Data Policy and processing of personal data

In compliance with Law 172-13 of 2013, which establishes provisions for the protection of personal data, Ctpnutricosmetic.com, in its capacity as the party responsible for the processing of personal data, sets out the general guidelines on this matter:

1. Authorization of data processing

Authorization for clients:

The authorization for the processing of your personal data allows Ctpnutricosmetic.com to collect, store, process, use, circulate, delete, collate, search, share, update, transmit and transfer personal information, to develop the portfolio products related to the corporate purpose, seeking to fulfill the following purposes:

These data can be stored on any physical or electronic medium and processed manually or by automated means.

Law No. 172-13 of 2013 defines the following types of personal data:

a) Private data: “It is the data that, due to its intimate or reserved nature, is only relevant to the Owner.”

b) Semi-private data: “Semi-private data is data that is neither intimate, reserved, nor public in nature and whose knowledge or dissemination may be of interest not only to its Owner but to a certain sector or group of people or to society in general, such as the financial and credit data of commercial activity or services referred to in Law 172-13.”

c) Public data: “It is the data classified as such according to the mandates of the Law or the Political Constitution and all those that are not semi-private or private”, in accordance with Law 172-13 of 2013. “They are public, among others, the data contained in public documents, duly executed judicial rulings that are not subject to confidentiality and those related to the marital status of the people.”

Additionally, Law 172-13 of 2013 establishes the following special categories of personal data:

– Sensitive data: These are “those that affect the privacy of the Owner or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social organizations, human rights or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life and biometric data.”

Law 172-13 of 2013 prohibits the processing of sensitive data with the exception of the following cases:

(1) When the Owner grants his consent.

(2) The Processing is necessary to safeguard the vital interest of the Owner and he or she is physically or legally incapacitated.

(3) The Processing is carried out in the course of legitimate activities and with due guarantees by a foundation, NGO, association or any other non-profit organization whose purpose is political, philosophical, religious or union-related, provided that the data refer exclusively to its members or to people who maintain regular contact with it by reason of its purpose.

(4) Processing refers to data that is necessary for the recognition, exercise or defense of a right in a judicial process.

(5) The Processing has a historical, statistical or scientific purpose; in the latter case, measures must be adopted leading to the deletion of the identity of the Owners.

– Personal data of children and adolescents: It must be taken into account that although Law 172-13 Article 79 of 2013 prohibits the processing of personal data of children and adolescents, except for those that by their nature are public, the Constitutional Court specified that regardless of the nature of the data, the processing of data can be carried out “as long as the purpose pursued with said processing responds to the best interest of the children and adolescents and the respect for their prevailing rights.”

The law also defines the following roles:

– Data Controller: “Natural or legal person, public or private, who alone or in association with others, decides on the database and/or the Processing of the data.” Ctpnutricosmetic.com, in accordance with the law, is responsible for the processing of personal data contained in its databases.

– Data Processor: “Natural or legal person, public or private, who, by themselves or in association with others, carries out the Processing of personal data on behalf of the Data Controller.” Ctpnutricosmetic.com may process your personal data through Managers.

1.1 GENERAL PROVISIONS ESTABLISHED IN LAW 172-13 OF 2013 FOR THE PROTECTION OF PERSONAL DATA

Law 172-13 of 2013 develops the constitutional right to know, update and rectify the information collected in databases and the other rights, freedoms and guarantees referred to in articles 15 and 20 of the Constitution (right to privacy and right to information, respectively).

The aforementioned law applies to personal data registered in any database that makes them susceptible to processing by public or private entities.

Considering the way a database is preserved, a distinction can be made between automated databases and manual databases or files.

Automated databases are those that are stored and managed with the help of computer tools.

Manual databases or files are those whose information is organized and stored physically, such as order forms for suppliers that contain personal information related to the supplier, such as name, identification, telephone numbers, email, etc.

The law exempts from the protection regime:

(1) Files and databases belonging to the personal or domestic sphere.

(2) Those whose purpose is national security and defense, the prevention, detection, monitoring and control of money laundering and the financing of terrorism.

(3) Those whose purpose is, and which contain, intelligence and counterintelligence information.

(4) Those of journalistic information and other editorial content.

(5) Those regulated by Law 172-13 of 2013 (financial and credit, commercial, service information and information from third countries).

(6) Those regulated by Law 5096 of 1965 (on population and housing censuses).

1.2 DUTIES OF THE DATA CONTROLLER

The Data Controller has been defined by Law 172-13 of 2013 as the natural or legal person, public or private, who alone or in association with others decides on the database and/or the processing of the data.

The duties of the Data Controllers and, consequently, of Ctpnutricosmetic.com are those established in article 17 of Law 1581 of 2012:

a) Guarantee to the Owner, at all times, the full and effective exercise of the right of habeas data.

b) Request and keep, under the conditions provided in the aforementioned law, a copy of the respective authorization granted by the Owner.

c) Duly inform the Owner about the purpose of the collection and the rights granted to him by virtue of the authorization granted.

d) Keep the information under the security conditions necessary to prevent its adulteration, loss, or unauthorized or fraudulent consultation, use or access.

e) Guarantee that the information provided to the Data Processor is true, complete, exact, updated, verifiable and understandable.

f) Update the information, communicating to the Data Processor in a timely manner all developments regarding the data previously provided, and adopt the other measures necessary so that the information provided to it remains up to date.

g) Rectify the information when it is incorrect and communicate the pertinent information to the Data Processor.

h) Provide the Data Processor, as the case may be, only data whose Processing is previously authorized in accordance with the provisions of the aforementioned law.

i) Demand that the Data Processor at all times respect the security and privacy conditions of the Owner's information.

j) Process queries and claims made in the terms indicated in the aforementioned law.

k) Adopt an internal manual of policies and procedures to guarantee adequate compliance with the aforementioned law and, especially, to respond to queries and complaints.

l) Inform the Data Processor when certain information is under discussion by the Owner, once the claim has been submitted and the respective process has not been completed.

m) Inform at the request of the Owner about the use given to their data.

n) Inform the data protection authority when violations of security codes occur and there are risks in the administration of the Owners' information.

o) Comply with the instructions and requirements indicated by Ctpnutricosmetic.com.

1.3 RIGHTS OF THE OWNERS

Law 172-13 of 2013 establishes that the Owners of personal data will have the following rights:

– Know, update and rectify your personal data before the Data Controllers or Data Processors. This right may be exercised, among others, against partial, inaccurate, incomplete, fragmented, misleading data, or those whose Processing is expressly prohibited or has not been authorized.

– Request proof of the authorization granted to the Data Controller, except when authorization is expressly exempted as a requirement for the Processing, in accordance with the provisions of article 10 of the aforementioned law.

– Be informed by the Data Controller or the Data Processor, upon request, regarding the use that has been given to your personal data.

– Submit complaints to Ctpnutricosmetic.com for violations of the provisions of the aforementioned law and other regulations that modify, add or complement it.

– Revoke the authorization and/or request the deletion of the data when the Processing does not respect constitutional and legal principles, rights and guarantees. The revocation and/or deletion will proceed when Ctpnutricosmetic.com has determined that, in the Processing, the Controller or Processor has engaged in conduct contrary to the law and the Constitution.

– Access, free of charge, your personal data that has been processed.