TREINTAYSEIS GRADOS S.A.S. (hereinafter the “Company”), a company incorporated in accordance with the laws of the Republic of Colombia and identified with Nit. 900.482.446-3, in compliance with the provisions of Law 1581 of 2012 which aims to develop the constitutional right of all people to know, update and rectify the information that has been collected about them in databases or files and that it is susceptible to treatment and the other rights, freedoms and constitutional guarantees referred to in article 15 of the Political Constitution of 1991; as well as the right to information included in article 20 of the same norm; and Decrees 1377 of 2013, 886 of 2014, 1074 of 2015 and/or other regulations that modify and/or add and/or replace them, which regulate the protection of personal data and using the legal guarantees that all people must comply with. in Colombia for the proper treatment of said information, develops the following policy for the treatment of personal data (hereinafter the “Policy”) that assists customers, shareholders, suppliers and employees within the Company, it is the Company formulate the following policies: 

I. DEFINITIONS 

For the purposes of this Policy, it is understood as:

1. Authorization: Prior, express and informed consent of the Holder to carry out the Processing of Personal Data.
2. Database: Organized Set of Personal Data that is subject to Processing.
3. Personal Data: Any information linked or that may be associated with one or more specific or determinable natural persons.
4. Responsible for the Treatment: Natural or legal person, public or private, that by itself or in association with others, decides on the Database and/or the Treatment of the data.
5. Person in Charge of Treatment: Natural or legal person, public or private, that by itself or in association with others, performs the Treatment of Personal Data on behalf of the Person Responsible for Treatment.
6. Owner: Natural person whose Personal Data is subject to Treatment.
7. Treatment: Any operation or set of operations on Personal Data, such as collection, storage, use, circulation or deletion.
8. Public data: It is that data classified as such according to the mandates of the law or the Constitution. The data contained in public documents, executed judicial sentences that are not subject to reservation and those related to the civil status of people are public, among others.
9. Semi-private data: Semi-private data is data that is not of an intimate, reserved, or public nature and whose knowledge or disclosure may be of interest not only to its Owner, but also to a certain sector or group of people or to society in general, such as financial data and loans from commercial activities.
10. Private data: It is the data that, due to its intimate or reserved nature, is only relevant to the Holder.
11. Sensitive data: those related to racial or ethnic origin, membership in trade unions, social or human rights organizations, political or religious convictions, sexual life, biometrics or health data. This information may be provided by the Holder of these data.
12. Privacy Notice: physical or electronic document generated by the ata Controller that is made available to the Holder with information regarding the existence of the Information Processing Policy, which will be applicable. Likewise, it contains the way to access it and the characteristics of the Treatment that is intended to be given to personal data.

II. APPLICABLE PRINCIPLES TO THE PROCESSING OF PERSONAL DATA

In the development, interpretation and application of the Personal Data Protection Law, the protection of Personal Data in the Company will be subject to the following principles:

• Legality: Data processing in Colombia is a regulated activity, which must be subject to the established in the aforementioned regulations and in the other provisions that develop it. Therefore, the business processes and recipients of this standard must be subject to this regulations.

• Purpose: The processing of data must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Holder in a concrete and precise manner.

• Temporary limitations to Data Processing: Once the purpose of the Processing has been fulfilled, the Company must proceed to delete the Personal Data. Notwithstanding the foregoing, the Company must comply with all legal and contractual obligations regarding the Processing of Personal Data. 

• Freedom: Data processing can only be exercised with the prior, express and informed consent of the Holder. Therefore, Personal Data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves consent.

• Truthfulness: The information subject to Processing must be truthful, complete, exact, up-to-date, verifiable and understandable. The Processing of partial, incomplete, fragmented or misleading data is prohibited.

•  Transparency: In the Processing of data, the Holder’s right to obtain from the Data Controller or the Data Processor, at any time and without restrictions, information about the existence of data that concerns him or her must be guaranteed.

• Access and restricted circulation: Data Processing is subject to the limits derived from the nature of Personal Data and the limits established by Law. Finally, Processing can only be done by a person authorized by the Holder and by the other persons authorized by Law. For these purposes, the obligation of the Company will be mediate. The data provided by the Holder may not be available on the internet or other mass communication media, unless it is public information or unless access to said information is technically controllable to provide restricted knowledge only to the Holders or third parties authorized by the Law.

• Security: The information subject to Treatment by the Company must be handled with the technical, human and administrative measures that are necessary to provide security to the records, avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.

• Confidentiality: All persons in the Company involved in the Processing of Personal Data that are not of a public nature are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks that comprise the Treatment, being able to only supply or communicate Personal Data when this corresponds to the development of activities authorized by Law.

• Sensitive Data: The Company will not collect sensitive Data, which are those that affect the privacy of the Holder or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious convictions or philosophical, membership in unions, social organizations, human rights or that promotes the interests of any political party or that guarantees the rights and guarantees of opposition political parties as well as data related to health, sexual life and biometric data .

III. SCOPE

This Policy applies to all employees of the Company, applicants to be hired by it, former employees, representatives, agencies, suppliers, allies and all headquarters and branches nationwide that have any activity related to Personal Data Processing. ; includes the information of Personal Data of clients, employees, suppliers, contractors, strategic allies, linked and partners.

IV. RIGHTS OF THE DATA HOLDERS

The rights of the Holder are:

1. Know, update and rectify their personal data in front of the Treatment Managers or Treatment Managers. This right may be exercised, among others, against inaccurate partial data, incomplete fractional data that lead to error, or those whose Treatment is prohibited or has not been authorized.
2. Request proof of the Authorization granted to the Data Controller except when expressly exempted by law.
3. Be informed by the Treatment Manager, upon request, regarding the use that has been given to their personal data.
4. Submit complaints to the Superintendence of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and other regulations that modify, add or complement it.
5. Revoke the Authorization and/or request the elimination of the data when the principles, constitutional rights and legal guarantees are not respected in the Treatment. The revocation and/or deletion will proceed when the Superintendence of Industry and Commerce has determined that in the Treatment the Responsible or the Person in Charge have incurred in conduct contrary to the law and the Constitution.
6. Free access to your Personal Data that has been subject of Processing.

To consult, know, update, rectify, delete or revoke any type of information, the Holder must submit a written request to the Person in Charge of the Processing of personal data, by means the reason for which wishes to perform any of the aforementioned procedures.

V.DUTIES THAT THE RESPONSIBLE HAS WITH THE HOLDERS OF THE DATA

The Company, in its capacity as Responsible, assumes the following duties, without prejudice to those others provided for in the provisions that regulate or could regulate this matter:

1. Guarantee the Holder, at all times, the full and effective exercise of the right of habeas data;
2. Request and keep, under the conditions provided by law, a copy of the respective Authorization granted by the Holder.
3. Duly inform the Holder about the purpose of the collection and the rights that assist him by virtue of the Authorization granted.
4. Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent Access.
5. Guarantee that the information provided to the Treatment Manager is true, complete, accurate, updated, verifiable and understandable.
6. Update the information, promptly communicating to the Person in Charge of the Treatment, all the news regarding the data that has previously been provided and adopt the other necessary matters so that the information provided to it is kept up to date.
7. Rectify the information when it is incorrect and communicate the pertinent changes to the Treatment Manager.
8. Provide the Person in Charge of Treatment, as the case may be, only data whose treatment is previously authorized by law.
9. Require the Treatment Manager at all times to respect the security and privacy conditions of the Holder’s information.
10. Transact queries and claims made in the terms provided by law.
11. Adopt an internal manual of policies and procedures to guarantee adequate compliance with the law and, in particular, for dealing with queries and complaints.
12. Inform the Person in Charge of Treatment when certain information is under discussion by the Holder, once the claim has been filed and the respective procedure has not been completed.
13. Inform at the request of the Owner about the use given to their data.
14. Inform the data protection authority when there are violations of the security codes and there are risks in the administration of the Holders’ information.
15. Fulfill the instructions and requirements issued by the Superintendency of Industry and Commerce of Colombia.
16. Use only data whose Treatment is previously authorized in accordance with the provisions of Law 1581 of 2012 (Colombia goverment)
17. Refrain from circulating information that is being controversial by the Holder and whose blocking has been ordered by the Superintendence of Industry and Commerce;
18. Allow access to information only to people who can have access to it;
19. Use the personal data of the Holder only for those purposes for which it is duly empowered and respecting in all cases the current regulations on personal data protection.

VI. DUTIES OF THE DATA PROCESSOR

Those in Charge of Treatment must comply with the following duties, without prejudice to the other provisions set forth in the Law.

1. Guarantee to the Holder, at all times, the full and effective exercise of the right of habeas data.
2. Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access;
3. Perform timely updating, rectification or deletion of data under the terms of Law 1581 of 2012 (Colombian Laws).
4. Update the information reported by the Treatment Managers within five (5) business days from its receipt.
5. Process queries and claims made by the Holders in the terms indicated in this Policy.
6. Adopt an internal manual of policies and procedures to guarantee adequate compliance with Law 1581 of 2012 and, especially, for the attention of queries and claims by the owners.
7. Record in the Database the legend “claim in process” in the manner in which it is regulated in this Policy.
8. Insert in the Database the legend “information under judicial discussion” once notified by the competent authority about judicial processes related to the quality of the Personal Data.
9. Refrain from circulating information that is being controversial by the Holder and whose blocking has been ordered by the Superintendency of Industry and Commerce.
10. Allow access to information only to people who can have access to it;
11. Inform the Superintendence of Industry and Commerce when there are violations of the security codes and there are risks in the administration of the information of the Holders;
12. Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

First Anottation: In the event that the qualities of Treatment Manager and Treatment Manager concur in the same person, compliance with the duties provided for each one will be required.

Second Anottation: When the Company delegates its function as Person in Charge of the Processing of Personal Data to a third party, the third party that assumes this responsibility must comply with all the obligations that are stipulated in this Policy and respect all the rights of the Owner.

VII. CASES IN WHICH THE COMPANY DOES NOT REQUIRE AUTHORIZATION FOR THE PROCESSING OF DATA IN ITS POSSESSION

The Authorization of the Holder will not be necessary in the case of:

1. Information required by a public or administrative entity in the exercise of its legal functions or by court order;
2. Data of a public nature, that is, data that is not semi-private, private or sensitive and may be contained, among others, in public records and documents, official gazettes, bulletins or court rulings.
3. Cases of medical or health emergency.
4. Treatment of information authorized by law for historical, statistical or scientific purposes;
5. Data related to the Civil Registry of people.

VIII. TREATMENT TO WHICH THE DATA WILL BE SUBJECTED AND PURPOSE OF IT 

The processing of personal data of employees, suppliers, customers, shareholders or any person with whom the Company has established or establishes a relationship, whether permanent or occasional, will be carried out within the legal framework of the matter.

In any case, personal data may be collected and processed to.

1. Carry out the sending of information related to products and other goods or services offered by the Company.
2. The development of the Company’s purpose.
3. Comply with the regulations applicable to shareholders, suppliers and contractors, including, but not limited to, tax and commerce regulations.
4. Comply with the provisions of the Colombian legal system in labor and social security matters, among others, applicable to former employees, current employees and candidates for future employees.
5. Comply with all contractual commitments.

IX. SPECIFIC POLICIES FOR THE PROCESSING OF PERSONAL DATA.

The operations that constitute the Processing of Personal Data by the Company, in its capacity as Responsible for the Treatment, will be governed by the provisions set forth below:

FOCUS GROUPS

• Processing of data of the Company’s employees.

• Data processing before the contractual relationship

The Company will inform in advance, by means of a written document containing the Owner’s Authorization, which will refer to this Policy, which will also be available on the Company’s website, to those who are interested in working with it, the applicable rules to the Treatment of Personal Data provided by the interested party, as well as the Treatment that will be given to the data obtained during the selection process.

When the Company contracts with a third party to carry out selection processes, said contract will establish that the data collected in said process must be treated in compliance with the provisions of this Personal Data Protection Policy.

The data that is delivered to the Company due to a selection process will not be used for purposes other than those aimed at selecting a person to be linked to it, and any other use is totally prohibited.

The collection of Sensitive Data during this process will be done with the prior express Authorization of the Owner, for which it must be reported before starting the process, which data is considered Sensitive Data, in accordance with the definition provided by the Law and this Policy, what is the purpose sought with them and what will be their Treatment.

• Data processing during the contractual relationship:

The Company will store the Personal Data obtained during the selection process of the employees who are linked to it, prior Authorization of the same, which will be recorded in the corresponding learning or work contract and which refers to this Policy, which in the same form will be available on the Company’s website, in a folder, both physical and electronic, identified with the name of each one of them.

Access to these folders is only authorized for people who work in the Human Management area and the Administrative area of the Company, for the sole purpose of managing the relationship between the Company and the employee.

The use of this information for purposes other than those established within the respective internship or work contract and the authorizations signed by the employees, is prohibited, and will only be admissible in cases where there is an order from a competent authority, whether judicial or administrative among others, as long as it is empowered to request it. Due to the foregoing, it is a duty of the Company, and especially of the Person in Charge or Person in Charge of the Processing of Personal Data, to evaluate whether or not said authority is competent to request said information, in order to prevent the unauthorized transfer of Personal Data. to third parties outside the Company

For the collection of Sensitive Data during the employment relationship, an express Authorization of the Holder of the same will be required, different from that contained in the employment contract and which must be included in an attached document, for which it must be informed that Data is considered sensitive, in accordance with the legal definition and that contemplated in this Policy, in addition to informing you of the purpose of the same and what its Treatment will be.

In the event that the Company hires external services for Data Processing, the employee must, within the express Authorization for Processing by the Company, authorize the transfer of their data to that third party.

• Data treatment after the employment relation has ended

Once the employment relationship has ended, for any of the reasons contemplated in the employment contract or in the law, the Company will proceed to store the data obtained before and during the employment relationship, with the prior written authorization of the Holder thereof, either that this is contained in the employment contract or in an attached document, which will likewise refer to this Policy, which will be contained on the Company’s website, in a central physical and electronic file, to fulfill the following purposes:

i.)Comply with Colombian or foreign law, if applicable, and judicial, administrative or private entity orders in the exercise of public functions; ii.) Issue certifications related to the relationship of the Holder of said data, that is, the worker, with the Company: iii.) Statistical or historical purposes.

The Company, in addition, may make use of these Databases for all those actions related to the powers, obligations and duties granted by law due to its capacity as employer. Likewise, for all those related, complementary or similar activities that you must carry out as an employer.

• Treatment of personal data of customers:

The Company will store the Personal Data of those who decide to contract the services of the same obtained during the pre-contractual, contractual and post-contractual stage, through the Authorization contained in the business proposal or document attached to it, which will refer directly to this Policy, which is also contained on the Company’s website, in a folder in electronic format, identified with the name of each of them. These folders can only be accessed by those employees of the Company who have Authorization from the Person in Charge or the Person in Charge of the Processing of Personal Data, and whose purpose is to administer the contractual relationship between the Company and the Client.

In the event that the Company hires the external services of a third party to carry out its corporate purpose and that involves the Processing of Personal Data, this third party will act as the Person in Charge of data collection. The Company must guarantee that the collection of Personal Data by third parties is carried out by obtaining the due express Authorization from the owner of the data stating the approval of the transfer of their data to that third party, who will assume the same responsibilities that it has the Company in this Policy.

1. Treatment of personal data of shareholders:

The data and personal information of the natural persons who become shareholders of the Company, will be considered as reserved information, since said information is registered in the trade books and has the condition of reserved by provision of the Law. However, this information may be disclosed in the cases established by the rules that regulate the public stock market or by order of a competent authority.

To access this information, must proceed in accordance with the provisions of the Commercial Code, Law 1258 of 2008 and other regulations that regulate said matter (Colobian Laws).

The purpose that the Company has with the handling of the personal information of the shareholders is the following:

1. Allow the exercise of the rights and duties that derive from the quality of shareholder; ii. Sending invitations, summons to events and meetings scheduled by the Company; iii. Release of certificates related to the relationship of the Data Owner with the Company iv. Others authorized by the Holder-Shareholder.

The data of the shareholders will be collected and stored with the reservation mentioned above, through the express authorization of their owners, which will be contained in a written document signed by each shareholder and which refers to this Policy, which Likewise, it may be consulted on the Company’s website.

1. Treatment of Personal Data of Purveyors.

The Company will only collect from its suppliers, the data that is necessary, pertinent and useful, but not excessive, in order to be able to select, evaluate and execute the obligations that arise from each relationship. Obtaining said data will be done through a supplier registration format, in which the Authorization by the supplier will be contained, and which likewise refers to this Policy, which will also be available on the website of the Company.

 This type of data will be collected for the fulfillment of the following purposes: 

1. i. Carrying out procedures in the different stages of the contract (Pre-contractual, contractual and post-contractual); ii. Those that are established in the corresponding contract and in the authorizations that are granted by the suppliers, when these are required; iii. Verify the moral suitability and competence of the supplier and its employees. In this case, once the suitability of the supplier has been verified, said information will not be stored by the Company in any Database, but will be returned to the supplier, unless the latter authorizes this information to be stored.

X. MODIFITION OF THE POLICY.

The Company reserves the right to modify the Personal Data Protection Policy at any time. Any modification will be communicated in a timely manner to the Holders of the data through the usual means of contact and/or through the website: http://36grados.com/ fifteen (15) business days prior to its entry.

In case of not agreeing for valid reasons and that they constitute a just cause with the new policies for handling Personal Data, the Holders of the information or their representatives may request the Company to withdraw their information through the means previously indicated in this Policy. However, it will not be possible to request the withdrawal of said information while maintaining a link of any order with the entity or obeying a legal obligation.

XI. QUERIES AND CLAIMS

The holders or their successors in title may consult the personal information of the Holder that resides in any Database of the Company. The Treatment Manager must provide them with all the information contained in the individual record or that is linked to the identification of the Holder.

The query will be formulated by the means authorized by the Treatment Manager as long a proof of it can be maintained. 

The query will be answered within a maximum term of ten (10) business days from the date of receipt of the query. When it is not possible to attend the query within said term, the interested party will be informed, stating the reasons for the delay and indicating the date on which their query will be attended, which in no case may exceed five (5) business days following the expiration of the first term.

The Holder of the Personal Data object of the Treatment or his successors in title who consider that the information contained in a Database must be subject to correction, update or deletion, or when they notice the alleged breach of any of the duties contained in this Policy and In the law, they may file a claim with the Treatment Manager or the Treatment Manager, which will be processed under the following rules:

1. The claim will be made by means of a request addressed to the Treatment Manager, with the identification of the Holder, the description of the facts that give rise to the claim, the address, and accompanying the documents that are to be asserted. If the claim is incomplete, the interested party will be required within five (5) days after receipt of the claim to correct the faults. After two (2) months from the date of the request, without the applicant submitting the required information, it will be understood that he has withdrawn the claim. 

In the event that the person who receives the claim is not competent to resolve it, it will transfer it to the appropriate person within a maximum term of two (2) business days and will inform the interested party of the situation.

2. Once the complete claim is received, it will be included in the Database, in a term not exceeding two (2) business days, a legend that says “claim in process” and the reason for it. Said legend must be kept until the claim is decided.
3. The maximum term to address the claim will be fifteen (15) business days from following day of the date of receipt. When it is not possible to address the claim within said term, the interested party will be informed of the reasons for the delay and the date on which his claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term date.

The Holder or successor in title may only file a complaint with the Superintendence of Industry and Commerce once they have exhausted the consultation or claim process before the Data Controller or the Data Processor.

XII. SECURITY INFORMATION AND SECURITY MEASURES.

In compliance with the safety principle established in current regulations The Company will adopt the technical, human and administrative necessary measures to provide security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.

XIII. INTERNATIONAL USE AND TRANSFER OF PERSONAL DATA AND PERSONAL INFORMATION BY THE COMPANY.

The Company, taking into account the nature of the permanent or occasional relationships that the Holder may have with it, may carry out the transfer and transmission, including international, of all the Personal Data, as long as they comply with the applicable legal requirements. Consequently, the Holders who accept this Policy, expressly authorize to transfer and transmit, even internationally Personal Data. The data will be transferred, for all relationships that may be established with the Company

For the international transfer of Personal Data of the Holders, the Company will take the necessary measures so that third parties know and commit to observe this Policy, under the understanding that the personal information they receive may only be used for matters directly related to the Company and only while they last and may not be used or intended for a different purpose. For the international transfer of Personal Data, the provisions of article 26 of Law 1581 of 2012 will be observed.

The Company may also exchange personal information with government or other public authorities (including, among other judicial or administrative authorities, tax authorities and criminal, civil, administrative, disciplinary and fiscal investigation bodies), and third parties involved in civil legal proceedings and its accountants, auditors, attorneys and other advisers and representatives, because it is necessary or appropriate: (a) to comply with applicable laws, including laws other than those of your country of residence; (b) to comply with legal process; (c) to respond to requests from government and public authorities, and to respond to requests from government and public authorities other than those in your country of residence; (d) to enforce our terms and conditions; (e) to protect our operations; (f) to protect our, yours, or any third party’s rights, privacy, safety, or property; and (g) obtain the applicable compensation or limit the damages that may affect us.

XIV. HABEAS DATA – CONTACT INFORMATION 

For the exercise of Habeas Data, the Holder of the personal data or whoever demonstrates a legitimate interest in accordance with what is indicated in the current legislation, may contact the Company through the following email: gerencia@36grados.com or by communication to the following address: CARRERA 43D # 14A 115. or call (604) 4483638

The person submitting the request should provide accurate data to process the request with due diligence on the part of the Company.

Quien presente la solicitud debería suministrar datos exactos para tramitar la solicitud con la diligencia adecuada por parte de la Compañía. 

XV. LAW AND  JURISDICTION. 

• Constitución Política de 1991, artículo 15 y artículo 20. 

• Ley 1266 de 2008 

• Ley 1581 de 2012

• Decreto reglamentario 1727 de 2009

• Decreto reglamentario 2952 de 2010

•  Decreto 1377 de 2013

•  Decreto 886 de 2014

XVI. VIGENCIA

This Personal Data Processing Policy is effective from January 27, 2022 and the Databases that contain the information of the owners will be valid for 10 years, extendable for equal periods.

TREINTAYSEIS GRADOS