Data processing policy

POLICY FOR THE PROTECTION AND TREATMENT OF PERSONAL DATA EDUCATIONAL FOUNDATION GYMNASIUM LOS CAOBOS — CHÍA, C/MARCA.

This document contains a description of the personal data treatment and protection policies that must be applied by the entities of the LOS CAOBOS GYMNASIUM EDUCATIONAL FOUNDATION, hereinafter THE GYMNASIUM, in accordance with the provisions of data protection regulations in Colombia.

LEGAL FRAMEWORK
• Political Constitution, Article 15.
• Law 1581 of 2012.
• Regulatory Decrees 1377 of 2013 and 886 of 2014.
• Decree 090 of January 18, 2018
• Constitutional Court Jurisprudence.
• Concepts of the Superintendency of Industry and Commerce of Colombia.

FIRST CHAPTER I: PRELIMINARY ASPECTS
1.1 INTRODUCTION
On October 18, 2012, the Congress of the Republic of Colombia issued Statutory Law 1581 of 2012, which “dictates general provisions for the protection of personal data”. By virtue of the above-mentioned Act, the obligation was established for entities (natural persons, legal persons of a public or private nature) that carry out processing on Databases, to adopt treatment policies as responsible and responsible for the personal data registered in the databases.

Since the above-mentioned Act constitutes the general framework for the protection of personal data in Colombia and in order to facilitate its implementation and compliance, Decree 1377 of 2013 was issued, which partially regulates Law 1581 of 2012 in aspects related to database processing and other matters that complement it, as well as Decree 886 of 2014.

For the effective development of its educational objective, the GYMNASIUM requires personal data, which are stored in its databases, which in turn are subject to the regulations that regulate the subject.

Therefore, it is of great importance to comply with current legislation on data protection, creating this policy, which will be applicable to all databases managed by EL GIMNASIO.

1.2 GLOSSARY

a. Authorization: Prior, express and informed consent of the Owner to carry out the processing of personal data;

b. Database: Organized set of personal data that is subject to Treatment;

c. Personal data: Any information linked to or that you can associate is one or more specific or determinable natural persons. For example, identity document, place of birth, marital status, age, place of residence, academic, work, or professional background. There is also more sensitive information, which is also personal data, such as the state of health, your physical characteristics, political ideology, sexual life, among other aspects.

d. Data Processor: Natural or legal person, public or private, who, on their own or in association with others, carries out the processing of personal data on behalf of the Data Controller;

and. Data Controller: Natural or legal person, public or private, who, on their own or in association with others, decides on the database and/or data processing;

f. Owner: Natural person whose personal data are subject to processing;

g. Treatment: Any operation or set of operations on personal data, such as collection, storage, use, circulation or pressure.

1.3 POLICY OBJECTIVES

The GIMNASIUM's premise is that the processing carried out on information organized in databases must be carried out in an appropriate manner, in order to guarantee the processing of personal data that protects the fundamental rights of the owners of the information.

In this document, holders of personal data that are subject to processing by EL GIMNASIO will find the legal and corporate guidelines under which their data and personal information will be processed, the purposes, their rights as owner, as well as the procedures established for the exercise of such rights.

The GYM understands data protection as all those necessary measures that must be taken, both physically, technically and legally, to ensure that data stored in databases is completely secure, complying with the laws that regulate the matter.

1.4 SCOPE OF APPLICATION

This policy will cover personal data, information and files registered in the EL GIMNASIO Databases, which are susceptible to processing, by virtue of contractual or service relationships maintained or that have been maintained between the owners of the information and the School, including students, student managers, workers, contractors, suppliers, etc.

SECOND CHAPTER II: PRINCIPLES 2.1

The GYM will apply the principles set out below, which constitute the rules to be followed in the collection, management, use, treatment, storage and exchange of personal data:

a. Principle of legality: In the use, capture, collection and processing of personal data, the current and applicable provisions governing the processing of personal data and other related fundamental rights will apply.

b. Principle of freedom: The use, capture, collection and processing of personal data can only be carried out with the prior, express and informed consent of the Owner. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal, statutory, or judicial mandate to relieve consent.

c. Principle of purpose: The use, capture, collection and processing of personal data to which you have access and are collected and collected by THE GYMNASIUM, will be subordinate to and will serve a legitimate purpose, which must be informed to the respective owner of the personal data.

d. Principle of veracity or quality: Information subject to the use, capture, collection and processing of personal data must be true, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fractional or misleading data is prohibited.

and. Principle of transparency: In the use, capture, collection and processing of personal data, the right of the Owner to obtain from EL GIMNASIO, at any time and without restrictions, information about the existence of any type of information or personal data that is of interest or ownership must be guaranteed.

f. Principle of access and restricted circulation: Personal data, with the exception of public information, may not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to the Owners or authorized third parties. For these purposes, the obligation of THE GYMNASIUM shall be of a half.

g. Security principle: Personal data and information used, captured, collected and subject to processing by EL GIMNASIO, will be protected to the extent that technical resources and minimum standards allow it, through the adoption of technological protection measures, protocols, and all types of administrative measures that are necessary to provide security to electronic records and repositories, avoiding their adulteration, modification, loss, consultation, and in general against any unauthorized use or access.

h. Principle of confidentiality: Each and every person who manages, manages, updates or has access to information of any kind found in Databases, undertakes to keep and keep in a strictly confidential manner and not to disclose it to third parties, all personal, commercial, accounting, technical, or any other type of information provided in the execution and exercise of their functions.

THIRD CHAPTER III: AUTHORIZATIONS

3.1 WAY TO OBTAIN AUTHORIZATION

Notwithstanding the exceptions provided by law, the processing requires the prior, express and informed authorization of the owner, which must be obtained by any means that may be subject to subsequent consultation and verification.

The authorization will be understood to meet these requirements when it is expressed (i) in writing, (ii) orally or (iii) through unambiguous conduct on the part of the owner that allows us to reasonably conclude that the authorization was granted. In no case can silence be assimilated to unambiguous behavior.

3.2 CASES WHERE AUTHORIZATION IS NOT NECESSARY

The authorization of the owner will not be necessary when it comes to:

· Delivery of information required by a public or administrative entity in the exercise of its legal functions or by court order.

· Data processing of a public nature.

· Treatment in other events provided for in Law 1581 of 2012 or its regulatory decrees.

3.3 REVOCATION OF AUTHORIZATION

The Data Controllers may at any time request the person responsible or processor to delete their personal data and/or revoke the authorization granted for the processing of the same, by filing a complaint, in accordance with the provisions of article 15 of Law 1581 of 2012.

The request to delete the information and the revocation of the authorization will not proceed when the Owner has a current legal or contractual duty to remain in the database.

FOURTH CHAPTER IV: RIGHTS OF THE OWNERS

4.1 PEOPLE EMPOWERED TO EXERCISE THE RIGHTS

The rights of the owners of the information may be exercised by the following persons:

· By the Owner, who must prove his identity sufficiently by the various means made available to him by the person responsible.

· For their cause in law, who must prove such quality.

· By the representative and/or agent of the Owner, after accreditation of the representation or power of attorney.

· By stipulation in favor of another or for another.

4.2 LIST OF RIGHTS OF THE OWNER OF THE INFORMATION

Notwithstanding the provisions of the law, the owners shall have the following rights:

a. The owners of the information may access the personal data that are under the control of EL GIMNASIO when acting as responsible for the information, and exercise their rights over them. The owner may consult their personal data free of charge.

b. When required by the Owner or when THE GYMNASIUM as Responsible has been able to warn it, it may request information, update or rectification of the data contained in the databases, in such a way that it meets the purposes of the treatment.

c. Go, without any limitation, to the person or area designated by THE GYMNASIUM, who assumes the function of contact in matters of personal data.

d. Request proof of the authorization granted, when such authorization is required in accordance with the provisions of Law 1581 of 2012.

and. Go to the supervisory authority to file complaints for violations of the rules on the processing of personal data, once the relevant procedure before THE GYMNASIUM has been exhausted.

4.5 PRIVACY NOTICE

The privacy notice through which EL GIMNASIO will inform the owners of the existence of the information processing policies that will apply to them, the way to access them and the purpose of the treatment they intend to give to their personal data, will be published on the institution's website permanently.

CHAPTER FIVE V: DUTIES

5.1 DUTIES OF THE GYM WHEN ACTING AS A DATA CONTROLLER

THE GYMNASIUM, when acting as Responsible for the Processing of Personal Data, will fulfill the following duties:

a. Guarantee the Owner, at all times, the full and effective exercise of the right to habeas data.

b. Request and keep a copy of the respective authorization granted by the owner.

c. Duly inform the owner about the purpose of the collection and the rights granted to him by virtue of the authorization granted.

d. Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access.

and. Ensure that the information provided to the data processor is true, complete, accurate, updated, verifiable and understandable.

f. Update the information, informing the data processor in a timely manner, of all the news regarding the data you have previously provided and take the other necessary measures to keep the information provided to the data controller up to date.

g. Rectify the information when it is incorrect and communicate the pertinent thing to the person in charge of the treatment.

h. Provide the Data Processor, as the case may be, only data whose Processing is previously authorized.

i. Require the Data Processor, at all times, to respect the security and privacy conditions of the Data Controller's information.

j. Process inquiries and complaints made.

k. Inform the Data Processor when certain information is under discussion by the Data Controller, once the complaint has been submitted and the respective procedure has not been completed.

l. Inform at the request of the Owner about the use given to their data.

m. Inform the data protection authority when there are violations of security codes and there are risks in the management of the information of the Holders.

CHAPTER 6 VI: PERSON OR AREA RESPONSIBLE FOR DEALING WITH REQUESTS, INQUIRIES AND COMPLAINTS

6.1 ENABLED CHANNELS

When the owner considers that the information contained in the database must be corrected, updated or deleted, or when they notice the alleged breach of any of the duties contained in Law 1581 of 2012, they may exercise their rights and file a complaint with THE GYMNASIUM at the facilities located in the village of la balsa, via Guaymaral, Chía -Cundinamarca. Email: glcaobos@gmail.com rectoria@gimnasioloscaobos.com Phone: 0318611166.

CHAPTER SEVEN VII: PROCEDURE FOR INFORMATION HOLDERS TO EXERCISE THEIR RIGHTS TO KNOW, UPDATE, RECTIFY AND DELETE INFORMATION AND REVOKE AUTHORIZATION.

7.1 PROCEDURE

The Owner or his dependants who consider that the information contained in a database must be corrected, updated or deleted, or when they notice the alleged breach of any of the duties contained in the law, may file a complaint with the Data Controller or the Data Processor, which will be processed under the following rules:

1. The complaint will be made by means of a request addressed to the Data Controller or the Data Processor, with the identification of the Data Controller, the description of the facts giving rise to the complaint, the address, and accompanying the documents that you want to assert. If the complaint is incomplete, the interested party will be required within five (5) days of receiving the complaint to remedy the flaws. After two (2) months from the date of the request, without the applicant submitting the required information, it will be understood that he has withdrawn the claim. In the event that whoever receives the complaint is not competent to resolve it, they will send it to the appropriate party within a maximum period of two (2) business days and will inform the interested party of the situation.

2. Once the complete claim has been received, a legend that says “pending claim” and the reason for the claim will be included in the database, within a period not exceeding two (2) business days. This legend must be kept until the claim is decided.

3. The maximum period for dealing with the claim will be fifteen (15) business days from the day following the date of its receipt. When it is not possible to deal with the claim within that period, the interested party will be informed of the reasons for the delay and the date on which their claim will be dealt with, which in no case may exceed eight (8) business days following the expiration of the first term.

CHAPTER 8: USE OF PERSONAL DATA.

8.1 USE OF PERSONAL DATA

According to article 15 of the Political Constitution of Colombia, all people have the right to know, update and rectify the information that is held about them in data centers. At EL GIMNASIO, we have a special regulation on the Protection of the Data of our clients, and we define institutional processes that seek to guarantee trust, security and quality in the use of information. For this purpose, the institution receives, records, keeps, modifies, reports, consults, delivers, shares and removes information with the authorization of the owner of the same. Data allows us to provide and provide product and service information to consult, report and update information to information operators; update the status of contractual relationships, comply with agreed obligations, prevent the risk of money laundering and terrorist financing, control the school transport service, provide information to insurance companies about insurance taken by customers, monitor the safety of our customers through a closed circuit system, work on marketing issues and advertising with our strategic partners, nourishing our web portal with the information necessary for its correct application, and providing the authorities with the information they require for the provision of educational services on platforms such as SIMAT, among others.

All of the above, while respecting the right to “habeas data” of which our associates are the owners, and strengthening relationships with our suppliers through confidentiality agreements and information security clauses.

NINTH CHAPTER: VALIDITY.

8.1 DATE OF ENTRY INTO FORCE OF THE PERSONAL DATA PROTECTION AND PROCESSING POLICIES.

This policy is effective as of February Eleven (11), 2019.