Política de Tratamiento de Datos

KORNER SAS
PERSONAL DATA PROCESSING AND PROTECTION POLICY
1. Who We Are and the Purpose of This Personal Data Processing Policy.

KORNER SAS (hereinafter THE COMPANY) is a company incorporated in Colombia and is responsible for the processing of personal data collected in Colombia.

Our contact information is:

Department: Legal Management.

e-mail: contacto@korner.com.co

Address: Carrera Séptima No. 155 C 20, Office 4504

Phone: 601-2411450

Your privacy is important to THE COMPANY, and our policy is to comply with existing laws and regulations regarding the handling of your personal data. That is why we want our customers to understand our practices for collecting and processing personal data, thereby ensuring the highest level of trust and security. This Personal Data Processing Policy (hereinafter, the “Privacy Policy”) aims to enhance national programs for the protection of personal information. THE COMPANY has adopted Information Privacy Principles, which must be followed by its employees and contractors when handling personal information. This Privacy Policy has been developed in accordance with Colombian law and THE COMPANY’s Data Privacy principles and detailed guides of the Data Privacy Program. Data subjects accept the processing of their personal data under the terms of this Privacy Policy and authorize us to process it according to this policy when they provide data through different means or channels.

2. Personal Information Collected.

What type of personal information do we collect and process?

Personal information may be maintained manually or electronically, and collected on paper, electronic systems, photos, videos, voice collection systems, emails, or removable media. Personal information may or may not be related to business matters, such as office address, phone numbers, or email addresses. Personal information may be associated with an employee, contractor, vendor, supplier, partners, and/or third parties.

For the purpose of processing, we may collect the following personal information with your authorization, depending on your type of relationship with THE COMPANY.

First and Last Name
Date of Birth
Gender
State
Marital status and/or relationship to minors or individuals with disabilities requesting our services.
Nationality
Citizen ID or identification document
Passport number and expiration date
Email
Contact phone number
Address
Information and personal data collected through surveys, focus groups, or other market research methods.
Information requested by representatives from the sales and/or customer relations departments for the purpose of handling requests or complaints.
Demographic information such as, for example, information about your company or business, age, gender, interests, preferences, and favorites.
Information about your visits to our websites, including the pages you view, the links and advertisements you click on, the search terms you enter, and other actions you take in relation to THE COMPANY’s services and websites. All of THE COMPANY’s databases are stored in Colombia. THE COMPANY only uses customer information to transmit it to third parties responsible for managing the information in accordance with this policy.
How Do We Collect Information?

We may ask you to provide personal information when you:

Use our website;
Request quotes, services, customer support, or information;
Place orders for products or services;
Participate in surveys, contests, or other promotional activities;
Subscribe to newsletters, promotional emails, or other materials;
Apply for a job, submit your resume, or create a candidate profile,
Please contact us through any authorized means or channel. To offer you a more systematic and personalized experience in your interactions with THE COMPANY, the information collected from one source may be combined with information obtained through other resources of THE COMPANY. We may also supplement the information we gather with information obtained from other parties. Some services of THE COMPANY may have co-branded marks and be offered jointly with another company. If you register for or use these services, both THE COMPANY and the other company may receive information collected jointly through the co-branded services and use the information in accordance with each company’s privacy statement and other agreements made with you.
3. Processing of Sensitive Data and Data of Minors.

In accordance with Law 1581 of 2012, sensitive data is understood to be information that affects the privacy of the data subject or whose improper use may lead to discrimination, such as data revealing racial or ethnic origin; political orientation; religious or philosophical beliefs; membership in unions, social organizations, or human rights groups; data related to health, sexual life, and biometric data. In the event that we collect and process your sensitive data, it will be handled with careful adherence to the provisions of Law 1581 of 2012 and this Privacy Policy. Data subjects are informed that they are not obligated under any circumstances to authorize the processing of sensitive data, and therefore the provision of our services is not conditioned on the provision of this sensitive information, unless such information is strictly necessary to comply with THE COMPANY's obligations and, if not provided, would make the provision of the service impossible.

THE COMPANY takes the privacy of children and adolescents very seriously. Children and minors may be users of the products and services we offer, provided they act through or are duly authorized by their parents or legal guardians. We will ensure the proper use of the personal data of children and minors, guaranteeing that in the processing of their data, their best interests and fundamental rights are respected, and, whenever possible, taking into account their opinion as the owners of their personal data.

4. Purposes and Use of Information.

THE COMPANY will not sell or disclose your individual information to any external company for marketing purposes or service offers. We will maintain the confidentiality of your personal information and it will only be used to strengthen your relationship with THE COMPANY. Additionally, internal practices help protect your privacy by limiting employee access to and use of customer data. If you provide us with personal data, you authorize us to use this information for the purposes outlined in accordance with this Privacy Policy, and we will not transfer or disclose it outside our databases except when (i) you authorize us to do so, (ii) it is necessary to allow our contractors, suppliers, or agents to provide the services we have entrusted to them, (iii) we or third parties use it to provide you with our products or services, (iv) it is delivered to entities that provide marketing services on our behalf or to other entities with which we have joint marketing agreements, (v) it is related to a merger, consolidation, acquisition, divestiture, or other restructuring process, (vi) we implement a personal data transfer agreement under the terms of Decree 1377 of 2013, or (vii) as required or permitted by law or for the purposes set forth in this Privacy Policy. Personal data subjects authorize THE COMPANY to transfer their personal information to other companies related to THE COMPANY such as, but not limited to, parent companies, subsidiaries, and affiliates of THE COMPANY for the development of the purposes described herein. This data processing will take place during the contractual relationship and/or thereafter, for the purposes described in this Policy. The personal information of employees is contained in databases and files owned by the employer. THE COMPANY uses your personal information for various purposes depending on the relationship between THE COMPANY and the data subject.

4.1. Purposes of Processing for Customers

When THE COMPANY requests customer information, it is done with the purpose of improving the relationship between THE COMPANY and the customer. THE COMPANY processes personal data before, during, and/or after the contractual relationship, but not beyond the reasonable period required for the purposes listed below:

Provide and deliver services, support or carry out the operations you have requested, and manage our business relationships.
Carry out the necessary procedures to comply with the obligations related to the services and products contracted with THE COMPANY.
Facilitate the proper execution of purchases and the provision of contracted services and products.
Generate optimal communication regarding our services, products, promotions, billing, and other activities.
Enforce compliance with our sales conditions, the website terms, and/or separate contracts entered into with you, if applicable;
Evaluate the quality, personalize, and improve our products, services (including content and advertisements), technologies, communications, and our relationship with you;
Conduct studies on consumption habits, preferences, purchase interest, product testing, concept, service evaluation, satisfaction, and others related to our services and products; as well as to report volumes by area, territory, and season.
Carry out, through any means directly or indirectly (through third parties), marketing and/or advertising activities, whether own or third-party, sales, billing, collections management, payment processing, scheduling, technical support, market intelligence, service improvement, verifications and inquiries, control, behavior, habits and enabling payment methods, fraud prevention, as well as any other activities related to our current and future products and services, to fulfill contractual obligations and our corporate purpose.
Inform about changes to products and services related to THE COMPANY’s ordinary course of business.
Send you communications such as information about product safety, the status of your transactions (e.g., order confirmations), information about products and services available through THE COMPANY and its related companies, promotional offers, and surveys;
Provide assistance, service, and technical support for our products and services.
Control and prevent fraud in all its forms, as well as other illegal or prohibited activities.
Protect the security or integrity of the website, our business, or our products or services.
Conduct audits.
Business continuity planning.
Verification of compliance with THE COMPANY’s Policies.
Carry out Legal Compliance Programs.
Verify the accuracy of the information provided.
Other purposes, as informed at the time the information is collected and authorized by the data subject.
4.2. Purposes of data processing for employees and candidates

In the case of active and retired employees, pensioners, retirees, affiliated third parties, family members, and beneficiaries, THE COMPANY processes the personal data provided by its active and retired employees, pensioners, retirees, affiliated third parties, family members, and beneficiaries for the fulfillment of the following purposes:

Hire, evaluate, develop, and terminate employees and contractors.
Enter into and execute employment contracts.
Enforce Colombian law and jurisprudence regarding labor and social security matters.
Fulfill the obligations contracted with our employees, pensioners, and retirees.
Grant benefits to employees and their beneficiaries.
Record relevant information, such as salary updates, training, vacations, and birthdays.
Control and prevent fraud in all its forms, as well as other illegal or prohibited activities.
Verify compliance with THE COMPANY’s internal policies.
Conduct audits.
Manage and administer the use of THE COMPANY’s corporate assets (such as offices, facilities, computers, etc.).
Inclusion in business continuity plans and emergency response.
Support professional development processes and resource management.
Business travel management.
Organization of events and conferences.
Informal networking.
Record information to verify the integrity of information, systems, and resources.
Verification of legal compliance programs.
Development of occupational health programs.
Manage personnel.
Allow access control to facilities, as well as verify identity and access permissions.
Carry out security and incident management.
Improve the quality of services.
Manage training programs.
Allow the organization, planning, billing, and management of working hours.
For commercial purposes necessary for the secure, effective, and efficient conduct of LA COMPAÑÍA’s business activities in the countries where it operates.
All other purposes necessary for the proper development of the employment relationship.
Any purpose authorized by the data subject, as informed at the time the authorization is collected, or purposes permitted by law.
The personal data collected includes both commercial and non-commercial information, as well as specific data gathered by third parties on behalf of THE COMPANY. Among the information collected and processed, in addition to that generally indicated in section two (2) of this Policy, the following is included (including sensitive information):

contact details (for example, name, work address, home address, email address, telephone numbers);
demographic data (for example, date of birth, gender, education);
employment data (for example, background, experience, promotions, training, performance, disciplinary actions);
organizational data (for example, position, responsibilities, salary level, professional interests);
data about dependents (for example, marital status, children);
working time and absence data (for example, absences, vacations, work schedule);
financial data (for example, salary, benefits, banking information, shareholding information);
social data (for example, photos, information about awards and recognitions, results of team events);
medical data (for example, occupational health information);
IT data (for example, communication metadata, access requests and permissions);
Within the organization of THE COMPANY, the collected information will only be disclosed to internal recipients who need to know it by virtue of being employees or contractors of THE COMPANY. Data may also be disclosed to external recipients (such as payroll service providers, health insurance, and technology service providers), subject to the execution of a data transfer agreement or authorization from the data owner, in accordance with the provisions of Article 25 of Decree 1377 of 2013 on personal data protection. Through the agreement, the agent commits to using the data only for the purposes for which they were disclosed, employing appropriate security measures, retaining them only as long as necessary, and not disclosing them without authorization. Personal data may be disclosed to internal and external recipients only (1) for the purposes of fulfilling the employment contract; (2) with the consent or authorization of the person in question; (3) in accordance with a collective labor agreement; (4) for the legitimate interests of THE COMPANY; (5) when commercially necessary; (6) as permitted or required by law or any judicial procedure; (7) as part of an investigation of possible criminal conduct; (8) in “emergency cases,” for example, when it is vital for the individual concerned. Active and retired employees, pensioners, retirees, and contractors of THE COMPANY must cooperate to keep their data accurate, complete, up-to-date, verifiable, and understandable, and notify any modifications thereto.

THE COMPANY does not acquire personal information covertly. However, in exceptional circumstances where required by law and/or to protect THE COMPANY’s interests, and when THE COMPANY has reasonable grounds to suspect a violation of THE COMPANY’s policy or that a crime has been committed and no other means of investigation are available, THE COMPANY may obtain personal data in this manner, but only in accordance with applicable law. THE COMPANY also processes personal data of job candidates in order to understand and evaluate their academic and work background, skills, knowledge, and capabilities; to verify the accuracy of the information provided; and for other purposes, as informed at the time the information is collected and authorized by the candidate. Among the information collected and processed, in addition to that generally indicated in section two (2) of this Policy, the following is included (including sensitive information):

Profession or trade
Degrees
Academic profile (school, university, etc.)
Professional profile (job positions, background, etc.)
Membership in professional or academic associations
Salaries and working hours
Performance evaluations
The information provided by candidates applying for a position at THE COMPANY will be stored for a period of up to two (2) years from the date of the last processing, or for the time necessary to comply with the applicable provisions related to the matter at hand, as well as the administrative, accounting, tax, legal, and historical aspects of the information, and any other legal and/or contractual obligations of THE COMPANY.

4.3. Purposes of Processing for Contractors and Suppliers

THE COMPANY processes personal data provided by contractors and suppliers as part of the acquisition process of goods or services supplied to THE COMPANY, before, during, and/or after the contractual relationship, to fulfill the following purposes:

To hire, evaluate, and select potential suppliers
To establish business relationships to acquire goods or services.
To enter into and execute contracts.
Control and payments for goods and services received.
Compliance with tax and legal matters with government and regulatory entities.
Communication of policies and procedures regarding the way of doing business with suppliers.
Queries, audits, and reviews arising from the business relationship with the supplier.
Any purpose authorized by the data subject, as informed at the time the authorization is collected, or purposes permitted by law.
Among the information collected and processed, in addition to that generally indicated in point two (2) of this Policy, the following is included (including sensitive information):

Legal business names or names of natural persons
Commercial names
Type of contract
Profession or trade
Work history
Academic and professional profile
Organizational data (position, responsibilities, salary level, professional interests)
Information on payments to the social security system.
Tax and fiscal identification information.
Banking information for payments via transfer.
Contacts
Copy of supporting documents for tax and banking information.
Any other documentation required according to the nature of the hiring, purchase, or service being carried out.
From the moment providers provide information, they consent to THE COMPANY maintaining in its records all information provided through any means. All personal information collected may be stored and processed in Colombia, and by using THE COMPANY’s services and products (including our website www.korner.com.co ), affiliated companies of THE COMPANY are subject to a data privacy policy to ensure that personal information transmitted between affiliates is properly handled. By accepting this Privacy Policy, you agree to any transfer of information outside your country. Our intention is to send emails only to clients, suppliers, contractors, or individuals who have authorized receiving such messages. By accepting this Privacy Policy, data subjects authorize us to send information about products and services, as well as offers of products and services that we believe may be of interest to them, through various means and channels (including email, SMS or text messages, etc.). You have the right at any time to opt out of receiving communications from THE COMPANY in the future.

We may share your personal information with related companies of THE COMPANY in order to carry out the operations you request or to better tailor our business or that of our related companies to your needs. We may also disclose your personal information for reasons related to legal compliance, fraud prevention, or other legal actions as required by applicable laws or regulations; or if THE COMPANY reasonably believes it is necessary to protect THE COMPANY, its customers, or the public. Additionally, we may share your personal information with business partners who help THE COMPANY perform the operations you request, or with business partners with whom we have co-branded products or services, so that they can offer their products and services, or who assist THE COMPANY in personalizing, analyzing, and/or improving our communication or relationship with you, and finally, only with business partners who share THE COMPANY’s commitment to protecting your personal information. Except for the cases detailed above, we will not disclose your personal information to third parties for their own marketing purposes unless you have authorized us to do so.

5. Duration of Processing of Information and Personal Data

The information provided will be stored for as long as necessary to allow us to fulfill the purposes set forth herein and to comply with legal and/or contractual obligations incumbent upon us, especially regarding accounting, tax, and fiscal matters, or for as long as necessary to comply with applicable provisions related to the subject matter, as well as the administrative, accounting, fiscal, legal, and historical aspects of the information, or in any case as required by law.

6. How Do We Use Cookies and Web Beacons?

THE COMPANY may use cookies and web beacons on its websites and on the electronic devices used to access them, in order to enhance the functionality and accessibility of the websites, verify that users meet the required criteria to process their requests, and tailor its products and services to users’ needs, potentially collecting the following general information:

Device language • Accessed links
Duration of browsing time
Type of browser and operating system used
Date and time of browsing. These cookies, web beacons, and other similar technologies can be disabled and deleted by the User whenever they wish. For this purpose, the User may consult and/or request assistance from the Internet browser they use.
7. Security and confidentiality of information

THE COMPANY is committed to protecting the security of your personal information. We have established policies, procedures, and information security standards aimed at protecting and preserving the integrity, confidentiality, and availability of information, regardless of the medium or format in which it is stored, its temporary or permanent location, or the way it is transmitted. Third parties contracted by us are equally obligated to adhere to and comply with the information security policies and manuals, as well as the security protocols we apply to all our processes. Any contract with third parties (contractors, employees, external consultants, temporary collaborators, etc.) involving the processing of information and personal data includes a confidentiality agreement that outlines their commitments to the protection, care, security, and preservation of the confidentiality, integrity, and privacy of such information.

In order to protect your personal information from any unauthorized access, use, or disclosure, we employ a variety of security procedures and technologies. Although we strive to protect your personal information, THE COMPANY cannot ensure or guarantee that your personal information or the private communications you send us will always remain confidential. Therefore, you do so at your own risk.

8. Rights of Data Subjects and Procedures for Exercising Their Rights

By accepting this Privacy Policy, you freely, expressly, and previously acknowledge that you have been informed about the rights granted to you by law as the owner of your personal data, which are listed below:

(i) To know, update, and rectify their personal data before the entity responsible for or in charge of processing their personal data.

(ii) Request proof of the authorization granted to the data controller, except when it is expressly exempted as a requirement for the processing.

(iii) To be informed by the data controller or the data processor, upon request, about the use given to their personal data.

(iv) To file complaints with the Superintendence of Industry and Commerce for violations of the personal data protection regime.

(v) To revoke the authorization and/or request the deletion of personal data under the terms of Law 1581 of 2012.

(vi) To access free of charge, once a month, their personal data that has been subject to processing, in accordance with the terms of the applicable regulations.

In case the personal data is not collected directly by THE COMPANY from the data subjects, but is provided to THE COMPANY, for example, by an employee, the employee must inform the data subject that the information will be provided to THE COMPANY. If, due to contracts with third parties, they need to process the information, clauses establishing restrictions or requirements on the handling of this information may be added to these contracts. The procedures for exercising your rights will be as follows:

(i) Inquiries

Data subjects, authorized persons, or legal successors may request access to their personal information held in our databases, in which case we will provide the requested information after verifying their legitimacy to make such a request. The inquiry will be addressed within a maximum period of ten (10) business days from the date of receipt. If it is not possible to respond within this period, the reasons for the delay will be communicated, along with the date when the inquiry will be addressed, which in no case will exceed five (5) business days following the expiration of the initial term.

(ii) Claims

If the data subjects, authorized persons, or legal successors consider that the information contained in a database should be corrected, updated, or deleted, or if they notice a presumed breach of any of the duties established in the Regulation, they may file a claim with us, which will be processed under the following rules:

1. Your claim must be submitted through a request addressed to THE COMPANY, including your identification, a description of the facts giving rise to the claim, your address, and accompanied by any supporting documents you wish to submit. If the claim is incomplete, we will request the missing information within five (5) business days following the receipt of the claim so that you can correct the deficiencies. If two (2) months pass from the date of the request without you providing the required information, we will understand that you have withdrawn the claim.

2. In the event that we are not competent to resolve your claim, we will forward it to the appropriate party within a maximum term of two (2) business days and inform you promptly. If applicable, once the complete claim is received, a note stating "claim in process" along with the reason will be added to the database within no more than two (2) business days. This note must remain until the claim is resolved.

3. The maximum term to address the claim will be fifteen (15) business days counted from the day following the date of its receipt. If it is not possible to address the claim within this term, the reasons for the delay and the date when the claim will be attended to will be communicated, which in no case may exceed eight (8) business days following the expiration of the initial term.

Data subjects may exercise their rights to access, update, rectify, and delete their personal data by submitting a written request addressed to Carrera Séptima No. 155 C 30, Office 4504, Bogotá, Colombia, in accordance with this Privacy Policy. At any time, data subjects may revoke their consent for the processing of their Personal Data. To do so, a written communication in Spanish must be sent to Carrera Séptima No. 155 C 30, Office 4504, Bogotá, Colombia, which must include the same requirements indicated for exercising data subject rights, specifying the Personal Data for which consent is to be revoked. Within no more than 15 (fifteen) business days from receipt of the communication, we will process the revocation of the requested data.

At any time, data subjects may limit their consent for the processing of their Personal Data for marketing and promotional purposes by sending a written communication to the following address: Carrera Séptima No. 155 C 30, Office 4504, Bogotá, Colombia, specifying the limitations. Within no more than 10 (ten) business days from the receipt of the written communication, we will cease sending you information. The department responsible for handling requests, inquiries, or complaints where the data subject can exercise their rights is:

Department: Legal Management.

e-mail: contacto@korner.com.co

Address: Carrera Séptima No. 155 C 20, Office 4504

Phone: 601-2411450

9. Modifications and validity of the privacy policy.

We may modify the terms and conditions of these privacy policies at any time. If we decide to introduce any material changes to our privacy policies, this will be communicated on our website or in a widely circulated national newspaper, along with the publication of an updated version of the privacy policies. The databases will remain valid indefinitely, in accordance with the purposes and uses of the information.

Updated June 2022.