Policy for the Processing and Protection of Personal Data of Alimentos SAS S.A.S.

Introduction


This document establishes the personal data processing policy for ALIMENTOS SAS S.A.S. (hereinafter “SAS”), in accordance with the guidelines set forth by current regulations on the subject. This policy applies to the processing of personal information of anyone who has a relationship with the company—whether clients, suppliers, or employees—as provided by law.

The most important regulations governing data protection in Colombia are: Law 1581 of 2012; Decree 1377 of June 27, 2013; Decree 886 of 2014; and any other norms that amend, supplement, or complement them, all of which must be applied by SAS. Law 1581 of 2012 constitutes the general framework for personal data protection in Colombia.

The fundamental right to personal data protection in Colombia guarantees citizens the power of decision and control over the information to which they are entitled. As controller of personal data, SAS fulfills the requirement of literal k) of Article 17 of Law 1581 of 2012 through this policy.

Key Definitions for Data Processing
These definitions enable correct interpretation of Law 1581 of 2012 and its regulatory decrees, are indispensable for protecting habeas data, and help determine the responsibilities of all parties involved in processing personal data:

  • Authorization: Prior, express, and informed consent of the Data Subject to carry out processing of personal data, except for public data which may be processed by anyone if, by its nature, it is public.

  • Privacy Notice: Oral or written communication from the controller to the data subject, informing them of the existence of applicable data‐processing policies, how to access them, and the purposes for which personal data will be processed.

  • Database: Organized set of personal data subject to processing.

  • Personal Data: Any information linked to or that can be associated with one or more identified or identifiable natural or legal persons. Personal data may be public, semi‑private, or private.

  • Public Personal Data: Information freely and openly known to the general public. This includes, but is not limited to, civil status, profession or trade, and status as a merchant or public servant. Public data may be found in public registries, official bulletins, and final court decisions not under confidentiality.

  • Private Personal Data: Information that is private and whose knowledge is restricted from the public.

  • Semi‑private Data: Data that is neither intimate nor public; its disclosure may interest not only the data subject but also a sector or the general public.

  • Sensitive Data: Data affecting the data subject’s privacy or whose misuse may lead to discrimination—e.g., racial or ethnic origin, political orientation, religious or philosophical convictions, union membership, health status, sexual life, biometric data (fingerprints, DNA, facial or voice recognition), etc.

  • Biometric Data: Physical, biological, or behavioral traits unique to an individual, such as fingerprint or DNA analysis.

  • Employee: Natural person who, under an employment contract, provides personal services to a legal or natural person, under their dependency, in exchange for remuneration.

  • Former Employee: Natural person who was previously employed by SAS.

  • Visitor: Person who remains on premises for under eight (8) hours without engaging in remunerated activity.

  • Data Processor (Encargado del Tratamiento): Natural or legal person, public or private, who processes personal data on behalf of the Data Controller.

  • Data Controller (Responsable del Tratamiento): Natural or legal person, public or private, who alone or jointly decides on the database and/or the purposes and means of processing personal data.

  • Data‐Processing Policy: This document, which constitutes SAS’s personal data‐processing policy in compliance with applicable law.

  • Supplier: Any natural or legal person providing services to SAS under a contractual relationship.

  • Data Subject (Titular): Natural person whose personal data is subject to processing.

  • Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.

  • Transfer: When the controller or processor located in Colombia sends personal data to a recipient (also responsible for processing) inside or outside the country.

  • Transmission: Communication of personal data within or outside Colombia for processing by a processor on behalf of the controller.

Governing Principles for Personal Data Processing
Article 4 of Law 1581 of 2012 establishes the following guiding principles, which SAS will abide by:

  1. Legality: Processing must comply with Law 1581 (2012), Decree 1377 (2013), and related regulations.

  2. Purpose: Processing must serve a legitimate purpose, which must be communicated to the Data Subject.

  3. Freedom: Processing requires prior, express, and informed consent from the Data Subject, unless a legal mandate dispenses with that consent.

  4. Accuracy and Quality: Processed information must be truthful, complete, exact, up‑to‑date, verifiable, and understandable. Partial or misleading data is prohibited.

  5. Transparency: Data Subjects have the right to obtain, at any time and without restriction, information about their processed data from the controller or processor.

  6. Restricted Access and Circulation: Processing is limited to authorized persons and must respect legal and constitutional limits. Non‑public data may not be made available on mass‐communication channels unless access is technically restricted to authorized parties.

  7. Security: The controller and processor must implement technical, human, and administrative measures to protect data against alteration, loss, unauthorized access, or fraudulent use.

  8. Confidentiality: All individuals involved in processing non‑public data must maintain confidentiality, even after their involvement ends, and may only disclose data as authorized by law.

How We Collect Your Information
We receive personal information through various sources and actions, including:

  • Voluntary provision when you register on our Site.

  • Your use of our Site and related services.

  • External suppliers, services, and public records (e.g., traffic statistics providers).

Databases in Which SAS Acts as Controller and Processor

  1. Payroll Management Database

    • Description: Contains information collected on employees (direct, temporary, interns), managed by Human Resources and Accounting.

    • Contents: Personal data such as name, ID number, date of birth, address, phone, email, blood type, fingerprint, academic background, employment history, financial and family data, and socio‑cultural information.

    • Collection: Data entered via system interface forms; physical files stored in folders. Sources include employment contracts, CV forms, updates, and attached certifications.

    • Purpose: To fulfill employment obligations, register social security, file government reports, pay taxes, manage absences, ensure security, and other internal functions. Fingerprints are used for time‑clock control.

    • Processing: Collection; physical and electronic storage; updates; backups; internal circulation among Human Resources and Accounting; reporting to DIAN and other official bodies; exclusive use by SAS; deletion in accordance with law.

    • Retention: While the employment relationship exists; thereafter marked inactive but kept indefinitely, with a physical archive for current and former employees.

  2. Clients and Suppliers Database

    • Description: Collects data on clients and suppliers with whom SAS has commercial dealings.

    • Contents: Personal, commercial, and financial data collected via email, physical forms, or telephone.

    • Collection: Detailed form via email; telephone interviews recorded in the database.

    • Purpose: To manage commercial relationships, register as client or supplier, request quotes, invoice, track payments and purchase volumes, and report to DIAN and local tax authorities.

    • Processing: Storage in SIIGO system; collection; updates; government reporting; exclusive company use; deletion per law; cloud backups for business continuity.

    • Retention: Indefinitely per SAS’s document‑management program and legal requirements, as long as the commercial relationship continues.

  3. Customer Service Requests, Complaints, and Claims (PQR) Database

    • Description: Information from all PQRs made through account executives, customer service, quality email, or hotline.

    • Contents: Customer’s personal data and details of the request, complaint, or claim.

    • Collection: Via telephone lines and customer‑service email addresses.

    • Purpose: To properly process, track, and resolve PQRs.

    • Processing: Collection; electronic storage; updates; exclusive use by SAS; deletion per legal requirements.

    • Retention: While the PQR is being resolved plus two (2) years; records over three (3) years old may be purged to free up space.

Database Registration
In accordance with Decree 886 of 2014 and External Circular 002 of 2015, the above databases will be registered in the National Database Registry.

Data Subject Authorization for Processing
Under Article 5 of Decree 1377 of 2013, SAS has prepared an “Authorization for Personal Data Processing” form and procedures to obtain prior consent at data collection, informing the Data Subject which personal data will be collected and the specific purposes for which consent is given. Publicly accessible data may be processed without additional authorization if, by its nature, it is public. Authorization is deemed valid when given in writing, orally, or by unequivocal conduct indicating consent.

Authorization for Sensitive Data
When processing sensitive data as permitted by Article 6 of Law 1581 of 2012, SAS will:

  1. Inform the Data Subject that they are not obliged to authorize processing of sensitive data.

  2. Explain the general requirements for any personal data collection, which data are sensitive, and the purpose of processing, and obtain express consent.

  3. Ensure no activity is conditioned on providing sensitive personal data.

Use and Purpose of Personal Data Processing
SAS respects individuals’ privacy and recognizes their right to control personal data. Accordingly, SAS collects, records, stores, and uses personal data for the purposes for which it was requested or as required by public authorities. SAS uses personal data to:
a. Carry out SAS’s corporate activities in accordance with each database’s purpose.
b. Offer products, services, and benefits by physical means, email, or mobile devices.
c. Submit information to private or government entities as legally required.
d. Perform background checks against national and international watchlists (e.g., CIFIN, Datacrédito, Clinton List, Procuraduría, Contraloría, DIJIN).
e. Support internal and external audits.
f. Pursue judicial or extrajudicial actions as permitted by SAS’s statutes.
g. Record employees, former employees, suppliers, and clients in SAS databases for contractual, commercial, or obligatory communications.
h. Verify references of employees, former employees, suppliers, and clients.
i. Automate visitor activity logs.

Personal data will only be used for these purposes; SAS will not sell, transmit, or disclose data except:

  • With the Data Subject’s express authorization.

  • In connection with a merger, consolidation, acquisition, or restructuring.

  • As permitted by law.

Internally, authorized SAS personnel (including shareholders’ assembly, board of directors, statutory auditor, and management) may access data. SAS may subcontract third parties to perform certain functions; they will be bound to protect data as processors.

For data transmission abroad, SAS will execute the necessary agreements under Decree 1377 of 2013 and take appropriate security measures. Once data processing needs cease, records will be securely deleted.

Rights of Data Subjects
Article 8 of Law 1581 of 2012 grants Data Subjects the rights to:
a. Access, update, and rectify their data held by controllers or processors.
b. Request evidence of authorization, except where legally exempt.
c. Be informed of the use given to their data.
d. File complaints with the Superintendence of Industry and Commerce for legal violations.
e. Revoke authorization and/or request data deletion if principles, rights, or guarantees are not upheld.
f. Access their processed data.

Procedure for Exercising Data Subject Rights
Under Article 20 of Decree 1377 of 2013, rights may be exercised by:

  • The Data Subject, proving identity by available means.

  • The Data Subject’s heirs, proving their status.

  • Representatives acting under a valid mandate.

Rights may be exercised via any of SAS’s established channels.

Procedures for Consultation and Claims

  • Consultation: Data Subjects (or representatives) may request their personal data via written or electronic communication. SAS will respond within ten (10) business days or, if delayed, will notify the requester of reasons and a new response date (no more than five (5) additional days). Consultations may be made once per calendar month or whenever policy changes require re‑consultation.

  • Claims: If a Data Subject seeks correction, update, or deletion, or suspects noncompliance, they may file a written claim with identification, facts, address, and supporting documents. A copy of their ID must be attached. SAS will:

    1. Acknowledge and label the record “claim in process” within two (2) business days.

    2. If incomplete, request missing information within five (5) business days; if not received within two (2) months, SAS will consider the claim withdrawn.

    3. Transfer claims outside the recipient’s competence within two (2) business days, notifying the claimant.

    4. Resolve the claim within fifteen (15) business days; if delayed, inform the claimant of reasons and a new response date (no more than eight (8) business days beyond the original term).

All consultations and claims are made through SAS’s designated channels.

Channels for Exercising Rights
Data Subjects may exercise their rights via:

Controller’s Duties (Article 17, Law 1581 of 2012)
SAS must:
a. Ensure effective exercise of habeas data rights.
b. Request and retain proof of Data Subject authorization.
c. Inform Data Subjects of collection purposes and rights.
d. Securely store information to prevent unauthorized access or alteration.
e. Ensure data accuracy and completeness.
f. Update and communicate changes to processors.
g. Rectify inaccurate data and inform processors.
h. Provide processors only the data they are authorized to handle.
i. Enforce security and privacy conditions on processors.
j. Process consultations and claims in a timely manner.
k. Maintain an internal policy and procedure manual.
l. Inform processors of disputed data once a claim is filed.
m. Inform Data Subjects of data usage upon request.
n. Notify the data protection authority of security breaches.
o. Comply with all requests and orders from the Superintendence of Industry and Commerce.

Processor’s Duties (Article 18, Law 1581 of 2012)
Processors must:
a. Ensure effective exercise of habeas data rights.
b. Securely store data to prevent unauthorized access or alteration.
c. Update, rectify, or delete data promptly.
d. Implement updates from controllers within five (5) business days.
e. Handle consultations and claims per this policy and the law.
f. Maintain an internal policy and procedure manual.
g. Label records “claim in process” in accordance with the law.
h. Label records “information under judicial review” when notified by competent authority.
i. Cease circulation of data under dispute or blocked by the Superintendence.
j. Restrict access to authorized personnel only.
k. Notify the Superintendence of Industry and Commerce of security breaches.
l. Comply with all instructions and requirements from the Superintendence.

Security Measures
SAS protects data confidentiality, integrity, and availability through:
a. Access controls via passwords and role‑based authority levels.
b. Password encryption and complexity/rotation policies.
c. Backup and redundancy storage.
d. Password protection on workstations.
e. All measures detailed in the Technology Department’s Security and Access Control Policy Manual.

Designation of Responsible Area or Person
For consultations, complaints, claims, and requests regarding personal data, contact:

Policy Modification
If substantial changes occur affecting the identity of the controller or the purposes of data processing—impacting the scope of prior authorizations—SAS will notify Data Subjects no later than at implementation and obtain new authorizations when required.

Effective Date
This personal data‐processing policy was created on May 18, 2014, and is effective upon publication.
Last Modified: March 20, 2019.