Identification of the data controller

Company name: Soto Coffee
NIT: 98349244-6
Address: Mz J Ca 17 Condominio Ciudad Real.
San Juan de Pasto (Nariño).

Legal regulations

This Personal Data Processing Policy is prepared in accordance with the provisions of the Political Constitution, Law 1581 of 2012, Regulatory Decree 1377 of 2013 and other complementary provisions.

Scope of application

It will be applied by SOTO COFFEE, with respect to the collection, storage, use, circulation, suppression, updating and in general of that information that constitutes a treatment of personal data, in the development of its administrative and operational activities.

Definitions

For the purposes of this policy and in accordance with legal regulations, the following definitions shall apply:

a) Authorization: Prior, express and informed consent of the Data Subject to carry out the Processing of personal data;

b) Privacy Notice: A physical, electronic or any other format generated by the Controller that is made available to the Data Subject for the processing of his/her personal data. Therefore, the Privacy Notice communicates to the Data Subject the information regarding the existence of the data processing policies that will be applicable to him/her, how to access them and the purpose of the processing that is intended to be given to the personal data;

c) Database: Organized set of personal data that is the object of processing;

d) Personal data: Any information linked or that can be associated to one or several determined or determinable natural persons;

e) Public data: It is the data qualified as such according to the provisions of the law or the Constitution and that which is not semi-private, private or sensitive. Public data includes, among others, data relating to the marital status of individuals, their profession or trade, their status as merchants or public servants, and data that may be obtained without any reservation whatsoever. By their nature, public data may be contained, among others, in public records, public documents, gazettes and official bulletins;

f) Private data: It is data that, due to its intimate or reserved nature, is only relevant to the owner;

g) Sensitive data: Sensitive data are understood as those that affect the privacy of the Data Subject or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sex life and biometric data;

h) Data Processor: Natural or legal person, public or private, that by itself or in association with others, carries out the processing of personal data on behalf of the Data Controller;

i) Data Controller: Natural or legal person, public or private, that by itself or in association with others, decides on the database and/or the Processing of the data;

j) Holder: Natural person whose personal data is processed;

k) Treatment: Any operation or set of operations on personal data, such as the collection, storage, use, circulation or deletion of such data.

Purpose for which the collection of personal data and their processing is carried out

a. Execute the existing contractual relationship with its customers, suppliers and employees, including the payment of contractual obligations;
b. To provide the services and/or products required by its users;
c. To inform about new products or services and/or changes in them;
d. Evaluate the quality of service;
e. Conduct internal studies on consumption habits;
f. Send to the physical mail, electronic mail, cell phone or mobile device, via text messages (SMS and/or MMS) or through any other analog and/or digital means of communication created or to be created, commercial, advertising or promotional information about the products and/or services, events and/or promotions of commercial or non-commercial nature of these, in order to promote, invite, direct, execute, inform and in general, carry out campaigns, promotions or contests of commercial or advertising nature, advanced by SOTO COFFEE and/or third parties;
g. To develop the selection, evaluation and employment process;
h. Support internal or external audit processes;
i. Register the information of employees and/or pensioners (active and inactive) in SOTO COFFEE's databases, those indicated in the authorization granted by the owner of the data or described in the respective privacy notice, as the case may be;
j. Provide, share, send or deliver your personal data to SOTO COFFEE's subsidiaries, affiliates or subordinate companies located in Colombia or any other country in the event that such companies require the information for the purposes indicated herein.

Regarding the data (i) collected directly at security points, (ii) taken from documents provided by individuals to security personnel and (iii) obtained from video recordings made inside or outside SOTO COFFEE facilities, these will be used for security purposes of people, goods and facilities of the company and may be used as evidence in any type of process.

If personal data is provided, such information will be used only for the purposes stated herein, and therefore, SOTO COFFEE will not proceed to sell, license, transmit, or disclose the same, unless: (i) there is express authorization to do so; (ii) it is necessary to allow contractors or agents to provide the services entrusted; (iii) it is necessary in order to provide our services and/or products; (iv) it is necessary to disclose it to entities that provide marketing services on behalf of SOTO COFFEE or to other entities with which we have joint market agreements; (v) the information is related to a merger, consolidation, acquisition, divestiture or other restructuring process of the company; (vi) it is required or permitted by law. In addition, SOTO COFFEE may subcontract to third parties for the processing of certain functions or information.

When effectively outsourcing the processing of personal information to third parties or providing information to third party service providers, SOTO COFFEE warns such third parties about the need to protect such personal information with appropriate security measures, prohibits the use of the data for their own purposes and requests that personal information is not disclosed to others.

Principles applicable to the processing of personal data

a) Principle of finality: The processing of personal data collected must be carried out for a legitimate purpose, which must be communicated to the Data Subject;
b) Principle of freedom: The processing can only be carried out with the prior, express and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of legal or judicial mandate that relieves the consent;
c) Principle of truthfulness or quality: The information subject to processing must be truthful, complete, accurate, updated, verifiable and understandable. Partial, incomplete, fractioned or misleading data will not be processed;
d) Principle of transparency: The right of the Data Subject to obtain from SOTO COFFEE at any time and without restrictions, information about the existence of data concerning him/her, must be guaranteed;
e) Principle of restricted access and circulation: The treatment is subject to the limits derived from the nature of the personal data, the provisions of this law and the Political Constitution. Personal data, except for public information and the provisions of the authorization granted by the owner of the data, may not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to the Owners or authorized third parties;
f) Security principle: The information subject to treatment by SOTO COFFEE, shall be protected through the use of technical, human and administrative measures that are necessary to provide security to the records avoiding its adulteration, loss, consultation, use or unauthorized or fraudulent access;
g) Principle of confidentiality: All persons involved in the processing of personal data are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks involved in the processing.

PARAGRAPH ONE: In the event that sensitive personal data is collected, the Data Subject may refuse to authorize its processing.

Information control and security measures

a) The documents and media on which the databases are located are determined in the inventory of documents and media.
b) The documents and supports must classify the data according to the type of information they contain, be inventoried and be accessible only by authorized personnel, unless the characteristics of the same make the aforementioned identification impossible, in which case a reasoned record shall be made in the incoming and outgoing document register.
c) The output of documents and media containing personal data outside the premises under the control of the data controller must be authorized by the latter, this precept is also applicable to documents or media attached and sent by e-mail.

The holders of personal data by themselves or through their representative and/or attorney-in-fact or their successor in title may exercise the following rights with respect to the personal data processed by SOTO COFFEE:

a) Right of access: By virtue of which you may access the personal data under the control of SOTO COFFEE, in order to consult them free of charge at least once every calendar month, and every time there are substantial modifications to the Data Processing Policies that motivate new consultations;
b) Right to update, rectification and suppression: By virtue of which you may request the update, rectification and/or suppression of the personal data being processed, in such a way that the purposes of the processing are satisfied;
c) Right to request proof of authorization: except in the events in which, according to the legal regulations in force, authorization is not required to carry out the processing;
d) Right to be informed about the use of personal data;
e) Right to file complaints before the Superintendence of Industry and Commerce: for violations of the provisions of the current regulations on the treatment of personal data;
f) Right to require compliance with the orders issued by the Superintendence of Industry and Commerce.

PARAGRAPH ONE: For purposes of exercising the rights described above, both the holder and the person representing the holder must prove their identity and, if applicable, the capacity by virtue of which they represent the holder.

PARAGRAPH TWO: The rights of minors shall be exercised through the persons empowered to represent them.

Duties of SOTO COFFEE

All those obliged to comply with this policy must keep in mind that SOTO COFFEE is obliged to carry out the duties imposed by law, therefore, it will apply the personal data treatment regulations when it acts:

A. As data controller: (i) Request and keep, under the conditions set forth in this policy, a copy of the respective authorization granted by the holder. (ii) Clearly and sufficiently inform the owner about the purpose of the collection and the rights he/she has by virtue of the authorization granted. (iii) Inform upon request of the holder about the use given to their personal data. (iv) To process queries and claims formulated under the terms set forth in this policy. (v) To ensure that the principles of truthfulness, quality, security and confidentiality are observed in accordance with the terms established in the following policy. (vi) Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access. (vii) Update the information when necessary. (viii) Rectify personal data when appropriate.
B. As a person in charge of the processing of personal data: If you are processing data on behalf of another entity or organization (Data Controller) you must comply with the following duties: (i) Establish that the controller is authorized to provide the personal data that it will process as processor. (ii) Guarantee the holder, at all times, the full and effective exercise of the right of habeas data. (iii) Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access. (iv) Timely update, rectification or deletion of data. (v) Update the information reported by the data controllers within five (5) business days of receipt. (vi) To process queries and claims formulated by the owners in the terms indicated in this policy. (vii) Register in the database the legend "complaint in process" in the manner established in this policy. (viii) Insert in the database the legend "information under judicial discussion" once notified by the competent authority about judicial processes related to the quality of the personal data. (ix) Refrain from circulating information that is being disputed by the owner and whose blocking has been ordered by the Superintendence of Industry and Commerce. (x) Allow access to the information only to persons authorized by the owner or empowered by law for such purpose. (xi) Inform the Superintendence of Industry and Commerce when there are violations to the security codes and there are risks in the administration of the information of the owners. (xii) Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
C. When processing is carried out through a processor: (i) To provide the data processor only with the personal data whose processing is previously authorized. For the purposes of the national or international transmission of data, a contract for the transmission of personal data must be signed or contractual clauses must be agreed upon in accordance with the provisions of article 25 of decree 1377 of 2013. (ii) Ensure that the information provided to the data processor is truthful, complete, accurate, up-to-date, verifiable and understandable. (iii) Communicate in a timely manner to the data processor all developments regarding the data previously provided and take other necessary measures to ensure that the information provided to it is kept up to date. (iv) Inform in a timely manner to the data processor the rectifications made on the personal data so that it proceeds to make the appropriate adjustments. (v) To require the data processor, at all times, to respect the security and privacy conditions of the owner's information. (vi) Inform the data processor when certain information is under discussion by the owner, once the claim has been filed and the respective process has not been completed.
D. Duties with respect to the Superintendency of Industry and Commerce: (i) Report possible violations of security codes and the existence of risks in the management of the information of the owners. (ii) Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

Authorization request to the owner of the personal data

Before and/or at the time of collecting the personal data, SOTO COFFEE will request the data owner's authorization to collect and process the data, indicating the purpose for which the data is requested, using automated, written or oral technical means, which allow preserving proof of the authorization and/or the unequivocal conduct described in article 7 of Decree 1377 of 2013. Such authorization shall be requested for the time that is reasonable and necessary to meet the needs that gave rise to the request for the data and, in any case, in compliance with the legal provisions governing the matter.

Privacy Notice

In the event that SOTO COFFEE cannot make available to the owner of the personal data the present data treatment policy, it will publish the privacy notice attached to this document, whose text will be kept for later consultation by the owner of the data and/or the Superintendence of Industry and Commerce. Additionally, audits will be established for the purpose of monitoring compliance with the policy and the procedures derived from the implementation of the same.

Temporary limitations to the processing of personal data

SOTO COFFEE may only collect, store, use or circulate the personal data during the time that is reasonable and necessary, according to the purposes that justified the treatment, taking into account the provisions applicable to the matter in question and the administrative, accounting, fiscal, legal and historical aspects of the information. Once the purpose or purposes of the processing have been fulfilled, and notwithstanding any legal provisions to the contrary, the personal data in its possession shall be deleted. Notwithstanding the foregoing, personal data must be retained when required for compliance with a legal or contractual obligation.

Area responsible and procedure for the exercise of the rights of the holders of personal data

The Management Area of SOTO COFFEE will be responsible for attending the petitions, complaints and claims made by the owner of the data in exercise of the rights contemplated in numeral 8 of the present policy, with the exception of the one described in its literal e). For such effects, the owner of the personal data or whoever exercises its representation will be able to send its petition, complaint or claim:

Schedule: Monday to Friday from 8:00 a.m. to 12m and from 2:00 p.m. to 5:00 p.m.
E-mail: pqrs@sotocoffee.com.co
Phone: (32) xxxxx
Cellphone: 31x xxx xxxx
Office address: Mz J Ca 17 Condominio Ciudad Real. San Juan de Pasto (Nariño).

The petition, complaint or claim must contain the identification of the Holder, the description of the facts that give rise to the claim, the address and accompanying documents to be asserted. If the claim is incomplete, the interested party will be required within five (5) days after receipt of the claim to correct the faults.

After two (2) months from the date of the request, without the applicant submitting the required information, it will be understood that the claim has been withdrawn. In the event that the person receiving the claim is not competent to resolve it, he/she will transfer it to the appropriate person within a maximum term of two (2) business days and will inform the interested party of the situation. Once the complete claim has been received, a legend will be included in the database stating "claim in process" and the reason for the claim, within a term not exceeding two (2) business days. Said legend shall be maintained until the claim is decided. The maximum term to address the claim shall be fifteen (15) business days from the day following the date of receipt. When it is not possible to address the claim within such term, the interested party shall be informed of the reasons for the delay and the date on which the claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.

SECURITY MEASURES: In furtherance of the security principle established in Law 1581 of 2012, SOTO COFFEE will adopt the technical, human and administrative measures that are necessary to provide security to the records, avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access. The personnel who process personal data will execute the established protocols in order to guarantee the security of the information. Additionally, audits will be established for the purpose of monitoring compliance with the policy and the procedures derived from its implementation.

Physical or electronic database exchange policy

SOTO COFFEE does not sell the information of its users or share personal data without authorization of the holder, by physical and electronic means. In compliance with the provisions of Article 26 of the Statutory Law 1581 of 2012, SOTO COFFEE refrains from transferring personal data to other countries that do not have equal or higher standards of protection. However, the following exceptions shall apply: a) Information with respect to which the Data Subject has given his/her express and unequivocal authorization for the transfer; b) Exchange of medical data, when required by the treatment of the holder for reasons of public health or hygiene; c) Bank or stock exchange transfers, in accordance with the applicable legislation; d) Transfers agreed within the framework of international treaties to which the Republic of Colombia is a party, based on the principle of reciprocity; e) Transfers necessary for the execution of a contract between the Data Subject and the Data Controller, or for the execution of pre-contractual measures as long as the authorization of the Data Subject is obtained.

Backup of personal information

The database will be backed up on a monthly basis.

Procedure or control in place for the final disposal of personal information

If the data is stored in applications, databases or computer media, the deletion or disassociation, if applicable, shall be requested to the IT support department to proceed with the corresponding development using the deletion or disassociation request form according to the model proposed in the annex to this procedure. If the data are contained in documents, the deletion or dissociation, if applicable, shall be carried out using a paper shredder or, if the data are kept, by means of an inactive file.

Validity

This policy is effective as of December 1, 2020 and supersedes any special regulations or manuals that may have been adopted by academic and/or administrative bodies at SOTO COFFEE.

Sincerely yours,