
PERSONAL DATA PROCESSING POLICY

A.    INTRODUCTION

 

The Political Constitution of Colombia of 1991 established in Article 15 the Right to Personal Data Protection as the right of every individual to access, update, correct, and/or delete the personal information and data collected about them and/or processed in public or private databases.

This fundamental right was regulated by the legislator through Statutory Law 1581 of October 17, 2012, and its regulatory provisions, as well as Law 1266 of December 31, 2008, and its regulatory provisions concerning credit, financial, commercial, service-related, and cross-border data. Additionally, Law 2300 of July 10, 2023, was enacted to establish measures protecting consumers’ Right to Privacy, prompting the Congress of the Republic to adopt special measures for the exercise of debt collection activities, commercial prospecting, and obtaining authorizations to contact consumers.

In compliance with the aforementioned provisions, ROYALTY WORLD INC S.A.S., aware of its responsibility in the Processing of Personal Data of the data subjects, guarantees the Constitutional Right of all individuals to access, update, correct, delete, and revoke authorization regarding the information collected about them in the Entity's databases. This data has been collected for the purposes stipulated by law, with the corresponding authorizations, and has been processed in accordance with national regulations on personal data protection.

For this purpose, ROYALTY WORLD INC S.A.S. has developed this POLICY FOR THE PROCESSING OF PERSONAL DATA, which is mandatory for all natural or legal persons involved in the processing of personal data registered in the Entity's databases. The policy aims to provide the necessary guidelines to ensure compliance with legal obligations regarding personal data protection.

ROYALTY WORLD INC S.A.S. hereby informs all interested parties that the personal data obtained as a result of operations requested or conducted with ROYALTY WORLD INC S.A.S. will be processed in accordance with the principles and obligations established by Law 1581 of 2012, Law 1266 of 2008 and Law 2300 of 2023, and all other applicable regulations governing this matter. For all relevant purposes, the domicile of ROYALTY WORLD INC S.A.S. is the city of Medellín (Antioquia, Colombia) at the following address: Calle 2 # 20-50 Oficina 2103 Edificio Q Office, and its email addresses for notification purposes are: [email protected] and [email protected]

 

B.   LEGAL AND REGULATORY FRAMEWORK

 

Article 15 of the 1991 Political Constitution of Colombia explicitly recognized the Right of Habeas Data in the following terms: “(…) the right to know, update, and rectify information collected about them in databases and records held by public and private entities.” It further stipulated that “[i]n the collection, processing, and circulation of data, freedom and other guarantees enshrined in the Constitution shall be respected”.

Through Law 1266 of 2008, Habeas Data was regulated for the management of information contained in personal databases, especially financial, credit, commercial, service-related, and data originating from third countries. This regulation focuses on the protection of commercial and financial data, generically referred to as Financial Habeas Data (Habeas Data Financiero). This law was further regulated by Decree 1727 of 2009 and Decree 2952 of 2010, now consolidated in Decree 1074 of 2015, and through regulations issued by the Superintendence of Industry and Commerce. It was also analyzed by the Constitutional Court in Judgment C-1011 of 2008.

On October 17, 2012, Statutory Law 1581 of 2012 was enacted to establish general provisions for the protection of personal data in Colombia. This legislation developed the fundamental right enshrined in Article 15 of the Constitution. This law was regulated by Decrees 1377 of 2013 and 886 of 2014, consolidated in Decree 1074 of 2014, Decree 90 of 2018, Circulars 002 of 2015, 001 of 2016, 001 of 2017, 005 of 2017, and 008 of 2017, as well as External Circular 003 of 2024 issued by the Superintendence of Industry and Commerce, along with additional guides and manuals from this authority. The interpretation and application of this regulation must consider the analysis provided by the Constitutional Court in Judgment C-748 of 2011. 

On October 10, 2023, Law 2300 of 2023 came into effect, introducing measures to safeguard consumers’ Right to Privacy. This law establishes rules and prohibitions concerning personal data protection, defining the channels, schedules, and frequency with which companies may contact consumers.

C.     SCOPE OF APPLICATION

 

This Policy applies to personal data that is registered or to be registered in the various databases (automated or non-automated) of ROYALTY WORLD INC S.A.S., whether acting as the data controller and/or processor. It also applies to data regulated under Law 1266 of 2008 and its regulatory provisions (Financial Habeas Data).

The Policy is intended to provide employees, suppliers, contractors, visitors, individuals associated with ROYALTY WORLD INC S.A.S., and the general public with the necessary and sufficient information about the various processes and purposes their data will be subject to, as well as the rights they, as data subjects, may exercise with ROYALTY WORLD INC S.A.S. when it acts as the controller of their personal data.

Knowledge of and compliance with this Policy is mandatory for all individuals and entities responsible for managing personal data databases of ROYALTY WORLD INC S.A.S., particularly database administrators and those employees of ROYALTY WORLD INC S.A.S. and contractors who directly or indirectly receive, process, and respond to requests (inquiries or claims) for information related to the personal data protection law.

 

D.   PURPOSE

 

The purpose of this Policy is to provide necessary and sufficient information to various stakeholders and to establish guidelines that ensure the protection of personal data processed by ROYALTY WORLD INC S.A.S. through its procedures. This aims to ensure compliance with applicable laws, policies, and procedures for addressing the rights of data subjects, as well as the criteria for the collection, storage, use, circulation, and deletion of personal data.

 

E.      SCOPE

 

Ensure a prompt and lawful response to various requests and claims made by Data Subjects, as well as by their successors or any other person with proper authorization.

Comply with the requirements of current regulations on Personal Data Protection, as well as any obligations arising from the principle of demonstrated accountability and the protection of consumer privacy.

Provide appropriate protection for the interests and needs of the Data Subjects whose personal information is processed by ROYALTY WORLD INC S.A.S.

 

F.    GLOSSARY

 

In the development, interpretation, and application of the law, regulations, and current standards, the following definitions will be applied in a harmonious and comprehensive manner:

 

  • RESTRICTED ACCESS: A level of access to information limited to predefined parameters. ROYALTY WORLD INC S.A.S. will not make Personal Data available for access via the Internet or other mass communication media, unless technical measures are established to control access and restrict it only to Authorized individuals.

 

  • AREA RESPONSIBLE FOR DATA PROTECTION: The area within ROYALTY WORLD INC S.A.S. responsible for overseeing and controlling the application of the Personal Data Protection Policy and the implementation of the Comprehensive Personal Data Protection Program.

 

  • AREA RESPONSIBLE FOR HANDLING REQUESTS, COMPLAINTS, CLAIMS, AND INQUIRIES: Requests, complaints, claims, and inquiries made by data subjects will be handled by Management through the Data Protection Officer assigned to this area.

 

  • DATABASE: An organized set of Personal Data that is subject to processing. This includes both physical and electronic files.

 

  • DATA QUALITY: The personal data subject to processing must be truthful, complete, accurate, updated, verifiable, and understandable. When partial, incomplete, fragmented, or misleading personal data is in possession of ROYALTY WORLD INC S.A.S., it must refrain from processing it or request the data subject to complete or correct the information.

 

  • RESTRICTED CIRCULATION: Personal data will only be processed by ROYALTY WORLD INC S.A.S. personnel or those whose duties involve carrying out such activities. Personal data cannot be provided to individuals who are not authorized or have not been designated by ROYALTY WORLD INC S.A.S. to process it.

 

  • CONFIDENTIALITY: An information security element that determines who can access the data and under what circumstances.

 

  • PERSONAL DATA: Any information related to or that can be associated with one or more identified or identifiable natural persons. Therefore, "personal data" should be understood as information related to a natural person (individually considered).

 

  • PUBLIC DATA: Data that is not semi-private, private, or sensitive. Public data includes, among others, information related to a person's marital status, profession or occupation, and their status as a merchant or public servant. Due to its nature, public data may be found in, among others, public records, public documents, official gazettes and bulletins, and final judicial rulings that are not subject to confidentiality.

 

  • SEMI-PRIVATE DATA: This is information that is neither of a private, confidential, nor public nature, and whose knowledge or disclosure may be of interest not only to its owner but also to a certain sector, group of people, or society in general. Examples include financial, credit, or commercial activity data.

 

  • SENSITIVE DATA: Data that affects the privacy of the data subject or whose improper use could lead to discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in trade unions, social organizations, human rights groups, or political parties, as well as data related to health, sexual life, and biometric data.

 

  • RIGHTS OF CHILDREN AND ADOLESCENTS: The processing of data will ensure respect for the prevailing rights of children and adolescents. Only public data may be processed.

 

  • DATA PROCESSOR: A natural or legal person, public or private, who, either alone or in association with others, processes personal data on behalf of the data controller. ROYALTY WORLD INC S.A.S. acts as a data processor in cases where, either alone or in association with others, it processes personal data on behalf of a data controller.

 

  • DIGITAL INFORMATION: Any information that is stored or transmitted through electronic and digital means, such as email or other information systems.

 

  • DATA CONTROLLER: A natural or legal person, public or private, who, either alone or in association with others, decides on the database and/or the processing of data. ROYALTY WORLD INC S.A.S. acts as the data controller for all personal data over which it makes decisions directly, in compliance with the functions legally recognized.

 

  • DATA SUBJECT: A natural person whose personal data is being processed.

 

  • PROCESSING: Any operation or set of operations performed on Personal Data by ROYALTY WORLD INC S.A.S. or the Data Processors, such as collection, storage, use, circulation, or deletion.

 

 

G.   GOVERNING PRINCIPLES

 

In the development, interpretation, and application of the law, regulations, and current standards, the following principles will be applied in a harmonious and comprehensive manner:

 

1) Principle of Legality in Data Processing: Processing is a regulated activity that must comply with the provisions established in Law 1581 of 2012, its regulatory decrees, and other related regulations.

2) Principle of Purpose: Processing must serve a legitimate purpose in accordance with the Political Constitution and the Law, which must be informed to the Data Subject.

3) Principle of Freedom: Processing can only be carried out with the prior, express, and informed consent of the Data Subject. Personal data cannot be collected or disclosed without prior authorization or in the absence of a legal or judicial mandate that overrides consent.

4) Principle of Truthfulness or Quality: The information subject to processing must be truthful, complete, accurate, updated, verifiable, and understandable. The processing of partial, incomplete, fragmented data, or data that could lead to errors is prohibited.

5) Principle of Transparency: In Processing, the Data Subject's right to obtain, at any time and without restrictions, information from the Data Controller or Data Processor regarding the existence of data concerning them must be guaranteed.

6) Principle of Restricted Access and Circulation: Processing is subject to the limits derived from the nature of personal data, the provisions of the law, and the Political Constitution. In this regard, processing may only be carried out by individuals authorized by the Data Subject and/or by persons specified by law.

Personal data, except for public information, cannot be made available on the Internet or other mass communication media, unless access is technically controllable to ensure restricted knowledge limited only to the Data Subjects or authorized third parties.

7) Principle of Security: The information subject to Processing by the Data Controller or Data Processor, as referred to in the Law, must be handled with the necessary technical, human, and administrative measures to ensure the security of the records, preventing their alteration, loss, consultation, unauthorized or fraudulent use, or access.

8) Principle of Confidentiality: All employees and contractors involved in the processing of personal data that is not public are required to ensure the confidentiality of the information, even after the end of their relationship with any of the activities involved in the processing. They may only disclose or communicate personal data when it corresponds to the development of activities authorized by the Law and in accordance with its terms. ROYALTY WORLD INC S.A.S. commits to processing the personal data of the data subjects as defined in literal g) of Article 3 of Law 1581 of 2012, in an absolutely confidential manner, using this data exclusively for the purposes outlined in the previous section, provided the data subject has not opposed such processing. ROYALTY WORLD INC S.A.S. informs that it has implemented the necessary technical and organizational security measures to guarantee the safety of personal data and prevent its alteration, loss, processing, and/or unauthorized access.

9) Principle of Timeliness: Personal data will be retained only for the reasonable and necessary time to fulfill the purposes that justified the processing, considering the applicable regulations and the administrative, accounting, fiscal, legal, and historical aspects of the information. Data will be retained when necessary for the fulfillment of a legal or contractual obligation. Once the purpose of the processing has been achieved and the previously established terms have been met, the data will be deleted.

 

10) Comprehensive Interpretation of Constitutional Rights: Rights will be interpreted in harmony and balanced with the right to information provided in Article 20 of the Political Constitution and with other applicable constitutional rights.

 

11) Principle of Necessity: The personal data processed must be strictly necessary to fulfill the purposes pursued with the database.

 

12) Principle of Non-Interference: Personal data associated with purposes of commercial prospecting and debt collection shall be processed in accordance with the standards established in Law 2300 of July 10, 2023, and the regulations that govern it.

 

H.   SPECIAL DATA

 

SENSITIVE DATA

 

Sensitive data refers to information that affects the privacy of the Data Subject or whose improper use could lead to discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations, or those promoting the interests of any political party or guaranteeing the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.

Sensitive Data Processing: ROYALTY WORLD INC S.A.S. can only process or handle sensitive data with the express authorization of the data subject. When it comes to the collection of sensitive data, the following requirements must be met:

a) The Data Subject has given their explicit authorization for such processing, unless the law does not require the granting of such authorization in certain cases.

b) The Processing is necessary to safeguard the vital interest of the Data Subject and they are physically or legally incapacitated. In these cases, legal representatives must provide authorization.

c) The Processing concerns data that is necessary for the recognition, exercise, or defense of a right in a legal process.

d) The Processing has a historical, statistical, or scientific purpose. In this case, measures must be taken to ensure the Data Subject's identity is anonymized.

Special Authorization for Sensitive Personal Data: ROYALTY WORLD INC S.A.S. will inform all its data subjects, through various means of obtaining authorization, that under Law 1581 of 2012 and its regulatory standards, they are not obligated to grant authorization for the processing of sensitive data.

In the case of processing health-related data, ROYALTY WORLD INC S.A.S. will implement the necessary measures to protect the confidentiality of the information. The processed biometric sensitive data is intended for the identification of individuals, security, and the fulfillment of legal obligations.

AUTHORIZATION FOR THE PROCESSING OF DATA OF CHILDREN AND ADOLESCENTS.

 

The processing of personal data of children and adolescents (hereinafter referred to as C&A) is prohibited, except when it concerns publicly available data, and when such processing meets the following parameters and/or requirements:

  • Authorization must be granted by individuals who are authorized to represent the children and adolescents (C&A). The representative of the C&A must ensure that their right to be heard is respected and consider their opinion on the processing, taking into account the maturity, autonomy, and ability of the C&A to understand the matter.

 

  • It must be informed that responding to questions about the C&A's data is optional.

 

  • The processing must respect the best interests of the C&A and ensure the protection of their fundamental rights.

 

  • ROYALTY WORLD INC S.A.S. will only use, store, and process personal data of minors who are children, descendants, or dependents of employees or contractors and that is of a public nature. The purpose of such processing will be solely to plan and carry out activities related to the personal and family well-being of employees and minors.

 

PROOF OF AUTHORIZATION.

 

In order to allow for future verification, ROYALTY WORLD INC S.A.S. will retain evidence of this authorization.

The data subject's authorization will not be required when it concerns:

  • Information required by a public or administrative entity in the exercise of its legal functions or by court order.
  • Publicly available data.
  • Cases of medical or health emergencies.
  • Processing of information authorized by law for historical, statistical, or scientific purposes.
  • Data related to the Civil Registry of individuals.

 

I.      PROCESSING AND PURPOSES

 

In accordance with the provisions of Law 1581 of 2012, and in line with the authorizations granted by the data subjects, ROYALTY WORLD INC S.A.S. will carry out operations or a set of operations that include the collection of data, its storage, use, circulation, and/or deletion. This Data Processing will be carried out exclusively for the purposes authorized and outlined in this Policy and in the specific authorizations granted by the data subject. Similarly, Personal Data will be processed when there is a legal or contractual obligation to do so, always in accordance with the guidelines of the Information Security policies.

Due to the legal nature of ROYALTY WORLD INC S.A.S., in all cases, personal data may be processed for the purpose of conducting internal and external control and audit processes, as well as evaluations carried out by national or multilateral regulatory bodies.

Likewise, and in execution of ROYALTY WORLD INC S.A.S.'s corporate purpose, personal data will be processed according to the interest group and in proportion to the purpose or purposes for which each processing is intended, as described below:

 

 

CONSUMERS, USERS, CLIENTS, AND THE GENERAL PUBLIC.

 

The processing of Personal Data by ROYALTY WORLD INC S.A.S. will have the following purposes:

 

  1. To control requests related to the products and services provided by ROYALTY WORLD INC S.A.S.

 

  1. To send responses to petitioners of consultations and petitions submitted by them.

 

  1. To carry out procedures related to the products and other processes executed directly or indirectly by ROYALTY WORLD INC S.A.S.

 

  1. To send communications and notifications related to the procedures issued by the responsible and supporting areas of ROYALTY WORLD INC S.A.S.

 

  1. To update databases, including cases where it is required to transmit or transfer information to a third party for data validation, purification, enrichment, and homogenization, after complying with legal requirements.

 

  1. To prepare studies, statistics, surveys, and trend analysis related to the products and services provided by ROYALTY WORLD INC S.A.S.

 

  1. To present reports to external entities that allow compliance with legal, contractual, and statistical analysis requirements for ROYALTY WORLD INC S.A.S.

 

  1. To manage the necessary information to comply with tax, contractual, commercial, and commercial, corporate, and accounting record obligations.

 

  1. To transmit the information to national or international contractors with whom there is an operational relationship, providing the products and services necessary for the proper operation of ROYALTY WORLD INC S.A.S.

 

  1. To provide information products and services through different contact channels.

 

  1. To evaluate the quality of the products and services provided.

 

  1. Other purposes determined in the processes of obtaining Personal Data for processing, in any case in accordance with the law and within the framework of the functions of ROYALTY WORLD INC S.A.S.

 

  1. To store, organize, classify, and catalog personal data within the formats, systems, files, and databases of ROYALTY WORLD INC S.A.S.

 

  1. To conduct credit background checks, inquiries with risk centers before approving a credit application, as well as reporting in the case of default on obligations.

 

  1. To perform the necessary actions to ensure the fulfillment of contracts.

 

  1. To manage procedures (requests, complaints, claims), perform risk analysis, conduct satisfaction surveys regarding the company’s services and its commercial partners.

 

  1. To provide contact information and relevant documents to the sales force and/or distribution network, telemarketing, market research, and any third party with whom ROYALTY WORLD INC S.A.S. has a contractual relationship of any kind.

 

  1. To provide necessary and sufficient information about the products or services marketed by ROYALTY WORLD INC S.A.S. to facilitate their purchase.

 

  1. To disclose, transfer, and/or transmit personal data of the data subjects within and outside the country to third parties pursuant to a contract, agreement, or commercial alliance, law, or lawful relationship that requires it for the provision of the respective services.

 

  1. To supply information to third parties with whom ROYALTY WORLD INC S.A.S. has a contractual relationship and for whom providing such information is necessary to fulfill the contracted purpose.

 

  1. To send information such as news, promotions, newsletters, and advertisements about the products and services marketed by ROYALTY WORLD INC S.A.S. and its partners with whom it has a signed contract, via text messages, physical material, emails, online offers, WhatsApp communications, push notifications, and/or any other authorized contact method.

 

  1. To conduct market strategies through the study of user behavior in response to offers and improve content by personalizing presentation and service.

 

  1. To conduct studies on behavior in response to offers and purchases, and based on that, present reports and statistics.

 

  1. To conduct studies on behavior in response to offers and purchases, and based on that, make improvements and changes in the service delivery process.

 

  1. To prepare commercial prospects and market segmentation.

 

  1. To present reports to inspection, surveillance, and control authorities, and process requests made by administrative or judicial entities.

 

  1. To transfer or transmit data nationally or internationally to providers with whom ROYALTY WORLD INC S.A.S. carries out activities to fulfill its corporate purpose. Additionally, transfers may be made to the company’s strategic partners to carry out marketing, advertising, data analysis, and promotions related to their commercial activity; all in accordance with Colombian regulations.

 

  1. Personal data of minors will be processed to comply with legal obligations.

 

  1. To control and prevent fraud in all its forms.

 

EMPLOYEES

 

The processing of Personal Data by ROYALTY WORLD INC S.A.S. will have the following purposes:

 

  1. To carry out the necessary activities to comply with legal obligations related to employees and former employees of ROYALTY WORLD INC S.A.S.

 

  1. To publish the corporate directory for contacting employees.

 

  1. To carry out all necessary activities for the fulfillment of the different contractual stages in relationships with suppliers and contractors.

 

  1. To control compliance with requirements related to the General Social Security System.

 

  1. In the case of biometric and biographical data captured through video surveillance or recording systems, their processing will aim at identification, security, and the prevention of internal and external fraud.

 

  1. The employee gives their consent for the use of their image, voice, and name through photographic, videographic, cinematic, or similar tools for advertising, announcements, and communications of ROYALTY WORLD INC S.A.S. and its brands. Additionally, the use of their image is authorized for corporate purposes, as well as its publication on social media, websites, official sites, and similar platforms, as well as in brand communication campaigns. The transfer of rights over their image and voice will remain valid during the time the employee is with the company and may continue to be used even after their departure from the company.

 

  1. To update databases, including cases where it is required to transmit or transfer information to a third party for data validation, purification, enrichment, and homogenization, after complying with legal requirements.

 

  1. To present reports to external entities that allow compliance with legal, contractual, and statistical analysis requirements for ROYALTY WORLD INC S.A.S.

 

  1. To manage the necessary information to comply with tax, contractual, and commercial obligations and with commercial, corporate, and accounting record obligations.

 

  1. To transmit the information to national or international contractors with whom there is an operational relationship, providing the products and services necessary for the proper operation of ROYALTY WORLD INC S.A.S.

 

  1. To store, organize, classify, and catalog personal data within the formats, systems, files, and databases of ROYALTY WORLD INC S.A.S.

 

  1. To disclose, transfer, and/or transmit personal data of the data subjects within and outside the country to third parties pursuant to a contract, agreement, or commercial alliance, law, or lawful relationship that requires it for the provision of the respective services.

 

  1. To present reports to inspection, surveillance, and control authorities, and process requests made by administrative or judicial entities.

 

  1. To control and prevent fraud in all its forms.

 

  1. For participants in selection calls, the personal data processed will be for the purpose of advancing the selection processes. The documents received, such as resumes and tests, will be managed while ensuring the principle of restricted access.

 

  1. Issuance of income and withholding certificates (individuals and legal entities) and payment statements.

 

  1. To manage the accounting process of ROYALTY WORLD INC S.A.S.

 

  1. For all purposes related to the selection processes, contracts, or related activities.

 

  1. To maintain a digital archive that ensures the proper information for each contract.

 

  1. Other purposes determined in the processes of obtaining Personal Data for processing, in any case, in accordance with the law and within the framework of the functions of ROYALTY WORLD INC S.A.S.

 

CONTRACTORS

 

The processing of Personal Data by ROYALTY WORLD INC S.A.S. will have the following purposes:

 

  1. To carry out all necessary activities to comply with the different contractual stages in relationships with contractors.

 

  1. To control compliance with requirements related to the General Social Security System.

 

  1. In the case of biometric and biographical data captured through video surveillance or recording systems, their processing will aim at identification, security, and the prevention of internal and external fraud.

 

  1. To update databases, including cases where it is required to transmit or transfer information to a third party for data validation, purification, enrichment, and homogenization, after complying with legal requirements.

 

  1. To present reports to external entities that allow compliance with legal, contractual, and statistical analysis requirements for ROYALTY WORLD INC S.A.S.

 

  1. To manage the necessary information to comply with tax, contractual, and commercial obligations and with commercial, corporate, and accounting record obligations.

 

  1. To transmit the information to national or international contractors with whom there is an operational relationship, providing the products and services necessary for the proper operation of ROYALTY WORLD INC S.A.S.

 

  1. To store, organize, classify, and catalog personal data within the formats, systems, files, and databases of ROYALTY WORLD INC S.A.S.

 

  1. To disclose, transfer, and/or transmit personal data of the data subjects within and outside the country to third parties pursuant to a contract, agreement, or commercial alliance, law, or lawful relationship that requires it for the provision of the respective services.

 

  1. To manage the information by suppliers and/or contractors for tasks related to processes, products, and services defined in their respective relationships with ROYALTY WORLD INC S.A.S., and only when strictly necessary.

 

  1. To present reports to inspection, surveillance, and control authorities, and process requests made by administrative or judicial entities.

 

  1. To control and prevent fraud in all its forms.

 

  1. For participants in selection calls, the personal data processed will be for the purpose of advancing the selection processes. The documents received, such as resumes and tests, will be managed while ensuring the principle of restricted access.

 

  1. Issuance of income and withholding certificates (individuals and legal entities) and payment statements.

 

  1. For all purposes related to the selection processes, contracts, or related activities.

 

  1. To maintain a digital archive that ensures the proper information for each contract.

 

  1. Other purposes determined in the processes of obtaining Personal Data for processing, in any case, in accordance with the law and within the framework of the functions of ROYALTY WORLD INC S.A.S.

 

VENDORS

 

The processing of Personal Data by ROYALTY WORLD INC S.A.S. will have the following purposes:

 

  1. To control compliance with requirements related to the General Social Security System.

 

  1. In the case of biometric and biographical data captured through video surveillance or recording systems, their processing will aim at identification, security, and the prevention of internal and external fraud.

 

  1. To inform and communicate the general details of events developed by ROYALTY WORLD INC S.A.S. through the media and in the forms deemed appropriate.

 

  1. To facilitate ROYALTY WORLD INC S.A.S.’s budgeting chain: payments by ROYALTY WORLD INC S.A.S., issuance of income and withholding certificates (individuals and legal entities), and payment statements.

 

  1. To facilitate the accounting process of ROYALTY WORLD INC S.A.S.

 

  1. To carry out all internal procedures and comply with accounting, tax, and legal obligations.

 

  1. To issue contractual certifications requested by the company’s suppliers or requests from control entities.

 

  1. To maintain a digital archive that ensures the proper information for each contract.

 

  1. Other purposes determined in the processes of obtaining Personal Data for processing, in any case, in accordance with the law and within the framework of the functions of ROYALTY WORLD INC S.A.S.

 

  1. To update databases, including cases where it is required to transmit or transfer information to a third party for data validation, purification, enrichment, and homogenization, after fulfilling legal requirements.

 

  1. To update databases, including cases where it is required to transmit or transfer information to a third party for data validation, purification, enrichment, and homogenization, after complying with legal requirements.

 

  • To manage the information by suppliers and/or contractors for tasks related to procedures, products, and services defined in their respective relationships with the company, and only when strictly necessary.

 

  • To present reports to external entities that allow compliance with legal, contractual, and statistical analysis requirements for ROYALTY WORLD INC S.A.S.

 

  • To manage the necessary information to comply with tax, contractual, and commercial obligations and with commercial, corporate, and accounting record obligations.

 

  1. To transmit the information to national or international contractors with whom there is an operational relationship, providing the products and services necessary for the proper operation of ROYALTY WORLD INC S.A.S.

 

  1. To provide information products and services through different contact channels.

 

  1. To store, organize, classify, and catalog personal data within the formats, systems, files, and databases of ROYALTY WORLD INC S.A.S.

 

  • To perform the necessary actions to ensure the fulfillment of contracts.

 

  • To manage procedures (requests, complaints, claims), perform risk analysis, conduct satisfaction surveys regarding the company’s services and its commercial partners.

 

  • To provide contact information and relevant documents to the distribution network, telemarketing, market research, and any third party with which the company has any contractual relationship.

 

  • To disclose, transfer, and/or transmit the personal data of the data subjects within and outside the country, to third parties as a result of a contract, law, or lawful relationship requiring it for the provision of the respective services or as per agreements or commercial alliances.

 

  1. To supply information to third parties with whom ROYALTY WORLD INC S.A.S. has a contractual relationship and for whom providing such information is necessary to fulfill the contracted purpose.

 

  1. To present reports to inspection, surveillance, and control authorities, and process requests made by administrative or judicial entities.

 

  1. To transfer or transmit data nationally or internationally to suppliers with whom ROYALTY WORLD INC S.A.S. develops activities in compliance with its corporate purpose. Transfers may also be made to the company’s strategic allies to carry out marketing, advertising, data analysis, and promotions associated with their commercial activity, in accordance with Colombian regulations.

 

  1. To control and prevent fraud in all its forms.

 

J.    TRANSFER AND TRANSMISSION OF PERSONAL DATA

 

ROYALTY WORLD INC S.A.S. may transfer and transmit personal data to third parties with whom it has an operational relationship that provides products and services necessary for its proper operation or in accordance with the functions assigned by law. In these cases, the necessary measures will be taken to ensure that individuals who have access to personal data comply with this Policy and the principles of personal data protection and obligations established by law.

In all cases, when ROYALTY WORLD INC S.A.S. transmits data to one or more data processors located within or outside the territory of the Republic of Colombia, it will establish personal data transmission contracts or confidentiality agreements, which will include the following:

  1. Scope of the processing.

 

  1. The activities the processor will perform on behalf of the controller for processing personal data.

 

  1. The obligations of the processor toward the data subject and the controller.

Through this contract, the processor will commit to applying the responsibilities set forth under the controller's data processing policy and will process personal data in accordance with the purpose authorized by the data subjects and in compliance with applicable laws.

In addition to the obligations imposed by applicable regulations within the mentioned contract, the following obligations must be included for the processor:

  1. Process the personal data, on behalf of the controller, in accordance with the principles that protect it.

 

  1. Safeguard the security of databases containing personal data.

 

  1. Maintain confidentiality regarding the processing of personal data.

 

In the case of data transfers, the obligations stipulated in Law 1581 of 2012 and its regulatory norms will be complied with.

 

K.   RIGHTS AND LEGAL CONDITIONS FOR PROCESSING

 

RIGHTS OF DATA SUBJECTS

 

In the Processing of Personal Data by ROYALTY WORLD INC S.A.S., the rights of the Data Subjects will be fully respected at all times, which are:

 

  1. To know, update, and rectify the Data with the Data Processor(s).

 

  1. To request proof of the authorization granted, or any other document signed by the Data Subject for this purpose, unless explicitly exempted as a requirement for Data Processing in accordance with the law.

 

  1. To be informed by ROYALTY WORLD INC S.A.S. or the Data Processor, upon request, regarding the use of the data.

 

  1. To file complaints before the Competent Authority for violations of the law and other regulations that amend, replace, or add to it.

 

  1. To revoke the authorization and/or request the deletion of data when the Processing does not respect the principles, rights, and constitutional and legal guarantees. Revocation and/or deletion will occur when the Competent Authority has determined that ROYALTY WORLD INC S.A.S. or Data Processors have engaged in conduct contrary to the law and the Constitution. Revocation will occur as long as there is no legal or contractual obligation to retain the personal data.

 

  1. To access, free of charge, the Personal Data that has been processed.

 

DATA SUBJECT’S AUTHORIZATION

 

Notwithstanding the exceptions provided by law, prior and informed consent from the Data Subject is required for the Processing, which must be obtained by any means that can be subject to subsequent consultation. The authorization will be considered to meet these requirements when it is expressed (i) in writing, (ii) orally, or (iii) through unequivocal conduct by the Data Subject that allows a reasonable conclusion that consent was granted.

Cases in Which Authorization Is Not Required:

 

The data subject's authorization will not be required when it concerns:

 

  1. Publicly available data.

 

  1. Cases of medical, health, or humanitarian emergency.

 

  1. Processing of information authorized by law for historical, statistical, or scientific purposes.

 

  1. Data related to the Civil Registry of Individuals.

 

Anyone who accesses personal data without prior authorization must, in any case, comply with the provisions contained in Law 1581 of 2012, and other related and applicable regulations.

 

PROVISION OF INFORMATION

 

The information requested by the data subjects will be provided primarily through electronic means, or by any other means only if required by the data subject. The information provided by ROYALTY WORLD INC S.A.S. will be delivered without technical barriers that would prevent access; its content will be easy to read and must fully correspond to that which is stored in the database.

 

DUTY TO INFORM

 

ROYALTY WORLD INC S.A.S., when requesting authorization from the data subject, must clearly and explicitly inform them of the following:

 

  1. The processing to which their personal data will be subjected and its purpose.

 

  1. The voluntary nature of the response to the questions asked, when they relate to sensitive data or data concerning children and adolescents.

 

  1. The rights they have as the data subject.

 

  1. The identification, physical or electronic address, and phone number of the data controller.

 

ROYALTY WORLD INC S.A.S., as the data controller, must retain evidence of compliance with the provisions of this section and, when requested by the data subject, provide a copy of it.

 

PERSONS TO WHOM INFORMATION MAY BE PROVIDED

 

The information that meets the conditions established by law may be provided to the following persons:

 

  1. To the Data Subjects, their heirs, or their legal representatives, as duly accredited.

 

  1. To Public or Administrative Entities in the exercise of their legal functions or by judicial order.

 

  1. To third parties authorized by the Data Subject or by law.

 

L.     DUTIES OF DATA CONTROLLERS AND PROCESSORS

 

DUTIES OF DATA CONTROLLERS

 

ROYALTY WORLD INC S.A.S., as the data controller, must comply with the following duties, without prejudice to other provisions established by law and those that govern its activities:

  a) Guarantee the full and effective exercise of the Habeas Data right for the Data Subject at all times.

  b) Request and retain, in accordance with the law, a copy of the authorization granted by the Data Subject.

  c) Properly inform the Data Subject about the purpose of data collection and the rights granted under the authorization.

  d) Maintain the information under necessary security conditions to prevent its alteration, loss, consultation, unauthorized use, or fraudulent access.

  e) Ensure that the information provided to the Data Processor is truthful, complete, accurate, updated, verifiable, and understandable.

  f) Update the information and promptly communicate to the Data Processor any updates regarding the data previously provided and take necessary steps to ensure the information remains current.

  g) Correct any incorrect information and communicate the necessary adjustments to the Data Processor.

  h) Provide the Data Processor with only data whose processing has been previously authorized in accordance with the law.

  i) Continuously ensure that the Data Processor respects the security and privacy conditions of the Data Subject's information.

  j) Process the queries and complaints as specified by law.

  k) Implement specific procedures to ensure proper compliance with the law, especially for handling queries and complaints.

  l) Inform the Data Processor when certain information is under dispute by the Data Subject, once the complaint has been filed and the process is not yet concluded.

  m) Inform the Data Subject, upon request, about the use of their data.

  n) Notify the data protection authority when security breaches occur and there are risks to the management of Data Subjects' information.

 

DUTIES OF DATA PROCESSORS

 

The Data Processors, and in the event that ROYALTY WORLD INC S.A.S. acts as a processor, must comply with the following duties, without prejudice to other provisions established by the law and any other regulations governing their activities:

 

  a) Guarantee the full and effective exercise of the Habeas Data right for the Data Subject at all times.

  b) Keep the information under the necessary security conditions to prevent its alteration, loss, consultation, unauthorized use, or fraudulent access. The processors must comply with the minimum security conditions defined in the National Register of Databases.

  c) Timely update, rectify, or delete the data as required by Law 1581 of 2012, and other related and applicable regulations.

  d) Update the information provided by the data controllers within five (5) business days from receipt.

  e) Handle the consultations and complaints made by the data subjects according to the terms specified in this Policy.

  f) Adopt an Internal Manual of Policies and Procedures to ensure proper compliance with the law and, especially, for addressing consultations and complaints from data subjects.

  g) Register the legend "claim in process" in the Databases, as regulated by the law.

  h) Insert the legend "information in judicial dispute" into the Database once notified by the competent authority about legal proceedings related to the accuracy of the personal data.

  i) Refrain from circulating information that is being disputed by the data subject and whose blocking has been ordered by the Superintendence of Industry and Commerce or by the data controller.

  j) Allow access to the information only to those persons authorized by ROYALTY WORLD INC S.A.S.

  k) Inform the data controller when there are violations of security codes and risks in managing the data subjects’ information.

  l) Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

  m) Verify that the data controller has authorization for the processing of the personal data of the data subject.

 

M.   GENERAL ACTIONS FOR THE PROTECTION OF PERSONAL DATA

 

The following are the general guidelines established by ROYALTY WORLD INC S.A.S. in order to fulfill its obligations in compliance with the principles for the management of personal data.

 

These guidelines are complementary to the currently existing and implemented policies, procedures, or general instructions, including the data and information security policies, and are in no way intended to replace or disregard them.

 

PROCESSING OF INFORMATION

 

All members of ROYALTY WORLD INC S.A.S., when carrying out the activities specific to their position, will assume the responsibilities and obligations related to the proper management of personal information, from its collection, storage, use, circulation, and until its final disposal.

 

USE OF INFORMATION

 

The personal information contained in the databases must be used and processed in accordance with the purposes described in this Policy.

 

In the event that any department identifies new uses different from those described in this Personal Data Processing Policy, it must inform the Data Protection Officer, who will evaluate and manage, when applicable, its inclusion in this Policy. Additionally, the following assumptions must be considered:

 

  a. In the event that a department different from the one that initially collected the personal data requires the use of the personal data obtained, it may be done as long as it is a foreseeable use aligned with the mission-related purposes of ROYALTY WORLD INC S.A.S. and for a purpose contemplated within this Personal Data Processing Policy.

  b. Each department must ensure that, during the recycling process of physical documents, confidential information or personal data is not disclosed. Therefore, resumes, academic degrees, academic or employment certifications, medical examination results, or any document containing information that could identify an individual may not be recycled.

  c. If a data processor has provided personal data or databases to a department for a specific purpose, the department that requested the personal data should not use that information for any purpose other than what is described in the Personal Data Processing Policy. Upon completion of the activity, the department that requested the information must delete the database or personal data used, avoiding the risk of outdated information or cases where a data subject has filed a claim during that time.

  d. Employees are not allowed to make decisions that significantly impact personal information or have legal implications based solely on the information provided by the information system. They must validate the information using other physical instruments or manually, and if necessary, directly from the data subject, in cases where this is required.

  e. Only authorized employees and contractors may enter, modify, or cancel the data contained in the databases or protected documents. User access permissions are granted by the department defined in the applicable protocols, according to the established profiles, which will be pre-defined by the leaders of the processes where personal information is required.

  f. Any use of the information different from what is established will be previously consulted with the Data Protection Officer.

 

STORAGE OF INFORMATION

 

The storage of digital and physical information is carried out using media or environments with appropriate controls to ensure data protection. This includes physical and IT security controls, technological safeguards, and environmental measures in restricted areas, within the company’s own facilities and/or data centers or document management centers operated by third parties.

 

DESTRUCTION OF INFORMATION

 

The destruction of physical and electronic media is carried out using mechanisms that prevent reconstruction. This is done only when it does not violate any legal regulations, always ensuring proper traceability of the action.

The destruction applies to information held by third parties as well as within the company's own facilities.

 

INFORMATION SECURITY INCIDENTS

 

An incident is understood as any anomaly that affects or could affect the security of databases or the information contained within them.

If a user becomes aware of an incident, they must report it to the Data Protection Officer, who will take appropriate measures in response to the reported incident.

The Data Protection Officer will notify the Personal Data Protection Division of the Superintendency of Industry and Commerce through the designated module within fifteen (15) days of becoming aware of the incident.

Incidents may affect both digital and physical databases and will trigger the following activities:

  • Incident Notification: When it is presumed that an incident may affect or has affected databases containing personal information, it must be reported to the Personal Data Protection Officer, who will manage its reporting in the National Database Registry.

 

  • Incident Management: It is the responsibility of every employee, contractor, consultant, or third party to promptly report any suspicious event, vulnerability, or policy violation that could impact the confidentiality, integrity, and availability of the assets and personal information of ROYALTY WORLD INC S.A.S.

 

  • Incident Identification: All suspicious or abnormal events, such as those with the potential to compromise the confidentiality or privacy of information, must be assessed to determine whether they constitute an incident. These should be reported to the appropriate level within the organization. Any decisions involving investigative or judicial authorities must be made jointly by the Personal Data Protection Officer and the Legal Department of ROYALTY WORLD INC S.A.S. Communication with such authorities will be handled by these parties.

 

  • Incident Reporting: All incidents and suspicious events must be reported as soon as possible through the internal channels established by ROYALTY WORLD INC S.A.S.

If sensitive or confidential information is lost, disclosed to unauthorized personnel, or if any such event is suspected, the Personal Data Protection Officer must be notified immediately.

Employees must report to their direct supervisor and the Personal Data Protection Officer any damage or loss of computers or other devices containing personal data managed by ROYALTY WORLD INC S.A.S.

Unless there is a duly reasoned and justified request from a competent authority, no employee or contractor should disclose information about computer systems or networks that have been affected by a cybercrime or system abuse. For the provision of information or data pursuant to an authority's order, the Legal Department of ROYALTY WORLD INC S.A.S. must be involved to provide appropriate guidance.

 

  • Incident Containment, Investigation, and Diagnosis: The Personal Data Protection Officer must ensure actions are taken to investigate and diagnose the causes of the incident. Additionally, they must ensure that the entire incident management process is properly documented, with support from the Technology and IT Office.

If a cybercrime is identified, as defined by Law 1273 of 2009, the Personal Data Protection Officer and the Legal Department will report this information to the respective judicial investigative authorities.

During the investigation process, the "Chain of Custody" must be preserved to ensure its validity in case legal action is required.

 

  • Incident Resolution: Any affected area and those directly responsible for managing personal data must take measures to prevent the recurrence of the security incident by addressing all existing vulnerabilities.

 

  • Incident Closure and Follow-Up: The Personal Data Protection Officer, along with the areas that use or require the information, will initiate and document all tasks related to reviewing the actions taken to resolve the security incident.

The Personal Data Protection Officer will prepare an annual analysis of reported incidents. The conclusions from this report will be used to design awareness campaigns aimed at minimizing the likelihood of future incidents.

  • Incident Reporting: Security incidents affecting the database will be reported as follows:

Violations of security codes or the loss, theft, and/or unauthorized access to information within a database managed by the Data Controller or Processor must be reported to the National Database Registry within fifteen (15) business days of detection and notification to the responsible person or area.

Process leaders and/or information asset owners must internally report incidents related to personal data to the Personal Data Protection Officer, who will proceed to report them to the National Database Registry within the legal timeframe.

 

N.    HANDLING REQUESTS, INQUIRIES, AND CLAIMS

 

Requests, inquiries, and claims submitted by holders of Personal Data under the processing of ROYALTY WORLD INC S.A.S., aimed at exercising their rights to access, update, rectify, and delete data, or revoke consent, must be addressed to the Personal Data Protection Officer.

The aforementioned role will serve as the point of contact for data subjects for all purposes outlined in this Policy. Additionally, the means to carry out any procedure or exercise rights related to personal data protection will be via email: [email protected]

 

PROCEDURE FOR HANDLING REQUESTS, COMPLAINTS, AND CLAIMS (PQRS).

 

Data subjects, regardless of the type of relationship they have with ROYALTY WORLD INC S.A.S., can exercise their rights to access, update, rectify, and delete information and/or revoke the consent granted, in accordance with the "Procedure for Updating, Rectifying, Deleting Information and/or Revoking Authorizations".

 

PERSON RESPONSIBLE FOR HANDLING INQUIRIES

 

The Personal Data Protection Officer of ROYALTY WORLD INC S.A.S. will be responsible for receiving and processing requests in accordance with the terms, deadlines, and conditions established in Law 1581 of 2012 and these policies.

 

Inquiries directed to ROYALTY WORLD INC S.A.S. must contain at least the following information:

 

  a. Full name of the Data Subject and/or their representative and/or heirs;
  b. The subject of the inquiry.
  c. Physical address, email, and contact phone number of the Data Subject and/or their heirs or representatives;
  d. Signature, identification number, or corresponding validation procedure.
  e. It must have been submitted through the inquiry channels enabled by ROYALTY WORLD INC S.A.S.

 

Once the information inquiry request is received from the Data Subject or their representative or duly authorized third party, through the channels established by the respective area, the request will be forwarded to the Personal Data Protection Officer. The Officer will verify that the request contains all the required specifications in order to assess that the right is being exercised by the interested party or their representative, thereby confirming that there is legal legitimacy to do so.

 

TIMEFRAME FOR HANDLING INQUIRIES

 

Requests received through the aforementioned channels will be addressed within a maximum of ten (10) business days from the date of receipt.

In case it is not possible to respond to the inquiry within this timeframe, the interested party will be informed before the expiration of the ten (10) days, stating the reasons for the delay and indicating the date when their inquiry will be addressed, which in no case can exceed five (5) business days following the expiration of the initial period.

 

CLAIMS PROCEDURE

 

Rights guaranteed through the claims procedure:

 

  a) Correction or Update: ROYALTY WORLD INC S.A.S. and/or the Data Processors will guarantee the data subjects listed in their databases, or their heirs, the right to correct or update personal data held in their databases by submitting a complaint when they believe the conditions established by law or outlined in this Personal Data Processing Policy are met, making the request for correction or update valid.

 

  b) Revocation of Consent or Deletion of Personal Data: ROYALTY WORLD INC S.A.S. and/or the Data Processors will guarantee the data subjects listed in their databases, or their heirs, the right to request the revocation of consent or request the deletion of the information contained in their individual records, or any data linked to their identification, when they believe the conditions established by law or outlined in this Personal Data Processing Policy are met. The right to file complaints is also guaranteed when there is a perceived violation of Law 1581 of 2012 or this Personal Data Processing Policy.

 

PERSON RESPONSIBLE FOR HANDLING CLAIMS

 

The Personal Data Protection Officer of ROYALTY WORLD INC S.A.S. will be responsible for receiving and processing the claims submitted, in accordance with the terms, deadlines, and conditions established in Law 1581 of 2012 and these policies.

Claims directed to ROYALTY WORLD INC S.A.S. must contain at least the following information:

  a. Full name of the Data Subject and/or their representative and/or heirs;
  b. The details of what is intended to be updated or rectified.
  c. Physical address, email, and contact phone number of the Data Subject and/or their heirs or representatives;
  d. Signature, identification number, or corresponding validation procedure.
  e. It must have been submitted through the inquiry channels enabled by ROYALTY WORLD INC S.A.S.

Once the request for updating or rectifying information is received from the Data Subject or their representative or a duly authorized third party, through the established channels, the respective area will forward the request to the Personal Data Protection Officer. The Officer will verify that the request contains all the required specifications to assess whether the right is being exercised by the interested party or their representative, thereby confirming the legal legitimacy to do so.

 

CLAIMS WITHOUT COMPLIANCE WITH LEGAL REQUIREMENTS

 

If a claim is submitted without meeting the aforementioned legal requirements, the claimant will be requested within five (5) days from the receipt of the claim to correct the deficiencies and provide the missing information or documents.

 

If two (2) months pass from the date of the request without the claimant submitting the required information, it will be understood that they have withdrawn the claim.

 

INCLUSION OF LEGEND IN THE DATABASE

 

Once the claim is fully received, ROYALTY WORLD INC S.A.S. will include a legend in the database containing the Data Subject's personal data within a maximum of two (2) business days from receipt, stating "claim in process" and the reason for it. This legend must be maintained until the claim is resolved.

 

RESPONSE TIME TO CLAIMS

 

The maximum term to address the claim will be fifteen (15) business days from the day following its receipt.

 

If it is not possible to address the claim within this term, the interested party will be informed of the reasons for the delay and the date when the claim will be addressed, which in no case can exceed eight (8) business days after the expiration of the initial term.

 

PERSONAL DATA DELETION PROCEDURE

 

If the deletion of the Data Subject's personal data from the database is deemed appropriate in accordance with the submitted claim, ROYALTY WORLD INC S.A.S. must operationally delete the data in such a way that its recovery is not possible. However, the Data Subject must be aware that, in certain cases, some information must remain in historical records for compliance with the organization's legal obligations. Therefore, its deletion will apply only to the active processing of the data and in accordance with the Data Subject's request.

 

O.    ACCESS CONTROL AND VIDEO SURVEILLANCE

 

ACCESS CONTROL

 

Areas where processes related to confidential or restricted information are carried out must have access controls that allow only authorized employees to enter, and that enable the tracking of entry and exit activities.

 

VIDEO SURVEILLANCE

 

ROYALTY WORLD INC S.A.S. has video surveillance cameras with the purpose of complying with physical security policies, in line with the guidelines established in the Guide for the Protection of Personal Data in Video Surveillance Systems, issued by the Superintendence of Industry and Commerce as the control authority.

 

The footage must be retained for a maximum period of ninety (90) days. If the footage becomes part of or supports a claim, complaint, or any legal process, it must be kept until the matter is resolved.

 

EMPLOYEE AND CONTRACTOR TRAINING

 

ROYALTY WORLD INC S.A.S. will develop annual training and awareness programs on Personal Data Protection and Information Security. ROYALTY WORLD INC S.A.S. must make this Policy known through the means it deems appropriate and, in doing so, train its employees and contractors on the management of personal data at least once a year, in order to assess their knowledge on the matter.

 

New employees and contractors, upon joining ROYALTY WORLD INC S.A.S., must receive training on Personal Data Protection and Information Security, with proof of attendance and acknowledgment of their understanding.

In the development of training and awareness programs, it should be ensured that employees, contractors, and third parties are aware of their responsibilities regarding Personal Data Protection and Information Security.

The training programs will be periodically updated.

The Human Resources department, in collaboration with the Personal Data Protection Officer, will define training and evaluation plans for employees in accordance with any regulatory changes that may arise.

 

Q.  AUDITS AND CONTROL

 

ROYALTY WORLD INC S.A.S. will conduct review or audit processes regarding Personal Data Protection, verifying directly or through third parties that policies and procedures have been properly implemented at ROYALTY WORLD INC S.A.S.

Based on the results obtained, necessary improvement plans (preventive, corrective, and enhancement) will be designed and implemented.

As a general rule, ROYALTY WORLD INC S.A.S. will carry out these review processes at least once a year or on an extraordinary basis in the event of serious incidents that affect the integrity of personal data databases.

The results of the review, along with any improvement plans, will be presented by the Personal Data Protection Officer to the Legal Representative for evaluation and approval.

 

R.   DATABASE PERIOD

 

The databases of ROYALTY WORLD INC S.A.S. will have a retention period corresponding to the purpose for which their processing was authorized and the special regulations that govern the matter, as well as those regulations that establish the exercise of ROYALTY WORLD INC S.A.S.'s legal functions or duties.

S.   NATIONAL DATABASE REGISTRY

 

In accordance with article 25 of Law 1581 and its regulatory decrees, ROYALTY WORLD INC S.A.S. will register its databases along with this Personal Data Processing Policy in the National Database Registry, administered by the Superintendence of Industry and Commerce, in accordance with the procedure established for this purpose.

 

T.   VALIDITY, VERSIONS, AND UPDATES

 

This Personal Data Processing Policy is effective from the date of its signature and complements the associated policies, with indefinite validity.

 

Any substantial changes to the Personal Data Processing Policy will be communicated in a timely manner to the data subjects through the usual contact methods and/or through the ROYALTY WORLD INC S.A.S. website.

For data subjects who do not have access to electronic means or those who cannot be contacted, the changes will be communicated through public notices at the company's main office.

 

  1. SUMMARY OF CHANGES COMPARED TO THE PREVIOUS VERSION

 

This policy is version 2.0; it has been expanded, complemented, and adjusted to the national protection standard of the Republic of Colombia for the year 2024.

 

This Personal Data Processing Policy will come into effect on December 11, 2024. 

 

Luis Alfonso Londoño Zapata
Legal Representative
ROYALTY WORLD INC S.A.S.
NIT. 900.918.489-3