Guia del Café S.A.S. presents the following Data Protection Policies to clients, suppliers, employees, and regulatory entities, in accordance with the guidelines outlined in Law 1581 of 2012 and its Regulatory Decree 1377 of 2013. The following information is governed by the government of Colombia.

This Data Protection Policy regulates the collection, storage, use, circulation, and deletion of personal data by Guia del Café S.A.S., providing tools to ensure the authenticity, confidentiality, and integrity of information.

SCOPE

This Data Protection Policy applies to all Databases and/or Files containing Personal Data processed by Guia del Café S.A.S.

GUIDELINES

  • Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.
  • Personal data: Any information linked or that may be associated with one or several identified or identifiable natural persons.
  • Database: An organized set of personal data that is subject to processing.
  • Data Subject: The individual whose personal data is subject to processing.
  • Authorization: Prior, express, and informed consent of the Data Subject for the processing of personal data.
  • Data Controller: The natural or legal person, public or private, who, alone or jointly with others, decides on the database and/or data processing.
  • Data Processor: The natural or legal person, public or private, who, alone or jointly with others, performs personal data processing on behalf of the Data Controller.

DATA SUBJECT RIGHTS

Data Subjects whose personal data is stored in the databases of Guia del Café S.A.S have the following rights:

  • Right to know, update, and correct their personal data: Data Subjects can exercise this right for partial, inaccurate, incomplete, or fragmented data that leads to errors or is expressly prohibited or unauthorized.
  • Right to request proof of authorization: Data Subjects may request proof of the authorization granted for the processing of their data, as provided by Article 9 of Law 1581 of 2012. Data specified in Article 10 of this Law are exempt from this obligation.
  • Right to be informed of the use of their personal data: Data Subjects have the right to know, at any time, the use given to their personal data upon request to the Data Controller.
  • Right to revoke authorization and/or request data deletion: Data Subjects may revoke the authorization granted to Guia del Café S.A.S for data processing if they find that constitutional and legal principles, rights, and guarantees have not been respected.
  • Right to access their personal data: Data Subjects may access their processed personal data free of charge.

DUTIES OF GUIA DEL CAFÉ S.A.S

As the Data Controller, the company has the following duties:

  • Guarantee the Data Subject the full and effective right to Data Protection.
  • Request and retain a copy of the Data Subject’s authorization.
  • Properly inform the Data Subject about the purpose of data collection and their rights.
  • Retain data under the necessary security conditions to prevent its alteration, loss, unauthorized access, or fraudulent use.
  • Correct inaccurate information and notify the Data Processor accordingly.
  • Address inquiries and complaints within the terms specified in Law 1581 of 2012.

PURPOSE OF DATA PROCESSING

The Personal Data is processed by Guia del Café S.A.S for the following purposes:

  • To send information to employees and their families.
  • To provide health services to the beneficiaries of employees.
  • To strengthen customer relations by sending relevant information and responding to requests, complaints, and claims.
  • To ensure timely and quality supply with suppliers by inviting them to participate in selection processes, evaluating compliance, and verifying balances.
  • To determine outstanding obligations, consult financial information and credit history, and report non-compliance to credit bureaus.
  • To respond to judicial or administrative requests and comply with legal or judicial mandates.

AUTHORIZATIONS

Data Subjects may provide their authorization to Guia del Café S.A.S for data processing through the “AUTHORIZATION FOR DATA PROCESSING FE-01” form, which will be sent once the relationship between the company and the third party is formalized.

SPECIAL PROVISIONS FOR PROCESSING SENSITIVE PERSONAL DATA

According to the Data Protection Law, sensitive data is defined as data that affects privacy or can lead to discrimination, such as racial or ethnic origin, political orientation, religious/philosophical beliefs, union membership, health, sexual life, and biometric data (such as fingerprints, signatures, and photographs). Processing of sensitive personal data is prohibited by law unless explicit, prior, and informed consent is obtained, among other exceptions outlined in Article 6 of Law 1581 of 2012. In these cases, Guia del Café S.A.S must:

  • Inform the Data Subject that authorization for processing sensitive data is optional.
  • Inform the Data Subject which sensitive data will be processed and the purpose of processing.
  • Not condition any activity on the provision of sensitive personal data.

PROCEDURE FOR ADDRESSING REQUESTS, COMPLAINTS, AND CLAIMS (PQR)

Data Subjects may exercise their rights to know, update, correct, delete information, and revoke authorization at any time. This process will follow the procedure outlined in the Data Protection Law: Data Subjects may request information on their personal data, proof of authorization granted, adjustments, or information on its use by contacting Guia del Café S.A.S at:

Requests and inquiries will be handled within a maximum of fifteen (15) business days from the date of receipt. If it is not possible to respond within this period, the requester will be informed of the delay, the reasons, and the date for addressing the request or inquiry, which will not exceed five (5) business days after the initial period.

PERSONAL DATA SECURITY

Guia del Café S.A.S. will implement the necessary technical, human, and administrative measures to ensure the security of records, preventing their alteration, loss, unauthorized access, or fraudulent use. Suppliers will be required to adopt and comply with appropriate technical, human, and administrative measures for the protection of Personal Data under their control.

TRANSFER AND TRANSMISSION OF PERSONAL DATA

Under no circumstances may Guia del Café S.A.S disclose information from its databases to affiliated companies, unrelated third parties, contractors, suppliers, clients, or any employee without the express written consent of the Data Subject.

This Data Protection Policy is effective as of September 1, 2024.