POLICY OF TREATMENT OF PERSONAL DATA INFORMATION IN SRF CONSULTORES S.A.S.

In compliance with the law 1581 of 2012 and the regulatory decree 1377 of 2012, SRF Consultores S.A.S. informs the applicable policies for the treatment and protection of personal data.  

Company name: SRF Consultores S.A.S. 
NIT: 900.641.938-8 
Address: Calle 119 No. 14A-26 Ofc. 204 Bogotá – Colombia 
Email: info@srfconsultores.com 
Phone: +57 601 3004901  

1. PURPOSE OF DATA PROCESSING  

For the full development of the corporate purpose, SRF Consultores S.A.S. collects, stores, updates and deletes, additionally may share, transfer, transmit and use this personal data of collaborators, employees, administrators, partners, customers, suppliers and other persons with whom SRF Consultores S.A.S. is related.

The scope of the authorization includes the power for SRF Consultores S.A.S. to send messages with institutional content, notifications, portfolio status reports, new references, promotions and other information related to the portfolio of products offered by the company through email and/or text messages to the cell phone.

SRF Consultores S.A.S., as the responsible party, has provided a physical infrastructure, hardware and software and suitable and adequate personnel to store, dispose and treat the personal data of the owners in a secure manner.

2. RIGHTS OF THE HOLDER OF PERSONAL DATA 

• To know, update and rectify their personal data with respect to the data controller or data processors. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or data whose processing is expressly prohibited or has not been authorized.
  
• Request proof of authorization granted to the data controller, except when expressly exempted as a requirement for processing, in accordance with the provisions of Article 10 of Law 1581 of 2012.
• To be informed by the data controller or the person in charge of the processing assigned by SRF Consultores S.A.S., upon request, regarding the use given to their personal data.
• File complaints with the SIC for violations of the provisions of Law 1581 of 2012 and other regulations amending it.
• To revoke the authorization and/or request the deletion of the data when the treatment does not respect the principles, rights and constitutional and legal guarantees. The revocation and/or deletion will proceed only when the Superintendence of Industry and Commerce has determined that in the treatment, the responsible or in charge have incurred in conduct contrary to the law 1581 of 2012 or the constitution. The request for deletion or revocation does not apply if the owner of the data has a legal or contractual duty and therefore must be in the database of SRF Consultores S.A.S.
• Access free of charge to their personal data that have been subject to processing.
  
• SRF Consultores S.A.S. will ensure respect for the prevailing rights of children and adolescents in the processing of their data except for those data that are of a public nature.

3. DUTIES OF SRF CONSULTORES S.A.S. 

By virtue of this policy of treatment and protection of personal data SRF Consultores S.A.S. is obliged to comply with the following duties, without prejudice to the provisions of the law.  

• Guarantee the holder, at all times, the full and effective exercise of the right of habeas data.
• Request and keep a copy of the respective authorization granted by the owner.
• Duly inform the owner about the purpose of the collection and the rights he/she has by virtue of the authorization granted.  
• Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access.
• Ensure that the information is truthful, complete, accurate, up-to-date, verifiable and understandable.
• Update the information, communicating in a timely manner to the Data Processor, all developments regarding the data previously provided and take other necessary measures to ensure that the information provided to it is kept up to date.
• Rectify the information when it is incorrect and communicate the pertinent to the Data Processor.
• Provide to the Data Processor, as the case may be, only data whose processing is previously authorized in accordance with the provisions of Law 1581 of 2012.
• To require the Data Processor at all times to respect the security and privacy conditions of the Data Subject’s information.
• Process queries and claims formulated in the terms set forth in Law 1581 of 2012.
• Inform the Data Processor when certain information is under discussion by the Data Subject, once the claim has been filed and the respective process has not been completed.
• Inform upon request of the Data Subject about the use given to his/her data.
• Inform the data protection authority when there are violations to the security codes and there are risks in the administration of the information of the Data Holders.
• Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
• SRF Consultores S.A.S. will use the personal data of the holder only for those purposes for which it is authorized and respecting in any case the current regulations on personal data protection.

4. PROCEDURE FOR HANDLING INQUIRIES, CLAIMS, REQUESTS AND COMPLAINTS.  

The procedure to make inquiries, requests, complaints and claims or to exercise the rights as owner or attorney-in-fact of personal data, will be by written communication or email, to the account (info@srfconsultores.com) or by personal presentation at the offices of SRF Consultores S.A.S.

After proving the identity or presenting a valid and complete authorization, SRF Consultores S.A.S. will process and for which it is required:  

• Full name of the owner and identification document.  
• Reply address or means by which you may receive a reply.  

For Inquiries  

The holder may consult his personal information, which is in the databases, maximum once a month and at no cost and which will be attended within ten (10) working days from the date of receipt, if for any reason the request cannot be attended, the holder or proxy will be informed within the same term, explaining the reasons why it has not been possible to deliver the information and will be informed of the new date to give the answer that may not exceed five (5) working days following the first expiration.  

Claims  

The claim shall include a detailed description of the facts that generate the non-conformity and accompanied by documents that the claimant wishes to assert.

If the information provided is incomplete, the holder or attorney-in-fact will be requested within five (5) days after receipt of the claim to complete or deliver the missing information. If after two (2) months from the date of the request, without the applicant submitting the required information, it will be understood that the claim has been abandoned. If the person who receives the claim is not competent to resolve it, he/she will transfer it to the corresponding person within a maximum term of two (2) working days and will inform the interested party of the situation.

The maximum term to address a claim is fifteen (15) business days from the day following the date of receipt. In case of any difficulty and it is not possible to attend the claim within the stipulated term, the holder or representative will be informed of the reasons for the delay and the new date on which the claim will be attended, which in no case may exceed eight (8) working days following the expiration of the first term.  

In order to attend to petitions, complaints and additionally updates, corrections, rectifications or suppression of data, they will be attended within fifteen (15) working days, counting from the day following the date of receipt. In case of any difficulty and it is not possible to attend them within the stipulated term, the holder or proxy will be informed of the reasons for the delay and the new date on which it will be attended, which in no case may exceed eight (8) working days following the expiration of the first term.  

5. DATA TRANSFER TO THIRD COUNTRIES  

The transfer of personal data of any kind to countries that do not provide adequate levels of data protection is prohibited. It is understood that a country offers an adequate level of data protection when it complies with the standards set by the Superintendence of Industry and Commerce on the matter, which in no case may be lower than those required by law to its recipients.  

This prohibition shall not apply in the case of:

• Información respecto de la cual el Titular haya otorgado su autorización expresa e inequívoca para la transferencia.  
• Exchange of medical data, when required for the Treatment of the Owner for reasons of public health or hygiene.  
• Bank or stock transfers, in accordance with the applicable legislation.  
• Transfers agreed upon within the framework of international treaties to which the Republic of Colombia is a party, based on the principle of reciprocity.  
• Transfers necessary for the execution of a contract between the Owner and the Data Controller, or for the implementation of pre-contractual measures, provided that the Owner’s authorization is obtained.  
• Transfers legally required to safeguard the public interest, or for the recognition, exercise or defense of a right in a judicial process.

6. MODIFICATIONS TO PERSONAL DATA PROCESSING POLICIES. 

SRF Consultores S.A.S. reserves the right to modify, at any time, unilaterally, its policies and procedures for the processing of personal data. Any changes will be published and announced. In addition, previous versions of this personal data processing policy will be kept.