Policy for the treatment of personal data Promotora De Café Colombia S.A.
I. GENERAL
In order to comply with the provisions of Law 1581 of 2012, Decree 1377 of 2013 and other complementary regulations, PROMOTORA DE CAFÉ COLOMBIA S.A., domiciled at Calle 73 No. 8-13, Torre A Piso 3 Bogotá D.C, Colombia, with NIT No. 830112317-1, telephone (57+601) 4824151 and email datos.personales@juanvaldezcafe.com (hereinafter, the “ENTITY” or “PROCAFECOL”), as Data Controller, hereby informs the Data Controllers of this Personal Data Processing Policy (hereinafter, the “Policy”).
This Policy establishes the guidelines applicable to the Processing of Personal Data that the COMPANY collects in an authorized manner through different means and stores in its Databases. Therefore, all Data Owners must read in advance and in detail the information contained in this Policy to know the type of personal data that the COMPANY collects, the Processing that is given to them and the procedures available to them to enforce their rights. If the Data Subject does not agree with this Policy, he/she should refrain from providing his/her Personal Data to the COMPANY.
For public knowledge, in addition to this Policy, PROCAFECOL has a Policies and Procedures Manual that includes information security guidelines and a whole system of processes designed to combat risks of adulteration, loss, consultation, unauthorized or fraudulent use or access of those Databases.
II. DEFINITIONS
Terms whose first letter is capitalized (except when it is exclusively because they begin a sentence or are proper nouns) have the meaning assigned to them below:
- “Authorization”: Prior, express and informed consent of the Data Subject to carry out the Processing of personal data.
- “Database”: Organized set of personal data that is the object of Processing.
- “Personal Data(s)”: Any information linked or that can be associated to one or several determined or determinable natural person(s).
- “Data Processor”: Natural or legal person, public or private, who by itself or in association with others, performs the Processing of personal data on behalf of the Data Controller.
- “Data Controller”: Natural or legal person, public or private, who by himself or in association with others, decides on the personal data and/or the processing of the data.
- “Data Subject(s)”: Natural person whose personal data is subject to Processing.
- “Processing”: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.
III. CATEGORIES OF PERSONAL DATA CONTAINED IN THE DATABASES
Depending on the nature of each of the Databases, the COMPANY collects and processes specific Personal Data necessary to carry out the Processing in each case with the authorization of the Data Subject. However, in order to give the Data Subject an idea of the type of Personal Data that the COMPANY collects, some examples are mentioned below:
- General identification data. Ex: First name, last name, type of identification, identification number, date and place of issue, name, marital status, gender, etc.
- Specific identification data of the person. Ex: signature, nationality, family data, electronic signature, other identification documents, age,
- Location data. Ex: address, telephone, e-mail, etc.
- Socio-economic data.
It is also possible that, in exceptional cases and with the prior express authorization of the holder, Sensitive Personal Data may be collected and processed, including data on persons with disabilities, data related to the health status of the person and biometric data of the person such as, for example, fingerprint, DNA, iris, facial or body geometry, photographs, videos, voice, among others.
IV. TREATMENT
The Personal Data contained in the ENTITY’s Databases are subject to different forms of Processing, including, but not limited to collection, exchange, updating, processing, reproduction, compilation, storage, use, systematization and organization, all of them partially or totally in compliance with the purposes set forth in the Policy. The Data Subject is informed that the Processing is carried out in an automated manner.
Personal Data may be delivered, transmitted or transferred to third parties as Processors or Data Controllers as the case may be (the “Third Parties”) within the framework of the development of the corporate purpose and outsourcing of services of the COMPANY. These Third Parties must sign the commitments or agreements necessary to safeguard the confidentiality of the information and shall act in accordance with the obligations set forth in Article 18 of Law 1581 of 2012, ensuring the protection and security of this information.
The COMPANY may transmit by any means the Personal Data contained in files, databases or similar means, to the parent company, subsidiaries, subsidiaries of its parent company (related) or allied entities with which the COMPANY maintains a business relationship, without payment or remuneration to the holder. Also, in compliance with legal duties, the COMPANY may provide Personal Data to judicial or administrative entities.
The COMPANY may also transfer, sell or assign the information collected in the event of a sale, merger, consolidation, change in corporate control, substantial transfer of assets, and/or reorganization or liquidation of the company.
When requesting Personal Data that is sensitive in nature, the COMPANY expressly informs the Data Subject that he/she is not obliged to authorize its collection or processing and that, in any case, the COMPANY will ensure its proper treatment in compliance with the legal requirements applicable to this type of information.
In all cases, the COMPANY will ensure that the Processing of Personal Data collected is subject to the principles of legality, purpose, freedom, truthfulness, transparency, access and restricted circulation, security and confidentiality enshrined in the applicable legislation.
V. PURPOSE
The information collected by the ENTITY is intended to allow the proper development of its purpose and the activities associated with it and the relationship between the ENTITY and the Registrants. In addition, the ENTITY keeps the information necessary to comply with legal duties, mainly in accounting, corporate, and labor matters.
Information about customers, suppliers, partners, shareholders, store tenants, applicants, and employees, current or former, is processed in order to facilitate, promote, enable or maintain labor, civil and commercial relationships.
By reason of its activity, the COMPANY stores information about customers participating in marketing programs and social networks that have voluntarily submitted them for the promotion of its commercial activities.
The COMPANY collects, stores and uses the Personal Data of its customers and members of any loyalty program it carries out in order to:
- create their user accounts in the Juan Valdez APP and website;
- identify them as customers of the COMPANY and as users of the Juan Valdez APP;
- conduct fraud studies of the Juan Valdez APP and website;
- send them communications with corporate information, purchase confirmations, advertising about products and services, offers, new product launches, and data verifications;
- advance payment processes and the shipment of goods and services purchased, which involves the processing of orders and cancellations of orders;
- attend PQRs related to the right to data protection;
- conduct research on the market and on consumer habits, statistical analysis and reporting of their behavior; and
- transmit and/or transfer their Personal Data to other Third Party Processors or Data Controllers, respectively.
The Data Subject expressly authorizes the COMPANY to obtain personal information provided directly, or through public and private sources, such as social networks among others, and authorizes the previously mentioned communications to be sent using the means of contact provided by the Data Subject, as well as contact through social networks and instant messaging such as WhatsApp and Telegram.
The COMPANY collects and processes Personal Data of candidates, with the sole purpose of carrying out the selection processes and considering potential candidates for future positions.
The COMPANY collects, stores and uses the Personal Data of employees in order to carry out activities aimed at the payment of payroll and social benefits, affiliations, the sending of internal communications and other activities necessary for the execution of the employment contract signed with the COMPANY. It also stores Personal Data of former employees in order to comply with legal obligations.
In addition, the ENTITY treats the information for corporate compliance purposes, so it is also used for the verification of: (i) judicial, criminal, fiscal, disciplinary, liability for damage to state assets, (ii) disqualifications and incompatibilities, (iii) money laundering, (iv) financing of terrorism, (v) corruption, (vi) transnational bribery, (vii) wanted by justice, and in the other Databases that report on the linkage of persons with illicit activities of any kind.
The personal information provided by the Data Subjects to the COMPANY is stored and maintained for the time necessary for the efficient provision of these services, unless the Data Subjects have given different instructions or in any case, for the retention period contemplated in the applicable laws.
VI. RIGHTS OF THE OWNERS
In accordance with the provisions of Article 8 of Law 1581 of 2012, the Holders may:
- Know, update and rectify their Personal Data with respect to the COMPANY or Data Processors. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or data whose processing is expressly prohibited or has not been authorized.
- Request proof of the Authorization granted to the COMPANY, except when expressly exempted as a requirement for the Processing, in accordance with the provisions of Article 10 of Law 1581 of 2012.
- Be informed by the COMPANY or the Data Processor, upon request, regarding the use that has been made of their Personal Data.
- File complaints before the Superintendence of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and other rules that modify, add or supplement it.
- Revoke the Authorization and/or request the deletion of Personal Data when the Processing does not respect the constitutional and legal principles, rights and guarantees. The revocation and/or deletion will proceed when the Superintendence of Industry and Commerce has determined that the COMPANY or the Processor has engaged in conduct contrary to Law 1581 of 2012 and the Constitution.
- Access free of charge their Personal Data that has been subject to Processing.
VII. OBLIGATIONS OF THE ENTITY
The ENTITY shall:
- Guarantee the Data Subject, at all times, the full and effective exercise of the right of habeas corpus.
- Request and keep, under the conditions set forth in Law 1581 of 2012, a copy of the respective authorization granted by the Data Subject.
- Duly inform the Holder about the purpose of the collection and the rights he/she has by virtue of the authorization granted.
- Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
- Guarantee that the information provided to the person in charge is truthful, complete, accurate, updated, verifiable and understandable.
- Update the information, communicating in a timely manner to the Data Processor, all developments with respect to the Personal Data previously provided and take other necessary measures to ensure that the information provided to it is kept up to date.
- Rectify the information when it is incorrect and communicate the pertinent information to the Data Processor.
- Provide to the Data Processor, as the case may be, only Personal Data whose Processing is previously authorized in accordance with the provisions of Law 1581 of 2012.
- Demand from the Data Processor, at all times, respect for the security and privacy conditions of the Data Subject’s information.
- Process the queries and claims formulated in the terms set forth in Law 1581 of 2012.
- Adopt an internal manual of policies and procedures to ensure proper compliance with this law and especially for the attention of queries and claims.
- Inform the Data Controller when certain information is under discussion by the Data Subject, once the claim has been filed and the respective process has not been completed.
- Inform at the request of the Data Subject about the use given to his/her Personal Data.
- Inform the personal data protection authority when there are violations to the security codes and there are risks in the administration of the information of the Data Holders.
- Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
VIII. SUBMISSION AND RESPONSE TO REQUESTS OR INQUIRIES
The Data Subjects whose Personal Data is contained in the COMPANY’s Databases, their successors in title or other parties entitled by law, may consult the Personal Data under the terms provided in the applicable legislation. Any request for consultation of Personal Data must be submitted in accordance with the information contained in this document. Data Subjects who wish to make inquiries must take into account that the COMPANY, as Data Controller, will provide such persons with all the information contained in the individual record or that is linked to the identification of the Data Subject.
Queries will be answered within ten (10) working days from the date of receipt of the respective request. When it is not possible to respond to the query within that term, the interested party shall be informed of the reasons for the delay and of the date on which the query will be answered, which in no case may exceed five (5) business days following the expiration of the first term.
IX. PRESENTATION AND RESPONSE TO INQUIRIES, COMPLAINTS AND CLAIMS
The Data Subject who considers that the information contained in a Database of the COMPANY should be corrected, updated or deleted, or when he/she notices the alleged breach of any of the duties contained in the regulations on personal data protection, may file complaints with the COMPANY or the Data Processor, which must be formulated according to the information contained in this document, and must contain, at least, the following information:
- Identification of the Claimant
- Clear description of the facts giving rise to the claim
- Contact details of the Claimant
- Documentation to be submitted as proof
If the claim is incomplete, the interested party will be required within five (5) days of receipt of the claim to correct the faults. After two (2) months from the date of the requirement, without the applicant submitting the required information, it will be understood that the claim has been withdrawn.
In the event that the person receiving the claim is not competent to resolve it, he/she will transfer it to the appropriate person within a maximum term of two (2) business days and will inform the interested party of the situation.
Once the complete claim has been received, a legend will be included in the Database stating “claim in process” and the reason for the claim, within a term no longer than two (2) business days. Such legend shall be maintained until the claim is decided.
The maximum term to address the claim will be fifteen (15) business days from the day following the date of receipt. When it is not possible to address the claim within such term, the interested party will be informed of the reasons for the delay and the date on which the claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.
The area responsible for dealing with queries, requests and claims, and in general to monitor compliance with the rules of protection of personal data within the COMPANY is the Customer Service area. In this regard, any request, inquiry or complaint related to the handling of Personal Data, in application of the provisions of Law 1581 of 2012 and Decree 1377 of 2013, should be sent to:
Entity Responsible for the Processing: PROMOTORA DE CAFÉ DE COLOMBIA S.A.
Address: Calle 73 No. 8-13 Torre A Piso 3 Bogotá D.C, Colombia
E-mail: datos.personales@juanvaldezcafe.com
Telephone: (601) 4824151 in Bogotá or 01 8000 517 711 in the rest of the country.
X. MODIFICATIONS TO THIS POLICY
This Policy may be modified at any time by the COMPANY, for legal or institutional reasons. The Owners of Personal Data and/or consumers will be notified of substantial modifications to this policy through its website: www.juanvaldezcafe.com.
According to the third paragraph of article five (5) of Decree 1377 of 2013, substantial modifications shall be understood as those changes to the content of this Policy related to the identification of the Controller and the purpose of the Processing of Personal Data that affect the content of the Authorization, in which event PROCAFECOL will obtain a new Authorization or ratify it according to those new purposes.
XI. VALIDITY
This Policy shall be effective as of July 27, 2013. The COMPANY reserves the right to modify it, under the terms and with the limitations provided by law.
The COMPANY may only carry out the Processing of Personal Data for the time that is reasonable and necessary, according to the purposes that justified the Processing, taking into account the provisions applicable to the matter in question and the administrative, accounting, fiscal, legal and historical aspects of the information.
Once the purpose for the Processing is fulfilled, the Personal Data will be deleted from the files of the COMPANY, unless there is a legal or contractual duty that requires it to keep them in its Databases.
XII. CONTACT US
If you have any questions or concerns about this Policy, or about the collection and processing of information by the COMPANY, you can contact us at datos.personales@juanvaldezcafe.com. Messages will be answered as soon as possible.
Date of last update: September 29, 2023.