PERSONAL DATA PROTECTION POLICY

1. Reach

This Personal Data Protection Policy will apply to all databases and/or files containing personal data that are processed byJLC Auditors & Advisors SASas the controller of Personal Data, (hereinafter, “THE COMPANY”).

2. Identification of the Data Controller

JLC Auditors & Advisors SAS Entity with registered address at Calle 98 70 91 Of. 803 in the city of Bogotá D.C., in the municipality of Bogotá (Cundinamarca), Colombia.

3. Definitions

  • Authorization: Prior, express and informed consent of the Data Subject to carry out the Processing of Personal Data.
  • Privacy NoticeVerbal or written communication generated by the Data Controller, addressed to the Data Subject for the Processing of their Personal Data, informing them about the existence of the applicable Data Processing Policies, how to access them, and the purposes of the intended  processing of their personal data.
  • Database: An organized set of Personal Data that is subject to Processing.
  • Customers: Natural or legal person, public or private, with whom THE COMPANY has a business  relationship.
  • Consumers: Natural person who consumes the services produced by THE COMPANY.
  • Personal Data Any information linked to or that can be associated with one or more specific or identifiable natural persons. Examples of personal data include: name, national identity card number, address, email address, telephone number, marital status, health information, fingerprint, salary, assets, financial statements, etc.
  • Sensitive dataInformation that affects the privacy of the Data Subject or whose misuse may lead to discrimination, such as information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, membership in trade unions, social or human rights organizations, or organizations that promote the interests of any political party or guarantee the rights and protections of opposition political parties, as well as data relating to health, sex life, and biometric data, including, among others, still or moving images, fingerprints, photographs, iris scans, voice recognition, facial or palm recognition, etc.
  • Data Controller A natural or legal person, public or private, who, alone or jointly with others, processes Personal Data on behalf of the Data Controller. In cases where the Data Controller does not act as the Data Processor, the Data Processor will be expressly identified.
  • Data ControllerA natural or legal person, public or private, who, alone or jointly with others, decides on the Database and/or the Processing of the data.
  • ClaimRequest from the data subject or persons authorized by the data subject or by law to correct, update, or delete their personal data or to revoke authorization in the cases established by law.
  • Terms and ConditionsGeneral framework establishing the conditions for participants in promotional or related activities.
  • Titular Natural person whose Personal Data is being processed.
  • Transfer Data transfer occurs when the Data Controller and/or Processor, located in Colombia, sends the information or personal data to a recipient, who is also a Data Controller and is located within or outside the country.
  • Transmission Processing of Personal Data that involves the communication of such data within or outside the territory of the Republic of Colombia when its purpose is for the Processor to carry out processing on behalf of the Controller.
  • Treatment Any operation or set of operations performed on Personal Data, such as collection, storage, use, circulation, or deletion.

4. Principles Applicable to the Processing of Personal Data

For the Processing of Personal Data,THE COMPANYIt will apply the principles mentioned below, which constitute the rules to be followed in the collection, handling, use, processing, storage and exchange of personal data:

  • Legality: The processing of personal data will be carried out in accordance with applicable legal provisions (Statutory Law 1581 of 2012 and its regulatory decrees).
  • Purpose: The personal data collected will be used for a specific and explicit purpose, which must be communicated to the Data Subject or permitted by law. The Data Subject will be informed clearly,  sufficiently, and in advance about the purpose of the information provided.
  • Freedom: The collection of Personal Data may only be carried out with the prior, express, and informed authorization of the Data Subject.
  • Truthfulness or Quality: Information subject to Personal Data Processing must be truthful,  complete, accurate, up-to-date, verifiable, and understandable.
  • Transparency: In the processing of personal data, the data subject’s right to obtain, at any time and without restrictions, information about the existence of data concerning them is guaranteed.
  • Access and restricted circulation: The processing of personal data may only be carried out by  persons authorized by the Data Subject and/or by persons provided for by law.
  • Security: Personal data subject to processing will be handled using all necessary security measures  to prevent its loss, alteration, unauthorized or fraudulent access, use, or disclosure.
  • Confidentiality: All officials who work inTHE COMPANYThey are obliged to maintain confidentiality regarding the personal information they access in the course of their work. THE COMPANY.

5. Treatment and Purposes to which the Personal Data processed by THE COMPANY will be subjected

THE COMPANYActing as the Data Controller, for the proper development of its business activities, as well as for strengthening its relationships with third parties, it collects, stores, uses, circulates and deletes Personal Data corresponding to natural persons with whom it has or has had a relationship, such as, without limitation, employees and their family members, shareholders, consumers, clients, distributors, suppliers, creditors and debtors, for the following purposes:

A. General purposes for the processing of Personal Data

  • To allow the Holders to participate in marketing and promotional activities (including participation in contests, raffles and sweepstakes) carried out by THE COMPANY;
  • Evaluate service quality, conduct market research on consumption habits, and perform statistical analyses for internal use;
  • Controlling access to the offices of THE COMPANYand establish security measures, including the establishment of video-monitored areas;
  • To respond to inquiries, requests, complaints and claims made by Data Subjects and oversight bodies and to transmit Personal Data to other authorities that, under applicable law, must receive Personal Data;
  • To eventually contact, via email or any other means, individuals with whom it has or has had a  relationship, such as, but not limited to, employees and their family members, shareholders,  consumers, clients, distributors, suppliers, creditors, and debtors, for the aforementioned purposes.
  • Transfer the collected information to different areas ofTHE COMPANYand to its affiliated companies in Colombia and abroad when necessary for the development of its operations (accounts receivable and administrative collections, treasury, accounting, among others);
  • For the handling of judicial or administrative requirements and the fulfillment of judicial or legal mandates;
  • Register your personal data in the information systems of THE COMPANY and in their commercial and operational databases;
  • Any other activity of a similar nature to those described above that may be necessary to carry out the corporate purpose of THE COMPANY.

B. Regarding the personal data of our Clients and Consumers:

  • To fulfill the obligations undertaken by THE COMPANY with its Clients and Consumers at the time of purchasing our products;
  • Send information about changes in the conditions of the products offered by THE COMPANY;
  • Send information about offers related to our products that you offer THE COMPANY and its affiliated companies;
  • To strengthen relationships with its Consumers and Clients, through sending relevant information,  taking orders, and evaluating service quality;
  • For the determination of outstanding obligations, the consultation of financial information and credit history, and the reporting of defaulted obligations to credit bureaus, with respect to its debtors;
  • Allowing companies linked to THE COMPANY, with whom it has entered into contracts that include provisions to guarantee the security and proper handling of the personal data processed, contact the Data Controller for the purpose of offering goods or services of interest to them;
  • Controlling access to the offices ofTHE COMPANYand establish security measures, including the  establishment of video-monitored areas;
  • Use the various services through the websites of THE COMPANY including downloads of content and formats;

C. Regarding the personal data of our employees:

  • To manage and operate, directly or through third parties, the processes of personnel selection and  hiring, including the evaluation and qualification of participants and the verification of employment and personal references, and the performance of security studies;
  • To carry out the activities inherent to Human Resources management within THE COMPANY such as payroll, affiliations with entities of the general social security system, occupational health and  welfare activities, exercise of the employer’s disciplinary power, among others;
  • To make the necessary payments arising from the execution of the employment contract and/or its  termination, and any other social benefits to which they may be entitled in accordance with  applicable law;
  • Contracting out employee benefits to third parties, such as life insurance, medical expenses, among  others;
  • Notify authorized contacts in case of emergencies during working hours or in connection with work  activities;
  • To coordinate the professional development of employees, their access to the employer’s IT resources, and provide support for their use;
  • Plan business activities;

D. Regarding Supplier Data:

  • To invite them to participate in selection processes and events organized or sponsored by THE COMPANY;
  • For the evaluation of compliance with their obligations;
  • To register in the systems ofTHE COMPANY;
  • To process your payments and verify outstanding balances;

E. Regarding the personal data of our shareholders:

  • For the recognition, protection and exercise of the rights of shareholders of THE COMPANY;
  • For the payment of dividends;
  • To eventually contact shareholders via email or any other means for the aforementioned purposes;

6. Rights of Personal Data Holders

Natural persons whose Personal Data is processed by THE COMPANY They have the following rights, which they can exercise at any time:

6.1 To know the Personal Data about which THE COMPANY The Data Subject is carrying out the Processing. Likewise, the Data Subject may request at any time that their data be updated or rectified, for  example, if they find that their data is partial, inaccurate, incomplete, fragmented, misleading, or if its  Processing is expressly prohibited or has not been authorized.
6.2 Request proof of the authorization granted toTHE COMPANY for the processing of your personal data.
6.3 To be informed by THE COMPANY Upon request, regarding the use that this entity has made of your Personal Data.
6.4 File complaints with the Superintendency of Industry and Commerce for violations of the provisions  of the Personal Data Protection Law.
6.5 Request from THE COMPANY the deletion of your Personal Data and/or the revocation of the authorization granted for its Processing, by submitting a claim, in accordance with the procedures established in section 13 of this Policy. However, the request for deletion of information and the revocation of authorization will not be granted when the Data Subject has a legal or contractual obligation to remain in the Database and/or Files, nor while the relationship between the Data Subject and the Data  Controller remains in effect.THE COMPANYunder which their data was collected.
6.6 Access your Personal Data that has been processed, free of charge. The rights of the Data Subjects may be exercised by the following persons:
-By the Holder;
-By their successors in title, who must prove such status;
-By the representative and/or attorney-in-fact of the Holder, upon prior accreditation of the representation or power of attorney;
-By stipulation in favor of another or for another.

7. Duties of THE COMPANY as Data Controller

THE COMPANYIt is understood that Personal Data belongs to the individuals to whom it refers and only  they can decide how it is used. In that sense,THE COMPANYThe Personal Data collected will be used only for the purposes for which it is duly authorized and respecting, in all cases, current regulations on the  Protection of Personal Data. THE COMPANYIt will comply with the duties established for Data  Controllers, as set forth in Article 17 of Law 1581 of 2012 and other regulations that amend, modify or  replace it.

8. Area Responsible for the Implementation and Compliance of this Policy

The JLC Management area is responsible for the development, implementation, training, and compliance  with this Policy. To this end, all employees who process personal data in the different areas of JLC…THE  COMPANY They are obligated to report these Databases to the Management area and to immediately  forward to it all requests, complaints or claims received from Personal Data Holders.
The JLC Management area has also been designated by THE COMPANYas the area responsible for handling requests, inquiries, complaints, and claims, before which the Data Subject may exercise their rights to know, update, rectify, and delete their data and revoke their authorization. This area is located at the following address:Calle 98 70 91 Of. 803, Bogotá D.C., Colombiaand can be contacted via  email:[email protected]

9. Authorization

THE COMPANY It will request prior, express, and informed authorization from the Data Subjects whose  Personal Data it requires to process. This expression of the Holder’s will can be given through different  mechanisms made available by THE COMPANY such as:

  • In writing, by completing an authorization form for the Processing of Personal Data determined  by THE COMPANY.
  • Orally, through a telephone conversation or videoconference.
  • Through unambiguous conduct that allows the conclusion that they granted their authorization,  through their express acceptance of the Terms and Conditions of an activity that requires the  authorization of participants for the Processing of their Personal Data.

IMPORTANT: Under no circumstances THE COMPANY The silence of the Holder will be interpreted
as unequivocal conduct.

10. Special Provisions for the Processing of Personal Data.

A.Processing of Sensitive Personal Data

The processing of sensitive personal data is prohibited by law, unless there is express, prior and informed  authorization from the data subject, among other exceptions established in Article 6 of Law 1581 of 2012.
In this case, in addition to meeting the established requirements for authorization, THE COMPANY will inform the Holder:
– Because the data is sensitive, the individual is not obligated to authorize its processing.
– Which of the data to be processed are sensitive and the purpose of the processing.

Additionally, THE COMPANYsensitive data collected will be processed under security and confidentiality  standards appropriate to its nature. To this end,THE COMPANYIt has implemented administrative,  technical, and legal measures contained in its Policies and Procedures Manual, which are mandatory for  its employees and, where applicable, for its suppliers, affiliated companies, and business partners.

B.Processing of Personal Data of Children and Adolescents

According to the provisions of Article 7 of Law 1581 of 2012 and Article 12 of Decree 1377 of 2013,THE  COMPANYThe company will only carry out treatment related to children and adolescents if such  treatment responds to and respects the best interests of the children and adolescents and ensures respect  for their fundamental rights.

Once the above requirements have been met,THE COMPANYAuthorization must be obtained from the  legal representative of the child or adolescent, after the minor has exercised their right to be heard, an  opinion that will be valued taking into account their maturity, autonomy, and capacity to understand the matter.

11. Procedure for Handling and Responding to Requests, Inquiries, Complaints and Claims from Personal Data Holders

The Holders of Personal Data processed by THE COMPANY They have the right to access their Personal  Data and the details of said Processing, as well as to rectify and update them if they are inaccurate or to request their deletion when they consider them to be excessive or unnecessary for the purposes that  justified their collection, or to object to their Processing for specific purposes.

The procedures implemented to guarantee the exercise of these rights through the submission of the eespective application are:
▪Communication addressed to JLC Auditors Management area,Calle 98 70 91 Of. 803, Bogotá D.C. Colombia.
▪Application submitted to the email address: [email protected]
▪Application submitted via telephone+57 (1) 2456465 to the Management area.

These channels may be used by data subjects, or third parties authorized by law to act on their behalf, in order to exercise the following rights:

11.1 Procedure for making requests and inquiries

i. The Data Subject may consult their personal data at any time. To do so, they may submit a request  indicating the information they wish to know, through any of the mechanisms mentioned above.
ii. The Data Subject or their successors must prove their identity, the identity of their representative, and the representation or stipulation in favor of or for another. When the request is made by a person other than the Data Subject and it is not proven that they are acting on their behalf, it will be considered not submitted.
iii. The inquiry and/or request must contain at least the name and contact address of the Data Subject or any other means to receive a response, as well as a clear and precise description of the personal data  regarding which the Data Subject seeks to exercise the right of inquiry and/or request.
iv. If the query and/or request made by the Data Subject is incomplete, THE COMPANY The interested  party will be required, within five (5) days of receiving the inquiry and/or request, to correct the  deficiencies. If two (2) months have passed since the date of the request, and the applicant has not  submitted the required information, it will be understood that they have withdrawn their inquiry.
v. Requests and/or inquiries will be handled byTHE COMPANYwithin a maximum period of ten (10)  business days from the date of receipt. If it is not possible to address the request or inquiry within this  period, the applicant will be informed of this fact, stating the reasons for the delay and indicating the date on which their request or inquiry will be addressed, which in no case may exceed five (5) business days  following the expiration of the first period.

11.2 Procedure for submitting complaints and claims

In accordance with the provisions of Article 14 of Law 1581 of 2012, when the Data Subject or their successors consider that the information processed byTHE COMPANYIf it needs to be corrected,  updated, or deleted, or if it needs to be revoked due to an alleged breach of any of the duties contained in  the Law, they may submit a request toTHE COMPANYwhich will be processed under the following rules:
i. The Data Subject or their successors must prove their identity, the identity of their representative, and  the representation or stipulation in favor of or for another. When the request is made by a person other  than the Data Subject and it is not proven that they are acting on their behalf, it will be considered not  submitted.
ii. The request for rectification, updating, deletion or revocation must be submitted through the means  enabled by THE COMPANY indicated in this document and contain, at a minimum, the following  information:
– The name and home address of the Data Subject or any other means to receive the response.
– Documents proving the identity of the applicant and, if applicable, that of their representative with the  corresponding authorization.
– A clear and precise description of the personal data with respect to which the Data Subject seeks to exercise any of their rights, and the specific request.
iii. If the application is submitted incomplete, THE COMPANY The applicant must be notified within five  (5) days of receipt to correct any deficiencies. If the applicant fails to provide the required information  within two (2) months of the notification date, it will be understood that they have withdrawn their  application.
iv. If the person receiving the request is not authorized to resolve it, they will forward it to the JLC Legal Department within a maximum of two (2) business days and inform the interested party of the situation.
v. Once the request is received, a note stating “claim in process” and the reason for the claim will be added to the Database within a period not exceeding two (2) business days. This note must remain until the  claim is resolved.
vi. The maximum time to process this request will be fifteen (15) business days, counted from the day  after the date of receipt. If it is not possible to process it within this period, the interested party will be  informed of the reasons for the delay and the date on which their claim will be addressed, which in no  case may exceed eight (8) business days following the expiration of the first period.

12.Information obtained passively

When using the services contained within the websites of THE COMPANY This website may passively  collect information through information management technologies, such as “cookies,” which collect  information about the user’s hardware and software, IP address, browser type, operating system, domain  name, access time, and referring website addresses. These tools do not directly collect users’ Personal  Data. Information will also be collected about the pages the user visits most frequently on these websites  to understand their browsing habits. However, users of the websites ofTHE COMPANYYou have the  option to configure how cookies work, according to your internet browser settings.

13.Personal Data Security

THE COMPANY In strict application of the Principle of Security in the Processing of Personal Data, the  company will provide the necessary technical, human, and administrative measures to ensure the security  of the records, preventing their alteration, loss, unauthorized or fraudulent access, use, or  disclosure. The obligation and responsibility ofTHE COMPANYIt is limited to providing the appropriate  means for this purpose.THE COMPANYdoes not guarantee the total security of your information nor is it  responsible for any consequences arising from technical failures or unauthorized access by third parties to the database or file where the Personal Data subject to Processing by [Company Name] is stored. THE COMPANY and their managers. THE COMPANY It will require the service providers it contracts to adopt and comply with appropriate technical, human, and administrative measures for the protection of  Personal Data in relation to which said providers act as Processors.

14.Transfer, Transmission and Disclosure of Personal Data

THE COMPANY It may disclose to its affiliated companies worldwide the Personal Data it processes, for their use and processing in accordance with this Personal Data Protection Policy.

Likewise THE COMPANY may provide Personal Data to third parties not affiliated with THE COMPANY when:
– These are contractors executing contracts for the development of activities related to THE COMPANY;
– By transfer, under any title, of any line of business to which the information relates.

In any case, when THE COMPANY If you wish to send or transmit data to one or more Processors located  within or outside the territory of the Republic of Colombia, you will establish contractual clauses or enter  into a personal data transfer agreement in which, among other things, the following will be agreed:
i. The scope and purposes of the treatment.
ii. The activities that the Manager will carry out on behalf ofTHE COMPANY.
iii. The obligations that the Data Processor must fulfill with respect to the Data Subject and THE COMPANY.
iv. The Data Processor has a duty to process data in accordance with the authorized purpose and observing the principles established in Colombian law and this policy.
v. The obligation of the Data Processor to adequately protect personal data and databases, as well as to maintain confidentiality regarding the processing of transmitted data.
vi. A description of the specific security measures that will be adopted by both THE COMPANY as well as  by the Data Controller at their destination.
THE COMPANY Authorization will not be required when the international data transfer is covered by any of the exceptions provided for in the Law and its Regulatory Decrees.

15.Applicable Legislation

This Personal Data Protection Policy, the Privacy Notice, and the Authorization Form Annex, which forms part of this Policy, are governed by the provisions of current legislation on the protection of Personal Data, as referred to in Article 15 of the Political Constitution of Colombia, Law 1266 of 2008, Law 1581 of 2012, Decree 1377 of 2013, Decree 1727 of 2009, and other regulations that modify, repeal, or replace  them.

16.Validity

This Personal Data Protection Policy has been in effect since January 1, 2018.

    X

    Contact us by WhatsApp