Introduction
Through this document, the personal data treatment policy for ALIMENTOS SAS S.A.S., hereinafter SAS, is established, in accordance with the guidelines indicated in the current regulations on the matter. This policy applies to the treatment of the personal information of all those who have a relationship with the company, whether they are customers, suppliers or employees of the same in accordance with the provisions of the law.
The most important aspects to take into account according to the data protection laws in Colombia are: law 1581 of 2012, decree 1377 of June 27, 2013, decree 886 of 2014 and other regulations that modify, add to or complement them, which must be applied in SAS. Law 1581 of 2012 constitutes the general framework for the protection of personal data in Colombia.
The fundamental right to the protection of personal data in Colombia is to guarantee citizens the power of decision and control they have over the information of which they are holders. Through this policy, SAS, as the person responsible for the processing of personal data, complies with the provisions of literal k) of article 17 of Law 1581 of 2012.
Important definitions in data processing
The following definitions allow a correct and appropriate interpretation of Law 1581 of 2012 and its regulatory decrees, and are essential for the protection of Habeas Data, which contributes to determining the responsibilities of those involved in the processing of personal data.
Authorization: Prior, express and informed consent of the Holder to carry out the Processing of personal data, with the exception of public data that can be processed by anyone as long as, by their nature, they are public data.
Privacy Notice: Verbal or written communication generated by the person in charge, addressed to the owner for the processing of their personal data, by means of which they are informed about the existence of the information processing policies that will be applicable, the way to access them and the purposes of the treatment that is intended to be given to personal data.
Database: Organized set of personal data that is subject to Treatment.
Personal Data: Any information linked to or that may be associated with one or more specific or determinable natural or legal persons. Personal data can be public, semi-private or private.
Public Personal Data: All personal information that is free and open to the general public. It is the data that is not semi-private, private or sensitive. Public data, among others, are data related to people's marital status, their profession or trade and their status as a merchant or public servant. By its nature, public data may be contained, among others, in public records, public documents, gazettes and official gazettes, and duly enforceable judicial decisions that are not subject to reserve.
Private Personal Data: All personal information whose knowledge is restricted and which is, in principle, private with respect to the general public.
Semi-private Data: Data that is not intimate, reserved, or public in nature and whose knowledge or disclosure may be of interest not only to its owner but also to a certain sector or group of people or to society in general.
Sensitive Data: Data that affects the privacy of the Holder or whose improper use may generate discrimination, such as data that reveals racial or ethnic origin, political orientation, religious or philosophical convictions, membership of unions, social organizations, of human rights or that promotes the interests of any political party or that guarantees the rights and guarantees of opposition political parties, as well as data related to health, sexual life and biometric data, such as, among others, the capture of still or moving images, fingerprints, photographs, iris, voice, facial or palm recognition, etc.
Biometric Data: Those physical, biological or behavioral traits of an individual that identify him as unique from the rest of the population, such as fingerprints or DNA analysis.
Employee: Natural person who by virtue of an employment contract is obliged to provide a personal service to another natural or legal person, under the continued dependence or subordination of the second and through remuneration.
Former employee: Natural person who was related to SAS.
Visitor: Person (s) who are in a place for a duration of less than 8 hours without exercising a remunerative activity in the place visited.
Person in charge of the Treatment: Natural or legal person, public or private, that by itself or in association with others, carries out the processing of personal data on behalf of the Responsible for the Treatment.
Responsible for the Treatment: Natural or legal person, public or private, that by itself or in association with others, decides on the database and / or the treatment of the data.
Treatment policy: This document is referred to as the personal data treatment policy applied by SAS in accordance with the guidelines of current legislation on the matter.
Supplier: Any natural or legal person that provides a service to SAS by virtue of a contractual relationship.
Holder: Natural person whose personal data are subject to Treatment.
Treatment: Any operation or set of operations on personal data, such as the collection, storage, use, circulation or deletion.
Transfer: The transfer of data takes place when the person responsible for and / or in charge of the processing of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is responsible for the treatment and is inside or outside the country.
Transmission: Processing of personal data that implies the communication of the same within or outside the territory of the Republic of Colombia when it is intended to carry out a treatment by the person in charge on behalf of the person responsible.
Guiding principles for the processing of personal data
Law 1581 establishes in article 4 that the following principles guide the processing of your personal data, and SAS, as a law-abiding entity, will abide by them:
Principle of legality: The processing of personal data is a regulated activity that must be subject to the provisions of Law 1581 of 2012, Decree 1377 of 2013 and the other provisions that develop it.
Principle of purpose: The Treatment must obey a legitimate purpose and this must always be informed to the Owner.
Principle of freedom: The processing of personal data can only be exercised with the prior, express and informed consent of the owner. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves consent.
Principle of truthfulness and quality: The information subject to treatment must be truthful, complete, accurate, up-to-date, verifiable and understandable. The processing of partial, incomplete, fractional data that may lead to error is prohibited.
Principle of transparency: In the treatment, the right of the owner to obtain from the person responsible for the treatment or the person in charge of the treatment, at any time and without restriction, information about the existence of data that concerns him must be guaranteed.
Principles of access and restricted circulation: The treatment is subject to the limits that derive from the nature of the personal data, the provisions of the law and the constitution. In this sense, the treatment can only be done by people authorized by the owner and / or by the people provided by law. Personal data, except for public information, may not be available on the internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to the owners or authorized third parties in accordance with the law.
Security principle: The information subject to treatment by the person responsible for the treatment and / or in charge of the treatment must be handled with the technical, human, and administrative measures that are necessary to grant security to the records, avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.
Principle of confidentiality: All persons who intervene in the processing of personal data that are not public in nature are obliged to guarantee the reservation of the information, even after the end of their relationship with any of the tasks that comprise the treatment, and may only supply or communicate Personal Data when this corresponds to the development of the activities authorized in the Law and in the terms of the same.
How do we receive information about you?
We receive your personal information as a result of various actions or origins:
When you voluntarily provide us with your personal data when registering on our Site,
When you use our Site in connection with your use of our services,
From external providers, services and public records (such as providers of traffic statistics
Databases
Databases in which SAS acts as responsible and in charge of the treatment. In the treatment of the data contained in the following databases, SAS acts both as "Responsible", since it is the one who collects the information and makes decisions about the treatment of the data, and as "Manager", insofar as it is who performs the data processing.
1. SAS Payroll Management Database
Description: this database corresponds to the information that is collected on the employees (directly linked, temporary) students in internships and is managed by Human Management and Accounting.
Content: The data collected in this database are the following: Personal data such as: name, identification document, date of birth, address, telephone, email, blood group, fingerprint, academic information, work history, financial data, family data and socio-cultural information of the employee.
How the data is collected: The data is captured from the main form in the system interface and stored in the database to be consulted, modified or updated by authorized persons. The resume is filed in physical folders. This database is fed by the information contained in the following documents:
· Work contract
· Resume format
· Additional data update forms
· Documents attached to the resume such as academic certifications
Purpose: The aforementioned data is collected in order to comply with the obligations derived from the employment contract with employees, students in practice, etc., make links to the social security system and family compensation funds, to make reports to the government entities, pay taxes, communication in case of absence, internal security and to carry out the general purposes established in this manual. Sensitive data such as fingerprint is used to control working hours.
Treatment: This database is subject to the following treatment:
a. Information is collected
b. It is stored in a physical and electronic file
c. Information is updated
d. A backup is made and it circulates internally between the Human Management and Accounting processes.
f. It is used to send reports to the DIAN and to the administrative entities that request it based on the rules of the Social Security System and complementary ones.
g. It is for the exclusive use of SAS and can be deleted in accordance with the provisions of the Law in this regard.
h. To give it the general uses established in this manual.
Those in charge of the information processing are all the officials who are part of the Human Management and Accounting processes. The information of each process is managed by the Human Management and Accounting areas. Only authorized personnel have access to full employee information.
Validity: This database will be valid as long as the employment relationship between the employee and SAS exists. The data remains stored indefinitely in the databases, except in cases of labor termination, in which they will be marked with indicators of labor inactivity. There is also a physical file of employees and former employees who have been at SAS.
2. Customer and supplier database
Description: This database collects information from customers and suppliers with whom the company has a business relationship.
Content: Personal data via email or in physical form or by telephone.
The data collected are: personal, commercial and financial data.
How the data is collected: The data is collected as follows:
a. Via email with a detailed form.
b. By telephone, the official in charge of the company requests the information and in turn completes the form that is uploaded to the database.
Purpose: The aforementioned data is collected for SAS's commercial relationship with customers and suppliers that are part of its supply chain in order to register them as customers or suppliers of the company, keep track of them, request offers, invoice them for goods and services, control payments and purchase levels, send reports to DIAN and the Secretary of the District Finance and in general to government entities, in accordance with the provisions of Colombian regulations and to carry out the general purposes established in this manual.
Treatment: This database is stored in the central SIIGO system. This database is subject to the following treatment:
a. Information is collected.
b. Information is updated.
c. It is used to send reports to government entities to comply with the law, and in general to give it the uses established in this policy.
d. It is for the exclusive use of the company and can be deleted in accordance with what is regulated by law.
i. A backup copy is made and stored in the cloud in order to guarantee the continuity of the company's operation in the event of a contingency; which is done through a documented internal company procedure.
Validity: The information remains stored indefinitely in the databases of our central SIIGO system, in accordance with the company's document management program and the other regulations established by law. This information remains stored as long as the commercial relationship with the customer and the supplier subsists.
3. Database of requests, complaints and claims (PQR) of the company's customer service area
Description: This database corresponds to the information obtained from all requests, complaints and claims (PQR) that are made through channels such as: account executives, customer service, quality mail or directly to the line of attention of the SAS company, of any matter related to the company.
Content: The data that is collected in this database are the following: personal data of the client and object of the complaint or claim.
How the data is collected: For this database, information is collected through telephone service lines and through customer service, commercial and quality emails.
Purpose: The objective of collecting this data is to give an adequate procedure, to follow up and offer a solution to the requests, complaints or claims that are made through these customer service lines.
Treatment: This database is subject to the following treatment:
a. Information is collected.
b. It is stored in an electronic file.
c. The information is updated.
d. It is for the exclusive use of the company and can be deleted in accordance with what is regulated by law.
i. To give it the uses established in this manual.
Validity: The information contained in this database will be valid as long as the request, complaint or claim is resolved and for two (2) more years. In addition, records that have gone more than three (3) years without being requested by customers are purged, in order to free up space taken by information that is not applicable.
Database registration
In accordance with the provisions of Decree 886 of 2014 and External Circular 002 of 2015, the aforementioned databases will be registered in the National Database Registry.
Authorization of the owner for data processing
In accordance with article 5 of Decree 1377 of 2013, SAS as Responsible for the treatment has prepared a form of "authorization for the processing of personal data" and has adopted procedures to request at the time of the collection of personal data, your authorization to the treatment thereof and inform you of the personal data that will be collected as well as all the specific purposes of the treatment for which your consent is obtained.
Personal data found in publicly accessible sources, regardless of the means by which it is accessed, may be processed by SAS, as long as, by their nature, they are Public Data.
It will be understood that the authorization granted by the owner to SAS, complies with the requirements of the applicable current legislation, when it is manifested: in writing, orally, through unequivocal conduct of the owner that allows to reasonably conclude that it granted to SAS the respective authorization.
Authorization of the owner for the treatment of sensitive data
In the treatment of sensitive personal data, when such treatment is possible in accordance with the provisions of Article 6 of Law 1581 of 2012, SAS will comply with the following obligations:
Inform the owner that because it is sensitive data, he is not obliged to authorize its treatment.
Inform the owner of the general requirements of the authorization for the collection of any type of personal data, which of the data that will be processed are sensitive and the purpose of their treatment, and also obtain their express consent.
None of the activities carried out by SAS is or will be conditioned on you, as the owner, providing your sensitive personal data.
Use and purpose of the processing of personal data
SAS, as an entity that respects the privacy of people, recognizes that you, as the owner of personal data, have the right to have adequate elements that guarantee it, taking into account your responsibilities, rights and obligations in any case.
By virtue of the relationship that has been established with SAS, it is important that you know that SAS collects, records, stores and uses your personal data, for the purpose for which they were requested or at the request of public entities.
The personal data of the holders are used by SAS to:
a. Execute the activities of SAS to fulfill its corporate purpose, all of which it will do based on the purpose of the database in which the personal data of the owners rests.
b. Offer the products, services and / or benefits that seek to satisfy the needs of the holders, or the products and services of SAS, which can be done by physical means or through emails and / or mobile terminals.
c. Send the information to private government entities by legal requirement.
d. Consult information from the control lists (National and International Lists) and from the information centers, including CIFIN, the Clinton list, the Attorney's Office, the Comptroller, the National Police, DIJIN, DATACREDITO and others, in order to preserve trust and transparency between the owner of the data and SAS.
e. Support external and internal audit processes.
f. For the execution of judicial and extrajudicial processes in the cases allowed by the Statutes and Regulations of SAS.
g. Register the information of employees, former employees, suppliers, customers (active and inactive) in SAS databases, for the sending of contractual, commercial and mandatory information that may arise.
h. For verification of references of employees, former employees, suppliers, clients (active and inactive) in the databases.
i. Regarding the collection and processing of data carried out through automated mechanisms in order to generate records of visitor activity.
The personal data will be used by SAS only for the purposes indicated here; therefore, SAS will not sell, transmit or disclose the personal data, unless:
a. the owner expressly authorizes to do so.
b. your information is related to a merger, consolidation, acquisition or other restructuring process of SAS.
c. is allowed by law.
For the internal management of the data, these may be known by the authorized personnel of SAS, which includes the General Assembly of Shareholders, the Board of Directors, the Statutory Auditor and the Management.
SAS may subcontract to third parties for the procedure of certain functions or information. When this occurs, said third parties will be obliged to protect the Personal Data in the terms required by law and in their capacity as managers of the SAS databases.
In the case of transmission of personal data, SAS will sign the transmission contract that may be applicable in the terms of decree 1377 of 2013. Likewise, SAS may transfer or transmit (as appropriate), keeping the due security measures, your personal data to other entities in Colombia or abroad for the provision of a better service, in accordance with the authorizations that have been granted by the holders of personal data.
Once the need for personal data processing is met, members will be removed from SAS databases in safe terms.
Rights of the data owners
Law 1581 of 2012, in its article 8, establishes the following rights that assist you as the owner in relation to your personal data.
a. Know, update and rectify your personal data in front of those responsible for the treatment or those in charge of the treatment. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned data that lead to error, or those whose treatment is expressly prohibited or has not been authorized.
b. Request proof of the authorization granted to the person responsible for the treatment except when expressly excepted as a requirement for the treatment.
c. Be informed by the person responsible for the treatment or the person in charge of the treatment, upon request, regarding the use that has been given to your personal data.
d. Present before the Superintendency of Industry and Commerce complaints for infractions to the provisions of Law 1581 of 2012 and the other regulations that modify, add or complement it.
e. Revoke the authorization and / or request the deletion of the data when the principles, rights and constitutional and legal guarantees are not respected in the treatment.
f. Access your personal data that have been processed.
Procedure for the exercise of your rights as a data holder
According to article 20 of Decree 1377, the rights of the holders established in Law 1581 may be exercised before SAS by the following persons:
a. By the owner of the data, who must sufficiently prove their identity to SAS by the different means or mechanisms that we have at their disposal.
b. By the successors in title of the data owner, who must prove such quality to SAS.
c. By stipulation in favor of another or for another.
In accordance with the provisions of Law 1581, in its articles 14 and 15, for the exercise of any of the rights that assist you as the owner of the data, you may use before SAS any of the mechanisms established below.
Consultation procedure
The owners, their successors in title, their representatives or proxies, may consult the personal information of the owner that resides in the SAS database.
SAS as responsible and / or in charge of the treatment will supply the requested information that is contained in the database or that which is linked to the identification of the owner.
The consultation will be made through the channels that have been enabled by SAS for this purpose and especially through written or electronic communication.
The query will be attended by SAS within a maximum term of ten (10) business days from the date of receipt.
When it is not possible for SAS to attend to the query within said term, it will inform the interested party, expressly of the reasons for the delay and indicating the date on which it will attend to the query, which in no case will exceed five (5) business days following the expiration of the first term.
Personal data may be consulted at least once every calendar month, and whenever there are substantial modifications to the policies established in this manual that motivate new consultations.
Complaints procedure
The owners, their successors in title, their representatives or proxies, who consider that the information that is contained in the SAS databases should be subject to correction, updating or deletion, or who notice the alleged breach of any of the duties contained in the law, may file a claim with SAS as responsible and / or in charge of the treatment, which will be processed under the following rules:
The claim will be formulated by means of a written request addressed to SAS, with the identification of the owner, the description of the facts that give rise to the claim, the address, and accompanied by the documents that the claimant wants to enforce.
A photocopy of the identification document of the owner of the data must be attached to the claim.
The claim will be made through the channels that have been enabled by SAS for this purpose.
a. If the claim is incomplete, SAS will require the interested party within five (5) business days following receipt of the claim to correct the faults.
b. After two (2) months from the date of the request made by SAS, without the applicant submitting the required information, SAS will understand that the claim has been withdrawn.
c. In the event that the person who receives the claim is not competent to resolve it, he / she will transfer it to the corresponding person within a maximum term of two (2) business days and will inform the interested party of the situation.
d. Once SAS receives the complete claim, it will include in the database a legend that indicates “claim in process” and the reason for it, within a period of no more than two (2) business days.
Said legend must be kept until the claim is decided.
a. The maximum term to attend the claim by SAS will be fifteen (15) business days from the day following the date of receipt.
b. When it is not possible for SAS to attend the claim within said term, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.
Channels enabled
The rights of the holders may be exercised by the aforementioned persons through the channels that have been enabled by SAS for this purpose, which are at their disposal, as follows:
Through the email address: protecciondatos@sas.com.co
Rights & Duties of the company as responsible and in charge of the treatment
Article 17 of Law 1581 establishes the following duties for SAS, as responsible for the processing of your personal data:
a. Guarantee the holder, at all times, the full and effective exercise of the right to habeas data.
b. Request and keep, under the conditions provided by law, a copy of the respective authorization granted by the owner.
c. Properly inform the owner about the purpose of the collection and the rights that assist him by virtue of the authorization granted.
d. Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
e. Guarantee that the information provided to the person in charge of the treatment is true, complete, exact, updated, verifiable and understandable.
f. Update the information, communicating in a timely manner to the person in charge of the treatment, all the news regarding the data that you have previously provided and adopt the other necessary measures so that the information provided to it is kept updated.
g. Rectify the information when it is incorrect and communicate the pertinent to the person in charge of the treatment.
h. Provide the person in charge of the treatment, as the case may be, only data whose treatment is previously authorized in accordance with the provisions of the law.
i. Require the person in charge of the treatment, at all times, to respect the security and privacy conditions of the owner's information.
j. Process inquiries and claims formulated in the terms indicated in the law.
k. Adopt an internal manual of policies and procedures to guarantee adequate compliance with the law and, especially, for the attention of queries and complaints.
l. Inform the data controller when certain information is under discussion by the owner, once the claim has been submitted and the respective process has not been completed.
m. Inform at the request of the owner about the use of their data.
n. Inform the data protection authority when there are violations of the security codes and there are risks in the administration of the information of the holders.
o. Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.
Article 18 of Law 1581 establishes the following duties for SAS, as the person in charge of processing your personal data, without prejudice to the other provisions set forth in said law and in others that govern its activity:
a. Guarantee the holder, at all times, the full and effective exercise of the right to habeas data.
b. Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
c. Timely update, rectify or delete the data.
d. Update the information reported by those responsible for the treatment within five (5) business days from its receipt.
e. Process the queries and claims made by the owners in the terms indicated in the law and in this manual.
f. Adopt an internal manual of policies and procedures to guarantee adequate compliance with the law and, especially, for the attention of inquiries and complaints from the owners.
g. Register in the database "claim in process" in the manner in which they are regulated by law.
h. Insert in the database the legend "information in judicial discussion" once notified by the competent authority about judicial processes related to the quality of personal data.
i. Refrain from circulating information that is being disputed by the owner and whose blocking has been ordered by the Superintendency of Industry and Commerce.
j. Allow access to information only to people who can have access to it.
k. Inform the Superintendency of Industry and Commerce when there are violations of the security codes and there are risks in the administration of the information of the holders.
l. Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.
Information is protected through mechanisms that preserve its confidentiality, integrity and availability, using the following mechanisms:
a. Protection of access to data through passwords and roles of different levels of authority.
b. Password protection through encryption and assurance of the level of complexity and periodicity of user passwords.
c. Backup copies storage and redundancy thereof.
d. Password protection of the computers from which the data is manipulated.
e. All the standards established by the Technology Department in the Manual of Security Policies and Control of Access to Information.
Designation of the area or person in charge of the treatment so that the owner of the data can exercise their rights of requests, queries or claims
To process inquiries, complaints, claims and requests related to the treatment and protection of personal data of workers, clients, suppliers, and other holders of personal data handled by SAS in its databases, you must contact the email protecciondatos@sas.com.co or go to diagonal 19D No. 39-20 in the city of Bogotá DC, telephone: 4058899.
Modification of the treatment policy
We inform you that if there are substantial changes in the content of this manual of personal data treatment policies, referring to the identification of the person in charge and / or manager and the purpose of processing your personal data, which may affect the content of the authorization that you have granted to SAS, these changes will be communicated no later than when the new policies are implemented. In addition, when the change refers to the purpose of processing your personal data, SAS will obtain a new authorization from you.
Entry into force of the treatment policy
This personal data treatment policy was created on the eighteenth (18) day of May 2014 and governs from the date of its publication.
Last modified March 20, 2019.