- OBJECTIVE
This Personal Data Processing Policy (hereinafter the "Policy") aims to regulate the collection, storage, use, circulation, and deletion of personal data within SOCIEDAD PROQUIMES S.A. (hereinafter "PROQUIMES S.A."), providing tools to ensure the authenticity, confidentiality, and integrity of the information. The Policy is structured in accordance with the mandates of Statutory Law 1581 of 2012, the relevant decrees, and any regulations that complement, amend, or repeal it.
- SCOPE
The Policy of PROQUIMES S.A. covers all administrative, organizational, and control aspects that must be complied with by executives, employees, contractors, and third parties who work with or maintain a direct relationship with the Company. This Policy is to be integrated with the Information Security Policy Manuals and the Information Asset Management Manuals.
- LEGAL FRAMEWORK OF THE POLICY
• Law 1581 of 2012, through which the General Regime for the Protection of Personal Data was issued.
• Decrees and external circulars that regulate the norm indicated in the previous numeral.
• Constitutional Court Ruling C–748 of 2011, through which the Statutory Law Project for the Protection of Personal Data was declared constitutional.
- POLICY DEVELOPMENT
PROQUIMES S.A. incorporates respect for the protection of personal data in all its actions. Consequently, from the moment data is received, authorization will be requested for the use of such information for purposes aligned with the company’s mission. PROQUIMES S.A. respects the principles established by law and will observe in its actions and handling of personal data the purposes derived from the collection of such data. PROQUIMES S.A. will implement the strategies and necessary actions to enforce the rights established in Statutory Law 1581 of 2012 and other complementary, modifying, or repealing regulations. PROQUIMES S.A. will inform all users of the rights derived from the protection of personal data.
- STRATEGIES
5.1 DATA PROCESSING
To ensure the proper handling and protection of personal data, PROQUIMES S.A. will oversee the management of such data in three areas through designated data managers. These managers will carry out activities in accordance with this Policy and for the purpose of developing processes related to the use, processing, collection, and protection of data, pursuant to Law 1581 of 2012 and other applicable regulations. The identified areas are:
• Marketing Area
• Human Resources Area
• Purchasing and Logistics Area
5.2 PERSONS RESPONSIBLE FOR DATA PROCESSING
The heads of each of the areas mentioned in section 5.1 of this Policy, or their appointed delegates, shall be responsible for the processing of data. These individuals will have access to and will handle the databases where personal data collected from third parties by PROQUIMES S.A. is stored.
5.3 INFORMATION SECURITY COMMITTEE
The Information Security Committee will be composed of three members: the Marketing Coordinator, the Human Resources Assistant, and the Purchasing and Logistics Assistant, who are each responsible for data processing in their respective areas. The committee members will be coordinated by the person designated as the Information Security Officer.
5.4 INFORMATION SECURITY OFFICER
The Administrative and Marketing Director, or their temporary delegate, will serve as the Information Security Officer and will coordinate the Information Security Committee. This officer will ensure compliance with this Policy within organizational activities and will oversee, through the committee, the training, dissemination, and scope of the Policy. The Officer and the Information Security Committee shall be responsible for decisions related to the updating, modification, application, and implementation of this Policy.
5.5 DISSEMINATION AND TRAINING
PROQUIMES S.A. will define the processes for dissemination and training related to the content of this Policy through its Information Security Committee.
5.6 INTERNAL ORGANIZATION AND RISK MANAGEMENT.
PROQUIMES S.A. will define any action related to the protection of personal data within its Information Security Committee. Among the members of this committee, one person will be assigned to fulfill the role of Personal Data Protection Officer.
- DEFINITIONS
• Privacy Notice: Verbal or written communication generated by the party responsible for processing personal data, addressed to the Data Subject, which informs them about the existence of applicable data processing policies, how to access them, and the purposes for which their personal data will be used.
• Authorization: Prior, express, and informed consent granted by the Data Subject for the processing of their personal data.
• Databases: An organized collection of personal data that is subject to processing.
• Personal Data: Any information linked or that can be associated with one or more identified or identifiable natural persons.
• Public Data: Data that is not classified as semi-private, private, or sensitive.
• Sensitive Data: Data that affects the privacy of the Data Subject or that, if misused, could lead to discrimination.
• Data Processor: A natural or legal person, public or private, who processes personal data on behalf of the Data Controller.
• Data Controller: A natural or legal person, public or private, who decides independently or in association with others about the database and/or data processing.
• Data Subject: The natural person whose personal data is subject to processing.
• Transfer: Occurs when the Data Controller and/or Processor located in Colombia sends personal data to a recipient who is also a Data Controller and who is located within or outside the country.
• Transmission: The processing of personal data that involves its communication within or outside the territory of Colombia with the purpose of processing it by the Processor on behalf of the Controller.
• Processing: Any operation or set of operations performed on personal data, such as collection, storage, use, circulation, or deletion.
• Data Protection Officer: The role within PROQUIMES S.A. responsible for monitoring and enforcing this Policy under the supervision of the Information Security Committee.
- GUIDING PRINCIPLES
• Principle of Legality in Data Processing: Data processing is a regulated activity that must be conducted in accordance with the provisions of the law and other applicable regulations.
• Principle of Purpose: Data processing must have a legitimate purpose aligned with the Political Constitution and the law, which must be communicated to the Data Subject.
• Principle of Freedom: Data may only be processed with the prior, express, and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that exempts the need for consent.
• Principle of Truthfulness or Quality: The information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. The processing of partial, incomplete, fragmented, or misleading data is prohibited.
• Principle of Transparency: During data processing, the Data Subject must be guaranteed the right to obtain information at any time and without restrictions from the Data Controller or Processor regarding the existence of data concerning them.
• Principle of Restricted Access and Circulation: Data processing is subject to the limits arising from the nature of personal data and constitutional and legal provisions. Personal data may only be processed by persons authorized by the Data Subject and/or those provided for by law.
• Principle of Security: The information subject to processing by the Data Controller or Processor must be handled using the necessary technical, human, and administrative measures to ensure the security of the records and prevent their adulteration, loss, consultation, unauthorized use, or fraudulent access.
• Principle of Confidentiality: All persons involved in the processing of personal data that is not public in nature are obliged to guarantee the confidentiality of the information, even after the termination of their relationship with any of the tasks involved in the processing.
- SPECIAL CATEGORIES OF DATA
8.1 SENSITIVE PERSONAL DATA
Sensitive data refers to any information that affects the privacy of the Data Subject or that, if misused, could result in discrimination. This includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, membership in trade unions, social or human rights organizations, or any group that promotes the interests of political parties or guarantees the rights and safeguards of opposition political parties, as well as data relating to health, sexual life, and biometric data.
PROQUIMES S.A. will restrict the processing of sensitive personal data to what is strictly necessary and will request prior and express consent regarding the purpose of its processing.
8.2 PROCESSING OF SENSITIVE PERSONAL DATA
The use and processing of data classified as sensitive may be carried out when:
• The Data Subject has given their express authorization, except in cases where the law does not require it.
• The processing is necessary to safeguard the vital interests of the Data Subject, and the individual is physically or legally unable to give consent. In such cases, the legal representative(s) must give authorization.
• The processing refers to data that is necessary for the recognition, exercise, or defense of a right in a judicial proceeding.
• The processing has a historical, statistical, or scientific purpose, or occurs within the framework of improvement processes, provided that measures are taken to anonymize the identity of the data subjects.
8.3 PERSONAL DATA OF CHILDREN AND ADOLESCENTS
Minors are the holders of their personal data and, therefore, are entitled to the rights associated with it. According to the provisions of the Political Constitution and in accordance with the Code for Children and Adolescents, the rights of minors must be interpreted and applied with priority and special care.
In accordance with Constitutional Court Ruling C-748 of 2011, the opinions of minors must be considered when processing their data.
PROQUIMES S.A. therefore commits to respecting the prevailing rights of minors in the processing of personal data. The processing of personal data of minors is prohibited, except for public data.
- CLASSIFICATION OF INFORMATION AND DATABASES
The databases are classified as follows:
9.1 CONFIDENTIAL DATABASES
These are electronic files or databases containing confidential information related to PROQUIMES S.A.’s business model. Examples include financial data, personnel databases, sensitive information about executives, suppliers, formulas, research, processes, procedures, and R&D projects. In general, this refers to databases containing information related to the know-how and operational activities of PROQUIMES S.A.
9.2 DATABASES WITH SENSITIVE INFORMATION
These include data that affects the privacy of the Data Subject or that, if misused, could result in discrimination. This encompasses data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social or human rights organizations, or political parties, as well as information related to health, sexual life, and biometric data. At PROQUIMES S.A., access to this type of information is restricted and will only be known to an authorized group of employees.
9.3 DATABASES WITH PUBLIC INFORMATION
These are databases that contain data classified as public under the provisions of the law or the Political Constitution, and that are not deemed semi-private, private, or sensitive. Public data includes, among others, information regarding marital status, profession or occupation, status as a merchant or public servant, and any data that can be obtained without confidentiality restrictions. By nature, public data may be found in public records, public documents, official gazettes and bulletins, enforceable court rulings not subject to confidentiality, social media, and publicly accessible websites.
- RIGHTS AND OBLIGATIONS OF DATA SUBJECTS
• To access, know, update, and rectify their personal data held by PROQUIMES S.A., in its role as the Data Controller.
• To request, through any valid means, a copy of the authorization granted to PROQUIMES S.A., except in cases where the law exempts the requirement for such authorization.
• To be informed by PROQUIMES S.A., upon request, regarding the use that has been made of their personal data.
• To file complaints with legally constituted authorities, particularly with the Superintendence of Industry and Commerce (SIC), for violations of the provisions of current regulations, provided that a prior consultation or claim has been made to the Data Controller.
• To modify and revoke the authorization and/or request the deletion of their personal data when the processing does not respect constitutional principles, rights, and guarantees.
• To be informed of and access, free of charge, their personal data that has been subject to processing.
- DUTIES OF PROQUIMES S.A. IN RELATION TO PERSONAL DATA PROCESSING
PROQUIMES S.A. recognizes that personal data belongs to the individuals to whom it refers, and only they may decide over it. The company will use such data exclusively for activities within the ordinary course of business as defined by its corporate purpose and its legal relationships with contractors, clients, employees, and/or suppliers. In all cases, PROQUIMES S.A. shall comply with the applicable legal framework on the protection of personal data (Law 1581 of 2012, which established the General Personal Data Protection Regime).
- INFORMATION PROCESSING POLICIES
12.1 GENERAL PROVISIONS ON AUTHORIZATION
PROQUIMES S.A. will request authorization for the processing of personal data by any means that can serve as proof. Depending on the case, this authorization may be part of a broader document—such as a contract—or a specific document for this purpose. In any case, the purpose of data processing will be described in the same or an attached document. PROQUIMES S.A. will inform the Data Subject of the following:
• A specific request for the required data.
• The type of processing and the purpose of the use of their personal data.
• The rights of the Data Subject.
• The channels available for submitting inquiries, requests, and/or complaints.
12.2 GUARANTEES FOR THE RIGHT OF ACCESS
PROQUIMES S.A. will guarantee the right of access, provided that the identity of the Data Subject, their legal authority, or the representation of their proxy is duly verified. The company will make available, free of charge and in a detailed manner, the relevant personal data.
12.3 INQUIRIES
Data Subjects or their successors may request access to the personal data stored in the databases of PROQUIMES S.A. Therefore, PROQUIMES S.A. will guarantee the right to inquiry by providing Data Subjects with all information contained in their individual record or linked to their identity. To address inquiries, PROQUIMES S.A. will:
• Enable electronic or other suitable means of communication.
• Establish forms, systems, and other methods.
• Use existing customer service or claims handling services.
Regardless of the mechanism used, inquiries will be answered within a maximum of ten (10) business days from the date of receipt. If an inquiry cannot be answered within this period, the requester will be informed of the reasons for the delay before the initial deadline expires. In no case shall the extension exceed five (5) additional business days. Inquiries related to personal data must be submitted via email to: proteccion-de-datos@proquimes-sa.com.
12.4 COMPLAINTS
The Data Subject or their successors may file a complaint with the Data Controller if they believe that the data contained in a database should be corrected, updated, or deleted, or if they notice a potential breach of any legal obligations related to personal data protection. Complaints must be submitted by completing the “Personal Data Processing Complaint Form,” which can be requested by emailing: proteccion-de-datos@proquimes-sa.com. In this form, the Data Subject must indicate whether they wish their data to be updated, corrected, deleted, or if they wish to revoke their authorization.
For complaints, the provisions of Article 15 of Law 1581 of 2012 must be considered. If the complaint is incomplete, the Data Subject will have five (5) business days to complete it. If after two (2) months the required information is not provided, it will be understood that the complaint has been withdrawn. If the person who receives the complaint is not competent to resolve it, they must forward it to the appropriate party within two (2) business days and inform the interested party accordingly.
Once the complete complaint is received, the maximum response time will be fifteen (15) business days from the next business day after receipt. If the complaint cannot be resolved within this period, the reasons for the delay and the expected response date will be communicated. The new date may not exceed eight (8) business days after the initial deadline.
Paragraph 1: If there is a valid contract or legal act in force between PROQUIMES S.A. and the complainant, the request will be denied.
12.5 RECTIFICATION AND UPDATE OF DATA
PROQUIMES S.A. may rectify and update, at the request of the Data Subject, the information that turns out to be incomplete or inaccurate, in accordance with the procedure and terms previously indicated. In this regard, PROQUIMES S.A. will take into account the following:
In requests for rectification and update of personal data, the data subject must indicate the corrections to be made and provide the documentation that supports their request. PROQUIMES S.A. has full freedom to enable mechanisms that facilitate the exercise of this right, as long as it does not harm the Data Subject. Consequently, electronic means or others that PROQUIMES S.A. considers pertinent may be enabled. PROQUIMES S.A. may establish forms, systems, and other methods, which will be made available to interested parties on the website or requested via email at the address proteccion-de-datos@proquimes-sa.com.
12.6 DELETION OF DATA
The Data Subject may request from PROQUIMES S.A. the deletion (elimination) of their personal data when:
• They consider that the data is not being processed in accordance with the principles, duties, and obligations established in current regulations.
• The data has ceased to be necessary or pertinent for the purpose for which it was collected.
• The period necessary to fulfill the purposes for which it was collected has expired.
The deletion implies the total or partial elimination of personal information as requested by the Data Subject in the records, files, databases, or treatments carried out by PROQUIMES S.A. The right to deletion is not an absolute right, and the data controller may deny its exercise when:
• The Data Subject has a legal or contractual duty to remain in the database.
• The deletion of data hinders judicial or administrative actions related to tax obligations, the investigation and prosecution of crimes, or the updating of administrative sanctions.
• The data is necessary to protect the legally protected interests of the Data Subject, to perform an action in the public interest, or to comply with a legally acquired obligation by the Data Subject.
12.7 REVOCATION OF AUTHORIZATION
Any data subject may revoke, at any time, their consent to the processing of their personal data, provided that a legal or contractual provision does not prevent it. To this end, PROQUIMES S.A. will establish simple mechanisms that allow the Data Subject to revoke their consent. There are two modalities in which consent revocation can occur:
• Regarding all consented purposes, meaning that PROQUIMES S.A. must completely stop processing the Data Subject’s data.
• Regarding certain consented purposes, such as for advertising or market research. In this case, PROQUIMES S.A. must partially stop processing the Data Subject’s data. Other purposes for which the data processing was authorized may still be carried out, as long as the Data Subject agrees with them.
12.8 CONTRACTS
In employment contracts, PROQUIMES S.A. will include clauses in order to authorize, in advance and generally, the processing of personal data related to the execution of the contract, including the authorization to collect, modify, or correct, in the future, the personal data of the holder. It will also include authorization for some of the personal data, if applicable, to be accessed by third parties with whom PROQUIMES S.A. has service provision or other types of contracts, for the performance of tasks related to the contract. These clauses will mention this Policy.
In contracts with third parties, when the contractor requires personal data, PROQUIMES S.A. will provide such data only when there is prior and express authorization from the data subject for this transfer. In these cases, since the third parties are data processors, their contracts will include clauses that specify the purposes and treatments authorized by PROQUIMES S.A., and precisely define the use that such third parties may make of the data.
12.9 TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
The transfer of personal data to third countries will only be carried out when there is corresponding authorization from the Data Subject.
- GENERAL APPLICABLE RULES
PROQUIMES S.A. establishes the following general rules for the protection of personal and sensitive data, as well as for the care of databases, electronic files, and personal information:
• PROQUIMES S.A. will ensure the authenticity, confidentiality, and integrity of the information.
• The Security Committee will be responsible for designing and implementing the strategy to ensure compliance with this Policy.
• PROQUIMES S.A. will take all necessary technical measures to guarantee the protection of existing databases. In cases where the infrastructure depends on a third party, it will ensure that data availability and the protection of personal and sensitive data are fundamental objectives.
• Audits and periodic controls will be carried out to guarantee the correct implementation of Law 1581 of 2012 and its regulatory decrees.
• It is the responsibility of employees, collaborators, contractors, shareholders, and members of the board of directors of PROQUIMES S.A. to report any incident related to data breaches, computer damage, personal data violations, data commercialization, the use of personal data of minors, identity theft, or any behavior that may compromise the privacy of an individual.
• To guarantee the protection of personal information, PROQUIMES S.A. will adopt all necessary mechanisms on its transactional portals to ensure data confidentiality. This may include adopting technological security measures, such as security software, digital signatures, SSL certificates, Hypertext Transfer Protocol Secure (HTTPS), and other necessary tools to safeguard and protect the company's databases.
• The training and education of employees, suppliers, and contractors will be a fundamental component of these Policies.
• The Data Protection Officer will be responsible for identifying and promoting data subject authorizations, privacy notices, website notices, awareness campaigns, claim legends, and other procedures to ensure compliance with Law 1581 of 2012 and other related regulations.
- FUNCTION OF PERSONAL DATA PROTECTION WITHIN PROQUIMES S.A.
14.1 RESPONSIBLE PARTIES
The Responsible Party for the processing of personal data is the "natural or legal person, public or private, who decides on the database and/or data processing." In this sense, the responsible party is the one who defines the purposes and means of processing personal data and guarantees compliance with legal requirements. In the case of PROQUIMES S.A., the person responsible for adopting the necessary measures for the proper processing of personal data is the Data Protection Officer.
14.2 PROCESSORS
A Processor of personal data is "the natural or legal person, public or private, who processes personal data on behalf of or at the instruction of the responsible party." This means that for each data processing activity, the respective processors must be identified, and they must act under the precise instructions of a responsible party.
14.3 PROCESSORS' DUTIES
PROQUIMES S.A. distinguishes between Internal Processors and External Processors. Internal Processors are employees and collaborators of PROQUIMES S.A., while External Processors are natural or legal persons who process data provided by the entity to perform an assigned task (suppliers, consultants, etc.).
14.4 INTERNAL DEPLOYMENT OF THE DATA PROTECTION POLICY
Upon adopting this Policy, PROQUIMES S.A. will establish:
• Terms and conditions for the use of external IT tools: Self-regulation of the principles and rules established by Law 1581 of 2012, specifically aimed at protecting the right to habeas data of clients, users, and, in general, any natural person who interacts with an IT application (element that manages information, whether physical or electronic).
• Data Protection Officer: In compliance with the legal duty established in Article 17 of Law 1581 of 2012, regarding the need to assign direct responsibilities to an individual within the organization, the role of Data Protection Officer is created, headed by the Information Security Officer or whoever they designate, and forming part of the Information Security Committee. Based on the guidelines defined by the Security Committee, the Data Protection Officer will coordinate all actions to ensure the effective implementation of the Personal Data Protection Policy within PROQUIMES S.A.
The main obligations of the Security Committee are as follows:
• Ensure the Data Subject, at all times, the full and effective exercise of the right to habeas data.
• Request and keep a copy of the respective authorization granted by the Data Subject, under the conditions provided by the current law.
• Inform the Data Subject properly about the purpose of data collection and the rights that assist them by virtue of the granted authorization.
• Maintain information under the necessary security conditions to prevent its alteration, loss, consultation, unauthorized or fraudulent use or access.
• Ensure that the information provided to the Processor is truthful, complete, accurate, updated, verifiable, and understandable.
• Update the information by promptly communicating to the Processor any news regarding the data previously supplied and adopt the necessary measures to keep the information up-to-date.
• Rectify incorrect information and inform the Processor accordingly.
• Provide the Processor, as appropriate, only data whose processing is previously authorized under the provisions of the law.
• Require the Processor, at all times, to comply with the data subject's security and privacy protocols.
• Address queries and complaints submitted in the terms established by the law.
• Notify the Processor when certain information is being disputed by the Data Subject, once the claim has been filed and the corresponding process is ongoing.
• Upon the Data Subject's request, inform them of how their personal data has been used.
• Notify the Data Protection Authority (SIC) when security code violations occur, and there are risks in managing the Data Subject's information.
• Comply with instructions and requirements issued by the Superintendence of Industry and Commerce (SIC).
- NATIONAL DATABASE REGISTRY
According to the provisions of Decree 886 of 2014, which regulates Article 25 of Law 1581 of 2012, PROQUIMES S.A. will independently register in the National Database Registry each of the databases containing personal data processed by the Company (Articles 2 and 3 of Decree 886 of 2014), identifying each of these databases according to the purpose for which they were created (Article 9 of Decree 886 of 2014). In the registration of the databases, PROQUIMES S.A. will indicate its corporate name, tax identification number, as well as its location data and contact information of the responsible person.
PROQUIMES S.A. will also indicate in the National Database Registry the corporate name, tax identification number, location, and contact information of the Data Processors (Article 7 of Decree 886 of 2014).
Finally, PROQUIMES S.A. must update the information registered in the National Database Registry when substantial changes occur.
- VALIDITY AND UPDATE
This Policy comes into effect upon its approval by the Information Security Committee, and its update will depend on the instructions of said Committee. Actions aimed at the protection of personal data will be coordinated within the Information Security Committee, which will carry out semi-annual reviews of the proper execution of the Policy jointly with the Company's Data Protection Officer. The approved version of this Policy will be published on the official website of PROQUIMES S.A. It is the duty of PROQUIMES S.A. employees and collaborators to be familiar with this Policy and take all necessary actions for its compliance, implementation, and maintenance. This Personal Data Protection Policy was approved in the session of the Security Committee of PROQUIMES S.A. on the second (02) day of the fifth (05) month of the year two thousand twenty-three (2023).