BIODIVERSAL S.A.S. BENEFIT AND COLLECTIVE INTEREST – BIC (hereinafter referred to as BIODIVERSAL) has made a commitment to carry out its activities in compliance with Law 1581 of 2012, Regulatory Decree 1377 of 2013, Decree 886 of 2014, and other regulations that form the Personal Data Protection Regime of Colombia, as well as the highest applicable standards in this field. BIODIVERSAL is committed to safeguarding the personal data of its clients, contractors, suppliers, employees, and the general public.
SCOPE
This policy is publicly accessible, allowing anyone who wishes to learn about the standards and procedures established by BIODIVERSAL regarding the Processing of Personal Data and the protection of the information contained in its Databases to access and consult it permanently.To ensure the rights of the Data Subjects, this Policy must be followed by all workers linked to BIODIVERSAL. Likewise, it applies to all agents, representatives, advisors, contractors, and persons acting on behalf of this company who process personal data. For the purposes of this policy, all individuals described above will be referred to as "BIODIVERSAL Personnel."
DEFINITIONS
Authorization: The prior, express, and informed consent of the Data Subject to carry out the Processing of Personal Data, in accordance with the purposes and terms of this Privacy and Personal Data Protection Policy.Database: The organized set of Personal Data in digital, electronic, or physical media, subject to Processing.Personal Data: Information that identifies a person or information linked to or that can be associated with one or several identified or identifiable individuals.Private Personal Data: Information that concerns only the Data Subject and has a reserved nature.Sensitive Personal Data: Personal data that affects the privacy of the Data Subject, whose misuse may lead to discrimination, such as those revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations, or political parties, as well as data related to health, sexual life, and biometric data.Public Data: Data that is not private, semi-private, or sensitive. Public data includes, among others, information related to the civil status of individuals, their profession or occupation, and their status as merchants or public servants. Public data may be contained, among others, in public records, official documents, official bulletins, and duly executed judicial rulings that are not subject to confidentiality.Data Processor: A person, either natural or legal, who independently or in association with others, carries out the Processing of Personal Data on behalf of BIODIVERSAL.BIODIVERSAL Personnel: All individuals linked to BIODIVERSAL who handle the processing of personal data and must comply with this Personal Data Protection Policy.Data Controller: BIODIVERSAL, when acting alone or in association with others, determines the purposes and processing of Personal Data contained in its Databases.Data Subject: The natural person whose Personal Data is processed.Transfer: The sending of Personal Data by a Data Controller and/or Data Processor located in Colombia to a Data Controller located inside or outside the country.Transmission: The Processing of Personal Data that involves the communication of such data within or outside the territory of Colombia, carried out by the Data Processor on behalf of the Data Controller.Processing: Any operation or set of operations on Personal Data, such as collection, storage, use, circulation, or deletion.
PRINCIPLES OF PERSONAL DATA PROCESSING
For the Processing of Personal Data, BIODIVERSAL will take into account the following principles:Principle of Legality in Data Processing: The Processing of Personal Data will be subject to the provisions of applicable laws in Colombia and other regulations that develop these laws.Principle of Purpose: Processing will be carried out for a legitimate purpose in accordance with the Colombian Constitution and Law, which will be communicated to the Data Subject.Principle of Freedom: Processing can only be carried out with the prior, express, and informed consent of the Data Subject. Personal Data will not be obtained or disclosed without prior authorization or in the absence of legal or judicial mandate that waives the need for consent.Principle of Truthfulness or Quality: The information subject to Processing will be truthful, complete, accurate, up-to-date, verifiable, and understandable.Principle of Transparency: The right of the Data Subject to obtain information about their Personal Data at any time and without restrictions will be guaranteed by BIODIVERSAL or the Data Processor.Principle of Restricted Access and Circulation: Processing will be subject to the limits derived from the nature of the Personal Data, the provisions of applicable laws, and this Policy. This means that Personal Data, except for public information, will not be available on the Internet or other mass media unless access is technically controlled to provide restricted knowledge only to the Data Subjects or authorized third parties.Principle of Security: Personal Data subject to BIODIVERSAL’s Processing or that of its Data Processor(s) will comply with the necessary technical, human, and administrative measures to ensure the security of Personal Data, preventing its alteration, loss, unauthorized consultation, use, or access.Principle of Confidentiality: All BIODIVERSAL Personnel involved in the Processing of Personal Data will be obligated to ensure its confidentiality, even after their relationship with any activity involving the Processing has ended. Personal Data may only be provided or communicated when it is necessary for authorized activities under the law.
AUTHORIZATIONS
BIODIVERSAL will request authorization so that the Data Subject provides their prior, express, and informed consent for the processing of their personal data.Authorization can also be obtained through unequivocal behavior of the Data Subject, which reasonably leads to the conclusion that they have provided consent for the processing of their information. These behaviors should clearly express the will to authorize processing.The Data Subject's consent may be obtained by any means that allows subsequent consultation, such as written, verbal, or virtual communication, or through unequivocal behaviors.By virtue of its nature and corporate purpose, BIODIVERSAL receives, collects, records, stores, modifies, reports, consults, delivers, transmits, transfers, shares, and deletes personal information, for which it obtains prior authorization from the Data Subject.The authorization granted by the Data Subjects to BIODIVERSAL allows, among other things, the following purposes: offering and providing product and service information, as well as consulting, reporting, and updating their data before information and risk operators; updating current contractual relationships and fulfilling agreed obligations, among others (see section VIII on purposes).BIODIVERSAL will adequately retain proof of these authorizations, ensuring compliance with and respecting the principles of privacy and confidentiality of the information.Similarly, when BIODIVERSAL deals with information related to the following types of data, the following special considerations will apply:Sensitive Data
For the processing of sensitive data, BIODIVERSAL will inform the Data Subject of the following:For the processing of this type of information, the Data Subject is not obliged to provide authorization or consent.It will be explicitly and previously informed what type of sensitive data will be requested.The Data Subject will be informed of the treatment and the purpose for which the sensitive data will be used.Authorization for sensitive data must be prior, express, and clear.Children's and Adolescents' Data
BIODIVERSAL will ensure that the processing of this type of data complies with the rights of children and adolescents. In this sense, their special status will be protected, and their fundamental rights will be respected, in accordance with Articles 5, 6, and 7 of Law 1581 of 2012, and Articles 6 and 12 of Decree 1377 of 2013, and other laws that modify or add to these.To comply with the above, BIODIVERSAL will act in accordance with the following:Authorization will be requested from the legal representative of the child or adolescent, after exercising the minor's right to be heard. Their opinion will be evaluated taking into account their maturity, autonomy, and ability to understand the matter, in order to process their personal data.It will be informed that responding to questions regarding the child's or adolescent's data is optional.It will be explicitly and previously communicated which data is subject to processing and the purpose of such processing.BIODIVERSAL informs all its stakeholders that, in accordance with Article 10 of Law 1581 of 2012, the Data Subject's authorization is not required in the following cases: (1) information required by a public or administrative entity in the exercise of its legal functions or by court order, (2) public data, (3) cases of medical or health emergencies, (4) information processing authorized by law for historical, statistical, or scientific purposes, and (5) data related to the Civil Registry of Persons.
ACCESS TO PERSONAL DATA
The information stored in BIODIVERSAL's Databases may be shared internally with the workers responsible for processing Personal Data in accordance with the purposes mentioned in this Policy and/or in the authorization request for Processing granted by the Data Subject.BIODIVERSAL will not share or deliver Personal Data stored in its Databases to third parties unrelated to this company. However, when the purpose so requires, Personal Data may be legitimately transmitted or transferred to BIODIVERSAL's commercial allies or service providers to meet specific contractual or commercial objectives. In the event that BIODIVERSAL considers it necessary to transfer Personal Data, it will only be done in strict compliance with legal requirements.In any of these events, BIODIVERSAL commits to taking all pertinent measures to ensure that the Processing of the information by its Data Processors and/or its commercial allies or service providers is carried out in strict compliance with this Policy.PURPOSES OF PROCESSING
Without prejudice to what is stated in the authorization request or corresponding contract, the Processing of Personal Data carried out by BIODIVERSAL has the following general purposes:To carry out all activities necessary for the development of BIODIVERSAL's corporate purpose.To adequately provide the contracted services, as well as keep the Data Subjects informed about the progress, status, and other topics related to the contracted activity.To carry out all activities necessary to properly execute existing contracts with workers, suppliers, clients, and other commercial contacts.To maintain efficient communication of information useful for the development and fulfillment of existing contracts with workers, suppliers, clients, and other commercial contacts.To manage the administrative tasks associated with the development of BIODIVERSAL's corporate purpose.To send commercial information about the activities carried out by BIODIVERSAL and the launch of new products or services.To send communications by physical mail, email, mobile device, or through any other analogous and/or digital means of communication with commercial, advertising, or promotional information about BIODIVERSAL's services, events, promotions, campaigns, and/or contests of a commercial or advertising nature.To contact clients in case of complaints, claims, or suggestions about BIODIVERSAL's services.To conduct satisfaction campaigns, monitor the provision of its services, and evaluate the quality of the services provided by its workers.To comply with obligations contracted with BIODIVERSAL's workers related to the payment of wages, social benefits, and other obligations derived from the employment relationship.To develop processes for selection, evaluation, and employment linkage.To contact and contract suppliers of products or services that BIODIVERSAL requires for the development of its activities and the natural supply of its facilities or offices, as well as to make the necessary requests for reporting tax-related information about them.To provide information to supervisory and control authorities and support internal or external audit processes.To conduct statistical studies or accounting processes.To comply with legal standards of Data Subject knowledge.To establish, maintain, and deepen the contractual relationship.To update information.To evaluate credit risk.To determine the level of indebtedness in a consolidated manner.To send messages containing commercial, marketing, personal, institutional, product or service, or other information that BIODIVERSAL considers relevant to the mobile and/or cell phone, email, physical mail, or any other means of communication.To be consulted, exchanged, or circulated by BIODIVERSAL with any entity in the real sector, entities under the supervision and control of the Financial Superintendence, and/or with any information operator and/or national or foreign database.To validate and verify the client's identity for the offering and management of products and services, and to share the information with various market players, including but not limited to strategic allies.
COMMITMENT TO PRIVACY AND SECURITY
BIODIVERSAL is committed to the confidentiality and privacy of the Personal Data stored in its Databases, under access and availability restrictions, preventing unauthorized third-party consultation.Based on this, BIODIVERSAL guarantees Data Subjects that their Personal Data will be stored under standard security conditions typical of the industry, preventing their alteration, loss, theft, public consultation, unauthorized or fraudulent use or access, as well as the implementation of internal practices that contribute to a secure information environment.
PROCESSING OF CHILDREN’S AND ADOLESCENTS' DATA
BIODIVERSAL understands that the processing of personal data of children or adolescents is prohibited, except when it involves public data. Therefore, it commits not to collect Personal Data from minors under 18 years of age without the authorization of their legal representative, in which case BIODIVERSAL will consider: i) respect for fundamental rights; and, ii) respect for the best interests of children and adolescents.In this case, BIODIVERSAL will make its best effort to verify that the person acting as the legal representative of the child or adolescent truly holds that status. However, BIODIVERSAL will assume good faith from the person providing authorization for the processing of the child or adolescent's personal data and who claims to have legal representation.
PROCESSING OF SENSITIVE DATA
BIODIVERSAL commits to avoiding the processing of sensitive data. However, when it is absolutely necessary, BIODIVERSAL will handle the processing of sensitive data (according to the purposes listed earlier) and commits to:Informing the Data Subject explicitly and in advance, in addition to the general requirements for authorization for the collection of all Personal Data, that the data to be processed is sensitive and the specific purpose of its processing.Informing the Data Subject that, as it concerns sensitive data, they are not obliged to authorize its processing.Notwithstanding the above, BIODIVERSAL appreciates the prudence and discretion of Data Subjects in disclosing sensitive data and requests that under no circumstances sensitive data be disclosed to BIODIVERSAL without prior, free, and informed consent. If you have doubts about the need to provide sensitive data, please contact us before disclosing this information.
TRANSMISSION OF PERSONAL DATA
If BIODIVERSAL does not have the technical capacity to carry out certain activities involving the Processing of Personal Data, it may transmit the Personal Data or the Databases it deems pertinent to third-party Data Processors.In these cases, BIODIVERSAL will ensure that the Data Processor complies with the terms established in this Privacy and Personal Data Protection Policy and adheres to the same standards of protection, information security, and guarantees for Data Subjects.
TEMPORARY LIMITATIONS ON PERSONAL DATA PROCESSING
BIODIVERSAL will retain a record of information related to workers, suppliers, and/or clients during and after the contractual relationship. These records may include Personal Data, which, after the contractual relationship has ended, will be retained for a reasonable period until the information is no longer required to fulfill legal, administrative, audit, or regulatory requirements.Additionally, BIODIVERSAL, after the contractual relationship has ended, will retain the contact information of Data Subjects to send news, information updates, and invitations to events held or sponsored by BIODIVERSAL, unless a request to revoke the Processing of Personal Data is made, in which case, the information will be deleted for the purposes mentioned.Lastly, BIODIVERSAL will store and process the Personal Data necessary to fulfill its legal obligations.
PROHIBITION OR REVOCATION OF AUTHORIZATION FOR PERSONAL DATA PROCESSING
Data Subjects are free to prohibit or not authorize the Processing of their Personal Data by BIODIVERSAL, except when legal or contractual requirements make it necessary to retain the data. However, if certain clients, suppliers, current or former employees do not authorize the use of their Personal Data or request the revocation of authorization for its Processing, BIODIVERSAL may be unable to continue the commercial relationship or provide services due to a lack of necessary information for these purposes.In this regard, if the Data Subject insists on revoking authorization for Personal Data Processing, BIODIVERSAL is not responsible for non-compliance with pre-contractual or contractual obligations, or for the cessation of particular benefits that third parties may access through regular communication with BIODIVERSAL, as a result of the lack of authorization or revocation of authorization for Personal Data Processing.
RIGHTS OF DATA SUBJECTS
Data Subjects of Personal Data stored in BIODIVERSAL's Databases have the following rights:To know, update, and rectify their Personal Data: Data Subjects may exercise this right in relation to partial, inaccurate, incomplete, fragmented data, or data that induces error.In compliance with the principles that should govern Personal Data Processing, BIODIVERSAL is committed to making its best efforts to ensure that the information contained in its Databases is accurate, complete, and up-to-date. To this end, BIODIVERSAL may ask its clients, suppliers, and employees to update their information permanently.Right to request proof of authorization: Data Subjects may request proof of the authorization granted for the Processing of their data, except in cases indicated in this Policy.Right to be informed about the use of their Personal Data: Data Subjects have the right to know at any time how their Personal Data has been used, upon request directed to BIODIVERSAL or its Data Processor.Right to revoke authorization and/or request the deletion of personal data: Data Subjects may revoke the authorization granted to BIODIVERSAL for the Processing of their Personal Data, if they find that the principles, rights, and constitutional and legal guarantees have not been respected, as well as request the deletion of Personal Data for which Processing is not expressly prohibited or has not been authorized.Right to access their Personal Data: Data Subjects whose Personal Data is processed may access it for free.Right to file complaints: Data Subjects may file complaints with the Superintendence of Industry and Commerce for violations of the provisions of the current regulations.Right to refrain from answering questions about sensitive data: Data Subjects whose Personal Data is processed may refrain from answering questions about sensitive data. It is optional to answer questions regarding sensitive data or data about children and adolescents
RIGHTS OF DATA SUBJECTS
Data Subjects of Personal Data stored in BIODIVERSAL's Databases have the following rights:To know, update, and rectify their Personal Data: Data Subjects may exercise this right in relation to partial, inaccurate, incomplete, fragmented data, or data that induces error.In compliance with the principles that should govern Personal Data Processing, BIODIVERSAL is committed to making its best efforts to ensure that the information contained in its Databases is accurate, complete, and up-to-date. To this end, BIODIVERSAL may ask its clients, suppliers, and employees to update their information permanently.Right to request proof of authorization: Data Subjects may request proof of the authorization granted for the Processing of their data, except in cases indicated in this Policy.Right to be informed about the use of their Personal Data: Data Subjects have the right to know at any time how their Personal Data has been used, upon request directed to BIODIVERSAL or its Data Processor.Right to revoke authorization and/or request the deletion of personal data: Data Subjects may revoke the authorization granted to BIODIVERSAL for the Processing of their Personal Data, if they find that the principles, rights, and constitutional and legal guarantees have not been respected, as well as request the deletion of Personal Data for which Processing is not expressly prohibited or has not been authorized.Right to access their Personal Data: Data Subjects whose Personal Data is processed may access it for free.Right to file complaints: Data Subjects may file complaints with the Superintendence of Industry and Commerce for violations of the provisions of the current regulations.Right to refrain from answering questions about sensitive data: Data Subjects whose Personal Data is processed may refrain from answering questions about sensitive data. It is optional to answer questions regarding sensitive data or data about children and adolescents.PROCEDURES FOR HANDLING INQUIRIES AND PETITIONS
Directly responsible for handling petitions, inquiries, or claims:Security Information Officer: Luis Felipe Arias Rojas
Email: legal@thecoffeehub.co
PETITIONS OR INQUIRIES
Inquiries or petitions should be sent to the email address: legal@thecoffeehub.coIn the email, the Data Subject must fully identify themselves and clearly describe their inquiry or petition. If the request is made on behalf of someone else, please indicate the capacity in which you are acting and attach the document authorizing you to make the inquiry or petition, such as a power of attorney, civil registry, among others.BIODIVERSAL will respond to your inquiry or petition within a maximum of ten (10) business days from the date of receipt of the inquiry.If it is not possible to respond to the inquiry within the mentioned period, BIODIVERSAL will inform the interested party, explaining the reasons for the delay and indicating the new period for responding to the inquiry or petition, which will not exceed five (5) business days from the expiration of the original term.
CLAIMS
Requests for correction, updating, or deletion of Personal Data should be directed to the email address: legal@thecoffeehub.coIn the email, the Data Subject must fully identify themselves. If the request is made on behalf of someone else, please indicate the capacity in which you are acting and attach the document authorizing you to make the claim, such as a power of attorney, civil registry, among others.If the claim relates to a possible breach of any of BIODIVERSAL's duties, the reason for the breach must be detailed.If the claim is incomplete, BIODIVERSAL will request the interested party to correct the inaccuracies within five (5) business days following the receipt of the claim. If two (2) months have passed since the request without the claimant providing the required information, BIODIVERSAL will consider the claim withdrawn.If BIODIVERSAL receives a claim that it is not competent to resolve, it will transfer the claim to the relevant party within a maximum of two (2) business days and inform the interested party.Once a complete claim is received, BIODIVERSAL will include a label in the relevant Database indicating "claim in process" and the reason for it, within no more than two (2) business days. This label will remain until the claim is resolved.BIODIVERSAL will respond to the claim within a maximum of fifteen (15) business days from the day following its receipt.If it is not possible to respond to the claim within this period, BIODIVERSAL will inform the interested party of the reasons for the delay and the date when the claim will be addressed, which in no case will exceed eight (8) business days following the expiration of the first period.
PERSONS AUTHORIZED TO PROVIDE INFORMATION ABOUT PERSONAL DATA
For all purposes, BIODIVERSAL may only provide information contained in its Databases to:The Data Subjects, their heirs, or their legal representatives.Public or administrative entities in the exercise of their legal functions or by court order.Third parties authorized by the Data Subject or by law.BIODIVERSAL reserves the right to request additional documentation to verify the identity of the person requesting the information.
CONTACT INFORMATION FOR BIODIVERSAL AS THE DATA CONTROLLER
Corporate name: BIODIVERSAL S.A.S. BENEFIT AND COLLECTIVE INTEREST – BIC
NIT: 901.179.541 – 0
Domicile: Bogotá, Bogotá D.C., Colombia
Address: Calle 70ª # 5 – 37
Contact phone: +57 310 5875103
Email: legal@thecoffeehub.co
Website: https://biodiversal.com/
MODIFICATION OF THIS POLICY
This policy may be modified at any time, so we recommend regularly or periodically reviewing it on our website.