Page 1 of 8 DATA PROCESSING POLICY
EKKOFY S.A.S.
In compliance with Law 1581 of 2012 and Decree 1377 of 2013, in force in the Republic of Colombia, and any other applicable regulation on the matter, the following is the Data Processing Policy of EKKOFY S.A.S.
1. DATA CONTROLLER INFORMATION
EKKOFY S.A.S.
NIT 901.328.403-2
Domicile: Bogotá
Address: Calle 97A No. 9A-34, 6th Floor
Email: daniel.palis@ekkofy.com
Phone: +57 310 3469972
2. GENERAL PROVISIONS
2.1. Purpose
This Data Processing Policy aims to ensure proper compliance with applicable personal data protection rules and to inform data subjects about how EKKOFY S.A.S. uses the information provided by them, as well as the procedures and mechanisms for handling the personal data collected for the purposes authorized in advance.
2.2. Applicable Law
This Policy has been prepared in accordance with Articles 15 and 20 of the Colombian Constitution, Law 1581 of 2012 and its regulatory decrees, in particular Decree 1377 of 2013.
2.3. Scope
This Policy applies to the processing of personal data recorded in any database that makes them subject to Processing by EKKOFY S.A.S., whether acting as Controller and/or Processor.
2.4. Definitions
For the purposes of this Policy, and in accordance with Article 3 of Law 1581 of 2012 and Article 3 of Decree 1377 of 2013, the following terms shall have the meanings set out below:
a. Authorization: Prior, express and informed consent of the Data Subject to carry out the Processing of his/her Personal Data.
b. Privacy Notice: A physical, electronic or other document generated by the Controller, addressed to the Data Subject for the Processing of his/her Personal Data, informing the existence of the Controller's data processing policies applicable to his/her data, how to access them, and the purpose for which such data will be used.
Page 2 of 8
c. Database: Organized set of Personal Data subject to Processing. It may be automated or physical depending on the form of Processing or storage.
d. Personal Data: Any information linked or that can be associated with one or more determined or determinable natural persons.
e. Private Data: Data that, by its intimate or reserved nature, is relevant only to the Data Subject.
f. Public Data: Data that is not Semi‑private, Private, or Sensitive. Public Data includes, among others, information relating to a person's marital status, profession or trade, and status as a merchant or public servant. By their nature, public data may be contained, among others, in public registries, public documents, gazettes and official bulletins, and final court judgments not subject to confidentiality.
g. Sensitive Data: Data that affects the intimacy of the Data Subject or whose improper use may lead to discrimination, including but not limited to data revealing racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions or human rights/social organizations, political party interests, as well as data relating to health, sex life, and biometric data.
h. Processor: Natural or legal person, public or private, who, alone or in association with others, carries out the Processing of Personal Data on behalf of the Controller.
i. Products: Refers to goods or services.
j. Controller: Natural or legal person, public or private, who, alone or in association with others, decides on the database and/or the Processing of data.
k. Data Subject: Natural person whose Personal Data is subject to Processing.
l. Transfer: Occurs when the Controller and/or Processor located in Colombia sends information or personal data to a recipient who, in turn, is a Controller located within or outside the country.
m. Transmission: Processing of Personal Data that involves the communication of the same within or outside the territory of the Republic of Colombia when the purpose is Processing by the Processor on behalf of the Controller.
n. Processing: Any operation or set of operations on Personal Data, such as collection, storage, use, circulation, or deletion.
2.5. Guiding Principles applicable to the Processing of Personal Data
To guarantee the Processing carried out by EKKOFY S.A.S. as Controller and/or Processor, the following principles will apply, under Article 4 of Law 1581 of 2012:
a. Legality: Processing performed by EKKOFY S.A.S. on Personal Data shall be subject to Law 1581 of 2012 and other applicable regulations.
b. Purpose: Processing shall obey a legitimate purpose in accordance with the Constitution and the law, which will be informed to the Data Subject.
c. Freedom: Processing may only be carried out with the prior, express, and informed consent of the Data Subject. Personal Data may not be obtained or disclosed without prior authorization or in the absence of a legal or judicial mandate that dispenses with consent.
Page 3 of 8
d. Truthfulness or Quality: Information subject to Processing must be truthful, complete, accurate, up‑to‑date, verifiable, and understandable. Processing of partial, incomplete, fractioned data or data that leads to error is prohibited.
e. Transparency: The Processing shall guarantee the Data Subject’s right to obtain from EKKOFY S.A.S., as Controller and/or Processor, at any time and without restrictions, information regarding the existence of data concerning him/her.
f. Restricted Access and Circulation: Processing is subject to limits derived from the nature of Personal Data, Law 1581 of 2012, and the Constitution. Accordingly, Processing may only be carried out by persons authorized by the Data Subject and/or those provided in Law 1581 of 2012.
g. Security: Information subject to Processing by EKKOFY S.A.S. as Controller and/or Processor shall be handled with technical, human, and administrative measures necessary to provide security to the records to prevent alteration, loss, consultation, unauthorized or fraudulent use or access.
h. Confidentiality: All persons involved in the Processing of Personal Data that is not public are obliged to guarantee the confidentiality of the information, even after their relationship with any of the tasks comprising Processing has ended. Personal Data may only be supplied or communicated when it corresponds to the development of activities authorized by Law 1581 of 2012 and under its terms.
3. PROCESSING TO WHICH PERSONAL DATA AND COMMERCIAL INFORMATION WILL BE SUBJECT, AND ITS PURPOSES
Personal Data will be collected, stored, transmitted, transferred, processed, and used for all aspects inherent to the Products offered by EKKOFY S.A.S., and for the performance of contracts with clients, users, suppliers, employees, and other collaborators. This implies that data will be used for the following purposes:
3.1. Users
a. Fulfill obligations undertaken by EKKOFY S.A.S. with its Users.
b. Send information about the Products offered by EKKOFY S.A.S.
Page 4 of 8
c. Send information about changes to the conditions of the Products offered by EKKOFY S.A.S.
d. Send to physical or electronic addresses, mobile phones or devices, via text messages (SMS and/or MMS) or through any other analog and/or digital means of communication existing now or in the future, commercial, advertising, or promotional information about the Products of EKKOFY S.A.S., and information about events and/or promotions, in order to promote, invite, execute, inform and, in general, carry out commercial or advertising campaigns, promotions, or contests conducted by EKKOFY S.A.S. and/or by third parties.
e. Process Users’ data supplied by third parties for the purposes indicated herein.
f. Transfer or transmit Personal Data to third parties in Colombia and abroad, for consideration or free of charge, for their commercial use, especially to clients of EKKOFY S.A.S. for the management of their campaigns.
g. Transfer or transmit Users’ Personal Data to Processors in Colombia and abroad when necessary for the performance of contracts with clients by EKKOFY S.A.S.
h. Prepare analytics studies including any details related to the Products offered by EKKOFY S.A.S. to be shared with partners linked to EKKOFY S.A.S.’s business.
i. Other purposes necessary to fulfill contracts entered into with Users of EKKOFY S.A.S.
3.2. Suppliers
a. Execute contracts with suppliers of EKKOFY S.A.S.
b. Provide references to other natural or legal persons.
3.3. Employees
a. Prepare résumés.
b. Execute and comply with the employment contract and other employer obligations under the law.
c. Manage and operate, directly or through third parties, recruitment and hiring processes, including evaluation and qualification of participants, verification of employment and personal references, and security checks.
d. Carry out HR activities such as payroll, social security affiliations, wellness and occupational health, and employer disciplinary powers, among others.
e. Make payments derived from the employment contract and/or its termination, and any other benefits according to applicable law.
f. Contract employment benefits with third parties, such as life insurance, medical expenses, among others.
Page 5 of 8
g. Notify authorized contacts in case of emergencies during working hours or in connection with work.
h. Coordinate employees’ professional development, access to IT resources, and provide assistance in their use.
i. Transfer and transmit employees’ information to Processors in Colombia and abroad when necessary for operations and payroll management.
j. Other purposes necessary to comply with the employment contract.
3.4. Shareholders and Board Members
a. Call them to meetings of the General Shareholders’ Assembly or the Board of Directors, as applicable.
b. Send them the information necessary to make informed decisions at the respective meetings.
3.5. Purposes applicable to all
a. Strengthen relationships with clients and suppliers by sending relevant information, taking orders, and evaluating the quality of the Products of EKKOFY S.A.S.
b. Determine outstanding obligations, consult financial information and credit history, and report to credit bureaus in terms of Law 1266 of 2008 with respect to debtors.
c. Control access to EKKOFY S.A.S. offices and establish security measures, including video‑surveilled areas.
d. Respond to queries, requests, complaints, and claims made by Data Subjects and transmit Personal Data to oversight bodies and other authorities that must receive Personal Data under applicable law.
e. Register personal data in EKKOFY S.A.S. information systems and in its commercial and operational databases.
f. Provide, share, send, or deliver personal data to parent companies, affiliates, related, or subordinate companies of EKKOFY S.A.S. located in Colombia or abroad when such companies require the information for the purposes indicated herein.
4. RIGHTS OF DATA SUBJECTS
Under Law 1581 of 2012, Data Subjects have the right to:
a. Know, update, and rectify their personal data before the Controller or Processor. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned data, data that leads to error, or data whose Processing is expressly prohibited or has not been authorized.
Page 6 of 8
b. Request proof of the authorization granted to the Controller, except where expressly exempted as a requirement for Processing, pursuant to Article 10 of Law 1581 of 2012.
c. Be informed by the Controller or Processor, upon request, regarding the use given to their personal data.
d. File complaints before the Superintendence of Industry and Commerce for violations of this law and other rules that modify, add to, or complement it.
e. Revoke the authorization and/or request the deletion of the data when the Processing does not respect constitutional and legal principles, rights, and guarantees. Revocation and/or deletion will proceed when the Superintendence of Industry and Commerce determines that the Controller or Processor has engaged in conduct contrary to this law and the Constitution.
f. Access, free of charge, their personal data that have been subject to Processing.
5. PARTY IN CHARGE OF HANDLING REQUESTS, QUERIES, AND CLAIMS
EKKOFY S.A.S.’s Management will handle Data Subjects’ petitions, queries, and claims. Any request must be sent to daniel.palis@ekkofy.com in order to exercise the rights to know, update, rectify, and delete data, and to revoke the authorization granted by law and by this Policy.
6. PROCEDURE FOR DATA SUBJECTS TO EXERCISE THEIR RIGHTS TO KNOW, UPDATE, RECTIFY, DELETE INFORMATION, AND REVOKE AUTHORIZATION
6.1. Queries
EKKOFY S.A.S. provides the email daniel.palis@ekkofy.com for the Data Subject, his/her successors, representatives and attorneys‑in‑fact, and legal representatives of minor Data Subjects to make queries regarding which personal data about the Data Subject is stored in EKKOFY S.A.S. databases.
6.1.1. If the requester is entitled to make the query under Law 1581 of 2012 and its regulatory decrees, EKKOFY S.A.S. will collect all information about the Data Subject contained in its databases and will make it known to the requester.
6.1.2. The party responsible for handling the query, as indicated above, will respond to the requester provided he/she is entitled to do so as the Data Subject, his/her successor, attorney‑in‑fact, representative, or legal guardian in the case of minors. This response will be sent within ten (10) business days from the date the request was received by EKKOFY S.A.S.
6.1.3. If the request cannot be answered within ten (10) business days, the requester will be contacted to communicate the reasons for the delay and the status of the request, using the same or a similar channel to the one used by the Data Subject. The final response to all requests will take no longer than fifteen (15) business days from the date the initial request was received at EKKOFY S.A.S.
Page 7 of 8
6.2. Claims
EKKOFY S.A.S. provides the email daniel.palis@ekkofy.com for the Data Subject, his/her successors, representatives and attorneys‑in‑fact, and legal representatives of minor Data Subjects to file claims regarding (i) personal data processed by the company that must be corrected, updated, or deleted; or (ii) alleged non‑compliance with applicable regulations.
6.2.1. The claim must be submitted by the Data Subject, his/her successors, or representatives/attorneys‑in‑fact in accordance with Law 1581 and its regulatory decrees to the email indicated above and must contain: (a) the Data Subject’s name and identification; (b) a description of the facts giving rise to the claim and the objective sought (update, correction or deletion, or compliance with duties); (c) the claimant’s address and contact details; and (d) all documentation the claimant wishes to rely upon. Before addressing the claim, EKKOFY S.A.S. will verify the identity of the Data Subject or his/her representative/attorney‑in‑fact, or verify that there was a stipulation for another. To this end, the original identification document and applicable powers or documents may be required.
6.2.2. If the claim or additional documentation is incomplete, EKKOFY S.A.S. will request the claimant, only once and within five (5) days of receiving the claim, to correct the deficiencies. If the claimant does not submit the required documentation and information within two (2) months following the date of the initial claim, it will be understood that he/she has withdrawn the claim.
6.2.3. If for any reason the person who receives the claim is not competent to resolve it, the claim will be forwarded to General Management within two (2) business days following receipt, and the claimant will be informed of such referral.
6.2.4. Once the claim is received with complete documentation, a legend stating “claim in process” and the reason for it will be included in the EKKOFY S.A.S. database where the Data Subject’s data is stored, within no more than two (2) business days. This legend will remain until the claim is decided.
6.2.5. The maximum term to address the claim will be fifteen (15) business days from the day after its receipt. When it is not possible to address the claim within said term, the interested party will be informed of the reasons for the delay and the date on which the claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.
7. EFFECTIVE DATE OF THE DATA PROCESSING POLICY AND DATABASE RETENTION PERIOD
Page 8 of 8
This Data Processing Policy of EKKOFY S.A.S. has been in force since October 16, 2019.
Personal data that is collected, stored, transmitted, transferred, processed, and used will remain in EKKOFY S.A.S. databases, based on the criteria of temporality and necessity, for as long as necessary for the purposes mentioned in this Policy for which they were collected.
EKKOFY S.A.S.
NIT 901.328.403-2