Privacy Policy


PERSONAL DATA PROCESSING POLICIES

ADA S.A.S., a commercial company identified with NIT 800.167.494-4 duly registered in the Chamber of Commerce of Medellín for Antioquia, hereinafter "ADA" or "THE COMPANY", in accordance with Law 1581 of 2012 and its Regulatory Decree 1377 of 2013, as responsible for the processing of personal data, informs that the objective of this Policy is to define the guidelines necessary to guarantee the exercise of the right to privacy of individuals, through the protection of personal data contained in the different databases of the company, so that they receive the treatment in accordance with the purposes provided by law.
This policy will apply, unless otherwise indicated, to ADA S.A.S., as well as to its parent companies, subsidiaries and branches and/or companies with respect to which there is a situation of control or business group.

The Policies for the Treatment of Personal Data are applicable to personal data contained in the databases that are under the responsibility of ADA, as well as its parent companies, subsidiaries, affiliates and in general, the members of its group of companies, hereinafter "THE CONTROLLER" and that are susceptible to some access or treatment by the company, its staff or a related third party.
By accepting or consenting to the Policies for the Treatment of Personal Data of ADA, you declare that you are the legitimate owner of the data, or that you have the respective authorizations or legal powers to transfer the data. Additionally, you declare that you are a capable person under the terms of the applicable legislation. Therefore, you accept the guidelines and policies contained in this document.

DEFINITIONS

Authorization: Prior, express and informed consent of the Owner to carry out the Processing of personal data.

Database: Organized set of personal data that is the object of Processing.

Personal data: Any information linked to or that can be associated with one or more specific or identifiable natural persons.

Sensitive data: Sensitive data is understood to be data that affects the privacy of the Data Subject or whose misuse may lead to discrimination, such as data that reveal racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data relating to health, sexual life, and biometric data.

Data Processor: Natural or legal person, public or private, that by itself or in association with others, processes personal data on behalf of the Data Controller.

Data Controller: Natural or legal person, public or private, that by itself or in association with others, decides on the database and/or the processing of data.

Data Subject: Natural person whose personal data is subject to processing.
Transfer: Data transfer occurs when the Controller and/or Processor of personal data, located in Colombia, sends the information or personal data to a recipient, who is also the Controller and is located within or outside the country.

Transmission: Processing of personal data that involves the communication of the same within or outside the territory of the Republic of Colombia when its purpose is to carry out a Processing by the Processor on behalf of the Controller.

Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.

I. IDENTIFICATION OF THE DATA CONTROLLER
COMPANY NAME AND IDENTIFICATION: ADA S.A.S. IDENTIFIED WITH NIT 800.167.494-4.
DOMICILE AND ADDRESS: THE COMPANY has its domicile in the city of Medellín and its main office is located at Carrera 35A No. 15B 35, Office 501, Ed. Prisma.
EMAIL: direccion.administrativa@ada.co
PHONE: +57 300 282 16 49


II. PRINCIPLES OF DATA PROCESSING

In all processing of personal data carried out by THE COMPANY, the principles enshrined in the Colombian General Regime for the Protection of Personal Data will be applied, especially the following:
1.1 Principle of legality of data processing: For the processing of personal data carried out by THE COMPANY, the rules of the Colombian legal system relating to the General Regime for the Processing of Personal Data and those contained in this policy apply.
1.2 Principle of purpose: The processing given by THE COMPANY to the personal data it processes obeys the purposes established in this policy, which are in harmony with the Colombian legal system. In matters not regulated in this policy, the higher standards that regulate, add to, modify or repeal it will apply.
1.3 Principle of freedom: The processing of personal data by THE COMPANY is done in accordance with the prior, express and consented authorization of the owner of the personal data.
1.4 Principle of truthfulness or quality: The information subject to processing by THE COMPANY will be truthful, complete, up-to-date, verifiable and understandable.
1.5 Principle of transparency: THE COMPANY guarantees that the owner of the personal data can obtain information about his or her data at any time and without restrictions in accordance with the procedures described in this policy.
1.6 Principle of restricted access and circulation: THE COMPANY guarantees that the processing of personal data given to the databases for which it is responsible is carried out by authorized persons and/or other persons permitted by law.
1.7 Principle of security: THE COMPANY will implement all necessary technical, human and administrative measures to protect the personal data processed in its databases, avoiding unauthorized or unwanted use, alteration, loss and consultation.
1.8 Confidentiality principle: The processing of personal data in THE COMPANY's databases will be carried out with strict confidentiality and secrecy, in accordance with the purposes described in this policy.
For further information on these principles, please consult Law 1581 of 2012 and Decree 1377 of 2013, as well as other regulatory provisions that modify, clarify, complement or repeal them.



III. PROCESSING TO WHICH THE DATA WILL BE SUBJECTED AND ITS PURPOSE
The processing of the personal data of the person with whom THE COMPANY has established or will establish a permanent or occasional relationship will be carried out within the legal framework that regulates the matter. In any case, personal data may be collected and processed in the following cases:
• To develop THE COMPANY's corporate purpose in accordance with its legal statutes.
• Compliance with legal obligations involving personal data.
• Measurement and analysis of non-sensitive data freely provided by their respective owners.
• For commercial management and relationships with its clients, potential clients and interest groups.
• For prospective analysis of trends, preferences, behaviors and habits of its clients, potential clients and interest groups.
• To inform about products and their quality, about THE COMPANY, trends, benefits, events, alliances, general information, among others.
• To consult information about the Data Holders in public databases and/or different information operators such as Datacrédito/Experian, Cifin/TransUnion or any other entity that may manage databases with the same objectives and in credit risk and financial information centers, in support of the application study processes, verification of credit behavior, reporting of delinquent clients, verifications for granting credits and collection management.
• To report to the risk centers with which COMPANY has an agreement the generation, modification, extinction, fulfillment or non-fulfillment of the obligations contracted by the Data Holder.
• To achieve efficient communication related to products, services, offers, promotions, alliances, studies, contests, content.
• To share information with contractors in charge of providing services for COMPANY that require access to the Holders' data.
• Conducting commercial or marketing activities through our website, Facebook and other media and using them as part of our commercial or marketing campaigns.
• Making contacts for commercial and promotional purposes, whether about our own services and products, or those of third parties with whom the COMPANY has commercial relations or alliances.
• To provide employment references.
• Performing administrative and commercial management.
• Complying with legal obligations in relation to the company's shareholders.
• Monitoring the management of services offered.
• Complying with the provisions of the Colombian legal system in labor and social security matters, applicable to former employees, current employees and candidates for future employment.
• Conducting inquiries and verifications of risks of money laundering, financing of terrorism, transnational bribery, corruption.
• Share and exchange with its subsidiaries, parent companies, allies and/or financial entities, the information of the Data Holders, contained in the databases of the entity for the purposes of risk control, disbursement and payment of obligations, commercial alliances, contracting of services, statistical purposes, carrying out marketing activities of the services and advertising.
• Compilation of information on transactions or services acquired through means provided by THE COMPANY.
• Processing of financial data related to payments made by users for services used that have a cost.
• Transfer of data to third parties for the purposes of the object and activities carried out by THE COMPANY.
• Obtain information on use and records; information on transactions; cookies to provide internet-based services; transfer and transmission of data to third parties for activities of the object of THE COMPANY and compliance with all contractual or legal obligations acquired by the parties.
• Conduct surveys related to the services or goods of THE COMPANY.
• Comply with all contractual, statutory or legal commitments.
• Security and surveillance functions of THE COMPANY's facilities and information.

Authorization is not necessary when the treatment is related to certain cases in which, however, all legal provisions related to the treatment of information are complied with, such as:
• When the data is of a public nature.
• When cases of medical or health emergency arise.
• When the treatment is authorized by law.

In each medium that may be used for the treatment or collection of data, there will be an authorization text, privacy notice or, in the case of technological methods, a box or sign of consent and acceptance in the treatment of data.


IV. PROCESSING OF SENSITIVE DATA
THE COMPANY considers that biometric data, such as face, fingerprint, retina, voice and signature style, as well as any data that affects the privacy of individuals, the improper use of which may lead to discrimination against the owner, are sensitive data and therefore, this type of data is protected with greater rigor by the COMPANY and by the persons who access them in their capacity as INFORMATION MANAGERS.
The processing of personal or sensitive data by THE COMPANY and its INFORMATION MANAGERS is restricted; it will be exclusively for the fulfillment of authorized contractual obligations, compliance with legal obligations or the purposes that the owner has expressly authorized voluntarily. At no time, without prior authorization, will they be used for marketing purposes, sale of databases and/or other purposes other than those strictly necessary.
THE COMPANY will only process sensitive data provided that the owner gives his authorization or is authorized by law. The owner of sensitive data will always have the power to decide whether or not to provide them.
Exceptionally, the processing of data of minors may be carried out, corresponding to the children of employees, administrators and collaborators of the company, in which case express and informed authorization must be obtained from the legal representative of the minor for the specific purposes that are reported.
It is optional for the Owner of personal data to grant authorization for the processing of their sensitive data.

V. RIGHTS OF THE DATA OWNER
In accordance with the provisions of current regulations applicable to data protection, the owners of personal data have the right to:
• Access, know, update and rectify their personal data vis-à-vis THE COMPANY in its capacity as data controller. This right may be exercised, among others, in the case of partial, inaccurate, incomplete, fragmented data, data that are misleading or data whose processing is expressly prohibited or has not been authorized.
• Request proof of the authorization granted to THE COMPANY for data processing, by any valid means, except in cases where authorization is not necessary.
• Be informed by THE COMPANY, upon request, regarding the use that has been given to your personal data.
• Submit complaints to the Superintendency of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and other regulations that modify, add to or complement it, after a consultation or request process before THE COMPANY.
• Revoke the authorization or request the deletion of the data.
• Access free of charge to your personal data that have been processed, at least once each calendar month, and each time there are substantial modifications to this policy that motivate new consultations.
These rights may be exercised by:
• The owner, who must prove his identity sufficiently by the different means made available by THE COMPANY.
• The successors in title of the owner, who must prove such status.
• The representative or agent of the owner, after proving the representation or power of attorney.
• Another in favor of or for whom the owner has stipulated.

VI. CONTROLLER AND PERSON IN CHARGE OF PERSONAL DATA
THE COMPANY shall be responsible for the processing of personal data. THE COMPANY may transfer its status as CONTROLLER at any time to any third party that proves compliance with the conditions established in this Policy and in the applicable legislation in force.

Transfers and transmissions for processing by third parties of personal data provided to THE COMPANY

Acceptance of this policy implies that the owner of the personal data accepts the possibility that THE COMPANY has, respecting at all times the legal provisions that regulate the matter, to transmit or transfer all of the owner's data to its parent company, subordinate companies or third parties in the country or abroad for the fulfillment of the purposes of the treatment. In this case, the third party or third parties that receive the information will acquire the status of DATA PROCESSOR and, consequently, will assume the same obligations of care, good management and security assumed by THE COMPANY as responsible, in the terms defined by current regulations. THE COMPANY may at any time revoke the authorization that has been granted in each case to the respective third party in charge of processing the information.

In turn, THE COMPANY undertakes to inform third parties of the parameters under which the authorization has been granted and the due respect that must be made of this policy, informing third parties that they may only use said data and/or information while the legal or contractual link with THE COMPANY subsists, solely and exclusively, for the uses expressly defined by it.
The transmission of information, whether physical or digital, will be carried out through mechanisms that have adequate levels of security, established by THE COMPANY and its technology advisors, in accordance with the physical, logistical, technological and economic capacity, ensuring that the data is delivered and received in a confidential and secure manner.

VII. PROCEDURE FOR HANDLING INQUIRIES, COMPLAINTS, REQUESTS FOR RECTIFICATION, UPDATING AND DELETION OF DATA
The holders or their successors in title may consult the holder's personal information held by THE COMPANY, which will provide all the information contained in the individual record or that is linked to the holder's identification. Likewise, THE COMPANY provides the mechanism through which the holder may raise claims for the purpose of updating, rectifying, deleting the data or revoking the authorization permanently.

In any case, regardless of the mechanism implemented to handle consultation requests, these will be attended to within a maximum period of ten (10) business days from the date of receipt. When it is not possible to attend to the query within said period, the interested party will be informed before the expiration of the 10 days, stating the reasons for the delay and indicating the date on which the query will be attended to, which in no case may exceed five (5) business days following the expiration of the first period.
Queries may be made to the email address direccion.administrativa@ada.co
THE COMPANY reserves the right to modify, at any time, unilaterally, the Information Processing Policy. The Information Processing Policy in force at any time will be available on the website. Any substantial change in the Information Processing Policy that may affect the content of the authorization granted by the owner will be communicated to the latter or made available to him in the terms established by current regulations. In addition, previous versions of the Information Processing Policy will be kept.


The non-opposition of the owner to the use of his/her data, within thirty (30) days following notification of the new Information Processing Policy, constitutes acceptance of the same.

VIII. INFORMATION SECURITY MEASURES

In compliance with the security principle established in current regulations, THE COMPANY will adopt the technical, human and administrative measures necessary to ensure the security of the records, avoiding their adulteration, loss, consultation, unauthorized or fraudulent use or access.
The company is committed to the correct use and treatment of the personal data of its clients and users, avoiding unauthorized access by third parties that allows them to know or violate, modify, disclose and/or destroy the information stored in the company's databases. For this reason, the company has security and access protocols for its information, storage and processing systems, including physical measures to control security risks.

Therefore, you must adopt the measures that allow you to comply with the provisions of Law 1581 of 2012, and any other law or regulation that modifies or replaces them. As a consequence of this legal obligation, among others, you must adopt logical, administrative and physical security measures, according to the criticality of the personal information you access, to guarantee that this type of information will not be used, marketed, assigned, transferred and/or will not be subjected to any other treatment contrary to the purpose included in the provisions of the object of this contract. Any suspicion of loss, leak or attack against personal information that is stored in THE COMPANY's databases will be reported, and notice must be given once you become aware of such eventualities through the most pertinent or effective mechanisms, such as publication on the company's website or networks, direct communication to the reported email of the affected party or to the means established by the latter for such purposes or in any way that guarantees the owner's right to information. The loss, leakage or attack on personal information also implies the obligation to manage the security incident in accordance with the legal guidelines on the matter.


Depending on the logistical, physical and economic possibilities, different information security measures may be implemented, including:
• Antivirus and firewalls on THE COMPANY's computer equipment.
• User profiles and data access and manipulation and monitoring.
• Backup plans or backup copies with the established periodicity.
• Video surveillance and access control.
• Registration of queries and copies of protocols requested by users.
• Periodic updating of the Personal Data Protection Policies and procedures.
• Continuous identification of legal requirements that must be implemented by THE COMPANY.
• Monitoring of new regulations.
• Training in Information Security issues.
• Reviews of procedures and documentation


IX. VALIDITY
This policy is effective as of March 1, 2023.

Cesar Augusto Echeverri Perez
Executive Director
  • 1800 North Bayshore Drive, Miami, EE. UU. 03313
  • Prisma Building, Floor 5, Office 501 Medellín - Colombia 050016
  • Central Tower Building, Office 531-1 Bogotá - Colombia 110931
  • 07:00am to 05:30pm (UTC) Monday to friday
  • secretaria.bogota@ada.co