The company DIVERSE S.A.S. domiciled in the city of Medellín, with address at Circular 3ª 68C- 21 , email address diversas@une.net.co and contact telephone number 4- 2604800 and identified with Nit 890.924.236-6, hereinafter the company, with a view to protect and ensure the holders of personal data a proper treatment of their personal information and in compliance with the stipulations outlined in Law 1581 of 2012, Decree 1377 of 2013 and the single Decree 1074 of 2015, proceeds to issue the following policy of treatment of information. The main purpose of this policy is to inform the holders of personal data, the rights they have, the procedures and mechanisms provided by the company to enforce those rights and let them know the scope and purpose of the treatment to which the personal data will be subjected.

TREATMENT AND PURPOSES

The registered database is administered by the section in charge within the company for the management of employees, customers, suppliers and others, it is treated in an automated manner and the purpose for which the information was collected is to keep a record of employees, income and withdrawals of personnel, payroll and social benefits; to keep a record of customers, for the preparation of sales invoices and collections, request account statements and reconciliations; to keep a record of suppliers is used to establish contact regarding the acquisition of goods and expenses of products related to the corporate purpose of the company; to keep a record of others. Likewise, those responsible, in charge or third parties that have access to personal data by virtue of law or contract or that could have it, will keep the treatment within the following purposes:

1. Manage all information necessary for compliance with legal obligations to employees, customers, suppliers and others.
2. Comply with the company’s internal processes regarding the administration of employees, customers, suppliers and others.
3. Comply with contracts entered into with employees, customers, suppliers and others.
4. The process of archiving, updating systems, protection and custody of information and databases of employees, customers, suppliers and others.
5. Processes within the company, for development or operational purposes and/or systems administration.
6. The transmission of data to third parties with whom contracts have been entered into for this purpose, for commercial, administrative, marketing and/or operational purposes, including, but not limited to, the issuance of cards, personalized certificates and certifications to third parties, in accordance with the legal provisions in force.
7. Maintain and process by computer or other means, any type of information related to the registration of employees, customers, suppliers and others.
8. The other purposes determined by those responsible in processes of obtaining personal data for processing, which are communicated to the holders at the time of collection of personal data, in order to comply with legal and regulatory obligations, as well as company policies.

MAIN DEFINITIONS

For the following information treatment policy, the parameters established in Law 1581 of 2012, which dictates the general provisions for the protection of data, will be taken into account and the definitions provided therein, seeking to provide a more complete protection of the personal data that the database has, will be taken into account:

“Article 3. Definitions. For the purposes of this law, the following definitions shall apply:

1. AuthorizationPrior, express and informed consent of the holder to carry out the processing of personal data;

1. Databaseorganized set of personal data that is the object of processing;

1. Personal DataPersonal Data: any information linked or that can be associated to one or several determined or determinable natural persons;

1. Data Processornatural or legal person, public or private, which by itself or in association with others, carries out the processing of personal data on behalf of the data controller;

1. Data ControllerNatural or legal person, public or private, who alone or in association with others, decides on the database and/or the processing of the data;

1. Data subject: natural person whose personal data is the object of processing;

1. Processingany operation or set of operations on personal data, such as collection, storage, use, circulation or deletion”.

PRINCIPLES

The company, in the development of its business activities will collect, use, store, transmit and perform various operations on the personal data of the owners. In all processing of personal data carried out by the company, those responsible, responsible and / or third parties to whom personal data is transferred must comply with the principles and rules established by law and in this policy, in order to guarantee the right to habeas data of the owners and comply with the obligations of law that the company has.

The principles to be taken into account when carrying out a treatment:

1. Legality of data processingThe company will be subject to the provisions of the law and the provisions that regulate it.

1. PurposeAll personal data processing activities carried out by the company shall obey the purposes mentioned in this policy or in the authorization granted by the holder of the personal data, or in the specific documents where each type or process of personal data processing is regulated. The purpose of the processing of personal data must be informed to the owner of the personal data at the time of obtaining his/her authorization. Personal data may not be processed for purposes other than those informed and consented to by the data owners. The purpose for which the personal data was collected obeys a legitimate purpose in accordance with the constitution and the law.

1. Freedom: The processing of personal data that the company performs is done with prior authorization from the holder or taking into account the grounds that relieve the consent of the holder and that are enshrined in the law.

1. Accuracy or quality of the dataThe personal data subject to processing must be truthful, complete, accurate, updated, verifiable and understandable. The company does not treat personal data that are partially, fractioned and that its treatment may induce an error that may harm the holder of the treatment of information, when these cases occur, the company will request the holder the necessary correction and update so that this situation does not continue to occur, in case of not being able to update the information the company will refrain from making a treatment on this data.

1. TransparencyUpon the holder’s request, the company shall provide a solution to the request made by the holder regarding the information contained in the database. The response to this request will be carried out directly by the privacy officer. The unit in charge of the treatment of the information will accompany the response process in the necessary cases.

1. Restricted access and circulationPersonal data may only be processed by company personnel who are authorized to do so, or who, as part of their duties, are in charge of carrying out such activities and have been authorized by the company. Personal data may not be given to those who do not have authorization or have not been authorized by the company to carry out the processing.

1. TemporalityAs a general rule, the company will not use the owner’s information beyond the reasonable period of time required by the purpose for which the owner of the personal data was informed.

Paragraph. In cases where there is special legislation on the subject, the information will be kept for the term indicated by the special law.

1. Restricted access: except for expressly authorized data: The company may not make personal data available for access through the internet or other mass media, unless technical and security measures are put in place to control access and restrict it to authorized persons only.

1. Safety: The company must always carry out the processing of information by providing the technical, human and administrative measures necessary to maintain the confidentiality of the data and to prevent it from being adulterated, modified, consulted, used, accessed, deleted, or known by unauthorized persons or by authorized and unauthorized persons in a fraudulent manner, or that the personal data is lost. Any new project involving the processing of personal data must consult this processing policy to ensure compliance with this rule.

1. Confidentiality and further processingAny personal data that is not public data must be treated as confidential by those responsible, even if the contractual relationship or the link between the owner of the personal data and the company has been terminated. Upon termination of such relationship, such personal data must continue to be treated in accordance with this policy and the law.

1. Individuality: The company shall maintain separately the databases in which it has the quality of person in charge or that could become so, from the databases in which it acts in the capacity of person in charge.

RIGHTS OF THE HOLDER OF THE PERSONAL DATA.

According to the law, holders of personal data have the following rights:

1. To know, update and rectify their personal data against the company or those in charge of processing them. This right may also be exercised against partial, inaccurate, incomplete, incomplete, fractioned, misleading data, or data whose processing is expressly prohibited or has not been authorized.
2. Request proof of the authorization granted to the company, except in cases where the law indicates that authorization is not required for the processing of such information.
3. Submit requests to the company or the data processor regarding the use that has been made of your personal data, and to have them provide you with such information.
4. To file complaints before the Superintendence of Industry and Commerce for violations to the Law.
5. To freely revoke their authorization and/or request the deletion of their personal data from the company’s databases or when the Superintendence of Industry and Commerce has determined through a definitive administrative act that the company or the person in charge of the processing has incurred in conduct contrary to the law or when there is no legal or contractual obligation to maintain the personal data in the database of the data controller.
6. Request access and access free of charge to your personal data that have been subject to processing in accordance with Article 21 of Decree 1377 of 2013.
7. To know the modifications to the terms of this policy prior and efficiently to the implementation of the new modifications or, failing that, of the new information treatment policy. H. To have easy access to the text of this policy and its modifications.

1. Easy and simple access to personal data under the control of the company to effectively exercise the rights granted by law to the owners.
2. Know the agency or person authorized by the company to whom you can submit complaints, inquiries, claims and any other request about your personal data.

Holders may exercise their legal rights and carry out the procedures established in this policy by presenting their citizenship card or original identification document. In case of having personal data of minors, they may exercise their rights personally, or through their parents or adults who hold parental authority, who must prove it through the relevant documentation. Likewise, the holder’s rights may be exercised by the assignees who can prove such capacity, the representative and/or attorney-in-fact of the holder with the corresponding accreditation and those who have made a stipulation in favor of another or for another.

PRIVACY OFFICER.

The company has appointed as privacy officer Ms. NEDY ALEJANDRA CHAVARRIA ARANGO, who will be in charge from now on of receiving and answering requests, complaints, claims and queries that the owners of the information have about the processing of their information. Among the functions of the privacy officer are the following without this being an exhaustive list of its functions, which may increase for the protection of the rights of the owners of the information.

1. Receive requests from the holders of personal data, process and respond to those that are based on the law or these policies, such as: requests to update personal data; requests to know the personal data; requests for deletion of personal data when the holder freely requests the deletion or when the holder submits a copy of the decision of the Superintendence of Industry and Commerce in accordance with the provisions of the law, requests for information on the use given to their personal data, requests to update personal data, requests for proof of the authorization granted, when it has proceeded according to the law.

1. To respond to the holders of personal data on those requests that do not proceed in accordance with the law.

1. To serve as a link between the regulatory organizations on issues related to privacy, confidentiality and security of information, in this case the Superintendence of Industry and Commerce.

1. Conduct periodic assessments of compliance with privacy, confidentiality and security policies.

1. Comply with the legal obligations dictated in the rules on the treatment of personal data, especially what is enshrined in Law 1581 of 2016 and its regulatory decrees.

1. To orient the company’s personnel on the subject of information treatment and privacy.

1. Control and verify access to personal data within the company.

The privacy officer’s contact details are as follows:

• E-mail address: diversascontab@une.net.co
• Position of contact person: Accounting Assistant.

PROCEDURES FOR EXERCISING THE RIGHTS OF THE HOLDERS OF PERSONAL DATA CONSULTATIONS:

The company will have mechanisms in place so that the holder, their successors in title, their representatives and/or attorneys-in-fact, those who have been stipulated in favor of or for another, and/or the representatives of minor holders, may make inquiries regarding the personal data of the holder that is stored in the company’s databases.

These mechanisms may be physical, such as a window procedure at the address Circular 3ª No. 68c- 21 San Joaquín, or electronic, through the following e-mail address contabilidad@diversas.com.co y tesoreria@diversas.com.co or by telephone at the service line 604-4448164, where they will be in charge of receiving requests, complaints and claims.

Whatever the means, the company will keep proof of the consultation and its response.

1. If the applicant has the capacity to formulate the consultation, in accordance with the accreditation criteria established in Law 1581 of 2012 and Decree 1377 of 2013, the company will collect all the information about the holder that is contained in the individual record of that person or that is linked to the identification of the holder within the company’s databases and will make it known to the applicant.
2. The person responsible for answering the query will respond to the applicant as long as he/she has the right to do so because he/she is the owner of the personal data, his/her assignee, proxy, representative, has been stipulated by another or for another, or is the legal responsible in the case of minors. This response will be sent within ten (10) working days from the date on which the request was received by the company.
3. In the event that the request cannot be processed within ten (10) business days, the applicant will be contacted to communicate the reasons why the status of the request is being processed. For this purpose, the same or a similar means to the one used by the holder to communicate his request will be used. In this case, the term to answer will be extended for five (05) more days.
4. The final response to all requests will take no longer than fifteen (15) business days from the date the initial request was received by the company.

CLAIMS:

The company has mechanisms for the holder, their assignees, representative and/or attorneys-in-fact, those who stipulated by another or for another, and/or the representatives of minor holders, to make claims regarding the personal data processed by the company that should be subject to correction, updating or deletion, or the alleged breach of the company’s legal duties.

These mechanisms may be physical, such as a window procedure at the address Circular 3ª No. 68c- 21 San Joaquín, or electronic through the following email address diversascontab@une.net.co and diversas@une.net.co or by telephone at the service line 4-260484800, where they will be in charge of receiving requests, complaints and claims.

1. The claim must be submitted by the holder, their successors in title or representatives or accredited in accordance with Law 1581 and Decree 1377, as follows:

• You should contact the privacy officer Ms. nedy alejandra chavarria chavarria chavarria chavarria NEDY ALEJANDRA CHAVARRIA ARANGO by e-mail to the following address tesoreria@diversas.com.co and diversas@une.net.co; physically at the address Circular 3ª No. 68C-21 San Joaquín; or by telephone at 42604800.
• It must contain the name and identification document of the holder.
• It must contain a description of the facts that give rise to the claim and the objective pursued (update, correction, suppression, or fulfillment of duties).
• It should indicate the address and contact and identification data of the claimant.
• It must be accompanied by all documentation that the claimant wishes to assert.

The company before attending the claim will verify the identity of the holder of the personal data, its representative and/or proxy, or the accreditation that there was a stipulation by or for another. For this purpose, the company may require the original identification document of the owner, and the special or general powers of attorney or documents required, as the case may be.

1. If the claim or additional documentation is incomplete, the Company will require the claimant to correct the deficiencies one time within five (5) days of receipt of the claim. If the claimant does not submit the required documentation and information within two (2) months from the date of the initial claim, it will be understood that the claim has been withdrawn.

1. If for any reason the person who receives the complaint within the company is not competent to resolve it, he/she shall refer it to the privacy officer within two (2) business days after receiving the complaint, and shall inform the complainant of such referral.

1. Once the claim is received with the complete documentation, a legend will be included in the company’s database where the holder’s data subject to claim is stored, stating “claim in process” and the reason for the claim, within a term not exceeding two (2) business days. This legend must be maintained until the claim is decided.

1. The maximum term to address the claim will be fifteen (15) business days from the day following the date of receipt. When it is not possible to address the claim within such term, the interested party will be informed of the reasons for the delay and the date on which the claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.

VALIDITY.

This Policy is effective as of February fourteenth (14), 2017. Personal data that is stored, used or transmitted will remain in our database, based on the criteria of temporality and necessity, for as long as necessary for the purposes mentioned in this policy, for which they were collected.