comercial@pharex.co +57 (601) 411 9600
Contact us

Contact

Contact us

Data Protection

Notice of Privacy
Data processing authorization

 

CHAPTER 1: IDENTIFICATION OF THE PERSON RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA

COMPANY NAME: PHAREX S.A.

NIT: 830046411-3

ADDRESS: AV CL 12 NO 79 A - 25 BG 8-9

EMAIL: PROTECCIONDEDATOS@PHAREX.CO

WEB PAGE: www.pharex.co

PHONE: (1) 4119600

 

1.1) DESCRIPTION OF PRODUCTS AND SERVICES OFFERED BY PHAREX S.A.: PHAREX S.A. It is a company dedicated to:

Product storage.
Secondary conditioning.
Transportation services.
Sales of raw materials.
Third party service (Billing, quality inspection)
CHAPTER 2: LEGAL FRAMEWORK

2.1) APPLICABLE LEGISLATION: This Personal Data Processing Policy is prepared in accordance with current legislation and each of the provisions that establish the constitutional and legal right in terms of obtaining, registering, managing and processing personal data, in order to guarantee and protect the fundamental right of Habeas Data of customers, employees, suppliers, partners and in general of any natural person Owner of personal data.

The guidelines of this Policy are based on compliance with:

a) Political Constitution of Colombia, article 15.
b) Law 1266 of 2008 (Colombia)
c) Law 1581 of 2012 (Colombia)
d) Regulatory Decree 1727 of 2009 (Colombia)
e) Decree 2952 of 2010 that regulated Articles 12 and 13 of Law 1266 of 2008. (Colombia)
f) Decree 886 that regulated Article 25 of Law 1582 of 2012. (Colombia)
g) Partial Regulatory Decree 1377 of 2013. (Colombia)
h) Sentences C – 1011 of 2008, and C - 748 of 2011 of the Constitutional Court (Colombia).

CHAPTER 3: SCOPE OF APPLICATION

3.1) PURPOSE: This document complies with the provisions of literal k) of article 17 of Law 1581 of 2012, which regulates the duties of those Responsible for the Treatment of personal data, within which is that of adopt an internal manual of Policies and procedures to guarantee adequate compliance with the law and especially for the attention of queries and claims, as well as the provisions of article 13 of Decree 1377 of 2013 that establishes the obligation on the part of those responsible for the Treatment to develop its Policies for the Treatment of personal data and ensure that those in charge of the Treatment fully comply with them and Decree 886 of 2014 that regulates matters related to the National Registry of Databases.

PHAREX SA, who will act as Responsible for Personal Data, prepares these Policies of mandatory and strict compliance applicable to all personal data, information and files registered in any database owned by PHAREX SA, susceptible to Treatment and whose Holder is a natural person.

CHAPTER 4: DEFINITIONS

For the purposes of developing this Policy and in accordance with the regulations applicable to the matter, the following definitions contained in Law 1581 of 2012 and Chapter 25 of Decree 1074 of 2015 are adopted:

a) AUTHORIZATION: Prior, express and informed consent of the Holder to carry out the Processing of personal data.
b) PRIVACY NOTICE: Verbal or written communication generated by PHAREX S.A. addressed to the Holder of the personal data, in which he is informed of the existence of the Information Treatment Policies that will be applicable to him, the way to access them and the purposes of the Treatment that is intended to be given to the personal data.
c) DATABASE: Organized set of personal data that is subject to Treatment.
d) SUCCESSOR: Person who has succeeded another due to the latter's death (heir).
e) PERSONAL DATA: Any information linked to or that may be associated with one or more determined or determinable natural persons.
f) PRIVATE DATA: It is the data that due to its intimate or reserved nature is only relevant for its Owner.
g) SEMI-PRIVATE DATA: These are data that do not have an intimate, reserved, or public nature and whose knowledge or disclosure may be of interest not only to its Owner but to a group of people or society in general. For its Treatment, the express authorization of the Owner of the information is required (example: financial and credit data).
h) PUBLIC DATA: It is the data that is not semi-private, private or sensitive. Public data is considered, among others, data related to the marital status of people, their profession or trade and their quality as a merchant or public servant. Due to its nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins, and duly executed judicial decisions that are not subject to reservation.
i) SENSITIVE DATA: Sensitive data is understood to be those that affect the privacy of the Holder or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership of unions, social or human rights organizations or that promotes the interests of any political party or that guarantees rights and guarantees. Likewise, biometric data, sexual life and those related to health are part of this category.

j) DATA OF MINORS: Data of Minors is understood as the personal data of children and adolescents (under 18 years of age). These data may be processed to the extent that said Treatment responds to and respects the best interests of children and adolescents and ensures respect for their fundamental rights, for which the legal representative of the minor, (who exercises the parental authority), will grant authorization prior to the minor exercising their right to be heard.
k) DATA PROCESSING MANAGER: Natural or legal person, public or private, that by itself or in association with others performs the Processing of personal data on behalf of the Data Controller.
l) HABEAS DATA: It is the right of any person to know, update and rectify the information that has been collected about them in the database and in the files of public and private entities.
m) RESPONSIBLE FOR THE TREATMENT: Natural or legal person, public or private, that by itself or in association with others decides on the database and/or the Treatment of the data.
n) HOLDER: Natural person whose personal data is subject to Treatment.
o) TREATMENT: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.
p) TRANSFER: The transfer of data takes place when PHAREX S.A., located in Colombia, sends the information or personal data to a receiver, who in turn is Responsible for the Treatment and is located inside or outside the country.
q) TRANSMISSION: Processing of personal data that implies the communication of the same within or outside the territory of the Republic and whose purpose is to carry out a Processing by the person in charge on behalf of PHAREX S.A.

CHAPTER 5: GENERAL PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA

In the development, interpretation and application of Law 1581 of 2012 and the regulations that complement, modify or add to it, PHAREX S.A., will act in all collection, handling and deletion of personal data and will apply the following principles in a harmonic and comprehensive manner:

5.1) PRINCIPLE OF LEGALITY REGARDING DATA PROCESSING: For the processing of personal data, PHAREX S.A. It will be subject to the provisions of Law 1581 of 2012 and the other provisions that develop it.

5.2) PRINCIPLE OF PURPOSE: PHAREX S.A. will inform the Holder in a concrete, precise and prior manner of the purpose of the Treatment given to personal data, which must be legitimate in accordance with the Political Constitution and the law.

5.3) PRINCIPLE OF FREEDOM: PHAREX S.A. will only exercise the Treatment of personal data with the prior, express and informed consent of the Owner. Personal data may not be obtained or disclosed without prior authorization or in the absence of a legal, statutory or judicial mandate that reveals consent.

5.4) PRINCIPLE OF TRUTH OR QUALITY: The information subject to Treatment by PHAREX S.A. of personal data must be true, complete, accurate, updated, verifiable and understandable. The Processing of partial, incomplete, fragmented or misleading data is prohibited.

5.5) PRINCIPLE OF TRANSPARENCY: In the Processing, the Holder's right to obtain from PHAREX S.A., at any time and without restrictions, information about the existence of data that concerns him must be guaranteed. The Processing of partial, incomplete, fragmented or misleading data is prohibited. By virtue of this principle, PHAREX S.A. must offer at least the following information to the Holder:

a) The purpose of the processing of personal data.
b) To whom the data may be disclosed
c) How the Holder can exercise any right granted by data protection legislation.
d) All other information necessary for the fair processing of the data.

5.6) PRINCIPLE OF ACCESS AND RESTRICTED CIRCULATION: Personal data, except public information, may not be available on the internet or other means of disclosure or mass communication, except those whose access is technically controllable to provide restricted knowledge only to the Holders. or authorized third parties.
5.7) PRINCIPLE OF SECURITY: The information subject to Treatment by PHAREX S.A. will be protected through the use of technical, human and administrative measures that provide security to the records, avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.

5.8) PRINCIPLE OF CONFIDENTIALITY: The people who intervene in the processing of personal data, which are not of a public nature, are obliged to guarantee the confidentiality of the information provided. Even after the end of their relationship with any of the tasks included in the Treatment, they can only supply or communicate personal data when this corresponds to the development of activities authorized by law.

5.9) PRINCIPLE OF FACILITATION: The Treatment Managers must facilitate the exercise of the right of access to information, excluding demands or requirements that may obstruct or prevent it.

5.10) PRINCIPLE OF NON-DISCRIMINATION: PHAREX S.A., as Data Controller, must provide information to all Holders who request it, under equal conditions and without making arbitrary distinctions.

5.11) PRINCIPLE OF INTEGRAL INTERPRETATION OF CONSTITUTIONAL RIGHTS: The rights of the Holder will be interpreted in harmony and in a balanced plane with the right to information provided for in article 15 of the Political Constitution of Colombia and with the applicable constitutional rights such as Habeas data, the right to a good name, the right to honor and the right to privacy, among others.

5.12) PRINCIPLE OF SPEED: This principle seeks agility in the process and administrative management.

CHAPTER 6: RIGHTS THAT ASSIST THE HOLDER OF THE PERSONAL DATA

The Holders of the personal data contained in the databases held by PHAREX S.A. have the rights described in this section in compliance with the fundamental guarantees enshrined in the Political Constitution and Statutory Law 1581 of 2012 (Colombia).

The exercise of Habeas Data expressed in these rights will be free and unlimited by the Holder of the personal data, without prejudice to legal provisions that regulate the exercise of the same.

6.1) RIGHT OF ACCESS: This right includes the power of the Owner of the data to have free access and to obtain all the information regarding their own personal data, whether partial or complete, and the Treatment applied to them, the purpose of the Treatment and the location of the databases that contain your personal data.

6.2) RIGHT TO UPDATE: The Owner has the right to update their personal data when they have had some variation.

6.3) RIGHT TO RECTIFICATION: The Owner of the personal data has the power to request the rectification of the data that is inaccurate, incomplete or non-existent.

6.4) RIGHT OF CANCELLATION: The Owner of the data has the right to cancel their personal data or delete them when they are excessive, not pertinent or the Treatment is contrary to the regulations, except in those cases contemplated as exceptional by law or contractually agreed in contrary.

6.5) RIGHT TO REVOCATION OF CONSENT: The Holder of the personal data has the right to revoke the consent or authorization that enables PHAREX S.A. for a Treatment with a certain purpose, except in those cases considered as exceptional by law or contractually agreed otherwise.

6.6) RIGHT TO OPPOSITION: Includes the power of the Data Owner to oppose the Processing of their personal data, except in cases where such right does not proceed by legal provision or because it violates general interests superior to particular interest.

6.7) RIGHT TO SUBMIT COMPLAINTS AND CLAIMS OR TAKE ACTION: The Owner of the personal data has the right to submit complaints and claims to the Superintendence of Industry and Commerce or to the competent entity, as well as the actions that are relevant for the protection of your data. Prior to this, he must have exhausted the exercise of his right against PHAREX S.A. in accordance with Law 1581 of 2012.

6.8) RIGHT TO GRANT AUTHORIZATION FOR DATA PROCESSING: Pursuant to the principle of informed consent, the Owner of the data has the right to grant their authorization, by any means that may be subject to subsequent consultation, to process their personal data at PHAREX S.A.

Exceptionally, this authorization will not be required in the following cases:

a) When required by a public or administrative entity in compliance with its legal functions or by court order.
b) In the case of data of a public nature.
c) In case of medical or health emergency.
d) When it is Treatment of information authorized by law for historical, statistical or scientific purposes.
e) In the case of personal data related to the civil registry of persons.
In these cases, although the authorization of the Owner is not required, the other principles and legal provisions on the protection of personal data will apply.

6.9) RIGHTS OF CHILDREN AND ADOLESCENTS: The rights of children or adolescents will be exercised by the people who are empowered to represent them. In the Treatment, respect for the prevailing rights of children and adolescents will be ensured.

The Treatment of personal data of children and adolescents is prohibited, except for those data that are of a public nature.

It is the task of the State and educational entities of all kinds to provide information and train legal representatives and guardians on the possible risks that children and adolescents face regarding the improper treatment of their personal data, and provide knowledge about the responsible and safe use by children and adolescents of their personal data, their right to privacy and protection of their personal information and that of others.

6.10) PERSONS AUTHORIZED TO EXERCISE THE RIGHTS: They may be exercised by the following persons:

• By the Holder, who must sufficiently prove her identity by the different means made available by the Responsible.
• By the representative and/or proxy of the Holder, prior accreditation of the representation or proxy.
• By stipulation in favor of another or for another.
• Due to the death of the Holder of the personal data (causable holder).

CHAPTER 7: DUTIES OF THE CONTROLLER AND THE DATA PROCESSOR AND SECURITY MEASURES

PHAREX S.A. will be responsible for the processing of personal data.

PHAREX S.A. will designate the areas and officials in charge of the Treatment and management of the databases where personal data is collected on behalf of PHAREX SA, who will be provided with information on each client, employee, supplier, partner and in general of any natural person to which data has been registered and that rests in a database, processing each of the obligations and rights that protect the Holder, in accordance with Law 1581 of 2012.

7.1) DUTIES FOR THOSE RESPONSIBLE FOR THE PROCESSING OF DATA: PHAREX SA, acting as Responsible for the Treatment of personal data, is obliged to comply with the duties and commandments imposed by the applicable regulations regarding the matter, without prejudice to the provisions set forth in this law and others that govern its activity:

a) Know this Policy and apply it in what corresponds to them.
b) Guarantee the Holder at all times the full and effective exercise of the right of Habeas data.
c) Request and keep, under the conditions set forth herein, a copy of the respective authorization granted by the Holder.
d) Clearly inform the Holder about the purpose of the collection and the rights that assist him by virtue of the authorization granted and the use that will be given to his personal data.
e) Keep the information under security conditions that prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
f) Guarantee that the information is truthful, complete, exact, up-to-date, verifiable and understandable.
g) Update the information, thus attending to all the news regarding the Holder's data. Additionally, all measures must be implemented so that the information is kept up to date.
h) Rectify the information when it is incorrect and communicate what is pertinent.
i) Process the queries and claims made by the Holders of the information in the terms indicated in the applicable legislation.
j) Ensure that the principles of truthfulness, quality, security and confidentiality are followed in the terms established in this Policy.
k) Respect the security and privacy conditions of the Holder's information and inform the Superintendence of Industry and Commerce and the data protection authority when there is a violation of its security and when there are risks in the administration of the information .
l) Allow access to information only to people who can have access to it.
m) Ensure the proper use of the personal data of children and adolescents in those cases in which the authorization of the Treatment of their data is carried out.
n) Comply with the requirements and instructions issued by the Superintendency of Industry and Commerce on the particular subject.
o) Refrain from circulating information that is being controversial by the Holder and whose blocking has been ordered by the Superintendence of Industry and Commerce.
p) Use only data whose Treatment is previously authorized in accordance with the provisions of Law 1581 of 2012.
q) PHAREX S.A. will use the personal data of the Holder only for those purposes for which it is duly empowered and respecting in all cases the current regulations on personal data protection.

7.2) DUTIES FOR THOSE IN CHARGE OF PERSONAL DATA PROCESSING: When PHAREX S.A. or any of the recipients of this rule assumes the quality of Person in Charge of the Processing of personal data, under their custody they must comply with the following duties, without prejudice to the other provisions provided by law and in others that govern their activity:

a) Know this Policy and apply it in what corresponds to them.
b) Guarantee the Holder, at all times, the full and effective exercise of the right of Habeas Data.
c) Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
d) Carry out timely updating, rectification or deletion of data under the terms of the law.
e) Update the information reported by the Treatment Managers within five (5) business days from its receipt.
f) Process the queries and claims made by the Holders in the terms indicated in this regulation and in the law.
g) Carry out a database control of the claims that are in process in relation to the personal information that is discussed or questioned by the Holders, in accordance with the way in which it is regulated by law.
h) Carry out a control, registering by database the claims on Habeas Data that are in judicial discussion once it is notified by the competent authority of the judicial process related to the quality of the personal data.
i) Refrain from circulating information that is being controversial by the Holder and whose blocking has been ordered by the Superintendence of Industry and Commerce or by another competent authority.
j) Allow access to information only to people who can have access to it.
k) Inform the Superintendency of Industry and Commerce when there are violations of the "Security Codes" and there are risks in the administration of the Holders' information.
l) Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.
m) Use the personal data of the Holder only for those purposes for which it is duly empowered and respecting in all cases the current regulations on personal data protection.

7.3) SECURITY MEASURES: In compliance with the security principle established in the current Law 1581 of 2012, PHAREX S.A. will adopt the technical, human and administrative measures that are necessary to provide security to the records, avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access by third parties. PHAREX S.A. will adopt a general guideline on these measures that will be mandatory compliance by the recipients of these Policies.

In addition to the duties described above at the head of PHAREX S.A. and of any other person who assumes their status as Responsible or in Charge of the Treatment, in a complementary manner will assume the following duties whatever their condition:

a) Apply security measures in accordance with the classification of personal data processed by PHAREX S.A.
b) Apply the personal data protection standard in harmony with the information security procedures defined in PHAREX S.A.
c) Securely manage databases containing personal data.
d) Securely manage access to the personal databases contained in the information systems, in which it acts as Responsible or Responsible for Treatment.
e) Periodically audit compliance with the standard by the recipients of the same.
f) Keep a central registry of the databases that contain personal data that includes the history since its creation, Treatment of the information and cancellation of the database.
g) Have a procedure to manage security incidents regarding databases containing personal data.
h) Adopt disaster recovery procedures applicable to databases containing personal data.
i) Adopt backup or backup procedures for databases that contain personal data.
j) Regulate access to databases containing personal data in contracts with third parties.

PHAREX S.A. states that some of its portals may contain links to third-party web pages over which it has no control or management, for this reason it is not responsible for the content, privacy policies, security and / or handling of personal data that are established in them, being the obligation of the Owner of the personal data to know in the respective portals the Policies related to the protection and Treatment of their information.

CHAPTER 8: NATIONAL REGISTRY OF DATABASES - RNBD

8.1) DEFINITION OF THE NATIONAL DATABASE REGISTRY - RNBD: The National Database Registry - RNBD is the public directory of databases subject to Processing that operates in the country and will be administered by the Superintendency of Industry and Commerce and will be free consultation for citizens.

PHAREX S.A., as Responsible for the Processing of personal data in its custody, will register its databases and/or Policies before the Superintendency of Industry and Commerce, the competent administrative authority, at the time and place established by it.

8.2) REGISTRATION OF THE DATABASES IN THE NATIONAL REGISTRY OF DATABASES - RNBD: The registration of the databases in the RNBD will allow:

a) Register all personal databases contained in the information systems and other files of PHAREX S.A.. Each database will be assigned a name and file number.
b) The registration of personal databases will indicate:
I) The type of personal data it contains
II) The purpose and intended use of the database
III) Identification of the area of ​​PHAREX S.A. What does the treatment of the database do?
IV) Treatment System used (automated or manual) in the database
V) Indication of the level and security measures that apply to the database by virtue of the type of personal data it contains
VI) Location of the database in the information systems of PHAREX S.A.
VII) The group of people or interest group whose data is contained in the database
VIII) The condition of PHAREX S.A. as Responsible and/or Responsible for the Treatment of the databases
IX) Authorization for communication or assignment of the database, if any
X) Origin of the data and procedure for obtaining consent
XI) Employee of PHAREX S.A. database custodian
XII) The other requirements that are applicable according to the regulations of the law that will be issued
c) Register, for purposes of compliance and auditing, the changes made in the personal database in relation to the aforementioned requirements. In the event that the databases have not undergone changes, this will be recorded by the custodian of the same.
d) Document the occurrence and history of security incidents that occur against any of the personal databases guarded by PHAREX S.A.
e) The registry will indicate the sanctions that may be imposed with respect to the use of the personal database, indicating its origin.
f) The cancellation of the personal database will be registered indicating the reasons and the technical measures adopted by PHAREX S.A. to make the cancellation effective.

8.3) UPDATE OF THE INFORMATION CONTAINED IN THE NATIONAL REGISTRY OF DATABASES - RNBD: The information contained in the RNBD will be updated, according to the following indications:

a) Within the first ten (10) business days of each month, from the registration of the database, when substantial changes are made to the registered information.
b) Annually, between January 2 and March 31, starting in 2018.
c) Within the first fifteen (15) business days of the months of February and August of each year, from their registration, the Treatment Managers will update the information of the claims presented by the Holders.

Substantial changes are those related to the purpose of the database, the Person in Charge of the Treatment, the channels of attention to the Owner, the classification or types of personal data stored in each database, the information security measures implemented , the Information Processing Policy and the transfer and international transmission of personal data.

CHAPTER 9: AUTHORIZATION AND PRIVACY NOTICE

9.1) AUTHORIZATION AND CONSENT OF THE HOLDER: The collection, storage, Treatment, circulation, disclosure and deletion of personal data by PHAREX S.A. requires the free, prior, express and informed consent of the Holder of the personal data for the Treatment of the same, except in the cases expressly authorized by law, namely:

a) Information required by a public or administrative entity in the exercise of its legal functions or by court order.
b) Data of a public nature.
c) Cases of medical or health emergency.
d) Treatment of information authorized by law for historical, statistical or scientific purposes.
e) Data related to the Civil Registry of Persons.

With the consented authorization procedure, it is guaranteed that the Holder of the data has been informed that his personal information will be collected and used for certain and known purposes, and the right that assists him to request access, updating, rectification and elimination of your personal data at any time, through the mechanisms made available by PHAREX SA The foregoing in order for the Owner to make informed decisions regarding their personal data and control the use of their personal information.

The authorization is a statement that informs the Owner of the personal data:

a) Who collects his personal information (Responsible or Manager).
b) What it collects (data that is collected).
c) For what purpose the data is captured.
d) How to exercise rights of access, correction, updating or deletion of the personal data provided.
e) Informs the Owner that because it is sensitive data (if applicable), he is not obliged to authorize its Treatment.

9.2) MANIFESTATION OF THE AUTHORIZATION: The authorization to PHAREX S.A. for the Treatment of personal data will be granted by: The Holder, who must prove his identity in a sufficient manner by the different means made available by PHAREX S.A. The successors in title of the Holder, who must prove such quality. The representative and/or proxy of the Holder prior accreditation of the representation or power of attorney. Other that the Holder has stipulated.

9.3) MEANS FOR OBTAINING THE AUTHORIZATION BY THE HOLDER: The authorization may consist of a physical, electronic document or in any other format that guarantees its subsequent consultation, or through a suitable technical or technological mechanism through which it can be concluded unequivocally that if the Holder's conduct had not been provided, the data would never have been collected and stored in the database. In accordance with the provisions of Law 1581 of 2012 and Decree 1377 of 2013, the format for the authorization will be prepared by PHAREX S.A. and made available to the Holder prior to the processing of his personal data. For Holders who are already registered in the PHAREX S.A. database. will notify the Holders to send it.

PHAREX S.A. will do what is necessary to keep the authorization records of the Holders of personal data updated and safeguarded.

9.4) PROOF OF AUTHORIZATION: PHAREX S.A. will keep proof of the authorization granted by the Holders of the personal data for its Treatment, for which it will adopt the necessary actions to maintain records or suitable technical or technological mechanisms to determine when and how it was obtained. Consequently, PHAREX S.A. may establish physical files or electronic repositories made directly or through third parties hired for this purpose.

9.5) REVOCATION OF THE AUTHORIZATION: The Owners of the personal data may at any time revoke the authorization granted to PHAREX S.A. for the Treatment of your personal data or request the deletion of the same, as long as it is not prevented by a legal or contractual provision. PHAREX S.A. will establish simple and free mechanisms that allow the Holder to revoke his authorization or request the deletion of his personal data, at least by the same means by which he granted it.

9.6) PRIVACY NOTICE: It is the physical, electronic document or in any other format that is made available to the Owner for the Treatment of their personal data no later than the time of data collection. PHAREX S.A., through this document, informs the Owner of the existence of the Information Processing Policies that will be applicable to them, the way to access them and the characteristics of the Treatment that is intended to be given to their personal data.

9.7) MINIMUM CONTENT OF THE PRIVACY NOTICE: The Privacy Notice must contain at least the following information:

• The identity, address and contact information of PHAREX S.A., Responsible for the Treatment.
• The type of Treatment to which the data will be submitted and its purpose.
• The rights that assist the Holder.
• The general mechanisms arranged by PHAREX S.A. so that the Holder knows and accesses the Information Treatment Policy and the modifications or substantive changes that occur in it or in the corresponding Privacy Notice.

Notwithstanding the foregoing, when sensitive personal data is collected, the Privacy Notice will expressly indicate the optional nature of the response to questions that deal with this type of data.

9.8) PRIVACY NOTICE AND INFORMATION PROCESSING POLICIES: PHAREX S.A. will keep the model of the Privacy Notice that was transmitted to the Holders while the processing of personal data is carried out and the obligations derived from it endure; for the storage of the model, PHAREX S.A. may use computer, electronic or any other technology that it deems useful for said purposes.

CHAPTER 10: TREATMENT AND COLLECTION OF PERSONAL DATA

10.1) COLLECTION OF PERSONAL DATA: The provision and collection of data and Treatment authorizations by the Holders will be carried out through one of the following channels: By telephone, in writing, verbally or by electronic means such as the email of PHAREX SA or the email of the person in charge of processing the data that PHAREX S.A. appoint.

10.2) PROCESSING OF PERSONAL DATA: The data collected and the authorizations will be stored in the databases of PHAREX S.A. and will remain in their custody under generally accepted conditions of suitability, confidentiality and security. Only personnel authorized by PHAREX S.A. or the person in charge of the treatment that PHAREX S.A. designate, you will be able to access these Databases. The access and security protocols that are considered standard in these activities will be observed to avoid the violation or manipulation of the information collected.

Notwithstanding the foregoing, PHAREX S.A. may operate the databases through a Data Processing Manager, in which case, it will inform the Holders of the information that these Policies will be extended and, therefore, will be applicable to such Manager, so that the Holder can exercise the rights conferred by law, both against PHAREX SA as in front of the Person in Charge of the Treatment designated by it.

The Treatment of the personal data of clients, employees, suppliers, partners or of any person with whom PHAREX S.A. has established or establishes a permanent or occasional relationship, it will be done within the regulatory framework established in Law 1581 of 2012 and Decree 1377 of 2013. In any case, personal data may be collected and processed to:

a) Develop the mission of PHAREX S.A. in accordance with its corporate purpose.
b) Being able to provide services and comply with the commitments with its customers, employees, suppliers and partners.
c) Comply with the regulations applicable to suppliers and contractors, including, but not limited to, tax and commercial regulations.
d) Comply with the provisions of the Colombian legal system in labor and social security matters, among others, applicable to employees, former employees, current employees and candidates for future employment.
e) Comply with all contractual commitments.

10.3) PROCESSING OF SENSITIVE DATA: The processing of sensitive data is prohibited, except when:

a) The Holder has given his explicit authorization to said Treatment, except in cases where the granting of said authorization is not required by law.
b) The Treatment is necessary to safeguard the vital interest of the Holder and he is physically or legally incapacitated. In these events, the legal representatives must grant their authorization.
c) The Treatment is carried out in the course of legitimate activities and with due guarantees by a foundation, NGO, association or any other non-profit organization, whose purpose is Political, philosophical, religious or trade union, provided that it is refer exclusively to its members or to people who maintain regular contact by reason of its purpose. In these events, the data may not be provided to third parties without the authorization of the Owner.
d) The Treatment refers to data that is necessary for the recognition, exercise or defense of a right in a judicial process.
e) The Treatment has a historical, statistical or scientific purpose. In this event, the measures leading to the suppression of the identity of the Holders must be adopted.

CHAPTER 11: INTERNATIONAL AND DOMESTIC TRANSFERS AND TRANSMISSIONS OF PERSONAL DATA

11.1) INTERNATIONAL TRANSFER OF PERSONAL DATA: When data is sent or transferred to another country, it will be essential to have the authorization of the Holder of the information that is the subject of transfer. Unless the law says otherwise, it is a necessary premise and presupposition of said authorization to carry out the international circulation of data. In this sense, before sending personal data to Treatment Managers located in another country, those obliged to comply with this Policy must verify that they have the prior, express and unequivocal authorization of the Owner that allows their personal data to be transmitted.

11.2) INTERNATIONAL AND NATIONAL TRANSMISSIONS OF DATA TO MANAGERS: When the Data Controller wishes to send or transmit data to one or several Processors located within or outside the territory of the Republic of Colombia, it must by means of contractual clauses or through a data transmission contract. personal data stipulate the following:

a) The scope of the Treatment.
b) The activities that the Processor will carry out on behalf of the Data Controller.
c) The obligations that must be fulfilled by the Manager with respect to the Owner of the data and the Responsible for the Treatment.
d) The obligation of the Person in Charge to comply with the obligations of the Person in Charge by observing this Policy.
e) The duty of the Person in Charge to treat the data in accordance with the authorized purpose for the same and observing the principles established in Colombian law and this Policy.
f) The obligation of the Person in Charge to adequately protect personal data and databases as well as to maintain confidentiality regarding the Treatment of transmitted data.

CHAPTER 12: HABEAS DATA PROCEDURE - RIGHT OF ACCESS, CONSULTATION AND CLAIM

12.1) RIGHT OF ACCESS: The power of disposition or decision that the Holder has over the information that concerns him necessarily entails the right to access and know if his personal information is being processed as well as the scope, conditions and generalities of said Treatment.

PHAREX S.A. will guarantee the right of access when prior accreditation of the identity of the Holder or personality of his representative, the detail of the personal data is made available to him free of charge through physical or electronic means that allow the Holder direct access to them. Said access must be offered without a term limit and must allow the Holder the possibility of knowing and updating them.

12.2) INQUIRIES: In accordance with the provisions of article 14 of Law 1581 of 2012 and article 21 of Decree 1377 of 2013, the Holders or their successors in title may consult the personal information of the Holder that rests in any database. Consequently, PHAREX S.A. will guarantee the right to consultation by providing the Holders with all the information contained in the individual record or that is linked to the identification of the Holder.

For the attention of personal data queries PHAREX S.A. guarantees:

a) Enable electronic means of communication or others that it considers pertinent.
b) Establish forms, systems and other simplified methods for dealing with queries.
c) Use the customer service or claims services that are in operation.
In any case, regardless of the mechanism implemented to attend consultation requests, they will be attended to within a maximum term of ten (10) business days from the date of receipt. When it is not possible to attend the query within said term, the interested party will be informed before the expiration of ten (10) days, stating the reasons for the delay and indicating the date on which his query will be attended, which in no case may exceed the five (5) business days following the expiration of the first installment. Queries may be made to the email PROTECCIONDEDATOS@PHAREX.CO.

12.3) CLAIMS: In accordance with the provisions of article 14 of Law 1581 of 2012, the Holder or his successors in title who consider that the information contained in a database should be subject to correction, updating or deletion, or when they notice the alleged Failure to comply with any of the duties contained in this law, may file a claim with the Data Controller, which will be processed under the following rules:

1. The claim will formulate the request to the Treatment Manager or Treatment Manager with the identification of the Holder, the description of the facts that give rise to the claim, the address and accompanying the documents that you want to assert. If the claim is incomplete, the interested party will be required within five (5) days after receiving it to correct the faults. After two (2) months from the date of the request without the applicant submitting the required information, it will be understood that he has withdrawn the claim. In the event that the person receiving the claim is not competent to resolve it, it will be forwarded to the appropriate person within a maximum term of two (2) business days and the interested party will be informed of the situation.

2. Once the complete claim has been received, PHAREX S.A. will register, in the database that it maintains to attend the claims, in a term not exceeding two (2) business days, the claim "As a claim in process", indicating the reason for it. Said claim must be maintained until it is decided.

3. The maximum term to address the claim will be fifteen (15) business days from the day following the date of receipt. When it is not possible to attend to it within said term, the interested party will be informed before the expiration of the aforementioned period of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.
The claim by the Holder, his representatives or heirs may be made by means of a request addressed to PHAREX S.A. to the email PROTECCIONDEDATOS@PHAREX.CO.

12.4) PROCEDIBILITY REQUIREMENT: The Holder or successor in title may only file a complaint with the Superintendence of Industry and Commerce once they have exhausted the query or claim process before the Data Controller or Data Processor.

12.5) IMPLEMENTATION OF PROCEDURES TO GUARANTEE THE RIGHT TO SUBMIT CLAIMS: The Holder has the right to request PHAREX S.A. the rectification of your personal data in case of being inaccurate or incomplete, to update them and to cancel them when they are not being used in accordance with legal or contractual purposes and terms or according to the purposes and terms contemplated in this Data Treatment Policy. The Holder must indicate the corrections to be made and provide the documentation that supports his request.

The rights of rectification, update or deletion may be exercised by:

a) The Holder or his heirs, after proof of her identity, or through electronic instruments that allow her to identify herself.
b) By the representative and/or proxy of the Holder, prior accreditation of the representation or power of attorney.
c) By stipulation in favor of another or for another.
d) The rights of children or adolescents will be exercised by the people who are empowered to represent them.

When the request is made by a person other than the Holder and it is not proven that the same acts on behalf of the former, it will be considered as not submitted.

The request for rectification, updating or deletion must be submitted through the means authorized by PHAREX S.A. indicated in the privacy notice and contain, at a minimum, the following information:

a) The name and address of the Holder or any other means to receive the response.
b) Documents proving the identity or personality of its representative.
c) The clear and precise description of the personal data with respect to which the Holder seeks to exercise any of the rights.
d) Where appropriate, other elements or documents that facilitate the location of personal data.

12.6) DELETION OF DATA: The Holder has the right, at any time, to request PHAREX S.A. the total or partial deletion (elimination) of your personal data from the records, files, databases or Treatments carried out by PHAREX S.A. when:

a) Consider that they are not being treated in accordance with the principles, duties and obligations set forth in Law 1581 of 2012 and Decree 1377 of 2013.
b) They have ceased to be necessary or pertinent for the purpose for which they were collected.
c) The period necessary for the fulfillment of the purposes for which they were collected has been exceeded.

It is important to bear in mind that the cancellation right is not absolute and the Responsible Party can deny the exercise of the same when:

a) The Holder has a legal or contractual duty to remain in the database.
b) The elimination of data hinders judicial or administrative actions related to tax obligations, the investigation and prosecution of crimes or the updating of administrative sanctions.
c) The data is necessary to protect the legally protected interests of the Holder, to carry out an action based on the public interest, or to comply with an obligation legally acquired by the Holder.
d) If the cancellation of personal data is appropriate, PHAREX S.A. you must operationally perform the suppression in such a way that the elimination does not allow the recovery of the information.
CHAPTER 13: FINAL PROVISIONS

13.1) PERSONS AND AREAS RESPONSIBLE FOR THE PROTECTION OF PERSONAL DATA: PHAREX S.A. will designate the officials and areas responsible for them to comply with the function of Treatment and protection of personal data. Said officials and areas will process the requests of the Holders for the exercise of the rights of access, consultation, rectification, updating, deletion and revocation referred to in Law 1581 of 2012.

PHAREX S.A. designates the Administration area as Responsible for the adoption and implementation of the obligations set forth in Law 1581 of 2012.

13.2) VALIDITY: This Policy was approved after the issuance of Law 1581 of 2012 and recently modified to incorporate some aspects established by Decree 1377 of June 27, 2013, which is why it became effective as of June 27. of 2013.

The validity of the database will be the reasonable and necessary time to fulfill the purposes of the Treatment taking into account the provisions of article 11 of decree 1377 of 2013.