AV-01 Privacy Notice

In compliance with Statutory Law 1581 of 2012 on Data Protection (LEPD) and related regulations, this Privacy Notice aims to inform the Data Subject about the processing to which the data stored in our databases will be subjected and to indicate whether they will be subject to transmission and/or transfer to third parties. The conditions of the processing are as follows:

OGA SISTEMVAC SAS, identified with NIT No. 830015534, will be responsible for the processing of your personal data. So that you can receive comprehensive attention as a client or supplier, the collected personal data will be processed for the following purposes: historical, scientific, or statistical purposes, internal statistical management, customer management, historical records of commercial relationships, marketing, opinion surveys, commercial prospecting, and self-advertising.

It is optional to provide information related to Sensitive Data, understood as those that affect privacy or generate any type of discrimination, or information about minors.

The Data Subject’s data processing policy, as well as substantial changes that occur in it, can be consulted at the following email address: protecciondedatos@oga.com.co.

This website does not use cookies or web bugs to collect users’ personal data; their use is limited to facilitating the user’s access to the website. Session cookies, which are not permanently stored on the user’s device and disappear when the browser is closed, are used solely to collect technical information that identifies the session, with the purpose of facilitating secure and efficient access to the website and providing better service on the page.

The Data Subject can exercise the rights of access, correction, deletion, revocation, or complaint for infringement of their data by sending a written request to OGA SISTEMVAC SAS at the email address protecciondedatos@oga.com.co, indicating the right they wish to exercise; or by regular mail sent to CRA 70 # 19 – 59, BOGOTÁ D.C., BOGOTÁ.

CL-02 Web Consent Clause

In accordance with Statutory Law 1581 of 2012 on Data Protection and related regulations, the user is informed that the data provided in this form will be included in a database under the responsibility of OGA SISTEMVAC SAS, and will be processed for administrative management, marketing, and commercial prospecting purposes.

It is optional to provide information related to Sensitive Data, understood as those that affect privacy or generate any type of discrimination, or information about minors.

The Data Subject’s data processing policy, as well as substantial changes that occur in it, can be consulted through the following email address: protecciondedatos@oga.com.co. Similarly, it will be kept updated on the entity’s website, whose address is http://www.oga.com.co.

You can exercise the rights of access, correction, deletion, revocation, or complaint for infringement of data by sending a written request to OGA SISTEMVAC SAS, to the email address protecciondedatos@oga.com.co, indicating the right you wish to exercise, or by ordinary mail sent to the address CRA 70 # 19 – 59, BOGOTÁ D.C., BOGOTÁ.

INTERNAL DOCUMENT OF POLICIES AND PROCEDURES (TREATMENT POLICIES)

TABLE OF CONTENTS

  • LEGAL BASIS AND SCOPE

    – Scope
    – Applicable Regulations

  • DEFINITIONS

    – Authorization
    – Database
    – Personal Data
    – Public Data
    – Semi-Private Data
    – Private Data
    – Sensitive Data
    – Data Processor
    – Data Controller
    – Database Administrator
    – Data Protection Officer
    – Data Subject
    – Processing
    – Privacy Notice
    – Transfer
    – Transmission

  • PRINCIPLES OF DATA PROTECTION

    – Principle of Legality
    – Principle of Purpose
    – Principle of Freedom
    – Principle of Truth or Quality
    – Principle of Transparency
    – Principle of Restricted Access and Circulation
    – Principle of Security
    – Principle of Confidentiality

  • AUTHORIZATION OF THE TREATMENT POLICY
  • DATA CONTROLLER
  • PROCESSING AND PURPOSES OF DATABASES
  • RIGHTS OF DATA SUBJECTS

    – Right of access or consultation
    – Right to file complaints and claims
    – Right to request proof of authorization granted to the Data Controller
    – Right to file complaints with the Superintendence of Industry and Commerce for infringement

  • REQUEST FOR AUTHORIZATION FROM THE DATA SUBJECT
  • PROCESSING OF MINORS’ DATA
  • ATTENTION TO DATA SUBJECTS
  • PROCEDURES TO EXERCISE DATA SUBJECT RIGHTS

    – Right of access or consultation
    – Rights of complaints and claims

  • SECURITY MEASURES
  • NOTIFICATION, MANAGEMENT, AND RESPONSE PROCEDURE FOR INCIDENTS
  • ADMINISTRATION OF RISKS ASSOCIATED WITH DATA PROCESSING
  • DELIVERY OF PERSONAL DATA TO AUTHORITIES
  • TRANSFER OF DATA TO THIRD COUNTRIES
  • BIOMETRIC DATA PROCESSING
  • NATIONAL DATABASE REGISTRY – RNBD
  • INFORMATION AND PERSONAL DATA SECURITY
  • DOCUMENT MANAGEMENT
  • VALIDITY
  • APPENDIX
  • CREATION AND APPROVAL OF THE DOCUMENT
  • DOCUMENT HISTORY

LEGAL BASIS AND SCOPE OF APPLICATION

Information Treatment Policy

The information treatment policy is developed in compliance with articles 15 and 20 of the Political Constitution; articles 17 letter k) and 18 letter f) of Statutory Law 1581 of 2012, which establishes general provisions for the Protection of Personal Data (LEPD); article 2.2.2.25.1.1 section 1 chapter 25 of Decree 1074 of 2015, which partially regulates Law 1581 of 2012 (Article 13 of Decree 1377 of 2013).

This policy will be applicable to all personal data registered in databases that are subject to processing by the data controller.

1.1 Scope

This document applies to all personal data or any other type of information used or stored in the databases and files of OGA SISTEMVAC SAS, respecting criteria for obtaining, collecting, using, processing, exchanging, transferring, and transmitting personal data. It also outlines the responsibilities of OGA SISTEMVAC SAS and its employees in the handling and treatment of personal data stored in their databases and files.

1.2 Applicable Regulations

  • Political Constitution of Colombia
  • Law 1581 of 2012
  • Decree 1074 of 2015, Chapters 25 and 26, which compile the following decrees:
    • Decree 1377 of 2013
    • Decree 886 of 2014
    • Circular 01 of November 8, 2016

DEFINITIONS

The following definitions are established in Article 3 of the LEPD and Article 2.2.2.25.1.3 section 1 Chapter 25 of Decree 1074 of 2015 (Article 3 of Decree 1377 of 2013).

2.1 Authorization

Prior, express, and informed consent of the data subject to carry out the processing of personal data.

2.2 Database

Organized set of personal data subject to processing.

2.3 Personal Data

Any information linked to, or that can be associated with, one or more specific or identifiable natural persons.

2.4 Public Data

Data that is not semi-private, private, or sensitive. Public data includes, among others, information related to individuals’ marital status, profession or occupation, and their status as a trader or public servant. Public data may be contained in public records, official documents, gazettes, and duly executed court judgments that are not subject to confidentiality.

2.5 Semi-Private Data

Data that is not intimate, reserved, or public and whose knowledge or disclosure may be of interest not only to the data subject but also to a certain sector or group of people or society in general. Examples include databases containing financial, credit, commercial, service-related information, and information from third countries.

2.6 Private Data

Personal data that, due to its intimate or reserved nature, is of interest only to the data subject and requires prior, informed, and express authorization for processing. Examples include databases containing personal phone numbers, email addresses, employment-related data, information on administrative or criminal offenses, managed by tax administrations, financial entities, and entities managing common social security services, databases containing sufficient information to evaluate the personality of the data subject, and databases of operators responsible for providing electronic communication services.

2.7 Sensitive Data

Data that affects the privacy of the data subject or whose misuse may lead to discrimination. Examples include data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations, or organizations that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.

2.8 Data Processor

Natural or legal person, public or private, who, either alone or in association with others, processes personal data on behalf of the data controller.

2.9 Data Controller

Natural or legal person, public or private, who, either alone or in association with others, decides on the database and/or the processing of data.

2.10 Database Administrator

Employee responsible for controlling and coordinating the proper implementation of data treatment policies once stored in a specific database, as well as implementing the guidelines issued by the data controller and the Data Protection Officer.

2.11 Data Protection Officer

A natural person who coordinates the implementation of the legal framework for the protection of personal data and handles requests from data subjects for the exercise of rights under Law 1581 of 2012.

2.12 Data Subject

A natural person whose personal data is subject to processing.

2.13 Processing

Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.

2.14 Privacy Notice

Verbal or written communication generated by the data controller, addressed to the data subject for the processing of their personal data. It informs them about the existence of information treatment policies that apply, how to access them, and the purposes of the intended data processing.

2.15 Transfer

Data transfer occurs when the data controller and/or data processor, located in Colombia, sends information or personal data to a recipient, who is also a data controller, located inside or outside the country.

2.16 Transmission

Processing of personal data involving the communication of such data within or outside the territory of the Republic of Colombia, aiming to carry out specific treatment by the processor on behalf of the controller.

DATA PROTECTION PRINCIPLES

Article 4 of the LEPD establishes principles for the processing of personal data that must be applied harmoniously and comprehensively in the development, interpretation, and application of the Law. The legal principles of data protection are as follows:

3.1. Principle of Legality

Data processing is a regulated activity that must adhere to the provisions of the LEPD, Decree 1377 of 2013 (compiled in Chapter 25 of Decree 1074 of 2015), and other regulations that develop it.

3.2. Principle of Purpose

Processing must comply with a legitimate purpose according to the Constitution and the Law, which must be informed to the Data Subject.

3.3. Principle of Freedom

Processing can only be carried out with the prior, express, and informed consent of the Data Subject. Personal data cannot be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that waives consent. Data processing requires the prior and informed authorization of the Data Subject through any means that can be consulted later.

3.4. Principle of Truth or Quality

Information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. The processing of partial, incomplete, fragmented, or misleading data is prohibited.

3.5. Principle of Transparency

The right of the Data Subject to obtain, at any time and without restrictions, information about the existence of data concerning them must be guaranteed during processing. When requesting authorization from the Data Subject, the data controller must clearly and expressly inform them of the following, retaining proof of compliance with this duty:

  • The processing to which their data will be subjected and its purpose.
  • The voluntary nature of the Data Subject’s response to questions related to sensitive data or data of children or adolescents.
  • The rights they have as Data Subject.
  • The identification, physical address, email, and phone number of the data controller.

3.6. Principle of Restricted Access and Circulation

Processing is subject to limits derived from the nature of personal data, LEPD, and the Constitution. In this regard, processing can only be done by persons authorized by the Data Subject and/or those provided for in the Law. Personal data, except for public information, cannot be available on the Internet and other means of disclosure or mass communication, unless access is technically controllable to provide restricted knowledge only to Data Subjects or third parties authorized by Law.

3.7. Principle of Security

Information subject to processing by the data controller or data processor must be handled with the technical, human, and administrative measures necessary to provide security to the records, preventing their tampering, loss, or unauthorized or fraudulent consultation, use, or access. The data controller is responsible for implementing the corresponding security measures and informing all personnel with direct or indirect access to the data. Users accessing the information systems of the data controller must be aware of and comply with the security rules and measures corresponding to their functions. These rules and security measures are outlined in the Internal Security Manual, which is mandatory for all users and company personnel. Any modification of the rules and measures regarding the security of personal data by the data controller must be communicated to the users.

3.8. Principle of Confidentiality

All persons involved in the processing of personal data that are not public in nature are obliged to ensure the confidentiality of the information, even after the completion of their relationship with any of the tasks comprising the processing. They can only provide or communicate personal data when it corresponds to the development of activities authorized by the LEPD and within its terms.

AUTHORIZATION OF THE TREATMENT POLICY

According to Article 9 of the LEPD, the prior and informed authorization of the Data Subject is required for the processing of personal data. By accepting this policy, every Data Subject providing information about their personal data is consenting to the processing of their data by OGA SISTEMVAC SAS under the terms and conditions outlined in it.

Authorization from the Data Subject will not be necessary in the following cases:

  • Information required by a public or administrative entity exercising its legal functions or by court order.
  • Public nature data.
  • Cases of medical or health emergencies.
  • Information processing authorized by law for historical, statistical, or scientific purposes.
  • Data related to the Civil Registry of individuals.

DATA CONTROLLER

The data controller for the databases covered by this policy is OGA SISTEMVAC SAS, with the following contact information:

PROCESSING AND PURPOSES OF DATABASES

In the course of its business activity, OGA SISTEMVAC SAS processes personal data related to natural persons contained and treated in databases for legitimate purposes, complying with the Constitution and the Law.

Annex 1 PL-01 named Database Organization contains information about the different databases under the responsibility of the company and the purposes assigned to each of them for processing.

RIGHTS OF DATA SUBJECTS

According to Article 8 of the LEPD and article 2.2.2.25.4.1 section 4 chapter 25 of Decree 1074 of 2015 (Articles 21 and 22 of Decree 1377 of 2013), Data Subjects may exercise a series of rights regarding the processing of their personal data. These rights can be exercised by the following persons:

  • By the Data Subject, who must prove their identity adequately through various means provided by the Data Controller.
  • By their heirs, who must prove such status.
  • By the representative and/or attorney of the Data Subject, after proving representation or power of attorney.
  • By stipulation for another and on behalf of another.
  • The rights of children or adolescents will be exercised by those authorized to represent them.

The rights of the Data Subject include:

7.1. Right of Access or Inquiry

This is the right of the Data Subject to be informed by the data controller, upon request, regarding the origin, use, and purpose given to their personal data.

7.2. Rights of Complaints and Claims

The Law distinguishes four types of claims:

  • Correction claim: The right of the Data Subject to update, rectify, or modify partial, inaccurate, incomplete, fragmented data, leading to error, or data expressly prohibited or unauthorized for processing.
  • Deletion claim: The right of the Data Subject to delete data that is inappropriate, excessive, or does not respect constitutional and legal principles, rights, and guarantees.
  • Revocation claim: The right of the Data Subject to revoke the previously given authorization for the processing of their personal data.
  • Infringement claim: The right of the Data Subject to request rectification of non-compliance with Data Protection regulations.

7.3. Right to Request Proof of Authorization Granted to the Data Controller

Unless expressly exempted as a requirement for processing in accordance with Article 10 of the LEPD.

7.4. Right to File Complaints for Violations with the Superintendence of Industry and Commerce

The Data Subject or heir can only submit a complaint to the SIC – Superintendence of Industry and Commerce once they have exhausted the consultation or claim process with the Data Controller or Data Processor.

REQUEST FOR AUTHORIZATION FROM THE DATA SUBJECT

In advance and/or at the time of collecting personal data, OGA SISTEMVAC SAS will request authorization from the Data Subject for the collection and processing of their data, indicating the purpose for which the data is requested. This will be done using automated technical means, written or oral communication, allowing for the preservation of proof of authorization and/or the unequivocal conduct described in Article 2.2.2.25.2.2. section 2 of Chapter 25 of Decree 1074 of 2015 (Article 7 of Decree 1377 of 2013).

PROCESSING OF MINORS’ DATA

In accordance with Article 7 of Law 1581 of 2012, the processing of personal data of children and adolescents is prohibited, except as provided in Article 2.2.2.25.2.9 section 2 of Chapter 25 of Decree 1074 of 2015 (Article 12 of Decree 1377 of 2013) and in compliance with the following parameters and requirements:

  • It must respond to and respect the best interests of children and adolescents.
  • It must ensure the respect of their fundamental rights.

Once these requirements are met, OGA SISTEMVAC SAS will request authorization from the legal representative of the child or adolescent, after the exercise of the minor’s right to be heard. This opinion will be considered, taking into account maturity, autonomy, and the ability to understand the matter. The Data Controller and Processor involved in the processing of personal data of children and adolescents must ensure their appropriate use, applying the principles and obligations established in Law 1581 of 2012 and regulatory norms.

10. ATTENTION TO DATA SUBJECTS

The Data Protection Officer of OGA SISTEMVAC SAS will handle requests, inquiries, and complaints where the Data Subject can exercise their rights. Phone: 4120100. Email: protecciondedatos@oga.com.co.

11. PROCEDURES TO EXERCISE DATA SUBJECT RIGHTS

11.1. Right of Access or Inquiry

According to Article 2.2.2.25.4.2. section 4 chapter 25 of Decree 1074 of 2015 (Article 21 of Decree 1377 of 2013), the Data Subject can consult their personal data free of charge in two cases:

  • At least once every calendar month.
  • Whenever substantial modifications to the information processing policies prompt new inquiries.

For consultations with a frequency greater than once a calendar month, OGA SISTEMVAC SAS may only charge the Data Subject for shipping, reproduction, and, if applicable, certification of documents. Reproduction costs may not exceed the recovery costs of the corresponding material. For this purpose, OGA SISTEMVAC SAS will provide supporting evidence of these expenses to the Superintendence of Industry and Commerce when required.

The Data Subject can exercise the right of access or inquiry of their data by sending a written request to OGA SISTEMVAC SAS, via email to protecciondedatos@oga.com.co, with the subject “Exercise of the right of access or inquiry,” or by postal mail to CRA 70 # 19 – 59, BOGOTÁ D.C., BOGOTÁ. The request must contain the following information:

  • Name and surname of the Data Subject.
  • Photocopy of the ID of the Data Subject and, if applicable, of the person representing them, as well as the document accrediting such representation.
  • Specific request for access or inquiry.
  • Address for notifications, date, and signature of the applicant.
  • Supporting documents for the request, when applicable.

The Data Subject can choose one of the following ways to access the database to receive the requested information:

  • On-screen visualization.
  • In writing, with a copy or photocopy sent by certified or non-certified mail.
  • Email or other electronic means.
  • Another system suitable for the configuration of the database or the nature of the treatment, offered by OGA SISTEMVAC SAS.

Once the request is received, OGA SISTEMVAC SAS will respond to the consultation within a maximum period of ten (10) business days from the date of receipt. If it is not possible to respond within this period, the interested party will be informed of the reasons for the delay and the date on which their inquiry will be addressed, which, in any case, cannot exceed five (5) business days following the expiration of the initial term. These deadlines are set out in Article 14 of the LEPD.

Once the consultation process is exhausted, the Data Subject or heir may file a complaint with the Superintendence of Industry and Commerce.

11.2. Rights of Complaints and Claims

The Data Subject can exercise the right to file complaints regarding their data by sending a written request to OGA SISTEMVAC SAS, via email to protecciondedatos@oga.com.co, with the subject “Exercise of the right of access or inquiry,” or by postal mail to CRA 70 # 19 – 59, BOGOTÁ D.C., BOGOTÁ. The request must contain the following information:

  • Name and surname of the Data Subject.
  • Photocopy of the ID of the Data Subject and, if applicable, of the person representing them, as well as the document accrediting such representation.
  • Description of the facts and specific request for correction, deletion, revocation, or infringement.
  • Address for notifications, date, and signature of the applicant.
  • Supporting documents for the request, when applicable.

If the complaint is incomplete, the interested party will be required to remedy the deficiencies within five (5) days following the receipt of the complaint. After two (2) months from the date of the requirement, if the applicant has not provided the requested information, it will be understood that they have withdrawn the complaint.

Once the complete complaint is received, a legend stating “complaint in process” and its reason will be included in the database within a period not exceeding two (2) business days. This legend must be maintained until the complaint is decided.

OGA SISTEMVAC SAS will respond to the complaint within a maximum period of fifteen (15) business days from the date of receipt. If it is not possible to respond to the complaint within this period, the interested party will be informed of the reasons for the delay and the date on which their complaint will be addressed, which, in no case, can exceed eight (8) business days following the expiration of the initial term.

After the complaint process is exhausted, the Data Subject or heir may lodge a complaint with the Superintendence of Industry and Commerce.

SECURITY MEASURES

OGA SISTEMVAC SAS, in order to comply with the security principle established in Article 4, letter g) of the LEPD, has implemented the technical, human, and administrative measures necessary to ensure the security of records, preventing their tampering, loss, or unauthorized or fraudulent consultation, use, or access.

Furthermore, OGA SISTEMVAC SAS, through the signing of corresponding transmission contracts, has required data processors with whom they work to implement the necessary security measures to guarantee the security and confidentiality of information in the processing of personal data.

Below are the security measures implemented by OGA SISTEMVAC SAS, which are outlined and developed in its Internal Security Manual (Tables I, II, III, and IV).

NOTIFICATION, MANAGEMENT, AND RESPONSE PROCEDURE FOR INCIDENTS

OGA SISTEMVAC SAS establishes a procedure for the notification, management, and response to incidents to ensure the confidentiality, availability, and integrity of the information contained in the databases under its responsibility.

Users and procedure managers, as well as anyone involved in the storage, processing, or querying of databases outlined in this document, must be familiar with the procedure to follow in the event of an incident.

The procedure for notification, management, and response to incidents is as follows:

  1. When a person becomes aware of an incident (loss, theft, and/or unauthorized access) that affects or may affect the confidentiality, availability, or integrity of the protected information of the company or of any of its processors, they must immediately report it to the Data Protection Officer. The report should include a detailed description of the type of incident, individuals related to the incident, date and time of occurrence, the person reporting the incident, the person notified, and the effects produced.

  2. Once the incident is reported, an acknowledgment of receipt must be requested from the Data Protection Officer, confirming the notification with all the aforementioned requirements.

  3. OGA SISTEMVAC SAS creates an incident log containing the type of incident (internal or external fraud, physical asset damage, technological failures, process execution and administration), date and time of the incident, person reporting it, person notified, effects of the incident, and corrective measures when applicable. This log is managed by the Data Protection Officer, referring to FR-16 Incident Registry and Action Plan.

  4. Procedures for data recovery, including who executes the process, the restored data, and any manually recorded data during the recovery process, must be implemented.

  5. Additionally, the Data Protection Officer must inform the Superintendence of Industry and Commerce through the RNBD within 15 business days of detection.

  6. Finally, OGA SISTEMVAC SAS will notify affected Data Subjects when it is identified that they may be significantly affected.

ADMINISTRATION OF RISKS ASSOCIATED WITH DATA PROCESSING

OGA SISTEMVAC SAS has identified risks related to the processing of personal data and established controls to mitigate their causes through the implementation of internal security policies. Therefore, it will establish a risk management system along with the necessary tools, indicators, and resources for its administration when the organizational structure, internal processes and procedures, the quantity of databases, and types of personal data processed by the organization are considered exposed to frequent or high-impact events or situations that affect the proper provision of services or threaten the information of the data subjects.

The risk management system will identify sources such as technology, human resources, infrastructure, and processes that require protection, along with their vulnerabilities and threats, in order to assess their risk level. To ensure the protection of personal data, consideration will be given to the type or group of internal and external individuals and their different levels of access authorization. Additionally, the likelihood of any event or action that may cause harm (material or immaterial) will be observed, such as:

  • Criminality: Actions caused by human intervention that violate the law and are penalized by it.
  • Events of physical origin: Natural and technical events, as well as events indirectly caused by human intervention.
  • Negligence and institutional decisions: Actions, decisions, or omissions by individuals with power and influence over the system. These are the least predictable threats because they are directly related to human behavior.

OGA SISTEMVAC SAS, in the risk management system, will implement protective measures to prevent or minimize damage in the event of a threat materializing.

DELIVERY OF PERSONAL DATA TO AUTHORITIES

When a public or administrative entity, in the exercise of its legal functions or by court order, requests access to and/or delivery of Personal Data from any of its databases, OGA SISTEMVAC SAS will verify the legality of the request and the relevance of the requested data in relation to the authority’s stated purpose, and will sign a record of the delivery of the requested personal information, specifying the obligation of the official making the request, the recipient, and the requesting entity to guarantee the rights of the Data Subject.

TRANSFER OF DATA TO THIRD COUNTRIES

According to Title VIII of the LEPD, the transfer of personal data to countries that do not provide adequate levels of data protection is prohibited. A country is deemed to offer an adequate level of data protection when it complies with the standards set by the Superintendence of Industry and Commerce on the matter, which, in no case, can be lower than what this law demands of its recipients. This prohibition does not apply in the case of:

  • Information for which the Data Subject has given express and unequivocal authorization.
  • Exchange of medical data when required for the Data Subject’s treatment for health or public hygiene reasons.
  • Bank or stock exchange transfers in accordance with applicable legislation.
  • Transfers agreed within the framework of international treaties in which the Republic of Colombia is a party, based on the principle of reciprocity.
  • Transfers necessary for the execution of a contract between the Data Subject and the data controller, or for the execution of pre-contractual measures, provided the Data Subject’s authorization is obtained.
  • Transfers legally required to safeguard public interest or for the recognition, exercise, or defense of a right in a judicial process.

It should be noted that, in cases not covered as exceptions, it will be the responsibility of the Superintendence of Industry and Commerce to issue the conformity declaration regarding the international transfer of personal data.

International transmissions of personal data between OGA SISTEMVAC SAS and a processor to allow the processor to carry out processing on behalf of the controller do not require informing the Data Subject or obtaining their consent, provided there is a personal data transmission contract.

BIOMETRIC DATA PROCESSING

Biometric data stored in databases are collected and processed strictly for security reasons, to verify personal identity and control access by employees, clients, and visitors. Biometric identification mechanisms capture, process, and store information related to, among others, physical traits of individuals (fingerprint, voice recognition, and facial features) to establish or “authenticate” the identity of each subject.

The administration of biometric databases is carried out with technical security measures that ensure compliance with the principles and obligations derived from the Statutory Law on Data Protection, also ensuring the confidentiality and privacy of the information of the Data Subjects.

    NATIONAL DATABASE REGISTRATION – RNBD

    The term for registering databases in the RNBD will be as legally established. Likewise, according to Article 12 of Decree 886 of 2014, Data Controllers must register their databases in the National Database Registry on the date the Superintendence of Industry and Commerce enables said registry, following the instructions issued by that entity. Databases created after that deadline must be registered within two (2) months from their creation.

    INFORMATION AND PERSONAL DATA SECURITY

    Compliance with the regulatory framework on Personal Data Protection, the security, confidentiality, and/or privacy of the information stored in databases are of vital importance to OGA SISTEMVAC SAS. Therefore, we have established policies, guidelines, procedures, and information security standards, which may change at any time to adapt to new regulations and OGA SISTEMVAC SAS’s needs, aiming to protect and preserve the integrity, confidentiality, and availability of information and personal data.

    We also ensure that in the collection, storage, use and/or processing, destruction, or elimination of information provided, we rely on technological security tools and implement security practices including: transmission and storage of sensitive information through secure mechanisms, use of secure protocols, assurance of technological components, restriction of access to information only to authorized personnel, information backup, secure software development practices, among others.

    If it is necessary to provide information to a third party due to the existence of a contractual relationship, we enter into a transmission contract to ensure the confidentiality and privacy of the information, as well as compliance with this Data Processing Policy, information security policies and manuals, and protocols for addressing Data Subjects established in OGA SISTEMVAC SAS. In any case, we commit to protecting, caring for, securing, and preserving the confidentiality, integrity, and privacy of the stored data.

    DOCUMENT MANAGEMENT

    Documents containing personal data must be easily retrievable; hence, the location of each document, whether physical or digital, should be documented. Inspections of these storage routes must be conducted frequently, ensuring their preservation by defining the medium and conditions for conservation. Environmental conditions, storage locations, exposure risks, among others, should be considered. The retention time for documents is determined based on legal requirements, if applicable; otherwise, each organization defines it according to its needs. Additionally, the final disposition of the documents must be clear, identifying whether they are recycled, reused, preserved, digitized, among other options.

    Documents related to the protection of personal data must be created by competent personnel or entities. The organization itself should review and approve all documents, recording the approval in the document approval box.

    To ensure easy traceability, documents must be encoded, updated, and modified by responsible personnel whenever necessary. Justification for document elimination must be described in the history section at the bottom of all documents.

    Both physical and digital documents containing personal data must be protected from external or internal agents that may alter their content, following the guidelines described in the PL-02 Internal Security Policy Manual.

    The distribution of documents containing personal data will be carried out by the data controller, who will document evidence of the distribution, specifying the document type and the identification of the person to whom the information was delivered.

    A responsible person must be designated to ensure the confidentiality of the personal data of the data subjects. This individual will safeguard documents, ensure their physical and digital protection, prevent information alterations, and ensure that documents leaving their custody are identified and easily traceable.

    DURATION

    This policy update will be effective from 2018-03-23. Databases under the responsibility of OGA SISTEMVAC SAS will be subject to processing for a reasonable and necessary time for the purpose for which the data is collected and in accordance with the authorization granted by the data subjects.

    WEB PROCESSING POLICIES

    TABLE OF CONTENTS

    1. OBJECTIVE
    2. LEGAL BASIS AND SCOPE OF APPLICATION
    3. DEFINITIONS
    4. AUTHORIZATION OF THE PROCESSING POLICY
    5. DATA CONTROLLER
    6. PROCESSING AND PURPOSES OF DATABASES
    7. BROWSING DATA
    8. COOKIES OR WEB BUGS
    9. RIGHTS OF DATA SUBJECTS
    10. ATTENTION TO DATA SUBJECTS
    11. PROCEDURES TO EXERCISE DATA SUBJECT RIGHTS
    • Right of access or consultation
    • Rights of complaints and claims
    12. SECURITY MEASURES
    13. TRANSFER OF DATA TO THIRD COUNTRIES
    14. DURATION
    15. APPENDIX
    16. DOCUMENT CREATION AND APPROVAL
    17. DOCUMENT HISTORY

OBJECTIVE

To inform about the actions that OGA SISTEMVAC SAS takes when users visit or browse the website and to explain the proper use of personal data in compliance with internal security policies and the law on the protection of personal data.

LEGAL BASIS AND SCOPE OF APPLICATION

The information processing policy is developed in compliance with Articles 15 and 20 of the Political Constitution; Articles 17 letter k) and 18 letter f) of Statutory Law 1581 of 2012, which establishes general provisions for the Protection of Personal Data (LEPD); Article 2.2.2.25.1.1, Section 1, Chapter 25 of Decree 1074 of 2015, which partially regulates Law 1581 of 2012 (Article 13 of Decree 1377 of 2013).

This policy applies to all personal data registered in databases processed by the Data Controller.

DEFINITIONS

Defined in Article 3 of Statutory Law 1581 of 2012 and Article 2.2.2.25.1.3, Chapter 25 of Compilatory Decree 1074 of 2015 (Article 3 of Decree 1377 of 2013).

  • Authorization: Prior, express, and informed consent of the Data Subject to carry out the processing of personal data.

  • Privacy Notice: Verbal or written communication generated by the Data Controller, addressed to the Data Subject for the processing of their personal data. It informs them about the existence of information processing policies applicable to them, how to access them, and the purposes of the intended data processing.

  • Database: An organized set of personal data subject to processing.

  • Cookie: A small piece of information sent by a website and stored in the user’s browser, allowing the website to check the user’s previous activity. Its functions include: i) keeping track of when a user has entered their username and password, so that they do not need to be entered again for each page. A cookie does not, however, identify a person but rather a combination of computer, browser, and user. ii) Obtaining information about the user’s browsing habits, as well as spyware attempts, by advertising agencies and others. This can raise privacy issues and is one reason why cookies have critics.

  • Personal Data: Any information linked or that can be associated with one or more specific or determinable natural persons.

  • Public Data: Data that is not semi-private, private, or sensitive. Public data includes, among others, information about a person’s marital status, profession or occupation, and their status as a merchant or public servant. By nature, public data may be found in public records, public documents, gazettes and official bulletins, and duly executed court judgments that are not subject to confidentiality.

  • Sensitive Data: Data that affects the privacy of the Data Subject or whose misuse could lead to discrimination. This includes data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations, or promoting the interests of any political party or guaranteeing the rights and guarantees of opposition political parties. It also includes data related to health, sexual life, and biometric data.

  • Data Processor: A natural or legal person, public or private, who, by itself or in association with others, processes personal data on behalf of the Data Controller.

  • Data Controller: A natural or legal person, public or private, who, by itself or in association with others, decides on the database and/or the processing of data.

  • Data Subject: A natural person whose personal data is being processed.

  • Transfer: The transfer of data occurs when the Data Controller and/or Data Processor, located in Colombia, sends information or personal data to a recipient, who, in turn, is responsible for processing and is located inside or outside the country.

  • Transmission: The processing of personal data that involves the communication of such data within or outside the territory of the Republic of Colombia when its purpose is to carry out processing by the processor on behalf of the controller.

  • Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.

  4. AUTHORIZATION OF THE PROCESSING POLICY

    According to Article 9 of the LEPD, the processing of personal data requires the prior and informed authorization of the Data Subject. By accepting this policy, every Data Subject providing information about their personal data is consenting to the processing of their data by OGA SISTEMVAC SAS under the terms and conditions outlined in it.

    DATA PROCESSOR

    The data processor for the databases covered by this policy is OGA SISTEMVAC SAS, with the following contact information:

    PROCESSING AND PURPOSES OF THE DATABASES

    OGA SISTEMVAC SAS, in the course of its business activity, processes personal data related to natural persons contained and processed in databases for legitimate purposes, in compliance with the Constitution and the Law.

    In “Annex 1. PL-01. Database Organization,” various databases managed by the company, along with information and characteristics of each, are presented.

    NAVIGATION DATA

    It is possible to visit the website without providing any type of personal identification. However, the navigation system and the software necessary for the operation of this website may have the option to collect some personal data, the transmission of which is implicit in the use of Internet communication protocols.

    Due to its nature, the collected information could allow the identification of users through their association with third-party data, even if it is not obtained for that purpose. In this category of data are the IP address or domain name of the user’s device used to access the website, the URL, the date and time, and other parameters related to the user’s operating system.

    This data is used to obtain anonymous statistical information about the use of the website or to monitor its proper technical operation, and is immediately deleted after verification.

    When using the contact option, you can choose whether to provide personal information, such as your name and postal or email address, phone number, among others, so that we can communicate with you and process your request or provide information.

    COOKIES OR WEB BUGS

    This website does not use cookies or web bugs to collect user personal data; their use is limited to facilitating the user’s access to the website. The use of session cookies, not permanently stored on the user’s device and disappearing when the browser is closed, is limited to collecting technical information to identify the session for the purpose of facilitating secure and efficient access to the website, to provide better service on the page.

    If you do not wish to allow the use of cookies, you can reject or delete existing ones by configuring your browser (Internet Explorer, Firefox, Safari, Chrome, among others) and disabling the browser’s JavaScript code in the security settings.

    Most web browsers allow you to manage your cookie preferences; however, it should be noted that choosing to block them may affect or prevent the operation of the page. Also, one of the third-party services that may be used to track activity related to the service is Google Analytics. If you do not want information to be obtained and used, you can install a rejection system (“opt-out”) in your web browser, such as tools.google.com/dlpage/gaoptout?hl=None.

    RIGHTS OF DATA SUBJECTS

    In accordance with Article 8 of the LEPD and Articles 21 and Article 2.2.2.25.4.3, Chapter 25 of Compilatory Decree 1074 of 2015 (Article 22 of Decree 1377 of 2013), Data Subjects may exercise a series of rights regarding the processing of their personal data. These rights can be exercised by the following persons:

    • By the Data Subject, who must prove their identity sufficiently by different means made available by the Data Controller.
    • By their heirs, who must prove such status.
    • By the representative and/or attorney of the Data Subject, upon accreditation of the representation or power of attorney.
    • By stipulation for the benefit of another and for another.
    • The rights of children or adolescents will be exercised by those authorized to represent them.

    The rights of the Data Subject include:

    1. Right of Access or Inquiry: The Data Subject has the right to be informed by the Data Controller, upon request, regarding the origin, use, and purpose given to their personal data.

    2. Rights of Complaints and Claims: The law distinguishes four types of claims:

      • Correction Claim: The right of the Data Subject to update, rectify, or modify partial, inaccurate, incomplete, fragmented data that induces error or those whose processing is expressly prohibited or has not been authorized.

      • Deletion Claim: The right of the Data Subject to have data that is inadequate, excessive, or does not respect constitutional and legal principles, rights, and guarantees deleted.

      • Revocation Claim: The right of the Data Subject to revoke the previously given authorization for the processing of their personal data.

      • Infringement Claim: The right of the Data Subject to request that non-compliance with the regulations on Data Protection be rectified.

    3. Right to Request Proof of the Authorization Granted to the Data Controller: Unless expressly exempted as a requirement for processing in accordance with Article 10 of the LEPD.

    4. Right to File Complaints with the Superintendence of Industry and Commerce for Violations: The Data Subject or heir can only file this complaint once they have exhausted the consultation or claim process with the Data Controller or Data Processor.

    ATTENTION TO DATA SUBJECTS

    The Data Protection Officer of OGA SISTEMVAC SAS will be responsible for handling requests, inquiries, and complaints, where the Data Subject can exercise their rights. Phone: 4120100. Email: protecciondedatos@oga.com.co.

    PROCEDURES FOR EXERCISING DATA SUBJECT RIGHTS

    Right of Access or Inquiry

    According to Article 2.2.2.25.4.2, Chapter 25 of Compilatory Decree 1074 of 2015 (Article 21 of Decree 1377 of 2013), the Data Subject may freely inquire about their personal data in two cases:

    1. At least once every calendar month.
    2. Whenever there are substantial modifications to the information processing policies that prompt new inquiries.

    For inquiries with a frequency greater than once per calendar month, OGA SISTEMVAC SAS can only charge the Data Subject for shipping, reproduction, and, if applicable, document certification. Reproduction costs cannot exceed the recovery costs of the corresponding material. To this end, the responsible party must demonstrate to the Superintendence of Industry and Commerce, when required, the support for such expenses.

    The Data Subject can exercise the right of access or inquiry of their data through a written request addressed to OGA SISTEMVAC SAS, sent via email to: protecciondedatos@oga.com.co, indicating in the Subject “Exercise of the right of access or inquiry,” or through postal mail sent to CRA 70 # 19 – 59, BOGOTÁ D.C., BOGOTÁ.

    The request must contain the following information:

    • Name and surname of the Data Subject.
    • Photocopy of the Data Subject’s Citizenship ID and, if applicable, that of the person representing them, as well as the document accrediting such representation.
    • A request specifying the access or inquiry.
    • Notification address, date, and signature of the applicant.
    • Documents accrediting the formulated request, when applicable.

    The Data Subject can choose one of the following forms of database inquiry to receive the requested information:

    • On-screen visualization.
    • In writing, with a copy or photocopy sent by certified or non-certified mail.
    • Fax.
    • Email or other electronic means.
    • Another system suitable for the database configuration or the nature of the treatment, offered by OGA SISTEMVAC SAS.

    Upon receiving the request, OGA SISTEMVAC SAS will resolve the inquiry request within a maximum period of ten (10) business days from the date of receipt. If it is not possible to address the inquiry within this term, the interested party will be informed, stating the reasons for the delay and indicating the date on which their inquiry will be addressed, which in no case can exceed five (5) business days following the expiration of the initial term. These deadlines are established in Article 14 of the LEPD.

    Once the inquiry process is exhausted, the Data Subject or heir may file a complaint with the Superintendence of Industry and Commerce.

    Rights of Complaints and Claims

    The Data Subject can exercise the rights of complaint regarding their data through a written request addressed to OGA SISTEMVAC SAS, sent via email to protecciondedatos@oga.com.co, indicating in the Subject “Exercise of the right of access or inquiry,” or through postal mail sent to CRA 70 # 19 – 59, BOGOTÁ D.C., BOGOTÁ. The request must contain the following information:

    • Name and surname of the Data Subject.
    • Photocopy of the Data Subject’s Citizenship ID and, if applicable, that of the person representing them, as well as the document accrediting such representation.
    • Description of the facts and request specifying the correction, deletion, revocation, or infringement.
    • Notification address, date, and signature of the applicant.
    • Documents accrediting the formulated request that they wish to assert, when applicable.

    If the complaint is incomplete, the interested party will be required to rectify the deficiencies within five (5) days following the reception of the complaint. After two (2) months from the date of the requirement, without the applicant presenting the required information, it will be understood that they have withdrawn the complaint.

    Upon receiving the complete complaint, a legend will be included in the database stating “claim in process” and its reason, within a period not exceeding two (2) business days. This legend must be maintained until the complaint is decided.

    OGA SISTEMVAC SAS will resolve the complaint within a maximum period of fifteen (15) business days from the date of receipt. If it is not possible to address the complaint within this term, the interested party will be informed of the reasons for the delay and the date on which their complaint will be addressed, which in no case can exceed eight (8) business days following the expiration of the initial term.

    Once the complaint process is exhausted, the Data Subject or heir may file a complaint with the Superintendence of Industry and Commerce.

    SECURITY MEASURES

    In order to comply with the security principle established in Article 4 literal g) of the LEPD, OGA SISTEMVAC SAS has implemented technical, human, and administrative measures necessary to ensure the security of records, preventing their tampering, loss, consultation, use, or unauthorized or fraudulent access.

    On the other hand, OGA SISTEMVAC SAS, through the signing of the corresponding transmission contracts, has required data processors with whom it works to implement the necessary security measures to ensure the security and confidentiality of information in the processing of personal data.

    Below are the security measures implemented by OGA SISTEMVAC SAS, which are documented and developed in its Internal Security Manual (I, II, III, IV).

13. DATA TRANSFER TO THIRD COUNTRIES

In accordance with Title VIII of the LEPD, the transfer of personal data to countries that do not provide adequate levels of data protection is prohibited. A country is considered to offer an adequate level of data protection when it meets the standards set by the Superintendence of Industry and Commerce on the matter, which in no case may be lower than those required by this law for its recipients. This prohibition shall not apply when it comes to:

  • Information for which the Data Subject has given express and unequivocal authorization.
  • Exchange of medical data when required for the Data Subject’s treatment for health or public hygiene reasons.
  • Banking or stock exchange transfers, in accordance with applicable legislation.
  • Transfers agreed upon within the framework of international treaties in which the Republic of Colombia is a party, based on the principle of reciprocity.
  • Transfers necessary for the execution of a contract between the Data Subject and the data controller or for the execution of pre-contractual measures, provided there is the Data Subject’s authorization.
  • Transfers legally required to safeguard the public interest, or for the recognition, exercise, or defense of a right in a judicial process.

In cases not contemplated as exceptions, it will be the responsibility of the Superintendence of Industry and Commerce to issue the conformity declaration regarding the international transfer of personal data. The Superintendent is empowered to request information and carry out proceedings to establish compliance with the prerequisites required for the viability of the operation.

International transmissions of personal data carried out between a data controller and a data processor to allow the processor to process data on behalf of the controller will not need to be reported to the Data Subject or require their consent, provided there is a data transmission contract.

14. EFFECTIVENESS

This policy update will be effective from 2018-03-23. The databases under the responsibility of OGA SISTEMVAC SAS will be subject to processing for as long as is reasonable and necessary for the purpose for which the data is collected and in accordance with the authorization granted by the Data Subjects.
