POLICY INFORMATION PROCESSING

Table of Contents
General considerations
Mandatorias
Definitions
Principles for the processing of personal data.
Principles relating to the collection of personal data.
Principles relating to the use of personal data.
Principles relating to the quality of information.
Principles relating to the protection, access and movement of personal data.
Treatment which will be submitted personal data and the purpose of it.
Rights holders data.
COMPANY duties when he acts as controller of personal data.
COMPANY duties against the holder of the data.
COMPANY duties concerning the quality, safety and confidentiality of personal data.
COMPANY duties when performing the treatment through a manager.
COMPANY duties with respect to the Superintendency of Industry and Commerce.
COMPANY duties when he works as a processor of personal data.
Authorization.
Authorization for processing sensitive data:
Treatment Authorization data of children and adolescents (NNA)
Classification and special treatment of certain personal data
International transfer of personal data
International and national data transmissions Managers
Procedures for holders to exercise their rights
Consulations
Claims
Person or area responsible for the protection of personal data
Video surveillance
Date of entry into force of this policy and duration of the database.

GENERAL CONSIDERATIONS
Article 15 of the Constitution of the Republic of Colombia enshrines the right of anyone to know, update and rectify the personal data that exists on it in database or files public or private entities. It also directs those with personal data of third parties respect the rights and guarantees provided in the Constitution when it is collected, treated and circulating such information.
Enacting Law 1581 of 17 October 2012 lays down minimum conditions for the lawful processing of personal data of customers, employees and any other natural person. Both the literal k) of Article 17 and f) of Article 18 of the Act requires responsible and processors of personal data to “adopt an internal manual of policies and procedures to ensure proper compliance with this law and especially for answering inquiries and complaints. ”
Article 25 of the same law mandates that data processing policies are mandatory and that their ignorance will lead to sanctions. Such policies can not guarantee a level lower than the 1581 law established in the 2012 treatment.
Chapter III of Decree 1377 of June 27, 2013 regulates some aspects related to the content and requirements of treatment policies Information and Privacy Notices.
The company LEFEBRE AND LONG S.A.S (hereinafter and for all purposes the Company) is committed to respecting the rights of its customers, employees and third parties in general. Therefore, adopts the following policy processing of personal data mandatory in all activities involving the processing of personal data.

MANDATORIES
These policies are mandatory and strict compliance by all employees of the company in Colombia, contractors and third parts who act on behalf of the company.
All company employees must observe and respect these policies in the performance of their duties. In cases where there is no employment relationship should include a contractual clause to agents acting on behalf of the Company undertake to enforce these policies.
Failure to comply with the same result in sanctions work and other contractual responsibility as appropriate. This notwithstanding the duty to respond compensation for any damages caused to the owners of the data or the company for breach of these policies or the improper processing of personal data.

DEFINITIONS
• Authorization: Prior consent, express and informed the owner of the information to carry out treatment.
• Consultation: request of the holder of data or persons authorized by it or by law to release the information resting on it in databases or files.
• Personal Data: Any information related or may be associated with one or more specific or determinable natural persons
These data are classified as semi-private, public, sensitive, private.
– Sensitive Personal Data: Information that affects personal privacy or whose misuse can lead to their discrimination, such as those revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, trade union membership, social organizations , human rights or promote interests of any political party or to guarantee the rights and guarantees of opposition political parties, as well as data concerning health, sexual life and biometric data (fingerprints, etc.)
– Public Personal Data: The qualified as such by the mandates of the law or the Constitution and those who are not semiprivate or private data. They are public, among others, the data contained in public records, public records, official gazettes and and judgments duly executory that are not subject to reserve those relating to the civil status of persons, to their profession or trade and his quality merchant or public servant. Are public personal data existing in the trade register of the Chambers of Commerce (Article 26 of C.Co).
These data can be obtained and offered without reservation and regardless of whether hint general, private or personal information.
– Private Personal Data. It is the fact that by their intimate or confidential nature is only relevant for the individual owner of the data. Examples: books of traders, private documents, information extracted from the inspection of the home.
– Personal Data semiprivate. Is semiprivate the data that has intimate nature, reserved, not public and whose knowledge or disclosure may be of interest not only to its owner but to a certain sector or group of persons or society in general, as, inter alia, data concerning compliance and breach of financial obligations or data relating to relations with institutions of social security.
• Processor: person performing data processing on behalf of the controller.
• Claim: request of the holder of data or persons authorized by it or by law to correct, update or delete your personal data.
• Responsible treatment: who decides on, among others, collection and treatment purposes. Can be, by way of example, the company that owns the database or information system containing personal data.
• Data Holder: The natural person the data refer.
• Treatment: Any operation or set of operations on personal data as, inter alia, the collection, storage, use, movement or deletion of such information.
• Transmission: Processing of personal data that involves communication of the same in (national broadcast) or outside Colombia (international transmission) and aims to carry out a treatment by the Manager on behalf of the Principal.
• Transfer: The data transfer takes place when the charge and / or processor of personal data, located in Colombia, sends the information or personal data to a receiver, which in turn is responsible for the treatment and is within or Out of country.

PRINCIPLES FOR THE TREATMENT OF PERSONAL DATA
The processing of personal data should be in compliance with the general and special rules on the subject and for activities permitted by law.
In the development, interpretation and implementation of this policy shall apply the following principles harmonic and integral way:

PRINCIPLES RELATED TO PERSONAL DATA COLLECTION
• Principle of liberty: Unless legal rule to the contrary, the data collection can be exercised only with the prior express and informed consent of the owner. Personal data may not be obtained or disclosed without the prior consent of the owner, or in the absence of legal or judicial mandate relieve consent.
It shall inform the owner of the data in a clear, adequate and prior way about the purpose of the information provided and therefore data can not be collected without clear specification about the purpose thereof.
The principle of freedom should be observed both in the case of the data collected through formats like those who are part of the annexes or documents that provide data holders to the company.
You may not use misleading or fraudulent means to collect and perform processing of personal data
• limitation principle of harvest: should only be collected personal data that are strictly necessary to fulfill the purposes of treatment, so that is prohibited registration and disclosure of data which are not closely related to the goal of treatment . Consequently, efforts should be made reasonable efforts to limit the processing of personal data to the minimum necessary. That is, the data must be: (i) adequate, (ii) relevant and (iii) consistent with the purposes for which they were intended.

PRINCIPLES RELATING TO THE USE OF PERSONAL DATA
• Principle of purpose: Treatment must obey a legitimate purpose in accordance with the Constitution and the law, which must be reported to the owner. It shall inform the owner of the data in a clear, adequate and prior way about the purpose of the information provided and therefore can not be collected data without a specific purpose.
The data should be treated according to authorized uses. If, eventually, the use of personal data changes to forms that the person does not expect, is necessary to obtain the prior consent of the holder again.
• Principle of temporality: Personal data is kept only for reasonable and necessary to fulfill the purpose of processing time and legal requirements or instructions of surveillance and control authorities or other competent authorities. The data will be retained where necessary for compliance with a legal or contractual obligation. To determine the end of treatment the rules applicable to each purpose and administrative, accounting, tax, legal and historical aspects of information will be considered.
Following completion of the purpose or proceed to the deletion of data
• Principle of non-discrimination: It is prohibited to perform any act of discrimination on the information collected in databases or files.
• repair Principle: It is the obligation to compensate the damage caused by possible failures in the processing of personal data.

PRINCIPLES RELATING TO THE QUALITY OF INFORMATION
• Principle of accuracy or quality: the information subject to treatment must be truthful, complete, accurate, current, verifiable and understandable. the treatment of partial, incomplete, split or misleading data is prohibited. .se Must take reasonable steps to ensure that data is accurate and sufficient and, when requested by the Contractor or when the company determines, are updated, correct or delete as appropriate.

PRINCIPLES RELATING TO PROTECTION, ACCESS AND CIRCULATION OF PERSONAL DATA
• Safety principle: Every person connected with the company must meet the technical, human and administrative measures to establish the entity to provide security to personal data avoiding adulteration, loss, consultation, use, or unauthorized or fraudulent access.
• Principle of transparency: the holder the right treatment must be guaranteed to obtain at any time and without limitation, information about the existence of data concerning them.
• Principle of restricted access: access to personal data only allow the following persons:
– The holder of the data
– Persons authorized by the owner of the data
– A people which by law or court order are authorized to release the information holder’s data.
Personal data, except public information may not be available on the Internet or other means of disclosure or mass, unless access is technically controllable to provide knowledge restricted only to holders or third parties authorized under this Act communication.
• restricted circulation principle: You can only send or provide personal information to the following persons:
– The holder of the data
– Persons authorized by the owner of the data
– A public or administrative entities in the exercise of their legal functions or court order
In the latter case, in accordance with the Constitutional Court, it proceeds as follows:
First, public or administrative entity must justify its request indicating the link between the need to obtain the data and the fulfillment of their constitutional or legal duties.
Second, with the delivery of the information will be reported to the public or administrative entity which must fulfill the duties and obligations under the law 1581 of 2012 as controller. The administrative entity receiving must fulfill obligations to protect and guarantee derived from the Act, particularly the observance of the principles of purpose, legitimate use, restricted circulation, confidentiality and security.
• Principle of confidentiality: all persons involved in the processing of personal data that do not have the nature of public are obliged to ensure the confidentiality of information, even after the end of his relationship with some of the work comprising the treatment can only perform supply or communication of personal data where this is in the development of activities authorized by law.

WHICH WILL BE SUBJECT TO TREATMENT OF PERSONAL DATA AND THE PURPOSE OF THE SAME
COMPANY collect, use and process personal data fairly and lawfully to fulfill the activities of the social object of the society especially contracting, implementation and marketing of goods and services of the company.
The company may also process personal data for the following purposes:
• Perform the necessary steps for the development of pre-contractual, contractual and contractual post with the company on any of the products offered by the company that has or has not acquired or in respect of any underlying business relationship you have with her stage and comply with Colombian or foreign law and orders judicial or administrative authorities;
• Perform telemarketing activities (telemarketing), customer service, brand activation activities, awards and promotions
• Implement strategies CRM (customer relationship management), comprising, among others, (i) a management model of the entire organization, based on customer orientation and relationship marketing; (Ii) Create databases or computer systems supporting the management of customer relations, sales and marketing.
• Make invitations to events, improve products and services or offer new products, and all activities associated with the business relationship or link with the company, or that which has come to have
• Manage procedures (requests, complaints, claims), conduct surveys of satisfaction with the goods and services of the company or related companies, such as those that are part of the holding company and business partners of the company;
• Provide contact information and relevant documents to the sales force and / or distribution network, telemarketing, and any third party with which the company holds a contractual relationship of any kind;
• Introduce, transfer and / or transmit personal data within and outside the country aa affiliated companies or part of holding the Company or third parties as a result of a contract, law or legal link required or to implement computing services Cloud.
The data collected or stored on company employees by filling out forms, telephone, or delivery of documents (resumes, annexes) will be treated to everything related to labor issues of legal or contractual order. Under this, the company will use the personal data for the following purposes: (1) To comply with the laws as, inter alia, labor law, social security, pensions, occupational hazards, family compensation (Integral System Social security) and taxes; (2) Comply with the instructions of the competent judicial and administrative authorities; (3) Implement labor policies and strategies and organizational headquarters.
In the data (i) collected directly at the point of security, (ii) taken from documents that provide people security personnel and (iii) obtained from video recordings that are made inside or outside the company premises , they will be used for security of people, property and facilities of the Company and may be used as evidence in any type of process.

RIGHTS OF HOLDERS OF DATA
Mandated persons comply with these policies must respect and ensure the rights of holders following data:
• Understand, update and correct personal data. For this purpose it is necessary to establish the identification of the person to prevent unauthorized third parties from accessing data holder’s data
• Obtain a copy of the authorization
• Report on the use the company has given to the personal data of the holder;
• to process inquiries and complaints following the guidelines established by law and this policy
• Access the application for revocation of the authorization and / or deletion of personal data when the Superintendency of Industry and Commerce has determined that the treatment by the company has engaged in conduct contrary to the law 1581 of 2012 or the Constitution ;
The Contractor may also revoke the authorization and request the deletion of data, where there is no legal or contractual duty imposed upon him the duty to remain in the database or file manager or manager.
The request for deletion of information and revocation of authorization shall not proceed when the owner has a legal or contractual duty to remain in the database manager or manager.
• Access free of charge to your personal data. The information requested by the holder may be provided by any means, including electronic, as required by the owner. The information should be easy to read, no technical barriers to access and must correspond as a whole to that which rests in the database
Holders rights may be exercised by the following:
to. For the Contractor, who must prove his identity sufficiently by the various means available to put you COMPANY
b. For their successors, who must prove that quality.
c. The representative and / or agent of the Contractor, upon proof of the representation or empowerment.
d. By stipulation for another or for another.
The rights of children or adolescents be exercised by persons who are authorized to represent them.

DUTIES OF THE COMPANY RESPONSIBLE WHEN WORK AS PERSONAL DATA PROCESSING.
All required to enforce this policy should be aware that the company is obliged to fulfill duties imposed by law. Hence, one should act so that meet the following obligations:

DUTIES OF THE COMPANY WITH RESPECT TO THE HOLDER OF DATA.
• Order and maintain, as provided in this policy, a copy of their authorization granted by the holder;
• Report clear and sufficient to the holder of the purpose of the collection and the rights given by the authorization granted under way;
• Ensure the holder, at any time, the full and effective exercise of the right of habeas data, ie know, update or modify your personal data
• Inform request of the holder of the personal data given to use
• To deal with inquiries and complaints made under the terms stated in this policy;

DUTIES OF THE COMPANY WITH RESPECT TO THE QUALITY, SAFETY AND CONFIDENTIALITY OF PERSONAL DATA
• Apply the principles of truthfulness, quality, security and confidentiality in the terms established in this policy
• Keep the information under the security conditions necessary to prevent adulteration, loss, consultation, use, or unauthorized or fraudulent access;
• Update information as needed
• Rectify personal data whenever appropriate

DUTIES OF THE COMPANY WHEN PERFORMING TREATMENT THROUGH A KEEPER
• Provide the processor only the personal data processed is previously authorized. In the case of national and international transmissions must sign a contract transfer of personal data or agree contractual terms containing the provisions of Article 25 of Decree 1377 of 2013
• Ensure that the information supplied to the data processor is truthful, complete, accurate, current, verifiable and understandable;
• Communicate the processor timely manner, all the news in the data previously supplied him and take other necessary measures to ensure that the information provided this is kept current;
• Report the processor timely manner corrections made on the personal data may proceed to make appropriate adjustments
• Require the processor at all times, respect the security and privacy of information Holder;
• Report the processor when certain information is under discussion by the holder, once the complaint was filed and not yet completed the respective procedure;

DUTIES OF THE COMPANY WITH RESPECT TO THE SUPERINTENDENT OF INDUSTRY AND TRADE
• Inform any violations of safety codes and there are risks in managing information holders.
• Comply with the instructions and requirements that imparts the Superintendency of Industry and Commerce.

DUTIES OF THE COMPANY WHEN WORK AS MANAGER PROCESSING OF PERSONAL DATA
If the company performs data processing on behalf of another entity or organization (Head of Treatment) shall comply with the following duties:
• Ensure the holder, at any time, the full and effective exercise of the right of habeas data.
• Keep the information under the security conditions necessary to prevent adulteration, loss, consultation, use, or unauthorized or fraudulent access.
• Perform timely update, correct or delete the data.
• Update the information reported by the controllers within five (5) working days of your receipt.
• To process queries and complaints made by holders under the terms stated in this policy.
• Register in the database the legend “claim pending” in the way set out in this policy.
• Insert in the database the legend “information in court discussion” once notified by the competent authority on judicial proceedings related to the quality of personal data.
• Refrain from circulating information that is being contested by the holder and whose lock has been ordered by the Superintendency of Industry and Commerce.
• Allow access to information only to persons authorized by the owner or entitled by law to that effect.
• Inform the Superintendency of Industry and Commerce as violations of safety codes are presented and there are risks in managing information holders.
• Comply with the instructions and requirements that imparts the Superintendency of Industry and Commerce.

AUTHORISATION
Obligated to enforce this policy shall obtain from the holder the prior express and informed to collect and treat your personal data authorization. This obligation is not necessary in the case of data of a public nature, information processing for historical, statistical or scientific purposes in which information is not linked to a specific person and data related to the Civil Registry of Persons.
For the authorization shall follow the following instructions:
First, before the authorized person is required to inform clearly and reads as follows:
• Treatment which will be submitted personal data and purpose thereof;
• The optional nature of the response to the questions that will be made when these relate to sensitive data or data on children and adolescents;
• The rights of that person as holder under Article 8 of Law 1581 of 2012;
• The identification, physical or electronic address and telephone number of the company.
Second, you obtain the consent through any means that may be subject to further consultation. It should leave proof of compliance with the obligation to inform and consent. If the Contractor requests a copy of these you must supply them.
The authorization may also be obtained from Holder’s unequivocal conduct Data which demonstrate reasonably that it gave its consent to the processing of your information. Such (s) conduct (s) (s) must be very clear (s) so that does not support (n) doubt or mistake about will authorize treatment and in no case the silence of the Holder may be regarded as an unequivocal conduct
They are entitled to give consent:
a) The Contractor, who must prove his identity sufficiently by the various means available to put you COMPANY
b) The persons entitled Holder, who must prove that quality.
c) The (the) representative and / or guardian (a) of the Holder, subject to proof of the representation or empowerment.
The authorization may also be granted when cases of stipulation for another or to another den.
Authorization for processing sensitive data:
In the case of the collection of sensitive data must meet the following requirements:
a) The authorization should be explicit
b) Inform the Holder is not obliged to authorize the processing of such information
c) should be informed explicitly and Holder prior to which the data will be processed are sensitive and the purpose of it
Treatment Authorization data of children and adolescents (NNA)
In the case of data collection and treatment of children and adolescents must meet the following requirements:
a) The authorization must be granted by persons who are authorized to represent the NNA. The representative of the NNA must guarantee the right to be heard and value your opinion treatment given maturity, autonomy and ability to understand the issue NNA
b) should be informed that it is optional answer questions about data NNA
c) Treatment should respect the interests of the NNA and ensure respect for their fundamental rights should be informed explicitly and Holder prior to which the data will be processed are sensitive and the purpose of it

CLASSIFICATION AND SPECIAL TREATMENT OF CERTAIN PERSONAL DATA
The required to comply with this policy should identify sensitive people and children and adolescents (NNA) that eventually collect or store data with a view to:
• Implement enhanced responsibility in the treatment of these data results in a more demanding in terms of compliance with the principles and duties
• Increase levels of security of this information
• Increase access and use restrictions by the staff of the company and third parties
• Keep in mind the legal requirements and policy for collection

INTERNATIONAL PERSONAL DATA TRANSFER
When sending or transfer data to another country will require the authorization of the information that is subject to transfer. Unless the law says otherwise, it is a prerequisite that authorization for the international movement of data.
INTERNATIONAL AND NATIONAL DATA TRANSMISSIONS MANAGERS
When the company wishes to send or transmit data to one or more managers located within outside the territory of the Republic of Colombia, will be through contractual clauses or through a contract transfer of personal data in which, among others, the following is agreed:
(I) The scope of treatment;
(Ii) Activities that the charge made on behalf of the company,
(Iii) The obligations to be met by the Manager regarding Holder’s data and the company.
(Iv) The obligation of the Manager to comply with the obligations of the Responsible observing this policy
(V) The duty of the Manager to process data in accordance with the purpose authorized for it and observing the principles established by Colombian law and this policy
(Vi) The obligation of the Manager adequately protect personal data and databases as well as maintain confidentiality regarding the treatment of the transmitted data.

PROCEDURES FOR HOLDERS MAY YOUR RIGHTS
Below are detailed procedures for data holders to exercise their rights to know, update, modify and delete information or revoke the authorization.
Holders rights may be exercised by the following persons entitled under Article 20 of Decree 1377 of 2013:
to. For the Contractor, who must prove his identity sufficiently by the various means available to put you COMPANY
b. For their successors, who must prove that quality.
c. The representative and / or agent of the Contractor, upon proof of the representation or empowerment.
d. By stipulation for another or for another.
The rights of children or adolescents be exercised by persons who are authorized to represent them.
All inquiries and complaints are channeled through the means provided by the COMPANY through:
LEFEBRE AND LONG S.A.S.
Tel. 1 211 1695
Street 79B # 8-31, 2nd floor
Bogotá D.C. / Colombia
Guidelines for consultation and complaints:

CONSULTATIONS
All inquiries carried out by persons entitled to know the personal data they rest in the company will be channeled through the channels that the company has for effect. In any case it is necessary to leave proof of the following:
• Date of receipt of the query
• Identity of the applicant
After verifying the identity of the holder will provide the required personal data. The response to the consultation should be provided to the applicant within a maximum period of ten (10) working days from the date of receipt thereof. When it is not possible to attend the consultation within that period, he shall inform the person concerned, stating the reasons for the delay and indicating the date your inquiry will be addressed, which in no case exceed five (5) working days expiration of the first term.

COMPLAINTS
The claims are intended to correct, update, or delete data or file a complaint alleging a breach of any of the duties contained in the law of 2012 and 1581 in this policy.
The claim must be submitted by writing to the address COMPANY notification containing the following information:
a) Name and identification of the data holder or the person entitled
b) accurate and complete description of the facts giving rise to the claim
c) physical or electronic address to send the response and report on the status of the processing
d) Documents and other relevant evidence that want to assert
If the claim is incomplete, the interested party will be required within five (5) days following receipt of the claim to remedy failures days. After two (2) months from the date of request, without the applicant submits the required information shall be deemed to have waived the claim.
If the claim is complete, will be included in the database or information system is a legend that says “claim pending” and the reason for it, within a period not exceeding two (2) business days. This should be maintained until the claim is decided.
The maximum term to address the claim will be fifteen (15) working days from the day following the date of its receipt. When it is not possible to meet the demand within that period, it shall inform the data subject of the reasons for the delay and the date your claim will be met, which in no case exceed eight (8) working days following the expiry of the first finished.

VIDEO SURVEILLANCE
• The company uses various means of installed video surveillance in different internal and external sites of our facilities or offices.
• The company reports about the existence of these mechanisms by disseminating advertisements visible video surveillance sites.
• The information collected will be used for security of people, property and facilities. This information can be used as evidence in any proceedings before any kind of authority and organization.

DATE OF ENTRY INTO FORCE AND DURATION OF THE DATABASE
This policy was approved after the issuance of the law 1581, 2012 and modified to incorporate some aspects established by the decree 1377 of June 27, 2013 why will come into effect from the first (1st.) August two thirteen thousand (2013).
The validity of the database will be reasonable and necessary to fulfill the purposes of the processing time taking into account the provisions of Article 11 of Decree 1377 of 2013.
In the premises of the company LEFEBRE AND LONG S.A.S. in Lacalle 79B # 8-31, 2nd floor Bogotá D.C.

by MOLA