PERSONAL DATA PROCESSING POLICY

CHAPTER ONE
GENERAL PROVISIONS

1.1 Identification of the Data Controller

Obice SAS, hereinafter The Company, owner of the brand “Efinetico.com” acting as Responsible for the processing of personal information, is allowed to identify through the following data:

OBICE SAS
900188077-3
Address call 124 7c-09
[email protected]
6201770
www.efinetico.com

1.2 Definitions

The following definitions are listed below for a proper understanding of this policy:

a.Authorization: Prior, express and informed consent of the Data Subject to carry out the processing of personal data.
b.Database: Organized set of personal data that is subject to Processing;
c.Personal data: Any information linked or that can be associated to one or several determined or determinable natural persons;
d.Data Processor: Natural or legal person, public or private, that by itself or in association with others, performs the Processing of personal data on behalf of the Data Controller;
e.Data Controller: Natural or legal person, public or private, who by himself or in association with others, decides on the database and/or the processing of the data;
f.Data Subject: Natural person whose personal data is the object of processing;
g.Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.
h.End users: The holders of information who have a relationship with the Company because they have acquired a product and/or service.

1.3 Policy Objective

The purpose of the Personal Data Processing Policy is to establish the criteria under which the processing of personal information contained in the Company’s databases, physical and digital files is carried out.

1.4 Scope of the Policy

The Personal Data Processing Policy establishes the criteria that the Company has incorporated for the processing of personal data, mechanisms to exercise the right of habeas data, as well as the purposes, security measures, and other aspects related to the protection of personal information.

1.5 Policyholders to whom the Policy is addressed

The present Personal Data Treatment Policy is addressed to:

A.End users
B.Corporate Clients
C.Suppliers
D.Employees
E.Contractors
F.Advertising and/or marketing agencies
G.Technical Service Centers
H.Information Managers, and in general,
I.Any holder of the information, either acting on his own behalf or as a legal representative, who on occasion, to the activities that are linked to the Company, requires his personal information for the development of the same.

1.6 Regulatory Compliance with the Personal Data Protection Regime

This Personal Data Treatment Policy complies with the Personal Data Protection Regime in Colombia, especially Articles 15 and 20 of the National Constitution, Law 1581 of 2012, Chapter 25 of Decree 1074 of 2015, Ruling C-748 of 2011 and Circular 002 of 2015 of the Superintendence of Industry and Commerce.

CHAPTER TWO
PROCESSING OF PERSONAL DATA

2.1 Types of Personal Databases

The Company has different types of databases, which are classified into five categories as follows: Human Resources, Customers, Administrative/Commercial, Services and Applications:

1HUMAN RESOURCESIn this category are databases related to payroll management, periods of entry and exit from the company, education and training, occupational health and safety, employee’s resume and in general personnel administration.
2END USERSIn this category are all databases relating to personal information of end users that are collected in different activities carried out by the Company for the dissemination and marketing of its products and services, as well as educational activities.
3ADMINISTRATIVE / COMMERCIALIn this category are all the databases related to the management of financial, commercial and credit information, as well as treasury management, administrative aspects, management of suppliers and contractors, customers and in general information for the commercial management of the Company .
4SERVICESThis category includes all the databases with end-user information related to the provision of the service, related to the provision of after-sales services, such as technical services, PQR, warranties, as well as support on the characteristics of the products marketed by the company. The Company and others related to post-sale requirements of the products.
5APPLICATIONS AND SOCIAL NETWORKSIn this category are all databases with personal information of end users and customers related to additional services offered by Samsung for the improvement of user experience, as well as customer service and product dissemination activities.
6VIDEOSThis category includes the databases, which contain personal information captured through filming cameras, with the purpose of preserving the security of the assets and people in the facilities and controlling the entry and exit of personnel and visitors.

2.2 Types of Personal Data Collected by the Company

The Company collects public, semi-private, private, sensitive and Children and Adolescents’ personal data. According to the classification of the National Registry of Personal Data Bases, the categories of data that the Company has in its databases are the following:

General identification data of the person: first name, last name, type of identification, identification number, date and place of issue, name, marital status, sex, etc.AppliesAppliesAppliesAppliesApplies
Data specific to the identification of the person: Signature, nationality, family data, electronic signature, other identification documents, place and date of birth, death, age, etc.AppliesAppliesAppliesAppliesApplies
Biometric data of the person: Fingerprint, DNA, iris, facial or body geometry, photographic videos, dactyloscopic formula, voice, etc.AppliesAppliesAppliesApplies
Morphological description of the person: skin color, iris color, hair color and type, particular signs, height, weight, complexion.AppliesAppliesApplies
Location data related to the business or professional activity of the persons: address, telephone, e-mail, etc.AppliesAppliesAppliesApplies
Personal location data related to the private activity of individuals: address, telephone, email, etc.AppliesAppliesAppliesApplies
Data related to the person’s health: Image, endoscopies, pathologies, studies, etc.Applies
Financial data, credit data and/or economic rights of individualsAppliesApplies
Individual’s tax information dataAppliesApplies
Data related to the economic activity of the personApplies
Data related to the person’s work history, work experience, position, dates of entry and retirement, annotations, calls for attention, etc.Applies
Data related to the person’s educational level, training and/or academic backgroundAppliesApplies
General data related to affiliation and contributions to the integral social security system: EPS; IPS; ARL, dates of entry/withdrawal EPS, AFP, etc.Applies
Judicial and/or disciplinary background data of the persons involvedApplies
Personal data for access to information systems: users, IP, passwords, profiles, etc.Applies

2.3 Processing to which personal data is subjected

The personal data obtained are subject to the following treatment:

2.3.1 Collection

The Company collects personal information through different activities related to its corporate purpose, and the obligations it has as an employer. The information is requested directly from the owner.
The instruments used The Company The data collection procedures comply with all the requirements established in the regulations on personal data protection, and obey the principles of freedom and purpose, so that in each of them, the authorization for the processing of personal data is incorporated. These instruments are:

Human TalentHuman ResourcesResumesApplies
Home visit reportsApplies
Medical Entrance ExaminationApplies
Academic and professional experienceAppliesApplies
Personal identification documentsApplies
Access control systems (ingress and egress)Applies
MarketingEnd UsersEvents, congresses, trainings and related activities spreadsheetAppliesApplies
Gift delivery formAppliesApplies
Form to participate in contests, events, activities, trainings and to receive information about products.AppliesApplies
Bundle control template
1
AppliesApplies
Applications and information captured through social networksApplies
Contact Center GroupServices/Applications and Social NetworksContact Us form Samsung websiteApplies
Landline phone 6001272 (Recorded call)Applies
ApplicationsApplies
Mails electrónicos:[email protected], (other customer service related mails)Applies
Customer/supplier/consumer service pointsAppliesApplies
Chat- Live ChatApplies
Samsung Remote Support (restricted access)Applies
Video chat (Customer Service)Applies
General AffairsAdministrative and CommercialSupplier Creation Form

Supplier Reports submitted by Informa or Infolaft, or similar companies.

AppliesApplies
FI Credit AreaRUT and Certificate of existence and legal representation.

Customer creation form

Customer reports submitted by Informa or Infolaft, or similar companies.

Applies
TreasuryContracts/AgreementsApplies
MIS & SecurityVideoSecurity camerasAppliesApplies

________________________


1
Combo delivered with a product

2.3.2 Other sources of data collection

A.Videos and photographs: The Company collects personal data through security cameras, to protect and control the entry and exit of its personnel and assets of its facilities, likewise, due to the performance of marketing activities, conducting events related to the Samsung brand, eventually captures images and videos of people, likewise, information is collected for activities that performs non-profit and social purposes.
B.Cookies and web bugs: The Company occasionally uses “cookies” to provide certain information. A “cookie” is a small piece of data that a website sends to your browser, which stores it on your hard drive so that Samsung can recognize it when you revisit the website.
C.Applications: Through the applications generated by The Company and Head Office, the holders of the information enter their basic personal data, this, in order to be able to access the functions offered by the applications.

Both the capture of images through filming cameras, the capture of information through the website www.efinetico.com and the current and future applications generated by the Company, shall be governed by this policy of personal data protection.

2.3.3 Storage

The storage of personal information contained in the databases is located in our own servers inside and outside the country, and in external servers of third parties, and has all the physical, technical and administrative security measures, and has access controls to the information, ensuring the principle of restricted access and circulation.

As for images and voice of the owners, which are captured through the security cameras, the duration of storage is thirty (30) calendar days, at which time such information is deleted.

2.3.4 Uses and Purposes of Data Collection

The use and purpose of the information collected and stored in the databases, has different objectives, among them, are:

A.Management of internal statistics, citizen/customer service (PQR management) Customer loyalty, Sending of communications.
B.Administrative procedures, information systems administration, key management, user administration, operational development, etc.
C.Invoicing management, accounting management, supplier and contractor management, economic and accounting management, history of commercial relations, requirements by control bodies.
D.Opinion surveys, Commercial prospecting, Own advertising, Market segmentation, Offering of products and services.
E.Time control, personnel training, personnel management, temporary employment management, social benefits, occupational risk prevention, promotion and selection of personnel.
F.Accounting, tax and administrative management: requirements by control agencies, private and sensitive data, attention and follow-up of judicial or administrative authority requirements.
G.Management of basic administrative tasks; informing, by any of the means provided at the time the information is provided, about promotions, news, current and future products and services related to events, contests, activities, awarding of prizes, benefits and purchased products; responding to specific requests from end users and other commercial purposes directly or indirectly related to the activity of The Company promotions, news, products and services promoted directly by strategic partners, for-profit and non-profit activities.

Notwithstanding the foregoing, all communication channels where there is transmission of information by the owners, establishes the purpose of the collection of information.

2.3.5 Circulation

As a general rule, The Company does not share the personal data it collects with third parties. However, Samsung Electronics Colombia S.A for the effective fulfillment of its obligations may deliver personal data to its subsidiaries, its parent company and affiliated companies to Samsung, covered by paragraph e) of Article 26 of Law 1581 of 2016, which states that the transfer of personal data is permitted when necessary for the execution of a contract between the holder and the controller, or for the execution of pre-contractual measures provided that the authorization of the holder is obtained.

For marketing purposes, the Company delivers to advertising and marketing agencies with which it has commercial and confidentiality agreements the contact data of end users for sending commercial information, which are authorized by the owner of the data and formalized by contracts for the transmission of personal data.

Likewise, The Company has technical service centers throughout the country, which are third parties that provide this assistance on behalf of the company. The Company They capture personal information from the end customer, which is then delivered to The Company for the purpose of verifying the effective provision of service.

2.3.6 Deletion

The personal information that is requested in order to comply with legal, contractual, tax, auditing purposes, among other related aspects, will remain stored according to the maximum times established in the Colombian legislation for its retention.

The suppression of personal information collected in databases, the end of which is not mandatory by law, will be carried out once the purpose has been fulfilled, in accordance with the authorizations, contracts and/or agreements that the owner of the information has previously agreed with The CompanyHowever, some information may be retained for audit purposes.

2.4 Authorization for the processing of personal data

The Company requests in a free, prior, express and duly informed manner, the authorization of the owners of the data and for this purpose has provided suitable mechanisms to ensure in each case that it is possible to verify the granting of such authorization. The same may be recorded in any medium, whether a physical or electronic document or in any format that guarantees its subsequent consultation through technical tools, complying with the requirements established by law.

 

2.5 Protection Measures

The Company has adopted technical, legal, human and administrative measures necessary to ensure the security of personal data protecting confidentiality, integrity, use, unauthorized access and / or fraudulent. Likewise, internally The Company has implemented mandatory security protocols for all personnel with access to personal data and information systems.

The internal security policies under which the holder’s information is kept to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access, are the following:

a.Personal Data Processing Policies
Procedures for assigning responsibilities and authorizations in the processing of personal information.
Confidentiality agreements for all personnel and external parties who have access to personal information.
Information Security Management System

2.6 Obligations of the Persons in Charge of the Information

Companies and/or persons external to The Company, who by virtue of a business relationship perform the processing of personal data on behalf of The Company, must comply with the following obligations:

1.To guarantee the holder the access, consultation, updating, rectification of his personal data.
2.Request and keep a copy of the respective authorization for the processing of personal data informing the purpose of the collection, either at the technical service points and/or electronic and/or digital media.
3.Keep the information under security conditions that prevent adulteration, loss, consultation, unauthorized or fraudulent use or access.
4.Adopt an internal manual of policies and procedures to ensure compliance with Law 1581 of 2012, regarding the protection of personal data.
5.Allow access to information only to those who can access it.
6.Comply with the obligations established in Article 18 of Law 1581 of 2012, and its respective regulatory decrees, regarding the protection of personal data.

2.7 Cases in which The Company operates as a Data Controller

In cases where Samsung operates as a data processor, the data controllers must request and retain the authorization of the owner of the information, for the processing of personal data by Samsung, so Samsung assumes that the data controller has the prior and express authorizations of the owners with whom it has contact, to make use of their personal data and will provide a copy of such authorizations in case Samsung requires it, for the purposes set forth in the policy of processing of personal data.

 

CHAPTER THREE
RIGHTS OF THE HOLDERS OF PERSONAL DATA

3.1 Rights you have as data owner.

The Fundamental Right to Habeas Data entitles the owner of the data to request access, updating, rectification and suppression of his personal data held by a third party, and to revoke the authorization granted for the processing. If a holder of personal data considers that The Company has access to his/her personal data, this person may at any time request the consultation of his/her data, or if he/she considers that The Company is misusing his/her data, he/she may make the respective claim.
The holder is entitled to request:

A.Updating of your personal data in case it is incomplete or incomplete, among others.
B.Rectification and/or correction of your personal data in case they are erroneous, partial or misleading.
C.Deletion of your personal data from the databases. The information will continue to be retained for the purposes determined by law.
D.Revocation of the authorization to process your personal data, as long as it does not generate non-compliance by Samsung with other legal obligations regarding the permanence of the data.

3.2 Procedure for the holders of information to exercise their rights

3.2.1 Inquiry

Through the consultation mechanism, the owner of the data, may request the Company, access to their personal information contained in the databases.
The consultation will be answered within a maximum term of ten (10) business days from the date of receipt of the same. If it is not possible to respond to the consultation within the referenced term, you will be informed of the reasons for the delay and a response will be given within five (5) business days following the expiration of the first term.

3.2.2 Claim

Through the complaint mechanism, the owner of the data, may complain to the Company, any disagreement he/she may have about the use that is being given to his/her data.
The claim will be attended within a maximum term of fifteen (15) fifteen working days counted from the day following the date of its receipt. In case it is not possible to attend the claim within said term, you will be informed of the reasons for the delay and you will be given an answer within eight (8) working days following the expiration of the first term.
In the event that the claim is incomplete, you will be required, within five (5) days after receipt of the claim, to correct the faults. After two (2) months from the date of the request, without submitting the required information, it will be understood that the claim has been withdrawn.
In the event that The Company is not competent to resolve the claim, it will transfer it to the appropriate person within a maximum term of two (2) business days and inform the holder of the situation.

3.3 Persons entitled to make an inquiry or complaint

The persons entitled to request a consultation with Samsung are as follows:

a.Employees, contractors, suppliers and collaborators who have had any relationship with the Company.
b.End-users and customers of any service and/or product line
c.To third parties authorized by the Registrant or by law.
d.In general, to any holder of personal information whose data is stored in Samsung’s databases.

These cases are merely exemplary and are neither exclusive nor excluding.

3.3.1 Information to be provided by the owner of the data

For consultation and claims purposes, the owner of the data must prove his identification data as:

a.Full names and surnames
b.Type and identification number
c.Home address
e.Contact telephone number
f.Email
g.Provide the necessary information to process your application.

In case it is a claim, you must attach the documents you wish to assert, support or prove such request. In the case of a minor, the request must be made with the responsible adult, without denying the exercise of their rights at any time.

3.4 Request for images and videos

In case the owner of the information requests access to images and/or videos where his/her information is captured, he/she must follow the following procedure:

a.State the facts of the request, establishing date and time.
b.Justify the need for the request
c.Provide the documents that allow to justify that the holder is the right person to make such request. In case the interested party is a third party, it must provide the authorization document for access to such information by the owner of the data.

3.4.1 Procedure for processing requests for images and/or videos

In order for the procedure to proceed, The Company:

a.Verify that the information is still stored in its servers, in accordance with the provisions of section 2.3.3 of this policy.
b.Review such request and verify whether it is appropriate, checking that it does not affect the right to privacy and other fundamental rights of third parties, other than the owner of the information contained in such images and/or video.
c.In case it affects fundamental rights of third parties, the Company will verify internally if the facts described by the holder, were generated, and will inform the holder about the findings.
d.In case it does not affect fundamental rights of third parties, The Company will summon the owner of the information in its facilities so that he/she can view the information required.

3.5 Channels enabled for the exercise of Habeas Data Rights

Samsung has enabled the following channels for holders to exercise their right to Habeas Data:

A.ELECTRONIC CHANNELS
a.E-mail:
[email protected]
b.Website:
At the bottom of the web page, click on the “Contact us” link and then on the “More help options” option.

3.6 Responsible for compliance with the Personal Data Protection Policy

The Company‘s Personal Data Protection Committee, formed by the legal area, the services area, and the market area, are responsible for the effective compliance with the Policy, as well as for the queries and claims related to the protection of personal data of the owners.
In any case, other areas of the Company may be required within the framework of the committee in order to verify compliance with personal data protection regulations.

CHAPTER FOUR
FINAL PROVISIONS

 

4.1 Permanent measures

In the processing of personal data, The Company permanently verify in its processes, protocols, procedures and policies, that the right of habeas data is guaranteed to the owners of the information and that the authorization of the owner for the processing of personal data is obtained with the requirements of law. If any area and/or process establishes another source of personal information collection, different from those mentioned in point 2.3.1, it must inform and request prior authorization from the Personal Data Protection Committee to carry out the new form of collection; however, this procedure is established in the internal policies and procedures manual.

4.2 Binding nature of the Policy

Any holder of the information that has any relationship with The Company must abide by this policy.
The owners of the information, other than the end users, must comply with the internal procedure manual and policies related to the protection of personal data, depending on each specific case.

4.3 Compliance with the principles for the Processing of Personal Data

Samsung guarantees the principles of legality, purpose, freedom, truthfulness or quality, transparency, restricted access and circulation, security and confidentiality of the data contained in the databases in Samsung’s possession.

4.4 Registration of Databases with the National Registry of Databases

In compliance with Circular 02 of 2015, it registers the databases in its possession and every six (6) months, or depending on the flow of personal information, it will update the report before the National Registry of Databases (RNBD).

4.5 Internal Manual of Policies and Procedures for the Processing of Personal Data

This policy for the treatment of personal data is articulated with the internal Manual of Policies and Procedures for the treatment of personal data, which establishes the criteria, requirements and procedures to make this policy effective.

 

Signature