OPNICER FOUNDATION, in compliance with the provisions of the Colombian Political Constitution and Statutory Law 1581 of 2012 and its regulatory and complementary norms, comprehensively guarantees the protection and exercise of the fundamental right to Habeas Data of all holders of personal information, for which it is responsible or in charge of processing, and also complies at all times with the fundamental rights to privacy, good name and confidentiality of natural persons, which is why it adopts and applies this Information Processing Policy.

‍

‍This Policy defines and establishes the principles, policies, procedures, rights, and obligations that Law 1581 of 2012 and its complementary regulations have developed, guaranteed, and implemented for the holders of personal information.

‍

‍OPNICER FOUNDATION is responsible for the processing of Personal Data and, in compliance with the provisions of Article 13 of Regulatory Decree 1377 of 2013, adopts and makes public to all interested parties this Policy, which contains all the essential elements for compliance with the legislation corresponding to the Protection of Personal Data.

‍

‍Likewise, it will serve as a source of knowledge for all stakeholders that maintain some type of relationship with the OPNICER Foundation, thus contributing to a proper understanding of the fundamental right to Personal Data Protection.

‍

‍The personal data managed or processed by the OPNICER FOUNDATION arise from the exercise of its private functions and within the normal development of its activity as a Foundation with its current statutes and Regulatory Decree 2649 of 1993, articles 18 and 125, section 3.

‍

‍DEFINITIONS

Privacy Notice: Verbal or written communication generated by the data controller, addressed to the data subject for the processing of their personal data, through which they are informed of the existence of the information processing policies that will apply to them, how to access them, and the purposes of the processing intended to be given to their personal data.

‍

‍Authorization: Prior, express, and informed consent of the owner of the personal data to carry out the processing of personal data.

‍

‍Database: Organized set of personal data that is subject to processing.

‍Personal data: Any information linked to or that can be associated with one or more specific or identifiable natural persons. "Personal data" should therefore be understood as information related to a natural person (an individual considered as an individual).

‍

‍Public data: Data that is not semi-private, private, or sensitive. Public data includes, among others, data relating to a person's marital status, their profession or occupation, and their status as a merchant or public servant. By its nature, public data may be contained in, among others, public registries, public documents, official gazettes and bulletins, and duly executed court rulings that are not subject to confidentiality. It is also understood that all data contained in public registries will be of this same nature.

‍

Public personal data: All personal information that is freely and openly available to the general public.

‍

‍Private personal data: All personal information that is restricted in its knowledge and, in principle, private to the general public.

‍

‍Sensitive Data: Data that affects the privacy of the Data Subject or whose misuse may lead to discrimination, such as data that reveals racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in trade unions, social organizations, human rights organizations, or that promotes the interests of any political party or that guarantees the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.

‍

‍Data Processor: Any natural or legal person, public or private, who, either on their own or in association with others, processes personal data on behalf of the Data Controller.

‍

‍Data Controller: A natural or legal person, public or private, who, either alone or in association with others, decides on the databases and/or the processing.

‍

‍Data Subject: A natural person whose personal data is being processed, who must provide sufficient proof of identity through the various means made available by the data controller. Likewise, their successors in title, who must provide proof of such status; also, the Data Subject's representative and/or attorney, upon proof of representation or power of attorney; and finally, by stipulation in favor of or for another party.

‍

‍Transfer: Data transfer occurs when the controller and/or processor of personal data, located in Colombia, sends the information or personal data to a recipient, who is in turn the controller and is located within or outside the country.

‍

‍Transmission: Processing of personal data that involves communicating the same within or outside the territory of the Republic of Colombia when the purpose is to carry out processing by the data processor on behalf of the controller.

‍

‍Processing: Any operation or set of operations that the OPNICER Foundation performs on personal data, such as collection, processing, disclosure, storage, use, circulation, or deletion. The foregoing applies exclusively to natural persons.

‍

‍Personal Data Protection Committee: A multidisciplinary group of collaborators responsible for defining, establishing, and implementing guidelines for personal data protection.

‍

‍DATA OF THE CONTROLLER AND/OR PERSON IN CHARGE OF THE PROCESSING PROTECTION OF PERSONAL DATA

• ‍Company Name: OPNICER FOUNDATION  
• ‍Address: Diagonal 1ª No 8 - 40, Bogotá DC.
• Email: funopnicer@gmail.com.

‍

The OPNICER Foundation will be responsible for handling requests, inquiries, and complaints. The data subject may exercise his or her rights to access, update, rectify, and delete the data, and revoke the corresponding authorization when applicable.

‍

‍TREATMENT AND PURPOSE

‍

PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA

In order to comply with the Personal Data Protection Policy, as well as the obligations imposed by Law 1581 of 2012 and its regulatory Decree, which involves the handling and processing of personal, sensitive, and minor data within the OPNICER FOUNDATION, it is framed under the following principles:

‍

‍Access and Circulation: In accordance with legal provisions, the data managed by the OPNICER FOUNDATION in the exercise of its activities is intended to fulfill a flexible and comprehensive logistics function; therefore, access to it will be guaranteed in accordance with the provisions of the Law.

‍

‍For data from other sources, access and circulation will be restricted according to the nature of the data and the authorizations granted by the Data Subject or other persons provided for by law. Personal data, except for those of a public nature, may not be publicly available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge to Data Subjects or authorized third parties. For these purposes, the OPNICER Foundation's obligation will be one of means, not results. Technical controls have been implemented to reasonably ensure controlled access to the foundation's information systems and/or databases.

‍

‍Confidentiality: Based on the previous definition, data confidentiality is guaranteed depending on the nature of the data. Therefore, information confidentiality will be maintained during and after the completion of the activities justifying the processing of personal data. All individuals within the Foundation or outside of it who are involved in the processing of personal data that are not public are required to guarantee the confidentiality of this information, even after their relationship with any of the tasks involved in the processing has ended. They may only provide or communicate personal data when it corresponds to the development of the activities authorized by law and any applicable regulations.

‍

‍Consequently, the OPNICER Foundation undertakes to preserve and maintain strictly confidential information and not disclose to third parties any personal, accounting, technical, commercial, or any other type of information provided or obtained in the performance of functions other than social or representative functions. All individuals with a current employment or contractual relationship, or who may be assigned in the future to administer and manage databases, must sign a confidentiality agreement to ensure such accountability.

‍

‍This obligation persists and is maintained even after your relationship with any of the tasks that comprise the Processing has ended.

‍

‍Purpose: Legitimate, informed, temporary, and material. The purpose corresponds to the functions of the OPNICER FOUNDATION. Likewise, the OPNICER FOUNDATION will process personal data when required for the development of its activities. The processing of personal data that the OPNICER FOUNDATION carries out in compliance with the law complies with the legitimate purpose in accordance with the Political Constitution, Law 1581 of 2012 and Decree 1377 of 2013, as well as with the provisions of other regulations applicable to its corporate purpose.

‍

‍Legality: All personal data processing activities carried out by FUNDACIÓN OPNICER are strictly causally linked to the performance of its activities and are therefore for legitimate purposes and subject to Law 1581 of 2012.

‍

‍Freedom: The OPNICER Foundation guarantees the right to informational self-determination of data subjects who provide personal data. Consequently, it respects the exercise of the rights that data subjects have and is committed to and assumes the policy contained in this document to guarantee the exercise of these rights and the fulfillment of its obligations.

‍

‍Security: The OPNICER Foundation, as the party responsible for and/or in charge of processing personal data, has adopted all reasonable technical, human, and administrative measures to prevent unauthorized or fraudulent alteration, loss, consultation, use, or access to the personal information contained in its database.

‍Transparency: The OPNICER Foundation guarantees that data subjects have the right to access and know about the personal information being processed, in accordance with Regulatory Decree 1377 of 2013.

‍

‍Veracity or Quality: The OPNICER Foundation guarantees that the information contained in its databases will be truthful, complete, accurate, up-to-date, verifiable, and understandable. The veracity and quality of personal data will be subject to the information provided by each data subject, and the OPNICER Foundation is exempt from any liability regarding its quality.

‍

‍TREATMENT

Processing of public data: The OPNICER Foundation warns that it processes public personal data that it manages in the performance of its activities without prior authorization from the Owner.

‍

‍Processing of sensitive data: The OPNICER Foundation uses and processes data classified as sensitive when: The processing has been expressly authorized by the owner of the sensitive data, except in cases where such authorization is not required by law; it is necessary to safeguard the vital interests of the owner; it relates to data that is necessary for the recognition, exercise, or defense of a right in a judicial process; or when the processing has a historical, statistical, or scientific purpose, or within the framework of improvement processes.

‍

‍Processing of data concerning minors: The OPNICER Foundation, pursuant to the legal mandate established by law, only processes personal data concerning minors; provided that the best interests of the children and adolescents are respected and their fundamental rights are ensured. In this case, once the above requirements have been met, the OPNICER Foundation will request authorization from the child's or adolescent's legal representative or guardian to process the minor's data.

‍

Authorization for the use and processing of personal data: When the data is different from that of a public nature, as defined in section 2 of article 3 of Regulatory Decree 1377 of 2013, the OPNICER FOUNDATION will request prior authorization for the processing of personal data by any means that allows it to be used as evidence.

‍

‍On the right of access: The OPNICER FOUNDATION guarantees the right of access in accordance with Law 1581 of 2012 only to the Holders of personal data that correspond to natural persons, upon prior accreditation of the identity of the holder, legitimacy, or personality of his representative, making available to the latter, without cost or expense, in a detailed and itemized manner, the respective personal data processed, through any means of communication including electronic means.

‍

Such access is subject to the limits established in Article 21 of Regulatory Decree 1377 of 2013.

‍

‍Right of Consultation: Holders of personal data may consult personal information held in any OPNICER Foundation database, and such consultation will be subject to the provisions of the law. Consequently, the OPNICER Foundation guarantees the right of consultation, in accordance with the provisions of Law 1581 of 2012, exclusively for private, sensitive, and minor personal data belonging to natural persons. The Foundation provides the holders of such personal data with the information contained in each of the corresponding databases under the responsibility of the OPNICER Foundation.

‍

‍The OPNICER Foundation will establish authentication measures that allow the secure identification of the personal data subject making the query or request. Regarding the processing of personal data requests, the OPNICER Foundation

Enable electronic or other means of communication that you consider relevant and secure.

Establish the different formats, systems and other methods that will be reported in this document.

‍

Use the complaint and claim handling services that are in operation.

‍Right to lodge a complaint: Holders of private personal data belonging to a natural person who consider that the information contained or stored in our database does not correspond to the public records managed by the OPNICER Foundation may be subject to correction, updating, or deletion, or when they become aware of a presumed breach of any of the duties and principles contained in the regulations on Personal Data Protection; in this regard, they may file a complaint with the Controller or the Person in Charge of the personal data.

‍

‍The OPNICER Foundation has the necessary authentication measures in place to securely identify the data subject making the claim.

‍

‍On the right to rectification and updating of data: The OPNICER FOUNDATION undertakes to rectify and update, at the Data Subject's request, any personal information belonging to natural persons that is incomplete or inaccurate, in accordance with the procedure and terms indicated above. In this regard, the OPNICER FOUNDATION will take into account, in requests for rectification and updating of personal data, that the Data Subject indicates the corrections to be made and provides documentation supporting their request. The OPNICER FOUNDATION is fully free to enable mechanisms that facilitate the exercise of this right, provided they benefit the Data Subject. Consequently, electronic or other means that the OPNICER FOUNDATION deems relevant and secure may be enabled. Likewise, the OPNICER FOUNDATION may establish forms, formats, systems, and other methods for this purpose, which will be made available to interested parties.

‍

‍On the right to data deletion: The owner of personal data has the right, at any time, to request that the OPNICER Foundation delete (eliminate) personal data that exceeds the mandatory information, if any. For all other data, the following conditions will apply:

That they are not being treated in accordance with the principles, duties, and obligations set forth in current regulations on Personal Data Protection.

That they are no longer necessary or relevant for the purpose for which they were collected.

‍

The period necessary to fulfill the purposes for which it was collected has been exceeded. This deletion entails the secure elimination or deletion, in whole or in part, of the personal information, as requested by the data subject, from the records, files, databases, or processing carried out by the OPNICER FOUNDATION, as provided by law.

‍

The right to erasure is not an absolute right, and the OPNICER FOUNDATION, as the controller of personal data, may deny or limit the exercise of this right when:

1. The data subject has a legal or contractual obligation to remain in the database.
2. The deletion of data hinders judicial or administrative proceedings related to tax obligations, the investigation and prosecution of crimes, or the updating of administrative sanctions.
3. The data may be necessary to protect the legally protected interests of the data subject; to carry out an action based on the public interest; or to comply with a legal obligation of the data subject.
4. The data must be public in nature and correspond to public records, which are intended to be made public.

‍

‍On the right to revoke authorization: Any data subject whose personal data corresponds to a natural person may revoke their consent to the processing of such data at any time, provided that the information exceeds what is required by law and is not prohibited by a legal or contractual provision. To this end, the OPNICER Foundation has established mechanisms that allow the data subject to revoke their consent or authorization.

‍The right of revocation is not an absolute right and the OPNICER FOUNDATION, as the controller of personal data, may deny or limit the exercise of this right when:

• The data subject has a legal or contractual obligation to remain in the database.
• The revocation of the processing authorization hinders judicial or administrative proceedings related to tax obligations, the investigation and prosecution of crimes, or the updating of administrative sanctions.
• The data may be necessary to protect the legally protected interests of the data subject; to carry out an action based on the public interest, or to comply with a legal obligation of the data subject.
• The data must be public in nature and correspond to public records, which are intended to be made public.

‍

‍Data Protection in Agreements or Contracts: Any contract or agreement entered into or established by the OPNICER FOUNDATION will include clauses that allow for prior and general authorization to process personal data related to the execution of the contract. This authorization includes the collection, modification, or correction of personal data of the Data Subject corresponding to natural persons at a future time. Authorization has also been included for some personal data, if necessary, to be delivered or transferred to third parties with whom the OPNICER FOUNDATION has a relationship. In contracts for the provision of external services, when the contractor requires personal data, the OPNICER FOUNDATION will provide said information provided that the Data Subject has prior and express authorization for this transfer. Excluded from this authorization are personal data of a public nature, as defined in section 2 of article 3 of Regulatory Decree 1377 of 2013, and data contained in public registries. For its part, the OPNICER FOUNDATION, when receiving data from third parties and acting as the Controller of personal data, will verify that the purpose or purposes of the processing authorized by the owner or permitted for legal, contractual or jurisprudential reasons are in force and that the content of the purpose is related to the reason why said personal information is going to be received from the third party, since only in this way will it be authorized to receive and process said personal data.

‍Transfer of personal data to third countries: In the hypothetical events in which the OPNICER FOUNDATION, in the development of any of its activities, at an international level, international cooperation and representation or participating in international programs for economic, cultural and social development, or any other activity that involves the transfer of personal data to third countries, will be governed by the following condition:

‍

The transfer of personal data to third countries will only be carried out with the corresponding authorization of the data subject and with prior authorization from the SIC's Personal Data Office, if applicable. Any processing that involves the transmission of data outside of Colombian territory is considered an international transfer, whether it involves a data transfer or the provision of a service to the data controller outside of Colombia.

‍Video Surveillance: Anyone entering the OPNICER FOUNDATION facilities may be recorded by our security cameras, and by simply authorizing access, the procedure described above is considered expressly accepted.

‍

Images captured by the cameras and closed-circuit television system will be used for your own safety, that of our residents, and that of all our visitors, and may be archived for a reasonable period of time. Likewise, in the event of any incidents of any kind, they will be forwarded to the appropriate authorities.

‍

‍Validity of databases: Databases that include personal data will have a validity equal to the duration of the OPNICER FOUNDATION.

‍

PURPOSE

The processing (collection, storage, use, circulation or deletion) of personal data collected from data subjects will have the following purposes:

• For the efficient development and effective provision of the services that comprise the corporate purpose of the OPNICER FOUNDATION.
• Compliance with legal provisions, contractual and other commitments.
• Activities inherent to a human talent selection process, labor relations and quality of life programs, including those involving the family nucleus of benefactors, volunteers and/or assistants, their descendants and collaborators.
• For the sending of information related to activities, events, programs and services promoted by the OPNICER FOUNDATION.

‍

‍RIGHTS OF THE HOLDERS

The OPNICER Foundation recognizes and guarantees the following fundamental rights to the holders of personal data:

The OPNICER Foundation recognizes and guarantees the following fundamental rights to the holders of personal data:

1. Access, know, update, and rectify your personal data with the OPNICER FOUNDATION, as the controller of personal data.
2. Request proof of the existence of the authorization granted to the OPNICER FOUNDATION except in cases where the Law exempts the authorization. 
3. Receive information from the OPNICER FOUNDATION, upon request, regarding the use of your personal data.
4. File complaints for violations of current regulations with the Superintendency of Industry and Commerce (SIC). 
5. Modify and revoke authorization and/or request the deletion of personal data when the processing does not respect the constitutional and legal principles, rights, and guarantees in force. This right to revoke authorization is not always absolute and is not applicable when there is a legal or contractual obligation limiting this right.
6. To be aware of and access free of charge your personal data that has been processed. 

‍

‍DUTIES IN RELATION TO THE PROCESSING OF PERSONAL DATA

The OPNICER FOUNDATION, as the Controller and/or the Controller of personal data, complies with the duties and obligations set forth in Article 17 of Law 1581 of 2012, and the regulations or amendments thereto, namely:

1. ‍Guarantee the Holder, at all times, the full and effective exercise of the right of habeas data.
2. Request and retain, under the conditions provided for in this law, the authorizations granted by the Owner.
3. Properly inform the Owner about the purpose of the collection and the rights that he or she has by virtue of the authorization granted.
4. Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
5. Ensure that the information provided to the Data Processor is truthful, complete, accurate, up-to-date, verifiable and understandable.
6. Update the information, promptly communicating to the Data Processor all new developments regarding the data previously provided and adopting other necessary measures to ensure that the information provided to the Data Processor remains up-to-date.
7. Rectify information when it is incorrect and communicate the relevant information to the Data Controller.
8. Provide the Data Processor, as the case may be, only with data whose processing has been previously authorized by the data owner. 
9. Demand that the Data Processor respect the security and privacy conditions of the Data Subject's information at all times.
10. Process queries and complaints made by personal data holders.
11. Inform the Data Processor when certain information is being disputed by the Data Subject, once the claim has been submitted and the respective process has not been completed.
12. Inform the Owner, upon request, about the use given to their data.
13. Inform the data protection authority (Superintendency of Industry and Commerce SIC – Personal Data Protection Office) when security code violations occur and there are risks in the management of the Data Subjects' information. 
14. Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce. 

‍PROCEDURE FOR THE EXERCISE OF RIGHTS BY THE HOLDERS

‍

PROCEDURE FOR HANDLING QUERIES

Data Subjects may access the personal information held by the OPNICER Foundation, which will provide all information contained in its database records or any other means linked to the Data Subject's identification. 

‍The consultation will be formulated through the following means:

• Email to funopnicer@gmail.com.
• Through the telephone line 313 832 2303.

• Physical submission of a request to the building's concierge. Regardless of the method used, the request will be answered within a maximum of ten (10) business days from the date of receipt. When it is not possible to answer the request within this period, the interested party will be informed, stating the reasons for the delay and indicating the date on which their request will be answered, which in no case may exceed five (5) business days following the expiration of the first term. 

‍

PROCEDURE FOR HANDLING CLAIMS

The Data Subject who considers that the personal information held by FUNDACIÓN OPNICER should be corrected, updated or deleted, or when he/she notices the alleged non-compliance with any of the duties contained in the law, may file a claim with the Data Controller or the Data Processor through the following means:

• Email to funopnicer@gmail.com.
• Through the telephone line 313 832 2303.

• Physical submission of a request to the building's concierge. Regardless of the method used, the request will be answered within a maximum of ten (10) business days from the date of receipt. When it is not possible to answer the request within this period, the interested party will be informed, stating the reasons for the delay and indicating the date on which their request will be answered, which in no case may exceed five (5) business days following the expiration of the first term. 

‍In any case, you must indicate the information you wish to correct, update, or delete (where applicable), attaching the corresponding supporting documents if necessary. 

If the claim is incomplete, the interested party will be required within five (5) days of receipt to correct the deficiencies. After two (2) months from the date of the request, if the applicant does not submit the required information, the claim will be deemed to have been withdrawn. 

In the event that the person receiving the claim is not competent to resolve it, he/she will forward it to the appropriate person within a maximum period of two (2) business days and inform the interested party of the situation. 

The maximum period for addressing the claim will be fifteen (15) business days counted from the day following the date of receipt. When it is not possible to address the claim within this period, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.

‍

‍PROCEDURE FOR REVOCATION OF AUTHORIZATION 

Any data subject who believes that the authorization granted to the OPNICER Foundation for the processing of personal data should be revoked may file a complaint with the Data Controller or Data Processor through the following means: 

• Email to funopnicer@gmail.com. 
• Through the telephone line 313 832 2303. 
• Physical submission of a request to the building's concierge. Regardless of the method used, the request will be answered within a maximum of ten (10) business days from the date of receipt. When it is not possible to answer the request within this period, the interested party will be informed, stating the reasons for the delay and indicating the date on which their request will be answered, which in no case may exceed five (5) business days following the expiration of the first term. 

‍

VALIDITY OF THE INFORMATION PROCESSING POLICY 

This Personal Data Processing Policy is effective as of October 15, 2017, and the OPNICER Foundation may modify it as a fundamental part of its actions to comply with the obligations established by Law 1581 of 2012.

‍

‍VALIDITY OF THE DATABASES 

The validity of the databases will correspond to the provisions of the foundation's internal procedures, which are in accordance with current legal regulations.

‍