECTION OFFICER

He will be the person in charge of leading the personal data protection program in PROCAPS, processing the requests of the Owners for the exercise of rights and has the following functions:

a. Respond to all requests, requests, queries or claims presented by the Owners.
b. Manage the personal data protection system and PROCAPS.
c. Serve as liaison and coordinator with the other areas of PROCAPS to ensure transversal implementation of the System.
d. Maintain an inventory of the Databases within PROCAPS and update the annual report according to instructions from the Competent Authority in Colombia (Superintendency of Industry and Commerce).
and. Register and update the Databases with the National Registry of Databases (RNBD)
f. Obtain declarations of conformity when necessary.
g. Integrate personal data protection and processing policies within PROCAPS activities.
h. Measure participation and rate performance in personal data protection training.
i. Ensure the implementation of monitoring plans to verify compliance with this Policy.
j. Accompany and assist PROCAPS in responding to visits, requests for information, disciplinary processes and/or responding to requirements from the Competent Authorities.
k. Monitor work plans and/or personal data protection management program.
l. Prepare information security incident reports.
m. Consolidate and continually improve the activities that are part of the work plans and/or personal data protection management program.
n. Promote the implementation of a system that allows managing the risks of personal data processing.
the. Promote the culture of personal data protection in PROCAPS.
p. Review all PROCAPS operations that may have an impact in relation to the protection of personal data.
q. Analyze the responsibilities of the positions of PROCAPS collaborators to design a training program appropriate to each profile.
r. Design and execute a general personal data protection training program in PROCAPS.
s. Require that the evaluation of PROCAPS collaborators and officials include having satisfactorily passed the training on personal data protection.
t. Present internal reports addressed to the Senior Management of PROCAPS and/or to the authorities in charge of controlling compliance with the rules and Policies.

in. Make proposals for improvements, adjustments, modifications or new internal provisions in accordance with the regulations issued in relation to the protection of personal data in PROCAPS.

v. Submit to Senior Management the approval of documents related to personal data protection in PROCAPS.

He PERSONAL DATA PROTECTION OFFICER by PROCAPSwill be the person responsible for ensuring the protection of personal data and who will also ensure that the requests, queries and claims of the owners are processed and channeled through the service channels for the exercise of the rights of access, consultation, rectification, updating, deletion and revocation referred to in this Policy, in accordance with the regulations related to the subject.

25. INFORMATION SECURITY

Information security is important to PROCAPS, which is why it has physical, electronic and procedural protection measures for the confidential management of the information contained in its databases and institutional documents that make up the Information Security system. which must be applied in a harmonious manner with this Policy.

Likewise, PROCAPS undertakes to take all necessary security measures to protect personal data from loss, misuse, unauthorized or fraudulent access, unauthorized disclosure, alteration, among others.

PROCAPS is exonerated from illegal manipulations by third parties, technical or technological failures, which are outside its scope of protection.

26. ATTENTION TO REQUIREMENTS OF ADMINISTRATIVE AND JUDICIAL ENTITIES

The PROCAPS PERSONAL DATA PROTECTION OFFICER will be the person in charge, together with the legal representative of the company, of attending to any visit, information request or request in relation to personal data. PROCAPS may reveal the personal information of its Owners upon request from the competent Judicial or Administrative Authorities in accordance with current legislation. PROCAPS will not assume any damages resulting from this disclosure of information, in compliance with orders from competent administrative or judicial authorities.

27. STORAGE AND PROCESSING OF PERSONAL DATA

The Personal Data collected will be stored in physical and/or digital databases or in hybrid form as appropriate to the type of data in question and the purpose of the processing of the Personal Data. Likewise, the processing may be manual and/or automated. as appropriate, ensuring in all cases the security of the information.

28. MECHANISM ESTABLISHED TO RELEASE SUBSTANTIAL CHANGES

In accordance with the provisions of the Law, PROCAPS will inform the owners of the information of any substantial modification that may arise in the Personal Data Processing Policy and for this purpose, it will use the appropriate means to inform the owners of these changes. the information through the website (https://procapslaboratorios.com) and/or email and/or phone call and/or text messages and/or WhatsApp.

29. VALIDITY PERIOD OF THE DATABASES

The length of time personal data remains in the databases will depend on the type of data and the existing legal obligations regarding the conservation of said data. For this purpose, PROCAPS will analyze internally and in detail the type of data of the owner and will guarantee the maximum period of permanence, in accordance with the attached personal data retention table (ANNEX 02), a retention table that will be modified accordingly. compliance with the regulatory changes that affect it.

30. VALIDITY AND MODIFICATIONS

This policy was approved by the Senior Management of PROCAPS S.A., and came into effect on March 4, 2024 and modifies all provisions that had been issued in advance in the organization.

The databases in which personal data will be recorded will have a validity equal to the time in which the information is maintained and used for the purposes described in this Policy. Once these purposes are met and as long as there is no legal or contractual duty to retain your information, your data will be deleted from our databases.

31. APPROVAL AND DISCLOSURE
This document was reviewed, analyzed and approved for implementation by PROCAPS S.A. on March 4, 2024.

PROCAPS will make the corresponding disclosure with the corresponding interest groups and it will be recorded in ANNEX I “Communication Minutes and Training Certificate on the Policy for the Protection and Treatment of Personal Data”.

Temas relacionados

icono de Personal data protection and processing policy

Personal data protection and processing policy