PRIVACY AND PERSONAL DATA PROCESSING NOTICE

Privacy Notice

C.I. NUTREO S.A.S., located in Rionegro, Antioquia, Colombia, is responsible for the processing of personal data. According to our data processing policies, the mechanisms through which we use this data are secure and confidential, as we have the appropriate technological means to ensure that they are stored in such a way as to prevent unwanted access by third parties, thus ensuring their confidentiality.

Contact Information:

Office Address: Glorieta Aeropuerto José María Córdova Vía Guarne - Parque Empresarial Multicentro Interior 9 y 10, Rionegro – Antioquia – Colombia.
Email: protecciondedatos@iluma.bio
Phone: (57-4) 6042700

Your personal data will be included in a database and will be used for the following purposes:

Provide our services and products.
Inform about new products or services related to those contracted or acquired.
Fulfill contractual obligations with our clients, suppliers, and employees.
Inform about changes in our products or services.
Evaluate the quality of service.
Conduct internal studies.

Holders of the information are informed that they can consult the Internal Manual of Personal Data Policies and Procedures of C.I. NUTREO S.A.S., which contains our policies for handling the information collected, as well as the consultation and claim procedures that allow them to exercise their rights to access, consultation, rectification, updating, and deletion of the data by clicking on the following link: http://www.nutreo.co.

Manual of Procedures and Guidelines for the Processing of Personal Data

C.I. NUTREO S.A.S., in compliance with the legal provisions governing the processing of personal data, especially as indicated in letter k of article 17 of Law 1581 of 2012, adopts this internal manual of procedures and guidelines for the processing of personal data.

PURPOSE: Allow the data subject the free exercise of the right to Habeas Data or information self-determination by establishing a procedure to know, update, and rectify their personal information contained in the databases or files of C.I. NUTREO S.A.S.

CHAPTER I: GENERAL PROVISIONS

ARTICLE 1: Definitions: For the purposes of this manual and according to article 3 of Law 1581 of 2012 and other concordant regulations, the following definitions apply:

Authorization: Prior, express, and informed consent of the data subject for the processing of personal data.
Habeas Data: Autonomous and independent fundamental right enshrined in article 15 of the Colombian Constitution and developed by Law 1581 of 2012, giving individuals the ability to know, update, and rectify the information collected about them in databases and archives of public and private entities.
Privacy Notice: A physical, electronic, or any other format document generated by the responsible party and made available to the data subject for the processing of their personal data, informing them about the existence of the information processing policies applicable, the way to access them, and the characteristics of the intended processing of personal data.
Database: Organized set of personal data subject to processing.
Personal Data: Any information linked or that can be associated with one or more determined or determinable natural persons.
Public Data: Data qualified as such by law or the Constitution and that is not semi-private, private, or sensitive. Examples include information about individuals' civil status, profession or trade, commercial quality, or public servant status.
Private Data: Data that, due to its intimate or reserved nature, is only relevant to the data subject.
Sensitive Data: Data affecting the privacy of the data subject or whose misuse can lead to discrimination, such as those revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, union membership, or health, sexual life, and biometric data.
Semi-private Data: Data that is not intimate, reserved, or public, whose knowledge or disclosure may interest not only its data subject but also a certain sector or group of people or society in general.
Data Processor: A natural or legal person, public or private, who, alone or in association with others, processes personal data on behalf of the data controller.
Data Controller: A natural or legal person, public or private, who, alone or in association with others, decides about the database and/or the processing of data.
Data Subject: A natural person whose personal data is processed.
Processing: Any operation or set of operations on personal data such as collection, storage, use, circulation, or deletion.
Transmission: Processing of personal data involving communication of the data within or outside the territory of Colombia to carry out processing by the data processor on behalf of the data controller.

ARTICLE 2: Principles: C.I. NUTREO S.A.S. will respect the principles established in applicable regulations in the processing of personal data:

Principle of Legality: Processing personal data is a regulated activity subject to existing regulations.
Principle of Purpose: Processing must have a legitimate purpose according to the Constitution and the Law, informed to the data subject.
Principle of Freedom: Processing can only be conducted with prior, express, and informed consent of the data subject. Personal data cannot be obtained or disclosed without prior authorization or in the absence of a legal or judicial mandate that relieves the need for consent.
Principle of Veracity or Quality: Information subject to processing must be truthful, complete, accurate, updated, verifiable, and comprehensible. Processing of partial, incomplete, fragmented data, or data that induces error is prohibited.
Principle of Transparency: Processing must guarantee the data subject's right to obtain information about the existence of data concerning them at any time and without restrictions.
Principle of Access and Restricted Circulation: Processing is subject to the limits derived from the nature of the personal data, Habeas Data regulations, and the Constitution. Processing can only be done by authorized persons by the data subject and/or those provided in applicable regulations. Personal data, except public information, cannot be available on the Internet or other mass media unless access is technically controllable to provide restricted knowledge only to data subjects or authorized third parties according to Law 1581 of 2012.
Principle of Security: Information subject to processing by the data controller or processor must be managed with necessary technical, human, and administrative measures to ensure security and prevent its alteration, loss, consultation, unauthorized use, or fraudulent access.
Principle of Confidentiality: All persons involved in the processing of personal data that is not public are obliged to ensure the confidentiality of the information even after their relationship with any of the tasks comprising the processing has ended, only being able to supply or communicate personal data when it corresponds to the development of authorized activities according to the regulation developing the right to Habeas Data.
Principle of Temporality: Information of the data subject cannot be provided to users or third parties when it ceases to serve the purpose of the database.

CHAPTER II: RIGHTS OF THE DATA SUBJECTS AND DUTIES OF THE DATA CONTROLLER

ARTICLE 3: Rights: C.I. NUTREO S.A.S. will respect the rights of the data subject in the processing of personal data, as contained in article 8 of Law 1581 of 2012:

Know, update, and rectify their personal data before the data controllers or processors. This right can be exercised, among others, regarding partial, inaccurate, incomplete, fragmented data, or data inducing error, or those whose processing is expressly prohibited or has not been authorized.
Request proof of the authorization granted to the data controller, except when expressly exempted as a requirement for processing by article 10 of Law 1581 of 2012.
Be informed by the data controller or processor, upon request, about the use given to their personal data.
Revoke authorization and/or request deletion of data when processing does not respect constitutional and legal principles, rights, and guarantees, or when there is no legal or contractual duty to remain in the database or file. Revocation and/or deletion will proceed when the Superintendence of Industry and Commerce has determined that the data controller or processor has incurred in conduct contrary to the regulations developing the right to Habeas Data.
Access their personal data subject to processing free of charge.

ARTICLE 4: Duties of the Data Controllers: C.I. NUTREO S.A.S., as the data controller, complies with the following duties:

Ensure the data subject's full and effective exercise of the right to Habeas Data at all times.
Request and keep copies of the respective authorization granted by the data subject in the conditions provided in the applicable regulations.
Inform the data subject about the purpose of the collection and the rights they have by virtue of the authorization granted.
Maintain information under necessary security conditions to prevent its alteration, loss, consultation, unauthorized use, or fraudulent access.
Ensure that the information provided to the data processor is truthful, complete, accurate, updated, verifiable, and comprehensible.
Update information, timely communicating all updates regarding previously provided data to the data processor and adopting other necessary measures to keep the provided information updated.
Rectify information when incorrect and inform the data processor.
Provide the data processor with data whose processing is previously authorized according to applicable regulations.
Demand the data processor to respect security and privacy conditions of the data subject's information.
Process consultations and claims under the terms indicated in articles 14 and 15 of Law 1581 of 2012 and this manual.
Inform the data processor when certain information is under dispute by the data subject, once the claim has been submitted and the respective process has not been completed.
Inform, upon request, the data subject about the use given to their data.
Inform the data protection authority about security breaches and risks in the data subjects' information management.
Comply with instructions and requirements issued by the Superintendence of Industry and Commerce regarding Habeas Data.

CHAPTER III: PROCEDURE FOR ATTENDING TO CONSULTATIONS AND CLAIMS BY THE DATA SUBJECTS

ARTICLE 5: Area Responsible for Attention of Consultations and Claims: The department responsible for attending petitions, consultations, and claims where the data subject can exercise their rights to know, update, rectify, delete the data, or revoke authorization under the terms of the law is:

Address: Kilometer 9 Vía a Mamonal Zona Franca la Candelaria Acceso 2. Bodegas 5678 – Cartagena de Indias, Bolívar.
Email: raul.calderon@premexcorp.com
Phone: (574) 6041500

ARTICLE 6: Procedure for Consultations: To ensure information security, the data subject or their successors may choose to make the request in person or in writing. The consultation will be attended to within a maximum of ten (10) business days from the date of receipt. If it is not possible to attend the consultation within this term, the interested party will be informed of the reasons for the delay and the date when the consultation will be attended to, which will not exceed five (5) business days after the expiration of the first term.

PARAGRAPH I: If the data subject or their successors opt to make the consultation personally before the responsible area, they must fully identify themselves with a citizenship card or equivalent document.
PARAGRAPH II: If the data subject or their successors opt to submit their consultation in writing, the document must be notarized or presented before a competent authority, indicating the petitioner's address and attaching a copy of the personal identification document. If the consultation is made through an authorized person or attorney, the original authorization or notarized power of attorney must be attached, along with the personal identification document of the authorized person or attorney.
PARAGRAPH III: If the consultation concerns a deceased data subject, the spouse, permanent partner, child, or relative must submit a written request duly authenticated, accompanied by the data subject's death certificate. Additionally, they must present:
- Spouse or permanent partner: Original personal identification document and marriage certificate or extrajudicial declaration of the marital union.
- Children: Original personal identification document and a copy of the birth certificate.
- Other relatives: Original personal identification document and the data subject's and petitioner's civil registry documents proving the relationship.

ARTICLE 7: Procedure for Claims: The data subject or their successors, considering that the information contained in a database should be corrected, updated, or deleted, or when they notice the presumed non-compliance with any of the duties contained in Law 1581 of 2012, may submit a written claim to the responsible area under the following rules:

The claim will be formulated by a written request addressed to the responsible area, identifying the data subject, describing the facts giving rise to the claim, providing the address, and accompanying the documents they want to make valid. If the claim is incomplete, the interested party will be required within five (5) days following the receipt of the claim to correct the deficiencies. If two (2) months pass from the date of the requirement without the petitioner presenting the required information, it will be understood that they have withdrawn the claim.
Once the complete claim is received, a legend indicating "claim in process" and the reason for it will be included in the database within a maximum term of two (2) business days. This legend will be maintained until the claim is decided.
The maximum term to address the claim will be fifteen (15) business days from the day following the date of receipt. If it is not possible to address the claim within this term, the interested party will be informed of the reasons for the delay and the date when their claim will be addressed, which will not exceed eight (8) business days after the expiration of the first term.

CHAPTER IV: AUTHORIZATION

ARTICLE 8: Authorization: The processing of information by C.I. NUTREO S.A.S. requires the free, prior, express, and informed consent of the data subject. C.I. NUTREO S.A.S. has put in place necessary mechanisms to obtain the authorization from the data subjects, ensuring that the authorization can be subject to subsequent consultation.

PARAGRAPH: Public data, according to letter b) of article 10 of Law 1581 of 2012, does not require authorization from the data subject.

ARTICLE 9: Privacy Notice: Through the privacy notice, the data subject is informed about the existence of the information processing policies contained in this manual, as well as the characteristics of the intended processing of personal data, and it will contain at least the following information:

Identity, address, and contact details of the data controller.
Type of processing to which the data will be subjected and the purpose of the same.
General mechanisms provided by the data controller for the data subject to know the information processing policy. Informing the data subject how to consult the information processing policy.
PARAGRAPH: C.I. NUTREO S.A.S. will keep the model of the privacy notice transmitted to the data subjects while the personal data is being processed and as long as the obligations derived from it persist. C.I. NUTREO S.A.S. may use electronic or other means it deems appropriate to store the model.

CHAPTER V: NAME AND PURPOSE OF THE DATABASES AND/OR FILES

ARTICLE 10: Databases/Files and Purpose: C.I. NUTREO S.A.S. has information assets linked or associable with natural persons, such as employment histories, customer databases, and supplier databases.

ARTICLE 11: Validity: This internal manual of policies and procedures for the processing of personal data is effective from its date of issuance. The validity period of the databases will be governed by the provisions applicable to the matter in accordance with the principles of purpose and temporality of the information.

Issued in Medellín on December 6, 2013.