Data Processing Policy

Lina Marcela Zuluaga
Tax ID: 1017203177

María Isabel Zuluaga
Tax ID: 1152703194

Brand: Skull Accessories

PERSONAL DATA PROCESSING POLICY

AIM

To guarantee the proper handling of personal data handled by the Company in compliance with Law 1581 of 2012, Regulatory Decree 1377 of 2013, Single Regulatory Decree No. 1074 of 2015 and other regulations that repeal, modify or complement them.

SCOPE

This applies to databases and files containing personal information of suppliers, clients, collaborators, or any other person whose information is processed by Lina Marcela Zuluaga and María Isabel Zuluaga representing the Skull Accesorios brand.

This applies to employees in all areas who, in the course of their duties, process personal data of suppliers, clients, employees, or any other natural person.

DEFINITIONS

For the purposes of the following policy, the following definitions shall apply:

  • Authorization : Prior, express and informed consent of the data subject to carry out the processing of their personal data.
  • Database : An organized set of personal data that is subject to processing in accordance with the Law.
  • Files : A collection of documents kept by the company containing personal information regulated by law.
  • Personal data : Information linked to or that can be associated with one or more specific or identifiable natural persons.
  • Sensitive data : Those that affect the privacy of the holder or whose misuse may generate discrimination, such as: those that reveal racial or ethnic origin, political orientation, religious or philosophical beliefs, membership of trade unions, social or human rights organizations, data relating to health, sex life and biometric data.
  • Data Processor : The natural or legal person who processes personal data on behalf of the Company.
  • Data controller : Natural or legal person who decides on the basis and processing of the data.

Third : Any natural or legal person other than the persons belonging to Lina Marcela Zuluaga and María Isabel Zuluaga representing the Skull Accesorios brand.

  • Data Subject : Natural person whose personal data is being processed.
  • Transfer : Data transfer takes place when the controller and/or processor of personal data located in Colombia sends the information or personal data to a recipient, who in turn is responsible for the processing and is located inside or outside the country.
  • Transmission: Processing of personal data that involves the communication of the same, within or outside the Colombian territory, when its purpose is to carry out processing on behalf of the responsible party.
  • Processing : Any operation or set of operations performed on personal data, such as collection, storage, use, circulation, or deletion.

POLICY

4.1. General

  • 4.1.1. Lina Marcela Zuluaga and María Isabel Zuluaga representing the Skull Accesorios brand, with main address at Cra 27 49 a 81, hereinafter The Company; is responsible for the processing of personal data that appears registered in its databases and files in accordance with Law 1581 of 2012, Regulatory Decree 1377 of 2013, Single Regulatory Decree No 1074 of 2015 and other regulations that repeal, modify or complement them.
  • 4.1.2. For any request or claim related to this policy, please contact us at the email address Skullmed.accesorios@gmail.com or by mobile phone at +57 319 286 7700.
  • 4.1.3. Any area or employee of the Company that, due to their functions, is in charge of processing databases with personal information must comply with the provisions of the policy and procedure of this document.
  • 4.1.4. The Company must register in the National Database Registry the databases that contain personal data subject to processing.

4.2. Information Processing

  • 4.2.1. Compliance with the Law
    The Company strictly complies with the legal requirements on Personal Data Protection, especially Law 1581 of 2012, Regulatory Decree 1377 of 2013, Single Regulatory Decree No. 1074 of 2015 and other regulations that repeal, modify or complement them.
  • 4.2.2. Purpose
    The Company informs the data subjects of the specific purpose of the processing of their personal data, which in any case will have as its main purpose to carry out the accounting, tax, administrative, commercial, operational, and human resources management of the Company; as well as the development of welfare, health, education, culture activities, and to ensure the safety of people and property related to the activity of the same.
    The Company deletes the personal data collected when it is no longer necessary or relevant for the purpose for which it was obtained.
  • 4.2.3. Authorization
    The Company will process the information with the prior, express and informed consent of the owner, which will be obtained through any means that can be subsequently consulted.

Authorization is not required when it comes to:

    • Information that is required by a public or administrative entity in the exercise of its legal functions or by court order
    • Data that is of a public nature
    • Cases of medical or health emergency
    • Processing of information authorized by law for historical, statistical or scientific purposes
    • Data related to the Civil Registry of the person
  • 4.2.4. Truthfulness
    The information provided by the data subject must be truthful, complete, accurate, verifiable, and up-to-date. The data subject guarantees the authenticity of all data communicated to the Company.
  • 4.2.5. Access and circulation of information
    In processing information, the Company adheres to the limitations arising from the nature of the personal data, the provisions of the Law, and the Constitution. In this regard, the Company will only process data with the data subject's authorization and in the cases provided for by law.
    The information will be available on the internet or other mass media provided that access is controlled in accordance with the Company's policies and is limited to its owners or third parties authorized to process the information.
  • 4.2.6. Information Security
    The Company has the necessary technical, human and administrative measures to guarantee the security of personal data obtained and stored in its databases and files, preventing its alteration, loss, unauthorized or fraudulent consultation or access.
    The Company may publish personal databases on the Intranet or Internet provided that it has prior authorization from the owner of the personal data, restrictions are set for its access and the publication is approved by the Marketing Department.
  • 4.2.7. Confidentiality
    The Company guarantees the confidentiality of the information, even after the processing work has been completed.
    The Company's employees responsible for processing personal information agree to comply with the policy and procedures outlined in this document.
  • 4.2.8. Sensitive Data
    The Company may only process sensitive data when:
    • The data subject has given explicit authorization for such processing
    • It is necessary to safeguard the vital interests of the data subject, and the data subject is physically or legally incapacitated. In these cases, authorization from legal representatives is required.
    • It refers to data that is necessary for the recognition, exercise or defense of a right in a judicial process.
    • It has a historical, statistical or scientific purpose, provided that measures are taken to suppress the identity of the data subjects.
  • 4.2.9. Rights of the holders
    The owners of the information processed by the Company have the following rights:
    • To know, update and correct your personal data
    • Request proof of authorization granted to the Company, except in the cases specified by law that do not require authorization:
    • Information required by a public or administrative entity in the exercise of its legal functions or by court order
    • Data of a public nature
    • Medical or health emergency
    • Processing of information authorized by law for historical, statistical or scientific purposes
    • Data related to the civil registration of people
    • To be informed of the use that has been made of your personal data.
    • To file complaints with the Superintendency of Industry and Commerce for non-compliance with Law 1581 of 2012, Regulatory Decree 1377 of 2013, Single Regulatory Decree No. 1074 of 2015 and other regulations that repeal, modify or complement them.
    • Revoke authorization and/or request the deletion of data when the Company does not respect the constitutional and legal principles, rights and guarantees.
    • Access your personal data that is being processed by the Company.
    • The data subject may submit requests, inquiries and complaints via email to Skullmed.accesorios@gmail.com.

PROCEDURE

5.1. Authorizations
The Company requests written authorization from every supplier, client or collaborator whose personal data it processes, provided that they are a natural person, so that their data can be processed in accordance with the purpose established in each case.

5.2. Consultations
The owner or their successor who wishes to make inquiries about their personal information may do so through the email address Skullmed.accesorios@gmail.com.
At the request of the data subject, the Company will provide all the information contained in the individual record or linked to the identification of the data subject.
The Company will respond to the inquiry within a maximum of ten (10) business days from the date of receipt. If it is not possible to respond within this timeframe, the Company will inform the interested party of the reasons for the delay and indicate the response date, which may not exceed five (5) business days following the initial deadline.

5.3. Claims
The data subject or their successor may file a claim with the Company to have their personal information corrected, updated, deleted, or when they consider that the Company is not complying with Law 1581 of 2012, Regulatory Decree 1377 of 2013, Single Regulatory Decree No. 1074 of 2015 and other regulations that repeal, modify or complement them.

You may also revoke the authorization granted for the processing of your personal data.

Claims are made via email to Skullmed.accesorios@gmail.com.

  • Claims must contain:
    • Identification of the holder
    • Description of the events that give rise to the claim
    • Address
    • Attached documents (if applicable)
    • If the person in charge of receiving the complaint detects that the data is incomplete, they will request the interested party to make the necessary corrections within five (5) days following receipt of the complaint.
    • The person responsible for receiving the complaint will respond to it. If they are not authorized to do so, they will forward it within a maximum of two (2) business days to the appropriate person and will inform the complainant of this situation.
    • The Company will respond to the claim within fifteen (15) business days from the day after receiving it. If it is not possible to respond within this timeframe, the Company will inform the interested party of the reasons for the delay and indicate the response date, within eight (8) business days following the initial deadline.
    • Claims submitted by data subjects must be registered in the National Database Registry

5.4. Transfer and transmission of information
The Company will provide the personal data subject to processing to the following persons:

  • Owner of the information, their successors or legal representatives.
  • Public or administrative entities in the exercise of their legal functions or by court order.
  • Third parties authorized by the owner or by law.

The Company will provide personal data to third parties only with the data subject's authorization, for the purpose of fulfilling the normal requirements of its business operations. In this case, the third party, from the moment it receives the information, becomes the data processor and must comply with all applicable legal obligations.

Any third party who, due to their relationship with the Company, is entrusted with the processing of personal data, must be required to include a contractual clause expressing their knowledge of the law and their responsibility in complying with it, and will also require prior authorization from the data subject to process their personal data.

5.5. Exceptions
This policy does not apply to databases and files that:

  • Their purpose is national security and defense, as well as the prevention, detection, monitoring and control of money laundering and the financing of terrorism.
  • Their purpose is to contain and provide intelligence and counterintelligence information.
  • Their purpose is to provide journalistic information and other editorial content.

5.6. Validity
This Policy and Procedure is effective from March 7, 2018 and will remain in effect until the issuance of other policies or a substantial change to them.

5.7. Policy Versions

First version: November 3, 2021