PERSONAL DATA PROCESSING POLICY (PRIVACY POLICY)
1. OBJECTIVE AND SCOPE OF APPLICATION OF THE PERSONAL DATA PROCESSING POLICY.
COMPLIANCE SOLUTIONS S.A.S. (hereinafter “COMPLIANCE SOLUTIONS”), in order to strictly comply with current regulations on the protection of Personal Data, in accordance with the provisions of Law 1581 of 2012, Decree 1377 of 2013, and other provisions that amend, add to, or supplement them, hereby presents its Personal Data Processing Policy (Privacy Policy) (hereinafter the “Policy”), which establishes general provisions for the protection of information related to, or that may be associated with, one or more identified or identifiable natural persons (“Personal Data”), by virtue of the prior authorization granted by the Data Subjects.
This Policy shall apply to all Data Subjects who have a relationship with COMPLIANCE SOLUTIONS and/or whose Personal Data has been collected and processed in any manner as a result of, or in connection with, a relationship established with COMPLIANCE SOLUTIONS, whether such Processing is carried out by COMPLIANCE SOLUTIONS or by third parties acting on its behalf.
This Policy shall apply to all Processing carried out in the territory of the Republic of Colombia by COMPLIANCE SOLUTIONS and, as applicable, by those third parties with whom agreements are entered into for the performance of all or part of any activity related to the Processing of Personal Data.
In this Personal Data Processing Policy (Privacy Policy), COMPLIANCE SOLUTIONS details the general corporate guidelines taken into account in order to protect Data Subjects’ Personal Data, the purposes of Processing, the rights of Data Subjects, the area responsible for handling complaints and claims, and the procedures to be followed to access, update, rectify, and delete the information.
COMPLIANCE SOLUTIONS, in compliance with the constitutional right to Habeas Data set forth in Article 15 of the Colombian Constitution, only collects and processes Personal Data when it has been previously authorized by the Data Subject, implementing clear measures regarding the confidentiality and privacy of Personal Data. In cases where Authorization is not required for the Processing of Personal Data, the Company shall also implement the necessary measures to process the information in accordance with current provisions.
2. DEFINITIONS.
The expressions used in capital letters in this Policy shall have the meaning given herein, or the meaning established by applicable Law or case law, as amended from time to time. Any discrepancy between the terms defined herein and those established in the Law shall be resolved in favor of the definitions provided by Law:
- Authorization: The prior, express, and informed consent of the Data Subject for the Processing of their Personal Data.
- Personal Data: Any information linked or that may be associated with one or more identified or identifiable natural persons.
- Sensitive Data: Personal Data that affects the Data Subject’s privacy or whose misuse may lead to discrimination, such as data revealing union membership, racial or ethnic origin, political orientation, religious, moral, or philosophical beliefs, membership in unions, social organizations, human rights organizations, or entities promoting political party interests or guaranteeing the rights of opposition political parties, as well as data relating to health, sex life, and biometric data.
- Processor: A natural or legal person, public or private, who, alone or in association with others, processes Personal Data on behalf of the Controller.
- Personal Data Processing Policy (Privacy Policy): Refers to this document.
- Controller: The natural or legal person, public or private, who, alone or in association with others, decides on the database and/or the Processing of Personal Data. In this case, it refers to COMPLIANCE SOLUTIONS.
- National Database Registry: The public directory of databases subject to Processing, managed by the Superintendence of Industry and Commerce of Colombia.
- Data Subject: A natural person whose Personal Data is subject to Processing.
- Transfer: The transfer of Personal Data occurs when the Controller and/or Processor of Personal Data located in Colombia sends the Personal Data to a recipient, who in turn acts as Controller, located within or outside the country.
- Transmission: The Processing of Personal Data that involves communication of such data to a third party, within or outside the territory of the Republic of Colombia, when such communication is intended to allow the Processor to process the data on behalf of and under the responsibility of the Controller, in order to fulfill the Controller’s purposes.
- Processing: Any operation or set of operations on Personal Data, such as collection, storage, use, circulation, or deletion, as well as their Transfer and/or Transmission to third parties through communications, queries, interconnections, assignments, or data messages.
3. PRINCIPLES.
COMPLIANCE SOLUTIONS, in the course of its business activities, shall collect, use, store, transmit, transfer, and in general, Process Data Subjects’ Personal Data in accordance with the purposes established in this Policy. In all Processing of Personal Data carried out by COMPLIANCE SOLUTIONS, the Controllers, Processors, and/or third parties to whom Personal Data is transferred shall comply with the principles and rules established in the Law and in this Policy, in order to guarantee Data Subjects’ right to Habeas Data and comply with the legal obligations and COMPLIANCE SOLUTIONS’ internal guidelines. These principles are:
- Principle of Legality in Processing Personal Data: The Processing of Personal Data is a regulated activity that must comply with the provisions of Law 1581 of 2012, Decree 1377 of 2013, and other applicable regulations.
- Principle of Purpose: Processing must serve a legitimate purpose in accordance with the Constitution and the Law, of which the Data Subject must be informed.
- Principle of Freedom: Processing can only be carried out with the prior, express, and informed consent of the Data Subject. Personal Data may not be obtained or disclosed without prior authorization, unless there is a legal or judicial mandate that exempts such consent.
- Principle of Truthfulness or Quality: The information subject to Processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. The Processing of partial, incomplete, fragmented, or misleading data is prohibited.
- Principle of Transparency: Processing must guarantee the Data Subject’s right to obtain from the Controller or Processor, at any time and without restrictions, information about the existence of data concerning them.
- Principle of Restricted Access and Circulation: Processing is subject to the limits derived from the nature of Personal Data. In this regard, Processing may only be carried out by those authorized by the Data Subject and/or by those provided for in Law 1581 of 2012.
- Principle of Security: Information subject to Processing by the Controller or Processor must be managed with the technical, human, and administrative measures necessary to ensure security of the records, preventing their alteration, loss, or unauthorized or fraudulent consultation, use, or access.
- Principle of Confidentiality: All persons involved in the Processing of Personal Data that is not public in nature must guarantee the confidentiality of the information, even after their relationship with any of the activities involving Processing has ended, and may only supply or disclose Personal Data when such disclosure corresponds to the development of activities authorized by Law 1581 of 2012 and under its terms.
4. INFORMATION AND MECHANISMS PROVIDED BY COMPLIANCE SOLUTIONS AS THE CONTROLLER OF PERSONAL DATA PROCESSING.
Company name: COMPLIANCE SOLUTIONS S.A.S.
Tax ID (NIT): 901.623.271-1
Domicile: Bogotá D.C.
Address: Calle 86 # 8-05. Apt. 901.
Telephone (WhatsApp): (+57) 318 7346184
Email: maria@ice-consulting.co
Website: www.ice-consulting.co
5. AUTHORIZATION, PROCESSING, AND STORAGE OF PERSONAL DATA.
At the time of collection of Personal Data, prior authorization shall be requested from the Data Subjects, informing them of the specific purposes of the Processing for which such consent is obtained, except in such cases where any of the exceptions contained in Article 10 of Law 1581 of 2012 applies.
COMPLIANCE SOLUTIONS shall carry out the Processing of Personal Data voluntarily provided by the Data Subject. In general, COMPLIANCE SOLUTIONS shall collect, store, use, circulate, transmit, and transfer the Personal Data it processes. This information may only be used by COMPLIANCE SOLUTIONS, its employees, consultants, advisors, and expressly authorized business and strategic partners who require access to such information. In any case, COMPLIANCE SOLUTIONS shall provide the Data Subject, upon request, with complete information about the persons authorized and/or the third parties who carry out the Processing of their Personal Data.
COMPLIANCE SOLUTIONS may request Sensitive Data at any time, informing the Data Subject, at the time of collection, that the data requested is of such nature, and specifying which type of Sensitive Data is to be collected. COMPLIANCE SOLUTIONS may process sensitive data if (i) the Data Subject gives explicit and voluntary consent for specified purposes; (ii) Processing is necessary to comply with legal obligations; (iii) Processing is necessary to protect the vital interests of the Data Subject or another natural person; (iv) Processing refers to Personal Data made public by the Data Subject; (v) Processing is necessary for the formulation, exercise, or defense of claims or when judges or courts act in the exercise of their judicial function; (vi) Processing is necessary for reasons of essential public interest; or (vii) Processing is mandatory by Law.
COMPLIANCE SOLUTIONS shall strictly observe the legal limitations on the Processing of Sensitive Data. Under no circumstances shall COMPLIANCE SOLUTIONS condition any activity on the provision of Sensitive Data. Sensitive Data shall be processed with the greatest possible diligence and with the highest security standards. Limited access to Sensitive Data shall be a guiding principle to safeguard its privacy and, therefore, only authorized personnel shall have access to such information.
The authorization of Data Subjects for the Processing of their Personal Data may be expressed in: (i) writing, (ii) orally, or (iii) through unequivocal conduct that reasonably allows the conclusion that authorization was granted.
COMPLIANCE SOLUTIONS shall keep proof of such authorizations properly, respecting the principles of confidentiality and privacy of information.
6. PURPOSES OF THE PROCESSING OF PERSONAL DATA.
The Personal Data collected by COMPLIANCE SOLUTIONS is included in a Database accessible to authorized personnel of COMPLIANCE SOLUTIONS in the exercise of their duties, noting that under no circumstances is Processing of the information authorized for purposes other than those described herein, and which are communicated to the Data Subject no later than at the time of collection.
Specific purposes:
- Comply with legal and contractual obligations.
- Properly execute contracted services, as well as their billing and collection.
- Promote all services offered by COMPLIANCE SOLUTIONS.
- Comply with regulations and the law, including Colombian tax law.
- Send information related to advisory services, products, and other services.
- Validate legal and commercial adequacy.
- Control for statistical purposes.
- Comply with requirements of administrative or judicial authorities.
- Manage all information necessary to comply with tax obligations and commercial, corporate, and accounting records.
- Comply with internal processes related to the management of suppliers and contractors.
- Collect information for commercial and marketing research purposes.
- Control and prevent fraud, money laundering, financing of terrorism, and financing of the proliferation of weapons of mass destruction, including but not limited to checks against binding lists, and all necessary information required to comply with regulations on fraud prevention, money laundering, terrorist financing, and proliferation financing; among these activities: providing personal data to oversight and control authorities, whether administrative, police, judicial, national, or international. The foregoing shall be in compliance with a legal or regulatory requirement.
- Control and prevent illicit activities such as fraud, corruption, money laundering, and/or terrorist financing, including but not limited to checks against binding, restrictive, or public databases.
- Allow access to personal data by auditors or third parties contracted to carry out internal or external audit processes related to COMPLIANCE SOLUTIONS’ business activities.
- Know, store, and process all information provided by the Data Subjects in one or more databases, in the format deemed most appropriate.
- Internal processes within COMPLIANCE SOLUTIONS for development, operational, and/or systems administration purposes.
- Transmission and transfer of data to third parties with whom contracts have been signed for this purpose, for commercial, administrative, marketing, and/or operational purposes, including but not limited to the issuance of badges, personalized certificates, and certifications to third parties, in accordance with current legal provisions. In any case, third parties shall be bound under the terms of this Policy.
- Maintain and process, by computer or other means, any type of information related to the client’s business in order to provide relevant services and products.
- Other purposes determined by the Controllers in processes for obtaining Personal Data for its Processing, in order to comply with legal and regulatory obligations.
The information provided by the Data Subject shall only be used for the purposes set forth herein. Once the need for Processing of the Personal Data ceases, such data shall be deleted from COMPLIANCE SOLUTIONS’ databases.
If COMPLIANCE SOLUTIONS requests sensitive data, it is noted that providing this information shall not be mandatory under any circumstances, and in the event of non-authorization by the Data Subject, no retaliation shall be taken.
7. RIGHTS OF THE PERSONAL DATA SUBJECT.
In accordance with Article 8 of Law 1581 of 2012, the Data Subject shall have the following rights:
- To know, update, and rectify their Personal Data before the Controllers or Processors. This right may be exercised, among others, with respect to partial, inaccurate, incomplete, fragmented data, data that may induce error, or data whose Processing is expressly prohibited or has not been authorized.
- To request proof of the authorization granted to the Controller, except where expressly exempted as a requirement for Processing, pursuant to Article 10 of Law 1581 of 2012.
- To be informed by the Controller or Processor, upon request, of the use given to their Personal Data.
- To file complaints before the Superintendence of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and other rules that amend, add to, or supplement it.
- To revoke authorization and/or request deletion of the data, provided there is no legal or contractual obligation requiring the Data Subject to remain in the database.
- To access, free of charge, their Personal Data that has been subject to Processing, at least once per calendar month, and whenever substantial modifications to the Processing policies occur.
8. DUTIES OF THE CONTROLLER OF PERSONAL DATA PROCESSING.
When COMPLIANCE SOLUTIONS acts as Controller, it shall have the following obligations and/or commitments:
- Obtain prior authorization when required by applicable regulation.
- Classify the requested data.
- File and manage the authorization granted by the Data Subject.
- Comply with the principles set out in this Policy.
- Address queries, complaints, or claims filed by the Data Subject.
- Secure the data provided through information security procedures.
9. PROCEDURES TO BE FOLLOWED BY THE DATA SUBJECT TO EXERCISE THEIR RIGHTS OVER PERSONAL DATA.
The Data Subject may exercise the aforementioned rights as follows:
- By electronic communication, via email: maria@ice-consulting.co
- Procedure to make inquiries (request proof of authorization, know which data has been collected, and know how such data has been processed).
The Data Subject of Personal Data, their successors, representatives, and/or attorneys-in-fact may make inquiries regarding the Personal Data held in the COMPLIANCE SOLUTIONS Databases, in accordance with the following rules:
- The request shall be reviewed to verify the identity of the Data Subject. If the request is made by a person other than the Data Subject and it is not proven that they are acting on their behalf in accordance with current laws, the request shall be rejected.
- All inquiries shall be answered within a maximum of ten (10) business days from the date of receipt. When it is not possible to respond within that period, the interested party shall be informed of the reasons for the delay and the date on which the inquiry will be answered, which shall not exceed five (5) business days after the initial deadline.
- Procedure for filing claims for updating, correction, deletion, or revocation of authorization.
The Data Subject or their successors, who consider that the information contained in the COMPLIANCE SOLUTIONS Databases should be corrected, updated, or deleted, or when they observe the alleged non-compliance with any of the duties, may file a claim in accordance with the following rules:
- The request shall be reviewed to verify the identity of the Data Subject. If the request is made by a person other than the Data Subject and it is not proven that they are acting on their behalf in accordance with current laws, the request shall be rejected.
- The claim must contain the following information: (i) Identification of the Data Subject; (ii) Contact details (physical and/or electronic address and telephone numbers); (iii) Documents proving the identity of the Data Subject, or representation; (iv) Clear and precise description of the Personal Data in respect of which the Data Subject seeks to exercise any rights; (v) Description of the facts giving rise to the claim; (vi) Supporting documents; and (vii) Signature and identification number.
- If the claim is incomplete, COMPLIANCE SOLUTIONS shall require the interested party to correct the deficiencies within five (5) days following receipt of the claim. If two (2) months pass from the date of the request without the applicant providing the required information, it shall be understood that the claim has been withdrawn.
- If the area receiving the claim is not competent to resolve it, it shall transfer the claim to the appropriate area within a maximum of two (2) business days and inform the interested party.
- Once the complete claim is received, a note stating “claim in process” and the reason for it shall be included in the database within a maximum of two (2) business days. This note shall be maintained until the claim is resolved.
- The maximum period to address the claim shall be fifteen (15) business days from the day following receipt. When it is not possible to respond within that period, the interested party shall be informed of the reasons for the delay and the date on which the claim will be resolved, which shall not exceed eight (8) business days after the initial deadline.
10. COOKIES
A cookie is a file that is sent with a request for permission to be stored on your computer. Once you accept, the file is created, and the cookie is then used to gather information about web traffic and to facilitate future visits to a recurring website. Cookies also allow websites to recognize individual users and thereby provide a better and more personalized service.
The COMPLIANCE SOLUTIONS website uses cookies to identify the pages visited and their frequency. This information is used solely for statistical analysis and is then permanently deleted.
You can delete cookies from your computer at any time. However, cookies help websites provide a better service; they do not give access to your computer or personal information unless you provide it directly.
You may accept or decline the use of cookies; however, most browsers automatically accept cookies to improve web service. You can also change your computer’s settings to decline cookies. If you choose to decline, some of our services may not be available.
11. VALIDITY OF THE POLICY.
This Policy is effective as of 23/06/2023.
The Personal Data included in Databases subject to Processing shall remain and be processed based on the temporality criterion for the contractual term of the product or service, during the period in which the purpose for which it was collected subsists, plus the term established by law.
This Policy may be amended by COMPLIANCE SOLUTIONS when required without prior notice, provided such amendments are not substantial. Only modifications regarding the purposes of Processing and the Controller’s data, or any other substantial modification, shall be previously communicated to the Data Subjects.
