ARANDA SOFTWARE ANDINA S.A.S. is committed to the proper processing of the personal data it manages in its capacity as the Data Controller, Therefore, it hereby informs all data subjects of this personal data processing policy, the application of which is mandatory for all natural or legal persons who directly or indirectly process the personal data managed by the Organization in the course of its business activities.
This Policy is therefore established not only to comply with the law, but also to provide clear and sufficient information regarding the purposes for which the personal data of the data subjects included in the organization’s databases—including employees, suppliers, shareholders, and customers acting as consumers, among others—is processed. Likewise, it is established to publicize the procedure implemented by the organization to guarantee the exercise of the right to data access and to outline the guidelines that ensure the protection of personal data processed byARANDA SOFTWARE ANDINA S.A.S.
This policy applies to all databases, both physical and digital, that contain personal data and are processed by ARANDA SOFTWARE ANDINA S.A.S. in its capacity as the Data Controller, as well as in cases where it acts as the Data Processor.
ARANDA SOFTWARE ANDINA S.A.S.,a commercial entity with Tax ID No. 830.099.766-1, is a Colombian company whose corporate purpose is to provide services related to the development, production, and marketing of software projects both nationally and internationally.
● PHYSICAL ADDRESS: 97 Diagonal, No. 17–60, Office 702, Bogotá, D.C.
● WEBSITE: www.arandasoft.com
● PHONE: +57 (1) 7563000
● EMAIL: protecciondedatos@arandasoft.com
This Policy establishes general guidelines for the protection and processing of personal data within the company, thereby helping to strengthen the level of trust between the Data Controller and Data Subjects regarding the processing of their information; and to inform Data Subjects of the purposes for which their personal data is processed and the mechanisms and methods available for exercising their rights.
This Personal Data Processing and Protection Policy applies to all databases and/or files containing personal data processed byARANDA SOFTWARE ANDINA S.A.S., as the data controller.
This is version 4.0 of the company’s personal data processing policy, , based on the database update process of databases carried out in compliance with External Circular 003 of 2018.
● Habeas Data: The right of every person to access, update, andcorrect information collected about them inpublic or privatefiles anddatabases.
● Personal data: Any information linked to or that can be associated withone or more identified or identifiable individuals.
● Data Database: An organized set of personal data that is subject to processing.
● Processing: Any operation or set of operations performed onpersonal data, such as collection, storage, use, dissemination, ordeletion.
● Authorization: Prior, express, and informed consent from the Data Subject toprocess personal data
● Privacy Notice: This is the document, whether in physical, electronic, or any otherknown or unknown format, that is made available to the Data Subject forthe purpose of informing them about the processing of their personal data.
● Headline: A natural person whose personal data is being processed.
● Beneficiary: A person who, through inheritance or transfer, acquires therights of another person.
● DData Controller: A natural or legal person, public or private,who, alone or jointly with others, determines the purposes and meansoftheprocessing of personal data
● DData Processor: A natural or legal person, public or private,who, acting alone or jointly with others, processespersonaldataon behalf of the data controller.
The following guiding principles shall apply with regard to the protection of personal data:
a) Principle of legality in data processing: The processing referred to in the Habeas Data Act is a regulated activity that must comply with the provisions of that Act and the other regulations implementing it.
b) Principle of purpose: The processing must serve a legitimate purpose in accordance with the Constitution and the law, which must be communicated to the Data Subject.
c) Principle of freedom: Processing may only take place with the prior, express, and informed consent of the Data Subject. Personal data may not be collected or disclosed without prior authorization, or in the absence of a legal or judicial mandate that supersedes consent.
d) Principle of Truthfulness or Quality: The information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. The processing of partial, incomplete, fragmented, or misleading data is prohibited.
e) Principle of transparency: During processing, the data subject’s right to obtain from the data controller or data processor, at any time and without restriction, information regarding the existence of data concerning him or her must be guaranteed.
f) Principle of Restricted Access and Circulation: The processing is subject to the limitations arising from the nature of the personal data, the provisions of the law, and the Constitution. In this regard, processing may only be carried out by persons authorized by the Data Subject and/or by the persons provided for by law.
Personal data, with the exception of public information, may not be made available on the Internet or through other means of mass dissemination or communication, unless access can be technically controlled to ensure that such information is accessible only to the data subjects or third parties authorized by law.
g) Security Principle: Information subject to processing by the Data Controller or Data Processor as referred to in the Habeas Data Act must be handled using the technical, human, and administrative measures necessary to ensure the security of the records, preventing their alteration, loss, unauthorized or fraudulent consultation, use, or access.
h) Principle of Confidentiality: All persons involved in the processing of personal data that is not of a public nature are obligated to ensure the confidentiality of the information, even after their involvement in any of the tasks comprising the processing has ended, and may only disclose or communicate personal data when such disclosure is necessary for the performance of activities authorized by law and in accordance with its terms.
Data subjects shall have the following rights, as well as any others granted to them by law:
a) To access, update, and correct your personal data by contacting the data controller or data processors. This right may be exercised, among other things, in cases where data is incomplete, inaccurate, fragmented, misleading, or where its processing is expressly prohibited or has not been authorized.
(b) Request proof of the authorization granted to the data controller, unless such authorization is expressly exempted as a requirement for processing, in accordance with the provisions of Article 10 of the Act.
c) To be informed by the data controller or data processor, upon request, regarding the use that has been made of your personal data.
(d) File complaints with the Superintendency of Industry and Commerce regarding violations of the provisions of the law and any other regulations that amend, supplement, or add to it.
e) Revoke consent and/or request the deletion of data when the processing fails to comply with constitutional and legal principles, rights, and safeguards. Such revocation and/or deletion shall be granted when the Superintendency of Industry and Commerce has determined that, in the course of processing, the data controller or processor has engaged in conduct contrary to the law and the Constitution
f) To access, free of charge, your personal data that has been processed.
Without prejudice to the exceptions provided for in Statutory Law 1581 of 2012, as a general rule regarding the processing of personal data, ARANDA SOFTWARE S.A.S.will obtain the prior and informed consent of the Data Subject, which may be obtained by any means that can be subject to subsequent verification.
7.1 Events for which authorization is not required
The data subject's consent will not be required in the following cases:
(a) Information requested by a public or administrative entity in the course of its lawful duties or pursuant to a court order.
b) Publicly available data.
c) Medical or health emergencies.
(d) Processing of information authorized by law for historical, statistical, or scientific purposes.
e) Data related to the Civil Registry of Persons.
ARANDA SOFTWARE ANDINA S.A.S. As the data controller, it will fulfill the following obligations:
a) To guarantee the Data Subject, at all times, the full and effective exercise of the right to access personal data.
b) Request and retain, under the conditions provided by law, a copy of the respective authorization granted by the Data Subject.
c) Duly inform the Data Subject of the purpose of the collection and the rights to which they are entitled by virtue of the authorization granted.
d) Retain the information under the necessary security conditions to prevent its alteration, loss, unauthorized consultation, use, or access or fraudulent access.
e) Ensure that the information provided to the Data Processor is truthful, complete, accurate, up-to-date, verifiable, and understandable.
f) Update the information, promptly notifying the Data Processor of all changes regarding the data previously provided previously provided and take any other necessary measures necessary to ensure that the information provided to the Data Controller remains up to date.
g) Correct the information when it is incorrect and notify the to the Data Processor.
h) Provide the Data Processor, as applicable, only data whose processing has been previously authorized in accordance with the provisions of this law.
i) Require the Data Processor at all times to respect the security and privacy conditions regarding the Data Subject’s information.
j) Process inquiries and complaints submitted in accordance with the terms set forth in Statutory Law 1581 of 2012.
(k) Adopt an internal manual of policies and procedures to ensure proper compliance with the law and, in particular, to address inquiries and complaints.
l) Notify the Data Processor when certain information is being disputed by the Data Subject, once the complaint has been filed at
and the relevant proceedings have not yet been concluded.
m) Provide information, upon the data subject’s request, regarding the use of their data.
(n) Notify the data protection authority in the event of security breaches that pose risks to the
management of data subjects' information.
(o) Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.
9.1 Processing of Employees’ Personal Data
ARANDA SOFTWARE ANDINA S.A.S. collects personal data from its Employees which the company classifies as confidential, and will only be disclosed by the company with the express authorization of the data subject or when requested by a Competent Authority.
The purposes for which the company’s employees’ personal data will be used are as follows:
a) To comply with the obligations imposed on employers by Colombian labor law, or with orders issued by the competent Colombian or foreign authorities.
b) To issue certifications regarding the data subject’s relationship with the Company.
c) Comply with the obligations imposed on the company as an employer regarding occupational safety and health regulations and the Occupational Safety and Health Management System (SG-SST).
d) Manage the duties performed by employees.
e) Carry out the various stages of the Company’s disciplinary processes and review memos, warnings, or any other type of disciplinary action imposed on employees.
f) Contact family members in case of an emergency.
g) Manage and oversee payroll.
h) Monitor employees' work schedules and overtime hours.
(i) Keep track of employees' sick leave, absences, leave of absence, and vacation time.
j) Keep a record of the training provided to employees.
k) Store your personal data, including biometric data, on its website as a record of the activities carried out.
l) Comply with the biosafety protocols applicable to the Company in accordance with the guidelines issued by the national government.
m) Monitor, track, and evaluate employees.
(n) Take the necessary photographs and images for employee identification, compliance monitoring, and the collection of evidence regarding the services provided.
(o) In addition, employees' biometric data is used for commercial purposes related to the Company's corporate purpose.
(p) Disclose employee information to third parties with whom the Company has a contractual relationship, including partners, consortia, and clients, to the extent necessary to comply with such third parties’ protocols, solely for the purpose of enabling them to manage and coordinate the personnel who actually provide the services arising from the professional relationship, as well as to facilitate compliance with legal obligations regarding tax and social security matters.
q) Provide employee identification information to travel agencies, transportation companies, hotels, and other entities for the purpose of managing reservations and settling related expenses.
(r) Carry out international data transfers or transmissions to countries that provide a level of protection similar to that of Colombia.
(s) disclosure of information to third parties responsible for evaluation, training, certification, and other processes required for the performance of the contractual relationship.
t) Verify, compare, and evaluate employees' professional and personal competencies.
u) Submit information to compensation funds, pension fund administrators (AFPs), occupational risk insurance companies (ARLs), insurance companies, and others.
v) Initiate internal investigations based on complaints filed by current and former employees, third parties, or the employees themselves.
w) Handling complaints against employees regarding workplace harassment or violations of codes of conduct.
ARANDA SOFTWARE ANDINA S.A.S.stores the personal data of its employees, including data collected during the recruitment process, and keeps it in a folder labeled with each employee’s name
.
Only the Human Resources Department and the Administrative Department will have access to this file and will handle it for the purpose of managing the contractual relationship betweenARANDA SOFTWARE ANDINA S.A.S.and the employee.
ARANDA SOFTWARE ANDINA S.A.S.processes sensitive personal data regarding its employees, such as information about their minor children, for the sole purpose of registering them as beneficiaries of the social security and parafiscal systems.
For the purposes of this processing, the relevant consent is obtained; such consent must always be explicit and voluntary, and must clearly specify the sensitive personal data to be processed and the purpose of such processing.
In addition, it will employ robust security measures to manage and safeguard such sensitive data, on the understanding that such sensitive data will be used solely byARANDA SOFTWARE ANDINA S.A.S.for the aforementioned purposes.
Once the employment relationship has ended,ARANDA SOFTWARE ANDINA S.A.S.will store all personal data obtained during the selection process and all documentation generated during the course of the employment relationship in a central archive with restricted access, ensuring that the information is subject to appropriate security measures and standards at all times, given that employment-related information may contain sensitive data.
In any case, the information will not be processed for a period exceeding twenty (20) yearsfrom the termination of the employment relationship, or as required by legal or contractual circumstances that necessitate the handling of the information.
Finally, the company wishes to inform you that, in accordance with the provisions of External Circular 008 of 2020 issued by the Superintendency of Industry and Commerce, the sensitive personal data collected to comply with biosafety protocols in the context of the COVID-19 pandemic was used solely for the purposes specified by the Ministry of Health and Social Protection, and will only be stored for as long as is reasonable and necessary to demonstrate compliance with said regulatory provisions. Once the purpose of the Personal Data Processing has been fulfilled, the Company will automatically delete the collected data.
9.2Processing of apprentices’ personal data:
ARANDA SOFTWARE ANDINA S.A.S. collects the personal data of its trainees and stores it in a database that the company classifies as confidential; such data will only be disclosed with the express authorization of the data subject or when requested by a competent authority.
The purposes for which the personal data of the trainees at ARANDA SOFTWARE ANDINA S.A.S. will be:
a) Comply with the obligations imposed on employers by Colombian labor law, particularly the provisions of Law 789 of 2002 and its implementing regulations.
b) Issue certificates regarding the data subject’s relationship with the company.
c) Verify any requirements that arise during the apprentice onboarding process.
d) Comply with the obligations imposed on the company as an employer regarding occupational safety and health regulations and the Occupational Safety and Health Management System (SG-SST).
e) Oversee the tasks performed by the apprentices.
f) Monitor the progress of trainees during both the classroom and practical training phases.
g) Contact family members in case of an emergency.
In any case, the information will not be processed for a period longer than the duration of the applicant’s relationship with the company, which in no case may exceedtwo (2) years, plus any additional time required in accordance with legal or contractual circumstances that necessitate the handling of the information
9.3 Processing of customers' personal data:
ARANDA SOFTWARE ANDINA S.A.S. collects itscustomers’ personal dataand stores it in a database that the Company classifiesas confidential;such datawill only be disclosed with the express authorization of the data subject orwhen requested by a Competent Authority.
The purposes for which the personal data of customersof ARANDA SOFTWARE ANDINA S.A.S. will be:
a) Monitoring and accounting records of obligations incurred with customers.
b) Compliance with tax and legal requirements before public and regulatory authorities.
c) Compliance with contractual obligations, for which information may be transferred to third parties, such as financial institutions, third-party partners, notaries, attorneys, etc.
d) Compliance with judicial decisions and administrative, legal, tax, and regulatory provisions.
e) Transmission of information and personal data during audit processes.
f) Administrative management for the execution of pre-contractual, contractual, and post-contractual stages.
g) Creation of the customer profile on the Company’s platforms or software.
h) Ensuring the provision of services for the development, production, and commercialization of software projects.
i) Ensuring compliance with the rights granted to them under Law 1581 of 2012.
j) Conduct business prospecting and marketing activities.
k) Evaluate customer service and conduct satisfaction surveys.
l) Share information with third-party partners who collaborate with the company, considering that they must access the information to some extent to fulfill their duties; these partners will also be subject to the same obligations regarding confidentiality, information handling, and personal data protection to which this company is subject.
m) Process requests, complaints, or claims submitted directly by the customer through customer service channels.
n) Contact the customer via physical and electronic means—email, SMS, or chat—to send information of interest or related to the contractual relationship, invite them to training sessions, or inform them about the service portfolio.
o) Maintain business contact with the Company, even after the termination of the contractual relationship.
p) As a matter of good business practice or legal obligation,check customer records against restricted lists, OFAC lists, PEPs,
Clinton, and UN lists, in order to prevent money laundering and terrorist financing.
In any case, the information will not be processed for a period longer than the duration of the contractual relationship between the customer and the Company, plus any additional time required in accordance with legal or contractual circumstances that necessitate the handling of the information.
9.4 Processing of Personal Data of Suppliers and Contractors:
ARANDA SOFTWARE ANDINA S.A.S. collects the personal data of itssuppliers and contractorsandstores it in a database which, althoughcomposed mostly of public data, is classified by the companyas confidential; in the case of private data, thecompanywill only disclose itwith the express authorization of the data subject or whenrequested byacompetentauthority.
The purposes for which the personal data of Suppliers and Contractors of ARANDA SOFTWARE ANDINA S.A.S. will be:
a) Manage invoices submitted by suppliers or contractors.
b) Monitor contributions made by contractors to the social security system.
c) Conduct evaluations and selection of potential suppliers.
d) Ensure compliance with tax and legal requirements regarding public and regulatory entities.
e) Monitor and process payments for goods and services received.
f) Qualitative and quantitative evaluations of the service levels received from suppliers.
g) Control and accounting recording of obligations incurred with suppliers and contractors.
h) Issuing invitations to bid and carrying out procedures for the pre-contractual, contractual, and post-contractual stages.
i) Any others specifically established in the authorizations granted by the suppliers themselves
ARANDA SOFTWARE ANDINA S.A.S.will only collect from its suppliers and contractors the data that is necessary, relevant, and not excessive for the purpose of selection, evaluation, and performance of the applicable contract. The collection of personal data of suppliers’ employees byARANDA SOFTWARE ANDINA S.A.S.will, in all cases, be for the purpose of verifying the suitability and competence of the employees; that is, once this requirement has been verified,ARANDA SOFTWARE ANDINA S.A.S. will returnsuch information to the Supplier, unless its retention is expressly authorized.
In any case, the information will not be processed for a period longer than the duration of the Supplier’s and contractors’ relationship with the company, plus any additional time required in accordance with legal or contractual circumstances that necessitate the handling of the information.
9.5 Processing of Personal Data of Prospective Customers
ARANDA SOFTWARE ANDINA S.A.S. collects the personal data of its shareholders, stores it in a database that the company classifies as confidential, and will only disclose such data with the express authorization of the data subject or when requested by a Competent Authority.
The purposes for which shareholders’ personal data is used are:
a) To enable the exercise of the rights and duties arising from shareholder status.
b) To enable the sending of invitations to events scheduled by the company.
c) To issue certifications regarding the Account Holder’s relationship with the company.
d) To comply with the provisions and regulations set forth in the Commercial Code and other applicable regulations.
e) Summon or invite the Shareholder to the various ordinary and extraordinary corporate meetings that they must attend in their capacity as a shareholder and in accordance with the provisions of the company’s Articles of Incorporation.
f) Share identification information with third parties to ensure their compliance with the obligations inherent to AML/CFT risk management systems.
In any case, the information will not be processed for a period longer than the company’s existence, plus any additional time required by legal or contractual circumstances that necessitate the handling of the information.
9.6 Processing of Visitors’ Personal Data at Entry Control:
ARANDA SOFTWARE ANDINA S.A.S. collects personal data from itsvisitors through forms and surveys that may includesensitivepersonal data,such as the temperature or health status of third parties, incompliance with the Company’s biosafety protocols. This informationis stored in a database classified by the entity asconfidential and will only be disclosed by the Company with the express authorization ofthe data subject or when requested by a Competent Authority.
The purposes for which the personal data of thoseentering the facilities ofARANDA SOFTWARE ANDINA S.A.S.are usedare as follows:
a) Ensure that only individuals with valid access authorization are granted entry to the Company’s facilities and restrict access to those without authorization.
b) Ensure security in monitored areas.
c) Provide suitable work environments for the safe performance of activities within the Company.
d) Comply with the obligations stipulated in the Occupational Health and Safety Management System.
e) Comply with the biosafety protocols implemented by the Company.
In any case, the information will not be processed for a period exceeding one (1) year from the date of collection, in accordance with the legal or contractual circumstances that necessitate the handling of the information
9.7 Processing of Website Users' Personal Data:
ARANDA SOFTWARE ANDINA S.A.S. collects personal data from interested third parties through its website and stores it in a database classified by the company as confidential, which will only be disclosed with the express authorization of the data subject or when requested by a Competent Authority.
The purposes for which the personal data contained on theARANDA SOFTWARE ANDINA S.A.S.website is used are as follows:
a) To facilitate communication with customers or third parties through the “Contact Us” section.
b) To publish events or news of interest.
c) Receive and process complaints and claims from third parties.
d) Legal, accounting, administrative, commercial, promotional, informational, marketing, and sales purposes.
e) Conduct promotional, marketing, and advertising campaigns.
f) Publicize the company’s portfolio of services.
In any case, the information will not be processed for a period longer than that agreed upon with the third party or user through a contract or authorization to use their personal data, starting from the date of collection, in accordance with the legal or contractual circumstances that necessitate the handling of the information.
9.8 TProcessing of Personal Data from Video Surveillance Records
ARANDA SOFTWARE ANDINA S.A.S. collects biometric data from its employees and visitors through its surveillance cameras and stores it in a database that the company classifies as confidential; this data will only be disclosed with the express authorization of the data subject or when requested by a competent authority.
The purposes for which the personal data captured by the surveillance cameras of ARANDA SOFTWARE ANDINA S.A.S. are as follows:
a) Ensure safety in the workplace.
b) Provide a suitable work environment for the safe performance of the company’s business activities.
c) Monitor the entry, presence, and exit of employees and contractors at the company’s facilities.
To comply with the disclosure obligations incumbent upon ARANDA SOFTWARE ANDINA S.A.S. as a personal data controller, the company will post Privacy Notices in areas where images are captured that involve the processing of personal data.
In any case, the information will not be processed for a period exceeding 30 days from the date of collection, in accordance with the legal or contractual circumstances that necessitate the handling of the information.
9.9 Processing of Personal Data of SENA Trainees:
ARANDA SOFTWARE ANDINA S.A.S. collects biometric data from its employees and stores it in a database that the company classifies as confidential; this data will only be disclosed with the express authorization of the data subject or when requested by a Competent Authority.
The purposes for which the personal data captured by the surveillance cameras of ARANDA SOFTWARE ANDINA S.A.S. will be:
a) Ensure safety in the workplace.
b) Allow access only to authorized personnel.
c) Monitor employees’ entry, presence, and exit from company facilities.
In any case, the information will not be processed for a period longer than the duration of the employment relationship with the employee.
9.10 Processing of Personal Data of Prospective Customers:
ARANDA SOFTWARE ANDINA S.A.S. maintains a registry of ProspectiveClients, whose information has been collected by the Company withthe express authorization of the Data Subject through events or through thecompletion of quote requests by the Data Subjects themselves.
ARANDA SOFTWARE ANDINA S.A.S.stores this information in adatabase classified by the company as confidential, and it will onlybe disclosed with the data subject’s express authorization or whenrequested byaCompetentAuthority.
The purposes for which the personal data of Prospective Customers of ARANDA SOFTWARE ANDINA S.A.S. will be:
a) Sending invitations to events organized by the company.
b) Sending information about projects offered by the company to interested parties.
c) Verifying compliance with the requirements established by the company for access to a project, agreement, or contract.
d) Conducting business development activities and marketing operations.
e) Process inquiries, complaints, or claims submitted by data subjects.
f) To prepare management reports and internal statistics.
g) Ensure the exercise of your right to data access (inquiries, complaints, and claims regarding the updating, correction, deletion, or removal of data).
In any case, the information will not be processed for a period longer than that agreed upon with the prospective customer through an authorization to use their personal data, effective from the date of collection, in accordance with the legal or contractual circumstances that necessitate the handling of the information.
In any case, the information will not be processed for a period longer than that established through the authorization granted by the prospective client to use their personal data, starting from the date of collection, in accordance with the legal or contractual circumstances that necessitate the handling of the information.
9.10 TProcessing of personal data of candidates or applicants for selection processes:
ARANDA SOFTWARE ANDINA S.A.S.collects the personal data of candidates participating in the selection processes conducted by the Company and stores it in a database classified as confidential; such data will only be disclosed with the express authorization of the data subject or upon request by a competent authority.
The purposes for which the personal data of applicants in the recruitment processes conducted byARANDA SOFTWARE ANDINA S.A.S.are used are as follows:
a) Conducting internal and external administrative procedures for the transparent execution of the personnel selection process.
b) Sending communications scheduled by the Company to conduct various selection tests.
c) Verifying any requirements that arise during the recruitment process.
d) Verifying the applicant’s employment, academic, and personal references.
e) Facilitating the overall onboarding process for selected personnel.
f) Conducting security checks and home visits.
All personal data provided to us by the applicant will become part of a “Talent Pool,” which the Company, as the Data Controller, may process for current and future recruitment processes in which the applicant’s profile is suitable. The databases where this information is stored have the necessary security measures in place to ensure the complete security of the data provided during the recruitment process. In any case, the information will not be processed for a period longer than that authorized by the applicant and the additional time required in accordance with legal or contractual circumstances that necessitate the handling of the information.
The personal data provided by the data subjects listed above in this Personal Data Processing Policy of ARANDA SOFTWARE ANDINA S.A.S. will be retained for as long as:
a) A legal or contractual relationship exists with the data subject.
b) The personal data provided will be retained until the data subject requests its deletion, provided there is no legal obligation to retain it.
c) The personal data provided will be retained for a period of two (2) years from the data subject’s last confirmation of interest. That is, from the data subject’s intention to continue receiving information, products, or services fromARANDA SOFTWARE ANDINA S.A.S.
d) Personal data contained in various company ledgers and documents in its capacity as a business entity will be retained for a period of ten (10) years from the date of the last entry, document, or receipt. on paper or on any technical, magnetic, or electronic medium that guarantees its exact reproduction.
Paragraph:Excluded from the data retention period stipulated in section C is any information whose content specifies a term longer than that indicated, in accordance with a legal mandate or an order issued by a competent authority.
In compliance with the provisions of the regulatory decrees governing the content of Personal Data Processing Policies, data subjects are hereby informed that their information may be used, stored, and retained in both electronic and physical media.
Digital and physical information is stored in environments equipped with adequate data protection controls. This includes physical, IT, technological, and environmental security controls across all areas of the company, including its own facilities, data centers, and document storage sites.
In accordance with the principle of transparency, Data Subjects have access at any time (upon written or verbal request) to the stored information, as do their successors in title who can prove their status, the Data Subject’s representative and/or agent, a competent authority, and any party designated in a provision in favor of or on behalf of another.
The purposes of the collection, storage, use, and disposal of such data are governed by the provisions of Law 1581 of 2012, its implementing regulations, and this Policy.
Appointment of the Data Protection Officer: In order to ensure that the measures implemented by the organization to comply with the obligations established in Statutory Law 1581 of 2012 are appropriate, effective, and verifiable by data subjects or the Superintendency of Industry and Commerce in the exercise of its functions, the Senior Management of ARANDA SOFTWARE ANDINA S.A.S. has appointed an individual who currently serves as the PERSONAL DATA PROTECTION OFFICER (OPD), who is duly registered in the RNBD application.
This DPO will be responsible for overseeing compliance with the data protection regime by the data controllers and processors atARANDA SOFTWARE ANDINA S.A.S., using a risk-based approach. Similarly, the DPO will serve as the point of contact with the supervisory authority.
In any case, to ensure that the company’s Data Protection Officer (DPO) has adequate support in terms of financial resources, infrastructure, and personnel, as needed, the organization’s senior management may outsource compliance with certain regulatory obligations to an external consulting firm with expertise in the field.
ARANDA SOFTWARE ANDINA S.A.S.currently does not engage in the international transmission or transfer of personal data. In the event that it decides to carry out the international transfer of personal data, in addition to obtaining the express and unequivocal authorization of the Data Subject, it will ensure that the action provides adequate levels of data protection and complies with the requirements established in Colombia by Statutory Law 1581 of 2012 and its regulatory decrees.
On the other hand, when ARANDA SOFTWARE ANDINA S.A.S. decides to carry out an international data transfer, it may do so without the data subjects’ authorization, provided that it guarantees the security of the information, confidentiality, and the conditions governing the scope of data processing, in accordance with the provisions of Article 10 of Law 1581 of 2012
ARANDA SOFTWARE ANDINA S.A.S. does not directly process the personal data of minors; however, specifically, the Company collects and processes the personal data of its employees’ minor children, for the sole purpose of complying with the obligations imposed by law on employers regarding enrollment in social security and parafiscal systems, as well as compliance with family leave provisions (Law 1857 of 2017), and specifically to enable children to enjoy their fundamental rights to health, recreation, and family life.
In any case, ARANDA SOFTWARE ANDINA S.A.S. will, where applicable, obtain the necessary authorization from their legal representatives for the processing of such data, always bearing in mind the best interests of the child and respect for the prevailing rights of children and adolescents enshrined in Article 44 of the Political Constitution of Colombia.
In accordance with the principle of accountability in the processing of personal data, and to ensure compliance with these policies by the organization’s employees and contractors,ARANDA SOFTWARE ANDINA S.A.S.conducts annual training and awareness sessions on personal data protection and information security, providing documentation of attendance. In this regard, it is confirmed that the content of the training sessions is updated periodically and that these sessions may be conducted by external consultants who are experts in the field.
The Data Subject, their successors, representative, and/or authorized agent, or any person designated by stipulation in favor of another, may exercise their rights by contacting us in writing to the administrative department responsible for personal data protection within the company. The communication may be sent to the following email address: electrónico:sandra.doncel@arandasoft.comor via written communication sent to the following address: Diagonal 97 # 17 – 60, Office 702, Bogotá D.C.
a. Inquiries
The Data Subject may access their personal information stored in the databases of ARANDA SOFTWARE ANDINA S.A.S., and the company will provide all information contained in the individual record or related to the applicant’s identification.
Once received by the company, the request will be processed within a maximum of ten (10) business days from the date of receipt. If it is not possible to respond to the inquiry within this period, the data subject will be notified, stating the reasons for the delay and indicating the new date by which the inquiry will be addressed, which in no case may exceed five(5) business days followingthe expiration of the initial period.
b. Claims
When it is determined that the information contained in a database of ARANDA SOFTWARE ANDINA S.A.S should be corrected,updated, or deleted, or when a suspected breach ofany of the obligations contained in the Data Protection Actis detected,a complaintmay befiled with ARANDA SOFTWARE ANDINA S.A.S which will beprocessed in accordance with the following rules:
1.The complaint must be submitted in writing to ARANDA SOFTWARE ANDINA S.A.S identifying the Account Holder, describingthe facts giving rise to the complaint, providingthe address, and attaching anysupporting documents.
If the claim is incomplete, the claimant will be asked to provide the missing information within five (5) days following receipt of the claim to correct the deficiencies.After two (2) months from the date of the request, if theclaimant has notsubmitted the required information, theclaimwill be deemed withdrawn.
In the event that ARANDA SOFTWARE ANDINA S.A.Sreceives a complaintthat it is not authorized to resolve, the company will forward it to theappropriate party within a maximum of two (2) business days and will inform the Data Subject.
2.Once the complete claim has been received, the company will adda note to the relevantdatabase stating “claim pending” and the reason for it, within a period of no more than two (2) business days. Thecompany will maintainthis notation on the disputed data until the claim is resolved.
3. The maximum time limit for addressing the complaint shall be fifteen (15) business days counted from the day following the date of receipt. If it is notpossible to address the complaint within that period, the company will inform theData Subject of the reasons for the delay and the new date by which the complaint will be addressed,which in no case may exceed eight (8) business days following theexpiration of the initial period.
Requests submitted by data subjects to inquireabout or file a complaintregarding the use and processing of their personal data must include certainminimum details in order to provide the data subject with a clear response thatis consistent with the request. The requirements for the request are:
a) Be addressed to ARANDA SOFTWARE ANDINA S.A.S.
b) Include the data subject’s identification information (name andidentification document).
c) Include a description of the facts underlying the inquiry orcomplaint.
d) The purpose of the request.
e) Provide the Data Subject’s mailing address and/or email address.
f) Attach any supporting documents. (Especially forclaims.)
If the inquiry or complaint is submitted in person, theData Subject must submit their request or complaint in writing, subjectonly to the requirements set forth in the preceding paragraph.
12.3 Admissibility Requirement
The Account Holder, their successors, their representative and/or authorized agent, or any other party designated by agreement in favor of another, may only file a complaint with the Superintendency of Industry and Commerce regarding the exercise of their rights after having exhausted the consultation or complaint process directly with the Company.
12.4 Request for update and/or correction
ARANDA SOFTWARE ANDINA S.A.S. will correct and update, at the request ofthe data subject, any information that is inaccurate or incomplete, in accordance withthe procedure and terms set forth above. To this end, the data subject mustsubmit the request through the channels provided by the company, specifying theupdate and correction of the data, and must also provide the documentationsupporting such request.
17. Revocation of Authorization and/or Deletion of Data
The Data Subject may revoke at any time the consent or authorization given for the processing of their personal data, provided that there is no legal or contractual impediment to doing so.
The Data Subject also has the right to request at any time thatARANDA SOFTWARE ANDINA S.A.S.delete or remove their personal data when:
(a) Considers that they are not being treated in accordance with the principles, duties, and obligations set forth in current regulations.
(b) Are no longer necessary or relevant for the purpose for which they were collected.
(c) The period necessary to fulfill the purposes for which the data was collected has elapsed.
Such deletion entails the total or partial removal of personal information, as requested by the data subject, from the records, files, databases, or processing operations carried out byARANDA SOFTWARE ANDINA S.A.S. The right to cancellation is not absolute; therefore,ARANDA SOFTWARE ANDINA S.A.S.may deny the revocation of authorization or the deletion of personal data
in the following cases:
(a) The data subject has a legal or contractual obligation to remain in the database.
(b) The deletion of data would hinder judicial or administrative proceedings related to tax obligations, the investigation and
prosecution of crimes, or the enforcement of administrative penalties.
(c) The data is necessary to protect the data subject’s legally protected interests; to take action in the public interest; or to fulfill a legal obligation incumbent upon the data subject.
ARANDA SOFTWARE ANDINA S.A.S. reserves the right to modify thePersonal Data Processing and Protection Policy at any time.However, any modification will be communicated in a timely manner to thedata subjects through the usual means of contactand in advance of its effective date.
In the event that a data subject does not agree with the new General orSpecialPolicyand has valid reasons constituting just cause for notcontinuing with the authorization for the processing of personal data, the data subjectmay request that the company remove their information through the channelsindicated in Chapter 16. However, Data Subjects may not request the removalof their personal data when the company has a legal or contractual obligationto process the data.
This Policy is effective as of April 1, 2024.