FRAQ CO S.A.S.

Personal Data Processing Policy

Scope

This policy applies to all personal information registered in the databases of FRAQ CO S.A.S., which acts as the data controller for personal data.

Obligations

Fraq CO S.A.S. acknowledges that Personal Data belongs to the individuals to whom it refers, and only they can decide on its use. Accordingly, Fraq CO S.A.S. will use the collected Personal Data solely for the purposes for which it is duly authorized and will always respect the current regulations on Personal Data Protection.

Fraq CO S.A.S. will comply with the duties established for Data Controllers, as contained in Article 17 of Law 1581 of 2012 and other regulations that modify, regulate, or replace it.

Data Controller

Fraq CO S.A.S., a legally constituted commercial company, identified with NIT 901.723.658 - 7, with its main domicile at Carrera 15 No. 97-40 Office 405 in the city of Bogotá D.C. – Colombia.

Processing and Purpose

The processing of personal data carried out by Fraq CO S.A.S. will consist of the collection, storage, use, and circulation in the following events and/or activities:

General Purposes for the Processing of Personal and Client Data:
  • Transferring the collected information to different areas of Fraq CO S.A.S. when necessary for the development of its operations (portfolio collection and administrative charges, treasury, accounting, development of activities and workshops, among others);
  • Responding to judicial or administrative requirements and complying with judicial or legal mandates;
  • Registering personal data in Fraq CO S.A.S.'s information systems and its commercial and operational databases;
  • Any other activity of a similar nature to those previously described that is necessary to develop the corporate purpose of Fraq CO S.A.S;
  • Fulfilling the obligations contracted by Fraq CO S.A.S. with its Clients and Consumers when acquiring our services;
  • Strengthening relationships with its Consumers and Clients by sending relevant information, taking orders, and evaluating service quality;
Regarding the Personal Data of Our Employees:
  • Administering and operating, directly or through third parties, the processes of personnel selection and hiring, including the evaluation and qualification of participants, verification of work and personal references, and conducting security studies;
  • Developing Human Resources management activities within Fraq CO S.A.S., such as payroll, affiliations to entities of the general social security system, welfare and occupational health activities, exercise of the employer's disciplinary power, among others;
  • Making necessary payments derived from the execution of the employment contract and/or its termination, and other social benefits as applicable according to the law;
  • Contracting employee benefits with third parties, such as life insurance, medical expenses, among others;
  • Notifying authorized contacts in case of emergencies during working hours or in connection with work activities;
  • Coordinating the professional development of employees, employee access to the employer's computer resources, and providing support for their use;
  • Planning business activities;
Regarding Supplier Data:
  • Inviting them to participate in selection processes and events organized or sponsored by Fraq CO S.A.S;
  • Evaluating the fulfillment of their obligations;
  • Registering them in Fraq CO S.A.S.'s systems;
  • Processing their payments and verifying outstanding balances.

Special Provisions for the Processing of Personal Data

Processing of Sensitive Personal Data

The Processing of sensitive Personal Data is prohibited by law, except with the express, prior, and informed authorization of the Data Subject, among other exceptions established in Article 6 of Law 1581 of 2012.

In this case, in addition to complying with the requirements established for authorization, THE COMPANY will inform the Data Subject of the following:

  • That because it involves sensitive data, they are not obliged to authorize its Processing.
  • Which of the data subject to Processing are sensitive and the purpose of the Processing.

Additionally, Fraq CO S.A.S. will process the sensitive data collected under security and confidentiality standards appropriate to its nature. For this purpose, Fraq CO S.A.S. has implemented administrative, technical, and legal measures contained in its Manual of Policies and Procedures, mandatory for its employees and, where applicable, for its suppliers, affiliated companies, and business partners.

Processing of Personal Data of Children and Adolescents

As provided by Article 7 of Law 1581 of 2012 and Article 12 of Decree 1377 of 2013, Fraq CO S.A.S. will only carry out the Processing corresponding to children and adolescents, provided that this Processing responds to and respects the best interests of the children and adolescents and ensures respect for their fundamental rights.

Once the above requirements are met, Fraq CO S.A.S. must obtain the Authorization of the legal representative of the child or adolescent, after the minor exercises their right to be heard, an opinion that will be assessed taking into account their maturity, autonomy, and capacity to understand the matter.

Rights of Data Subjects

As the owner of your personal data, you have the right to:

  1. Access the provided data that has been subject to processing, free of charge.
  2. Know, update, and rectify your information regarding partial, inaccurate, incomplete, fragmented data, data that induces error, or data whose processing is prohibited or has not been authorized.
  3. Request proof of the authorization granted.
  4. File complaints with the Superintendence of Industry and Commerce (SIC) for violations of the provisions of current regulations.
  5. Revoke the authorization and/or request the deletion of the data, provided there is no legal or contractual duty that prevents their elimination.
  6. Refrain from answering questions about sensitive data. Responses concerning sensitive data or data of children and adolescents will be optional.

Handling Petitions, Queries, and Complaints

In compliance with personal data protection regulations, Fraq CO S.A.S. presents the procedure and minimum requirements for exercising your rights:

Data Subjects have the right to make queries and requests to Fraq CO S.A.S. to know, update, rectify, delete information, and revoke authorization, or to submit petitions, complaints, and claims regarding personal data or its processing via email at admin@fraq.com.co.

Data Subjects can contact the person responsible for handling petitions, complaints, and claims via the email address admin@fraq.com.co.

For the submission and handling of your request, we ask you to provide the following information:

  • Full name and surnames;
  • Contact details (Physical and/or electronic address and contact telephone numbers);
  • Means to receive a response to your request;
  • Reason(s)/fact(s) giving rise to the claim with a brief description of the right you wish to exercise (know, update, rectify, request proof of authorization granted, revoke it, delete, access information);
  • Signature (if applicable) and identification number.

The maximum period provided by law to resolve your claim is fifteen (15) business days, counted from the day following the date of its receipt.

When it is not possible to address the claim within said term, Fraq CO S.A.S. will inform the interested party of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.

Once the terms indicated by Law 1581 of 2012 and other regulations that regulate or supplement it have been met, the Data Subject who is denied, totally or partially, the exercise of the rights of access, updating, rectification, deletion, and revocation, may bring their case to the attention of the Superintendence of Industry and Commerce – Delegation for the Protection of Personal Data.

Validity

This Policy for the Processing of Personal Data is effective as of January 1, 2023.

The databases in which personal data will be registered will remain valid as long as their deletion is not requested by the interested party and provided there is no legal duty to retain them.