SERENDIPIA GROUP S.A.S.

POLICY FOR THE PROCESSING OF PERSONAL DATA

SERENDIPIA GROUP S.A.S, a company dedicated to the marketing of products, export and import, identified with NIT 900730402-4, with main address at calle 17 number 7-12, office 1101, Centro Empresarial building, recognizes the importance of security , privacy and confidentiality of the personal data of its workers, clients, suppliers and in general of all its agents of interest with respect to whom it exercises personal information treatment.

TITLE I

DEFINITIONS

The concepts presented below are the result of what is stated in Law 1581 of 2012 and article 15 of the Political Constitution of Colombia.

a) Authorization: Prior, express and informed consent of the Holder to carry out the Processing of personal data.
b) Database: Organized set of personal data that is subject to Treatment.
c) Personal data: Any information linked or that can be associated with one or more specific or determinable natural persons.
d) Treatment Manager: Natural or legal person, public or private, who, by itself or in association with others, performs the Treatment of personal data on behalf of the Treatment Manager.
e) Responsible for the Treatment: Natural or legal person, public or private, that by itself or in association with others, decides on the database and/or the Treatment of the data.
f) Owner: Natural person whose personal data is subject to Treatment.
g) Treatment: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.
h) Area in charge of Personal Data Protection/Privacy Officer: Responsible within the Company, in charge of monitoring, controlling and promoting the application of the Personal Data Protection Policy.

TITLE II

LEGAL FRAMEWORK APPLICABLE TO TREATMENT

By virtue of this policy, the following normative references and the procedures / guidelines issued by the Company for the processing of personal data will be applied.

Political Constitution of Colombia.

Law 1581 of 2012.

Single Decree 1074 of 2015.

Regulatory Decrees.

Circular 002 of 2015 of the Superintendency of Industry and Commerce.

Applicable jurisprudence.

This Personal Data Processing Policy.

Manual of procedures for the processing of personal data.

Guidelines for the supervision of the processing of personal data.

Guidelines for relations with third parties.

TITLE III

PRINCIPLES TO WHICH THE TREATMENT IS SUBJECT

In any case, the processing of personal data that is carried out on the occasion of this Treatment Policy must be strictly governed by the following principles:

Legality: The Treatment must be subject to the provisions of the Law.

Purpose: The purpose of the Treatment must be legitimate, temporary and informed to the owner.

Reasonable limit: The storage and processing of personal data will be limited to what is essentially necessary to fulfill the previously specified purposes of the business relationship, as well as the fulfillment of the purposes authorized by the Owner.

Freedom: The data can be processed only with the prior, express, informed and self-determined consent of the owner or by legal or judicial mandate.

Veracity or quality: The information must be true, complete, accurate, updated, verifiable and understandable.

Transparency: The owner’s right to obtain information about their data at any time and without restrictions must be guaranteed.

Restricted access and circulation: Treatment may only be done by persons authorized by the Owner or by the persons provided for in the Law.

Security: The information must be handled with the necessary measures to provide security to the records and prevent their adulteration, loss, consultation, use or unauthorized or fraudulent access.

Confidentiality: Personal data that is not of a public nature is reserved and can only be provided under the terms of the Law. Any person involved in the processing of information must guarantee its reserved nature.

TITLE IV

PURPOSES OF TREATMENT

In its capacity as responsible for the processing of the data collected, the company declares that they will be processed on the occasion of one(s) of the following purpose(s):

Security and Surveillance Management:

Register and control the access and exit of workers to the Company’s facilities through the established security processes, in order to mitigate the risk in the development of the different operations of the Company and structure an absenteeism control.

Register, control and verify the access of visitors to the Company’s facilities, through the entry form.

Monitor through closed circuit video surveillance the entry and exit of workers, contractors and visitors to the warehouses and facilities of the Company.

Human Management and Labor Relations:

Evaluate and manage the contractual documents of the Company’s personnel, in order to prove the work history of each of the workers.

Manage, promote and accredit the training and education programs for the Company’s internal/external personnel, in accordance with the requirements of the position and the established guidelines.

Management and control of the absenteeism of the Company’s workers, in order to promote the development of prevention and health campaigns at work.

Control and monitoring of the health status of the Company’s workers in order to establish occupational safety policies.

Monitoring of the controls of the safety and health system at work, in order to mitigate risks and coordinate the appropriate care of work accidents.

Manage the delivery of the endowments to the Company’s workers in accordance with the characteristics of the position.

Promote the development for the implementation of road safety policies and programs, in order to prevent accidents and unforeseen events for the Company’s motorized workers.

Control and follow-up of the contractual relationship procedures and withdrawal of the Company’s personnel.

Financial and Accounting Management:

Control and monitoring of the financial and accounting obligations of the Company in order to avoid maturities and tax penalties.

Manage the income and expenses of the Company in order to project the financial statements.

Establish contact with financial entities, to exercise control and monitoring of payment operations and bank accounts that are managed corporately.

Commercial and Corporate Management:

Legally and commercially bind customers, suppliers and third parties.

Manage the consolidation of the company’s clients and suppliers in order to have physical support of their relationship and carry out loyalty activities.

Control of the satisfaction surveys carried out on the Company’s suppliers in order to standardize the services.

Control and follow-up of the procedures for dealing with queries and claims presented to the Company.

Administrative management:

Establish supplier selection controls in accordance with the Company’s internal guidelines.

Monitoring of customer service procedures for consumers, customers and suppliers.

Support of internal auditing processes for each of the Company’s areas and operations.

Support of external audits carried out by certifying entities.

Creation of users to access the domains and technological applications of the company according to the requirements of the position.

Management and control of the Company’s enterprise resource planning software.

TITLE V

RIGHTS THAT ASSIST THE HOLDER OF THE INFORMATION

Know, update and rectify your personal data that is being processed by the company or those in charge of processing.

Request proof of the authorization granted to the Company, except when expressly excepted as a requirement for treatment.

Revoke the authorization and/or request the deletion of the data when the principles, rights and constitutional and legal guarantees are not respected in the treatment.

Submit complaints to the Superintendency of Industry and Commerce for violations of the provisions of Law 1581 of 2012.

Know our treatment policy, and the substantial changes that may occur in the treatment policies.

TITLE VI

TRANSMISSION AND INTERNATIONAL TRANSFER OF DATA

On the occasion of the activities carried out by the Company, it may transfer and/or transmit information so that it is processed by responsible third parties within and outside the national territory. This transfer of personal data must be carried out in strict compliance with the provisions of this treatment policy and the security standards implemented by the Company. For the transfer, the Company will request authorization from the Owner of the information.

TITLE VII

AUTHORIZATION OF TREATMENT

For the treatment of personal information, the Company will request prior and informed authorization from the holders of the information, this may be written, verbal or through unequivocal conduct. The Company will keep proof of the authorizations obtained for data processing.

TITLE VIII

PROCEDURE FOR THE PRESENTATION OF CLAIMS, INQUIRIES AND CLAIMS

The Company will have the channels and processes established in the manual of procedures for the processing of personal data that is part of this policy for queries and claims, and will carry out the activities established in its procedure for dealing with queries and claims for your attention and processing. .

Queries

The owner of the information, his successors in title or any other person with a legitimate interest, will make inquiries through written communication or by email, in which:

Determine your identity, including your name and identification number

The reason for the consultation is specified clearly and expressly

The legitimate interest with which it acts is accredited, attaching in any case the due supports.

Indicate the physical or electronic correspondence address to which the response to the request can be sent.

In accordance with article fourteen (14) of Law 1581 of 2012: “The query will be answered within a maximum term of ten (10) business days from the date of receipt of the same. When it is not possible to attend it within of said term, the interested party will be informed, stating the reasons for the delay and indicating the date on which their query will be resolved, which in no case may exceed five (5) business days following the expiration of the first term.”

Claims

The owner, his successors in title or any other person with a legitimate interest who consider that the information contained in a database should be subject to correction, updating, deletion, or revocation of the authorization granted for the treatment, or when they notice the alleged breach of any of the duties contained in Law 1581 of 2012, may, by physical or electronic means, submit a timely claim to the responsible area. In accordance with article fifteen (15) of Law 1581 of 2012, said claim will be appropriate once compliance with the following requirements is verified:

“The claim must: i) include the identity of the claimant, citing their name and identification number; ii) clearly and expressly specify the reason for the query; iii) prove the legitimate interest with which the claimant acts, enclosing in any case the due supports and, iv) indicate the physical or electronic correspondence address to which the response to the request should be sent. If it is found that the claim is incomplete, “the interested party will be required within five (5) days after receiving it to correct the faults. After two (2) months have elapsed from the date of the request, without the applicant present the required information, it will be understood that the claim has been withdrawn.”

In the event that the Company is not competent to resolve the claim, it will transfer it to the appropriate party within a maximum term of two (2) business days and will inform the interested party of the situation.

“Once the complete claim is received, a legend will be included in the database that says “claim in process” and the reason for it, in a term not exceeding two (2) business days. Said legend must be maintained until the claim is decided.”

“The maximum term to deal with the claim will be fifteen (15) business days counted from the day following the date of its receipt. When it is not possible to deal with it within said term, the interested party will be informed of the reasons for the delay and the date on which your claim will be resolved, which in no case may exceed eight (8) business days following the expiration of the first term.”

The request for deletion of the information and the revocation of the authorization will not proceed when the owner has a legal or contractual duty to remain in the database.

If the respective legal term expires, the person in charge and/or the person in charge, as the case may be, have not eliminated the personal data, the owner will have the right to request the Superintendence of Industry and Commerce to order the revocation of the authorization and/or the deletion of personal data. For these purposes, the procedure described in article 22 of Law 1581 of 2012 will be applied.

TITLE IX

ATTENTION OF INQUIRIES AND CLAIMS

The Company has an area responsible for receiving, attending to and resolving queries and claims from personal data holders or persons authorized to do so. Holders may present their queries and claims through the following channels:

Email: comercial2@accesointernacional.com

Physical address: calle 17 number 7-12 office 1101 business center building

Phone: 3008264204

TITLE X

MODIFICATIONS TO THE POLICY

The company reserves the right to modify the privacy policy of personal information at any time. For this purpose, a notice will be published on the website or in the mechanism enabled by the Company 15 business days prior to its implementation and during the validity of the policy. In case of not agreeing with the new personal information management policies, the owners of the information or their representatives may request the withdrawal of their information through the means indicated above. However, it will not be possible to request the withdrawal of the data while maintaining a link of any order with the entity.

TITLE XI

VALIDITY

This policy will be in force from March 2017.