Privacy notice and data processing policy
ARANDA SOFTWARE ANDINA S.A.S. is committed to the proper treatment of the personal data that it manages as Responsible, therefore, it informs all information holders of this policy of treatment of personal data, whose application is mandatory for all natural or legal persons who directly or indirectly carry out treatment of personal data that are managed by the Organization in the exercise of its corporate purpose.
Thus, this Policy is established not only in order to comply with the Law, but also with the purpose of providing clear and sufficient information on the purposes for which the personal data of the owners that make up the databases of the organization, including employees, suppliers, shareholders, customers as consumers, among others, are processed. Similarly, it is consolidated in order to publicize the procedure implemented by the organization to ensure the exercise of the right of Habeas Data and to indicate the guidelines that guarantee the protection of personal data that are processed in ARANDA SOFTWARE ANDINA S.A.S.
This policy applies to all databases, both physical and digital, containing personal data and which are subject to treatment by ARANDA SOFTWARE ANDINA S.A.S. as Responsible, also in those cases in which they operate as a person in charge of the processing of personal data.
ARANDA SOFTWARE ANDINA S.A.S.commercial company identified with NIT 830.099.766-1 is constituted as a Colombian company, whose corporate purpose is to provide development services, production and marketing of software projects at national and international level.
● PHYSICAL ADDRESS: Diagonal 97 # 17 - 60 Office 702 Bogotá D.C.
● WEBSITE: www.arandasoft.com
● PHONE: +57 (1) 7563000
● EMAIL: protecciondedatos@arandasoft.com
This Policy establishes the general guidelines for the protection and processing of personal data within the company, thus strengthening the level of trust between the Controller and the Data Controllers in relation to the processing of their information; informing the Data Controllers of the purposes and transfers to which their personal data are submitted and the mechanisms and forms for the exercise of their rights.
This Policy of Treatment and Protection of Personal Data will be applied to all databases and/or files that include personal data that are subject to treatment by ARANDA SOFTWARE ANDINA S.A.S., as responsible for the treatment of personal data .
This is version 4.0 of the company's personal data processing policy. the company's personal data treatment policy, based on the process of updating the databases process of updating databases in compliance with External Circular 003 of 2018. 2018.
● Habeas Data: The right of every person to know, update and rectify the information that has been collected about him/her in files and data banks of a public or private nature.
● Personal data: Any information linked or that can be associated to one or more determined or determinable natural person(s).
● Database Data Base: Organized set of personal data that is the subject of processing.
● Processing: Any operation or set of operations on personal data , such as collection, storage, use, circulation or deletion.
● Authorization: Prior, express and informed consent of the Data Subject to carry out the processing of personal data.
● Privacy Notice: It is the physical, electronic document or in any other known or to be known format, which is made available to the Data Subject in order to inform about the processing of their personal data.
● Headline: Natural person whose personal data is the subject of processing.
● Causeword: Person who by succession or transmission acquires the rights of another person.
● Responsible for the treatment: Natural or legal person, public or private, who by himself or in association with others, decides on the database and/or the processing of the data.
● Erocessor: Natural or legal person, public or private, who by himself or in association with others, carries out the processing of personal data on behalf of the Data Controller.
The following guiding principles shall apply to the protection of personal data:
a) Principle of legality in data processing: The processing referred to in the Habeas Data Law is a regulated activity that must be subject to the provisions set forth therein and in the other provisions that develop it.
b) Principle of purpose: The processing must obey a legitimate purpose in accordance with the Constitution and the law, which must be informed to the Data Subject.
c) Principle of freedom: Processing may only be exercised with the prior, express and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of legal or judicial mandate that relieves the consent.
d) Principle of truthfulness or quality: The information subject to processing must be truthful, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fractioned or misleading data is prohibited.
e) Principle of transparency: In the processing, the right of the Data Subject to obtain from the Controller or Processor, at any time and without restriction, information about the existence of data concerning him/her must be guaranteed.
f) Principle of restricted access and circulation: The treatment is subject to the limits derived from the nature of the personal data, from the provisions of the law and the Constitution. In this sense, the processing may only be carried out by persons authorized by the Data Subject and/or by the persons provided for by law.
Personal data, except for public information, may not be made available on the Internet or other means of mass dissemination or communication, unless access is technically controllable to provide restricted knowledge only to Data Holders or authorized third parties in accordance with the law.
g) Principle of security: The information subject to processing by the Data Controller or Data Processor referred to in the Habeas Data Law, shall be handled with the technical, human and administrative measures necessary to provide security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.
h) Principle of confidentiality: All persons involved in the processing of personal data that are not of a public nature are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks involved in the processing, and may only supply or communicate personal data when this corresponds to the development of the activities authorized by law and under the terms of the same.
Personal data owners shall enjoy the following rights, and those granted to them by law:
a) To know, update and rectify their personal data with respect to the Data Controller or Data Processors. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or data whose processing is expressly prohibited or has not been authorized.
b) Request proof of the authorization granted to the Data Controller, except when expressly exempted as a requirement for the processing, in accordance with the provisions of Article 10 of the Law.
c) To be informed by the Data Controller or the Data Processor, upon request, regarding the use that has been made of their personal data.
d) File before the Superintendence of Industry and Commerce complaints for violations to the provisions of the law and other regulations that modify, add or complement it.
e) To revoke the authorization and/or request the deletion of the data when the principles, rights and constitutional and legal guarantees are not respected in the processing. The revocation and/or deletion shall proceed when the Superintendence of Industry and Commerce has determined that in the processing the Controller or Processor have incurred in conduct contrary to the law and the Constitution.
f) Access free of charge to your personal data that have been processed.
Without prejudice to the exceptions provided for in the Statutory Law 1581 of 2012, as a general rule in the processing of personal data, ARANDA SOFTWARE S.A.S.will collect the prior and informed authorization of the Data Subject, which may be obtained by any means that may be subject to subsequent consultation.
7.1 Events in which authorization is not required
The authorization of the Holder shall not be necessary in the case of:
a) Information required by a public or administrative entity in the exercise of its legal functions or by court order.
b) Data of a public nature.
c) Cases of medical or sanitary emergency.
d) Processing of information authorized by law for historical, statistical or scientific purposes.
e) Data related to the Civil Registry of Persons.
ARANDA SOFTWARE ANDINA S.A.S. as responsible for the processing of personal data, shall comply with the following duties:
a) Guarantee the Data Subject, at all times, the full and effective exercise of the right of habeas data.
b) Request and keep, under the conditions set forth in the law, a copy of the respective authorization granted by the Data Subject.
c) Duly inform the Data Subject about the purpose of the collection and the rights to which he/she is entitled by virtue of the c) Duly inform the Data Subject about the purpose of the collection and the rights he/she is entitled to by virtue of the authorization granted.
d) To keep the information under the necessary security conditions to prevent its adulteration, loss, misuse, alteration, loss or destruction. to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access. authorized or fraudulent use or access.
e) Guarantee that the information provided to the Data Controller is truthful, complete, complete, accurate, complete, complete, complete, complete, complete, complete, complete, complete, complete, complete, complete, complete, complete and e) Guarantee that the information provided to the Data Controller is truthful, complete, accurate, updated, verifiable and understandable. understandable.
f) To update the information, communicating in a timely manner to the Data Processor, any new of the treatment, all the news with respect to the data that has been previously previously provided, and to adopt the other necessary measures to ensure that the information necessary so that the information provided to the Data Controller is kept up to date. updated.
g) Rectify the information when it is incorrect and communicate the pertinent to the Data Processor. to the Data Processor.
h) To provide to the Data Processor, as the case may be, only data whose processing is previously data whose processing is previously authorized in accordance with the provisions of this law. the provisions of this law.
i) To demand from the Data Processor, at all times, the respect for the conditions of security and privacy of the information. i) Require the Data Controller to respect at all times the security and privacy conditions of the Data Subject's information.
j) To process the queries and claims formulated under the terms set forth in the Statutory Law in the Statutory Law 1581 of 2012.
k) Adopt an internal manual of policies and procedures to ensure adequate compliance with the law and, in particular, for the handling of queries and complaints.
l) Inform the Data Controller when certain information is under discussion by the Data Subject, once the claim has been submitted to
and the respective process has not been completed.
m) To inform, upon request of the Data Subject, about the use given to his/her data.
n) Inform the data protection authority when there are violations to the security codes and there are risks in the
administration of the information of the Data Holders.
o) Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
9.1 Processing of Employees' personal data
ARANDA SOFTWARE ANDINA S.A.S. collects the personal data of its Employees which are classified by the company as confidential, and will only be disclosed by the company with the express authorization of the owner or when requested by a Competent Authority.
The purposes for which the personal data of the company's employees are used will be:
a) To comply with the obligations imposed by Colombian labor law to employers, or the orders issued by the competent Colombian or foreign authorities.
b) To issue certifications regarding the relationship of the data owner with the Company.
c) Comply with the obligations imposed on the company as an employer, in relation to Occupational Safety and Health standards, and the so-called Occupational Safety and Health Management System (SG-SST).
d) Manage the functions performed by the workers.
e) Execute the different stages of the Company's disciplinary processes and consult memos, warnings or any type of sanction imposed on employees.
f) Contacting family members in case of emergency.
g) To manage and control the payroll.
h) Controlling employees' working hours and overtime.
i) Keeping a control of incapacities, absenteeism, leaves of absence and vacations of employees.
j) Keeping a control of the training given to workers.
k) Store your personal data, including biometric data on its website as a support of the activities carried out.
l) Comply with the biosafety protocols applicable to the Company in accordance with the provisions issued by the National Government.
m) To carry out control, follow-up and evaluation of the workers.
n) Take images and photographs necessary for the recognition of the worker, compliance control and collection of evidence of the services rendered.
o) Additionally, biometric data of employees are used for commercial purposes related to the Company's corporate purpose.
p) Communicate information about employees to third parties with which the Company maintains a contractual relationship, partners or consortiums and customers to the extent necessary to comply with the protocol of the third parties, for the sole purpose of allowing them to manage the control and coordination of the personnel who effectively provide the services arising from the professional relationship, as well as to enable compliance with legal, tax and social security obligations.
q) Communicate workers' identification data to travel agencies, transportation companies, hotels and other entities for the management of reservations and settlement of expenses incurred.
r) To carry out international transfer or transmission of data to countries that provide similar protection to Colombia.
s) delivery of information to third parties in charge of evaluation, training, certification and other processes required in the development of the contractual relationship.
t) Verify, compare and evaluate the labor and personal competencies of employees.
u) Sending information to compensation funds, AFP, ARL, insurance companies, among others.
v) Initiate internal investigations based on complaints filed by active and non-active employees, third parties or the collaborators themselves.
w) Handling of complaints against employees for harassment at work or violation of codes of conduct.
ARANDA SOFTWARE ANDINA S.A.S. stores the personal data of its employees, including those obtained in the development of the selection process, and keeps them in a folder identified with the name of each one
of them.
Such folder will only have access and will be treated by the Human Resources Area and the Administrative Area in order to manage the contractual relationship between ARANDA SOFTWARE ANDINA S.A.S. and the employee .
ARANDA SOFTWARE ANDINA S.A.S. treats sensitive personal data of its employees such as the data of their minor children with the sole purpose of registering them as beneficiaries of the social security and parafiscal system.
For the purposes of this Processing, the respective authorization is collected, which in any case will be express and optional, clearly indicating the Sensitive Personal Data to be processed and the purpose of such processing.
Likewise, it will have high security systems for the handling of those sensitive data and its reserve, in the understanding that such sensitive data will only be used by ARANDA SOFTWARE ANDINA S.A.S. for the aforementioned purposes .
Upon termination of the employment relationship, ARANDA SOFTWARE ANDINA S.A.S. will proceed to store all personal data obtained from the selection process and the documentation generated in the development of the employment relationship, in a central file with restricted access, subjecting the information at all times to appropriate security measures and levels, given that the employment information may contain sensitive data.
In any case, the information will not be processed for a period exceeding twenty (20) years from the termination of the employment relationship, or in accordance with the legal or contractual circumstances that make it necessary to handle the information.
Finally, the Company informs that in accordance with the provisions of External Circular 008 of 2020 of the Superintendence of Industry and Commerce, the sensitive personal data that were collected to comply with the biosecurity protocols in the framework of the pandemic by the COVID- 19 were only used for the purposes indicated by the Ministry of Health and Social Protection, and will only be stored for the reasonable and necessary time to demonstrate compliance with such regulatory provisions. Once the purpose of the Personal Data Processing has been fulfilled, the Company will automatically delete the collected data.
9.2 TTreatment of Trainees' personal data:
ARANDA SOFTWARE ANDINA S.A.S. collects the personal data of its trainees and stores them in a database which is classified by the company as confidential, and will only be disclosed with the express authorization of the owner or when requested by a Competent Authority.
The purposes for which are used the personal data of the trainees of the ARANDA SOFTWARE ANDINA S.A.S. will be:
a) To comply with the obligations imposed by Colombian labor law on employers, especially with the provisions of Law 789 of 2002 and its Regulatory Decrees.
b) Issue certifications regarding the relationship of the data subject with the company.
c) To corroborate any requirement that may arise in the development of the apprenticeship process.
d) Comply with the obligations imposed on the company as an employer, in relation to Occupational Safety and Health standards, and the so-called Occupational Safety and Health Management System (SG-SST).
e) Manage the functions developed by the trainees.
f) To monitor the development of the trainees in the teaching and practical stages.
g) Contacting family members in case of emergency.
In any case, the information will not be processed for a period longer than the duration of the applicant's relationship with the company, which in no case may exceed two (2) years, and the additional time required according to the legal or contractual circumstances that make it necessary to handle the information.
9.3 Processing of customer personal data:
ARANDA SOFTWARE ANDINA S.A.S. collects the personal data of its customers and stores them in a database which is classified by the Company as confidential, and will only be disclosed with the express authorization of the owner or when requested by a Competent Authority.
The purposes for which are used the personal data of customers of ARANDA SOFTWARE ANDINA S.A.S. CUSTOMERS. will be:
a) Process of control and accounting registration of obligations contracted with clients.
b) Compliance with tax and legal aspects before public and regulatory entities.
c) Compliance with contractual obligations, for which the information may be transferred to third parties, such as financial entities, allied third parties, notaries, lawyers, etc.
d) Compliance with judicial decisions and administrative, legal, fiscal and regulatory provisions.
e) Transmission of information and personal data in audit processes.
f) Administrative management for the execution of the pre-contractual, contractual and post-contractual stages.
g) Creation of the client in the Company's platforms or software
h) Ensure the provision of development services, production and marketing of software projects.
i) Ensure compliance with the rights that correspond to them under Law 1581 of 2012.
j) Conduct business prospecting and marketing activities.
k) Evaluate customer service and conduct satisfaction surveys.
l) Share the information with third party allies that collaborate with the company, considering that for the fulfillment of their assignments they must access to some extent to the information, which will also be subject to the obligations of confidentiality, handling of information and protection of personal data to which this company is subject.
m) Process requests, complaints or claims established directly by the customer through the customer service channels.
n) Contact the customer through physical and electronic means - email, SMS or chat to send information of interest or related to the contractual relationship, invite them to training or with the portfolio of services.
o) Maintain business contact with the Company, even after the end of the contractual relationship.
p) Consult as good business practice or legal obligation, background of customers in restrictive lists, OFAC lists, PEPS,
Clinton and UN, in order to prevent money laundering and terrorist financing.
In any case, the information will not be processed for a period longer than the duration of the contractual relationship between the customer and the Company, and the additional time required according to the legal or contractual circumstances that make necessary the handling of the information.
9.4 Processing of personal data of Suppliers and Contractors:
ARANDA SOFTWARE ANDINA S.A.S. collects personal data from its suppliers and contractors and stores them in a database which, although it consists mostly of public data, is classified by the company as confidential, and that, in the case of private data, will only be disclosed by the company with the express authorization of the owner or when requested bya CompetentAuthority .
The purposes for which are used the personal data of suppliers and contractors of ARANDA SOFTWARE ANDINA S.A.S. will be:
a) Manage accounts receivable submitted by suppliers or contractors.
b) Keep control of contributions made to the social security system by contractors.
c) Conduct evaluations and selection of potential suppliers.
d) Compliance with tax and legal aspects with public and regulatory entities.
e) Control and payments for goods and services received.
f) Qualitative and quantitative evaluations of the levels of service received from suppliers.
g) Process of control and accounting record of the obligations contracted with suppliers and contractors.
h) Sending invitations to contract and carrying out the steps for the pre-contractual, contractual and post-contractual stages.
i) Any others specifically established in the authorizations granted by the suppliers themselves.
ARANDA SOFTWARE ANDINA S.A.S. will only collect from its suppliers and contractors the data that are necessary, relevant and not excessive for the purpose of selection, evaluation and execution of the contract. The collection of personal data of employees of suppliers by ARANDA SOFTWARE ANDINA S.A.S. will have in any case the purpose of verifying the suitability and competence of employees; that is, once this requirement is verified, ARANDA SOFTWARE ANDINA S.A.S. will return such information to the supplier, unless expressly authorized its conservation.
In any case, the information will not be processed for a period longer than the duration of the relationship of the Supplier and contractors with the company, and the additional time required according to legal or contractual circumstances that make it necessary to handle the information.
9.5 Processing of Personal Data of Prospective Clients
ARANDA SOFTWARE ANDINA S.A.S. collects the personal data of its shareholders, stores them in a database which is classified by the company as confidential, and will only be disclosed by the company with the express authorization of the owner or when requested by a Competent Authority.
The purposes for which the personal data of the Shareholders are used will be:
a) Allow the exercise of the duties and rights derived from the quality of shareholder.
b) Allow the sending of invitations to events scheduled by the company.
c) Issue certifications regarding the relationship of the Holder with the company.
d) Comply with the precepts and regulations established in the Code of Commerce and other applicable regulations.
e) To summon or invite him/her to the different ordinary and extraordinary meetings of corporate nature to which he/she must attend due to his/her
capacity as shareholder and in accordance with the provisions of the Bylaws of the organization.
f) To share identification information with third parties, in order to comply with the obligations of the ML/FT risk management systems.
In any case, the information will not be processed for a period exceeding the time of existence of the company, and the additional time required according to the legal or contractual circumstances that make it necessary to handle the information.
9.6 Processing of Visitors' personal data at the Entrance Control:
ARANDA SOFTWARE ANDINA S.A.S., collects personal data of its visitors through forms and surveys that may include sensitive personal data such as temperature or health status of third parties in compliance with the Company's biosecurity protocols. This information is stored in a database which is classified by the entity as confidential, and will only be disclosed by the Company with the express authorization of the owner or when requested by a Competent Authority.
The purposes for which the personal data of those who enter the facilities of ARANDA SOFTWARE ANDINA S.A.S.are used will be:
a) Ensure entry to the Company's facilities to people who have the authorization of free transit and restrict the passage to those who are not authorized.
b) Ensure safety in the monitored environments.
c) Allow adequate working environments for the safe development of activities within the Company.
d) Comply with the obligations stipulated in the Occupational Health and Safety Management System.
e) Comply with the biosafety protocols implemented by the Company.
In any case, the information will not be processed for a period of more than one (1) year from its collection, according to the legal or contractual circumstances that make necessary the handling of the information.
9.7 Processing of personal data of website users:
ARANDA SOFTWARE ANDINA S.A.S. collects personal data from interested third parties through its website and stores them in a database which is classified by the company as confidential, and will only be disclosed with the express authorization of the owner or when requested by a Competent Authority.
The purposes for which personal data contained in ARANDA SOFTWARE ANDINA S.A.S. website are used will be:
a) Allow communication with customers or third parties through the contact us section.
b) Publish events or news of interest.
c) Receive and process complaints and claims from third parties.
d) Legal, accounting, administrative, commercial, promotional, informational, marketing and sales purposes.
e) Carry out promotional, marketing and advertising campaigns
f) Publicize the company's portfolio of services.
In any case, the information will not be processed for a period longer than the period agreed with the third party or user through a contract or authorization to use their personal data counted from its collection in accordance with the legal or contractual circumstances that make necessary the handling of the information.
9.8 Trocessing of personal data from the Video Surveillance Record
ARANDA SOFTWARE ANDINA S.A.S. collects biometric data of its employees and visitors through its Surveillance Cameras and stores them in a database which is classified by the company as confidential, and will only be disclosed with the express authorization of the owner or when requested by a Competent Authority.
The purposes for which the personal data contained in the Surveillance Cameras are used are the following ARANDA SOFTWARE ANDINA S.A.S. will be:
a) Ensure safety in work environments.
b) Provide adequate work environments for the safe development of the company's work activities.
c) Control the entry, stay and exit of employees and contractors in the company's facilities.
In order to comply with the duty of information that corresponds to ARANDA SOFTWARE ANDINA S.A.S. as administrator of personal data, the company will implement Privacy Notices in the areas where the capture of images involving the processing of personal data is performed.
In any case, the information will not be processed for a period longer than 30 days from its collection in accordance with the legal or contractual circumstances that make it necessary to handle the information.
9.9 Processing of personal data of SENA Apprentices:
ARANDA SOFTWARE ANDINA S.A.S. collects biometric data of its employees and stores them in a database which is classified by the company as confidential, and will only be disclosed with the express authorization of the owner or when requested by a Competent Authority.
The purposes for which the personal data contained in the Surveillance Cameras are used are the following ARANDA SOFTWARE ANDINA S.A.S. will be:
a) Ensure safety in work environments.
b) Allow access only to authorized personnel.
c) Control the entry, stay and exit of employees in the company's facilities.
In any case, the information will not be processed for a period longer than the duration of the employment relationship with the employee.
9.10 Processing of personal data of Prospective Clients:
ARANDA SOFTWARE ANDINA S.A.S. has a record of Prospective Customers, whose information has been collected by the Company with the express authorization of the Holder through events or through the completion of requests for quotations by them.
ARANDA SOFTWARE ANDINA S.A.S. stores such information in a database which is classified by the company as confidential, and will only be disclosed with the express authorization of the holder or when a CompetentAuthority requests it.
The purposes for which the personal data of Prospects of Clients of ARANDA SOFTWARE ANDINA S.A.S. will be:
a) To send invitations to events scheduled by the company.
b) To send information on projects offered by the company to interested persons.
c) To verify compliance with the requirements established by the Company to access a project, agreement or contract.
d) To carry out commercial prospecting activities and marketing operations.
e) To process queries, complaints or claims submitted by the owners.
f) To make management reports and internal statistics.
g) To ensure the exercise of their right of Habeas Data (queries, complaints and claims about updating, correction, deletion or elimination of data).
In any case, the information will not be processed for a period longer than the one agreed with the prospect through an authorization to use his personal data counted from its collection in accordance with the legal or contractual circumstances that make necessary the handling of the information.
In any case, the information will not be processed for a period longer than the one established through the authorization granted by the prospect to use his personal data counted from its collection in accordance with the legal or contractual circumstances that make necessary the handling of the information.
9.10 Trocessing of personal data of candidates or applicants for selection processes:
ARANDA SOFTWARE ANDINA S.A.S. collects the personal data of the candidates or applicants of the selection processes carried out by the Company and stores them in a database which is classified as confidential, and will only be disclosed with the express authorization of the owner or when requested by a Competent Authority.
The purposes for which the personal data of the applicants of the selection processes carried out by ARANDA SOFTWARE ANDINA S.A.S. are used will be:
a) Internal and external administrative management for the transparent execution of the personnel selection process.
b) Sending communications programmed by the Company to carry out different selection tests.
c) Corroborate any requirement that may arise in the development of the selection process.
d) Verification of labor, academic and personal references of the applicant.
e) To advance the general hiring process of the selected personnel.
f) Conduct security studies and home visits.
All personal data provided by the applicant or applicant will become part of a "Talent Bank", which the Company, as Responsible, may use for current and future selection processes in which the applicant's profile is suitable. The databases where this information is stored have the necessary security measures to guarantee the total security of the data provided during the selection process. In any case, the information will not be processed for a period longer than that authorized by the applicant and the additional time required according to the legal or contractual circumstances that make it necessary to handle the information.
The personal data provided by the holders previously listed in this Personal Data Processing Policy of ARANDA SOFTWARE ANDINA S.A.S. will be kept as long as:
a) A legal or contractual relationship is maintained with the Holder of the information.
b) The personal data provided will be kept as long as their deletion is not requested by the interested party and as long as there is no legal duty to keep them.
c) The personal data provided will be kept for a period of two (2) years from the last confirmation of interest from the Holder. That is, of the intention of the holder to continue receiving information, products or services from ARANDA SOFTWARE ANDINA S.A.S.
d) The personal data that rest in different books and papers of the company as a merchant, will be kept for a period of ten (10) years from the date of the last entry, document or voucher.
Paragraph: Excluded from the time of conservation of the data stipulated in item C, is that information whose content stipulates a term longer than the one indicated, in accordance with a legal mandate or an order issued by a competent authority.
In compliance with the provisions of the Regulatory Decrees that regulate the content of the Personal Data Processing Policies, we inform the Data Controllers that their information may be used, stored and preserved in electronic and physical media.
The storage of digital and physical information is carried out in media or environments that have adequate controls for data protection. This involves physical and computer, technological and environmental security controls in all areas of the company, both in its own facilities, computer centers and document storage sites.
In accordance with the principle of transparency, the Data Subjects have access at all times (upon written or verbal request) to the stored information, as well as, their successors who prove their quality, the representative and/or attorney-in-fact of the Data Subject, by a competent authority and by stipulation in favor of another or for another.
The purposes or purposes of its collection, storage, use and disposal are regulated in accordance with the provisions of Law 1581 of 2012, its regulatory decrees and this Policy.
Designation of the personal data protection officer: In order to ensure that the measures implemented by the organization to comply with the obligations established in the Statutory Law 1581 of 2012 are appropriate, effective and verifiable by the Owners of personal data or the Superintendence of Industry and Commerce in the exercise of their functions, the Senior Management of ARANDA SOFTWARE ANDINA S.A.S. appointed a person who currently assumes the role of PERSONAL DATA PROTECTION OFFICER (PPO) PERSONAL DATA PROTECTION OFFICER (PPO), which is duly reported in the RNBD application.
This DPO will be responsible for supervising the observance and compliance of the Data Protection Regime by the Responsible and Responsible Persons of ARANDA SOFTWARE ANDINA S.A.S.with a risk-based approach .Likewise, he/she will be the communication bridge with the Control Entity.
In any case, in order to ensure that the company's DPO has adequate support in terms of financial resources, infrastructure and personnel, as needed, the Senior Management of the organization may outsource compliance with certain regulatory obligations to an external consulting firm with expertise in the field.
ARANDA SOFTWARE ANDINA S.A.S. currently does not perform international transmission or transfer of personal data. In the event that it decides to make the International Transfer of personal data, in addition to having the express and unequivocal authorization by the Holder, will ensure that the action provides adequate levels of data protection and meets the requirements set in Colombia by the Statutory Law 1581 of 2012 and its regulatory decrees.
On the other hand, when ARANDA SOFTWARE ANDINA S.A.S. decides to make international data transmission, it may do so without authorization of the owners, provided it ensures the security of information, confidentiality and the conditions governing the scope of data processing, in accordance with the provisions of Article 10 of Law 1581 of 2012.
ARANDA SOFTWARE ANDINA S.A.S. does not directly process personal data of minors; however, in particular, the Company collects and processes the personal data of the minor children of its employees, for the sole purpose of complying with the obligations imposed by law on employers in relation to affiliations to the social security and parafiscal system, as well as compliance with the family day (Law 1857 of 2017), and in particular to allow the enjoyment of the fundamental rights of children to health, recreation and the right to family.
In any case, ARANDA SOFTWARE ANDINA S.A.S. will collect when appropriate the respective authorization to their legal representatives for their treatment, always bearing in mind the best interests of the child and respect for the prevailing rights of children and adolescents enshrined in Article 44 of the Political Constitution of Colombia.
In development of the principle of responsibility demonstrated against the processing of personal data and in order to ensure compliance with these policies by human resources and contractors of the organization, ARANDA SOFTWARE ANDINA S.A.S.develops annual training and awareness sessions on the protection of personal data and information security, leaving support for their attendance. In this regard, it is confirmed that the content of the training sessions is updated periodically and these can be carried out through external consultants who are experts in the field.
The Data Subject, its assignees, its representative and/or proxy, or whoever is determined by stipulation in favor of another; may exercise their rights by contacting us through written communication addressed to the administrative area in charge of the protection of personal data in the company. The communication may be sent to the following emailelectrónico:sandra.doncel@arandasoft.com or through written communication filed at the following address: Diagonal 97 # 17 - 60 Office 702 Bogotá D.C.
a. Consultations
The personal information of the Holder contained in the databases of ARANDA SOFTWARE ANDINA S.A.S. may be consulted and the company will be responsible for providing all the information contained in the individual record or that is linked to the identification of the applicant.
The consultation once received by the company will be answered within a maximum term of ten (10) working days . ten (10) working days from the date of receipt thereof. When it is not possible to attend the consultation within such term, the interested party will be informed, stating the reasons for the delay and indicating the new date on which the consultation will be attended, which in no case may exceed the following five (5) working days. (5) working days following following the expiration of the first term.
b. Claims
When it is considered that the information contained in a database of ARANDA SOFTWARE ANDINA S.A.S. should be corrected, updated or deleted, or when the alleged breach of any of the duties contained in the Law of Habeas Data is noticed , you can file a claim to ARANDA SOFTWARE ANDINA S.A.S which will be processed under the following rules:
1. The claim shall be formulated by means of a written communication addressed to ARANDA SOFTWARE ANDINA S.A.S with the identification of the Holder, the description of the facts that give rise to the claim, the address, and accompanying the documents you want to assert.
If the claim is incomplete, the interested party will be requested within five (5) days. five (5) days following the receipt of the claim in order to correct the faults. After two (2) months from the date of the request, without the applicant submitting the required information, it will be understood that the claim has been abandoned .
In the event that ARANDA SOFTWARE ANDINA S.A.S.receives a Claim of which it is not competent to solve it, the company will transfer it to the person who effectively corresponds in a maximum term of two (2) working days. two (2) working days and inform the Holder.
2. Once the completed claim has been received, the company will include in the respective database a legend that reads. "claim in process" and the reason for the claim and the reason for the claim, within a term no longer than two (2) business days. two (2) working days. The company will keep such legend in the data under discussion until the claim is decided.
3. The maximum term to attend to the claim will be fifteen (15) working days. fifteen (15) working days from the day following the date of its receipt. When it is not possible to address the claim within such term, the company will inform the Holder the reasons for the delay and the new date on which the claim will be addressed, which in no case may exceed eight (8) businessdays . eight (8) working days following the expiration of the first term.
Requests submitted by the holder in order to make a query or complaint about the use and handling of their personal data must contain minimum specifications, in order to provide the holder with a clear and consistentresponse to the request. The requirements of the request are:
a) Be addressed to ARANDA SOFTWARE ANDINA S.A.S.
b) Contain the identification of the Holder (Name and Identification Document ).
c) Contain a description of the facts that motivate the consultation or complaint.
d) The object of the petition.
e) Indicate the Holder's notification address, physical and/or electronic (email).
f) Attach the documents you wish to assert (especially for claims).
In the event that the consultation or claim is submitted in person, the Holder must submit the request or claim in writing, without any formality other than the requirements set forth in the previous point.
12.3 Procedural requirement
The Holder, his assignees, his representative and/or proxy, or whoever is determined by stipulation in favor of another; may only file a complaint before the Superintendence of Industry and Commerce for the exercise of his rights once he has exhausted the process of Consultation or Claim directly before the Company.
12.4 Request for update and/or rectification
ARANDA SOFTWARE ANDINA S.A.S. will rectify and update, at the request of the holder, the information that is inaccurate or incomplete, according to the procedure and the terms indicated above, for which the Holder must submit the request according to the channels provided by the company, indicating the update and rectification of the data and in turn must provide documentation to support such request.
17. Revocation of Authorization and/or Deletion of Data
The Data Subject may revoke at any time the consent or authorization given for the processing of his/her personal data, as long as there is no impediment enshrined in a legal or contractual provision.
Likewise, the Data Subject has the right to request at any time to ARANDA SOFTWARE ANDINA S.A.S. the suppression or elimination of his personal data when:
a) Consider that they are not being treated in accordance with the principles, duties and obligations set forth in the regulations in force.
b) Are no longer necessary or pertinent for the purpose for which they were obtained.
c) The time necessary for the fulfillment of the purposes for which they were obtained has elapsed.
Such deletion implies the total or partial elimination of personal information, as requested by the holder in the records, files, databases or treatments carried out by ARANDA SOFTWARE ANDINA S.A.S. The right of cancellation is not absolute and therefore ARANDA SOFTWARE ANDINA S.A.S. may deny revocation of authorization or elimination of the
personal data in the following cases:
a) The owner has a legal or contractual duty to remain in the database.
b) The deletion of data hinders judicial or administrative proceedings related to tax obligations, the investigation and
prosecution of crimes or the updating of administrative sanctions.
c) The data are necessary to protect the legally protected interests of the holder; to carry out an action in the public interest, or to comply with an obligation legally acquired by the holder.
ARANDA SOFTWARE ANDINA S.A.S. reserves the right to modify the Policy of Treatment and Protection of Personal Data at any time. However, any modification will be communicated in a timely manner to the holders of personal data through the usual means of contact and in advance of its entry into force.
In the event that a Data Subject does not agree with the new General or Special Policy and with valid reasons that constitute just cause for not continuing with the authorization for the processing of personal data, the Data Subject may request the company to withdraw his/her information through the channels indicated in Chapter 16. However, Data Subjects may not request the withdrawal of their personal data when the company has a legal or contractual duty to process the data.
This Policy is effective as of April 01, 2024.