13. NOTIFICATION, MANAGEMENT, AND RESPONSE PROCEDURE FOR INCIDENTS

    OGA SISTEMVAC SAS establishes a procedure for the notification, management, and response to incidents to ensure the confidentiality, availability, and integrity of the information contained in the databases under its responsibility.

    Users and procedure managers, as well as anyone involved in the storage, processing, or querying of databases outlined in this document, must be familiar with the procedure to follow in the event of an incident.

    The procedure for notification, management, and response to incidents is as follows:

    1. When a person becomes aware of an incident (loss, theft, and/or unauthorized access) that affects or may affect the confidentiality, availability, or integrity of the company’s protected information or any of the processors, they must immediately report it to the Data Protection Officer. The report should include a detailed description of the type of incident, individuals related to the incident, date and time of occurrence, the person reporting the incident, the person notified, and the effects produced.

    2. Once the incident is reported, an acknowledgment of receipt must be requested from the Data Protection Officer, confirming the notification with all the aforementioned requirements.

    3. OGA SISTEMVAC SAS creates an incident log containing the type of incident (Internal or external fraud, Physical asset damage, Technological failures, Process execution and administration), date and time of the incident, person reporting it, person notified, effects of the incident, and corrective measures when applicable. This log is managed by the Data Protection Officer, referring to FR-16 Incident Registry and Action Plan.

    4. Procedures for data recovery, including who executes the process, the restored data, and any manually recorded data during the recovery process, must be implemented.

    5. Additionally, the Data Protection Officer must inform the Superintendence of Industry and Commerce through the RNBD within 15 business days of detection.

    6. Finally, OGA SISTEMVAC SAS will notify affected Data Subjects when it is identified that they may be significantly affected.

    ADMINISTRATION OF RISKS ASSOCIATED WITH DATA PROCESSING

    OGA SISTEMVAC SAS has identified risks related to the processing of personal data and established controls to mitigate their causes through the implementation of internal security policies. Therefore, it will establish a risk management system along with the necessary tools, indicators, and resources for its administration when the organizational structure, internal processes and procedures, the quantity of databases, and types of personal data processed by the organization are considered exposed to frequent or high-impact events or situations that affect the proper provision of services or threaten the information of the data subjects.

    The risk management system will identify sources such as technology, human resources, infrastructure, and processes that require protection, their vulnerabilities, and threats to assess their risk level. To ensure the protection of personal data, considerations will be given to the type or group of internal and external individuals, different levels of access authorization. Additionally, the likelihood of any event or action that may cause harm (material or immaterial) will be observed, such as:

    • Criminality: Actions caused by human intervention that violate the law and are penalized by it.

    • Events of physical origin: Natural and technical events, as well as events indirectly caused by human intervention.

    • Negligence and institutional decisions: Actions, decisions, or omissions by individuals with power and influence over the system. These are the least predictable threats because they are directly related to human behavior.

    OGA SISTEMVAC SAS, in the risk management system, will implement protective measures to prevent or minimize damage in the event of a threat materializing.

15. DELIVERY OF PERSONAL DATA TO AUTHORITIES

    When a public or administrative entity, in the exercise of its legal functions or by court order, requests access and/or delivery of Personal Data from any of its databases, OGA SISTEMVAC SAS will verify the legality of the request, the relevance of the requested data in relation to the authority’s stated purpose, and will sign a record of the delivery of the requested personal information, specifying the obligation to guarantee the rights of the Data Subject to both the official making the request, the recipient, and the requesting entity.

    TRANSFER OF DATA TO THIRD COUNTRIES

    According to Title VIII of the LEPD, the transfer of personal data to countries that do not provide adequate levels of data protection is prohibited. A country is deemed to offer an adequate level of data protection when it complies with the standards set by the Superintendence of Industry and Commerce on the matter, which, in no case, can be lower than what this law demands of its recipients. This prohibition does not apply in the case of:

    • Information for which the Data Subject has given express and unequivocal authorization.

    • Exchange of medical data when required for the Data Subject’s treatment for health or public hygiene reasons.

    • Bank or stock exchange transfers in accordance with applicable legislation.

    • Transfers agreed within the framework of international treaties in which the Republic of Colombia is a party, based on the principle of reciprocity.

    • Transfers necessary for the execution of a contract between the Data Subject and the data controller, or for the execution of pre-contractual measures, provided the Data Subject’s authorization is obtained.

    • Transfers legally required to safeguard public interest or for the recognition, exercise, or defense of a right in a judicial process.

    It should be noted that, in cases not covered as exceptions, it will be the responsibility of the Superintendence of Industry and Commerce to issue the conformity declaration regarding the international transfer of personal data.

    International transmissions of personal data between OGA SISTEMVAC SAS and a processor to allow the processor to carry out processing on behalf of the controller do not require informing the Data Subject or obtaining their consent, provided there is a personal data transmission contract.

    BIOMETRIC DATA PROCESSING

    Biometric data stored in databases are collected and processed strictly for security reasons, to verify personal identity and control access to employees, clients, and visitors. Biometric identification mechanisms capture, process, and store information related to, among others, physical traits of individuals (fingerprint, voice recognition, and facial features) to establish or “authenticate” the identity of each subject.

    The administration of biometric databases is carried out with technical security measures that ensure compliance with the principles and obligations derived from the Statutory Law on Data Protection, also ensuring the confidentiality and privacy of the information of the Data Subjects.

    NATIONAL DATABASE REGISTRATION – RNBD

    The term for registering databases in the RNBD will be as legally established. Likewise, according to Article 12 of Decree 886 of 2014, Data Controllers must register their databases in the National Database Registry on the date the Superintendence of Industry and Commerce enables said registry, following the instructions issued by that entity. Databases created after that deadline must be registered within two (2) months from their creation.

    INFORMATION AND PERSONAL DATA SECURITY

    Compliance with the regulatory framework on Personal Data Protection, the security, confidentiality, and/or privacy of the information stored in databases are of vital importance to OGA SISTEMVAC SAS. Therefore, we have established policies, guidelines, procedures, and information security standards, which may change at any time to adapt to new regulations and OGA SISTEMVAC SAS’s needs, aiming to protect and preserve the integrity, confidentiality, and availability of information and personal data.

    We also ensure that in the collection, storage, use and/or processing, destruction, or elimination of information provided, we rely on security technological tools and implement security practices including: transmission and storage of sensitive information through secure mechanisms, use of secure protocols, assurance of technological components, restriction of access to information only to authorized personnel, information backup, secure software development practices, among others.

    If it is necessary to provide information to a third party due to the existence of a contractual relationship, we enter into a transmission contract to ensure the confidentiality and privacy of the information, as well as compliance with this Data Processing Policy, information security policies and manuals, and protocols for addressing Data Subjects established in OGA SISTEMVAC SAS. In any case, we commit to protecting, caring for, securing, and preserving the confidentiality, integrity, and privacy of the stored data.

    DOCUMENT MANAGEMENT

    Documents containing personal data must be easily retrievable; hence, the location of each document, whether physical or digital, should be documented. Inspections of these storage routes must be conducted frequently, ensuring their preservation by defining the medium and conditions for conservation. Environmental conditions, storage locations, exposure risks, among others, should be considered. The retention time for documents is determined based on legal requirements, if applicable; otherwise, each organization defines it according to its needs. Additionally, the final disposition of the documents must be clear, identifying whether they are recycled, reused, preserved, digitized, among other options.

    Documents related to the protection of personal data must be created by competent personnel or entities. The organization itself should review and approve all documents, recording the approval in the document approval box.

    To ensure easy traceability, documents must be encoded, updated, and modified by responsible personnel whenever necessary. Justification for document elimination must be described in the history section at the bottom of all documents.

    Both physical and digital documents containing personal data must be protected from external or internal agents that may alter their content, following the guidelines described in the PL-02 Internal Security Policy Manual.

    The distribution of documents containing personal data will be carried out by the data controller, who will document evidence of the distribution, specifying the document type and the identification of the person to whom the information was delivered.

    A responsible person must be designated to ensure the confidentiality of the personal data of the data subjects. This individual will safeguard documents, ensure their physical and digital protection, prevent information alterations, and ensure that documents leaving their custody are identified and easily traceable.

    DURATION

    This policy update will be effective from 2018-03-23. Databases under the responsibility of OGA SISTEMVAC SAS will be subject to processing for a reasonable and necessary time for the purpose for which the data is collected and in accordance with the authorization granted by the data subjects.

    WEB PROCESSING POLICIES

    TABLE OF CONTENTS

    1. OBJECTIVE
    2. LEGAL BASIS AND SCOPE OF APPLICATION
    3. DEFINITIONS
    4. AUTHORIZATION OF THE PROCESSING POLICY
    5. DATA CONTROLLER
    6. PROCESSING AND PURPOSES OF DATABASES
    7. BROWSING DATA
    8. COOKIES OR WEB BUGS
    9. RIGHTS OF DATA SUBJECTS
    10. ATTENTION TO DATA SUBJECTS
    11. PROCEDURES TO EXERCISE DATA SUBJECT RIGHTS
    • Right of access or consultation
    • Rights of complaints and claims
    12. SECURITY MEASURES
    13. TRANSFER OF DATA TO THIRD COUNTRIES
    14. DURATION
    15. APPENDIX
    16. DOCUMENT CREATION AND APPROVAL
    17. DOCUMENT HISTORY

OBJECTIVE

To inform about the actions that OGA SISTEMVAC SAS takes when users visit or browse the website and to explain the proper use of personal data in compliance with internal security policies and the law on the protection of personal data.

LEGAL BASIS AND SCOPE OF APPLICATION

The information processing policy is developed in compliance with Articles 15 and 20 of the Political Constitution; Articles 17 letter k) and 18 letter f) of Statutory Law 1581 of 2012, which establishes general provisions for the Protection of Personal Data (LEPD); Article 2.2.2.25.1.1, Section 1, Chapter 25 of Decree 1074 of 2015, which partially regulates Law 1581 of 2012 (Article 13 of Decree 1377 of 2013).

This policy applies to all personal data registered in databases processed by the Data Controller.

DEFINITIONS

Defined in Article 3 of Statutory Law 1581 of 2012 and Article 2.2.2.25.1.3, Chapter 25 of Compilatory Decree 1074 of 2015 (Article 3 of Decree 1377 of 2013).

• Authorization: Prior, express, and informed consent of the Data Subject to carry out the processing of personal data.

• Privacy Notice: Verbal or written communication generated by the Data Controller, addressed to the Data Subject for the processing of their personal data. It informs them about the existence of information processing policies applicable to them, how to access them, and the purposes of the intended data processing.

• Database: An organized set of personal data subject to processing.

• Cookie: Small information sent by a website and stored in the user’s browser, allowing the website to check the user’s previous activity. It performs functions such as i) controlling when a user enters their username and password, eliminating the need to enter them for each page. However, it does not identify a person but rather a combination of a computer class with a browser and a user. ii) Obtaining information about the user’s browsing habits and attempts of spyware by advertising agencies and others. This can raise privacy issues and is one reason why cookies have critics.

• Personal Data: Any information linked or that can be associated with one or more specific or determinable natural persons.

• Public Data: Data that is not semi-private, private, or sensitive. Public data includes, among others, information about a person’s marital status, profession or occupation, and their status as a merchant or public servant. By nature, public data may be found in public records, public documents, gazettes and official bulletins, and duly executed court judgments that are not subject to confidentiality.

• Sensitive Data: Data that affects the privacy of the Data Subject or whose misuse could lead to discrimination. This includes data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations, or promoting the interests of any political party or guaranteeing the rights and guarantees of opposition political parties. It also includes data related to health, sexual life, and biometric data.

• Data Processor: A natural or legal person, public or private, who, by itself or in association with others, processes personal data on behalf of the Data Controller.

• Data Controller: A natural or legal person, public or private, who, by itself or in association with others, decides on the database and/or the processing of data.

• Data Subject: A natural person whose personal data is being processed.

• Transfer: The transfer of data occurs when the Data Controller and/or Data Processor, located in Colombia, sends information or personal data to a recipient, who, in turn, is responsible for processing and is located inside or outside the country.

• Transmission: The processing of personal data that involves the communication of such data within or outside the territory of the Republic of Colombia when its purpose is to carry out processing by the processor on behalf of the controller.

• Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.

10. AUTHORIZATION OF THE PROCESSING POLICY

    According to Article 9 of the LEPD, the processing of personal data requires the prior and informed authorization of the Data Subject. By accepting this policy, every Data Subject providing information about their personal data is consenting to the processing of their data by OGA SISTEMVAC SAS under the terms and conditions outlined in it.

    DATA PROCESSOR

    The data processor for the databases covered by this policy is OGA SISTEMVAC SAS, with the following contact information:

    • Address: CRA 70 # 19 – 59, BOGOTÁ D.C., BOGOTÁ
    • Email: protecciondedatos@oga.com.co
    • Phone: 4120100

    PROCESSING AND PURPOSES OF THE DATABASES

    OGA SISTEMVAC SAS, in the course of its business activity, processes personal data related to natural persons contained and processed in databases for legitimate purposes, in compliance with the Constitution and the Law.

    In “Annex 1. PL-01. Database Organization,” various databases managed by the company, along with information and characteristics of each, are presented.

    NAVIGATION DATA

    It is possible to visit the website without providing any type of personal identification. However, the navigation system and the software necessary for the operation of this website may have the option to collect some personal data, the transmission of which is implicit in the use of Internet communication protocols.

    Due to its nature, the collected information could allow the identification of users through their association with third-party data, even if it is not obtained for that purpose. In this category of data are the IP address or domain name of the user’s device used to access the website, the URL, the date and time, and other parameters related to the user’s operating system.

    This data is used to obtain anonymous statistical information about the use of the website or to monitor its proper technical operation, and is immediately deleted after verification.

    When using the contact option, you can choose whether to provide personal information, such as your name and postal or email address, phone number, among others, so that we can communicate with you and process your request or provide information.

    COOKIES OR WEB BUGS

    This website does not use cookies or web bugs to collect user personal data; their use is limited to facilitating the user’s access to the website. The use of session cookies, not permanently stored on the user’s device and disappearing when the browser is closed, is limited to collecting technical information to identify the session for the purpose of facilitating secure and efficient access to the website, to provide better service on the page.

    If you do not wish to allow the use of cookies, you can reject or delete existing ones by configuring your browser (Internet Explorer, Firefox, Safari, Chrome, among others) and disabling the browser’s JavaScript code in the security settings.

    Most web browsers allow you to manage your cookie preferences; however, it should be noted that choosing to block them may affect or prevent the operation of the page. Also, one of the third-party services that may be used to track activity related to the service is Google Analytics. If you do not want information to be obtained and used, you can install a rejection system (“opt-out”) in your web browser, such as tools.google.com/dlpage/gaoptout?hl=None.

    RIGHTS OF DATA SUBJECTS

    In accordance with Article 8 of the LEPD and Articles 21 and Article 2.2.2.25.4.3, Chapter 25 of Compilatory Decree 1074 of 2015 (Article 22 of Decree 1377 of 2013), Data Subjects have the right to exercise a series of rights regarding the processing of their personal data. These rights can be exercised by the following persons:

    • By the Data Subject, who must prove their identity sufficiently by different means made available by the Data Controller.
    • By their heirs, who must prove such status.
    • By the representative and/or attorney of the Data Subject, upon accreditation of the representation or power of attorney.
    • By stipulation for the benefit of another and for another.
    • The rights of children or adolescents will be exercised by those authorized to represent them.

    The rights of the Data Subject include:

    1. Right of Access or Inquiry: The Data Subject has the right to be informed by the Data Controller, upon request, regarding the origin, use, and purpose given to their personal data.

    2. Rights of Complaints and Claims: The law distinguishes four types of claims:

       • Correction Claim: The right of the Data Subject to update, rectify, or modify partial, inaccurate, incomplete, fragmented data that induces error or those whose processing is expressly prohibited or has not been authorized.

       • Deletion Claim: The right of the Data Subject to have data that is inadequate, excessive, or does not respect constitutional and legal principles, rights, and guarantees deleted.

       • Revocation Claim: The right of the Data Subject to revoke the previously given authorization for the processing of their personal data.

       • Infringement Claim: The right of the Data Subject to request that non-compliance with the regulations on Data Protection be rectified.

    3. Right to Request Proof of the Authorization Granted to the Data Controller: Unless expressly exempted as a requirement for processing in accordance with Article 10 of the LEPD.

    4. Right to File Complaints with the Superintendence of Industry and Commerce for Violations: The Data Subject or heir can only file this complaint once they have exhausted the consultation or claim process with the Data Controller or Data Processor.

    ATTENTION TO DATA SUBJECTS

    The Data Protection Officer of OGA SISTEMVAC SAS will be responsible for handling requests, inquiries, and complaints, where the Data Subject can exercise their rights. Phone: 4120100. Email: protecciondedatos@oga.com.co.

    PROCEDURES FOR EXERCISING DATA SUBJECT RIGHTS

    Right of Access or Inquiry

    According to Article 2.2.2.25.4.2, Chapter 25 of Compilatory Decree 1074 of 2015 (Article 21 of Decree 1377 of 2013), the Data Subject may freely inquire about their personal data in two cases:

    1. At least once every calendar month.
    2. Whenever there are substantial modifications to the information processing policies that prompt new inquiries.

    For inquiries with a frequency greater than once per calendar month, OGA SISTEMVAC SAS can only charge the Data Subject for shipping, reproduction, and, if applicable, document certification. Reproduction costs cannot exceed the recovery costs of the corresponding material. To this end, the responsible party must demonstrate to the Superintendence of Industry and Commerce, when required, the support for such expenses.

    The Data Subject can exercise the right of access or inquiry of their data through a written request addressed to OGA SISTEMVAC SAS, sent via email to: protecciondedatos@oga.com.co, indicating in the Subject “Exercise of the right of access or inquiry,” or through postal mail sent to CRA 70 # 19 – 59, BOGOTÁ D.C., BOGOTÁ.

    The request must contain the following information:

    • Name and surname of the Data Subject.
    • Photocopy of the Data Subject’s Citizenship ID and, if applicable, that of the person representing them, as well as the document accrediting such representation.
    • A request specifying the access or inquiry. Notification address, date, and signature of the applicant.
    • Documents accrediting the formulated request, when applicable.

    The Data Subject can choose one of the following forms of database inquiry to receive the requested information:

    • On-screen visualization.
    • In writing, with a copy or photocopy sent by certified or non-certified mail. Fax.
    • Email or other electronic means.
    • Another system suitable for the database configuration or the nature of the treatment, offered by OGA SISTEMVAC SAS.

    Upon receiving the request, OGA SISTEMVAC SAS will resolve the inquiry request within a maximum period of ten (10) business days from the date of receipt. If it is not possible to address the inquiry within this term, the interested party will be informed, stating the reasons for the delay and indicating the date on which their inquiry will be addressed, which in no case can exceed five (5) business days following the expiration of the initial term. These deadlines are established in Article 14 of the LEPD.

    Once the inquiry process is exhausted, the Data Subject or heir may file a complaint with the Superintendence of Industry and Commerce.

    Rights of Complaints and Claims

    The Data Subject can exercise the rights of complaint regarding their data through a written request addressed to OGA SISTEMVAC SAS, sent via email to protecciondedatos@oga.com.co, indicating in the Subject “Exercise of the right of access or inquiry,” or through postal mail sent to CRA 70 # 19 – 59, BOGOTÁ D.C., BOGOTÁ. The request must contain the following information:

    • Name and surname of the Data Subject.
    • Photocopy of the Data Subject’s Citizenship ID and, if applicable, that of the person representing them, as well as the document accrediting such representation.
    • Description of the facts and request specifying the correction, deletion, revocation, or inflation.
    • Notification address, date, and signature of the applicant.
    • Documents accrediting the formulated request that they wish to assert, when applicable.

    If the complaint is incomplete, the interested party will be required to rectify the deficiencies within five (5) days following the reception of the complaint. After two (2) months from the date of the requirement, without the applicant presenting the required information, it will be understood that they have withdrawn the complaint.

    Upon receiving the complete complaint, a legend will be included in the database stating “claim in process” and its reason, within a period not exceeding two (2) business days. This legend must be maintained until the complaint is decided.

    OGA SISTEMVAC SAS will resolve the complaint within a maximum period of fifteen (15) business days from the date of receipt. If it is not possible to address the complaint within this term, the interested party will be informed of the reasons for the delay and the date on which their complaint will be addressed, which in no case can exceed eight (8) business days following the expiration of the initial term.

    Once the complaint process is exhausted, the Data Subject or heir may file a complaint with the Superintendence of Industry and Commerce.

    SECURITY MEASURES

    In order to comply with the security principle established in Article 4 literal g) of the LEPD, OGA SISTEMVAC SAS has implemented technical, human, and administrative measures necessary to ensure the security of records, preventing their tampering, loss, consultation, use, or unauthorized or fraudulent access.

    On the other hand, OGA SISTEMVAC SAS, through the signing of the corresponding transmission contracts, has required data processors with whom it works to implement the necessary security measures to ensure the security and confidentiality of information in the processing of personal data.

    Below are the security measures implemented by OGA SISTEMVAC SAS, which are documented and developed in its Internal Security Manual (I, II, III, IV).