Personal Data Processing Policy

SunDevs.

General Considerations

Sundevs is a Colombian company dedicated to the development of information technology activities. In the course of its corporate purpose, Sundevs carries out activities that may involve the processing of personal data, including promotions, events, contests, hiring processes, among others. In this regard, Sundevs commits to abide by the following Information Processing Policy.

Article 15 of the Constitution of the Republic of Colombia enshrines every person’s right to know, update, and rectify personal data about them that exists in databases or files of public or private entities. Likewise, it orders those who hold third parties’ personal data to respect the rights and guarantees provided in the Constitution when collecting, processing, and circulating such information.

Statutory Law 1581 of October 17, 2012 establishes the minimum conditions to legitimately process the Personal Data of clients, employees, and any other natural person. Subparagraphs (k) of Article 17 and (f) of Article 18 of said law require those responsible for and in charge of Personal Data Processing to “adopt an internal manual of policies and procedures to ensure adequate compliance with this law and, in particular, for handling inquiries and complaints.”

Article 25 of the aforementioned law establishes that data processing policies are mandatory and that failure to comply will result in sanctions. Likewise, it provides that such policies may not guarantee a level of processing lower than that established in Law 1581 of 2012.

Chapter III of Decree 1377 of June 27, 2013 regulates certain aspects related to the content and requirements of Information Processing Policies and Privacy Notices.

Sundevs is committed to respecting the rights of its clients, employees, and third parties in general. Therefore, it adopts the following Personal Data Processing Policy, which shall be mandatory in all activities involving the processing of Personal Data.

CHAPTER I – GENERAL PROVISIONS

Mandatory Nature and Scope of Application

This Policy is mandatory and strictly binding for all Sundevs employees in Colombia, contractors, and third parties acting on behalf of Sundevs.

All Sundevs employees must observe and respect this Policy in the performance of their duties. In cases where there is no employment relationship, a contractual clause must be included so that those acting on behalf of Sundevs undertake to comply with this policy. Non-compliance will give rise to labor sanctions or contractual liability, as applicable. This is without prejudice to the duty to compensate for damages caused to Data Subjects or to Sundevs due to breach of this Policy or improper processing of Personal Data.

Definitions

Authorization: Prior, express, and informed consent of the Data Subject to carry out the processing of Personal Data.

Database: Organized sets of Personal Data that are subject to processing.

Inquiry: Request made by the Data Subject or by persons authorized by the Data Subject or by law to know the information contained about them in databases or files.

Personal Data: Any information linked to or that may be associated with one or more identified or identifiable natural persons. Examples include: name, national ID number, address, email, phone number, marital status, health data, fingerprint, salary, assets, among others.

Sensitive Personal Data: Information that affects the Data Subject’s privacy or whose improper use may lead to discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions or social/human rights organizations, or that promotes the interests of any political party or guarantees the rights and safeguards of opposition political parties, as well as data related to health, sex life, and biometric data (including, among others, the capture of still or moving images, fingerprints, photographs, iris, voice, facial or palm recognition, etc.).

Public Personal Data: Data classified as such by law or the Political Constitution, and all data that is not semi-private or private. Public Personal Data includes, among others, data contained in public documents, public records, official gazettes and bulletins, and final judicial decisions not subject to confidentiality, as well as data related to civil status, profession or trade, and status as a merchant or public servant. These data may be obtained and offered without restriction, regardless of whether they refer to general, private, or personal information.

Private Personal Data: Data that, due to its intimate or reserved nature, is only relevant to the Data Subject, such as merchants’ books, information obtained from inspection of a residence, among others.

Semi-Private Personal Data: Personal Data that is not intimate, reserved, or public, and whose knowledge or disclosure may be of interest not only to the Data Subject but also to a certain sector or group of people or society in general, such as data concerning compliance or non-compliance with financial obligations, or data related to relationships with social security entities.

Data Processor (Encargado del Tratamiento): A natural or legal person who, alone or together with others, processes Personal Data on behalf of the Data Controller.

Complaint/Claim (Reclamo): Request made by the Data Subject or persons authorized by the Data Subject or by law to correct, update, delete their Personal Data, or to revoke Authorization in the cases established by law.

Data Controller (Responsable del Tratamiento): A natural or legal person, public or private, who, alone or together with others, decides on the collection, purposes of the database, and/or the processing of the data. For example, the company that owns the databases or information system containing Personal Data.

Data Subject (Titular): The natural person whose Personal Data is processed.

Processing: Any operation or set of operations on Personal Data, such as collection, storage, use, circulation, or deletion.

Transfer: A transfer occurs when the Data Controller and/or Data Processor located in Colombia sends information or Personal Data to a recipient who is also a Data Controller and is located inside or outside the country.

Transmission: Processing of Personal Data involving the communication of such data within Colombia (national transmission) or outside Colombia (international transmission) for the purpose of processing by the Data Processor on behalf of the Data Controller.

Principles for the Processing of Personal Data

Personal Data must be processed in compliance with general and special rules on the matter and only for activities permitted by law.

Principles related to the collection of Personal Data
In the development, interpretation, and application of this Policy, the following principles shall be applied harmoniously and comprehensively:

Freedom principle: Unless otherwise provided by law, Personal Data may only be collected with the Data Subject’s prior, express, and informed Authorization. Personal Data may not be obtained or disclosed without the Data Subject’s prior consent, or absent a legal or judicial mandate that waives consent.

Accordingly, the Data Subject must be informed clearly, sufficiently, and in advance of the purpose of the information provided. Therefore, data may not be collected without clearly specifying their purpose. Deceptive or fraudulent means may not be used to collect or process Personal Data.

Data minimization / limitation of collection principle: Only Personal Data strictly necessary to fulfill the purposes of processing must be collected, and it is prohibited to record or disclose data that is not closely related to the purpose of processing. Therefore, all reasonable efforts must be made to limit processing to the minimum necessary. Data must be:
(i) adequate
(ii) relevant
(iii) consistent with the purposes for which it was collected.

Principles related to the use of Personal Data
Purpose limitation principle: Processing must have a legitimate purpose in accordance with the Constitution and the Law, and the Data Subject must be informed of that purpose clearly, sufficiently, and in advance; data may not be collected without a specific purpose. Data must be processed according to authorized uses. If over time the use of Personal Data changes in ways the person does not expect, renewed prior consent must be obtained.

Storage limitation / temporality principle: Personal Data shall be kept only for the reasonable and necessary time to fulfill the purpose of processing and legal requirements or instructions from supervisory and control authorities or other competent authorities. Data shall be retained when necessary to fulfill a legal or contractual obligation. To determine the processing term, applicable rules for each purpose and administrative, accounting, tax, legal, and historical aspects will be considered. Once the purpose(s) has been fulfilled, the data will be deleted.

Non-discrimination principle: Any act of discrimination based on information collected in databases or files is prohibited.

Compensation principle: It is mandatory to compensate for damages caused by possible failures in Personal Data processing.

Principles related to information quality
Truthfulness/quality principle: Information subject to processing must be truthful, complete, accurate, updated, verifiable, and understandable. Processing partial, incomplete, fragmented, or misleading data is prohibited.

Therefore, reasonable measures must be adopted to ensure that data are accurate and sufficient and, when requested by the Data Subject or determined by Sundevs, they shall be updated, rectified, or deleted where appropriate.

Principles related to protection, access, and circulation
Security principle: Every person linked to Sundevs must comply with the technical, human, and administrative measures established by the entity to provide security to Personal Data, preventing alteration, loss, consultation, use, or unauthorized or fraudulent access.

Transparency principle: Processing must guarantee the Data Subject’s right to obtain at any time and without restrictions information about the existence of Personal Data concerning them.

Restricted access principle: Access to Personal Data shall only be allowed to:
• the Data Subject;
• persons authorized by the Data Subject; and
• persons authorized by legal mandate or court order.

Personal Data—except Public Personal Data—may not be available on the internet or other mass disclosure/communication media unless access can be technically controlled to provide restricted knowledge only to Data Subjects or authorized third parties according to law.

Restricted circulation principle: Personal Data may only be sent or supplied to:
• the Data Subject;
• persons authorized by the Data Subject; and
• public or administrative entities in the exercise of their legal functions or by court order.

Confidentiality principle: All persons involved in processing Personal Data that is not public must ensure confidentiality, even after their relationship with the processing activities ends, and may only provide or communicate Personal Data when it corresponds to activities authorized by law.

CHAPTER II – PURPOSES OF PROCESSING

Processing to which Personal Data will be subject and its purpose

Sundevs will process Personal Data lawfully and fairly to fulfill purposes related to its corporate purpose and, in particular, without limitation, the following:

Employees: Sundevs manages databases through which it processes Personal Data, such as résumés and contact information of employees and their family members or emergency contacts. These data are used to comply with internal labor, social security, and occupational risks obligations, and may be used for demographic and statistical purposes. Sundevs may entrust processing to authorized third parties.

Clients: Sundevs will process its clients’ authorized Personal Data to fulfill contractual obligations and/or maintain internal control of ongoing business relationships, and may be used for demographic and statistical purposes and promotional activities. Sundevs may entrust processing to authorized third parties.

Suppliers: Sundevs may process suppliers’ Personal Data to fulfill contractual obligations and/or maintain internal control of ongoing business relationships, as well as to verify potential conflicts, independence matters, and the financial, legal, and commercial viability of a potential business relationship. The data may be used for demographic and statistical purposes and promotional activities. Sundevs may entrust processing to authorized third parties.

Other third parties: Sundevs may process Personal Data of other third parties resulting from their participation in promotional activities or raffles carried out directly or indirectly by the company, in its own name or jointly with third parties, to comply with obligations and rules defined in applicable regulations and/or the promotion rules, and to verify potential conflicts and independence matters. The data may be used for demographic and statistical purposes and promotional activities. Sundevs may entrust processing to authorized third parties.

Sundevs may also process Personal Data it generally obtains for the following purposes:

• Carry out relevant steps for the pre-contractual, contractual, and post-contractual stages with clients and suppliers, regarding any products offered (whether acquired or not) or any underlying business relationship, as well as comply with Colombian or foreign law and orders from judicial or administrative authorities;

• Manage procedures (requests, complaints, claims), conduct satisfaction surveys regarding Sundevs goods and services or those of related companies and business partners;

• Provide contact information and pertinent documents to the sales force and/or distribution network, telemarketing, and any third party with which Sundevs has a contractual relationship of any kind;

• Disclose, transfer and/or transmit Personal Data within and outside the country to third parties as a result of a contract, law, or lawful relationship requiring it, or to implement cloud computing services; and/or when necessary for operations (administrative collections, client creation, accounting procedures, etc.);

• Transfer or transmit, nationally or internationally, to Sundevs affiliated companies as Data Processors or to third parties under a contract;

• Know the Data Subject’s information held by credit bureaus such as CIFIN and Datacrédito, or operators of financial, credit, commercial information databases from third countries referred to in Law 1266 of 2008, for the purposes indicated in that law and its regulations;

• Access and consult the Data Subject’s information contained in databases or files of any private or public entity (including ministries, administrative departments, DIAN, the Prosecutor’s Office, the National Civil Registry, courts, tribunals, and high courts), whether national, international, or foreign.

With respect to data (i) collected directly at locations where activities take place, (ii) taken from documents provided to security staff, and (iii) obtained from video recordings inside or outside the facilities where activities are carried out, these will be used for security and promotional purposes and may be used as evidence in any type of proceeding.

CHAPTER III – RIGHTS AND DUTIES

Rights of Data Subjects

Persons obliged to comply with this Policy must respect and guarantee the following rights of Data Subjects:

• Know, update, and rectify their Personal Data before the company, as Data Controller or Data Processor. For this purpose, the identity of the person must be verified beforehand to prevent unauthorized third parties from accessing the Data Subject’s data;

• Obtain a copy of the Authorization granted to Sundevs as Data Controller, except when expressly exempted as a requirement for processing under Article 10 of Law 1581 of 2012;

• Be informed about the use Sundevs has made or will make of the Data Subject’s Personal Data;

• Have inquiries and complaints handled according to the guidelines established in the law and this policy;

• Have requests to revoke Authorization and/or delete Personal Data granted when the Superintendence of Industry and Commerce has determined that Sundevs and/or the Data Processor engaged in conduct contrary to Law 1581 of 2012 or the Constitution;

• The Data Subject may also revoke Authorization and request deletion when there is no legal or contractual duty requiring the data to remain in the database or file;

• Requests for deletion and revocation will not proceed when the Data Subject has a legal or contractual duty to remain in the database or file;

• Access their processed Personal Data free of charge. The requested information may be provided by any means, including electronic, as required by the Data Subject, must be easy to read, without technical barriers, and must correspond fully to what is stored in the database.

These rights may be exercised by:

• the Data Subject, who must sufficiently prove identity through means provided by Sundevs;

• heirs/successors, who must prove such status;

• the Data Subject’s representative and/or attorney-in-fact, upon proof of representation; and/or

• by stipulation for the benefit of another.

Processing of minors’ data

The rights of children and adolescents shall be exercised by those legally empowered to represent them. Likewise, processing of minors’ data must have prior authorization from parents or guardians and must be permitted by applicable law. The company commits to respect minors’ fundamental rights, including privacy and reputation, and will adopt the strictest policies for proper handling and processing of minors’ personal data, in compliance with the Minors’ Code and any additional rules that supplement or amend it.

Duties of Sundevs as Data Controller

All persons obliged to comply with this Policy must bear in mind that Sundevs must comply with legal duties. Therefore, they must act in such a way as to fulfill the following obligations:

Duties regarding the Data Subject

• Request and keep a copy of the Authorization granted by the Data Subject, under the conditions set forth in this Policy;

• For minors, request and keep a copy of the Authorization granted by parents or guardians;

• Clearly and sufficiently inform the Data Subject about the purpose of collection and the rights granted by the Authorization;

• Guarantee the Data Subject the full and effective exercise of habeas data rights at all times (know, update, rectify);

• Inform, at the Data Subject’s request, about the use given to their Personal Data; and

• Process inquiries and complaints under the terms indicated in this policy.

Duties regarding quality, security, and confidentiality

• Observe principles of truthfulness, quality, security, and confidentiality;

• Keep information under necessary security conditions to prevent alteration, loss, unauthorized access or use;

• Update information when necessary; and

• Rectify Personal Data when appropriate.

Duties when processing through a third-party Data Processor

• Provide the Data Processor only Personal Data whose processing has been previously authorized. For national and international transmissions, execute a “Personal Data Transmission Agreement” or include contractual clauses per Article 25 of Decree 1377 of 2013;

• Ensure that information provided is truthful, complete, accurate, updated, verifiable, and understandable;

• Timely communicate all updates regarding the data and adopt measures to keep information updated;

• Inform the Data Processor of rectifications so they can make appropriate adjustments;

• Require the Data Processor to respect security and privacy conditions at all times; and

• Inform the Data Processor when certain information is under dispute by the Data Subject once a complaint has been filed and is pending decision.

Duties regarding the Superintendence of Industry and Commerce

• Inform it of any security code violations and risks in managing Data Subjects’ information; and

• Comply with instructions and requirements issued by the Superintendence of Industry and Commerce.

Duties of Sundevs as Data Processor

If Sundevs processes Personal Data on behalf of another entity (Data Controller), it must:

• Guarantee the Data Subject the full and effective exercise of habeas data rights;

• Keep information under security conditions to prevent alteration, loss, unauthorized access or use;

• Timely update, rectify, or delete data;

• Update information reported by Data Controllers within five (5) business days of receipt;

• Process inquiries and complaints under the terms indicated in this policy;

• Record in the database the notice “complaint in process” as established herein;

• Insert “information under judicial dispute” once notified of legal proceedings regarding data quality;

• Refrain from circulating disputed information when blocking has been ordered by the Superintendence;

• Allow access only to persons authorized by the Data Subject or by law;

• Inform the Superintendence of security code violations and risks; and

• Comply with instructions and requirements issued by the Superintendence.

CHAPTER IV – PRIVACY NOTICE

The privacy notice is a document in physical, electronic, or any other format, made available to the Data Subject before or at the time their data is collected. It is the means by which they are informed about the applicable Information Processing Policies, how to access them, and, in general, the purposes for which their data has been obtained and how Sundevs will process it.

CHAPTER V – AUTHORIZATION

Authorization

Those obligated to comply with this Policy must obtain the Data Subject’s (or parents’/guardian’s, in the case of minors) prior, express, and informed Authorization to collect and process their Personal Data.

This obligation does not apply to Public Personal Data; processing for historical, statistical, or scientific purposes where the information is not linked to a specific person; and data related to civil registration.

Forms and mechanisms to grant Authorization

To obtain Authorization, the following instructions must be followed:

First, before the Data Subject gives Authorization, it is necessary to clearly and expressly inform them of:
• the processing their Personal Data will be subject to and its purpose;
• the optional nature of responding to questions regarding Sensitive Personal Data or minors’ data;
• the rights they have as Data Subject under Article 8 of Law 1581 of 2012; and
• Sundevs’ identification, physical or electronic address, and phone number.

Second, consent will be obtained through any means that can later be consulted (in writing or formally orally).

Evidence must be kept of both the information duty and the consent. If the Data Subject requests a copy, it must be provided.

Authorization may also be obtained from the Data Subject’s unequivocal conduct that reasonably allows concluding that consent was granted for the processing and its purposes. Such conduct must be clear and leave no doubt. In no case may silence be considered unequivocal conduct.

Persons authorized to grant consent include:
• the Data Subject, proving identity sufficiently through means provided by Sundevs;
• the Data Subject’s heirs/successors, proving such status;
• the Data Subject’s representative/attorney-in-fact, upon proof of representation;
• parents or guardians in the case of minors; and
• by stipulation for the benefit of another.

CHAPTER VI – PROCESSING OF SENSITIVE PERSONAL DATA

In the course of its business activity, Sundevs processes Sensitive Data for specific purposes. For example, it collects, uses, and stores health and sick-leave/incapacity data of its workers and of minors.

Sundevs will process Sensitive Personal Data only when previously authorized by the relevant Data Subject and will process it under security and confidentiality standards corresponding to its nature.

For this purpose, Sundevs has implemented administrative, technical, and legal measures contained in its mandatory Policies and Procedures Manual, applicable to employees and, as relevant, to suppliers, related companies, and/or business partners.

The collection of Sensitive Personal Data will always indicate that it is optional and is not a condition to access any products or services.

Authorization for processing Sensitive Personal Data

When collecting Sensitive Personal Data, the following requirements must be met jointly:

• Authorization must be explicit;

• the Data Subject must be informed they are not required to authorize processing; and

• the Data Subject must be informed explicitly and in advance which data are sensitive and the purpose of processing.

Authorization for processing minors’ Personal Data

When collecting and processing minors’ Personal Data (children and adolescents), the following must be met jointly:

• Authorization must be granted by persons empowered to represent minors, who must ensure minors’ right to be heard and consider their opinion based on maturity and autonomy;

• it must be stated that answering questions about minors’ data is optional; and

• processing must respect the best interests of minors and ensure respect for their fundamental rights. The Data Subject must be informed explicitly and in advance which data are sensitive (if applicable) and the processing purpose.

Classification and special processing of certain Personal Data

Those obligated to comply with this Policy must identify Sensitive Personal Data and minors’ data they may collect or store in order to:

• implement heightened accountability and stricter compliance requirements;

• increase security levels;

• increase access and use restrictions; and

• consider legal and Policy requirements for collection.

CHAPTER VII – TRANSFER OF DATA TO THIRD COUNTRIES

When data is sent or transferred to another country, prior Authorization from the Data Subject whose data is being transferred will be required, unless the law provides otherwise. Such Authorization is a prerequisite for international circulation of data. Therefore, before sending Personal Data to Data Controllers located in another country, those obligated to comply with this Policy must verify that prior, express, and unequivocal Authorization exists allowing transmission of such Personal Data.

CHAPTER VIII – INTERNATIONAL AND NATIONAL TRANSMISSIONS TO DATA PROCESSORS

When Sundevs wishes to send or transmit data to one or more Data Processors located inside or outside Colombia, it must do so through contractual clauses or a “Personal Data Transmission Agreement” providing, among other things:

• the scope of processing;

• the activities the Data Processor will perform on behalf of Sundevs;

• the obligations the Data Processor must fulfill regarding the Data Subject and Sundevs;

• the obligation to comply with the Data Controller’s obligations while observing this Policy;

• the duty to process data according to the authorized purpose and principles in Colombian law and this policy;

• the obligation to adequately protect Personal Data and databases and maintain confidentiality; and

• a description of specific security measures to be adopted by Sundevs and the Data Processor at the destination.

CHAPTER IX – ACCESS, INQUIRY, AND COMPLAINT PROCEDURE

Procedures for Data Subjects to exercise their rights

Below are the procedures for Data Subjects to exercise their rights to know, update, rectify, delete information, or revoke Authorization.

Data Subjects’ rights may be exercised by:
• the Data Subject, proving identity sufficiently;
• heirs/successors, proving status;
• representatives/attorneys-in-fact, proving representation; and
• by stipulation for the benefit of another.

Minors’ rights shall be exercised by their legal representatives.

All inquiries and complaints will be handled through the channels enabled by Sundevs, which will adopt evidence mechanisms for filing and processing.

The following person/area of Sundevs will be responsible for data protection and handling Data Subjects’ requests: Human Resources and Finance.

Inquiries
All inquiries will be channeled through the company’s channels. Evidence must be kept of:
• date of receipt;
• identity of requester; and
• copy of requester’s ID.

Once identity is verified, the requested Personal Data will be provided. Responses must be provided within ten (10) business days from receipt. If not possible, the interested party will be informed of the reasons and the date when the inquiry will be answered, which may not exceed five (5) business days after the first term expires.

Complaints/Claims
Complaints aim to correct, update, delete data, or file a complaint for alleged non-compliance with duties in Law 1581 of 2012 and this Policy.

The complaint must be submitted in a request addressed to Sundevs containing:
• name and identification of the Data Subject or authorized person;
• precise and complete description of the facts giving rise to the complaint;
• physical or electronic address for response and status updates; and
• relevant documents and evidence.

If incomplete, the interested party will be required within five (5) days of receipt to correct deficiencies. If two (2) months pass without providing the required information, the complaint will be considered withdrawn.

If complete, a note “Complaint in process” and the reason will be included in the database/system within no more than two (2) business days and will remain until the complaint is decided.

The maximum term to address the complaint is fifteen (15) business days from the day after receipt. If not possible, the interested party will be informed of the reasons and the date it will be addressed, which may not exceed eight (8) business days after the first term expires.

Person/area responsible for Personal Data Protection

Human Resources and Finance will assume the data protection function and handle Data Subjects’ requests under Law 1581 of 2012, Decree 1377 of 2013, and this Policy. They can be contacted via:
• Email: contabilidad@sundevs.com, hr@sundevs.com
• Phone: (8)26292253127978329

The functions of the Personal Data Protection Officer(s) include:
1. Structure, design, and manage the Comprehensive Personal Data Protection Management Program.
2. Coordinate institutional efforts, resources, methodologies, and strategies to ensure implementation, sustainability, and continuous improvement.
3. Promote self-assessments at least once a year or as deemed necessary.
4. Advise on handling Data Subject requests under applicable law.
5. Coordinate across organizational areas for transversal implementation.
6. Integrate identified risks into the Integrated Management System and advise risk management.
7. Monitor controls and report progress at least annually.
8. Keep the Information Processing Policy and Data Protection Manual updated.
9. Support updates in the National Database Registry (RNBD).
10. Report complaints to the RNBD/SIC per regulation.
11. Supervise updates to the RNBD reporting.
12. Promote a data protection culture through awareness activities.
13. Lead registration of new databases and update reporting as required by SIC.
14. Obtain SIC conformity declarations when required for international transfers to non-certified safe countries.
15. Ensure effective implementation of adopted policies and good practices.
16. Support inspections and requirements from the supervisory authority.
17. Provide reports requested by oversight bodies.
18. Any other functions established by data protection regulations.

Videos and images obtained in Sundevs promotional activities

Sundevs is a company dedicated to software systems development activities (planning, analysis, design, programming, testing) and IT consulting and IT facilities management activities. The collected information will be used for the security of people, assets, and facilities. This information may be used as evidence in any type of proceeding before any authority or organization.

Other documents forming part of this Policy

The Sundevs Internal Work Regulations, confidentiality agreements, labor or commercial contracts, and other documents that directly or indirectly address Personal Data Processing form part of this Policy. This Policy will prevail in case of inconsistencies regarding Personal Data Processing between those documents and this Policy.

Effective date and validity period of databases

This policy will enter into force as of February 24, 2021.