Processing of personal data

AUTHORIZATION FOR THE PROCESSING OF PERSONAL DATA OF VERDEPACIFIC - CUSTOMERS

The data subject hereby grants prior, express, and informed authorization to VERDEPACIFIC, representing BOTSAS, with Tax ID 830.097.359-6, located at Carrera 15 # 88–21, Office 402 – Bogotá DC, Telephone: +573102709357. Email: protecciondedatos.verdepacific@gmail.com (hereinafter “VERDEPACIFIC”), the company that will act as the data controller, to collect, store, use, process, circulate, delete, transfer, transmit, and, in general, perform any operation or set of operations on the data subject's personal data, understood as any information linked to or that may be associated with the data subject (hereinafter the “Personal Data”). Personal Data includes, but is not limited to, identification data, contact and location information, data classified as sensitive, financial information, consumer preferences and behaviors, data inferred or not from information observed or provided directly by the data subject or by third parties, and demographic and transactional information. Personal Data will be collected through the various channels of VERDEPACIFIC, its affiliated entities, and/or its partners, and through which the data subject provides their information.

Personal Data will be processed for the following purposes and those that are analogous or compatible with them and with those described in VERDEPACIFIC's personal data processing policy, available at www.verdepacific.com.co :

• Develop commercial and marketing activities, such as consumption analysis, customer profiling, brand traceability, sending benefits, advertising, promotions, offers, news, discounts, customer loyalty programs, market research, generation of campaigns and events for VERDEPACIFIC's own brands.
• Manage inquiries, requests, petitions, complaints and claims related to the services and products offered by or acquired from VERDEPACIFIC and/or its Affiliated Entities.
• Conduct data update campaigns.
• Develop knowledge studies of the holder.
• Conduct satisfaction surveys.
• Notify the holder about orders, shipments or events related to the purchase of merchandise or the provision of services.
• To carry out statistical analysis, billing, offering and/or recognition of benefits, telemarketing, collections related to VERDEPACIFIC or with Linked Entities.
• Manage compliance with legal, pre-contractual, contractual or post-contractual obligations.
• Manage compliance with VERDEPACIFIC's internal policies, including the Policy.
• Provide information reports to the competent authorities.

Contacts to the holder may be made through different channels, such as sending text messages, physical and/or electronic mail, through WhatsApp or other social networks, telephone means or any other that technology and the law allow.

As the data subject, the data subject accepts and acknowledges having been informed of their rights to know, update, and rectify their information, including rights to correct partial, inaccurate, incomplete, fragmented, or misleading data, or data whose processing is prohibited or has not been authorized; to be informed about the processing of their data; to request proof of the authorization granted; to revoke authorization for processing and/or request the deletion of data when there is no legal or contractual obligation to keep it in the database; to file complaints for violations of the General Regime for the Protection of Personal Data with the Superintendency of Industry and Commerce (SIC); and to access, free of charge, the personal data that has been processed. Responses concerning sensitive data (e.g., fingerprints, photos, video recordings, and other biometric data) or data of children and adolescents are optional. Any questions, requests, claims, complaints, or petitions related to your personal data can be directed to protecciondedatos.verdepacific@gmail.com

The data subject declares that the provision of third-party data, where applicable, has been done with their unequivocal and express authorization. Finally, the data subject and/or legal representative states that the Personal Data for which this authorization is granted has been provided voluntarily, truthfully, and completely.

BOTSAS PERSONAL DATA PROCESSING POLICY

1. IDENTIFICATION OF THE DATA CONTROLLER

BOTSAS, with address at Carrera 15 # 88– 21, Of. 402 – Bogotá DC, Telephone: +573102709357, Bogotá – Colombia.

Email: protecciondedatos.verdepacific@gmail.com

2. GENERAL PROVISIONS

BOTSAS, which for the purposes of this policy will be called “VERDEPACIFIC”; identified with NIT 830.107.411-6, with address at Carrera 17 # 166 – 75, in Bogotá, in compliance with Law 1581 of 2012 and the rules that regulate, add or modify it, adopts the personal data processing policies of mandatory application for all personal data collected, processed, stored, used, updated and deleted by the company.

These policies are mandatory and must be strictly adhered to by all employees and contractors providing services to the company. All employees, contractors, and, in general, individuals acting on behalf of VERDEPACIFIC with legitimate reasons, must observe and respect these policies in the performance of their duties. In cases where there is no employment relationship, appropriate contractual measures must be taken to ensure that those acting on behalf of BOTSAS are obligated to comply with these policies.

Failure to comply with these policies may result in the imposition of labor and civil sanctions, as applicable. This is without prejudice to the sanctions established in Articles 23 and 24 of Law 1581 of 2012, as well as the criminal penalties for information leaks and violations of personal data, as established in Law 1273 of 2009.

3. OBJECTIVE

The personal data processing policies of BOTSAS have as their main objective to comply with Law 1581 of 2012 and Decree 1074 of 2015, as well as other regulations that modify, add to or regulate them.

This document establishes the guidelines and procedures to be followed for adequate protection of personal data in the various processes and in general in the development of activities related to the processing of personal data by the company.

4. APPLICABILITY

BOTSAS' personal data processing policies cover all administrative, organizational, cultural, commercial and control aspects that must be complied with by Senior Management, employees, contractors, partners, suppliers, clients and third parties who work or have a direct relationship with the company.

Data processing policies must be integrated into the company's internal processes, in which personal data is collected and processed.

However, in accordance with the provisions of Law 1581 of 2012, these policies exclude databases for personal or domestic use, except when these are to be supplied to a third party, in which case the authorization of the data subjects within the database must be obtained, as well as the other exclusions established in the Law.

5. LEGAL OR REGULATORY FRAMEWORK

The company's personal data processing policies are governed by the following rules internally and externally:

•  LAW 527 OF 1999

It defines and regulates access to and use of data messages, electronic commerce and digital signatures, and establishes certification entities and dictates other provisions.

It also introduces the concept of functional equivalent, electronic signature as mechanisms for authenticity, availability and confidentiality of information.

• LAW 1273 OF 2009

This law establishes and protects the legal rights to information and personal data. It also defines criminal offenses such as computer damage, violation of personal data, unauthorized access to computer systems, interception of computer data, and theft by computer, among others.

• LAW 1581 OF 2012

Which establishes general provisions for the protection of personal data.

• DECREE 1074 OF 2015

Through which Law 1581 of 2012 is regulated, on aspects related to the authorization of the Data Subject for the Processing of their personal data, the Processing policies of the Controllers and Processors, the exercise of the rights of the Data Subjects, the transfers of personal data and the responsibility demonstrated in relation to the Processing of personal data.

Likewise, Article 25 of Law 1581 of 2012, relating to the National Registry of Personal Databases, which is in charge of the Superintendency of Industry and Commerce, is regulated, and where those who act as Responsible for the processing of personal data, must register their Databases following the instructions of this decree.

• CIRCULAR 005 OF 2017. SUPERINTENDENCY OF INDUSTRY AND COMMERCE

Which regulates matters related to international transfers of personal data

• GUIDELINES FOR DEMONSTRATED RESPONSIBILITY

Guidelines established by the Superintendency of Industry and Commerce in order to comply with the principle of demonstrated responsibility or Accountability.

• ISO 27001-2013

It establishes good practices in information security to guarantee the integrity, confidentiality, and availability of information.

6. DEFINITIONS

The following definitions, in addition to those established in the personal data protection regime, will be taken into account both for these policies and for the processing of personal data in the Company.

• Authorization: Prior, express and informed consent of the Data Subject to carry out the Processing of personal data.
• Database: An organized set of personal data that is subject to processing.
• Personal data: Any information linked to or that can be associated with one or more specific or identifiable natural persons.
• Data Processor: Natural or legal person, public or private, who, alone or in association with others, carries out the processing of personal data on behalf of the Data Controller.
• Data Controller: Natural or legal person, public or private, who alone or jointly with others, decides on the database and/or the processing of the data.
• Data Subject: Natural person whose personal data is subject to Processing.
• Processing: Any operation or set of operations performed on personal data, such as collection, storage, use, circulation or deletion.
• Sensitive data: Sensitive data is understood to be data that affects the privacy of the Data Subject or whose misuse may generate discrimination, such as data that reveals racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in trade unions, social or human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data relating to health, sex life and biometric data.
• Privacy or Data Protection Officer: This is the person or department within the Company whose function will be the monitoring and control of this policy under the control and supervision of Senior Management.

• Implementation: Process for the implementation and execution of privacy and data protection policies as well as the implementation of a comprehensive personal data protection system based on the principle of demonstrated responsibility or Accountability.
• Technical Measures: These are the technical and technological measures, such as digital signatures, information encryption, electronic signatures, information security policies, to guarantee the protection of information and data in the Company.
• Organizational Processes: Internal processes are a set of steps that must be carried out and are part of the Company to achieve goals and objectives defined by the Company, which must be kept documented.
• Data transfer: This takes place when the Controller and/or Processor of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is a Controller and is located inside or outside the country.
• Data transmission: This involves the communication of data within or outside the territory of the Republic of Colombia and is intended for processing by the Processor on behalf of the Controller.
• Comprehensive Data Protection System (SIPD): This is a comprehensive system based on quality principles such as accountability. The system includes indicators, risk assessments, responsible parties, communication channels, organizational commitment, processes, and scope, as well as everything necessary to implement a comprehensive system based on quality principles, with its technical and legal components.

7. PRINCIPLES APPLICABLE TO THE PROCESSING OF PERSONAL DATA

The handling and processing of personal and sensitive data within the company must be framed under the following principles, in addition to those provided for legally and jurisprudentially that are applicable:

• Purpose: The processing of personal data must have a legitimate purpose in accordance with the law, which must be communicated to the data subject beforehand. VERDEPACIFIC collects personal data for processes related to selection, hiring, marketing, customer loyalty, and/or distribution, and other processes carried out by the company, which are detailed in this Policy and/or the Privacy Notice and/or in the respective authorization form at the time of personal data collection.
• Truthfulness or Quality: The information must be truthful, complete, accurate, up-to-date, verifiable, and understandable.
• Transparency: Guarantee of the Owner to know information about the existence of data belonging to him/her.
• Restricted Access and Circulation: In accordance with the nature of the data and with the authorizations given by the Owner or other persons provided for in the law.
• Security: These are the technical, human and administrative measures necessary to prevent alteration, loss, consultation, use or unauthorized or fraudulent access.
• Confidentiality: Keeping information confidential, during and after the completion of the company's personal data processing activities.

8. DATA PROCESSING POLICY

To comply with the data processing policies and the obligations of Law 1581 of 2012, its Regulatory Decrees and other regulations that complement, add to or modify it, the following must be taken into account for the handling of information and personal data in the company.

The company understands that the personal information of its employees, users, clients, suppliers, and third parties in general is subject to the right of habeas data and, consequently, the processing of this information is carried out with the utmost care and in accordance with the law to guarantee people the full exercise and respect for their right of Habeas Data.

The information contained in the company's databases and information systems has been obtained in the course of its activities, and in any case, its collection is carried out in accordance with the criteria of the Colombian legal framework.

9. GENERAL RULES FOR THE PROTECTION OF PERSONAL DATA AT BOTSAS

In addition to the implementation and pursuit of compliance with personal data processing policies, the following general rules will be observed within VERDEPACIFIC.

• The company will take all necessary technical, cultural, and legal measures to ensure the protection of information in existing databases.
• Legal audits and controls will be carried out to ensure the correct implementation of Law 1581 of 2012 as well as the policies for the processing of personal data.
• The company's Information Systems must guarantee the confidentiality, integrity, and availability of information.
• It is the responsibility of the company's employees, contractors, suppliers, and customers to report any incident of information leakage, computer damage, violation of personal data, data marketing, use of personal data of children or adolescents, identity theft, or conduct that may violate the privacy of a person.

The company will gradually implement the principle of demonstrated responsibility or Accountability, creating a comprehensive system for the protection of personal data.

based on controls, processes, procedures, indicators, risks, as in the implementation of these personal data protection policies.

VERDEPACIFIC will take all necessary technical and legal measures to ensure the implementation of this policy, including the creation of a comprehensive personal data protection system integrated into information security policies.

The training and development of employees, contractors, suppliers, and people who for some justifiable reason must carry out activities on behalf of or for the company, will be a fundamental complement to this policy.

The company will be attentive to the various instructions on data protection, such as the mechanisms created by the Office of Personal Data Protection of the Superintendency of Industry and Commerce.

VERDEPACIFIC will duly inform the Holder about the purpose of the collection and the rights that he/she has by virtue of the authorization granted.

VERDEPACIFIC will process inquiries and claims made in accordance with the terms established by law.

10. COLLECTION OF PERSONAL INFORMATION AND AUTHORIZATION OF THE DATA SUBJECT. VERDEPACIFIC will expressly inform the data subject, prior to authorizing the processing of their personal data, about the existence and acceptance of the specific conditions for processing their data in each case, informing them of the mechanisms and procedures available to them to access, update, rectify, or delete their personal information from the databases. Individuals within the company who, in the course of their duties or activities, participate in the collection of personal data must clearly and expressly inform the data subject, in order to obtain authorization for the processing of their personal data, about the purpose of the processing and the voluntary nature of the authorization, maintaining and properly managing documentation, whether electronic or physical, as proof of said authorization.

10.1 REVOCATION OF AUTHORIZATION

Data subjects may, at any time, request the company to delete their personal data and/or revoke the authorization granted for its processing.

The request for deletion of information is not appropriate when the Owner has a legal or contractual duty to retain it.

The Data Subject has two options to revoke their consent:

1. Revoking all consented purposes: VERDEPACIFIC, from that request onwards, will not be able to process the personal data of the holder again, unless the holder authorizes the processing of the same again in the future.
2. Partially revoking consent: VERDEPACIFIC, from that request onwards, may continue to process the data for the purpose or purposes that were not revoked by the Owner.

Taking the above into account, it is necessary that the holder, when requesting the revocation, clearly and expressly indicate whether the revocation required is total or partial.

In any case, the company may not exceed the deadlines established in Article 15 of Law 1581 of 2012 to process and respond to the respective exercise of rights.

11. TREATMENT TO WHICH THE PERSONAL DATA HELD BY BOTSAS WILL BE SUBJECT

Personal data stored in physical or electronic databases will be processed, which consists of the following activities:

11.1 INFORMATION GATHERING

VERDEPACIFIC collects information from the Data Subjects, based on the implementation and completion of forms and documents for the collection of personal data, in which the data subject is informed about: the purpose of the collection, channels and mechanisms for complaints and claims, data processing policies, among other aspects provided for in the Law.

11.2 OTHER TREATMENT ACTIVITIES

VERDEPACIFIC will also carry out the activities: storage, use, administration, circulation and deletion of personal data.

The purposes of the processing of personal data by BOTSAS are stated in the PRIVACY NOTICE.

The databases subject to processing are the following:

• Customer database
• Suppliers Database
• Employee Database
• Employee Records Database
• Biometric Database
• Video surveillance database

12. PROCEDURE FOR EXERCISING THE RIGHT OF HABEAS DATA

Data subjects whose information is held in databases owned by BOTSAS, or third parties legally authorized or expressly authorized in writing by the data subject, to exercise their rights of Update, Rectification, Knowledge or Deletion of their personal information, may use the following mechanisms to send their request:

• Send an email expressly stating your request (to know, update, rectify or delete your personal data) to the email address protecciondedatos.verdepacific@gmail.com

Regardless of the method used to submit a request to exercise the rights outlined herein, the request will be addressed within ten (10) business days of receipt by the relevant department in the case of an inquiry, while in the case of a complaint, it will be addressed within fifteen (15) business days of receipt. The relevant department will inform the data subject of the receipt of the request.

When it is not possible to address the claim within said term, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.

If the claim or inquiry from the data subject is incomplete, the interested party will be required to correct the deficiencies within five (5) business days following receipt of the request. If two (2) months have passed since the date of the request without the applicant submitting the required information, it will be understood that they have withdrawn the claim.

13. AREA OR PERSON RESPONSIBLE FOR THE POSITION OF PRIVACY OFFICER – DATA PROTECTION

The responsibility for ensuring the proper protection of personal data, as well as regulatory compliance on this matter at BOTSAS, will be the responsibility of the PRIVACY OFFICER, linked to Senior Management, before whom the owners of personal data processed by the Company can exercise their rights to know, update, rectify and delete the data and revoke the authorization.

The privacy officer will have the following functions:

• Inform Senior Management and the Board of Directors about the handling of personal data in the company.
• Conduct audits with the different areas to review the application of the Personal Data Processing Policy.
• Report if any conduct is related to the crimes of Law 1273 of 2009.
• Review the implementation of cybersecurity and information security policies.
• Verify the integration of data processing policies with the information security manual or policies.
• Verify the rights of personal data holders
• Identify and establish risks for the handling of personal data in the company's services.

• Create formats and different procedures in order to apply within the company Law 1581 of 2012 and Decree 1074 of 2015.
• Verify that the development of the business model and the services offered comply with the personal data processing policy.
• Inform employees, users, suppliers, contractors, partners, and third parties in general, of the duties for the fundamental compliance of Habeas Data.
• Working together with the legal, technology and quality departments, in pursuit of a culture of data protection and privacy.
• Establish processes for collecting authorizations from the owner of the personal information contained in the company's databases, so that they are involved in the proper protection of personal data.
• Perform the activities of the National Database Registry before the Superintendency of Industry and Commerce, as well as keep abreast of its updating.
• To comply with the provisions of the law regarding business obligations in data protection.
• Establish training and capacity-building processes on personal data and information privacy issues.

14. RIGHTS OF DATA SUBJECTS

In accordance with the provisions of Statutory Law 1581 of 2012, on the protection of personal data and its regulatory decree 1074 of 2015, the rights that data subjects have, which VERDEPACIFIC must ensure are respected and their exercise guaranteed, are:

1. To know, update and rectify your personal data held by the company (Controller and/or Processors). This right may also be exercised by the Data Subject with respect to data that is partial, inaccurate, incomplete, fragmented, misleading, or whose processing is expressly prohibited or has not been authorized.
2. Request proof of the authorization granted to BOTSAS for the processing of personal data, except in cases excepted by law (Article 10 of Law 1581 of 2012).
3. To be informed by BOTSAS (Controller and/or Processor) upon request, regarding the use given to your personal data.
4. To file complaints with the Superintendency of Industry and Commerce for violations of the provisions of the current regulations for the protection of personal data.
5. You may revoke authorization and/or request the deletion of your data from BOTSAS when the processing does not respect constitutional and legal principles, rights, and guarantees. Revocation and/or deletion will proceed when the Superintendency of Industry and Commerce has determined that the Controller or Processor has engaged in conduct contrary to the Law and the Constitution.
6. Access your personal data that has been processed, free of charge.
7. To be aware of any substantial changes in the data processing policy concerning the purpose and identification of the data controller, no later than the time the new policies come into effect.
8. For data subjects whose data collection was carried out prior to the issuance of Decree 1074 of 2015, make known the processing policies issued under the regulation of this decree.
9. Access to personal information, for which those in charge and responsible must implement simple and agile mechanisms to guarantee permanent access.
10. Exercise the right of access to update, rectify, delete personal data.

15. ROLE IN THE PROCESSING AND OBLIGATIONS FOR THE PROTECTION OF PERSONAL DATA

BOTSAS issues these information processing policies in compliance with the Constitution and Law 1581 of 2012, as well as its Regulatory Decree 1074 of 2015; likewise, it is stated that the company, according to the various processes it manages with its employees, contractors, clients, users and suppliers, holds the status of Controller of personal data and as such must comply with the duties imposed by the legislation for these roles within the processing of personal data, contemplated in article 17 of Law 1581 of 2012.

In addition to the obligations set out in the articles cited above, the company must ensure that it adopts all technical, legal and organizational measures to comply with this policy.

16. VALIDITY AND UPDATING

The effective date of this Policy update is January 1, 2018. Its updates will depend on the instructions of the BOTSAS Privacy Officer in accordance with the guidelines of Senior Management, as well as subsequent regulations on personal data protection that modify, add to, delete, or replace the regulations on personal data protection.