1. LEGAL BASIS AND SCOPE OF APPLICATION
This Personal Data Processing Policy is developed in compliance with Articles 15 and 20 of the Political Constitution, as well as based on Articles 17 literal k) and 18 literal f) of Statutory Law 1581 of 2012, which establishes general provisions for the Protection of Personal Data, and in compliance with Article 2.2.2.25.1.1 Section 1 Chapter 25 of Decree 1074 of 2015, which partially regulates Law 1581 of 2012.
This Policy shall apply to all personal data recorded in databases that are subject to processing by the Data Controller.
1.1. Scope
This document shall apply to all personal data that is used or stored in the databases and files of SEW EURODRIVE COLOMBIA, respecting the criteria of collection, storage, use, circulation, and final disposition of personal data established in Law 1581 of 2012 and its regulatory decrees. Additionally, it sets forth the obligations and guidelines of SEW EURODRIVE COLOMBIA for the management and processing of personal data contained in its databases and files. This Policy applies to all processes of SEW EURODRIVE COLOMBIA in which data processing (public data, semi-private data, private data, sensitive data, data of boys, girls, and adolescents) is necessary, in the capacity of Controller and/or Processor.
1.2. Applicable Regulations
- Political Constitution of Colombia
- Law 1581 of 2012
- Decree 1074 of 2015 Chapters 25 and 26 compiling the following decrees:
• Decree 1377 of 2013
• Decree 886 of 2014
- Law 1266 of 2008 “Whereby the general provisions of Habeas Data are issued.”
- Administrative acts issued by the Superintendence of Industry and Commerce.
2. DEFINITIONS
The following definitions are established in Article 3 of Law 1581 of 2012 and Article 2.2.2.25.1.3 Section 1 Chapter 25 of Decree 1074 of 2015 (Article 3 of Decree 1377 of 2013).
2.1. Authorization:
Prior, express, and informed consent of the Data Subject to carry out the processing of personal data.
2.2. Database:
An organized set of personal data that is subject to processing, belonging to the same context and systematically stored for subsequent use.
2.3. Personal Data:
Any information linked or that may be associated with one or more identified or identifiable natural persons. These data are classified as public, semi-private, private, and sensitive:
2.3.1. Public Data:
Data that the law or the Political Constitution determines as such, as well as all those that are not semi-private, private, or sensitive. Considered public data, among others, are those related to the civil status of persons, their profession or occupation, and their quality as a merchant or public servant.
By their nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins, and judicial decisions duly finalized that are not subject to confidentiality.
2.3.2. Semi-Private Data:
Data that is neither intimate, reserved, nor public in nature and whose knowledge or disclosure may be of interest not only to its Data Subject but also to a certain sector or group of persons or to society in general, such as databases containing financial, credit, commercial, service-related information, and information originating from third countries.
2.3.3. Private Data:
Personal data that, due to its intimate or reserved nature, is of interest solely to its Data Subject and whose processing requires his or her prior, informed, and express authorization.
2.3.4. Sensitive Data:
Sensitive data is understood as those that affect the privacy of the Data Subject or whose improper use may lead to discrimination, such as those revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in trade unions, social or human rights organizations, or organizations that promote the interests of any political party or that ensure the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.
2.4. Data Processor:
Natural or legal person, public or private, that by itself or in association with others carries out the processing of personal data on behalf of the Data Controller.
2.5. Data Controller:
Natural or legal person, public or private, that by itself or in association with others decides on the database and/or the processing of the data.
2.6. Person Responsible for Managing the Databases:
Employee in charge of controlling and coordinating the proper application of the data processing policies once the data is stored in a specific database, as well as implementing the guidelines issued by the Data Controller and the Data Protection Officer.
2.7. Data Protection Officer:
The natural person who assumes the role of coordinating the implementation of the legal framework for the protection of personal data, who will handle the requests of the Data Subjects for the exercise of the rights referred to in Law 1581 of 2012.
2.8. Data Subject:
Natural person whose personal data is subject to processing.
2.9. Processing:
Any operation or set of operations performed on personal data, such as collection, storage, use, circulation, or deletion.
2.10. Privacy Notice:
Verbal or written communication generated by the Controller, addressed to the Data Subject for the processing of his or her personal data, through which the Data Subject is informed about the existence of the information processing policies applicable to him or her, the way to access them, and the purposes of the processing intended for the personal data.
2.11. Transfer:
The transfer of data takes place when the Data Controller and/or Processor of personal data, located in Colombia, sends the information or personal data to a recipient who, in turn, is a Data Controller and is located within or outside the country.
2.12. Transmission:
Processing of personal data that involves the communication thereof within or outside the territory of the Republic of Colombia when its purpose is the execution of a processing determined by the Processor on behalf of the Controller.
3. PRINCIPLES OF DATA PROTECTION
Article 4 of Law 1581 of 2012 establishes a set of principles for the processing of personal data that must be applied harmoniously and comprehensively in the development, interpretation, and application of the Law. The legal principles of data protection are as follows:
3.1. Principle of Legality:
The processing of data is a regulated activity that must be subject to the provisions established in Law 1581 of 2012, Decree 1377 of 2013 compiled in Chapter 25 of Decree 1074 of 2015, and in the other provisions that may develop it.
3.2. Principle of Purpose:
The processing must pursue a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Data Subject.
3.3. Principle of Freedom:
The processing may only be carried out with the prior, express, and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that waives such consent. The processing of data requires the prior and informed authorization of the Data Subject by any means that may be subsequently verified.
3.4. Principle of Truthfulness or Quality:
The information subject to processing must be truthful, complete, accurate, updated, verifiable, and understandable. The processing of partial, incomplete, fragmented, or misleading data is prohibited.
3.5. Principle of Transparency:
In the processing, the right of the Data Subject to obtain from the Data Controller or the Data Processor, at any time and without restrictions, information regarding the existence of data concerning him or her must be guaranteed. At the time of requesting authorization from the Data Subject, the Data Controller must clearly and expressly inform him or her of the following, keeping proof of compliance with this duty:
- The processing to which his or her data will be subjected and its purpose.
- The optional nature of the Data Subject’s response to questions asked when these relate to sensitive data or to data of boys, girls, or adolescents.
- The rights that assist him or her as the Data Subject.
- The identification, physical address, email, and telephone number of the Data Controller.
3.6. Principle of Restricted Access and Circulation:
Processing is subject to the limits derived from the nature of personal data, from the provisions of Law 1581 of 2012, and from the Constitution. In this regard, processing may only be carried out by persons authorized by the Data Subject and/or by those provided for by law. Personal data, except for public information, may not be available on the Internet or other means of mass dissemination or communication, unless access is technically controllable to provide restricted knowledge only to the Data Subjects or to third parties authorized in accordance with the Law.
3.7. Principle of Security:
The information subject to processing by the Data Controller or the Data Processor must be handled with the technical, human, and administrative measures necessary to ensure the security of the records, preventing their alteration, loss, or unauthorized or fraudulent consultation, use, or access. The Data Controller is responsible for implementing the corresponding security measures and informing all personnel who have direct or indirect access to the data. Users who access the information systems of the Data Controller must know and comply with the security rules and measures corresponding to their duties. These security rules and measures are contained in PL-02 Internal Security Policies, which are mandatory for all users and company personnel. Any modification of the rules and measures concerning personal data security by the Data Controller must be brought to the attention of the users.
3.8. Principle of Confidentiality:
All persons involved in the processing of personal data that is not of a public nature are obliged to guarantee the confidentiality of the information, even after their relationship with any of the tasks comprising the processing has ended, and may only supply or communicate personal data when this corresponds to the development of activities authorized under Law 1581 of 2012 and in accordance with its provisions.
4. AUTHORIZATION FOR THE USE OF PERSONAL DATA
In accordance with Article 9 of Law 1581 of 2012, the processing of personal data requires the authorization of the Data Subject, except in cases expressly indicated as exceptions in the regulations governing the protection of personal data. Prior to and/or at the time of collecting the personal data, SEW EURODRIVE COLOMBIA shall request authorization from the Data Subject for its collection and processing, indicating the purpose for which the data is requested, using for such purposes automated, written, or oral technical means that allow for the preservation of proof of the authorization and/or of the unequivocal conduct described in Article 2.2.2.25.2.4 Section 2 Chapter 25 of Decree 1074 of 2015.
Authorization from the Data Subject shall not be required when it concerns:
- Information required by a public or administrative entity in the exercise of its legal functions or by court order.
- Data of a public nature.
- Cases of medical or health emergencies.
- Processing of information authorized by law for historical, statistical, or scientific purposes.
- Data related to the Civil Registry of persons.
5. REQUEST FOR AUTHORIZATION FROM THE DATA SUBJECT
Authorization for the use and/or processing of data shall be managed by SEW EURODRIVE COLOMBIA through mechanisms that ensure its subsequent consultation and the expression of the Data Subject’s consent by the following means:
- In writing.
- Orally.
- Through automated channels.
- Through unequivocal conduct by the Data Subject that reasonably allows the conclusion that authorization was granted.
SEW EURODRIVE COLOMBIA, prior to and/or at the time of collecting the personal data, shall clearly and expressly inform the Data Subject of the following:
a) The Processing to which his or her personal data will be subjected and its purpose;
b) The optional nature of the response to questions asked when these relate to sensitive data or to the data of boys, girls, and adolescents;
c) The rights that assist him or her as the Data Subject;
d) The identification, physical or electronic address, and telephone number of SEW EURODRIVE COLOMBIA.
6. DATA CONTROLLER
The Data Controller of the databases subject to this Policy is SEW EURODRIVE COLOMBIA, whose contact information is as follows:
- Address: CL 17 132 18, BOGOTÁ D.C - CAPITAL DISTRICT
- Email: recepcion@sew-eurodrive.com.co
- Telephone: 3162222201
7. PROCESSING AND PURPOSES OF THE DATABASES
SEW EURODRIVE COLOMBIA, in the development of its corporate purpose, carries out the processing of personal data related to natural persons contained in databases intended for legitimate purposes, in compliance with the Constitution and the Law. Such processing includes the collection, storage, use, circulation, or final disposition in accordance with the purposes authorized by the Data Subject.
Annex 2 Purposes of Databases of this document contains the information related to the different databases under the organization’s responsibility and the purposes assigned to each of them for their processing.
8. VALIDITY OF THE DATABASE
The personal data incorporated into the databases shall remain valid for the period necessary to fulfill the purposes for which their processing was authorized, in accordance with Article 2.2.2.25.2.8 of Decree 1074 of 2015 and the special regulations governing the matter; current regulations related to the retention period shall also be taken into account.
9. RIGHTS OF THE DATA SUBJECTS
In accordance with Article 8 of Law 1581 of 2012, the Data Subjects may exercise a series of rights in relation to the processing of their personal data. The Data Subject shall have the following rights:
a) To know, update, and rectify his or her personal data before the Data Controllers or Data Processors. This right may be exercised, among others, regarding partial, inaccurate, incomplete, fragmented data, data that may induce error, or those whose Processing is expressly prohibited or has not been authorized;
b) To request proof of the authorization granted to the Data Controller, except when it is expressly excluded as a requirement for Processing, in accordance with the provisions of Article 10 of this law;
c) To be informed by the Data Controller or the Data Processor, upon request, regarding the use that has been made of his or her personal data;
d) To file complaints before the Superintendence of Industry and Commerce for violations of the provisions of this law and other regulations that modify, add to, or complement it;
e) To revoke the authorization and/or request the deletion of the data when the Processing does not respect constitutional and legal principles, rights, and guarantees. Revocation and/or deletion shall proceed when the Superintendence of Industry and Commerce has determined that the Data Controller or Data Processor has engaged in conduct contrary to the law and the Constitution;
f) To access free of charge his or her personal data that have been subject to Processing.
In accordance with Article 2.2.2.25.4.1 of Decree 1074 of 2015, these rights may be exercised by the following persons:
1. By the Data Subject, who must sufficiently prove his or her identity through the various means made available by the Data Controller.
2. By his or her successors, who must prove such capacity.
3. By the Data Subject’s representative and/or attorney, upon proof of representation or power of attorney.
4. By stipulation in favor of another or for another.
The rights of boys, girls, or adolescents shall be exercised by the persons authorized to represent them.
9.1. Right of Access or Inquiry
This refers to the right of the Data Subject to be informed by the Data Controller, upon request, regarding the origin, use, and purpose that have been given to his or her personal data.
9.2. Rights to Complaints and Claims
The Law distinguishes four types of claims:
- Correction claim: the right of the Data Subject to have partial, inaccurate, incomplete, fragmented data, data that may induce error, or those whose processing is expressly prohibited or has not been authorized, updated, rectified, or modified.
- Deletion claim: the right of the Data Subject to have data that are inadequate, excessive, or that do not respect constitutional and legal principles, rights, and guarantees deleted.
- Revocation claim: the right of the Data Subject to nullify the authorization previously granted for the processing of his or her personal data.
- Infringement claim: the right of the Data Subject to request that the noncompliance with the regulations on Data Protection be remedied.
9.3. Right to Request Proof of Authorization Granted to the Data Controller
The Data Subject or successor may request the physical or digital proof of the authorization granted for the processing of personal data.
9.4. Right to File Complaints before the Superintendence of Industry and Commerce for Infringements
The Data Subject or successor may only submit a petition (complaint) to the SIC – Superintendence of Industry and Commerce once the consultation or claim procedure has been exhausted before the Data Controller or Data Processor.
10. PROCESSING OF MINORS’ DATA
SEW EURODRIVE COLOMBIA, in accordance with Article 7 of Law 1581 of 2012, carries out the Processing of personal data of boys, girls, and adolescents within the framework of the criteria established in Article 2.2.2.25.2.9 Section 2 Chapter 25 of Decree 1074 of 2015 (Article 12 of Decree 1377 of 2013), observing the following parameters and requirements:
1. That the use of the data responds to and respects the best interests of boys, girls, and adolescents.
2. That the use of the data ensures respect for the minors’ fundamental rights.
Once these requirements have been met, SEW EURODRIVE COLOMBIA shall request authorization from the legal representative of the boy, girl, or adolescent, after allowing the minor to exercise his or her right to be heard; such opinion shall be assessed considering the child’s maturity, autonomy, and ability to understand the matter.
The Data Controller and/or Data Processor shall ensure the proper use of the data of boys, girls, and adolescents by applying the principles and obligations established in Law 1581 of 2012 and regulatory standards. Likewise, it shall identify the sensitive data collected or stored in order to strengthen security in the processing of information.
11. DUTIES AS DATA CONTROLLER
SEW EURODRIVE COLOMBIA, in its capacity as Data Controller, shall comply with the following duties, without prejudice to other provisions set forth in this Policy and in any others governing its activity:
11.1. Regarding the Data Subject:
a) To guarantee the Data Subject, at all times, the full and effective exercise of the right of habeas data;
b) To request and keep, under the conditions provided in this law, a copy of the respective authorization granted by the Data Subject;
c) To duly inform the Data Subject about the purpose of the collection and the rights conferred by virtue of the granted authorization;
d) To process the inquiries and claims submitted under the terms established in this law;
e) To inform the Data Subject, upon request, about the use given to his or her data;
11.2. Regarding the Data Processor:
a) To guarantee that the information provided to the Data Processor is truthful, complete, accurate, updated, verifiable, and understandable;
b) To update the information, timely communicating to the Data Processor all updates or changes regarding the data previously provided, and to adopt the necessary measures to ensure that the information provided remains current;
c) To rectify the information when it is incorrect and communicate the relevant corrections to the Data Processor;
d) To inform the Data Processor when certain information is under dispute by the Data Subject, once a claim has been submitted and while the respective procedure has not been concluded;
e) To provide the Data Processor, as applicable, only with data whose Processing has been previously authorized in accordance with the provisions of this law;
f) To require the Data Processor, at all times, to respect the security and privacy conditions of the Data Subject’s information;
g) To ensure that the Data Processors fully comply with the Data Processing Policies.
11.3. Regarding the Principles and Other Obligations:
a) To observe the principles of legality, purpose, freedom, quality, truthfulness, transparency, restricted access and circulation, security, and confidentiality.
b) To adopt an internal manual of policies and procedures to ensure proper compliance with Law 1581 of 2012 and its regulatory decrees, particularly with respect to handling inquiries and claims;
c) To inform the data protection authority when breaches of security codes occur and there are risks in the management of the Data Subjects’ information.
d) To comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
e) To preserve the information under the necessary security conditions to prevent its alteration, loss, or unauthorized or fraudulent consultation, use, or access.
12. DUTIES AS DATA PROCESSOR
SEW EURODRIVE COLOMBIA, in its capacity as Data Processor, shall comply with the following duties, without prejudice to other provisions set forth in this Policy and in any others governing its activity:
a) To guarantee the Data Subject, at all times, the full and effective exercise of the right of habeas data;
b) To preserve the information under the necessary security conditions to prevent its alteration, loss, or unauthorized or fraudulent consultation, use, or access;
c) To timely carry out the updating, rectification, or deletion of data under the terms of this law;
d) To update the information reported by the Data Controllers within five (5) business days from its receipt;
e) To process the inquiries and claims submitted by the Data Subjects under the terms established in this law;
f) To adopt an internal manual of policies and procedures to ensure proper compliance with this law, particularly regarding the handling of inquiries and claims by the Data Subjects;
g) To record in the database the note “claim in process” in the manner regulated by this law;
h) To insert in the database the note “information under judicial discussion” once notified by the competent authority about judicial proceedings related to the quality of the personal data;
i) To refrain from circulating information that is being disputed by the Data Subject and whose blocking has been ordered by the Superintendence of Industry and Commerce;
j) To allow access to the information only to those persons who are authorized to access it;
k) To inform the Superintendence of Industry and Commerce when breaches of security codes occur and there are risks in the management of the Data Subjects’ information;
l) To comply with the instructions and requirements issued by the Superintendence of Industry and Commerce;
m) To comply with the Personal Data Processing Policies of the Data Controllers.
13. ATTENTION TO DATA SUBJECTS
For handling petitions, inquiries, and claims regarding personal data protection, SEW EURODRIVE COLOMBIA has designated a Data Protection Officer. Data Subjects may send their petitions or inquiries through the following channels:
- Email: recepcion@sew-eurodrive.com.co
- Address: CL 17 132 18, BOGOTÁ D.C - CAPITAL DISTRICT
- Telephone: 3162222201
14. PROCEDURES FOR EXERCISING THE RIGHTS OF THE DATA SUBJECT
14.1. Right of access or inquiry
SEW EURODRIVE COLOMBIA shall guarantee the Data Subject free consultation of his or her personal data in the following cases (Article 2.2.2.25.4.2 Section 4 Chapter 25 of Decree 1074 of 2015):
1. At least once every calendar month.
2. Whenever there are substantial modifications to the information processing policies that motivate new inquiries.
For inquiries whose frequency is greater than one per calendar month, SEW EURODRIVE COLOMBIA may charge the Data Subject for shipping, reproduction, and, where applicable, certification of documents. Reproduction costs may not exceed the costs of recovering the corresponding material. For this purpose, SEW EURODRIVE COLOMBIA shall provide the Superintendence of Industry and Commerce, when so required, with support for such expenses.
The Data Subject may exercise the right of access or inquiry of his or her data by means of a written request addressed to SEW EURODRIVE COLOMBIA, sent by email to: recepcion@sew-eurodrive.com.co, indicating in the Subject line “Exercise of the right of access or inquiry,” or by postal mail sent to CL 17 132 18, BOGOTÁ D.C. The request must contain the following information:
- Name and surnames of the Data Subject.
- Photocopy of the Data Subject’s Citizenship ID and, where applicable, of the person representing him or her, as well as the document evidencing such representation.
- Petition specifying the request for access or inquiry.
- Address for notifications, date, and signature of the applicant.
- Documents supporting the submitted petition, when applicable.
The Data Subject may choose one of the following methods of database consultation to receive the requested information:
- On-screen viewing.
- In writing, with a copy or photocopy sent by certified or non-certified mail.
- Email or another electronic means.
- Another technical, digital, or electronic mechanism provided by SEW EURODRIVE COLOMBIA.
Once the request has been received, SEW EURODRIVE COLOMBIA shall resolve the inquiry within a maximum period of ten (10) business days from the date of receipt thereof. When it is not possible to address the inquiry within that term, the interested party shall be informed of the reasons for the delay and the date on which the inquiry will be addressed, which in no case may exceed five (5) business days following the expiration of the initial term. These deadlines are established in Article 14 of Law 1581 of 2012.
Once the inquiry procedure has been exhausted, the Data Subject or successor may file a complaint before the Superintendence of Industry and Commerce.
14.2. Rights to Complaints and Claims
The Data Subject may exercise the rights to claim regarding his or her data through a written request addressed to SEW EURODRIVE COLOMBIA, sent by email to recepcion@sew-eurodrive.com.co, indicating in the Subject line “Exercise of the right to complaint or claim,” or by postal mail sent to CL 17 132 18, BOGOTÁ D.C. The request must contain the following information:
- Name and surnames of the Data Subject.
- Photocopy of the Data Subject’s Citizenship ID and, where applicable, of the person representing him or her, as well as the document evidencing such representation.
- Description of the facts and petition specifying the request for correction, deletion, revocation, or infringement.
- Address for notifications, date, and signature of the applicant.
- Documents supporting the petition submitted that are intended to be used, when applicable.
If the claim is incomplete, the interested party shall be requested within five (5) days following receipt of the claim to correct the deficiencies. If two (2) months elapse from the date of the request without the applicant providing the required information, it shall be understood that the claim has been withdrawn.
Once the complete claim has been received, a note stating “claim in process” and the reason for it shall be included in the database within no more than two (2) business days. This note shall remain until the claim has been resolved.
SEW EURODRIVE COLOMBIA shall resolve the claim within a maximum period of fifteen (15) business days from the date of receipt. When it is not possible to address the claim within this term, the interested party shall be informed of the reasons for the delay and the date on which the claim will be handled, which in no case may exceed eight (8) business days following the expiration of the initial term.
Once the claim procedure has been exhausted, the Data Subject or successor may file a complaint before the Superintendence of Industry and Commerce.
14.3. Authorized Persons to Receive Information
SEW EURODRIVE COLOMBIA shall provide the Data Subjects’ information to the following persons authorized to receive it, in accordance with Article 13 of Law 1581 of 2012:
• To the Data Subjects, their successors, or their legal representatives;
• To public or administrative entities in the exercise of their legal functions or by court order;
• To third parties authorized by the Data Subject or by law.
14.3.1. Verification of the Authority to Request or Receive Information
For the handling of the consultation or claim request, the applicant must provide the following documents to prove his or her ownership or authority to receive the requested information, according to the following cases:
• Data Subject: Copy of the identification document.
• Successor: Identification document of the applicant, death certificate of the Data Subject, document evidencing the capacity in which he or she acts, and a copy of the Data Subject’s identification document.
• Legal representative and/or attorney-in-fact: Identification document of the applicant, document evidencing the capacity in which he or she acts (Power of Attorney), and a copy of the Data Subject’s identification document.
15. PROCESSING OF DATA IN VIDEO SURVEILLANCE SYSTEM
SEW EURODRIVE COLOMBIA shall inform individuals about the existence of video surveillance systems through the placement of visible notices accessible to all Data Subjects and installed in the areas under video surveillance, primarily at the entrances to the monitored locations and within them. These notices shall inform who the Data Controller is, the purposes of the processing, the rights of the Data Subject, the channels available for exercising such rights, and where the Personal Data Processing Policy is published.
Additionally, it shall retain the images only for the time strictly necessary to fulfill the intended purpose and shall register the database storing the images in the National Database Registry.
Access to and disclosure of the images shall only be permitted upon request from a judicial or administrative authority in the exercise of its functions, who must request it in writing. Consequently, the disclosure of the collected information shall be handled in accordance with the purpose established by the Data Controller.
16. PROCESSING OF PERSONAL DATA IN ARTIFICIAL INTELLIGENCE (AI) SYSTEMS
SEW EURODRIVE COLOMBIA may employ Artificial Intelligence (AI) technologies for the processing of personal data, provided that it is limited to the processing and purposes established in the authorization for the processing of personal data granted by the Data Subject, and complies with the provisions set forth in Law 1581 of 2012 and its complementary regulations.
However, the organization shall refrain from using artificial intelligence (AI) systems when it is determined that the processing of personal data poses a risk of significantly affecting the Data Subject, after analyzing the criteria of suitability, necessity, reasonableness, and proportionality described in Circular 002 of 2024 issued by the Superintendence of Industry and Commerce.
The use of these tools shall adhere to the principles of legality, purpose, freedom, truthfulness, security, confidentiality, and demonstrated accountability, and must include sufficient technical, human, and administrative security measures to prevent unauthorized access, improper handling, loss, or fraudulent use of the personal information of Data Subjects.
17. SECURITY MEASURES
SEW EURODRIVE COLOMBIA is committed to protecting all personal and sensitive data it manages by adopting appropriate security measures to ensure their confidentiality, integrity, and availability at all times. Sensitive data include, but are not limited to, information related to health, financial data, biometric information, as well as any other data classified as sensitive under current regulation.
In order to safeguard the security and privacy of sensitive data, the organization has implemented a set of specific control measures within this Policy and in “Annex 1 PL-01 Database Organization,” which include, but are not limited to: encryption of information both in transit and at rest, multifactor authentication for access to systems that store or process sensitive data, network segmentation to minimize exposure risks, and periodic audits to verify compliance with internal policies. Likewise, personnel have been trained in the proper handling of such data, and penetration and vulnerability tests are carried out regularly. SEW EURODRIVE COLOMBIA also has an incident response plan that includes specific procedures for the containment and mitigation of potential security breaches involving sensitive data.
Furthermore, SEW EURODRIVE COLOMBIA, through the execution of the corresponding transmission contracts, has required the Data Processors with whom it works to implement the necessary security measures to ensure the protection and confidentiality of the information during the processing of personal data.
18. COOKIES OR WEB BUGS
SEW EURODRIVE COLOMBIA may collect personal information from its users during the use of its website, application, or linked pages (Landing Page). Users have the option to store this personal information on such platforms to facilitate the transactions and services offered by SEW EURODRIVE COLOMBIA and/or its linked portals.
To this end, SEW EURODRIVE COLOMBIA uses various tracking and data collection technologies, such as first-party and third-party cookies. These cookies act as analytical tools that allow website and application owners to understand how visitors interact with their platforms. These tools may use cookies to collect information and generate usage statistics without personally identifying users.
The collected information allows the analysis of browsing patterns, the offering of personalized services, and the facilitation of various functions such as user authentication, remembering user preferences, and presenting personalized offers. Likewise, SEW EURODRIVE COLOMBIA may use this information to analyze the performance of its platforms and services, combine it with other personal data in its possession, and share it with authorized entities, always in compliance with applicable regulations.
If a user does not wish his or her personal information to be collected through cookies, he or she may modify the preferences of his or her web browser. However, it is important to note that disabling cookies may cause certain functionalities of the website, the application, or the linked pages to become unavailable or operate in a limited manner.
Users may allow, block, or delete the cookies installed on their devices by configuring their browser options, such as:
• Google Chrome
• Safari
• Microsoft Edge
• Samsung Internet
• Opera
• Mozilla Firefox
• Android Browser
• Internet Explorer
• UC Browser
• Brave
According to the user’s browsing preferences, the SEW EURODRIVE COLOMBIA website may:
• Install on the user’s device cookies necessary to allow the secure operation, access, and navigation of the site. It may also use functional cookies to evaluate and improve performance in order to provide a better customer experience on the Site.
• Install on the user’s device first-party or third-party cookies for analytical purposes. Please note that these can be deleted through the browser options.
By accepting all cookies, the user gives consent to store, access, and process data regarding his or her visit to the website. By selecting the customize option, the user may review the different cookies that collect information and may enable or disable their tracking, except for essential cookies.
Categories:
• Marketing: Collect information about browsing behavior to display relevant advertisements.
• Statistics: Allow understanding how users interact with the website’s pages and thus perform statistical analysis of the services provided.
• Analytics: Collect information about the use of the website, allow tracking and analysis of user behavior on the websites to which they are linked, and thereby offer a better experience.
• Essential: These cookies are necessary for the website to function and cannot be disabled in our systems; they are used strictly to provide an online service.
19. SECURITY INCIDENT NOTIFICATION, MANAGEMENT, AND RESPONSE GUIDELINE
SEW EURODRIVE COLOMBIA has an incident reporting procedure for communication and notification among employees, the Personal Data Protection Officer, Data Processors, Data Subjects, supervisory and control entities, as well as judicial authorities. This procedure is designed for the management and response to security incidents from the moment they are detected, in order to evaluate and address identified vulnerabilities, ensuring that systems, networks, and applications remain sufficiently secure.
All users and individuals responsible for managing databases, as well as any person involved in the collection, storage, use, circulation, or any processing or consultation of databases, must be familiar with the procedure to act in the event of security incidents, to guarantee the confidentiality, availability, and integrity of the information contained in the databases under their responsibility.
Examples of security incidents include: failure of security systems that allows unauthorized persons to access personal data; unauthorized attempts to extract documents or files; data loss or total or partial destruction of storage media; change in the physical location of databases; disclosure of passwords to third parties; modification of data by unauthorized personnel; among others.
In the event of a security incident, the response team or Committee shall take into account the following criteria:
Strategy for identifying, containing, and mitigating security incidents.
• Apply measures to contain and reverse the impact that the security incident may have.
• Properly assess the security incident and its impact on the Data Subjects.
• Verify the legal or contractual requirements with service providers associated with the security incident.
• Determine the level of risk for the Data Subjects and notify the occurrence.
• Verify the roles and responsibilities of the personnel in charge of the operation of the affected information or data.
Timeline for the management of the security incident
Apply the procedure to address security incidents in accordance with parameters that allow proper management and impact mitigation. Verify, based on the assessment of the security incident, the need to notify entities such as: the Office of the Attorney General of the Nation, the Office of the Inspector General of the Nation, GAULA, the National Police, the Financial Superintendence of Colombia, the Cyber Police Center, colCERT, Police CSIRT, Asobancaria CSIRT, Sectoral CSIRT, among others.
Progress of the security incident report
Monitor the management process by setting deadlines, evaluating its progress, and identifying possible conflict points that may arise during the handling of the security incident.
Evaluation of the response to the security incident
Once the security incident has been managed and controlled, the response team shall review the actions executed to contain it and make the necessary adjustments to implement an improvement plan.
Implemented actions and improvement plans
Establish the necessary actions to mitigate the impact of the security incident and prevent its recurrence through corrective and preventive actions, as well as improvement plans that the response team must adopt.
Review
Evaluate the causes that originated the security incident and the success of its management to assess the effectiveness of the controls and actions implemented. Document the lessons learned to take them into account in future situations.
Documentation and reporting to the supervisory and control entity
Record internally the information related to the security incident and prepare a report with evidence of the actions taken, which must be filed before the Superintendence of Industry and Commerce through the RNBD within fifteen (15) business days following the detection of the incident.
20. RISK MANAGEMENT ASSOCIATED WITH DATA PROCESSING
SEW EURODRIVE COLOMBIA has identified risks related to the processing of personal data and established controls to mitigate their causes through the implementation of PL-02 Internal Security Policies. Therefore, it shall establish a risk management system along with the tools, indicators, and resources necessary for its administration, when the organizational structure, internal processes and procedures, the number of databases, and the types of personal data processed by the organization are considered to be exposed to frequent or high-impact events or situations that affect the proper provision of services or compromise the Data Subjects’ information.
The risk management system shall determine the sources such as technology, human resources, infrastructure, and processes that require protection, their vulnerabilities, and the threats, in order to assess their level of risk. Therefore, to ensure the protection of personal data, consideration shall be given to the type or group of internal and external individuals and the different levels of access authorization. Likewise, the possibility of occurrence of any type of event or action that could cause damage (material or immaterial) shall be considered, such as:
- Criminality: Understood as actions caused by human intervention that violate the law and are penalized by it.
- Events of physical origin: Understood as natural and technical events, as well as events indirectly caused by human intervention.
- Negligence and institutional decisions: Understood as actions, decisions, or omissions by persons who hold power and influence over the system. At the same time, these are the least predictable threats because they are directly related to human behavior.
SEW EURODRIVE COLOMBIA, within its risk management program, shall implement protection measures to prevent or minimize damage in the event a threat materializes.
21. DISCLOSURE OF PERSONAL DATA TO AUTHORITIES
When a public or administrative entity, in the exercise of its legal functions or by judicial order, requests SEW EURODRIVE COLOMBIA to provide access to and/or delivery of personal data contained in any of its databases, the legality of the request and the relevance of the requested data in relation to the purpose stated by the authority shall be verified. For the delivery, a document shall be used to provide the requested data with a warning that the authority must guarantee the confidentiality, security, restricted access, and circulation of such data, specifying the obligation to protect the Data Subject’s rights. This document must be sent to the institutional physical or electronic channels of the requesting entity.
22. INTERNATIONAL TRANSFER AND TRANSMISSION OF PERSONAL DATA
SEW EURODRIVE COLOMBIA shall transfer personal data to countries that provide adequate levels of data protection. A country shall be deemed to offer an adequate level of data protection when it complies with the standards established by the Superintendence of Industry and Commerce on the matter, which in no case may be lower than those required by Law 1581 of 2012 for its recipients. This prohibition shall not apply in the following cases:
- Information for which the Data Subject has given his or her express and unequivocal authorization for the transfer.
- Exchange of medical data when required for the Data Subject’s treatment for reasons of health or public hygiene.
- Banking or stock market transfers in accordance with the applicable legislation.
- Transfers agreed upon within the framework of international treaties to which the Republic of Colombia is a party, based on the principle of reciprocity.
- Transfers necessary for the execution of a contract between the Data Subject and the Data Controller, or for the execution of pre-contractual measures, provided that the Data Subject’s authorization has been obtained.
- Transfers legally required for the safeguarding of the public interest, or for the recognition, exercise, or defense of a right in a judicial proceeding.
In cases where data transfer is necessary and the destination country is not included in the list of countries considered safe harbors designated by the Superintendence of Industry and Commerce, a declaration of conformity must be obtained from that same authority regarding approval for the international transfer of personal data.
International transmissions of personal data carried out between SEW EURODRIVE COLOMBIA and a Data Processor, for the purpose of allowing the Processor to perform processing on behalf of the Controller, shall not require prior notification to the Data Subject or his or her consent, provided that there exists a personal data transmission contract. This personal data transmission contract must be signed between the Controller and the Processor to define the scope of personal data processing under their control and responsibility, as well as the activities the Processor will carry out on behalf of the Controller and the Processor’s obligations toward the Data Subject. Additionally, the Processor must comply with the following obligations and apply the current data protection regulations in force in Colombia:
1. Process, on behalf of the Controller, the personal data in accordance with the principles that protect them.
2. Safeguard the security of the databases containing personal data.
3. Maintain confidentiality regarding the processing of personal data.
The above conditions established for international data transmissions shall also apply to national data transmissions.
23. PROCESSING OF BIOMETRIC DATA
The biometric data stored in the databases are collected and processed strictly for security purposes, to verify personal identity and control access for employees, clients, and visitors. Biometric identification mechanisms capture, process, and store information related to, among others, individuals’ physical features (fingerprints, voice recognition, and facial characteristics) to establish or “authenticate” each person’s identity.
The management of biometric databases is carried out using technical security measures that ensure compliance with the principles and obligations established by the Statutory Law on Data Protection, while also guaranteeing the confidentiality and privacy of the Data Subjects’ information.
24. NATIONAL DATABASE REGISTRY – RNBD
SEW EURODRIVE COLOMBIA has registered the information of its databases and shall perform the annual update of its database inventory in the National Database Registry (RNBD) between January 2 and March 31, as enabled by the Superintendence of Industry and Commerce for that purpose.
The National Database Registry is a public directory of personal databases subject to processing that operate in the country, administered by the Superintendence of Industry and Commerce, in accordance with the provisions of Article 25 of Law 1581 of 2012.
In this regard, Data Subjects and any interested party may consult the minimum information set forth in Article 5 of Decree 886 of 2014 in order to facilitate the exercise of their rights to know, update, rectify, delete data, and/or revoke authorization.
25. INFORMATION AND PERSONAL DATA SECURITY
Compliance with the regulatory framework on Personal Data Protection, as well as the security, confidentiality, and privacy of the information stored in databases, is of vital importance to SEW EURODRIVE COLOMBIA. Therefore, we have established information security policies, guidelines, procedures, and standards, which may be modified at any time to align with new regulations and the needs of SEW EURODRIVE COLOMBIA, with the objective of protecting and preserving the integrity, confidentiality, and availability of information and personal data.
Likewise, we guarantee that during the collection, storage, use, and/or processing, destruction, or deletion of the provided information, we rely on technological security tools and implement security practices that include: the circulation and storage of sensitive information through secure mechanisms, the use of secure protocols, the safeguarding of technological components, restriction of information access to authorized personnel only, data backups, secure software development practices, among others.
If it becomes necessary to provide information to a third party due to the existence of a contractual relationship, we execute a data transmission agreement to guarantee the confidentiality and privacy of the information, as well as compliance with this Data Processing Policy, the information security policies and manuals, and the procedures for handling Data Subject requests established by SEW EURODRIVE COLOMBIA. In all cases, we adopt commitments to ensure the protection, care, security, and preservation of the confidentiality, integrity, and privacy of the stored data.
26. DOCUMENT MANAGEMENT
Documents containing personal data under the responsibility of SEW EURODRIVE COLOMBIA must be easily retrievable. Therefore, the organization must document the location where both physical and digital documents are stored. These storage locations must be inspected frequently, and their preservation must be guaranteed by defining the medium and conditions under which they will be maintained, taking into account environmental conditions, storage sites, and risks to which they are exposed, among others. The document retention period shall be determined based on legal requirements when applicable; otherwise, SEW EURODRIVE COLOMBIA shall define it according to its needs. Likewise, the final disposition of the documents must be established, identifying whether they are to be recycled, reused, preserved, or digitized, among others.
To ensure traceability, documents must be coded and shall be updated and modified by the personnel responsible at SEW EURODRIVE COLOMBIA. Such modification shall be carried out only when necessary; for the elimination of a document, justification must be provided in the historical record located at the bottom of all documents.
Both physical and digital documents containing personal data must be protected from external or internal agents who could alter their content, following the guidelines described in PL-02 Internal Security Policies.
The distribution of documents containing personal data shall be carried out by SEW EURODRIVE COLOMBIA, which shall document evidence of such distribution, specifying, among other details, the type of document and the identification of the person to whom the information was delivered.
SEW EURODRIVE COLOMBIA shall designate a person responsible for guaranteeing the confidentiality of the Data Subjects’ personal data. This person shall safeguard the documents, ensure their physical and digital protection, prevent alterations to the information, and guarantee that any documents leaving his or her custody are identified and easily traceable.
27. EFFECTIVE DATE
This updated Policy shall be effective as of 2025-09-09. The databases under the responsibility of SEW EURODRIVE COLOMBIA shall be subject to processing for as long as is reasonable and necessary to fulfill the purposes for which the data were collected and in accordance with the authorization granted by the Data Subjects.