Personal Data Processing Policies
PRAGMA S.A., a limited company with Tax ID (NIT) 811,004,057-1 incorporated by public instrument on February 19, 1996, registered with the Medellín Chamber of Commerce on February 21, 1996 (hereinafter “Pragma” or the “COMPANY”), as the data controller under Law 1581/2012 and Regulatory Decree 1377/2013, informs that this Policy aims to lay down the necessary guidelines to guarantee the right to privacy of individuals through the protection and processing of personal data contained in the COMPANY’s databases as provided for by the law.
This policy shall apply to Pragma S.A. and unless otherwise indicated, to its parent companies, subsidiaries, branches, and/or corporations toward whom there is a situation of control or temporary business grouping.
The Personal Data Processing Policy applies to personal data contained in the databases in the care of Pragma, its parents, subsidiaries, affiliates, and, generally, the members of its group of companies (hereinafter, the “DATA CONTROLLER”) that are susceptible to any access or processing by the COMPANY, its staff, or any related third party.
By accepting or consenting to Pragma’s Personal Data Processing Policy, you state that you are the legitimate data subject or have the relevant authorizations or legal powers to transfer the data. You further state that you are competent under the applicable legislation. Therefore, you accept the guidelines and policies contained herein.
DEFINITIONS
Authorization: Prior, express, and informed consent of the Data Subject to process personal data.
Database: An organized set of personal data subject to Processing.
Personal Data: Any information linked to or that can be associated with one or several specific or determinable natural persons.
Sensitive Data: Data that involve the privacy of the Data Subject whose improper use may result in discrimination, such as racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social, human rights, or other organizations that promote the interests of any political party or guarantee the rights of the opposition, as well as health, sex life, and biometric data.
Data Processor: A natural person or legal entity, either public or private, who, by themselves or in association with others, processes personal data on behalf of the Data Controller.
Data Controller: A natural person or legal entity, either public or private, who, by themselves or in association with others, decides on the database and/or data Processing.
Data Subject: A natural person whose personal data is subject to Processing.
Data Transfer: When the Data Controller and/or Processor, located in Colombia, sends the information or personal data to a recipient, who in turn becomes the Data Controller and is located inside or outside the country.
Data Transmission: Data processing that involves the communication of data within or outside the Republic of Colombia, the purpose of which is for the Data Processor to process data on behalf of the Data Controller.
Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.
I. DATA CONTROLLER IDENTIFICATION
COMPANY NAME AND IDENTIFICATION: PRAGMA S. A., hereinafter referred to as THE COMPANY, a business corporation identified by Taxpayer ID (NIT) 811,004,057-1 and incorporated by public deed on February 19, 1996, registered with the Chamber of Commerce on February 21, 1996.
DOMICILE AND ADDRESS: THE COMPANY is domiciled in Medellín and its registered office is at Carrera 42 # 5 sur 47, piso 16, edificio SELF.
EMAIL: info@pragma.com.co
PHONE: +57 323 563 9223
II. DATA PROCESSING PRINCIPLES
In any personal data processing by the COMPANY, the principles contained in the Colombian General Regulation for Personal Data Protection will apply, especially the following:
1.1. Principle of legality: For personal data processing by the COMPANY, the rules of the Colombian legal system relating to the General Regulation for Personal Data Processing and those contained in this policy apply.
1.2. Principle of purpose: The personal data processing carried out by THE COMPANY fulfills the purposes established in this policy, which are in harmony with the Colombian legal system. Where not provided for in this policy, higher rules that regulate, add, modify, or repeal it will apply.
1.3. Principle of freedom: The COMPANY processes personal data with the data subject’s prior, express, and informed authorization.
1.4. Principle of truthfulness or quality: The information subject to processing by the COMPANY will be truthful, complete, updated, verifiable, and understandable.
1.5. Principle of transparency: The COMPANY guarantees that the data subject can obtain information about their data at any time and without restrictions according to the procedures described in this policy.
1.6. Principle of restricted access and circulation: The COMPANY ensures that the personal data in the databases it controls is processed by authorized persons and/or other persons permitted by law.
1.7. Principle of security: The COMPANY will implement technical, human, and administrative measures to protect the personal data processed in its databases, avoiding unauthorized or unwanted use, alteration, loss, or access.
1.8. Principle of confidentiality: The personal data in the COMPANY’s databases will be processed with strict confidentiality and reserve according to the purposes described in this policy.
To expand on these principles, please check Law 1581/2012 and Decree 1377/2013 as amended, clarified, supplemented, or repealed.
III. PROCESSING TO WHICH DATA WILL BE SUBMITTED AND PURPOSE
The personal data of the individual with whom the COMPANY has established or will establish a permanent or temporary relationship will be processed within the applicable legal framework. In any case, personal data may be collected and processed in the following cases:
- To fulfill the corporate purpose of the COMPANY under its bylaws.
- To perform legal obligations involving personal data.
- To measure and analyze non-sensitive data freely provided by data subjects.
- For business management and networking with customers, prospects, and stakeholders.
- For prospective analysis of customers, prospects, and stakeholders’ trends, preferences, behaviors, and habits.
- To inform about products and their quality, the COMPANY, trends, benefits, events, partnerships, and general information.
- To query information about Data Subjects in public databases and/or other information operators such as Datacrédito/Experian, Cifin/TransUnion, or any other credit bureau that manages databases with financial information to support processes such as application study, credit behavior verification, delinquency reporting, credit granting checks, and collection efforts.
- To report to credit bureaus with which the COMPANY has an agreement the creation, modification, extinction, performance, or non-performance of the obligations contracted by the Data Subject.
- To achieve efficient communication related to products, services, offerings, special offers, partnerships, studies, contests, and content.
- To share information with contractors providing services for the COMPANY that require access to the data of Data Subjects.
- To carry out business or marketing activities through our website, Facebook, and other media, using them as part of our business or marketing campaigns.
- To make contacts for business and promotional purposes either about our services and products or those of third parties with whom the COMPANY has business relationships or partnerships.
- To deliver job references.
- For administrative and commercial management.
- To fulfill legal obligations concerning the COMPANY’s shareholders.
- To monitor the management of services offered.
- To comply with the provisions of the Colombian legal system on labor and social security, applicable to former, current, and future employees.
- To conduct queries and checks on money laundering, terrorist financing, transnational bribery, and corruption risks.
- To share and exchange with its subsidiaries, parents, partners, and/or financial entities the information of Data Subjects contained in the COMPANY’s databases for risk control, disbursement and payment of obligations, business partnerships, service procurement, statistics, marketing activities for services, and advertising.
- To collect information about transactions or services acquired by means provided by the COMPANY.
- To process financial data related to user payments for services with some cost.
- To transfer data to third parties for corporate purposes and activities carried out by the COMPANY.
- For usage and log-in information; transaction information; cookies to provide internet-based services; transfer and transmission of data to third parties for activities related to the COMPANY; and fulfillment of any contractual or legal obligations acquired by the parties.
- To conduct surveys related to the COMPANY’s services or goods.
- To fulfill any contractual, statutory, or legal commitments.
- For security and surveillance of the COMPANY’s facilities and information.
Authorization is not necessary in certain instances, in which all legal provisions on the processing of information are nevertheless complied with, such as:
- When the data is public.
- In cases of medical or health emergency.
- When the law authorizes the processing.
In each medium that can be used for data processing or collection, there will be an authorization paragraph, privacy notice, or, in the case of technological methods, a box or sign of consent and acceptance of data processing aimed at validating authorization through unequivocal conduct where possible. This authorization will contain a link or access to this Data Processing Policy.
IV. SENSITIVE DATA PROCESSING
The COMPANY considers as sensitive biometric data, such as the face, fingerprint, retina, voice, and signature, and any other data that affects the privacy of people and whose improper use may result in discrimination against the Data Subject. Therefore, the COMPANY and the people who access the data in their capacity as DATA PROCESSORS protect these data more rigorously.
The processing of personal or sensitive data by the COMPANY and its DATA PROCESSORS is restricted; it will be exclusive to the fulfillment of authorized contractual obligations, performance of legal obligations, or the purposes that the Data Subject has expressly and voluntarily authorized. The data will never be used for marketing, sale of databases, and/or purposes other than those strictly necessary without prior authorization.
The COMPANY will only process sensitive data if the Data Subject consents or the law authorizes it. The sensitive data subject will always have the power to decide whether to provide it.
Exceptionally, the data of minors, such as the children of COMPANY employees, managers, and collaborators, may be processed, in which case express and informed authorization must be obtained from the minor’s legal representative for the specific purposes reported.
It is optional for the Data Subject to grant authorization to process their sensitive data.
V. RIGHTS OF THE DATA SUBJECT
As provided in the currently applicable regulations on data protection, data subjects have the right to:
a. Access, know, update, and rectify their data with the COMPANY in its capacity as the data controller. This right may be exercised, among others, on partial, inaccurate, incomplete, fragmented, misleading data or those whose processing is expressly prohibited or has not been authorized.
b. Request proof of the authorization granted to the COMPANY for data processing by any valid means, except in cases where authorization is unnecessary.
c. Be informed by THE COMPANY, upon request, of the use given to their data.
d. File complaints with the Superintendence of Industry and Trade for violations of Law 1581/2012, as amended, added, or supplemented, after making a query or request to the COMPANY.
e. Revoke the authorization or request the deletion of the data.
f. Access their processed data free of charge at least once every calendar month or whenever substantial modifications to this policy give rise to new queries.
These rights may be exercised by:
- The data subject, who must prove their identity sufficiently by the means made available by the COMPANY.
- The successors in title of the data subject, who must prove such capacity.
- The representative or attorney-in-fact of the data subject, upon certification of the representation or power of attorney.
- Any other person that the data subject has stipulated.
VI. DATA CONTROLLER AND DATA PROCESSOR
The COMPANY will be the data controller. The COMPANY may assign its status as CONTROLLER at any time to any third party that meets the conditions set in this Policy and current applicable legislation.
Transfers and Transmissions for Third-party Processing of Personal Data Provided to the COMPANY.
Acceptance of this policy implies that the data subject accepts the COMPANY’s possibility to transmit or transfer all of the subject’s data to its parent, subordinates, or third parties in the country or abroad to fulfill the purposes of the processing, always respecting the applicable legal provisions. In this case, the third party or third parties who receive the information will acquire the capacity of DATA PROCESSOR and, consequently, will assume the same obligations of care, good management, and security of the COMPANY as data controller, in the terms defined by current regulations. The COMPANY may revoke the authorization granted in each case to the respective third-party data processor at any time.
In turn, the COMPANY undertakes to inform third parties of the parameters under which authorization has been granted, the due respect they must accord to this policy, and that they may only use the data and/or information while the legal or contractual relationship with the COMPANY subsists and solely and exclusively for the uses expressly defined by the COMPANY.
The information will be transmitted physically or digitally through mechanisms that have adequate security levels established by the COMPANY and its technology advisors, according to physical, logistical, technological, and economic capacities, seeking confidentiality and security in data delivery and reception.
VII. PROCEDURE FOR RESPONDING TO QUERIES, CLAIMS, AND REQUESTS FOR DATA RECTIFICATION, UPDATE, AND DELETION
The data subjects or their successors in title may access the data subject’s personal information held by the COMPANY, which will provide all the data contained in the individual record or linked to the data subject’s identification. The COMPANY also provides a mechanism through which the data subject can file claims for updating, rectifying, deleting, or definitively revoking the authorization.
In any case, regardless of the mechanism implemented to respond to requests, these will be answered within ten (10) business days of the date of receipt. When it is not possible to respond to the query within this term, the interested party will be informed before the expiration of the ten days, expressing the reasons for the delay and specifying the date on which their query will be attended to, which in no case may exceed five (5) business days following the expiration of the first term.
The data subject or their successors may query the personal information of the data subject that is on file in THE COMPANY, who will supply all the information contained in the individual record or linked to the identification of the data subject. THE COMPANY also provides a mechanism through which the data subject can file claims to update, rectify, delete their data, or permanently revoke the authorization.
In any case, regardless of the mechanism implemented for query requests, they will be answered within ten (10) business days from the date of receipt. When not answered within this term, the interested party will be informed before its expiration, stating the reasons for the delay and the date on which the query will be answered, which in no case may exceed five (5) business days from the expiration of the first term.
If you have any query, please contact us at info@pragma.com.co
The COMPANY reserves the right to modify the Data Processing Policy at any time unilaterally. The Policy will always be available on the website. Any substantial change in the Policy that may affect the content of the authorization granted by the data subject will be communicated to the data subject or made available to them under the terms of current regulations. In addition, previous versions of the Information Processing Policy will be preserved.
The data subject’s failure to object to the use of their data within thirty (30) days of notification of the new Data Processing Policy constitutes acceptance thereof.
VIII. INFORMATION SECURITY MEASURES
Adhering to the security principle in current regulations, the COMPANY will adopt the technical, human, and administrative measures necessary to secure the records and prevent their adulteration, loss, unauthorized or fraudulent query, use, or access.
The COMPANY is committed to correctly using and processing the personal data of its customers and users, avoiding unauthorized access by third parties that would allow them to know or violate, modify, disclose, and/or destroy the information that resides in the COMPANY’s databases. For this reason, the COMPANY has security and access protocols for its information, storage, and processing systems, including physical measures to control security risks.
Therefore, the COMPANY must adopt the measures to comply with Law 1581/2012, as amended or replaced. As a result of this legal obligation, among others, the COMPANY must implement logical, administrative, and physical security measures according to the criticality of the personal information it accesses to ensure that this information will not be used, commercialized, assigned, transferred, and/or subjected to any other processing contrary to the purpose of this contract. Any suspicion of loss, leak, or attack against personal information in the COMPANY’s databases will be reported. This notice must be given once the COMPANY becomes aware of such contingencies, through the most relevant or effective mechanisms, such as publication on the COMPANY’s website or social media, direct communication to the reported email address of the affected party, by the means determined by the latter for such purposes, or in any way that guarantees the data subject’s right to information. Any loss, leak, or attack against personal information implies the obligation to manage the security incident under the applicable legal guidelines.
According to the logistical, physical, and economic possibilities, multiple information security measures may be implemented, including:
- Antivirus and firewalls on the COMPANY’s computer equipment
- User, data access and manipulation, and monitoring profiles
- Backup plans with the established frequency
- Video surveillance and access control
- Query logs and copies of protocols requested by users
- Periodic updating of Personal Data Protection Policies and procedures
- Continuous identification of legal requirements that the COMPANY must meet
- Monitoring of new regulations
- Training on Information Security issues
- Reviews of procedures and documentation
IX. EFFECTIVENESS
This policy is effective as of March 1, 2023.
Marcos Velez Botero
President