KiiChain Data Processing Policy
Objective
To comply with Law 1581 of 2012 and Decree 1377 of 2013, which safeguard the constitutional right of all individuals to know, update, and correct information collected about them in databases or records maintained by public and/or private entities.
KiiChain, its Joint Ventures, and Consortia are companies and entities that store and collect personal data, per Article 7 of Decree 1377 of 2013. Therefore, we require your free, prior, express, voluntary, and duly informed authorization to allow our companies and entities to collect, store, use, disclose, delete, process, compile, exchange, treat, update, and manage the data provided and incorporated into various databases.
The purpose of KiiChain and each of its consortia and joint ventures is to fulfill and implement the constitutional right of all persons to know, update, and correct information collected about them in databases by establishing policies, procedures, and controls for proper protection, providing required information to the data subjects, and addressing requests, complaints, and claims from each of them.
Application and Involved Areas
All areas within KiiChain, its consortia, or joint ventures that collect, process, handle, and store personal data must comply with this privacy protection policy, regulated by Law 1581 of 2012 and Decree 1377 of 2013.
Definitions and Assumptions
Definitions:
For purposes of this policy and its interpretation, the following definitions apply:
- Personal Data: Any information linked to, or that can be associated with, one or more identifiable individuals. Personal data includes names, addresses, images, or codes present in any document, data message, magnetic, electronic, optical, or physical medium, as well as any data discovered, inferred, deduced, communicated, or known by any means and form by the DATA PROCESSOR that allows identifying a specific individual.
- Sensitive Data: Data that affects the data subject's privacy or whose improper use could lead to discrimination.
- Data Subject: Any individual whose personal data is subject to processing, whether as a job candidate, employee, client, supplier, or any third party who provides personal data to the data controller due to a commercial or legal relationship.
- Candidates: Any individual undergoing a recruitment process to be employed by the DATA CONTROLLER.
- Employee: Any individual who provides services to the data controller under an employment contract.
- Supplier: Any individual or entity providing services to the data controller based on a contractual/obligational relationship.
- Client: An individual or entity to whom the DATA CONTROLLER provides services as part of its corporate purpose within a contractual relationship.
- Data Processor: An individual or entity, public or private, that, independently or in association with others, processes personal data on behalf of the Company, acting as the data controller.
- Data Processing Policy: This document regulates the processing of personal data applied by the Company (KiiChain, its consortia, and/or joint ventures) in accordance with the current Colombian legislation on this matter.
- Data Controller: An individual or entity, public or private, that, independently or in association with others, decides on the databases and/or data processing. For purposes of this policy, the Company (KiiChain, its consortia, and/or joint ventures) will act as the data controller.
- Data Transmission: Refers to the communication of personal data by the data controller (KiiChain, its consortia, and/or joint ventures) to a data processor located within or outside the national territory for the latter to process personal data on behalf of the data controller under an INTERNATIONAL DATA TRANSMISSION AGREEMENT (if the data transmission is international).
- Data Transfer: The sending of personal data by a data controller to a recipient, who, upon receiving such information, assumes the role of the data controller and the same obligations as the primary data controller. If the transfer is international, a declaration of conformity or the data subject's explicit authorization is required to allow this operation.
- Processing: Any operation or set of operations performed on personal data, such as collection, storage, use, disclosure, or deletion.
- Superintendency of Industry and Commerce: The public authority in Colombia that, through the Data Protection Delegation, is responsible for inspecting, monitoring, controlling, and sanctioning compliance with data protection laws. This entity may be modified as established by Colombian law regulating this matter.
For terms not included in the above list, reference should be made to Colombian legislation, particularly Law 1581 of 2012 and Decree 1377 of 2013, and other supplementary, complementary, or modifying regulations, giving terms their meaning as used in these laws.
Scope
KiiChain and the Joint Ventures, as well as the Consortia to which it belongs, will have the following duties and responsibilities:
- Guarantee the data subject, at all times, the full and effective exercise of the right of habeas data
- Request and retain, under the conditions set forth by this law, a copy of the respective authorization granted by the data subject
- Properly inform the data subject of the purpose of the data collection and the rights associated with the authorization granted
- Retain the information under the necessary security conditions to prevent its alteration, loss, unauthorized or fraudulent consultation, use, or access
- Ensure that the information provided to the Data Processor is truthful, complete, accurate, updated, verifiable, and understandable
- Update the information, timely communicating any changes to the Data Processor regarding previously provided data, and adopt the necessary measures to keep the information up-to-date
- Correct information when it is inaccurate and communicate such correction to the Data Processor
- Provide the Data Processor only with data whose processing is previously authorized, following the provisions of this law
- Require the Data Processor to respect at all times the security and privacy conditions of the data subject's information
- Process inquiries and claims in the terms established by this law
- Adopt an internal manual of policies and procedures to ensure adequate compliance with this law, particularly for handling inquiries and claims
- Inform the Data Processor when certain information is disputed by the data subject after a claim has been made and the respective procedure is ongoing
- Provide information upon request to the data subject regarding the use of their data
- Notify the data protection authority of security code breaches and risks in data management of data subjects
- Comply with instructions and requirements from the Superintendency of Industry and Commerce.