PERSONAL DATA PROTECTION POLICY

The personal data treatment and protection policy is presented below, which must be applied by ZUMATI SAS, its employees and collaborators, within the framework of
development and application of Statutory Law 1581 of 2012 and Regulatory Decree 1377 of 2013, on data protection in the Republic of Colombia.

1. LEGAL FRAMEWORK.

• Political Constitution of Colombia, article 15,
• Law 1581 of 2012,
• Regulatory Decree 1377 of 2013.
  

2. PURPOSE.

Establish the general guidelines according to Law 1581 of 2012, article 18 literal f, for the collection, storage, use, circulation or deletion of personal data of collaborators, suppliers and clients of ZUMATI SAS.

3. SCOPE.

The policy of Treatment and Protection of personal data contained herein is applicable to all collaborators, suppliers and clients, by virtue of the contractual relations carried out to comply with its corporate purpose and satisfy their needs, in order to apply current legislation. in Colombia, regarding the protection of personal data.

The principles and provisions contained in Law 1581 are applicable to personal data registered in any database that makes them susceptible to treatment by entities of a public or private nature.

Therefore, the data processing carried out by ZUMATI SAS must be subject to the personal data protection regime established by this law, its regulatory decrees and other regulations that complement, modify or repeal it.

4. TERM.

Permanent as of July 27, 2013.

This policy will be in force as of July 27, 2013 and the validity period of the database will be five (5) years from the date of termination of the last contractual relationship, so that Allow compliance with legal and/or contractual obligations by ZUMATI SAS, especially in accounting, tax and tax matters.

In case there are substantial changes in the content of the data processing policies, referring to the identification of the person in charge and the purpose of the Treatment of personal data, which may affect the content of the authorization, the Treatment Manager must communicate these changes to the Owner before or at the latest at the time of implementing the new policies. In addition, you must obtain new authorization from the Owner when the change refers to the purpose of the Treatment.

5. APPLICABLE REGULATIONS.

This Policy is governed by the parameters set by articles 15 and 20 of the Political Constitution, Law 1581 of 2012 “By which general provisions are issued for the protection of personal data” and Chapter 25 of Decree 1074 of 2015 ” By which Law 1581 of 2012 is partially regulated.

6. DATA AND IDENTIFICATION OF THE RESPONSIBLE.

ZUMATI SAS, with address at Carrera 15 # 88 21, Bogotá, Colombia, and can be contacted at that address or by email at info@zumati.co.

7. DESCRIPTION.

1. DEFINITIONS. 

In order to determine the meaning of the concepts used in this Policy, we will resort to the following definitions, in accordance with the provisions of Law 1266 of 2008, Law 1581 of 2012, and Regulatory Decree 1377 of 2013:

• Authorization: Prior, express, and informed consent of the owner to carry out the processing of personal data.
• Privacy Notice: Physical, electronic document or in any other format generated by the person in charge whose purpose is to make available to the owner the policy for the treatment of personal data that the company has.
• Database: Organized set of personal data that is subject to treatment, which rests in physical or electronic documents.
• Personal Data: Any information linked or that can be associated with one or several determined or determinable natural persons. Those pieces of information may become determinable to identify the owner of the personal data.
• Sensitive Data: Those that affect the privacy of the owner or whose improper use can generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership of unions, social organizations, rights human rights, or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data. 
• Public Data: It is data that is not semi-private, private, or sensitive. Public data is considered, among others, data related to the marital status of people, their profession, their status as merchants or public servants, and in general all data that may be contained in public records, public documents, and gazettes. , official gazette, and duly executed judicial sentences that are not subject to reservation.
• Semi-private Data: It is that data that does not have an intimate, reserved, or public nature and whose knowledge or disclosure may be of interest not only to the owner but to a certain sector or ZUMATI SAS of people or to society in general, such as, for example, financial data. and credit.
• Private Data: It is the data that by its intimate or reserved nature identifies the user.  
• Processor: Natural or legal person, public or private, that by itself or in association with others, performs the processing of personal data on behalf of the controller. A person internal or external to ZUMATI SAS may have the quality of a manager.
• Treatment Official: person or area of ZUMATI SAS that is in charge of resolving complaints, queries, and claims from the holders of the information, in addition to managing and controlling the personal data contained in the databases, under the fulfillment of the duties and responsibilities provided to guarantee the protection of the rights of the data owner. In no case will he be responsible to the owner for the quality of the data provided to him
• Habeas Data: Fundamental right of every person to know, update, rectify, and/or delete personal data that has been processed.
• Right to Protection of Personal Data: grants its owner powers of disposal and control over their personal data.
• Claim: Request of the Data Owner or of the persons authorized by it or by the Law to correct, update or delete their Personal Data or to revoke the authorization in the cases established in the Law.
• Responsible for the Treatment: Natural or legal person, public or private, that by itself or in association with others, decides on the treatment of the data.
• Owner: Natural person whose personal data is processed.
• Treatment: Any operation or set of operations on personal data, such as the collection, storage, use, circulation or deletion of the same.
• Transfer: It refers to the cases in which the person in charge or in charge of the treatment of personal data that is located in Colombia, sends said information to a recipient who, in turn, is the person in charge of the treatment and is inside or outside the country.
• Transmission: It refers to the cases in which the Processing of personal data is carried out by the Manager on behalf of the Responsible, and the communication of information within or outside the territory of Colombia must be mediated between them.

2. PRINCIPLES ON THE HANDLING OF PERSONAL DATA.

The personal data management policy of ZUMATI SAS will apply in a harmonious and comprehensive manner with the following principles established in Law 1581 of 2012:

• Legality: ZUMATI SAS treats personal data strictly in accordance with the legal requirements established in Statutory Law 1581 of 2012, its regulatory decrees, and other legislation in force in Colombia that repeals or modifies them.
• Purpose: All data processing in ZUMATI SAS is subject to a defined and legitimate purpose in accordance with the Constitution and the law, which must be informed to the owner. The essential data to carry out the corporate purpose is distinguished, which includes the data necessary to maintain contractual ties with clients, collaborators, and suppliers, and the optional data required to be able to offer additional services and strengthen ZUMATI SAS. In any case, you must adequately inform the owners about the purpose of the processing of their data and about this policy.
• Freedom: All processing of personal data carried out by the company must be supported by the prior, express, and informed consent of the owner. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves consent. The tacit consent of the collaborator, supplier, or client of ZUMATI SAS is not allowed. ZUMATI SAS clearly distinguishes, in its data collection procedures and records and in the databases, between essential data, sensitive data, and optional data.
• Veracity or quality: The information contained in the data subject to treatment must be truthful, complete, exact, updated, verifiable and understandable. ZUMATI SAS must regularly update current data. The processing of partial, incomplete, divided, or misleading data is legally prohibited.
• Transparency: ZUMATI SAS will inform the owners in advance what personal data it requires from them and what is the purpose for which it is required, understanding that said purpose will always be related to their work. Subsequently and at the request of the owners, ZUMATI SAS will inform them about their personal data and the purpose thereof registered in the ZUMATI SAS database, without prejudice to the periodic information obligations that are held (social security account statements, payroll, work certificates, reference verification, presentation of bids, etc.). The right of the owner to obtain from ZUMATI SAS the information about the existence of data that concerns him must be guaranteed at all times.
• Access and restricted circulation: Personal Data, except for public information, may not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to Holders or authorized third parties. by the owner or authorized third parties. ZUMATI SAS does not use the Internet protocol “HTTP” to allow third parties access to personal data; therefore, through corporate internet portals, only their own owners can access personal data.
• Security: The security of personal data is a priority for ZUMATI SAS when it comes to the personal data of collaborators, suppliers, and customers. ZUMATI SAS ensures the technical and administrative measures that are necessary to grant security to the personal data in its care, avoiding its adulteration, loss, consultation, use, or unauthorized or fraudulent access.
  • Technical measures include Physical archives with restricted access; a system of central servers for electronic files; a backup system for electronic files; restricted access by registered users and passwords to electronic databases.
  • Administrative measures include the Definition of managers and managers of personal data processing at ZUMATI SAS; a clear and restricted definition of data access for each person in charge; a definition of administrative procedures linked to the functions and positions in ZUMATI SAS; the inclusion of data processing policies in contracts with third parties.

In the event of loss of personal data, ZUMATI SAS will proceed as provided by law, informing the owner of the data and the Superintendency of Industry and Commerce.

• Confidentiality: ZUMATI SAS maintains the most rigorous confidentiality practices in relation to the personal data in its charge. Personal data will not be disclosed or used outside the narrow scope of its express purpose and within the limits established by law. The persons involved in the processing of personal data that are not of a public nature are obliged to guarantee the confidentiality of the information, until after the end of the contractual relationship.
• Temporality: When the information ceases to serve the purposes for which its treatment was authorized, ZUMATI SAS will not be able to provide it to users or third parties.
• Necessity: Personal data can only be processed by ZUMATI SAS during the time required and when the purpose of its processing justifies it.

8. FORM OF USE OF THE INFORMATION.

By accepting this Policy, clients, suppliers, active and inactive dependent workers, contractors, and, in general, any holder of the information, declare to know and accept it, and as a consequence, authorize in a prior, voluntary, spontaneous and informed ZUMATI SAS regarding the processing of their personal data, in such a way that the companies may process the data partially or totally, including the collection, storage, use, processing, disclosure, transmission and transfer of the data provided for the execution of the purposes described above.

For their part, those who provide personal data of their clients, beneficiaries, dependents, employees, managers or shareholders declare that as managers they have prior authorization from those to give them such treatment. ZUMATI SAS may act as the person in charge or in charge of the personal data, depending on the purpose for which the data was obtained, for which reason it undertakes to comply with the responsibilities that the regulations have established for each one. It will not lose its quality, despite the transmission of the information made, under the restrictions indicated in this policy.

9. TREATMENT OF DATA COLLECTED BY ZUMATI SAS

1. Collection of personal data: In accordance with the provisions of Decree 1377 of 2013, the collection of data must be limited to those personal data that are relevant and adequate for the purpose for which they are collected or required in accordance with current regulations. Except in the cases expressly provided by law, personal data may not be collected without the authorization of the Owner.
2. Authorization: In order to guarantee the rights of the information holders, ZUMATI SAS, as the person responsible for the treatment, must obtain from them, at the time of data collection, free, prior, express, and informed authorization from the Holder for this purpose, by any means that allows it to be used as evidence, preferably in writing. The authorization can be granted by any means and, in any way, for example, in writing, orally, or through the conduct of the Holder that allows a reasonable conclusion that the authorization was granted. In no case can silence be assimilated into unequivocal conduct. In any case, the authorization must contain at least a description of the purpose of data processing. Thus, ZUMATI SAS will inform the owner, before requesting the authorization, at least about the following aspects:

• The treatment to which your personal data will be subjected and the purpose thereof.
• Which of the data that will be subject to treatment are sensitive and the purpose of the treatment, as well as the non-obligation to grant authorization for said effect
• The rights that assist you as the owner. ZUMATI SAS must inform the owner of the location on the corporate website where he can consult this information. With his signature, the holder certifies having read and understood the manual in its entirety and accepting it in terms of its scope and content.
• The identification, physical or electronic address, and telephone number of the data controller.
• ZUMATI SAS keeps the authorizations granted in a secure file and delivers a copy to the holder when he requests it.

Personal data found in publicly accessible sources or information contained in databases available to the general public will not require authorization for processing.

3. Cases in which authorization is not necessary: The authorization of the owner of the information will not be necessary in the following cases:

• Information required by a public or administrative entity in the exercise of its legal functions.
• The information that is required by court order;
• The data provided is public in nature.
• Cases of medical or health urgency;
• Treatment of information authorized by law for historical, statistical, or scientific purposes;

In any case, whoever accesses personal data without prior authorization must comply with the provisions contained in Law 1581 of 2012 and Decree 1377 of 2013.

4. Sensitive data: ZUMATI SAS may treat sensitive personal data for “a historical, statistical or scientific purpose” and within the framework of processes to improve the quality process at ZUMATI SAS, and for this it will adopt the appropriate measures to suppress identity. of the headlines.

Sensitive personal data may only be processed, without the existence of prior consent, in the case of a vital emergency that requires immediate action (such as emergency medical intervention, etc.).

Third parties (Doctors, lawyers, external psychologists, etc.) will be especially careful to guarantee restricted access and maintain the security and confidentiality of sensitive personal data in their charge.

5. Data collected previously: ZUMATI SAS has data whose collection is prior to the promulgation of Law 1581 of 2012. Among these data are current and essential data for the performance of the Company’s work, as well as inactive data. result of concluded contractual relationships. For the continuous treatment of current data, ZUMATI SAS will obtain the express and informed consent of the owners, as long as this obligation does not represent a disproportionate burden for ZUMATI SAS under the terms of Decree 1377 of 2013.
6. Revocation of authorization: The owner of the information may, at any time, revoke the authorization for treatment or request the deletion of the information contained in the ZUMATI SAS databases, except when there is a legal duty or a current contractual relationship. and 5 more years from the termination of said relationship, taking into account the provisions applicable to the matter in question and the administrative, accounting, fiscal, legal and historical aspects of the information.

In any case, the Holder must indicate in his request whether it is a total or partial revocation, the latter when he only wants to eliminate one of the purposes for which the Treatment was authorized, a scenario in which the Holder must indicate the purpose that you want to delete.

10. PURPOSES OF TREATMENT.

The Personal Data managed by ZUMATI SAS will be collected, used, stored, updated, transmitted and/or transferred, for the following purposes or purposes:

Regarding the Personal Data of our Clients and Suppliers:

1. To provide required services and products;
2. Inform about changes, modifications, or new products or services that are related or not to the contracted or acquired by the Holder by any means of communication;
3. Comply with obligations contracted with the Holder;
4. Evaluate the quality of the product and service, carry out market studies and statistical analyzes for internal uses and the participation of the Holders in marketing and promotional activities;
5. Sharing of Personal Data, including the Transfer and Transmission of Personal Data to third parties for purposes related to the operation of ZUMATI SAS;
6. Carry out internal studies on compliance with commercial relations and market studies at all levels;
7. Carry out internal or external audit processes typical of the commercial activity that ZUMATI SAS develops;
8. Allow companies linked to ZUMATI SAS, with which it has entered into contracts that include provisions to guarantee the security and adequate Treatment of the Personal Data processed, to contact the Owner with the purpose of offering goods or services of interest to them;
9. Control access to ZUMATI SAS offices, including the establishment of video surveillance areas;
10. Respond to inquiries, requests, complaints, and claims that are made by the Owners and control agencies and Transmit the Personal Data to the other authorities that by virtue of the applicable law must receive the Personal Data;
11. Use the different services corresponding to websites, including content and format downloads;
12. Transfer the information collected to different areas of ZUMATI SAS and related areas in Colombia and abroad when necessary for the development of its operations and payroll management (portfolio collection and administrative collections, treasury, accounting, among others);
13. Register the Holders in the ZUMATI SAS systems and process their payments or collections;
14. Any other activity of a similar and/or complementary nature to those described above that is 10e necessary to develop the corporate purpose of the members of ZUMATI SAS.

REGARDING THE PERSONAL DATA OF OUR COLLABORATORS AND EMPLOYEES:

15. Develop the activities of human resources management within ZUMATI SAS, such as payroll, affiliations to entities of the general social security system, occupational health and welfare activities, and exercise of the employer’s sanctioning power, among others;
16. Make the necessary payments derived from the execution of the employment contract and/or its termination, and the other social benefits that may apply in accordance with the applicable law;
17. Contract labor benefits with third parties, such as life insurance, and medical expenses, among others;
18. Notify authorized contacts in case of emergencies during working hours or during the development thereof;
19. Coordinate the professional development of the employees, the access of the employees to the computer resources of ZUMATI SAS and assist in their use;
20. Plan business activities;
21. Transfer the information collected to different areas of ZUMATI SAS and related areas in Colombia and abroad when necessary for the development of its operations and payroll management (portfolio collection and administrative collections, treasury, accounting, among others);
22. Control access to the offices and plants of the Companies, including the establishment of video surveillance areas;
23. Carry out training;
24. Register the Holders in the ZUMATI SAS systems;
25. Any other activity of a similar and/or complementary nature to those described above that are necessary to develop the corporate purpose of the members of ZUMATI SAS.
    

12. RIGHTS OF HOLDERS.

The holders of personal data and other persons who, according to article 20 of Decree 1377 of 2013, are legitimated, may exercise the following rights:

• Know, update and rectify your Personal Data before those responsible for Treatment or Treatment Managers. This right may be exercised, among others, against data that is partial, inaccurate, incomplete, divided, misleading, or whose Treatment is expressly prohibited or has not been authorized.
• Request proof of the existence of the authorization, except in cases in which the Law exempts the authorization, in accordance with the provisions of article 10 of Law 1581 of 2012.
• Request and receive information about the use of your personal data.
• Submit complaints to the Superintendence of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and other regulations that modify, add or complement it.
• Revoke the Authorization and/or request the deletion of the data when the Treatment does not respect the constitutional and legal principles, rights and guarantees. The revocation and/or deletion will proceed when the Superintendence of Industry and Commerce has determined that in the Treatment the Responsible or Processor has incurred in conduct contrary to Law 1581 of 2012 and/or the Constitution.
• Free access to your Personal Data that has been processed

11. PERSON AND AREA RESPONSIBLE FOR HANDLING REQUESTS, COMPLAINTS, OR CLAIMS FROM HOLDERS OF THE INFORMATION.

The area responsible for dealing with requests for access, rectification, updating, deletion of data, or revocation of the consent or authorization granted for the Treatment of your Personal Data to anyone, is the information protection officer, Carrera 15 # 88 21, of Bogotá, Colombia and can be contacted at that address or at info@zumati.co.

The Information Protection Officer will have as its main functions to ensure the effective implementation of the policies and procedures adopted by ZUMATI SAS to comply with the Colombian Personal Data Protection Regime and take charge of the structuring, design, and administration of the Program. Comprehensive Personal Data Management. The Company’s Personal Data Protection Officer will be responsible for:

1. Manage the appropriate procedure that must be filed by any Claim that, in accordance with the provisions of this Policy, is formulated by the Holders;
2. Verify that the information received by the Owner is sufficient to be able to respond;
3. Evaluate the need to extend the term to respond to the Claims;
4. Channel the claim within ZUMATI SAS as appropriate;
5. Project the response of the Claim with the support of the legal area, if necessary;
6. Send the answers to the Holders in the terms provided in the Law, in this Policy, and in the Manual of Policies and Procedures of ZUMATI SAS;
7. Order the inclusion of warnings in the databases against claims in the claim or under judicial discussion;
8. Ensure compliance with this Policy;
9. Supported by the Legal Area, to structure, design, and manage the Comprehensive Personal Data Management Program in line with the indications approved by the Board of Directors and the Presidency for this purpose;
10. Keep the Presidency informed of the state of progress in the implementation of the Comprehensive Personal Data Management Program, through the delivery of reports where the detailed detail of the activities carried out, the pending ones, and the time in which each one of them is completed will carry out and the resources required for that purpose;
11. Prepare annual reports on the progress of the implementation and operation of the Comprehensive Personal Data Management Program to be presented at the General Shareholders’ Meetings of the Companies;
12. Implement a training program in the protection of Personal Data within ZUMATI SAS and ensure the carrying out of permanent training activities for its collaborators;
13. As part of this function, the ZUMATI SAS Personal Data Protection Officer will supervise the training of new collaborators in the proper Processing of Personal Data and, in particular, the particular obligations that they must comply with due to their position;
14. Audit the compliance of the different areas of ZUMATI SAS regarding the adequate compliance of the Colombian Personal Data Protection Regime, in this Policy and those derived from the implementation of the Comprehensive Program for Personal Data Management;
15. Develop, with the support of the IT Area, the controls that are required to guarantee the implementation and effectiveness of the Comprehensive Personal Data Management Program and strict compliance with the obligations of ZUMATI SAS under the Colombian Personal Data Protection Regime ;
16. Coordinate and promote the definition and implementation of a ZUMATI SAS risk management system associated with the Processing of Personal Data;
17. Coordinate and promote the definition and implementation of controls of the Comprehensive Personal Data Management Program, with the support of the IT Area;
18. Serve as a link and coordinate with the other areas of ZUMATI SAS to ensure the transversal implementation of the Comprehensive Program for Personal Data Management;
19. Maintain the inventory of Personal Databases of the Companies permanently updated with the support of the respective areas. For this purpose, it will carry out, directly or with the support of the internal audit area, semi-annual audits;
20. Validate the creation of Personal Databases and register them in the National Registry of Databases of the Superintendence of Industry and Commerce with the support of the legal area;
21. Update the information in the National Registry of Databases whenever necessary in accordance with the applicable law; a function that includes the management of reports of security incidents before the Superintendence of Industry and Commerce;
22. Manage contracts for the international transfer of Personal Data or manage declarations of conformity, as necessary in accordance with the National Registry of Databases, in conjunction with the Document Management Area and the legal area;
23. Respond to queries made within ZUMATI SAS regarding the Comprehensive Database Management Program and the Colombian Personal Data Protection Regime;
24. Confirm the responsibilities of each area of ZUMATI SAS in relation to the Processing of Personal Data under its responsibility, and establish compliance indicators for periodic verification of compliance;
25. Attend visits from the Superintendence of Industry and Commerce related to the supervision of the Colombian Personal Data Protection Regime within ZUMATI SAS.
    

12. PROCEDURES SO THAT THE HOLDERS OF THE INFORMATION CAN EXERCISE THEIR RIGHTS.

The Holders of Personal Data processed by ZUMATI SAS have the right to access their Personal Data and the details of said Treatment, as well as to rectify and update them if they are inaccurate or to request their deletion when they consider that they are excessive or unnecessary for the purposes that justified their obtaining or to oppose the Treatment of the same for specific purposes. The ways that have been implemented to guarantee the exercise of said rights through the presentation of the respective application are:

• Digital mailbox: There is a digital mailbox on the institutional portal, which can be accessed through the email info@zumati.co by any user. These channels may be used by the Holders of Personal Data, or third parties authorized by law to act on their behalf, in order to exercise the following rights:

1. Requests: The attention of requests, queries, and claims of the owner of the information can be exercised at the electronic address info@zumati.co with the aim of exercising their rights to know, update, rectify, and delete the data and revoke the authorization. Such requests must be made in writing.
2. Consultations: The owners can request ZUMATI SAS to consult their personal data free of charge. This request will be made in writing, by submitting an email to the following address info@zumati.co specifying the type of data to be consulted. The person in charge will forward the query to the corresponding managers and will ensure compliance with the deadlines for the query.

These inquiries will be answered within a minimum period of 10 business days from the date of receipt thereof and the requirements within a maximum period of 15 business days from the date of receipt thereof. The result of the query consists of the list of all the information that is linked to the identification of the holder in the consulted database. This list is exhaustive and does not have a particular structure beyond the structure given by the data record.

When it is not possible to meet the request within said term, this fact will be informed to the applicant, stating the reasons for the delay and indicating the date on which the query will be addressed, which in no case may exceed five (5) business days. following the expiration of the first term.

3. Claims: The owners can submit a claim to ZUMATI SAS when they consider that the information contained in a database must be corrected, updated or deleted or when it must be revoked due to the alleged breach of any of the duties contained in the database. Law by ZUMATI SAS, for which the claim will be processed in accordance with the following procedure:

1. The Holder or his successors in title must prove his identity, that of his representative, the representation or stipulation in favor of another or for another. When the request is made by a person other than the Owner and it is not proven that he/she acts on behalf of the former, it will be deemed not submitted.
2. The claim for rectification, updating, deletion or revocation must be submitted in writing, via email info@zumati.co
3. The claim must contain a clear and precise description of the Personal Data with respect to which the Holder seeks to exercise any of the rights, as well as the reasons for the claim and, if applicable, must accompany the claim with documentation proving the claim. If the claim is incomplete, the interested party will be required within five (5) days of receipt thereof to correct the failures. After two (2) months from the date of the request, without the applicant submitting the required information, it will be understood that he has withdrawn the claim. Once the complete claim is received, a legend that says “claim in process” and the reason for it will be included in the Database, within a term of no more than two (2) business days. Said legend must be maintained until the claim is decided.
4. The maximum term to address the request or claim will be fifteen (15) business days from the day following the date of receipt. When it is not possible to meet the request within said term, the interested party will be informed, stating the reasons for the delay and indicating the date on which the request will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.
5. In the event that ZUMATI SAS is not competent to resolve the claim, it will notify the corresponding party and inform the claimant of the situation within 5 business days of receipt of the claim.

First paragraph. Rectification and update: When the claims are aimed at rectification or updating, the Holder must indicate the corrections to be made and adopt the documentation that supports his request.

Second paragraph. Deletion: The deletion of Personal Data is carried out through the total or partial elimination of personal information as requested by the Owner. However, ZUMATI SAS may deny it when the Owner has a legal or contractual duty to remain in the Database.

13. INTERNATIONAL AND NATIONAL TRANSMISSIONS OF DATA TO PROCESSORS:

ZUMATI SAS, within the performance of tasks derived from its binational nature and its international cooperation links with other countries, may transfer personal data to third countries.

Without exception, the transfer of this data obeys defined purposes, related to or derived from the work of ZUMATI SAS and its improvement. It is only carried out when there is the corresponding authorization from the owner and, if necessary, when responding to requests from public or administrative entities in the exercise of their legal functions.

14. DUTIES ZUMATI SAS AS RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA.

In accordance with Law 1581 of 2012, and without prejudice to the other provisions on the protection of personal data, ZUMATI SAS as the person responsible for the Treatment must comply with the following duties,

1. Guarantee the Owner, at all times, the full and effective exercise of the right of habeas data;
2. Request and keep, under the conditions provided in this law, a copy of the respective authorization granted by the Owner;
3. Duly inform the Holder about the purpose of the collection and the rights that assist him by virtue of the authorization granted;
4. Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access;
5. Guarantee that the information provided to the Treatment Manager is true, complete, exact, updated, verifiable and understandable;
6. Update the information, communicating in a timely manner to the Treatment Manager, all the news regarding the data that he has previously provided and adopt the other necessary measures so that the information provided to him is kept updated;
7. Rectify the information when it is incorrect and communicate what is pertinent to the Treatment Manager;
8. Provide the Treatment Manager, as the case may be, only data whose Treatment is previously authorized in accordance with the provisions of this law;
9. Demand from the Treatment Manager at all times, respect for the security and privacy conditions of the Owner’s information;
10. Process the queries and claims formulated in the terms indicated in this law;
11. Adopt an internal manual of policies and procedures to guarantee adequate compliance with this law and, in particular, for the attention of queries and claims;
12. Inform the Treatment Manager when certain information is under discussion by the Holder, once the claim has been filed and the respective process has not been completed;
13. Inform at the request of the Owner about the use given to their data;
14. Inform the data protection authority when there are violations of the security codes and there are risks in the administration of the information of the Holders;
15. Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
    

15. MODIFICATIONS TO THE POLICY.

We reserve the right to make changes or updates to this Policy at any time. However, these modifications will be available to the public through the website https://www.zumati.co in the event that the changes refer to the authorized purposes, we will proceed to obtain a new authorization for the treatment of the data by part of the headlines

16. POLICY CONSULTATION.

The Personal Data Protection Policy must be announced, presented, and arranged on the official site https://www.zumati.co.

17. CONFIDENTIALITY AND SECURITY OF DATABASES.

ZUMATI SAS will apply the best practices for the security, discretion, protection, storage, and confidentiality of the Personal Data of the holders. It will verify when appropriate, the origin of the legal exceptions to deliver the personal data to the authorities and in the pertinent cases.

18. PROCESSING OF COMMERCIAL DATA.

ZUMATI SAS will process the commercial data and financial information that it deems necessary for the fulfillment of its corporate purpose and for all contracts with third parties. Their data will be treated with privacy, rights to privacy, the good name of people, within the process of processing personal data, and during all activities that will have the principles of confidentiality, security, legality, access, freedom and transparency.

For this purpose, the signing of the Confidentiality Agreement for the delivery of Data with all providers is regulated.

19. DATA PROCESSING OF DIRECT EMPLOYEES OF THE COMPANY.

All the data provided by the employees of ZUMATI SAS will be stored, compiled, used, shared, consulted, transmitted, exchanged and transferred, to comply with the obligations derived from the employment relationship and the exercise of rights as an employer. All information related to the employees or former employees of ZUMATI SAS will be kept so that the Company can fulfill its obligations as an employer and exercise the rights that correspond to it in that same condition, in accordance with Colombian labor legislation.

At the time of entry to ZUMATI SAS of new employees with a labor contract, it is a requirement that, at the time of the start of their assigned tasks, they state that they know, accept and apply the Personal Data Protection Policies.

To end the process of linking a new ZUMATI SAS employee, it is necessary to guarantee the employee’s acceptance of this policy.

20. TREATMENT OF PHOTOS AS PERSONAL DATA.

ZUMATI SAS may make use of photographs provided there is prior, express, and informed authorization where the purpose of the use of the photographs is determined, complying with the provisions of Law 1581 of 2012.

In the event that the owner of the data for the photographs is a minor, the provisions of article 20 of this Policy must be taken into account.

21. SOCIAL NETWORKS.

Social networks such as Facebook, Instagram, WhatsApp, Linkedin, and Twitter, constitute complementary platforms for the dissemination of information (communication), which are highly interconnected with the digital media of the users and are not under the responsibility of ZUMATI SAS for an alien to it. All the information that users provide on the social networks in which ZUMATI SAS participates as a user does not constitute or form part of the Personal Data subject to the protection of this Policy, being the full responsibility of the company providing that platform.

22. VIDEO SURVEILLANCE.

ZUMATI SAS informs its employees and visitors about the existence of security mechanisms, through a notification in video surveillance announcements on visible sites.

23. APPROVAL:

• Approved by: Legal area
• Approval Date: 01/10/2023
• Last update: 01/10/2023