Introduction

Through this document, INVERSIONES SILCE SAS (hereinafter “The Company”) complying with the regulation on the Protection of Personal Data and with respect for the rights of the Holders of the information indicated in Law 1581 of 2012, the Regulatory Decree 1377 of 2013 and the other concordant regulations on the matter, it is allowed to implement this Personal Data Processing Policy (hereinafter, “The Policy”) of mandatory application in all activities that involve the Processing of Personal Data and mandatory compliance by The Company, its Administrators, Collaborators and third parties with whom it is contractually or commercially related.

The Company, within the development of its corporate purpose: “purchase, sale, direct distribution, production and marketing of textiles, among others” daily receives, transmits and processes Personal Data, so it is essential to have this policy and strictly comply with it.

Objective

The objective of this Policy is to guarantee proper compliance with the applicable Personal Data Protection Law, as well as the definition and subsequent determination of all issues related to the procedures, principles and security policies according to which the Company will guarantee the proper treatment of personal data that is collected in the development of its corporate purpose.

Legal Framework

The Policy was prepared in strict compliance with all the provisions of the current regulations on the matter, in this way, this document complies with the provisions of Articles 15 and 20 of the Political Constitution of Colombia, in Law 1581 of 2012 by the which “general provisions are issued for the protection of personal data”, in Regulatory Decree 1377 of 2013 and in the other regulations that in the future may modify, regulate or add to the applicable regulations on the Protection of Personal Data.

Definitions

As provided in Article 3 of Decree 1337 of 2013 and Article 3 of Law 1581 of 2012, the following terms will be defined throughout the Policy:

File: Set of data recorded as a single storage unit, containing personal data.

Authorization: means the prior, express and informed consent of the owner to carry out the processing of personal data, which is obtained at the time of data collection. This can be i) written; ii) verbal or; iii) unequivocal behaviors that allow a reasonable conclusion that the Holder accepted the Treatment of his data.

Privacy Notice: Verbal or written communication generated by the person in charge, addressed to the owner, for the processing of their personal data, through which they are informed about the existence of the Information Treatment Policy that It will be applicable to you, the way to access it and the purposes of the treatment that is intended to be given to personal data.

Database: Organized set of personal data that is subject to processing, electronic or not, whatever the modality of its formation, storage, organization and access.

Query: means the request of the Personal Data Holder, of the persons authorized by him, or those authorized by law, to know the information that rests on him in the Company’s Databases.

Reasoner: Person who has succeeded another due to the death of the latter (heir).

Personal data: Means any information linked to or that may be associated with one or more determined or determinable natural persons. Personal Data includes, but is not limited to, identification data, contact and location information (including geolocation), data classified as sensitive, financial information, consumer preferences and behaviors, data inferred from information observed or delivered. directly by the owner or by third parties and demographic and transactional information.

Public personal data: It is the data that is not semi-private, private or sensitive. Public data is considered, among others, data related to the marital status of people, their profession or trade and their status as merchants or public servants. Due to its nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins, and duly executed court rulings that are not subject to confidentiality. The personal data existing in the commercial register of the Chambers of Commerce are public (Article 26 of the Commercial Code).

Likewise, they are public data, those that, by virtue of a decision of the Holder or a legal mandate, are found in files of free access and consultation. These data can be obtained and offered without any reservation and regardless of whether they refer to general, private or personal information.

Dsemi-private personal data: means data that is not of an intimate, reserved, or public nature and whose knowledge or disclosure may be of interest not only to its Owner but also to a certain sector or group of people, or society in general. For example: data referring to compliance and non-compliance with financial obligations or data relating to relations with social security entities.

Sensitive Data: Sensitive Data is understood to be those that affect the privacy of the owner or whose improper use may generate discrimination, such as revealing racial or ethnic origin, political orientation, religious or philosophical convictions , belonging to unions, social organizations, human rights or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and data biometrics (fingerprints, photographs, security camera recordings) among others.

Treatment Manager: Natural or legal person, public or private, that by itself or in association with others, performs the processing of personal data on behalf of the person responsible for the Treatment.

Responsible for the Treatment: Natural or legal person, public or private, that by itself or in association with others, decides on the database and/or the treatment of the data contained in it.

Owner: Natural person whose personal data is processed.

Treatment: means any operation or set of operations on Personal Data, such as the collection, storage, use, circulation, transfer, transmission, updating or deletion of Personal Data, among others.

Transmission: means the Treatment of personal data that implies the communication of the same within or outside the territory of the Republic of Colombia when its purpose is to carry out a Treatment by the Manager on behalf of the person in charge

Transfer: The transfer of personal data takes place when the person in charge and/or in charge of the processing of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is responsible of the Treatment and is located inside or outside the country.

Procedural requirement: previous step that the Owner must take before filing a complaint with the Superintendence of Industry and Commerce. This consists of a direct claim to the Manager or Manager of your Personal Data.

Deletion: </ b> This is the name given to the action that the owner of the personal data requests from the person in charge and/or in charge of the data, in exercise of the right that assists him/her of freedom and purpose regarding the information of he.

It is noted that the definitions included in this Policy were taken from the regulations in force to date, which regulate the due protection of personal data of natural persons against the circulation and treatment of the same.
 

Principles

Pursuant to the provisions of current regulations, the Company has incorporated into the Policy the general principles relating to the processing of personal data. These fundamental principles are taken from Article 4 of Law 1581 of 2012.

a) Principle of legality in terms of data processing: The processing referred to in this law is a regulated activity that must be subject to what is established in it and in the other provisions that develop it;

b) Principle of purpose: The Treatment must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Holder;

c) Principle of freedom: The Treatment can only be exercised with the prior, express and informed consent of the Holder. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves consent;

d) Principle of veracity or quality: The information subject to Treatment must be truthful, complete, exact, updated, verifiable and understandable. The Processing of partial, incomplete, fractional or misleading data is prohibited;

e) Principle of transparency: In the Treatment, the right of the Holder to obtain from the Treatment Manager or the Treatment Manager, at any time and without restrictions, information about the existence of data that concerns him must be guaranteed;

f) Principle of restricted access and circulation: Treatment is subject to the limits derived from the nature of personal data, the provisions of this law and the Constitution. In this sense, the Treatment can only be done by persons authorized by the Owner and/or by the persons provided for in this law;

LPersonal data, except for public information, may not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to Holders or authorized third parties in accordance with this law;

g) Principle of security: The information subject to Treatment by the Treatment Manager or Treatment Manager referred to in this law, must be handled with the technical, human and administrative measures that are necessary to grant security to the records, avoiding their tampering, loss, unauthorized or fraudulent consultation, use or access;

h) Principle of confidentiality: All persons involved in the Processing of personal data that are not of a public nature are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks included in the Treatment, being able to supply or communicate personal data only when it corresponds to the development of the activities authorized in this law and in its terms.

Rights of Data Holders

• The Company will carry out the Processing of Personal Data in accordance with the conditions established by the Owner, the law or public entities for the fulfillment of the activities of its corporate purpose, such as the contracting, execution and commercialization of the goods and services that this or its Related Entities offer.
• The Processing of Personal Data may be carried out through physical, automated or digital means according to the type and form of information collection.
• The Company may also process Personal Data, among others, for the following purposes:
• Exercise your right to know sufficiently the Holder with whom you intend to establish relationships, provide services, and assess the present or future risk of the same relationships and services. Carry out the pertinent steps for the development of the pre-contractual, contractual and post-contractual stage with the Company, with respect to any of the products or services offered by it, whether or not it has acquired or with respect to any underlying business relationship that it has with it, as well how to comply with Colombian or foreign law and the orders of judicial or administrative authorities;
• Develop commercial and marketing activities, such as consumer analysis, customer profiling, brand traceability, sending benefits, advertising, promotions, offers, news, discounts, customer loyalty programs, market research, generation of campaigns and events of own brands, business partners or Entities Linked to Silce Investments, fully identified in the Personal Data Processing Policy section of the website www.fajasvelvet.com and/or in this document.
• Implement relationship strategies with customers, suppliers, shareholders and other third parties with whom the Company has contractual or legal relationships;
• Manage inquiries, requests, petitions, complaints and claims related to the services and products offered by or purchased from The Company and/or its Related Entities.
• Carry out satisfaction surveys.
• Disclose, transfer and/or transmit Personal Data inside and outside the country to parent companies, affiliates or subsidiaries of Inversiones Silce. or to third parties as a result of a contract, law or lawful relationship that requires it or to implement cloud computing services.
• Notify the owner of orders, dispatches or events related to the purchase of merchandise or the provision of services.
• Carry out statistical analysis, billing, offer and/or recognition of benefits, telemarketing, collections related to Inversiones Silce or Related Entities.
• Verify the identity of the owner, carry out security studies and/or apply security protocols in order to prevent and mitigate the risk of fraud, money laundering and/or financing of terrorism.
• The offer of financing means for Related Entities, the analysis of credit applications and for this, ordering, cataloging, classifying, dividing or separating the information provided by the Data Holders. Verify, corroborate, verify, validate, investigate or compare the information provided by the Data Holders, with any information that is legitimately available, such as commercial relations. Access, consult, compare and evaluate all the information that is stored on the Holder in the databases of any credit, financial, judicial or security record registry, of a state or private, national or foreign nature, or any commercial or service database, which allows establishing in a comprehensive and complete historical manner, the behavior that as a debtor, user, client, guarantor, endorser, affiliate, beneficiary, subscriber, taxpayer and/or as Holder of financial, commercial or of any other nature.
• Manage compliance with the internal policies of Inversiones Silce, including the Policy.
• Implement artificial intelligence programs or any other that technology and the law allow.
• For security purposes, improvement of our service and the experience in The Company’s facilities, Personal Data may be used, among others, as evidence in any type of process, regarding the data (i) collected directly in the security points, (ii) taken from the documents that people provide to the security personnel and (iii) obtained from the video recordings that are made inside or outside the Company’s facilities.
• Know, store and process all the information provided by the Data Holders in one or more databases, in the format it deems most convenient.
• Carry out all tax, accounting, tax and billing procedures.
• The data that is collected or stored about the employees of Inversiones Silce. By completing the forms, by telephone, or by submitting documents (resume, annexes) they will be treated for everything related to labor issues of a legal or contractual nature. By virtue of the foregoing, the Company will use the Personal Data for the following purposes: (1) Comply with laws such as, among others, labor law, social security, pensions, professional risks, family compensation funds (Integral System of Social Security) and taxes; (2) Comply with the instructions of the competent judicial and administrative authorities; (3) Implement labor and organizational policies and strategies.
• By accepting the processing of personal data to The Company, in addition, the owner authorizes the person in charge to transfer the personal data to the Related Entities so that these companies can process the data, for their benefit, for the same purposes indicated.

The validity of the database will be the reasonable and necessary time to fulfill the purposes of the Treatment in each case, taking into account the provisions of Article 11 of Decree 1377 of 2013.

The Owner of the personal data will have the following rights:

a) Know, update and rectify your personal data before the Treatment Managers or Treatment Managers. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or those whose Treatment is expressly prohibited or has not been authorized;

b) Request proof of the authorization granted to the company, except when expressly excepted as a requirement for Treatment, in accordance with the provisions of article 10 of Law 1581 of 2012

c) Be informed by the company, upon request, regarding the use it has given to your personal data;

d) Submit complaints to the Superintendence of Industry and Commerce for violations of the provisions of this law and other regulations that modify, add or complement it;

e) Revoke the authorization and/or request the deletion of the data when the Treatment does not respect the constitutional and legal principles, rights and guarantees. The revocation and/or deletion will proceed when the Superintendency of Industry and Commerce has determined that in the Treatment the Responsible or Processor has incurred in conduct contrary to this law and the Constitution;

The request for deletion of the information and the revocation of the authorization will not proceed when the Holder has a legal or contractual duty to remain in the database of the Responsible or Processor.

f) Free access to your personal data that have been processed

Duties of the Company when acting as Responsible

The company is obliged to comply with the following duties, without prejudice to the other provisions provided by law and others that govern its activity:

a) Guarantee the Owner, at all times, the full and effective exercise of the right of habeas data;

b) Request and keep, under the conditions provided in this law, a copy of the respective authorization granted by the Holder;

c) Duly inform the Holder about the purpose of the collection and the rights that assist him by virtue of the authorization granted.

d) Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access;

e) Guarantee that the information provided to the Treatment Manager is true, complete, accurate, updated, verifiable and understandable;

f) Update the information, communicating in a timely manner to the Treatment Manager, all the news regarding the data that he has previously provided and adopt the other necessary measures so that the information provided to him is kept updated;

g) Rectify the information when it is incorrect and communicate what is pertinent to the Treatment Manager;

h) Provide the Treatment Manager, as the case may be, only data whose Treatment is previously authorized in accordance with the provisions of this law;

i) Demand from the Treatment Manager at all times, respect for the security and privacy conditions of the Owner’s information;

j) Process the queries and claims formulated in the terms indicated in this law;

k) Adopt an internal manual of policies and procedures to ensure proper compliance with this law and especially, for the attention of queries and claims;

l) Inform the Treatment Manager when certain information is under discussion by the Owner, once the claim has been filed and the respective process has not been completed;

m) Inform at the request of the Owner about the use given to their data;

n) Inform the data protection authority when there are violations of the security codes and there are risks in the administration of the information of the Holders.

o) Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce

Duties of the Company when acting as Manager

The Treatment Managers must comply with the following duties, without prejudice to the other provisions set forth in this law and in others that govern their activity

a) Guarantee the Owner, at all times, the full and effective exercise of the right of habeas data;

b) Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access;

c) Timely update, rectify or delete data under the terms of this law;

d) Update the information reported by the Treatment Managers within five (5) business days from its receipt;

e) Process the queries and claims made by the Holders in the terms indicated in this law;

f) Adopt an internal manual of policies and procedures to guarantee adequate compliance with this law and, especially, for the attention of queries and claims by the Holders;

g) Register in the database the legend “claim in process” in the manner regulated by this law;

h) Insert in the database the legend “information under judicial discussion” once notified by the competent authority about judicial processes related to the quality of personal data;

i) Refrain from circulating information that is being controversial by the Holder and whose blocking has been ordered by the Superintendence of Industry and Commerce;

j) Allow access to information only to people who may have access to it;

k) Inform the Superintendence of Industry and Commerce when there are violations of the security codes and there are risks in the administration of the information of the Holders;

l) Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

Commission of personal data of the Company to a third party

For the fulfillment of its corporate purpose, the Company may entrust the Treatment of personal data that it possesses to a third party, in order for the latter to carry out the communication, promotion, marketing, notification, data update, loyalty plan efforts. , programs and special projects that allow, among others, the fulfillment of the following purposes both by physical and digital means:

• Celebration, subscription or maintenance of contractual relations with the Holders.
• Granting credit and consumer financing.
• Treatment of information required in labor and corporate matters of the Company.
• Confidential, privacy and non-disclosable information.
• Fulfillment of the purpose of the service as a provider.
• All of the above, always respecting the purposes that the Owner of the information has authorized the Company or authorized by Ministry of Law.

Authorization for the use of personal data

The Company, acting as Responsible for the Processing of personal data and Transactional Information, obtains from the Data Holders their clear, express, prior, informed and defect-free Authorization, through physical and electronic forms, the website, invoices or serial coupons. , forms, formats, activities, contests, face-to-face or on social networks, PQR format, data messages or Apps. data collection formats and/or through other means available or available for this purpose.

For the above, the Company will request the Owners of the personal data and the Transactional Information, their Authorization, informing them of the purpose for which the Processing of their personal data will be provided. The foregoing, except in the expressly authorized cases determined by Law, which are regulated in article 10 of Law 1581 of 2012.

The authorization may also be obtained based on unequivocal behaviors of the Data Holder that allow a reasonable conclusion that he gave his consent for the Treatment. Said conduct (s) must (n) be very clear (s) so that it does not admit (n) doubt or mistake about the will to authorize the Treatment.

National or international transfers of Personal Data

The Company may make data transfers to other Data Controllers when so authorized by the Owner of the information, by law or by an administrative or judicial mandate.

National or international transmissions of Personal Data
The company may send or transmit data to one or more Managers located inside or outside the territory of the Republic of Colombia in the following cases:

1. When you have authorization from the Owner.

2. When, without authorization, there is a data transmission contract between the Responsible Party and the Processor, or the document that replaces it.

Procedure for Holders to exercise their rights

For the full and effective exercise of the rights that assist the Holders of Personal Data, or the persons entitled by law for this purpose, the Company has the email address servicioalcliente@fajasvelvet.com through which they can submit all queries , complaints and / or claims associated with the right of Habeas Data.
All requests made by persons entitled to know the Personal Data held by the Company may be made through the aforementioned email, which will include the date of receipt of the query and the identity of the requester.

The claim must be addressed to INVERSIONES SILCE SAS and contain at least the following information:

1. Name and identification of the Owner of the data or the legitimated person.

2. Accurate and complete description of the facts that give rise to the claim.

3. Physical or electronic address to send the response and report on the status of the process.

4. Documents and other relevant evidence that you want to assert.

When the Owner of the personal data intends to know, access the information, or request a copy of the Authorization, the identity of the petitioner or his legitimacy for this purpose will be verified. The response to the query must be communicated to the applicant within a maximum term of ten (10) business days from the date of receipt thereof. When it is not possible to respond to the query within said term, the interested party must be informed of the reasons for the delay and the date on which the query will be addressed, which in no case may exceed five (5) business days following the expiration of the foreground.

If the request or claim is incomplete, the interested party will be required within five (5) days of receipt to correct the failures. After two (2) months from the date of the request, without the applicant submitting the required information, it will be understood that he has withdrawn the claim.

When the Owner of personal data intends to rectify, update, delete any of their data or revoke their Authorization, the Customer Service area will resolve their claim within fifteen (15) business days from the day following the date of your receipt. When it is not possible to address the claim within said term, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.

Person or area responsible for the protection of Personal Data
The Personal Data Protection Officer is the person in charge of the data protection function, which can be contacted via email servicioalcliente@fajasvelvet.com

Video surveillance

The Company uses various means of video surveillance installed in different internal and external sites of its facilities or offices. For this reason, it informs the general public about the existence of these mechanisms by disseminating video surveillance announcements on visible sites.

The information collected through this mechanism is used for security purposes, improvement of our service and the experience in The Company’s facilities, likewise, as evidence in any type of process before any type of authority or organization.

The Company does not deliver the video recordings obtained to any third party, unless there is a court order or competent authority or the law allows it.

XVII. Data of the Data Controller
Company name: INVERSIONES SILCE SAS.

• NIT: 901036728-7
• Address: Carrera 56 N 46 – 49 office 1107
• Email: servicioalcliente@fajasvelvet.com
• Telephone in Medellín: +57 318 350 41 96
• Website: www.fajasvelvet.com

XVIII. Information security policies
The Company will adopt the necessary technical, administrative and human measures to ensure the security of the Personal Data to which it treats, protecting the confidentiality, integrity, use, unauthorized and/or fraudulent access to them. To this end, it has implemented mandatory security protocols for all Personnel who have access to this data and/or information systems.

The internal security policies under which the Owner’s information is kept to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access are included in the Company’s Comprehensive Personal Data Management Program.

The Treatment of Personal Data will be from the beginning of the Event until the day that INVERSIONES SILCE SAS is dissolved and liquidated or until the purpose for which the Personal Data was collected is completed.

XIX. Adjustments to the Personal Data Processing policy

With a view to maintaining the validity of the policy, the Company can adjust and modify it, indicating the date of the update on the website or through the use of other means, such as data messages, physical materials at points of sale, etc.