NATIVAPPS SAS, with NIT 900.545.138-1, hereinafter referred to as NATIVAPPS, complies with the provisions of Statutory Law 1581 of 2012 and its regulatory decree 1377 of 2013, which establish the creation and regulation of the regime for the protection of personal data. In order to standardize the process, NATIVAPPS issues this policy containing the legal framework and procedures based on information security standards for the proper handling of personal data within the company. This is not only a legal duty enshrined in the political constitution under Article 15, Law 1581 of 2012, and its regulatory decree, but also a philosophy adopted by the organization to actively safeguard the rights of data subjects who have entrusted us with their data for the purposes of our commercial activities and corporate purpose. Therefore, we issue this policy guideline based on the following principles:
ARTICLE 1. – PURPOSE OF THE POLICY
The purpose of this policy is to provide guidelines for the protection of Personal Data at NATIVAPPS, formalizing the adoption of a philosophy that respects the rights of data subjects, endorsed by senior management across all areas of the company. These guidelines constitute fundamental standards that must be upheld in every aspect of our operations. The policy aims to inform data subjects about their rights and our obligations regarding the proper handling and protection of their data. We are committed not only legally but institutionally to ensuring their rights and providing data subjects with the tools necessary to exercise their rights of access, updating, rectification, and, where applicable, deletion of their data.
ARTICLE 2. – SCOPE
The provisions outlined in this policy for the protection and processing of Personal Data by NATIVAPPS shall apply to all administrative, organizational, and control aspects. Consequently, the following individuals are obligated to comply:
a) The legal representative of the company.
b) Internal staff of NATIVAPPS, from executives to administrative employees, who handle, safeguard, or are entrusted with personal data.
c) Contractors and individuals or legal entities providing services to NATIVAPPS, or with whom agreements are entered into under any contractual modality involving the processing of personal data. This provision must be included in all contracts concluded.
d) Individuals with whom there is a legal relationship of statutory, contractual, or similar nature.
e) Natural persons, legal entities, mixed economy entities, NGOs, public entities, regulatory bodies, and any other entities assuming the role of data users.
f) Any other persons as established by law.
ARTICLE 3.- SCOPE OF APPLICATION
The principles and procedures established in this policy shall apply to the processing of personal data carried out by NATIVAPPS, including its branches or locations in Colombian territory operating autonomously or under agreements. This also applies when the data controller and/or processor is located outside Colombian territory under international treaties, contractual relationships, among other arrangements.
The principles and provisions of this policy apply to any record or database through which data is collected by NATIVAPPS, whether in person, non-face-to-face, through representatives, virtual means, or biometric methods, for the acquisition of any product and/or service from NATIVAPPS or related to it. These principles and provisions also apply to any database under the custody of NATIVAPPS, whether as data controllers and/or processors of personal data.
NATIVAPPS will directly handle the processing of personal data; however, it reserves the right to delegate this processing to a third party, provided that it ensures the responsible party complies with and implements appropriate principles and procedures for the protection of personal data, strict confidentiality, data security, and compliance with these policies. This extends to employees, contractors, and others who have access to the data in relation to their duties, and such compliance must be guaranteed even after the termination of their contracts.
ARTICLE 4.- LEGAL FRAMEWORK
This policy is developed based on the following regulations:
• Law 1266 of 2008: “which establishes the general provisions for habeas data and regulates the management of information contained in personal databases, especially financial, credit, commercial, service-related, and data originating from third countries, and establishes other provisions.”
• Law 1273 of 2009: “By which the Penal Code is modified, a new legally protected asset – called ‘protection of information and data’ – is created, and systems using information and communication technologies are fully preserved, among other provisions.”
• Sentence C-748 of 2011 – “Constitutionality of the statutory bill on the protection of personal data”
• Law 1581 of 2012: “Which establishes general provisions for the protection of personal data.”
ARTICLE 5.- DEFINITIONS
a) Privacy notice: verbal or written communication in a physical or electronic document generated by the data controller, made available to the data subject containing information about the existence of personal data processing policies, how to access them, and the purposes of the data processing intended.
b) Personal data database: Set of personal data organized and arranged in a system for consultation.
c) Transfer of personal data: Processing of data involving their disclosure to a person other than the data subject or different from the authorized recipient.
d) Personal data: Any information or data that identifies or allows the identification of one or more natural persons (referring to individuals or persons). Data can be numeric (addresses, phone numbers, etc.), alphabetic (names), graphic (photographs, digitized signatures, route maps, etc.), visual (video recordings), biometric (fingerprints, personal images, voice audio), or of any other type.
e) Private data: Data that, due to its intimate and confidential nature, is relevant only to its owner.
f) Public data: Data that is not semi-private, private, or sensitive. Public data includes information related to individuals’ marital status, profession or occupation, and their status as a trader or public servant. By nature, public data may be contained in public records, public documents, gazettes, official bulletins, and duly executed judicial decisions that are not subject to confidentiality, and are freely accessible without restriction.
g) Sensitive data: Personal data protected in a special manner due to their connection with racial or ethnic origin, membership in unions, social organizations or human rights organizations, political beliefs, religious beliefs, sexual life, biometric data, or health data (medical records) that pertain to individuals’ intimate sphere. Sensitive data can only be collected with the explicit and informed consent of the data subject, within the limits established by law.
h) Data processor: Natural or legal person, public or private, who, on their own or in association with others, processes personal data on behalf of the data controller.
i) Data controller: Natural or legal person, public or private, who, on their own or in association with others, makes decisions regarding the database and/or the processing of data.
j) Data subject: Natural person whose data is being processed.
k) Processing: Any operation or set of operations and technical procedures, automated or not, performed on personal data, including collection, recording, storage, preservation, use, circulation, modification, blocking, cancellation, or deletion.
l) User: Natural or legal person interested in the use of personal information.
m) Personal data breach: This offense was created by Law 1273 of 2009, as stated in Article 269 F of the Colombian Penal Code. The criminal offense is as follows: “Anyone who, without being authorized to do so, for their own benefit or that of a third party, obtains, compiles, steals, offers, sells, exchanges, sends, purchases, intercepts, discloses, modifies, or uses personal codes or personal data contained in files, archives, databases, or similar means, shall incur a penalty of imprisonment from forty-eight (48) to ninety-six (96) months and a fine of 100 to 1000 minimum legal monthly wages.”
ARTICLE 6.- PRINCIPLES IN THE PROCESSING OF PERSONAL DATA
The protection of personal data at NATIVAPPS will be governed by the following principles or fundamental rules. These principles will form the basis for internal process guidelines related to the processing of personal data. They will be interpreted harmoniously to resolve conflicts that arise in this matter, applying those enshrined in international standards, Colombian laws, and jurisprudence from the Constitutional Court, which has developed fundamental rights related to personal data.
6.1. Legality: Since the processing of personal data is a regulated activity in Colombia, all processes related to it and the recipients of Law 1581 of 2012 must adhere to it.
6.2. Purpose: The processing of personal data must serve a legitimate purpose, in accordance with the Constitution and the law. This purpose must be clearly and specifically informed to the Data Subject prior to obtaining their informed consent.
6.3. Principle of Informed Consent or Principle of Freedom: In NATIVAPPS, the processing of personal data may only be carried out with the prior express and informed consent of the data subjects. Personal data may not be obtained, processed, or disclosed without authorization from the data subject, except under legal provisions or judicial orders that replace the consent of the data subjects.
6.4. Principle of Truthfulness or Quality: The personal data collected by NATIVAPPS must be truthful, complete, accurate, verifiable, understandable, and kept up to date. Processing of partial, fragmented, incomplete, or misleading data is prohibited.
6.5. Principle of Transparency: In the processing of personal data, NATIVAPPS shall ensure the Data Subject’s right to obtain from the data controller and/or processor, at any time and without restrictions, information about the existence of data concerning them.
6.6. Principle of Access and Restricted Circulation: The personal data collected or processed by NATIVAPPS shall be used only in accordance with the purpose and authorization granted by the data subject. Therefore, they may not be accessed, transferred, assigned, or communicated to third parties without authorization.
Personal data under the custody of NATIVAPPS shall not be available on the internet or any other mass media, unless access is technically controllable and secure. This is to ensure restricted knowledge solely to the data subjects or authorized third parties as stipulated by law and governing principles.
6.7. Principle of Security: NATIVAPPS, acting as the data controller and/or processor of personal data, as applicable, shall implement physical, technological, and/or administrative measures necessary to ensure the attributes of integrity, authenticity, and reliability of personal data. Accordingly, NATIVAPPS will implement high, medium, or low-level security measures as appropriate to prevent alteration, leakage, consultation, unauthorized or fraudulent use, or access.
6.8. Principle of Confidentiality: NATIVAPPS and all individuals involved in the processing of personal data are obligated to ensure the confidentiality of information, even after the termination of the employment and/or contractual relationship. NATIVAPPS will impose data protection clauses in its contractual relationships to ensure compliance with this principle.
ARTICLE 7: RIGHTS OF DATA SUBJECTS
The data subjects whose personal data are held in the information systems of NATIVAPPS have the following rights, in compliance with constitutional guarantees and the law. The exercise of these rights shall not incur any costs for the users. It is also a personal prerogative and solely the responsibility of the data subject in the first instance, except as provided by law.
a) Right of access: It constitutes the authority that all users have to know and obtain all the information regarding their personal data processed by NATIVAPPS, concerning the purpose of the processing, location of databases, and about any communications and/or transfers made by them.
b) Right of update: It is the faculty of the data subject to update their data when they have undergone any modification.
c) Right of rectification: All data subjects whose personal data is processed by NATIVAPPS may modify data that is inaccurate, incomplete, or nonexistent.
d) Right to cancellation or withdrawal of consent: The data subject or their authorized representative may cancel or delete their personal data, as well as revoke the consent given to NATIVAPPS for the processing of their personal data, when they consider it excessive, irrelevant, or the processing is contrary to the law, except for the exceptions provided by law and when applicable.
e) Right to object: This right grants the data subject the ability to oppose the processing of their personal data, except in cases where such right is not applicable by legal provision or when it conflicts with overriding legitimate interests of NATIVAPPS. NATIVAPPS will assess the legitimate rights claimed by the data subject before making a decision.
f) The data subject has the right to submit to NATIVAPPS any complaints or grievances they consider relevant regarding the processing of their personal data, to file complaints and claims with the Superintendence of Industry and Commerce or any competent entity, and to take actions for the protection of their data, in accordance with Law 1581 of 2012.
g) Right to grant authorization for data processing. In accordance with the principle of informed consent, the data subject has the right to grant NATIVAPPS authorization to process their personal data. This consent may be provided through any means established that allows for subsequent consultation.
Paragraph: NATIVAPPS, as an exception, will not require authorization for the processing of personal data in the following cases:
• When required by a public or administrative entity in compliance with its legal functions, or by court order.
• When it involves data of a public nature.
• In cases of medical or sanitary emergencies.
• When the processing of information is authorized by law for historical, statistical, or scientific purposes.
• When it involves personal data related to the civil registration of individuals.
Therefore, although authorization from the data subject is not required in these cases, NATIVAPPS will ensure compliance with all other principles and legal provisions regarding the protection of personal data, which still apply.
ARTICLE 8: RESPONSIBILITIES OF DATA CONTROLLERS
In cases where NATIVAPPS or any of the recipients of this policy assume the role of data controller for personal data entrusted to their custody, they shall have the legal duty, without prejudice to statutory provisions, to comply with the following:
a) Ensure the data subject, at all times, the full and effective exercise of the right to habeas data.
b) Request and keep a copy of the respective authorization granted by the data subject.
c) Inform the data subject of the purpose of processing their data and the rights they are entitled to.
d) Keep the information under the necessary security conditions that prevent its alteration, loss, consultation, unauthorized access, or fraudulent use.
e) Ensure that the information provided to the data processor is truthful, complete, accurate, up-to-date, verifiable, and understandable.
f) Promptly update, rectify, or delete data according to the terms of the law and adopt other necessary measures to ensure that the information provided to the data processor remains current.
g) Rectify information when it is incorrect and communicate relevant information to the data processor.
h) Provide the data processor, as applicable, only with data whose processing has been previously authorized in accordance with the law.
i) Demand from the data processor at all times respect for the conditions of security and privacy of the data subject’s information.
j) Process inquiries and complaints in accordance with this policy and the law.
k) Inform the data processor when certain information is under discussion by the data subject, once a complaint has been filed and the respective process has not been finalized.
l) Timely inform, at the data subject’s request, about the use given to their data.
m) Inform the data protection authority when breaches of security codes occur and there are risks in the management of data subjects’ information.
n) Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
ARTICLE 9: DUTIES OF PERSONAL DATA PROCESSORS.
In cases where NATIVAPPS or any of the recipients of this policy assume the role of data processor for personal data entrusted to their custody, they shall have the legal duty, without prejudice to statutory provisions, to comply with the following:
a) Ensure the data subject, at all times, the full and effective exercise of the right to habeas data.
b) Preserve the information under the necessary security conditions to prevent its alteration, loss, unauthorized consultation, use, or fraudulent access.
c) Timely carry out the update, rectification, or deletion of data in accordance with the terms of the law.
d) Update the information reported by the data controllers within five (5) business days from its receipt.
e) Process inquiries and complaints filed by data subjects in accordance with this standard and the law.
g) Record in the database the legend “claim in process” as regulated by law, regarding those complaints or claims filed by data subjects that have not been resolved.
h) Insert into the database the legend “information under judicial discussion” once notified by the competent authority about judicial processes related to the quality of personal data.
i) Refrain from circulating information that is being disputed by the data subject and whose blocking has been ordered by the Superintendence of Industry and Commerce.
j) Allow access to the information only to individuals who are authorized to access it.
k) Inform the Superintendence of Industry and Commerce when security breaches occur and there are risks in the management of data subjects’ information.
l) Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
ARTICLE 10: COMMON DUTIES OF DATA CONTROLLERS AND PROCESSORS.
In addition to the duties previously described, it will be the responsibility of NATIVAPPS and any other person assuming the role of data controller or processor to comply with the following duties, irrespective of their condition:
a) Implement security measures according to the classification of personal data processed by NATIVAPPS.
b) Adopt procedures for handling incidents applicable to databases containing personal data.
c) Adopt backup procedures for databases containing personal data.
d) Periodically audit compliance with the law and this policy by recipients thereof.
e) Securely manage databases containing personal data.
f) Apply this policy on the processing and protection of personal data in harmony with the “Information Security Policy.”
g) Maintain a central registry of databases containing personal data, including the history from their creation, information processing, and database cancellation.
h) Securely manage access to personal databases contained in information systems where it acts as controller or processor of the data.
i) Regularly include in contracts with third parties provisions regarding access to databases containing personal data.
The activities related to the processing of personal data at NATIVAPPS will be governed by the following parameters: personal data will be collected from its users (applicants in the selection process, contractors, visitors, and others for various purposes) for the performance and development of its activities and/or corporate purpose. To this end, it relies on the following principles:
a) Acceptance of the policy: Our users, employees, contractors, partners, and other related parties provide unequivocal actions of knowledge and acceptance of our policy for the processing and privacy of personal data and information, in accordance with the terms herein. This occurs when the data subject or legal representative (in the case of minors) provides data through the designated channels at service points or through their parents during interviews for recruitment and contractual relationships.
b) Treatment of sensitive data: Data subjects are never obligated to provide or authorize the processing of sensitive data. However, if such data are required for the provision of a service, they must expressly consent to the processing of information in accordance with this policy. In this case, sensitive data related to their medical history, biometrics, among others, may be processed, with the highest measures of protection and security applied.
c) Processing of data for security and legal compliance purposes: For security purposes, NATIVAPPS may collect, store, share, and cross-reference personal data, including biometric data, of our users obtained through our website, image, audio, or video recording devices located in our premises, with various administrative control and surveillance authorities, police authorities, and national and international judicial authorities. This is done after informing the general public through privacy notices.
d) Treatment of data collected by surveillance cameras: Surveillance cameras installed at NATIVAPPS facilities are monitored by the company itself for the purpose of capturing images that allow the prevention or identification of potential criminal behaviors or actions that may affect the rights of our visitors, employees, or personnel affiliated with NATIVAPPS. Recordings are made in real time and are stored for the first 24 hours in the system, after which they are automatically deleted. In cases where an incident requires the retention of a copy, only the data controller and/or processor will create and store a copy, ensuring the integrity of the evidence. NATIVAPPS has posted privacy notices in areas where cameras are installed and does not record in private or intimate spaces. NATIVAPPS prohibits the provision of copies of recordings to individuals; however, if someone’s image is captured, NATIVAPPS will ensure the right of access to the data upon fulfillment of legal requirements, guaranteeing the confidentiality and privacy of third parties recorded in the footage. Copies of recordings will only be provided upon official request by competent authorities, ensuring compliance with legal requirements to maintain the integrity of the evidence. Considering that public surveillance in public spaces falls under state jurisdiction, NATIVAPPS uses cameras in external areas that only capture images at access points such as doors and gates to ensure security in access to our premises. Notices will be posted at these access points.
Paragraph: Applicants for positions offered by Human Resources, contractors, employees, suppliers, and other users and data subjects are obligated to provide us with truthful information about their personal, family, corporate, and other relevant references. NATIVAPPS presumes the veracity of the information provided, despite verifying it through aptitude tests, security validations, and other assessments. This presumption of truthfulness is based on the good faith of the applicants for positions, employees, users, suppliers, and others. Therefore, in cases of falsehoods and/or omissions by these individuals, NATIVAPPS does not assume responsibility for the consequences arising from the lack of truthfulness, validity, sufficiency, or authenticity of the information and personal data, including damages or harm resulting from cases of homonymy or identity theft.
ARTICLE 11. PROCESSING OF PERSONAL DATA RELATED TO HUMAN RESOURCES
The express acceptance of this policy on the processing and protection of information and personal data, according to its terms, occurs when the information owner or their representative provides their personal data through any channel or means established by NATIVAPPS for the proper execution of various processes and procedures related to Human Resources management, with the explicit signed consent understood in three stages: a) before, b) during, and c) after the employment and/or contractual relationship. In this regard, NATIVAPPS will inform interested parties in advance about the characteristics and conditions of participating in a selection process, including the rules applicable to the processing of personal data provided by the applicant and those collected during the selection process.
ARTICLE 12: SPECIFIC PURPOSE OF PROCESSING PERSONAL DATA RELATED TO HUMAN RESOURCES:
NATIVAPPS will process your personal data, by virtue of the relationship with the Human Resources department, for the following purposes:
a. Use the information and personal data provided to send correspondence, whether physical or electronic.
b. Provide information related to Human Resources processes and procedures, such as: management of available vacancies in the company, sending information related to the selection process, hiring process, collective benefits derived from an employment contract, payroll slips or payment tickets, training and development courses, and/or any other information directly or indirectly related to the fulfillment of obligations arising from an employment contract, civil or commercial contract, and Human Resources management.
c. Provide information and personal data to control and surveillance authorities, administrative, police, and judicial, national and international, pursuant to a legal or regulatory requirement and/or use or disclose this information and personal data in defense of the rights and/or property of the company, its clients, our websites, or its users, for the detection or prevention of fraud, apprehension or prosecution of criminal acts, or when we in good faith believe that the delivery of information and personal data is in the best interest to preserve security.
d. Allow access to information and personal data to auditors or third parties hired to conduct internal or external audits related to the commercial activities we carry out.
e. Consult and update the information and personal data at any time in order to keep such information updated.
f. Contract with third parties for the storage and/or processing of information and personal data for the proper execution of Human Resources processes and procedures, under the security and confidentiality standards to which we are obligated.
g. Transfer your information and personal data in case of a change in control to another company through merger, acquisition, bankruptcy, spin-off, or creation, to the new entity in control of the company. If as a result of the change in control, there is a change in the data controller, this situation will be communicated to the information and personal data owners so that they can exercise their rights in accordance with applicable law. The conditions under which data owners can exercise their rights will be provided when informing about the change in control.
h. Transfer your personal data for suitability assessments, medical examinations, psychotechnical tests, and other relevant processes related to the selection process.
i. Send greeting cards on birthdays and/or special occasions, as well as messages of condolences in times of bereavement.
j. Process registrations with compensation funds, occupational risk insurance (ARL), health insurance providers (EPS), handling of disability claims, and other related entities to ensure the rights of employees and/or associates.
k. Manage activities related to year-end events, gifts for employees’ children, subsidies, and other related matters.
ARTICLE 13: PROCESSING OF PERSONAL DATA BEFORE EMPLOYMENT.
NATIVAPPS, once the selection process is completed, will inform candidates of the positive or negative outcome. Information obtained by NATIVAPPS regarding non-selected candidates, such as results of psychotechnical tests, interviews, and others, will be deleted from files and information systems, thereby complying with the principle of purpose limitation. Once this purpose is fulfilled, the data will be removed from the databases. When NATIVAPPS receives personal data transfers from third parties responsible for hiring individuals for temporary work, it will regulate in contracts the handling of personal data provided by the owners to the third party for the purpose of that hiring, as well as the use of obtained personal information.
The personal data and information obtained from the selection process regarding personnel selected to work at NATIVAPPS will be stored in their personal file, which may be physical or digital. This information will be subject to high levels of security measures, given the likelihood that it may contain sensitive data. The purpose of providing the data by candidates applying for vacancies at NATIVAPPS and the personal information obtained from the selection process is limited to participation in the process and suitability assessments for the desired job or service provision. Therefore, its use for other purposes is prohibited.
ARTICLE 14: PROCESSING OF PERSONAL DATA DURING EMPLOYMENT:
NATIVAPPS will store the personal data and information collected during the employee selection process in their respective digital or physical folder identified with the name of the employee. This data will be processed by the Human Resources department or its equivalent for the purpose of managing actions derived from the contractual relationship between NATIVAPPS and the employee. The use of employee information for purposes other than those related to the contractual relationship is prohibited.
Paragraph: NATIVAPPS does not collect sensitive data from its employees. However, if required, it will specify the optional nature of the data for the data subject and may process such data during the contractual relationship to fulfill the purposes of the contract and safeguard the rights of the employer, such as disabilities, subsidies, rights of guild association, etc. Therefore, any necessary processing of these data will be handled with the utmost rigor and stored with high protection to prevent unauthorized access, thus ensuring their security conditions. Similarly, data concerning the minor children of our employees will be processed with prior authorization from their parents and solely for the purpose of ensuring their rights and/or benefits derived from the contractual status of their parents.
ARTICLE 15. PROCESSING OF PERSONAL DATA UPON TERMINATION OF THE CONTRACT.
Once the relationship derived from the contract has concluded, by any cause whatsoever, NATIVAPPS will store the personal data obtained during the contracting process as well as those derived from the contractual relationship in a central file, under high security measures. The transfer of this data to third parties is prohibited unless authorized in writing by the data subjects, mandated by law, or required by competent authorities.
ARTICLE 16. PROCESSING OF PERSONAL DATA OF PARTNERS.
NATIVAPPS collects data from natural persons who hold the status of partners within the organization, which is considered confidential information, given that it is recorded in the commercial books and holds the same status by legal mandate. Therefore, access to this information will be carried out in accordance with commercial regulations, and such information will only be processed for the purposes outlined in the existing relationship with the partners.
ARTICLE 17. PROCESSING OF PERSONAL DATA OF CONTRACTORS AND/OR SUPPLIERS.
For NATIVAPPS, the processing of personal data is essential for formalizing contracts that enable the development of its commercial activities. Therefore, it will only collect data that is necessary, relevant, and not excessive, for the following purposes:
a) Evaluate and select suppliers.
b) Comply with legal and tax obligations to governmental entities and regulatory bodies arising from contracting.
c) Conduct qualitative and quantitative assessments and evaluations of the service levels received from suppliers.
d) Communicate the terms and conditions regarding negotiation policies with suppliers.
e) Generate inquiries, audits, and reviews derived from the contractual relationship with the supplier.
f) Any other activity necessary for the effective fulfillment of the work subject to the contract.
NATIVAPPS will collect personal data of employees of its suppliers only when they are involved in the contracting process and when such data is necessary and relevant to the contract. Due to security reasons, NATIVAPPS must analyze and verify this information according to the type of services being contracted. The personal data of supplier employees collected by NATIVAPPS will solely be used to verify the suitability and competence of these employees. Once the purpose for which the data was collected and the contract objective have been fulfilled, NATIVAPPS will either return the documentation to the supplier or delete the collected information from its electronic or physical files.
Furthermore, suppliers are obligated to treat and protect any personal data provided by NATIVAPPS regarding their employees in accordance with the policies outlined here. They must ensure that the data is relevant and not excessive for the purpose of the contract, and they are required to return any documents and delete personal data from their databases once the contract objectives have been fulfilled.
ARTICLE 18. PROTECTION OF PERSONAL DATA OF MINORS AND ADOLESCENTS.
NATIVAPPS may process personal data of children and adolescents who are minors, provided that they are duly authorized by their parents or legal guardians. In case parents or legal representatives detect unauthorized data processing, they can raise their queries or complaints to the email: protecciondedatos@nativapps.com. NATIVAPPS will ensure the appropriate use of personal data of children and adolescents, ensuring compliance with applicable laws, respecting their best interests and fundamental rights, and considering their opinions as data subjects whenever possible.
ARTICLE 19. DATA RETENTION PERIOD.
The information processed by NATIVAPPS will remain in its information systems according to the purposes of the processing and the nature of the data. However, it may be stored for up to eighty (80) years from the date of the last processing to allow compliance with legal and/or contractual obligations, especially in accounting, tax, and fiscal matters, or for as long as necessary to comply with applicable provisions related to administrative, accounting, tax, legal, and historical aspects of the information, or in any event prescribed by law.
ARTICLE 20. EXCEPTIONS TO AUTHORIZATION FOR THE PROCESSING OF PERSONAL DATA.
NATIVAPPS has exceptions to the authorization for the processing of personal data in the following cases:
a) When the information is required by a public or administrative entity acting within the scope of its legal functions or by court order.
b) When dealing with data of a public nature that is not protected by the scope of the law.
c) In cases of proven medical or health emergencies.
d) In events where the information is authorized by law for historical, statistical, and scientific purposes.
e) When dealing with data related to civil registration of individuals, as this information is not considered private data.
ARTICLE 21. INDIVIDUALS TO WHOM DATA IS DELIVERED WITHOUT THE OWNER’S AUTHORIZATION.
NATIVAPPS may disclose personal data to third parties without the intermediary of the owner in the following cases:
a) To the heirs of the data subjects or their representatives at any time and through any means when they duly prove this condition to NATIVAPPS.
b) To judicial or administrative entities exercising their functions when they make a request to receive the information.
c) To third parties authorized by any law of the Republic of Colombia.
d) To third parties authorized by the data subject to receive the information, provided that such authorization is duly provided to NATIVAPPS.
ARTICLE 22. DELIVERY OF DATA TO AUTHORITIES.
When competent authorities require NATIVAPPS to access and/or deliver personal data contained in its databases, NATIVAPPS will first verify the legality of such request. It will then proceed to properly document the delivery of information, ensuring compliance with attributes such as authenticity, reliability, and integrity. At the same time, NATIVAPPS acknowledges its responsibility for confidentiality and custody, as well as its duty to protect this information for the official making the request, the recipient, and the entity they represent.
NATIVAPPS reserves the right to comply with lawful orders from competent authorities and to keep such requests confidential from the data subjects, respecting investigations and any orders from the competent authority instructing them not to inform the data subjects about the request.
ARTICLE 23. DATA CONTROLLER AND DATA PROCESSOR.
NATIVAPPS holds the position of data controller and, in some cases, data processor for personal data. This responsibility extends to all employees who are tasked with adhering to guidelines and procedures to comply with this policy. As custodians of personal information processed in the course of their duties and stored in NATIVAPPS’ information systems, all employees are obligated to uphold and ensure compliance with data protection regulations.
The ultimate responsibility for overseeing and promoting compliance and safeguarding these rights lies with NATIVAPPS’ management. Through this policy, they are identified as follows:
Business name: NATIVAPPS SAS. Nit: 900.545.138-1
Principal address: Calle 94 # 51b-46, Office 607 Movich, Buró 51 Barranquilla (Atlántico)
Contact phone number: (605) 3148468
The person or department responsible for handling requests, inquiries, and complaints, as well as the area tasked with receiving and addressing all requests and concerns, is the Management through the email address: protecciondedatos@nativapps.com
In order to guarantee the rights of access, update, rectification, cancellation, and objection of the data subject, NATIVAPPS implements the following procedure for these purposes:
a) The data subject must fill out the Problem Management Form (PMF) provided for these purposes and provide a detailed explanation of the facts, their request, and the right they wish to exercise, which they can print and submit physically or electronically to NATIVAPPS.
b) Attach a physical or digital copy of their identification document. In the case of representation, attach a properly notarized power of attorney and the identification document of both the representative and the data subject. The request to exercise any of the mentioned rights will contain the following information:
– Provide physical and electronic addresses for notification purposes.
– Attach supporting documents if applicable to the request.
If any of the required elements are missing, NATIVAPPS will contact the requester within five (5) days following the submission of the request to request correction. If two (2) months pass from the initial request without the requester providing the required information, it will be understood that the request has been withdrawn.
NATIVAPPS will have physical formats and virtual means via the email protecciondedatos@nativapps.com to facilitate the data subject or their representative in exercising these rights, specifying whether it is a consultation or a complaint. Within two (2) business days following the complete receipt of the request, NATIVAPPS will mark in its systems or files that it is a “complaint in process.” In the respective database, there should be a checkbox with the following labels: “COMPLAINT FOR DATA PROTECTION IN PROCESS” and “COMPLAINT FOR DATA PROTECTION RESOLVED.”
When NATIVAPPS is responsible for the personal data contained in its information systems, it will respond to the request within ten (10) days if it is a consultation and within fifteen (15) days if it is a complaint. Within the same deadlines, NATIVAPPS will also respond if it verifies that it does not hold any personal data of the individual who is exercising any of the mentioned rights in its information systems.
In case of a complaint, if it is not possible to respond within the fifteen (15) day period, NATIVAPPS will inform the interested party of the reasons for the delay and the new date by which the complaint will be addressed. This new date cannot exceed eight (8) business days following the expiration of the initial fifteen (15) day period.
When NATIVAPPS acts as the data processor, it will inform the data subject or interested party about this status and notify the data controller of any requests or complaints received, so that the data controller can respond accordingly. A copy of the communication sent to the data processor will be provided to the data subject or interested party, informing them about the identity of the data controller and thus the primary entity responsible for ensuring the exercise of their rights.
NATIVAPPS will keep a record of requests and complaints made by data subjects or their representatives, and will archive this information. It will treat this information in accordance with applicable organizational correspondence and security standards. If necessary, NATIVAPPS will seek assistance from the Superintendence of Industry and Commerce to protect the rights of data subjects, using legal actions available to data subjects or interested parties.
ARTICLE 24. PROHIBITIONS RELATED TO THE PROCESSING OF YOUR PERSONAL DATA.
In order to guarantee the rights of data subjects and the security of information, NATIVAPPS establishes the following prohibitions and sanctions for non-compliance:
a) Violation of this prohibition by suppliers contracting with NATIVAPPS will result in the consequences stipulated for such actions, without prejudice to any legal actions that may be taken.
b) In contracts with suppliers where the contracted object relates to personal data, a provision will be agreed upon regarding the damages that NATIVAPPS may incur as a result of fines, operational sanctions, among others, imposed by competent authorities due to the supplier’s reckless or negligent actions.
c) The transfer, communication, or circulation of personal data is prohibited without the prior, written, and explicit consent of the data subject or without authorization from NATIVAPPS. The transfer or communication of personal data must be registered and documented in the database where the data subject’s information is stored, and it must have the consent of both the data subject and the custodian of the NATIVAPPS database, in this case, the management.
d) NATIVAPPS prohibits access, use, transfer, communication, processing, storage, and any other handling of sensitive personal data that may be identified during an audit procedure under the organization’s policy on the proper use of IT resources and/or other regulations issued by NATIVAPPS for these purposes.
e) NATIVAPPS prohibits recipients of this policy from engaging in any processing of personal data that could lead to any of the behaviors described in the Computer Crimes Law 1273 of 2009, unless authorized by the data subject and/or NATIVAPPS, as applicable.
f) NATIVAPPS will only process personal data of children and adolescents under legal age with the express, prior, and informed consent of their representatives and/or legal guardians, for purposes required in relation to the exercise of its activities and/or corporate purpose. In all cases, NATIVAPPS will ensure the prevailing rights recognized to them by the Constitution, in harmony with the Children and Adolescents Code.
ARTICLE 25. AMENDMENTS TO THE POLICY.
This Policy may be amended by NATIVAPPS when deemed necessary. We reserve the right to update and make significant modifications to this policy, as well as to our information management practices. Recipients and the general community have the right to request a copy of the current Data Processing and Protection Policy at any time. They also have the right to exercise their rights as data subjects according to the current and applicable law.
Any changes to the personal data processing policy will be communicated to data subjects and/or recipients through the website: www.nativapps.com
ARTICLE 26. PROCEDURES AND SANCTIONS.
NATIVAPPS communicates to the recipients of this policy the sanction regime provided for by Law 1581 of 2012, Article 23, which outlines the risks associated with improper handling of personal data:
“ARTICLE 23. Sanctions. The Superintendence of Industry and Commerce may impose the following sanctions on data controllers and processors: a) Personal and institutional fines up to the equivalent of two thousand (2,000) legal monthly minimum wages in effect at the time of sanction imposition. Fines may be successive while the non-compliance persists. b) Suspension of activities related to data processing for up to six (6) months. The suspension notice will specify the corrective actions to be taken. c) Temporary closure of operations related to data processing if the ordered corrective actions are not adopted after the suspension period. d) Immediate and definitive closure of operations involving the processing of sensitive data.”
Notification of any investigation procedure by any authority related to the processing of personal data must be immediately communicated to NATIVAPPS Management. This is to take measures aimed at defending the entity’s actions and avoiding the imposition of sanctions provided for in Colombian legislation, particularly those outlined in Title VI, Chapter 3 of Law 1581 of 2012 as described earlier.
As a consequence of the risks assumed by NATIVAPPS, whether as data controller and/or processor, non-compliance with this policy by its recipients is considered a serious offense and will lead to termination of the respective contract, without prejudice to any other legal actions that may apply.