INTRODUCTION

INVERSIONES GG OASIS S.A.S. (HOTEL EUTOPIQ – RESTAURANTE ARBORO), hereinafter referred to as "THE COMPANY," in its capacity as the data controller for the Processing of Personal Data, has established this Personal Data Protection Policy to ensure trust, security, and quality in the management of Personal Data Processing conducted by THE COMPANY. This is done in accordance with the authorization of the Data Subjects and the General Personal Data Protection Framework of Colombia (“GPDP”). THE COMPANY is committed to safeguarding the privacy and protection of the personal data of its stakeholders: customers, employees, and suppliers ("Stakeholders"), as well as the personal data of all individuals from whom it collects and processes such data.

Through this Personal Data Processing Policy ("Policy"), THE COMPANY outlines the principles governing the Processing of Personal Data under its management, making its data protection policies explicit.

This Policy complies with the General Personal Data Protection Framework of Colombia, including Statutory Law 1581 of 2012, Regulatory Decree 1074 of 2015, and any regulations that amend, supplement, or clarify these laws.

SCOPE: This Policy applies to all Personal Data recorded in Databases under the responsibility or administration of THE COMPANY, which acts as the data controller for the Processing of Personal Data. Likewise, the guidelines established in this Policy must be observed during the Processing of all Personal Data handled by THE COMPANY through its employees, collaborators, or agents responsible for such Processing on behalf of THE COMPANY.

This Policy addresses the following topics:

  1. Relevant terms included in this Policy
  2. What guides THE COMPANY in the Processing of Personal Data?
  3. What Personal Data does THE COMPANY collect and process?
  4. How is Personal Data collected?
  5. How is Personal Data processed?
  6. For what purposes is Personal Data processed?
  7. How is Customers' Personal Data processed?
  8. How is Sensitive Data processed?
  9. How is Personal Data of children and adolescents processed?
  10. How is unsolicited Personal Data processed?
  11. Who has access to Personal Data?
  12. What is THE COMPANY's security commitment?
  13. Updating of Personal Data and Processing of unauthorized Personal Data
  14. For how long is Personal Data processed?
  15. How is Personal Data of third parties not part of the Stakeholders processed?
  16. What are the rights of the Data Subjects?
  17. Who is responsible for handling Queries and Claims in THE COMPANY?
  18. What should a Data Subject do to submit Queries, Claims, or exercise their rights?
  19. How will web browser Cookies be used?
  20. Validity of the Policy and the Databases.

 

PERSONAL DATA PROTECTION POLICY

1. Relevant terms included in this Policy

In this Policy, the following terms will have the definitions provided in the right-hand column of the table:

Authorization: The prior, express, and informed consent granted by the Data Subject to the Data Controller or Processor, allowing the Processing of their Personal Data.

Privacy Notice: A verbal or written communication made available by the Data Controller to the Data Subjects, informing them about the existence of the applicable Data Processing Policy, how to access it, and the purposes to which their Personal Data will be subject.

Database(s): The organized set of Personal Data subject to Processing, which is stored in physical or digital media under the administration of THE COMPANY.

Client(s): Natural or legal persons who contract THE COMPANY to use its services.

Inquiry: A request made by a Data Subject, their successor, or representative to the Data Controller or Processor regarding their Personal Data stored in any of the Databases.

Personal Data: Any information linked or that can be linked to one or more identified or identifiable natural persons.

Public Data: Data that is not classified as semi-private, private, or sensitive. Public Data includes, among others, Personal Data related to a person’s marital status, profession or occupation, and their status as a merchant or public servant.

Sensitive Data: Personal Data that affects the Data Subject’s privacy or whose improper use may lead to discrimination. Sensitive Data includes, but is not limited to, racial or ethnic origin, political orientation, religious beliefs, health-related data, sexual life, and biometric data.

Data Processor: A natural or legal person, public or private, that processes Personal Data on behalf of the Data Controller.

Purpose: The objectives for which Personal Data is processed, which must be disclosed and authorized by the Data Subject.

Data Protection Policy/Policy: This Data Processing Policy established by THE COMPANY.

Claim: A request submitted by the Data Subject, their successor, or representative when they believe that information contained in a Database should be corrected, updated, or deleted, or when they notice a potential breach of a duty under the General Data Protection Regime.

General Data Protection Regime (GDPR-Colombia): Refers to the legal framework regulating the protection of Personal Data in Colombia, including Statutory Law 1581 of 2012, Regulatory Decree 1377 of 2013, Decree 886 of 2014, Unified Regulatory Decree 1074 of 2015, Title V of the Single Circular of the Superintendency of Industry and Commerce, and subsequent amendments or supplements.

Data Controller: The entity that decides on the Databases and/or Processing of Personal Data for its Stakeholder Groups. For the purposes of this Policy, THE COMPANY will act as the Data Controller unless expressly stated otherwise.

Data Subject: The natural person whose Personal Data is processed by THE COMPANY.

Employees: All natural persons employed by THE COMPANY to carry out activities aligned with its objectives, regardless of the type of employment or contract. The term also includes individuals engaged by Data Processors.

Data Transfer: The delivery of Personal Data or Databases by a Data Controller or Processor in Colombia to a recipient that, in turn, acts as a Data Controller, located either within or outside the country.

Data Transmission: The Processing of Personal Data that involves communication of such data within or outside Colombia for Processing by a Processor on behalf of a Data Controller.

Processing: Any operation or set of operations performed on Personal Data, including collection, storage, use, circulation, or deletion.

2. What Guides THE COMPANY in the Processing of Personal Data?

2.1 Principle of Restricted Access and Circulation: Access to Personal Data must be adequate, relevant, and limited to authorized personnel. Databases and Personal Data, except Public Data, must not be available on the Internet or other mass communication media unless access is technically controlled to provide restricted knowledge only to authorized parties, Data Subjects, or third parties.

2.2 Principle of Confidentiality: Confidentiality and integrity of Personal Data will be ensured through technical, legal, and administrative controls.

2.3 Principle of Freedom: Processing may only be carried out with the prior, express, and informed Authorization of the Data Subject. Personal Data must not be obtained or disclosed without prior Authorization, unless legally or judicially mandated.

2.4 Principle of Purpose: The Authorization for collecting and processing Personal Data must serve legitimate purposes expressly authorized, in accordance with the Constitution, the Law, and the General Data Protection Regime.

2.5 Principle of Legality: The Processing of Personal Data must comply with applicable regulations under the General Data Protection Regime.

2.6 Principle of Security: All necessary technical, human, and administrative measures will be implemented to secure Databases and Personal Data, preventing their alteration, loss, unauthorized consultation, use, or fraudulent access.

2.7 Principle of Veracity or Quality of Information: Personal Data subject to Processing must be accurate, complete, current, and understandable. Partial, incomplete, fragmented data or data that leads to errors will not be processed.

2.8 Principle of Transparency: The right of the Data Subject to obtain, at any time and without restrictions, information about the existence of their Personal Data will be guaranteed.

2.9 Principle of Minimization: Only Personal Data that is adequate, relevant, and limited to what is necessary for the specific purposes of Processing will be processed.

 

3. What Personal Data is Collected and Processed by THE COMPANY?

THE COMPANY collects various types of Personal Data depending on its interactions with Stakeholder Groups, requests made by Data Subjects regarding the Processing of their information, or the services provided by THE COMPANY. The Personal Data collected may include:

a. Name, type, and identification number.
b. Contact details.
c. Position or profession.
d. Demographic, social, and/or geolocation data.
e. Voice, images, and/or videos.
f. Data related to health status and physical condition.
g. Electronic identification data, web credentials, and browser information, including technical data on connection media or Internet service provider number.

Data listed from point (d) onwards is classified as Sensitive Data, and its Processing will adhere to the guidelines for such data as outlined in this Policy.

 

4. How Are Personal Data Collected?

THE COMPANY will only process Personal Data that has been previously, expressly, and knowingly authorized by the Data Subject through written or verbal consent, by an unequivocal act on the part of the Data Subject, or through any means that allows for its proper storage and future consultation.

A copy of the mentioned Authorization will be retained by THE COMPANY. At the time the Data Subject provides their Authorization, THE COMPANY will inform them of the Purposes and Processing to which their Personal Data will be subject, their rights, and the means through which they may exercise them. The Data Subject may revoke their Authorization and request the immediate deletion of their Personal Data through the channels established in this Policy unless there is a contractual or legal obligation to keep the data in the Database.

THE COMPANY will not be required to request the Data Subject's Authorization in the following cases: i) information required by a public or administrative entity in the exercise of its legal duties or by court order; ii) Public Data; iii) cases of medical or health emergencies; and iv) information authorized by law for historical, statistical, or scientific purposes.

In these cases, and in compliance with their legal obligations, THE COMPANY may collect Personal Data, including Sensitive Data, and transmit, transfer, or deliver it to the corresponding public or administrative entities, or to entities designated by them, in the exercise of their duties, without the need to notify the Data Subject of this action. In these scenarios, THE COMPANY will refrain from using the Personal Data for their own purposes or for purposes other than those permitted by their legal obligations or authorized by the Data Subject.

 

5. How Are Personal Data Processed?

THE COMPANY will process the Personal Data of individuals who are part of their Stakeholder Groups directly, through their Employees, or through their Processors, and in this regard, will have all the obligations and rights established under the GDPR. THE COMPANY may process the Databases and/or Personal Data under their management in physical or electronic formats. If processed electronically, it may be done on their own servers or those of third parties. Specifically, the Processing of Personal Data will be subject to the provisions set forth in this Policy.

 

6. What Are the Purposes of Processing Personal Data?

Without prejudice to the specific Purposes expressly authorized by the Data Subjects through their Authorization, THE COMPANY will process Personal Data for the following Purposes:

6.1 Shareholders and Board Members

a) Maintain efficient communication with information that is useful for the development and fulfillment of existing obligations.
b) Carry out the registration procedures required before the respective Chamber of Commerce, when applicable.
c) Perform all administrative, accounting, and tax activities that enable THE COMPANY to meet its social, corporate, credit, or other obligations.
d) Verify compliance with the disqualifications and incompatibilities regime provided by law and THE COMPANY's internal policies for holding office, as applicable.
e) Keep shareholders informed about current topics related to THE COMPANY's activities and the development of its corporate purpose.
f) Perform verification and updating of Personal Data.
g) Verify information in credit bureaus or restrictive lists as an element of analysis.
h) Present information to oversight and control authorities and support internal or external audit processes.

6.2 Workers, Potential Workers, and Collaborators

a) Establish and manage the pre-contractual, contractual, and post-contractual relationship of a commercial, labor, civil nature, or any other arising from fulfilling a legal or contractual obligation of THE COMPANY.
b) Comply with current laws, such as but not limited to labor legislation, social security, pensions, occupational risks, family compensation funds (Integrated Social Security System), and taxes. This includes all necessary processing required by the employment contract.
c) Fulfill instructions from competent judicial and administrative authorities.
d) Confirm personal information provided by cross-referencing it with public databases, credit bureaus, restrictive lists, anti-money laundering and counter-terrorism financing lists, illicit activities, or situations regulated by the Colombian Penal Code, as well as specialized companies, references, and contacts.
e) Monitor activities carried out within THE COMPANY's premises through video surveillance systems to ensure the safety of goods and persons related to THE COMPANY.
f) Occasionally, THE COMPANY may share some of your personal data with clients or suppliers to fulfill contractual obligations entrusted to or assumed by THE COMPANY.
g) Send general, institutional, commercial, and/or marketing information and notifications through any known or future communication medium, including text messages, emails, or WhatsApp, regarding THE COMPANY's products and services.
h) Consult your information for the execution of occupational wellness and health activities and for feedback purposes.
i) Incorporate personal data into folders and files related to the worker's employment history at THE COMPANY.
j) Process requests made by the worker related to their work experience.
k) Monitor and use images captured through video surveillance systems to control and oversee the development and performance of labor activities in the workspace.
l) Assign work tools, permissions, roles, and uses in THE COMPANY's information assets.
m) Use personal data of employees, interns, and apprentices to correctly process payroll, deductions, and related reports.
n) Fill out forms for life insurance and personal accident policies.
o) Prepare reports, such as but not limited to: DIAN, DANE, SENA, ICBF, UGPP, supervisory entities, Prosecutor's Office, Courts, government agencies, COPNIA, cooperatives, family compensation funds, and occupational risk insurers (ARLs).
p) Update socio-demographic information with compensation funds and suppliers.
q) Transfer and/or transmit personal data to suppliers, business partners, or third parties with whom THE COMPANY establishes commercial relationships, provided that such processing is relevant. This may be carried out in the Cloud or through any existing or future technology suitable for this purpose. Transfer and/or transmission may occur to third countries with adequate personal data protection levels.
r) Publish and disclose the use of images, personal data, voices, photos, sounds, and magnetic recordings, among others, on THE COMPANY's website, Facebook, Twitter, Instagram, or any other social network, as well as during events, programs, templates, and bulletins carried out by the company. This includes authorization for use even after the employment relationship has ended.

THE COMPANY may collect, store, and process personal data that affects privacy or whose use may lead to discrimination, categorized as Sensitive Data, which you are not obligated to provide.

  • Data related to health status.
  • Data revealing economic income.
  • Data revealing labor conditions.
  • Data revealing racial or ethnic origin.
  • Data revealing union membership or affiliation with social organizations promoting political rights or interests.
  • Biometric data such as voice and fingerprints.
  • Data revealing an individual’s image.

THE COMPANY may process sensitive data to achieve the following purposes:

  • Perform identity authentication processes.
  • Conduct commercial and market analyses and research.

6.3 Suppliers and Contractors

a) Contact and hire service or product suppliers that THE COMPANY requires for the development of its activities and the provision of its facilities; as well as make the necessary requests to report accounting, legal, and tax information related to them.
b) Perform all necessary activities to properly execute existing contracts.
c) Verify compliance with THE COMPANY’s policies regarding the selection and hiring of suppliers and third parties.
d) Verify information in credit bureaus or restrictive lists, with the purpose of using it as an analytical element.
e) Perform accounting, fiscal, administrative tasks, due diligence, invoicing, and other activities related to the commercial relationship.
f) Send communications via physical mail, email, mobile devices, or any other communication medium with commercial, advertising, or promotional information about THE COMPANY’s services, events, campaigns, and/or contests.
g) Consult, request, provide, report, process, obtain, collect, compile, confirm, exchange, modify, use, analyze, study, preserve, receive, and send all information regarding the data subject’s credit, financial, commercial, service behavior, and information from third countries of the same nature, in order to determine the possibility of establishing commercial relationships or any other kind of relationship.
h) Present information to control and oversight authorities.
i) Verify and update Personal Data.
j) Support internal or external audit processes and conduct statistical studies or accounting processes.
k) Perform commercial analysis and research, credit studies, market segmentation, promotion, ethnographic studies, statistical analysis, and risk, market, and financial analysis.

THE COMPANY may collect, store, and process personal data that affects privacy or whose use could generate discrimination, which qualifies as Sensitive Data; and which individuals are not required to provide.

a) Data related to health status.
b) Data revealing income.
c) Data revealing labor conditions.
d) Data revealing racial or ethnic origin.
e) Biometric data such as voice and fingerprints.
f) Data that reveals the image.

THE COMPANY may process sensitive data for the following purposes:

• Conduct identity authentication processes.
• Perform commercial and market analysis and research.
• Distribute photographs or videos taken in public spaces of the restaurant or hotel, on our communication channels, and on Facebook, Twitter, Instagram, or any integrated social network, with informational purposes about the various activities conducted.

6.4 Clients and Potential Clients

a) Provide the contracted services and carry out all necessary activities to enable THE COMPANY to meet its obligations.
b) Conduct satisfaction campaigns and follow-up on the services provided by THE COMPANY, even after the commercial relationship ends.
c) Send communications via physical mail, email, mobile devices, or any other communication medium with commercial, advertising, or promotional information about THE COMPANY’s services, events, promotions, and/or commercial or advertising contests, in connection with THE COMPANY and its business partners.
d) Process orders, requests, or any type of request made by the client through any available means of contact.
e) Conduct statistical studies or data analytics.
f) Inform about changes in information processing policies.
g) Present information to control and oversight authorities.
h) Support internal or external audit processes and accounting processes.
i) Perform accounting, fiscal, administrative tasks, due diligence, invoicing, and other activities related to the commercial relationship.
j) Verify information in credit bureaus or restrictive lists, for analytical purposes.
k) Verify and update Personal Data.
l) Send information regarding current and future commercial campaigns, and other necessary communications to keep clients informed through: phone calls, text messages, emails, Facebook, Twitter, Instagram, or any integrated social network, among others; conduct satisfaction surveys concerning the services provided by THE COMPANY.
m) Perform commercial analysis and research, credit studies, market segmentation, promotion, ethnographic studies, statistical analysis, and risk, market, and financial analysis.
n) Transfer and/or transmit personal data to suppliers, business partners, or third parties with whom THE COMPANY establishes commercial relationships, provided that the processing is relevant; this may be done in the cloud or through any appropriate technological medium. The transfer and/or transmission may occur to third countries that provide adequate levels of personal data protection.
o) Distribute photographs or videos taken in public spaces of the restaurant or hotel, on our communication channels, and on Facebook, Twitter, Instagram, or any integrated social network, with informational purposes about the various activities conducted.

THE COMPANY may collect, store, and process personal data that affects privacy or whose use could generate discrimination, which qualifies as Sensitive Data; and which individuals are not required to provide.
a) Data related to health status.
b) Data revealing income.
c) Data revealing racial or ethnic origin.
d) Biometric data such as voice and fingerprints.
e) Data that reveals the image.

THE COMPANY may process sensitive data for the following purposes:

a) Conduct identity authentication processes.
b) Perform commercial and market analysis and research.
c) Conduct data analytics projects.
d) Distribute photographs or videos taken in public spaces of the restaurant or hotel, on our communication channels, and on Facebook, Twitter, Instagram, or any integrated social network, with informational purposes about the various activities conducted.

 

7. How are Clients’ Personal Data Handled?

THE COMPANY may receive Personal Data corresponding to its Clients’ stakeholders in order to provide its services, including, but not limited to, accommodation services in hotels, prepared meals served at the table, and the sale of alcoholic beverages for consumption within the establishment.
In these cases, regarding the information collected for the provision of THE COMPANY’s services, the information will be processed as Data Processors, meaning that the clients will be responsible for the processing of the information under the terms of the GDPR. THE COMPANY will sign Data Transmission Agreements with its Clients to regulate the type of information to be provided, the purposes, activities, terms, and conditions of the Processing to which the provided data will be subjected.

a) The Client must have Authorization for the Processing of Personal Data under their responsibility, in compliance with the GDPR requirements, prior to the provision of any information. Clients will also retain a copy of such authorization.
b) The Client and the respective COMPANY will sign a data transmission agreement in compliance with GDPR requirements, which will define the purposes, Processing, and operations that THE COMPANY may carry out on the Personal Data as Data Processor.
c) The Client will provide the Databases or Personal Data using the means established in the data transmission agreement, ensuring the security of the information.
d) Through the Authorization that Clients request from individuals within their stakeholder groups, THE COMPANY will be authorized to process the Personal Data as Data Processor and under the terms indicated in this section.
e) THE COMPANY will request Clients to provide copies of the Authorization when deemed necessary.
f) Clients will be responsible for addressing inquiries, complaints, and requests made by the Data Subjects within their stakeholder groups relating to Personal Data Processing. If THE COMPANY receives any inquiry, complaint, or request, it will forward it directly to the respective Client. If the inquiry, complaint, or request concerns THE COMPANY’s processing of Personal Data, it will follow the procedures established in Section 20 of this Policy.
g) Clients will be the data controllers in accordance with GDPR and will be responsible for fulfilling the obligations and responsibilities based on their role.

 

8. How are Sensitive Data treated?

In general, THE COMPANY will obtain authorization to collect and process Sensitive Data. In these cases, THE COMPANY will inform the Data Subjects whose Sensitive Data will be processed about the specific purposes of their processing and that, since they are Sensitive Data, they are not obligated to provide them unless there is a legal requirement to do so. If there are any doubts regarding the need to provide Sensitive Data, please contact THE COMPANY prior to submitting the data.

THE COMPANY will not condition the existence and maintenance of its relationship with the Data Subject on the provision of Sensitive Data unless such data must indeed be obtained as they are essential for the existence and/or proper maintenance of the relationship or for compliance with the duties of THE COMPANY and/or the Data Subject.

 

9. How are the Personal Data of children, minors, and/or adolescents treated?

In general, THE COMPANY will refrain from collecting and processing Personal Data of children, minors, or adolescents. If necessary, THE COMPANY will limit itself to processing Public Personal Data or will request the corresponding Authorization from the legal representative. THE COMPANY will make its best effort to verify that the person acting as the legal representative of the child, minor, or adolescent is indeed authorized to do so. However, it will rely on the good faith of the person granting the Authorization for the Processing of the child’s, minor's, or adolescent's Personal Data and stating that they have the legal representative status.

 

10. How are Unsolicited Personal Data treated?

Before establishing formal business or labor relationships with THE COMPANY, Personal Data may be sent to us without the Authorization granted by the Data Subject. In these cases, the Data Subject agrees that by their unequivocal conduct of sending their information to THE COMPANY, they grant their Authorization for the Processing of their Personal Data strictly related to the process or request made.

The Authorization by unequivocal conduct will apply, including but not limited to, the sending of information about: i) people wishing to work at THE COMPANY; ii) people wishing to become suppliers or clients of THE COMPANY; and iii) people submitting requests, complaints, or claims of any nature to THE COMPANY. Notwithstanding the above, and only if the relationship with these third parties is formalized, the corresponding Authorization will be requested to continue processing the Personal Data for other purposes.

 

11. Who has access to the Personal Data?

Access to the Databases under the responsibility of THE COMPANY will only be available to THE COMPANY's Workers who need access and must process this information for their duties. THE COMPANY will not share or hand over the Databases or Personal Data stored in them to third parties with whom it has no relationship.

However, where necessary to achieve the authorized Purposes, Personal Data may be legitimately transmitted to providers, who may be located inside or outside the country, including in jurisdictions with different standards and levels of data protection, such as the United States. Agreements will be signed with these providers to protect the information, the rights of the Data Subjects, and to take all necessary measures to ensure that the Processing of the Database and Personal Data complies with this Policy.

The providers who usually share Personal Data include those providing website hosting and moderation services, including cloud storage, mobile app hosting, data processing, digital infrastructure provision, and IT services.

For all purposes, THE COMPANY may only provide information contained in its Databases to the Data Subjects, their heirs, or legal representatives, public or administrative entities exercising their legal functions or by court order, third parties authorized by the Data Subject or by the General Personal Data Protection Regime. THE COMPANY reserves the right to request additional documentation to verify the identity of the person requesting the information. Additionally, THE COMPANY will implement mechanisms that allow the Data Subjects to access their personal data, the purposes for which they have been processed, and the treatment that has been given to them.

Notwithstanding the above, THE COMPANY may share generic aggregated information with its commercial partners, trusted affiliates, or advertisers, which is not linked to any identified or identifiable person.

 

12. What is THE COMPANY's commitment to security?

THE COMPANY is committed to the confidentiality and security of the Personal Data stored in its Databases, under restrictions of access, availability, and inquiry by unauthorized third parties. THE COMPANY will ensure that the Personal Data in its files and Databases are stored and managed under reasonable security and confidentiality conditions.

Therefore, THE COMPANY informs the Data Subjects that it has adopted appropriate measures and practices for the preservation of Personal Data under industry-standard security conditions, designed to prevent alteration, loss, theft, public inquiry, unauthorized or fraudulent use or access, as well as the implementation of internal practices to contribute to a secure information environment. However, THE COMPANY cannot guarantee total security of any Personal Data Processing over the Internet or by data storage systems. If any Data Subject considers that their Personal Data is not being processed securely, THE COMPANY appreciates being notified as soon as possible to review the matter with the appropriate priority.

All Workers of THE COMPANY must ensure the confidentiality and security of the Databases and Personal Data and ensure that the Data Processors who access them are also responsible for this. The duty of confidentiality of employees regarding the Personal Data to which they have access extends even after their activity in relation to the processing is completed.

 

13. Updating Personal Data and Processing of Unauthorized Personal Data

THE COMPANY is committed to processing information in strict compliance with the principle of accuracy or quality, which is why it reminds Data Subjects of their right to update and rectify their Personal Data and encourages them to report any updates, changes, and/or modifications regarding their Personal Data as soon as possible. Furthermore, THE COMPANY reserves the right to carry out activities aimed at keeping the Personal Data of the Data Subjects within its Interest Groups up to date.

In the event of updates, changes, and/or modifications of Personal Data not properly reported to THE COMPANY, we ask for the understanding of any Processing of third-party data (not part of our Databases) caused by this fact. In these cases, and as soon as it is reported to THE COMPANY, the Data Subject's Personal Data not related to THE COMPANY's Interest Groups will be immediately deleted, and the relevant database will be updated accordingly.

 

14. How long is Personal Data processed?

THE COMPANY will keep the files or Databases containing Personal Data for the period required by applicable regulations. The minimum period for retaining Personal Data will correspond to the duration of the legal or contractual relationship with THE COMPANY, the period required for THE COMPANY to comply with its obligations, or the period necessary for the Data Subject to exercise their rights within the scope of the nature of the relationship that links them. Once this time has passed, THE COMPANY may destroy the Personal Data or remove it from its Databases, unless a legal or contractual obligation requires otherwise.

 

15. How are Personal Data of third parties who are not part of the Stakeholder Groups handled?

In the event that the COMPANY has access to Personal Data of third parties, provided by a person who is part of its Stakeholder Group, the COMPANY will understand that the latter has the explicit Authorization of the third party as the Data Subject to provide their Personal Data. Thus, the person who is part of the Stakeholder Group and provides the Data Subject's information to the COMPANY declares and acknowledges that they have the Authorization granted by the Data Subject for the COMPANY to access and process their Personal Data in accordance with the provisions of this Policy. This applies, without limitation, to Personal Data shared by Clients or Suppliers, legal entities, regarding their employees, contractors, or collaborators.

If the person in the Stakeholder Group does not have the explicit Authorization granted by the Data Subject, the COMPANY will limit its Processing of Public Data.

 

16. What are the rights of the Data Subjects?

The Data Subjects have the following rights:

a. To access, know, update, and rectify the Personal Data they have provided to the COMPANY.
b. To request proof of the Authorization granted to the COMPANY, in its role as the data controller, unless this is exempted as a requirement for Data Processing under the exceptions established by the GDPR.
c. To be informed by the COMPANY, upon request, about how their Personal Data has been used.
d. To file complaints with the Superintendence of Industry and Commerce for violations of the GDPR, after having first pursued a Consultation or Claim with the COMPANY.
e. To modify and/or revoke the Authorization and/or request the deletion of Personal Data.
f. To access their Personal Data that has been processed free of charge.
g. Any other rights recognized by the GDPR.

 

17. Who is responsible for handling Consultations and Claims at the COMPANY?

The department responsible for handling queries and claims related to the processing of personal data: Legal Department
Email: servicioalcliente@eutopiq.com

This same contact address can be used to raise any questions or inquiries regarding the Policy and practices related to Personal Data Processing by the COMPANY.

 

18. What should a Data Subject do to submit Queries, Claims, or exercise their rights?

Data Subjects can exercise their rights to authorize, know, update, rectify, delete the information provided, or revoke the authorization granted by sending a written communication to our offices, located at Carrera 69 Circular 1-32 Medellín – Antioquia, phone +57 (604) 3227069, or via email: servicioalcliente@eutopiq.com

In this way, and in compliance with the regulations on personal data protection, the COMPANY, as the data controller, presents the procedure and minimum requirements for exercising rights:

a) To file and attend to your request, please provide the following information:

b) Full name and surname, along with contact details (physical and/or electronic address and phone numbers);

c) Reason(s)/fact(s) giving rise to the claim, with a brief description of the right you wish to exercise (to know, update, rectify, request proof of the authorization granted, revoke it, delete, access the information).

d) Signature (if applicable) and identification number.

e) In the case of Consultations: the Data Subject or requester must fully identify themselves and clearly describe the consultation. If not acting as the Data Subject, the requester must state their capacity and attach the document that authorizes them to make the request or inquiry, such as a power of attorney, civil registry, etc.

The COMPANY will attend to Consultations within a maximum period of ten (10) business days from the date of receipt. If it is not possible to attend to the Consultation within the mentioned period, the COMPANY will inform the interested party of the reasons for the delay and provide a new deadline to address their request or inquiry, which will not exceed five (5) business days from the expiration of the initial period.

f) In the case of Claims: the interested party must clearly indicate the reason for the non-compliance. The COMPANY will address the Claim within a maximum of fifteen (15) business days from the day after its receipt. If it is not possible to resolve the claim within this period, the COMPANY will inform the interested party of the reasons for the delay and the new date for addressing the Claim, which will not exceed eight (8) business days following the initial deadline.

If the Claim received is incomplete, the COMPANY will request the interested party to provide the necessary information within five (5) business days from its receipt. If two (2) months pass without the required information being submitted, the COMPANY will consider the Claim to be abandoned.

If the Claim requests the deletion of Personal Data and/or revocation of Authorization for the use of Personal Data, the COMPANY will proceed accordingly. However, it will keep a copy of the Claim, including related information, for documentary purposes in potential administrative processes.

 

19. How will web browser Cookies be used?

The COMPANY will use "cookies," which are tools that collect information about users' navigation on their websites, to improve the user experience. The COMPANY will act as the controller of the information collected through cookies and will process it in accordance with the protection standards established by the GDPR.

If the COMPANY decides to implement cookies, it will inform users in their role as Data Subjects, through the corresponding Privacy Notice, about the use of this technology, its terms, and scope. In this way, Data Subjects who do not want cookies to be installed can reject or disable this option in their browser settings. If the user rejects or disables cookies, it may affect certain functional aspects of the website during their browsing experience.

 

20. Validity of the Policy and Databases

a) The Policy came into effect on September 1, 2020.

b) The Databases under the management of the COMPANY will have a validity equal to the time during which the Personal Data is used for the purposes described in this Policy; and, Personal Data in these databases will be retained unless the Data Subject requests its deletion and there is no legal or contractual obligation to retain the information.

c) The COMPANY informs that any substantial changes to the Personal Data Processing Policy will be communicated promptly through its website.

INVERSIONES GG OASIS S.A.S. NIT: 901407100-5
Address: Carrera 69 Circular 1-32 (Medellín – Antioquia)
Email: servicioalcliente@eutopiq.com
Phone: +57 (604) 3227069