Personal Data Processing Policy

SOFTWARE QUALITY ASSURANCE SQA S.A

1. IDENTIFICATION OF THE CONTROLLER

Company Name and Identification: Software Quality Assurance SQA S.A, from now on, referred to as SQA S.A, a commercial company identified with NIT. 811.042.907-7 and created by public deed No. 16 on January 08, 2004, registered in the Chamber of Commerce of Medellin on January 16, 2004.

Domicile and Address. SQA S.A. has its domicile in the city of Medellín, and its main office is located at CRA 43B # 9-33.

E-mail: info@sqasa.com

Telephones: (574) 448 85 67

2. DEFINITIONS

For purposes of this policy and in accordance with the provisions of Statutory Law 1581 of 2012, it is understood:

Authorization: Prior, express and informed consent of the holder to carry out the processing of personal data;
Database: Organized set of personal data that is the object of the processing;
Personal data: Any information linked to or that may be associated with one or more specific or determinable natural persons;
The person in charge of the Treatment: Natural or legal person, public or private, that by itself or in association with others, carries out the treatment of personal data on behalf of the person in charge of the treatment;
Data controller: A natural or legal person, public or private, who by himself or in association with others, decides on the database and/or the processing of the data;
Holder: Natural person whose personal data are subject to processing;
Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.

3. TREATMENT TO WHICH THE DATA WILL BE SUBMITTED AND ITS PURPOSE

The treatment of the personal data of the person with whom SQA S.A. had established or established a relationship, permanent or occasional, will be carried out within the legal framework that regulates the matter. In any case, personal data may be collected and processed for:

Develop the corporate purpose of SQA S.A. in accordance with its legal statutes.
Comply with applicable tax and commercial regulations.
Comply with the provisions of the Colombian legal system in labor and social security matters (Health, Pension, Labor Risks, and Parafiscal), among others, applicable to former employees, current employees, and candidates for future employment.
To send commercial information of SQA S.A. and to carry out surveys related to the services or goods that it renders.
Develop programs in accordance with its bylaws.
Fulfill all its contractual commitments to customers, suppliers, and employees.
To make it available to its final clients in order to determine the suitability and technical capacity for the development of the activities for which they contract SQA S.A.
Administration of information systems, management of keys, administration of users required for the provision of the service.

Sensitive data

Sensitive data are those data that affect the privacy of the owner or whose improper use may lead to discrimination. In the case of sensitive personal data, SQA S.A. may use and process them when:

The holder has given his explicit authorization, except in cases where the law does not require the granting of such authorization.
The processing is necessary to safeguard the vital interest of the holder, and this is physically or legally incapacitated. In these events, the legal representatives must grant their authorization.
The processing is carried out in the course of legitimate activities and with due guarantees by a foundation, NGO, association or any other non-profit organization, whose purpose is political, philosophical, religious or trade union, provided that they refer exclusively to its members or persons who maintain regular contacts by reason of their purpose. In these events, the data may not be provided to third parties without the authorization of the owner.
The processing refers to data that are necessary for the recognition, exercise, or defense of a right in a judicial process.
The processing has a historical, statistical, or scientific purpose. In this event, the measures leading to the suppression of the identity of the owners must be adopted.

SQA S.A. will restrict the processing of sensitive personal data to what is strictly necessary and will request the holder's prior, express and informed consent on the purpose of its processing. This authorization must be obtained by any means that may be subject to consultation and subsequent verification.

4. RIGHTS OF THE DATA SUBJECT

In accordance with the provisions of the applicable data protection regulations in force, the holders of personal data have the right to:

To access, know, update, and rectify your data concerning SQA S.A. in its capacity as a data controller. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading, or those whose processing is expressly prohibited or has not been authorized.
Request proof of the authorization granted to SQA S.A. for the processing of data, by any valid means, except in cases where approval is not required.
To be informed by SQA S.A., upon request, regarding the use you have made of your data.
Present before the Superintendence of Industry and Commerce, complaints about infractions to the provisions of Law 1581 of 2012 and the other regulations that modify, add, or complement it, before consultation or request before SQA S.A.
Revoke the authorization and request the deletion of the data.
Access, free of charge, your data that have been subject to treatment at least once every calendar month, and each time there are substantial modifications to this policy that motivate new consultations.

These rights may be exercised by:

● The holder, who must prove his/her identity sufficiently by the different means made available to him/her by SQA S.A.
● The successors in title of the holder, who must accredit such quality.
● The representative and proxy of the holder, previous accreditation of the representation, or proxy.
● Other in favor or for which the holder has stipulated.

Note

For the personal data corresponding to Employees of SQA S. A. The information of the EMPLOYEE has by virtue of the contractual bond that binds it with the Company, reason for which it will apply the exception that treats the article 9 subsection second and article 11 final part of the first subsection of the Decree 1377 of 2013, that indicates: the revocation of the authorization will not proceed when the information is required for the fulfillment of a contractual obligation, that is precisely the one that exists between SQA S.A., and THE EMPLOYEE.

5. RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA

SQA S.A. will be responsible for the processing of personal data. The administrative and financial processes will be responsible for the processing of personal data. Any communication on the matter must be made through the following written service channels.

Carrera 43B # 9-33 Medellín
Calle 94A # 11A-39 Bogotá
Email: pqrsf@sqasa.com

6. PROCEDURE FOR HANDLING QUERIES, COMPLAINTS, REQUESTS FOR RECTIFICATION, UPDATING AND DELETION OF DATA

The holders or their successors in title may consult the personal information of the holder that rests in SQA S.A, who will provide all the information contained in the individual register or that is linked to the identification of the holder. Likewise, SQA S.A. provides the mechanism through which the holder can raise claims for updating, rectifying, deleting the data, or revoking the authorization definitively.

The procedures to attend the consultations, claims or petitions of the holder are defined based on Statutory Law 1581 of 2012 and are the following:

CONSULTATIONS

The Owners or their successors in title may consult the personal information of the Owner that rests in any database, whether in the public or private sector. The Responsible of the Treatment or Person in charge of the treatment will have to supply to all the information contained in the individual registry, or that is linked with the identification of the holder.

The consultation will be formulated by the means enabled by the Responsible of the Treatment or Responsible of the Treatment, as long as it is possible to maintain proof of this.

The consultation will be attended in a maximum term of ten (10) working days counted from the date of receipt of the same one. When it is not possible to participate in the consultation within said term, the interested party will be informed, expressing the reasons for the delay and indicating the date on which his consultation will be attended, which in no case may exceed five (5) working days following the expiration of the first term.

Paragraph. The provisions contained in special laws or regulations issued by the National Government may establish lower terms, taking into account the nature of the personal data.

CLAIMS

The Owner or his successors in title who consider that the information contained in a database should be subject to correction, updating or deletion, or when they notice the alleged breach of any of the duties included in this law, may file a complaint with the Responsible for Treatment or the Responsible for Treatment which will be processed under the following rules:

1. The claim shall be formulated by means of a request addressed to the Responsible for the treatment or to the Responsible for the procedure.