Data privacy policy

Goal

Law 1581 of 2012, “By which general provisions are issued for the protection of personal data,” aims to develop the constitutional right that all people have to know, update and rectify the information that has been collected about them on databases or files, and the other rights, freedoms and constitutional guarantees referred to in article 15 of the Political Constitution; as well as the right to information enshrined in article 20 of the same.

FLUIDSIGNAL GROUP S.A.S. certifies the protection of rights such as Habeas Data, privacy, intimacy, good name, image and autonomy. For this purpose, all actions will be governed by principles of good faith, legality, computer self-determination, freedom and transparency.

FLUIDSIGNAL GROUP S.A.S. will keep in mind, at all times, that the personal data are the property of the people to whom they refer and that only they can decide about them.

FLUIDSIGNAL GROUP S.A.S. will guarantee the right of access when, after accreditation of the identity of the owner, it makes the respective personal data available to the owner free of charge. Said access must be offered without any limit and must allow the owner the possibility of knowing and updating them.

Guiding principles of the personal data processing policy

The following specific principles will apply to the processing of personal data:

Principle of legality: The current provisions for the processing of personal data and other fundamental rights will be applied.
Security principle: Personal data will be protected to the extent that technical resources allow, avoiding adulteration, loss, consultation, and, in general, against any unauthorized use.
Principle of confidentiality: All people who administer, manage, or have access to information found in databases undertake to keep all personal information received in the exercise of their duties strictly confidential. People who currently work or are linked in the future for this purpose, in the administration and management of databases, must sign an additional agreement to their employment or service provision contract for the purposes of ensuring commitment. This obligation persists and is maintained even after its relationship with any of the tasks included in the treatment has ended.
Principle of freedom: Data processing can only be carried out with the prior, express and informed consent of the owner. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal, statutory, or judicial mandate.
Principle of truthfulness: The information must be true, complete, accurate, up-to-date, verifiable and understandable.
Principle of transparency: The processing of personal data must guarantee the right of the owner to obtain information about the existence of any type of information or data of theirs that is of interest to them.
Purpose principle: Data processing will serve a legitimate purpose, which must be informed to the respective owner of the personal data.
Principle of restricted access and circulation: Personal data, except public information, may not be available on the Internet or other means of mass dissemination, unless access is technically controllable.

The principles on data protection will be applicable to all databases, including those excepted in this article, with the limits provided in this law and without conflicting with data that have characteristics of being covered by legal reserve. In the event that the special regulations that regulate the excepted databases provide for principles that take into consideration the special nature of the data, they will apply concurrently to those provided for in this law.

Definitions

Authorization: Prior, express and informed consent of the owner to carry out the processing of personal data.
Database: Organized set of personal data that is subject to processing.
Personal data: Any information linked or that can be associated with one or several specific or determinable natural persons.
Sensitive data: Those that affect the privacy of the owner, such as racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social organizations, human rights, data related to health, sexual life and biometric data.
Data processor: Natural or legal person who processes personal data on behalf of the data controller.
National Registry of Databases (RNBD): It is the public directory of databases subject to processing that operate in the country, it is administered by the Superintendence of Industry and Commerce and will be freely consulted by users and citizens.
Data controller: Natural or legal person who decides on the database and/or the processing of data.
Owner: Natural person whose personal data is processed.
Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.

Scope of application

Databases containing personal data whose automated or manual processing is carried out by natural or legal persons, public or private in nature, in Colombian territory or outside of it, will be subject to registration in the National Registry of Databases. This last case, provided that Colombian legislation is applicable to the data controller or data processor by virtue of international standards and treaties. The foregoing without prejudice to the exceptions provided for in Article 2 of Law 1581 of 2012.

Exception to the regulatory framework

The personal data protection regime established in this law will not apply:

To databases or files maintained in an exclusively personal or domestic environment. When these databases or files are going to be provided to third parties, the owner must be informed in advance and their authorization must be requested. In this case, those responsible and in charge of the databases and files will be subject to the provisions contained in this law.
To databases and files whose purpose is national security and defense, as well as the prevention, detection, monitoring and control of money laundering and the financing of terrorism.
To databases whose purpose is and contain intelligence and counterintelligence information.
To databases and archives of journalistic information and other editorial content.
To the databases and files regulated by Law 1266 of 2008.
To the databases and files regulated by Law 79 of 1993.

The data controller and data processor for personal data processing

Name: FLUIDSIGNAL GROUP S.A.S.

Address: Street 43 No. 9 South - 195 Office 736 Square Building, Medellín

Email: info@fluidattacks.com

Phone: (604) - 4442637

Enrollment in the National Database Registry

FLUIDSIGNAL GROUP S.A.S. must register in the National Registry of Databases each of the databases that contain personal data subject to processing independently.

Duties of data controllers

The data controllers must comply with the following duties, without prejudice to the other provisions provided for in this law and in others that govern their activity:

Guarantee to the holder, at all times, the full and effective exercise of the right of habeas data.
Request and keep, under the conditions provided in this law, a copy of the respective authorization granted by the owner.
Duly inform the owner about the purpose of the collection and the rights granted to him by virtue of the authorization granted.
Maintain the information under the security conditions necessary to prevent its adulteration, loss, unauthorized or fraudulent consultation, use or access.
Guarantee that the information provided to the data processor is true, complete, accurate, updated, verifiable and understandable.
Update the information, communicating in a timely manner to the data processor, all the news regarding the data that you have previously provided and adopt the other necessary measures so that the information provided to it remains updated.
Rectify the information when it is incorrect and communicate the pertinent information to the data processor.
Provide the data processor, as the case may be, only data whose processing is previously authorized in accordance with the provisions of this law.
Demand that the data processor at all times respect the security and privacy conditions of the owner’s information.
Process queries and claims made in the terms indicated in this law.
Adopt an internal manual of policies and procedures to guarantee adequate compliance with this law and, especially, to respond to queries and complaints.
Inform the data processor when certain information is under discussion by the owner, once the claim has been submitted and the respective procedure has not been completed.
Inform, at the request of the owner, about the use given to their data.
Inform the data protection authority when violations of security codes occur and there are risks in the administration of the owners’ information.
Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

Collection of personal data

In the development of the principles of purpose and freedom, data collection must be limited to those personal data that are relevant and appropriate for the purpose for which they are collected or required in accordance with current regulations. Except in cases expressly provided for by law, personal data may not be collected without authorization from the owner.

At the request of the Superintendence of Industry and Commerce, the controllers must provide a description of the procedures used for the collection, storage, use, circulation and deletion of information, as well as a description of the purposes for which the information is collected and an explanation of the need to collect data in each case.

Deletion of personal data

The owner has the right, at all times, to request FLUIDSIGNAL GROUP S.A.S to delete their personal data when they consider it so. This deletion implies the total or partial elimination of personal information as requested by the owner. It is important to keep in mind that the right of cancellation is not absolute and the person responsible may deny its exercise when:

The owner who has a legal or contractual duty to remain in the database.
The deletion of data hinders judicial or administrative actions linked to tax obligations, the investigation and prosecution of crimes or the updating of administrative sanctions.
The data that is necessary to protect the legally protected interests of the owner; to carry out an action based on the public interest, or to comply with an obligation legally acquired by the owner.

Processing and purpose of personal data

Purposes for the general processing of information of employees, retired workers, pensioners and candidates to fill vacancies:

For purposes relevant to the employment relationship (EPS, ARL, Pension and severance funds, family compensation funds, etc.)
In the case of employees, with the signing of the employment contract, express authorization is understood to process the information
Accounting and payment of payroll
Recruit and select personnel to fill vacancies
Process, confirm and comply with legal and extralegal labor obligations derived from the employment contract
Audits
Statistical analysis
Training and education
Share personal data with banking entities, companies that offer benefits to our active workers, among others
Occupational health and safety programs
Establish technological and physical access controls to maintain security in the physical infrastructure of the facilities and applications
Transfer and/or transmit personal data to entities and/or judicial and/or administrative authorities, when these are required in relation to its corporate purpose and necessary for the fulfillment of its functions
Consult and/or verify the information in national and international control lists related to money laundering and terrorist financing, illicit activities or situations regulated by the Colombian penal code
Carry out home safety visits and socioeconomic studies whenever the company requires it
Confirm the personal information that the employee gives us by cross-checking it with public databases, central and risk prevention systems, specialized companies, references and contacts

Other databases that may subsist outside of those directly binding to the company will be processed for pre-contractual, contractual, post-contractual, commercial, customer service and marketing purposes, processing, research, training, accreditation, consolidation, organization, updating, report, statistics, surveys, attention and processing.

Rights of the information owner

The owner of the personal data will have the following rights:

Know, update and rectify your personal data before the data controllers or data processors. This right may be exercised, among others, against partial, inaccurate, incomplete, fragmented, misleading data, or those whose processing is expressly prohibited or has not been authorized.
Request proof of the authorization granted to the data controller, except when it is expressly excepted as a requirement for the treatment, in accordance with the provisions of Article 10 of this law.
Be informed by the data controller or the data processor, upon request, regarding the use that has been given to your personal data.
Submit complaints to the Superintendency of Industry and Commerce for violations of the provisions of this law and other regulations that modify, add or complement it.
Revoke the authorization and/or request the deletion of the data when the processing does not respect constitutional and legal principles, rights and guarantees.
The revocation and/or deletion will proceed when the Superintendency of Industry and Commerce has determined that in the Treatment the Controller or Processor has engaged in conduct contrary to this law and the Constitution.
Access free of charge to your personal data that has been processed.

Legitimization for the exercise of data subject rights

The rights of the owners may be exercised by the following people:

By the owner, who must prove their identity sufficiently by the different means made available by the person responsible
By their successors, who must prove such quality
By the representative and/or attorney of the owner, prior accreditation of the representation or power of attorney
By stipulation in favor of another or for another

The rights of children or adolescents will be exercised by the people who are empowered to represent them.

Responsible for managing requests

FLUIDSIGNAL GROUP S.A.S designates the administrative and financial area, or the agency that takes its place, as the person who will receive, process and channel the different requests that are received and must process the requests of the owners, in the terms, deadlines and conditions established by current regulations, for the exercise of the rights of access, consultation, rectification, updating, deletion and revocation that each person has over their personal data.

Channels and procedures for data subjects to exercise their rights

The owner who considers that the information contained in a database must be corrected, updated or deleted, or when they notice the alleged breach of any of the duties contained in the law, may file a claim with FLUIDSIGNAL GROUP S.A.S.; said request rectification, update or deletion must be submitted through the medium enabled by FLUIDSIGNAL GROUP S.A.S, which thinking about well-being, confidentiality and agility in attention, designates the email info@fluidattacks.com.

The request must contain the following information:

The name, identification document and address of the owner or any other means to receive the response.
Documents that prove the identity of your representative.
The description of the personal data with respect to which the owner seeks to exercise any of the rights.

Effectiveness

This policy will be applicable to the personal databases for which the company is responsible and in charge. It will come into effect upon its signature and complements the associated policies and formats, with indefinite validity.

Any change that is valuable (whether in structure or updating of regulations) in the personal data processing policies will be communicated in a timely manner to the data owners through the usual means of contact and/or through our website.

For holders who do not have access to electronic media or those who cannot be contacted, they will be communicated through open notices at the company’s main headquarters.

The database policy will have an indefinite period of validity in accordance with the duration of the company’s corporate purpose.

The databases in which personal data will be recorded will have a validity equal to the time during which the information is kept and used for the purposes described in this policy.

Once that purpose is fulfilled and as long as there is no legal or contractual duty to retain your information, your data will be deleted from our databases.

FLUIDSIGNAL GROUP S.A.S. will socialize this policy to workers via email and will publish it on the company’s website for their respective information.

Validity and application

This policy governs from its publication and effective socialization through digital channels of dissemination to all workers, repeals provisions that are contrary to it, and is governed based on the guidelines established in Law 1581 of 2012, Law 1032 of 2006 and/or subsequent ones that modify what is regulated there.