In accordance with the provisions of Article 17 (k) and Article 18 (f) of the Statutory Law 1581 of 2012 and Article 13 of Decree 1377 of 2013, it is the obligation of those responsible / responsible for the processing of personal data to adopt an internal manual of policies and procedures to ensure the attention of queries and claims that their users have with respect to the treatment that it gives to them.

Rivera y Arcos s.a.s - Sombreros y Ponchos de Colombia, domiciled in Calle 11 # 12 - 32 of the city of Bogotá, mail: gerencia@sombrerosyponchosdecolombia.commobile: 315 2545192is committed to the strictest compliance with the law and the protection of the rights of individuals, therefore, informs its affiliates the adoption of the following policies on collection, processing and use of personal data, which will be mandatory for the company, as controller, its employees, as well as those third parties that by provision of the company assume the quality of data processors.

FIELD OF APPLICATION

The present policies will apply to the collection, treatment and use of the personal data of the users of Rivera y Arcos s.a.s - Sombreros y Ponchos de Colombia, that have or have had the quality of users, that is used and/or are in the data bases of our entity.

DEFINITIONS

• Authorization: it is the prior and express consent given by the owner of the data to carry out the processing of the same.

• Personal data: is that information linked or that can be associated to one or several determined or determinable natural persons and which can identify them. For example: name, address, telephone number, e-mail, marital status, fingerprint, etc.
• Semi-private personal data: data that is not of an intimate, reserved or public nature and whose knowledge or disclosure may be of interest not only to its owner, but also to a group of persons or to society in general. In this case, the express authorization of the owner of the information is required for its processing. For example: financial data, data related to relations with social security entities (EPS, AFP, ARL, Cajas de Compensación).
• Sensitive personal data: is that information that affects the privacy of its owner so that its improper use can generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties as well as information relating to health, sex life and biometric data. This information may not be processed unless it is required to safeguard a vital interest of the holder or the holder is incapacitated and its collection has been expressly authorized.
• Private personal data: is personal data that, due to its intimate or reserved nature, is only of interest to its owner and requires express authorization for its processing. For example: Level of schooling, merchants' books, among others.
• Public personal data: is that type of personal data that the norms and the Constitution have expressly determined as public and, for whose collection and processing, the authorization of the owner of the information is not necessary. For example: civil status of persons, data contained in the RUNT, data contained in enforceable court judgments, among others.
• Data Processor: is the natural or legal person, public or private, that by itself or in association with others, performs the Processing of personal data on behalf of the Controller.
• Data controller: is the natural or legal person, public or private, who alone or in association with others, decides on the database and/or the processing of the data.
• Data subject: is the natural person who is the owner of the personal data and who must authorize its processing. In the case of minors, their legal representatives will have the power to authorize or not the processing of their personal data.
• Processing: is any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.

TREATMENT TO WHICH THE PERSONAL DATA WILL BE SUBJECTED AND ITS PURPOSE

The personal data of the users that Rivera y Arcos s.a.s - Sombreros y Ponchos de Colombia has will be treated with the following purpose:

• Sending of newsletters
• Send promotions and discounts
• Article Delivery
• Responses to requests for improvement, petitions, complaints and grievances
• Verification of affiliation status, current regulations, company processes and social security related services.
• Marketing activities and/or promotion of services of third parties with whom the company has entered into commercial alliances.
• Information on new products and services
• Information on campaigns and special programs
• Definition of demand and analysis of services rendered by the company
• Notification of payments generated by the company
• Satisfaction surveys on services and care provided
• Updating data and identification documents
• To consolidate the timely and quality supply are the suppliers,
• To invite them to selection and quotation processes.
• For the verification of balances with payables
• For the determination of outstanding obligations, the consultation of financial information and credit history and the report to information centers of unfulfilled obligations, with respect to debtors.
• To eventually contact natural persons, with whom we have had a relationship, such as workers, consumers, customers, distributors, suppliers, creditors and debtors, among others, for the development of all purposes.

RIGHTS OF USERS OF Rivera y Arcos s.a.s - Sombreros y Ponchos de Colombia

• The rights that the users of Rivera y Arcos s.a.s - Sombreros y Ponchos de Colombia have regarding the treatment of their personal data are:
• Know, update and rectify your personal data. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or data whose processing is expressly prohibited or has not been authorized.
• Request proof of the authorization granted to the data controller.
• Be informed by the company of the use that has been made of your personal data.
• To file before the Superintendence of Industry and Commerce complaints for violations to the Data Protection Law and other regulations that modify, add or complement it.
• To revoke the authorization and/or request the deletion of the data when it is considered that the treatment does not respect the principles, rights and constitutional and legal guarantees. The revocation and/or deletion will proceed when the Superintendence of Industry and Commerce has determined that in the treatment the responsible or in charge have incurred in conduct contrary to this law and the constitution.
• Access free of charge to your personal data that has been processed.

DUTIES OF Rivera y Arcos s.a.s - Hats and Ponchos of Colombia

• When Rivera y Arcos s.a.s - Sombreros y Ponchos de Colombia is directly responsible for the treatment of its users' data, it must comply with the following duties:
• Guarantee to the company's users, at all times, the full and effective exercise of their constitutional right to habeas data.
• Request and keep, under the conditions foreseen in this manual, a copy of the authorization granted by the user who owns the data.
• Clearly inform the user about the purpose of the collection and the rights he/she has by virtue of the authorization granted.
• Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access.
• Ensure that the information provided to the data processor is truthful, complete, accurate, updated, verifiable and understandable.
• To update the information, communicating in a timely manner to the data processor, all the news regarding the data previously provided and to adopt the other necessary measures so that the information provided to the data processor is kept up to date.
• Rectify the information when it is incorrect and communicate the pertinent to the person in charge of the treatment.
• To provide the data processor, as the case may be, only with data whose processing has been previously authorized.
• Require the data processor at all times to respect the conditions of security and privacy of the user's information.
• To process queries and claims formulated by users within the terms established in this Policy.
• Inform the data processor when certain information is under discussion by the user of the company, once the complaint has been filed and the respective process has not been completed.
• Inform upon request of the user about the use given to their data.
• Inform the data protection authority when there are violations to the security codes and there are risks in the administration of the information of its users.
• Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
• When Rivera y Arcos s.a.s - Sombreros y Ponchos de Colombia carries out the processing on behalf of a third party (data processor), it must comply with the following duties:
• Guarantee to the company's users, at all times, the full and effective exercise of their constitutional right to habeas data.
• Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access.
• Timely update, rectification or deletion of data in the terms established in this policy.
• Update the information reported by the data controllers within five (5) business days from its receipt.
• To process queries and claims formulated by users under the terms established in this policy.
• Register in the database the legend "complaint in process" in the manner regulated in this policy.
• Insert in the database the legend "information under judicial discussion" once notified by the competent authority about judicial processes related to the quality of the personal data.
• Refrain from circulating information that is being disputed by the user and whose blocking has been ordered by the Superintendence of Industry and Commerce.
• Allow access to information only to those who can access it.
• Inform the Superintendence of Industry and Commerce when there are violations to the security codes and there are risks in the administration of user information.
• Comply with the instructions and requirements given by the Superintendence of Industry and Commerce with respect to data processing.

CASES IN WHICH AUTHORIZATION IS NOT REQUIRED FOR DATA PROCESSING

• When public personal data is involved.
• When the personal data is required by a public entity in the exercise of its functions.
• When faced with medical or sanitary emergencies.
• When they are processed for historical, statistical or scientific purposes.
• When the data relates to information contained in the civil registry.

PERSONS TO WHOM AUTHORIZATION FOR DATA PROCESSING CAN BE PROVIDED

• Information that meets the conditions set forth in this policy may be provided to the following persons:
• To the owners, their successors in title or their legal representatives.
• To public or administrative entities in the exercise of their legal functions or by court order.
• To third parties authorized by the owner or by law.
  
  

POLICIES FOR THE TREATMENT OF SENSITIVE DATA

• The treatment of sensitive data of the user of Rivera y Arcos s.a.s - Sombreros y Ponchos de Colombia is prohibited, except in the following cases:
• When the user has given explicit authorization for such treatment, except in cases where the law does not require the granting of such authorization.
• When the processing of the data is necessary to safeguard the vital interest of the user and the user is physically or legally incapacitated. In these events, the legal representatives must grant their authorization.
• When the processing is carried out in the course of legitimate activities and with due guarantees by a foundation, NGO, association or any other non-profit organization, whose purpose is political, philosophical, religious or trade union, provided that they refer exclusively to its members or persons who maintain regular contacts by reason of its purpose. In these events, the data may not be provided to third parties without the owner's authorization.
• When the processing relates to data that are necessary for the recognition, exercise or defense of a right in a judicial proceeding.
• When the processing has a historical, statistical or scientific purpose. In this event, the measures leading to the suppression of the identity of the owners must be adopted.

And warning the user the following conditions: a) that for the processing of their sensitive data is not required to authorize their treatment and b) that explicitly and previously, in addition to the general requirements of authorization for the collection of any type of personal data, it must be established which of the data to be processed are sensitive and the purpose to be given to them, as well as to obtain their express consent.

In the case of users' health data, they will be considered part of their medical history and will be kept in the confidentiality established by law.

DATA PROCESSING OF MINORS

The processing of personal data of children and adolescent beneficiaries of the company is prohibited, except in the case of data of a public nature and when the processing complies with the following parameters and requirements:

• That it responds to and respects the best interests of children and adolescents.
• To ensure respect for their fundamental rights.
• Once the above requirements have been met, the legal representative of the child or adolescent will grant the authorization after the minor has exercised his or her right to be heard, an opinion that will be assessed taking into account the maturity, autonomy and capacity to understand the matter.

PROCESS FOR INQUIRIES AND COMPLAINTS

The users of Rivera y Arcos s.a.s - Sombreros y Ponchos de Colombia will be able to access and consult their personal information through the following means provided by the company:

E-mail: gerencia@sombrerosyponchosdecolombia.com

Customer Service Hotline Bogotá 571- 2822824

In order to access such information, the company will perform, prior to the request, the verification of the user's identity by requesting confirmation of certain personal data contained in the database. Once the identity of the owner has been verified, he/she will be provided with all the information about his/her personal data and will be able to carry out any procedure related to such data.

In the event that the user needs to make an additional query or requires that the information contained in the company's database is updated, rectified, modified or deleted, or considers that there is an alleged breach in the protection of their data, they may submit a query/complaint via email (gerencia@www.sombrerosyponchosdecolombia.com, user service line 571- 2822824. The response to the query/complaint submitted by the user will be handled by the User Service area.

The consultation/complaint submitted by a user must, in all cases, be in writing and must contain, at least, the following points:

• Complete identification of the user (name, notification address, identification document).
• Description of the facts giving rise to the inquiry/complaint.
• Documents supporting the facts.
• The way you would like to receive the answer to your inquiry/complaint.

In case of consultation, the user will be given an answer within ten (10) working days following the filing of the request. When it is not possible to answer the request within the above term, the user will be informed, stating the reasons for the delay and indicating the date on which the request will be answered, which in no case may exceed five (5) business days following the expiration of the first term.

In case of a claim, a response will be given within fifteen (15) business days from the day following the date of filing. When it is not possible to address the claim within such term, the user will be informed of the reasons for the delay and the date on which the claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.

If Rivera y Arcos s.a.s - Sombreros y Ponchos de Colombia is not competent to solve it, it will transfer it to whoever corresponds within a maximum term of two (2) working days and will inform the user of the situation.

INFORMATION SECURITY ASSURANCE POLICY

According to the present Policy adopted by Rivera y Arcos s.a.s - Sombreros y Ponchos de Colombia for the treatment of the personal data of our users, we inform that the mechanisms through which these data are used are safe and confidential since the company has the appropriate technological means to ensure that such data are stored securely guaranteeing their confidentiality.

PRIVACY NOTICE

The users of Rivera y Arcos s.a.s - Sombreros y Ponchos de Colombia are informed that the privacy notice is published in the link "data processing policy".

EFFECTIVE DATE

The present policy of treatment of personal data of the users of Rivera y Arcos s.a.s - Sombreros y Ponchos de Colombia is effective as of February 01, 2017.