C.I. PROCAPS S.A.
NIT 802.009.120 - 6
Street 80 No. 78 B – 201
Barranquilla (Atlántico) – Colombia.
This “Personal Data Protection and Processing Policy” (hereinafter “The Policy”) establishes the guidelines, rules and commitments adopted by the company
C.I. PROCAPS S.A (hereinafter “
C.I. PROCAPS”) to guarantee the adequate processing of personal data, in accordance with Law 1581 of 2012, Decree 1377 of 2013 (compiled in Decree 1074 of 2015), and other applicable regulations in Colombia.
This Policy applies to the personal data that
C.I. PROCAPS collects, manages, stores, uses, circulates, transfers or deletes, whether acting as Data Controller or as Data Processor on behalf of a third party, within the framework of its operations and activities. Likewise, this Policy applies to the personal information that, by virtue of the operating model of
C.I. PROCAPS as a branch or subsidiary of
PROCAPS S.A., is integrated into a centralized technological structure managed by the latter, on which the related companies operate. In this sense, the information of
C.I. PROCAPS is processed, stored and safeguarded within said corporate technological ecosystem, being subject to the policies, standards and controls defined by
PROCAPS S.A. regarding information management, information security, cybersecurity and data governance, without prejudice to compliance with the applicable legal provisions and the data transmission agreements entered into between the parties.
The purpose of this Policy is to compile the principles, rules and best practices that govern the processing of personal data with respect to the Data Subjects with whom
C.I. PROCAPS relates (including, among others, clients, consumers, suppliers, contractors, candidates, employees, shareholders and other stakeholders), in order to protect their rights, ensure regulatory compliance and promote demonstrated accountability in all operations and activities.
In the development of its operating and technological model,
PROCAPS S.A. may process personal data on behalf of its branch or subsidiary
C.I. PROCAPS, when the latter acts as Data Controller and
PROCAPS S.A. acts as Data Processor for the provision of technological, operational or support services. For these purposes,
C.I. PROCAPS has entered into and may continue to enter into with
PROCAPS S.A. data transmission agreements that define the scope of the processing, the Controller’s instructions, the confidentiality and security obligations, the prohibition of use for its own purposes, incident management, control of sub-processors, the conditions for remote access, the return or deletion of the information, and the other safeguards required by Colombian regulations.
This Policy incorporates mechanisms to ensure that personal data are:
· Processed in a lawful, fair and transparent manner in relation to the data subject.
· Collected for specified, explicit and legitimate purposes, and not subsequently processed in a manner incompatible with those purposes.
· Adequate, relevant and limited to the minimum necessary in relation to the purposes for which they are processed.
· Accurate and up to date; reasonable measures being adopted for their rectification or deletion when appropriate.
· Kept only for the time necessary to fulfill the purposes of the processing and the applicable legal or contractual obligations.
· Processed under reasonable security controls and measures proportional to the risk, and under a demonstrated accountability approach.
This Policy is issued as part of the demonstrated accountability approach of
C.I. PROCAPS, in order to evidence the implementation of controls and measures for the protection of personal data and the management of risks associated with the processing.
C.I. PROCAPS recognizes that, due to the nature of its operation and its technological infrastructure, some processing may involve cross-border access, international transmission or the intervention of third parties located outside Colombia. In those cases,
C.I. PROCAPS will adopt contractual, technical and organizational safeguards that ensure standards equivalent to those required by Colombian regulations, especially when the processing involves jurisdictions with different levels of protection.
C.I. PROCAPS will apply a demonstrated accountability and risk management approach in personal data protection, incorporating privacy by design and by default in its processes and technologies. When a processing operation may involve high risk to the rights of data subjects —including sensitive data, biometric data, automated decisions or the use of artificial intelligence—
C.I. PROCAPS will carry out prior assessments and, when appropriate, impact assessments, documenting technical, organizational and contractual safeguards. This Policy is complemented by privacy notices and specific authorizations informed to the data subject at the time of collection, according to the applicable channel or process.
This Policy does not constitute a contract; it reflects the commitment of
C.I. PROCAPS to the protection of the personal information of data subjects and to compliance with the Colombian personal data protection regime. In compliance with Law 1581 of 2012 and its applicable regulations,
C.I. PROCAPS makes available to data subjects this Personal Data Protection and Processing Policy, as well as the channels for the exercise of their rights.
1. OBJECTIVE
To establish the guidelines, criteria and rules applicable to the collection, consultation, storage, ordering, classification, cataloging, analysis, processing, use, circulation, transfer, transmission, deletion and other forms of processing carried out by
C.I. PROCAPS, whether as Data Controller and/or Data Processor, in order to guarantee the protection of the rights of data subjects, compliance with the applicable principles and legal duties, and the adequate management of the risks associated with the processing of personal data, in accordance with Statutory Law 1581 of 2012, Decree 1074 of 2015 and the other regulations that modify, regulate, add to or replace them. The foregoing includes processing carried out by means of manual processes, automated processes, technological tools, digital platforms and, where applicable, advanced analytics or artificial intelligence systems.
2. SCOPE
This Policy applies to all processing of personal data contained in databases, physical, electronic or digital files, carried out by
C.I. PROCAPS in the development of its corporate purpose, its corporate, administrative, labor, commercial, contractual, security and stakeholder-relationship processes, whether acting as “Data Controller” and/or “Data Processor” on behalf of a third party.
3. MANDATORY NATURE AND ADDRESSEES.
This Policy is of mandatory compliance for direct and indirect collaborators, contractors, consultants, suppliers, legal representatives, directors, interns, allies, Processors, third parties and, in general, for any person who, by reason of their functions, activities or relationship with
C.I. PROCAPS, accesses, collects, stores, uses, consults, circulates, deletes or carries out any processing of personal data on behalf of the company.
Process leaders and Senior Management must promote its effective implementation, ensure the allocation of necessary resources and adopt the supervision and control measures that correspond within their competencies.
- IDENTIFICATION OF THE COMPANY RESPONSIBLE FOR THE PROCESSING
The Data Controller of the personal data subject to this Policy is
C.I. PROCAPS S.A. a commercial company identified with NIT No. 802.009.120-6, with commercial registration No. 270.639 of February 12, 1999, with principal domicile at Street 80 No. 78 B – 201 in the city of Barranquilla (Colombia).
For purposes of the exercise of the rights of data subjects and the handling of inquiries, claims and requests related to the protection and processing of personal data,
C.I. PROCAPS will provide the contact channels reported in this Policy or in the corresponding Privacy Notice.
- SERVICE CHANNELS
For the exercise of their rights to know, consult, update, rectify, delete their personal data, revoke the authorization when applicable, or submit petitions, inquiries or claims related to the processing of their personal data, data subjects, their successors or their attorneys may contact
C.I. PROCAPS through the following service channels:
| City |
Address |
Email |
|
Phone |
|
| Barranquilla (Colombia) |
Street 80 No. 78 B - 201 |
habeasdata@procaps.com.co |
|
+57 (605) 3854321 |
|
Area responsible for handling petitions, inquiries and claims: Legal Compliance Area.
- The service channels reported here may be updated by C.I. PROCAPS when necessary for operational, administrative or technological reasons. Such changes will not constitute a substantial modification of this Policy and will be reported to data subjects through the update of the information published on the website, privacy notice or other corporate means provided for that purpose.
- APPLICABLE REGULATORY FRAMEWORK.
This Policy is based, among others, on the following provisions:
a. Political Constitution of Colombia, article 15.
b. Law 1266 of 2008, to the extent applicable.
c. Law 1581 of 2012.
d. Regulatory Decree 1377 of 2013 and Decree 886 of 2014, to the extent applicable and in what is not compiled or developed by Decree 1074 of 2015
e. Sole Regulatory Decree 1074 of 2015, in particular the provisions applicable to the processing of personal data.
f. Law 2300 of 2023, in relation to channels, hours, frequency and contactability rules, when applicable.
g. External Circular 01 of 2024 of the Superintendence of Industry and Commerce.
h. External Circular 02 of 2024 of the Superintendence of Industry and Commerce.
i. External Circular 03 of 2024 of the Superintendence of Industry and Commerce.
j. External Circular 02 of 2025 of the Superintendence of Industry and Commerce.
k. External Circular 03 of 2025 of the Superintendence of Industry and Commerce.
l. All other regulations, instructions, guidelines, circulars and decisions of a competent authority that modify, add to, replace or are applicable to the processing and protection of personal data in Colombia.
7. DEFINITIONS
For purposes of interpretation, application and implementation of this Policy, the following definitions shall apply:
a. AUTHORIZATION: Prior, express and informed consent of the data subject to carry out the processing of personal data.
b. PRIVACY NOTICE: Verbal or written communication generated by the Controller of the information, directed to the data subject for the processing of their personal data, by means of which they are informed about the existence of the information processing policies that will be applicable to them, the way to access them and the purposes of the processing intended for the personal data.
c. DATABASE: Organized set of personal data that is subject to processing.
d. CHANNELS TO EXERCISE RIGHTS: These are the means of reception and handling of petitions, inquiries and claims that the Data Controller and the Data Processor must make available to the Data Subjects of the information.
e. DATA TRANSMISSION AGREEMENT: Agreement by means of which
C.I. PROCAPS, as Data Processor, is authorized by one of its subsidiaries and/or branches to process personal data on their behalf, delimiting the scope of the processing, the obligations of confidentiality, security, restricted use, subcontracting, incidents and deletion or return of information.
f. ANONYMIZED DATA: Information that has been subjected to a technical process that prevents the data subject from being reasonably identified, directly or indirectly, irreversibly or with a non-significant risk of re-identification.
g. BIOMETRIC DATA: Sensitive personal data relating to physical, physiological or behavioral characteristics of a natural person, which allows or confirms their unique or unequivocal identification, such as fingerprints, facial recognition, iris, voice, hand geometry or others similar.
h. PERSONAL DATA: Any piece of information linked to one or several determined or determinable persons or that may be associated with a natural person.
i. PUBLIC DATA: Data that is not semi-private, private or sensitive. Among others, data relating to the marital status of persons, their profession or trade, and their status as a merchant or public servant are considered public data. By their nature, public data may be contained, among others, in public registries, public documents, official gazettes and bulletins, and duly enforceable judicial rulings that are not subject to confidentiality.
j. SENSITIVE DATA: Sensitive data is understood as that which affects the data subject’s privacy or whose improper use may generate discrimination, such as that which reveals racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social or human rights organizations, or that promotes the interests of any political party or that guarantees the rights and guarantees of opposition political parties, as well as data relating to health, sexual life, and biometric data.
k. AUTOMATED DECISION: Decision adopted totally or partially by automated means, without or with minimal significant human intervention, that may produce legal effects or significantly impact a data subject.
l. DATA PROCESSOR: Natural or legal person, public or private, who by themselves or in association with others, carries out the Processing of personal data on behalf of the Data Controller.
m. PERSONAL DATA PROTECTION IMPACT ASSESSMENT: Prior analysis tool by means of which
C.I. PROCAPS identifies, evaluates and documents the risks that a processing of personal data may generate for the rights and freedoms of data subjects, as well as the measures envisaged to prevent, mitigate or control them.
n. HABEAS DATA: Right of any person to know, update and rectify the information that has been collected about them in the data bank and in files of public and private entities.
o. INFORMATION SECURITY INCIDENT: Real or potential event that compromises or may compromise the confidentiality, integrity, availability, authenticity or security of the personal data processed by
C.I. PROCAPS, including unauthorized access, loss, leakage, alteration, destruction, improper disclosure or unauthorized use of the information.
p. PUBLICLY ACCESSIBLE INFORMATION: Information available in environments or sources accessible to an indeterminate number of people, which does not imply, by itself, that it has the nature of public data nor automatically enables its processing without sufficient legal basis.
q. PERSONAL DATA PROTECTION AND PROCESSING POLICY: The formal document approved by
C.I. PROCAPS that reflects the conditions applicable to any processing operation involving Personal Data
r. PRIVACY BY DESIGN AND BY DEFAULT: Approach according to which
C.I. PROCAPS incorporates personal data protection measures from the planning, design, acquisition, development, implementation and operation of processes, products, services, technologies and information systems, guaranteeing that, by default, only the personal data necessary for each legitimate purpose are processed.
s. DATA CONTROLLER: Natural or legal person, public or private, who by themselves or in association with others, decides on the database and/or the Processing of the data.
t. PSEUDONYMIZATION: Processing of personal data by means of which the information can no longer be attributed to a specific data subject without using additional information, provided that such additional information is kept separately and is subject to technical and organizational measures intended to ensure that the data are not attributed to an identified or identifiable person.
u. ARTIFICIAL INTELLIGENCE SYSTEM: Machine-based system that, for explicit or implicit objectives, can infer from the information it receives how to generate results such as predictions, content, recommendations, classifications or decisions that influence physical or virtual environments
v. DATA SUBJECT: Natural person whose personal data are subject to processing.
w. PROCESSING: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.
x. TRANSFER: The transfer of data takes place when the Data Controller and/or Data Processor, located in Colombia, sends the information or the personal data to a recipient, who in turn is a Data Controller and is located inside or outside the country.
y. TECHNOLOGY TRANSFER: Any operation or legal transaction by means of which
C.I. PROCAPS acquires, licenses, implements, assigns, integrates, develops, receives or makes available technologies, platforms, applications, tools, infrastructures or solutions that imply or may imply the processing of personal data.
z. TRANSMISSION: Processing of personal data that implies the communication of such data inside or outside the territory of the Republic of Colombia when its purpose is the performance of processing by the Processor on behalf of the Controller.
8. PRINCIPLES
In the development, interpretation and application of Law 1581 of 2012, which sets forth general provisions for the protection of personal data, and the regulations that complement, modify or add to it, the following guiding principles shall be applied in a harmonious and integral manner:
a. PRINCIPLE OF LEGALITY: The Processing of data is a regulated activity that must comply with the provisions of the law and the other provisions that develop it.
b. PRINCIPLE OF PURPOSE: The processing must respond to a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the data subject. With respect to the collection of personal data,
C.I. PROCAPS will limit itself to those data that are relevant, adequate and necessary for the purpose for which they were collected or required, in accordance with the applicable regulations and its internal procedures.
c. PRINCIPLE OF FREEDOM: The processing may only be carried out with the prior, express and informed consent of the data subject. Personal data may only be obtained or disclosed with prior authorization, or with the existence of a legal or judicial mandate that relieves the consent.
d. PRINCIPLE OF TRUTHFULNESS OR QUALITY: The information subject to processing must be truthful, complete, accurate, up to date, verifiable and comprehensible. The processing of partial, incomplete, fractioned data or data that induce error is prohibited.
e. PRINCIPLE OF TRANSPARENCY: In the processing, the right of the data subject to obtain from the Data Controller or the Data Processor, at any time and without restrictions, information about the existence of data concerning them, must be guaranteed.
f. PRINCIPLE OF RESTRICTED ACCESS AND CIRCULATION: The processing is subject to the limits derived from the nature of the personal data, the provisions of the law and the Constitution. In this sense, the processing may only be carried out by persons authorized by the data subject and/or by the persons provided for by law. Personal data, except public information, may not be available on the internet or other means of mass disclosure or communication, unless access is technically controllable to provide restricted knowledge only to the data subjects or third parties authorized in accordance with the law.
g. PRINCIPLE OF SECURITY: The information subject to processing by
C.I. PROCAPS must be handled with the technical, human, administrative and organizational measures that are reasonable and proportional to the risk, in order to provide security to the records and avoid their adulteration, loss, consultation, use, access or unauthorized or fraudulent disclosure.
h. PRINCIPLE OF CONFIDENTIALITY: C.I. PROCAPS is obliged to guarantee the confidentiality of the information, even after the end of its relationship with any of the tasks that the processing comprises, being able to only carry out the supply or communication of personal data when it corresponds to the development of the activities authorized by law.
Without prejudice to the guiding principles provided for in Law 1581 of 2012,
C.I. PROCAPS will adopt as complementary corporate criteria for the interpretation and application of this Policy the following:
I. DEMONSTRATED ACCOUNTABILITY: C.I. PROCAPS will adopt useful, timely, efficient, verifiable and documented measures to demonstrate compliance with the personal data protection regime, including the implementation of internal controls, allocation of responsibilities, preservation of evidence, incident management, training and periodic monitoring.
II. NECESSITY, PROPORTIONALITY AND MINIMIZATION: C.I. PROCAPS will seek that the processing of personal data is limited to what is strictly relevant, adequate and necessary for the legitimate purpose informed to the data subject, avoiding the excessive collection, use or retention of information.
III. PRIVACY BY DESIGN AND BY DEFAULT: C.I. PROCAPS will incorporate personal data protection measures from the planning, design, acquisition, development, implementation and operation of processes, products, services, contracts, technological tools and information systems, guaranteeing that, by default, only the personal data necessary for each purpose are processed.
IV. COMPREHENSIVE RISK MANAGEMENT: C.I. PROCAPS will identify, evaluate, document and manage the risks associated with the processing of personal data, especially when it involves emerging technologies, massive processing, sensitive data, biometric data, automated decisions, international transfers or third parties acting on behalf of the company.
9. RIGHTS OF THE DATA SUBJECT OF THE INFORMATION.
The data subject of the personal data shall have the following rights:
a. Know, update and rectify their personal data with respect to
C.I. PROCAPS, in its capacity as Data Controller and/or Data Processor. This right may be exercised, among others, with respect to partial, inaccurate, incomplete, fractioned data, data that induce error, or those whose processing is expressly prohibited or has not been authorized.
b. Request proof of the authorization granted to
C.I. PROCAPS except when it is expressly excepted as a requirement for the processing, in accordance with the law.
c. Be informed by
C.I. PROCAPS, upon request, regarding the use it has made of their personal data.
d. File before the Superintendence of Industry and Commerce complaints for violations of the provisions of Law 1581 of 2012 and the other regulations that modify, add to or complement it, once the inquiry or claim procedure before
C.I. PROCAPS has been exhausted, when applicable.
e. Revoke the authorization and/or request the deletion of the data when, in the Processing, the constitutional and legal principles, rights and guarantees are not respected.
f. Access free of charge their personal data that have been subject to processing.
10. RIGHTS OF CHILDREN AND ADOLESCENTS.
C.I. PROCAPS will ensure at all times respect for the prevailing rights of children and adolescents. As a general rule, the processing of their personal data is prohibited, except for data of a public nature or those cases in which such processing is exceptionally appropriate in accordance with the law.
In the events in which
C.I. PROCAPS must process personal data of children or adolescents, such processing will only be carried out when it:
a. responds to and respects the best interest of the child or adolescent;
b. ensures respect for their fundamental rights;
c. is strictly necessary and proportional for the purpose pursued;
d. has the prior and express authorization of the minor’s legal representative; and
e. the right of the child or adolescent to be heard has been guaranteed, valuing their opinion according to their maturity, autonomy and capacity to understand the matter, to the extent possible.
C.I. PROCAPS will ensure the adequate use of the personal data of children and adolescents and will apply, in all cases, the principles and obligations provided for in the current regulations on personal data protection.
11. DUTIES OF C.I. PROCAPS.
a. Make use of the information contained in the databases only for the purpose for which it is authorized.
b. Guarantee the data subject, at all times, the full and effective exercise of the right of Habeas Data.
c. When personal data are collected, it must be limited to those relevant and adequate for the purpose for which they are required in accordance with the provisions of the laws. For this purpose, deceptive or fraudulent means will not be used.
d. Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
e. Carry out in a timely manner the update, rectification or deletion of the data in the terms indicated by this Policy in the Procedures – Claims section.
f. Enable electronic means of communication or others it deems relevant that allow timely handling of the inquiries and claims submitted by the data subjects of the information.
g. The requested information must be supplied free of charge and by any means, as required by the data subject. The information must be easy to read, without technical barriers that prevent its access and must correspond strictly to that which is in the database.
h. In the event that the certification of the authorized information is requested physically and/or it needs to be sent by certified mail, the company
C.I. PROCAPS may require the requester to pay the amount that corresponds to expenses, without at any time being able to charge more than what is actually billed; in the event of being required, the company
C.I. PROCAPS must demonstrate to the Superintendence of Industry and Commerce the support of said expenses.
i. Adopt the other measures necessary so that the information supplied to it is kept up to date.
j. Rectify the information when it is incorrect.
k. Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
l. Refrain from circulating information that is being disputed by the data subject and whose blocking has been ordered by the Superintendence of Industry and Commerce.
m. Allow access to the information only to the persons who may have access to it.
n. Inform the Superintendence of Industry and Commerce when violations of the security codes occur and there are risks in the administration of the information of the data subjects.
o. Establish the mechanisms necessary to obtain the authorization of the data subjects for the processing of their data, which may be granted through a physical or electronic document or in any other format that allows guaranteeing its subsequent consultation.
p. It is the obligation of
C.I. PROCAPS to keep proof of the authorization and to deliver a copy to the data subject of the information in case they require it.
q. Establish simple and free mechanisms that allow the data subject to request the report, modification, deletion or update of the data, which may be the same mechanisms used for granting consent, without prejudice to the expenses that may arise on the occasion of its issuance and sending.
r. The information subject to processing must be protected through the use of the technical, human and administrative measures necessary to provide security to the records, avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access. For this purpose,
C.I. PROCAPS will maintain security protocols of mandatory compliance for personnel with access to personal data and information systems.
s. The personnel of
C.I. PROCAPS that intervene in the processing of personal data are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks that the processing comprises, in accordance with the provisions of the employment contract and/or other provisions subject to the relationship between employee and company.
t. Designate a “Personal Data Officer” who assumes the personal data protection function and who will also ensure that, through the service channels, the requests of data subjects are processed.
u. In principle, the processing of personal data of children and adolescents is prohibited by law, except for data of a public nature and/or when such processing meets the parameters and requirements set forth in this Policy.
v. The company
C.I. PROCAPS will use the personal data in accordance with the authorization given by the data subject and will only transmit or transfer them to allies, branches or subsidiaries, third parties who may use the information for the development of their tasks acting on behalf of
C.I. PROCAPS and/or in compliance with the requirements of the authorities, abiding by the laws that apply on the matter and respecting the Service Agreements in force with third parties.
w. They may only collect, store, use or circulate the personal data during the time that is reasonable and necessary, in accordance with the purposes that justified their processing, taking into account the legal provisions and administrative, accounting, fiscal, legal and historical aspects of the information. Once the purpose of the processing has been fulfilled and without prejudice to legal regulations that provide otherwise,
C.I. PROCAPS must delete the personal data. However, the personal data must be kept when required for compliance with a legal or contractual obligation.
x. Prove the existence of the “Personal Data Protection and Processing Policy” and the way to access it, which will be published on the company’s website, on social media and at the main office.
y. For the collection, use and processing of personal data,
C.I. PROCAPS must comply with the following parameters: (i) The processing of the personal data collected must respond to a legitimate purpose of which the data subject must be informed; (ii) The processing of the personal data may only be carried out with the prior, express and informed consent of the data subject; (iii) The personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves the consent; (iv) The information subject to processing must be truthful, complete, accurate, up to date, verifiable and comprehensible; (v) the processing of partial, incomplete, fractioned data or data that induce error is prohibited; (vi) The right of the data subject to obtain at any time and without restrictions, information about the existence of data concerning them, must be guaranteed.
z. In the event of a substantial modification to this “Personal Data Protection and Processing Policy”, the company
C.I. PROCAPS must again request from the data subject of the information the authorization for the processing of data.
aa. Identify, evaluate, manage and monitor the risks associated with the processing of personal data, especially when they involve sensitive data, biometric data, minors, video surveillance, artificial intelligence, automated decisions, international transfers or third parties.
bb. Incorporate privacy by design and by default criteria in the processes, products, services, technologies, information systems and relationships with third parties that imply the processing of personal data.
cc. Carry out personal data protection impact assessments when the processing may generate high risks to the rights of data subjects, especially in cases of new technologies, artificial intelligence, massive processing, biometric data, automated decisions or sensitive data.
dd. Maintain verifiable evidence of compliance with the personal data protection regulations and of the measures adopted for their implementation.
ee. When
C.I. PROCAPS uses artificial intelligence, advanced analytics, profiling or automated processes that imply the processing of personal data, it must ensure that their use is legitimate, necessary, proportional, verifiable and supervised, and adopt measures to prevent biases, errors, discrimination and disproportionate effects on data subjects.
ff. Guarantee mechanisms of human supervision and review when the processing of personal data serves as the basis for automated or semi-automated decisions with legal effects or relevant impacts on data subjects.
gg. Refrain from processing personal data obtained from the internet, social media or open sources merely because they are accessible to the public, without previously verifying the existence of a sufficient legal basis.
hh. Verify that the third parties that access personal data on behalf of
C.I. PROCAPS offer sufficient guarantees of confidentiality, security and regulatory compliance, and subscribe the corresponding contractual instruments.
ii. Carry out prior due diligence in the acquisition, implementation or update of technologies that imply the processing of personal data, in order to identify their impacts and risks regarding privacy and security.
jj. Implement internal procedures for the identification, reporting, containment, analysis, mitigation, documentation, remediation and closure of security incidents that compromise personal data, as well as adopt corrective and preventive measures aimed at avoiding their recurrence.
kk. Implement periodic training, awareness and update programs aimed at the personnel that intervene in the processing of personal data, in accordance with the level of access, the criticality of the process and the risks associated with their functions.
ll. Respect, when applicable, the channels authorized by data subjects for sending commercial or advertising communications, handle requests for exclusion, opposition or revocation, and consult the current legal exclusion mechanisms before carrying out commercial prospecting activities. Define and implement internal criteria, terms or tables for the retention, blocking, anonymization, archiving and secure deletion of personal data, attending to the purpose of the processing, the nature of the data, the legal or contractual obligations and the risks of excessive retention. Periodically review and update this Policy, as well as the internal procedures related to personal data protection, when there are regulatory, operational, technological, contractual or risk changes that make it necessary.
12. AUTHORIZATION POLICY
Without prejudice to the exceptions provided for by Law, the processing of personal data by
C.I. PROCAPS requires the prior, express and informed authorization of the Data Subject, which must be obtained by any means that may be subject to subsequent consultation. The authorization may be expressed in writing, orally or by means of unequivocal conduct of the data subject that allows reasonably concluding that it was granted. In no case may silence be understood as authorization.
At the time of requesting the authorization,
C.I. PROCAPS must inform clearly and expressly:
a. Name and identification of the person from whom authorization is being requested.
b. The identification and channels of
C.I. PROCAPS as Data Controller.
c. Identification of the data being collected, when applicable.
d. The specific purposes for which the authorization is requested.
e. The service channels and the procedure for the exercise of their rights of consultation, update, rectification, deletion and revocation.
f. The rights of the data subject.
g. The optional nature of the answers to the questions or requests concerning sensitive data or data of children and adolescents, when applicable.
When the authorization includes several purposes,
C.I. PROCAPS will seek to differentiate them clearly, distinguishing the necessary ones from the accessory or optional ones. The data subject’s refusal regarding the latter will not affect the main relationship, unless it concerns strictly indispensable data or purposes.
C.I. PROCAPS may use privacy notices, short formats, forms, messages, electronic interfaces or any other suitable mechanism to inform the data subject about the processing of their personal data and the way to access this Policy, without prejudice to the obligation to obtain the authorization when it is legally necessary.
When
C.I. PROCAPS uses the privacy notice, it will have the purpose of informing the data subject about the existence of this Policy, the way to access it, the purposes of the processing, the rights they have and the mechanisms provided to know its substantial changes. The disclosure of the privacy notice does not exempt
C.I. PROCAPS from making this Policy known to the data subject.
In case of substantial changes in the identification of
C.I. PROCAPS or in the purposes of the processing that may affect the content of the authorization,
C.I. PROCAPS will inform the data subject of said changes in a timely manner before implementing them. When the substantial change concerns the purpose of the processing,
C.I. PROCAPS will request a new authorization.
Paragraph. When, for technical, operational, space, format, number of characters reasons or due to the nature of the channel used, it is not possible to incorporate in the authorization all of the information indicated here,
C.I. PROCAPS may complement it by express reference to this Personal Data Protection and Processing Policy and/or to the corresponding Privacy Notice, which will be understood to be incorporated in a complementary manner for all purposes, provided that the data subject is informed of the clear, simple and permanent way to access or consult them.
13. PRIVACY NOTICE.
When it is not possible to make this Personal Data Protection and Processing Policy available to the data subject at the time of the collection of the information,
C.I. PROCAPS will inform, by means of a Privacy Notice, the existence of this Policy, the way to access it, the purposes of the processing and other relevant information about the processing of personal data, at the latest at the time of its collection.
C.I. PROCAPS may use general or specific privacy notices, depending on the channel, means, process, activity, service, form, application, microsite, event, program or point of contact through which the personal data are collected. Said notices may complement this Policy and develop in greater detail aspects related to the scope of the processing, the categories of data collected, the specific purposes, the use of technologies such as cookies, the recipients of the information, the retention conditions, the channels for the exercise of rights and other particular conditions applicable in each case.
The Privacy Notice will contain, at a minimum:
a. The identification and contact details of
C.I. PROCAPS.
b. The processing to which the personal data will be subjected and the purpose thereof.
c. The rights of the data subject.
d. The mechanisms provided so that the data subject knows this Policy and the substantial changes that occur in it or in the respective Privacy Notice.
The Privacy Notice may be disclosed through physical or electronic documents, forms, data messages, web pages, applications, microsites, banners, printed notices, bulletin boards, telephone recordings or any other suitable mechanism that guarantees the duty to inform the data subject.
The current Privacy Notice may be consulted by data subjects in the privacy section available on the following website:
www.sofgenpharma.com
Paragraph. The Privacy Notice may be modified, updated or replaced by
C.I. PROCAPS when necessary. The substantial changes that occur in it will be informed to the data subjects through the same means or mechanisms used for its disclosure, or by any other suitable means that allows its knowledge and consultation.
14. EVENTS IN WHICH THE AUTHORIZATION OF THE DATA SUBJECT OF THE PERSONAL DATA IS NOT NECESSARY.
The authorization of the data subject of the information will not be necessary in the following cases:
a. Information required by a public or administrative entity in the exercise of its legal functions or by judicial order.
b. Data of a public nature.
c. Cases of medical or sanitary emergency.
d. Processing of information authorized by law for historical, statistical or scientific purposes.
e. Data related to the Civil Registry of persons.
First Paragraph. When
C.I. PROCAPS carries out processing of personal data under any of the legal exceptions in which the data subject’s authorization is not required, it will keep an internal record of the applicable ground, the purpose of the processing, the source of the information and, when applicable, the legal, administrative, contractual, sanitary or judicial support that justifies its appropriateness.
Second Paragraph. When applicable,
C.I. PROCAPS may obtain the authorization of the data subject by means of unequivocal conduct that allows reasonably concluding that they authorized the processing of their personal data, provided that they have previously been clearly informed of the existence of the processing, its purpose and the way to access the Personal Data Protection and Processing Policy or the corresponding Privacy Notice. In telephone channels, the voluntary continuation of the call after the warning about the processing of the data may constitute unequivocal conduct, when there is sufficient prior information. In video surveillance systems, the voluntary entry or permanence in duly marked areas may constitute unequivocal conduct for the capture of images for security, access control or protection of property and facilities purposes.
15. LEGITIMATION FOR THE EXERCISE OF THE DATA SUBJECT’S RIGHT
The rights of the data subject established by Law may be exercised by the following persons:
a. By the data subject, who must sufficiently prove their identity by the various means that
C.I. PROCAPS makes available to them.
b. By the successors of the data subject, who must prove such status.
c. By the representative and/or attorney of the data subject, upon accreditation of the representation or power of attorney.
d. By stipulation in favor of another or for another.
The rights of children and adolescents will be exercised by the persons who are empowered to represent them.
Paragraph. Before handling a petition, inquiry or claim,
C.I. PROCAPS may verify the identity of the requester and require accreditation of the capacity in which they act, including, when applicable, documents that demonstrate the status of successor, legal representative or attorney. The information requested for these purposes must be relevant and limited to what is strictly necessary to validate the legitimation.
16. PROCESSING TO WHICH THE DATA WILL BE SUBJECTED AND THE PURPOSE THEREOF.
The processing of the personal data of the data subjects with whom
C.I. PROCAPS relates in the development of its corporate purpose, including clients, suppliers, consumers, distributors, contractors, candidates, collaborators, shareholders and other stakeholders, will be carried out in accordance with the applicable legal framework and in accordance with the following general purposes, without prejudice to the specific purposes informed to the data subject at the time of the collection of their personal data:
a. Internally manage the commercial, contractual, operational and administrative relationship with clients, distributors, suppliers and other stakeholders of the different business segments of
C.I. PROCAPS.
b. Send communications, correspondence, text messages, instant messaging messages, emails or make telephone contact with clients, distributors and consumers, through the channels authorized and permitted by law, in relation to commercial, advertising, marketing, promotional, sales and other related activities.
c. Carry out personnel selection processes, manage contractual and labor relationships, guarantee compliance with the obligations derived therefrom and grant benefits to employees, directly or through third parties.
d. Carry out potential analysis, segmentation and profiling for commercial purposes with respect to suppliers, distributors and/or clients, when applicable and in accordance with the authorizations granted and the applicable regulations.
e. Manage procedures, requests, petitions, complaints and claims; carry out risk analysis; and conduct satisfaction surveys with respect to the products and services of
C.I. PROCAPS.
f. Manage, analyze and investigate events, incidents, quality complaints and other developments related to the pharmaceutical and/or marketed products of
C.I. PROCAPS, including pharmacovigilance activities, when applicable.
g. Carry out follow-up of the persons who consume and/or acquire the products marketed by
C.I. PROCAPS, for purposes of service, support, quality, product safety, request management and other related activities.
h. Develop corporate social responsibility activities aimed at the different stakeholders of
C.I. PROCAPS.
i. Manage the security of persons, property, facilities and information assets under the custody of
C.I. PROCAPS.
j. Organize, structure, store, safeguard and manage databases for the development of the purposes described in this Policy.
k. Comply with legal, regulatory, contractual, administrative and judicial obligations, as well as attend to requirements of competent authorities.
In particular, and depending on the stakeholder concerned,
C.I. PROCAPS may process the personal data for the following specific purposes:
a. Purposes regarding clients or users of the products or services:
- Carry out the relevant procedures for the development of the pre-contractual, contractual and post-contractual stage with
C.I. PROCAPS, with respect to any of the products or services offered by the company, whether or not they have been acquired by the Data Subject, or with respect to any underlying business relationship they have with
C.I. PROCAPS.
- Register the Data Subject in the systems, spreadsheets, listings, files or records, physical or electronic, managed by
C.I. PROCAPS, for purposes of the execution of the commercial legal relationship established with the company.
- Carry out the electronic invoicing procedures of the products or services acquired by the Data Subject.
- Maintain the support of operations, the follow-up of incidents and compliance with contractual and legal obligations.
- Comply with the legal, regulatory and contractual obligations of
C.I. PROCAPS.
- Send messages, notifications or alerts through the channels authorized and permitted by law, to send and disclose legal, security, contractual, business, educational, commercial, advertising, promotional, marketing information, raffles, events or other benefits.
- Send electronic messages, make telephone contacts, or carry out communications through the channels authorized and permitted by law, to confirm, update or validate the personal data of the Data Subject when necessary for the execution of the legal relationship established with
C.I. PROCAPS.
- Contact the Data Subject through email, instant messaging, text messages, formal communications or telephone calls, for the sending of contractual, informative documents, account statements or invoices related to the obligations derived from the contracts entered into with
C.I. PROCAPS.
- Supply information to third parties contractually linked to
C.I. PROCAPS, when necessary for the execution of the contracted object, the provision of associated services or compliance with legal or contractual obligations.
- Carry out archiving and document management tasks, in accordance with the current legal provisions.
- Carry out administrative and analytical activities, such as the administration of information systems, accounting, invoicing, audits, marketing and, when applicable, processing and verification of checks.
- Share information with commercial allies for the offering of products and services, complying with the authorizations required by law and by this Policy.
- Communicate news about
C.I. PROCAPS products and invite to events or programs organized by the company.
- Attend to petitions, complaints, claims, requests, returns, warranties and other procedures related to the products or services offered by
C.I. PROCAPS.
- Consult, verify and confirm credit and commercial information of the Data Subject in Risk and/or Information Centers, or before any other public or private, national, foreign or multilateral entity that administers or manages databases or credit, financial, commercial or service information, for purposes of evaluating and, when applicable, granting financing with respect to the goods or products acquired with
C.I. PROCAPS, provided that it has the corresponding authorization.
- Make reports to the risk and information centers, complying with the conditions and procedures established in the current regulations, especially in Law 1266 of 2008 and its concordant regulations.
- Administer and manage the risks of Money Laundering, Terrorism Financing, corruption and, when applicable, financing of the proliferation of weapons of mass destruction, through procedures for the knowledge and verification of counterparties and beneficial owners, due diligence, consultation of lists, identification of alerts, monitoring, adoption of control measures and attention to requirements of competent authorities.
- Manage reports, alerts, quality complaints, events related to product safety and pharmacovigilance or technovigilance activities, when applicable.
b. Purposes regarding Candidates for employment:
- Process the employment applications that
C.I. PROCAPS receives from candidates, handle them and resolve them within the stipulated time, according to the selection process or the call;
- Contact the Data Subject through email, instant messaging, text messages, formal communications, telephone calls and other channels authorized and permitted by law, in relation to the selection process or the call.
- Verify and validate the information supplied by the candidate, including, when applicable, their resume, academic background, work experience, references and other supports related to the selection process.
- Schedule, conduct and evaluate interviews, tests, assessments or other selection mechanisms defined by
C.I. PROCAPS.
- Evaluate the aptitude and suitability of the candidate for the position to which they aspire and, when applicable, comply with the requirements of preventive and occupational medicine in accordance with the current regulations.
- Carry out the archiving and document management tasks of
C.I. PROCAPS, in accordance with the current legal provisions.
- Keep the candidate’s information for future selection processes, when this has been informed to the data subject and is appropriate in accordance with the law.
- Administer and manage the risks of Money Laundering, Terrorism Financing, corruption and other applicable compliance risks, through procedures of knowledge, validation and verification defined by
C.I. PROCAPS.
- Share the candidate’s information with branches, subsidiaries or associated companies with which
C.I. PROCAPS maintains corporate or collaboration ties, when there is a vacancy or selection process in which their profile may be considered, provided that this has been informed to the data subject and the applicable regulations are complied with.
- Carry out validations related to ethics, transparency, fraud prevention, conflicts of interest and other integrity verifications that are appropriate within the selection process.
c. Purposes regarding workers (employees):
- Manage compliance with the terms established in the labor relationship, including affiliation and contributions to the social security system, signing of the employment contract, administration of developments, generation and processing of payroll payments and labor benefits.
- Comply with the applicable regulations regarding labor matters, social security, pensions, occupational risks, family compensation funds, taxes and other legal obligations of
C.I. PROCAPS.
- Comply with instructions, requirements and orders issued by competent judicial, administrative or control authorities.
- Implement and execute labor, organizational, administrative and operational policies, procedures and strategies of
C.I. PROCAPS.
- Include the Data Subject in training, education, evaluation, development, welfare, occupational safety and health, organizational culture programs and activities and other initiatives aimed at the personnel of
C.I. PROCAPS.
- Carry out preventive and occupational medicine, occupational health and health surveillance of workers, together with the occupational risk administrator, occupational health providers and other authorized third parties, in accordance with the applicable regulations.
- Contact the Data Subject to give instructions, coordinate activities, send communications and manage matters related to the functions, responsibilities and obligations derived from the labor relationship.
- Carry out archiving, custody and document management tasks of the labor information, in accordance with the current legal provisions.
- Create cards, credentials and/or identification mechanisms of the Data Subject, including, when necessary, proportional and legally appropriate, the processing of biometric data for identification and security purposes, which will be managed as sensitive data with the measures and authorizations required by law.
- Establish and carry out access controls to the facilities, restricted areas and physical or technological resources of
C.I. PROCAPS, including, when necessary, proportional and legally appropriate, the use of biometric data for authentication, security and access control purposes, subject to the applicable regulations on sensitive data.
- Contact the Data Subject through email, instant messaging, text messages, formal communications, telephone calls and other channels authorized and permitted by law, for the sending of contractual, labor, administrative, informative or support documents related to the labor relationship.
- Share information with commercial allies for the offering of products and services, complying with the authorizations required by law and by this Policy.
- Communicate news about
C.I. PROCAPS products and invite the Data Subject to events, programs or activities organized by the company.
- Carry out administrative and analytical activities, such as the administration of information systems, accounting, invoicing, audits and, when applicable, processing and verification of checks.
- Publish the face and personal image of the Data Subject in management reports, internal communications, bulletin boards and corporate material of
C.I. PROCAPS, to document the organizational structure or training, development, welfare, occupational safety and health activities and other institutional activities, in accordance with the authorizations that are applicable.
- In the case of former employees,
C.I. PROCAPS may keep, even after the end of the employment contract, the information necessary to comply with legal or contractual obligations derived from the labor relationship, attend to requirements of competent authorities and issue labor certifications requested by the former employee or by third parties authorized by them.
- Carry out validations related to ethics, transparency, fraud prevention, conflicts of interest and other integrity verifications that are appropriate within the framework of the labor relationship.
- Administer and manage the risks of Money Laundering, Terrorism Financing, Corruption and other applicable compliance risks, through procedures of knowledge, verification, due diligence and validation defined by
C.I. PROCAPS.
- Administer the Data Subject’s access to platforms, information systems, technological tools, corporate accounts, devices, credentials and other physical or digital resources necessary for the development of their functions.
- Evaluate performance, follow up on the fulfillment of objectives, competencies and responsibilities of the Data Subject, as well as support training, development, promotion, internal mobility and succession processes.
- Carry out internal actions, verifications and investigations related to compliance with labor obligations, internal regulations, corporate policies, confidentiality duties, adequate use of resources, business ethics and other provisions applicable to the Data Subject.
- Manage the security of the Data Subject, business continuity, emergency response, the activation of contingency protocols and the protection of persons, property, facilities and information assets of
C.I. PROCAPS.
- Administer the emergency contact information of the Data Subject and use it when necessary to attend to incidents, emergencies, health situations or contingencies related to their employment.
- Manage occupational safety and health activities, including reports, investigations of incidents or accidents, occupational evaluations, follow-up of labor restrictions or recommendations and compliance with preventive programs, in accordance with the applicable regulations.
- Manage travel, per diems, reservations, accesses, authorizations and other logistical aspects associated with the development of the Data Subject’s functions.
- Administer extra-legal benefits, agreements, subsidies, welfare programs, insurance and other initiatives offered by
C.I. PROCAPS or by third parties in favor of the Data Subject, in accordance with the authorizations that are applicable.
- Use the Data Subject’s information for the attention of requirements, complaints, audits, administrative, judicial or extrajudicial actions, as well as for the defense of the rights and interests of
C.I. PROCAPS.
- Keep and use the information of former employees to attend to legal or contractual obligations, issue certifications, manage authorized labor references, attend to requirements of authorities and defend the interests of
C.I. PROCAPS.
d. Purposes regarding Suppliers or Contractors:
- Register the Data Subject in the systems, spreadsheets, listings, files or records, physical or electronic, managed by
C.I. PROCAPS, for purposes of the provision of the contracted services.
- Carry out the electronic invoicing procedures of the contracted services.
- Maintain the support of operations, the follow-up of incidents and compliance with contractual and legal obligations.
- Comply with the legal, contractual, regulatory and administrative obligations of
C.I. PROCAPS.
- Send electronic messages, make telephone contacts or carry out communications through the channels authorized and permitted by law, to confirm or validate personal data of the Data Subject necessary for the execution of the legal relationship established with
C.I. PROCAPS.
- Contact the Data Subject through email, instant messaging, text messages, formal communications or telephone calls, for the sending of contractual, informative documents, account statements or invoices related to the obligations derived from the contracts entered into with
C.I. PROCAPS.
- Grant access to portals or interaction platforms of suppliers and/or contractors to carry out internal processes of
C.I. PROCAPS associated with the contractual relationship.
- Supply information to third parties contractually linked to
C.I. PROCAPS, when necessary for the execution of the contracted object, the provision of the service, the associated operational management or compliance with legal or contractual obligations.
- Carry out archiving and document management tasks of
C.I. PROCAPS, in accordance with the current legal provisions.
- Validate, verify and consult economic, commercial and transactional information of the Data Subject with the purpose of establishing, executing and maintaining the legal relationship with
C.I. PROCAPS.
- Carry out administrative and analytical activities, such as the administration of information systems, accounting, invoicing, audits, marketing and, when applicable, processing and verification of checks.
- Share information with commercial allies for the offering of products and services, complying with all the authorizations required by law and by this Policy.
- Communicate news about
C.I. PROCAPS products and invite to events or programs organized by the company.
- Consult, verify and confirm credit and commercial information of the Data Subject in risk or information centers, or before public or private, national or foreign entities that administer credit, financial, commercial or service databases, when applicable for the relationship with
C.I. PROCAPS.
- To make reports to risk and information centers, all the conditions and procedures established in the current regulations will be complied with, especially Law 1266 of 2008 and concordant regulations.
- Carry out validations related to ethics, transparency, fraud prevention, conflicts of interest and other integrity verifications that are appropriate for the linking, execution and follow-up of the contractual relationship.
- Administer and manage the risks of Money Laundering, Terrorism Financing, corruption and other applicable compliance risks, through procedures of knowledge, verification, due diligence and consultation of lists defined by
C.I. PROCAPS.
- Manage physical and logical access to facilities, restricted areas, systems or information assets of
C.I. PROCAPS that are necessary for the execution of the contract, including security controls, credentials, entry records and traceability measures.
- Attend to audits, reviews, controls and performance evaluations of the supplier or contractor, as well as improvement plans, when necessary to ensure the quality, continuity and compliance of the service.
- Manage occupational safety and health (OSH) obligations applicable to the execution of the contract, when the supplier/contractor provides services on the premises of
C.I. PROCAPS or under conditions that require it.
e. Purposes regarding Shareholders of C.I. PROCAPS:
- Comply with the obligations and rights derived from their status as a shareholder of
C.I. PROCAPS.
- Send electronic, physical and/or telephone communications to their contact details to inform, summon or convene them to meetings of the corporate bodies of
C.I. PROCAPS, and/or to send them documents and reports that will be submitted for consideration at said meetings.
- Send communications and information necessary for the exercise of their rights as a shareholder, and/or for the compliance with the obligations of
C.I. PROCAPS towards its shareholders.
- Carry out the activities of comprehensive administration of the shareholders’ registry book, including updates, certifications, annotations and corresponding controls.
- Contact the Data Subject through email, instant messaging, text messages, formal communications, telephone calls and other
channels authorized and permitted by law, for the sending of documents, informative communications, account statements or documentation related to their status as a shareholder of
C.I. PROCAPS.
- Carry out archiving and document management tasks, in accordance with the current legal provisions.
- Attend to procedures, requests, complaints and claims submitted by shareholders and respond through the channels provided for that purpose.
- Communicate news about
C.I. PROCAPS products and invite to events or programs organized by
C.I. PROCAPS, when applicable and in accordance with the applicable authorizations.
- Give access to the information to judicial or administrative authorities that request it in the exercise of their legal functions.
- Administer and manage the risks of Money Laundering, Terrorism Financing, corruption and other applicable compliance risks, through procedures of knowledge, verification, due diligence, consultation of lists and validations defined by
C.I. PROCAPS.
- Carry out validations related to ethics, transparency, fraud prevention, conflicts of interest and other integrity verifications that are appropriate for the issuer–shareholder relationship and compliance with corporate obligations.
- Comply with the activities and purposes necessary for the issuer–shareholder relationship, in accordance with the applicable regulations and the bylaws and decisions of the corporate bodies of
C.I. PROCAPS.
f. Processing of Sensitive Personal Data Obtained Through Video Surveillance.
C.I. PROCAPS uses video surveillance systems installed in different internal and external areas of its facilities or offices. As a result, it informs the general public about the existence of these mechanisms through visible and sufficient notices, in which the existence of the system, the contact channels and the way to access the Policy that governs the processing of the captured information are indicated.
The information collected through these systems is used to: (i) protect the security of persons, property, facilities and information assets; (ii) control, verify and support the access control to sites, offices and establishments; (iii) prevent, detect and investigate security incidents and attend to requirements of competent authorities; and (iv) serve as evidentiary support in internal or external actions, when necessary and appropriate.
The images and/or video recordings will have restricted access and may only be consulted by authorized personnel or by third parties who, as Processors, provide services associated with the system (for example, monitoring, maintenance or support), under obligations of confidentiality and security.
First paragraph. C.I. PROCAPS may supply images or video recordings only: (i) to competent judicial or administrative authorities, when there is a valid requirement or order; (ii) to the data subject or to legitimate persons, when appropriate within the framework of the exercise of rights, upon verification of identity and legitimation; and (iii) in the other cases permitted by law. In any case,
C.I. PROCAPS will adopt reasonable measures to protect the rights of third parties who may appear in the images.
Second paragraph. The authorization for the processing of images captured by video surveillance may be obtained by means of unequivocal conduct, when the data subject, duly informed through visible notices, enters or voluntarily remains in areas marked as areas under video surveillance.
Third paragraph. The recordings will be kept only for the time strictly necessary to fulfill the described purposes, in accordance with the internal retention criteria and the applicable legal provisions, and will then be deleted or subjected to restriction/secure archiving measures when applicable.
Fourth paragraph. C.I. PROCAPS will inform the data subject, at the time of the collection or through the notices and channels provided, the purposes of the processing and the way to exercise their rights.
g. Processing of biometric data for security and access control to restricted areas.
C.I. PROCAPS may implement access control mechanisms based on biometric validation in restricted access areas or reinforced security areas, when necessary, proportional and reasonable for the protection of persons, property, facilities, information assets and compliance with internal security controls.
These areas may include, among others, areas for the storage or handling of controlled raw materials, inventory warehouses, laboratories, quality areas, production zones, technical rooms, server rooms, areas with sensitive or regulated documentation, and other spaces that, due to their operational or regulatory criticality, require strict entry and permanence controls.
For these purposes,
C.I. PROCAPS may require the prior collection of biometric data of employees and/or contractors authorized to access said areas, for the exclusive purpose of authentication, identity verification and access control. The biometric data, by their nature, will be treated as sensitive personal data, and their collection and use will be carried out under a reinforced protection standard.
In the implementation of these mechanisms,
C.I. PROCAPS:
I. Will inform in advance, clearly and expressly the specific purpose of the biometric processing, the type of biometric data to be collected, the system to be used, the scope of the control and the areas to which it applies.
II. Will obtain explicit, prior and informed authorization from the data subject (employee or contractor), leaving verifiable and consultable evidence of said authorization, unless a legal exception applies.
III. Will inform the optional nature of supplying biometric data, as they are sensitive data, and will evaluate and implement, when reasonable, less intrusive authentication alternatives for those who do not grant authorization, especially when this does not compromise the security of the area.
IV. Will limit the processing to what is strictly necessary for access control, avoiding secondary or incompatible uses (for example, commercial purposes, disciplinary purposes not related to security, or reuse for different purposes).
V. Will implement reinforced technical, human and administrative security measures, including strict access control, encryption or equivalent measures, segregation of environments, audit logs, and consultation and use restrictions.
VI. Will restrict access to the biometric data only to strictly authorized personnel and/or to third-party Processors that provide services associated with the system, under contractual obligations of confidentiality, security, non-use for their own purposes and incident management.
VII. Will define retention and deletion criteria: the biometric data will be kept only during the time necessary for access control or while the data subject has valid authorization to enter the restricted area, and will be deleted or rendered unusable when the purpose ceases, the authorization is revoked (when applicable) or the contractual/labor relationship ends, without prejudice to legal retention obligations.
VIII. Will adopt procedures to attend to requests for consultation, update, deletion or revocation of authorization, when appropriate in accordance with the law and without affecting compliance with security obligations and internal controls.
IX. In case of security incidents that may compromise biometric data, it will activate the internal incident management protocols and adopt corrective and preventive measures.
The implementation of biometric mechanisms will not imply that
C.I. PROCAPS processes these data for purposes other than authentication and access control to restricted areas. Any extension of purposes will require prior information and, when applicable, a new authorization.
17. COLLECTION, MARKETING AND COMMERCIAL COMMUNICATIONS.
C.I. PROCAPS may process personal data for the management of commercial, advertising, promotional, marketing and/or collection communications, when there is a sufficient legal basis and, when applicable, prior, express and informed authorization of the data subject, in accordance with the personal data protection regulations and with Law 2300 of 2023 to the extent applicable.
1. Contact channels and preferences of the data subject.
C.I. PROCAPS will carry out commercial or collection communications through suitable channels, authorized and permitted by law, respecting the preferences, revocations, oppositions, exclusions and no-contact requests registered by the data subject.
C.I. PROCAPS will implement mechanisms so that the data subject may request, at any time, the cessation of commercial or promotional communications through the channels provided in the Policy and the Privacy Notice.
2. Exclusion registry and control measures.
For commercial and advertising communications,
C.I. PROCAPS will verify, when applicable, the Registry of Excluded Numbers (RNE) and/or equivalent exclusion mechanisms defined by a competent authority, and will adopt internal controls (exclusion lists, segmentation, registry of consents and “no contact”) to avoid improper sendings.
3. Direct collection or by third parties.
When
C.I. PROCAPS carries out collection actions directly or through third parties, it will establish controls so that the management is carried out in a proportional, respectful and lawful manner, and will require from suppliers or third-party Processors contractual obligations of confidentiality, security, restricted use and traceability. The foregoing includes the obligation of the third party to respect the instructions of
C.I. PROCAPS, the authorized channels and the restrictions applicable to the processing.
4. Contact with references or third parties.
When the operation involves contact with references or third parties,
C.I. PROCAPS will limit the processing to the minimum necessary, will refrain from disclosing irrelevant information and will apply criteria of necessity, purpose and restricted access, in accordance with the personal data protection regime and the rules applicable to contactability.
5. Evidence and demonstrated accountability.
C.I. PROCAPS will keep verifiable evidence of (i) the authorizations granted when they are required, (ii) the exclusion or opposition mechanisms, (iii) the traceability of relevant campaigns or communications, and (iv) the measures adopted to attend to cancellation or no-contact requests.
18. SENSITIVE DATA.
C.I. PROCAPS will restrict the processing of sensitive personal data and, in general, will refrain from collecting or processing them except when it is strictly necessary, proportional and legally permitted. In any case, when
C.I. PROCAPS collects sensitive data, it will inform the data subject: (i) the optional nature of answering questions or supplying sensitive data, and (ii) the specific purpose of the processing:
In the case of sensitive personal data,
C.I. PROCAPS may make use and processing of them when:
a. The Data Subject has given their explicit authorization to said Processing, except in cases where by law such authorization is not required.
b. The Processing is necessary to safeguard the vital interest of the Data Subject and they are physically or legally incapacitated. In these events, the legal representatives must grant their authorization.
c. The Processing refers to data that are necessary for the recognition, exercise or defense of a right in a judicial process
.
d. The Processing has a historical, statistical or scientific purpose. In this event, the measures leading to the suppression of the identity of the Data Subjects must be adopted.
First paragraph. Without prejudice to the provisions of this chapter,
C.I. PROCAPS will apply reinforced rules for the processing of sensitive personal data. In particular,
C.I. PROCAPS:
I. Will inform the data subject, in advance and clearly, the optional nature of supplying sensitive data and the specific purpose of the processing, unless an applicable legal exception exists.
II. Will limit the collection and processing of sensitive data to what is strictly necessary and proportional for the informed purpose, avoiding excessive collection or incompatible uses.
III. Will restrict access to sensitive data to strictly authorized personnel under the principle of access by necessity, applying reinforced security and confidentiality measures (including access controls, traceability, segregation and reasonable technical measures such as encryption or equivalents).
IV. Will keep the sensitive data only for the time necessary to fulfill the informed purpose or for the terms required by law, and will then proceed to their deletion, anonymization or restriction, as appropriate.
C.I. PROCAPS, as a general rule, will not subject sensitive personal data to automated decision-making or profiling processes that produce legal effects or significant impacts on the data subject.
Likewise,
C.I. PROCAPS will restrict the use of artificial intelligence or advanced analytics systems for the processing of sensitive data whenever possible, privileging less intrusive alternatives. When, exceptionally, it is necessary to use automated technologies or AI to process sensitive data,
C.I. PROCAPS:
- Will verify the existence of a sufficient legal basis and, when applicable, will obtain explicit authorization;
- Will carry out a prior risk assessment and, when a high risk is likely, a personal data protection impact assessment;
- Will implement significant human supervision, controls to prevent biases or discrimination, and precautionary measures when there is uncertainty about relevant harms;
- Will document the justification, the purpose, the mitigation measures and the traceability of the processing.
Paragraph. Access to sensitive data will be restricted to strictly authorized personnel and reinforced measures of security, confidentiality and minimization will be applied. Sensitive data will be kept only for the time necessary to fulfill the informed purpose or for the terms required by law. Biometric data are considered sensitive data and will be treated under reinforced standards as provided in the previous chapter.
19. PROCESSING OF PERSONAL DATA IN ARTIFICIAL INTELLIGENCE SYSTEMS AND AUTOMATED DECISIONS.
When
C.I. PROCAPS uses, develops, contracts or implements artificial intelligence (AI) systems, advanced analytics, profiling or automation that imply the processing of personal data —including training, testing, validation, deployment, monitoring and continuous improvement— it will apply the principles of the Colombian personal data protection regime and the guidelines issued by the Superintendence of Industry and Commerce.
1. Weighing, necessity and proportionality.
C.I. PROCAPS will previously evaluate whether the processing of personal data by means of AI is suitable, necessary, reasonable and proportional for the intended purpose, privileging less intrusive alternatives when possible.
2. Precautionary approach and risk management.
C.I. PROCAPS will adopt a preventive and risk management approach, so that, if there is reasonable uncertainty about relevant effects on data subjects, it will implement mitigation measures, restrictions or abstention from the processing when applicable.
3. Impact assessment (PIA/EIPD).
When a high risk to the rights of data subjects is likely (for example, use of sensitive data, biometric data, massive processing, automated decisions with relevant effects, use of new models or sources),
C.I. PROCAPS will carry out a personal data protection impact assessment that, at a minimum, describes the processing, identifies risks, establishes mitigation measures, defines security controls and leaves traceability of decisions.
4. Data from open sources and “publicly accessible” information.
C.I. PROCAPS will not process personal data obtained from the internet, social media or open sources merely because they are accessible to the public, without previously verifying a sufficient legal basis and the applicable information and transparency conditions.
5. Sensitive data and minors.
C.I. PROCAPS will restrict the use of AI for the processing of sensitive data and data of children and adolescents, privileging non-automated alternatives when possible. As a general rule,
C.I. PROCAPS will not subject sensitive data to automated decision-making processes with legal effects or significant impacts on the data subject, except for legal authorization and reinforced controls.
6. Quality, biases and operational explainability.
C.I. PROCAPS will adopt measures to ensure quality, relevance and updating of the data used by AI systems, and will apply controls to prevent undue biases, discrimination and relevant errors. When the processing involves automated decisions with significant impact,
C.I. PROCAPS will implement significant human supervision and review mechanisms.
7. Suppliers, platforms and chain of sub-processors.
When
C.I. PROCAPS uses third-party tools (including AI as a service), it will require contractual and technical guarantees: restricted use, confidentiality, security, sub-processors, incidents, audit, international transfer/transmission, and deletion/return of data as appropriate.
8. Evidence and demonstrated accountability.
C.I. PROCAPS will document: the legal basis, purposes, risk assessment, impact assessment when applicable, mitigation decisions, controls implemented, relevant tests and audits, in order to demonstrate compliance before data subjects and authorities.
20. DATA OF CHILDREN AND ADOLESCENTS
The processing of personal data of children and adolescents is prohibited, except when it concerns data of a public nature, and when such processing complies with the following parameters and/or requirements:
a. That they respond to and respect the best interest of children and adolescents.
b. That the prior, express and informed authorization of the legal representative of the child or adolescent be obtained, unless an applicable legal exception exists.
c. That the right of the child or adolescent to be heard be guaranteed, and that their opinion be valued taking into account their maturity, autonomy and capacity to understand the matter.
d. That respect for their fundamental rights be ensured.
e. That the processing be limited to the data strictly necessary for the informed purpose and that reinforced measures of security, confidentiality and restricted access be adopted.
Paragraph. The processing of personal data of children and adolescents will be exceptional and will be carried out with reinforced measures of security, confidentiality and restricted access.
C.I. PROCAPS will not use these data for advertising or commercial prospecting purposes, nor will it subject them to profiling or automated decisions with significant impacts, except for express legal authorization.
C.I. PROCAPS may implement reasonable mechanisms to verify the identity and the status of legal representative of the person granting the authorization and will keep said data only for the time strictly necessary for the informed purpose, except for legal obligation.
21. TECHNOLOGY TRANSFER AND ADOPTION OF PLATFORMS THAT PROCESS PERSONAL DATA.
C.I. PROCAPS recognizes that the acquisition, licensing, implementation, integration, update or use of technologies that imply the processing of personal data (including platforms, software, cloud services, analytical tools, AI systems, cybersecurity solutions, HR, CRM, ERP, quality management and laboratories) may generate risks to the rights of data subjects. Therefore, it will adopt the applicable instructions issued by the Superintendence of Industry and Commerce for technology transfer processes with incidence on personal data.
1. Prior due diligence.
Before implementing or contracting a technology that processes personal data,
C.I. PROCAPS will carry out a prior assessment that includes, depending on the case:
a) description of the processing, categories of data, purposes and roles (Controller/Processor);
b) identification of flows, remote accesses, sub-processors and possible international transfers/transmissions;
c) review of security measures (access control, segregation, audit logs, encryption or equivalent measures, retention and deletion);
d) risk assessment and definition of mitigation measures; and
e) when a high risk is likely, a personal data protection impact assessment.
2. Privacy by design and by default.
C.I. PROCAPS will incorporate privacy controls by design and by default in technological planning and adoption, so that by default only the information necessary for each purpose is processed and exposure surfaces are reduced.
3. Contracts and minimum guarantees.
C.I. PROCAPS will require that the contracts with suppliers or related companies that participate in the processing include, at a minimum: scope, instructions, purposes, confidentiality, security, incident management, sub-processors, audit, return/deletion, cooperation with data subjects and authorities, and rules of international transmission/transfer when applicable.
4. Countries with a lower level of protection and equivalent standards.
When a technology implies access or processing from jurisdictions with a lower level of protection,
C.I. PROCAPS will establish agreements that ensure minimum standards equivalent to those required by Colombian regulations, including contractual, technical and organizational safeguards.
C.I. PROCAPS may use model contractual clauses as a complementary tool when applicable.
5. Implementation, monitoring and continuous improvement.
C.I. PROCAPS will not put critical technologies into operation without having implemented the safeguards defined in the prior assessment. Subsequently, it will carry out periodic follow-up and reviews (technical and compliance) to verify the continuity of controls, supplier changes, new sub-processors, software updates, variations in international flow and emerging risks.
6. Evidence.
C.I. PROCAPS will keep evidence of the prior assessment, internal approvals, mitigation decisions, contracts, audits and reviews, as part of its demonstrated accountability.
22. PERSONS TO WHOM THE INFORMATION MAY BE SUPPLIED
The information that meets the conditions established by law may be supplied to the following persons:
a. To the data subjects, their duly accredited successors or their legal representatives or attorneys.
b. To public or administrative entities in the exercise of their legal functions or by judicial order.
c. To third parties authorized by the data subject or by law.
Paragraph. Before supplying information,
C.I. PROCAPS may request and verify the identity of the requester and the capacity in which they act, in order to guarantee restricted access and avoid unauthorized disclosures. Likewise, when
C.I. PROCAPS communicates personal data to third parties acting as Data Processors, said communication will be carried out under the applicable legal and contractual conditions, with obligations of confidentiality, security and restricted use of the information.
23. INTERNATIONAL DATA TRANSFER
C.I. PROCAPS will not carry out the transfer of personal data to countries that do not provide adequate levels of protection, in accordance with article 26 of Law 1581 of 2012 and the standards set by the Superintendence of Industry and Commerce.
It is understood that a country offers an adequate level of protection when it complies with the standards set by the Superintendence of Industry and Commerce. When the country of destination is not recognized with an adequate level,
C.I. PROCAPS will verify whether the transfer is covered by a legal exception or whether it is appropriate to request the declaration of conformity before the Superintendence of Industry and Commerce.
Exceptionally,
C.I. PROCAPS may carry out international transfers of personal data when any of the grounds provided for in article 26 of Law 1581 of 2012 is configured, among them:
a. The data subject has granted their prior, express and unequivocal authorization to carry out the transfer.
b. Exchange of medical data when required by the processing for reasons of public health or hygiene.
c. The transfer is necessary for the execution of a contract between the data subject and
C.I. PROCAPS as Data Controller and/or Data Processor.
d. Bank and stock market transfers in accordance with the legislation applicable to said transactions.
e. Transfer of data agreed within the framework of international treaties to which Colombia is a party, based on the principle of reciprocity.
f. Transfers legally required to safeguard a public interest or for the recognition, exercise or defense of a right in a judicial process.
First paragraph. When an international transfer occurs,
C.I. PROCAPS will subscribe the agreements that regulate in detail the obligations, burdens and duties of the parties, including technical, human and administrative measures that ensure a standard of protection equivalent to that required by Colombian regulations, especially when the country of destination has a lower level of protection.
Second paragraph. When the country of destination is not on the list of countries with an adequate level and the operation falls within the exceptions of article 26,
C.I. PROCAPS may incorporate model contractual clauses (External Circular 003 of 2025) as a tool to reinforce the protection of data subjects and standardize obligations between the parties.
Third paragraph. Prior to executing an international transfer,
C.I. PROCAPS must: (i) classify the flow as a transfer or transmission according to the role of the recipient; (ii) document the legal basis (exception, adequacy or declaration of conformity); (iii) verify technical safeguards (security, access, encryption/equivalent measures, access logs, segregation) and contractual safeguards; and (iv) keep evidence of the analysis and of the agreements subscribed, for purposes of demonstrated accountability.
The technical feasibility concept must be issued by the Technology and Information Security area, and the legal feasibility concept by the area responsible for data protection and/or legal, in accordance with the internal procedures of
C.I. PROCAPS.
24. INTERNATIONAL TRANSMISSION OF PERSONAL DATA
The international transmission of personal data (that is, the communication of data from
C.I. PROCAPS as Controller to a third party abroad that acts as Processor to carry out processing on behalf of
C.I. PROCAPS) will not require being informed to the data subject nor having their additional consent, provided that there is a contract in the terms of article 25 of Decree 1377 of 2013.
First paragraph. When related companies of the business group (parent, branches or subsidiaries) access from abroad the technological infrastructure anchored in
PROCAPS S.A. to execute support activities, technological operation or other processing on behalf of
C.I. PROCAPS, said cross-border access will be managed as international transmission and will be subject to the legal, technical and contractual safeguards provided herein.
In any case,
C.I. PROCAPS will require the subscription of a contract (or intercompany agreement) that regulates at a minimum:
a. Scope of the processing and categories of data.
b. Specific activities that the Processor will carry out on behalf of
C.I. PROCAPS.
c. Obligations of the Processor towards
C.I. PROCAPS and the data subjects, in accordance with the Colombian regime.
d. Use limited to the instructed purposes and prohibition of own or unauthorized use.
e. Rules of confidentiality, restricted access, and security measures proportional to the criticality of the information.
f Incident management: immediate notification to
C.I. PROCAPS and cooperation in containment, investigation and remediation.
g. Sub-processors: prior authorization (general or specific), equivalent obligations and traceability.
h. Location/environments of processing, remote access, access logs and audit.
i. Return or deletion of data at the end of the provision, except for applicable legal retentions.
j. Cooperation in the attention of inquiries, claims and requirements of authorities.
First paragraph.
C.I. PROCAPS may incorporate model contractual clauses (External Circular 003 of 2025) as a complementary instrument to standardize obligations and reinforce safeguards in international transmissions, especially when the Processor is located in countries without an adequate level of protection.
Second paragraph. C.I. PROCAPS will ensure that
PROCAPS S.A. maintains the central control and administration of its technological infrastructure and that security controls are applied for cross-border accesses (identity management, profiles by role, strong authentication when applicable, access logs, monitoring, segregation of environments, and cryptographic or equivalent measures), so that access from abroad does not imply a reduction of the protection standards required by Colombian regulations.
25. RETENTION, BLOCKING AND DELETION OF PERSONAL DATA
C.I. PROCAPS will keep the personal data only during the time necessary to fulfill the purposes for which they were collected and/or authorized, or as long as there is a legal, contractual, administrative or judicial obligation that requires their retention.
The retention periods may be informed to the data subject at the time of the collection and/or defined internally by
C.I. PROCAPS in accordance with: (i) the purpose of the processing, (ii) the nature of the data, (iii) the type of relationship with the data subject (labor, contractual, commercial, corporate, etc.), and (iv) the terms provided for in special regulations (labor, accounting, fiscal, tax, regulatory, security and risk management).
C.I. PROCAPS may establish and maintain internal tables, criteria or matrices for the retention and final disposition of the information. Once the applicable terms have expired, and provided that there is no retention obligation,
C.I. PROCAPS will proceed to:
a. Delete the data securely, avoiding their recovery; or
b. Anonymize the information when possible and appropriate; or
c. Restrict/Block the processing, when it must be kept only for purposes of archiving, evidentiary support, attention of claims, legal compliance or defense of rights.
The deletion or restriction will be carried out by applying reasonable technical and organizational measures to avoid unauthorized access, improper disclosures or re-identification, as appropriate.
26. PROCEDURES FOR THE ATTENTION OF INQUIRIES, CLAIMS AND PETITIONS.
Data subjects, their successors, legal representatives or attorneys may exercise their rights through the service channels provided by
C.I. PROCAPS. Before handling a request,
C.I. PROCAPS may verify the identity of the requester and the capacity in which they act, in order to avoid unauthorized access or disclosures.
Service channels:
| City |
Address |
Email |
| Barranquilla (Colombia) |
Street 80 No. 78 B - 201 |
habeasdata@procaps.com.co |
INQUIRIES. Data subjects or their successors may consult the personal information of the data subject that is in any database of
C.I. PROCAPS. The data subject may send their questions or inquiries related to their personal data collected and processed by
C.I. PROCAPS through the indicated service channels.
C.I. PROCAPS will resolve the concern or inquiry within ten (10) business days following the date on which it was received. When it is not possible to attend to the inquiry within said term, the interested party will be informed before the expiration of the 10 days, expressing the reasons for the delay and indicating the date on which the inquiry will be attended, which in no case may exceed five (5) business days following the expiration of the first term.
CLAIMS. The data subject (or their successors) who considers that the information contained in any database of
C.I. PROCAPS should be corrected, updated or deleted, or when they notice the alleged non-compliance with any of the legal duties, may submit a claim through the indicated service channels.
The claim must contain at a minimum: (i) identification of the data subject, (ii) description of the facts that give rise to the claim, (iii) address and contact details to receive a response, and (iv) the documents to be presented.
If the claim is incomplete,
C.I. PROCAPS will require the interested party within the five (5) business days following its receipt to remedy the faults. After two (2) months have elapsed from the date of the requirement without the requester presenting the required information, it will be understood that they have withdrawn the claim.
Once the complete claim has been received,
C.I. PROCAPS will include in the database a legend that says “CLAIM IN PROCESS” and the reason for it, within a term no greater than two (2) business days. Said legend must be maintained until the claim is decided.
The maximum term to attend to the claim will be fifteen (15) business days counted from the day following the date of its receipt. When it is not possible to attend to it within said term, the interested party will be informed before the expiration of the referred term of the reasons for the delay and the date on which the claim will be attended, which in no case may exceed eight (8) business days following the expiration of the first term.
REVOCATION OF THE AUTHORIZATION. The data subject may request the revocation of the authorization granted for the processing of their personal data when applicable.
C.I. PROCAPS will evaluate the request and, if viable, will cease the processing for the affected purposes. The revocation will not have retroactive effects on processing validly carried out previously and will not proceed when there is a legal or contractual duty that obliges to keep or continue processing certain information.
DELETION. The right to deletion of data is not absolute,
C.I. PROCAPS may deny it when:
a. The data subject has a legal or contractual duty to remain in the database.
b. The deletion of data hinders judicial or administrative actions linked to fiscal obligations, to the investigation and prosecution of crimes or to the update of administrative sanctions.
c. The data are necessary to protect the legally protected interests of the data subject; to carry out an action in the public interest, or to comply with an obligation legally acquired by the data subject.
d. In case the cancellation of the personal data is appropriate,
C.I. PROCAPS must operationally carry out the deletion in such a way that the deletion does not allow the recovery of the information.
27. AREA RESPONSIBLE FOR AND IN CHARGE OF THE PROTECTION OF PERSONAL DATA
C.I. PROCAPS has designated a person and/or area responsible for the personal data protection function, in charge of processing the requests of data subjects for the exercise of the rights provided for by law and of coordinating the implementation of the personal data protection program within the organization.
PERSONAL DATA PROTECTION OFFICER
This will be the person and/or unit in charge of leading the personal data protection program in
C.I. PROCAPS, processing the requests of data subjects and coordinating the cross-cutting implementation of the system. In development of the foregoing, it will have, among others, the following functions:
a. Receive, process and attend to the requests, petitions, inquiries or claims submitted by data subjects, their successors, representatives or attorneys, including reasonable verification of identity and legitimation when necessary.
b. Administer and maintain the internal personal data protection system in
C.I. PROCAPS and coordinate its implementation with the areas involved.
c. Maintain an inventory of databases and coordinate compliance with obligations associated with the RNBD, including registrations, updates and periodic reports in accordance with the requirements of the competent authority.
d. Coordinate the management of international transfers and transmissions from the perspective of data protection, including the review of contractual safeguards and, when applicable, the management of declarations of conformity or other applicable instruments.
e. Plan and coordinate training and organizational culture strategies in personal data protection, with an approach by profiles and access levels.
f. Coordinate internal audits or periodic reviews to verify compliance with the Policy and the associated procedures.
g. Accompany the attention of visits, requirements, investigations and communications of competent authorities regarding personal data protection.
h. Manage and follow up on the risk management program of personal data processing, promoting controls and continuous improvements.
i. Coordinate the management of security incidents that compromise personal data and their report to the Superintendence of Industry and Commerce within the applicable terms, including the report through the RNBD when applicable.
j. Present periodic reports to Senior Management on the status of the program, relevant risks, incidents, audits and improvement plans.
k. Propose adjustments, updates or new internal guidelines regarding personal data protection and submit them for approval when applicable.
The Personal Data Protection Officer will act in coordination with the areas of Technology/Information Security, Legal/Compliance, Human Talent and process leaders, to ensure the effective implementation of technical, administrative and contractual controls, as well as the management of incidents, accesses and risks associated with the processing.
28. INFORMATION SECURITY
C.I. PROCAPS implements and maintains reasonable technical, human, administrative, physical and organizational measures proportional to the risk, aimed at protecting personal data against unauthorized access, loss, misuse, alteration, destruction or unauthorized disclosure. These measures are part of the information security system of
C.I. PROCAPS and are applied in harmony with this Policy.
C.I. PROCAPS may allow access to personal data to third parties acting as Data Processors (including technological suppliers and/or related companies that provide services to
C.I. PROCAPS), provided that there are agreements or contracts that impose obligations of confidentiality, security, restricted use, incident management, subcontracting and other conditions required by the applicable regulations and by this Policy.
C.I. PROCAPS does not guarantee the absolute non-existence of security incidents; however, it undertakes to maintain reasonable controls proportional to the risk, as well as procedures for prevention, detection, response and continuous improvement.
First paragraph. In the event of a security incident that may compromise personal data,
C.I. PROCAPS will activate its internal response protocols, including containment, analysis, remediation, documentation and adoption of corrective measures. When applicable,
C.I. PROCAPS will report the incident to the Superintendence of Industry and Commerce in the applicable terms, including the report through the RNBD when appropriate.
Second paragraph. Before implementing, acquiring, contracting, licensing, integrating or using platforms, applications, technological tools, cloud services, software, advanced analytics or artificial intelligence systems that imply the processing of personal data,
C.I. PROCAPS will carry out a prior assessment aimed at verifying privacy and security risks and safeguards.
Said assessment may include, depending on the case: (i) definition of the scope of the processing, categories of data and purposes; (ii) identification of roles (Controller/Processor), flows and international transfers or transmissions; (iii) review of access controls, encryption or equivalent measures, audit logs, segregation, retention and deletion; (iv) verification of sub-processors and technological supply chain; (v) risk analysis and mitigation measures, including, when a high risk is likely, the performance of a personal data protection impact assessment; and (vi) review of contractual clauses of confidentiality, security, incidents, cooperation and restricted use.
C.I. PROCAPS will document the conclusions of this assessment and will adopt corrective or preventive measures before putting the technology into operation, especially when it concerns tools based on artificial intelligence or processing that involves sensitive data, biometric data or automated decisions.
29. ATTENTION OF REQUIREMENTS OF ADMINISTRATIVE AND JUDICIAL ENTITIES
The Personal Data Protection Officer, together with the legal representative and/or the responsible areas determined internally, will attend to visits, requirements for information or requests related to personal data made by competent judicial or administrative authorities.
C.I. PROCAPS may disclose personal data when there is a valid requirement or order issued by a competent authority, in accordance with the applicable regulations. In these cases,
C.I. PROCAPS will verify the scope of the requirement and will supply only the information strictly necessary, leaving internal traceability of the request and of the response delivered.
30. VALIDITY AND MODIFICATIONS
This Policy was approved by the Senior Management of
C.I. PROCAPS and modifies all the provisions that had been issued previously in the organization.
The databases in which the personal data will be registered will have a validity equal to the time during which the information is maintained and used for the purposes described in this Policy. Once those purposes are fulfilled and provided that there is no legal or contractual duty to keep the information, the data will be deleted from our databases.
31. APPROVAL AND DISCLOSURE
This document was reviewed, analyzed and approved for its implementation by the Board of Directors of
C.I. PROCAPS.
C.I. PROCAPS will carry out the corresponding disclosure with the stakeholders and a record thereof will be kept.