Privacy policy and treatment of personal data.

PREAMBLE

CERTILABOR S.A.S (hereinafter, “Xertify” or the “Company”) is an entity respectful of personal data and information provided by its staff, customers, business partners and potential stakeholders in the services and / or products of the Company; for this reason, it proceeds to issue this Privacy Policy and Personal Data Processing (hereinafter, the “Policy”) which establishes the purposes, scope, measures, and procedures of databases, as well as the mechanisms that the Owners of the information have to know, update, rectify or delete the data provided, or revoke the authorization granted with the acceptance of this Policy.

The acquisition of the services offered by the Company (hereinafter, the “Services”) and/or the express and unequivocal acceptance of the present Policy, implies the acceptance of the Holders of the information with respect to the Policy and their authorization for the uses and other treatments described herein.

CHAPTER I

DEFINITIONS, SCOPE, AND PRINCIPLES OF THE POLICY

  • Definitions. The following concepts shall have the following meanings, whether used in the singular or plural form throughout the text of the Policy.

“Privacy Notice”: Verbal or written communication to inform the owners of the information, the existence, and ways to access the policies of treatment of information and the purpose of its collection and use.

“Authorization”: Consent given by any person so that the companies or persons Responsible for the treatment of the information, may use their personal data.

“Database”: Organized set of personal data that are subject to processing.

“Cookies”: Text file that is downloaded to the hard drive of the computer or saved in the memory of the web browser when you visit our websites (hereinafter, “Sites”) – property of Xertify.

“Proprietary Cookies”: Cookies used only by Xertify Sites.

“Third Parties Cookies”: Cookies originated by a third parties website.

“Session Cookies”: Cookies that expire when your browser session ends.

“Persistent Cookies”: Cookies that are stored on your device between browser sessions and allow us to remember your preferences or actions.

Strictly Necessary Cookies”: Cookies that enable you to use our Site and its features. These cookies do not collect information about you, nor do they remember where you were or when you browsed our Site.

Analytical Cookies”: Cookies that collect information about how you and other visitors use our Site, how you arrive at the Site, how often you visit, and what part of the Site you use. We use this information to improve the Site’s capabilities and ensure that it meets your needs.

Functionality Cookies”: Cookies that allow us to store information about the choices you make on our Site and to provide better personalized content. For example, these cookies show when you log in to our website and help us remember your user preferences.

Targeted Cookies”: Cookies that collect information that is used to provide advertisements relevant to you and your interests.

“Personal Data”: Any information linked or that can be associated with a particular person (e.g., name, identification number, physical traits, etc.).

“Public Data”: It is the data qualified as such according to the mandates of the law or the Political Constitution and all those that are not semi-private or private, in accordance with Law 1266 of 2008. Among others, the data contained in public documents, duly executed judicial sentences that are not subject to reserve and those related to the civil status of persons are public.

“Semi-private data”: Data that are not of an intimate, reserved, or public nature and whose knowledge or disclosure may be of interest not only to the Data Subject but also to a certain sector or society in general (e.g., e.g., financial, credit, commercial or service activity data, etc.).

“Private Data”: Data that due to its intimate or reserved nature is only relevant to the Data Subject (e.g., tastes, preferences, etc.).

“Sensitive Data”: Data that affect the privacy of the Data Subject or may result in discrimination against him/her (e.g., those that reveal his/her racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights organizations, data related to health, sex life, and biometric data, etc.).

“Anonymized Data”: Data that does not personally identify you or other users of the Site and that may be used by the Company for administration and statistical analysis, including trend analysis, customized products and services, risk assessment, and analysis of costs and charges related to our products, services, and solutions.

“Data Processor”: Natural or legal person who carries out the processing of personal data, based on a delegation made by the Controller, receiving instructions on how the data should be managed.

“Data Controller”: Natural or legal person, public or private, who decides on the purpose of the databases and/or the processing thereof.

“Data subjects”: Natural or legal persons whose personal data are subject to processing.

“Processing”: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.

“Transfer”: Operation carried out by the Controller or Processor of Personal Data, when he/she sends the information to another recipient, who, in turn, becomes the Controller of the Processing of such data.

“User”: Third parties who enter the Xetify platform to use its services in any capacity or modality.

  • Scope of the Information Processing Policy. This Policy applies to all personal information recorded in the databases of Xertify, who acts as Responsible for the Processing of Personal Data for these purposes.
  • Principles of Personal Data Processing. The treatment of Personal Data of this Policy will be guided by the principles set forth in Article 4 of Law 1581 of 2012 and the rules that update or amend it.

CHAPTER II

PURPOSE OF THE PROCESSING OF PERSONAL DATA

  • Purpose of the Processing of the Database of employees, contractors and aspiring employees, former employees and Xertify personnel.

The purpose of this Policy in relation to the Databases it administers with respect to Xertify’s partners, employees, contractors and aspiring, former and current employees and staff is:

  • Keep and manage the information of the labor, civil or commercial relationship of the Holders.
  • To comply with the legal, accounting, commercial and regulatory duties that apply to it.
  • Control and preserve the security of people, goods, and information of the Company.
  • Fulfill the purpose of the labor, commercial or civil relationship acquired with the Holders.
  • Protect the health of the Company’s employees and contractors.
  • Prevent and verify the commission of crimes or criminal conduct by employees, contractors, applicants, and personnel in general, for which different databases and sources may be consulted, such as databases of the National Police, Comptroller’s Office, Interpol, FBI, SDNT, list (or “Clinton List”), as well as the corresponding social networks, in the form in which they are available.
  • Maintain direct communication with the Holders for issues related to their labor, civil or commercial situation.
  • Select personnel, administer hiring, manage labor relations, grant benefits to its employees by itself or through third parties, as well as allow employees access to the Company’s IT resources.
  • Keeping a record of disciplinary sanctions imposed on contractors and employees of the Company.
  • To carry out statistical, commercial, financial, social, and technical analyses.
  • Communicating with Data Holders for contractual, informational, and commercial purposes.
  • Checking and verifying the identity and criminal, disciplinary, financial and credit history of the Holders.
  • Transmit, transfer, and provide the information and personal data of the Holders to third parties in charge of administering the social security system in Colombia, as well as to insurance companies.
  • To transmit, transfer and provide the information and personal data of the Holders to third parties, in those cases in which there is an employer substitution or in those cases in which the Company assigns its contractual position, or when it is part of an acquisition or business integration process.
  • Transmit, transfer, and provide the information and personal data of the Holders to third parties, with the purpose of providing labor and/or professional references about the Holders.
  • Transmit, transfer, and provide the information and personal data of the Data Holders to payroll operating companies for them to consult the pertinent information for the purpose of granting goodwill loans.
  • To keep the historical memory and background of former employees of the Company.
  • Purposes of the Treatment in relation to the database of customers, suppliers, and business partners.

The purpose of this Policy in relation to the Databases managed with respect to customers, suppliers, business partners and users of Xertify is:

  • The fulfillment of the Company’s corporate purpose.
  • The performance of statistical, commercial, strategic, financial, social, and technical analysis.
  • The development, execution, and fulfillment of the contractual relationship that the Holder has with the Company.
  • To comply with the value proposition and the level of service offered to each segment of customers and suppliers.
  • Compliance with legal, accounting, commercial and regulatory duties.
  • Communicating with the Holders for contractual, informative, and commercial purposes.
  • The control and preservation of the security of persons, goods, and information of the Company, for which different databases and sources may be consulted, such as databases of the National Police, Comptroller’s Office, Interpol, FBI, SDNT list (or “Clinton List”), credit risk centers, as well as the social networks of the Holder, in the form in which they are available.
  • Verification and verification of the identity and information in general, and criminal, disciplinary, financial and credit background of the Holders.
  • Transmit, transfer, and provide the information and personal data of the Holders to the Company’s subsidiaries, subsidiaries or affiliates, commercial allies or other national and/or international companies or persons that the Company entrusts to carry out the processing of the information and comply with the purposes described in this Policy and the purpose of the commercial or civil relationship with the Holders, or for such third parties to assume the position of Responsible Parties.
  • Transmit, transfer, and provide, free of charge or for a fee, the information, and personal data of the Holders to national and/or international commercial allies so that they may contact the Holders to offer them their products, information, or services that, in the Company’s opinion, may be of interest to the Holder.
  • Transmit, transfer, and provide the information and personal data of the Holders to national and/or international third parties, in those cases in which the Company participates in merger, integration, spin-off, liquidation, acquisition and/or disposal of assets.
  • Carry out marketing activities, such as market research, and perform acts of promotion of products and services, among other similar concepts.
  • Define consumption profiles of its customers, to perform statistical analysis or improve the marketing and sales processes of Xertify’s services and/or products.
  • Purposes of the Treatment in relation to the database of potential end customers.

The purpose of this Policy in relation to the Databases it manages with respect to potential end customers of Xertify is:

  • The fulfillment of the Company’s corporate purpose.
  • The performance of statistical, commercial, strategic, financial, social, and technical analysis.
  • To carry out marketing activities, such as market research, and to carry out acts of promotion of products and services, among other similar concepts.
  • Communicating with the Holders for commercial purposes.
  • Purposes of the treatment in relation to the database of potential suppliers.

The purpose of this Policy in relation to the Databases it manages with respect to potential suppliers of Xertify is:

  • The fulfillment of the Company’s corporate purpose.
  • The performance of statistical, commercial, strategic, financial, social, and technical analysis.
  • To carry out marketing activities, such as market research, and to carry out acts of promotion of products and services, among other similar concepts.
  • Communicating with the Holders for commercial purposes.

CHAPTER III

PERSONAL DATA PROVIDED AND OBTAINING METHOD

  • Data collection. Overall, Xertify collect personal data of the holders in the following cases:
  • When are visiting our web page and are using our platform.
  • When bring personal data volunteering, for instance, by adhering to company emails, registering their account in one the websites of Xertify, filling a form in the web page for obtaining trade information or register for one of the Xertify events.
  • When the company for who works provide information to Xertify.
  • When the educative center for who are you studying provides information to Xertify.
  • When are participating in Webinars, seminars, trade shows and events organized for Xertify.
  • When Xertify takes information from internet, including, but limitless, some social media such as LinkedIn, Facebook, and other, also webpages where your dates are fixed.
  • When the services of Xertify are used, as customer service, technical assistance, and others.
  • When Xertify require contact with you or the company you belong with the objective of request, ask for new services as well as do business.
  • When Xertify hire services of third persons which are employed by dates and cookies oriented to advertised according to the characters in common with the holder, having in account the industry.
  • When Xertify informs you in advance about the collection and intended use of your data, through this Policy or at the time of collection.

The Company may expressly request personal data from its Data Subjects or collect them based on their behavior, except for the exceptions related to sensitive data or data of children and adolescents.

9.0 Data Collected by the Company. The data collected includes, but is not limited to, the following:

9.1 Employee and contractor data: name and surname, nationality, marital status, identification number, military passbook, professional card, signature and handwriting, fingerprint, date, and place of birth, marital status, correspondence address, contact telephone number, e-mail, work, clinical or health, academic and property history, references, commercial background or biographical, financial, judicial, disciplinary and family information, and that related to other companies or public entities, recent photographs, images in surveillance cameras; occupational medical history; telephone, sex, date, and place of birth, place of work, position, or profession of the spouse or permanent partner, employees, and contractors and their relatives up to the fourth degree of consanguinity, second degree of affinity and/or first civil degree, and any other data necessary to achieve the purposes described.

9.2 Data of clients, suppliers, Users and commercial allies: name and surname, identification number, date of birth, mailing address, identity gender, contact telephone, email, photographs published in your profile, age, consumption habits, transactional media data, such as credit cards or bank accounts, solely for the purpose of charging for Xertify’s services, website browsing history, academic kardex, academic grades, academic history, authorizations to develop activities related to products or services offered by Xertify, purchase history, history of open cases with customer service, favorite content, intention to attend events, history of questions to experts on the website, commercial history, and family relationships, and information related to other companies or public entities, needs and interests, place of work, qualifications, and studies of suppliers, permits, and authorizations required to provide services or sell products, content created for publication, company name or corporate name, tax identification, description, photographs, and videos of the company, description, photographs, and videos of the portfolio of services and products, history of orders received, satisfaction rating received, operational performance indicators, customer comments received, promotional investment, purchase incentives caused, prizes given, and any other data that may be necessary to achieve the purposes described.

9.3 Data of potential end customers purchased from third parties, obtained in the context of commercial alliance or formed by website users who have not yet purchased from the website: name and surname, identification number, date of birth, correspondence address, contact telephone, email, photographs published in their profile, names, age, consumption habits, browsing history on the site, favorite content, intention to attend events, history of questions to experts on the website and content created for publication on the website, and any other data that may be necessary to achieve the purposes described.

9.4 Data of potential independent suppliers purchased from third parties, obtained in the context of commercial alliance or formed by users of the website who have not yet applied to sell on the website: name and surname, identification number, date of birth, correspondence address, contact telephone, e-mail, photographs published in their profile, age, company name or corporate name, tax identification, correspondence address, contact telephone, e-mail, contact name and surname, contact identification number, commercial and judicial background, commercial and family relationships, as well as information with other companies or public entities, needs and interests, and history of open cases with customer service, and any other data that may be necessary to achieve the purposes described.

9.5 Data of participants in forums, events, or Webinars: name and surname, e-mail, history of forums created and participation in other forums, events or webinars, history of open cases with customer service, opinions expressed in their participation in forums or webinars, and any other data that may be necessary to achieve the purposes described.

9.6 Sensitive data and its treatment. In accordance with Law 1581 of 2012, the following are considered sensitive data: racial or ethnic origin, political orientation, religious or philosophical convictions, trade union membership, social organizations, data related to health status, sex life and biometric data, or any other data that may affect the privacy of the Holder or whose improper use may lead to discrimination. Considering the characteristics of the Company, the activities it develops, and the purposes described in this Policy, the Company requires the processing of some sensitive data, in the manner and under the conditions indicated throughout the document.

CHAPTER IV

AUTHORIZATION FOR COLLECTION AND PROCESSING OF PERSONAL DATA AND OTHER INFORMATION

  • Manifestations of the Data Subject. At the time of voluntarily providing his/her data, granting the authorization for the processing thereof, and/or accepting the terms and conditions of use, the Data Subject declares that:
  • Expressly and unequivocally authorizes the Company to collect the personal data and any other information he/she provides, as well as to carry out the processing on his/her personal data, in accordance with this Policy and the law.
  • You authorize the Company to occasionally send you a link to this Policy and give you the opportunity to set your communication preferences in the Preference Center.
  • You authorize the Company to ask you, where required by applicable law, to provide your express consent to direct, electronic and online marketing activities and to the use of Cookies. If necessary, the Company will request that your express consent be provided to collect and use personal data as outlined in this Policy. Such consent will be requested on the web form or hard copy form used to collect personal data or to confirm registrations or preferences (e.g., for offline activities such as trade shows, seminars, and other events).
  • You authorize the Company to access and process the personal data of Users that you represent and/or with whom Xertify has business relationships. The above, because it is possible that Xertify may need to collect them at the time of providing services related to its economic activity.
  • You were informed and understand that sensitive data are those that affect the privacy of the Holder or whose improper use can generate discrimination. Likewise, that they can be identified as those of racial or ethnic origin, political orientation, religious or philosophical convictions, trade union membership, social organizations, data related to health status, sex life and biometric data.
  • Was informed that, in case of collection of sensitive information, he/she has the right not to answer the questions asked and not to provide the requested data.
  • Was informed about the purposes for which the collected sensitive data will be used, which are described in chapter II of this Policy.
  • Was informed and understands the security measures that Xertify implements to provide protection to the personal data it collects and, therefore, accepts them.

CHAPTER V

PROCESSING OF PERSONAL DATA STORED IN XERTIFY’S DATABASES

  • Uses under the Policy. The Company will only process the personal data and other information of the Data Subject for the purposes described and the uses authorized in this Policy or in the applicable laws. In addition to what is mentioned in other sections, the Data Subject expressly authorizes the Company to Process his/her personal data and other information for the following purposes and in the following circumstances:
  • Issuance of documents, certificates, diplomas, among others, that are processed by Xertify’s platforms.
  • Establish communication between the Company and the Holders for any purpose related to the purposes set forth in this Policy, either through calls, text messages, emails and/or physical mails.
  • Audit, study and analyze the information in the databases to design and execute administrative, labor, security and financial strategies related to the Company’s personnel.
  • Incorporate the data of the owners in national or international web servers.
  • To provide the information and personal data of the Data Holders to commercial allies or other companies or persons that the Company entrusts to carry out the processing of the information and comply with the purposes described in this Policy and the purpose of the work, commercial or civil relationship with the Data Holders.
  • To preserve the security of the Company, analyze and verify the information of employees and collaborators of the Company and those who participate in selection processes.
  • Transfer, transmit and provide, free of charge or for a fee, the information and personal data of the Holders to national and/or foreign commercial partners so that they may contact the Holders to offer their products, information, or services that, in the Company’s opinion, may be of interest to the Holder.
  • Transfer, transmit and provide the information and personal data of the Holders to third parties, in those cases in which the Company participates in merger, integration, spin-off, acquisition and/or liquidation processes.
  • Verify conflicts of interest or possible irregularities with new contractors, allies, suppliers, customers and/or employees of the Company.
  • Perform financial, legal, commercial, and security risk rating.
  • Consult, store and use financial information obtained from third parties database administrators, with prior authorization from the Data Subject for such consultation.
  • Combine personal data with information obtained from other allies, companies, and university centers, or send it to them to implement joint commercial strategies.
  • When the information must be disclosed to comply with laws, regulations, or legal processes, to stop or prevent fraud, attacks on the security of the Company or others, as well as to prevent technical problems or protect the rights of others.
  • Audit, study and analyze the information in the databases to design business strategies and increase and/or improve the products and/or services offered by the Company.
  • Audit, study, analyze and use database information to design, implement and develop programs, projects, and events.
  • Audit, study, analyze and use the information in the database for the socialization of policies, projects, programs, results, and organizational changes.
  • Sell or transfer the data to national and/or foreign third parties, prior compliance with the regulations.
  • To carry out marketing activities of the services and products offered, within the framework of direct marketing activities. The Company guarantees that the direct marketing or market research that you receive or about which you are contacted by e-mail, will provide simple means for you to no longer receive such communication by e-mail. For example, in the email the Company will provide you with an “unsubscribe” link or an email to send an opt-out request. In these cases, your personal data will not necessarily be removed from the databases, but the change in direct marketing preferences will be considered and respected.
  • To inform you about the scope and features of the Company’s services and products, solutions, Webinars, seminars, trade shows and other new and existing events, as well as promotions and offers.
  • Manage our Sites and registered user accounts, analyze trends and improve the functionality of our Site.
  • To customize our Sites and some third parties websites based on user-selected preferences and to personalize and enhance your online experience, which may include targeted advertisements about our products, services, and solutions so that you receive relevant information. To display targeted digital ads on third parties websites, the Company uses ad networks.
  • To consider a job application submitted by the Registrant.
  • As deemed necessary for the Company to protect its legal rights and property, as well as to protect other users or third parties, or to prevent personal injury or loss.
  • Generate leads: Identify the particular interest a customer or potential customer has in our products, solutions, and services.
  • Invite users to provide feedback or participate in customer surveys, to better understand the nature and quality of the Company’s service provision, and to improve and develop products, services, and solutions.
  • To share information with selected service providers and subcontractors who provide services to or on behalf of the Company, such as hosting sites, sending information, conducting surveys, providing technology services, analyzing data, organizing events and other professional services. Service providers only receive the personal information they need to provide services to or on behalf of the Company.
  • Share the information with selected service providers and subcontractors who provide services to or on behalf of the Company, such as marketing and advertising services, including telemarketing, who are provided with information, such as information collected about users through Cookies to generate and deliver advertising for more relevant and useful products, services, and solutions.
  • Sharing the information with governmental authorities or regulatory bodies as required by applicable law or pursuant to an administrative, court or similar order.
  • Any other use that falls within the purposes already stated and that is related to the Company’s corporate purpose and its activity.
  • Authorization for new uses.
    The Company may request authorization from the Data Controllers for new uses of their data or information, for which purpose it shall publish the changes to this Processing Policy on its website or in any medium it deems appropriate.
  • Storage of Personal Data. The Data Subject expressly authorizes the Company to store the data in the manner it deems most appropriate and complies with the security required for the protection of the data of the Data Subject.

CHAPTER VI

RIGHTS OF THE HOLDERS, PROCEDURE TO EXERCISE THEIR RIGHTS, AND INSTANCES OF ATTENTION TO THE HOLDERS

  • General Right of the Holders. The Holders have the right to know, update, rectify their information, and/or revoke the authorization for its processing. In particular, the following are the rights of the Holders as set forth in Article 8 of Law 1581 of 2012:
  • To know, update and rectify their personal data.
  • To request proof of the authorization granted.
  • To be informed, upon request, regarding the use given to their personal data.
  • File complaints before the Superintendence of Industry and Commerce for violations of the provisions of the law.
  • To revoke the authorization and/or request the deletion of the data.
  • Access free of charge to your personal data that have been subject to processing.
  • Refrain from answering questions about sensitive data or data of children and adolescents. In this case, the Data Controllers, or their respective legal representatives, are informed that they are not required to provide authorization for the processing of sensitive data or data of children and adolescents.
  • Procedure for exercising your rights. If the Data Subject wishes to exercise his or her rights, he or she should email the contact address set forth in section 17.0 of this Policy. The procedure to be followed for such communication shall be as indicated below:
    • When the Data Subject or his/her assignees wish to consult the information contained in the database, the Company will respond to the request within a maximum period of ten (10) days. In compliance with the provisions of Law 1581 of 2012, when it is not possible to answer the consultation within such term, the Data Subject will be informed, the reasons for the delay will be expressed and the date on which the consultation will be answered will be indicated, which may not exceed five (5) business days following the expiration of the first term.
    • When the Data Subject or its assignees consider that the information contained in the databases should be corrected, updated, or deleted, or when they notice the alleged breach of the duties contained in Law 1581 of 2012, they may file a claim with the Company, which will be processed under the following rules:
    • The claim shall be formulated by means of a request addressed to the Company with the identification of the Holders, the description of the facts that give rise to the claim, the address, and the documents that they wish to assert shall be attached. If the claim is incomplete, the Company may require the interested party within five (5) days after receipt of the claim to correct the faults. After two (2) months from the date of the request, if the applicant does not submit the required information, it shall be understood that the claim has been withdrawn.
    • In the event that the Company is not competent to resolve the claim, it will transfer the claim to the appropriate person within a maximum period of two (2) business days and inform the Holder of the situation, which will relieve the Company of any claim or liability for the use, rectification, or deletion of the data.
    • Once the complete claim has been received, a legend will be included in the database stating “claim in process” and the reason for the claim, within a term no longer than two (2) business days. Said legend shall be maintained until the claim is decided.
    • The maximum term to address the claim shall be fifteen (15) business days from the day following the date of its receipt. When it is not possible to address the claim within such term, the Holder shall be informed of the reasons for the delay and the date on which the claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term. The withdrawal or deletion will not proceed when there is a contractual duty to remain in Xertify’s database.
  • Security measures for the protection of personal data and other information. The security measures that the Company has in place seek to protect the data of the Holders to prevent their adulteration, loss, use and unauthorized access. To this end, the Company diligently implements human, administrative and technical protection measures that are reasonably within its reach. The Holder expressly accepts this form of protection and declares that he/she considers it convenient and sufficient for all purposes.
  • Area in charge of requests, queries, and claims. The area in charge of handling the requests, queries and claims of the Data Controllers to exercise their rights to know, update, rectify and delete their data and revoke their authorization is the customer service area. Requests, queries, and claims may be sent to the e-mail felipe@xertify.co.

CHAPTER VII

MISCELLANEOUS

  • Any questions or additional information will be received and processed by sending them to the contact addresses set forth in section 17.0 of this Policy.
  • Period of validity of the database and the Policy. The personal data included in the databases will be valid for the period necessary to fulfill their purposes. On the other hand, the Policy will enter into force on August 1, 2020.
  • Changes in the policy of treatment and protection of personal data. Any substantial change in the Policy will be communicated in a timely manner to the Data Holders through publication on the Company’s web portals.
  • Legislation in force. The national legislation in force regarding the protection of personal data is contained in Law 1581 of 2012, Decree 1377 of 2013 and Law 1266 of 2008 and the rules that modify, supplement, or surrogate it.
  • All those corporate policies of the Company that are related to it, such as the terms and conditions of use of the Xertify platform, are understood to be incorporated into this Policy.