PERSONAL DATA PROCESSING POLICY
INTRADECON
1. Purpose
Intradecon's purpose is to guarantee the proper handling of personal data, in compliance with the constitutional right of Habeas Data, enshrined in Article 15 of the Political Constitution of Colombia, Law 1581 of 2012, Decree 1377 of 2013, the Single Regulatory Decree 1074 of 2015, and other regulations that modify, add to, or replace them.
This Policy defines the principles, guidelines, responsibilities, and procedures applicable to the collection, storage, use, circulation, updating, correction, deletion, and protection of personal data processed by Intradecon, ensuring the confidentiality, integrity, availability, and traceability of the information, in accordance with the Integrated Management System, the principles of ISO 9001, and the B Corp model.
2. Scope
This Policy applies to all personal data contained in physical or digital databases managed by Intradecon, as well as to data processed by third parties acting as Data Processors, within or outside of Colombia, when such processing is subject to Colombian law.
It is mandatory for employees, contractors, suppliers, strategic partners, and other interested parties who have access to personal data by virtue of their roles or relationships with Intradecon.
3. Regulatory and Reference Framework
This Policy is governed, among others, by the following provisions:
• Political Constitution of Colombia – Article 15.
• Law 1581 of 2012 – General Regime for the Protection of Personal Data.
• Decrees 1377 of 2013 and 1074 of 2015.
• Jurisprudence of the Constitutional Court and guidelines of the Superintendency of Industry and Commerce.
Additionally, Intradecon adopts, as international best practices, the data protection principles of the European Union's General Data Protection Regulation (GDPR), where compatible and applicable, as well as information management guidelines aligned with ISO 27001, as a reference for strengthening internal control.
4. Definitions
For the purposes of this Policy, the definitions established in Law 1581 of 2012 and its implementing regulations apply, including, among others: Authorization, Privacy Notice, Database, Personal Data, Public Data, Private Data, Semi-Private Data, Sensitive Data, Data Processor, Data Controller, Data Subject, and Processing.
5. Data Controller
Data Controller: International Trade Cargo & Contract Consultancy S.A.S. – BIC (Intradecon)
Address: Calle 114 #6A-92 Office D401A, Hacienda Santa Bárbara – Bogotá D.C., Colombia
Email: juridica@intradecon.com
Customer Service Line: +57 310677 7622
6. Intradecon's Duties as Data Controller
Intradecon, in its capacity as Data Controller, undertakes to:
• Guarantee the full and effective exercise of data subjects' rights.
• Request and retain prior, express, and informed consent for the processing of personal data.
• Clearly and sufficiently inform data subjects of the purposes of the processing.
• Implement appropriate technical, human, and administrative controls for the protection of information.
• Process inquiries, requests, and complaints in accordance with the law.
• Promptly report to the Superintendency of Industry and Commerce any security incidents that compromise personal data.
7. Principles for the Processing of Personal Data
The processing of personal data at Intradecon is governed by the principles of legality, purpose limitation, freedom, accuracy or quality, transparency, restricted access and circulation, security, and confidentiality.
8. Processing and Purposes
Intradecon processes the personal data of clients, employees, suppliers, partners, third parties, and shareholders for legitimate purposes related to:
• The provision of international logistics, foreign trade, and consulting services.
• Contractual, accounting, tax, administrative, and fiscal management.
• Commercial activities, marketing, and relationship building, when expressly authorized.
• Compliance with legal, regulatory, and AML/CFT/AFP obligations.
• Human talent management, employee well-being, and the Occupational Health and Safety System.
• Handling requests, complaints, and claims.
The specific purposes for each stakeholder group are detailed in the internal procedures of the Integrated Management System.
9. Special Categories of Data
9.1. Sensitive Data
Sensitive data will only be processed when strictly necessary, with the express authorization of the data subject, and with enhanced security measures in place. The data subject may refrain from providing this type of information.
9.2. Data of Children and Adolescents
The processing of personal data of minors will be carried out respecting the best interests of the child, guaranteeing their fundamental rights, and with the express authorization of their legal representative.
10. Rights of Data Subjects
Data subjects have the right to know, update, and rectify their data; request proof of authorization; be informed about the use of their information; file complaints with the Superintendency of Industry and Commerce; revoke authorization; request the deletion of their data when appropriate; and access their personal data free of charge.
11. Procedure for Exercising Rights
Inquiries, complaints, and requests related to the processing of personal data will be handled through Intradecon's official channels, within the terms established in Law 1581 of 2012 and its implementing regulations.
12. Documented Information Security Incident Management Procedure
Intradecon has a documented procedure for managing information security incidents, which is part of the Integrated Management System and aims to prevent, identify, manage, mitigate, and report events that could compromise the confidentiality, integrity, or availability of personal data.
The procedure includes, at a minimum, the following stages:
a. Identification and Reporting: Any employee, contractor, or third party who identifies a potential incident must report it immediately to the Operations Management or the designated responsible party.
b. Assessment and Classification: The incident will be analyzed to determine its impact, scope, and level of risk to personal data.
c. Containment and Mitigation: Immediate actions will be taken to control the incident and reduce its effects.
d. Notification: When the incident poses a risk to the rights of data subjects, Intradecon will inform the Superintendency of Industry and Commerce and, if necessary, the affected data subjects, in accordance with current regulations.
e. Record Keeping and Documentation: All incidents will be documented and retained as evidence of control and continuous improvement.
f. Corrective and Preventive Actions: Actions will be defined and implemented to prevent the recurrence of the incident, consistent with the continuous improvement approach of ISO 9001.
13. International Data Transfer and Transmission
Intradecon may carry out national or international transfers or transmissions of personal data when authorized by the data subject, when there is a legal or contractual obligation, or when an adequate level of protection is guaranteed in accordance with Colombian regulations, by entering into the necessary agreements with the third parties involved.
14. Information Security
Intradecon implements security controls aligned with international best practices, considering personal information as a critical asset of the Integrated Management System, and applies measures to control access, confidentiality, integrity, and availability of information.
15. Effective Date
This Policy is effective as of January 1, 2025, and will remain in effect as long as Intradecon processes personal data.
16. Conclusion
Intradecon adopts international principles and best practices in data protection, to the extent compatible and applicable, without prejudice to compliance with Colombian law.