| Makaia

Data processing and protection policies

1. Purpose of the Processing Policy

This website is owned by CORPORACIÓN MAKAIA ASESORÍA INTERNACIONAL, hereinafter Makaia, identified with NIT 900.106.664-1, a non-profit entity, domiciled in the city of Medellín.

This policy manual establishes the principles, rights, duties, and procedures regarding the processing of personal data stored in MAKAIA's databases. MAKAIA, in order to strictly comply with current regulations on the protection of personal data, in particular the provisions of Law 1581 of 2012, Decree 1377 of 2013, Law 1266 of 2008, and other provisions that modify, add to, or complement them, and committed to the security of the personal information of its customers, suppliers, contractors, users, employees, beneficiaries, and the general public, hereby presents MAKAIA's Personal Data Protection Information Processing Policy (hereinafter the “Policy”), in relation to the collection, use, and transfer of such data, by virtue of the authorization granted by the data subjects. In this Policy, MAKAIA details the general guidelines that are taken into account for the purpose of protecting the personal data of the Owners, such as the purpose of collecting the information, the rights of the Owners of the information, the area responsible for handling inquiries, requests, and complaints, as well as the procedures that must be followed to access, update, rectify, and delete the information. MAKAIA, in compliance with the constitutional right to Habeas Data, only collects personal data when previously authorized by the owner, implementing clear measures regarding the confidentiality and privacy of personal data for this purpose.

2. Definitions for the purposes of the Personal Data Processing Policy

For the purposes of this Policy, the definitions set forth in Law 1581 of 2012 shall be taken into account, which are outlined below:

Personal data: Any information linked or that can be associated with one or more specific or identifiable individuals.
Owner of the information: Natural or legal person whose personal data is subject to processing.
Data Controller: Natural or legal person, public or private, who, alone or in association with others, decides on the basis of the data and/or the processing of the data. In this specific case, MAKAIA will be considered the Data Controller;
Data Controller: Natural or legal person, public or private, who, alone or in association with others, processes personal data on behalf of the Data Controller.
Treatment: Any operation or set of operations performed on personal data, such as collection, storage, use, circulation, or deletion.
Personal Data Protection Processing Policies: refers to this document.
Sensitive data: Sensitive data is understood to be data that affects the privacy of the Data Subject or whose misuse could lead to discrimination.
Authorization: Prior, express, and informed consent of the Data Subject to carry out the Processing of personal data;
Database: Organized set of personal data that is subject to processing;

3. Principles for the Processing of Personal Data

The principles that MAKAIA applies in the processing of personal data are as follows:

Principle of Legality in Data Processing: The processing referred to in Law 1581 of 2012 is a regulated activity that must comply with the provisions of that law and other provisions that develop it.;
Principle of Purpose: The processing must serve a legitimate purpose in accordance with the Constitution and the law, which must be communicated to the data subject;
Principle of Freedom: Processing may only be carried out with the prior, express, and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves consent.;
Principle of Truthfulness or Quality: Information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. The processing of partial, incomplete, fragmented, or misleading data is prohibited.;
Principle of Transparency: The processing must guarantee the right of the data subject to obtain from the data controller or data processor, at any time and without restriction, information about the existence of data concerning him or her;
Principle of Restricted Access and Circulation: The Processing is subject to the limits derived from the nature of the personal data, the provisions of this law, and the Constitution. In this regard, the Processing may only be carried out by persons authorized by the Owner and/or by the persons provided for in Law 1581 2012;
Safety Principle: The information subject to processing by the Data Controller or Data Processor referred to in Law 1581 of 2012 must be handled with the technical, human, and administrative measures necessary to ensure the security of the records, preventing their adulteration, loss, consultation, unauthorized or fraudulent use or access.;
Principle of Confidentiality: All persons involved in the processing of personal data that is not public in nature are obliged to guarantee the confidentiality of the information, even after their relationship with any of the tasks involved in the processing has ended, and may only supply or communicate personal data when this corresponds to the performance of the activities authorized in this law and under the terms thereof.

4. Sensitive data

4.1 Definition
Sensitive data is understood to mean¹ those that affect the privacy of the Data Subject or whose misuse may lead to discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations, or those that promote the interests of any political party or guarantee the rights and guarantees of opposition political parties, as well as data relating to health, sex life, and biometric data.

4.2 Processing of sensitive data.
The processing of sensitive data is prohibited, except when:

The Data Subject has given their explicit authorization for such Processing, except in cases where such authorization is not required by law;
The processing is necessary to safeguard the vital interests of the Data Subject and the Data Subject is physically or legally incapacitated. In such cases, legal representatives must give their authorization;
The processing is carried out in the course of legitimate activities and with the appropriate safeguards by a foundation, NGO, association, or any other non-profit organization whose purpose is political, philosophical, religious, or trade union-related, provided that it relates exclusively to its members or to persons who maintain regular contact with it for reasons related to its purpose. In these cases, the data may not be provided to third parties without the authorization of the Data Subject;
The processing refers to data that is necessary for the recognition, exercise, or defense of a right in a judicial proceeding;
The processing has a historical, statistical, or scientific purpose. In this case, measures must be taken to suppress the identity of the Data Subjects.

¹Article 5 of Law 1581 of 2012.

5. Purposes of processing

5.1 Purposes of Personal Data Processing
The personal data of the Data Subjects is collected by MAKAIA in the course of its business activities, for the following purposes:

To comply with MAKAIA's commercial, labor, corporate, and accounting obligations.
To provide services in accordance with the specific needs of MAKAIA's customers, partners, and beneficiaries, in order to fulfill the contracts signed by MAKAIA, send information about new services or lines of action, and send internal and external newsletters with relevant information.
Comply with MAKAIA's internal processes regarding the management of suppliers and contractors.
The process of archiving, updating systems, protecting and safeguarding information and MAKAIA databases.
Registration of employee, supplier, and customer information in the MAKAIA database.
The transmission of data to third parties with whom contracts have been entered into for this purpose, for technical, commercial, contractual, administrative, marketing, and/or operational purposes.
For security or fraud prevention purposes.
Any other purpose that may arise in the course of the contract or commercial relationship between MAKAIA and the owner of the information.

The information provided by the Data Subject will only be used for the purposes indicated herein, and once the need for the processing of personal data ceases, it may be deleted from MAKAIA's databases or archived in secure terms for the sole purpose of disclosure when required by law.

5.2 Type of Personal Data included in MAKAIA's databases
MAKAIA, within its corporate purpose and for the purpose of carrying out the activities described above, collects information from its Data Subjects regarding their personal data, such as: name, address, telephone number, identity document, email address, employment details, occupation, among others.This is justified by the fact that MAKAIA's main corporate purpose is to contribute to the social and economic development of Colombia and other countries through the promotion and appropriation of technology, innovation, and international cooperation, as well as other issues related to improving quality of life and promoting human rights.

6. Information and contact mechanisms provided by MAKAIA as the entity responsible for processing personal data

Company name: MAKAIA INTERNATIONAL CONSULTING CORPORATION
Tax ID Number: 900.106.664-1
Address: Medellín, Antioquia, Colombia
Address: Carrera 43ª #34 –155. Almacentro. North Tower. Office 701.
Phone: (57 4) 448 03 74
Email: communications@makaiaorg
Website: www.makaia.org

7. Person responsible for processing personal data

The person responsible for MAKAIA, the Operations Department, will be in charge of receiving requests, queries, or complaints from the owners of the information. This person will be responsible for carrying out the necessary internal procedures to ensure a clear, efficient, understandable, and timely response to the owner of the information.

8. Rights of the owner of personal data

In accordance with Article 8 of Law 1581 of 2012, the owner of the information shall have the following rights:

To know, update, and rectify your personal data before the Data Controllers or Data Processors. This right may be exercised, among others, in relation to partial, inaccurate, incomplete, fragmented, misleading data, or data whose processing is expressly prohibited or has not been authorized;
Request proof of the authorization granted to the Data Controller, except when expressly exempted as a requirement for Processing, in accordance with the provisions in cases where authorization is not necessary;
Be informed by the Data Controller or Data Processor, upon request, regarding the use that has been made of your personal data;
File complaints with the Superintendency of Industry and Commerce for violations of Law 1581 of 2012 and other regulations that modify, add to, or complement it;
Revoke authorization and/or request the deletion of data when the principles, rights, and constitutional and legal guarantees are not respected in the processing. The revocation and/or deletion will proceed when the Superintendency of Industry and Commerce has determined
that in the Processing, the Controller or Processor has engaged in conduct contrary to this law and the Constitution;
Access your Personal Data that has been processed free of charge.

In accordance with Article 20 of Decree 1377 of 2013, the aforementioned rights may be exercised:

By the owner of the information, who must sufficiently prove their identity using the various means made available by the controller.
By their successors, who must prove their status as such.
By the representative and/or attorney-in-fact of the owner of the information, upon proof of representation or power of attorney.
By stipulation in favor of another or for another. The rights of children and adolescents shall be exercised by persons who are authorized to represent them.

The processing of information by the Data Controller requires the free, prior, express, and informed consent of the Data Subject. MAKAIA, in its capacity as Data Controller, has put in place the necessary mechanisms to obtain the Authorization of the Data Subjects, ensuring in all cases that it is subject to subsequent consultation.

The authorization of the Data Subject shall not be required in the following cases:

Information required by a public or administrative entity in the exercise of its legal functions or by court order.
Public data.
Medical or health emergencies.
Processing of information authorized by law for historical, statistical, or scientific purposes.
Data related to the Civil Registry of Persons.

9. The Data Controller

In accordance with Article 17 of Law 1581 of 2012, the Data Controller shall have the following duties:

To guarantee the Data Subject, at all times, the full and effective exercise of the right of habeas data.
Request and retain, under the conditions set forth in Law 1581 of 2012, a copy of the respective authorization granted by the Owner.
Properly inform the Data Subject about the purpose of the collection and the rights they have by virtue of the authorization granted.
Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access.
Ensure that the information provided to the Data Processor is truthful, complete, accurate, up-to-date, verifiable, and understandable.
Update the information, promptly communicating to the Data Controller any changes to the data previously provided, and take any other necessary measures to ensure that the information provided to the Data Controller remains up to date.
Correct any incorrect information and communicate the relevant details to the Data Controller.
Provide the Data Processor, as applicable, only with data whose processing has been previously authorized in accordance with the provisions of this law.
Require the Data Processor to respect the security and privacy conditions of the Data Subject's information at all times.
Process inquiries and complaints made in accordance with the terms set forth herein.
Adopt an internal manual of policies and procedures to ensure proper compliance with this law and, in particular, to address inquiries and complaints.
Inform the Data Processor when certain information is being disputed by the Data Subject, once the complaint has been filed and the respective procedure has not been completed.
Inform the Data Subject, upon request, about the use of their data.
Inform the data protection authority when security breaches occur and there are risks in the management of the information of the Data Subjects.
Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

The requested information may be provided by any means, including electronic means, as required by the Data Subject. The information must be easy to read, without technical barriers that prevent access, and must correspond in its entirety to that stored in the database.

In accordance with Law 1581 of 2012 and Chapter 26 of Decree 1074 of 2015, the National Government established the manner in which Data Controllers and Data Processors must provide the information of the Data Subject in their databases to the National Database Registry, which will be administered by the Superintendency of Industry and Commerce.

10. Privacy Notice

The privacy notice is a verbal or written communication generated by the Data Controller, addressed to the Data Subject for the processing of their Personal Data, through which they are informed about the existence of the information processing policies that will be applicable to them, how to access them, and the purposes of the Processing that is intended to be carried out on the Personal Data.².

In cases where it is not possible to make the Personal Data Protection Policy available to the Owner, MAKAIA must inform the Owner of the existence of such a policy and how to access it by means of a Privacy Notice, in a timely manner and in any case no later than at the time of collection of the Personal Data.

MAKAIA has a Privacy Notice on its website, which can be consulted.

²Article 3 of Decree 1377 of 2013.

11. Procedure for the processing of personal data

The personal data included in the MAKAIA Database comes from information collected in the course of activities carried out as a result of: (i) commercial; (ii) contractual; (iii) employment, or any other type of relationship with its users, customers, suppliers, contractors, employees, beneficiaries, and/or the general public.

Personal data is collected through commercial and employment contracts, written documents, online registrations, among others. This activity requires the prior, express, and informed consent of the data subject.

11.1 Procedure for accessing, updating, rectifying, or deleting information related to Personal Data

In order to protect and maintain the confidentiality of the personal data of the Data Subjects, MAKAIA determines that the procedure for accessing, updating, rectifying, and deleting information requires the Data Subject to submit their request to MAKAIA through the means provided for this purpose, namely: (i) By email [email protected] by sending the request accompanied by a copy of the identity document of the owner of the information; or (ii) by sending a written request to the registered office of MAKAIA, Carrera 43ª # 34 –155. Almacentro. Torre Norte. Oficina 701, which must be accompanied by a copy of the identity document of the owner of the information.

MAKAIA's Operations Department will be responsible for processing personal data and responding to queries, requests, and complaints from the data subject, in compliance with current regulations on the matter, via email. [email protected]

11.2 Procedure for deleting information and revoking authorization for the processing of personal data

The owners of the information may, at any time, request MAKAIA to delete their data and/or revoke their authorization by filing a claim in accordance with the provisions of Article 15 of Law 1581 of 2012.

MAKAIA will provide the owners of the information with an email address. [email protected], and its website www.makaia.org for the purpose of proceeding accordingly.

It is essential to note that requests for the deletion of information and the revocation of authorization will not be processed when the owner of the information has a legal or contractual obligation to MAKAIA.

8.1 Inquiries

The Data Subjects or their legal representatives may consult the personal information of the Data Subject stored in the MAKAIA database.

Requests for Personal Data will be processed according to the following rules:

i. Send written communication with the subject line “Personal Data Protection Inquiry” by email to the address [email protected].

ii. The inquiry will be addressed within a maximum of ten (10) business days from the date of receipt.

iii. When it is not possible to respond to the inquiry within said period, the interested party shall be informed, stating the reasons for the delay and indicating the date on which their inquiry will be addressed, which in no case may exceed five (5) business days following the expiration of the first period.

If the person receiving the complaint is not competent to resolve it, they will forward it to the appropriate person within a maximum of two (2) business days and inform the interested party of the situation.

i. Once the complete claim has been received, a note stating “claim pending” and the reason for the claim will be included in the database within two (2) business days. This note must remain until the claim has been decided.

ii. The maximum period for responding to the complaint shall be fifteen (15) business days from the day following the date of receipt. When it is not possible to respond to the complaint within this period, the interested party shall be informed of the reasons for the delay and the date on which their complaint will be addressed, which in no case may exceed eight (8) business days following the expiration of the first period.

12. Data transfer

MAKAIA may transfer the personal data of Data Subjects among itself and other companies or entities that belong or may come to belong to the same control group and/or financial group, domiciled in Colombia and/or abroad, in strict compliance with the provisions of this Policy and the regulations governing this matter.

13. Policy validity

This MAKAIA Personal Data Protection Information Processing Policy shall come into effect upon its publication.

This Policy may be modified by MAKAIA at any time in order to adapt it to new legislation or case law, as well as to best practices developed on the subject, in which case the Data Subjects will be informed in a timely manner.

Any modification or update to this Policy will be communicated through the website www.makaia.org, where the latest version of the Policy will be made available to the Data Subjects, indicating the effective date of the corresponding modification or update, as applicable.

The use or acquisition of the products or services offered by MAKAIA by the Owner of the information or their failure to disassociate themselves from them, after the new Policy has been made available, constitutes acceptance of the same.

Personal data or databases subject to processing shall remain valid for the contractual term during which the data subject has the product or service, plus the term established by law.

14. Other provisions

For the purposes of processing the personal data of children and adolescents, MAKAIA will respond to and respect their best interests and will also ensure that their fundamental rights are respected. In addition, MAKAIA will request authorization from the representative of the child or adolescent in order to process their personal data; otherwise, this data will not be collected.

MAKAIA will collect, store, use, or circulate personal data for which it has the proper authorization, for as long as is reasonable and necessary, which in any case may not be less than the duration of MAKAIA.

As the owner of the information, I authorize Corporación Makaia Asesoría Internacional to share my information with financial institutions with which it has commercial alliances so that they may: (i) Contact me to offer their products and services and evaluate the possibility of granting them to me (ii) Consult, report, and process my information with database consultation entities or other information and risk operators (iii) Conduct commercial research, data analytics, statistics, risk analysis, market, interbank, and financial analysis, and the construction of aggregated information that may be shared with customers and third parties. This purpose includes the possibility of contacting me for these purposes.