ATH-PO-10
Version 1
OBJECTIVE
To define the procedures and personal data protection policy to be adopted by Cromasoft, in order to guarantee the safeguarding of the rights to privacy and habeas data regarding the information stored in databases containing this type of data.
To comply with the provisions established in the following constitutional and legal precepts:
- Article 17 of Law 1581 of 2012
- Article 10 of Decree 1377 of 2013
- Chapter 25 of Decree 1047 of May 26, 2015
- Law 1273 of 2009
To guarantee, through the implementation of the procedures required for such compliance, the confidentiality, integrity, and security of the information—conditions that are already recorded within the contractual framework established with stakeholders.
SCOPE
This document applies to all employees, clients, or suppliers of Cromasoft, and to all databases held by the company acting as either a Data Controller or Data Processor, as applicable, in the development of its corporate purpose.
As part of its corporate policies, Cromasoft maintains a constantly evolving Information Security Management System based on the ISO 27001:2022 standard, which includes thoroughly documented processes and procedures aimed at ensuring compliance and the proper management of the information it processes.
1. POLICY
Our personal data protection policy defines the conditions relative to the processing of information with which we interact, in accordance with the development of the company’s Corporate Purpose, whether directly (Cromasoft – Data Subjects) or indirectly (Cromasoft – Client).
All semi-private, private, and sensitive personal information incorporated into the databases for collection, processing, storage, circulation, authentication, deletion, transmission, updating, etc., will receive special security treatment, guaranteeing the protection of confidentiality as mandated by the current Constitutional and Legal framework.
The processing of personal data must be carried out in compliance with the general and special regulations on the matter and for activities permitted under the Political Constitution of Colombia, pursuant to Article 15, which establishes: “All persons have the right to know, update, and rectify information gathered about them in data banks and in files of public and private entities…”. Likewise, it notes that the collection, processing, and circulation of data shall respect freedom and other guarantees enshrined in the Constitution; furthermore, Article 20 of said statute establishes that every person has the right to inform and to receive truthful and impartial information.
Unless a legal provision dictates otherwise, data collection can only be carried out with the prior, express, and informed authorization of the Data Subject. Personal data may not be obtained or disclosed without the prior consent of the Data Subject, or in the absence of a legal or judicial mandate that waives such consent.
The Data Subject must be informed clearly, sufficiently, and in advance about the purpose of the information provided; therefore, no data may be collected without a clear specification of its purpose.
The information subject to processing must be truthful, complete, exact, updated, verifiable, and understandable. The processing of partial, incomplete, fractioned, or misleading data is prohibited.
Each employee linked to Cromasoft (directly or through a third party) must comply with the policies and procedures established by Cromasoft regarding information security and data protection, to guarantee the security of personal data and prevent its alteration, loss, unauthorized or fraudulent consultation, use, or access.
In the processing of information, the Data Subject’s right to obtain from the controller, at any time and without restrictions, information regarding the existence of data concerning them must be guaranteed.
In cases where access to data subjects’ information is granted by delegation of the client, the client shall be responsible to the data subject for guaranteeing their rights and for any type of communication to them. It will be the client’s responsibility, if necessary, to inform the data subject about the processing applied to their information by Cromasoft. Cromasoft will align itself with the client’s own definitions regarding data protection policies by signing a confidentiality and information management agreement for the entrusted task.
Cromasoft will not execute any task on the data other than those assigned by the client.
Personal data, except for public information, may not be available on the internet or other mass media or communication channels, unless access is technically controllable and manageable to provide restricted visibility only to the data subjects or authorized third parties in accordance with this Law or the prior authorization of the data subject.
Cromasoft will define the processes for obtaining the authorization to use the data subjects’ information and will disclose them in a controlled manner.
All employees, clients, and suppliers of Cromasoft involved in the processing of personal data that is not public in nature are obliged to guarantee the confidentiality of the information, even after their relationship with Cromasoft has ended, and may only supply or communicate personal data when it corresponds to the development of activities authorized by Law.
The authorization signed by the data subject for the processing of their data is granted to Cromasoft as the entity contracted for the execution of specific functions, and not to its employees or contractors. Therefore, it must be noted that the Criminal Code establishes the following as a criminal offense: VIOLATION OF PERSONAL DATA. “Anyone who, without authorization to do so, for their own benefit or that of a third party, obtains, compiles, subtracts, offers, sells, exchanges, sends, buys, intercepts, discloses, modifies, or employs personal codes or personal data contained in files, records, databases, or similar media, shall incur a prison sentence of forty-eight (48) to ninety-six (96) months and a fine of 100 to 1,000 current legal monthly minimum wages…”
In the case of Children and Adolescents, they are subjects of special constitutional protection; therefore, the Processing of their personal data is prohibited, except for data that is public in nature. In the event that processing information of minors is required, the request for authorization must proceed through the responsible adult in charge of the minor.
2. RESPONSIBILITY OF STAKEHOLDERS
- To comply with the policies defined within this document.
- To inform Cromasoft’s Management of any irregularity regarding non-compliance with the policies defined in this document.
- To request, document, and retain the data subject’s authorization whenever their data is to be processed.
- To inform the data subject about the purpose of the data collection.
- To inform the data subject about the mechanisms established to address their requests.
- To secure the information and the procedures to access it.
- To guarantee the integrity of the stored information.
- To update or correct the collected information in a timely manner upon the request of the data subject.
- To require those who process the information to guarantee its confidentiality and integrity.
- To process consultations or petitions from data subjects regarding requests for data correction, consistency, etc., always avoiding the violation of the rights assigned to them by the constitution.
3. DEVELOPMENT
3.1 Processing and Purposes for which Cromasoft will use the data
The personal data provided by data subjects will be used for the following purposes:
- Contracts, Confidentiality Agreements, among others.
- Social Security affiliations and updates.
- Employment and commercial references, etc.
- Payment obligations.
- Reporting to government entities.
- Access authorizations.
- Bidding processes, commercial proposals.
- Internal and external communications.
- ID badging.
- Occupational Health and Safety Plan.
- Processing inherent to the purpose of contracts with its clients.
3.2 Rights of Data Subjects
In compliance with Law 1581 of 2012, all employees and suppliers of Cromasoft are obliged to respect and guarantee the rights of Data Subjects, which include:
- To know, update, rectify, and delete personal data (according to the data subject’s request), always verifying the identity of the data subject beforehand to prevent unauthorized third parties from accessing or attempting to alter their data in an unauthorized or fraudulent manner.
- To access the request for revocation of authorization or deletion of personal data when the Superintendency of Industry and Commerce has determined that Cromasoft, in its processing, has engaged in conduct contrary to Law 1581 of 2012 or the Constitution.
- To access their personal data free of charge. The information requested by the Data Subject may be provided by any means, including electronic ones, as required by the Data Subject. The information must be easy to read, without technical barriers that prevent access, and must fully correspond to the data residing in the entity’s database.
3.3 Duties of Cromasoft when acting as a Data Controller.
Cromasoft and all its employees are obliged to comply with the legal provisions issued by government entities regarding the processing of personal data. Therefore, they must act in such a way as to fulfill the following obligations:
3.4 Duties of Cromasoft regarding the Data Subject
- To request and keep a copy of the respective authorization granted by the Data Subject for data processing.
- To inform the Data Subject clearly and sufficiently about the purpose of the collection and the rights they hold by virtue of the authorization granted.
- To guarantee the Data Subject, at all times, the full and effective exercise of the right to Habeas Data—that is, to know, update, rectify, or delete their personal data.
- To inform the Data Subject, upon request, about the use given to their personal data.
3.5 Duties of Cromasoft regarding the integrity, security, and confidentiality of personal data
- To keep the information under the security conditions necessary to prevent its alteration, loss, unauthorized or fraudulent consultation, use, or access.
- To rectify or update personal data in a timely manner when necessary.
3.6 Duties of Cromasoft when processing through a delegate (Data Processor).
- To supply the data processor only with the personal data that the Data Subject has authorized to be provided to third parties.
- To guarantee that the information supplied to the data processor is truthful, complete, exact, updated, verifiable, and understandable.
- To communicate in a timely manner to the data processor all updates regarding the data previously supplied and to adopt any other necessary measures to ensure that the information provided remains updated.
- To inform the data processor in a timely manner of any rectifications made to personal data so that the processor may proceed with the relevant adjustments.
- To demand from the data processor at all times respect for the security and privacy conditions of the Data Subject’s information, as well as the policy defined by Cromasoft for data processing.
3.7 Duties of Cromasoft regarding the Superintendency of Industry and Commerce.
- To report any potential violations of security codes and the existence of risks in the administration of Data Subjects’ information.
3.8 Processing of Members’ data prior to Decree 1377.
For the processing of data belonging to members whose information was collected prior to the issuance of Decree 1377 of 2013, the following actions must be taken:
- Deploy the communication channels regularly used with the data subject so that they may authorize the processing of their data.
- Utilize alternative mechanisms established in Decree 1377 of 2013, such as mass media, the controller’s website, information posters, among others, to inform data subjects about processing policies. The Superintendency of Industry and Commerce must be informed of this within five (5) days following its implementation.
- The data subject will have a period of thirty (30) business days, counted from the implementation of any of the alternative media used, to contact the controller or delegate to request the deletion of their personal data, with the exception of data whose preservation is required by law.
- If no type of data deletion request is received from the data subject, the controller or processor may continue to carry out the Processing of the data contained in their databases for the purpose or purposes indicated in the data processing policy.
3.9 Area responsible for handling the data subject.
The Administrative Management (Gerencia Administrativa) of Cromasoft is the competent department before which the data subject can exercise their rights to know, update, rectify, and delete data, and to revoke their authorization.
The channels through which the data subject can express their intent are:
- Written medium: Letter, email to contacto@cromasoft.com
- In-person: The data subject may go directly to Cromasoft’s headquarters located at Calle 106 No 54-78 Office 403 – Bogotá
- Telephone medium: Through the line 601 2 71 37 63 – Bogotá
The response time for requests will be 10 days.
4. PERSONAL DATA COLLECTION
For the development of Cromasoft’s corporate purpose, it is necessary to collect personal information such as email addresses, names, home addresses, and telephone numbers, among others. Cromasoft does not sell, rent, or lease its website registration lists to third parties. Furthermore, no data is collected without the authorization of the Data Subject.
4.1 Processing Authorization
During the data collection process, authorization for Data Processing will be requested, and additionally, the data subject must be informed clearly and expressly of the following:
- The Processing to which their personal data will be subjected and its purpose.
- The optional nature of replying to questions asked when they concern sensitive data or data regarding children and adolescents.
- The rights that assist them as a Data Subject.
- The identification, physical or electronic address, and telephone number of the Data Controller.
It is understood that the Data Subject has given their authorization when:
- They state it in writing (physical, electronic document, or any other that can be verified subsequently).
- They state it orally (provided that the medium used can be verified subsequently).
- When the Data Subject performs unequivocal conduct that allows for the reasonable conclusion that authorization was granted.
- When a third party makes the information public by any other means.
In no case shall silence be equated to unequivocal conduct.
Authorization will not be necessary in the following cases:
- Data of a Public nature.
- Cases of medical or health emergencies.
- Processing of information authorized by Law for historical, statistical, or scientific purposes.
- Data related to the Civil Registry of persons.
4.2 Proof of Authorization
For the purpose of demonstrating authorization for data processing, sources such as the following may be used:
- Forms
- Recordings
- Electronic records
- Printed records
4.3 Right of Access
Every data subject may request, free of charge, information relative to their personal data at least once every month.
In the event that requests imply costs for generation, shipping, etc., and exceed one request per month, the data subject shall bear the expenses of such processing.
Date: 1/12/2022 Initial Version
PRIVACY POLICY
This Privacy Policy establishes the terms under which Cromasoft S.A.S. uses and protects the information provided by its users when using its website. This company is committed to the security of its users’ data. When we ask you to fill out personal information fields by which you can be identified, we do so ensuring that it will only be used in accordance with the terms of this document. However, this Privacy Policy may change over time or be updated, so we recommend and emphasize checking this page continuously to ensure that you agree with such changes.
Information Collected
Our website may collect personal information such as: full name, email, and landline/cell phone information of the data subject. Likewise, when necessary, specific information related to the circumstances giving rise to the data subject’s inquiry may be required.
Use of Collected Information
Our website uses the information to provide the best possible service, particularly to maintain a user registry, keep a record of inquiries made, and improve our products and services. Emails may be sent through our site to provide information we consider relevant to you or to offer proper attention regarding the inquiry made; these emails will be sent to the address you provide in the form.
Cromasoft S.A.S. is highly committed to keeping your information secure. We use secure systems to ensure that no unauthorized access exists.
Cookies
A cookie refers to a file sent for the purpose of requesting permission to be stored on your computer. Upon accepting, said file is created, and the cookie then serves to gather information regarding web traffic and facilitates future visits to a recurring website. Another function of cookies is that they allow websites to recognize you individually and therefore provide you with the best personalized service on their platform. Our website uses cookies to identify the pages visited and their frequency. This information is used solely for statistical analysis, and thereafter, the information is permanently deleted. You can delete cookies at any time from your computer. However, cookies help provide a better service from websites; they do not grant access to information on your computer or about you unless you choose to provide it directly.
You can accept or deny the use of cookies; however, most browsers accept cookies automatically as it serves to provide a better web service. You can also change your computer settings to decline cookies. If declined, you may not be able to use some of our services.
Third-Party Links
This website might contain links to other sites that might be of interest to you. Once you click on these links and leave our page, we no longer have control over the site to which you are redirected, and therefore, we are not responsible for the terms, privacy, or data protection on those other third-party sites. Such sites are subject to their own privacy policies, so it is advisable to consult them to confirm that you agree with them.
Control of Your Personal Information
At any time, you can restrict the collection or use of personal information provided to our website. This company will not sell, assign, or distribute the personal information collected without your consent, unless required by a judge with a court order.
Cromasoft S.A.S. reserves the right to change the terms of this Privacy Policy at any time.
The rights provided in the National Constitution and in Law 1581 of 2012 may be exercised through the communication channels established by Cromasoft S.A.S. for public assistance: the hotline 3213195122 and the email comercial@cromasoft.com.
For all of the above, I have granted my consent to Cromasoft S.A.S. to process my personal information in accordance with the privacy policy made known to me before collecting my personal data.
I declare that this authorization was requested of me and presented to me before delivering my data, and that I sign it freely and voluntarily once read in its entirety.
