Data processing policy

DIGITAL GULUPA SAS

1. AIM

Guarantee the constitutional right of all persons to know, update and rectify the information that has been collected about them in databases or files that GULUPA.COM.CO either GULUPADIGITAL.COM has collected for the purposes provided for in the respective authorization. For the purposes of this Policy GULUPADIGITAL.COM is considered responsible for the information collected.

2. SCOPE

The contents of this document apply at all levels of the company and to all databases with personal data that are in the possession of GULUPADIGITAL.COM and the Personal Data Processors who act on their behalf.

3. DEFINITIONS

a) Authorization: Prior, express and informed consent of the Owner to carry out the Processing of his/her personal data.

b) Privacy notice: Verbal or written communication generated by the Controller, addressed to the Owner for the processing of his/her personal data, through which he/she is informed about the existence of the information processing policies that will be applicable to him/her, the way to access them and the purposes of the processing that is intended to be given to the personal data.

c) Database: Organized set of personal data that is subject to processing

d) Personal data: Any information linked to or that may be associated with one or more specific or identifiable natural persons;

e) Public data: This is data that is not semi-private, private or sensitive. Public data includes, among others, data relating to the civil status of individuals, their profession or occupation and their status as a merchant or public servant. By its nature, public data may be contained in, among others, public records, public documents, official gazettes and bulletins and duly executed court rulings that are not subject to confidentiality.

f) Private data: It is the data that, due to its intimate or reserved nature, is only relevant to the Owner.

g) Sensitive data: Sensitive data is understood to be data that affects the privacy of the Data Subject or whose misuse may lead to discrimination, such as data that reveals racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data relating to health, sexual life and biometric data.

h) Data Processor: Natural or legal person, public or private, who by itself or in association with others, carries out the processing of personal data on behalf of the Data Controller;

i) Data Controller: Natural or legal person, public or private, who by itself or in association with others, decides on the database and/or the processing of data;

j) Holder: Natural person whose personal data are subject to processing;

k) Transfer: Data transfer occurs when the Controller and/or Processor of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is the Controller and is located within or outside the country.

l) Transmission: Processing of personal data that involves the communication of the same within or outside the territory of the Republic of Colombia when its purpose is to carry out a Processing by the Processor on behalf of the Controller.

m) Treatment: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.

4. GUIDING PRINCIPLES

In the development, interpretation and application of this law, the following principles shall be applied in a harmonious and comprehensive manner:

a) Principle of legality in data processing: The Treatment referred to in this law is a regulated activity that must be subject to the provisions established therein and in other provisions that develop it.

b) Principle of purpose: The Treatment must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Owner.

c) Principle of freedom: The processing may only be carried out with the prior, express and informed consent of the Data Controller. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that waives consent.

d) Principle of truthfulness or quality: The information subject to processing must be true, complete, accurate, up-to-date, verifiable and understandable. The processing of partial, incomplete, fractional or misleading data is prohibited.

e) Principle of transparency: In the Processing, the right of the Data Subject to obtain from the Data Controller or the Data Processor, at any time and without restrictions, information about the existence of data concerning him/her must be guaranteed.

f) Principle of restricted access and circulation: The Processing is subject to the limits arising from the nature of the personal data, the provisions of this law and the Constitution. In this regard, the Processing may only be carried out by persons authorized by the Owner and/or by the persons provided for in this law; Personal data, except for public information, may not be made available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to the Owners or authorized third parties in accordance with this law.

g) Safety principle: The information subject to processing by the Data Controller or Data Processor referred to in this law must be handled with the technical, human and administrative measures necessary to ensure the security of the records, avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.

h) Confidentiality principle: All persons involved in the processing of personal data that are not public in nature are obliged to guarantee the confidentiality of the information, even after their relationship with any of the tasks that comprise the processing has ended, and may only provide or communicate personal data when this corresponds to the development of the activities authorized in this law and under the terms thereof.

5. TREATMENT

GULUPADIGITAL.COM considers respect and credibility as values, which is consistent with compliance with the guidelines set forth in Statutory Law 1581 of 2012 and its Regulatory Decree 1377 of 2013, for which reason it adopts this Policy for the Processing of Personal Data, which will be reported to all holders of the data collected or that will be obtained in the future in the exercise of academic, cultural, commercial or labor activities.

GULUPADIGITAL.COM Acting as Controller of Personal Data, for the proper development of its different activities, it collects, stores, uses, updates, circulates and deletes Personal Data corresponding to natural persons with whom it has or has had a relationship, such as, without the enumeration meaning limitation, plant and mission workers and their families, shareholders, users, suppliers, clients, financial entities and other interested parties, respecting the principle of confidentiality of the data provided.

6. PURPOSES

The purposes for which GULUPADIGITAL.COM collects personal information derived solely and exclusively for the fulfillment of its corporate purpose and commercial activity; in no other case is information collected.

These purposes are:

Administrative procedures, Administrative management, Customer management, Supplier management, Financial and accounting management, Tax management, Business relationship history, Data and reference verification, Health risk verification, Sending communications, Employee information, Profile analysis, Offering products and services, Time control, Management of sanctions, warnings, calls to attention, exclusions, Staff training, Payroll management, Personnel management, Temporary work management, Social benefits, Occupational risk prevention, Employment promotion and management, Staff promotion and selection, Security, Declaration and payment of social security contributions, Labor relations and working conditions.

7. CHANNELS FOR ATTENTION TO THE OWNER

These are the means through which the Information Holders must communicate with the Responsible Party to assert their rights, these are those offered by GULUPADIGITAL.COM:

• Personal Service Point:  Carrera 83 #32EE – 38, Medellin, Colombia
• Email:   info@gulupadigital.com
• Telephone Line:   604 – 589 88 90

8. RIGHTS OF DATA OWNERS.

In accordance with the provisions of Article 8 of Law 1581 of 2012 and Articles 21 and 22 of Decree 1377 of 2013, the Owner of the personal data has the following rights:

a) Know, update and rectify your personal data in front of GULUPADIGITAL.COM., as data controller.

b) Request proof of the authorization granted to GULUPADIGITAL.COM, as Data Controller.

c) Be informed by GULUPADIGITAL.COM, upon request, regarding the use that has been given to your personal data. d) Submit complaints to the Superintendence of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and other regulations that modify, add to or complement it, once you have exhausted the consultation or claim process with the Data Controller.

e) Revoke the authorization and/or request the deletion of the data when the Processing does not respect the constitutional and legal principles, rights and guarantees.

f) Access free of charge to your personal data that have been subject to processing.

9. GULUPADIGITAL HOMEWORK.COM

In relation to the processing of personal data, GULUPADIGITAL.COM, The data controller shall bear in mind at all times that personal data is the property of the persons to whom it refers and that only they can decide on it. In this regard, the data controller shall use it only for those purposes for which it is duly authorized, and in all cases respecting Law 1581 of 2012, Decree 1377 of 2013 and Decree 886 of 2014 and other applicable regulations on the protection of personal data:

a) Guarantee the Holder, at all times, the full and effective exercise of the right to habeas data;

b) Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access;

c) Duly inform the Owner about the purpose of the collection and the rights granted to him by virtue of the authorization granted;

d) Ensure that the information provided to the Data Processor is true, complete, accurate, up-to-date, verifiable and understandable;

e) Carry out the timely update, rectification or deletion of data, according to the terms provided in articles 14 and 15 of Law 1581 of 2012,

f) Provide the Data Processor, as the case may be, only with data whose processing has been previously authorized in accordance with the provisions of this law;

g) Demand that the Data Processor at all times respect the security and privacy conditions of the Owner's information;

h) Inform the Data Subject upon request about the use given to his/her data;

i) Process queries and complaints made by the Owners in the terms indicated in articles 14 and 15 of Law 1581 of 2012;

j) Insert into the database the legend "information under judicial discussion" once notified by the competent authority about judicial proceedings related to the quality or details of the personal data;

k) Insert into the database the legend “claim in process” and the reason for it, within a period of no more than two (2) business days after receiving the complete claim.

l) Refrain from circulating information that is being disputed by the Owner and whose blocking has been ordered by the Superintendency of Industry and Commerce;

m) Allow access to information only to persons who may have access to it;

n) Inform the Superintendency of Industry and Commerce when violations of security codes occur and there are risks in the management of the information of the Holders;

o) Designate an area to assume the function of personal data protection, which will process the requests of the Holders, for the exercise of the rights referred to in Law 1581 of 2012 and Decree 1377 of 2013.

p) Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

10. CLAIMS

In accordance with the provisions of article 15 of Law 1581 of 2012, the Owner or his successors who consider that the information contained in a database should be subject to correction, updating or deletion, or when they notice the alleged non-compliance of any of the duties contained in Law 1581 of 2012, Decree 1377 of 2013 or any other applicable regulation, may file a claim with the

Data Controller, which will be processed under the following rules:

a) The claim may be submitted by the Holder, taking into account the information indicated in article 15 of Law 1581 of 2012 and in article 9 of Decree 1377 of 2013. If the claim received does not have complete information that allows it to be processed, that is, with the identification of the Holder, the description of the facts that give rise to the claim, the address, and accompanying the documents that the applicant wishes to assert, the interested party will be required within five (5) days following receipt to correct the deficiencies. After two (2) months from the date of the request without the applicant submitting the required information, it will be understood that the claim has been withdrawn.

b) If for any reason a claim is received that should not actually be directed against you GULUPADIGITAL.COM, this will be forwarded, to the extent possible, to the appropriate party within a maximum period of two (2) business days, and will inform the interested party of the situation.

c) Once the complete claim has been received, a note stating "Claim in Process" and the reason for it will be included in the database maintained by the Responsible Party, within a period of no more than two (2) business days from the receipt of the complete claim. This note must be maintained until the claim is decided. d) The maximum period for addressing the claim will be fifteen (15) business days counted from the day following the date of receipt. When it is not possible to address it within this period, the interested party will be informed before the expiration of the aforementioned period of the reasons for the delay and the date on which his claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first period.

11. GULUPADIGITAL HOMEWORK.COM

In development of the security principle established in Law 1581 of 2012, GULUPADIGITAL.COM, will adopt the technical, human and administrative measures necessary to ensure the security of the records, avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access, with the creation, implementation and audit of a Personal Data Security Management System.

12. FINAL PROVISIONS

GULUPADIGITAL.COM will appoint a DATA PROTECTION OFFICER to fulfill the function of personal data protection, who will process the requests of the Holders, for the exercise of the rights of access, consultation, rectification, updating, deletion and revocation referred to in Law 1581 of 2012.

13. VALIDITY

This document is effective as of its publication on February 18, 2019.

The approval and effective date of this Policy must be supported by the company's directives in a signed document.