Skip to content

Privacy Notice, Processing Policy and Protection of Personal Data for services, applications and platforms of Aranda Device Management.

This privacy notice applies to Services/Applications/Platforms provided by Aranda Device Management:

In compliance with the General Regime of Habeas Data, regulated by Law 1581 of 2012 and its regulatory Decrees; the company ARANDA SOFTWARE ANDINA SAS identified with NIT. 830.099.766-1 and email address https://arandasoft.com/ as a company that stores and collects personal data, and as RESPONSIBLE, must inform you of the following:

Personal data requested when browsing the website https://arandasoft.com/ will be processed in accordance with the purposes related to the Company's corporate purpose and, in particular, to respond to concerns raised through this channel; and to send information considered of interest through electronic newsletters. The personal and contact data requested will be kept in a database of the company for as long as a contractual or legal relationship with the owner of the information is maintained, and in any case for a maximum period of 20 years, once such relationship with the owner has ended, for the sole purpose of complying with the obligation to provide the information.óThe information shall be kept for a maximum period of 20 years, after the end of the relationship with the data subject, for the sole purpose of complying with the legal obligation to keep records, to meet requests from authorities and/or for statistical purposes.

As the owner of the information, you have the right to know, update and rectify your personal data; to request the revocation of the authorisation and/or request the deletion of the data when the processing carried out does not respect the constitutional and legal principles, rights and guarantees; and to access your personal data subject to processing free of charge.

If you wish to submit queries, complaints or claims, you can send your request to the following e-mail address protecciondedatos@arandasoft.com or in person at the following Diagonal. 97 No.17-60 IFX Network Building Office 702 in the city of Bogotá D.C.

Processing and protection of personal data policy for Services/Applications/Platforms provided by Aranda Device Management:

In compliance with the provisions of the Statutory Law 1581 of 2012 and its Regulatory Decrees, the company establishes the General and Special Policy applicable to the Processing and Protection of Personal Data in the organisation.

1. IDENTIFICATION OF THE PERSON RESPONSIBLE

ARANDA SOFTWARE ANDINA S.A.S., commercial company identified with NIT 830.099.766-1 is constituted as a Colombian company, whose corporate purpose is to provide development services, production and marketing of software projects.

2. OBJECTIVE
This Policy establishes the general guidelines for the protection and processing of personal data within the company, thus allowing to strengthen the level of confidence between Responsibles and Data Subjects in relation to the processing of their information; inform the Data Controllers of the purposes and transfers to which their personal data are subjected and the mechanisms and forms for the exercise of their rights.
3. SCOPE
This Personal Data Processing and Protection Policy shall be applied to all databases and/or files containing personal data that are processed by ARANDA SOFTWARE ANDINA S.A.S., as the party responsible for the processing of personal data. 

This policy constitutes version 2.0 of the company's personal data processing policy, based on the database update process carried out by the company in compliance with External Circular 003 of 2018, i.e. the update that all companies must carry out of their databases between 2 January and 31 March of each year from 2020 onwards. 
4. DEFINITIONS

● Habeas Data: The right of every person to know, update and rectify the information that has been collected about him/her in public or private files and data banks.

Personal data: Any information linked or capable of being linked to one or more specific or identifiable natural person(s).

● Database: An organised collection of personal data that is the subject of processing.

Processing: Any operation or set of operations which is performed on personal data, such as collection, storage, use, circulation or deletion.

● Authorisation: Prior, express and informed consent of the Data Subject to carry out the processing of personal data.

Privacy notice: It is the physical, electronic or any other known or to be known format, which is made available to the Data Subject in order to inform about the processing of personal data.

Data subject: Natural person whose personal data is the subject of processing.

● Causee: A person who by succession or transmission acquires the rights of another person.

Data Controller: A natural or legal person, public or private, who alone or in association with others, decides on the database and/or the processing of the data.

Processor: A natural or legal person, public or private, who, alone or in association with others, carries out the processing of personal data on behalf of the Controller.

5. GUIDING PRINCIPLES APPLICABLE TO PERSONAL DATA

The following guiding principles shall apply to the protection of personal data:

a) Principle of legality in the processing of data: The processing referred to in the Habeas Data Act is a regulated activity that must be subject to the provisions set forth therein and in the other provisions that develop it.

b) Principle of purpose: The processing must obey a legitimate purpose in accordance with the Constitution and the law, which must be informed to the Data Subject.

c) Principle of freedom: Processing may only be carried out with the prior, express and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorisation, or in the absence of a legal or judicial mandate that relieves consent.

d) Principle of truthfulness or quality: The information subject to processing must be truthful, complete, accurate, up-to-date, verifiable and comprehensible. The processing of partial, incomplete, fragmented or misleading data is prohibited.

e) Principle of transparency: The right of the Data Subject to obtain from the Controller or the Processor, at any time and without restriction, information about the existence of data relating to him/her, must be guaranteed in the processing.

f) Principle of restricted access and circulation: The processing is subject to the limits arising from the nature of the personal data, the provisions of the law and the Constitution. In this sense, the processing may only be carried out by persons authorised by the Data Controller and/or by the persons provided for by law.

Personal data, except for public information, may not be made available on the Internet or other means of mass dissemination or communication, unless access is technically controllable so as to provide restricted knowledge only to Data Subjects or authorised third parties in accordance with the law.

g) Principle of security: The information subject to processing by the Data Controller or Data Processor referred to in the Habeas Data Act must be handled with the technical, human and administrative measures necessary to ensure the security of the records, avoiding their adulteration, loss, consultation, unauthorised or fraudulent use or access.

h) Principle of confidentiality: All persons involved in the processing of personal data that are not of a public nature are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks involved in the processing, and may only supply or communicate personal data when this corresponds to the development of the activities authorised by law and in accordance with the terms of the same.

6. RIGHTS OF THE OWNERS

Personal data subjects shall enjoy the following rights, and those granted to them by law:

a) To know, update and rectify their personal data with respect to the data controller or data processors. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or data whose processing is expressly prohibited or has not been authorised;

b) Request proof of the authorisation granted to the Data Controller, except when expressly exempted as a requirement for the processing, in accordance with the provisions of Article 10 of the Law;

c) Be informed by the Controller or the Processor, upon request, of the use made of his or her personal data;

d) File complaints with the Superintendency of Industry and Commerce for infringements of the provisions of the law and other regulations that modify, add to or complement it;

e) To revoke the authorisation and/or request the deletion of the data when the processing does not respect the constitutional and legal principles, rights and guarantees. The revocation and/or deletion shall proceed when the Superintendency of Industry and Commerce has determined that the Controller or Processor has engaged in conduct contrary to the law and the Constitution;

f) Access free of charge to their personal data which have been processed.

7. AUTHORISATION OF THE HOLDER OF PERSONAL DATA

Without prejudice to the exceptions provided for in the Statutory Law 1581 of 2012, as a general rule in the processing of personal data, ARANDA SOFTWARE ANDINA S.A.S. will collect the prior and informed authorisation of the Data Subject, which may be obtained by any means that may be subject to subsequent consultation.

7.1 Events for which authorisation is not required

Authorisation by the Data Controller is not required in the case of:

(a) Information required by a public or administrative body in the exercise of its legal functions or by court order;

(b) Data of a public nature;

(c) cases of medical or health emergencies;

(d) processing of information authorised by law for historical, statistical or scientific purposes;

e) Data related to the Civil Registry of Persons.

8. DUTIES OF ARANDA SOFTWARE ANDINA S.A.S. AS THE PARTY RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA

ARANDA SOFTWARE ANDINA S.A.S., as the party responsible for the processing of personal data, shall comply with the following duties:

a) Guarantee the Data Subject, at all times, the full and effective exercise of the right to habeas data.

b) Request and keep, under the conditions provided for by law, a copy of the respective authorisation granted by the Data Controller.

c) Duly inform the Data Subject about the purpose of the collection and the rights he/she is entitled to by virtue of the authorisation granted.

d) Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, unauthorised or fraudulent use or access.

(e) ensure that the information provided to the Data Controller is true, complete, accurate, up to date, verifiable and comprehensible.

f) Update the information, communicating in a timely manner to the Data Processor, all new developments with respect to the data previously provided to him/her and adopt the other necessary measures so that the information provided to him/her is kept up to date.

g) Rectify the information when it is incorrect and communicate the relevant information to the Data Controller.

h) To provide to the processor, as the case may be, only data the processing of which is previously authorised in accordance with the provisions of this law.

i) Demand that the Data Controller at all times respect the conditions of security and privacy of the Data Subject's information.

j) To process queries and claims formulated under the terms set out in Statutory Law 1581 of 2012.

k) Adopt an internal manual of policies and procedures to ensure adequate compliance with the law and, in particular, to deal with queries and complaints.

l) Inform the Data Controller when certain information is under discussion by the Data Subject, once the complaint has been filed and the respective process has not been completed.

m) Informing the Data Subject, at his request, about the use given to his data

n) Inform the data protection authority when there are violations of the security codes and there are risks in the administration of data subjects' information.

o) Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

9. SPECIFIC POLICIES FOR THE PROCESSING OF PERSONAL DATA

9.1 Processing of Employees' personal data

ARANDA SOFTWARE ANDINA S.A.S. collects the personal data of its employees, which are classified by the company as confidential, and will only be disclosed by the company with the express authorization of the owner or when requested by a Competent Authority.

The purposes for which the personal data of the company's employees are used will be:

a) To comply with the obligations imposed on employers by Colombian labour law, or with orders issued by the competent Colombian or foreign authorities.

(b) issue certifications concerning the relationship of the data subject with the Undertaking.

c) Comply with the obligations imposed on the company as an employer, in relation to Occupational Safety and Health regulations, and the so-called Occupational Safety and Health Management System (OSHMS).

d) To manage the functions carried out by the workers.

e) Execute the different stages of the Company's disciplinary processes and consult memos, warnings or any type of sanction imposed on employees.

f) Contacting family members in case of emergency.

(g) Payroll management and control

(h) Controlling workers' hours and overtime worked.

(i) Keeping a record of incapacity, absenteeism, leave and holidays of workers.

(j) Keeping a record of training given to workers

(k) store your personal data, including biometric data on its website in support of the activities carried out.

l) Comply with the biosecurity protocols applicable to the Company in accordance with the provisions issued by the National Government.

(m) carry out control, monitoring and evaluation of workers.

n) Take images and photographs necessary for the recognition of the worker, control of compliance and collection of evidence of the services performed.

o) In addition, biometric data of employees are used for commercial purposes related to the Company's corporate purpose.

p) Communicate information on employees to third parties with which the Company maintains a contractual relationship, partners or consortiums and clients to the extent necessary to comply with the protocol of the third parties, for the sole purpose of enabling them to manage the control and coordination of the personnel who effectively provide the services deriving from the professional relationship, as well as to enable compliance with legal, tax and social security obligations.

q) Communicating workers' identification data to travel agencies, transport companies, hotels and other entities for the management of reservations and settlement of expenses incurred.

r) To carry out international transfer or transmission of data to countries that provide similar protection to Colombia.

s) provision of the information to third parties in charge of evaluation, training, certification and other processes required in the development of the contractual relationship.

t) Verify, compare, evaluate the work and personal competencies of employees.

u) Sending information to compensation funds, AFP, ARL, insurance companies, among others.

v) Initiate internal investigations based on complaints filed by active and non-active employees, third parties or the employees themselves.

w) Handling of complaints against workers for harassment at work or violation of codes of conduct.

ARANDA SOFTWARE ANDINA S.A.S. stores the personal data of its employees, including those obtained during the selection process, and keeps them in a folder identified with the name of each of them.

This folder will only be accessed and processed by the Human Resources Area and the Administrative Area for the purpose of administering the contractual relationship between ARANDA SOFTWARE ANDINA S.A.S. and the employee.

ARANDA SOFTWARE ANDINA S.A.S. processes sensitive personal data of its employees such as the data of their minor children for the sole purpose of registering them as beneficiaries of the social security and parafiscal system. For the purposes of this treatment the respective authorization is collected, which in any case will be express and optional, clearly indicating the Sensitive Personal Data to be processed and the purpose of the same.

Likewise, it will have high security systems for the handling of sensitive data and its reserve, in the understanding that such sensitive data will only be used by ARANDA SOFTWARE ANDINA S.A.S. for the aforementioned purposes.

Once the employment relationship has ended, ARANDA SOFTWARE ANDINA S.A.S. will proceed to store all the personal data obtained from the selection process and the documentation generated in the development of the employment relationship, in a central file with restricted access, subjecting the information at all times to appropriate security measures and levels, given that the employment information may contain sensitive data.

In any case, the information will not be processed for a period of more than twenty (20) years from the termination of the employment relationship, or in accordance with the legal or contractual circumstances that make it necessary to handle the information.

Finally, in accordance with the provisions of External Circular 008 of 2020 of the Superintendence of Industry and Commerce, the data collected to comply with the biosecurity protocols shall only be used for the purposes indicated by the Ministry of Health and Social Protection, and shall only be stored for the reasonable and necessary time to comply with said protocols. Once the purpose of the Processing of Personal Data has been fulfilled, the Company will automatically delete the data collected.

9.2 Processing of Trainees' personal data:

ARANDA SOFTWARE ANDINA S.A.S. collects the personal data of its trainees and stores them in a database which is classified by the company as confidential, and will only be disclosed with the express authorisation of the owner or when requested by a Competent Authority.

The purposes for which the personal data of the trainees of ARANDA SOFTWARE ANDINA S.A.S. are used will be:

a) To comply with the obligations imposed by Colombian labour law on employers, in particular with the provisions of Law 789 of 2002 and its Regulatory Decrees.

b) Issue certifications regarding the data subject's relationship with the company.

c) To corroborate any requirement that may arise in the development of the apprenticeship process.

d) Comply with the obligations imposed on the company as an employer, in relation to Occupational Safety and Health regulations, and the so-called Occupational Safety and Health Management System (OSHMS).

e) To manage the functions performed by the trainees.

f) to monitor the development of the trainees in the teaching and practical phase.

g) Contacting family members in case of emergency.

In any case, the information will not be processed for a period longer than the duration of the applicant's relationship with the company, which in no case may exceed two (2) years, and the additional time required in accordance with the legal or contractual circumstances that make it necessary to handle the information.

9.3 Processing of personal customer data:

ARANDA SOFTWARE ANDINA S.A.S. collects the personal data of its customers and stores them in a database which is classified by the Company as confidential, and will only be disclosed with the express authorisation of the owner or when requested by a Competent Authority.

The purposes for which the personal data of ARANDA SOFTWARE ANDINA S.A.S. customers are used will be:

a) Process of control and accounting registration of the obligations contracted with clients.

b) Compliance with tax and legal aspects before public and regulatory entities.

c) Fulfilment of contractual obligations, whereby the information may be transferred to third parties, such as financial institutions, allied third parties, notaries, lawyers, etc.

d) Compliance with judicial decisions and administrative, legal, fiscal and regulatory provisions.

e) Transmission of information and personal data in audit processes.

(f) Administrative management for the execution of the pre-contractual, contractual and post-contractual stages.

g) Creation of the client on the Company's platforms or software

h) Ensuring the provision of services for the development, production and marketing of software projects.

(i) Ensure compliance with their rights under Law 1581 of 2012.

j) To carry out commercial prospecting and marketing activities.

k) Evaluate customer service and conduct satisfaction surveys.

l) Share the information with third party allies that collaborate with the company, considering that for the fulfilment of their duties they must have access to some extent to the information, which will also be subject to the obligations of confidentiality, handling of information and protection of personal data to which this company is subject.

m) To process requests, complaints or claims established directly by the customer through the customer service channels.

n) Contacting the client by physical and electronic means - email, SMS or chat to send information of interest or related to the contractual relationship, to invite him/her to training or to the portfolio of services.

o) Maintain business contact with the Company, even after the contractual relationship has ended.

p) Consult as a good business practice or legal obligation, Clinton and UN background information, in order to prevent money laundering and terrorist financing.

(q) INCLUDE OTHERS WHICH IT CONSIDERS TO BE MISSING

In any case, the information will not be processed for a period longer than the duration of the contractual relationship between the client and the Company, and the additional time required in accordance with the legal or contractual circumstances that make the handling of the information necessary.

9.3 Processing of personal data of Suppliers and Contractors

ARANDA SOFTWARE ANDINA S.A.S. collects the personal data of its suppliers and contractors and stores them in a database which, although it is mostly made up of public data, is classified by the company as confidential, and which, in the case of private data, will only be disclosed by the company with the express authorisation of the owner or when requested by a Competent Authority.

The purposes for which the personal data of the Suppliers and Contractors of ARANDA SOFTWARE ANDINA S.A.S. are used will be:

(a) Manage accounts receivable submitted by suppliers or contractors.

(b) Keeping a record of the contributions made to the social security system by contractors

c) Carrying out evaluations and selection of potential suppliers.

d) Compliance with tax and legal aspects with public and regulatory bodies

e) Control and payments for goods and services received.

f) Qualitative and quantitative assessments of the levels of service received from suppliers.

(g) Control and accounting process for obligations to suppliers and contractors.

h) Sending invitations to contract and making arrangements for the pre-contractual, contractual and post-contractual stages.

i) Others specifically established in the authorisations granted by the suppliers themselves.

ARANDA SOFTWARE ANDINA S.A.S. will only collect from its suppliers and contractors the data that are necessary, relevant and not excessive for the purpose of selection, evaluation and execution of the contract in question. The collection of personal data of the suppliers' employees by ARANDA SOFTWARE ANDINA S.A.S. will in any case have the purpose of verifying the suitability and competence of the employees; that is, once this requirement has been verified, ARANDA SOFTWARE ANDINA S.A.S. will return such information to the Supplier, except when its conservation is expressly authorised.

In any case, the information will not be processed for a period longer than the duration of the relationship of the Supplier and contractors with the company, and the additional time required in accordance with the legal or contractual circumstances that make the handling of the information necessary.

9.4 Processing of personal data of shareholders

ARANDA SOFTWARE ANDINA S.A.S. collects the personal data of its shareholders and stores them in a database which is classified by the company as confidential, and which will only be disclosed by the company with the express authorisation of the owner or when requested by a Competent Authority.

The purposes for which the personal data of the Shareholders are used will be:

a) Enable the exercise of the duties and rights deriving from the status of shareholder

b) To allow the sending of invitations to events scheduled by the company.

c) Issue certifications regarding the relationship of the Registrant with the company.

d) To comply with the precepts and regulations established in the Commercial Code and other applicable regulations.

e) To summon or invite him to the various meetings of a corporate nature which he must attend in his capacity as shareholder.

In any case, the information shall not be processed for a period longer than the duration of the company's existence, and such additional time as may be required in accordance with the legal or contractual circumstances that make it necessary to handle the information.

9.5 Processing of Visitors' personal data at the Entry Control:

ARANDA SOFTWARE ANDINA S.A.S. collects personal data of its visitors through forms and surveys that may include sensitive personal data such as temperature or health status of third parties in compliance with the Company's biosecurity protocols. This information is stored in a database which is classified by the entity as confidential, and will only be disclosed by the Company with the express authorisation of the owner or when requested by a Competent Authority.

The purposes for which the personal data of those who enter the facilities of ARANDA SOFTWARE ANDINA S.A.S. are used will be:

a) Ensure entry to the Company's premises to persons who are authorised to enter freely and restrict passage to those who are not authorised.

b) To ensure security in the monitored environments.

c) To provide suitable working environments for the safe performance of activities within the Company.

d) To comply with the obligations stipulated in the Occupational Health and Safety Management System.

(e) comply with the biosecurity protocols implemented by the Company.

In any case, the information will not be processed for a period of more than one (1) year from its collection in accordance with the legal or contractual circumstances that make the handling of the information necessary.

In accordance with the provisions of External Circular 008 of 2020 of the Superintendence of Industry and Commerce, the data collected to comply with the biosecurity protocols shall only be used for the purposes indicated by the Ministry of Health and Social Protection, and shall only be stored for the reasonable and necessary time to comply with said protocols. Once the purpose of the Processing of Personal Data has been fulfilled, the Company will automatically delete the data collected.

9.6 Processing of personal data on the Website

ARANDA SOFTWARE ANDINA S.A.S. collects personal data from interested third parties through its website and stores them in a database which is classified by the company as confidential, and will only be disclosed with the express authorisation of the owner or when requested by a Competent Authority.

The purposes for which the personal data contained in the website of ARANDA SOFTWARE ANDINA S.A.S. are used will be:

a) Enable communication with customers or third parties through the contact us section.

b) To publish events or news of interest.

c) Receive and process complaints and claims from third parties.

d) Legal, accounting, administrative, commercial, promotional, informational, marketing and sales purposes.

e) Carrying out promotion, marketing, advertising and publicity campaigns.

f) Publicise the company's portfolio of services.

In any case, the information will not be processed for a period longer than that agreed with the third party or user through a contract or authorisation to use their personal data counted from its collection in accordance with the legal or contractual circumstances that make the handling of the information necessary.

9.7 Processing of personal data from Video Surveillance Registration

ARANDA SOFTWARE ANDINA S.A.S. collects biometric data of its workers and visitors through its Surveillance Cameras and stores them in a database which is classified by the company as confidential, and will only be disclosed with the express authorization of the owner or when requested by a Competent Authority.

The purposes for which the personal data contained in the ARANDA SOFTWARE ANDINA S.A.S. Surveillance Cameras are used will be:

a) Ensuring safe working environments.

b) To provide suitable working environments for the safe conduct of the company's work activities.

c) Control the entry, stay and exit of employees and contractors on company premises.

In order to comply with the duty of information that corresponds to ARANDA SOFTWARE ANDINA S.A.S. as administrator of personal data, the company will implement Privacy Notices in the areas where the capture of images involving the processing of personal data is carried out.

In any case, the information will not be processed for a period of more than 30 days from its collection in accordance with the legal or contractual circumstances that make it necessary to handle the information.

9.8 Processing of Biometric Control personal data

ARANDA SOFTWARE ANDINA S.A.S. collects biometric data of its employees and stores them in a database which is classified by the company as confidential, and will only be disclosed with the express authorization of the owner or when requested by a Competent Authority.

The purposes for which the personal data contained in the ARANDA SOFTWARE ANDINA S.A.S. Surveillance Cameras are used will be:

a) Ensuring safe working environments.

b) Allow access only to authorised personnel.

c) Control the entry, stay and exit of employees on company premises.

In any case, the information shall not be processed for a period longer than the duration of the employment relationship with the employee.

9.9 Processing of personal data of Prospective Clients:

ARANDA SOFTWARE ANDINA S.A.S. has a register of Prospective Customers, whose information has been collected by the Company with the express authorization of the Holder through events or through the completion of requests for quotations by the same. ARANDA SOFTWARE ANDINA S.A.S. stores such information in a database which is classified by the company as confidential, and will only be disclosed with the express authorization of the owner or when a Competent Authority requests it.

The purposes for which the personal data of the Prospects of Clients of ARANDA SOFTWARE ANDINA S.A.S. are used will be:

a) Sending invitations to events scheduled by the company.

b) Send information on projects offered by the company to interested persons.

c) Verify compliance with the requirements established by the Company to access a project, agreement or contract.

d) To carry out commercial prospecting and marketing operations.

e) To process queries, complaints or claims submitted by data subjects.

f) To produce management reports and internal statistics.

g) Guarantee the exercise of their right to Habeas Data (queries, complaints and claims about updating, correction, suppression or deletion of data).

In any case, the information shall not be processed for a period longer than that agreed with the prospect through an authorisation to use his or her personal data counted from the time of its collection in accordance with the legal or contractual circumstances that make the handling of the information necessary.

9.10 Processing of personal data of candidates or applicants in selection processes:

ARANDA SOFTWARE ANDINA S.A.S. collects the personal data of the candidates or applicants of the selection processes carried out by the Company and stores them in a database which is classified as confidential, and will only be disclosed with the express authorization of the owner or when requested by a Competent Authority.

The purposes for which the personal data of the applicants of the selection processes carried out by ARANDA SOFTWARE ANDINA S.A.S. are used will be:

(a) Carrying out internal and external administrative management for the transparent implementation of the staff selection process.

b) Sending of communications programmed by the Company to carry out different selection tests.

c) To corroborate any requirement that may arise in the course of the selection process.

d) Verification of the applicant's employment, academic and personal references.

(e) To carry out the overall recruitment process for selected staff.

f) Conduct security surveys and home visits.

All personal data provided by the applicant or applicant will become part of a "Talent Bank", which the Company, as the Responsible Party, may use for current and future selection processes in which the applicant's profile is suitable. The databases where this information is stored have the necessary security measures to guarantee the total security of the data supplied during the selection process. In any case, the information will not be processed for a period longer than that authorised by the applicant and for such additional time as may be required in accordance with the legal or contractual circumstances that make it necessary to handle the information.

All personal data provided by the applicant or applicant will become part of a "Talent Bank", which the Company, as the Responsible Party, may use for current and future selection processes in which the applicant's profile is suitable. The databases where this information is stored have the necessary security measures to guarantee the total security of the data supplied during the selection process. In any case, the information will not be processed for a period longer than that authorised by the applicant and for such additional time as may be required in accordance with the legal or contractual circumstances that make it necessary to handle the information.

10. INTERNATIONAL TRANSFER AND TRANSMISSION OF PERSONAL DATA

ARANDA SOFTWARE ANDINA S.A.S. does not currently perform international transmission or transfer of personal data. In the event that it decides to carry out the International Transfer of personal data, in addition to having the express and unequivocal authorisation of the Data Subject, it will ensure that the action provides adequate levels of data protection and meets the requirements set out in Colombia by the Statutory Law 1581 of 2012 and its regulatory decrees.

On the other hand, when ARANDA SOFTWARE ANDINA S.A.S. decides to carry out international data transmission, it may do so without the authorization of the owners, as long as it guarantees the security of the information, confidentiality and the conditions that regulate the scope of data processing, in accordance with the provisions of Article 10 of Law 1581 of 2012.

11. DATA ON CHILDREN AND ADOLESCENTS

ARANDA SOFTWARE ANDINA S.A.S. does not directly process the personal data of minors; however, in particular, the Company collects and processes the personal data of the minor children of its employees for the sole purpose of complying with the obligations imposed by law on employers in relation to affiliations to the social security and parafiscal systems, as well as compliance with the family working day (Law 1857 of 2017), and in particular to allow the enjoyment of the fundamental rights of children to health, recreation and the right to a family.

In any case, ARANDA SOFTWARE ANDINA S.A.S. will collect when appropriate the respective authorisation from their legal representatives for their treatment, always bearing in mind the best interests of the minor and respect for the prevailing rights of children and adolescents enshrined in Article 44 of the Political Constitution of Colombia.

12. PROCEDURE FOR DEALING WITH QUERIES, CLAIMS AND PETITIONS, AND MECHANISMS FOR EXERCISING THE RIGHTS OF THE OWNERS.

The Data Subject, their successors in title, their representative and/or proxy, or whoever is determined by stipulation in favour of another; may exercise their rights by contacting us through written communication addressed to the administrative area in charge of the protection of personal data in the company. The communication may be sent to the following e-mail address: protecciondedatos@arandasoft.com or through written communication to the following address: Diagonal 97 # 17 - 60 Office 702 Bogotá D.C.

12.1 Consultations

It will be possible to consult the personal information of the Holder that is in the databases of ARANDA SOFTWARE ANDINA S.A.S. and the company will be responsible for providing all the information contained in the individual record or that is linked to the identification of the applicant.

The consultation, once received by the company, will be dealt with within a maximum of ten (10) working days from the date of receipt of the same.

If it is not possible to deal with the consultation within this period, the interested party shall be informed, stating the reasons for the delay and indicating the new date on which the consultation will be dealt with, which in no case may exceed five (5) working days following the expiry of the first period.

12.2 Complaints

When it is considered that the information contained in a database of ARANDA SOFTWARE ANDINA S.A.S. should be corrected, updated or deleted, or when the alleged breach of any of the duties contained in the Habeas Data Law is noticed, claims may be filed with ARANDA SOFTWARE ANDINA S.A.S. which will be processed under the following rules:

  1. The claim shall be made by written communication addressed to ARANDA SOFTWARE ANDINA S.A.S. with the identification of the Holder, the description of the facts that give rise to the claim, the address, and accompanying documents that you want to assert.
    If
    the claim is incomplete, the interested party will be required within five (5) days of receipt of the claim to rectify the faults. After two (2) months from the date of the request, without the applicant submitting the required information, it will be understood that the claim has been withdrawn.
    In the event that ARANDA SOFTWARE ANDINA S.A.S. receives a Claim which is not competent to resolve it, the company will transfer it to the person who actually corresponds within a maximum period of two (2) working days and will inform the Holder.
  2. Once the complete claim has been received, the company will include a legend in the respective database stating "claim in process" and the reason for the claim, within a period of no more than two (2) working days. The company will keep this legend on the data under discussion until the claim is decided.
  3. The maximum term to address the claim will be fifteen (15) working days from the day following the date of receipt. When it is not possible to address the claim within this period, the company will inform the Holder of the reasons for the delay and the new date on which the claim will be addressed, which in no case may exceed eight (8) working days following the expiration of the first term.

MINIMUM CONTENT OF THE APPLICATION

Requests submitted by the holder in order to make a query or complaint about the use and handling of his personal data must contain minimum specifications, in order to provide the holder with a clear and coherent response to the request. The requirements of the request are:

a) be addressed to ARANDA SOFTWARE ANDINA S.A.S.

b) Contain the identification of the Holder (Name and Identification Document).

(c) contain a description of the facts giving rise to the enquiry or complaint.

d) The subject matter of the request.

e) Indicate the Holder's physical and/or electronic (e-mail) notification address.

f) Attach the documents you wish to assert. (Especially for complaints)

In the event that the query or claim is submitted in person, the Data Subject shall submit the request or claim in writing, without any formality other than the requirements set out in the previous point.

12.3 Procedural requirement

The Data Subject, his or her successors in title, his or her representative and/or proxy, or whoever is determined by stipulation in favour of another; may only file a complaint before the Superintendence of Industry and Commerce for the exercise of his or her rights once he or she has exhausted the consultation or complaint procedure directly with the company.

12.4 Request for update and/or rectification

ARANDA SOFTWARE ANDINA S.A.S. will rectify and update, at the request of the holder, the information that is inaccurate or incomplete, according to the procedure and the terms indicated above, for which the Holder must submit the request according to the channels provided by the company, indicating the update and rectification of the data and in turn must provide documentation to support such a request.

13. Revocation of the authorisation and/or deletion of the Data

The Data Subject may revoke at any time the consent or authorisation given for the processing of his or her personal data, provided that there is no impediment enshrined in a legal or contractual provision.

The Data Subject also has the right to request at any time to ARANDA SOFTWARE ANDINA S.A.S. the suppression or elimination of his personal data when:

a) Considers that they are not being treated in accordance with the principles, duties and obligations provided for in the regulations in force.

(b) are no longer necessary or relevant for the purpose for which they were obtained.

(c) the time necessary for the fulfilment of the purposes for which they were obtained has elapsed.

Such deletion implies the total or partial elimination of personal information, as requested by the owner in the registers, files, databases or processing carried out by ARANDA SOFTWARE ANDINA S.A.S.

The right of cancellation is not absolute and therefore ARANDA SOFTWARE ANDINA S.A.S. may deny revocation of authorisation or deletion of personal data in the following cases:

a) The data subject has a legal or contractual duty to remain in the database.

(b) the deletion of data would hinder judicial or administrative proceedings related to tax obligations, the investigation and prosecution of criminal offences or the updating of administrative penalties.

c) The data are necessary to protect the legally protected interests of the data subject; to carry out an action in the public interest; or to comply with an obligation legally acquired by the data subject.

14. MODIFICATION OF POLICIES

ARANDA SOFTWARE ANDINA S.A.S. reserves the right to modify the Processing and Protection of Personal Data Policy at any time. However, any modification will be communicated in a timely manner to the holders of personal data through the usual means of contact with ten (10) working days prior to its entry into force.

In the event that a Data Subject does not agree with the new General or Special Policy and with valid reasons that constitute a just cause for not continuing with the authorisation for the processing of personal data, the Data Subject may request the company to withdraw his/her information through the channels indicated in Chapter 12. However, Data Subjects may not request the withdrawal of their personal data when the company has a legal or contractual duty to process the data.

15. VALIDITY

This Policy is effective as of June 2021.