PERSONAL DATA PROTECTION POLICY

TABLE OF CONTENTS

1. INTRODUCTION

2. SCOPE

3. DEFINITIONS

4. PROCESSING OF PERSONAL DATA AND PURPOSES OF COLLECTION

4.1. PROCESSING OF EMPLOYEE PERSONAL DATA
4.2. PURPOSES – EMPLOYEES
4.3. PROCESSING OF CLIENT PERSONAL DATA
4.4. PURPOSES – CLIENTS
4.5. PROCESSING OF SUPPLIER PERSONAL DATA
4.6. PURPOSES – SUPPLIERS
4.7. PROCESSING OF PERSONAL DATA – JOB APPLICANTS
4.8. PURPOSES – JOB APPLICANTS
4.9. PROCESSING OF PERSONAL DATA – TEMPORARY STAFF
4.10. PURPOSES – TEMPORARY STAFF
4.11. PROCESSING OF PERSONAL DATA – VISITORS
4.12. PURPOSES – VISITORS

5. PRINCIPLES FOR PERSONAL DATA PROCESSING

6. RIGHTS OF DATA SUBJECTS

6.1. WHO MAY EXERCISE THESE RIGHTS
6.2. RIGHTS OF CHILDREN AND ADOLESCENTS

7. DATA SUBJECT’S AUTHORIZATION

8. DUTY TO INFORM THE DATA SUBJECT

9. PERSONS TO WHOM THE INFORMATION MAY BE PROVIDED

10. RIGHT TO ACCESS AND CONSULTATION

10.1 RIGHT TO SUBMIT COMPLAINTS AND CLAIMS
10.2. EXERCISING THE RIGHTS OF DATA SUBJECTS
10.2.1. RIGHT TO ACCESS

11. PROCEDURE TO ADDRESS DATA SUBJECT’S RIGHTS

11.1. CONSULTATION PROCEDURE
11.2. CONSULTATION RESPONSE RESPONSIBLE PARTY
11.3. CONSULTATION RESPONSE TIMEFRAMES
11.4. EXTENSION OF RESPONSE TIMEFRAME

12. CLAIMS PROCEDURE

12.1. RIGHTS GUARANTEED THROUGH CLAIMS PROCEDURE
12.2. MINIMUM INFORMATION REQUIRED IN CLAIMS

13. RIGHT TO UPDATE, RECTIFY AND DELETE DATA

14. SPECIAL CATEGORIES OF DATA

14.1. SENSITIVE DATA
14.1.1. PROCESSING OF SENSITIVE DATA – EMPLOYEES
14.1.2. PROCESSING OF SENSITIVE DATA – CLIENTS
14.1.3. PROCESSING OF SENSITIVE DATA – VISITORS
14.1.4. PROCESSING OF SENSITIVE DATA – TEMPORARY STAFF
14.1.5. PROCESSING OF BIOMETRIC SENSITIVE DATA

15. DATA SUBJECT SERVICE

16. DUTIES OF NEW STETIC AND DATA PROCESSORS

16.1. DUTIES OF NEW STETIC
16.2. DUTIES OF DATA PROCESSORS

17. SECURITY MEASURES

18. MANAGEMENT OF PERSONAL DATA INCIDENTS

19. RISK MANAGEMENT ASSOCIATED WITH DATA PROCESSING

20. DATA TRANSFER TO THIRD COUNTRIES

22. NATIONAL DATABASE REGISTRY

23. PROTECTION, SECURITY, AND CONFIDENTIALITY OF INFORMATION AND PERSONAL DATA

24. SCOPE OF APPLICATION

25. TERM OF VALIDITY 

1. INTRODUCTION

NEW STETIC S.A. adopts this Personal Data Protection Policy in compliance with Statutory Law 1581 of 2012, Regulatory Decree 1377 of 2013, and other applicable laws. Its purpose is to guarantee the right to privacy, intimacy, and good name of individuals in the processing of their personal data, which shall be carried out based on the principles of legality, purpose, freedom, truthfulness or quality, transparency, restricted access and circulation, security, and confidentiality.

The company is committed to safeguarding information and complying with data protection regulations and related obligations, ensuring responsible data processing in accordance with the consent given by the data subject, acting with discretion and confidentiality.

2. SCOPE

This policy applies to all databases and/or files of NEW STETIC containing personal data and subject to processing by the data controller and/or data processor.

The company processes personal data under the terms, conditions, and scope authorized by the data subject, except in cases governed by special regulations where legal exceptions apply.

3. DEFINITIONS

  • Personal Data: Any information linked or that can be associated with a specific person, such as name or identification number, or which may render them identifiable, such as physical traits.
  • Public Data: Includes data related to marital status, profession, occupation, and status as a merchant or public servant. Such data may be contained in public records, official documents, government gazettes, bulletins, and final judicial rulings not subject to confidentiality.
  • Semi-private Data: Data that is not intimate, reserved, or public, and whose knowledge or disclosure may be of interest to both the data subject and a certain group or society in general (e.g., financial and credit data).
  • Private Data: Intimate or reserved data relevant only to the data subject (e.g., personal preferences).
  • Sensitive Data: Data that affects the privacy of the data subject or may result in discrimination, such as racial or ethnic origin, political orientation, religious or philosophical beliefs, trade union membership, health data, sexual life, and biometric data.
  • Authorization: Consent granted by an individual for companies or responsible parties to process their personal data.
  • Database: An organized set of personal data subject to processing.
  • Processing: Any operation or set of operations on personal data such as collection, storage, use, circulation, or deletion.
  • Data Processor: A natural or legal person processing personal data on behalf of the data controller under their instructions.
  • Data Controller: A natural or legal person, public or private, who determines the purpose and processing of personal data.
  • Data Subject: The natural person whose personal data is subject to processing.
  • Privacy Notice: A verbal or written communication, provided for by law, through which data subjects are informed of the existence of the data processing policies and how to access them, as well as of the purpose of the data collection and use.
  • Transfer: The action by which the data controller or processor sends personal data to another party who then becomes the data controller, either within or outside the country.
  • Transmission: The communication of personal data inside or outside the territory of the Republic of Colombia to a data processor for processing on behalf of the data controller.

4. PROCESSING OF PERSONAL DATA AND PURPOSES OF COLLECTION

4.1. PROCESSING OF EMPLOYEE PERSONAL DATA

NEW STETIC processes personal and sensitive data of its employees, including collection, storage, use, circulation, transmission, updating, rectification, and deletion, for the following purposes:

4.2. PURPOSES – EMPLOYEES

  • Fulfill obligations arising from labor relationships, agreements, and/or service contracts.
  • Manage procedures, requests, document certification, communications, access registration, information updates, training, and other administrative tasks involving employees, retirees, and their family members (spouses, permanent partners, children, parents, siblings, or other relatives and personal references).
  • Collect information for company events or communications through photo or video records including employees and family members.
  • Manage administrative procedures, provide information for social security enrollment, family compensation funds, photograph registration, and company events for minors.
  • Contact family members in case of emergencies or other relevant events.
  • Safeguard medical opinions for employee follow-up and/or procedures with the competent medical personnel of the ARL (Occupational Risk Administrator).
  • Evaluate qualifications for job positions or functions, validate academic certificates, confirm references, and communicate job openings.
  • Share personal data with temporary employment agencies in relation to labor assignments.
  • Contact via electronic, mobile, physical, or personal means, or any known or future analog/digital communication methods, to send information.
  • Manage attendance and presence at NEW STETIC facilities, health reports, and other procedures to comply with legal obligations, through electronic/physical means, digital platforms, apps, mobile devices, or any known or future communication channels.
  • Transmit personal data to national third parties.
  • Collect biometric data through recordings or surveillance systems for identification, security, and internal/external monitoring.
  • Use the employee’s image in company communication media.
  • Conduct alcohol, drug, and addiction tests prior to hiring, upon justified suspicion, and randomly when deemed necessary.
  • Perform relevant actions for job promotion and recruitment management (résumé validation, psychometric testing, background checks, and security screening).
  • Conduct home visits and pre-employment security studies.
  • Carry out due diligence in compliance systems; consult restrictive lists and public or private databases related to money laundering, terrorism financing, corruption, fraud, bribery (including transnational), and other illicit activities.

4.3. PROCESSING OF CLIENT PERSONAL DATA

The company will collect, store, and use the personal data of its clients for the following purposes:

4.4. PURPOSES – CLIENTS

  • Carry out necessary activities to fulfill the company’s corporate purpose, particularly in executing the contractual and/or commercial relationship with the data subject.
  • Send commercial, advertising, or promotional information about products and/or services via electronic means (email, SMS, WhatsApp), or by phone, including for campaigns, promotions, or contests, and inform about events organized by the company, products, requests, complaints, and to evaluate the quality of our products/services.
  • Provide contact information to the commercial force and/or distribution network, telemarketing, market research agencies, or third parties under contract with NEW STETIC S.A. to carry out such activities.
  • Contact the data subject via email, SMS, WhatsApp, or telephone for surveys, studies, and/or verification of personal data necessary to execute a contractual or commercial relationship.
  • Send loyalty or service improvement campaign news via email, SMS, WhatsApp, or telephone.
  • Send account statements or invoices related to contractual obligations and manage collections.
  • Transmit personal data to foreign third parties under a data processing agreement necessary to fulfill contractual obligations.
  • Provide services offered by NEW STETIC S.A. and accepted under contract.
  • Collect and use the client’s image in photos and videos for internal and external company events, advertising, communications, and social media.
  • Record sales of controlled substances; file complaints as victims; control the sale of acids, alkalis, and corrosive substances; manage transaction reversals under consumer protection laws; implement security protocols; and execute settlement agreements to avoid litigation, among others.

4.5. PROCESSING OF SUPPLIER PERSONAL DATA

NEW STETIC S.A. is responsible for the collection, storage, and use of its suppliers’ personal data for the following purposes:

4.6. PURPOSES – SUPPLIERS

  • Fulfill obligations arising from the legal relationship established with the supplier.
  • Maintain the supplier’s file within the organization.
  • Request the services or products provided.
  • Issue purchase orders for goods and services.
  • Evaluate performance, compliance level, and quality of services or products delivered.
  • Monitor supplier-owned vehicles (goods).
  • Send invoices, process payments, and issue certificates.
  • Register internal procedures and comply with accounting, tax, and legal obligations.
  • Request commercial references, update information, and perform internal control.
  • Rate suppliers; manage assurance (purchase orders) and conduct audits.
  • Manage indicators and provide legal advice on contracts.
  • Handle information linking contractors and their employees with NEW STETIC S.A.

4.7. PROCESSING OF PERSONAL DATA – JOB APPLICANTS

During recruitment processes, personal data is processed through collection, storage, use, circulation, transmission, updating, rectification, and deletion.

4.8. PURPOSES – JOB APPLICANTS

  • Manage recruitment and employment promotion activities (résumé validation, psychometric testing, background checks, and security screenings).
  • Conduct home visits and pre-employment security studies.
  • Consult information in restrictive lists and public or private databases related directly or indirectly to money laundering, terrorism financing, corruption, bribery, and other illicit activities.

4.9. PROCESSING OF PERSONAL DATA – TEMPORARY STAFF

Although temporary workers are not employees of NEW STETIC S.A., the fact that they are present at the company’s premises subjects them to the collection, storage, use, circulation, transmission, updating, rectification, and deletion of their data for specific purposes.

4.10. PURPOSES – TEMPORARY STAFF

  • Collect information for internal communications or events via photo or video records, including family members and minors.
  • Collect biometric data through recordings or video surveillance for identification, security, and internal/external monitoring, as well as for identification badges.
  • Contact via electronic, mobile, physical, or personal means, or any current or future analog/digital communication method, for attendance and presence control and the distribution of general information.
  • Contact family members in case of emergencies or other relevant events.
  • Conduct home visits and security assessments according to BASC guidelines.
  • Perform due diligence in compliance systems; consult restrictive lists and public or private databases related to money laundering, terrorism financing, corruption, fraud, bribery (including transnational), and other illicit activities.

4.11. PROCESSING OF PERSONAL DATA – VISITORS

Visitors are registered at the company’s entrance for the purpose of access registration and control, which may involve the collection, storage, and use of their personal data.

4.12. PURPOSES – VISITORS

  • Identify and verify visitor information, manage security controls, register entry and exit, and perform administrative tasks.
  • Send communications and make contact through registered electronic means.
  • Contact via electronic, mobile, physical, or personal means, or any current or future analog/digital communication method, to manage attendance and presence at the facilities and to send general information about NEW STETIC S.A.

5. PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA

For the appropriate application of the law, the following principles must be fundamentally upheld:

Principle of Purpose:

The purpose of data processing must comply with a legitimate aim in accordance with the Constitution and the Law. The data subject must be informed of this purpose.

Principle of Legality in Data Processing:

Data processing is a regulated activity and must conform to the provisions of the law and all applicable regulations.

Principle of Freedom:

Data may only be processed with the prior, express, and informed consent of the data subject. The collection and disclosure of personal data without prior authorization is prohibited, except in cases of legal or judicial orders that waive the requirement for consent.

Principle of Veracity or Quality:

Data subject to processing must be truthful, complete, accurate, updated, verifiable, and understandable. Partial, incomplete, fragmented data or data that may lead to error shall not be processed.

Principle of Transparency:

The data controller or data processor must guarantee the data subject unrestricted access to information regarding the existence of their personal data. The data subject must be clearly and expressly informed, and proof of compliance with this duty must be retained. This includes:

  • The purpose for which the data will be processed.
  • The optional nature of the data subject’s responses when such information involves sensitive data or data relating to children or adolescents.
  • The rights held by the data subject.
  • The identity, physical address, email, and telephone number of the data controller.

Principle of Restricted Access and Circulation:

Personal data processing may only be performed by individuals authorized by the data subject and/or those permitted under Law 1581 of 2012. Processing is subject to the limitations inherent to the nature of personal data, as established by the Constitution and applicable laws. Personal data, except for public information, shall not be made available on the internet or through mass communication channels, unless access is technically controlled and restricted to the data subject or third parties authorized under the law.

Principle of Security:

Information processed by NEW STETIC S.A. or by the data processor must be protected through technical, human, and administrative measures to ensure the security of records and to prevent tampering, loss, unauthorized access, or fraudulent use. The company will ensure that all applicable security measures are implemented and communicated to all individuals who have direct or indirect access to the data. Users accessing NEW STETIC S.A.’s information systems must understand and comply with the security policies relevant to their duties. These policies are detailed in the Internal Security Manual, which is mandatory for all users and company personnel. Any changes to personal data security measures by the data controller must be communicated to users.

Principle of Confidentiality:

All individuals involved in the processing of personal data that are not considered public are obligated to maintain the confidentiality of the information, even after their relationship with any activity related to the processing has ended. Disclosure or communication of personal data is only permitted when it is necessary for the development of authorized activities in accordance with the law and under the terms of the same.

6. RIGHTS OF THE DATA SUBJECTS

The following are the rights of individuals whose personal data is being processed, which may be exercised at any time as established in Law 1581 of 2012:

  • Right to know, update, and rectify their personal data with the Data Controller or Data Processor. This right may be exercised, among others, in cases of partial, inaccurate, incomplete, misleading data, or data whose processing is expressly prohibited or has not been authorized.
  • Right to request proof of the authorization granted to the Data Controller, except when such authorization is not required according to Article 10 of Law 1581 of 2012.
  • Right to be informed by the Data Controller or Data Processor, upon request, regarding the use of their personal data.
  • Right to file complaints with the Superintendence of Industry and Commerce for violations of the law and other regulations that modify, add to, or complement it.
  • Right to revoke the authorization and/or request the deletion of the data when the processing does not respect constitutional and legal principles, rights, and guarantees. The revocation and/or deletion will proceed when the Superintendence of Industry and Commerce has determined that the Data Controller or Processor has engaged in conduct contrary to the law and the Constitution.
  • Right to free access to their personal data that has been processed.

6.1. THESE RIGHTS MAY BE EXERCISED BY:

  • The data subject, who must sufficiently prove their identity by the means provided by NEW STETIC S.A.
  • The successors of the data subject, who must prove this status.
  • The legal representative and/or attorney of the data subject, upon presentation of proof of representation or power of attorney.
  • Another party acting on behalf of the data subject, upon presentation of the data subject’s express authorization.

6.2. RIGHTS OF CHILDREN AND ADOLESCENTS

The processing of personal data of children and adolescents is not permitted, except when the data is of a public nature, and when the processing meets the following criteria:

  • It serves and respects the best interests of the child or adolescent.
  • It ensures respect for their fundamental rights.

The legal representative of the child or adolescent must provide authorization, following the minor’s exercise of their right to be heard. The opinion of the minor shall be considered in accordance with their maturity, autonomy, and ability to understand the matter, after fulfilling the above requirements.

7. AUTHORIZATION OF THE DATA SUBJECT

In order to lawfully process personal data, NEW STETIC requires the prior, express, and informed authorization of the data subject. This authorization must be obtained by any means that allows subsequent consultation, without prejudice to the exceptions provided by law. These mechanisms may include predetermined technical means that allow the data subject to express their consent in an automated manner.

7.1. AUTHORIZATION SHALL BE VALID IF IT IS OBTAINED:

  • In writing.
  • Through unequivocal conduct by the data subject that reasonably indicates that they have granted authorization.

7.2. AUTHORIZATION FROM THE DATA SUBJECT IS NOT REQUIRED IN THE FOLLOWING CASES:

  • When the information is requested by a public or administrative authority in the exercise of its legal functions, or by court order.
  • When the data is of public nature.
  • In medical or health emergencies.
  • When the processing is authorized by law for historical, statistical, or scientific purposes.
  • When the data is related to the Civil Registry of Persons.

When personal data is delivered to a public or administrative authority, a record of the delivery shall be kept, and both the requesting official and the requesting entity shall be informed of their obligation to guarantee the rights of the data subject.

Anyone who accesses personal data without prior authorization must still comply with the provisions of the applicable law.

8. DUTY TO INFORM THE DATA SUBJECT

When authorization is requested to process personal data, NEW STETIC, as the data controller, must clearly and explicitly inform the data subject of the following:

  • The processing to which their personal data will be subjected and the purpose of such processing.
  • That responding to questions regarding sensitive data, or data about children and adolescents, is optional.
  • The rights available to the data subject.
  • The identity, physical or electronic address, and telephone number of the data controller.

In all cases, it is essential to keep evidence of compliance with the above requirements. If requested by the data subject, a copy of this information must be provided.

9. PERSONS TO WHOM INFORMATION MAY BE PROVIDED

NEW STETIC may provide personal data to third parties, provided the conditions established by Law 1581 of 2012 are met:

  • To the data subjects, their successors, or their legal representatives.
  • To public or administrative entities in the exercise of their legal functions, or by court order.
  • To third parties authorized by the data subject or by law.

10. RIGHT OF ACCESS AND INQUIRY

  • Data subjects or their successors may consult the personal information held by NEW STETIC in any of its databases. The Data Controller or Data Processor must provide all information contained in the individual record or that is linked to the identification of the data subject.
  • The inquiry must be submitted through the channels provided by the company in a way that maintains proof of the request.
  • The inquiry will be addressed within a maximum period of ten (10) business days from the date of receipt. If it is not possible to respond within that time frame, the requester will be informed of the reasons for the delay and the date on which the inquiry will be addressed, which may not exceed five (5) additional business days after the original deadline.

10.1. RIGHT TO COMPLAINTS AND CLAIMS

If the data subject or their successors believe that the information contained in a database should be corrected, updated, or deleted, or if they identify a possible breach of data protection regulations, they may file a claim with NEW STETIC, which will be processed in accordance with the following rules:

  • The claim must be submitted in a request addressed to the company, including the identification of the data subject, a description of the facts that give rise to the claim, a contact address, and any supporting documents. If the claim is incomplete, the company will request that the applicant provide the missing information within five (5) business days of receiving the claim. If two (2) months pass from the date of the request without the applicant providing the required information, it will be understood that the claim has been withdrawn.
  • If the person who receives the claim is not competent to resolve it, they must forward it to the appropriate party within two (2) business days, and notify the applicant of the situation.
10.2. EXERCISE OF DATA SUBJECT RIGHTS

10.2.1. RIGHT OF ACCESS

  • Data subjects have the right to access their personal data that is being processed, free of charge, as well as to know the purpose and use that has been given to such data by the Data Controller.

11. PROCEDURE FOR ADDRESSING DATA SUBJECTS’ RIGHTS

11.1. INQUIRY PROCEDURE

Data subjects or their legal representatives may submit inquiries to NEW STETIC regarding their personal information. These inquiries must be made through the channels designated by the company and must include the necessary identification of the data subject.

The inquiries will be answered within a maximum of ten (10) business days from the date of receipt. If it is not possible to respond within that time frame, the requester will be informed of the reason for the delay and given a new response date, which shall not exceed five (5) additional business days after the expiration of the initial period.

11.2. PERSON RESPONSIBLE FOR HANDLING INQUIRIES

NEW STETIC has designated personnel responsible for handling and responding to all inquiries related to the processing of personal data. These individuals must ensure that all responses are provided clearly, accurately, and within the established timeframes, and that they are supported by documentation that proves compliance with legal obligations.

11.3. RESPONSE TIMEFRAMES FOR INQUIRIES

The maximum period to respond to inquiries is ten (10) business days from the date they are received. If it is not possible to respond within that period, the data subject will be informed of the reasons for the delay and of the new response date, which shall not exceed five (5) additional business days.

11.4. EXTENSION OF RESPONSE DEADLINE

When it is necessary to extend the response deadline, NEW STETIC will inform the requester within the initial ten (10) business days, stating the reasons and specifying a new date for the response, which may not exceed five (5) additional business days.

12. CLAIMS PROCEDURE

When the data subject or their successors believe that the information contained in a database should be corrected, updated, or deleted, or if they observe a possible breach of legal obligations, they may file a claim with NEW STETIC. This claim will be processed under the following rules:

  1. The claim must be submitted through a written request addressed to the company, clearly identifying the data subject, providing a description of the facts that give rise to the claim, a contact address, and attaching the documents that are intended to support the claim.
  2. If the claim is found to be incomplete, the company will request the missing information from the claimant within five (5) business days of receipt of the claim. If two (2) months pass from the date of the request without the required information being provided, the claim will be considered withdrawn.
  3. If the person receiving the claim is not competent to resolve it, they must transfer it to the appropriate party within two (2) business days and inform the claimant accordingly.

12.1. RIGHTS GUARANTEED THROUGH THE CLAIMS PROCEDURE

This procedure ensures the data subject’s right to:

  • Request the correction, update, or deletion of their personal data.
  • Request a review in cases of presumed non-compliance with data protection laws.
  • Be informed of the status and result of their claim in a timely and accurate manner.

12.2. MINIMUM INFORMATION REQUIRED IN CLAIMS

All claims submitted by the data subject or their legal representatives must include, at a minimum, the following information:

  • Full name and identification of the data subject.
  • Description of the facts giving rise to the claim.
  • Specific request, such as correction, update, deletion, or clarification.
  • Contact address, including physical and/or electronic means for notifications.
  • Supporting documents, when applicable.
  • If acting through a legal representative or attorney, proof of such representation must be attached.

If any of the required information is missing, NEW STETIC will request that the claimant correct or complete the submission within five (5) business days of receiving it. If the claimant does not respond within two (2) months, the claim will be considered withdrawn.

13. RIGHT TO UPDATE, RECTIFY, AND DELETE DATA

The data subject has the right, at any time, to request the update, correction, or deletion of their personal data held by NEW STETIC S.A., particularly when:

  • The data is partial, inaccurate, incomplete, misleading, or when its processing is expressly prohibited or not authorized.

The deletion of personal data shall not proceed when:

  • There is a legal or contractual obligation to retain the data.
  • The data must be preserved to safeguard the public interest or for the exercise of legal or administrative functions.
  • The data is required for judicial or administrative proceedings that are ongoing.

If deletion is not possible due to one of the above reasons, NEW STETIC S.A. will inform the data subject in writing and justify the grounds for refusing the deletion request.

14. SPECIAL CATEGORIES OF DATA

14.1. SENSITIVE DATA

Sensitive data is defined as any information that affects the privacy of the data subject or whose misuse could lead to discrimination, including, but not limited to: racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social or human rights organizations, health data, sex life, and biometric data.

In accordance with applicable regulations, NEW STETIC S.A. may process sensitive data only when:

  • The data subject has explicitly authorized such processing.
  • The processing is required by law.
  • The data is necessary to safeguard the vital interests of the data subject and the data subject is physically or legally incapable of giving consent.
  • The data is related to medical procedures, provided that such processing is carried out by a health professional subject to professional secrecy.
  • The data is required for the recognition, exercise, or defense of a right in a judicial proceeding.

14.1.1. PROCESSING OF SENSITIVE DATA – EMPLOYEES

The company may process sensitive data of employees exclusively for the purposes of:

  • Occupational health monitoring and compliance with labor, social security, and risk prevention laws.
  • Evaluation of health conditions that may impact the performance of their duties.
  • Administration of benefits, subsidies, and employment-related programs.

14.1.2. PROCESSING OF SENSITIVE DATA – CLIENTS

Sensitive data of clients will be processed only when:

  • Necessary for the provision of services or compliance with legal obligations.
  • It involves the recording of health conditions required for proper product use or for providing adequate advice on their application or contraindications.

14.1.3. PROCESSING OF SENSITIVE DATA – VISITORS

Sensitive data such as biometric recordings (photos, videos, fingerprints) may be collected for purposes of security and access control to the company’s facilities.

14.1.4. PROCESSING OF SENSITIVE DATA – OUTSOURCED STAFF

In the case of mission or outsourced staff, sensitive data may be processed under the same purposes established for employees, and when necessary for the development of their duties within the company’s facilities.

14.1.5. PROCESSING OF BIOMETRIC SENSITIVE DATA

Biometric data such as fingerprints, facial recognition, and other physical identifiers will be collected and processed for:

  • Identification and authentication of individuals accessing the company.
  • Monitoring and control of work schedules, attendance, and physical access.
  • Internal and external security protocols, including video surveillance systems.

15. DATA SUBJECT ASSISTANCE

NEW STETIC S.A. has designated responsible personnel and established communication channels to address all requests, inquiries, complaints, and claims related to the processing of personal data.

Data subjects may exercise their rights to access, update, rectify, delete, and revoke consent through the following contact information:

Physical Address: Carrera 53 # 50 – 09 in Guarne, Antioquia

Email Address: [email protected]

The company will ensure that all requests are handled in a timely, clear, and complete manner, in accordance with the provisions of Law 1581 of 2012 and other applicable regulations.

16. DUTIES OF NEW STETIC AND DATA PROCESSORS IN DATA PROCESSING

NEW STETIC S.A., in its capacity as data controller, and any third parties acting as data processors, must comply with the duties established by Law 1581 of 2012 and its regulatory decrees.

16.1. DUTIES OF NEW STETIC

NEW STETIC S.A. shall:

  • Ensure that the data subject is informed of the purpose and processing to which their personal data will be subjected.
  • Maintain a record of the authorization granted by the data subject, when required.
  • Guarantee the data subject’s rights to access, rectification, updating, and deletion.
  • Retain proof of compliance with informative and consent obligations.
  • Update the data in a timely manner, and communicate any modifications to third parties to ensure information consistency.
  • Rectify incorrect or incomplete data and notify any corrections to authorized third parties.
  • Implement security measures to protect personal data against unauthorized or fraudulent access, loss, or alteration.
  • Notify the data protection authority in case of security breaches that pose a risk to data subjects.
  • Use data only for authorized purposes, in accordance with the law and the data subject’s consent.
  • Ensure that the data processors comply with the same obligations outlined in this policy and in the law.
  • Register the databases in the National Database Registry, when applicable.
  • Respect the conditions for processing sensitive data and data of minors, as established by law.

16.2. DUTIES OF DATA PROCESSORS

Any individual or entity that processes personal data on behalf of NEW STETIC S.A. shall:

  • Process personal data in accordance with the instructions provided by NEW STETIC.
  • Use the data only for the authorized and contracted purposes.
  • Refrain from using the data for personal benefit or purposes not authorized by NEW STETIC.
  • Maintain the confidentiality of personal data at all times.
  • Implement technical, administrative, and organizational measures to safeguard the data.
  • Ensure that only authorized personnel have access to personal data.
  • Assist NEW STETIC in responding to requests, complaints, or claims from data subjects.
  • Delete or return the data once the contractual relationship ends or the purpose of processing has been fulfilled.
  • Promptly inform NEW STETIC of any incidents or breaches related to the data.

17. SECURITY MEASURES

NEW STETIC S.A. adopts technical, human, and administrative measures necessary to guarantee the security of personal data and prevent its alteration, loss, unauthorized access, or fraudulent use.

These measures include, but are not limited to:

  • Access controls to physical and digital environments, allowing only authorized personnel to handle personal data.
  • Implementation of information security protocols, both internal and external.
  • Adoption of risk mitigation strategies, including internal audits, vulnerability assessments, and staff training.
  • Storage of information in secure environments, using encryption, authentication mechanisms, and restricted access policies.
  • Constant monitoring of technological tools used for the collection, storage, and processing of personal data.
  • Application of periodic reviews to ensure continued compliance with data protection regulations.

All users who have access to NEW STETIC’s information systems must know and comply with the company’s security policies, as established in the Internal Security Manual, which is mandatory for all employees and third parties.

Any modification to the policies or security measures for personal data must be communicated to all involved personnel and properly documented.

18. PERSONAL DATA INCIDENT MANAGEMENT

NEW STETIC S.A. has established internal procedures for the identification, reporting, management, and resolution of any security incidents involving personal data.

In the event of an incident such as loss, theft, unauthorized access, disclosure, alteration, or destruction of personal data, the company shall:

  • Immediately contain and assess the impact and scope of the incident.
  • Notify the data protection authority (Superintendence of Industry and Commerce) when the incident poses a significant risk to data subjects’ rights and freedoms.
  • Inform affected data subjects, when applicable, indicating the nature of the incident, the data involved, and the actions taken.
  • Maintain a log of all incidents, which will include the date of occurrence, description, affected systems or data, measures taken, and final resolution.
  • Conduct an internal investigation to identify root causes and define preventive or corrective actions.
  • Reinforce security protocols and train staff when necessary to avoid recurrence.

The incident management process shall be carried out by the data protection officer or designated personnel responsible for data security, in coordination with the company’s legal and IT departments.

19. RISK MANAGEMENT RELATED TO DATA PROCESSING

NEW STETIC S.A. is committed to identifying, evaluating, and managing the risks associated with the processing of personal data in order to protect the rights and freedoms of data subjects.

To this end, the company has established a Risk Management System that includes:

  • Identification of potential threats that may affect the confidentiality, integrity, or availability of personal data.
  • Assessment of the likelihood and impact of such risks, using objective and documented criteria.
  • Implementation of controls and mitigation measures proportional to the level of risk identified.
  • Continuous monitoring and review of risk factors related to data processing activities.
  • Training and awareness programs for employees and third parties with access to personal data.
  • Inclusion of data protection risk analysis in the planning and implementation of new processes, technologies, or services that involve personal data.

The company ensures that risk management is an ongoing and integral part of its data protection program, aligned with legal requirements and best practices in information security.

20. DATA TRANSFERS TO THIRD COUNTRIES

NEW STETIC S.A. may transfer personal data to other countries only when the receiving country provides adequate levels of data protection, in accordance with the standards established by Colombian law and the competent data protection authority.

The company may carry out international data transfers in the following cases:

  • When the data subject has expressly authorized the transfer.
  • When the transfer is necessary for the performance of a contract between the data subject and NEW STETIC S.A., or for the execution of pre-contractual measures at the request of the data subject.
  • When the transfer is required or legally authorized by a public authority in the exercise of its legal duties.
  • When the transfer is made to countries that provide adequate levels of protection as recognized by the Superintendence of Industry and Commerce.
  • When there is a contractual agreement with the receiving party that ensures compliance with data protection obligations equivalent to those established in Colombian legislation.

All international data transfers made by NEW STETIC S.A. will be carried out with appropriate safeguards and subject to prior due diligence, ensuring that the rights of the data subjects are respected and protected at all times.

21. NATIONAL DATABASE REGISTRY

NEW STETIC S.A. complies with the obligation to register its databases containing personal data in the National Database Registry (RNBD), as established by Law 1581 of 2012 and regulated by the Superintendence of Industry and Commerce.

The registration includes:

  • The identification and classification of each database under NEW STETIC’s responsibility.
  • The type of personal data contained in each database (public, private, sensitive, etc.).
  • The purposes of data processing.
  • The location and means of storage.
  • The security measures adopted to ensure the protection of personal data.
  • The designation of the person or area responsible for data processing within the company.

NEW STETIC S.A. ensures that the information recorded in the RNBD is updated, truthful, and complete, and will report any significant changes in accordance with the terms and deadlines established by law.

22. PROTECTION, SECURITY, AND CONFIDENTIALITY OF INFORMATION AND PERSONAL DATA

NEW STETIC S.A. is committed to ensuring the protection, security, and confidentiality of all information and personal data in its custody, in accordance with current legal standards and internal policies.

To this end, the company guarantees that:

  • The collection, use, storage, and deletion of personal data are carried out under strict security protocols that prevent unauthorized access, alteration, loss, or disclosure.
  • The data is stored in secure environments, whether physical or digital, using tools such as encryption, access controls, authentication systems, and monitoring mechanisms.
  • All individuals who have access to personal data—whether employees, contractors, or third parties—are bound by strict confidentiality agreements and security procedures.
  • The use of personal data is limited to the purposes authorized by the data subject and outlined in this policy.
  • There are procedures in place for managing security incidents, breaches, or suspected misuse, ensuring immediate corrective actions and appropriate reporting to authorities when applicable.
  • The company promotes a culture of privacy and security, which includes continuous training and internal audits to ensure compliance with data protection standards.

23. SCOPE OF APPLICATION

This policy applies to all databases and/or files that contain personal data and that are subject to processing by NEW STETIC S.A., in its capacity as data controller or data processor, as applicable.

It covers:

  • All areas, departments, and employees of NEW STETIC S.A. who participate in the collection, use, storage, or any other activity involving personal data.
  • All natural persons whose personal data is collected and processed by the company, including but not limited to: employees, customers, suppliers, job applicants, contractors, visitors, and temporary staff.
  • All manual or automated systems used for the processing of personal data.
  • All third parties acting on behalf of NEW STETIC S.A. who access or process personal data under contractual agreements.

Compliance with this policy is mandatory for all individuals involved in the processing of personal data within the organization.

24. TERM OF VALIDITY

This policy becomes effective as of its date of publication and shall remain in force for an indefinite period, or until a new version is issued that expressly repeals or replaces it.

The personal data processed by NEW STETIC S.A. will be retained only for the time necessary to fulfill the purposes for which it was collected, or as required to comply with legal, contractual, or regulatory obligations. The company will regularly review and update this policy to ensure its alignment with applicable legislation, technological changes, and best practices in personal data protection.

This data processing policy has been in effect since November 2, 2016, and was updated on May 27, 2025.