PERSONAL DATA TREATMENT POLICY

Article 15 of the Constitution of the Republic of Colombia establishes the right of any person to know, update and rectify the personal data that exists about him/her in data banks or files of public or private entities. Likewise, it orders those who have personal data of third parties to respect the rights and guarantees provided in the Constitution when such information is collected, treated and circulated.

MONASTERY COUTURE S.A.S. is committed to compliance with the regulations on personal data protection and respect for the rights of the owners of the information. Therefore, it adopts the following Personal Data Processing Policy, which is mandatory in all activities involving the processing of personal data and mandatory for the company, employees, contractors and third parties acting on behalf of MONASTERY COUTURE S.A.S.

MONASTERY COUTURE S.A.S., within the development of its corporate purpose, receives, transmits and treats Personal Data internally and externally for the mission and support activities that it develops in accordance with its bylaws, its corporate purpose, and the law.

IDENTIFICATION OF THE COMPANY: MONASTERY COUTURE S.A.S. is a company dedicated to the manufacture of clothing except leather garments and retail trade carried out through the Internet. Activity Codes 1410 and 4791.

 

 


IDENTIFICATION DATA

COMPANY NAME

MONASTERY COUTURE S.A.S.

NIT

901.259.856-9

TELEPHONE

3160172877

EMAIL

contabilidad@monastery.com.co

ADDRESS

Carrera 52 # 6 sur - 91

 

1. OBJECTIVE: With the present document, MONASTERY COUTURE S.A.S. guarantees the adequate compliance with the applicable personal data protection law and for the attention of queries and claims of the owners of the Personal Data on which the Company carries out Processing.

2. SCOPE: The policy and procedures shall be applicable to the databases that are under the administration of MONASTERY COUTURE S.A.S., or are likely to be known by virtue of business relationships developed with other entities with which it makes business alliances, strategic alliances or agreements. In the first case MONASTERY COUTURE S.A.S. will act as RESPONSIBLE, in the other cases it could have the quality of CHARGED, depending on whether it receives them from a third party or it manages them itself.

A. DEFINITIONS:

- Authorization: prior, express and informed consent of the data owner to carry out the processing. This may be written, verbal or through unequivocal conduct that allows the reasonable conclusion that the owner granted authorization.
- Data Base: It is the organized set of Personal Data that are subject to Processing, electronic or not, whatever the modality of its formation, storage, organization and access.
- Consultation: Request of the owner of the data or of the persons authorized by law to know the information about him/her in databases or files.
- Personal data: Any information linked or that may be associated to one or several determined or determinable natural persons. These data are classified as sensitive, public, private and semi-private.
- Sensitive personal data: Information that affects the privacy of the person or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data relating to health, sex life and biometric data (fingerprints, among others).
- Public personal data: It is the data qualified as such according to the mandates of the law or the Political Constitution and all those that are not semi-private or private. Public are, among others, the data contained in public documents, public records, official gazettes and bulletins and duly executed court rulings that are not subject to confidentiality, those relating to the marital status of individuals, their profession or trade and their status as merchants or public servants. The personal data existing in the commercial registry of the Chambers of Commerce are public. Likewise, public data are those which, by virtue of a decision of the owner or a legal mandate, are in files of free access and consultation. These data may be obtained and offered without any reservation and regardless of whether they refer to general, private or personal information.
- Private personal data. This is data that, due to its intimate or reserved nature, is only relevant to the person who owns it. Examples: merchants' books, private documents, information extracted from a home inspection.
- Semi-private personal data. Semi-private data is data that is not of an intimate, reserved or public nature and whose knowledge or disclosure may be of interest not only to its owner but also to a certain sector or group of persons or to society in general, such as, among others, data relating to the fulfillment or non-fulfillment of financial obligations or data relating to relations with social security entities.
- Data processor: Person who carries out data processing on behalf of the data controller.
- Claim: Request of the data owner or the persons authorized by him or her or by law to correct, update or
- by law to correct, update or delete their personal data or when they notice that there is an alleged breach of the data protection regime, according to Article 15 of Law 1581 of 2012.
- Data subject: The natural person to whom the information refers.
- Processing: Any operation or set of operations on personal data such as, among others, the collection, storage, use, circulation or deletion of that kind of information.
- Transmission: Processing of personal data that involves the communication of such data within (national transmission) or outside Colombia (international transmission) and whose purpose is the performance of a processing operation by the Processor on behalf of the Controller.
- Transfer: The transfer of data takes place when the Controller and/or processor of personal data, located in Colombia, sends the information or personal data to a recipient, which in turn is responsible for the processing and is located inside or outside the country.
- Procedural Requirement: The Data Subject or assignee may only file a complaint before the Superintendence of Industry and Commerce once the consultation or complaint process has been exhausted before the Data Controller or Data Processor, in accordance with Article 16 of Law 1581 of 2012.
B. Principles for the Processing of Personal Data: The processing of personal data must be carried out respecting the general and special rules on the subject and for activities permitted by law. In the development, interpretation and application of this policy, the following principles shall be applied in a harmonious and comprehensive manner:

 

FREEDOM:

Unless otherwise provided by law, the collection of data may only be exercised with the prior, express and informed authorization of the holder. Personal data may not be obtained or disclosed without the prior consent of the holder, or in the absence of legal or judicial mandate that relieves the consent.

LEGALITY:

Only personal data that are strictly necessary for the fulfillment of the purposes of the processing should be collected, so that the recording and disclosure of data that are not closely related to the purpose of the processing is prohibited. Consequently, every reasonable effort must be made to limit the processing of personal data to the minimum necessary. In other words, the data must be: (i) adequate, (ii) relevant and (iii) in accordance with the purposes for which they were intended.

PURPOSE:

The processing must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the holder. The owner of the data must be informed clearly, sufficiently and in advance about the purpose of the information provided and, therefore, data may not be collected without a specific purpose.

TEMPORARITY:

Personal data will be kept only for the reasonable and necessary time to fulfill the purpose of the processing and the legal requirements or instructions of the supervisory and control authorities or other competent authorities. The data will be kept when this is necessary to comply with a legal or contractual obligation. To determine the term of the processing, the rules applicable to each purpose and the administrative, accounting, fiscal, legal and historical aspects of the information will be considered.

VERACITY:

The information subject to processing must be truthful, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fractioned or misleading data is prohibited. Reasonable measures must be taken to ensure that the data are accurate and sufficient and, when requested by the Holder or when MONASTERY COUTURE S.A.S. so determines, are updated, rectified or deleted when appropriate.

SAFETY:

Each person linked to MONASTERY COUTURE S.A.S. shall comply with the technical, human and administrative measures established by the entity to provide security to personal data avoiding its adulteration, loss, consultation, use or unauthorized or fraudulent access.

CONFIDENTIALITY:

All persons involved in the processing of personal data that are not of a public nature are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks involved in the processing, and may only supply or communicate personal data when this corresponds to the development of the activities authorized by law.

 

C. TREATMENT TO WHICH THE PERSONAL DATA WILL BE SUBJECTED AND THE PURPOSE THEREOF: MONASTERY COUTURE S.A.S. will carry out the treatment (collection, storage, use, among others) of the personal data in accordance with the conditions established by the owner, the law or public entities to comply in particular with the activities of its corporate purpose such as contracting, execution and marketing of MONASTERY COUTURE S.A.S. goods.

The processing of personal data may be carried out through physical, automated or digital means according to the type and form of collection of personal information. MONASTERY COUTURE S.A.S. may also process personal data, among others, for the following purposes:

- Exercise its right to know sufficiently the user with whom it intends to enter into relationships, market goods, and assess the present or future risk of the same relationships.
- To carry out the relevant steps for the development of the pre-contractual, contractual and post-contractual stage with MONASTERY COUTURE S.A.S., with respect to any of the products offered by MONASTERY COUTURE S.A.S., whether or not acquired or with respect to any underlying relationship you have with it, as well as to comply with Colombian law and orders of judicial or administrative authorities.

- Implement relationship strategies with customers, suppliers, shareholders and other third parties with which the company has contractual or legal relationships.
- Carry out invitations to events, improve products or offer new products, and all those activities associated with the existing commercial relationship or link with MONASTERY COUTURE S.A.S., or that which may come to have.
- Manage procedures (requests, complaints, claims), conduct satisfaction surveys regarding the goods of MONASTERY COUTURE S.A.S. or related companies and MONASTERY COUTURE S.A.S. commercial allies;
- To disclose, transfer and/or transmit personal data within and outside the country to parent companies, affiliates or subsidiaries of MONASTERY COUTURE S.A.S. or third parties as a result of a contract, law or lawful link that so requires or to implement cloud computing services.
- The data collected or stored on MONASTERY COUTURE S.A.S. employees by filling out forms, via telephone, or with the delivery of documents (resumes, attachments) will be treated for everything related to labor issues of legal or contractual order. By virtue of the above, MONASTERY COUTURE S.A.S. will use personal data for the following purposes: (1) To comply with laws such as, among others, labor law, social security, pensions, professional risks, family compensation funds (Integral Social Security System) and taxes; (2) To comply with the instructions of the competent judicial and administrative authorities; (3) To implement labor and organizational policies and strategies. These purposes shall apply to data collected or stored on MONASTERY COUTURE S.A.S. employees by filling out forms, via telephone, or with the delivery of documents (resumes, attachments) will be treated for everything related to labor issues of legal or contractual order.
- Order, catalog, classify, divide or separate the information provided by the data owners. Verify, corroborate, check, validate, investigate or compare the information provided by data subjects, with any information legitimately available to it, such as business relationships.
- Access, consult, compare and evaluate all the information about the Data Subject stored in the databases of any credit, financial, judicial or security risk center, of state or private, national or foreign nature, or any commercial or service database, which allows establishing in a comprehensive and complete historical manner, the behavior as debtor, user, client, guarantor, endorser, affiliate, beneficiary, subscriber, taxpayer and/or as holder of financial, commercial or any other type of services.

- MONASTERY COUTURE S.A.S. in the development of its corporate purpose and its relationships with third parties, understood by these customers, employees, contractors, subcontractors, creditors, strategic and commercial allies, subordinates among others; constantly collects data whose owners grant their authorization to perform on them the treatment to which these personal data will be subjected, among others for the following purposes: To comply with the obligations arising from contracts that are perfected with its customers, suppliers and employees; to comply with legal provisions or court decisions. To answer queries about products and services offered, to conduct studies for statistical purposes, customer knowledge; to inform the owners of the data about news, products, services and special offers; for the development of activities related to telephone customer service, collections or others of similar nature also for administrative, informational, marketing and sales purposes. In relation to the above, MONASTERY COUTURE S.A.S. may carry out the following treatment to which the personal data collected will be subjected: 1. Obtain, store, compile, custody, exchange, update, collect, process, reproduce and/or dispose of the data or partial or total information of those owners who grant the due authorization in the terms required by law and in the formats and media that for each case it deems appropriate. 2. Classify, order, separate the information provided by the data owner. 3. Extend the information obtained under the terms of the Habeas Data law, to the companies with which it contracts the services of capture, collection, storage and management of its databases, prior the due authorizations obtained in that sense. 4. Transfer or transmit the data or partial or total information to its subsidiaries, businesses, companies and / or affiliated entities and strategic allies operating or not in another jurisdiction or territory.
- For purposes of security of persons, property and facilities of MONASTERY COUTURE S.A.S. may be used as evidence in any type of process, with respect to data (i) collected directly at security points, (ii) taken from documents provided by individuals to security personnel and (iii) obtained from video recordings that are made inside or outside the premises of MONASTERY COUTURE S.A.S., these will be used for security purposes of people, goods and facilities of MONASTERY COUTURE S.A.S. and may be used as evidence in any type of process.
- To know, store and process all the information provided by the data owners in one or more databases, in the format it deems most convenient.
- To carry out all tax, accounting, fiscal and invoicing procedures.

D. RIGHTS OF THE DATA SUBJECTS: The holders of the information have the right to:

- Access, Rectify, Cancel, Oppose.
- Know, update and rectify the personal data. For this purpose, it is necessary to previously establish the identification of the person in order to prevent unauthorized third parties from accessing the data of the data owner.
- Obtain a copy of the authorization.
- Inform about the use that MONASTERY COUTURE S.A.S. has given to the holder's personal data.
- To process queries and claims following the guidelines established by law and in this policy.
- Access the request for revocation of authorization and/or deletion of personal data when the Superintendence of Industry and Commerce has determined that the treatment by MONASTERY COUTURE S.A.S. has incurred in conduct contrary to Law 1581 of 2012 or the Constitution. The Data Subject may also revoke the authorization and request the deletion of the data, when there is no legal or contractual duty that imposes the duty to remain in the database or file of the Controller or Processor. The request for deletion of the information and the revocation of the authorization shall not proceed when the holder has a legal or contractual duty to remain in the database of the Controller or Processor.

- Free access to their personal data. The information requested by the holder may be provided by any means, including electronic ones.
E. MONASTERY COUTURE S.A.S. DUTIES WHEN ACTING AS PERSONAL DATA CONTROLLER: All those obliged to comply with this policy must be aware that MONASTERY COUTURE S.A.S. is obliged to comply with the duties imposed by law. Therefore, they must act in such a way that they comply with the following obligations:

- Guarantee the holder, at all times, the full and effective exercise of the right of habeas data, i.e., to know, update or rectify their personal data.

- Request and keep, under the conditions set forth in this policy, a copy of the respective authorization granted by the owner.

- To clearly and sufficiently inform the holder about the purpose of the collection and the rights that he/she has by virtue of the authorization granted.

- Inform, at the request of the holder, on the use given to their personal data.

- To process the consultations and claims formulated in the terms indicated in the present policy.

- Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.

- Update the information when necessary.

- Rectify personal data when appropriate.

- To provide the data processor only with the personal data whose processing is previously authorized.

- Ensure that the information provided to the data processor is truthful, complete, accurate, updated, verifiable and understandable.

- Communicate in a timely manner to the data processor, all developments regarding the data previously provided and take other necessary measures to ensure that the information provided to it is kept up to date.

- Inform in a timely manner to the data processor the rectifications made on personal data so that it proceeds to make the appropriate adjustments.

- Require the data processor at all times to respect the security and privacy conditions of the data subject's information.

- Inform the data processor when certain information is under discussion by the data owner, once the claim has been filed and the respective process has not been completed.
F. AUTHORIZATION FOR DATA PROCESSING: Those obliged to comply with this policy must obtain prior, express and informed authorization from the data subject to collect and process his/her personal data. This obligation is not necessary in the case of public data. In order to obtain the authorization, the following instructions must be followed:
First, before the person authorizes it is necessary to clearly and expressly inform him/her of the following:
- The processing to which their personal data will be subjected and the purpose of the processing;
- The optional nature of the answer to the questions that will be asked, when they deal with sensitive data or data of children and adolescents;
- The rights to which you are entitled as holder provided in Article 8 of Law 1581 of 2012;
- The identification, physical or electronic address of MONASTERY COUTURE S.A.S.
Secondly, it will obtain the consent of the holder through any means that may be subject to subsequent consultation, such as the website, forms, formats, activities, contests, face-to-face or in social networks, PQR, data messages or Apps. Proof of compliance with the obligation to inform and consent must be provided. Authorization may also be obtained from unequivocal conduct of the Data Subject that allows to reasonably conclude that he/she gave his/her consent for the processing of his/her information. Such conduct(s) must be very clear so as not to admit any doubt or mistake about the will to authorize the processing.

When it comes to the collection of sensitive data, the following requirements must be met:
- The authorization must be explicit.
- The Data Subject must be informed that he/she is not obliged to authorize the processing of such information.
- The Data Controller must be informed explicitly and in advance which of the data to be processed are sensitive and the purpose of the processing.
In the case of the collection and processing of data of children and adolescents, the following requirements must be complied with:

- Authorization must be granted by persons who are empowered to represent the CHILDREN AND ADOLESCENTS. The representative of the CHILDREN AND ADOLESCENTS must guarantee them the right to be heard and to value their opinion of the treatment, taking into account the maturity, autonomy and capacity of the CHILDREN AND ADOLESCENTS to understand the matter.
- It should be informed that it is optional to answer questions about data of CHILDREN AND ADOLESCENTS.
- MONASTERY COUTURE S.A.S. assures that the processing of personal data of children and adolescents will be carried out respecting their rights, which is why, in the commercial and marketing activities it carries out, it must have the prior, express and informed authorization of the parent or legal representative of the child or adolescent.


G. NATIONAL OR INTERNATIONAL TRANSFER OF PERSONAL DATA: MONASTERY COUTURE S.A.S. may transfer data to other data controllers when authorized by the owner of the information or by law or by an administrative or judicial mandate.


H. PROCEDURES FOR THE OWNERS TO EXERCISE THEIR RIGHTS: The following are the procedures for the owners of the data to exercise their rights to know, update, rectify and delete information or revoke the authorization. The rights of the Holders, may be exercised by the following entitled persons in accordance with Article 20 of Decree 1377 of 2013:

- By the Holder, who must prove his identity sufficiently by the various means made available to him by MONASTERY COUTURE S.A.S.

- By their successors, who must prove such capacity.

- By the representative and/or attorney-in-fact of the Holder, prior accreditation of the representation or power of attorney.

- By stipulation in favor of another or for another.

The rights of children or adolescents shall be exercised by the persons authorized to represent them. That for the full and effective exercise of the rights of the owners of the data MONASTERY COUTURE S.A.S. has provided the following means through which they can submit all inquiries, complaints and / or claims, email juridico@monastery.com.co

All inquiries made by persons entitled to know the personal data held by MONASTERY COUTURE S.A.S. will be channeled EXCLUSIVELY through the channels that MONASTERY COUTURE S.A.S. has for this purpose. In any case it is necessary to leave proof of the following:

- Date of receipt of the consultation.

- Identity of the applicant.

Once the identity of the owner has been verified, the required personal data will be provided. The answer to the consultation shall be communicated to the applicant within a maximum term of ten (10) working days from the date of receipt thereof. When it is not possible to answer the consultation within such term, the interested party shall be informed, stating the reasons for the delay and indicating the date on which the consultation will be answered, which in no case may exceed five (5) working days following the expiration of the first term. In order to adequately address the inquiries, it will be necessary to have the identification of the person who, in accordance with the law, is entitled to the inquiry and / or claim about personal data.

Claims are intended to correct, update, or delete data or raise a complaint for the alleged breach of any of the duties established for the data protection regime and in this policy. The claim must be submitted through a request addressed to MONASTERY COUTURE S.A.S. containing the following information:

- Name and identification of the owner of the data or the legitimized person.

- Precise and complete description of the facts that give rise to the claim.

- Physical or electronic address to send the response and report on the status of the process.

- Documents and other relevant evidence that you want to assert.

If the claim is incomplete, the interested party will be required within five (5) days after receipt of the claim to correct the faults. After two (2) months from the date of the requirement, without the applicant submitting the required information, it will be understood that the claim has been abandoned. The maximum term to address the claim will be fifteen (15) working days from the day following the date of receipt. When it is not possible to address the claim within that period, the interested party will be informed of the reasons for the delay and the date on which the claim will be addressed, which in no case may exceed eight (8) working days following the expiration of the first term.

MONASTERY COUTURE S.A.S. is committed to guarantee the exercise of the rights of the holders of personal data, which may be exercised by written communication sent to the email juridico@monastery.com.co

I. PERSON RESPONSIBLE FOR THE PROTECTION OF PERSONAL DATA: The DATA PROTECTION OFFICER is the person and unit in charge of the data protection function and can be contacted via email juridico@monastery.com.co.
Any new project within the Company that involves the Processing of Personal Data must be consulted with the DATA PROTECTION OFFICER, who is the person and unit in charge of the data protection function to ensure compliance with the policy and the necessary measures to maintain the confidentiality of the Personal Data.


J. INFORMATION SECURITY POLICIES: MONASTERY COUTURE S.A.S. will adopt the technical, administrative and human measures necessary to ensure the security of personal data with which it makes any treatment, protecting the confidentiality, integrity, use, unauthorized access and / or fraudulent of these data. Implemented security protocols of mandatory compliance for all personnel with access to personal data and information systems.
The internal security policies under which the holder's information is kept to prevent adulteration, loss, consultation, use or unauthorized or fraudulent access are included in the security policy manual for the protection of personal data.


K. DATE OF ENTRY INTO EFFECT OF THIS POLICY AND PERIOD OF VALIDITY OF THE DATABASE: This policy was approved after the issuance of Law 1581 of 2012 and the amendments set forth in Decree 1377 of June 27, 2013, so it is effective as of July 22, 2021. The validity of the database will be the reasonable and necessary time to fulfill the purposes of the treatment taking into account the provisions of Article 11 of Decree 1377 of 2013.


L. ADJUSTMENTS TO THE INFORMATION PROCESSING POLICY: In order to maintain the validity of the personal data processing policy, MONASTERY COUTURE S.A.S. may adjust and modify, indicating the date of the update on the website or through the use of other means, such as data messages, physical materials at points of sale, etc.