PRIVACY POLICY

PRIVACY POLICY, TREATMENT AND PROTECTION OF PERSONAL DATA - NUTRISANO SAS

The company NUTRISANO SAS, domiciled in the city of Medellín – Antioquia, with address at Carrera 76 No. 22 - 38 Medellín – Antioquia, email address mercadonutrisano@gmail.com and contact telephone number (4) 4443616 – 3002457974 and identified with the Nit No. 900940223 - 3, hereinafter THE COMPANY, with a view to protecting and ensuring the owners of personal data due treatment of their personal information and complying with the stipulations indicated in Law 1581 of 2012, Decree 1377 of 2013 and Sole Decree 1074 of 2015, proceeds to issue the following information processing policy.

The main purpose of this policy is to inform the owners of personal data, the rights that assist them, the procedures and means of communication established by the company to make their rights effective and inform them of the scope and purpose of the treatment to which The personal data collected will be submitted.

TREATMENT AND PURPOSES

The registered data is managed by the area in charge as appropriate to the database of workers, clients, suppliers and/or contractors, with respect to which physical and digital processing is carried out in order to keep an updated record of the holders of the data. the information registered in the company, in order to comply with the internal and legal procedures against the owner of the data, public, administrative, judicial entities, data protection regulations and other treatments for which the information was collected. All managers, managers and authorized third parties who have access to personal data by virtue of Law, contract or request from a competent authority, will save and process the data within the following purposes:

GENERAL PURPOSES OF THE COMPANY'S DATABASES:

1. Compliance and development of the company's corporate purpose.
2. Maintain, archive and process by computer or other means, the information

collected and related to the owners of the information.

1. Comply with the company's internal processes regarding control and management

quality.

D. Comply with legal, contractual, administrative, fiscal,

tax and control. E. For publication, transfer and sending of: information, communications, requests,

quotes, products, goods and/or services.

1. Keep an updated record of the data collected from the information holders, for the development of statistics, surveys, economic proposals, action plans, reports and reports.
2. The location and location of the owners of the information for work purposes,

contractual or commercial.

1. Filing process, updating of computer systems, database,

protection and custody of information of data owners.

1. The transmission of data to third parties with whom contracts have been concluded

for commercial, administrative, contractual and/or operational purposes.

1. The other purposes that arise in the course of the relationships maintained

with the company according to the type of information and connection.

PURPOSE OF DATABASES FOR SHAREHOLDERS.

1. Manage all information and documentation necessary for compliance

of legal obligations to shareholders.

1. Comply with the company's internal processes regarding administration

and delivery of reports to shareholders.

1. Comply with summons to ordinary and extraordinary assembly in accordance

with the Law.

1. Carry out the archiving, system update, protection and

custody of information and shareholder databases.

1. Transmission of data to third parties with whom contracts have been concluded for this purpose, for commercial, administrative and/or operational purposes, including, but not limited to, the issuance of cards, personalized certificates and certifications to third parties, in accordance with legal provisions. current.
2. Maintain and process by computer or other means, any type of information related to the percentage of the shares or their disposal and/or acquisition.

G. The other purposes determined by those responsible in processes of obtaining personal data for processing, which will be communicated to the shareholders at the time of collection of personal data, in order to comply with legal and regulatory obligations. , as well as company policies.

PURPOSE OF DATABASES FOR WORKERS.

1. Manage all the information necessary for the collection of data from the worker and their family members for the purposes of affiliation to comprehensive social security systems, contractual affiliation, payroll payment and compliance with obligations as an employer.
2. For the location and location of the worker and/or family members, for information purposes of work, casual or circumstantial situations, when workers cannot inform by their own means.
3. Maintain and process by computer or other means, any type of

information related to the worker and/or their family members.

1. Comply with the company's internal processes regarding the administration of worker developments, disabilities, absenteeism, and authorizations. Likewise for the settlement of social and contractual benefits.
2. The transmission of data to third parties with whom contracts have been entered into for this purpose, for commercial, administrative and/or operational purposes, including, but not limited to, the issuance of cards, labor certificates, admission, periodic or discharge medical evaluations. , job and risk training, credit requests at the request of the worker, educational requests and others in accordance with current legal provisions.
3. To carry out interviews for promotion purposes, performance of duties, discharges and application of sanctions in accordance with the internal labor regulations, employment contract and labor standards.
4. The other purposes determined by those responsible in processes of obtaining personal data for processing, which will be communicated to workers at the time of collecting personal data, in order to comply with legal and regulatory obligations, as well as as well as company policies.

DATA HANDLING IN MINORS.

The origin of the data on minors comes only from the company's workers, who as legal representatives are empowered to grant them, for strictly connection purposes as beneficiaries of the health systems, plans, subsidies and/or aid that may be provided to them. correspond directly and through the company. This information has the express purposes of this policy and will be treated with the guidelines established in article 12 of regulatory decree 1377 of 2013.

PURPOSE OF CUSTOMER DATABASES.

1. Manage all the information necessary for the correct identification of the client

in compliance with legal and contractual obligations.

1. Maintain and process by computer or other means, any type of

information related to customer data.

1. Comply with the company's internal processes regarding administration

Of customers.

1. With the archiving process, systems update, protection and custody

of customer information and databases.

1. Processes within the company, for the purposes of operational development and/or client administration, credit applications, accounting, tax and portfolio management information.
2. Transmission of data to third parties with whom contracts have been entered into for this purpose, for commercial, administrative and/or operational purposes, including, but not limited to, the issuance of cards, personalized certificates, certifications to third parties, reporting and consultation in control centers. risks, consultation of financial capacity, and others that are required by suppliers and/or contractors in accordance with current legal provisions.
3. Prepare management and marketing studies, send advertising, offers and commercial information about the company and products and/or services, design advertising with clients for recognition and strategic positioning.
4. The other purposes determined by those responsible in processes of obtaining personal data for processing, which will be communicated to clients at the time of collection of personal data, in order to comply with legal and regulatory contractual obligations, as well as company policies.

PURPOSE OF SUPPLIERS AND CONTRACTORS DATABASES.

1. Manage all the information necessary for the verification of professional, technical and personal suitability, as well as for the registration and preparation of contracts with suppliers and contractors, in compliance with commercial and administrative obligations.
2. Request and keep a record of quotes, purchases and/or services,

acquired by the company with suppliers and contractors.

1. Comply with the company's internal processes regarding administration

of suppliers, contractors and third parties.

1. Comply with contracts entered into with suppliers and contractors, in the

acquisition of goods or services.

1. Processes within the company, for the purposes of operational development and/or administration of suppliers and contractors in the payment of credits, accounting, tax information, portfolio management and issuance of commercial certifications.
2. For the archiving process, updating of information systems, protection and custody of information and databases of suppliers and contractors.
3. The transmission of data to third parties with whom contracts have been entered into for this purpose, for commercial, administrative and/or operational purposes, including, but not limited to, the issuance of cards, personalized certificates, certifications to third parties, and others in accordance with the current legal provisions.
4. The transmission of data to clients in order to comply with obligations

contractual agreements through suppliers and contractors.

1. Maintain and process by computer or other means, any type of

information related to the registration of suppliers and contractors.

1. The other purposes determined by those responsible in processes of obtaining personal data for processing, which will be communicated to suppliers and contractors at the time of collection of personal data, in order to comply with legal and regulatory obligations. , as well as company policies.

MAIN DEFINITIONS

For the following information processing policy, the parameters established in Law 1581 of 2012 will be taken into account, in which the general provisions for data protection are dictated and the definitions provided by it will be taken into account, seeking to grant a more complete protection of personal data that the database has:

“Article 3. Definitions. For the purposes of this law, it is understood as:

1. Authorization: prior, express and informed consent of the owner to carry

carry out the processing of personal data;

1. Database: organized set of personal data that is subject to

treatment;

1. Personal Data: any information linked or that can be associated with one or

several determined or determinable natural persons;

1. Data Processor: natural or legal person, public or private, who, by themselves or in association with others, processes personal data on behalf of the data controller;
2. Data Controller: natural or legal person, public or private, who alone or in association with others, decides on the database and/or the processing of data;
3. Owner: natural person whose personal data is processed;
4. Processing: any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.

BEGINNING

The company, in the development of its commercial activities, will collect, use, store, transmit and carry out various operations on the personal data of the owners. In all personal data processing carried out by the company, those responsible, in charge and/or third parties to whom personal data is transferred, will observe and comply with the principles and rules established in the Law and in this Policy, in order to guarantee the right to habeas data of the owners and comply with the legal obligations of the company.

The principles that must be taken into account when carrying out a treatment are the following:

A. Legality regarding data processing: The company will be subject to the

established in the law and in the provisions that regulate it.

1. Purpose: Any personal data processing activity carried out by the company will obey the purposes mentioned in this policy or in the authorization granted by the owner of the personal data, or in the specific documents where each type or process of data processing is regulated. personal. The purpose of the processing of personal data must be informed to the owner of the personal data at the time of obtaining their authorization. Personal data may not be processed outside of the purposes informed and consented to by the data owners. The purpose for which personal data was collected is due to a legitimate purpose in accordance with the constitution and the law.
2. Freedom: The processing of personal data carried out by the company is carried out with prior authorization from the owner or taking into account the causes that require consent on the part of the owner and that are enshrined in the law.
3. Veracity or quality of the data: The personal data subjected to processing must be truthful, complete, accurate, updated, verifiable and understandable. The company does not process personal data that is partial, divided and that its processing may lead to an error, which may harm the owner of the information processing; When these cases arise, the company will ask the owner for the necessary correction and update so that this situation does not continue to arise. If it is not possible to update the information, the company will refrain from processing this data.
4. Transparency: Upon request from the owner, the company must provide a solution to the request made by the owner regarding the information stored in the database. The response to this request will be carried out by the privacy officer directly. The unit in charge of processing the information will accompany the response process in necessary cases.
5. Restricted access and circulation: Personal data can only be processed by company personnel who have authorization to do so, or who within their functions are in charge of carrying out such activities and have been authorized by the company. Personal data may not be delivered to those who do not have authorization or have not been enabled by the company to carry out the processing.

G. Temporality: The company, as a general rule, will not use the owner's information beyond the reasonable period required by the purpose that was informed to the owner of the personal data.

Paragraph. In cases where there is special legislation on the subject, the information will be kept for the period indicated by the special law.

1. Restricted access: except for expressly authorized data: The company may not make personal data available for access through the Internet or other mass media, unless technical and security measures are established that allow access to be controlled and restricted only to authorized persons.
2. Security: The company must always process the information by providing the technical, human and administrative measures that are necessary to maintain the confidentiality of the data and to prevent it from being adulterated, modified, consulted, used, accessed, eliminated, or known by unauthorized persons or by authorized and unauthorized persons fraudulently, or that personal data is lost. For any new project that involves the processing of personal data, this processing policy must be consulted to ensure compliance with it.
3. Confidentiality and subsequent treatment: All personal data that is not public data must be treated by those responsible as confidential, even when the contractual relationship or the link between the owner of the personal data and the company has ended. Upon termination of such link, such personal data must continue to be processed in accordance with this policy and the law.
4. Individuality: The company will maintain separately the databases in which it has the capacity of manager or that could become so, from the databases in which it acts as the person in charge.

RIGHTS OF THE OWNER OF PERSONAL DATA.

In accordance with the law, holders of personal data have the following rights:

1. Know, update and rectify your personal data before the company or those in charge of processing it. This right may also be exercised against partial, inaccurate, incomplete, fragmented, misleading data, or data whose processing is expressly prohibited or has not been authorized.

B. Request proof of the authorization granted to the company, except in cases where the law indicates that authorization is not needed for the processing of said information.

1. Submit requests to the company or the person in charge of the treatment regarding the use that has been given to your personal data, and that they provide you with such information.
2. Submit complaints for violations to the Superintendence of Industry and Commerce

to the Law.

1. Freely revoke your authorization and/or request the deletion of your personal data from the company's databases or when the Superintendency of Industry and Commerce has determined by means of a definitive administrative act that in the processing the company or the person in charge of the treatment has incurred in conduct contrary to the law or when there is no legal or contractual obligation to maintain personal data in the data base of the person responsible.
2. Request access and access free of charge to your personal data that has been processed in accordance with article 21 of Decree 1377 of 2013.
3. Know the modifications to the terms of this policy prior to and efficiently implementing the new modifications or, failing that, the new information processing policy.
4. Have easy access to the text of this policy and its modifications.
5. Access in an easy and simple way the personal data that is under the control of the company to effectively exercise the rights that the law grants to the owners.
6. Know the agency or person authorized by the company to whom you can submit complaints, queries, claims and any other request regarding your personal data.
7. Holders may exercise their legal rights and carry out the procedures established in this policy, by presenting their citizenship card or original identification document. If they have personal data of minors, they may exercise their rights personally, or through their parents or the adults who have parental authority, who must prove it through the relevant documentation.

Likewise, the successors in title who prove said status, the representative and/or attorney of the owner with the corresponding accreditation and those who have made a stipulation in favor of another or for another may exercise the rights of the owner.

PRIVACY OFFICER

The company has appointed Ms. TANYA ALCARAZ SIERRA as privacy officer, who will from now on be in charge of receiving and responding to requests, complaints, claims and queries that the owners of the information have regarding the processing of their information. . Among the functions of the privacy officer are the following, without this being an exhaustive list of their functions, which can increase in favor of the protection of the rights of the owners of the information.

1. Receive requests from personal data holders, process and respond to those that are based on the law or these policies, such as: requests to update personal data; requests to know personal data; requests for deletion of personal data when the owner freely requests deletion or when the owner presents a copy of the decision of the Superintendency of Industry and Commerce in accordance with the provisions of the law, requests for information on the use and purpose given to your personal data, requests for proof of the authorization granted, when she has proceeded in accordance with the law.
2. Respond to the owners of personal data regarding those requests that

do not proceed in accordance with the law.

1. Serve as a link between regulatory organizations regarding the issue related to privacy, confidentiality and security of information, in this case the Superintendency of Industry and Commerce.
2. Carry out periodic evaluations about compliance with safety policies.

privacy, confidentiality and security.

1. Comply with the legal obligations established in the regulations on the processing of personal data, especially what is enshrined in Law 1581 of 2016 and its regulatory decrees.
2. Guide company personnel on the subject of information processing and

privacy of it.

1. Control and verify access to personal data within the company. The

Privacy Officer contact details are as follows:

• Email address: accounting@alimentosnutrisano.com

PROCEDURES TO EXERCISE THE RIGHTS OF THE HOLDERS OF PERSONAL DATA INQUIRIES

The company will have mechanisms so that the owner, his successors in title, his representatives, attorneys-in-fact, those who have been stipulated in favor of another or for another, or the representatives of minor holders; Ask questions regarding the personal data of the owner that resides in the company's databases.

These mechanisms can be carried out electronically through the email: accounting@alimentosnutrisano.com Telephone at (4) 4443616, or in person at the address 76 No. 22 - 38, Second floor Medellín – Antioquia.

Whatever the medium, the company will keep proof of the query and its response.

1. If the applicant has the capacity to formulate the query, in accordance with the accreditation criteria established in Law 1581 of 2012 and Decree 1377 of 2013, the company will collect all the information about the owner that is contained in the individual record of that person. or that is linked to the identification of the owner within the company's databases and will be made known to the applicant.
2. The person responsible for answering the query will respond to the applicant as long as they have the right to do so because they are the owner of the personal data, their successor in title, attorney-in-fact, representative, whether it has been stipulated by another or for another, or is the legal person responsible in the case of minors. This response will be sent within ten (10) business days from the date on which the request was received by the company.
3. In the event that the request cannot be attended to within ten (10) business hours, the applicant will be contacted to inform them of the reasons why the status of their request is in process. To do this, the same medium or one similar to that used by the owner to communicate their request will be used. Case in which the deadline to respond will be extended five (5) more days.
4. The final response to all requests will not take more than fifteen (15) business days from the date on which the initial request was received by the company.

CLAIMS

The company has mechanisms for the owner, his successors, representative and/or attorneys, those who stipulated for another or for another, and the representatives of minor holders, to make claims regarding the personal data processed by the company that must be be subject to correction, update or deletion, or the alleged breach of the company's legal duties.

These mechanisms may be electronic through the email accounting@alimentosnutrisano.com

1. The claim must be presented by the owner, his successors or representatives or accredited in accordance with Law 1581 and Decree 1377, as follows:

• You must contact the privacy officer, Ms. TANYA ALCARAZ SIERRA, electronically at the email address accounting@alimentosnutrisano.com.
• It must contain the name and identification document of the owner.
• It must contain a description of the facts that give rise to the claim and the objective pursued (updating, correction, deletion, or compliance with duties).
• You must indicate the address, contact information and identification of the claimant.

It must be accompanied by all the documentation that the claimant wants to assert. Before addressing the claim, the company will verify the identity of the owner of the personal data, its representative and/or attorney, or the accreditation that there was a stipulation by or for another. To do so, you may require the holder's original citizenship card or identification document, and any special or general powers or documents that may be required as the case may be.

1. If the claim or additional documentation is incomplete, the company will require the claimant once within five (5) days of receipt of the claim to correct the deficiencies. If the claimant does not present the required documentation and information within two (2) months following the date of the initial claim, it will be understood that the claim has been abandoned.
2. If for any reason the person who receives the claim within the company is not competent to resolve it, he or she will notify the privacy officer within two (2) business days after receiving the claim, and will inform the claimant of said referral. .
3. Once the claim is received with the complete documentation, a legend that says “claim in process” and the reason for it will be included in the company's database where the data of the owner subject to the claim is stored.

greater than two (2) business days. This legend must be maintained until the claim is decided.

1. The maximum term to address the claim will be fifteen (15) business days counted from the day following the date of receipt. When it is not possible to address the claim within said term, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.

VALIDITY

This Policy applies as of the first day (1) of March 2018. The personal data that is stored, used or transmitted will remain in our database, based on the criteria of temporality and necessity, for the time necessary to the purposes mentioned in this policy, for which they were collected.