PERSONAL DATA TREATMENT POLICY

En cumplimiento a lo dispuesto en la Ley Estatutaria 1581 de 2012 y sus Decretos Reglamentarios, la empresa SERACOMEX SAS. establece las Políticas aplicables para el Tratamiento y Protección de Datos Personales en la organización.

1. IDENTIFICATION OF THE DATA CONTROLLER

• NOMBRE DE LA EMPRESA: SERACOMEX SAS., sociedad comercial identificada con NIT. No. 800.230.052-1 se constituye como una empresa colombiana, con el objeto social de: (I) transporte de carga marítimo y de cabotaje, (ii) transporte aéreo internacional de carga, y (iii) actividades de consultoría de gestión.
• ADRESS: AC 26 NO. 85 D 55 LC 135.
• WEBSITE: www.seracomex.com
• PHONE NUMBER: 4161611

2. PURPOSE

La presente Política establece las directrices generales para la protección y el tratamiento de datos personales al interior de SERACOMEX SAS., permitiendo de esta manera fortalecer el nivel de confianza entre Responsables y Titular con relación al tratamiento de su información; Informar al Titular las finalidades y transferencias a que son sometidos sus datos personales y los mecanismos y formas para el ejercicio de sus derechos.

3. SCOPE

Esta Política de Protección de Datos Personales será aplicada a todas las Bases de Datos y/o Archivos que incluyan Datos Personales que sean objeto de Tratamiento por parte de SERACOMEX SAS. como Responsable del tratamiento de Datos Personales.

4. CONCEPTS

• Habeas Data: The right every subject has to know, update and rectify their personal information stored in files and Databases of natural or public nature.
• Personal Data: Any information related to an identified or identifiable natural person.
• Database: Organized set of Personal Data subject to Processing by the Data Controller. 
• Data Processing: Any operation or set of operations about personal data such as data collection, data storage, data use, data circulation or data suppression.
• Consent of the data subject: Previous consent, expressed and stated by the Subject to carry out Data Processing.
• Privacy Notice: The physical, electronic, or in any other unknown format document which made available to the Holder for the processing of the Personal Data.
• Owner: Natural person whose personal data are subject to Treatment
• • Successor: Person who by succession or transmission acquires the rights of another person.
• Data Controller: Natural or legal person, public or private, that by him/her self or in association with others, decides on the database and/or the Processing of the Data.
• Data Processor: Natural or legal person, public or private who processes personal data only on behalf of the controller.

5. APPLICABLE GUIDING PRINCIPLES IN TERMS OF PERSONAL DATA

Regarding Personal Data privacy, the following guiding principles will be applied:

a) Principle of legality in terms of Personal Data Processing: The Treatment referred to in this law is a regulated activity that must be subject to what is established in it and in the other provisions that develop it.

b) Principle of finality: Personal Data may only be processed for specified and explicitly stated purposes according to the Constitution and the Law, which must be informed to the Data Subject.

c) Principle of freedom: Data Processing can only be done under previously expressed and stated consent by the Data Subject. Personal Data can not be obtained or placed in circulation without previous consent, or in absence of legal or judicial mandate that relieves the consent.

d) Principle of clarity or quality: Personal Data subject to Processing must be veracious, complete, exact, updated, verifiable and comprehensible. It is absolutely forbidden to exercise Data Processing from partial, incomplete and/or fractioned Data.

e) Principle of transparency: Under the applicable data protection legislation, the Subject is entitled, at any time, to request access to the personal data that is processed about him/her from the Data Controller.

f) Principle of access and restricted circulation: Data Processing is subject to the limits that derive from the Personal Data nature, and from the dispositions from the present Law and Constitution. For that matter, Data Processing will only be done by people authorized by the subject and/people expected in the present law.

Personal Data, excluding public information, will not be available on the Internet or other media, except if the access is controlled to provide restricted knowledge only to the Subjects or third parties authorized according to the present law.

g) Principle of security: Personal Data will be safeguarded with a high level of security and the Data Controller has to this end taken appropriate technical and organizational security measures to protect personal Data from unauthorized access, amendment, dissemination or destruction.

h) Principle of confidentiality: Every single person that intervenes in Personal Data Processing that is not of public nature, is in the obligation of assuring the reservation of the information, even after terminated his/her relation with any of the labors regarding the Processing. He/she can only supply Personal Data when doing so corresponds to the development of authorized tasks in the present law and according to the terms.

6. RIGHTS OF THE SUBJECTS

Personal Data Holders shall have the following wrights, and those granted by the Law:

a) You are entitled, at any time, to request access to the personal data that is processed about you, to update it, rectify it, and to have erroneous personal data corrected by the Data Controller. This right can be exercised, amongst others, with partial, inconclusive, incomplete, fractioned or mistaken Data, or those which are expressively prohibited to be subject to Processing or not authorized;

b) You are entitled, at any time, to request proof of the previous consent granted to the Data Controller, except when openly presented as a requirement for the Processing, in accordance with the provisions of the article number 10 of the present law;

c) You have the right to be informed by the Data Controller and by previous request, about the use given to your Personal Data.

d) You are entitled, at any time, to lodge a complaint with the Industry and Commerce Superintendence if you consider that your personal data has been processed in contravention of the applicable data protection legislation.

e) You have the right to revoke and/or request the suppression of any Personal Data when in Processing, any of the principles, wrights and constitutional and legal guaranties are not followed by the rule. The revoke and/or suppression of any Personal Data will only proceed when the Industry and Commerce Superintendence has determined that the Data Processing executed by the Data Controller has incurred in conducts contrary to the legislation and to the Constitution.

f) You have the right to get free access of your Personal Data that has been subject to Processing.

6.1. MECANISMS TO EXCERSISE THE RIGHTS OF THE SUBJECTS

The Subject is entitled to exercise his/her rights by contacting the entity trough strict communication directed to the area in charge or Personal Data Protection, the ADMINISTRATIVE DEPARTMENT. The communication can be done through the following e-mail: documentos@seracomex.com , or by written correspondence settled in AV CALLE 16 No. 85D-55 LC 135 in the city of Bogota.

7. CONSENT OF THE DATA SUBJECT

Without detriment to the derogations determined by the Statuary Law 1581 of 2012, by general constitution in the Processing of Personal Data, SERACOMEX LETDA. will gather the previous and stated consent from the Subject, which can be obtained by any medium that can be subject for further consultation. SERACOMEX SAS. recolectará la autorización previa e informada del Titular, la cual podrá ser obtenida por cualquier medio que pueda ser objeto de consulta posterior.

7.1. Events in which previous consent is not needed

Consent of the Subject will not be needed when it comes to:

a) Information required by a public or administrative entity in function of its legal purposes or by judicial order;

b) Data of public nature;

c) Medical or sanitary emergency cases;

d) Data processing authorized by law for historic, statistical or scientific terminations;

e) Data related to Civil Registry.

8. DEBERES DE SERACOMEX SAS. COMO RESPONSABLE DEL TRATAMIENTO DE DATOS PERSONALES

SERACOMEX SAS. como Responsables del Tratamiento de datos personales, cumplirá los siguientes deberes:

a) Guarantee the Subject, in every time, the full wright to exercise habeas data.

b) Request and keep, in the conditions stated by Law, a copy of the respective previous consent granted by the Subject.

c) Inform properly to the Subject about the Data recollection purpose and the wrights that assist him/her by virtue of the given consent.

d) Keep the information under the highest security conditions needed to prevent disturbance, loss, consultation, use or unauthorized access.

e) Guarantee that the information provided to the Data Controller is veracious, complete, exact, updated, probable and comprehensible.

f) Update the information, communicating in a timely manner to the Processing Controller about all the latest changes made regarding the Data that was previously supplied and adopt the necessary measures to guarantee the constant update of the information.

g) Rectify any incorrect data and communicate it to the Data Controller.

h) Provide the person in charge of the Data Processing, as the case may be, only data whose processing is previously authorized in accordance with the provisions of this legislation.

i) Require the Processing Controller, at all times, to respect the security and privacy conditions of the Subject’s information.

j) Process the queries and claims formulated, in the terms indicated by the Statuary Law 1581 of 2012.

k) Adopt an internal policies and procedures manual to guarantee adequate compliance with the Law, especially for the attention of queries and complaints.

l) Inform the Processing Controller when certain information is under discussion by the Subject, once the claim has been submitted and the respective process has not been completed.

m) Inform at the request of the Subject about the use given to their data.

n) Inform the data protection authority when there are violations of the security codes and when there are risks in the administration of the personal data from the Subjects.

o) Comply with the instructions and requirements issued by the Commerce and Industry Superintendence.

9. SPECIFIC POLICIES FOR PERSONAL DATA PROCESSING

9.1. Processing of Personal Data from the Staff

SERACOMEX SAS. recolecta los datos personales de sus Trabajadores y Contratistas los cuales son calificados por la compañía como de reserva, y solo serán revelados por la empresa con la expresa autorización del titular o cuando una Autoridad Competente lo solicite.

Personal Data from employees of the company is used for the following purposes:

a) Fulfil the duties imposed by the Colombian employment law to the employees, and/or the orders issued by competent Colombian authorities.

b) Issue certifications regarding the existing relationship between Data Subject and the company.

c) Comply with the obligations imposed to the company as an employer, regarding the Occupational Health and Safety standards, and the entitled Occupational Health Management System.

d) Manage the functions developed by the employees.

e) Consult Memorandums or warning calls.

f) Develop and apply the corresponding disciplinary procedure.

g) Contact family members in case of emergency.

SERACOMEX SAS. almacena los datos personales de sus empleados, incluidos los que hayan sido obtenidos en desarrollo del proceso de selección, y los conserva en una carpeta identificada con el nombre de cada uno de ellos.

A tal carpeta solo tendrá acceso y será tratada por el Área de Recursos Humanos, con la finalidad de administrar la relación contractual entre SERACOMEX SAS. y el empleado.

Así mismo, contará con elevados sistemas de seguridad para el manejo de aquellos datos sensibles y su reserva, en el entendido que tales datos sensibles solo serán usados por SERACOMEX SAS., para los fines antes mencionados.

Terminada la relación laboral, SERACOMEX SAS. procederá a almacenar todos los datos personales que haya obtenido del proceso de selección y la documentación generada en desarrollo de la relación laboral, en un archivo central con acceso restringido, sometiendo en todo momento la información a medidas y niveles de seguridad adecuados, dado que la información laboral pueda contener datos de carácter sensible.

In any case, the information will not be subject to processing for a period greater than twenty (20) years starting from the termination of the employment relationship, or according to legal or contractual circumstances that make the processing of the information necessary.

9.2. SHAREHOLDER PERSONAL DATA PROCESSING

SERACOMEX SAS. recolecta los datos personales de sus Accionistas y los almacena en una base de datos la cual es calificada por la compañía como de reserva, y que solo será revelada por la empresa con la expresa autorización del titular o cuando una Autoridad Competente lo solicite.

Las finalidades para las cuales son utilizadas los datos personales de los Accionistas de SERACOMEX SAS. serán:

a) Allow the exercise of the duties and private wrights in the quality of Shareholder;

b) Enviar invitaciones a eventos programados por la empresa y en general contactar al Accionista;

c) Issue certifications regarding the relation between the Data Subject and Society;

d) The rest of the purposes stated specifically in the authorizations issued by the Shareholders.

In any case, the information will not be subject to Data Processing for a period greater than the time the person is Shareholder to the company, and the additional time required according to legal or contractual circumstances that make Data Processing necessary.

Finally, access to the personal information will be granted under the terms of the Code of Commerce and the rest of the norms that regulate the matter.

9.3 DATA PROCESSING OF VENDORS

SERACOMEX SAS. recolecta los datos personales de sus Proveedores y los almacena en una base de datos la cual es calificada por la compañía como de reserva, y solo será revelada por la empresa con la expresa autorización del titular o cuando una Autoridad Competente lo solicite.

Las finalidades para las cuales son utilizadas los datos personales de los Proveedores de SERACOMEX SAS. serán:

a. Sending invitations to hire, and management performance for pre-contractual, contractual and post- contractual phases.

b. Sending invitations to events scheduled by the Company or its allies.

c. The rest of the purposes stated specifically in the authorizations granted by the Vendors themselves.

SERACOMEX SAS. solo recaudará de sus proveedores los datos que sean necesarios, pertinentes y no excesivos para la finalidad de selección, evaluación y ejecución del contrato a que haya lugar.

La recolección de los datos personales de empleados de los proveedores por parte de SERACOMEX SAS., tendrá en todo caso como finalidad verificar la idoneidad moral y competencia de los empleados; es decir, una vez verificado este requisito, SERACOMEX SAS. devolverá tal información al proveedor, salvo cuando se autorice expresamente su conservación.

9.4. PERSONAL DATA PROCESSING FROM THE CUSTOMERS

SERACOMEX SAS. recolecta los datos personales de sus Clientes y los
almacena en una base de datos la cual es calificada por la compañía como de reserva, y solo será revelada por la empresa con la expresa autorización del titular o cuando una Autoridad Competente lo solicite.

Las finalidades para las cuales son utilizadas los datos personales de los Clientes de SERACOMEX SAS. serán:

a) Management performance for pre-contractual, contractual and post- contractual phases.

b) To send invitations to events scheduled by the Company.

c) Bear out any requirement in the occasion of the development of the held contract.

d) Comply with the object of the held contract.

e) Verify cases of non-compliance by any of the parties.

f) General bonding of each client.

g) Carry out customer loyalty activities and marketing operations.

9.5. PERSONAL DATA PROCESSING FROM VIDEO SURVEILLANCE RECORD

SERACOMEX SAS. recolecta los datos biométricos contenidos en sus Cámaras de Vigilancia y los almacena en una base de datos la cual es calificada por la compañía como de reserva, y solo será revelada por la empresa con la expresa autorización del titular o cuando una Autoridad Competente lo solicite.

Las finalidades para las cuales son utilizadas los datos personales contenidos en las Cámaras de Vigilancia de SERACOMEX SAS. serán:

a) Guarantee security in the work environment.

b) Allow suitable work environments for the safe development of the company’s work activities.

c) Control de entry, stay and exit of employees and contractors in the company’s facilities.

Para cumplir con el deber de información que le corresponde a SERACOMEX SAS. como administrador de datos personales, la empresa implementará Avisos de Privacidad en las zonas en donde se realice la captura de imágenes que impliquen tratamiento de datos personales.

In any case, the information will not be processed for a period exceeding ten (10) days from its collection in accordance with the legal or contractual circumstances that make the handling of the information necessary.

9.6. PROCESSING OF PERSONAL DATA FOR ENTRY CONTROL

SERACOMEX SAS. recolecta los datos personales de sus visitantes y los almacena en una base de datos la cual es calificada por la compañía como de reserva, y solo será revelada por la empresa con la expresa autorización del titular o cuando una Autoridad Competente lo solicite.

Las finalidades para las cuales son utilizadas los datos personales de quienes ingresan a las instalaciones de SERACOMEX SAS., y a las instalaciones de los clientes de la empresa serán:

a) Ensure entry to the company’s facilities to people who have the authorization of free transit and restrict the passage to those who are not authorized.

b) Guarantee safety in the guarded environments.

c) Allow suitable work environments for the safe development of activities within the company.

In any case, the information will not be processed for a period exceeding three (3 years) from its collection in accordance with the legal or contractual circumstances that make the handling of the information necessary.

10. INTERNATIONAL TRANSFER AND TRANSMISSION OF PERSONAL DATA

La empresa actualmente no realiza Transmisión o Transferencia internacional de datos personales. En el evento que la empresa decida realizar la Transferencia Internacional de datos personales, además de contar con la autorización expresa e inequívoca por parte del Titular, SERACOMEX SAS. se asegurará que la acción proporcione los niveles adecuados de protección de datos y atienda a los requisitos fijados en Colombia por la Ley Estatutaria 1581 de 2012 y sus decretos reglamentarios. De otro lado, cuando SERACOMEX SAS. decida realizar Transmisión Internacional de datos, podrá hacerlo sin autorización de los titulares, siempre y cuando garantice la seguridad de la información, confidencialidad y las condiciones que regulen en alcance del tratamiento de los datos, de acuerdo al artículo 10 de la Ley 1581 de 2012.

11. DATA OF CHILDREN AND ADOLESCENTS

SERACOMEX SAS. no realiza el Tratamiento de Datos Personales de menores de Edad. Sin embargo, en el momento que lo hiciere, la empresa garantizará el respeto de los derechos de los niños, niñas y adolescentes, los cuales priman en todo caso, y recolectará en todos los casos la respectiva autorización para su tratamiento.

12. PROCEDURE FOR THE ATTENTION OF INQUIRIES, CLAIMS AND PETITIONS

12.1. Queries

Los Titulares o sus causahabientes podrán consultar la información personal del Titular que repose en SERACOMEX SAS. quien se encargará de suministrar toda la información contenida en el registro individual o que esté vinculada con la identificación del Titular.

Once the inquiry has been received by the company, it will be attended within a maximum term of ten (10) business days from the date of receipt.

When it is not possible to attend the consultation within said term, the interested party will be informed, stating the reasons for the delay and indicating the new date that the consultation will be attended, which in no case may exceed five (5) business days following the expiration of the first term.

12.2. CLAIMS

El Titular o sus causahabientes que consideren que la información contenida en una base de datos debe ser objeto de corrección, actualización o supresión, o cuando adviertan el presunto incumplimiento de cualquiera de los deberes contenidos en esta ley, podrán presentar un reclamo ante SERACOMEX SAS. el cual será tramitado bajo las siguientes reglas:

1. El reclamo se formulará mediante comunicación escrita dirigida a SERACOMEX SAS., con la identificación del Titular, la descripción de los hechos que dan lugar al reclamo, la dirección, y acompañando los documentos que se quiera hacer valer.

If the claim is incomplete, the interested party will be required within five (5) days of receiving the claim to correct the faults. After two (2) months from the date, without the applicant submitting the required information, it will be understood that the claim has been withdrawn.

En caso que SERACOMEX SAS. reciba un Reclamo del cual no sea competente para resolverlo, la empresa dará traslado a quien efectivamente corresponda en un término máximo de dos (2) días hábiles e informará al Titular.

2. Once the complete claim is received, the company will include in the respective database a legend that says “claim in process” and the reason for it, within a period of no more than two (2) business days. The company will keep the given legend in the data under discussion until the claim is received.

3. The maximum term to attend the claim will be 15 business days from the day following the date of receipt. When it is not possible to attend the claim within the given term, the company will inform the Holder of the reasons for the delay and the new date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.

12.3. Procedure requirement

The Owner or the successor in title may only file a complaint with the Superintendence of Industry and Commerce once they have exhausted the process of Consultations or Claims directly with the company.

12.4. REQUEST FOR UPDATE AND/OR RECTIFICATION

SERACOMEX SAS. rectificará y actualizará, a solicitud del titular, la información que sea inexacta o se encuentre incompleta, atendiendo al procedimiento y los términos antes señalados, para lo cual el Titular deberá allegar la solicitud según los canales dispuestos por la compañía, indicando la actualización y rectificación del dato y a su vez deberá aportar la documentación que soporte tal petición.

12.5. REVOCATION OF AUTHORIZATION AND/OR DELETION OF DATA

The owner may revoke at any time the consent or authorization given for the processing of their personal data, as long as there is no impediment enshrined in a legal or contractual provision.

Así también el Titular tiene derecho a solicitar en todo momento a SERACOMEX SAS., la supresión o eliminación de sus datos personales cuando:

a) He/she considers that the personal data is not being treated in accordance with the principles, duties and obligations provided in the current regulation.

b) When the personal data is no longer necessary or relevant for the purpose for which they were obtained initially.

c) When the time necessary for the fulfillment of the purposes for which they were obtained has been completed.

Such deletion implies the total or partial elimination of personal information, in accordance with what is requested by the owner in the records, files, databases or treatments carried out by SERACOMEX LTDA. SERACOMEX SAS.

El derecho de cancelación no es absoluto y por lo tanto SERACOMEX SAS. podrá negar revocatoria de autorización o eliminación de los datos personales en los siguientes casos:

a) The owner has a legal or contractual duty to remain in the database.

b) The elimination of data hinders administrative judicial actions related to tax obligations, the investigation and prosecution of crimes or the updating of administrative sanctions.

c) The data is necessary to protect the legally protected interests of the owner; to carry out an action based on the public interest, or to comply with an obligation legally acquired by the owner.

13. POLICY MODIFICATION

The entity reserves the right to modify the personal data treatment policy at any time. However, any modification will be communicated in a timely manner to the Holders of the personal data through the usual means of contact ten (10) business days prior to its entry.

In the event that a holder does not agree with the new policies and with valid reasons that constitute a fair cause for not continuing with the authorization for the processing of personal data, the holder may request the company to withdraw their information through the channels indicated in chapter 11. However, the holders may not request the withdrawal of their personal data when the company has a legal or contractual duty to process the data.

14. VALIDITY
This Policy is effective as of the first of June, 2017.