HABEAS DATA VIOSCULPT® POLICY

CHAPTER ONE - SCOPE OF THE POLICY

RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA
VIOSCULPT,® a commercial company duly constituted and identified with NIT 901.211.257-1, acting as the person responsible for the information and in compliance with the Personal Data Protection Law 1581 of 2012 and its regulatory decrees, is identified through the following data:

Principal address: Cra 12 Nº 118-86 de Bogotá D.C., Colombia
Phone: +57 1 2560535
Email for compliance purposes: info@viosculpt.com

DEFINITIONS

For the development and implementation of this policy, the definitions established in Law 1581 of 2012 and Chapter I of Decree 1377 of 2013 are adopted, for an adequate understanding of this policy:

Authorization: Prior, express and informed consent of the Owner to carry out the Processing of personal data. Database: An organised set of personal data that is subject to Processing. Personal data: Any information linked to or that can be associated with one or more specific or determinable natural persons.

Public data: It is data that is not semi-private, private or sensitive. Public data includes , but is not limited to, data relating to the marital status of persons, their profession or trade and their status as a merchant or public servant. By their nature, public data may be contained, inter alia, in public registers, public documents, official gazettes and gazettes, and duly enforceable court judgments that are not subject to confidentiality.

Sensitive data: Sensitive data is understood to be data that affects the privacy of the Owner or whose improper use may lead to discrimination, such as those that reveal racial or ethnic origin , political orientation, religious or philosophical convictions, membership of trade unions, social or human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of political parties of opposition, as well as data relating to health, sex life, and biometric data.

Semi-private data: Semi-private data is data that is not intimate, reserved, or public in nature and whose knowledge or disclosure may be of interest not only to its owner but also to a certain sector or group of people or society in general.

Private data: It is the data that, due to its intimate or reserved nature, is only relevant to the owner.

Data Processor: Natural or legal person, public or private, that by itself or in association with others, carries out the Processing of personal data on behalf of the Data Controller.

Data Controller:Natural or legal person, public or private, who by himself or in association with others, decides on the data database and/or the Processing of data.

Owner: Natural person, acting on their own behalf or on behalf of others whose personal data are subject to Processing.

Processing:Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.

Transfer: The transfer of data takes place when the controller and/or processor of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is responsible for the Processing and is located inside or outside the country.

Transmission: Processing of personal data that involves the communication of the same within or outside the territory of the Republic of Colombia when the purpose is to carry out a Processing by the processor on behalf of the responsible party.

PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA

Principle of legality in data processing: VIOSCULPT® seeks to ensure compliance with the Regulatory Regime for the Protection of Personal Data.
Principle of purpose: The processing of personal data carried out by VIOSCULPT® is subject to and serves a legitimate purpose, which is informed to the respective owner of the personal data at the time of collection of their information.
Principle of freedom: The processing of personal data can only be carried out with the prior, express and informed consent of the owner. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that discloses consent. Principle of truthfulness or quality: VIOSCULPT® has internally provided mechanisms for updating personal information, in order to ensure that it is truthful, complete, accurate and up-to-date.
Principle of Transparency: In compliance with this principle, VIOSCULPT® guarantees the right of the owner to obtain from it, at any time and without restrictions, information about the existence of any type of information or personal data that is of interest or ownership.
Principle of Access and Restricted Circulation: VIOSCULPT® has established access controls to the personal information contained in the databases. It has also set up internal mechanisms so that its officials can have access only to the information that according to their position they should know. It has also established confidentiality agreements and contracts for the transmission of personal data with those responsible for the information, to provide all the guarantees that allow the protection of personal information. Security principle: VIOSCULPT® has established different types of technological, physical and administrative measures to prevent any type of unauthorized processing of personal data by third parties who are not authorized to access such information.
Principle of confidentiality: Each and every one of the persons who interact in the processing of personal data carried out by VIOSCULPT,® and who manage, handle, update or have access to personal, commercial, accounting, technical, commercial or any other type of information that is found in databases or that is provided in the execution and exercise of their functions undertake to keep and keep it strictly confidential and not to disclose it to third parties.

OBJECTIVE AND SCOPE OF THE POLICY

The purpose of the Personal Data Processing Policy is to establish the criteria under which it processes the personal information that rests in its databases and in physical and electronic files. The Personal Data Processing Policy establishes the guidelines for the processing of personal data, the mechanisms for the exercise of the right of habeas data, as well as the purposes, security measures and other aspects related to the protection of personal information.

HEADLINES TO WHOM THE POLICY IS ADDRESSED

Owners are understood to be natural persons and/or commercial companies such as customers or suppliers whose personal data are processed by VIOSCULPT.® This Personal Data Processing Policy is addressed to any owner of the information, either acting on their behalf or as a legal representative who, on the occasion, of the activities for which they are linked to VIOSCULPT.® REGULATORY COMPLIANCE WITH THE PERSONAL DATA PROTECTION REGIME

This Personal Data Processing Policy complies with the Personal Data Protection Regime in Colombia, in particular, Articles 15 and 20 of the National Political Constitution, Law 1581 of 2012, Chapter 25 of Decree 1074 of 2015 and Judgment C-748 of 2011 and other regulations that modify, complement or add to it.

CHAPTER TWO - PURPOSES OF THE PROCESSING OF INFORMATION ACCORDING TO DATABASES

According to the classification of personal data, established in the National Registry of Personal Databases (RNBD), of the Superintendence of Industry and Commerce, the personal data to which VIOSCULPT® processes are the following:
General and specific identification data of the person and/or legal person: names, surnames, company name, type of identification, identification number. Financial data, credit and/or economic rights of the person and Property data of the person.
Tax information data of the person and/or commercial company.
Data on the economic activity of the person and/or commercial company.
From the Suppliers, Creditors, Customers and Others Database.

COLLECTION OF PERSONAL DATA

VIOSCULPT® collects information from suppliers, creditors, customers, and others through physical forms, emails, and calls.

PURPOSES OF PROCESSING PERSONAL DATA

The purposes of the collection of personal information from this database are:
l) creation and updating of suppliers, creditors, debtors and customers;
ll) generation and submission of income and withholding certificates;
lll) accounting of supplier and customer invoices, as well as the causation to create the account payable , salaries, withholdings;
(lV) communications on information campaigns on new products and/or maintenance campaigns;
(V) donor communications and acknowledgements;
Vl) management of tax certificates;
Vll) Report of tax and legal obligations before administrative entities and control bodies;
Vlll) Administrative Management, management of financial, accounting, tax and legal information, as well as
lX) monitoring of income and donors.

CHAPTER THREE – PROCESSING OF PERSONAL DATA

GATHERING
VIOSCULPT® collects personal information through the following means. But not limited to:
Chat: When information is requested through virtual means. Telephone calls: In telephone consultations, personal data is captured, including the recording of the Call. Physical forms: When you access some of our services through face-to-face channels, your personal data is obtained through physical forms.
STORAGE
The storage of personal information from databases and files with personal information can be carried out by VIOSCULPT® in the following ways:
Own internal archive
Personal Institutional Computer
VIOSCULPT® has physical, technical, and administrative security measures in place to prevent unauthorized access and consultation of databases and files containing personal information. Likewise, it requires those in charge of the information to take measures conducive to the security and confidentiality of the information provided.
CIRCULATION
The circulation of personal information in VIOSCULPT® operates in a restricted manner towards our data processors, implementing security measures to prevent improper use.

NATIONAL TRANSMISSION OF PERSONAL DATA

The processes of processing personal data in collection, circulation, storage, use and deletion may be transmitted to third parties with whom there is a contractual relationship at a national or international level for custody and storage, provided that they have the security standards in the protection of personal data set by the Superintendence of Industry and Commerce.
The transmission of personal data carried out by VIOSCULPT® may be generated in some cases in the following processing operations:
Collection: When the processor is asked to capture personal information on behalf of VIOSCULPT.® Storage: When a processor is asked to store both physical and electronic information with the appropriate security and confidentiality measures. Use: When the processor is requested to perform certain operations on behalf of VIOSCULPT,® such as telephone calls, digitization of information, among others. Final disposition: When the person in charge of the information is requested to keep the information that has lost its validity, but that must be kept by legal provision.

RESTRICTIONS ON THE FLOW OF INFORMATION

As a general rule and legal provision, VIOSCULPT® does not share, transmit, transfer the personal data it collects to third parties, with whom it has not previously signed a confidentiality agreement and personal data transfer contract. It has also provided access controls for the entry of its employees to VIOSCULPT'® s information systems, exclusively to the information that according to the role and/or position they must know.

CIRCULATION OF INFORMATION BY LEGAL PROVISION

By legal provision, in some cases VIOSCULPT® must provide personal data to State entities , in the exercise of its functions:
DIAN and Ministry of Finance: Report of exogenous information.
Other public order or administrative entities: Any public order or administrative entity in the exercise of its legal functions or by court order may request personal information .
Persons to whom information may be provided: To the holders, successors and legal representatives, to third parties authorized by the owner or by law.

CIRCULATION OF INFORMATION AS AN EMPLOYER

As an employer, VIOSCULPT® may carry out the circulation of employee data in the following cases:
Financial institutions: Payroll
Entities of the Social Security System: For affiliation purposes
Occupational Risk Administrator: Affiliation and reporting of occupational accidents.
DIAN and Ministry of Finance: Report of exogenous information.
Pension and Parafiscal Management Unit,
Attorney General's Office, among others.

OBLIGATIONS OF INFORMATION PROCESSORS

VIOSCULPT®, as guarantor of the personal data under its responsibility, requires those in charge of the processing of information to comply with the following measures: Provide the owner of the data at all times with the possibility of exercising their right of habeas data through communication channels enabled so that the person can communicate in case of a query or claim related to their personal data.
Keep the personal information provided by VIOSCULPT®, under security conditions , with the aim of preventing unauthorized or fraudulent consultation or access, loss or inappropriate use of the information. Request authorization for the processing of personal data, under the terms established in Law 1581 of 2012 and its regulatory decrees. To process the queries and claims made by the owners in the terms indicated in Law 1581 of 2012 and in the Data Processing Policy of VIOSCULPT.® Inform VIOSCULPT® and the Superintendence of Industry and Commerce in the event of violations of security codes and risks in the management of the holders' information. If applicable, register their databases with the National Registry of Databases of the Superintendence of Industry and Commerce. Adopt access controls to personal information on physical premises and on computer equipment and tools Adopt an information security document, which establishes the procedures for assigning responsibilities and authorizations in the processing of personal information. Implement confidentiality agreements with personnel who have access to personal information , as well as security checks prior to engagement and after the contract ends. Implement security controls in the outsourcing of services for the processing of information. Implement policies for backing up personal information.
Implement protection policies for remote access to personal information.
Implement procedures that define the specifications and security requirements of information systems.
Implement procedures related to the management of information security incidents.
Conduct information security audits.
Sign confidentiality agreements with your employees, contractors, suppliers and in general, with personnel who will have some type of treatment of VIOSCULPT® information.
To apply this Policy for the processing of personal data that complies with the requirements established in Law 1581 of 2012 and its regulatory decrees.
In general, comply with current legislation on the protection of personal data and with the instructions and requirements issued by the Superintendence of Industry and Commerce.

VIOSCULPT® AS INFORMATION OFFICER

When operating as an information processor, the Information Controllers must request and maintain the authorization of the owner of the information, for the processing of personal data by VIOSCULPT,® so VIOSCULPT® presumes that the Data Controller has the prior and express authorizations of the owners with whom it has contact. to make use of your personal data and will provide a copy of such authorizations if VIOSCULPT® requires it.

DELETION AND/OR FINAL DISPOSITION

The deletion of personal information is carried out once the purpose for which the data was requested has been fulfilled , or in cases in which the owner of the information requests the deletion of the information, this case will proceed, as long as the Law authorizes it. The retention times of documents with personal information are subject to the rules established in the retention tables in accordance with the provisions of the Law and decrees that regulate it.

CHAPTER FOUR - AUTHORIZATION FOR THE PROCESSING OF PERSONAL DATA AND SECURITY MEASURES

VIOSCULPT® requests in a free, prior, express and duly informed manner, the authorization of the data owners and for this purpose it has provided suitable mechanisms guaranteeing for each case that it is possible to verify the granting of said authorization. It may be recorded in any medium, whether it is a physical document, electronic or in any format that guarantees its subsequent consultation through technical tools, complying with the requirements established in the Law.
Below are some ways in which VIOSCULPT® can request consent for data processing.

EXPRESS AUTHORIZATION

When personal data is collected through a web form, chat, either by clicking on the acceptance of terms and conditions or on the processing policy or on the submit button, you are expressly authorizing the processing of personal data.
When the owners fill out physical forms or sign the physical document, where the authorization for the processing of personal data is found, they expressly authorize the processing of their personal data to VIOSCULPT.®
When you make a phone call, VIOSCULPT® stores the recording of that call, for the purpose of retaining the authorization for the processing of personal data.
When sensitive personal data is collected, in which case, questions about this type of information and the analysis of the need to request such information are made optional to do so.

AUTHORIZATION FOR THE PROCESSING OF SENSITIVE PERSONAL DATA

VIOSCULPT® collects sensitive personal data in cases that are strictly necessary for the effective provision of commercial and administrative services.

VIOSCULPT® has established that at the time of collection of sensitive personal data, express authorization has been obtained for the processing of said data. However, for the effective provision of the service, in some cases the provision of this data is essential. The owner is not obliged to authorise the processing of this type of data to VIOSCULPT,® unless required by law.

VIOSCULPT® processes sensitive personal data in the following cases:
When the owner has given express authorisation for its processing, unless the law establishes that it is not necessary to grant such authorisation.
The processing will be necessary to protect the vital interests of the owner and he or she is physically or legally incapacitated, in which case the authorization of the legal representative will be requested.
The processing will be carried out in the course of legitimate activities and with due guarantees on the part of VIOSCULPT.®
The processing will refer to data that are necessary for the recognition, exercise or defence of a right in a judicial process.

CASES IN WHICH AUTHORIZATION IS NOT REQUIRED

The owner's authorisation will not be necessary in the case of:
Information required by a public or administrative entity in the exercise of its legal functions or by court order.
Data of a public nature.
There is a legal provision that requires the request for such data or personal information.
In any case, the official in charge of the collection or circulation of the data, where authorization for the processing of personal data is not mandatory, in the cases established herein, must take the necessary measures to validate that the third party to whom the data is to be provided is fully authorized to receive said information. even if it is an administrative entity in the exercise of its functions.

SECURITY MEASURES FOR THE PROTECTION OF PERSONAL DATA

VIOSCULPT® has adopted technical, legal, human and administrative measures necessary to ensure the security of personal data by protecting confidentiality, integrity, use, unauthorized and/or fraudulent access.
Internally, VIOSCULPT® has implemented mandatory security protocols for all personnel with access to personal data and information systems.
CHAPTER FIVE - DUTIES OF THE PARTIES INVOLVED IN THE PROCESSING OF INFORMATION

DUTIES OF THE OWNERS OF THE INFORMATION
All owners of personal information who have a relationship with VIOSCULPT® must take into account the following rules:
Comply with this Personal Data Processing Policy.
To report through the channels provided any anomaly regarding compliance with this personal data processing policy.
Verify that the screen is not seen by third parties, when processing and consulting your personal data in VIOSCULPT'® s information systems.
Report immediately to the email address noted at the beginning of this policy, in case due to human error, you become aware of personal data of other VIOSCULPT holders®.

VIOSCULPT® DUTIES

The following are listed the duties that VIOSCULPT® has for the effective processing of personal data :
Guarantee to the holder, at all times, the full and effective exercise of the right of habeas data.
Request and keep a copy of the respective authorization granted by the holder.
Duly inform the owner about the purpose of the collection of their personal data, as well as the rights that assist them by virtue of the authorization granted.
Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
Rectify information when it is incorrect and communicate what is pertinent.
To process queries and complaints made by the holders.
Inform the data protection authority when there are violations of security codes and there are risks in the management of the information of the holders.
Comply with the requirements and instructions given by the Superintendence of Industry and Commerce on the particular subject.
Inform, at the request of the owner, about the use given to their data.
Strive for the information to be truthful, complete, accurate, updated, verifiable and understandable.
Update the information, thus taking into account all the news regarding the data of the owner. In addition, all necessary measures must be implemented to keep the information up to date.
Respect the security and privacy conditions of the owner's information.
Identify when certain information is under discussion by the owner.
Use only data whose processing is previously authorised in accordance with the provisions of national legislation.
pan class="titleRight text-3 text-left">CHAPTER SIX- RIGHTS OF THE OWNERS AND PROCEDURE FOR THE EXERCISE OF THE RIGHT OF HABEAS DATA

RIGHTS THAT ASSIST YOU AS THE OWNER OF THE DATA

The Fundamental Right of Habeas Data empowers the owner of the data to request access, updating, rectification and deletion of their personal data that is in the possession of VIOSCULPT,® in turn, they can revoke the authorization they have granted for the processing. If a holder considers that VIOSCULPT® has access to their personal data, they can at any time request the consultation of their data or make a claim if they consider that VIOSCULPT® is making an inappropriate use of their data.
Know, update and rectify your personal data vis-à-vis VIOSCULPT® in its capacity as data controller. This right may be exercised, among others, against partial, inaccurate, incomplete, fragmented, misleading data, or data whose processing is expressly prohibited or has not been authorised.
Request proof of the authorization granted to VIOSCULPT® except when expressly exempted as a requirement for the treatment (cases in which authorization is not necessary).
To be informed by VIOSCULPT,® upon request, regarding the use made of their personal data.
To file complaints with the Superintendence of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and the other regulations that modify, add or complement it.
Revoke the authorisation and/or request the deletion of the data when the constitutional and legal principles, rights and guarantees are not respected in the processing.
To have free access to your personal data that has been processed.
PROCEDURE FOR THE OWNER OF THE INFORMATION TO EXERCISE THEIR RIGHTS

CONSULTATION
Through the consultation mechanism, the owner of the data may request from VIOSCULPT® access to their personal information that rests in the databases.
The query will be answered within a maximum term of ten (10) business days from the date of receipt of the same. If it is not possible to respond to the query within the referenced term, the reasons for the delay will be informed and a response will be given, a maximum of five (5) business days following the expiration of the first term. ADVERTISEMENT

Through the complaint mechanism, the owner of the data may express to VIOSCULPT® any disagreements they have about the use that is being given to their data.
The claim will be addressed within a maximum term of (15) fifteen business days from the day following the date of receipt. In the event that it is not possible to address the claim within said term, you will be informed of the reasons for the delay and a response will be given, a maximum of eight (8) business days following the expiration of the first term.
In the event that the claim is incomplete, it will be required, within five (5) days following receipt of the claim, to correct the defects. If two (2) months have elapsed from the date of the request, without submitting the required information, it will be understood that the claim has been withdrawn.
In the event that VIOSCULPT® is not competent to resolve the owner's claim, it will notify the corresponding party within a maximum period of two (2) business days and will inform the owner of the situation.
The Owner may make the claim taking into account the provisions of Article 15 of Law 1581 of 2012 and Decree 1377 of 2013, and other regulations that modify or add to them.
PERSONS AUTHORIZED TO MAKE INQUIRIES OR COMPLAINTS

The persons authorized to make a query or claim related to habeas data, are the owners of the information, either acting on their behalf, or as a legal representative, who on the occasion, of the activities that are linked to VIOSCULPT®, their personal information is required for the development of the same. INFORMATION THAT MUST BE ACCREDITED FOR A CONSULTATION OR CLAIM

INFORMATION TO BE ACCREDITED BY THE OWNER
Request made through the communication channels authorized for the exercise of the right of habeas data.
Attach a photocopy of the identification document.
Attach the supports you wish to enforce.
In any case, at any time, VIOSCULPT® may request additional information to process the respective query or claim.
CHANNELS ENABLED FOR THE EXERCISE OF THE RIGHT OF HABEAS DATA

VIOSCULPT® has enabled the following channels for holders to exercise their right of Habeas Data:
Email: info@viosculpt.com
Página web: www.viosculpt.com
Physical mailbox: Cra 12 NO. 118- 86 Bogotá D.C., Colombia
If any data processor receives a query or a complaint regarding the processing of your personal data, you must inform them of the existing channels; under no circumstances may they leave the owner of the information unanswered PERMANENT APPLICATION

In the processing of personal data, VIOSCULPT® will permanently verify in its processes; protocols, procedures and policies, that the right of habeas data is guaranteed to the owners of the information and that the authorization of the owner for the processing of personal data is obtained with the requirements of the Law .
ARTICULATION BETWEEN THE POLICY AND THE INFORMATION PROCESSING MANUAL

This Personal Data Processing Policy is articulated with the Internal Manual of Policies and Procedures for the Processing of Personal Data, which establishes the criteria, requirements and procedures for this Policy to be effective. DATE OF APPROVAL OF THE POLICY AND ENTRY INTO FORCE

The personal data processing policy is created on September 6, 2008, by VIOSCULPT,® which is in force as of this date.