Personal data processing policy

Process: LEGAL MANAGEMENT

Document approved by

  Revised Approved
Name  Adriana García Andres Quinter
Position Senior Counsel Chief Legal Office
Date 01/12/2022 12/12/2022
 

1. Index

The Personal Data Processing Policy The Personal Data Processing Policy 3.1. Definitions 3.2. Principles for the processing of data 3.3 Responsible 3.4. Dabase content 3.5 Treatment 3.6 Processing of sensitive data and data on children and adolescents 3.7 Purposes for the processing of sensitive data and data on children adolescents 3.8 Transfer and transmission of personal data 3.9 Purposes of treatment 3.10 Rights of holders 3.11 Company oblications 3.12 Responsible Area and Channels of Care 3.13 Persons who may exercise the rights of the owner 3.14 Producers of presentation and answer a inquiries 3.15 Procedures of presentation and answer complaints and grievances 3.16 Database lifetime

2. History of versions

Date Version Author Description
18/02/2016 01 Lina Marcela Lozano Carvajal Creating the Document
11/12/2018 02 Risks & Processes The document is updated due to the change of company name by adjusting “Sophos Banking” by “Sophos Solutions”.
24/04/2019 03 Risks & Processes Biometric information is included
23/10/2019 04 Risks & Processes Document is updated due to corporate image logo change
18/12/2020 05 Legal Area The document is updated in relation to the purposes for processing. This version shall apply from 20 November 2020.
13/12/2022 06 Adriana García The policy is updated and supplemented by attending to the processing of data in subsidiaries, purposes, responsibilities and responsibilities, procedures
 

The Personal Data Processing Policy of SOPHOS SOLUTIONS (“The Company” and/or “SOPHOS”), establishes the general guidelines for the proper handling of personal data collected by The Company, which may or may not be incorporated into databases, on which Sophos has the capacity of responsible for the information.

In this way, SOPHOS has defined the following Objectives:

Establish the criteria for the collection, storage, use, circulation, deletion, processing, compilation, exchange, processing, updating and transfer of the data that have been provided and that have been incorporated in different databases or in electronic repositories of all types that SOPHOS has because of its activities.

 

Establish the responsibilities of SOPHOS and its data controllers with regard to the processing of personal data.

 

Communicate the purposes for which the processing of information is carried out, as well as the rights of the holders of the information and the procedures to exercise them.

 

Establish appropriate measures to ensure the processing of personal data in a secure, confidential and subject to the determined purpose, compliance with applicable regulations and in accordance with the provisions of Law 1581 of 2012 of the Republic of Colombia.
  • Authorization: Free, unequivocal, prior, tacit or express and informed consent of the Owner to carry out the processing of personal data.
  • Privacy Notice: Verbal or written communication generated by the data controller, aimed at the Data Controller for the processing of your personal data, by which you are informed about the existence of the information processing policies that will be applicable to you, the way of accessing them and the purposes of the processing that is intended to give the personal data.
  • Database: An organized set of personal data that is a subject to Treatment.
  • Personal Data: Any information linked or which may be associated with one or more specific or determinable natural persons.
  • Public Data: Is data that is not semi-private, private or sensitive.
  • Sensitive Data: Sensitive data means data that affect the privacy of the Owner or whose misuse may lead to discrimination. Sensitive personal data may be considered as including but not limited to those that may reveal such things as: ethnic or racial origin, religious beliefs, political opinions, sexual orientation, genetic or biometric data, health status.
  • Data Controller: Any natural or legal person, public or private, who alone or in association with others, carries out the processing of personal data on behalf of the controller of the processing.
  • Recipient of Personal Data: Natural or legal person, including subsidiaries, related or similar, customers, as well as public entities that could receive data in case of transfer or transmission, either as manager or responsible for the database.
  • Data Controller: Natural or legal person, public or private, who alone or in association with others, decides on the database and / or the treatment of the data.
  • Owner: Natural person whose personal data are subject to processing.
  • Transfer: The transfer of data takes place when the controller and / or Processor of the personal data, located in Colombia, sends the information or personal data to a recipient, who is in turn Responsible for the processing and is located in or outside the country, likewise it will be understood in this case the transfer of information between the companies belonging to the SOPHOS group.
  • Transmission: Processing of personal data that involves the communication of these inside or outside the territory of the Republic of Colombia when it has the purpose of carrying out a processing by the Controller on behalf of the responsible, likewise the transmission of information between the companies belonging to the SOPHOS group will be understood in this case.
  • Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.

SOPHOS shall apply the following principles for the processing of data:

 

  • Principle of legality in matters of data processing: The processing of information will be governed by the provisions of the regulations governing the matter.
  • Purpose principle: The processing of data subject to this policy is for a legitimate purpose and compatible with the purposes for which they were requested.
  • Principle of freedom: Processing shall only be carried out with the prior, tacit, authentic expressed or informed consent of the holder. The data will be collected without deception, falsehood and without using fraudulent, unfair or illicit means.
  • Principle of transparency: The right of the holder to obtain from SOPHOS, at any time and without restrictions, information about the existence of data concerning him or her should be guaranteed in the processing. Any information or communication to the holder shall be in clear language, and the holder shall be kept informed of all his rights as a holder.
  • Principle of access and restricted circulation: Personal data, except public information, may not be available on the Internet or other means of mass disclosure or communication, unless access is technically controllable to provide restricted knowledge only to the holders or third parties authorized by them.
  • Principle of truthfulness or quality: The information subject to treatment will be considered truthful, complete, accurate, updated, verifiable and understandable.
  • Principle of security: The information subject to processing by the Company, will be subject to protection, to the extent that the technical resources of SOPHOS allow, through the adoption of technological measures of protection and all kinds of administrative measures that are necessary to grant security to the records avoiding their adulteration, loss, consultation, and in general any use or access not authorized.
  • Principle of confidentiality: All persons involved in the processing of personal data that are not public, undertake to keep and maintain them strictly confidential and not to disclose them to third parties, and only to provide or communicate personal data where appropriate. People involved in the processing of personal data will maintain the reservation even after their relationship with any of the tasks covered by the processing has ended.

The controller of the databases is SOPHOS SOLUTIONS S.A.S., a commercial company duly incorporated and domiciled in Bogota D.C., with the following contact details:

 

Main Office: Cr 11 # 71 – 73 – Office 404, Bogota D.C.
Phone: 7433001 Ext. 1041
Email: habeasdata@sophossolutions.com

 

The data collected by the companies linked to the SOPHOS Group will be treated in accordance with this policy, taking into account that it is possible that the information will be stored in the Databases managed, stored or processed by Sophos Solutions S.A.S

In SOPHOS databases, general information such as full name, identification number and type, gender, image or any other physical trait that may be recorded in audio, photographs and video recording, fingerprint, signature and contact data (e-mail, physical address, landline and mobile phone) may be stored. In addition to these, The Company may collect data related to information about employment history, academic background, and sensitive data required by the nature of the employment relationship and/or for security reasons.

The information contained in the SOPHOS databases is subject to different forms of processing, such as collection, exchange, updating, processing, reproduction, compilation, storage, use, systematization and organization, all of them partially or totally in compliance with the purposes established here.

 

The information may be delivered, transmitted or transferred to public entities, business partners, contractors, affiliates, subsidiaries, solely for the purpose of fulfilling the purposes of the corresponding database. In any case, the delivery, transmission or transfer shall be made after underwriting the commitments that are necessary to safeguard the confidentiality and security of the information.

In the processing of sensitive data, SOPHOS will strictly observe the limitations and obligations established by the Law and other concordant rules. Therefore, in case of sensitive data processing, SOPHOS will ensure that:

  • Obtain the express consent of the owner.
  • Inform the data controller that, because sensitive data are involved, he is not obliged to authorize their processing.
  • • To inform the holder explicitly and in advance, which of the data to be processed are sensitive and the purpose of the processing.


Additionally, in the processing of personal data of children and / or adolescents carried out by SOPHOS, the limitations and obligations established in the Law, its regulatory decrees and / or other concordant regulations will be strictly observed. Therefore, in case of processing of personal data of children and/or adolescents, SOPHOS will ensure the following:

 

  • Whoever gives consent to process the personal data of the minor enjoys parental authority or is his duly authorized guardian.
  • Treatment should be in the best interests of children and adolescents..
  • Treatment should ensure respect for the fundamental rights of children and adolescents.
  • To assess the child’s opinion when the child has the maturity, autonomy and capacity to understand the matter.

SOPHOS collects and processes images, audio recordings, photographs and videos, fingerprints, signatures and information related to the health of the owners, among others, for the following purposes:

 

  • Verify whether the holders meet the physical requirements necessary to perform the position and/or obligations for which they are applying or were engaged.
  • To have the necessary information to attend to any medical emergency that arises during the provision of services in the facilities of SOPHOS.
  • Comply with occupational safety and health regulations and implement the MS-OSH, and any other program, system and/or plan that seeks to protect the health of the worker, caregivers and people in the workplace.
  • To carry out epidemiological surveillance activities within the framework of the Occupational Health program.
  • Compliance with the legal obligations arising from the employment and/or contractual relationship, such as carrying out all the necessary formalities for the registration of beneficiaries with the Social Security System, or any other activity derived from the applicable legislation.
  • Provide respective security in SOPHOS training and activities.
  • Identify personnel accessing SOPHOS facilities.

 

In addition, the Company will process personal data of members of the family human resource group, including sensitive information of beneficiaries who are of legal age and children and adolescents, in order to grant the benefits offered by SOPHOS or for the registration of members of the family group in the events and welfare activities organized by SOPHOS.

SOPHOS may transfer and transfer, including at international level, personal data that it has in its databases, mainly to other companies of the SOPHOS group, to public entities when these require, to customers who need to validate the personal information of SOPHOS collaborators, among other third parties, provided that the Company has the express authorization of the owner and / or has signed the contracts required by the regulations of personal data protection.

 

Therefore, SOPHOS will implement appropriate mechanisms that allow compliance with the provisions of this Policy by third parties, on the understanding that the personal information that they receive solely will be used for matters related to SOPHOS and in accordance with the purposes authorized by the owner.

SOPHOS will process the personal data of the owners for the following purposes:

 

Customer Data:

  • Develop all the activities and administrative commercial management typical of the services provided by SOPHOS or its clients.
  • To conduct surveys and/or research studies to evaluate the care process and the satisfaction of the service provided.
  • Send information (e.g. to emails and contact numbers) about SOPHOS products, services, events and/or promotions.
  • Transfer and/or transmit corporate contact information to other SOPHOS group entities and to third parties, for the purposes described above.
  • Transfer the personal data of customers in the framework of the definition, structuring and execution of strategic transactions, such as the sale of assets or shares in the event that The Company or parts of its business are sold, merged or acquired by third parties.
  • Control and prevention of fraud, bribery, corruption and money laundering/financing of terrorism or proliferation of weapons of mass destruction. It includes the possibility of reporting data on non-compliance with obligations, as well as unusual or suspicious operations. As well as research, verification and validation of the information provided, with any information from SOPHOS that legitimately holds, and international lists on the commission of crimes and money laundering for the purpose of initiating, executing, developing and terminating the contractual relationship.
  • To establish an efficient communication in compliance with the provisions of the contractual links and for the administrative management of the same.
  • PCC management.
  • Storage of the information in databases, as well as the custody or maintenance of these by itself or through a third party.
  • Communicate your personal data to judicial and/or administrative authorities and/or other control entities, when requested.
  • The other purposes provided in the data processing authorization formats and / or privacy notices.

 

Candidate Data

  • Request the media and related information in the resume.
  • Send and receive by email communications and requests related to the selection process.
  • Verify and consult with third parties the information contained in the resume (authenticity of documents, work and academic certifications, home visit) which will be carried out directly or through a specialized third party, likewise SOPHOS may require them to verify and / or consult in the risk centers of the financial or commercial sector.
  • Record the selection process in the SOPHOS database in order to have support with internal and external authorities.
  • Communicate to contact telephones and electronic and physical addresses in order to schedule the interviews and tests required for SOPHOS workers or third parties to perform the validations of the information indicated in their resume and evaluations of all tests advanced in the selection process.
  • Retain personal data for possible selection processes.
  • Evaluate the suitability of the candidate, taking into account the characteristics of the vacancy that needs to be hired.
  • Carry out the necessary checks and inquiries on different restrictive lists.
  • Consult and access at any time the databases of risk, credit, financial, judicial or security registers legitimately constituted, state or private, national or foreign.
  • To carry out the relevant procedures for the development of the pre-contractual, contractual and post-contractual phase.
  • Contact them in compliance with the provisions of the contract and for the administrative management of the same.
  • Ensure security at the premises where appropriate.
  • Be invited to training, training, reinforcements, or the development of institutional activities.
  • Conduct surveys or surveys.
  • Transfer the personal data of the candidates in the framework of the definition, structuring and execution of strategic transactions, such as the sale of assets or shares in case The Company or parts of its business are sold, merged or acquired by third parties.
  • Control and prevention of fraud, bribery, corruption and money laundering/financing of terrorism or proliferation of weapons of mass destruction. It includes the possibility of reporting data on non-compliance with obligations, as well as unusual or suspicious operations. As well as research, verification and validation of the information provided, with any information from SOPHOS that legitimately holds, and international lists on crime and money laundering for the purpose of initiating, executing, developing and terminating the contractual relationship
  • Storage of the information in databases, as well as the custody or maintenance of these by itself or through a third party.
  • Transfer the personal data of the candidates in the framework of SOPHOS’s business relationship with its customers or suppliers.
  • The other purposes provided in the data processing authorization formats and / or privacy notices.

 

Collaborators

  • Identify staff as SOPHOS collaborators.
  • Communicate to the staff and make their knowledge relevant information according to the quality of SOPHOS collaborator.
  • Verify the fulfillment of the employee’s employment and/or contractual obligations.
  • Review of the criminal, contractual and tax records of the holders before the relevant authorities.
  • Full identification of the owners, through archiving and handling of their contact data, professional and academic information, among others.
  • Conclude the contract of employment, apprenticeship, provision of services or any other contract that it applies.
  • To comply with SOPHOS obligations, such as: membership of the social security system, payment of contributions, membership of the compensation fund, holidays, delivery of bonds, payments to tax entities, issuing income and withholding certificates and employment certificates requested by the holders, and / or any entity or national authority that requires personal data, in accordance with current rules.
  • To comply with any other service that derives from the contractual relationship between the collaborators and SOPHOS.
  • Provide instructions on the occasion of the contract with partners, if applicable.
  • Evaluate the performance of the collaborators.
  • Manage the payroll, the payment of financial support, among others, by the Company or a third party; manage and make the necessary payments in the bank account indicated by the employees.
  • Contracting life and medical expenses insurance with SOPHOS or a third party.
  • Notify family members of employees in cases of emergency during working hours or during the contract development.
  • The communication, reproduction and publication of photographs of the collaborators by SOPHOS for marketing, advertising, internal SOPHOS or other purposes.
  • Maintain the safety and health of employees in the workplace directly by The Company or by a third party, in accordance with the rules applicable to the Occupational Safety and Health Management System (hereinafter “SG-SST”).
  • Collect information and evidence in order to perform disciplinary processes, if applicable.
  • To carry out epidemiological surveillance activities within the framework of the Occupational Health program.
  • To perform the check of entry or exit records, as well as other eventualities that may arise due to security issues in the physical and virtual facilities of Sophos.
  • As evidence of administrative procedures that SOPHOS must carry out under the application of the Employment Contract, the internal rules of work, Code of Ethics, among other internal policies defined by the company. It may also be used in the event of any proceedings relating to existing rules on harassment at work, disciplinary proceedings or termination of employment.
  • Store the personal data of the collaborators in the internal physical and computer file of SOPHOS, databases constituted and/or managed by the company, the other companies of the group and/or third parties in charge of storage.
  • Transfer and / or transmit the information of the collaborators to other entities of the SOPHOS group, to public entities, customers, suppliers and third parties.
  • Transfer the personal data of the collaborators in the framework of the definition, structuring and execution of strategic transactions, such as the sale of assets or shares in case The Company or parts of its business are sold, merged or acquired by third parties.
  • The other purposes provided in the data processing authorization formats and / or privacy notices.

 

Providers

  • To carry out the relevant procedures for the development of the pre-contractual, contractual and post-contractual phase with SOPHOS, regarding the commercial relationship with the supplier.
  • Report to central banks at risk to central banks at risk.
  • Request for information from suppliers and contractors for the purpose of concluding the applicable contract with SOPHOS.
  • Fulfillment of SOPHOS obligations in the context of the contractual relationship.
  • Investigation, verification and validation of information provided by suppliers and contractors, with any information from SOPHOS that is legitimately held, and international lists on the commission of crimes and money laundering for the purpose of initiating, executing, developing and terminating the contractual relationship.
  • Management of supplier and contractor information for authorization and submission of purchase orders and payment of invoices.
  • Contact, meetings and visits with suppliers and contractors, their collaborators, shareholders and/or any person who represents them in the framework of the contractual relationship.
  • Communication, consolidation, organization, updating, control, accreditation, assurance, statistics, reporting, maintenance, interaction and management of the actions, information and activities in which suppliers and contractors are related or linked with SOPHOS.
  • Perform check-in or check-out, for security reasons required at Sophos physical and virtual facilities (where applicable).
  • Other purposes which are necessary and which are provided in the context of the contractual relationship for the purpose of fulfilling the object and obligations arising therefrom.
  • Transfer and/or transmit the personal information of providers to other entities of the SOPHOS Group and to third parties for the purposes described above.
  • Storage of the information in databases, as well as the custody or maintenance of these by itself or through a third party.
  • Transfer the personal data of suppliers in the framework of the definition, structuring and execution of strategic transactions, such as the sale of assets or shares in case The Company or parts of its business are sold, merged or acquired by third parties.
  • The other purposes provided in the data processing authorization formats and / or privacy notices.

The Company undertakes to carry out all the activities necessary to guarantee the following rights of the owners of personal data:

 

  • Know, update and rectify your personal data in front of the Company or the Managers. This right may be exercised, inter alia, against partial, inaccurate, incomplete, fragmented, misleading data, or those whose processing is expressly prohibited or has not been authorized.
  • Request proof of the authorization granted to SOPHOS, except when expressly exempted as a requirement for processing.
  • To be informed by the Company or the Data Controller, upon request, about the use that has been given to your personal data.
  • Revoke the authorization and / or request the deletion of the data at any time and when the processing does not respect the principles, rights and guarantees. The revocation and/or suppression will proceed when the competent entity has determined that SOPHOS or the Entrant has engaged in contrary conduct.
  • Access free of charge to your personal data that has been subject to Treatment. The information requested by the holder may be provided by any means, including electronic ones, as required by the holder.

SOPHOS as controller shall perform the following duties:

 

  • Guarantee to the holder, at all times, the full and effective exercise of the Habeas Data Right.
  • Request and keep, under the conditions provided for in the Law, a copy of the respective authorization granted by the holder.
  • Duly inform the holder about the purpose of the collection and the rights granted to him by virtue of the authorization granted.
  • Retain information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access.
  • Ensure that the information provided to the Processor is truthful, complete, accurate, up-to-date, verifiable and understandable.
  • Update the information, communicating in a timely manner to the Data Controller, all the news regarding the data previously provided to him and take the other necessary measures to keep the information provided to him updated.
  • Rectify the information when it is incorrect and communicate the relevant to the Manager.
  • Provide the Data Controller, as the case may be, with only data that has been previously authorized to be processed in accordance with the provisions of the Law.
  • Require the Data Controller at all times to respect the security and privacy conditions of the holder’s information.
  • Handle inquiries and complaints made in terms set in.
  • Inform the Manager when certain information is in dispute by the owner, once the claim has been filed and has not completed the respective procedure.
  • Inform the owner on request about the use made of their data.
  • Inform the data protection authority when breaches of security codes occur and there are risks in the management of the information of the data subjects.
  • To comply with the instructions and requirements that are given by the Superintendency of Industry and Commerce, as well as other competent authorities that may operate in the territories where Sophos Solutions has a presence.
  • The Company reserves the right to modify the content of this document, in the terms and with the limitations provided in the Law. Undertaking in such a way to inform the holders of personal data in a timely manner, any substantial changes.

The risk area of Sophos will be in charge of managing any request, complaint or claim related to the handling of personal data, should be sent to the email: habeasdata@sophossolutions.com

The rights of holders may be exercised by the following persons:

 

  • By the owner, who must prove his identity in sufficient form by the different means established by the Company.
  • By their successors in position, who must prove such quality in accordance with legal standards.
  • By the representative and/or agent of the holder, after accreditation of the representation or proxy, in accordance with the legal provisions.
  • By stipulation in favor of another or for another in accordance with the legal provisions.

The holders of the information or authorized person under the terms of paragraph 3.15. of this Policy, may exercise their right to know, update, correct or delete information contained in the database, as well as may revoke the authorization granted to the controller for the Processing of the Information.

 

Any request for consultation, correction, updating or deletion must be submitted in writing by e-mail, in accordance with the information contained in this document. Sophos will attend to inquiries in compliance with the terms established by the applicable law. For inquiries and requests addressed to subsidiaries in which there is no special rule for the processing of personal data regulating response times, the Company will comply with the requirement in compliance with the term established by the Colombian regulations.

Complaints are intended to correct, update, delete or file a complaint about the alleged breach of any of the duties contained in the Act and this policy. In this regard, claims must be made by email, in accordance with the information contained in this document, and must contain at least the following information:

  • Identification of the holder.
  • Description of the facts giving rise to the complaint.
  • Address of the holder.
  • Documentation to be submitted as evidence.

 

The maximum term for the complaint will be that defined by the applicable law from the following day to the date of your receipt.

The databases managed by The Company will be maintained indefinitely as long as they are necessary or relevant for the purpose for which they were collected, or for the term established in a legal provision in force, however, the personal data may be deleted at any time at the request of its owner, as long as this request does not breach contractual or legal obligations. Sophos may update its databases and delete specific data at its discretion and/or in compliance with the applicable legal framework.

Read more