DATA TREATMENT POLICY

  • IDENTIFICATION

NAME: NEXOS SOFTWARE SAS (hereinafter NEXOS)

ADDRESS: Calle 49 Sur 45-300 Oficina 1803, Envigado (Antioquia)

ELECTRONIC MAIL: [email protected]

PHONE OF THE RESPONSIBLE PARTY: (4) 604-6935

  • LEGAL FRAMEWORK

Article 15 of the Constitution of the Republic of Colombia establishes that any person has the right to know, update and rectify the personal data that exists about him/her in data banks or files of public or private entities. Likewise, it orders those who have personal data of third parties to respect the rights and guarantees provided in the Constitution when such information is collected, processed and circulated.

Statutory Law 1581 of October 17, 2012 establishes the minimum conditions to carry out the legitimate processing of personal data of customers, employees and any other natural person. Article 18 (k) of said law obliges those responsible for the processing of personal data to “adopt an internal manual of policies and procedures to ensure proper compliance with the law and, in particular, for the handling of queries and complaints”. Article 25 of the same law establishes that data processing policies are mandatory and that failure to comply with them will result in sanctions. Said policies cannot guarantee a lower level of treatment than that established in Law 1581 of 2012.

Decree 1377 of 2013 defines the minimum information that data processing policies must contain.

  • DEFINITIONS

  • AUTHORIZATION: prior, express and informed consent of the holder to carry out the processing of personal data.

  • PRIVACY NOTICE: verbal or written communication generated by the responsible party, addressed to the holder for the processing of his/her personal data, by means of which he is informed about the existence of the information processing policies that will be applicable to him, the way to access them and the purposes of the processing that is intended to be given to the personal data.

  • DATABASE: organized set of personal data that is subject to processing, either on physical or magnetic media.

  • SUCCESSOR: person who has succeeded another due to the death of the latter (heir).

  • PERSONAL DATA: any piece of information linked to one or several determined or determinable persons or that may be associated to a natural or legal person.

  • PUBLIC DATA: data that is not semi-private, private or sensitive. Public data includes, among others, data relating to the marital status of individuals, their profession or trade, and their status as merchants or public servants. By their nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins, and duly executed court rulings that are not subject to confidentiality.

  • SENSITIVE DATA: sensitive data are understood as those that affect the privacy of the holder or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data relating to health, sex life, and biometric data.

  • INDISPENSABLE DATA: are understood as those personal data of the holders essential to carry out the activity of higher education in teaching, research and extension. Data of an indispensable nature must be provided by the holders of the data or those entitled to exercise these rights.

  • OPTIONAL DATA: are those data that NEXOS requires to offer additional services in research, teaching, extension, job offers, etc.

  • PROCESSOR: natural or legal person, public or private, who by himself/herself or in association with others, performs the Processing of personal data on behalf of the Data Controller.

  • DATA PROTECTION LAW: Law 1581 of 2012 and its regulatory Decrees or the rules that modify, supplement or replace them.

  • HABEAS DATA: the right of any person to know, update and rectify the information that has been collected about them in the data bank and in the files of public and private entities.

  • DATA CONTROLLER: natural or legal person, public or private, who by himself or in association with others, decides on the database and / or data processing.

  • HOLDER: natural person whose personal data is the object of Processing.

  • PROCESSING: any operation or set of operations on personal data, such as collection, storage, use, circulation or suppression.

  • TRANSFER: the transfer of data takes place when the person responsible and/or in charge of the processing of personal data, located in Colombia, sends the information or personal data to a recipient, which in turn is responsible for the processing and is located inside or outside the country.

  • TRANSMISSION: processing of personal data that involves the communication of it within or outside the territory of the Republic of Colombia when the purpose of the processing is carried out by the processor on behalf of the controller.

  • PRINCIPLES

In the development, interpretation and application of Law 1581 of 2012, which establishes general provisions for the protection of personal data and the rules that complement, modify or add to it, the following guiding principles shall be applied in a harmonious and comprehensive manner:

  • PRINCIPLE OF LEGALITY: The processing of personal data shall be subject to the application of the legal provisions in force governing such process and other related fundamental rights.

  • PRINCIPLE OF PURPOSE: the processing must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the holder.

  • PRINCIPLE OF FREEDOM: The processing of personal data may only be carried out with the prior, express and informed consent of the Holder. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal, statutory, or judicial mandate that relieves the consent.

  • PRINCIPLE OF TRUTH OR QUALITY: the information subject to processing must be truthful, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fractioned or misleading data is prohibited.

  • PRINCIPLE OF TRANSPARENCY: the right of the holder to obtain from the data controller or data processor, at any time and without restrictions, information about the existence of data concerning him/her, must be guaranteed in the processing.

  • PRINCIPLE OF ACCESS AND RESTRICTED CIRCULATION: the processing is subject to the limits derived from the nature of the personal data, the provisions of the law and the Constitution. In this sense, the processing may only be carried out by persons authorized by the holder and/or by the persons provided for by law. Personal data, except for public information, may not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to the holders or third parties authorized by law.

  • SECURITY PRINCIPLE: the information subject to treatment by NEXOS, shall be handled with the technical, human and administrative measures necessary to provide security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.

  • PRINCIPLE OF CONFIDENTIALITY: Each and every one of the persons involved in the processing of personal data, undertake to keep and maintain strict confidentiality of such data; likewise undertake not to disclose to third parties the information, or part of it, collected in the course of their duties. All persons linked by employment and/or contractual relationship with NEXOS for the development of activities must sign an additional document or addendum to their employment or service contract in order to ensure such commitment. This obligation persists and is maintained even after the end of their relationship with any of the tasks included in the Processing.

  • PURPOSE OF THE PERSONAL DATA COLLECTED

The purpose for which the collection of personal data and their treatment by NEXOS is carried out is proper to the development of the corporate purpose and includes requesting personal data for:

  1. Executing the existing contractual relationship with its customers, suppliers and employees, including the payment of contractual obligations.

  2. Providing the services and/or products required by its users.

  3. Informing about new products or services and/or changes in them.

  4. Evaluating the quality of service.

  5. Conducting internal studies on consumption habits.

  6. Sending to the physical mail, email, cell phone or mobile device, via text messages (SMS and/or MMS) or through any other analog and/or digital means of communication created or to be created, commercial, advertising or promotional information about the products and/or services, events and/or promotions of commercial or non-commercial nature of these, in order to promote, invite, direct, execute, inform and in general, carry out campaigns, promotions or contests of commercial or advertising nature, conducted by NEXOS.

  7. Developing the process of selection, evaluation and employment.

  8. Registering the information of employees and/or pensioners (active and inactive).

If personal data is provided, such information will be used only for the purposes stated herein, and therefore, NEXOS will not proceed to sell, license, transmit, or disclose it, unless:

  1. There is express authorization to do so.

  2. It is necessary to allow contractors or agents to provide the services entrusted.

  3. It is necessary in order to provide our services and/or products.

  4. It is required or permitted by law.

NEXOS may subcontract with third parties for the processing of certain functions or information. Where it effectively subcontracts with third parties for the processing of personal information or provides personal information to third-party service providers, NEXOS advises such third parties of the need to protect such personal information with appropriate security measures, prohibits the use of the information for their own purposes, and requests that personal information not be disclosed to others.

  • RIGHTS OF THE HOLDER OF THE INFORMATION

The holder of the personal information will have the following rights:

  1. Know, update and rectify their personal data against NEXOS in its capacity as data controller. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading, or those whose treatment is expressly prohibited or has not been authorized.

  2. Request proof of the authorization granted to NEXOS except when expressly exempted as a requirement for the treatment (cases in which authorization is not necessary).

  3. Be informed by NEXOS, upon request, regarding the use given to their personal data.

  4. File complaints before the Superintendence of Industry and Commerce for violations of the provisions of Law 1581 of 2012, once the consultation or complaint process has been exhausted before the Data Controller.

  5. Revoke the authorization and/or request the deletion of the data when the Processing does not respect the principles, rights and constitutional and legal guarantees.

  6. Access, free of charge, their personal data that have been subject to processing.

  7. When the request is made by a person other than the holder and it is not certified that he/she is acting on behalf of the holder, it will be considered as not submitted.

  • RIGHTS OF CHILDREN AND ADOLESCENTS

In the Processing, respect for the prevailing rights of boys, girls and adolescents shall be ensured. The processing of personal data of boys, girls and adolescents is prohibited, except for data of a public nature. It is the task of the State and educational entities of all kinds to provide information and train legal representatives and guardians on the possible risks faced by boys, girls and adolescents regarding the improper processing of their personal data, and to provide knowledge about the responsible and safe use by boys, girls and adolescents of their personal data, their right to privacy and protection of their personal information and that of others.

  • DUTIES OF NEXOS

By virtue of this policy of treatment and protection of personal data, NEXOS has the following duties, without prejudice to the provisions of the law:

  1. Guarantee the holder, at all times, the full and effective exercise of the right of habeas data.

  2. Request and keep a copy of the respective authorization granted by the holder.

  3. Duly inform the holder about the purpose of the collection and the rights he/she is entitled to by virtue of the authorization granted.

  4. Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.

  5. Guarantee that the information is truthful, complete, exact, updated, verifiable and understandable.

  6. Update the information, thus covering all new events with respect to the holder’s data. Additionally, all necessary measures must be implemented to keep the information updated.

  7. Rectify the information when it is incorrect and communicate accordingly.

  8. Respect the security and privacy conditions of the holder’s information.

  9. Process the consultations and claims formulated in the terms indicated by law.

  10. Identify when certain information is under discussion by the holder.

  11. Inform at the request of the holder about the use given to his/her data.

  12. Inform the data protection authority when there are violations to the security codes and there are risks in the administration of the holder’s information.

  13. Comply with the requirements and instructions given by the Superintendence of Industry and Commerce on the particular subject.

  14. Use only data whose treatment is previously authorized in accordance with the provisions of Law 1581 of 2012.

  15. NEXOS will use the personal data of the holder only for those purposes for which it is duly authorized and respecting in any case the current regulations on protection of personal data.

  • THE NATIONAL REGISTRY OF DATABASES

NEXOS will proceed, in accordance with current legislation and the regulations issued for that purpose by the National Government, to register the databases held by the company before the National Registry of Databases (RNBD), which will be administered by the Superintendence of Industry and Commerce and will be freely available for consultation by citizens.

  • AUTHORIZATIONS AND CONSENTS OF THE HOLDER

Notwithstanding the exceptions provided for in the Law, the processing of personal data of the holder requires the prior and informed authorization of the holder, which must be obtained by any means that may be subject to subsequent consultation.

The authorization of the Holder shall not be necessary when dealing with:

  • Information required by a public or administrative entity in the exercise of its legal functions or by court order.

  • Data of a public nature.

  • Cases of medical or health emergency.

  • Processing of information authorized by law for historical, statistical or scientific purposes.

  • Data related to the Civil Registry of Individuals.

NEXOS in the terms set forth in the Law generated a notice in which the holders are informed that they can exercise their right to the processing of personal data through the web page www.nxs.com.co and the e-mail [email protected].

  1. Means and manifestations to grant the authorization. The authorization may be recorded in a physical document, electronic, data message, Internet, Websites, in any other format that allows to guarantee its subsequent consultation, or through a suitable technical or technological mechanism, which allows to express or obtain the consent via click or double click, by which it can be concluded unequivocally, that if there had not been a conduct of the holder, the data would never have been captured and stored in the database.

  2. Proof of authorization. NEXOS will use the mechanisms currently in place, and will implement and adopt the necessary actions to maintain records or suitable technical or technological mechanisms of when and how it obtained authorization from the holders of personal data for the processing thereof. In order to comply with the above, physical files or electronic repositories may be established.

  • LEGITIMACY FOR THE EXERCISE OF THE HOLDER’S RIGHT

The rights of the holders established in the Law may be exercised by the following persons:

  1. By the holder, who must prove his/her identity sufficiently by the various means made available to him/her by NEXOS.

  2. By the successors of the holder, who must prove such capacity.

  3. By the representative and/or attorney-in-fact of the holder, prior accreditation of the representation or power of attorney.

  4. By stipulation in favor of another or for another.

  5. The rights of boys, girls and adolescents shall be exercised by the persons empowered to represent them.

  • TREATMENT OF SENSITIVE DATA

In the case of sensitive personal data, it may be used and processed when:

  1. The Holder has given his/her explicit authorization to such Processing, except in cases where the granting of such authorization is not required by law;

  2. The Processing is necessary to safeguard the vital interest of the Holder and he/she is physically or legally incapacitated. In these events, the legal representatives must grant their authorization;

  3. The Processing is carried out in the course of legitimate activities and with due guarantees by a foundation, NGO, association or any other non-profit organization, whose purpose is political, philosophical, religious or trade union, provided that they refer exclusively to its members or to persons who maintain regular contacts by reason of their purpose. In these events, the data may not be provided to third parties without the authorization of the Holder;

  4. The processing refers to data that are necessary for the recognition, exercise or defense of a right in a judicial process;

  5. The Processing has a historical, statistical or scientific purpose. In this event, the measures leading to the suppression of the identity of the Holders must be adopted.

The processing of personal data of boys, girls and adolescents is prohibited, except in the case of data of a public nature, and when such processing complies with the following parameters and/or requirements:

  1. that they respond to and respect the best interests of boys, girls and adolescents.

  2. that it ensures respect for their fundamental rights.

Once the above requirements are met, the legal representative of the boys, girls or adolescents will grant the authorization, after the minor has exercised his or her right to be heard, an opinion that will be assessed taking into account the maturity, autonomy and ability to understand the matter. NEXOS will ensure the proper use of the processing of personal data of boys, girls or adolescents.

  • PERSONS TO WHOM THE INFORMATION MAY BE PROVIDED

The information that meets the conditions established by law may be provided to the following persons:

  1. To the holders, their successors (when those are absent) or their legal representatives.

  2. To public or administrative entities in the exercise of their legal functions or by court order.

  3. To third parties authorized by the holder or by the law.

  • PERSON OR AREA RESPONSIBLE FOR ADDRESSING REQUESTS, QUERIES AND COMPLAINTS

NEXOS has designated the Administrative Management as the area responsible for ensuring compliance with this policy within the company, with the support of the Legal Department, Functional areas that handle the Personal Data of Data Holders and professionals in Information Security. This unit will be attentive to resolve requests, inquiries and complaints from the holders and to make any update, rectification and deletion of personal data, through email [email protected] or in writing and in person at the offices of NEXOS.

  • PROCEDURE FOR HANDLING QUERIES, CLAIMS AND PETITIONS

When the request is made by a person other than the holder, the legal capacity or mandate to act must be duly accredited; and if such capacity is not accredited, the request will be considered as not submitted.

  1. CONSULTATIONS: The Holders or their successors may consult the personal information of the Holder held by NEXOS, who will provide all the information contained in the individual record or that is linked to the identification of the Holder. The consultation shall be made through the mail [email protected] or in writing and in person at the offices of NEXOS with the following information:

  1. The name and means of contact to receive the answer such as telephone, e-mail, residence address.

  2. Documents proving the identity or representation of his/her representative.

  3. The clear and precise description of the personal data with respect to which the holder seeks to exercise any of the rights.

  4. If necessary, other elements or documents that facilitate the location of the personal data.

The consultation will be answered within a maximum term of ten (10) business days from the date of receipt thereof. When it is not possible to address the consultation within such term, the interested party will be informed, stating the reasons for the delay and indicating the date on which the consultation will be addressed, which in no case may exceed five (5) working days following the expiration of the first term.

  2. CLAIMS: The Holder or his/her successors who consider that the information contained in a database should be corrected, updated or deleted, or when they notice the alleged breach of any of the duties contained in the law, may file a claim with NEXOS by email [email protected] or in writing and in person at the NEXOS Offices, which will be processed under the following rules:

  1. The claim shall be formulated by means of a request addressed to NEXOS with the identification of the Holder, the description of the facts that give rise to the claim, the address, and accompanying the documents to be asserted. If the claim is incomplete, the interested party will be required within five (5) days of receipt of the claim to correct the faults. After two (2) months from the date of the requirement, without the applicant submitting the required information, it will be understood that the claim has been abandoned. In the event that the person receiving the claim is not competent to resolve it, he/she will transfer it to the appropriate person within a maximum term of two (2) business days and will inform the interested party of the situation.

  2. Once the complete claim is received, it will be catalogued with the label “claim in process” and the reason for it within a term not exceeding two (2) business days. Said label will be maintained until the claim is decided.

  3. The maximum term to address the claim shall be fifteen (15) business days from the day following the date of its receipt. When it is not possible to address the claim within such term, the interested party will be informed of the reasons for the delay and the date on which the claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.

  3. UPDATING, RECTIFICATION AND DELETION OF DATA. NEXOS will rectify and update, at the request of the holder, the information of the latter that turns out to be incomplete or inaccurate, in accordance with the procedure and the terms indicated above, for which the holder will attach the request to the email [email protected] or in writing and in person at the offices of NEXOS, indicating the update, rectification and deletion of the data and provide documentation to support his/her request.

  4. SUPPRESSION OF DATA. The holder has the right, at any time, to request NEXOS the suppression (deletion) of some or all of his personal data when:

  1. He/she considers that they are not being treated in accordance with the principles, duties and obligations provided in Law 1581 of 2012.

  2. They are no longer necessary or relevant for the purpose for which they were collected.

  3. The period necessary for the fulfillment of the purposes for which they were collected has been exceeded.

This deletion implies the total or partial elimination of personal information as requested by the holder in the records, files, databases or processing carried out by NEXOS. It is important to note that the right of cancellation is not absolute and the data controller may deny the exercise of the same when:

  1. The request for deletion of information will not proceed when the holder has a legal or contractual duty to remain in the database.

  2. The deletion of data hinders judicial or administrative proceedings related to tax obligations, the investigation and prosecution of crimes or the updating of administrative sanctions.

  3. The data is necessary to protect the legally protected interests of the holder; to carry out an action in the public interest, or to comply with an obligation legally acquired by the holder.

  4. In the event that the cancellation of the personal data is appropriate, NEXOS must carry out the deletion in such a way that the deletion does not allow the recovery of the information.

  5. REVOCATION OF AUTHORIZATION. The holders of personal data may revoke consent to the processing of their personal data at any time, provided that it is not prevented by a legal or contractual provision. For this purpose, NEXOS will make available to the Holder the email [email protected], or the Holder may do so in writing and in person at the offices of NEXOS. If upon expiration of the respective legal term, NEXOS, as the case may be, has not deleted the personal data, the Holder shall have the right to request the Superintendence of Industry and Commerce to order the revocation of the authorization and/or the deletion of the personal data. For these purposes, the procedure described in Article 22 of Law 1581 of 2012 shall apply.

  6. COMPLAINT. The Holder or successor may file a complaint before the Superintendence of Industry and Commerce once he/she has exhausted the consultation or complaint process before NEXOS, according to the aforementioned procedure.

  • INTERNATIONAL TRANSFER AND TRANSMISSION OF PERSONAL DATA

NEXOS, in compliance with its corporate purpose and in consideration of its possible links, permanent or occasional, of a commercial nature with companies located abroad, may transfer and transmit personal data of the holders. For the international transfer of personal data of the holders, NEXOS will take the necessary measures so that third parties know and undertake to observe this Policy, under the understanding that the personal information they receive, may only be used for matters directly related to NEXOS and only while it lasts and may not be used or intended for a different purpose or objective. For the international transfer of personal data, the provisions of Article 26 of Law 1581 of 2012 will be observed.

The international transmissions of personal data carried out by NEXOS, will not require to be informed to the Holder or have their consent when there is a contract for the transmission of personal data in accordance with Article 26 of Decree 1377 of 2013. With the acceptance of this policy, the Holder expressly authorizes the transfer and transmission of Personal Information. The information will be transferred and transmitted, for all relationships that may be established with NEXOS.

  • PRIVACY NOTICE

Your personal information will be included in a database and will be used directly for the following purposes related to the corporate purpose and purposes of NEXOS:

  1. To achieve an efficient communication related to our services and other activities of NEXOS as a service provider company.

  2. To inform about new services related to those offered by the Company.

  3. To comply with obligations contracted with our clients, suppliers, and employees.

  4. To inform about changes in the Company’s services.

  5. To evaluate the quality of service.

The holders of information are informed that they can consult the policy for the treatment of personal data collected, as well as the procedures for consultation and claims that will allow them to enforce their rights to access, consultation, rectification, updating and deletion of data, through the website of NEXOS www.nxs.com.co.

  • INFORMATION SECURITY

NEXOS requests the necessary data for the recruitment of employees, for the provision of services and interaction with its customers, for the contracting of services, as well as those required by the government for the billing and payment process. In some cases, it may request additional and sensitive information which is of free and voluntary delivery by the holder of the data.

Once the data is obtained, NEXOS is committed to make a correct use and treatment of the personal data contained in its databases, avoiding unauthorized access to third parties who may know or violate, modify, disclose and / or destroy the information contained therein. For this purpose, it has security protocols and access to information, storage and processing systems, including physical measures to control security risks. Access to the different databases is restricted even for employees and collaborators. All employees are committed to confidentiality and proper handling of the databases in accordance with the guidelines on the treatment of information established by law.

  • MODIFICATION AND/OR UPDATING OF THIS POLICY

NEXOS reserves the right to modify, at any time, unilaterally, its policies and procedures for the treatment of personal data, all within the legal framework. Any changes will be published on the website https://nxs.com.co.

CONTRACTING MODEL

  1. DEFINITION OF THE VACANCY: Definition of skills and technical competencies required for the position.

  2. SEARCH AND ANALYSIS IN THE LABOR MARKET: Internal and external recruitment.

  3. PRESELECTION OF THE BEST PROFILES: Technical and professional validation of resumes to identify the best profiles for the vacancy.

  4. APPLICATION OF TECHNICAL TESTS: Evaluation and measurement of aptitudes, competencies and skills that fit the requirements of the profile, accompanied by technical interview.

  5. PSYCHOSOCIAL EVALUATION: Evaluation of soft skills and psychosocial competencies, accompanied by a competency-based interview.

  6. RECRUITMENT: Selection of the suitable person according to the results of the testing process and technical and psycho-technical interviews.

  7. HIRING: Legal formalization of the selection process.

  8. INCORPORATION INTO THE COMPANY: Adaptation and Onboarding of the new human capital to the company.

  9. TRAINING AND EDUCATION: Internal training that allows the continuous improvement of human capital, with the acquisition of attitudes, concepts, knowledge, skills or personal and professional dexterity.