Skip to content

Privacy notice and data processing policy

GENERAL CONSIDERATIONS

Article 15 of the Constitution of the Republic of Colombia establishes the right of any person to know, update and rectify the personal data that exists about him/her in data banks or files of public or private entities. Likewise, it orders those who have personal data of third parties to respect the rights and guarantees provided in the Constitution when such information is collected, processed and circulated.

Likewise, Article 21 guarantees the right to honor and provides that the law shall establish the form of its protection, therefore, in observance of the constitutional norms considered as Fundamental Rights.

Statutory Law 1581 of October 17, 2012 establishes the minimum conditions for the legitimate processing of personal data of customers, employees and any other natural person. Both paragraphs k) of article 17 and f) of article 18 of this law obliges those responsible and in charge of the processing of personal data to "adopt an internal manual of policies and procedures to ensure proper compliance with this law and especially for the attention of inquiries and complaints".

Article 25 of the same law mandates that data processing policies are mandatory and that failure to comply with them will result in sanctions. Such policies cannot guarantee a lower level of treatment than that established in law 1581 of 2012.

Chapter III of Decree 1377 of June 27, 2013 regulates some aspects related to the content and requirements of the Information Treatment Policies and Privacy Notices.

ARANDA SOFTWARE ANDINA S.A.S. is committed to respecting the rights of its employees and third parties in general. Therefore, it adopts the following policy of treatment of personal data of mandatory application in all activities involving the processing of personal data.

MANDATORY

These policies are of mandatory and strict compliance by all employees of the organization in Colombia, as well as for contractors, suppliers, contractors and third parties who work on behalf of ARANDA SOFTWARE ANDINA S.A.S. therefore must observe and respect these policies in the performance of their duties and activities entrusted or delegated in which the processing of Personal Data is involved.

Failure to comply with them shall give rise to labor sanctions or contractual liability, as the case may be. The above without prejudice to the duty of the employees or those who act on behalf of ARANDA SOFTWARE ANDINA S.A.S.

S.A.S. to respond patrimonially for the damages caused to the owners of the data or to ARANDA SOFTWARE ANDINA S.A.S. for the breach of these policies or the improper processing of personal data.

Taking into account all of the above, in compliance with the provisions of the Statutory Law 1581 of 2012 and its Regulatory Decrees, the
recommendations on Data Protection by the OECD and the OAS, the Company establishes this General Policy, which in turn includes the Special policies applicable to the Processing and Protection of Personal Data in the organization.

1. IDENTIFICATION OF THE PERSON RESPONSIBLE:

ARANDA SOFTWARE ANDINA S.A.S. commercial company identified with NIT 830.099.766-1 is constituted as a Colombian company, whose corporate purpose is to provide development services, production and marketing of software projects.

● PHYSICAL ADDRESS: Diagonal 97 # 17 - 60 Office 702 Bogotá D.C.

● WEBSITE: www.arandasoft.com

● PHONE: +57 (1) 7563000

● EMAIL: protecciondedatos@arandasoft.com

2. OBJECTIVE

This Policy establishes the general guidelines for the protection and processing of personal data within the company, thus strengthening the level of trust between the Controller and the Data Controllers in relation to the processing of their information; informing the Data Controllers of the purposes and transfers to which their personal data are submitted and the mechanisms and forms for the exercise of their rights.

3. SCOPE

This Personal Data Processing and Protection Policy shall be applied to all databases and/or files containing personal data that are processed by ARANDA SOFTWARE ANDINA S.A.S., as the party responsible for the processing of personal data.

This policy constitutes version 3.0 of the company's personal data processing policy, based on the database update process carried out by the company in compliance with External Circular 003 of 2018, i.e. the update that every company must carry out of its databases between January 2nd and March 31st of each year to
from 2020.

4. DEFINITIONS

Habeas Data: The right of every person to know, update and rectify the information that has been collected about him/her in files and data banks of a public or private nature.

Personal data: Any information linked or that can be associated to one or more determined or determinable natural person(s).

Database: Organized set of personal data that is the subject of processing.

Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.

Authorization: Prior, express and informed consent of the Data Subject to carry out the processing of personal data.

Privacy Notice: It is the physical, electronic document or in any other known or to be known format, which is made available to the Data Subject in order to inform about the processing of their personal data.

Data Subject: Natural person whose personal data is the subject of processing.

Causee: A person who by succession or transmission acquires the rights of another person.

Data Controller: Natural or legal person, public or private, that by itself or in association with others, decides on the database and/or the processing of the data.

Data Processor: Natural or legal person, public or private, that by itself or in association with others, performs the processing of personal data on behalf of the Data Controller.

5. GUIDING PRINCIPLES APPLICABLE TO PERSONAL DATA

The following guiding principles shall apply to the protection of personal data:

a) Principle of legality in data processing: The processing referred to in the Habeas Data Law is a regulated activity that must be subject to the provisions set forth therein and in the other provisions that develop it.

b) Principle of purpose: The processing must obey a legitimate purpose in accordance with the Constitution and the law, which must be informed to the Data Subject.

c) Principle of freedom: Processing may only be exercised with the prior, express and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of legal or judicial mandate that relieves the consent.

d) Principle of truthfulness or quality: The information subject to processing must be truthful, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fractioned or misleading data is prohibited.

e) Principle of transparency: In the processing, the right of the Data Subject to obtain from the Controller or Processor, at any time and without restriction, information about the existence of data concerning him/her must be guaranteed.

f) Principle of restricted access and circulation: The treatment is subject to the limits derived from the nature of the personal data, from the provisions of the law and the Constitution. In this sense, the processing may only be carried out by persons authorized by the Holder and/or by the persons provided by law.

Personal data, except for public information, may not be made available on the Internet or other means of mass dissemination or communication, unless access is technically controllable so as to provide restricted knowledge only to Data Subjects or authorised third parties in accordance with the law.

g) Principle of security: The information subject to processing by the Data Controller or Data Processor referred to in the Habeas Data Law, shall be handled with the technical, human and administrative measures necessary to provide security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.

h) Principle of confidentiality: All persons involved in the processing of personal data that are not of a public nature are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks involved in the processing, and may only supply or communicate personal data when this corresponds to the development of the activities authorized by law and under the terms of the same.

6. RIGHTS OF THE OWNERS

Personal data subjects shall enjoy the following rights, and those granted to them by law:

a) To know, update and rectify their personal data with respect to the data controller or data processors. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or data whose processing is expressly prohibited or has not been authorised;

b) Request proof of the authorisation granted to the Data Controller, except when expressly exempted as a requirement for the processing, in accordance with the provisions of Article 10 of the Law;

c) Be informed by the Controller or the Processor, upon request, of the use made of his or her personal data;

d) File complaints before the Superintendency of Industry and Commerce for infringements of the provisions of the law and other regulations that modify, add to or complement it;

e) To revoke the authorisation and/or request the deletion of the data when the processing does not respect the constitutional and legal principles, rights and guarantees. The revocation and/or deletion shall proceed when the Superintendency of Industry and Commerce has determined that the Controller or Processor has engaged in conduct contrary to the law and the Constitution;

f) Access free of charge to their personal data which have been processed.

7. AUTHORISATION OF THE HOLDER OF PERSONAL DATA

Notwithstanding the exceptions provided for in the Statutory Law 1581 of 2012, as a general rule in the processing of personal data, ARANDA SOFTWARE ANDINA S.A.S.will collect the prior and informed authorization of the Data Subject, which may be obtained by any means that may be subject to subsequent consultation.

7.1 Events for which authorisation is not required

Authorisation by the Data Controller is not required in the case of:

(a) Information required by a public or administrative body in the exercise of its legal functions or by court order;

(b) Data of a public nature;

(c) cases of medical or health emergencies;

(d) processing of information authorised by law for historical, statistical or scientific purposes;

e) Data related to the Civil Registry of Persons.

8. DUTIES OF ARANDA SOFTWARE ANDINA S.A.S. AS THE PARTY RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA

ARANDA SOFTWARE ANDINA S.A.S. as responsible for the processing of personal data, shall comply with the following duties:

a) Guarantee the Data Subject, at all times, the full and effective exercise of the right to habeas data.

b) Request and keep, under the conditions provided for by law, a copy of the respective authorisation granted by the Data Controller.

c) Duly inform the Data Subject about the purpose of the collection and the rights he/she is entitled to by virtue of the authorisation granted.

d) Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, unauthorised or fraudulent use or access.

(e) ensure that the information provided to the Data Controller is true, complete, accurate, up to date, verifiable and comprehensible.

f) Update the information, communicating in a timely manner to the Data Processor, all new developments with respect to the data previously provided and adopt the other necessary measures to ensure that the information provided to the Data Processor is kept up to date.

g) Rectify the information when it is incorrect and communicate the relevant information to the Data Controller.

h) To provide to the processor, as the case may be, only data the processing of which has been previously authorised in accordance with the provisions of this law.

i) Demand that the Data Controller at all times respect the conditions of security and privacy of the Data Subject's information.

j) To process queries and claims formulated under the terms set out in Statutory Law 1581 of 2012.

k) Adopt an internal manual of policies and procedures to ensure adequate compliance with the law and, in particular, to deal with queries and complaints.

l) Inform the Data Controller when certain information is under discussion by the Data Subject, once the complaint has been filed and the respective process has not been completed.

m) Informing the Data Subject, at his request, about the use given to his data

n) Inform the data protection authority when there are violations of the security codes and there are risks in the administration of data subjects' information.

o) Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

9. SPECIFIC POLICIES FOR THE PROCESSING OF PERSONAL DATA.

9.1 Processing of Employees' personal data

ARANDA SOFTWARE ANDINA S.A.S. collects the personal data of its Employees which are classified by the company as confidential, and will only be disclosed by the company with the express authorization of the owner or when requested by a Competent Authority.

The purposes for which the personal data of the company's employees are used will be:

a) To comply with the obligations imposed on employers by Colombian labour law, or with orders issued by the competent Colombian or foreign authorities.

(b) issue certifications concerning the relationship of the data subject with the Undertaking.

c) Comply with the obligations imposed on the company as an employer, in relation to Occupational Safety and Health regulations, and the so-called Occupational Safety and Health Management System (OSHMS).

d) To manage the functions carried out by the workers.

e) Execute the different stages of the Company's disciplinary processes and consult memos, warnings or any type of sanction imposed on employees.

f) Contacting family members in case of emergency.

(g) Payroll management and control

(h) Controlling workers' hours and overtime worked.

(i) Keeping a record of incapacity, absences, leave and holidays of workers.

(j) Keeping a record of training given to workers

(k) store your personal data, including biometric data on its website in support of the activities carried out.

l) Comply with the biosecurity protocols applicable to the Company in accordance with the provisions issued by the National Government.

(m) carry out control, monitoring and evaluation of workers.

n) Take images and photographs necessary for the recognition of the worker, control of compliance and collection of evidence of the services performed.

o) Additionally, biometric data of employees are used for commercial purposes related to the Company's corporate purpose.

p) Communicate information on employees to third parties with which the Company maintains a contractual relationship, partners or consortiums and clients to the extent necessary to comply with the protocol of the third parties, for the sole purpose of enabling them to manage the control and coordination of the personnel who effectively provide the services arising from the professional relationship, as well as to enable compliance with legal, tax and social security obligations.

q) Communicating workers' identification data to travel agencies, transport companies, hotels and other entities for the management of reservations and settlement of expenses incurred.

r) To carry out international transfer or transmission of data to countries that provide similar protection to Colombia.

s) provision of the information to third parties in charge of evaluation, training, certification and other processes required in the development of the contractual relationship.

t) Verify, compare, evaluate the work and personal competencies of employees.

u) Sending information to compensation funds, AFP, ARL, insurance companies, among others.

v) Initiate internal investigations based on complaints filed by active and non-active employees, third parties or the employees themselves.

w) Handling of complaints against workers for harassment at work or violation of codes of conduct.

ARANDA SOFTWARE ANDINA S.A.S. stores the personal data of its employees, including those that have been obtained in the development of the selection process, and keeps them in a folder identified with the name of each of them.

This folder will only have access and will be treated by the Human Resources Area and the Administrative Area with the purpose of managing the contractual relationship between the ARANDA SOFTWARE ANDINA S.A.S. and the employee.

ARANDA SOFTWARE ANDINA S.A.S. treats sensitive personal data of its employees such as the data of their minor children for the sole purpose of registering them as beneficiaries of the social security system and parafiscal. For the purposes of this treatment the respective authorization is collected, which in any case will be express and optional, clearly indicating the Sensitive Personal Data subject to treatment and the purpose of it.

Likewise, it will have high security systems for the handling of those sensitive data and its reserve, in the understanding that such sensitive data will only be used by ARANDA SOFTWARE ANDINA S.A.S. for the aforementioned purposes.

Termination of the labor relationship, ARANDA SOFTWARE ANDINA S.A.S. will proceed to store all personal data obtained from the selection process and the documentation generated in the development of the employment relationship, in a central file with restricted access, subjecting the information at all times to appropriate security measures and levels of security, since the labor information may contain sensitive data.

In any case, the information will not be processed for a period exceeding twenty (20) years from the termination of the employment relationship, or in accordance with the legal or contractual circumstances that make it necessary to handle the information.

Finally, in accordance with the stipulations of the External Circular 008 of 2020 of the Superintendence of Industry and Commerce, the data collected to comply with the biosecurity protocols will only be used for the purposes indicated by the Ministry of Health and Social Protection, and will only be stored for the reasonable and necessary time to comply with such protocols. Once the purpose of the Personal Data Processing has been fulfilled, the Company will automatically delete the data collected.

9.2 Processing of Trainees' personal data:

ARANDA SOFTWARE ANDINA S.A.S. collects the personal data of its trainees and stores them in a database which is classified by the company as confidential, and will only be disclosed with the express authorization of the owner or when requested by a Competent Authority.

The purposes for which are used the personal data of the trainees of the ARANDA SOFTWARE ANDINA S.A.S. will be:

a) To comply with the obligations imposed by Colombian labour law on employers, in particular with the provisions of Law 789 of 2002 and its Regulatory Decrees.

b) Issue certifications regarding the data subject's relationship with the company.

c) To corroborate any requirement that may arise in the course of the apprenticeship placement process.

d) Comply with the obligations imposed on the company as an employer, in relation to Occupational Safety and Health regulations, and the so-called Occupational Safety and Health Management System (OSHMS).

e) To manage the functions performed by the trainees.

f) to monitor the development of the trainees in the teaching and practical phase.

g) Contacting relatives in case of emergency.

In any case, the information will not be processed for a period longer than the duration of the applicant's relationship with the company, which in no case may exceed two (2) years, and the additional time required in accordance with the legal or contractual circumstances that make it necessary to handle the information.

9.3 Processing of personal customer data:

ARANDA SOFTWARE ANDINA S.A.S. collects the personal data of its customers and stores them in a database which is classified by the Company as confidential, and will only be disclosed with the express authorization of the owner or when requested by a Competent Authority.

The purposes for which are used the personal data of customers of ARANDA SOFTWARE ANDINA S.A.S. CUSTOMERS. will be:

a) Process of control and accounting registration of the obligations contracted with clients.

b) Compliance with tax and legal aspects before public and regulatory entities.

c) Fulfilment of contractual obligations, whereby the information may be transferred to third parties, such as financial institutions, third party partners, notaries, lawyers, etc.

d) Compliance with judicial decisions and administrative, legal, fiscal and regulatory provisions.

e) Transmission of information and personal data in audit processes.

(f) Administrative management for the execution of the pre-contractual, contractual and post-contractual stages.

g) Creation of the client in the Company's platforms or software.

h) Ensuring the provision of services for the development, production and marketing of software projects.

(i) Ensure compliance with their rights under Law 1581 of 2012.

j) To carry out commercial prospecting and marketing activities.

k) Evaluate customer service and conduct satisfaction surveys.

l) Share the information with third party allies that collaborate with the company, considering that for the fulfilment of their duties they must have access to some extent to the information, which will also be subject to the obligations of confidentiality, handling of information and protection of personal data to which this company is subject.

m) To process requests, complaints or claims established directly by the customer through the customer service channels.

n) Contact the client by physical and electronic means - email, SMS or chat to send information of interest or related to the contractual relationship, to invite him/her to trainings or to the portfolio of services.

o) Maintain business contact with the Company, even after the contractual relationship has ended.

p) Consult as a good business practice or legal obligation, clients' backgrounds in restrictive lists, OFAC, PEPS,
Clinton and UN lists, in order to prevent money laundering and financing of terrorism.

In any case, the information will not be processed for a period longer than the duration of the contractual relationship between the client and the Company, and the additional time required in accordance with the legal or contractual circumstances that make the handling of the information necessary.

9.3 Processing of personal data of Suppliers and Contractors

ARANDA SOFTWARE ANDINA S.A.S. collects personal data from its suppliers and contractors and stores them in a database which, although it consists mostly of public data, is classified by the company as confidential, and that, in the case of private data, will only be disclosed by the company with the express authorization of the owner or when requested by a Competent Authority.

The purposes for which are used the personal data of suppliers and contractors of ARANDA SOFTWARE ANDINA S.A.S. will be:

(a) Manage accounts receivable submitted by suppliers or contractors.

(b) Keeping a record of the contributions made to the social security system by contractors

c) Carrying out evaluations and selection of potential suppliers.

d) Compliance with tax and legal aspects with public and regulatory entities.

e) Control and payments for goods and services received.

f) Qualitative and quantitative assessments of the levels of service received from suppliers.

(g) Control and accounting process for obligations to suppliers and contractors.

h) Sending invitations to contract and making arrangements for the pre-contractual, contractual and post-contractual stages.

i) Others specifically set out in the authorisations granted by the suppliers themselves.

ARANDA SOFTWARE ANDINA S.A.S. will only collect from its suppliers and contractors the data that are necessary, relevant and not excessive for the purpose of selection, evaluation and execution of the contract.

The collection of the personal data of employees of suppliers by ARANDA SOFTWARE ANDINA S.A.S. will have in any case the purpose of verifying the suitability and competence of employees, ie, once verified this requirement, ARANDA SOFTWARE ANDINA S.A.S. will return such information to the Supplier, except when its conservation is expressly authorized.

In any case, the information will not be processed for a period longer than the duration of the relationship of the Supplier and contractors with the company, and the additional time required in accordance with the legal or contractual circumstances that make the handling of the information necessary.

9.4 Processing of personal data of shareholders

ARANDA SOFTWARE ANDINA S.A.S. collects the personal data of its shareholders and stores them in a database which is classified by the company as confidential, and that will only be disclosed by the company with the express authorization of the owner or when a Competent Authority requests it.

The purposes for which the personal data of the Shareholders are used will be:

a) Enable the exercise of the duties and rights deriving from the status of shareholder

b) To allow the sending of invitations to events scheduled by the company.

c) Issue certifications regarding the relationship of the Registrant with the company.

d) To comply with the precepts and regulations established in the Commercial Code and other applicable regulations.

e) To summon or invite him to the various meetings of a corporate nature which he must attend in his capacity as shareholder.

In any case, the information shall not be processed for a period longer than the duration of the company's existence, and such additional time as may be required in accordance with the legal or contractual circumstances that make it necessary to handle the information.

9.5 Processing of Visitors' personal data at the Entry Control:

ARANDA SOFTWARE ANDINA S.A.S. collects personal data of its visitors through forms and surveys that may include sensitive personal data such as temperature or health status of third parties in compliance with the Company's biosecurity protocols. This information is stored in a database which is classified by the entity as confidential, and will only be disclosed by the Company with the express authorisation of the owner or when requested by a Competent Authority.

The purposes for which are used the personal data of those who enter the facilities of ARANDA SOFTWARE ANDINA S.A.S. will be:

a) Ensure entry to the Company's premises to persons who are authorised to enter freely and restrict passage to those who are not authorised.

b) To ensure security in the monitored environments.

c) To provide suitable working environments for the safe performance of activities within the Company.

d) To comply with the obligations stipulated in the Occupational Health and Safety Management System.

(e) comply with the biosecurity protocols implemented by the Company.

In any case, the information will not be processed for a period of more than one (1) year from its collection in accordance with the legal or contractual circumstances that make it necessary to handle the information.

In accordance with the provisions of External Circular 008 of 2020 of the Superintendence of Industry and Commerce, the data collected to comply with the biosecurity protocols will only be used for the purposes indicated by the Ministry of Health and Social Protection, and will only be stored for the reasonable and necessary time to comply with such protocols. Once the purpose of the Personal Data Processing has been fulfilled, the Company will automatically delete the data collected.

9.6 Processing of personal data on the Website

ARANDA SOFTWARE ANDINA S.A.S. collects personal data from interested third parties through its website and stores them in a database which is classified by the company as confidential, and will only be disclosed with the express authorization of the owner or when requested by a Competent Authority.

The purposes for which are used the personal data contained in the website of ARANDA SOFTWARE ANDINA S.A.S. WEBSITE. will be:

a) Enable communication with customers or third parties through the contact us section.

b) To publish events or news of interest.

c) Receive and process complaints and claims from third parties.

d) Legal, accounting, administrative, commercial, promotional, informational, marketing and sales purposes.

e) Carrying out promotion, marketing, advertising and publicity campaigns.

f) Publicise the company's portfolio of services.

In any case, the information will not be processed for a period longer than that agreed with the third party or user through a contract or authorisation to use their personal data counted from its collection in accordance with the legal or contractual circumstances that make the handling of the information necessary.

9.7 Processing of personal data from Video Surveillance Registration

ARANDA SOFTWARE ANDINA S.A.S. collects biometric data of its employees and visitors through its Surveillance Cameras and stores them in a database which is classified by the company as confidential, and will only be disclosed with the express authorization of the owner or when requested by a Competent Authority.

The purposes for which are used the personal data contained in the Surveillance Cameras of ARANDA SOFTWARE ANDINA S.A.S. will be:

a) Ensuring safe working environments.

b) To provide suitable working environments for the safe conduct of the company's work activities.

c) Control the entry, stay and exit of employees and contractors on company premises.

In order to comply with the duty of information that corresponds to ARANDA SOFTWARE ANDINA S.A.S. as administrator of personal data, the company will implement Privacy Notices in the areas where the capture of images involving the processing of personal data is performed.

In any case, the information will not be processed for a period of more than 30 days from its collection in accordance with the legal or contractual circumstances that make it necessary to handle the information.

9.8 Processing of Biometric Control personal data

ARANDA SOFTWARE ANDINA S.A.S. collects biometric data of its employees and stores them in a database which is classified by the company as confidential, and will only be disclosed with the express authorization of the owner or when requested by a Competent Authority.

The purposes for which are used the personal data contained in the Surveillance Cameras of ARANDA SOFTWARE ANDINA S.A.S. will be:

a) Ensuring safe working environments.

b) Allow access only to authorised personnel.

c) Control the entry, stay and exit of employees on company premises.

In any case, the information shall not be processed for a period longer than the duration of the employment relationship with the employee.

9.9 Processing of personal data of Prospective Clients:

ARANDA SOFTWARE ANDINA S.A.S. has a record of Prospective Customers, whose information has been collected by the Company with the express authorization of the Holder through events or through the completion of requests for quotations by them. ARANDA SOFTWARE ANDINA S.A.S. stores this information in a database which is classified by the company as confidential, and will only be disclosed with the express authorization of the holder or when requested by a Competent Authority.

The purposes for which are used the personal data of the Prospects of Clients of ARANDA SOFTWARE ANDINA S.A.S. will be:

a) Sending invitations to events scheduled by the company.

b) Send information on projects offered by the company to interested persons.

c) Verify compliance with the requirements established by the Company to access a project, agreement or contract.

d) To carry out commercial prospecting and marketing operations.

e) To process queries, complaints or claims submitted by data subjects.

f) To produce management reports and internal statistics.

g) Guarantee the exercise of their right to Habeas Data (queries, complaints and claims about updating, correction, suppression or deletion of data).

In any case, the information shall not be processed for a period longer than that agreed with the prospect through an authorisation to use his or her personal data counted from the time of its collection in accordance with the legal or contractual circumstances that make the handling of the information necessary.

9.10 Processing of personal data of candidates or applicants in selection processes:

ARANDA SOFTWARE ANDINA S.A.S. collects personal data of candidates or applicants of the selection processes carried out by the Company and stores them in a database which is classified as confidential, and will only be disclosed with the express authorization of the owner or when requested by a Competent Authority.

The purposes for which are used the personal data of the applicants of the selection processes carried out by ARANDA SOFTWARE ANDINA S.A.S. will be:

(a) Carrying out internal and external administrative management for the transparent implementation of the staff selection process.

b) Sending of communications programmed by the Company to carry out different selection tests.

c) To corroborate any requirement that may arise in the course of the selection process.

d) Verification of the applicant's employment, academic and personal references.

(e) To carry out the overall recruitment process for selected staff.

f) Conduct security surveys and home visits.

All personal data provided by the applicant or applicant will become part of a "Talent Bank", which the Company, as the Responsible Party, may use for current and future selection processes in which the applicant's profile is suitable. The databases where this information is stored have the necessary security measures to guarantee the total security of the data supplied during the selection process. In any case, the information will not be processed for a period longer than that authorised by the applicant and for such additional time as may be required in accordance with the legal or contractual circumstances that make it necessary to handle the information.

10. INTERNATIONAL TRANSFER AND TRANSMISSION OF PERSONAL DATA

ARANDA SOFTWARE ANDINA S.A.S. currently does not perform international transmission or transfer of personal data. In the event that it decides to make the International Transfer of personal data, in addition to having the express and unequivocal authorization by the Holder, it will ensure that the action provides adequate levels of data protection and meets the requirements set in Colombia by the Statutory Law 1581 of 2012 and its regulatory decrees.

On the other hand, when ARANDA SOFTWARE ANDINA S.A.S. decides to perform International Transmission of data, it may do so without the authorization of the owners, provided it ensures the security of information, confidentiality and the conditions governing the scope of data processing, in accordance with the provisions of Article 10 of Law 1581 of 2012.

11. DATA ON CHILDREN AND ADOLESCENTS

ARANDA SOFTWARE ANDINA S.A.S. does not directly process personal data of minors; however, in particular, the Company collects and processes the personal data of the minor children of its employees, with the sole purpose of complying with the obligations imposed by law on employers in relation to affiliations to the social security and parafiscal system, as well as compliance with the family day (Law 1857 of 2017), and in particular to allow the enjoyment of the fundamental rights of children to health, recreation and the right to family.

In any case, ARANDA SOFTWARE ANDINA S.A.S. will collect when appropriate the respective authorization to their legal representatives for their treatment, always bearing in mind the best interests of the child and respect for the prevailing rights of children and adolescents enshrined in Article 44 of the Political Constitution of Colombia.

12. PROCEDURE FOR DEALING WITH QUERIES, CLAIMS AND PETITIONS, AND MECHANISMS FOR EXERCISING THE RIGHTS OF THE OWNERS.

The Data Subject, its assignees, its representative and/or proxy, or whoever is determined by stipulation in favor of another; may exercise their rights by contacting us through written communication addressed to the administrative area in charge of the protection of personal data in the company. The communication may be sent to the following email:
sandra.doncel@arandasoft.com or through written communication filed at the following address: Diagonal 97 # 17 - 60 Office 702 Bogotá D.C.

12.1 Consultations

You can consult the personal information of the Holder that is in the databases of ARANDA SOFTWARE ANDINA S.A.S. and the company will be responsible for providing all the information contained in the individual record or that is linked to the identification of the applicant.

The consultation once received by the company will be answered within a maximum term of ten (10) business days from the date of receipt of the same.

When it is not possible to attend the consultation within such term, the interested party shall be informed, stating the reasons for the delay and indicating the new date on which such consultation will be attended, which in no case may exceed five (5) working days following the expiration of the first term.

12.2 Complaints

When it is considered that the information contained in a database of ARANDA SOFTWARE ANDINA S.A.S. should be corrected, updated or deleted, or when the alleged breach of any of the duties contained in the Law of Habeas Data is noticed, you may file a claim with ARANDA SOFTWARE ANDINA S.A.S. which will be processed under the following rules:

1. The claim shall be formulated by means of a written communication addressed to ARANDA SOFTWARE ANDINA S.A.S. with the identification of the Holder, the description of the facts that give rise to the claim, the address, and accompanying the documents you want to assert.

If the claim is incomplete, the interested party will be required within five (5) days of receipt of the claim to correct the faults. After two (2) months from the date of the requirement, without the applicant submitting the required information, it will be understood that the claim has been withdrawn.

In the event that ARANDA SOFTWARE ANDINA S.A.S. receives a Claim of which it is not competent to solve it, the company will transfer it to the person who effectively corresponds in a maximum term of two (2) working days and will inform the Holder.

2. Once the complete claim has been received, the company will include in the respective database a legend that reads "claim in process" and the reason for the claim, within a term no longer than two (2) business days. The company will keep such legend in the data under discussion until the claim is decided.

3. The maximum term to address the claim will be fifteen (15) working days from the day following the date of receipt. When it is not possible to address the claim within such term, the company will inform the Holder the reasons for the delay and the new date on which the claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.

MINIMUM CONTENT OF THE APPLICATION

Requests submitted by the holder in order to make a query or complaint about the use and handling of his personal data must contain minimum specifications, in order to provide the holder with a clear and coherent response to the request. The requirements of the request are:

a) Be addressed to ARANDA SOFTWARE ANDINA S.A.S.

b) Contain the identification of the Holder (Name and Identification Document).

(c) contain a description of the facts giving rise to the enquiry or complaint.

d) The subject matter of the request.

e) Indicate the Holder's physical and/or electronic (e-mail) notification address.

f) Attach the documents you wish to assert. (Especially for complaints)

In the event that the query or claim is submitted in person, the Data Subject shall submit the request or claim in writing without any formality other than the requirements set out in the previous point.

12.3 Procedural requirement

The Data Subject, his or her successors in title, his or her representative and/or proxy, or whoever is determined by stipulation in favour of another; may only file a complaint before the Superintendence of Industry and Commerce for the exercise of his or her rights once he or she has exhausted the Consultation or Complaint procedure directly before the company.

12.4 Request for update and/or rectification

ARANDA SOFTWARE ANDINA S.A.S. will rectify and update, at the request of the holder, the information that is inaccurate or incomplete, according to the procedure and the terms indicated above, for which the Holder must submit the request according to the channels provided by the company, indicating the update and rectification of the data and in turn must provide documentation to support such request.

13. Revocation of the authorisation and/or deletion of the Data

The Data Subject may revoke at any time the consent or authorisation given for the processing of his or her personal data, provided that there is no impediment enshrined in a legal or contractual provision.

Likewise, the Holder has the right to request at any time to ARANDA SOFTWARE ANDINA S.A.S. the deletion or elimination of their personal data when:

a) Considers that they are not being treated in accordance with the principles, duties and obligations provided for in the regulations in force.

(b) are no longer necessary or relevant for the purpose for which they were obtained.

(c) the time necessary for the fulfilment of the purposes for which they were obtained has elapsed.

Such deletion implies the total or partial elimination of the personal information, as requested by the holder in the records, files, databases or treatments carried out by ARANDA SOFTWARE ANDINA S.A.S.

The right of cancellation is not absolute and therefore ARANDA SOFTWARE ANDINA S.A.S. may deny revocation of authorization or deletion of personal data in the following cases:

a) The data subject has a legal or contractual duty to remain in the database.

(b) the deletion of data would hinder judicial or administrative proceedings related to tax obligations, the investigation and prosecution of criminal offences or the updating of administrative penalties.

c) The data are necessary to protect the legally protected interests of the data subject; to carry out an action in the public interest; or to comply with an obligation legally acquired by the data subject.

14. MODIFICATION OF POLICIES

ARANDA SOFTWARE ANDINA S.A.S. reserves the right to modify the Policy of Treatment and Protection of Personal Data at any time. However, any modification will be communicated in a timely manner to the holders of personal data through the usual means of contact with ten (10) working days prior to its entry into force.

In the event that a Data Subject does not agree with the new General or Special Policy and with valid reasons that constitute a just cause for not continuing with the authorisation for the processing of personal data, the Data Subject may request the company to withdraw his/her information through the channels indicated in Chapter 12. However, Data Subjects may not request the withdrawal of their personal data when the company has a legal or contractual duty to process the data.

15. VALIDITY

This Policy is effective as of March 2022.