Terms and conditions of use

MENNTUN PRIVACY NOTICE
In accordance with Law 1581 of 2012, Decree 1377 of 2013 and complementary regulations in force in Colombia, this privacy notice (hereinafter “the Notice”) establishes how MENNTUN S.A. (hereinafter “MENNTUN”), a company duly incorporated in Colombia, domiciled in the city of Bogotá, collects and processes your personal data (hereinafter the “Personal Data”).

  1. Personal data collected, purpose of collection and processing Taking into account your status as an employee, MENNTUN may collect the following personal information (together “Personal Data”):

1.1 General employee data such as: name, identification document number, address, telephone number, physical or postal address, email, date of birth, marital status, position or title, contact information, work location and captured personal image through the cameras installed in the MENNTUN offices;

1.2 Likewise, as contractual and affiliation requirements for the different entities, we require information from your family members including name, identification document, address, telephone number, email address, and date of birth;

1.3 In order to know your profile and your skills, MENNTUN will collect and process your employment information including: resume, work history, academic certificates and professional experience, information about your current position, bosses and performance evaluation in your position, jobs. previous studies, education, certifications obtained, competence, personal references, labor certificates, support for selection processes, interviews, psychotechnical and technical tests and any training, exams and respective grades;

1.4 Contractual documents, annexed agreements and any other documents relating to the relationship between MENNTUN and the employee, as well as income, salaries, benefits and assistance;

1.5 Documents supporting disciplinary processes, including discharges, warnings and suspensions;

1.6 For the development of the employment contract, MENNTUN will require collecting medical and occupational health history information according to the applicable standards, as well as supporting studies carried out on safety and home visits, for the fulfillment of MENNTUN’s obligations as its employer;

1.7 Financial information including your bank account number, the type of account and the banking entities where you have the account, support for transfers and credits with any external entity and; retirement documents, settlements, letters of termination of the employment contract and resignation letters and supports for the termination of employment contracts.

The purpose and purpose for which your Personal Data is collected is to comply with the normal development of the corporate purpose and business of MENNTUN and to comply with the legal and contractual obligations of MENNTUN as your employer. Likewise, your Personal Data is collected and processed in general, to guarantee compliance with legal requirements of any type or in relation to pending litigation where MENNTUN or any of its clients is a party or to comply with any obligation imposed by law. or by any Colombian authority.

In general terms, Personal Data is required for contractual purposes, affiliations, payments, recreational activities, communications, demographic analysis and social balance of MENNTUN, payroll payment processes, entry requirements to MENNTUN, employee profile supports, requirements for comply with legal obligations in occupational health and for MENNTUN’s internal procedures.

Please note that MENNTUN may process your Personal Data in order to provide you with training in the specific area in which you work as an employee of MENNTUN and in general, for the management of human talent by the Human Resources Department and to ensure efficient productivity of MENNTUN employees.

In joint application of the Acceptable Use Policy for Computer Systems and the Privacy Policy for Information Systems, MENNTUN may also process your Personal Data through the monitoring of work tools and technological resources (which may include but are not limited to computers, email accounts, data messages, landlines or mobile phones, etc.) that MENNTUN has made available to its employees for the following purposes:

  • protect and prevent the abuse of said work tools and technological resources,
  • protect MENNTUN employees from and prevent the commission of crimes,
  • guarantee that MENNTUN complies with the obligations contained in the contracts it signs,
  • safeguard the personal data for which you are responsible,
  • comply with MENNTUN’s legal obligations in the framework of possible or existing litigation,
  • prevent the theft or unauthorized disclosure of confidential MENNTUN information,
  • detect possible or current violations of other MENNTUN policies,
  • prevent inappropriate and inappropriate use of MENNTUN technological resources,
  • prevent intrusions or malicious or unauthorized access and spread of computer viruses,
  • protect MENNTUN’s data and/or systems and prevent situations from arising that could attack said data or systems,
  • increase the productivity of MENNTUN employees
  • verify that MENNTUN systems are accessed only by authorized people.

Likewise, for the safety of all MENNTUN employees and visitors, as well as to capture appropriate behavior within its facilities, the image of employees and visitors may be obtained through the cameras installed in the offices. by MENNTUN.

MENNTUN will only use the Personal Data within the use that has been authorized, it will only transmit it to its parent company, subsidiaries if they exist acting on behalf of MENNTUN, to clients or third parties when this is necessary as a result of the ordinary line of business. MENNTUN and to authorities when required by applicable laws. MENNTUN will safeguard and protect the Personal Data received at your home, limiting its use and disclosure to the authorized purpose.

  1. Rights of holders of Personal Data In accordance with article 8 of Law 1581 of 2012, MENNTUN states that employees have the following legal rights:

2.1 Know, update and correct your Personal Data before MENNTUN. This right can be exercised, among others, in relation to information that is partial, inaccurate, incomplete, divided, misleading information or whose processing is prohibited or unauthorized.

2.2 Require proof of consent granted to MENNTUN for the collection and processing of your Personal Data, have access to your Personal Data that is subject to processing by MENNTUN and in general, be informed by MENNTUN of the treatment that is being given to you. your personal information. For this, it is important that the procedures established in section 4 of this Privacy Notice are followed.

2.3 Revoke the authorization granted to MENNTUN and/or request the deletion of your Personal Data when you consider that MENNTUN is not respecting the constitutional and legal principles, rights and guarantees. In these cases MENNTUN will inform you about the implications that the revocation of the authorization or the deletion of your Personal Data from the database may have.

2.4 Have access to the Personal Data that MENNTUN has collected and processed.

2.5 If you are not satisfied with the way in which MENNTUN processes your Personal Data or have any complaint or claim, you may submit a statement to the MENNTUN data protection officer at habeasdata@MENNTUN.com

2.6 If the MENNTUN data protection officer does not resolve your concerns or does not address your complaint, you can contact the Superintendence of Industry and Commerce to present your concerns, complaints or claims if you consider that MENNTUN has violated your habeas data rights or the provisions of Law 1581 of 2012, Decree 1377 of 2013 and other regulations that modify, add or complement them.

  1. Persons or area responsible for responding to queries, requests or claims related to the processing of your Personal Data

If you have questions, queries or complaints related to your Personal Data, you can contact the MENNTUN Data Protection Officer at habeasdata@MENNTUN.com (hereinafter the “Data Protection Officer”). You can exercise your right to know, update, rectify or delete your Personal Data and revoke the consent granted to MENNTUN for the processing of your Personal Data before this person or area of ​​MENNTUN.

  1. Procedure to exercise your rights

Any question or query in relation to your Personal Data collected and processed by MENNTUN will be received by the MENNTUN Data Protection Officer, for which you must send a written description of your query to habeasdata@MENNTUN.com The Data Protection Officer MENNTUN Data will resolve your question or query within ten (10) business days following the date on which the question or query is received. If it is not possible for the MENNTUN Data Protection Officer to respond to your complaint within the aforementioned term, the MENNTUN Data Protection Officer will let you know the situation and explain the reason for the delay. In any circumstance, the MENNTUN Data Protection Officer will respond within five (5) business days following the expiration of the term of the initial ten (10) business days. The consent granted by you may be revoked at any time, by prior written and signed notice addressed to the Data Protection Officer of MENNTUN, at the aforementioned electronic address, in the terms established by the Law.

If you consider that the information contained in the MENNTUN database is subject to correction, updating or deletion or if you consider that MENNTUN is not complying with its obligations established in Law 1581 of 2012, you must submit a complaint to MENNTUN, addressed to the Data Protection Officer, which will be treated according to the procedure established in article 15 of Law 1581 of 2012.

PERSONAL DATA PROCESSING POLICY

This Personal Data and Information Processing Policy (hereinafter the “Policy”) aims to implement the provisions contained in Law 1591 of 2012 and Decree 1377 of 2013 in what refers exclusively to databases. , files and information that contain personal data susceptible to processing, and explains how Menntun collects, stores, uses, circulates and processes information that you provide us through different means.

Contact information of the person responsible or in charge of the data – area responsible for handling queries, requests and complaints.

Menntun, is a corporation legally constituted and existing under the laws of the Republic of Colombia. For the purposes of this Policy, you may contact us in the area at the following email or telephone number (hereinafter, the “Controller”)

Data processing and purpose

The Data Controller, with prior authorization from the owners of the information (if required), may obtain information from natural persons, clients or users, from different sources (related businesses, financial entities, entities participating in the payment system, telecommunications service providers, and own sources among others). It is also possible that the Data Controller has a direct relationship with natural persons (employees, suppliers, etc.), who may choose to provide personal information in connection with that relationship. The types of personal data we collect are public, semi-private data, and sensitive data or data from minors will not be collected, unless there is express authorization and a valid purpose in this regard.

Users, clients, workers and suppliers expressly authorize the Data Controller to confirm the personal information provided by going to public entities, specialized companies or risk centers, their contacts, or the employer, as well as their personal, banking or work references. , among others. This information will be treated confidentially by the Data Controller.

The personal data provided to the Data Controller will be collected, stored, used, analyzed, circulated, updated and reported for the following purposes: (i) as an element of analysis to establish and maintain a contractual or commercial relationship, whatever its nature, (ii) as an element of analysis to carry out market studies or commercial or statistical research, (iii) as a tool for offering our own or third-party products or services, (iv) as a tool for initiating any prejudicial or judicial collection, (v) so that the information is shared, circulated and used by Menntun, its parent company, subsidiaries and subordinates, for any of the purposes provided herein, (vi) for the completion of any procedure before a public authority or a private person or entity. , with respect to which the information is relevant, (vii) so that all information referring to credit, financial, commercial behavior, services and data of the same nature from third countries is consulted, provided, reported, processed or disclosed, in the terms and conditions contained in this Policy.

Owners’ rights

The owner of the personal data has the following rights against the Data Controller:

  1. Know, update and rectify your personal data;
  2. Request proof of authorization granted;
  3. Be informed by the Data Controller upon request, regarding the use that has been given to your personal data;
  4. Submit complaints to the Superintendency of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and Decree 1377 of 2013, once the consultation or claim process has been exhausted before the Data Controller;
  5. Revoke the authorization and/or request the deletion of the data when the processing does not respect the constitutional and legal principles, rights and guarantees; and
  6. Access free of charge to your personal data that has been processed.

Procedure to exercise the rights to habeas data.

The owners of the information may exercise the rights to know, update, rectify, revoke the authorization by sending a communication to the address and area indicated in this Policy. This communication must contain at least the following:

  1. The name, address of the owner and means of contact to receive the response such as telephone, email, residence address.
  2. Documents that prove the identity or representation of your client.
  3. The clear and precise description of the personal data with respect to which the owner seeks to exercise any of the rights.
  4. If applicable, other elements or documents that facilitate the location of personal data.

Once the communication is received by the Data Controller, a response will be provided within the terms established in the applicable regulation.

Modification and/or update of the data protection and information management policy.

Any substantial change in the treatment policies will be communicated in a timely manner to the data owners through the usual means of contact and/or through the Internet page www.MENNTUN.com

Validity of personal information processing policies

These policies take effect as of June 27, 2013, and the databases will be maintained during the term of validity of the companies.

The parent company of the Data Controller has defined privacy policies that apply to all its subordinates. In the event of inconsistency or contradiction between the provisions of the aforementioned privacy policies and these Treatment Policies or the applicable regulations, the latter will prevail.

MENNTUN PRIVACY POLICY

1. Purpose

This Policy is intended to establish minimum requirements to protect Personal Information (as defined below) processed by the computer systems of MENNTUN, MENNTUN INTERNACIONAL and SYNTHESIS. 1.3 Scope of application

This Policy applies to Menntun computer systems that contain Personal Information, and to the organizations responsible for IT systems that process Personal Information. This Policy does not apply to data collected prior to its issuance. Recommended IT controls should be evaluated for legacy systems when a new use of personal information is introduced. This Policy does not apply to processing of Anonymized Information, as defined below.

  1. Definitions

Menntun: When reference is made to “Menntun” in this document.

Authorized Persons: Any Person or Entity (Menntun employees, agents, contractors or third parties) who have a legitimate need to process Personal Information as is (i) consistent with their duties and responsibilities; (ii) permitted by the Data Controller; (iii) permitted by applicable law. Data Subject: Any Menntun employee who makes decisions regarding the processing of Personal Information.

Notice: Statement informing the data subject about the purpose for which the data is collected and used and how to contact Menntun if they have concerns about the collection of Personal Information. Information regarding an individual that identifies or can reasonably be used to identify that individual, regardless of the medium or format in which it is stored, transmitted or socialized. For all purposes, personal information will not be understood as information that is public or generally known.

Process/Processing: Includes, but is not limited to, the collection, access, storage, manipulation, use, transfer, disclosure or destruction of Personal Information.

Unauthorized Persons: Any person or entity (e.g. Menntun employees, agents or contractors) who do not have a legitimate need to access Personal Information for the purposes of carrying out their duties and responsibilities.

  1. Requirements

3.1 General

Personal Information must be processed in accordance with this Policy, other applicable policies and/or operational procedures of Menntun, and local and country laws. However, if the applicable laws of any jurisdiction are more restrictive than this Policy, such laws must be followed in that jurisdiction.

IT systems that collect or process Secret or Confidential Personal Information must be classified for their intended use. If Secret or Confidential Personal Information is identified in a system that is not classified in compliance, contact Human Resources. If Menntun determines that there is reason to suspect a breach of personal information, the event must be reported to Human Resources.

Additionally, one of the following actions must be taken: • Secret and/or Confidential Data must be deleted from the system if the processing of such Data is not the intended use of the system.

  • The System should be reclassified to reflect its correct intended use, and system controls should be re-evaluated accordingly.

The Data Controller is responsible for limiting the processing of Personal Information, to the extent possible, to what is reasonably necessary for its intended purpose. Information should be anonymized where possible and appropriate.

Only Authorized Persons may process Personal Information. If an Unauthorized Person receives unsolicited Personal Information, he or she must:

  • Return the Personal Information to the sender, and
  • Destroy Personal Information if copies remain in electronic format after returning it to the sender.

3.2 Notice to Data Subjects

The Menntun IT Department, in conjunction with the System Owner, will ensure that systems that directly collect data comply with Menntun’s employee, clinical and marketing notice requirements.

3.3 Collection

Any collection of Personal Information by the Data Controller or Processing will be collected in order to pursue Menntun’s legitimate business purposes, and only when there is a specific business need.

When a computerized system collects Personal Information, the Data Controller will ensure that data collected through a Menntun system is in accordance with this Policy, other Menntun’s applicable policies and procedures, and applicable laws. Additionally, all Personal Information collected by an IT System must be processed in accordance with applicable laws and the privacy policy or privacy notice applicable to the electronic means on which it was collected. In the event that multiple privacy policies or notices apply to the online collection of any Personal Information, the most stringent policy/notice will apply.

3.4 Use

Prior to the use of Personal Information, the Data Controller is responsible for ensuring that the use is made in accordance with this Policy and other operational policies and/or procedures of Menntun, as well as with all applicable legal requirements. .

The Data Controller will ensure that the data is collected for legitimate Menntun Businesses. Menntun employees or agents may never use Personal Information (other than your own) for personal use without the prior consent of the Data Subject, and only when permitted by applicable local laws.

If a Data Subject decides to revoke their consent to the use of their Personal Information for marketing purposes of a particular Product Line, or in jurisdictions where express consent is required, and does not grant it, the Data Controller Data will ensure that the Data Subject is not contacted for marketing purposes.

3.5 Revelation

Prior to the disclosure of Personal Information, the Data Controller is responsible for ensuring that the disclosure is made in accordance with this Policy and other operational policies and/or procedures of Menntun, as well as with all legal requirements. applicable, including the notice provided to the Data Owner.

Personal Information may only be disclosed to Authorized Persons.

3.6 Access and Correction

Personal Information will only be corrected in accordance with the legal rights of the Data Subject. Wherever possible or where required by law, Menntun will allow Data Subjects to review and, where there are inaccuracies, request correction of the Data Subject’s Personal Information of the data Menntun holds about them.

As determined by the Data Controller, all reasonable measures will be taken to comply with such requirements.

3.7 Security

System owners and IT personnel developing IT Systems that process Personal Information must ensure that physical and technical safeguards are taken to secure Personal Information, in accordance with Menntun requirements.

Menntun IT Personnel who access or use Personal Information must also ensure that any applicable policies and operating procedures regarding access or use of Personal Information are also followed. Applicable technical precautions must be observed when mobile devices, feeds or file transfers that contain Personal Information (i.e. for example, Personal Information should not be stored on a mobile device or media unless the data is encrypted). Personal Information should not be located in data sharing environments unless access to the environment is restricted to those with an approved business need to access the data. Secret information should not be sent via end-user messaging technologies (email, instant messaging, etc.) unless the data or message is encrypted.

3.8 Retention and Destruction

Personal Information may be retained only for the period of time necessary to fulfill the purposes for which it is collected, or as required or permitted by contractual agreements, legal requirements, or under Menntun policies or operating procedures. Personal Information must be stored, maintained, or destroyed in accordance with Corporate and affiliate retention policies and procedures and in accordance with the Policies and Procedures established by the Enterprise Information Security division, as well as in accordance with applicable legal requirements. .

3.9 Hiring of Entities Other than Menntun for the Processing of Personal Information

Prior to contracting non-Menntun entities to process Personal Information, the Data Controller must determine, after consulting the applicable policies and procedures and/or the contract models approved by the Legal Division, whether an agreement is appropriate. in writing or any other documentation that includes the following information:

  • Non-Menntun entities must be approved for their intended use via vendor evaluation, if they are to process Personal Information on behalf of Menntun;
  • There are appropriate restrictions on the processing of Personal Information by such non-Menntun entities; and
  • There are other requirements or restrictions required by local law or contracted requirements.
  • The non-Menntun entity accepts the other contractual addendums that are required according to the Menntun Policies
  • Transfer of Personal Information

Prior to any transfer of Personal Information, parties transferring and receiving Personal Information must (1) comply with all applicable policies and procedures, and (2) ensure compliance with applicable legal requirements of any and all countries involved. and (3) consult with the Legal Division, as required (4) ensure that appropriate physical and technical security measures are in place to protect the data. 3.10 Compliance Resolution

Menntun is committed to assisting Data Subjects in protecting their privacy and will cooperate with local data protection authorities in resolving any concerns, disputes or complaints.