Data processing policy

1. SCOPE AND APPLICATION OF THE POLICY

MERIDIAN GROUP SAS, to fulfill its corporate purpose, collects, stores and uses personal data and information from its employees, its clients, its contractors, its suppliers, among others. Through this manual, and in accordance with the provisions of Law 1581 of October 17, 2012, and its Regulatory Decrees 1377 of 2013 and 886 of 2014, and other applicable and concordant regulations, adopts a Policy Manual for the Treatment of Data that regulates the way in which MERIDIAN GROUP SAS collects, uses, stores, custody, circulates, transfers, deletes, modifies, updates, corrects and any other form of processing of information and personal data of the announced owners. MERIDIAN GROUP SAS within its company has taken all the measures and technological mechanisms necessary to apply these policies, thus fully complying with current regulations, to meet the objectives of strengthening the level of trust between Controller and Owners in relation to the treatment. of your information; Inform the Owners of the purposes and transfers to which their personal data are subjected and the mechanisms and forms for the exercise of their rights.

2. IDENTIFICATION OF THE RESPONSIBLE

COMPANY NAME: MERIDIAN GROUP SAS. Non-profit commercial company identified with NIT. No. 900.076.943-1, is established as a Colombian company, with the fundamental objective of the development, promotion and promotion of knowledge, science, technology and associative entrepreneurship; all aimed at the sustainable socioeconomic improvement of the communities served; through research and implementation of solutions, services, programs and projects for social development, education, production, housing and environmental sustainability; orienting them to the well-being of man and the improvement of his standard of living, and the other activities registered in the Registry of the Chamber of Commerce.

3. DEFINITIONS

  • a) Habeas Data: The right of every person to know, update and rectify the information that has been collected about them in files and data banks of a public or private nature.
  • b) Personal data: Any information linked or that can be associated with one or several specific or determinable natural persons.
  • c) Sensitive personal data: These are data that affect the privacy of the Owner or whose improper use may generate discrimination.
  • d) Database: Organized set of personal data that is subject to processing.
  • e) Treatment: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.
  • f) Authorization: Prior, express and informed consent of the Owner to carry out the processing of personal data.
  • g) Privacy notice: It is the physical, electronic document or in any other format known or unknown, which is made available to the Owner in order to inform about the processing of their personal data.
  • h) Owner: Natural person whose personal data is processed.
  • i) Incumbent: Person who, by succession or transmission, acquires the rights of another person.
  • j) Responsible for the Treatment: Natural or legal person, public or private, who alone or in association with others, decides on the database and/or the processing of the data.
  • k) Data Processor: Natural or legal person, public or private, who, by themselves or in association with others, processes personal data on behalf of the Data Controller.

4. GUIDING PRINCIPLES REGARDING PERSONAL DATA

In terms of personal data protection, the following guiding principles will apply:

  • a) Principle of legality in matters of data processing: The processing referred to in the Habeas Data Law is a regulated activity that must be subject to what is established in it and in the other provisions that develop it.
  • b) Principle of purpose: The treatment must obey a legitimate purpose in accordance with the Constitution and the law, which must be informed to the Owner.
  • c) Principle of freedom: Treatment can only be carried out with the prior, express and informed consent of the Owner. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that requires consent.
  • d) Principle of truthfulness or quality: The information subject to processing must be truthful, complete, exact, updated, verifiable and understandable. The processing of partial, incomplete, fragmented or misleading data is prohibited.
  • e) Principle of transparency: In the treatment, the right of the Owner to obtain from the Data Controller or the Data Processor, at any time and without restrictions, information about the existence of data that concerns him or her must be guaranteed.
  • f) Principle of restricted access and circulation: The processing is subject to the limits derived from the nature of the personal data, the provisions of the law and the Constitution. In this sense, the treatment can only be carried out by people authorized by the Owner and/or by the people provided for by law. Personal data, except public information, may not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide knowledge restricted only to the Owners or authorized third parties in accordance with the law.
  • g) Security principle: The information subject to processing by the data controller or Data Processor referred to in the Habeas Data Law must be managed with the technical, human and administrative measures that are necessary to provide security to the records. avoiding its adulteration, loss, consultation, unauthorized or fraudulent use or access.
  • h) Principle of confidentiality:

    All persons involved in the processing of personal data that are not public in nature are obliged to guarantee the confidentiality of the information, even after their relationship with any of the tasks included in the processing has ended, and may only supply or communicate of personal data when this corresponds to the development of activities authorized by law and in its terms.

5. RIGHTS OF THE INDIVIDUAL

The holders of personal data will enjoy the following rights, and those granted to them by law:

  • a) Know, update and rectify your personal data in front of the person responsible for the treatment or those in charge of the treatment. This right may be exercised, among others, against partial, inaccurate, incomplete, fragmented, misleading data, or data whose processing is expressly prohibited or has not been authorized.
  • b) Request proof of the authorization granted to the Data Controller except when it is expressly excepted as a requirement for the treatment, in accordance with the provisions of article 10 of the law.
  • c) Be informed by the Data Controller or the Data Processor, upon request, regarding the use that has been given to your personal data.
  • d) Submit complaints to the Superintendence of Industry and Commerce for violations of the provisions of the law and other regulations that modify, add or complement it.
  • e) Revoke the authorization and/or request the deletion of the data when the processing does not respect constitutional and legal principles, rights and guarantees. The revocation and/or deletion will proceed when the Superintendence of Industry and Commerce has determined that in the processing the person responsible or in charge has engaged in conduct contrary to the law and the Constitution.
  • f) Access free of charge to your personal data that has been processed.

6. DUTIES OF MERIDIAN GROUP SAS AS RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA

MERIDIAN GROUP SAS as Responsible for the processing of personal data, will fulfill the following duties:

  • a) Guarantee the owner of the data the full and effective exercise of the right of habeas data.
  • b) Request and keep a copy of the respective authorization granted by the data owner.
  • c) Inform the owner about the purpose of the collection and the rights granted to him by virtue of the authorization granted.
  • d) Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
  • e) Guarantee that the information provided to the Data Processor is true, complete, exact, updated, verifiable and understandable.
  • f) Update the information, communicating in a timely manner to the Data Processor, all the news regarding the data that you have previously provided and adopt the other necessary measures so that the information provided to it remains updated.
  • g) Rectify the information when it is incorrect and communicate the pertinent information to the Data Processor.
  • h) Provide the Data Processor, as the case may be, only data whose processing is previously authorized in accordance with the provisions of this law.
  • i) Demand that the Data Processor at all times respect the security and privacy conditions of the Owner's information.
  • j) Process queries and claims made by data owners in the terms and opportunities established by law.
  • k) Adopt an internal manual of policies and procedures to guarantee adequate compliance with the law and, especially, to respond to queries and complaints.
  • l) Inform the Data Processor when certain information is under discussion by the Owner, once the claim has been submitted and the respective process has not been completed.
  • m) Inform at the request of the data owner about the use given to their data.
  • n) Inform the data protection authority when there are violations of the security codes and there are risks in the administration of the information of the data owners.
  • o) Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

7. SPECIFIC POLICIES FOR THE PROCESSING OF PERSONAL DATA

Processing of personal data of Employees of MERIDIAN GROUP SAS , collects the personal data of its Workers which are classified by the company as reserve, and will only be revealed by the company with the express authorization of the owner or when a Competent Authority requests it. The purposes for which the personal data of the company's Employees are used will be:

  • Comply with the obligations imposed by Colombian labor law on employers, or the orders issued by the competent Colombian authorities.
  • Issue certifications related to the relationship of the data owner with the company.
  • Comply with the obligations imposed on the company as an employer, in relation to Occupational Health and Safety standards, and the so-called Occupational Health and Safety Management System (SG-SST).
  • Manage the functions carried out by workers.
  • Consult memos or calls for attention.
  • Develop and apply the disciplinary process.
  • Contact family members in emergency cases.
  • Achieve efficient communication, by any means known or unknown, related to our products, services, offers, alliances, studies, content, as well as those of our related companies, and to facilitate general access to their information.
  • Transfer your data to allied companies of MERIDIAN GROUP SAS anywhere in the national territory.
  • Send or transfer your data to potential clients for the purpose of participating in bidding processes with different entities, which require it within the specifications.

MERIDIAN GROUP SAS stores the personal data of its employees, including those obtained during the selection process, and keeps them in a folder identified with the name of each of them. This folder will only be accessed and processed by the Human Talent Area, with the purpose of managing the contractual relationship between MERIDIAN GROUP SAS and the employee. MERIDIAN GROUP SAS processes sensitive data of its workers such as image and voice with the sole purpose of controlling the quality of the services provided by the company. For the purposes of this processing, the respective authorization is collected in accordance with the law, clearly indicating the sensitive data subject to processing and its purpose. Likewise, it will have adequate security systems for the management of sensitive data and its reservation, with the understanding that such sensitive data will only be used by MERIDIAN GROUP SAS for the aforementioned purposes. Once the employment relationship has ended, MERIDIAN GROUP SAS will proceed to store all the personal data obtained from the selection process and the documentation generated in the development of the employment relationship, in a central file with restricted access, subjecting the information to measures and measures at all times. adequate security levels, given that employment information may contain sensitive data. In any case, the information will not be processed for a period of more than twenty (20) years from the termination of the employment relationship, or in accordance with the legal or contractual circumstances that make the handling of the information necessary.

Processing of personal data of Clients MERIDIAN GROUP SAS collects the personal data of its Clients and Potential Clients and stores them in a database which is classified by the company as reserve, and will only be revealed with the express authorization of the owner or when a Competent Authority requests it. The purposes for which the personal data of MERIDIAN GROUP SAS Clients are used will be:

  • a) Carrying out procedures for the pre-contractual, contractual and post-contractual stages.
  • b) General connection of each client.
  • c) Achieve efficient communication related to our products, services, alliances, studies, content, as well as those of our related companies, and to facilitate general access to their information.
  • d) Comply with obligations contracted with our clients, suppliers, and employees.
  • e) Inform about changes to our products and/or services.
  • f) Corroborate any requirement that arises in the development of the contract entered into.
  • g) Verify cases in which there is non-compliance by any of the parties.
  • h) Evaluate the quality of our products and/or services.
  • i) Sending invitations to events scheduled by the company and informing about new products and/or services that are related to the one(s) contracted or acquired.
  • j) Carry out customer loyalty activities and marketing operations.
  • k) Carry out internal studies on consumer habits.
  • l) Transfer your data to allied companies of MERIDIAN GROUP SAS anywhere in the national territory.

MERIDIAN GROUP SAS processes sensitive data of its clients such as voice and image, with the purpose of using the recordings of the conversations held with the company's commercial agents, for quality purposes and to be used as proof of the purchase and sale contract; make recordings of some of the classes that are taught in the company, with the intention of evaluating and improving their quality. For the purposes of this processing, the respective authorization is collected, which in any case will be express and optional, clearly indicating the sensitive data subject to processing and its purpose. Likewise, it will have adequate security systems for the management of sensitive data and its reservation, with the understanding that such sensitive data will only be used by MERIDIAN GROUP SAS, for the aforementioned purposes. In any case, the information will not be processed for a period greater than the duration of the client's relationship with the company, and the additional time required in accordance with the legal or contractual circumstances that make the handling of the information necessary.

Treatment of personal data of Visitors in the Entry Control MERIDIAN GROUP SAS collects the personal data of its visitors and stores them in a database which is classified by the company as reserve, and will only be revealed by the company with express authorization of the owner or when a Competent Authority requests it. The purposes for which the personal data of those who enter the facilities of MERIDIAN GROUP SAS are used will be:

  • a) Ensure entry to the company facilities to people who have authorization for free transit and restrict passage to those who are not authorized.
  • b) Guarantee security in monitored environments.
  • c) Allow adequate work environments for the safe development of activities within the company.

In any case, the information will not be processed for a period of more than one (1) year from its collection in accordance with the legal or contractual circumstances that make the handling of the information necessary.

Treatment of personal data of Video Surveillance Registry MERIDIAN GROUP SAS collects biometric data of its workers and visitors through its Surveillance Cameras and stores them in a database which is classified by the company as reserve, and will only be revealed with the express authorization of the owner or when a Competent Authority requests it. The purposes for which the personal data contained in the MERIDIAN GROUP SAS Surveillance Cameras are used will be:

  • a) Guarantee safety in work environments.
  • b) Allow adequate work environments for the safe development of the company's work activities.
  • c) Control the entry, stay and exit of employees and contractors in the company's facilities.

To comply with the duty of information that corresponds to MERIDIAN GROUP SAS as administrator of personal data, the company will implement Privacy Notices in the areas where images that involve processing of personal data are captured.

In any case, the information will not be processed for a period of more than thirty (30) days from its collection in accordance with the legal or contractual circumstances that make the handling of the information necessary.

8. PROCESSING OF PERSONAL DATA OF GIRLS, BOYS AND ADOLESCENTS

MERIDIAN GROUP SAS only handles data on children and adolescents corresponding to the children of employees, with the sole purpose of being registered as beneficiaries of their parents' social security.

9. PROCEDURE FOR ATTENDING QUERIES, CLAIMS AND PETITIONS AND MECHANISMS TO EXERCISE THE RIGHTS OF THE OWNERS

The Owner, his successors, his representative and/or attorney-in-fact, or whoever is determined by stipulation in favor of another; You may exercise your rights by contacting us through written communication addressed to the area in charge of personal data protection in the company. The communication can be sent to the following email pqrs@meridiangroupsa.com.

Inquiries regarding the processing of personal data may consult the personal information of the Owner that resides in the databases of MERIDIAN GROUP SAS, and the company will be responsible for providing all the information contained in the individual record or that is linked to the identification. From applicant.

  • The consultation will be formulated through the means enabled by MERIDIAN GROUP SAS, already announced.
  • MERIDIAN GROUP SAS will respond to the query within a maximum period of ten (10) business days from the date of receipt thereof. When it is not possible to attend to the query within said term, the interested party will be informed, expressing the reasons for the delay and indicating the date on which their query will be attended to, which in no case will exceed five (5) business days following the expiration date. of the first term. Through a written request from an individual, and when MERIDIAN GROUP SAS has confirmed the information that allows it to identify the person making the request, and if it has stored such personal data about said individual, MERIDIAN GROUP SAS will: a) Inform the person if the corporation has personal data about them; b) It will describe the data it has, the reason and purpose for which it maintains it; and c) Provide the individual with copies of the personal data held about him or her, together with an indication of the source(s) thereof.

Claims for the processing of personal data When it is considered that the information contained in a MERIDIAN GROUP SAS database must be corrected, updated or deleted, or when the alleged breach of any of the duties contained in the Law of Habeas Data, a claim may be submitted to MERIDIAN GROUP SAS, which will be processed under the following rules:

  • The claim will be formulated by written communication addressed to MERIDIAN GROUP SAS, with the identification of the Owner, the description of the facts that give rise to the claim, the address, and accompanying the documents that you want to assert.
  • The claim will be made through a request addressed to MERIDIAN GROUP SAS with the identification of the data owner, the description of the facts that give rise to the claim, the address, and accompanying the documents that you want to assert.
  • If the claim is incomplete, the interested party will be required within five (5) days following receipt of the claim to correct the deficiencies. After two (2) months from the date of the request, without the data owner presenting the required information, it will be understood that he or she has withdrawn the claim.
  • In the event that MERIDIAN GROUP SAS is not competent to resolve the claim, it will notify the interested party within a maximum period of two (2) business days.
  • Once the complete claim is received, a legend that says “claim in process” and the reason for it will be included in the database within a period of no more than two (2) business days. The legend will remain until the claim is decided.
  • The maximum term to address the claim will be fifteen (15) business days counted from the day following the date of receipt. When it is not possible to address the claim within said term, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case will exceed eight (8) business days following the expiration of the first term. .

Request to update and/or rectify the Data MERIDIAN GROUP SAS will rectify and update, at the request of the owner, the information that is inaccurate or incomplete, in accordance with the procedure and terms indicated above, for which the Owner must submit the request according to the channels provided by the company, indicating the update and rectification of the data and in turn must provide the documentation that supports such request.

Opposition to direct marketing actions MERIDIAN GROUP SAS will comply with any request from an individual not to use their personal data for direct marketing purposes.

Revocation of authorization and/or deletion of Data The Owner may revoke at any time the consent or authorization given for the processing of his or her personal data, as long as there is no impediment enshrined in a legal or contractual provision. Likewise, the Owner has the right to request at all times from MERIDIAN GROUP SAS the deletion or elimination of his or her personal data when:

  • a) Consider that they are not being treated in accordance with the principles, duties and obligations provided for in current regulations.
  • b) They have ceased to be necessary or relevant for the purpose for which they were obtained.
  • c) The time necessary to fulfill the purposes for which they were obtained has elapsed.

Such deletion implies the elimination of either all or part of the personal information, in accordance with what is requested by the owner in the records, files, databases or treatments carried out by MERIDIAN GROUP SAS.

The right of cancellation is not absolute and therefore you may deny revocation of authorization or deletion of personal data in the following cases:

  • a) The owner has a legal or contractual duty to remain in the database.
  • b) The deletion of data hinders judicial or administrative actions linked to tax obligations, the investigation and prosecution of crimes or the updating of administrative sanctions.
  • c) The data is necessary to protect the legally protected interests of the owner; to carry out an action based on the public interest, or to comply with an obligation legally acquired by the owner.

Procedural requirement The Owner, his successors, his representative and/or attorney-in-fact, or whoever is determined by stipulation in favor of another; You may only file a complaint with the Superintendency of Industry and Commerce for the exercise of your rights once you have exhausted the Consultation or Claim process directly with the company.

10. POLICY MODIFICATIONS

MERIDIAN GROUP SAS reserves the right to modify the Personal Data Treatment and Protection Policy at any time. However, any modification will be communicated in a timely manner to the owners of the personal data through the usual means of contact ten (10) business days prior to its entry into force. In the event that an owner does not agree with the new General or special Policy and with valid reasons that constitute a just cause for not continuing with the authorization for the processing of personal data, the Owner may request the company to withdraw of your information through the channels already indicated. However, Owners may not request the withdrawal of their personal data when the company has a legal or contractual duty to process the data.

11. VALIDITY

This policy applies as of January 4, 2019. The respective update of the Legal Representative is made on January 1, 2024.

Elaborated Revised approved Date
Jhilian Vasquez Jhilian Vasquez Luis Javier Barrera González January 1, 2020
Jhilian Vasquez Jhilian Vasquez Luis Javier Barrera González January 1, 2024