PERSONAL DATA AND PRIVACY PROTECTION POLICY

INTRODUCTION

According to Law 1581 of 2012 and regulating decrees, PRODUCTORA DE SOFTWARE S.A. (hereinafter, “PSL”) adopts the personal data and privacy protection policy herein, which regulates collection, storage, treatment, protection, and management of data obtained by PSL from customers, suppliers, employees, and any other stakeholder PSL has or shall have any relation whatsoever.

PSL shall be able to modify this policy in order to adapt it to current legislation and jurisprudence changes and to industry practices. If so, PSL shall disclose timely on its website, or any other appropriate media, the introduction to such changes.

Data freely and willingly provided to PSL by customers, suppliers, employees, or any other stakeholder through any media shall be introduced to its databases under PSL’s responsibility.

PSL shall treat personal data adequately and safely complying with all legal requirements and following the parameters under ISO 27001 standard, Data Safety; PSL has been duly ISO 27001 certified.

TREATMENT GENERAL ASPECTS

Identification of the Treatment Accountable Party:

PRODUCTORA DE SOFTWARE S.A., identified with VATIN 890,923,937-6, is based in Itagüí municipality, Department of Antioquia, on Carrera 42 No. 72 - 11, 4th floor, Capricentro building, website: www.psl.com.co, e-mail: This email address is being protected from spambots. You need JavaScript enabled to view it., phone: +574 372-2022.

Nature of the Personal Information Collected:

PSL shall collect contact data and any other kind of pertinent data according to the nature of the relation PSL has with the data holder, whether work, commercial, or any other kind of data.

In general, personal data collected by PSL has the following nature, depending on the data holder:

Interested in Commercial Relations. People who, on their own will, contact PSL on its website, e-mail, phone, or any other media, in order to request information about products or services, assess possibilities of commercial alliances, supply PSL products or services, and, in general, assess the possibility to develop any type of relation with the company. In these cases, requested data is basic, related to the person’s identification, company he/she works for, position, e-mail, phone, city, and subject. At times, when contacted on PSL website, the company servers get, for statistical purposes, data related to the operative system, version and type of browser, and IP address used by the contacting party.

Customers, Suppliers, and Others. When a final commercial relation is established, PSL collects data required to adequately process such relation according to the parameters set forth herein, in compliance with all legal requirements and related agreements.

People who send their resumes on their own will to the company in order to be considered for selection processes. Data provided on such resumes is exclusively used for effects of the selection, recruiting, and hiring process by staff in charge of such processes. PSL shall not share collected data with any natural or corporate person other than itself.

Employees. Employee data is strictly confidential duly adjusted to Colombian laws. It is used only by those who are in charge of human relations. PSL shall not disclose any data related to employees to people other than those in charge of work relations or to entities and people outside the company.

Sources of Data:

PSL collects data from the following sources:

Directly from the Holder of the Data

Automatically, when the data holder uses PSL websites. PSL websites use cookies and other tools that collect visitors’ data; just by visiting a website, the following information may be obtained, automatically:

  • Clicker hyperlinks.
  • Used browser.
  • Website pages visited.
  • IP address.
  • Websites visited before accessing the portal.

Thus, if the data holder does not want it to be automatically collected, he/she must disable automatic acceptance from the browser and know when data is being sent to his/her computer. If cookies are disabled, website experience might be affected.

From other sources. PSL shall be able to get personal data from public databases or from third parties duly authorized by the data holder to share data.

Treatment Data Shall be Submitted to

Personal data obtained by PSL, might be subject to be stored, used, circulated, or deleted, depending on the purpose it had been collected for, and/or according to the law.

Data subject to treatment must be truthful, whole, accurate, updated, verifiable, and understandable.

Purpose of the Treatment

Data collected by PSL shall be used, with the holders’ authorization, for these purposes:

  1. Offer information on products and services, as well as commercial opportunities.
  2. Materialize potential legal relations with people interested in becoming PSL customers, suppliers, or employees.
  3. Provide services to the holder of the information, as well as assistance, advisory, and support required to comply with duties originated from the commercial relation.
  4. Keep customers updated on commercial process development, as well as the offer or execution of services rendered by PSL, including cloud services.
  5. Comply with the requirements attached to the duties PSL was hired for.
  6. Perform product and service marketing, promotion, advertising, and purchases, as well as searches, controls, verifications, alliances, agreements, and any other activity related to PSL services and current and future products.
  7. Keep internal statistics and assess offered product and service quality, as well as customer, supplier, and other stakeholder level of satisfaction through satisfaction polls and any other mechanism devised for such purpose.
  8. Conduct own administrative, countable, and fiscal duties, including, but not being limited to, invoicing, accounts receivable and accounts payable processes, supplier management, and reports to fiscal authorities.
  9. Hire people for the company and comply with legal employer obligations, such as, but not being limited to, personnel, temporary employee and intern, and payroll management; work risk prevention, personnel training, social security affiliation and payment; and work wellbeing.
  10. Comply with legal and statutory duties.
  11. Respond questions, claims, and complaints.
  12. Conduct activities aimed at controlling and minimizing company online and offline safety risks.
  13. Transfer and/or transmit data to third parties in the country or overseas, if required, as long as such people guarantee transmitted and/or transferred data confidentiality and safety.

The aforementioned activities personal data is used for, are conducted by PSL or third parties hired by PSL, as required. In any case, PSL shall guarantee that hired third parties to treat data comply with these bylaws and with the parameters set forth by law.

Sensitive Data Treatment

Sensitive data is data that affects the intimacy of the data holder and when undue use may generate discrimination, such as those related to ethnic or racial origin, sexual life, health, and biometric data (that is, those that allow identifying a person for his/her physical features, voice, movement, such as pictures, fingerprints, signatures, etc.), or data related to religious or philosophical conviction or political orientation.

Data holder has the right not to provide sensitive data requested by PSL. Likewise, the data holder is warned not to send sensitive data when not required to provide PSL services.

Underage Data Treatment

PSL only treats underage personal data collected only with the express consent of their parents or legal representatives, depending on the case, only for relevant purposes according to this policy.

Authorization to Treat Personal Data

PSL shall notify the personal data holder about this policy and shall be granted authorization to treat his/her personal data. Likewise, PSL shall notify the data holder on any changes made to this policy and shall be granted new authorization if such changes refer to the purpose of the treatment.

The authorization may be granted to PSL through written document, e-mail, verbally, by phone, or through any other media that allows keeping, searching, or evidencing such authorization. In addition to it, such authorization shall be able to be manifested through unambiguous conducts that allow reasonably concluding that he/she granted such authorization. Silence from the data holder shall never be associated to an unambiguous conduct.

PSL shall not require authorization from the data holder when:

  1. Data has been requested by a public or administrative entity in exercise of its legal duties or through legal order;
  2. Data has public nature;
  3. Medical or sanitary emergency;
  4. Special treatment authorized by law for historical, statistical, or scientific purposes;
  5. Data related to the person’s birth certificate.

Confidentiality

PSL shall not make public employee, customer, supplier, stakeholder, or anybody else’s personal data, with whom PSL has any kind of relation or relationship, and shall only disclose such data to those people authorized by PSL that must know it in order to make the respective treatment of such data to those people authorized by law.

PSL DUTIES

PSL may be simultaneously accountable and in charge of personal data treatment. In case PSL performs both roles, it shall comply with both legal duties, as follows:

PSL Duties as Accountable for the Treatment

As accountable for the treatment, PSL shall have the following duties:

  1. Guarantee the data holder, at all times, full and effective exercise of the habeas data right.
  2. Request and keep, under the conditions foreseen by Law 1581 of 2012, and regulating decrees, copy of the authorization thereof granted by the data holder;
  3. Duly report the data holder on data collection purposes and rights that cover him/her in virtue of the authorization granted.
  4. Keep information under required safety conditions to hinder unauthorized or deceitful adulteration, loss, search, use, or access.
  5. Guarantee that information provided to the Treatment Responsible Party is truthful, whole, accurate, updated, verifiable, and understandable.
  6. Update data, timely posting the Treatment Responsible Party, on any changes on data that had been previously submitted and adopt any required measure for provided data to be constantly updated.
  7. Correct data when inaccurate and communicate what is relevant to Treatment Responsible Party.
  8. Provide the Treatment Responsible Party, depending on the case, only with data whose treatment has been duly authorized in compliance with Law 1581 of 2012.
  9. Demand from the Treatment Responsible Party, at all times, compliance with data holder safety and privacy conditions.
  10. Process requests and claims in compliance with the term under Law 1581 of 2012.
  11. Adopt an internal policy and procedure guideline to guarantee adequate compliance with the law and, particularly, to answer requests and claims.
  12. Report to the Treatment Responsible Party when certain data is being debated by the data holder, once a claim has been made and the process has not finished.
  13. Report the data holder on the use given to his/her data, upon request.
  14. Report the Superintendence of Industry and Commerce whenever safety codes are breached and there are risks to the management of holders’ data.
  15. Comply with the Superintendence of Industry and Commerce instructions and requirements.

PSL Duties as the Party in Charge of the Treatment

  1. Guarantee the data holder, at all times, full and effective exercise of the habeas data right.
  2. Keep information under required safety conditions to hinder unauthorized or deceitful adulteration, loss, search, use, or access.
  3. Timely update, correct, or delete date in compliance with the terms under the law.
  4. Update data reported by the Treatment Responsible Party within five (5) business days since filing date.
  5. Process requests and claims in compliance with the terms under the law.
  6. Adopt an internal policy and procedure guideline to guarantee adequate compliance with the law and, particularly, to answer requests and claims.
  7. Register in the database the label “Request in Progress” as regulated by the law.
  8. Insert in the database the label "Data in Legal Discussion" once notified by the competent authority on legal processes related to personal data quality.
  9. Refrain from using data being debated by the data holder and that has been ordered to be blocked by the Superintendence of Industry and Commerce.
  10. Allow access to data only to authorized people.
  11. Report the Superintendence of Industry and Commerce whenever safety codes are breached and there are risks to the management of holders’ data.
  12. Comply with the Superintendence of Industry and Commerce instructions and requirements.

DATA HOLDER RIGHTS

Data holders have the following rights:

  1. Know, update, and correct personal data for PSL. This right may be exercised, among others, when data is partial, incomplete, inaccurate, fractioned, error-inducing, or when treatment has been expressly forbidden or unauthorized.
  2. Request proof of authorization granted to PSL, except when expressly excepted as treatment requirement in compliance with the law.
  3. Be informed by PSL, upon request, on use given to personal data.
  4. Submit complaints to the Superintendence of Industry and Commerce for personal data protection breaches.
  5. Revoke authorization and/or request personal data deletion whenever data treatment has no respect for principles, rights, and legal or constitutional guarantees.
  6. Free access to personal data being subject to treatment.

PROCEDURES

Request, Search, Claim, and Complaint Attention Responsible Area

Information Safety Area shall be in charge of attending data holders’ requests, searches, claims, and complaints, according to the procedures hereunder.

Searches

Data titleholders, or their successors, have the right to request personal data as treated by PSL. Requests shall be made at Carrera 42 No. 72 - 11, 4th floor, Capricentro building, Itagüí, Antioquia, at +574 372-2022, or at This email address is being protected from spambots. You need JavaScript enabled to view it.

When making a request, the following information shall be provided:

  • If data holder: Copy of the identification document (Colombian Citizenship Identification Card, Colombian Underage Identification Card, Colombian Foreigner Identification Card, or passport).
  • If successor: Copy of the identification document, data holder death certificate, document certifying his/her capacity, and the data holder identification number.
  • Legal representative or representative: Valid identification document copy, power of attorney thereof, and the data holder identification number.

The request shall be answered within ten (10) business days since filing date.

Whenever it is not possible to answer the request in such term, the interested party shall be notified about the reasons for the delay and the date when it shall be answered which shall never exceed five (5) additional business days to the previous term.

Claims:

The data holder has the right to request updating, correcting, and deleting personal data, as well as revoking the authorization granted to PSL. For that, he/she may file such claim at Carrera 42 No. 72 - 11, 4th floor, Capricentro building, Itagüí, Antioquia, at +574 372-2022, or at This email address is being protected from spambots. You need JavaScript enabled to view it.

When making a request, the following information shall be provided:

  • If data holder: Copy of the identification document (Colombian Citizenship Identification Card, Colombian Underage Identification Card, Colombian Foreigner Identification Card, or passport).
  • If successor: Copy of the identification document, data holder death certificate, document certifying his/her capacity, and the data holder identification number.
  • Legal representative or representative: Valid identification document copy, power of attorney thereof, and the data holder identification number.

Additionally, the request shall clearly indicate the expectations; that is, if it is about an update, correction, or deletion of the data or revoking the authorization granted to PSL for the treatment of personal data.

Likewise, the request shall identify the data holder, describe the facts that led to the claim, provide contact data, and submit all documents thereof.

If the request is incomplete, the interested party shall be notified in order to correct the mistakes within five (5) business days following the filing of the original request. After two (2) months of the filing date without the additional information being submitted, it shall be construed the claim has been withdrawn.

Once the full claim has been received, the database entry shall read “Request in progress”, indicating the reason for the request, within two (2) business days. Such label shall be kept until the claim is duly answered.

The maximum term to answer the claim shall be fifteen (15) business days counted since the date following the filing date. Whenever it is not possible to answer the request in such term, the interested party shall be notified about the reasons for the delay and the date when it shall be answered which shall never exceed eight (8) additional business days to the previous term.

PERSONAL DATA AND PRIVACY PROTECTION POLICY VALIDITY

This policy shall become effective since disclosed through any media. PSL has the right to update it or modify it at any time; if so, PSL shall warn recipients through any means.

PSL DATABASE VALIDITY

PSL databases shall be valid for the period of time required by law, by the agreement that regulates them, or by the time required to comply with the database purpose according to this policy. PSL shall not delete databases that by law shall be valid during a specific period of time set forth under the agreement that regulates them or by the purpose they were created for, if they determine a validity term lower than the one legally set forth.