Data Processing Policy

Lukaika ® with registered office in the city of Bogotá, has established this privacy and personal data protection policy, which regulates the collection, storage, management and protection of information received by all clients, suppliers, consumers, contractors, debtors, creditors, employees and related parties. For the purposes of this policy, the following will be taken into account:

DEFINITIONS

Privacy notice: is the document that appears in any physical, electronic or other format generated by the person responsible for the processing of personal data, which is made available to the user for the processing of his/her personal data. The privacy notice informs the Owner of the information of the existence of these information processing policies that will be applicable to him/her, the way to access them and the purposes and rights for the processing that will be given to the personal data provided by him/her.

Authorization: is the prior and express consent of the user to carry out the processing of their personal data.

Database: is the set of all personal data that have been authorized by its Users and that will be subject to the treatment established by this policy.

Personal Data: is any information linked to or that can be associated with a user.

Private Data: data that due to its intimate or reserved nature is only relevant to the user.

Sensitive Data: is data that affects the privacy of the user or whose misuse may lead to discrimination based on racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data relating to health, sexual life and biometric data.

Data Controller: For the purposes of this policy, it is Lukaika ® who manages the personal data of its users, in accordance with the provisions of the Law and in this document.

Data Processor: is the natural person designated by the person responsible for the processing of personal data (Lukaika ® ).

Holder: natural person to whom the information belongs and who has freely and voluntarily expressed to Lukaika ® your authorization for your personal data to be processed.

Processing: any operation on personal data, such as the collection, storage, use, circulation, modification, clarification or deletion of such data.

PRINCIPLES IN THE PROCESSING OF PERSONAL DATA

As a fundamental premise of this policy, Lukaika ® respects the privacy of each natural or legal person who provides their personal information through the different information collection channels established for this purpose, Lukaika ® guarantees that it has adequate and secure storage mechanisms and systems. The information is collected, processed and used in accordance with current data protection and privacy regulations.

Nevertheless, Lukaika ® is not responsible for any consequences arising from improper access by third parties to the database and/or for any technical failure in the operation and/or conservation of data in the information storage system.

The data provided by the Owner must be clear, truthful, verifiable and accurate, so that their processing can be equally reliable.

Confidentiality in the processing of personal data is another of the guiding principles of this policy, since all officials with access to the databases are required to maintain strict confidentiality in their handling.

All data stored and processed by Lukaika ® must have the prior and express authorization of its owner, which must be granted freely and voluntarily. Notwithstanding this principle, authorization will not be necessary in the following events:

  • Information required by a public or administrative entity in the exercise of its legal functions or by court order.
  • Data of a public nature.
  • Cases of medical or health emergencies.
  • Processing of information authorized by law for historical, statistical or scientific purposes.
  • Data related to the civil registry of persons.

Personal data will be included in a database and will be used for the following purposes:

  • Encode in our systems, the requests for linking as clients and/or suppliers.
  • Inform about new products or services.
  • Comply with obligations contracted with our clients, suppliers, and employees.
  • Achieve efficient communication related to our products, services, offers, promotions, alliances, studies, contests, content, as well as those of our affiliated companies, and to facilitate general access to information about these.
  • Provide our services and products.
  • To inform about the launch of new products or services, or changes to them.
  • Evaluate the quality of service.
  • Conduct internal studies on consumer habits.
  • Consult, report, process and transfer information to risk centers.

PROCESSING OF PERSONAL DATA OF MINORS: The processing of data of minors must comply with and respect their rights. In the event of processing Personal Data of minors, Lukaika ® , will observe the applicable regulations and will adhere to the rulings of the Constitutional Court on this matter.

SENSITIVE DATA PROCESSING: Given that Lukaika ® may collect biometric data, such as surveillance videos, photographs, fingerprints, and others that may be considered sensitive data, will guarantee that the processing of this information will be carried out seeking to establish mechanisms that improve its service processes and in compliance with the provisions contained in Law 1581 of 2012 and Chapter 25 of Decree 1074 of 2015.

DUTIES AND RIGHTS

1. Rights of the Data Subject:

To know, update and rectify your personal data in front of the data controllers or data processors. This right may be exercised, among others, in the case of partial, inaccurate, incomplete, fragmented data that may lead to error, or data whose processing is expressly prohibited or has not been authorized.

Request proof of the authorization granted to the data controller, except when it is expressly excepted as a requirement for processing, in accordance with the provisions of this policy.

Be informed by the data controller or data processor, upon request, regarding the use that has been given to your personal data.

Submit complaints to the Superintendency of Industry and Commerce for violations of the provisions of the Law.

Revoke the authorization and/or request the deletion of the data when the processing does not respect the constitutional and legal principles, rights and guarantees. The revocation and/or deletion will proceed when the Superintendence of Industry and Commerce has determined that in the processing, the person responsible or in charge has engaged in conduct contrary to the Law and the Constitution.

Access free of charge to your personal data that has been processed.

2. Duties of the person responsible for the processing of personal data:

Guarantee the Holder, at all times, the full and effective exercise of the right to habeas data.

Request and retain, under the conditions provided by law, a copy of the respective authorization granted by the Owner.

Properly inform the Owner about the purpose of the collection and the rights granted to him/her by virtue of the authorization granted.

Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access.

Ensure that the information provided to the data controller is true, verifiable, complete, accurate, up-to-date, verifiable and understandable.

Update the information, communicating in a timely manner to the data controller all new developments regarding the data previously provided and adopting the other measures necessary to ensure that the information provided to the controller remains up to date.

Rectify information when it is incorrect and communicate the relevant information to the data controller.

Demand that the person in charge of the treatment respects the security and privacy conditions of the Owner's information at all times.

Process queries and complaints made by data owners in accordance with the terms set out in the law.

Inform the data controller when certain information is being discussed by the Data Controller, once the claim has been submitted and the respective process has not been completed.

Inform the Owner, upon request, about the use given to their data.

Inform the data protection authority when security code violations occur and there are risks in the management of the information of the Holders.

Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

3. Duties of the person in charge of processing personal data:

Guarantee the Holder, at all times, the full and effective exercise of the right to habeas data.

Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access.

Carry out the updating, rectification or deletion of data in a timely manner.

Update the information reported by those responsible for the treatment within five (5) business days from its receipt.

Process queries and complaints made by data owners.

Record the legend “claim in process” in the database when appropriate.

Insert the legend “information under judicial discussion” into the database, once notified by the competent authority about judicial processes related to the quality of personal data.

Refrain from circulating information that is being disputed by the Owner and whose blocking has been ordered by the Superintendency of Industry and Commerce.

Allow access to information only to people who can access it.

Inform the Superintendency of Industry and Commerce when security code violations occur and there are risks in the management of the information of the Holders.

Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

AREA RESPONSIBLE AND PROCEDURES FOR DATA CONSULTATION AND FOR PRESENTING CLAIMS:

The area responsible for queries, complaints and claims will be the Marketing area:

The Holders or their successors in title may consult the Holder's personal information that is stored in the database.

The Data Controller or Data Processor must provide the Data Subject with all information contained in his or her individual record or that is linked to his or her identification.

The query will be made via email and the other contact details listed in the privacy notice published on the website www.lukaika.com and which in any case is attached to this policy as Annex 1.

The query will be answered within a maximum period of ten (10) business days from the date of receipt of the same. When it is not possible to answer the query within said period, the interested party will be informed, stating the reasons for the delay and indicating the date on which the query will be answered, which in no case may exceed five (5) business days following the expiration of the first period.

The Owner or his/her successors in title who consider that the information contained in a database should be corrected, updated or deleted, or when they notice the alleged non-compliance of any of the duties contained in the Law, may file a claim with the person responsible for data processing, through the communication channels established in the privacy notice. For the purposes of filing claims, the following procedure must be followed and the following requirements must be met:

The claim must contain at least: the identification of the Holder, the description of the facts that give rise to the claim, the address and, accompanying, the documents that you wish to assert.

If the claim is incomplete, the interested party will be required within five (5) days following receipt of the claim to correct the deficiencies. After two (2) months from the date of the request, if the applicant does not submit the required information, it will be understood that he has withdrawn the claim.

In the event that the person receiving the claim is not competent to resolve it, he/she will forward it to the appropriate person within a maximum period of two (2) business days and will inform the interested party of the situation.

Once the complete claim has been received, a legend stating “claim in process” and the reason for the claim will be included in the database within a period of no more than two (2) business days. This legend must be maintained until the claim is decided.

The maximum term to address the claim will be fifteen (15) business days counted from the day following the date of receipt.

When it is not possible to address the claim within this period, the interested party will be informed of the reasons for the delay and the date on which his claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term. The Holder or successor in title may file a complaint with the Superintendence of Industry and Commerce once he has exhausted the consultation or claim process with Lukaika. ®.

EFFECTIVE DATE: This Personal Data Policy was created on March 15, 2019.

Any changes to this policy will be reported via email to: lukaikaempresa@gmail.com.