​

INFORMATION AND PERSONAL DATA MANAGEMENT POLICY OF PANELESA SAS Version: 1

Effective date: April 2019.

Last Update: February 2019.

GENERAL This policy is defined in accordance with the entry into force of Statutory Law 1581 of 2012, which aims to dictate the general provisions for the protection of personal data and develop the constitutional right that all people have to know, update and rectify the information that has been collected about them in databases or files as well as the right to information; Therefore, PANELESA SAS, taking into account its status as the person responsible for the processing of personal data that assists it, is allowed to formulate this text in order to effectively comply with said regulations and especially for the attention of queries and claims about the treatment of personal data collected and handled by PANELESA SAS The right to HÁBEAS DATA is that which everyone has to know, update and rectify the information that has been collected about them in files and data banks of a public or private nature and It guarantees all citizens the power of decision and control over their personal information. Therefore, PANELESA SAS accepts such provisions taking into account that, for the development of its corporate purpose, it is continuously compiling and carrying out various treatments to databases of both customers, shareholders, suppliers, business partners and employees. By virtue of the foregoing, within the legal and corporate duty of PANELESA SAS to protect the right to privacy of people, as well as the power to know, update or request the information that is filed about them in databases, PANELESA SAS has designed this policy for the management of personal information and databases in which the treatment of Personal Information to which you have access through our website, email, physical information (invoices) is described and explained , text messages, voice messages, telephone calls, face-to-face, physical or electronic means, current or that in the future develop as other communications sent as well as through third parties that participate in our commercial or legal relationship with all our clients, employees, suppliers, shareholders, strategic allies and related parties. This will be adjusted to the extent that the regulations applicable to the matter are regulated and new provisions come into force. GENERAL OBJECTIVE With the implementation of this policy, it is intended to guarantee the reservation of information and security regarding the treatment that will be given to it to all clients, suppliers, employees and third parties from whom PANELESA SAS has legally obtained information and data. according to the guidelines established by the law regulating the right to Habeas Data. Likewise, through the issuance of this policy, the provisions of paragraph K of article 17 of the aforementioned law are complied with. DEFINITIONS 1. Authorization: Consent that, in a prior, express and informed manner is issued by the owner of some personal data so that the company can carry out the processing of your personal data. 2. Owner: natural person whose data is processed by the company. 3. Database: Set of personal data. 4. Personal data: Information that is linked to a person. It is any piece of information linked to one or more specific or determinable persons or that may be associated with a natural or legal person. Personal data can be public, semi-private or private. 5. Treatment: Any operation or set of operations on personal data within which its collection, storage, use, circulation or deletion can be included. 6. Person in charge of the treatment: Natural or legal person, public or private, that by itself or in association with others, carries out some treatment on personal data on behalf of the person responsible for the treatment. 7. Responsible for the treatment: Natural or legal person, public or private, that by itself or in association with others, decides on the database and / or the treatment of the data. 8. Public data: It is that data classified as such according to the mandates of the law or the Political Constitution. The data contained in public documents, enforceable judicial decisions that are not subject to reserve and those relating to the civil status of individuals are public, among others. 9. Semi-private data: Data that is not intimate, reserved, or public in nature and whose knowledge or disclosure may interest not only its owner but also a certain sector or group of people or society in general, such as financial data and credit of commercial activity. 10. Private data: It is the data that due to its intimate or reserved nature is only relevant for the owner. 11. Sensitive data: those related to racial or ethnic origin, membership in unions, social or human rights organizations, political, religious, sexual life, biometric or health data convictions. This information may not be provided by the Owner of these data. 12. Privacy notice: Physical, electronic document generated by the person in charge of the treatment that is made available to the owner with the information related to the existence of the information treatment policies that will be applicable, the way to access them and the characteristics of the treatment that is intended to give personal data. RIGHTS THAT ALL PERSONAL DATA HOLDERS HAVE IN FRONT OF THE COMPANY Any process that entails the treatment by any area of the company of personal data of both clients, suppliers, employees and in general any third party with whom PANELESA SAS maintains commercial relations and labor must take into account and inform you expressly and in advance, by any means by which a record of compliance can be kept, the rights that that data owner has, which are listed below: 1. Right to know, update, rectify, consult your personal data at any time in front of PANELESA SAS regarding the data that it considers partial, inaccurate, incomplete, fractioned and those that lead to error. 2. Right to request at any time a proof of the authorization granted to PANELESA SAS 3. Right to be informed by PANELESA SAS upon request of the owner of the data, regarding the use that has been given to them. 4. Right to present before the Superintendency of Industry and Commerce the complaints that it considers pertinent to enforce its right to Habeas Data against the company. 5. Right to revoke the authorization and / or request the deletion of any data when it considers that PANELESA SAS has not respected its rights and constitutional guarantees. 6. Right to free access to the personal data that you voluntarily decide to share with PANELESA SAS, for which the company, in support of the technology area, is in charge of preserving and filing the authorization formats of each one in a safe and reliable way. of the holders of personal data duly granted. CASES IN WHICH PANELESA SAS DOES NOT REQUIRE AUTHORIZATION FOR THE TREATMENT OF THE DATA IN ITS POWER 1. When the information is requested from the company by a public or administrative entity that is acting in the exercise of its legal functions or by court order. 2. In the case of data of a public nature because they are not protected by the scope of the standard. 3. Duly verified medical or health emergency events. 4. In those events where the information is authorized by law to fulfill historical, statistical and scientific purposes. 5. In the case of data related to the civil registry of persons because this information is not considered as data of a private nature. INFORMATION CAN BE DELIVERED TO THOSE BY PANELESA SAS WITHOUT THE NEED FOR THE AUTHORIZATION OF THE DATA OWNERS · To the owners of the data, their heirs or representatives at any time and through any means when requested to PANELESA SAS · To judicial or administrative entities in the exercise of functions that raise any requirement to the company for the information to be delivered. · To third parties that are authorized by any law of the Republic of Colombia. To third parties to whom the Data Owner expressly authorizes the delivery of the information and whose authorization is given to PANELESA SAS DUTIES THAT PANELESA SAS HAS REGARDING THE DATA HOLDERS PANELESA SAS recognizes that the personal data are the property of the owners of the data. themselves and that only such persons may decide on them. In this sense, it will make exclusive use for those purposes for which it is empowered in the terms of the law and for the sake of the above it is allowed to inform the duties that it assumes in its capacity as data controller: 1. The company must seek the means Through which to obtain express authorization from the owner of the data to carry out any type of treatment. 2. The company must clearly and expressly inform its customers, employees, suppliers and third parties in general from whom it obtains databases the treatment to which they will be subjected and the purpose of said treatment. For this, the company must design the strategy through which for each event, mechanism or request for data that is made, it will inform them of the respective treatment in question. Some of these means may be sending text messages, filling out physical formats, through the PANELESA SAS websites, among others. 3. The company must inform the owners of the data for each case, the optional nature of responding and granting the respective requested information. 4. In all cases in which data is collected, the rights that all holders have regarding their data must be informed. 5. The company must provide the identification, physical or electronic address and telephone number of the person or area that will be responsible for the treatment. 6. The company must guarantee at all times to the owner of the information, the full and effective exercise of the right to habeas data and petition, that is, the possibility of knowing the information that exists or resides in the data bank. , request the update or correction of data and process inquiries, all of which will be carried out through the mechanisms of inquiries or claims provided for in this policy. 7. The company must keep the records of stored personal data with due security to prevent their deterioration, loss, alteration, unauthorized or fraudulent use and periodically and timely update and rectify the data, each time the holders of the themselves report news or requests. PURPOSES IN THE CAPTURE, USE AND PROCESSING OF PERSONAL DATA PANELESA SAS in the development of its corporate purpose and its relationships with third parties, understood as these clients, employees, suppliers, creditors, strategic allies, among others; constantly collects data to carry out various purposes and uses within which can be framed: ● Administrative, commercial, promotional, informational, marketing and sales purposes. ● Offer all kinds of commercial services; as well as carrying out promotional, marketing and advertising campaigns. ● Search for a closer knowledge with all its clients, suppliers, employees and related third parties. In relation to the foregoing, PANELESA SAS may execute the following actions: 1. Obtain, store, compile, exchange, update, collect, process, reproduce and / or dispose of the data or partial or total information of those holders who grant it the due authorization in the terms required by law and in the formats deemed appropriate for each case. 2. Classify, order, separate the information provided by the owner of the data. 3. Carry out investigations, compare, verify and validate the data obtained in due form with credit risk centers with which they have commercial relationships. 4. Extend the information obtained in the terms of the habeas data law, to the companies with which it contracts the capture, storage and management services of its previous databases, the due authorizations obtained in this regard. 5. Transfer partial or total data or information to its subsidiaries, businesses, companies and / or affiliated entities and strategic allies. THE AUTHORIZATION For the purposes of carrying out the aforementioned purposes, PANELESA SAS freely, prior, expressly and duly informed of the authorization by the owners of the data and for this it has provided suitable mechanisms guaranteeing for each case that is possible to verify the granting of said authorization. It may appear in any medium, be it a physical or electronic document or in any format that guarantees its subsequent consultation through technical and technological tools and computer security developments. The authorization is a statement that informs the owner of the data the following information: ● Who is responsible or in charge of collecting the information ● Data collected ● Purposes of the treatment ● Procedure for the exercise of the rights of access, correction, updating or deletion data ● Information on sensitive data collection. DATA COLLECTED BEFORE THE ISSUE OF DECREE 1377 OF 2013 For the purposes of complying with the provisions of article 9 of Law 1581 of 2012, those Responsible for the processing of personal data will establish mechanisms to obtain the Authorization of the holders or whoever is find it legitimized in the terms of the Law. These mechanisms may be predetermined through technical means that provide the owner with its automated manifestation. The Authorization may be granted in accordance with any of the following options: (i) In writing, (ii) Verbally or (iii) Through unequivocal conduct of the holder that allows a reasonable conclusion that the authorization was granted. In no case may silence be assimilated to unequivocal conduct. Likewise, in accordance with the provisions of article 10 of Decree 1377 of 2013, PANELESA SAS published in newspapers with wide national circulation, the privacy notice through which I communicate the existence of this policy, informing the Superintendency of this. of Industry and Commerce. As indicated in this Decree, if within thirty (30) business days from the implementation of the previous mechanism, the owners did not contact the CONTROLLER or MANAGER to request the deletion of their personal data, the CONTROLLER and MANAGER may continue processing the personal data contained in its databases for the purpose or purposes foreseen and indicated in the information treatment policy. PROTECTION OF PERSONAL DATA OF MINORS AND ADOLESCENTS In accordance with the provisions of Statutory Law 1581 of 2012 and Regulatory Decree 1377 of 2013, PANELESA SAS ensures that the Treatment of personal data of children and adolescents will be carried out respecting their rights , which is why, in the commercial and marketing activities carried out by PANELESA SAS, it must have the prior, express and informed authorization of the father or mother or the legal representative of the child or adolescent. HOW TO PROCEED WITH REGARD TO THE INQUIRIES AND REQUESTS MADE BY THE DATA HOLDERS Every owner of personal data has the right to make inquiries and submit requests to the company regarding the handling and treatment given to their information. TO). PROCEDURE FOR THE PROCESSING OF CLAIMS OR REQUESTS: Any request, petition, complaint or claim (PQR) that is presented to PANELESA SAS by any owner or their successors in title regarding the handling and treatment given to your information will be resolved in accordance with the law regulation of the right to habeas data and will be processed under the following rules: 1. The request or claim will be formulated in writing or any other means defined in this policy for this purpose, addressed to PANELESA SAS, with the identification of the owner, the description of the facts that give rise to the claim, the address or means through which you wish to obtain your response, and if applicable, accompanying the supporting documents that you want to enforce. In the event that the writing is incomplete, the company will request the interested party to correct the faults within five (5) days after receiving the claim. After two months from the date of the request, without the applicant presenting the required information, it will be understood that the claim or request has been withdrawn. 2. Once the complete petition or claim is received, the company will include in the individual registry within a term not exceeding two (2) business days a legend that says "claim in process" and its nature. Such information should be kept until the claim is decided. 3. The applicant will receive a response from PANELESA SAS within the following ten (10) business days from the date on which he has had effective knowledge of the request. 4. When it is not possible to attend the request within said term, the interested party will be informed, stating the reasons for the delay and indicating the date on which their request will be attended, which in no case may exceed five (5) business days following the expiration of the first term. B). CONSULTATIONS: The Policy for the handling of personal information by PANELESA SAS and the basic rights that the owners of the data have in relation to it may be consulted through the following means: · www.panelesa.com Any query that has a holder over your information or personal data or when you consider it necessary to institute a request for information or consider that your rights have been violated in relation to the use and handling of your information; You can do so through the following email: atencionalcliente@panelesa.com If within the ten (10) days indicated, it is not possible for the company to attend the query, the corresponding area must inform the interested party, the reasons for the delay and indicate the date on which it will be attended, which in no case may exceed five (5) business days following the expiration of the first term. C). RESPONSIBLE FOR THE TREATMENT: PANELESA SAS Has the quality of data controller, through this policy it is allowed to inform your identification data: Company name: PANELESA SAS NIT: 811.038.400-1 Address: Carrera 50 100 B Sur 340 La Estrella , Antioquia. Person or agency responsible for the attention of requests, queries and claims: the area in charge of receiving and channeling all requests and concerns is the Commercial Management through the email atencionalcliente@panelesa.com D. MANAGER OF TREATMENT: Eventually, PANELESA SAS You may have the quality of TREATMENT MANAGER, in which case the identification data are the following: Company name: PANELESA SAS NIT: 811.038.400-1 Address: Carrera 50 100 B Sur 340 La Estrella, Antioquia. Person or agency responsible for the attention of requests, queries and claims: the area in charge of receiving and channeling all requests and concerns is the Commercial Management through the email atencionalcliente@panelesa.com INFORMATION SECURITY POLICIES For PANELESA SAS it is essential and It is a priority to adopt technical, legal, human and administrative measures that are necessary to ensure the security of personal data, protecting confidentiality, integrity, use, unauthorized and / or fraudulent access. Likewise, it is allowed to report that internally the company has implemented mandatory security protocols for all personnel with access to personal data and information systems. The internal security policies under which the information of the owner is kept to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access, are the following: 1. Policies on the perimeter technological infrastructure in the data network (System Intrusion Prevention (IPS), Firewalls, Secure Mail, Content Control, NAC Network Access Control, Antivirus and Anti X). 2. Policies in the Technological Infrastructure and access control policies to information, applications and databases (MS Active Directory Platform, security modules, PGP encryption). 3. Technological implementation policies that minimize the risk of critical disaster platforms (DRP Disaster Recovery Plan). 4. Technological implementation policies that protect the organization's computers and servers from malware. 5. Technological implementation policies that prevent the use of USB devices from unauthorized storage. 6. Technological implementation policies that control the sending and electronic transmission characterized as confidential (DLP - Data Loss Prevention-, Transfer). 7. Use of different environments in critical platforms, so that developers and consultants can work without problem (DEV development, QA quality and Productive PDN). 8. Technological implementation policies that support the information contained in the different platforms. 9. Written policy on information security and use of information tools. 10. Confidentiality agreement with suppliers and third parties. 11. Confidentiality clause in employee employment contracts. 12. Self-control procedures and response to internal and external audit. 13. In all the events that take place, in which customer information is captured, the Habeas data paragraph is included, with its respective implications. 14. Habeas Data Notice. By participating in the Event, every participant declares to know and authorize in a free, prior, voluntary, express and duly informed manner to PANELESA SAS to collect, register, process, disseminate, compile, exchange, update and dispose of the data or partial information that you provided, and for the purposes of participating in the Event; as well as to transfer said data or partial or total information to their businesses and companies so that PANELESA SAS can offer its products and / or services to its customers in a more personalized and direct way, and also to contact the person at In such case of turning out to be the winner of the Event, to send advertising information of own brands, mailing, sms, direct mail and, to commercialize all the data and information that you voluntarily provided at the time of participating in the Event. The use of the database will be from the start of the Event until the day PANELESA SAS goes into liquidation. PANELESA SAS guarantees that it complies with the protection of personal data supplied by its clients by virtue of the provisions of the regulatory norms of the right to HABEAS DATA, for which it is allowed to inform: 1. That the right to habeas data is that which Every person has to know, update and rectify, free of charge, the information that has been collected about them in files and databases of a public or private nature. 2. That the client as the owner of the information may access their data at any time, for which they may modify, correct, update, revoke and request proof of the authorization given if they consider it through this means or through the Warehouse Customer Service offices across the country. 3. That the client as the owner of the information has the power or not to inform those data that they freely have and to submit requests regarding the use that has been given to their data. 4. That, for the full and effective exercise of this right by all its clients, PANELESA SAS has provided the following means through which they may submit their requests,  complaints and / or claims: email: atencionalcliente@panelesa.com Telephone: (+57) 317 355 6309. DATA PROTECTION In accordance with the provisions of Law 1581 of 2012 and its regulatory decrees for the Protection of Personal Data, by the that the right to information is regulated in data collection, we inform you of the following: - The personal data that you have provided us in this and other communications with you will be processed in the files that are the responsibility of PANELESA SAS - The purpose of the Treatment is to properly manage the provision of the service that you have requested. Likewise, these data will not be disclosed to third parties, except for legally permitted assignments. - The data requested through this and other communications are mandatory for the provision of the service. These are adequate, relevant and not excessive. - Your refusal to supply the requested data implies the impossibility of providing the service. - Likewise, we inform you of the possibility of exercising the corresponding rights of access, rectification, cancellation and opposition in accordance with the provisions of Law 1581 of 2012 before PANELESA SAS as responsible for the handling of the data provided here. The aforementioned rights can be exercised through the email atencionalcliente@panelesa.com