Define guidelines and establish standards and general criteria for the management of personal data of Altea Pharmaceutical employees, customers and suppliers.
2. Scope:
This Policy applies to all ALTEA employees who, due to their functions, have access to databases and / or files that contain information on semi-private, private or sensitive data that are subject to processing by Altea.
3. Content of the policy:
This policy is issued in compliance with Law 1581 of 2012, Decree 1377 of 2013, Decree 886 of 2014, Circular 002 of 2015 of the Superintendence of Industry and Commerce and the other norms that regulate, ammend or add the personal data protection regime and seeks to ensure that ALTEA FARMACEUTICA SA hereafter (ALTEA), who is in charge of processing information, processes such information in strict compliance with the applicable regulations, guaranteeing all information owners rights.
For processing information, Altea will apply the principles mentioned below:In the development of the principles of purpose and freedom, the collection of personal data by Altea will be limited to those personal data that are relevant and appropriate for the purpose for which they are collected or required in accordance with current regulations. Except in the cases expressly provided in the Law, personal data may not be collected without authorization from the owner. In compliance with the regulations in force, in the normal course of the functions of Altea no children or adolescent data is collected or stored, however in case of collection, they will be processed as sensitive information.Altea has the obligation to maintain confidentiality and transparency of personal data subject to processing and may only disclose them at the express request of the surveillance and control entities and authorities that have the legal power to request it and will allow the owner to know, update and correct their personal information. All employees working in Altea are obliged to maintain confidentiality on any personal information they have access to during their work.In the development of the principles of legality and truthfulness, Altea guarantees that the processing of personal data will be carried out in accordance with the applicable legal provisions and that the information subject to processing by Altea will be truthful, complete, accurate, updated, verifiable and understandable.
Altea has the obligation to maintain the security, access and restricted circulation of personal data and only those authorized by the Owner and/or by any person who is authorized by Law. Personal Data will be processed adopting all the necessary security measures to avoid their loss, falsification, consultation, use or unauthorized or fraudulent access.
3.4 Processing and purposesIn the exercise of its corporate purpose, Altea acts directly, through its parent company, business group or third parties to carry out the processing of the information of its employees, former employees, employees of its contractors, relatives of employees, suppliers, customers, shareholders and users of their products. Likewise, in compliance with applicable legislation and corporate policies, Altea may request to transmit or transfer said data to its parent companies, subsidiaries and/or national or foreign subsidiaries.The data processing may include the collection, storage, administration, use, transfer, transmission and destruction, in the manner allowed by law and is carried out with the following specific purpose for each case:Processing information of employees and former employees, employees relatives: It is collected by means of the information provided by the employees in admission documents or later to comply with Altea’s labor obligations, such as payroll payments, payments and reports to the general system of social security, attention to queries, petitions, requests, contract of labor benefits with third parties, notify relatives and/or contacts in cases of emergency, business activities, etc.
Processing information of employees of contractors, and/or contractors that provide services in facilities of Altea:
It is collected through the information provided to the contractors by their employees or directly by the contractors or collected through public information channels and transferred or transmitted to ALTEA according to its functions, in order to allow Altea to comply with the contractual obligations under his charge, such as assignment and control of technological elements, materials, equipment, identification of income, monitoring compliance with obligations by Contractors, attention to eventual emergencies. Processing inquiries, requests, and claims made by the Owner of the information or by his successors.
Processing information of Suppliers:
It is collected through the information provided by the suppliers, or through public information channels to allow the fulfillment of contractual obligations by Altea, such as payment of fees, payment of invoices and/or collection accounts, payment reports, reports or interactions that Altea must perform per law or internal policies. Processing inquiries, requests, and claims made by the Owner of the information or by his successors.
Processing of Customer information:
It is collected through the information provided by customers or through public channels, so that Altea can comply with its contractual obligations, such as billing, payment reports, product records, and obligations. Processing inquiries, requests, and claims made by the Owner of the information or by his successors.
Users of Products:
It is collected through the information provided by users or through public channels. Processing these data allows Altea to comply with the obligations under its responsibility in terms of product quality, for the effective processing of consumer queries and complaints and as statistical information.
Processing biometric data:
It is collected through the information provided by the owners, or in security recording means with the sole purpose of serving as evidence in a judicial instance. Processing data such as fingerprints, photographs, videos and other data that may be considered as sensitive in accordance with the Data Protection Act, this information will not be published, nor will it be shared for purposes other than those authorized by law and as to guarantee the control, monitoring, surveillance and, in general, to guarantee the security of Altea facilities.
Processing shareholders information:
It is collected through the information provided by the shareholders. Processing these data allows Altea to comply with its obligations to shareholders, payment of dividends..
3.5 Altea duties as responsible for processing information: Altea as responsible for processing information must comply with the following duties, without prejudice to the other provisions provided by law 1581 of 2012 and others that govern its activity:
Guarantee the holder, at all times, the full and effective exercise of habeas data right.
Request and keep, under the conditions provided by law, a copy of the respective authorization granted by the owner.
Properly inform the owner about the purpose of the collection and their rights by virtue of the authorization granted.
Keep the information under the necessary security conditions to prevent its falsification, loss, consultation, use or unauthorized or fraudulent access.
Ensure that the information provided to the person in charge of processing is truthful, complete, accurate, updated, verifiable and understandable.
Update the information, communicating in a timely manner to the person in charge of processing, all the news regarding the data previously provided and adopt the other necessary measures so that the information provided to the latter is kept up to date.
Rectify the information when it is incorrect and communicate accordingly to the person in charge of processing.
Provide the data processor, as the case may be, only data whose processing is previously authorized in accordance with the provisions of this law.
Always require the person in charge of processing to respect the conditions of security and privacy of the owner’s information.
Process inquiries and claims submitted in the terms established by law.
Inform the person in charge of processing when certain information is in discussion by the Holder, when the claim has been filed and the respective procedure has not been completed.
Inform at the request of the owner about the use given to their data.
Inform the data protection authority when there are violations of the security codes and the administration of the owner’s information involves risks.
Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
3.6 Rights of holders. Information holders have the following rights:
Know, update and rectify their personal data in front of those responsible for/in charge of processing. This right may be exercised, among others, for partial, inaccurate, incomplete, fractioned, misleading data, or those whose processing is expressly prohibited or has not been authorized.
Request evidence of the authorization granted to the person responsible for processing, except when expressly excepted as a requirement for processing, in accordance with the provisions of article 10 of Law 1581 of 2012.
To be informed by the person responsible of processing or the person in charge of processing, upon request, regarding the use that has been given to their personal data.
Submit complaints to the Superintendency of Industry and Commerce for infractions of the provisions of the law and other regulations that modify, add or complement it.
Revoke the authorization and / or request the deletion of data when processing is performed ignoring the principles, rights and constitutional and legal guarantees. The revocation and / or suppression will proceed when the Superintendence of Industry and Commerce has determined that the person responsible or in charge of processing information have incurred in conduct contrary to the Constitution and the law.
Free of charge access to their personal data that have been subject to processing.
3.7. Procedure for attention and response to requests for data processing by holders Information holders or their successors should direct their queries, requests, complaints or claims to the email protecciondedatos@alteafarma.com.co or by written communication to be filed in Cl 10 no . 65 – 28, in Bogotá.
This channel may be used by personal data holders or third parties authorized by law to act on their behalf.
The owner or successor who considers that the information contained in a database must be subject to correction, updating or deletion, or when they notice the alleged breach of any of the duties contained in the law or in this Policy, may file a claim to Altea which will be processed under the following rules: Queries and requests:
The claim will be formulated by means of a request addressed to the person responsible for processing the information or to the one in charge of doing so, to the e-mail protecciondedatos@alteafarma.com.co or by written communication to be filed in Cl 10 no. 65 – 28, Bogotá. It should include owner’s ID number, description of the facts that give rise to the claim, address, and any pertaining document. ALTEA must provide the owners with all the information contained in the individual record or that is linked to the identification of the owner, within a maximum term of ten (10) business days from the date of receipt thereof.
When it is not possible to process the query within said term, the interested party will be informed, stating the reasons for the delay and stating the date on which the consultation will be answered, which in no case may exceed five (5) business days following the expiration of the first term.
Claims and complaints:
The claim will be formulated by means of a request addressed to the person responsible of processing the information or to the one in charge of doing so, to the e-mail protecciondedatos@alteafarma.com.co or by written communication sent to Cl 10 no. 65 – 28, Bogotá. It should include owner’s ID number, description of the facts that give rise to the claim, address, and any pertaining document. If the claim is incomplete, Altea will require the interested party within five (5) days after receiving it to correct it. After two (2) months from the date of the request, if the applicant has not submitted the required information, it shall be understood that the claim has been abandoned.
Once the complete claim has been received, a legend that says «claim in process» and the reason thereof will be included in the database, in a term not exceeding two (2) business days. This text must be maintained until the claim is solved.
The maximum term to process a claim will be fifteen (15) business days from the day following the date of receipt. When it is not possible to process the claim within said term, the interested party will be informed of the reasons for the delay and the date on which his claim will be resolved, which in no case may exceed eight (8) business days following the expiration of the first term.
Owners of the information may at any time request Altea the deletion of their personal data and / or revoke the authorization granted for the treatment thereof, by submitting a claim, in accordance with the provisions of Article 15 of Law 1581 of 2012 , Decree 1377 of 2013 and the procedure indicated in this Policy.
Notwithstanding the foregoing, personal data must be retained when required for the fulfillment of a legal or contractual obligation.
Revocation
The request for revocation will be performed by means of a request addressed to the person responsible for processing information or to the person in charge of doing so, to the e-mail protecciondedatos@alteafarma.com.co or by written communication filed in Cl 10 no. 65 – 28, Bogotá. It should include owner’s ID number, description of the facts that give rise to the claim, address, and any pertaining document.
Owners of personal data may revoke the consent to the processing of their personal data at any time, provided it is not prevented by a legal or contractual provision.
Update, rectification or deletion
The request for revocation will be performed by means of a request addressed to the person responsible for processing information or to the person in charge of doing so, to the e-mail protecciondedatos@alteafarma.com.co or by written communication filed in Cl 10 no. 65 – 28, Bogotá. It should include owner’s ID number, description of the facts that give rise to the claim, address, and any pertaining document.
ALTEA has the obligation to rectify and update, at the request of the owner, the owner’s information that is incomplete or inaccurate, in accordance with the procedure and the terms indicated above.
In the requests for rectification and updating of personal data, the owner must indicate the corrections to be made and provide the documentation supporting his request.
Information processing authorization
Information processing by Altea requires the free, express and informed consent of the owner thereof. Altea, as the person responsible for the processing of personal data, has provided the necessary mechanisms to obtain the authorization of the owners, guaranteeing in any case that it is possible to verify the granting of such authorization. These mechanisms are: In writing, filling out an authorization form for processing information which is provided by Altea. Orally, through telephone conversation or video conference.
Altea will implement and adopt the necessary actions to maintain records or technical or technological mechanisms suitable for when and how it obtained authorization from the holders of personal data for their processing. To comply with the above, physical files or electronic repositories made directly or through third parties hired for that purpose may be established.
Owners of personal data may revoke their consent to the processing of their personal data at any time, provided it is not prevented by a legal or contractual provision. To do this, a written communication addressed to Altea should be sent to the e-mail and/or address provided in numeral 2 of this policy
Information security and security measures.
In development of the security principle established in the current regulations, Altea will adopt the technical, human and administrative measures that are necessary to grant security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.
Department responsible for information processing protection and owners requests processing.
The ADMINISTRATIVE department will be in charge of complying with the function of protecting information function. It will process the owners requests, for the exercise of the rights of access, consultation, rectification, updating, suppression and revocation referred to in the current regulations. Holders of personal data or their successors should address their inquiries or requests to the e-mail protecciondedatos@alteafarma.com.co or by written communication to be filed in Cl 10 no. 65 – 28, in Bogotá.
Validity
This policy is effective as of May 1, 2017. The information provided by the stakeholders will remain stored for as long as the existing relationship with the owner lasts and up to 10 more years, or as determined by law for file preservation.
This policy may be modified at any time and unilaterally by Altea.
.
4. Annexes:
N.A
5. Glossary
Authorization Database: Personal data
Public data: Sensitive data
Semiprivate data
Private data: Successor
In charge of information processing
Responsible for information processing
Owner Processing
Data transmission:
Data transfer