PRIVACY POLICIES

PERSONAL DATA PROCESSING POLICY

In compliance with Article 15 of the Political Constitution of Colombia, Law 1581 of 2012, Regulatory Decree 1377 of 2013, and other applicable regulations, the company MARIA ELENA VILLAMIL & CÍA S.A.S, hereinafter referred to as MARIA ELENA VILLAMIL & CÍA S.A.S, committed to respecting and guaranteeing the rights of its clients, suppliers, employees, and third parties in general, hereby informs the public of its policies and procedures for the processing of personal data stored and protected in our database. These policies are mandatory in all activities that involve, in whole or in part, the collection, storage, use, circulation, and/or transfer of such information.

This Personal Data Processing Policy is mandatory for MARIA ELENA VILLAMIL & CÍA S.A.S in its role as data controller, as well as for all companies that are affiliates, subsidiaries, or part of its corporate group.

LEGAL FRAMEWORK

This Personal Data Processing Policy is supported by:
– Article 15 of the Political Constitution of Colombia, which establishes:
"All persons have the right to personal and family privacy and a good name, and the State must respect and ensure these rights. Likewise, they have the right to know, update, and correct the information gathered about them in databases and files of public and private entities. In the collection, processing, and circulation of data, freedom and other constitutional guarantees shall be respected. Correspondence and other forms of private communication are inviolable and may only be intercepted or recorded by court order, in the cases and with the formalities established by law. For tax or judicial purposes, and in cases of inspection, monitoring, and intervention by the State, the presentation of accounting books and other private documents may be required, in accordance with the law."

– Statutory Law 1581 of 2012: “Whereby general provisions are issued for the protection of personal data.”

– Regulatory Decree 1377 of 2013: “Whereby Law 1581 of 2012 is partially regulated.”

GENERAL INFORMATION ABOUT MARIA ELENA VILLAMIL & CÍA S.A.S AS DATA CONTROLLER

Business Name: MARIA ELENA VILLAMIL & CÍA S.A.S

NIT: 900.045.889-9

Address: Cra 1 #47-160, Second Floor, Cali – Valle del Cauca

Phone: +57 602 483 7470

Email: gestionhumana@mariaelenavillamil.com.co

Website: www.mariaelenavillamil.com.co

PURPOSE OF THE PERSONAL DATA PROCESSING POLICY

The purpose of this Personal Data Processing Policy is to develop and inform the general public of the corporate and legal guidelines under which MARIA ELENA VILLAMIL & CÍA S.A.S processes personal data, the purpose of said processing, the rights of data subjects, and the internal and external procedures available for the exercise of those rights.

LEGAL DEFINITIONS

  • Authorization: Prior, express, and informed consent of the Data Subject for the processing of personal data.
  • Database: An organized set of personal data that is subject to processing.
  • Data Subject: A natural person whose personal data is subject to processing, whether a client, supplier, employee, or any third party who, due to a commercial or legal relationship, provides personal data to MARIA ELENA VILLAMIL & CÍA S.A.S.
  • Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.
  • Personal Data: Any information linked to, or that can be associated with, one or more specific or determinable individuals.
  • Public Data: Data that is not semi-private, private, or sensitive. Public data includes, among others, information on marital status, profession, or occupation, and the status of individuals as merchants or public servants. Due to their nature, public data may be contained in public records, public documents, official gazettes, and executed judicial decisions not subject to confidentiality.
  • Sensitive Data: Data that affects the privacy of the data subject or whose misuse can lead to discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social or human rights organizations, political parties, or data related to health, sex life, and biometric data.
  • Transfer: Occurs when the data controller and/or processor located in Colombia sends the data to a recipient who is also a controller and is located inside or outside the country.
  • Transmission: Processing of personal data involving communication of the data within or outside the territory of Colombia for processing by a third party on behalf of the controller.

When a term used in this Policy is defined by law, that definition shall apply. If not defined, the ordinary meaning consistent with the purpose of the Policy shall apply.

PRINCIPLES GOVERNING PERSONAL DATA PROCESSING BY MARIA ELENA VILLAMIL & CÍA S.A.S

  • Principle of Lawfulness: Data processing is regulated and must comply with Law 1581 of 2012, Decree 1377 of 2013, and other applicable regulations.
  • Principle of Purpose: Processing must have a legitimate purpose, and the data subject must be informed.
  • Principle of Necessity: Storage and processing are limited to what is essential for the commercial relationship or purposes authorized by the data subject.
  • Principle of Freedom: Personal data may only be processed with the prior, express, and informed consent of the data subject or by legal or judicial mandate.
  • Principle of Veracity: Information must be truthful, complete, accurate, updated, verifiable, and understandable.
  • Principle of Transparency: The data subject has the right to obtain information about their data held by MARIA ELENA VILLAMIL & CÍA S.A.S.
  • Principle of Restricted Access and Circulation: Only authorized persons or those permitted by law may process data.
  • Principle of Security: Data must be handled with technical, administrative, and physical measures to prevent tampering, loss, or unauthorized access.
  • Principle of Confidentiality: Non-public data is confidential and may only be disclosed in accordance with the law.
  • Principle of Systematic Integration: Personal data protection principles must be applied across all business processes of MARIA ELENA VILLAMIL & CÍA S.A.S.

RIGHTS OF PERSONAL DATA SUBJECTS

Data subjects have the right to:

  • Know, update, and rectify their personal data held by data processors or controllers.
  • Request proof of the authorization granted to the controller, except when not required by law.
  • Be informed, upon request, of the use of their personal data.
  • File complaints with the Superintendence of Industry and Commerce for violations of the law.
  • Revoke authorization and/or request deletion when constitutional and legal rights are not respected.
  • Access their data free of charge.

AUTHORIZATION FOR PERSONAL DATA PROCESSING

MARIA ELENA VILLAMIL & CÍA S.A.S has procedures to obtain data subject consent at the time of data collection, informing them of the data to be collected and the specific purposes.

Consent is considered granted through:
(i) written form,
(ii) oral expression, or
(iii) unequivocal conduct from the data subject.

Silence is not considered valid consent.

Authorization is not required when:

  • The information is requested by a public entity or court,
  • The data is public,
  • There is a health or medical emergency,
  • The processing is for historical, statistical, or scientific purposes,
  • The data relates to civil registry records.

REVOCATION OF AUTHORIZATION AND/OR DATA DELETION

The data subject may request data deletion and/or revoke consent at any time via a claim, as per Article 15 of Law 1581 of 2012.

Requests will not proceed if the data subject has legal or contractual obligations to remain in the database.

PURPOSES OF DATA PROCESSING

MARIA ELENA VILLAMIL & CÍA S.A.S will process personal data for:

  • Marketing, promotion, advertising, sales, billing, collection, support, fraud prevention, and more.
  • Communication regarding services and products.
  • Evaluating service and product quality and studying consumer behavior.
  • Providing customer service and technical support.
  • Fulfilling contractual and legal obligations.
  • Controlling and preventing fraud.

REQUESTS AND INQUIRIES PROCEDURE

The data subject or authorized party may:

  • Submit inquiries regarding their personal data.
  • Request updates, corrections, or deletion.
  • Request a copy of the consent granted.

These can be made:

  • By phone: +57 602 483 7470 – +57 602 483 7071
  • In writing: Cra 1 #47-160, Second Floor, Cali, Colombia
  • By email: gestionhumana@mariaelenavillamil.com.co

Responses will be issued within 10 business days. If more time is needed, the company will notify the applicant and respond within an additional 5 business days.

COMPLAINTS AND WITHDRAWAL OF AUTHORIZATION

The data subject or their representative may:

  • Revoke consent,
  • File complaints regarding breaches of data processing obligations.

Complaints must be submitted via:

  • Phone: +57 602 483 7470 / +57 602 483 7071
  • Writing: Cra 1 #47-160, Second Floor, Cali
  • Email: sales@mariaelenavillamil.com.co

Complaints must include:
(i) Data subject identification,
(ii) Description of the facts,
(iii) Contact details,
(iv) Supporting documents.

If incomplete, the applicant will have 5 business days to correct the issue. After 2 months without response, the complaint is considered withdrawn.

Complaints will be addressed within 15 business days. If delayed, a notice and new deadline will be provided (not exceeding 8 more business days).

DEPARTMENT RESPONSIBLE FOR REQUESTS AND COMPLAINTS

The Customer Service Department of MARIA ELENA VILLAMIL & CÍA S.A.S is responsible for managing requests, inquiries, and complaints regarding the rights to access, correct, delete, or revoke data consent.

VALIDITY

This policy has been in effect since May 3, 2019, and remains valid until expressly amended or revoked.

All content on this page (text, logos, images, audio, videos, designs, etc.) is protected under intellectual property laws. All rights reserved. Unauthorized reproduction or distribution is prohibited.

For payments made through external platforms, data security is managed by said platforms. The company is not responsible for transactions made through those platforms.