Privacy Policy

Privacy policy and handling of personal data

Personal data protection processing policy for Data Subjects

In compliance with the provisions of Statutory Law 1581 of 2012 and its Regulatory Decree 1377 of 2013, GSMED SAS adopts this policy for the processing of personal data, which will be communicated to all data subjects whose data has been collected or will be obtained in the future in the course of commercial or work activities.

In this way, GSMED SAS states that it guarantees the rights of privacy, intimacy and good name, in the processing of personal data, and consequently all its actions will be governed by the principles of legality, purpose, freedom, truthfulness or quality, transparency, access and restricted circulation, security and confidentiality.

All persons who, in the course of different contractual, commercial, labor, among other activities, whether permanent or occasional, provide GSMED SAS with any type of personal information or data, may know, update and rectify it.

Identification of the data controller

NAME OR COMPANY NAME: GSMED SAS

Company dedicated to carrying out commercial activities such as:

• Wholesale of other types of machinery and equipment n.e.c.

• Specialized maintenance and repair of machinery and equipment

• Manufacturing of pharmaceutical products, medicinal chemicals, and botanical products for pharmaceutical use

ADDRESS AND STREET ADDRESS : GSMED SAS has its address in the city of Bogotá, located at Cra 69 # 25 B 44 Office 614

EMAIL : contabilidad.gsmed@gmail.com

LANDLINE PHONE: 8050449

CELL PHONE : 3102990305

Legal framework

  • Political Constitution, Article 15. Law 1266 of 2008
  • Law 1581 of 2012
  • Regulatory Decrees 1727 of 2009 and 2952 of 2010,
  • Partial Regulatory Decree 1377 of 2013
  • Constitutional Court Judgments C-1011 of 2008 and C-748 of 2011

Scope of application

This policy will apply to personal data recorded in any GSMED SAS database

Definitions

For the purposes of this document, the following definitions must be taken into account in order to apply the personal data processing policy.

  • Authorization: Prior, express and informed consent of the Data Subject to carry out the Processing of personal data.
  • Privacy Notice: Verbal or written communication generated by the Controller, addressed to the Data Subject for the processing of their personal data, through which they are informed about the existence of the information processing policies that will be applicable to them, how to access them and the purposes of the processing that is intended to be given to the personal data.
  • Database: An organized set of personal data that is subject to processing
  • Personal data: Any information linked to or that can be associated with one or more specific or identifiable natural persons.
  • Public data: This refers to data that is not semi-private, private, or sensitive. Public data includes, among other things, information relating to a person's marital status, profession or occupation, and their status as a merchant or public servant. By their nature, public data may be contained in, among other sources, public registries, public documents, official gazettes and bulletins, and duly executed court judgments that are not subject to confidentiality.
  • Sensitive data: Sensitive data is understood to be data that affects the privacy of the Data Subject or whose misuse may generate discrimination, such as racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in trade unions, social or human rights organizations or organizations that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data relating to health, sex life, and biometric data.
  • Data Processor: Natural or legal person, public or private, who, alone or in association with others, carries out the processing of personal data on behalf of the Data Controller.
  • Data Controller: Natural or legal person, public or private, who alone or jointly with others, decides on the database and/or the processing of the data.
  • Data Subject: Natural person whose personal data is subject to Processing.
  • Processing: Any operation or set of operations performed on personal data, such as collection, storage, use, circulation or deletion.
  • Transfer: Data transfer takes place when the controller and/or processor of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is responsible for the processing and is located inside or outside the country.
  • Transmission: Processing of personal data that involves the communication of the same within or outside the territory of the Republic of Colombia when its purpose is to carry out processing by the processor on behalf of the controller.

Principles for the processing of personal data

To ensure the protection of personal data, GSMED SAS will apply the following principles in a harmonious and comprehensive manner:

  • Principle of legality in the area of ​​data processing The processing of personal data must be subject at least to the provisions of the laws in force that regulate the matter and the provisions that develop it.
  • Principle of purpose: The processing of personal data carried out by GSMED SAS or to which it has access, will be for a legitimate purpose in accordance with the Political Constitution of Colombia, which must be communicated to the respective owner of the personal data.
  • Principle of freedom: Personal data may only be processed with the prior, express, and informed consent of the data subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal, statutory, or judicial mandate that waives the requirement for consent.
  • Principle of veracity or quality: Information subject to the processing of personal data must be truthful, complete, accurate, up-to-date, verifiable, and understandable. The processing of partial, incomplete, fragmented, or misleading data is prohibited.
  • Principle of transparency: In the processing of personal data, GSMED SAS will guarantee the Holder's right to obtain at any time and without restrictions, information about the existence of any type of information or personal data that is of interest to them or that they own.
  • Principle of Restricted Access and Circulation: The processing of personal data is subject to the limitations arising from the nature of the data, the provisions of the law, and the Constitution. Consequently, processing may only be carried out by persons authorized by the data subject and/or by persons authorized by law. Personal data, except for public information, may not be available on the internet or other means of mass dissemination or communication, unless access is technically controllable to ensure restricted access only to data subjects or third parties authorized by law.
  • Security Principle: Information subject to processing by GSMED SAS must be handled with the necessary technical, human and administrative measures to ensure the security of the records, preventing their alteration, loss, consultation, use or unauthorized or fraudulent access.
  • Principle of confidentiality: All individuals at GSMED SAS who administer, manage, update, or have access to any type of information contained in databases are obligated to guarantee the confidentiality of that information. They commit to maintaining and preserving in a strictly confidential manner and not disclosing to third parties any information they may become aware of in the performance of their duties, except when expressly authorized by data protection law. This obligation persists and will remain in effect even after their relationship with any of the tasks involved in the processing of data has ended.

Rights of the data subject

In accordance with the provisions of current regulations applicable to data protection, the following are the rights of personal data owners:

  1. Access, know, update and rectify your personal data held by GSMED SAS in its capacity as data controller. This right may be exercised, among others, with respect to data that is partial, inaccurate, incomplete, fragmented, misleading, or whose processing is expressly prohibited or has not been authorized.
  • Request proof of the authorization granted to GSMED SAS for the processing of data, by any valid means, except when expressly excepted by law.
  • To be informed by GSMED SAS, upon request, regarding the use that has been made of your personal data.
  • To file complaints with the Superintendency of Industry and Commerce, or the entity that replaces it, for violations of the provisions of Law 1581 of 2012 and other regulations that modify, add to or complement it, after first consulting or requesting GSMED SAS
  • Revoke authorization and/or request the deletion of data when the Processing does not respect the constitutional and legal principles, rights and guarantees.
  • Access your personal data that has been processed, free of charge, at least once every calendar month, and whenever there are substantial modifications to this policy that warrant

Duties of GSMED SAS as the controller and processor of personal data

GSMED SAS recognizes that individuals own their personal data and, consequently, they alone have the right to decide how it is used. Therefore, GSMED SAS will use personal data only for the purposes expressly authorized by the data subject or by applicable regulations.

In the processing and protection of personal data, GSMED SAS will have the following duties, without prejudice to others provided for in the provisions that regulate or may regulate this matter:

a. Guarantee to the holder, at all times, the full and effective exercise of the right of habeas data.

b. Request and keep a copy of the respective authorization granted by the owner for the processing of personal data.

c. Properly inform the data subject about the purpose of the collection and the rights they have under the authorization granted.

d. Keep the information under the necessary security conditions to prevent its alteration, loss, consultation, use or unauthorized or fraudulent access.

e. Ensure that the information is truthful, complete, accurate, up-to-date, verifiable, and understandable.

f. Update the information promptly, taking into account all changes regarding the data subject's information. Additionally, all necessary measures must be implemented to ensure that the information remains up-to-date.

g. Correct the information when it is incorrect and communicate the relevant information.

h. Respect the security and privacy conditions of the data subject's information.

i. Process inquiries and complaints made in accordance with the terms established by law.

j. Identify when certain information is under discussion by the owner.

k. Inform the data subject, upon request, about the use given to their data.

l. Inform the data protection authority when security code violations occur and there are risks in the management of data subjects' information.

m. Comply with the requirements and instructions issued by the Superintendency of Industry and Commerce on the matter in particular.

n. Use only data whose processing is previously authorized in accordance with the provisions of Law 1581 of 2012.

o. Register the phrase “claim in process” in the database in the manner regulated by law.

p. Insert the legend “information under judicial discussion” into the database once notified by the competent authority about legal proceedings related to the quality of the personal data.

q. Refrain from circulating information that is being disputed by the owner and whose blocking has been ordered by the Superintendency of Industry and Commerce.

r. Allow access to information only to people who are authorized to access it.

s. Use the personal data of the holder only for those purposes for which it is duly authorized and respecting in all cases the current regulations on the protection of personal data.

Authorization and consent of the owner

GSMED SAS requires the free, prior, express and informed consent of the owner of the personal data for the processing thereof, except in the cases expressly authorized by law, namely:

a. Information required by a public or administrative entity in the exercise of its legal functions or by court order.

b. Data of a public nature.

c. Cases of medical or health emergencies.

d. Processing of information authorized by law for historical, statistical or scientific purposes.

e. Data related to the Civil Registry of Persons.

Declaration of authorization

Authorization for GSMED SAS to process personal data will be granted by:

a. The holder, who must sufficiently prove his identity through the various means made available to him.

b. The successors of the holder, who must prove such status.

c. The representative and/or attorney of the holder, after accreditation of the representation or power of attorney.

d. Another in favor of or for which the holder has stipulated.

Means of granting authorization

GSMED SAS will request prior, express and informed authorization from the Owners of the Personal Data on which it requires processing.

This statement from the Holder can be made by mail or printed format.

Authorization will be requested prior to the processing of personal data.

Proof of authorization

GSMED SAS will retain proof of the authorization granted by the owners of the personal data for its processing, for which it will use the mechanisms available to it at present, as well as adopt the necessary actions to maintain the record of the form and date in which it obtained this authorization.

Consequently, you may establish physical files or electronic repositories directly or through third parties contracted for this purpose.

Revocation of authorization

Data subjects may at any time revoke the authorization granted to GSMED SAS for the processing of their personal data or request its deletion, provided that it is not prevented by a legal provision or

contractual. It will establish simple and free mechanisms that allow the holder to revoke their authorization or request the deletion of their personal data, at least by the same means by which it was granted.

Processing and Purpose of Personal Data.

Service providers

The processing of personal data whose information is provided by suppliers/contractors and with which GSMED SAS has established or establishes a relationship, permanent or occasional, will be carried out in accordance with the terms established in the applicable regulations in this matter.

In any case, personal data may be collected, used, transmitted, transferred, stored, treated and processed to carry out all activities and procedures in pre-contractual, contractual and post-contractual stages that GSMED SAS requires for the development of its corporate purpose or administrative operation in accordance with current regulations.

Customers

The processing of data will be carried out for the purpose of providing the contracted services consisting of legal advice and representation in legal matters of various kinds by GSMED SAS, as well as informing you about regulatory news or updates to keep your clients informed and up-to-date on matters of interest to you.

Partners or Shareholders

GSMED SAS will only use the Personal Data of Partners or Shareholders for the purposes derived from the existing statutory relationship and the exercise of their rights within the Company.

Privacy notice

The Privacy Notice is a physical, electronic, or other format document made available to the data subject to inform them about the processing of their personal data. This document informs the data subject about the existence of GSMED SAS's data processing policies that apply to them, how to access these policies, and the characteristics of the intended processing of their personal data.

The privacy notice must contain, at a minimum, the following information:

a. The identity, address and contact details of the data controller.

b. The type of processing to which the data will be subjected and the purpose thereof.

c. The rights of the holder.

d. The general mechanisms established by the controller to ensure that the data subject is aware of the data processing policy and any substantial changes to it. In all cases, the controller must inform the data subject how to access or consult the data processing policy.

e. The optional nature of the response to questions about sensitive data.

Guarantees of the right of access

To guarantee the data subject's right of access, GSMED SAS will make available to them, upon verification of their identity, legitimacy, or the identity of their representative, at no cost or expense, in a detailed and comprehensive manner, the respective personal data, through all types of means, including electronic means that allow the data subject direct access. This access must be offered without any limitations and must allow the data subject the possibility of knowing, updating, and rectifying their data.

Procedures for Attention and Responses to requests, inquiries, complaints and claims, rectification, updating and suspension of data.

Data Subjects whose Personal Data is processed by GSMED SAS have the right to access their Personal Data and the details of said Processing, as well as to rectify and update them if they are inaccurate or to request their deletion when they consider that they are excessive or unnecessary for the purposes that justified their obtaining or to oppose the Processing of the same for specific purposes.

The procedures that have been implemented to guarantee the exercise of these rights through the submission of the respective application are:

• Communication addressed to: GSMED SAS Cra 69 # 25 B 44 Office 614

• Application submitted to the email address: contabilidad.gsmed@gmail.com

• Application submitted via the following telephone numbers: landline 8050449 and mobile 3102990305

These channels may be used by Personal Data Holders, or third parties authorized by law to act on their behalf, in order to exercise the following rights:

Inquiries and Requests

Data Subjects may consult the personal information held by GSMED SAS, for which purpose they may submit a request indicating the information they wish to know through the mechanisms indicated in the previous point.

Complaints and Claims

The Data Subject or their successors who consider that the information contained in a database should be corrected, updated or deleted, or when they notice the alleged breach of any of the duties contained in the law, may file a claim with GSMED SAS, which will be processed under the following rules:

a. The Holder, or their successors, must provide proof of their identity, the identity of their representative, or the representation or stipulation in favor of or for another. When the request is made by a person other than the Holder and it is not proven that they are acting on behalf of the Holder, it will be considered not submitted.

b. Submit a description of the facts giving rise to the claim, the address, and any supporting documents. If the claim is incomplete, the interested party will be notified within five (5) days of receipt of the claim to correct the deficiencies. If the applicant fails to submit the required information within two (2) months of the notification date, the claim will be considered withdrawn.

c. Once the complete claim is received, it will be categorized with the label “in process” and the reason for the claim, within a period not exceeding two (2) business days. This label will remain until the claim is resolved.

d. The maximum time to address the claim will be fifteen (15) business days, counted from the day following the date of its receipt. If it is not possible to address the claim within said period, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first period.

Request for update and/or correction

GSMED SAS will rectify and update, at the request of the owner, any information that is incomplete or inaccurate, by means of a request through the enabled means indicated in this document, registering the following information:

• The name and home address of the Holder or any other means to receive the response.

• Documents that prove the identity of the applicant and, if applicable, that of their representative with the respective authorization.

• A clear and precise description of the personal data with respect to which the Holder seeks to exercise any of the rights and the specific request.

• If the application is incomplete, GSMED SAS must request the applicant to correct the deficiencies within five (5) days of receiving it. If the applicant fails to submit the required information within two (2) months of the date of the request, it will be understood that they have withdrawn their application.

Request for data deletion

The owner of the personal data has the right to request GSMED SAS to delete it in any of the following events:

a) When you consider that they are not being treated in accordance with the principles, duties and obligations provided for in current regulations.

b) If they are no longer necessary or relevant for the purpose for which they were collected.

c) The period necessary for the fulfillment of the purposes for which they were collected has been exceeded.

This deletion implies the total or partial removal of personal information, as requested by the data subject, from the records, files, databases, or processing carried out by GSMED SAS. However, this right of the data subject is not absolute, and consequently, GSMED SAS may deny its exercise when:

a. The data subject has a legal or contractual duty to remain in the database.

b. The deletion of data hinders judicial or administrative proceedings related to tax obligations, the investigation and prosecution of crimes, or the updating of administrative sanctions.

c. The data are necessary to protect the legally protected interests of the data subject; to carry out an action in the public interest, or to comply with a legally acquired obligation of the data subject.

National database registry

GSMED SAS reserves the right, in the events contemplated by law and in its statutes and internal regulations, to maintain and categorize certain information held in its databases or databases as confidential in accordance with current regulations, its statutes and regulations, all of the above and in accordance with the fundamental and constitutional right.

GSMED SAS will proceed, in accordance with current regulations and those issued by the National Government, to register its databases with the National Database Registry (RNBD), which will be administered by the Superintendency of Industry and Commerce. The RNBD is the public directory of databases subject to processing that operate in the country and will be freely accessible to citizens, in accordance with the regulations issued by the National Government.

Information security and security measures

In compliance with the security principle established in current regulations, GSMED SAS will adopt the necessary technical, human and administrative measures to ensure the security of the records, preventing their alteration, loss, consultation, use or unauthorized or fraudulent access.

Use and international transfer of personal data and personal information by GSMED SAS

In compliance with the institutional mission and the strategic development plan, and taking into account the nature of the permanent or occasional relationships that any person holding personal data may have with GSMED SAS, the latter may carry out the transfer and transmission, even internationally, of all personal data, provided that the applicable legal requirements are met; and consequently, the holders, by accepting this policy, expressly authorize the transfer and transmission, even internationally, of personal data.

For the international transfer of personal data of data subjects, GSMED SAS will take the necessary measures to ensure that third parties are aware of and agree to comply with this policy, with the understanding that the personal information they receive may only be used for matters directly related to GSMED SAS and only for as long as such relationship lasts, and may not be used or intended for any other purpose. The provisions of Article 26 of Law 1581 of 2012 will be observed for the international transfer of personal data.

International transfers of personal data carried out by GSMED SAS will not require notification to the data subject or their consent when there is a personal data transfer contract in accordance with Article 25 of Decree 1377 of 2013.

GSMED SAS may also exchange personal information with governmental or other public authorities (including, but not limited to, judicial or administrative authorities, tax authorities, and criminal, civil, administrative, disciplinary, and fiscal investigative bodies), and third parties involved in civil legal proceedings and their accountants, auditors, lawyers, and other advisors and representatives, because it is necessary or appropriate: (a) to comply with applicable laws, including laws other than those of your country of residence; (b) to comply with legal processes; (c) to respond to requests from public and governmental authorities, and to respond to requests from public and governmental authorities other than those of your country of residence; (d) to enforce our terms and conditions; (e) to protect our operations; (f) to protect our rights, privacy, safety, or property, or those of you or third parties; and (g) to obtain applicable relief or limit damages that may affect us.

Responsible and in charge of the processing of personal data

GSMED SAS will be responsible for the processing of personal data.