POLICY FOR THE PROTECTION AND TREATMENT OF PERSONAL DATA

 
The purpose of this "Policy for the Protection and Processing of Personal Data" (hereinafter "The Policy") is to establish the rules on the protection of Personal Data that C.I. NATURMEGA S.A. (hereinafter "C.I. NATURMEGA") will adopt and accept when it is Responsible for the Processing of Personal Data and/or in Charge.
 
The purpose of this Policy is to compile the principles and rules that regulate the processing of personal data with respect to all the Data Holders that are related to C.I. NATURMEGA in order to ensure regulatory compliance in all operations and activities.
 
In compliance with the provisions of Decree 255 of 2022 (Binding Corporate Rules), the provisions set forth in this Policy are mandatory for compliance by C.I. NATURMEGA, acting as Controller and/or Data Processor as appropriate, as well as by its shareholders, collaborators, employees and stakeholders.
 
This Policy includes mechanisms to ensure that the data are:
 
  • Processed in a lawful, fair and transparent manner in relation to the owner of the personal data.
  • Collected for specified, explicit and legitimate purposes, and will not be further processed in a manner incompatible with those purposes.
  • Adequate, relevant, and limited to the minimum necessary in relation to the purposes for which they are used.
  • Accurate and shall be kept up to date; all reasonable steps shall be taken to ensure that inaccurate personal data is promptly deleted or rectified.
  • Retained in a form that permits identification of the owner for no longer than is necessary for the purpose for which the information was collected.
  • Processed under the control of the Controller, who, for each processing operation, ensures and demonstrates compliance.
 
This Policy is issued as part of the adoption of Accountability measures to verify that useful, timely, relevant and efficient measures have been implemented at C.I. NATURMEGA.
 
This Policy is binding for PROCAPS S. A., company with which C.I. NATURMEGA has signed a Back Office Services Agreement (hereinafter, the "Services Agreement") in which it expresses its acceptance, and which is included as Annex I.
 
In accordance with the regulations in force in Colombia and the applicable labor legislation, this Policy is binding and enforceable on the employees of C.I. NATURMEGA, who have been informed of its existence, indicating that it is a Policy of mandatory compliance and establishing that, in accordance with the applicable legislation and the employment contracts signed with each of them, the corresponding disciplinary regime is applicable in the event of non- compliance with the same.
 
Transfers of personal data are made between C.I. NATURMEGA and PROCAPS S.A., within the framework of the Service Agreement, during the normal course of their activities; and such data may be stored in centralized databases accessible by both companies from anywhere in the world where they have a presence.
 
This Policy is not a Contract, it simply signals our willingness to protect your nonpublic personal information.
 
In compliance with the provisions of the Statutory Law 1581 of 2012 and its Regulatory Decree 1377 of 2013, the company C.I. NATURMEGA S. A. [hereinafter "C.I. NATURMEGA"] informs the Policy for the Protection and Treatment of Personal Data.
 
  1. OBJECTIVE
    To establish the criteria for the collection, consultation, storage, ordering, classification, cataloging, analysis, processing, use, circulation and suppression of personal data that are subject to treatment by C.I. NATURMEGA, either as Responsible and/or Responsible for them, in compliance with the current legal regime contained in the Statutory Law 1581 of 2012 and other concordant rules.
  2. SCOPE
    This Policy applies to all personal information registered in the databases of C.I. NATURMEGA either as "Responsible" and/or "Entrusted" and in relation to all activities carried out in execution of its corporate purpose and in relation to all stakeholders with whom it relates.
  3. LIABILITY
    It is addressed to direct and indirect collaborators, contractors, consultants, suppliers and third parties related to C.I. NATURMEGA.
  4. IDENTIFICATION OF THE COMPANY RESPONSIBLE FOR THE PROCESSING
    This Policy applies in relation to the company C.I. NATURMEGA S.A. private company identified with NIT No. 900.115.386 - 7, commercial registration No. 127524 of October 27, 2006, with its main address at CL 80 No 78 B - 201 in the city of Barranquilla (Colombia).
  5. CHANNELS OF ATTENTION
    The holders of the information or their assignees may access the information about them that is registered in the database of the company.

    C.I. NATURMEGA through the following channels of attention:
 
City Address E-mail address
Barranquilla (Colombia) CL 80 No 78 B - 201 Habeasdata@naturmega.com.co
 

 
  1. LEGAL BASIS
    1. Political Constitution of Colombia, Article 15. 2. Law 1266 of 2008.
    2. Regulatory Decrees 1727 of 2009 and 2952 of 2010. 4. Law 1581 of 2012.
    3. Partial Regulatory Decree 1377 of 2013.
    4. Decree 886 of 2014.
    5. Sole Decree 1074 of 2015.
    6. Decree 255 of 2022.
    7. All other concordant norms related to personal data protection in Colombia.
  2. DEFINITIONS
    For purposes of interpretation, application and implementation of this Policy, the following definitions shall apply:
    1. AUTHORIZATION: Prior, express and informed consent of the holder to carry out the processing of personal data.
    2. PRIVACY NOTICE: Verbal or written communication generated by the person responsible for the information addressed to the holder for the processing of personal data, through which he/she is informed about the existence of the information processing policies that will be applicable, the way to access them and the purposes of the processing that is intended to be given to the personal data.
    3. SERVICE AGREEMENT: It is the contract signed between C.I. NATURMEGA S.A. and PROCAPS S.A., by means of which the latter provides the former with Back Office or integral administrative support services.
    4. DATA BASE: Organized set of personal data that is the object of processing.
    5. CHANNELS FOR EXERCISING RIGHTS: These are the means for receiving and attending to requests, queries and claims that the Data Controller and the Data Processor must make available to the Data Subjects.
    6. PERSONAL DATA: Any piece of information linked to one or several determined or determinable persons or that may be associated to a natural person.
    7. PUBLIC DATA: Data that is not semi-private, private or sensitive. Public data includes, among others, data relating to the civil status of individuals, their profession or trade, and their status as merchants or public servants. By their nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins, and duly executed court rulings that are not subject to confidentiality.
    8. SENSITIVE DATA: Sensitive data are understood as those that affect the privacy of the holder or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.
    9. PERSON IN CHARGE OF PROCESSING: Natural or legal person, public or private, who by himself or in association with others, performs the Processing of personal data on behalf of the Controller.
    10. HABEAS DATA: The right of any person to know, update and rectify the information that has been collected about him/her in the data bank and in the files of public and private entities.
    11. BINDING CORPORATE STANDARDS: the policies, principles of good governance or codes of good business practices of mandatory compliance assumed by the data controller, established in the Colombian territory, to carry out transfers or a set of transfers of personal data to a data controller located outside the Colombian territory and that is part of the same business group.
    12. PERSONAL DATA PROTECTION AND PROCESSING POLICY: The formal document approved by C.I. NATURMEGA reflecting the conditions applicable to any processing operation involving Personal Data.
    13. PERSON RESPONSIBLE FOR THE PROCESSING: Natural or legal person, public or private, who by himself or in association with others, decides on the database and/or data processing.
    14. OWNER: Natural person whose personal data is the object of processing.
    15. PROCESSING: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.
    16. TRANSFER: The transfer of data takes place when the person responsible and/or in charge of the processing of personal data, located in Colombia, sends the information or personal data to a recipient, which in turn is responsible for the processing and is located inside or outside the country.
    17. TRANSMISSION: Processing of personal data that involves the communication of such data within or outside the territory of the

      Republic of Colombia when the purpose of the processing is to be carried out by the processor on behalf of the controller.
  3. PRINCIPLES
    In the development, interpretation and application of Law 1581 of 2012, which establishes general provisions for the protection of personal data and the rules that complement, modify or add to it, the following guiding principles shall be applied in a harmonious and comprehensive manner:
  4. PRINCIPLE OF LEGALITY: Data processing is a regulated activity that must be subject to the provisions of the law and other provisions that develop it.
  5. PRINCIPLE OF PURPOSE: The treatment must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the owner. Regarding the collection of personal data, C.I. NATURMEGA will limit itself to those data that are relevant and adequate for the purpose for which they were collected or required in accordance with the internal procedure manual for the management of information and databases.

 
  1. PRINCIPLE OF FREEDOM: The treatment can only be exercised with the prior, express, and informed consent of the holder. Personal data may only be obtained or disclosed with prior authorization, or with the existence of a legal or judicial mandate that relieves the consent.
  2. PRINCIPLE OF TRUTH OR QUALITY: The information subject to processing must be truthful, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fractioned or misleading data is prohibited.
  3. PRINCIPLE OF TRANSPARENCY: The right of the holder to obtain from the controller or processor, at any time and without restriction, information about the existence of data concerning him/her, must be guaranteed in the processing.
  4. PRINCIPLE OF ACCESS AND RESTRICTED CIRCULATION: Processing is subject to the limits derived from the nature of the personal data, the provisions of the law and the Constitution. In this sense, the processing may only be carried out by persons authorized by the owner and/or by the persons provided for by law. Personal data, except for public information, may not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to the owners or third parties authorized by law.
  5. SECURITY PRINCIPLE: The information subject to treatment by C.I. NATURMEGA, shall be handled with the technical, human and administrative measures that are necessary to provide security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.
  6. PRINCIPLE OF CONFIDENTIALITY: C.I. NATURMEGA is obliged to guarantee the confidentiality of the information, even after the end of its relationship with any of the tasks that comprise the treatment and may only provide or communicate personal data when it corresponds to the development of the activities authorized by law.
  7. RIGHTS OF THE OWNER OF THE INFORMATION.
    The holder of the personal data shall have the following rights:
    1. Know, update and rectify your personal data against C.I. NATURMEGA in its capacity as data controller. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading, or those whose treatment is expressly prohibited or have not been authorized.
    2. Request proof of the authorization granted to C.I. NATURMEGA except when expressly exempted as a requirement for treatment.
    3. Be informed by C.I. NATURMEGA, upon request, regarding the use it has made of your personal data.
    4. File complaints before the Superintendency of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and other regulations that modify, add or complement it.
    5. To revoke the authorization and/or request the deletion of the data when the processing does not respect the constitutional and legal principles, rights and guarantees.
    6. Access free of charge to your personal data that has been processed.

 
  1. RIGHTS OF CHILDREN AND ADOLESCENTS. The processing shall ensure respect for the prevailing rights of children and adolescents. The processing of personal data of children and adolescents is prohibited, except for those data that are of a public nature.
  2. DUTIES OF C.I. NATURMEGA.
    1. Make use of the information contained in the databases only for the purpose for which it is authorized.
    2. Guarantee the holder, at all times, the full and effective exercise of the right of Habeas Data.
    3. When personal data is collected, it shall be limited to those relevant and adequate for the purpose for which they are required in accordance with the provisions of the law. No misleading or fraudulent means shall be used for this purpose.
    4. Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access.
    5. Timely update, rectification or deletion of data in the terms indicated by this policy in the section on Procedures - Claims.
    6. Enable electronic means of communication or other means it deems appropriate to allow timely response to queries and complaints submitted by the owners of the information.
    7. The requested information must be provided free of charge and by any means, as required by the holder. The information must be easy to read, without technical barriers that prevent its access and must strictly correspond to the information contained in the database.
    8. In the event that the certification of the authorized information is physically requested and/or needs to be sent by certified mail, the company C.I. NATURMEGA may require the applicant to pay the corresponding amount in expenses, without being able to charge more than the amount actually invoiced at any time; in the event of being required, the company C.I. NATURMEGA must demonstrate to the Superintendence of Industry and Commerce the support of such expenses.
    9. Adopt the other necessary measures to ensure that the information provided to it is kept up to date.
    10. Rectify the information when it is incorrect.
    11. Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
    12. Refrain from circulating information that is being disputed by the owner and whose blocking has been ordered by the Superintendence of Industry and Commerce.
    13. Allow access to information only to those who can access it.
    14. Inform the Superintendence of Industry and Commerce when there are violations to the security codes and there are risks in the administration of the information of the owners.
    15. Establish the necessary mechanisms to obtain the authorization of the owners for the processing of their data, which may be granted through a physical or electronic document or in any other format that allows guaranteeing its subsequent consultation.
    16. It is the obligation of C.I. NATURMEGA to keep the proof of the authorization and to deliver a copy to the owner of the information in case it is required.
    17. Establish simple and free mechanisms that allow the holder to request the report, modification, deletion or updating of the data, which may be the same mechanisms used for the granting of consent without prejudice to the costs that may arise on the occasion of the issuance and sending of the same.
    18. The information subject to processing must be protected through the use of technical, human and administrative measures that are necessary to provide security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access. To this end, C.I. NATURMEGA will maintain security protocols of mandatory compliance for personnel with access to personal data and information systems.
    19. The personnel of C.I. NATURMEGA involved in the processing of personal data is obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks involved in the processing in accordance with the provisions of the employment contract and/or other provisions subject to the relationship between the employee and the company.
    20. Designate a "Personal Data Officer" to assume the function of personal data protection and who will also ensure that, through the channels of attention, the requests of the owners are processed.
    21. In principle, the processing of personal data of children and adolescents is prohibited by law, unless the data is of a public nature and/or when such processing complies with the parameters and requirements set forth in this Policy.
    22. The company C.I. NATURMEGA will use the personal data in accordance with the authorization given by the holder and will only transmit or transfer them to allies, affiliates or subsidiaries, third parties that may use the information for the development of their work acting on behalf of C.I. NATURMEGA and/or complying with the requirements of the authorities, in compliance with the laws that apply on the matter and respecting the Service Agreements in force with third parties.
    23. They may only collect, store, use or circulate personal data for the time that is reasonable and necessary, according to the purposes that justified their treatment, taking into account the legal provisions and administrative, accounting, fiscal, legal and historical aspects of the information. Once the purpose of the processing has been fulfilled and without prejudice to legal regulations that provide otherwise, C.I. NATURMEGA shall delete the personal data. Notwithstanding the foregoing, personal data must be retained when required for compliance with a legal or contractual obligation.
    24. Acknowledge the existence of the "Policy of Protection and Treatment of Personal Data" and how to access it, which will be published on the company's website, on social networks and at the main office.
    25. For the collection, use and processing of personal data, C.I. NATURMEGA shall comply with the following parameters:
      1. The processing of personal data collected must obey a legitimate purpose of which the owner must be informed.
      2. The processing of personal data can only be carried out with the prior, express and informed consent of the owner.
      3. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves consent.
      4. The information subject to processing must be truthful, complete, accurate, current, verifiable and understandable.
      5. The processing of partial, incomplete, fragmented or misleading data is prohibited.
      6. Guarantee the holder's right to obtain, at any time and without restrictions, information about the existence of data concerning him/her.
  3. In the event of a substantial modification to the present "Policy for the Protection and Treatment of Personal Data", the company C.I. NATURMEGA, shall request again the authorization for the treatment of data from the owner of the information.
  4. AUTHORIZATION POLICY
    Notwithstanding the exceptions provided by law, the processing of personal data of the holder requires the prior and informed authorization of the Holder, which must be obtained by any means that may be subject to subsequent consultation.

    The authorization must contain the following information:
    1. Name and identification of the person from whom authorization is being requested.
    2. Identification of the data being collected.
    3. Purpose of the data subject to authorization.
    4. Information on the procedure to exercise rights of access, correction, updating or deletion of personal data provided.
    5. The rights you have as a holder.
    6. Channels of attention provided by C.I. NATURMEGA.
 
C.I. NATURMEGA in the terms set forth in the Law generated a notice (Privacy Notice) in which the owners are informed that they can exercise their right to the processing of personal data through the following channels of attention:
 
City Address E-mail ad
Barranquilla (Colombia) CL 80 No 78 B - 201 Habeasda
 
  1. EVENTS IN WHICH THE AUTHORIZATION OF THE OWNER OF THE PERSONAL DATA IS NOT NECESSARY. The authorization of the owner of the information will not be necessary in the following cases:
    1. Information required by a public or administrative entity in the exercise of its legal functions or by court order.
    2. Data of a public nature.
    3. Cases of medical or sanitary emergency.
    4. Processing of information authorized by law for historical, statistical or scientific purposes. Data related to the Civil Registry of persons.
  2. LEGITIMACY TO EXERCISE THE RIGHTS OF THE OWNER The rights of the owners established in the Law may be exercised by the following persons:
    1. By the holder, who must provide sufficient proof of identity.
    2. By the assignees of the holder, who must prove their status as such.
    3. By the holder's representative and/or attorney-in-fact, upon proof of representation or power of attorney.
    4. By stipulation in favor of another or for another. The rights of children and adolescents shall be exercised by the persons empowered to represent them.
  3. TREATMENT TO WHICH THE DATA WILL BE SUBJECTED AND ITS PURPOSE. The treatment for the personal data of all persons who revolve around the corporate purpose of C.I. NATURMEGA, including customers, suppliers and consumers, will be framed in the legal order and in accordance with the following purposes in general terms or those that are reported at every moment in which personal data collection operations are carried out:
    1. Internal management and commercial relationship management of its stakeholders, customers, distributors and suppliers of the different business segments.
    2. Sending communications, correspondence, text messages, instant messaging systems, e-mails or telephone contact with its customers, distributors and consumers in connection with its commercial, advertising, marketing, promotional, sales and other related activities.
    3. Personnzel selection processes, management of contractual relations, labor relations and ensuring compliance with the obligations arising therefrom, granting benefits to its employees by itself or through third parties.
    4. Analysis of potential for essentially commercial purposes, whether suppliers, distributors and/or customers.
    5. Manage procedures (requests, complaints, claims), perform risk analysis, conduct satisfaction surveys regarding the company's assets.
    6. Investigation of events emanating from the products manufactured and/or marketed.
    7. Follow up on the people who consume and/or purchase the products manufactured and/or marketed by the company.
    8. Deploy corporate social responsibility activities to stakeholders.
    9. Manage the security of people, property and information assets in custody of the organization.
    10. Create databases for the purposes described in this authorization.
In a precise manner in relation to each group of interest, C.I. NATURMEGA may have the following purposes:
 
  1. Purposes with respect to Customers or Users of the Products or services:
  • To carry out the pertinent steps for the development of the pre- contractual, contractual and post-contractual stage with C.I. NATURMEGA, with respect to any of the products or services offered by C.I. NATURMEGA, whether or not the Holder has acquired them or with respect to any underlying business relationship that the Holder has with them.
  • Register the Holder in the systems, spreadsheets, lists, files, physical or electronic, managed by C.I. NATURMEGA, for the purposes of the execution of the legal commercial relationship established with C.I. NATURMEGA.
  • To advance the electronic invoicing procedures of the products or services acquired by the Holder.
  • Maintain operations support, incident tracking and compliance with contractual and legal obligations.
  • To comply with its legal and contractual obligations.
  • Send messages, notifications or alerts by any means to send and disseminate legal information, security, promotions, commercial, advertising, marketing, institutional or educational campaigns, sweepstakes, events or other benefits.
  • Send electronic messages or make telephone contacts, or through any means, to advance the confirmation of personal data of the Holder necessary for the execution of the legal relationship that has been established with C.I. NATURMEGA.
  • Contacting the Holder through email, instant messaging, text messages, formal communications, telephone calls and/or any means known or to be known for sending contractual documents, information, account statements or invoices in connection with the obligations arising from the contracts entered into with C.I. NATURMEGA, in its various commercial establishments.
  • To provide information to third parties with which it has a contractual relationship and which it is necessary to provide for the fulfillment of the contracted object.
  • To carry out the archiving and document management tasks of C.I. NATURMEGA, in accordance with the legal provisions in force.
  • For administrative and analytical purposes, such as information systems management, accounting, billing and auditing, marketing, check processing and verification.
  • Share information with commercial partners for the offering of products and services, complying with all authorizations required by law and this Policy.
  • Communicate news of C.I. NATURMEGA products, invite to events or programs organized by the company.
  • Consult, verify and confirm credit and commercial information of the Holder, in Risk and/or Information Centers or any other public or private, national, foreign or multilateral entity that administers or manages databases or credit information, or any other financial entity in Colombia, or abroad or of multilateral nature, all the information that refers to the Holder, about its credit, financial, commercial, services and third countries of the same nature, for the purpose of evaluating and granting financing in the goods or products purchased with C.I. NATURMEGA, provided it has the corresponding authorization.
  • In order to report to the credit and information centers, all the conditions and procedures established in the laws in force and especially in relation to Law 1266 of 2008 and concordant regulations shall be complied with.
  • Manage the risk of Money Laundering and Financing of Terrorism and corruption.
  1. Purposes with respect to Employee Candidates:
  • Process the applications for employment that C.I. NATURMEGA receives from the candidates, process them and define them within the stipulated time, according to the selection process or the call.
  • Contacting the Holder through email, instant messaging, text messages, formal communications, telephone calls and/or any means known or to be known in connection with the selection process or the call for applications.
  • Evaluate the worker's work capacity, to establish his or her suitability for future employment and/or to comply with the requirements of occupational preventive medicine.
  • To carry out the archiving and document management tasks of C.I. NATURMEGA, in accordance with the legal provisions in force.
  • Manage the risk of Money Laundering and Financing of Terrorism and corruption.
 
  1. Purposes with respect to workers (employees):
  • To manage compliance with the terms established in the labor relationship such as: affiliation and contributions to social security entities, creation of labor contract, generation and processing of payroll payments and labor benefits.
  • Comply with labor, social security, pensions, professional risks, family compensation funds (Integral Social Security System) and taxes regulations.
  • Comply with the instructions of the competent judicial and administrative authorities.
  • Implement labor and organizational policies and strategies.
  • Include the employee in the development of the different training, development, welfare, occupational health and safety programs and activities established by C.I. NATURMEGA for its employees.
  • To carry out preventive or occupational medicine procedures, in conjunction with the occupational risk management company.
  • Contact you to instruct you on orders related to your assigned job duties.
  • To carry out the archiving and document management tasks of C.I. NATURMEGA, in accordance with the legal provisions in force.
  • Create cards and/or identification mechanisms of the employee Holder, with his/her biometric data, so that he/she can carry it and identify him/herself as an employee of C.I. NATURMEGA. This purpose is necessary according to the security policy of C.I. NATURMEGA and will be handled as sensitive information with express authorization.
  • Establish and keep a record of access control to the facilities of C.I. NATURMEGA, using biometric data, in order to facilitate access and circulation in the physical facilities of C.I. NATURMEGA. This purpose is necessary in accordance with the security policy of C.I. NATURMEGA and the sensitive information to be treated will be managed in accordance with current law and this Policy.
  • Contacting the Holder via email, instant messaging, text messages, formal communications, telephone calls and/or any means known or to be known for the sending of contractual documents, information or invoices in relation to the obligations arising from the contracts entered into with C.I. NATURMEGA.
  • Share information with commercial partners for the offering of products and services, complying with all authorizations required by law and this Policy.
  • Communicate news of C.I. NATURMEGA products, invite to events or programs organized by the company.
  • For administrative and analytical purposes, such as information systems management, accounting, billing and auditing, marketing, check processing and verification.
  • Publish your face and personal image in management reports, communications, billboards and corporate material of C.I. NATURMEGA, to document the organizational structure or training activities, development, welfare, occupational health and safety established by C.I. NATURMEGA.
  • In the case of former employees, C.I. NATURMEGA may store, even after the termination of the employment contract, the information necessary to comply with the obligations that may arise under the employment relationship that existed under Colombian law, as well as provide labor certifications that are requested by the former employee or by third parties against whom the former employee carries out a selection process.
  • Manage the risk of Money Laundering and Financing of Terrorism and corruption.
 
 
 
 
 
 
 
  1. Purposes with respect to Suppliers or Contractors:
  • Register the Holder in the systems, spreadsheets, lists, files, physical or electronic, managed by C.I. NATURMEGA, for the purpose of providing the contracted services.
  • Advance electronic invoicing procedures for contracted services.
  • Maintain operations support, incident tracking and compliance with contractual and legal obligations.
  • To comply with its legal and contractual obligations.
  • Send electronic messages or make telephone contacts, or through any means, to advance the confirmation of personal data of the Holder necessary for the execution of the legal relationship that has been established with C.I. NATURMEGA.
  • Contact the Holder through email, instant messaging, text messages, formal communications, telephone calls and/or any other means known or to be known, to send contractual documents, information, account statements or invoices in connection with the obligations arising from the contracts entered into with C.I. NATURMEGA, in its various commercial establishments or offices.
  • Grant access to the interaction portals of suppliers and/or contractors in order to fulfill all the processes required internally by C.I. NATURMEGA.
  • To provide information to third parties with which it has a contractual relationship and which it is necessary to provide for the fulfillment of the contracted object.
  • To carry out the archiving and document management tasks of C.I. NATURMEGA, in accordance with the legal provisions in force.
  • Validate, verify and consult the economic and transactional information of the Holder for the purpose of establishing the legal relationship with C.I. NATURMEGA.
  • For administrative and analytical purposes, such as information systems management, accounting, billing and auditing, marketing, check processing and verification.
  • Share information with commercial partners for the offering of products and services, complying with all authorizations required by law and this Policy.
  • Communicate news of C.I. NATURMEGA products, invite to events or programs organized by the company.
  • To consult, verify and confirm credit and commercial information of the Holder, in Risk or Information Centers, or any other public or private, national, foreign or multilateral entity that administers or manages databases or credit information, or any other financial entity in Colombia, or abroad or of multilateral nature, all the information that refers to the Holder, about its credit, financial, commercial, services and third country behavior of the same nature.
  • In order to report to the credit and information centers, all the conditions and procedures established in the laws in force and especially in relation to Law 1266 of 2008 and concordant regulations shall be complied with.
  • Manage the risk of Money Laundering and Financing of Terrorism and corruption.
 
 
 
 
  1. Purposes with respect to C.I. NATURMEGA Shareholder:
  • To comply with the obligations and rights derived from its quality of shareholder of C.I. NATURMEGA.
  • To send you electronic, physical and/or telephone communications to your contact information to inform you, summon you or call you to meetings of the corporate bodies of C.I. NATURMEGA where required, and/or to send you documents and reports that will be submitted for consideration at such meetings.
  • To send you communications and information necessary for the exercise of your rights as a shareholder of C.I. NATURMEGA, and/or for the fulfillment of the obligations of C.I. NATURMEGA in favor of its shareholders.
  • To carry out the activities of integral administration of the shareholders' registry book.
  • Contacting the Holder through email, instant messaging, text messages, formal communications, telephone calls and/or any other means known or to be known, to send contractual documents, information, account statements in relation to its quality of shareholder of C.I. NATURMEGA.
  • To carry out the archiving and document management tasks of C.I. NATURMEGA, in accordance with the legal provisions in force.
  • Provide information related to procedures, complaints and shareholder requests.
  • Communicate news of C.I. NATURMEGA products, invite to events or programs organized by the Organization.
  • To provide access to information to judicial or administrative authorities that request such data in the exercise of their functions.
  • Manage the risk of Money Laundering and Financing of Terrorism and corruption.
  • Fulfillment of the necessary activities and purposes of the issuer- shareholder relationship.
 
  1. Treatment of Sensitive Personal Data Obtained through Video  Surveillance
    C. I. NATURMEGA uses various means of video surveillance installed in different internal and external sites of its facilities or offices. For this reason, it informs the general public about the existence of these mechanisms through the posting and dissemination of informative notices detailing the contact channels and policies governing such treatment.
 
The information collected through this mechanism is used for security purposes, control and identify access to the headquarters, offices and commercial establishments C.I. NATURMEGA; maintain security and access control to buildings, establishments open to the public and other facilities; strive for the safety of people, property and facilities; improving our service and experience in the facilities of C.I. NATURMEGA, likewise, as evidence in anytypeofprocessbeforeanyauthorityororganization.
 
C.I. NATURMEGA does not deliver video recordings obtained to any third party, except by court order or competent authority or as permitted by law.
 
The authorization in relation to the handling of this personal data is understood to be conferred by the unequivocal action of entering the facilities that are the object of C.I. NATURMEGA's video surveillance and monitoring.
 
In any case, C.I. NATURMEGA reserves the right to inform the Holders the purpose of each Processing of information on personal data at the time of collecting them through the Authorization. In case the personal data ceases to fulfill the purpose for which they were obtained, they will be deleted from our databases under the terms and conditions set forth in the Colombian legislation and/or the Policy.
 
  1. SENSITIVE DATA
    In the case of sensitive personal data, it may be used and processed when:
    1. The Data Subject has given his/her explicit authorization to such Processing, except in those cases whereby law the granting of such authorization is not required.
    2. The processing is necessary to safeguard the vital interest of the Data Subject and he/she is physically or legally incapacitated. In these events, the legal representatives must grant their authorization.
    3. The Processing refers to data that are necessary for the recognition, exercise or defense of a right in a judicial process.
    4. The processing has a historical, statistical or scientific purpose. In this event, the measures leading to the suppression of the identity of the Data Controllers must be adopted.
 
 
 
 
 
  1. DATA OF CHILDREN AND ADOLESCENTS The processing of personal data of children and adolescents is prohibited, except in the case of data of a public nature, and when such processing complies with the following parameters and/or requirements:
    1. That they respond to and respect the best interests of children and adolescents.
    2. To ensure respect for their fundamental rights.
Once the above requirements have been met, the legal representative of the children or adolescents will grant the authorization, after the minor has exercised his or her right to be heard, an opinion that will be assessed taking into account the maturity, autonomy and capacity to understand the matter. The company C.I. NATURMEGA will ensure the proper use of the processing of personal data of children or adolescents.
 
  1. PERSONS TO WHOM THE INFORMATION MAY BE DISCLOSED Information that meets the conditions set forth in the law may be provided to the following persons:
    1. To the owners, their successors in title (when they are absent) or their legal representatives.
    2. To public or administrative entities in the exercise of their legal functions or by court order.
    3. To third parties authorized by the owner or by law.
  2. INTERNATIONAL TRANSFER OF DATA The transfer of personal data to any person whose seat is a country that is not safe for data protection is prohibited. Safe countries are understood.
 
to be those that have adopted in their internal legislation Personal Data Protection Guidelines and/or comply with the standards set by the SuperintendenceofIndustryandCommerce.
 
Exceptionally, international data transfers may be carried out by C.I. NATURMEGA when:
  1. The owner of the data has given prior, express and unequivocal authorization to carry out the transfer.
  2. The transfer is necessary for the performance of a contract between the holder and C.I. NATURMEGA as controller and/or processor.
  3. Bank and stock exchange transfers in accordance with the legislation applicable to such transactions.
  4. The transfer of data within the framework of international treaties that are part of the Colombian legal system.
  5. Transfers legally required to safeguard a public interest.
  6. Transfers included within the framework of the existing Service Agreement.
At the time of an international transfer of personal data, prior to sending or receiving them, C.I. NATURMEGA will sign the agreements that regulate in detail the obligations, burdens and duties that arise for the intervening parties.
The agreements or contracts entered into shall comply with the provisions of this Policy, as well as with the applicable legislation and jurisprudence on the protection of personal data.
 
It shall be the responsibility of the information technology area at C.I. NATURMEGA to give a favorable opinion on agreements or contracts involving an international transfer of personal data, taking into account as guidelines the applicable principles contained in this Policy. Likewise, it will be the responsibility of this area to make the pertinent consultations before the Superintendence of Industry and Commerce to ensure the circumstance of "safe country" in relation to the territory of destination and/or origin of the data.
  1. INTERNATIONAL TRANSMISSION OF PERSONAL DATA In the contractual relationships that C.I. NATURMEGA enters into with suppliers located in third countries that do not have an adequate level of protection, in which these, in their capacity as Agents, carry out any type of processing of personal information, the owners do not need to be informed or obtain prior consent from them. The above, provided that there is a contract in which it is regulated:
    1. Scope of treatment.
    2. Activities that the third party in charge will carry out on behalf of C.I. NATURMEGA.
    3. The obligations of the third-party provider as responsible to the owners and C.I. NATURMEGA as responsible, in accordance with the provisions of Colombian law.
    4. The obligation to process personal data only for the contracted purposes.
    5. The prohibition of processing personal data for unauthorized uses.
    6. To treat personal data in compliance with the Colombian legislation in force.
    7. Comply with the principles applicable to the treatment of personal data in force in Colombia.
    8. Adopt security measures according to the criticality of the personal information processed under the contract.
    9. To treat personal data in compliance with the principle of confidentiality.
    10. To notify within the term of the law in force in Colombia of any security incident that compromises the personal data processed.
    11. The obligation to comply with the policy and internal regulations adopted by C.I. NATURMEGA regarding personal data protection.
    12. Establish the channels for the exercise of habeas data to the holders of personal data, as well as the information requirements that C.I. NATURMEGA has.
    13. The other obligations required of the persons in charge by virtue of the provisions of the Colombian personal data protection regime.
 
  1. CONSERVATION OF PERSONAL DATA The custody of the information in each Database will be the one informed at the time of data collection or the one established by C.I. NATURMEGA according to the purpose. C.I. NATURMEGA's Databases will have the period of validity that corresponds to the purpose for which its treatment was authorized and the special rules that regulate the matter, as well as those rules that establish the exercise of C.I. NATURMEGA's corporate purpose. In any case, the information provided will remain stored for all the time necessary to allow us to comply with the purposes set forth herein and to comply with legal and / or contractual obligations of C.I. NATURMEGA, especially in labor, accounting, fiscal and tax matters or for all the time necessary to meet the provisions applicable to the matter in question and the administrative, labor, accounting, tax, legal and historical aspects of the information, or in any event provided by law.
 
In order to determine the reasonableness of the time of permanence of the Personal Data in the Databases, by virtue of the nature of each Personal Data, the document retention times contained in Annex II of this Policy shall be applied.
 
  1. PROCEDURES
    1. PROCEDURES FOR HANDLING INQUIRIES, CLAIMS AND PETITIONS.
      1. CONSULTATIONS. The owners or their successors in title may consult the personal information of the owner that is contained in any database of C.I. NATURMEGA. The holder may send their questions or queries related to their personal data collected and processed by C.I. NATURMEGA in the channels of attention set forth in this Policy. The company C.I. NATURMEGA will resolve your concern or inquiry within ten (10) working days from the date it was received. When it is not possible to attend the consultation within such term, the interested party will be informed before the expiration of the 10 days, stating the reasons for the delay and indicating the date on which the consultation will be attended, which in no case may exceed five (5) working days following the expiration of the first term.
      2. CLAIMS. The holder (or his assignees) who considers that the information contained in any database of C.I. NATURMEGA should be corrected, updated or deleted, or when they notice the alleged breach of any of the legal duties, may file a claim through the channels of attention set forth in this Policy. The claim must contain at least The identification of the holder of the personal data, the description of the facts giving rise to the claim, the address of the holder, and must be accompanied by the documents they wish to assert. If this information is not included, the interested party will be required within five (5) days of receipt to correct the faults. After two (2) months have elapsed from the date of the requirement without the applicant submitting the required information, it shall be understood that the claim has been withdrawn. Once the complete claim has been received, a legend will be included in the database maintained by C.I. NATURMEGA stating, "CLAIM IN PROCESS" and the reason for the claim, within a term no longer than two (2) business days. Said legend shall be maintained until the claim is decided. The maximum term to address the claim will be fifteen (15) business days from the day following the date of receipt. When it is not possible to attend it within such term, the interested party shall be informed before the expiration of such term the reasons for the delay and the date on which the claim will be attended, which in no case may exceed eight (8) business days following the expiration of the first term.
      3. DELETION. The right of data deletion is not absolute, C.I. NATURMEGA can deny it when:
        1. The holder has a legal or contractual duty to remain in the database.
        2. The deletion of data hinders judicial or administrative proceedings related to tax obligations, the investigation and prosecution of crimes or the updating of administrative sanctions.
        3. The data is necessary to protect the legally protected interests of the holder; to carry out an action in the public interest, or to comply with an obligation legally acquired by the holder.
        4. In the event that the cancellation of the personal data is appropriate, C.I. NATURMEGA must carry out the deletion in such a way that the deletion does not allow the recovery of the information.
  2. AREA RESPONSIBLE AND IN CHARGE OF THE PROTECTION OF PERSONAL DATA C.I. NATURMEGA in compliance with the provisions of Law 1581 of 2012 and other rules governing the protection of personal data in Colombia, has established an internal structure responsible for full compliance with all rules and this Policy, as shown below:

PERSONAL DATA PROTECTION OFFICER
Shall be the person in charge of leading the personal data protection program at C.I. NATURMEGA, processing the requests of the Holders for the exercise of the rights and has the following functions:
  1. To attend all requests, petitions, queries or claims submitted by the Holders.
  2. To manage the personal data protection system of C.I. NATURMEGA.
  3. Serve as liaison and coordinator with the other areas of C.I. NATURMEGA to ensure transversal implementation of the System.
  4. Maintain an inventory of the Databases within C.I. NATURMEGA and update the annual report according to the indications of the Competent Authority in Colombia (Superintendence of Industry and Commerce).
  5. Register and update the Databases before the National Registry of Databases (RNBD).
  6. Obtain declarations of conformity when required.
  7. Integrate the policies of protection and processing of personal data within the activities of C.I. NATURMEGA.
  8. Measure participation and rate performance in personal data protection trainings.
  9. Ensure the implementation of audit plans to verify compliance with this Policy.
  10. Accompany and assist C.I. NATURMEGA in the attention of visits, information requests, disciplinary processes and/or response to requirements by the Competent Authorities.
  11. Follow up on the personal data management program.
  12. Perform information security incident reporting.
  13. Consolidate and continuously improve the activities that are part of the personal data protection program.
  14. Promote the implementation of a system to manage the risks of personal data processing.
  15. Promote the culture of personal data protection in C.I. NATURMEGA.
  16. Review of all C.I. NATURMEGA operations that may have an impact in relation to the protection of personal data.
  17. Analyze the responsibilities of C.I. NATURMEGA's positions in order to design a training program appropriate to each profile.
  18. Conduct a general training program on personal data protection at C.I. NATURMEGA.
  19. Require that within the evaluation of C.I. NATURMEGA's employees and officers, they must have satisfactorily passed the training on personal data protection.
  20. Submit internal reports addressed to the Senior Management of C.I. NATURMEGA and/or to the authorities in charge of controlling compliance with the rules and policies.
  21. Make proposals for improvement, adjustments, modifications or new internal provisions in accordance with the rules that are issued in relation to personal data protection in C.I. NATURMEGA.
  22. Submit to Senior Management the approval of documents related to personal data protection in C.I. NATURMEGA.
 
The PERSONAL DATA PROTECTION OFFICER of C.I. NATURMEGA will be the unit.
responsible for ensuring the protection of personal data and who will also ensure that through the channels of attention the requests of the owners are processed for the exercise of the rights of access, consultation, rectification, updating, suppression and revocation referred to in this manual, in accordance with the regulations related to the subject.
 
Inquiries and complaints must be processed through the service channels set forth in this Policy.
 
  1. INFORMATION SECURITY
Information security is important for C.I. NATURMEGA; therefore, it has physical, electronic and procedural protection measures for the confidential handling of the information contained in its database and institutional documents that make up the Information Security System, whichmustbeappliedinharmonywiththisPolicy.
 
Likewise, C.I. NATURMEGA is committed to take all necessary security measures to protect your personal data from loss, misuse, unauthorized or fraudulent access, unauthorized disclosure, alteration, among others. PROCAPS S. A., under the Back Office Services Agreement is obliged to protect your personal data in the same way, keeping absolute confidentiality on the content of the same, in accordance with this Policy.
C.I. NATURMEGA is exonerated from illicit manipulations by third parties, technical or technological failures, which are outside its scope of protection.
 
The PROCAPS PERSONAL DATA PROTECTION OFFICER will be the person in charge, together with the legal representative of the company, of attending any visit, request for information or request in relation to personal data. C.I. NATURMEGA may disclose the personal information of its Owners upon request of the competent Judicial or Administrative Authorities in accordance with current legislation. C.I. NATURMEGA will not assume the damages derived from this disclosure of information, in compliance with orders from competent administrative or judicial authorities.
 
  1. This policy was approved by the Senior Management of C.I. NATURMEGA and came into force on March 24, 2023, and modifies all the provisions that had been issued previously in the organization.

The databases in which the personal data will be registered will be valid for the time in which the information is kept and used for the purposes described in this Policy. Once these purposes are fulfilled and provided that there is no legal or contractual duty to keep your information, your data will be deleted from our databases.
 
  1. APPROVAL AND DISCLOSURE
This document was reviewed, analyzed and approved for implementation by the General Management of C.I. NATURMEGA S. A. on March 24, 2023.