data policy

Data Protection Policy

General InformationGeneralidades

This document establishes the Personal Data Processing Policy of INVERSIONES MENDEBAL S.A.S. in compliance with the provisions of Law 1581 of 2012, partially regulated by Decree 1377 of 2013. It describes the mechanisms by which the Organization ensures proper handling of personal data collected in its databases, allowing data subjects to exercise their Habeas Data rights.

INVERSIONES MENDEBAL S.A.S. guarantees privacy, confidentiality, and good name in the processing of personal data, and therefore adheres to the principles of legality, purpose, freedom, accuracy or quality, transparency, restricted access and circulation, security, and confidentiality.This Personal Data Processing Policy and the procedures for its protection apply to all clients, suppliers, contractors, and employees of INVERSIONES MENDEBAL S.A.S. whose data is included in the company's databases.

Responsible PartyResponsable

INVERSIONES MENDEBAL S.A.S. is a private legal entity domiciled in Bogotá, with Tax ID (NIT) 860.353.473-5. Contact details are as follows:

Address: Calle 79B # 8 – 11, Bogotá D.C., Colombia Phone: 7437430
Email: servicioalcliente@mendebal.com

Definitions

Authorization: Authorization: Prior, express, and informed consent of the owner of the personal data to carry out the processing of personal data. Database: An organized set of personal data that is subject to processing. Personal data: Any information linked to or that can be associated with one or more identified or identifiable natural persons. “Personal data” should then be understood as information related to a natural person (an individually considered person). Public data: Data that is not semi-private, private, or sensitive. Public data includes, among others, data related to a person's marital status, profession or occupation, and status as a merchant or public servant. By its nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins, and duly executed judicial rulings that are not subject to confidentiality. Public personal data: Any personal information that is freely and openly available to the general public. Private personal data: All personal information that has restricted knowledge and is primarily private to the general public. Semi-private data: Data that is neither intimate, reserved, nor public, and whose knowledge or disclosure may be of interest not only to its owner but also to a certain sector or group of people or to society in general. Sensitive data: Data that affects the privacy of the owner or whose improper use may cause discrimination, such as those revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations, or that promote interests of any political party or guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data, among others, including still or moving image capture, fingerprints, photographs, iris, voice recognition, facial or palm recognition, etc. Data processor: A natural or legal person, public or private, who alone or in association with others carries out the processing of personal data on behalf of the data controller. Data controller: A natural or legal person, public or private, who alone or in association with others decides on the database and/or the processing of the data. Data subject: A natural person whose personal data is subject to processing. Transfer: The transfer of data occurs when the data controller and/or processor of personal data located in Colombia sends the information or personal data to a recipient who is also responsible for the processing and is located inside or outside the country. Transmission: Processing of personal data that involves communication of the data within or outside the territory of the Republic of Colombia when it is intended for processing by the processor on behalf of the controller. Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.

Principles

1. a) Principle of legality in data processing matters: The collection and, in general, the processing of personal data must comply with the provisions of Law 1581 of 2012, its Regulatory Decree 1377 of 2013, and other regulations that develop the matter; b) Principle of purpose: The Processing must obey a legitimate purpose according to the Constitution and the Law, which must be informed to the Data Subject; c) Principle of freedom: Processing can only be carried out with the prior, express, and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization or in the absence of a legal or judicial mandate that waives consent; d) Principle of truthfulness or quality: The information subject to Processing must be truthful, complete, accurate, updated, verifiable, and understandable. Processing of partial, incomplete, fragmented data or data that induces error is prohibited; e) Principle of transparency: In Processing, the Data Subject’s right to obtain information about the existence of data concerning them from the Data Controller or the Data Processor at any time and without restrictions must be guaranteed; f) Principle of restricted access and circulation: Processing is subject to the limits derived from the nature of the personal data, the provisions of Law 1581 of 2012, its Regulatory Decree 1377 of 2013, and the Constitution. In this sense, Processing may only be carried out by persons authorized by the Data Subject and/or by persons provided for by law; Personal data, except public information, may not be available on the Internet or other mass dissemination or communication media, unless access is technically controllable to provide restricted knowledge only to Data Subjects or authorized third parties according to the law; g) Principle of security: The information subject to Processing by the Data Controller or Data Processor referred to in this law must be handled with the technical, human, and administrative measures necessary to provide security to the records, preventing their adulteration, loss, consultation, use, or unauthorized or fraudulent access; h) Principle of confidentiality: All persons involved in the Processing of personal data that are not public in nature are obliged to guarantee the confidentiality of the information, even after their relationship with any of the tasks comprising the Processing has ended, being able only to provide or communicate personal data when this corresponds to the development of activities authorized by law and under its terms.

Content of the databases

In the databases of INVERSIONES MENDEBAL S.A.S. general information such as full name, identification number and type, gender, and contact information (email, physical address, landline and mobile phone) is stored. In addition to these, and depending on the nature of the database, INVERSIONES MENDEBAL S.A.S. may have specific data required for the processing to which the data will be subjected. In the databases of employees and contractors, additional information is included about employment and academic history, sensitive data required by the nature of the employment relationship (photograph, family group composition, biometric data).Sensitive information may be stored in the databases with prior authorization from the data subject, in compliance with the provisions of Articles 5 and 7 of Law 1581 of 2012.

Processing

The information contained in the databases of INVERSIONES MENDEBAL S.A.S. is subjected to different forms of processing, such as collection, exchange, updating, processing, reproduction, compilation, storage, use, systematization, and organization, all partially or totally carried out in compliance with the purposes established herein. The information may be delivered, transmitted, or transferred to public entities, commercial partners, or suppliers solely to fulfill the purposes of the corresponding database. In any case, delivery, transmission, or transfer will be made after the necessary commitments have been signed to safeguard the confidentiality of the information. Personal information, including sensitive information, may be transferred, transmitted, or delivered to third countries, regardless of the level of security of the regulations governing the handling of personal information. In compliance with legal duties, INVERSIONES MENDEBAL S.A.S. may provide personal information to judicial or administrative entities. INVERSIONES MENDEBAL S.A.S. will ensure the proper use of personal data of minors, guaranteeing compliance with applicable legal requirements and that all processing is previously authorized and justified in the best interest of minors.

Purpose

The information collected by INVERSIONES MENDEBAL S.A.S. is intended to enable the proper development of its corporate purpose; additionally, the necessary information will be kept to comply with legal obligations, mainly in accounting, corporate, and labor matters. Information about clients, suppliers, strategic allies, and employees, whether current or former, is stored to facilitate, promote, enable, or maintain labor, civil, and commercial relationships. Information about actors involved in the mission-related operations is stored to fulfill the activities inherent to its purpose.

Rights of the data subjects

In accordance with the provisions of Article 8 of Law 1581 of 2012, data subjects may know, update and rectify their personal data before INVERSIONES MENDEBAL S.A.S. This right may be exercised, among others, with respect to partial, inaccurate, incomplete, fragmented data, data that induces error, or data whose processing is expressly prohibited or unauthorized. They may request proof of the authorization granted to INVERSIONES MENDEBAL S.A.S. except when expressly exempted as a requirement for processing, in accordance with Article 10 of this law. They may be informed by INVERSIONES MENDEBAL S.A.S. or the Processor, upon request, regarding the use given to their personal data. They may file complaints before the Superintendence of Industry and Commerce for violations of the provisions of this law and other regulations that modify, add to, or complement it. They may revoke the authorization and/or request the deletion of data when the processing does not respect constitutional and legal principles, rights, and guarantees. Revocation and/or deletion will proceed when the Superintendence of Industry and Commerce has determined that INVERSIONES MENDEBAL S.A.S. has engaged in conduct contrary to this law and the Constitution. They may access free of charge to their personal data that have been subject to processing.

Obligations of the Responsible

INVERSIONES MENDEBAL S.A.S. must guarantee to the Data Subject, at all times, the full and effective exercise of the right of habeas data It must request and keep, under the conditions established in this law, a copy of the respective authorization granted by the Data Subject It must duly inform the Data Subject about the purpose of the collection and the rights they have by virtue of the granted authorization It must keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use, or unauthorized or fraudulent access It must guarantee that the information supplied to the Processor is truthful, complete, accurate, updated, verifiable, and understandable It must update the information, promptly communicating to the Data Processor all updates regarding the data previously supplied and adopt the necessary measures to keep the information provided to the Processor updated It must rectify the information when it is incorrect and communicate the relevant information to the Processor It must supply the Processor, as applicable, only data whose processing is previously authorized in accordance with the provisions of this law It must demand from the Processor, at all times, respect for the security and privacy conditions of the Data Subject’s information It must process the consultations and claims submitted under the terms established in this law It must adopt an internal manual of policies and procedures to guarantee adequate compliance with this law and, especially, for the handling of consultations and claims It must inform the Processor when certain information is under dispute by the Data Subject, once a claim has been submitted and the respective procedure has not been completed It must inform, at the Data Subject’s request, about the use given to their data It must inform the data protection authority when violations of security codes occur and risks arise in the management of Data Subjects’ information It must comply with the instructions and requirements issued by the Superintendence of Industry and Commerce Responsible Person or Area Any request, complaint, or claim related to the handling of personal data, under the provisions of Law 1581 of 2012 and Decree 1377 of 2013, must be sent to: Entity: INVERSIONES MENDEBAL S.A.S. Address: Calle 79B # 8-11, Bogotá D.C. Email: servicioalcliente@mendebal.com Phone: 7437430

Procedures for Submission and Response to Inquiries

Data Subjects whose personal data are contained in the databases of INVERSIONES MENDEBAL S.A.S., may consult the data and request the provision of the information contained under the terms established in the applicable legislation. Any request for consultation, correction, updating, or deletion must be submitted in writing or by email, according to the information contained in this document. Inquiries will be attended to within a term of ten (10) business days counted from the date of receipt of the respective request. When it is not possible to attend the inquiry within that term, the interested party will be informed, stating the reasons for the delay and indicating the date on which their inquiry will be attended to, which in no case may exceed five (5) business days following the expiration of the first term. Procedures for Submission and Response to Inquiries Complaints and Claims Complaints must be submitted in writing or by email, according to the information contained in this document, and must contain at least the following information Identification of the Data Subject Description of the facts giving rise to the complaint Address of the Data Subject Documentation to be submitted as evidence If the complaint is incomplete, the interested party will be required within five (5) days following the receipt of the complaint to correct the deficiencies. If two (2) months elapse from the date of the request without the applicant presenting the required information, it will be understood that they have withdrawn the complaint. If the person who receives the complaint is not competent to resolve it, they will forward it to the appropriate party within a maximum term of two (2) business days and will inform the interested party of the situation. The maximum term to attend to the complaint will be fifteen (15) business days counted from the day following the date of receipt. When it is not possible to attend the complaint within that term, the interested party will be informed of the reasons for the delay and the date on which the complaint will be attended to, which in no case may exceed eight (8) business days following the expiration of the first term. Duration and Update of the Database The Personal Data Treatment Policy of INVERSIONES MENDEBAL S.A.S. is published on the company's website and the company reserves the right to modify it under the terms and limitations provided by law. The databases managed by INVERSIONES MENDEBAL S.A.S. will be maintained indefinitely, as long as the company develops its purpose, and as long as it is necessary to ensure compliance with legal obligations, particularly labor and accounting, but data may be deleted at any time at the request of the Data Subject, provided that such request does not contradict a legal obligation or an obligation contained in a contract between INVERSIONES MENDEBAL S.A.S. and the Data Subject.