This "Policy for the Protection and Processing of Personal Data" (hereinafter "the Policy") establishes the guidelines, rules, and commitments adopted by PHARMAYECT S.A. (hereinafter "PHARMAYECT") to ensure the proper processing of personal data, in accordance with Law 1581 of 2012, Decree 1377 of 2013 (compiled in Decree 1074 of 2015), and other applicable regulations in Colombia.
This Policy applies to personal data that PHARMAYECT collects, manages, stores, uses, circulates, transfers, or deletes, whether acting as Data Controller or Data Processor on behalf of a third party, in the context of its operations and activities. This Policy also applies to personal information that, by virtue of the operational model of PHARMAYECT as a subsidiary of PROCAPS S.A., is integrated into a centralized technological infrastructure managed by the latter, through which affiliated companies operate. In this sense, PHARMAYECT's information is processed, stored, and safeguarded within this corporate technological ecosystem, subject to the policies, standards, and controls defined by PROCAPS S.A. regarding information management, information security, cybersecurity, and data governance, without prejudice to compliance with applicable legal provisions and data transmission agreements entered into between the parties.
The purpose of this Policy is to compile the principles, rules, and best practices governing the processing of personal data of the data subjects with whom PHARMAYECT interacts (including, among others, clients, consumers, suppliers, contractors, candidates, employees, shareholders, and other stakeholders), in order to protect their rights, ensure regulatory compliance, and promote demonstrated accountability in all operations and activities.
In the context of its operational and technological model, PROCAPS S.A. may process personal data on behalf of its subsidiary PHARMAYECT, when the latter acts as Data Controller and PROCAPS S.A. acts as Data Processor for the provision of technological, operational, or support services. For these purposes, PHARMAYECT has entered into and may continue to enter into data transmission agreements with PROCAPS S.A. that define the scope of processing, the Controller's instructions, confidentiality and security obligations, the prohibition of use for the Processor's own purposes, incident management, sub-processor controls, remote access conditions, return or deletion of information, and other safeguards required by Colombian regulations.
This Policy incorporates mechanisms to ensure that personal data is:
- Processed lawfully, fairly, and transparently in relation to the data subject.
- Collected for specified, explicit, and legitimate purposes, and not further processed in a manner incompatible with those purposes.
- Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
- Accurate and kept up to date; reasonable measures shall be taken for its rectification or deletion when appropriate.
- Retained only for as long as necessary to fulfill the purposes of the processing and applicable legal or contractual obligations.
- Processed under reasonable and proportionate security controls and measures, and under a demonstrated accountability approach.
This Policy is issued as part of the demonstrated accountability approach of PHARMAYECT, in order to evidence the implementation of controls and personal data protection measures and risk management associated with processing.
PHARMAYECT recognizes that, due to the nature of its operations and its technological infrastructure, some processing activities may involve cross-border access, international transmission, or the involvement of third parties located outside Colombia. In such cases, PHARMAYECT will adopt contractual, technical, and organizational safeguards to ensure standards equivalent to those required by Colombian regulations, especially when the processing involves jurisdictions with different levels of protection.
PHARMAYECT will apply a demonstrated accountability and risk management approach to personal data protection, incorporating privacy by design and by default into its processes and technologies. When a processing activity may pose a high risk to the rights of data subjects —including sensitive data, biometric data, automated decisions, or use of artificial intelligence— PHARMAYECT will conduct prior assessments and, where applicable, impact assessments, documenting technical, organizational, and contractual safeguards. This Policy is complemented by privacy notices and specific informed authorizations provided to the data subject at the time of collection, depending on the applicable channel or process.
This Policy does not constitute a contract; it reflects the commitment of PHARMAYECT to the protection of personal information of data subjects and compliance with the Colombian personal data protection framework. In compliance with Law 1581 of 2012 and its applicable regulations, PHARMAYECT makes available to data subjects this Policy for the Protection and Processing of Personal Data, as well as the channels for the exercise of their rights.
1. OBJECTIVE
To establish the guidelines, criteria, and rules applicable to the collection, consultation, storage, ordering, classification, cataloging, analysis, processing, use, circulation, transfer, transmission, deletion, and other forms of processing carried out by PHARMAYECT, whether as Data Controller and/or Data Processor, in order to guarantee the protection of data subjects' rights, compliance with applicable legal principles and duties, and the proper management of risks associated with the processing of personal data, in accordance with Statutory Law 1581 of 2012, Decree 1074 of 2015, and other regulations that modify, regulate, add to, or replace them. This includes processing carried out through manual processes, automated processes, technological tools, digital platforms, and, where applicable, advanced analytics or artificial intelligence systems.
2. SCOPE
This Policy applies to all personal data processing contained in databases, physical, electronic, or digital files, carried out by PHARMAYECT in the course of its corporate, administrative, labor, commercial, contractual, security, and stakeholder relationship activities, whether it acts as "Data Controller" and/or "Data Processor" on behalf of a third party.
3. MANDATORY NATURE AND ADDRESSEES.
This Policy is mandatory for direct and indirect employees, contractors, consultants, suppliers, legal representatives, executives, interns, partners, Processors, third parties, and, in general, for any person who, by reason of their functions, activities, or relationship with PHARMAYECT, accesses, collects, stores, uses, consults, circulates, deletes, or carries out any processing of personal data on behalf of the company.
Process leaders and Senior Management must promote its effective implementation, ensure the allocation of necessary resources, and adopt the supervision and control measures that correspond within their competencies.
4. IDENTIFICATION OF THE DATA CONTROLLER
The Data Controller of the personal data covered by this Policy is PHARMAYECT S.A., a commercial company identified with Tax ID No. 802.013.031 - 4, with commercial registration No. 298.332 of August 14, 2000, with its principal place of business at Calle 80 NO. 78 B – 201, in the city of Barranquilla (Colombia).
For the purposes of exercising data subjects' rights and handling inquiries, complaints, and requests related to personal data protection and processing, PHARMAYECT will provide the contact channels indicated in this Policy or in the corresponding Privacy Notice.
5. SERVICE CHANNELS
To exercise their rights to know, consult, update, rectify, or delete their personal data, revoke authorization where applicable, or submit petitions, inquiries, or complaints related to the processing of their personal data, data subjects, their successors in interest, or their authorized representatives may contact PHARMAYECT through the following service channels:
| City | Address | Email | Phone |
| --- | --- | --- | --- |
| Barranquilla (Colombia) | Calle 80 NO. 78 B - 201 | habeasdata@procaps.com.co | +57 (605) 3854321 |
Area responsible for handling petitions, inquiries, and complaints: Legal Compliance Area.
- The service channels provided herein may be updated by PHARMAYECT when necessary for operational, administrative, or technological reasons. Such changes shall not constitute a material modification of this Policy and shall be communicated to data subjects through the updating of the information published on the website, privacy notice, or other corporate channels designated for this purpose.
6. APPLICABLE REGULATORY FRAMEWORK.
This Policy is based, among others, on the following provisions:
a. Political Constitution of Colombia, Article 15.
b. Law 1266 of 2008, to the extent applicable.
c. Law 1581 of 2012.
d. Regulatory Decree 1377 of 2013 and Decree 886 of 2014, to the extent applicable and not compiled or developed by Decree 1074 of 2015.
e. Sole Regulatory Decree 1074 of 2015, particularly the provisions applicable to personal data processing.
f. Law 2300 of 2023, regarding channels, schedules, frequency, and contactability rules, where applicable.
g. External Circular 01 of 2024 of the Superintendence of Industry and Commerce.
h. External Circular 02 of 2024 of the Superintendence of Industry and Commerce.
i. External Circular 03 of 2024 of the Superintendence of Industry and Commerce.
j. External Circular 02 of 2025 of the Superintendence of Industry and Commerce.
k. External Circular 03 of 2025 of the Superintendence of Industry and Commerce.
l. All other rules, instructions, guidelines, circulars, and decisions of the competent authority that modify, add to, replace, or are otherwise applicable to the processing and protection of personal data in Colombia.
7. DEFINITIONS
For purposes of interpretation, application, and implementation of this Policy, the following definitions shall apply:
a. AUTHORIZATION: Prior, express, and informed consent of the data subject to carry out the processing of personal data.
b. PRIVACY NOTICE: Verbal or written communication generated by the Data Controller directed to the data subject for the processing of their personal data, informing them about the existence of the applicable data processing policies, how to access them, and the purposes of the processing to be applied to the personal data.
c. DATABASE: Organized set of personal data that is subject to processing.
d. CHANNELS FOR EXERCISING RIGHTS: The means of receiving and handling petitions, inquiries, and complaints that the Data Controller and the Data Processor must make available to data subjects.
e. DATA TRANSMISSION AGREEMENT: An agreement by which PHARMAYECT, acting as Data Processor, is authorized by one of its subsidiaries and/or affiliates to process personal data on their behalf, delimiting the scope of processing, confidentiality obligations, security, restricted use, subcontracting, incidents, and deletion or return of information.
f. ANONYMIZED DATA: Information that has been subjected to a technical process that prevents the identification of the data subject in a reasonable manner, directly or indirectly, irreversibly or with a non-significant risk of re-identification.
g. BIOMETRIC DATA: Sensitive personal data relating to the physical, physiological, or behavioral characteristics of a natural person, which allows or confirms their unique identification, such as fingerprints, facial recognition, iris, voice, hand geometry, or similar data.
h. PERSONAL DATA: Any piece of information linked to one or more identified or identifiable natural persons, or that may be associated with a natural person.
i. PUBLIC DATA: Data that is not semi-private, private, or sensitive. Public data includes, among others, data relating to a person's civil status, profession or trade, and status as a merchant or public servant. By their nature, public data may be contained in, among others, public records, public documents, official gazettes and bulletins, and duly final judicial decisions not subject to confidentiality.
j. SENSITIVE DATA: Sensitive data refers to data that affects the privacy of the data subject or whose improper use may generate discrimination, such as data that reveals racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in trade unions, social organizations, human rights organizations, or organizations that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data relating to health, sexual life, and biometric data.
k. AUTOMATED DECISION: A decision made wholly or partly by automated means, without or with minimal significant human intervention, which may produce legal effects or significantly impact a data subject.
l. DATA PROCESSOR: A natural or legal person, public or private, that by itself or in association with others, processes personal data on behalf of the Data Controller.
m. PERSONAL DATA PROTECTION IMPACT ASSESSMENT: A prior analysis tool through which PHARMAYECT identifies, evaluates, and documents the risks that a personal data processing activity may generate for the rights and freedoms of data subjects, as well as the measures envisaged to prevent, mitigate, or control them.
n. HABEAS DATA: The right of any person to know, update, and rectify information that has been collected about them in the databases and files of public and private entities.
o. INFORMATION SECURITY INCIDENT: A real or potential event that compromises or may compromise the confidentiality, integrity, availability, authenticity, or security of personal data processed by PHARMAYECT, including unauthorized access, loss, leakage, alteration, destruction, improper disclosure, or unauthorized use of information.
p. PUBLICLY ACCESSIBLE INFORMATION: Information available in environments or sources accessible to an indeterminate number of persons, which does not imply, in itself, that it is public data, nor does it automatically enable its processing without sufficient legal basis.
q. POLICY FOR THE PROTECTION AND PROCESSING OF PERSONAL DATA: The formal document approved by PHARMAYECT that reflects the conditions applicable to any processing operation regarding Personal Data.
r. PRIVACY BY DESIGN AND BY DEFAULT: An approach under which PHARMAYECT incorporates personal data protection measures from the planning, design, acquisition, development, implementation, and operation of processes, products, services, technologies, and information systems, ensuring that, by default, only the personal data necessary for each legitimate purpose is processed.
s. DATA CONTROLLER: A natural or legal person, public or private, that by itself or in association with others, decides on the database and/or processing of the data.
t. PSEUDONYMIZATION: The processing of personal data in such a manner that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures designed to ensure that the data are not attributed to an identified or identifiable natural person.
u. ARTIFICIAL INTELLIGENCE SYSTEM: A machine-based system that, for explicit or implicit objectives, can infer from the information it receives how to generate outputs such as predictions, content, recommendations, classifications, or decisions that influence physical or virtual environments.
v. DATA SUBJECT: The natural person whose personal data is subject to processing.
w. PROCESSING: Any operation or set of operations performed on personal data, such as collection, storage, use, circulation, or deletion.
x. TRANSFER: Data transfer takes place when the Data Controller and/or Data Processor of personal data, located in Colombia, sends the information or personal data to a recipient who is also a Data Controller and is located inside or outside the country.
y. TECHNOLOGY TRANSFER: Any transaction or legal act by which PHARMAYECT acquires, licenses, implements, assigns, integrates, develops, receives, or makes available technologies, platforms, applications, tools, infrastructures, or solutions that involve or may involve personal data processing.
z. TRANSMISSION: Personal data processing that involves the communication of data within or outside the territory of the Republic of Colombia for the purpose of processing by the Data Processor on behalf of the Data Controller.
8. PRINCIPLES
In the development, interpretation, and application of Law 1581 of 2012, which sets forth general provisions for the protection of personal data, and the regulations that complement, modify, or add to it, the following guiding principles shall be applied in a harmonious and comprehensive manner:
a. PRINCIPLE OF LEGALITY: The Processing of data is a regulated activity that must comply with the provisions of the law and other regulations that develop it.
b. PRINCIPLE OF PURPOSE: Processing must be based on a legitimate purpose in accordance with the Constitution and the Law, which must be communicated to the data subject. Regarding the collection of personal data, PHARMAYECT will limit itself to data that is relevant, adequate, and necessary for the purpose for which it was collected or required, in accordance with applicable regulations and its internal procedures.
c. PRINCIPLE OF FREEDOM: Processing may only be carried out with the prior, express, and informed consent of the data subject. Personal data may only be obtained or disclosed with prior authorization, or in the existence of a legal or judicial mandate that waives the requirement for consent.
d. PRINCIPLE OF ACCURACY OR QUALITY: Information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and comprehensible. The processing of partial, incomplete, fragmented data, or data that could induce error, is prohibited.
e. PRINCIPLE OF TRANSPARENCY: Processing must guarantee the right of the data subject to obtain, at any time and without restrictions, information from the Data Controller or the Data Processor about the existence of data concerning them.
f. PRINCIPLE OF RESTRICTED ACCESS AND CIRCULATION: Processing is subject to the limits derived from the nature of personal data, the provisions of the law, and the Constitution. In this sense, processing may only be carried out by persons authorized by the data subject and/or by persons provided for by law. Personal data, except public information, may not be available on the internet or other mass dissemination or communication media, unless access is technically controllable to provide restricted knowledge only to data subjects or authorized third parties in accordance with the law.
g. PRINCIPLE OF SECURITY: Information subject to processing by PHARMAYECT must be handled with reasonable and proportionate technical, human, administrative, and organizational measures to provide security for the records and prevent their alteration, loss, unauthorized or fraudulent consultation, use, access, or disclosure.
h. PRINCIPLE OF CONFIDENTIALITY: PHARMAYECT is obligated to guarantee the confidentiality of information, even after the conclusion of its relationship with any of the activities comprising the processing, and may only supply or communicate personal data when it corresponds to the development of activities authorized by law.
Without prejudice to the guiding principles set forth in Law 1581 of 2012, PHARMAYECT will adopt the following complementary corporate criteria for the interpretation and application of this Policy:
I. DEMONSTRATED ACCOUNTABILITY: PHARMAYECT will adopt useful, timely, efficient, verifiable, and documented measures to demonstrate compliance with the personal data protection framework, including the implementation of internal controls, assignment of responsibilities, preservation of evidence, incident management, training, and periodic monitoring.
II. NECESSITY, PROPORTIONALITY, AND MINIMIZATION: PHARMAYECT will ensure that personal data processing is limited to what is strictly relevant, adequate, and necessary for the legitimate purpose communicated to the data subject, avoiding excessive collection, use, or retention of information.
III. PRIVACY BY DESIGN AND BY DEFAULT: PHARMAYECT will incorporate personal data protection measures from the planning, design, acquisition, development, implementation, and operation of processes, products, services, contracts, technological tools, and information systems, ensuring that, by default, only the personal data necessary for each purpose is processed.
IV. COMPREHENSIVE RISK MANAGEMENT: PHARMAYECT will identify, evaluate, document, and manage the risks associated with the processing of personal data, especially when it involves emerging technologies, mass processing, sensitive data, biometric data, automated decisions, international transfers, or third parties acting on behalf of the company.
9. RIGHTS OF THE DATA SUBJECT.
The data subject of personal data shall have the following rights:
a. To know, update, and rectify their personal data with respect to PHARMAYECT, in its capacity as Data Controller and/or Data Processor. This right may be exercised, among others, with respect to partial, inaccurate, incomplete, fragmented data, data that could induce error, or data whose processing is expressly prohibited or has not been authorized.
b. To request proof of the authorization granted to PHARMAYECT, except when expressly excluded as a requirement for processing, in accordance with the law.
c. To be informed by PHARMAYECT, upon request, of the use given to their personal data.
d. To file complaints with the Superintendence of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and other regulations that modify, add to, or complement it, once the inquiry or complaint procedure before PHARMAYECT has been exhausted, where applicable.
e. To revoke authorization and/or request the deletion of data when the processing does not respect the constitutional and legal principles, rights, and guarantees.
f. To access their personal data that has been subject to processing free of charge.
10. RIGHTS OF CHILDREN AND ADOLESCENTS.
PHARMAYECT will ensure at all times the respect for the prevailing rights of children and adolescents. As a general rule, the processing of their personal data is prohibited, except for data of a public nature or those cases where such processing is exceptionally permitted in accordance with the law.
In cases where PHARMAYECT must process personal data of children and adolescents, such processing shall only be carried out when:
a. it responds to and respects the best interests of the child or adolescent;
b. it ensures respect for their fundamental rights;
c. it is strictly necessary and proportionate to the purpose pursued;
d. it has the prior and express authorization of the minor's legal representative; and
e. the right of the child or adolescent to be heard has been guaranteed, valuing their opinion according to their maturity, autonomy, and capacity to understand the matter, to the extent possible.
PHARMAYECT will ensure the proper use of personal data of children and adolescents and will apply, in all cases, the principles and obligations set forth in the applicable personal data protection regulations.
11. DUTIES OF PHARMAYECT.
a. To use the information contained in databases only for the purpose for which it is authorized.
b. To guarantee the data subject, at all times, the full and effective exercise of the Habeas Data right.
c. When collecting personal data, it must be limited to data that is relevant and adequate for the purpose for which it is required in accordance with established law. For this purpose, deceptive or fraudulent means shall not be used.
d. To store information under the necessary security conditions to prevent its alteration, loss, unauthorized or fraudulent consultation, use, or access.
e. To promptly update, rectify, or delete data within the terms indicated in this Policy under the Procedures-Complaints section.
f. To enable electronic communication channels or other means it deems appropriate to timely handle inquiries and complaints submitted by data subjects.
g. The requested information must be provided free of charge and by any means, as required by the data subject. The information must be easy to read, without technical barriers that prevent access, and must strictly correspond to that contained in the database.
h. In the event that the certification of authorized information is requested in person and/or it needs to be sent by certified mail, the company PHARMAYECT may require the requester to pay the corresponding expenses, without at any time charging more than what is actually invoiced; in the event it is required, the company PHARMAYECT must demonstrate to the Superintendence of Industry and Commerce the support for said expenses.
i. To adopt the other necessary measures to keep the information provided to it up to date.
j. To rectify the information when it is incorrect.
k. To comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
l. To refrain from circulating information that is being disputed by the data subject and whose blocking has been ordered by the Superintendence of Industry and Commerce.
m. To permit access to information only to persons who may have access to it.
n. To inform the Superintendence of Industry and Commerce when security code violations occur and there are risks in the administration of data subjects' information.
o. To establish the necessary mechanisms to obtain authorization from data subjects for the processing of their data, which may be granted through physical, electronic documents, or in any other format that allows for subsequent consultation.
p. It is the obligation of PHARMAYECT to preserve proof of authorization and deliver a copy to the data subject if required.
q. To establish simple and free mechanisms that allow the data subject to request the report, modification, deletion, or update of data, which may be the same mechanisms used for granting consent, without prejudice to the expenses that may arise from the issuance and sending thereof.
r. Information subject to processing must be protected through the use of necessary technical, human, and administrative measures to provide security for the records, preventing their alteration, loss, unauthorized or fraudulent consultation, use, or access. For this purpose, PHARMAYECT will maintain mandatory security protocols for personnel with access to personal data and information systems.
s. Personnel of PHARMAYECT involved in the processing of personal data are obligated to guarantee the confidentiality of information, even after the conclusion of their relationship with any of the activities comprising processing, in accordance with the employment contract and/or other provisions applicable to the relationship between the employee and the company.
t. To designate a "Personal Data Officer" who assumes the function of personal data protection and who will also ensure that, through the service channels, data subjects' requests are processed.
u. In principle, the processing of personal data of children and adolescents is prohibited by law, except for data of a public nature and/or when such processing complies with the parameters and requirements established in this Policy.
v. The company PHARMAYECT will use personal data in accordance with the authorization given by the data subject and will only transmit or transfer it to partners, affiliates or subsidiaries, and third parties who may use the information to carry out their work on behalf of PHARMAYECT and/or in compliance with authority requirements, adhering to the laws applicable to the subject matter and respecting current Service Agreements with third parties.
w. Personal data may only be collected, stored, used, or circulated for the time that is reasonable and necessary, in accordance with the purposes that justified its processing, taking into account legal provisions and administrative, accounting, fiscal, legal, and historical aspects of the information. Once the purpose of the processing has been fulfilled, and without prejudice to legal regulations that provide otherwise, PHARMAYECT must delete personal data. However, personal data must be retained when required to comply with a legal or contractual obligation.
x. To certify the existence of the "Policy for the Protection and Processing of Personal Data" and how to access it, which shall be published on the company's website, social media, and at the main headquarters.
y. For the collection, use, and processing of personal data, PHARMAYECT must comply with the following parameters: (i) The processing of collected personal data must be based on a legitimate purpose which must be communicated to the data subject; (ii) The processing of personal data may only be carried out with the prior, express, and informed consent of the data subject; (iii) Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate waiving consent; (iv) Information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and comprehensible; (v) The processing of partial, incomplete, fragmented data, or data that could induce error is prohibited; (vi) The data subject's right to obtain at any time and without restrictions information about the existence of data concerning them must be guaranteed.
z. In the event of a material modification to this "Policy for the Protection and Processing of Personal Data," the company PHARMAYECT must request authorization from the data subject again for the processing of their data.
aa. To identify, evaluate, manage, and monitor the risks associated with personal data processing, especially when they involve sensitive data, biometric data, minors, video surveillance, artificial intelligence, automated decisions, international transfers, or third parties.
bb. To incorporate privacy-by-design and by-default criteria into processes, products, services, technologies, information systems, and relationships with third parties that involve personal data processing.
cc. To conduct personal data protection impact assessments when processing may generate high risks to the rights of data subjects, especially in cases involving new technologies, artificial intelligence, mass processing, biometric data, automated decisions, or sensitive data.
dd. To maintain verifiable evidence of compliance with personal data protection regulations and the measures adopted for its implementation.
ee. When PHARMAYECT uses artificial intelligence, advanced analytics, profiling, or automated processes involving personal data processing, it must ensure that its use is legitimate, necessary, proportionate, verifiable, and supervised, and adopt measures to prevent biases, errors, discrimination, and disproportionate impacts on data subjects.
ff. To guarantee mechanisms of supervision and human review when personal data processing serves as the basis for automated or semi-automated decisions with legal effects or significant impacts on data subjects.
gg. To refrain from processing personal data obtained from the internet, social networks, or open sources solely because they are publicly accessible, without first verifying the existence of a sufficient legal basis.
hh. To verify that third parties who access personal data on behalf of PHARMAYECT offer sufficient guarantees of confidentiality, security, and regulatory compliance, and to execute the corresponding contractual instruments.
ii. To conduct prior due diligence in the acquisition, implementation, or update of technologies involving personal data processing, in order to identify their privacy and security impacts and risks.
jj. To implement internal procedures for the identification, reporting, containment, analysis, mitigation, documentation, remediation, and closure of security incidents that compromise personal data, as well as adopting corrective and preventive measures aimed at preventing their recurrence.
kk. To implement periodic training, awareness, and update programs directed at personnel involved in the processing of personal data, according to the level of access, the criticality of the process, and the risks associated with their functions.
ll. To respect, where applicable, the channels authorized by data subjects for the sending of commercial or advertising communications, to attend to exclusion, opposition, or revocation requests, and to consult current legal exclusion mechanisms before conducting commercial prospecting activities.
mm. To define and implement internal criteria, deadlines, or tables for the retention, blocking, anonymization, archiving, and secure elimination of personal data, taking into account the purpose of the processing, the nature of the data, legal or contractual obligations, and the risks of excessive retention.
nn. To periodically review and update this Policy, as well as internal personal data protection procedures, when there are regulatory, operational, technological, contractual, or risk changes that make it necessary.
12. AUTHORIZATION POLICY
Without prejudice to the exceptions set forth by law, the processing of personal data by PHARMAYECT requires the prior, express, and informed authorization of the Data Subject, which must be obtained through any means that can be subsequently consulted. Authorization may be expressed in writing, orally, or through unambiguous conduct of the data subject that reasonably leads to the conclusion that it was granted. In no case shall silence be understood as authorization.
When requesting authorization, PHARMAYECT must clearly and expressly inform:
a. The name and identification of the person being requested to grant authorization.
b. The identification and contact channels of PHARMAYECT as Data Controller.
c. Identification of the data being collected, where applicable.
d. The specific purposes for which authorization is requested.
e. The service channels and procedure for exercising their rights of inquiry, update, rectification, deletion, and revocation.
f. The rights of the data subject.
g. The optional nature of responses to questions or requests concerning sensitive data or data of children and adolescents, where applicable.
When authorization includes multiple purposes, PHARMAYECT will endeavor to differentiate them clearly, distinguishing necessary from accessory or optional ones. The data subject's refusal regarding the latter will not affect the main relationship, unless they involve strictly essential data or purposes.
PHARMAYECT may use privacy notices, short formats, forms, messages, electronic interfaces, or any other suitable mechanism to inform the data subject about the processing of their personal data and how to access this Policy, without prejudice to the obligation to obtain authorization when legally required.
When PHARMAYECT uses a privacy notice, it shall serve to inform the data subject about the existence of this Policy, how to access it, the purposes of the processing, the rights that apply to them, and the mechanisms available to be informed of material changes thereto. The disclosure of the privacy notice does not exempt PHARMAYECT from making this Policy known to the data subject.
In case of material changes to the identification of PHARMAYECT or to the purposes of processing that may affect the content of the authorization, PHARMAYECT will timely inform the data subject of such changes before implementing them. When the material change affects the purpose of the processing, PHARMAYECT will request a new authorization.
Paragraph. When, for technical, operational, space, format, character count, or channel-nature reasons, it is not possible to incorporate all the information indicated herein into the authorization, PHARMAYECT may supplement it by expressly referring to this Policy for the Protection and Processing of Personal Data and/or the corresponding Privacy Notice, which shall be deemed incorporated in a complementary manner for all purposes, provided that the data subject is clearly, simply, and permanently informed of how to access or consult them.
13. PRIVACY NOTICE.
When it is not possible to make this Policy for the Protection and Processing of Personal Data available to the data subject at the time of information collection, PHARMAYECT will inform them through a Privacy Notice of the existence of this Policy, how to access it, the purposes of the processing, and other relevant information about the processing of personal data, no later than at the time of collection.
PHARMAYECT may use general or specific privacy notices, depending on the channel, medium, process, activity, service, form, application, microsite, event, program, or point of contact through which personal data is collected. These notices may supplement this Policy and develop in greater detail aspects related to the scope of processing, the categories of data collected, specific purposes, the use of technologies such as cookies, recipients of information, retention conditions, channels for exercising rights, and other particular conditions applicable in each case.
The Privacy Notice shall contain, at a minimum:
a. The identification and contact information of PHARMAYECT.
b. The processing to which personal data will be subjected and its purpose.
c. The rights of the data subject.
d. The mechanisms available to the data subject to learn about this Policy and any material changes to it or to the corresponding Privacy Notice.
The Privacy Notice may be disseminated through physical or electronic documents, forms, data messages, web pages, applications, microsites, banners, printed notices, bulletin boards, telephone recordings, or any other suitable mechanism that guarantees the duty to inform the data subject.
The current Privacy Notice may be consulted by data subjects in the privacy section available on the following website: www.sofgenpharma.com
Paragraph. The Privacy Notice may be modified, updated, or replaced by PHARMAYECT when necessary. Material changes thereto will be communicated to data subjects through the same means or mechanisms used for its dissemination, or through any other suitable medium that allows for their knowledge and consultation.
14. CASES IN WHICH DATA SUBJECT AUTHORIZATION IS NOT REQUIRED.
The data subject's authorization will not be required in the following cases:
a. Information required by a public or administrative entity in the exercise of its legal functions or by court order.
b. Data of a public nature.
c. Cases of medical or sanitary emergency.
d. Processing of information authorized by law for historical, statistical, or scientific purposes.
e. Data related to the Civil Registry of persons.
First Paragraph. When PHARMAYECT processes personal data under one of the legal exceptions that does not require data subject authorization, it will keep an internal record of the applicable grounds, the purpose of the processing, the source of the information, and, where applicable, the legal, administrative, contractual, health-related, or judicial basis justifying it.
Second Paragraph. Where applicable, PHARMAYECT may obtain data subject authorization through unambiguous conduct that reasonably leads to the conclusion that the data subject authorized the processing of their personal data, provided that they have been previously clearly informed of the existence of the processing, its purpose, and how to access the Policy for the Protection and Processing of Personal Data or the corresponding Privacy Notice. In telephone channels, the voluntary continuation of the call after the warning about data processing may constitute unambiguous conduct, when there is sufficient prior information. In video surveillance systems, voluntary entry or presence in duly signposted areas may constitute unambiguous conduct for the capture of images for security, access control, or protection of goods and facilities purposes.
15. LEGITIMACY TO EXERCISE THE DATA SUBJECT'S RIGHTS
The data subject's rights established by law may be exercised by the following persons:
a. By the data subject, who must sufficiently prove their identity through the various means made available by PHARMAYECT.
b. By the successors in interest of the data subject, who must prove such status.
c. By the representative and/or attorney-in-fact of the data subject, upon proof of representation or power of attorney.
d. Through a stipulation for the benefit of another or in favor of another.
The rights of children and adolescents shall be exercised by those authorized to represent them.
Paragraph. Before handling a petition, inquiry, or complaint, PHARMAYECT may verify the identity of the requester and require proof of the capacity in which they act, including, where appropriate, documents demonstrating their status as successor in interest, legal representative, or attorney-in-fact. The information requested for these purposes must be relevant and limited to what is strictly necessary to validate legitimacy.
16. PROCESSING TO WHICH DATA WILL BE SUBJECTED AND ITS PURPOSE.
The processing of personal data of the data subjects with whom PHARMAYECT interacts in the course of its corporate purpose, including clients, suppliers, consumers, distributors, contractors, candidates, employees, shareholders, and other stakeholders, shall be carried out in accordance with the applicable legal framework and according to the following general purposes, without prejudice to the specific purposes that are communicated to the data subject at the time of collection of their personal data:
a. To internally manage the commercial, contractual, operational, and administrative relationship with clients, distributors, suppliers, and other stakeholders of the various business segments of PHARMAYECT.
b. To send communications, correspondence, text messages, instant messaging messages, emails, or make telephone contact with clients, distributors, and consumers, through the channels authorized and permitted by law, in connection with commercial, advertising, marketing, promotional, sales, and other related activities.
c. To conduct personnel selection processes, manage contractual and labor relationships, ensure compliance with obligations derived from them, and provide benefits to employees, directly or through third parties.
d. To conduct potential analysis, segmentation, and profiling for commercial purposes regarding suppliers, distributors, and/or clients, where applicable and in accordance with the authorizations granted and applicable regulations.
e. To manage procedures, requests, petitions, complaints, and claims; conduct risk analyses; and carry out satisfaction surveys regarding PHARMAYECT's products and services.
f. To manage, analyze, and investigate events, incidents, quality complaints, and other developments related to pharmaceutical products and/or products marketed by PHARMAYECT, including pharmacovigilance activities, where applicable.
g. To follow up with persons who consume and/or acquire products marketed by PHARMAYECT, for the purposes of service, support, quality, product safety, request management, and other related activities.
h. To develop corporate social responsibility activities aimed at the various stakeholder groups of PHARMAYECT.
i. To manage the security of persons, goods, facilities, and information assets in the custody of PHARMAYECT.
j. To organize, structure, store, safeguard, and manage databases for the development of the purposes described in this Policy.
k. To comply with legal, regulatory, contractual, administrative, and judicial obligations, as well as to attend to requirements from competent authorities.
In particular, and depending on the stakeholder group concerned, PHARMAYECT may process personal data for the following specific purposes:
a. Purposes with respect to clients or users of products or services:
- To carry out the relevant actions for the pre-contractual, contractual, and post-contractual stage with PHARMAYECT, regarding any of the products or services offered by the company, whether or not acquired by the Data Subject, or regarding any underlying business relationship with PHARMAYECT.
- To register the Data Subject in the systems, lists, records, files, or indexes, physical or electronic, managed by PHARMAYECT, for the purposes of executing the legal commercial relationship established with the company.
- To carry out electronic invoicing procedures for products or services acquired by the Data Subject.
- To maintain operational support, incident tracking, and compliance with contractual and legal obligations.
- To comply with legal, regulatory, and contractual obligations of PHARMAYECT.
- To send messages, notifications, or alerts through channels authorized and permitted by law, to transmit and disseminate legal, security, contractual, corporate, educational, commercial, advertising, promotional, marketing, sweepstakes, event, or other benefit information.
- To send electronic messages, make telephone contact, or communicate through channels authorized and permitted by law, to confirm, update, or validate the Data Subject's personal data when necessary for the execution of the legal relationship established with PHARMAYECT.
- To contact the Data Subject via email, instant messaging, text messages, formal communications, or telephone calls, for the sending of contractual, informative, account statement, or invoice documents related to obligations derived from contracts with PHARMAYECT.
- To provide information to third parties contractually linked to PHARMAYECT, when necessary for the execution of the contracted purpose, the provision of associated services, or compliance with legal or contractual obligations.
- To carry out archiving and document management activities, in accordance with applicable legal provisions.
- To carry out administrative and analytical activities, such as the management of accounting, billing, auditing, marketing information systems, and, where applicable, check processing and verification.
- To share information with commercial partners for the offering of products and services, complying with the authorizations required by law and this Policy.
- To communicate PHARMAYECT product news and invite the Data Subject to events or programs organized by the company.
- To handle petitions, complaints, claims, requests, returns, warranties, and other procedures related to the products or services offered by PHARMAYECT.
- To consult, verify, and confirm the Data Subject's credit and commercial information with Credit and/or Information Bureaus, or before any other public or private, national, foreign, or multilateral entity that manages or handles databases or credit, financial, commercial, or service information, for the purposes of evaluating and, where applicable, granting financing for goods or products acquired with PHARMAYECT, provided that the corresponding authorization is available.
- To make reports to credit and information bureaus, complying with the conditions and procedures established in current regulations, especially Law 1266 of 2008 and its concordant regulations.
- To manage and mitigate the risks of Money Laundering, Terrorism Financing, corruption, and, where applicable, the financing of the proliferation of weapons of mass destruction, through counterparty and beneficial owner knowledge and verification procedures, due diligence, list screening, alert identification, monitoring, adoption of control measures, and handling of requirements from competent authorities.
- To manage reports, alerts, quality complaints, product safety events, and pharmacovigilance or technovigilance activities, where applicable.
b. Purposes with respect to Job Candidates:
- To process employment applications received by PHARMAYECT from candidates and resolve them within the stipulated time, according to the selection process or the call for applications.
- To contact the Data Subject via email, instant messaging, text messages, formal communications, telephone calls, and other channels authorized and permitted by law, in relation to the selection process or the call for applications.
- To verify and validate the information provided by the candidate, including, where applicable, their curriculum vitae, academic background, work experience, references, and other supporting documents related to the selection process.
- To schedule, conduct, and evaluate interviews, tests, assessments, or other selection mechanisms defined by PHARMAYECT.
- To evaluate the candidate's aptitude and suitability for the position they are applying for and, where applicable, to comply with preventive and occupational medicine requirements in accordance with current regulations.
- To carry out archiving and document management activities of PHARMAYECT, in accordance with applicable legal provisions.
- To retain the candidate's information for future selection processes, when this has been communicated to the data subject and is permissible in accordance with the law.
- To manage and mitigate the risks of Money Laundering, Terrorism Financing, corruption, and other applicable compliance risks, through knowledge, validation, and verification procedures defined by PHARMAYECT.
- To share the candidate's information with affiliates, subsidiaries, or associated companies with which PHARMAYECT maintains corporate or collaborative ties, when there is a vacancy or selection process in which their profile may be considered, provided that this has been communicated to the data subject and applicable regulations are complied with.
- To conduct validations related to ethics, transparency, fraud prevention, conflicts of interest, and other integrity verifications that are applicable within the selection process.
c. Purposes with respect to Employees:
- To manage compliance with the terms established in the labor relationship, including affiliation and contributions to the social security system, execution of the employment contract, management of changes, and generation and processing of payroll and employment benefit payments.
- To comply with applicable regulations regarding labor, social security, pensions, occupational risks, family compensation funds, taxes, and other legal obligations of PHARMAYECT.
- To comply with instructions, requirements, and orders issued by competent judicial, administrative, or supervisory authorities.
- To implement and execute policies, procedures, and labor, organizational, administrative, and operational strategies of PHARMAYECT.
- To include the Data Subject in training, evaluation, development, well-being, occupational health and safety, organizational culture, and other employee-directed programs and activities of PHARMAYECT.
- To conduct preventive and occupational medicine activities, occupational health, and worker health surveillance, in conjunction with the occupational risk administrator, occupational health service providers, and other authorized third parties, in accordance with applicable regulations.
- To contact the Data Subject to impart instructions, coordinate activities, send communications, and manage matters related to the functions, responsibilities, and obligations arising from the labor relationship.
- To carry out archiving, custody, and document management of labor information, in accordance with applicable legal provisions.
- To create identification cards, credentials, and/or mechanisms for the Data Subject, including, when necessary, proportionate, and legally permissible, the processing of biometric data for identification and security purposes, which will be managed as sensitive data with the measures and authorizations required by law.
- To establish and maintain access controls to the facilities, restricted areas, and physical or technological resources of PHARMAYECT, including, when necessary, proportionate, and legally permissible, the use of biometric data for authentication, security, and access control purposes, subject to applicable regulations on sensitive data.
- To contact the Data Subject via email, instant messaging, text messages, formal communications, telephone calls, and other channels authorized and permitted by law, for the sending of contractual, labor, administrative, informative, or support documents related to the labor relationship.
- To share information with commercial partners for the offering of products and services, complying with the authorizations required by law and this Policy.
- To communicate PHARMAYECT product news and invite the Data Subject to events, programs, or activities organized by the company.
- To carry out administrative and analytical activities, such as the management of accounting, billing, auditing information systems, and, where applicable, check processing and verification.
- To publish the face and personal image of the Data Subject in management reports, internal communications, bulletin boards, and corporate materials of PHARMAYECT, to document the organizational structure or training, development, well-being, occupational health and safety activities, and other institutional activities, in accordance with applicable authorizations.
- For former employees, PHARMAYECT may retain, even after the termination of the employment contract, the information necessary to comply with legal or contractual obligations derived from the labor relationship, attend to requirements from competent authorities, and issue employment certifications requested by the former employee or by third parties authorized by them.
- To conduct validations related to ethics, transparency, fraud prevention, conflicts of interest, and other integrity verifications applicable in the context of the labor relationship.
- To manage and mitigate the risks of Money Laundering, Terrorism Financing, Corruption, and other applicable compliance risks, through knowledge, verification, due diligence, and validation procedures defined by PHARMAYECT.
- To manage the Data Subject's access to platforms, information systems, technological tools, corporate accounts, devices, credentials, and other physical or digital resources necessary for carrying out their functions.
- To evaluate performance, monitor the fulfillment of objectives, competencies, and responsibilities of the Data Subject, as well as to support training, development, promotion, internal mobility, and succession processes.
- To conduct actions, verifications, and internal investigations related to compliance with labor obligations, internal regulations, corporate policies, confidentiality duties, proper use of resources, business ethics, and other applicable provisions.
- To manage the security of the Data Subject, business continuity, emergency response, activation of contingency protocols, and protection of persons, goods, facilities, and information assets of PHARMAYECT.
- To manage the Data Subject's emergency contact information and use it when necessary to respond to incidents, emergencies, health situations, or contingencies related to their employment.
- To manage occupational health and safety activities, including reports, investigations of incidents or accidents, occupational evaluations, monitoring of restrictions or occupational recommendations, and compliance with preventive programs, in accordance with applicable regulations.
- To manage travel, per diems, reservations, accesses, authorizations, and other logistical aspects associated with the performance of the Data Subject's functions.
- To manage extra-legal benefits, agreements, subsidies, well-being programs, insurance, and other initiatives offered by PHARMAYECT or by third parties in favor of the Data Subject, in accordance with applicable authorizations.
- To use the Data Subject's information for handling requirements, complaints, audits, administrative, judicial, or extrajudicial proceedings, as well as for the defense of the rights and interests of PHARMAYECT.
- To retain and use former employees' information to comply with legal or contractual obligations, issue certifications, manage authorized employment references, attend to requirements from authorities, and defend PHARMAYECT's interests.
d. Purposes with respect to Suppliers or Contractors:
- To register the Data Subject in the systems, lists, records, files, or indexes, physical or electronic, managed by PHARMAYECT, for the purposes of providing contracted services.
- To carry out electronic invoicing procedures for contracted services.
- To maintain operational support, incident tracking, and compliance with contractual and legal obligations.
- To comply with the legal, contractual, regulatory, and administrative obligations of PHARMAYECT.
- To send electronic messages, make telephone contact, or communicate through channels authorized and permitted by law, to confirm or validate the Data Subject's personal data necessary for the execution of the legal relationship established with PHARMAYECT.
- To contact the Data Subject via email, instant messaging, text messages, formal communications, or telephone calls, for the sending of contractual, informative, account statement, or invoice documents related to obligations derived from contracts with PHARMAYECT.
- To grant access to portals or supplier and/or contractor interaction platforms to carry out internal PHARMAYECT processes associated with the contractual relationship.
- To provide information to third parties contractually linked to PHARMAYECT, when necessary for the execution of the contracted purpose, the provision of the service, the associated operational management, or compliance with legal or contractual obligations.
- To carry out archiving and document management activities of PHARMAYECT, in accordance with applicable legal provisions.
- To validate, verify, and consult the Data Subject's economic, commercial, and transactional information for the purpose of establishing, executing, and maintaining the legal relationship with PHARMAYECT.
- To carry out administrative and analytical activities, such as administration of accounting, billing, auditing, marketing information systems, and, where applicable, check processing and verification.
- To share information with commercial partners for the offering of products and services, complying with all authorizations required by law and this Policy.
- To communicate PHARMAYECT product news and invite the Data Subject to events or programs organized by the company.
- To consult, verify, and confirm the Data Subject's credit and commercial information with credit or information bureaus, or before public or private, national or foreign entities that manage credit, financial, commercial, or service databases, when applicable to the relationship with PHARMAYECT.
- To make reports to credit and information bureaus, complying with all the conditions and procedures established in current regulations, especially Law 1266 of 2008 and concordant regulations.
- To conduct validations related to ethics, transparency, fraud prevention, conflicts of interest, and other integrity verifications applicable to the engagement, execution, and monitoring of the contractual relationship.
- To manage and mitigate the risks of Money Laundering, Terrorism Financing, corruption, and other applicable compliance risks, through knowledge, verification, due diligence, and list screening procedures defined by PHARMAYECT.
- To manage physical and logical access to facilities, restricted areas, systems, or information assets of PHARMAYECT necessary for the execution of the contract, including security controls, credentials, entry logs, and traceability measures.
- To attend to audits, reviews, controls, and supplier or contractor performance evaluations, as well as improvement plans, where necessary to ensure quality, continuity, and compliance with the service.
- To manage occupational health and safety (OHS) obligations applicable to contract execution, when the supplier/contractor provides services on PHARMAYECT premises or under conditions requiring it.
e. Purposes with respect to Shareholders of PHARMAYECT:
- To fulfill obligations and rights arising from their status as shareholders of PHARMAYECT.
- To send electronic, physical, and/or telephone communications to their contact details to inform, cite, or convene them to meetings of the corporate bodies of PHARMAYECT, and/or to send them documents and reports to be considered at such meetings.
- To send communications and information necessary for the exercise of their rights as shareholders, and/or for the fulfillment of PHARMAYECT's obligations to its shareholders.
- To carry out comprehensive management activities of the shareholder registry book, including updates, certifications, annotations, and corresponding controls.
- To contact the Data Subject via email, instant messaging, text messages, formal communications, telephone calls, and other channels authorized and permitted by law, for the sending of documents, informative communications, account statements, or documentation related to their status as a shareholder of PHARMAYECT.
- To carry out archiving and document management activities, in accordance with applicable legal provisions.
- To handle procedures, requests, complaints, and claims submitted by shareholders and provide responses through the designated channels.
- To communicate PHARMAYECT product news and invite the Data Subject to events or programs organized by PHARMAYECT, where applicable and in accordance with applicable authorizations.
- To provide access to information to judicial or administrative authorities that request it in the exercise of their legal functions.
- To manage and mitigate the risks of Money Laundering, Terrorism Financing, corruption, and other applicable compliance risks, through knowledge, verification, due diligence, list screening, and validations defined by PHARMAYECT.
- To conduct validations related to ethics, transparency, fraud prevention, conflicts of interest, and other integrity verifications applicable to the issuer-shareholder relationship and compliance with corporate obligations.
- To comply with the activities and purposes necessary for the issuer-shareholder relationship, in accordance with applicable regulations and the bylaws and decisions of the corporate bodies of PHARMAYECT.
f. Processing of Sensitive Personal Data Obtained Through Video Surveillance.
PHARMAYECT uses video surveillance systems installed in different internal and external areas of its facilities or offices. For this reason, it informs the general public about the existence of these mechanisms through visible and sufficient notices, indicating the existence of the system, contact channels, and how to access the Policy governing the processing of the information captured.
The information collected through these systems is used to: (i) protect the security of persons, goods, facilities, and information assets; (ii) control, verify, and support access control to headquarters, offices, and establishments; (iii) prevent, detect, and investigate security incidents and attend to requirements from competent authorities; and (iv) serve as evidentiary support in internal or external proceedings, when necessary and appropriate.
Images and/or video recordings shall have restricted access and may only be consulted by authorized personnel or by third parties that, acting as Processors, provide services associated with the system (e.g., monitoring, maintenance, or support), under confidentiality and security obligations.
First Paragraph. PHARMAYECT may provide images or video recordings only: (i) to competent judicial or administrative authorities, when there is a valid request or order; (ii) to the data subject or legitimately authorized persons, where applicable in the context of the exercise of rights, after verification of identity and legitimacy; and (iii) in other cases permitted by law. In all cases, PHARMAYECT will adopt reasonable measures to protect the rights of third parties who may appear in the images.
Second Paragraph. Authorization for the processing of images captured by video surveillance may be obtained through unambiguous conduct, when the data subject, duly informed through visible notices, voluntarily enters or remains in areas designated as video surveillance zones.
Third Paragraph. Recordings shall be retained only for the time strictly necessary to fulfill the purposes described, in accordance with internal retention criteria and applicable legal provisions, and shall then be deleted or subjected to secure restriction/archiving measures, as appropriate.
Fourth Paragraph. PHARMAYECT will inform the data subject, at the time of collection or through the notices and channels provided, of the purposes of the processing and how to exercise their rights.
g. Processing of biometric data for security and access control to restricted areas.
PHARMAYECT may implement biometric validation-based access control mechanisms in restricted or enhanced-security areas, when this is necessary, proportionate, and reasonable for the protection of persons, goods, facilities, information assets, and compliance with internal security controls.
These areas may include, among others, areas for storing or handling controlled raw materials, inventory warehouses, laboratories, quality areas, production areas, technical rooms, server rooms, areas with sensitive or regulated documentation, and other spaces that, due to their operational or regulatory criticality, require strict entry and presence controls.
For these purposes, PHARMAYECT may require the prior collection of biometric data from employees and/or contractors authorized to access such areas, for the exclusive purpose of authentication, identity verification, and access control. Biometric data, by its nature, will be treated as sensitive personal data, and its collection and use will be carried out under a reinforced standard of protection.
In implementing these mechanisms, PHARMAYECT:
I. Will provide prior, clear, and express information about the specific purpose of biometric processing, the type of biometric data to be collected, the system to be used, the scope of the control, and the areas to which it applies.
II. Will obtain explicit, prior, and informed authorization from the data subject (employee or contractor), leaving verifiable and consultable evidence of such authorization, unless a legal exception applies.
III. Will inform of the optional nature of providing biometric data, since it constitutes sensitive data, and will evaluate and implement, when reasonable, less intrusive authentication alternatives for those who do not grant authorization, especially when this does not compromise the security of the area.
IV. Will limit processing to what is strictly necessary for access control, avoiding secondary or incompatible uses (e.g., commercial purposes, disciplinary matters unrelated to security, or reuse for different purposes).
V. Will implement reinforced technical, human, and administrative security measures, including strict access control, encryption or equivalent measures, environment segregation, audit logs, and restrictions on consultation and use.
VI. Will restrict access to biometric data exclusively to strictly authorized personnel and/or to third-party Processors providing services associated with the system, under contractual obligations of confidentiality, security, prohibition of use for their own purposes, and incident management.
VII. Will define retention and deletion criteria: biometric data will be retained only for the time necessary for access control or while the data subject has valid authorization to enter the restricted area, and will be deleted or rendered unusable when the purpose ceases, the authorization is revoked (where applicable), or the contractual/labor relationship ends, without prejudice to legal retention obligations.
VIII. Will adopt procedures to handle requests for consultation, update, deletion, or revocation of authorization, where applicable in accordance with the law and without affecting the fulfillment of security obligations and internal controls.
IX. Will activate internal incident management protocols and adopt corrective and preventive measures in the event of security incidents that may compromise biometric data.
The implementation of biometric mechanisms shall not imply that PHARMAYECT processes this data for purposes other than authentication and access control to restricted areas. Any expansion of purposes will require prior information and, where applicable, a new authorization.
17. COLLECTION, MARKETING, AND COMMERCIAL COMMUNICATIONS.
PHARMAYECT may process personal data for the management of commercial, advertising, promotional, marketing, and/or collection communications, when there is sufficient legal basis and, where applicable, prior, express, and informed authorization from the data subject, in accordance with personal data protection regulations and Law 2300 of 2023 where applicable.
1. Contact channels and data subject preferences.
PHARMAYECT will conduct commercial or collection communications through suitable, authorized, and legally permitted channels, respecting the preferences, revocations, oppositions, exclusions, and non-contact requests registered by the data subject. PHARMAYECT will implement mechanisms for the data subject to request, at any time, the cessation of commercial or promotional communications through the channels set forth in the Policy and the Privacy Notice.
2. Exclusion registry and control measures.
For commercial and advertising communications, PHARMAYECT will verify, where applicable, the Registry of Excluded Numbers (REN) and/or equivalent exclusion mechanisms defined by competent authority, and will adopt internal controls (exclusion lists, segmentation, consent and "do not contact" logs) to avoid improper mailings.
3. Direct or third-party collection.
When PHARMAYECT conducts collection activities directly or through third parties, it will establish controls to ensure that the activity is conducted in a proportionate, respectful, and law-compliant manner, and will require from suppliers or third-party Processors contractual obligations of confidentiality, security, restricted use, and traceability. This includes the third party's obligation to comply with PHARMAYECT's instructions, the authorized channels, and the restrictions applicable to processing.
4. Contact with references or third parties.
When the operation involves contact with references or third parties, PHARMAYECT will limit processing to the minimum necessary, refrain from disclosing irrelevant information, and apply criteria of necessity, purpose, and restricted access, in accordance with the personal data protection framework and applicable contactability rules.
5. Evidence and demonstrated accountability.
PHARMAYECT will retain verifiable evidence of (i) authorizations granted when required, (ii) exclusion or opposition mechanisms, (iii) traceability of relevant campaigns or communications, and (iv) measures adopted to handle cancellation or non-contact requests.
18. SENSITIVE DATA.
PHARMAYECT will restrict the processing of sensitive personal data and, in general, will refrain from collecting or processing it unless strictly necessary, proportionate, and legally permitted. In all cases, when PHARMAYECT collects sensitive data, it will inform the data subject of: (i) the optional nature of responding to questions or providing sensitive data, and (ii) the specific purpose of the processing.
In the case of sensitive personal data, PHARMAYECT may use and process it when:
a. The Data Subject has given their explicit authorization for such Processing, except in cases where the law does not require such authorization.
b. The Processing is necessary to safeguard the vital interests of the Data Subject and the Data Subject is physically or legally incapacitated. In such cases, legal representatives must provide their authorization.
c. The Processing refers to data that is necessary for the recognition, exercise, or defense of a right in judicial proceedings.
d. The Processing has a historical, statistical, or scientific purpose. In this case, measures must be adopted to suppress the identity of the Data Subjects.
First Paragraph. Without prejudice to the provisions of this chapter, PHARMAYECT will apply reinforced rules for the processing of sensitive personal data. In particular, PHARMAYECT:
I. Will inform the data subject, in advance and clearly, of the optional nature of providing sensitive data and the specific purpose of the processing, unless a legal exception applies.
II. Will limit the collection and processing of sensitive data to what is strictly necessary and proportionate to the purpose communicated, avoiding excessive collection or incompatible uses.
III. Will restrict access to sensitive data to strictly authorized personnel under the principle of need-to-know, applying reinforced security and confidentiality measures (including access controls, traceability, segregation, and reasonable technical measures such as encryption or equivalent).
IV. Will retain sensitive data only for the time necessary to fulfill the communicated purpose or for the periods required by law, and will then proceed to its deletion, anonymization, or restriction, as appropriate.
PHARMAYECT, as a general rule, will not subject sensitive personal data to automated decision-making or profiling processes that produce legal effects or significant impacts on the data subject.
Likewise, PHARMAYECT will restrict the use of artificial intelligence or advanced analytics for the processing of sensitive data whenever possible, favoring less intrusive alternatives. When, exceptionally, it is necessary to use automated technologies or AI to process sensitive data, PHARMAYECT:
- Will verify the existence of sufficient legal basis and, where applicable, obtain explicit authorization;
- Will conduct a prior risk assessment and, where a high risk is likely, a personal data protection impact assessment;
- Will implement significant human oversight, controls to prevent biases or discrimination, and precautionary measures when there is uncertainty about relevant harm;
- Will document the justification, purpose, mitigation measures, and traceability of the processing.
Paragraph. Access to sensitive data will be restricted to strictly authorized personnel and reinforced security, confidentiality, and minimization measures will be applied. Sensitive data will be retained only for the time necessary to fulfill the communicated purpose or for the periods required by law. Biometric data is considered sensitive data and will be processed under reinforced standards as set forth in the preceding chapter.
19. PROCESSING OF PERSONAL DATA IN ARTIFICIAL INTELLIGENCE SYSTEMS AND AUTOMATED DECISIONS.
When PHARMAYECT uses, develops, contracts, or implements artificial intelligence (AI) systems, advanced analytics, profiling, or automation involving personal data processing —including training, testing, validation, deployment, monitoring, and continuous improvement— it will apply the principles of the Colombian personal data protection framework and the guidelines issued by the Superintendence of Industry and Commerce.
1. Weighing, necessity, and proportionality.
PHARMAYECT will previously evaluate whether the processing of personal data through AI is suitable, necessary, reasonable, and proportionate to the intended purpose, favoring less intrusive alternatives when possible.
2. Precautionary approach and risk management.
PHARMAYECT will adopt a preventive and risk management approach, so that, if there is reasonable uncertainty about relevant impacts on data subjects, it will implement mitigation measures, restrictions, or abstain from processing where appropriate.
3. Impact assessment (PIA/DPIA).
When a high risk to the rights of data subjects is likely (for example, use of sensitive or biometric data, mass processing, automated decisions with significant effects, use of new models or sources), PHARMAYECT will conduct a personal data protection impact assessment that, at a minimum, describes the processing, identifies risks, establishes mitigation measures, defines security controls, and leaves a record of decisions.
4. Open source data and "publicly accessible" information.
PHARMAYECT will not process personal data obtained from the internet, social networks, or open sources solely because they are publicly accessible, without first verifying a sufficient legal basis and the applicable information and transparency conditions.
5. Sensitive data and minors.
PHARMAYECT will restrict the use of AI for the processing of sensitive data and data of children and adolescents, favoring non-automated alternatives when possible. As a general rule, PHARMAYECT will not subject sensitive data to automated decision-making processes with legal effects or significant impacts on the data subject, except in the presence of legal authorization and reinforced controls.
6. Quality, biases, and operational explainability.
PHARMAYECT will adopt measures to ensure quality, relevance, and updating of data used by AI systems, and will apply controls to prevent improper biases, discrimination, and significant errors. When processing involves automated decisions with significant impact, PHARMAYECT will implement significant human oversight and review mechanisms.
7. Providers, platforms, and sub-processor chain.
When PHARMAYECT uses third-party tools (including AI as a service), it will require contractual and technical guarantees: restricted use, confidentiality, security, sub-processors, incidents, auditing, international transfer/transmission, and deletion/return of data as appropriate.
8. Evidence and demonstrated accountability.
PHARMAYECT will document: the legal basis, purposes, risk assessment, impact assessment where applicable, mitigation decisions, implemented controls, relevant tests, and audits, in order to demonstrate compliance to data subjects and authorities.
20. DATA OF CHILDREN AND ADOLESCENTS
The processing of personal data of children and adolescents is prohibited, except when such data is of a public nature, and when such processing complies with the following parameters and/or requirements:
a. That they respond to and respect the best interests of children and adolescents.
b. That prior, express, and informed authorization is obtained from the legal representative of the child or adolescent, unless a legal exception applies.
c. That the right of the child or adolescent to be heard is guaranteed, and that their opinion is taken into account considering their maturity, autonomy, and capacity to understand the matter.
d. That respect for their fundamental rights is ensured.
e. That the processing is limited to data strictly necessary for the communicated purpose and that reinforced security, confidentiality, and restricted access measures are adopted.
Paragraph. The processing of personal data of children and adolescents will be exceptional and will be carried out with reinforced security, confidentiality, and restricted access measures. PHARMAYECT will not use this data for advertising or commercial prospecting purposes, nor will it subject it to profiling or automated decisions with significant impacts, unless expressly authorized by law. PHARMAYECT may implement reasonable mechanisms to verify the identity and status as legal representative of the person granting authorization and will retain such data only for the time strictly necessary for the communicated purpose, unless a legal obligation requires longer retention.
21. TECHNOLOGY TRANSFER AND ADOPTION OF PLATFORMS THAT PROCESS PERSONAL DATA.
PHARMAYECT recognizes that the acquisition, licensing, implementation, integration, updating, or use of technologies involving personal data processing (including platforms, software, cloud services, analytical tools, AI systems, cybersecurity, HR, CRM, ERP, quality management, and laboratory solutions) may generate risks for the rights of data subjects. Therefore, it will adopt the applicable instructions issued by the Superintendence of Industry and Commerce for technology transfer processes with implications for personal data.
1. Prior due diligence.
Before implementing or contracting a technology that processes personal data, PHARMAYECT will conduct a prior assessment that includes, as appropriate:
a) description of the processing, data categories, purposes, and roles (Controller/Processor);
b) identification of flows, remote accesses, sub-processors, and possible international transfers/transmissions;
c) review of security measures (access control, segregation, audit logs, encryption or equivalent measures, retention, and deletion);
d) evaluation of risks and definition of mitigation measures; and
e) when high risk is likely, a personal data protection impact assessment.
2. Privacy by design and by default.
PHARMAYECT will incorporate privacy-by-design and by-default controls in technological planning and adoption, so that by default only the information necessary for each purpose is processed and exposure surfaces are reduced.
3. Contracts and minimum guarantees.
PHARMAYECT will require that contracts with suppliers or related companies participating in processing include, at a minimum: scope, instructions, purposes, confidentiality, security, incident management, sub-processors, auditing, return/deletion, cooperation with data subjects and authorities, and international transmission/transfer rules where applicable.
4. Countries with lower levels of protection and equivalent standards.
When a technology involves access or processing from jurisdictions with lower levels of protection, PHARMAYECT will establish agreements ensuring minimum standards equivalent to those required by Colombian regulations, including contractual, technical, and organizational safeguards. PHARMAYECT may use standard contractual clauses as a complementary tool where appropriate.
5. Implementation, monitoring, and continuous improvement.
PHARMAYECT will not put critical technologies into operation without having implemented the safeguards defined in the prior assessment. Subsequently, it will conduct periodic technical and compliance follow-up and reviews to verify continuity of controls, provider changes, new sub-processors, software updates, international flow variations, and emerging risks.
6. Evidence.
PHARMAYECT will retain evidence of the prior assessment, internal approvals, mitigation decisions, contracts, audits, and reviews, as part of its demonstrated accountability.
22. PERSONS TO WHOM INFORMATION MAY BE PROVIDED
Information meeting the conditions established by law may be provided to the following persons:
a. To data subjects, their duly accredited successors in interest, or their legal representatives or attorneys-in-fact.
b. To public or administrative entities in the exercise of their legal functions or by court order.
c. To third parties authorized by the data subject or by law.
Paragraph. Before providing information, PHARMAYECT may request and verify the identity of the requester and the capacity in which they act, in order to ensure restricted access and prevent unauthorized disclosures. Likewise, when PHARMAYECT communicates personal data to third parties acting as Data Processors, such communication shall be carried out under applicable legal and contractual conditions, with obligations of confidentiality, security, and restricted use of the information.
23. INTERNATIONAL TRANSFER OF DATA
PHARMAYECT will not carry out transfers of personal data to countries that do not provide adequate levels of protection, in accordance with Article 26 of Law 1581 of 2012 and the standards set by the Superintendence of Industry and Commerce.
A country is understood to offer an adequate level of protection when it meets the standards set by the Superintendence of Industry and Commerce. When the destination country is not recognized as having an adequate level, PHARMAYECT will verify whether the transfer falls under a legal exception or whether a declaration of conformity should be requested from the Superintendence of Industry and Commerce.
Exceptionally, PHARMAYECT may carry out international transfers of personal data when one of the grounds provided in Article 26 of Law 1581 of 2012 is present, including:
a. The data subject has given their prior, express, and unambiguous authorization for the transfer.
b. Exchange of medical data when required for health or public hygiene treatment reasons.
c. The transfer is necessary for the execution of a contract between the data subject and PHARMAYECT as Data Controller and/or Data Processor.
d. Banking and securities transfers in accordance with legislation applicable to such transactions.
e. Transfers agreed within the framework of international treaties in which Colombia is a party, based on the principle of reciprocity.
f. Legally required transfers to safeguard a public interest or for the recognition, exercise, or defense of a right in judicial proceedings.
First Paragraph. When an international transfer takes place, PHARMAYECT will execute agreements detailing the obligations, burdens, and duties of the parties, including technical, human, and administrative measures ensuring a standard of protection equivalent to that required by Colombian regulations, especially when the destination country has a lower level of protection.
Second Paragraph. When the destination country is not on the list of countries with an adequate level of protection and the transaction falls within the exceptions of Article 26, PHARMAYECT may incorporate standard contractual clauses (External Circular 003 of 2025) as a tool to reinforce the protection of data subjects and standardize obligations between the parties.
Third Paragraph. Prior to executing an international transfer, PHARMAYECT must: (i) classify the flow as transfer or transmission according to the role of the recipient; (ii) document the legal basis (exception, adequacy, or declaration of conformity); (iii) verify technical (security, access, encryption/equivalent measures, access logs, segregation) and contractual safeguards; and (iv) retain evidence of the analysis and agreements executed, for demonstrated accountability purposes.
The technical viability opinion must be issued by the Technology and Information Security area, and the legal viability opinion by the data protection and/or legal area, in accordance with PHARMAYECT's internal procedures.
24. INTERNATIONAL TRANSMISSION OF PERSONAL DATA
The international transmission of personal data (i.e., the communication of data from PHARMAYECT as Data Controller to a third party abroad acting as Data Processor to process data on behalf of PHARMAYECT) will not require notification to the data subject or their additional consent, provided that there is a contract in accordance with Article 25 of Decree 1377 of 2013.
First Paragraph. When affiliated companies of the corporate group (parent, affiliates, or subsidiaries) access from abroad the technological infrastructure anchored in PROCAPS S.A. to carry out support, technological operations, or other processing activities on behalf of PHARMAYECT, such cross-border access will be managed as an international transmission and will be subject to the legal, technical, and contractual safeguards provided herein.
In all cases, PHARMAYECT will require the execution of a contract (or intercompany agreement) regulating at a minimum:
a. Scope of processing and data categories.
b. Specific activities to be carried out by the Processor on behalf of PHARMAYECT.
c. Obligations of the Processor to PHARMAYECT and to data subjects, in accordance with the Colombian framework.
d. Use limited to instructed purposes and prohibition of own or unauthorized use.
e. Confidentiality rules, restricted access, and security measures proportionate to the criticality of the information.
f. Incident management: immediate notification to PHARMAYECT and cooperation in containment, investigation, and remediation.
g. Sub-processors: prior authorization (general or specific), equivalent obligations, and traceability.
h. Location/processing environments, remote access, access logs, and auditing.
i. Return or deletion of data upon completion of the provision, unless applicable legal retentions apply.
j. Cooperation in handling inquiries, complaints, and authority requirements.
First Paragraph. PHARMAYECT may incorporate standard contractual clauses (External Circular 003 of 2025) as a complementary instrument to standardize obligations and reinforce safeguards in international transmissions, especially when the Processor is located in countries without an adequate level of protection.
Second Paragraph. PHARMAYECT will ensure that PROCAPS S.A. maintains central control and administration of its technological infrastructure and that security controls are applied for cross-border accesses (identity management, role-based profiles, strong authentication where applicable, access logs, monitoring, environment segregation, and cryptographic or equivalent measures), so that access from abroad does not imply a reduction in the protection standards required by Colombian regulations.
25. RETENTION, BLOCKING, AND DELETION OF PERSONAL DATA
PHARMAYECT will retain personal data only for as long as necessary to fulfill the purposes for which it was collected and/or authorized, or while there is a legal, contractual, administrative, or judicial obligation requiring its retention.
Retention periods may be communicated to the data subject at the time of collection and/or defined internally by PHARMAYECT according to: (i) the purpose of the processing, (ii) the nature of the data, (iii) the type of relationship with the data subject (labor, contractual, commercial, corporate, etc.), and (iv) the deadlines provided in special regulations (labor, accounting, fiscal, tax, regulatory, security, and risk management).
PHARMAYECT may establish and maintain internal retention and final disposition tables, criteria, or matrices. Upon expiration of the applicable deadlines, and provided there is no obligation to retain, PHARMAYECT will proceed to:
a. Delete data securely, preventing recovery; or
b. Anonymize the information when possible and appropriate; or
c. Restrict/Block processing, when it must be retained only for archiving, evidentiary support, claims handling, legal compliance, or rights defense purposes.
The deletion or restriction shall be carried out applying reasonable technical and organizational measures to prevent unauthorized access, improper disclosures, or re-identification, as applicable.
26. PROCEDURES FOR HANDLING INQUIRIES, COMPLAINTS, AND PETITIONS.
Data subjects, their successors in interest, legal representatives, or attorneys-in-fact may exercise their rights through the service channels provided by PHARMAYECT. Before handling a request, PHARMAYECT may verify the identity of the requester and the capacity in which they act, in order to prevent unauthorized access or disclosures.
Service channels:
| City | Address | Email |
| --- | --- | --- |
| Barranquilla (Colombia) | Calle 80 NO. 78 B - 201 | habeasdata@procaps.com.co |
INQUIRIES. Data subjects or their successors in interest may consult the personal information of the data subject contained in any database of PHARMAYECT. The data subject may send their questions or inquiries related to their personal data collected and processed by PHARMAYECT through the designated service channels.
PHARMAYECT will resolve the inquiry within ten (10) business days following the date of receipt. When it is not possible to address the inquiry within this period, the interested party will be informed before the expiration of the 10 days, stating the reasons for the delay and indicating the date on which the inquiry will be addressed, which in no case may exceed five (5) additional business days from the expiration of the first period.
COMPLAINTS. The data subject (or their successors in interest) who considers that the information contained in any database of PHARMAYECT should be corrected, updated, or deleted, or who detects alleged non-compliance with any legal duty, may file a complaint through the designated service channels.
The complaint must contain at a minimum: (i) identification of the data subject, (ii) description of the facts giving rise to the complaint, (iii) address and contact information to receive a response, and (iv) documents to be considered.
If the complaint is incomplete, PHARMAYECT will notify the interested party within five (5) business days of receipt to rectify the deficiencies. If two (2) months elapse from the date of the notice without the requester providing the required information, it will be understood that they have withdrawn the complaint.
Once the complete complaint has been received, PHARMAYECT will include a legend in the database reading "COMPLAINT IN PROCESS" and the reason for it, within no more than two (2) business days. This legend must be maintained until the complaint is resolved.
The maximum period to address the complaint is fifteen (15) business days from the day following the date of receipt. When it is not possible to address it within this period, the interested party will be notified, before that period expires, of the reasons for the delay and the date on which the complaint will be addressed, which in no case may exceed eight (8) additional business days from the expiration of the first period.
REVOCATION OF AUTHORIZATION. The data subject may request the revocation of authorization granted for the processing of their personal data when applicable. PHARMAYECT will evaluate the request and, if viable, will cease processing for the affected purposes. Revocation will not have retroactive effects on processing validly carried out previously and will not apply when there is a legal or contractual duty requiring the retention or continued processing of certain information.
DELETION. The right to data deletion is not absolute; PHARMAYECT may deny it when:
a. The data subject has a legal or contractual duty to remain in the database.
b. The deletion of data would obstruct judicial or administrative proceedings related to tax obligations, the investigation and prosecution of crimes, or the update of administrative sanctions.
c. The data is necessary to protect the legally protected interests of the data subject; to perform an action in the public interest; or to comply with a legally acquired obligation of the data subject.
d. When the deletion of personal data is appropriate, PHARMAYECT must operationally carry out the deletion in a manner that does not allow recovery of the information.
27. AREA RESPONSIBLE FOR PERSONAL DATA PROTECTION
PHARMAYECT has designated a person and/or area responsible for the personal data protection function, tasked with handling data subjects' requests for the exercise of rights provided by law and coordinating the implementation of the personal data protection program within the organization.
PERSONAL DATA PROTECTION OFFICER
This will be the person and/or department responsible for leading the personal data protection program at PHARMAYECT, handling data subjects' requests, and coordinating the transversal implementation of the system. In carrying out the foregoing, they will have, among others, the following functions:
a. To receive, process, and handle requests, petitions, inquiries, or complaints submitted by data subjects, their successors in interest, representatives, or attorneys-in-fact, including reasonable identity and legitimacy verification when necessary.
b. To administer and maintain the internal personal data protection system at PHARMAYECT and coordinate its implementation with the relevant areas.
c. To maintain an inventory of databases and coordinate compliance with obligations associated with the NDBR, including registrations, updates, and periodic reports in accordance with the requirements of the competent authority.
d. To coordinate the management of international transfers and transmissions from a data protection perspective, including the review of contractual safeguards and, where applicable, the management of declarations of conformity or other applicable instruments.
e. To plan and coordinate training and organizational culture strategies in personal data protection, with a focus on profiles and access levels.
f. To coordinate internal audits or periodic reviews to verify compliance with the Policy and associated procedures.
g. To assist in attending to visits, requirements, investigations, and communications from competent authorities regarding personal data protection.
h. To manage and follow up on the personal data processing risk management program, promoting controls and continuous improvements.
i. To coordinate the management of security incidents compromising personal data and their reporting to the Superintendence of Industry and Commerce within the applicable deadlines, including reporting through the NDBR when applicable.
j. To present periodic reports to Senior Management on the status of the program, relevant risks, incidents, audits, and improvement plans.
k. To propose adjustments, updates, or new internal guidelines regarding personal data protection and submit them for approval when appropriate.
The Personal Data Protection Officer will act in coordination with the Technology/Information Security, Legal/Compliance, and Human Resources areas and with process leaders, to ensure effective implementation of technical, administrative, and contractual controls, as well as incident, access, and risk management associated with processing.
28. INFORMATION SECURITY
PHARMAYECT implements and maintains technical, human, administrative, physical, and organizational measures that are reasonable and proportionate to the risk, aimed at protecting personal data against unauthorized access, loss, misuse, alteration, destruction, or unauthorized disclosure. These measures are part of PHARMAYECT's information security system and are applied in conjunction with this Policy.
PHARMAYECT may allow access to personal data to third parties acting as Data Processors (including technology providers and/or affiliated companies providing services to PHARMAYECT), provided that there are agreements or contracts imposing obligations of confidentiality, security, restricted use, incident management, subcontracting, and other conditions required by applicable regulations and this Policy.
PHARMAYECT does not guarantee the absolute absence of security incidents; however, it commits to maintaining reasonable and proportionate controls, as well as prevention, detection, response, and continuous improvement procedures.
First Paragraph. In the event of a security incident that may compromise personal data, PHARMAYECT will activate its internal response protocols, including containment, analysis, remediation, documentation, and adoption of corrective measures. Where applicable, PHARMAYECT will report the incident to the Superintendence of Industry and Commerce within the applicable terms, including reporting through the NDBR when appropriate.
Second Paragraph. Before implementing, acquiring, contracting, licensing, integrating, or using platforms, applications, technological tools, cloud services, software, advanced analytics systems, or artificial intelligence involving personal data processing, PHARMAYECT will conduct a prior assessment aimed at verifying privacy and security risks and safeguards.
Such assessment may include, as appropriate: (i) definition of the scope of processing, data categories, and purposes; (ii) identification of roles (Controller/Processor), flows, and international transfers or transmissions; (iii) review of access controls, encryption or equivalent measures, audit logs, segregation, retention, and deletion; (iv) verification of sub-processors and the technological supply chain; (v) risk analysis and mitigation measures, including, when high risk is likely, a personal data protection impact assessment; and (vi) review of contractual clauses regarding confidentiality, security, incidents, cooperation, and restricted use.
PHARMAYECT will document the conclusions of this assessment and adopt corrective or preventive measures before putting the technology into operation, especially when it involves AI-based tools or processing involving sensitive, biometric, or automated decision data.
29. HANDLING OF REQUIREMENTS FROM ADMINISTRATIVE AND JUDICIAL ENTITIES
The Personal Data Protection Officer, together with the legal representative and/or internally designated responsible areas, will handle visits, information requests, or requests related to personal data submitted by competent judicial or administrative authorities.
PHARMAYECT may disclose personal data when there is a valid request or order issued by a competent authority, in accordance with applicable regulations. In such cases, PHARMAYECT will verify the scope of the request and provide only the strictly necessary information, maintaining internal records of the request and the response provided.
30. VALIDITY AND AMENDMENTS
This Policy was approved by the Senior Management of PHARMAYECT and supersedes all provisions previously issued within the organization.
The databases in which personal data will be recorded shall remain in force for as long as the information is retained and used for the purposes described in this Policy. Once those purposes have been fulfilled and provided there is no legal or contractual duty to retain the information, the data will be deleted from the databases.
31. APPROVAL AND DISCLOSURE
This document was reviewed, analyzed, and approved for implementation by the Board of Directors of PHARMAYECT. PHARMAYECT will carry out the corresponding disclosure to the stakeholder groups and a record will be kept thereof.