DATA PROCESSING POLICY

General Information

This document sets forth the Personal Data Processing Policies of PROMOTORA DE CAFÉ COLOMBIA S.A., performing as guild ENTITY of private law, in compliance with provisions of Law 1581 of 2012 and Decree 1377 of 2013. It describes the mechanisms whereby the ENTITY ensures a proper management of personal data collected in its databases, in order to enable Owners to exercise the Habeas Data right.

 

Controller

The ENTITY is a legal entity of private law, non-profit, established in Bogotá, with legal personality recognized by the National Government with NIT. 830.112.317-1, whose contact details are the following:

Address: Calle 73 No. 8-13 Piso 3 Torre A - Bogotá D.C., Colombia

Phone: 3136600

Email:datos.personales@juanvaldezcafe.com

 

Definitions

  • Authorization: Prior, express and informed consent by the Owner to perform Processing of personal data;
  • Database: Organized set of personal data that is subject to Processing;
  • Personal data: Any information relating or that can be related to one or more identified or identifiable natural persons;
  • Processor: Natural or legal person, public or private, that on its own or jointly with others processes personal data on behalf of the Controller;
  • Controller: Natural or legal person, public or private, that on its own or jointly with others decides on the database and/or data Processing;
  • Owner: Natural person whose personal data are subject to Processing;
  • Processing: Any operation or set of operations performed on personal data, such as collection, storage, use, circulation or deletion.
  • Principle of Legality: Personal data processing is a regulated activity that must conform to provisions of the applicable law and other provisions developing it;
  • Principle of Purpose Processing must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Owner;
  • Principle of Freedom: Processing can only be performed with the prior, express and informed consent of the Owner. Personal data shall not be obtained or disclosed without prior authorization, or in the absence of any legal or judicial mandate excusing the consent;
  • Principle of Veracity or Quality: Information subject to Processing must be true, complete, accurate, up to date, verifiable and understandable. Processing of partial, incomplete, fractional or misleading data is prohibited;
  • Principle of Transparency: Processing must guarantee the Owner’s right to obtain from the Controller or Processor, at any moment and without restrictions, information about existence of data concerning the Owner;
  • Principle of Restricted Access and Circulation: Processing is subject to the limits derived from the nature of personal data, provisions of law and the Constitution. In this sense, Processing shall only be performed by people authorized by the Owner and/or people provided by law.
  • Personal data, except for public information, shall not be available on the internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to Owners or authorized third parties according to law;
  • Principle of Security: Information subject to Processing by the Controller or Processor must be managed through technical, human and administrative measures that are necessary to ensure security of records, preventing their adulteration, loss, consultation, use, or unauthorized or fraudulent access;
  • Principle of Confidentiality: All persons involved in Processing of non-public personal data are obliged to ensure confidentiality of the information, even after ending their relationship with any of the tasks related to Processing, being only able to supply or communicate personal data when this corresponds to development of activities authorized by law and in its terms.

 

Categories of personal data collected:

- General data.

- Identification data.

- Location data.

- Sensitive data (only when required).

- Socioeconomic content data.

 

Content of Databases

Databases of the ENTITY store general information such as full name, ID number and type, gender and contact details (email, physical address, land line and mobile phone). In addition, and depending on nature of the database, the ENTITY may have specific data required for Processing of the data. Databases of employees and contractors include, additionally, information about labor and academic history, sensitive data required by the nature of the labor relationship (photography, family members, biometric data).

Sensitive information may be stored in the databases with prior authorization of the Owner, in accordance with Articles 5 and 7 of Law 1581 of 2012.

 

Processing

The information in the databases of the ENTITY is subjected to different forms of processing, such as collection, exchange, updating, processing, reproduction, compilation, storage, use, systematization and organization, all of them partially or totally, according to the purposes established here. Information may be delivered, transmitted or transferred to public entities, commercial partners, contractors, affiliates or subsidiaries, only in order to comply with the purposes of the corresponding database. In any case, the delivery, transmission or transfer shall take place with previous signing of commitments that are necessary to safeguard confidentiality of the information. Personal information, including sensitive information, may be transferred, transmitted or handed over to third countries, regardless of the level of security of regulations on personal information management. Complying with legal duties, the ENTITY may provide the personal information to judicial or administrative entities.

The ENTITY shall guarantee proper use of personal data of minors, ensuring to comply with applicable legal requirements and that all Processing is previously authorized and justified in the highest interests of minors.

 

Purpose

The purpose of information collected by the ENTITY is to enable proper development of its mission or object as a guild entity. In addition, the ENTITY keeps the information necessary to comply with legal duties, mainly in accounting, corporate and labor matters.

The information on customers, suppliers, partners and employees, current or past, is kept in order to facilitate, promote, enable, or maintain relations of labor, civil and commercial nature.

 

Owners’ Rights

According to provisions of Article 8 of Colombian Law 1581 of 2012, the Owners may:

  • Know, update and rectify their personal data to the ENTITY or the Processors. This right may be exercised, among others, on partial, inaccurate, incomplete, fractional or misleading data, or on data whose Processing is expressly prohibited or not authorized.
  • Request proof of authorization given to the ENTITY, except when expressly excluded as a requirement for such Processing, in accordance with provisions of Article 10 of this law.
  • Be informed by the ENTITY or the Processor, upon request, about the use given to their personal data.
  • File before the Superintendence of Industry and Commerce complaints for violations of provisions of this Law and other regulations that modify, add or complement it.
  • Revoke authorization and/or request the deletion of data when Processing does not respect constitutional and legal principles, rights and guarantees. The revocation and/or deletion shall proceed when the Superintendence of Industry and Commerce has decided that the ENTITY or the Processor has fallen into conducts that are contrary to this law and the Constitution.
  • Access for free their personal data that have been subject to Processing.

 

Obligations of the ENTITY

The ENTITY shall:

  • Ensure the Owner, at any time, the full and effective exercise of the Habeas Data right.
  • Request and keep, under conditions provided in this law, a copy of the respective authorization given by the Owner.
  • Duly inform the Owner about the purpose of collection and their rights by virtue of the authorization given.
  • Keep the information under security conditions that are necessary to prevent its adulteration, loss, consultation, use, or unauthorized or fraudulent access.
  • Ensure that the information provided to the Processor is true, complete, accurate, up to date, verifiable and understandable.
  • Update the information, by communicating, in a timely manner, to the Processor all news about the data previously provided and take other measures necessary to ensure that the information provided is up to date.
  • Rectify the information when it is inaccurate and communicate what is relevant to the Processor.
  • Provide the Processor, depending on the case, only with the data whose Processing is previously authorized according to provisions of this law.
  • Require of the Processor, at any time, respect for conditions of security and privacy of the Owner’s information.
  • Respond to requests and claims made in the terms provided by this law.
  • Adopt an internal manual of policies and procedures to ensure proper compliance with this law and, in particular, to respond to requests and claims.
  • Inform the Processor when certain information is under discussion by the Owner, once the claim has been made and the respective handling is not completed.
  • Inform, at the request of Owners, about the use given to their data;
  • Inform the data protection authority about violations of security codes and risks in management of owners’ information.
  • Comply with the instructions and requirements set by the Superintendence of Industry and Commerce.

 

Responsible Person or Area (Controller)

All requests, complaints or claims related to personal data Processing, according to provisions of Law 1581 of 2012 and Decree 1377 of 2013, shall be submitted to:

Entity: Promotora de Café de Colombia S.A. - PROCAFECOL S.A-.

Address: Calle 73 No. 8-13 Building A Floor 3 Bogotá D.C, Colombia

Email:datos.personales@juanvaldezcafe.com

Phone: 742 39 95 in Bogotá or 01 8000 517 711 intjhe resto d the contry.

 

Procedures for submission of and response to requests

Personal data owners appearing in the databases of the ENTITY, or their successors, may consult the data and the ENTITY shall provide the requested information according to terms provided by applicable legislation. All consultation, correction, updating or deletion request shall be made in writing or by email, according to the information described in this document.

Requests will be responded within ten (10) business days from the date of receipt of the respective request. If it is not possible to respond to the request within such term, the interested party shall be informed, explaining the reasons for the delay and indicating the date at which the request shall be responded, which in no case shall exceed five (5) business days after expiration of the first term.

 

Procedures for submission of and response to requests, complaints and claims

Claims shall be made in writing or by email, according to the information described in this document, and shall contain at least the following information:

  • Owner’s ID.
  • Description of the facts giving rise to the claim.
  • Owner’s address.
  • Documentation that the owner wants to submit as evidence.

If the claim is incomplete, the interested party shall be required within five (5) days following the receipt of the claim to amend the faults. If two (2) months pass after the requirement date and the interested party has not submitted the required information, the claim shall be understood as withdrawn.

If the person receiving the claim is not competent to solve it, the claim shall be forwarded to the competent person within a maximum term of two (2) business days and shall inform the interested party about the situation.

Once the complete claim is received, the database shall include a legend that says "claim being processed" and its reason, no later than two (2) business days. Such legend shall be kept until the claim is decided.

The maximum term to respond to the claim shall be fifteen (15) business days from the day following the date of receipt. When it is not possible to respond to the claim within such term, the interested party shall be informed about the reasons for the delay and the date at which the claim will be responded, which in no case shall exceed eight (8) business days after the first expiration date.

 

Modifications to this policy

The owners of the personal data and / or consumers will be notified of the substantial changes that this policy undergoes through its website: www.juanvaldezcafe.com

According to the third paragraph of Article 5 of Colombian Decree 1377 of 2013, it is understood by substantial modification, those changes in the content of this Personal Data Processing Policy related to the identification of the person responsible and the purpose of the treatment of personal information that does not affect the content of the authorization; when it does, PROCAFECOL S.A. will obtain a new authorization in accordance with these new purposes.

 

Validity of the Database

The Personal Data Processing Policies of the ENTITY shall be in force as of July 27, 2013. The ENTITY reserves the right to modify them in the terms and with the limitations provided by law.

Databases managed by the ENTITY shall be kept indefinitely while pursuing its mission or object, and as long as necessary to ensure fulfillment of obligations of legal nature (particularly of labor and accounting nature), but the data may be deleted at any moment at the request of its Owner, as long as this request is not contrary to any legal obligation of the ENTITY or an obligation established in a contract between the ENTITY and the Owner.