Privacy Policy - Microsoft Dynamics Partner LATAM

KCP DYNAMICS BOGOTA SL

Personal Data Processing Policy

I. General considerations

This data treatment policy is based on article 15 of the Political Constitution of Colombia, which establishes the right of the persons to know, update and rectify the personal data that exist about them in the data banks or files of public or private entities. Likewise, it orders those who have personal data of third parties to respect the constitutional rights and guarantees applicable to the collection, processing and circulation of this type of information.

In line with the above, the Statutory Law 1581 of 2012 establishes the minimum conditions to carry out the legitimate processing of personal data of customers, employees and any other natural person. There it is stated that those responsible and in charge of the processing of personal data must “adopt an internal manual of policies and procedures to ensure proper compliance with this law and especially for the attention of queries and complaints”.

According to said Law, data processing policies are mandatory, and therefore, failure to comply with them entails penalties. Such policies cannot guarantee a lower level of processing than that established in the Law.

In turn, Decree 1377 of 2013 regulates some aspects concerning the content and requirements of the Information Treatment Policies and Privacy Notices.

It is also taken into account normative bases ,External Circular No 02 of November 3, 2015 and Chapter 25 Article 2.2.2.2.25.3.2. of the Sole Regulatory Decree 1074 of 2015 and jurisprudential , Constitutional Court Rulings C – 1011 of 2008, and C – 748 of 2011.

KCP – is committed to respecting the rights of its customers, suppliers, employees and third parties in general. Therefore, it adopts the following policy of treatment of personal data, which is mandatory in all activities involving the processing of personal data.

II. Obligatory nature:

These KCP policies of all KCP employees contractors and third parties acting on behalf or for the account of KCP all of them must observe and respect these policies in the performance of their duties. In cases where there is no employment relationship, a contractual clause must be included, so that those who work on behalf of KCP or on account of KCP in such a way that compliance with these policies is mandatory. In any case, KCP makes these policies available and known to such persons, in KCP ‘s information systems, which are presumed to be known and accepted by those who may act or act as KCP employees or contractors or in the name or on behalf of KCP .

Failure to comply with the aforementioned policies shall give rise to labor sanctions or contractual liability as the case may be. The above, without prejudice to the duty to respond patrimonially for the damages caused to the owners of the data or to KCP, on the occasion of the breach of these policies or the improper processing of personal data .

III. Definitions

For the purposes of these Processing Policies and other legal and contractual purposes, the following definitions are established:

Administrator: The officer in charge of managing and managing the information, appointed by KCP. – GeneralManager , who leads all actions related to as a channel of communication between employees, suppliers, contractors, customers and customer data of customers, etc. on products or services developed by KCP and that have to do with the processing of personal data.

Authorization: Prior, express and informed consent of the owner of the data to carry out the treatment.

Privacy Notice: The Privacy Notice is the physical, electronic or any other format known or to be known, which is made available to the Data Subject for the processing of personal data. Through this document, the Holder is informed of the information regarding the existence of the information processing policies that will be applicable to him/her, how to access them and the characteristics of the processing that is intended to be given to the personal data.

– Database: It is the organized set of data that is subject to processing.

Consultation: request of the data owner or the persons authorized by him/her or by the Law to know the information that rests on it in databases or files.

Personal data: Any information linked or that may be associated to one or several determined or determinable natural persons, also including in these their image and biometric data as well as those that are within the scope and limitations of the Law, including any information linked or that may be associated to a KCP client or to one or several determined or determinable natural persons, corresponding to the personnel of such client.

This personal data is classified as sensitive, public, private and semi-private.

– Sensitive personal data: Information that affects the privacy of the person or whose improper use may lead to discrimination. This includes information that reveals racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social organizations, human rights organizations or that promotes the interests of any political party or that guarantees the rights and guarantees of opposition political parties, as well as data related to health, sex life and biometric data (fingerprints, among others);

– Public personal data: It is the data qualified as such according to the mandates of the Law or the Political Constitution, and all those that are not semi-private or private. Public are, among others, the data contained in public documents, public records, official gazettes and bulletins and duly executed court rulings that are not subject to confidentiality, those relating to the marital status of individuals, their profession or trade and their status as merchants or public servants. The personal data existing in the commercial registry of the Chambers of Commerce are public. This data may be obtained and offered without any reservation whatsoever and regardless of whether it refers to general, private or personal information; and

– Private personal data. This is data that, due to its intimate or reserved nature, is only relevant to the person who owns it. Examples: merchants’ books, private documents, information extracted from the inspection of the domicile.

– Semi-private personal data. Semi-private data is data that is not of an intimate, reserved or public nature and whose knowledge or disclosure may be of interest not only to its owner but also to a certain sector or group of persons or to society in general. This type of data includes data relating to the fulfillment or non-fulfillment of financial obligations or data relating to relations with social security entities.

– Data Processor: A natural or legal person, public or private, who by himself or in association with others, carries out the processing of personal data on behalf of KCP and its clients, the Administrator shall be a data processor.

Personnel: In general, this refers to employees or workers linked to KCP. For the purposes of certain legal and contractual obligations, personnel may also include consultants, advisors and other persons or third parties who, by reason of their professional skills and their relationship with a client, supplier or partner of KCP must necessarily and undoubtedly know the information corresponding to the services of KCP.

Products: Are the products, services, tools or deliverables that KCP.- makes available to a client .

Claim: request of the owner of the data or the persons authorized by the owner or by law to correct, update or delete their personal data.

– Data Controller: Natural or legal person, public or private, who by himself or in association with others, decides on the database and / or data processing. Such person decides on the collection and purposes of data processing, KCP may be responsible for the processing of information. On the other hand, by linking with KCP a customer expressly accepts the possibility that KCP at its discretion, may be responsible for the processing of information, to develop its various products or its lines of business to third parties.

Services: Correspond to the object of a contract between KCP and a client, and are materialized or materialized in the respective products offered by KCP that the client chooses.

Information system: Shall mean any system used to generate, send, receive, transmit, transmit, file, present or otherwise process data or data messages.

Data subject: The natural person to whom the data refers.

Processing: Any operation or set of operations on personal data, such as, among others, the collection, storage, use, circulation or deletion of such information.

Transmission: Processing of personal data that involves the communication of such data within (national transmission) or outside Colombia (international transmission) and whose purpose is the performance of a processing operation by the processor on behalf of the data controller. It can be instrumented in an agreement or contract, subscribed between KCP- and a client, for the treatment of the data, which is an integral part of the respective main contract.

Transfer: The transfer of data takes place when the person responsible and/or in charge of the processing of personal data, located in Colombia, sends the information or personal data to a recipient, which in turn is responsible for the processing and is located inside or outside the country.

Computer and technological security: Tool for the protection and safeguarding of confidential and private information by protocols of its computer systems.

IV. Principles for the treatment of personal data

The following are the principles applicable to KCP ‘s Data Processing Policies Employees, contractors, customers, clients, suppliers and partners of KCP , among others, must comply with the Policies and, therefore, the principles, when dealing, in any capacity, with KCP.

➢ On the collection of personal data

Principle of freedom: Unless otherwise provided by law, data may only be collected with the prior, express and informed consent of the owner. Personal data may not be obtained or disclosed without the prior consent of the holder, or in the absence of legal or judicial mandate that relieves the consent. The holder must be informed, in a prior, clear and sufficient manner, about the purpose of the information provided, for which reason no data may be collected without a clear explanation or specification of the purpose of such exercise. The principle of freedom must be observed both in the case of data that are collected through forms and those that are part of the attachments or documents provided by the owners of the data to KCP.

Principle of collection limitation: Only personal data that are strictly necessary for the fulfillment of the purposes of the treatment should be collected, so that the recording and disclosure of data that are not closely related to the purpose of the treatment is prohibited. Accordingly, every reasonable effort should be made to limit the processing of personal data to the minimum necessary. Thus, the data must be: (i) adequate, (ii) relevant and (iii) in accordance with the purposes for which they were intended.

➢ On the use of personal data:

Principle of purpose: The processing must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the holder. The data owner must be informed clearly, sufficiently and in advance about the purpose of the information provided and, therefore, data may not be collected without a specific purpose.

The data must be processed according to the authorized uses. If, over time, the use of personal data changes in ways that the individual does not reasonably expect, it is necessary to obtain the prior consent of the data subject again. In any case, and given the nature of KCP ‘s business activity, it is understood that every supplier, customer or partner of KCP – acknowledges and accepts, from the very moment of the link with KCP that the use of data may have different legitimate purposes, such as statistical and scientific among others. In this sense, such client, supplier or partner of KCP guarantees that its personnel has full and complete knowledge of this circumstance, and will immediately communicate to KCP any inconvenience or difficulty derived from this situation.

Principle of temporality: Personal data will be kept only for the reasonable and necessary time to fulfill the purpose of the processing and the legal requirements or instructions of the supervisory and control authorities or other competent authorities. The data will be kept when this is necessary to comply with a legal or contractual obligation. To determine the term of the treatment, the applicable rules for each purpose will be considered and the administrative, accounting, fiscal aspects KCP may regulate or contemplate this circumstance regarding temporality. Without prejudice to the legitimate use of the data once the purpose or purposes have been fulfilled, the data will be deleted.

Principle of non-discrimination: It is forbidden to carry out any act of discrimination based on the information collected in the databases or files.

Principle of reparation: In accordance with the Law, and without prejudice to the right of defense that any natural or legal person may have, it is an obligation to compensate the damages caused by possible failures in the processing of personal data.

➢ On the quality of the information:

Principle of truthfulness or quality: The information subject to processing must be truthful, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fractioned or misleading data is prohibited. Reasonable measures must be taken to ensure that the data are accurate and sufficient and, when requested by the owner or when KCP so determines, are updated, rectified or deleted when appropriate. It is understood that KCP – in carrying out its commercial activity and, ultimately, in providing its services to customers, relies on legitimate confidence in the truthfulness, completeness, accuracy, updating, verifiable and understandable nature of the information. Additionally, it is understood that, for some uses or modalities of the product or service, there could be truthful information that is not presented in its entirety, precisely due to the use or modality inherent to the product or service.

Regarding the protection, access and circulation of personal data

Principle of security: Each person linked to KCP -shallensure, through technical, human and administrative measures that are timely, appropriate, relevant and effective, the security of personal data, avoiding its adulteration, loss, consultation, use or unauthorized or fraudulent access.

Principle of transparency: In the processing, the holder’s right to obtain, at any time and without restrictions, information about the existence of data concerning him/her must be guaranteed. The above, without prejudice to the channels of communication or dialogue, established between KCP and its customers, aimed at making this principle effective in an orderly and efficient manner.

Principle of restricted access: Only the following persons shall be allowed access to personal data: (i) The owner of the data; (ii) Persons authorized by the owner of the data; (iii) Persons who, by legal mandate or court order, are authorized to know the information of the owner of the data. Personal data, except for public information, may not be available on the Internet or other means of mass dissemination or communication, unless access is technically controllable to provide restricted knowledge only to the owners or third parties authorized in accordance with this Law.

Principle of restricted circulation: Personal data may only be sent or provided to the following persons: (i) To the owner of the data; (ii) To persons authorized by the owner of the data; (iii) To public or administrative entities in the exercise of their legal functions or by court order. In the latter case, according to constitutional jurisprudence, the public or administrative entity must justify its request by indicating the link between the need to obtain the data and the fulfillment of its constitutional or legal functions. Subsequently, with the delivery of the information, the public or administrative entity will be informed that it must comply with the duties and obligations imposed by Law 1581 of 2012 as data controller. The receiving administrative entity must comply with the obligations of protection and guarantee derived from the aforementioned Law, in particular, the observance of the principles of purpose, legitimate use, restricted circulation, confidentiality and security.

Principle of confidentiality: All persons involved in the processing of personal data that are not of a public nature are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks involved in the processing, and may only supply or communicate personal data when this corresponds to the development of the activities authorized by the Law. This circumstance may be regulated or contemplated in the contracts signed by KCP Treatment to which the personal data will be submitted and the purpose thereof.

Principle of proven responsibility or accountabillity: It implies that the person responsible for the processing of personal data is called to answer for the non-observance of the above principles, since it is the one who decides on the use and processing of personal data collected, so it can not escape from its responsibility in the event that the treatment is carried out by a manager and / or third party.

V. Processing to which the personal data will be subjected and the purpose of such processing

KCP will collect, use and treat the personal data in a loyal and lawful manner to fulfill the activities of its business line or main corporate purpose, whether with the supply of technological developments such as licensing and implementation of software under different types of distribution models, maintenance and support of the same, as well as training on technological models supplied to customers and may also manage such data for the purpose of using them for the purpose of carrying out tests in technological, statistical or methodological developments.

KCP may also process personal data for the following purposes: (a) To develop the object of its contracts, according to the products contracted by a client; (b) To contribute to the greater productivity of a client and its human talent, based on the products contracted by the latter; (c) In this sense, to offer the client the information, materialized in the contracted products, which serves the latter to analyze, follow up and make decisions to improve the productivity and management of the human talent of its company; d) To carry out the pertinent steps related to the pre-contractual, contractual and post-contractual stages with the client, with respect to any of the products offered, as well as to comply with Colombian or foreign law and the orders of judicial or administrative authorities; e) To carry out invitations to events, improve products and services or offer new products, and all those activities associated with the commercial relationship or existing link with the client; f) To disclose, transfer and/or transmit personal data within and outside the country to affiliated companies or part of the client’s business organization or to third parties as a consequence of a contract, law or lawful link that so requires or to implement cloud computing services; and g) To develop new products or lines of business vis-à-vis third parties, for historical or statistical purposes, and in an impersonal manner or with anonymity of its owners, without prejudice to other treatment modalities adjusted to the applicable constitutional and legal limits. This possible use by KCP- includes marketing activities, statistics, comparative and sectorial reports, business benchmarking, market analysis, business and consumer behavior analysis, and consulting, among others. It is also understood that this use may involve KCP as a data controller, and not only as a data processor. This modality of use will take place during the term of the respective contract signed by KCP -including its possible extensions, if any- and an additional estimated period of ten (10) years, situation that will or will not be reflected in the respective contract; h) To manage procedures (i.e. i ) In order to collect data of its employees, contractors in order to manage and develop the human talent policy of the company; j) To disclose, transfer and / or transmit personal data within and outside the country to third parties as a result of a contract, the law or a lawful relationship that requires it. K) With when it has the quality of data manager and administrator under technology transfer agreements.

VI. Rights of data subjects

The persons obliged to comply with these policies must respect and guarantee the following rights of the data owners:

To know, update and rectify personal data. This right may be exercised against partial, inaccurate, incomplete, fractioned, misleading data, or data whose processing is expressly prohibited or has not been authorized. For this purpose, it is necessary to previously establish the identification of the person to prevent unauthorized third parties from accessing the data owner’s data.

Obtain proof of authorization; either because KCP required it in the first moment for its treatment or because a client or third party has requested and has such authorization, in which case the corresponding data transfer agreement will be provided.

Be informed about the use that KCP has given to the personal data of the holder or that his client has given by virtue of having provided by KCP the respective technological tools.

To process inquiries and claims following the guidelines established in the Law and in these Policies;

Access to the request for revocation of the authorization and / or deletion of personal data when the competent authority has determined that in the treatment, by KCP has incurred in conduct contrary to the Law. The holder may also revoke the authorization and request the deletion of the data, when there is no legal or contractual duty that imposes the duty to remain in the database or file of the responsible or in charge. The request for deletion of the information and the revocation of the authorization will not proceed when the holder has a legal or contractual duty to remain in the database of the data controller or processor. Such inappropriateness occurs, for example, (i) when the deletion of personal data hinders judicial or administrative proceedings related to tax obligations, the investigation and prosecution of crimes or the updating of administrative sanctions, or (ii) when the personal data is necessary to protect the legally protected interests of the holder, to carry out an action on behalf of the holder. When a contract is signed between KCP and a client, it is understood that the duty to remain in the database of the person responsible or in charge, is essential for the fulfillment of the contractual expectations of the contracting parties, and that such permanence could be extended for a period after the termination of the respective contract, provided that the constitutional and legal provisions are respected;

Access free of charge to their personal data. The information requested by the holder may be provided by any means, including electronic ones, as required by the holder. The information must be easy to read, without technical barriers that impede its access and must correspond in its entirety to the information contained in the database; and

The rights of the owners may be exercised by the following persons: a) By the owner, who must prove his identity sufficiently by the different means made available by KCP; b) By his assignees, who must prove such quality; c) By the representative and/or attorney-in-fact of the owner, prior proof of representation or power of attorney; d) By stipulation in favor of another or for another. The rights of children or adolescents shall be exercised by the persons empowered to represent them.

The rights of the holders of the data in which they are administered by means of the technological tools that KCP provides to its clients must be treated according to the data treatment policies that KCP’s clients provide or have, otherwise KCP to have responsibility in the treatment of data must be catalogued by the client as a person in charge and that a data transfer agreement has been celebrated with the client.

VII. Duties of KCP – when acting as a data processor

All parties bound by this policy should be aware that KCP has duties imposed by law. Therefore, they must act in such a way as to comply with the following duties:

➢ Duties of KCP.-with respect to the data subject.

Request and keep, under the conditions set forth in this policy, a copy of the respective authorization granted by the data owner;
Inform in a clear and sufficient manner, by itself or through its respective client, the holder about the purpose of the collection and the rights he/she has by virtue of the authorization granted;

Guarantee the holder, at all times, the full and effective exercise of the right of habeas data, that is, to know, update or rectify their personal data both of third parties and employees or contractors of the company in which their treatment is carried out by the use of technological tools or by physical or traditional means.
Inform at the request of the owner about the use given to their personal data; and
To process the queries and claims formulated in the terms indicated in the present policy.
Provide data owners with the processes and forms of access or procedures to be able to exercise their rights.

KCP’s duties regarding the quality, security and confidentiality of personal data.

Observe the principles of truthfulness, quality, security and confidentiality in the terms established in this policy;
Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access;
Update the information when necessary; and
Rectify the personal data when appropriate.
KCP has the duty and responsibility to adopt the necessary computer and technological security measures to treat personal data of third parties provided by customers in the strict case that they perform data transfer processes as a person in charge of the information.
KCP may adopt tools of artificial intelligence data processing systems such as machine learning or deep learning for the custody, storage and management of data collected by KCP or customers for which it must adopt the necessary security measures for confidentiality and reserve.

➢ Duties of KCP when performing the processing through a processor:

To provide the processor with only the personal data whose processing is previously authorized. In the case of national and international transmissions, a contract for the transmission of personal data must be signed or contractual clauses containing the provisions required by law must be agreed;
Ensure that the information provided to the data processor is truthful, complete, accurate, updated, verifiable and understandable;
Communicate in a timely manner to the person in charge of the processing, all the news regarding the data previously provided and keep it updated;
Inform in a timely manner to the data processor the rectifications made on the personal data so that it proceeds to make the appropriate adjustments;
Require the data processor at all times to respect the security and privacy conditions of the owner’s information;
Inform the data processor when certain information is under discussion by the owner, once the claim has been filed and the respective process has not been completed;

Duties of KCP with respect to the Superintendence of Industry and Commerce.

To inform it of any violations to the security codes and existence of risks in the administration of the holder’s information; and

Comply with the instructions and requirements given by the Superintendence of Industry and Commerce.

Register and update the National Registry of databases as well as the present data processing policy when required by law.

Attend to the requirements of the Superintendence regarding complaints, claims or denunciations presented.

VIII. Duties of KCP when it works as a person in charge of the treatment of personal data.

If KCP carries outthe data processing on behalf of another entity or organization that is responsible for the processing, it must comply with the following duties:

Guarantee the holder, at all times, the full and effective exercise of the right of habeas data;
Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access;
Timely updating, rectification or deletion of data;
Update the information reported by the data controllers within five (5) working days from its receipt;
Process queries and claims made by the owners in the terms set forth in this policy;
Register in the database the legend “claim being processed” in the manner set forth in this policy;

Insert in the database the legend “information under judicial discussion” once notified by the competent authority on legal proceedings related to the quality of personal data;

In the event that KCP as a technology service provider, provides distribution models of technological tools in modalities such as SaaS, IaaS, PaaS, the respective client must give the respective access and the necessary permissions to manage and treat the personal data that are entered in such platforms for this shall enter into the respective data transfer agreement in which the responsibilities of those responsible and responsible for the storage, custody and administration of personal data are delimited.

Refrain from circulating information that is being disputed by the owner and whose blocking has been ordered by the Superintendence of Industry and Commerce;
Allow access to the information only to persons authorized by the owner or empowered by law for that purpose;
Inform the Superintendence of Industry and Commerce when there are violations to the security codes and there are risks in the administration of the holder’s information; and
Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

IX. Authorization

Those obliged to comply with this policy must obtain prior, express and informed authorization from the owner to collect and process his/her personal data. This obligation also includes when employees or contractors in their respective contracts or other agreements authorize the prior and express processing of their personal data, including the right to use their image for corporate matters and biometric data in KCP. The authorization is NOT required when dealing with data of public nature, processing of information for historical, statistical or scientific purposes in which the information is not linked to a specific person and data related to the civil registry of persons.

In a contract entered into between KCP and a client, it is understood that the client, as data controller, provides KCP with the personal data contained in its databases or files, under the firm and unequivocal understanding that said client – and KCP – has been previously, expressly and informedly authorized by the natural persons, linked to its organization, for the processing of personal data. The authorization given by each of these persons must be given after knowing the relevant information required for such purposes, including the respective privacy notice. A client, for the purpose of contracting with KCP

A client , for purposes of contracting with KCP, must have informed such personnel of the scope of the respective contract and the purposes for which the data will be processed.

It is also understood that the aforementioned authorization includes or covers the sensitive data of the client’s personnel. When entering into a contract with KCP , the client expressly declares to have obtained the authorization for the processing of sensitive data of its personnel, (i) after informing each member of the personnel, in his capacity as owner, that since it is sensitive data, he was not obliged to authorize its processing; (ii) after informing each member of staff, in his capacity as owner, explicitly and in advance, in addition to the general requirements of authorization for the collection of any type of personal data, which of the data to be processed are sensitive and the purpose of the processing; (iii) after informing each member of staff, in his capacity as owner, of the optional nature of the answers that each of them may give to questions concerning sensitive data or data referring to children or adolescents (i. e. their children); (iv) after informing each member of staff, in his capacity as owner, of the optional nature of the answers that each of them may give to questions concerning sensitive data or data referring to children or adolescents (i. e. their children); (iv) after informing each staff member of their rights as owners of the information, enshrined in Article 8 of Law 1581 of 2012 and the applicable regulatory provisions; and (v) after informing their staff of the identification, telephone and physical address of those who will process their information on the occasion of the contract.

In any case, it is understood that the processing of sensitive data or not, belonging to the client’s personnel, has a statistical, historical or scientific nature, a situation that the client also declares to have informed each member of its personnel.

The consent given by the holder, will be made with any means that may be subject to subsequent consultation.

Proof of the fulfillment of the obligation to inform and of the consent must be left. If the holder requests a copy of these, they must be provided.

Authorization may also be obtained on the basis of unequivocal conduct of the data owner, which allows the reasonable conclusion that he/she has given his/her consent for the processing of his/her information. Such conduct(s) must be very clear so as not to admit any doubt or mistake about the will to authorize the processing, and the silence of the data subject shall not be considered as unequivocal conduct.

KCP will provide proof of the authorization granted by the holder when acting in the capacity of manager of the administration, custody or storage of personal data in its technological developments as well as the contracts of transfer of personal data that are concluded by virtue of having the quality of managers of such treatment.

Authorization for the processing of sensitive data.

When applicable, and the collection of sensitive data is involved, the following requirements must be met: a) The authorization must be explicit; b) The holder must be informed that he/she is not obliged to authorize the processing of such information; c) The holder must be explicitly and previously informed which of the data to be processed are sensitive and the purpose of the processing.

➢ Authorization for the processing of data of children and adolescents (NNA).

When it comes to the collection and processing of data of children and adolescents, the following requirements must be met: a) The authorization must be granted by persons who are empowered to represent the children and adolescents. The representative of the children and adolescents must guarantee their right to be heard and to assess their opinion of the processing, taking into account the maturity, autonomy and capacity of the children and adolescents to understand the matter; b) It must be informed that it is optional to answer questions about the children and adolescents’ data; c) The processing must respect the best interests of the children and adolescents and ensure respect for their fundamental rights. It must be explicitly and previously informed which of the data to be processed are sensitive and the purpose of the processing.

The persons obliged to comply with this policy must identify the sensitive data and the data of children and adolescents (children and adolescents) that they may eventually collect or store with a view to: (a) Implementing a reinforced responsibility in the treatment of this data, which translates into a greater requirement in terms of compliance with the principles and duties; (b) Increasing the security levels of this information; (c) Increasing the restrictions on access and use by KCPpersonnel – andthird parties; and (d) Keeping in mind the legal requirements and this policy for its collection.

X. International Transfer of Personal Data

When sending or transferring data to another country it will be necessary to have the authorization of the owner of the information that is the object of the transfer. Unless otherwise provided by law, such authorization is a prerequisite for the international circulation of data. In this sense, before sending personal data to data controllers located in another country, those obliged to comply with this policy must verify that they have the prior, express and unequivocal authorization of the owner that allows the transfer of their personal data. When contracting with KCP , it must be accredited that this authorization has been given by the owners.

XI. International and national transmissions of data to data processors

When KCP wishes to send or transmit data to one or more data processors located within and outside the territory of the Republic of Colombia, it must have the contractual clauses or the agreement or contract for the transmission of personal data, where it is agreed (a) the scope of the treatment; b) the activities that the data processor will perform on behalf of KCP; c) the obligations that the data processor must fulfill with respect to the data subject and KCP d) the obligation of the data processor to comply with the obligations of the data controller observing this policy; e) the data processor’s duty to process the data in accordance with the authorized purpose and observing the principles established in the Colombian Law and the present policy; and f) the data processor’s obligation to adequately protect the personal data and the databases, as well as to keep confidentiality regarding the processing of the transmitted data.

XII. Procedures for data subjects to exercise their rights

The procedures for data owners to exercise the right to know, update, rectify and delete information or revoke the authorization, can be activated or developed by the entitled persons according to article 20 of decree 1377 of 2013:

All queries and claims will be channeled through the means enabled by KCPDYNAMICS through emails datospersonales@kcpdynamics.com and telephone (+57-1) 3162684835 in Bogota, who will adopt mechanisms of proof of the filing and processing of the same.

These are the guidelines for dealing with queries and claims:

➢ Consultations

All queries made by the persons entitled to know the personal data held by KCP will be processed according to the channels that KCP has. In any case, it is necessary to leave proof of the date of receipt of the query and the identity of the applicant.

Once the identity of the owner has been verified, the required personal data will be provided. The answer to the consultation shall be communicated to the applicant within a maximum term of ten (10) working days from the date of receipt thereof. When it is not possible to answer the consultation within such term, the interested party shall be informed, stating the reasons for the delay and indicating the date on which the consultation will be answered, which, in no case, may exceed five (5) business days following the expiration of the first term.

➢ Claims – procedure

Claims are intended to correct, update, or delete data or raise a complaint for the alleged breach of any of the duties contained in Law 1581 of 2012 and in this policy.

The claim must be submitted by request addressed to KCP Such claim must contain the following information: a) Name and complete identification of the data owner or the legitimate person, with their corresponding supports; b) Precise and complete description of the facts that give rise to the claim, as well as the personal data with respect to which the owner seeks to exercise any of their rights; c) Contact details such as physical and/or electronic address and contact telephone numbers to send the response and report on the status of the process; and d) Documents and other relevant evidence that you want to assert.

If the claim is incomplete, the interested party will be required within five (5) days after receipt of the claim to correct the faults. After two (2) months from the date of the requirement, without the applicant submitting the required information, it will be understood that the claim has been abandoned.

If the claim is complete, a legend will be included in the database or information system stating “claim in process” and the reason for the claim, within a term not exceeding two (2) business days. This shall be maintained until the claim is decided.

The maximum term to address the claim shall be fifteen (15) business days from the day following the date of receipt. When it is not possible to attend the claim within such term, the interested party will be informed of the reasons for the delay and the date on which the claim will be attended, which in no case may exceed eight (8) working days following the expiration of the first term.

Rectification and updating

KCP has the obligation to rectify and update at the request of the holder, the information of the latter that turns out to be incomplete or inaccurate, in accordance with the procedure and terms indicated above. In this regard, the following shall be taken into account:

In requests for rectification and updating of personal data the holder must indicate the corrections to be made and provide documentation to support his request.

KCP, is free to enable mechanisms that facilitate the exercise of this right, as long as they benefit the holder. Consequently, electronic means may be enabled or others that it considers pertinent.

KCP may establish forms, systems and other simplified methods, which must be informed in the privacy notice and will be made available to the interested parties on the web pages.

➢ Person or area responsible for the protection of personal data.

KCPDYNAMICS Management is the person or unit responsible for the data protection function. It can be contacted via email info@kcpdynamics.com or telephone 3162684835 in Bogota.

XIII. National Database Registry:

KCP, reserves, in the events contemplated in the law and in its bylaws and internal regulations, the power to maintain and catalog certain information contained in its databases or data banks, as confidential in accordance with current standards, its bylaws and regulations. KCP will proceed in accordance with current legislation and regulations issued by the National Government, to register its databases with the National Registry of Databases (RNBD), which will be administered by the Superintendence of Industry and Commerce. The RNBD is the public directory of the databases subject to processing operating in the country; and it will be freely available for consultation by citizens, in accordance with the rules and regulations issued by the National Government for such purpose.

XIV. SECURITY MEASURES ADOPTED BY KCP FOR THE ADMINISTRATION, PROTECTION AND CUSTODY OF PERSONAL DATA

KCP will have within its company physical and technological tools in which it can prevent threats and vulnerabilities of confidential information and private information of both the company and third parties who have delegated and entrusted to KCP of such custody, storage and processing of data; likewise adopt the policies of computer security and technology that is relevant in order to adopt processes, procedures and protocols and patterns of safeguarding information and personal data. KCP will adopt as a technology development company the necessary tools and security measures when adopting artificial intelligence data processing systems such as machine learning or deep learning for the custody, storage and management of data collected by KCP or customers.

XV. MODIFICATIONS TO THE DATA PROCESSING POLICY

KCP may modify the terms and conditions of this Privacy Policy at any time. Any changes will be effective as soon as they are posted on the Website. Depending on the nature of the change, we may announce the change through: (a) the home page of the Website, or (b) an e-mail.

Validity : Due to legal provisions, the Policy is effective as of January 2024, leaving previous data processing policies without effect .