GRUPO LAERA LTDA PERSONAL DATA TREATMENT AND PROTECTION POLICY

1-CONTACT INFORMATION

GRUPO LAERA LTDA is a commercial company under private law, legally constituted, domiciled in the city of Bogotá DC, Colombia, identified with NIT 830.133-454-2, with the following contact information:

Telephone: +57 6018794348

Cell: +57 31 87161495

Email: info@grupolaera.com

Website: www.grupolaera.com


2-GENERAL PRINCIPLES

GRUPO LAERA LTDA guarantees the protection of rights such as Habeas Data, privacy, intimacy and good name, so all its actions will be governed by the highest ethical, moral and legal principles.

Likewise, it will inform all holders of personal information held by GRUPO LAERA LTDA about the rights, duties and obligations they have regarding the collection, storage and administration of their personal data, and the mechanisms implemented by the Company, aimed at ensuring the protection of personal information.


3-LEGAL FRAMEWORK

GRUPO LAERA LTDA will be governed by the regulations issued on the matter and all those issued subsequently, the main ones being:

  • Article 15, of Colombia’s Political Constitution (1991).
  • Colombia’s Statutory Law 1266 of 2008.
  • Colombia’s Law 1581 of 2012. 
  • Resolution 76434 of 2012 (Colombia’s Superintendency of Industry and Commerce).
  • Colombia’s Decree 1377 of 2013.
  • Colombia’s Decree 1727 of 2009.
  • Colombia’s Decree 2952 of 2010.


4-DEFINITIONS

In accordance with current legislation on the matter, the following definitions are established, which will be applied and implemented taking into account the interpretation criteria that guarantee adequate application.

  • AUTHORIZATION: Prior, express and informed consent of the owner to carry out the Processing of personal data;
  • DATABASE: Organized set of personal data that is subject to Treatment;
  • PERSONAL DATA: Any information linked or that can be associated with one or several specific or determinable natural persons;
  • DATA PROCESSOR: Natural or legal person, public or private, who, by themselves or in association with others, processes personal data on behalf of the data controller;
  • RESPONSIBLE FOR THE TREATMENT: Natural or legal person, public or private, who alone or in association with others, decides on the database and/or the processing of the data;
  • OWNER: Natural person whose personal data is processed;
  • PROCESSING: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.
  • SENSITIVE DATA: Sensitive data is understood to be data that affects the privacy of the Owner or whose improper use may lead to discrimination, such as data that reveals racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social organizations, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties as well as data related to health, sexual life and biometric data.
  • NATIONAL REGISTRY OF DATABASES: it is the public directory of databases subject to Treatment that operate in the country. 


5-SPECIFIC PRINCIPLES

GRUPO LAERA LTDA will apply, in a harmonious and comprehensive manner, the following principles, as established in the law:

  1. Principle of legality in matters of data processing: The processing referred to in this law is a regulated activity, which must be subject to what is established in it and in the other provisions that develop it.
  2. Principle of purpose: The Treatment must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the information Owner.
  3. Principle of freedom: Treatment can only be carried out with the prior, express and informed consent of the Owner. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that requires consent.
  4. Principle of truthfulness or quality: The information subject to Treatment must be truthful, complete, exact, updated, verifiable and understandable. The Processing of partial, incomplete, fragmented or misleading data is prohibited.
  5. Principle of transparency: In the Treatment, the right of the Owner to obtain from the Data Controller or the Data Processor, at any time and without restrictions, information about the existence of data that concerns him or her must be guaranteed.
  6. Principle of restricted access and circulation: Treatment is subject to the limits derived from the nature of the personal data, the provisions of this law and the Constitution. In this sense, the Treatment may only be carried out by persons authorized by the Owner and/or by the persons provided for in this Law.
  7. Personal data, except public information, may not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide knowledge restricted only to the Owners or authorized third parties in accordance with this law.
  8. Security principle: The information subject to Treatment by the Data Controller or Data Processor referred to in this law must be handled with the technical, human and administrative measures that are necessary to provide security to the records, avoiding its adulteration, loss, unauthorized or fraudulent consultation, use or access.
  9. Principle of confidentiality: All persons involved in the Processing of personal data that are not public in nature are obliged to guarantee the confidentiality of the information, even after their relationship with any of the tasks included in the Processing has ended, being able to only supply or communicate personal data when this corresponds to the development of the activities authorized in this law and in the terms of the same.


6-PURPOSE OF THE DATABASE

GRUPO LAERA LTDA, in the development of its corporate purpose, in the execution of Consulting contracts and/or works signed with its workers and in compliance with orders from judicial and/or administrative authorities, may process personal data for the following purposes:

  1. Structure a contact base that allows it to be used as an instrument to carry out statistics, send general information or information related to the services offered by GRUPO LAERA LTDA such as Training, Workshops, commercial campaigns, surveys, invitations and/or confirmation of participation in activities or events, celebration of special dates, loyalty plans, market research and commercial and administrative relationships, through the sending of direct messages, text messages, emails, through social networks, directly through the Company or through a third party. 
  2. Provide treatment and responses to queries, requests, complaints and claims submitted to the Company. 
  3. Facilitate the development of contractual obligations of the Company. 
  4. Receive, collect and manage personal, professional, family or social information of natural persons for the purposes of carrying out analysis and selection, hiring, personnel updating and information management of employees, former employees and consultants.
  5. Any other purpose that is required on the occasion of the Company’s own activities.


7-SENSITIVE DATA:

Sensitive data is understood to be data that affects the privacy of the Owner or whose improper use may lead to discrimination, such as data that reveals racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social organizations, human rights organizations or those that promote the interests of any political party, or information that guarantees the rights and guarantees of opposition political parties, as well as data related to health, sexual life and biometric data.


8-PROCESSING OF SENSITIVE DATA:

As established by law, data processing is prohibited, except under the following conditions:

  1. The Owner has given explicit authorization to said Treatment, except in cases where the granting of said authorization is not required by law.
  2. The Treatment is necessary to safeguard the vital interest of the Owner and the Owner is physically or legally incapacitated. In these events, legal representatives must grant their authorization.
  3. The Treatment refers to data that is necessary for the recognition, exercise or defense of a right in a judicial process.
  4. The Treatment has a historical, statistical or scientific purpose. In this event, measures must be adopted leading to the deletion of the identity of the Holders.


9-COLLECTION OF INFORMATION.

GRUPO LAERA LTDA, in the normal development of its activities, will limit itself to requesting those personal data that are strictly relevant and appropriate for the purpose for which they are collected, for compliance with the corporate purpose and current regulations, and will not use deceptive or fraudulent means to collect and process personal data.

The requested information will not be delivered to any third party in the development of its corporate purpose, except for the authorizations and requirements established by law.

In the case of the collection of information for the purposes of selection and hiring of officials and consultants, the information of the candidates will be collected at the will of the people who wish to apply for said processes.


10-OWNER’S AUTHORIZATION:

Without prejudice to the exceptions provided for in the law, the treatment requires the prior, express and informed authorization of the owner, which must be obtained by any means that can be subject to subsequent consultation.


11-CASES IN WHICH AUTHORIZATION IS NOT REQUIRED:

The authorization of the Owner will not be necessary when it comes to:

  1. Information required by a public or administrative entity in the exercise of its legal functions or by court order;
  2. Data of a public nature;
  3. Cases of medical or health emergency;
  4. Processing of information authorized by law for historical, statistical or scientific purposes;
  5. Data related to the Civil Registry of Persons.


12-RIGHTS OF THE INFORMATION OWNERS.

According to the provisions of current regulations, the owner of personal data has the following rights:

  1. Know, update and rectify your personal data against GRUPO LAERA LTDA. This right may be exercised, among others, against partial, inaccurate, incomplete, fragmented, misleading data, or those whose Processing is expressly prohibited or has not been authorized.
  2. Request proof of the authorization granted to the Company, except when expressly excepted as a requirement for Treatment, in accordance with the provisions of the law.
  3. Be informed by the Company, upon request, regarding the use it has given to your personal data.
  4. Submit complaints to the Superintendency of Industry and Commerce for violations of the provisions of the law and other regulations that modify, add or complement it.
  5. Revoke the authorization and/or request the deletion of the data when the processing does not respect constitutional and legal principles, rights and guarantees. The revocation and/or deletion will proceed when the Superintendence of Industry and Commerce has determined that in the Processing, the Company has engaged in conduct contrary to the law and the Constitution.
  6. Free access to your personal data that has been processed.


13-DUTIES OF THE COMPANY IN THE PROCESSING OF PERSONAL DATA.

GRUPO LAERA LTDA, when acting as Data Controller, will comply with the following duties:

  1. Guarantee to the Holder, at all times, the full and effective exercise of the right of habeas data.
  2. Request and keep, under the conditions provided in this law, a copy of the respective authorization granted by the Owner.
  3. Duly inform the Owner about the purpose of the collection and the rights granted to him by virtue of the authorization granted.
  4. Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
  5. Rectify the information when it is incorrect.
  6. Process queries and claims made in the terms indicated in the law.
  7. Adopt an internal manual of policies and procedures to guarantee adequate compliance with the law and, especially, to respond to queries and complaints.
  8. Inform at the request of the Owner about the use given to their data.
  9. Inform the data protection authority when violations of security codes occur and there are risks in the administration of the Owners’ information.
  10. Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.


14-AUTHORIZATIONS AND CONSENT.

The collection, storage, use, circulation or deletion of personal data by the Company requires the free, prior, express and informed consent of the owner thereof.


15-MEANS AND MANIFESTATIONS TO GRANT THE AUTHORIZATION.

The authorization may consist of a physical document, electronic document, data message, Internet, Websites, in any other format that guarantees its subsequent consultation, or through an appropriate technical or technological mechanism, which allows expressing or obtaining consent, through which it can be concluded unequivocally that, if the owner’s conduct had not occurred, the data would never have been captured and stored in the database.


16-PROOF OF AUTHORIZATION.

GRUPO LAERA LTDA will use the mechanisms it currently has and will implement and adopt the necessary actions to maintain records or suitable technical or technological mechanisms of when and how it obtained authorization from the holders of personal data for the processing thereof. To comply with the above, physical files or electronic repositories may be established directly or through third parties hired for this purpose.


17-INQUIRIES.

The owners, or their successors, may consult the personal information of the Owner that resides in any Company database. Consequently, the right to consultation will be guaranteed, providing the owners with all the information contained in the individual record or that is linked to the identification of the owner. To exercise the right to consultations, the interested party must prove the quality with which they act.

In any case, regardless of the mechanism implemented to respond to consultation requests, they will be responded to within a maximum period of ten (10) business days from the date of receipt. When it is not possible to attend to the query within said term, the interested party will be informed before the expiration of the 10 days, expressing the reasons for the delay and indicating the date on which their query will be attended to, which in no case may exceed five (5) business days following the expiration of the first term.


18-CLAIMS.

The Owner or his successors who consider that the information contained in a database must be corrected, updated or deleted, or when they notice the alleged breach of any of the duties contained in the Law, may file a claim with the Company, in a document that must contain at least the following information:

  1. The claim must be made through a request addressed to GRUPO LAERA LTDA, clearly indicating the name and identification of the data owner. If it is through a third party, they must provide a copy of the respective power of attorney.
  2. A clear and complete description of the facts that give rise to the claim.
  3. The notification data, which at a minimum must be a physical and/or email address, landlines and cell phones.
  4. Evidence and documents that you intend to assert.

If the claim is incomplete, the interested party will be required within five (5) business days following receipt of the claim to correct the deficiencies. After two (2) months from the date of the request, without the applicant presenting the required information, it will be understood that the claim has been abandoned.

In the event that the person who receives the claim is not competent to resolve it, he or she will forward it to the appropriate person within a maximum period of two (2) business days and will inform the interested party of the situation.

Once the complete claim is received, a legend that says «claim in process» and the reason for it will be included in the database, within a period of no more than two (2) business days. Said legend must be maintained until the claim is decided.

The maximum term to address the claim will be fifteen (15) business days counted from the day following the date of receipt. When it is not possible to address the claim within said term, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.


19-ENABLED INFORMATION CHANNELS.

The owners and their successors may exercise their different rights before GRUPO LAERA LTDA by the following means:

Telephone: +57 6018794348

Cell: 3164826523

Email: info@grupolaera.com


20-PEOPLE TO WHOM THE INFORMATION MAY BE PROVIDED

Information related to the handling and processing of personal data may be provided to the following people:

  1. To the owners, their successors or legal representatives.
  2. To public or administrative entities in the exercise of their legal functions or by court order.
  3. To third parties authorized by the owner or by law.


21-REVOCATION OF AUTHORIZATION.

The owners may at any time request the deletion of their personal data and/or revoke the authorization granted for their processing by submitting a claim to the Company.

The request for deletion of personal data and revocation of authorization will not proceed when the owner has a legal or contractual duty to remain in the database.


22-INFORMATION SECURITY AND SECURITY MEASURES.

In development of the security principle established in current regulations, GRUPO LAERA LTDA will adopt the technical, human and administrative measures that are necessary to provide security to the records, preventing their alteration, loss, consultation, unauthorized or fraudulent use or access. This information will be recorded in the Information security policy.


23-ATTENTION TO REQUESTS, QUERIES, COMPLAINTS AND CLAIMS.

The General Management of GRUPO LAERA LTDA will be responsible for addressing the requests, queries and claims of the owner, and before it the user may exercise their rights to know, update, rectify and delete the data and revoke the authorization. In the absence of the General Directorate, it will be the substitute legal representative who will attend to said requirements.

In this task, the General Management will be supported by the lawyer who supports and advises the work of the Company.


24-DISCLOSURE OF THE PERSONAL DATA PROCESSING AND PROTECTION POLICIES

These Personal Data Treatment and Protection Policies will remain available on the website www.grupolaera.com for interested parties.


25-VALIDITY.

This policy was approved at the shareholders’ meeting on December 30, 2022 and is effective as of that date, repealing all provisions that are contrary to it or have been issued previously.