HomePrivacy Policy
Legal

Personal Data Privacy Policy

S.I.M. Consultores S.A.S. · Code: QA-TI-001.23 · Date: 10/26/2023

Table of Contents

  1. Objective of the Processing Policy
  2. Definitions
  3. Principles for Personal Data Processing
  4. Authorization
  5. Purposes of Processing
  6. Processing Procedures
  7. Contact Information and Mechanisms
  8. Area Responsible for Processing
  9. Rights of the Data Subject
  10. Transfer of Personal Data
  11. Duties of the Data Controller
  12. Validity and Amendment
  13. Other Provisions

I. Objective

In order to establish the policies and procedures of S.I.M. Consultores S.A.S. regarding the processing of personal data and to comply with Law 1581 of 2012, Decree 1377 of 2013 and all other provisions that amend, add to or complement them, and committed to the security of personal information, the Company also discloses the obligations it has regarding the handling of information it collects from those with whom it maintains any legal, commercial or employment relationship.

In this Policy, the Company details the general corporate guidelines taken into account to protect the Personal Data of Data Subjects, including the purpose of data collection, Data Subject rights, the area responsible for handling complaints, and the procedures to be followed to know, update, rectify and delete information.

The Company, in compliance with the constitutional right to Habeas Data, only collects Personal Data when previously authorized by the Data Subject, implementing clear measures regarding the confidentiality and privacy of Personal Data.

II. Definitions

For purposes of this Policy, the definitions set forth in Law 1581 of 2012 shall apply:

  • Data Subject: Natural or legal person whose Personal Data is subject to Processing.
  • Data Controller: Natural or legal person, public or private, who alone or jointly with others decides on the database and/or the Processing of data. In this case, the Company shall be considered the Data Controller.
  • Data Processor: Natural or legal person, public or private, who alone or jointly with others processes personal data on behalf of the Data Controller.
  • Personal Data: Any information linked or linkable to one or more specific or identifiable natural persons.
  • Processing: Any operation or set of operations performed on personal data, such as collection, storage, use, circulation or deletion.
  • Sensitive Data: Data that affects the privacy of the Data Subject or whose improper use may generate discrimination.

III. Principles for Personal Data Processing

In accordance with Article 4 of Law 1581 of 2012:

  • Principle of Legality: Processing is a regulated activity that must comply with Law 1581 of 2012 and other applicable provisions.
  • Principle of Purpose: Processing must serve a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Data Subject.
  • Principle of Freedom: Processing may only be carried out with the prior, express and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate relieving such consent.
  • Principle of Accuracy or Quality: Information subject to Processing must be truthful, complete, accurate, up-to-date, verifiable and comprehensible. Processing of partial, incomplete, fragmented or misleading data is prohibited.
  • Principle of Transparency: The Data Subject's right to obtain information from the Controller or Processor at any time and without restrictions about the existence of data concerning them must be guaranteed.
  • Principle of Restricted Access and Circulation: Processing is subject to the limits arising from the nature of the Personal Data and may only be carried out by persons authorized by the Data Subject and/or as provided by law.
  • Principle of Security: Information must be handled with the technical, human and administrative measures necessary to ensure the security of records, preventing their alteration, loss, unauthorized or fraudulent access or use.
  • Principle of Confidentiality: All persons involved in the Processing of personal data that is not of a public nature are obligated to preserve the confidentiality of the information, even after their relationship with Processing activities has ended.

IV. Authorization for Personal Data Processing

The Company, at the time of collecting Personal Data, will request authorization from Data Subjects, informing them of the specific purposes of the Processing for which such consent is obtained.

In accordance with the principle of freedom established by Law 1581 of 2012, Data Subject authorization may be expressed: (i) in writing, (ii) orally or (iii) through unequivocal conduct that reasonably leads to the conclusion that authorization was granted. The Company shall preserve proof of such authorizations appropriately.

Considering that the Company has collected Personal Data prior to the publication and entry into force of this Policy, the following measures will be implemented:

  1. The Company will request authorization from Data Subjects to continue processing their Personal Data through efficient written communication mechanisms.
  2. If communication mechanisms impose disproportionate burdens, the following alternative measures will be implemented:
    • Publication via email to clients and suppliers.
    • Publication on the website of a "Personal Data Protection" link.

V. Purposes of Processing

Personal Data is collected by the Company in the development of its corporate purpose, for the following purposes:

  1. Informing about our products and/or services.
  2. Evaluating the quality of our products or services.
  3. Managing proper delivery of our services.
  4. Conducting advertising and marketing campaigns.
  5. Processing support events registered by clients and/or suppliers.
  6. Sending newsletters and marketing documents.
  7. Conducting statistical studies.
  8. Pursuing commercial agreements, events or institutional programs.
  9. Data verification through queries to public databases or credit bureaus.
  10. Sending information about activities conducted by the Company.
  11. Complying with legal information obligations to regulatory authorities.
  12. Sharing with third parties who collaborate with the Company and who, to fulfill their functions, must access information (courier service providers, advertising agencies, call centers, etc.).
  13. Executing contracts to which the Company is a party.
  14. Supporting client support processes.
  15. Occasional sending of commercial and advertising communications through any electronic or physical means.
  16. Any other purpose arising from the contract or commercial relationship between the Company and the Data Subject.

Information provided by the Data Subject will only be used for the purposes stated herein, and once the need for Processing ceases, Personal Data may be deleted or securely archived.

Types of Personal Data Collected

The Company collects information regarding: (i) Type of identity document; (ii) Document number; (iii) First and last names (Company name); (iv) Address; (v) Office phone; (vi) Mobile phone; (vii) Email address; (viii) City; (ix) State/Department and (x) Country, or other information provided by the Data Subject concerning their identification.

VI. Processing Procedures

Personal Data included in the Company's Database comes from information collected through: (i) commercial; (ii) contractual; (iii) employment, or any other type of relationship with its users, clients, suppliers, contractors, employees and/or the general public.

Collection is carried out through the website, telephone service line, commercial and employment contracts, direct sales, distributors, service channels and commercial events. This activity requires the prior, express and informed authorization of the Data Subject.

Collected Personal Data is stored through a CRM Software called Synergy and an Accounting solution called Dynamics GP, duly licensed, with confidentiality agreements for the adequate protection of information.

VII. Contact Information and Mechanisms

S.I.M. Consultores S.A.S. will address via email all requests from Data Subjects to consult, request data deletion, revoke granted authorization, or correct or update their personal data.

Complaint Procedure

  1. The Data Subject must submit the complaint via email, providing: identification of the Data Subject, description of the facts and related documents.
  2. If the information is incomplete, the Data Subject will be notified that it must be completed within five (5) days. If the required information is not provided within two (2) months, the complaint will be considered withdrawn.
  3. Once the complete complaint is received, the notation "complaint in process" will be included in the database within a maximum of two (2) business days.
  4. The maximum period to address the complaint is fifteen (15) business days. If not possible, the interested party will be informed of the reasons for the delay (maximum eight (8) additional business days).

Inquiry Procedure

Inquiries will be addressed within a maximum of ten (10) business days. The second period may not exceed five (5) business days.

Persons Authorized to File Complaints or Inquiries

  1. The Data Subject.
  2. Heirs of the Data Subject, who must demonstrate their status.
  3. The Data Subject's legal representative and/or attorney-in-fact.
  4. By stipulation in favor of another.

VIII. Data Controller and Processor

Controller: S.I.M. Consultores S.A.S., domiciled in Medellín (Antioquia - Colombia) – Carrera 43A No. 1 Sur 188, Office 901 Torre Davivienda, PBX (57604) 5576606; email: soporte@qanttic.com

Processor: The Customer Support Area (soporte@qanttic.com) will be responsible for receiving petitions, complaints or claims from Personal Data Subjects.

IX. Rights and Duties

Duties of S.I.M. Consultores S.A.S.

  1. Guarantee the Data Subject the full and effective exercise of the right to Habeas Data.
  2. Request and retain a copy of the authorization granted by the Data Subject.
  3. Inform the Data Subject about the purpose of data collection and the rights available to them.
  4. Maintain information under necessary security conditions.
  5. Address update requests.
  6. Provide the Processor only with data whose Processing has been previously authorized.
  7. Comply with the guidelines of regulatory authorities.
  8. Require the Processor to respect security and privacy conditions.
  9. Process submitted inquiries and complaints.
  10. Adopt an internal policies and procedures manual.
  11. Inform the Processor when certain information is under dispute.
  12. Inform the Data Subject upon request about the use made of their data.
  13. Inform authorities when security code violations occur.
  14. Comply with the instructions and requirements of the Superintendence of Industry and Commerce.

Rights of the Data Subject

In accordance with Article 8 of Law 1581 of 2012, the Data Subject shall have the following rights:

  1. Know, update and rectify their Personal Data.
  2. Request proof of the authorization granted.
  3. Be informed about the use made of their personal data.
  4. File complaints with the Superintendence of Industry and Commerce.
  5. Revoke authorization and/or request deletion of their data.
  6. Access their personal data free of charge.

These rights may be exercised by the Data Subject, their heirs, legal representative and/or attorney-in-fact, or by stipulation in favor of another. The rights of children and adolescents shall be exercised by their legal representatives.

X. Policy Validity

This Personal Data Processing Policy is effective from the date of its publication.

This Policy may be modified by the Company at any time to adapt it to legislative or jurisprudential developments and best practices. Any modifications will be communicated through the website www.qanttic.com.

Personal Data or databases subject to Processing shall remain active for the duration of the contractual relationship that the Data Subject has with the product or service, plus the period established by law.

XI. Other Provisions

  1. The Company, for the Processing of Sensitive Data, will inform Data Subjects that they are not required to authorize its Processing and will indicate which data is Sensitive and the purpose of the Processing.
  2. For the Processing of Personal Data of children and adolescents, the Company will respect their best interests and ensure respect for their fundamental rights, requesting authorization from their legal Representative.
  3. The Company will collect, store, use or circulate Personal Data for which proper authorization has been obtained, for a reasonable and necessary period, which in any case may not be less than the duration of the Company's existence.