CHAPTER VII

HOLDER’S AUTHORIZATION FOR DATA PROCESSING

MUNILY as Data Controller has adopted procedures to request, at the latest at the time of collection of personal data, the corresponding authorization for the Processing thereof and to inform which personal data will be collected, as well as all the specific purposes of the Processing for which consent is obtained. However, in the case of personal data that are in publicly accessible sources, regardless of the means by which they are accessed, meaning those data or databases that are available to the public, they may be processed by MUNILY, provided that, by their nature, they are public data. MUNILY as Responsible for the Processing of personal data has established mechanisms to obtain the authorization of the Data Controllers or whoever is legitimized for such purpose. It shall be understood that the authorization granted by the Data Subject to MUNILY complies with the requirements of the applicable legislation in force, when it is expressed: (i) in writing; (ii) orally; or (iii) through unequivocal conduct of the Data Subject that allows the reasonable conclusion that he/she granted MUNILY the respective authorization. In no case shall the silence of the Data Subject to issue his/her consent or authorization be assimilated by MUNILY as an unequivocal conduct. The Data Subject may at any time request MUNILY as Data Controller, the deletion of their personal data and/or revoke the authorization granted to MUNILY for the Processing of the data, for which the channels provided for in Section 3 of Chapter Twelve of this Policy have been enabled.

CHAPTER VIII

HOLDER’S AUTHORIZATION FOR THE PROCESSING OF SENSITIVE DATA

In accordance with the provisions of Chapter V of this Policy, Sensitive Data is understood as: “data that affect the privacy of the Data Subject or whose improper use may lead to discrimination”. The processing of sensitive data referred to in Article 5° of Law 1581 of 2012 is prohibited, except for the cases listed below:

• When the Data Subject has given his explicit authorization to such Processing, except in those cases where by law the granting of such authorization is not required.
• When the Processing is necessary to safeguard the vital interest of the Data Subject and he/she is physically or legally incapacitated. In these events, the legal representatives must grant their authorization.
• When the Processing is carried out in the course of legitimate activities and with due guarantees by a foundation, NGO, association or any other non-profit organization, whose purpose is political, philosophical, religious or trade union, provided that they refer exclusively to its members or persons who maintain regular contacts by reason of its purpose. In these events, the data may not be provided to third parties without the authorization of the Data Controller.
• When the Processing refers to data that are necessary for the recognition, exercise or defense of a right in a judicial process;
• When the Processing has a historical, statistical or scientific purpose. In this event, the measures leading to the suppression of the identity of the Data Controllers must be adopted.

In the Processing of sensitive personal data, when such Processing is possible in accordance with the provisions of Article 6 of Law 1581 of 2012, MUNILY complies with the following obligations:

• Informs the Data Subject that since it is sensitive data, he/she is not obliged to authorize its processing.
• It informs the Data Subject explicitly and in advance, in addition to the general requirements of authorization for the collection of any type of personal data, which of the data to be processed are sensitive and the purpose of their processing, and also obtains his or her express consent.

None of the activities carried out by MUNILY are or will be conditioned on data subjects providing the Company with sensitive personal data.

CHAPTER IX

USE AND PURPOSE OF THE TREATMENT

MUNILY recognizes that holders of personal data are entitled to have a reasonable expectation of their privacy, taking into account their responsibilities, rights and obligations to the Company. MUNILY will use the personal data collected for the following purposes:

• Execute contracts signed with customers.
• To provide security and community communication solutions in horizontal properties.
• Make payment of contractual obligations.
• Send the information to governmental or judicial entities at their express request.
• Support external and internal audit processes.
• Payroll payments, issuance of labor certifications, invitations to company events to its active workers.
• Issuance of labor certificates requested by workers who have left the company.
• Develop internal communication campaigns that may contain data of MUNILY employees in Colombia.
• Contact independent professionals, employees, customers and suppliers, to send commercial information that may be requested or that has to do with the contractual relationship between the parties.
• Contact professionals who send their resumes for job interviews.
• Submission of proposals that are requested either electronically, in writing or by electronic means.
• Sending e-mails containing newsletters, publications, invitations to events and information that may be relevant to customers and/or prospects.
• Sending of proposals and portfolio of services.
• Sending satisfaction surveys and service improvement programs (only for customers).

The information provided by the Holders of personal data will be used by MUNILY only for the purposes stated herein, and, therefore, we will not proceed to sell, license, transmit or disclose the same, outside the Company, unless: (i) you expressly authorize us to do so; (ii) it is necessary to do so to allow our professionals to provide our services; (iii) it is required or permitted by law or by a competent administrative or judicial authority. In order to implement the purposes described above, your personal data may be disclosed for the purposes set forth above to the personnel that make up the Human Resources Management, Administrative and Financial Management and Commercial Management. MUNILY may subcontract to third parties for the processing of certain functions or information. When we do outsource the processing of personal information to third parties or provide personal information to third party service providers, we advise such third parties of the need to protect such personal information with appropriate security measures, prohibit them from using your personal information for their own purposes, and prevent them from disclosing the personal information to others. Once the need for data processing has ceased, the data may be removed from MUNILY’s databases or archived in a secure manner so that it can only be disclosed when required by law.

CHAPTER X

PROCESSING OF PERSONAL DATA

This Security Policy extends and reaches the various areas that are part of the processing (use, collection, circulation, storage and deletion) of personal data; the above in order to standardize procedures in the management and administration of risks in the processing of personal data. This Security Policy applies to all MUNILY’s Databases containing personal data, whether digital or physical, and binds each of the areas and personnel designated for the processing of personal data. The policy shall be extended as applicable to those in charge of the processing with whom MUNILY establishes links as applicable This document applies to all employees, contractors and personnel linked to MUNILY under any type of contractual relationship and who are involved in the processing of personal data under the development of the contract For this purpose, personal data shall be understood as any information linked or that may be associated with natural persons. To consider it as personal data you must answer affirmatively to the following question With the data I can directly or directly identify a natural person? According to Decree 1377 of 2013, MUNILY, may only collect, store, use or circulate the personal data of a person, for the time that is reasonable and necessary, according to the purposes that justified the treatment, taking into account the provisions applicable to the matter in question and the administrative, accounting, fiscal, legal and historical aspects of the information. Once the purpose or purposes of the Processing have been fulfilled and without prejudice of legal regulations that provide otherwise, MUNILY shall proceed to the deletion of the personal data in its possession. As an exception to the above, MUNILY may keep the personal data when it is required to comply with a legal or contractual obligation. In cases in which MUNILY processes sensitive data, defined as any data that affects the privacy of the owner or whose improper use may generate discrimination, such data shall be protected in accordance with the framework and limitations established by law. MUNILY shall endeavor to comply with the digital and physical security measures established herein, which are adequate to ensure the security of sensitive data. Thus, all processing (use, collection, circulation, storage and filing) of personal data must be authorized by the owner according to the purposes indicated by the responsible party. Therefore, it is MUNILY’s duty to ensure that the areas involved in the entire life cycle of the data comply with the provisions of the processing policy and that the personal data is effectively used according to the purposes authorized by the owner.

• TREATMENT OF PERSONAL DATA OF MINORS.

  The processing of data of minors must be subject to the principles, parameters and requirements contained in Article 7 of Law 1581 of 2012, Article 12 of Decree 1377 of 2013 and Ruling C-778 of 2012 of the Constitutional Court.

• The processing of personal data of children under 18 years of age may be subject to processing as long as the purpose pursued is in the best interest of children and adolescents and respect for their prevailing rights is ensured without exception. In accordance with the above, the processing of personal data of children and adolescents will be exceptionally possible when the following criteria are met:
  • The purpose of the treatment responds to the best interests of children and adolescents.
  • To ensure respect for the fundamental rights of children and adolescents.
  • In accordance with the maturity of the child or adolescent, his or her opinion shall be taken into account.
  • Compliance with the requirements set forth in Law 1581 of 2012 for the processing of personal data.
  • Prior authorization is obtained from the legal representative of the minor, usually the parents.
• VIDEO SURVEILLANCE

  Through the Munily app it will be possible to capture the image of people and vehicles entering the condominiums that use the Munily app, who prior to entry are informed of this situation by the people in charge of the reception, who will additionally seek at that time the authorization of the owner. The sole purpose of these systems is the security of both the people entering the condominium and its residents.

• POLICIES OF THE PERSON IN CHARGE OF THE PROCESSING OF PERSONAL DATA
  The PERSON IN CHARGE is the one who carries out the processing of personal data on behalf of MUNILY, that is, the person to whom MUNILY is entrusting the handling of a compendium of personal data, whether provided directly by the owners of the data or by third parties to MUNILY.In this sense, the personal data provided by MUNILY shall be used only for the entrusted task and in accordance with the established guidelines
  . According to the Colombian regulations applicable to the protection of personal data and the jurisprudence related to the subject, the person responsible for the processing of personal data, i.e. MUNILY and THE PERSON IN CHARGE of the processing, respond concurrently and jointly and severally before the owner of the personal data The foregoing with respect to the veracity, integrity, purpose and incorporation of the personal data, as well as in the treatment (use, collection, storage, circulation and suppression) of the same; in the understanding that any use must be made with the authorization of the owner.
  By virtue of the foregoing, THE PARTY undertakes with MUNILY to verify the delivery status of the personal data, as well as to provide the necessary security measures to ensure the security of the data according to the measures of this Security Policy. It is the duty of the PRINCIPAL to provide the utmost diligence in the execution of its work with respect to the protection and security of personal data, both in digital and physical databases.
  THE PERSON IN CHARGE is responsible for the use, custody and protection of the personal data provided by MUNILY, for which reason he/she shall be liable even for slightest fault with respect to the protection and custody of the personal data provided Any conduct contrary to the policies set forth herein or its omission shall engage the responsibility of the PRINCIPAL.
  THE PRINCIPAL shall comply with the duties set forth in the Policy of the Data Processor and with the other duties set forth in Article 18 of Law 1581 of 2012, and shall also be liable even for its employees or contractors.

CHAPTER XI

REVOCATION OF AUTHORIZATION AND/OR DELETION OF DATA

Data Owners may at any time request MUNILY as Data Controller, the deletion of their personal data and/or revoke the authorization granted for the Processing thereof, by filing a claim, in accordance with the provisions of Article 15 of Law 1581 of 2012. However, it is important to note that the request for deletion of the information and the revocation of the authorization shall not proceed when the Data Subject has a legal or contractual duty by virtue of which it must remain in MUNILY’s database. MUNILY has provided easily accessible and free mechanisms, so that the Data Owners may submit at any time requests for deletion of their data or revocation of the authorization granted. Such mechanisms are set forth in paragraph 3 of Chapter XIII of this document. If upon expiration of the respective legal term, MUNILY as the Responsible Party does not remove the personal data from its databases, the Data Subject may request the Superintendence of Industry and Commerce to order the revocation of the authorization and/or the deletion of the personal data. For these purposes, the procedure described in Article 22 of Law 1581 of 2012 shall apply. Finally, it is important to highlight that personal data will be kept in MUNILY’s databases when so required in compliance with a legal or contractual obligation.

CHAPTER XII

RIGHTS OF DATA SUBJECTS

Pursuant to the provisions of Article 8 of Law 1581 of 2012, the rights of personal data owners are:

• To know, update and rectify their personal data with respect to the Data Controllers or Data Processors. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or data whose processing is expressly prohibited or has not been authorized.
• Request proof of the authorization granted to the Data Controller except when expressly exempted as a requirement for the Processing.
• To be informed by the Data Controller or the Data Processor, upon request, regarding the use that has been made of their personal data.
• File complaints before the Superintendence of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and other regulations that modify, add or complement it.
• To revoke the authorization and/or request the deletion of the data when the processing does not respect the constitutional and legal principles, rights and guarantees.
• Access free of charge to personal data that have been subject to Processing.

The channels that exist in MUNILY for the exercise of the rights of the Data Subject are found in Chapter XIII of this Policy.

CHAPTER XIII

PROCEDURE FOR EXERCISING YOUR RIGHTS AS A DATA SUBJECT

The rights of the Holders established in the Law may be exercised before MUNILY by the following persons:

• By the Data Subject, who must provide MUNILY with sufficient proof of his or her identity.
• By the successors of the Data Subject, who must prove such quality to MUNILY.
• By the representative and/or proxy of the Data Subject, upon accreditation before MUNILY of the representation or proxy.
• By stipulation in favor of or for another.

In accordance with the provisions of the applicable legislation in force, for the exercise of any of the rights of the Data Owner, any of the mechanisms set forth below may be used before MUNILY:

Inquiries:

• The Data Controllers or their successors in title may consult the personal information of the Data Controller in MUNILY’s databases.
• MUNILY, as the data controller, will provide to the Data Controllers or their successors in title, all the information contained in the individual record or that is linked to the identification of the Data Controller.
• The consultation shall be made through the channels enabled by MUNILY for such purpose, which are described in Section 3 of this chapter.
• The consultation will be attended by MUNILY in a maximum term of ten (10) working days counted from the date of receipt of the same.
• When it is not possible for MUNILY to attend the consultation within said term, it shall inform the interested party, stating the reasons for the delay and indicating the date on which it will attend the consultation, which in no case shall exceed five (5) business days following the expiration of the first term.

Claims:

• The Titleholders or assignees who consider that the information contained in MUNILY’s databases should be corrected, updated or deleted, or when they notice the alleged breach of any of the duties contained in the law, may file a claim with MUNILY as the party responsible for the Processing, which will be processed under the following rules:
  • The claim shall be formulated by means of a written request addressed to MUNILY, with the identification of the Holder, the description of the facts that give rise to the claim, the address, and accompanying the documents to be asserted.
  • A photocopy of the data subject’s identification document must be attached to the claim.
  • The claim shall be formulated through the channels enabled by MUNILY for such purpose, which are described in Section 3 of this chapter.
  • If the claim is incomplete, MUNILY will require the interested party within five (5) business days following receipt of the claim to correct the faults.
  • After two (2) months from the date of the request made by MUNILY, without the applicant submitting the required information, the Company shall understand that the claim has been withdrawn.
  • In the event that the person who receives the claim is not competent to resolve it, he/she will transfer it to the corresponding person within a maximum term of two (2) business days and will inform the interested party of the situation.
  • Once MUNILY receives the completed claim, it will include in the database a legend indicating: claim in process and the reason for the claim, within a term no longer than two (2) business days.Such legend shall be maintained until the claim is decided.
  • The maximum term for MUNILY to respond to the claim will be fifteen (15) business days from the day following the date of its receipt.
  • When it is not possible for MUNILY to attend to the claim within said term, the interested party will be informed of the reasons for the delay and the date on which the claim will be attended to, which in no case may exceed eight (8) business days following the expiration of the first term.
  • Enabled Channels.

The rights of the holders may be exercised by the aforementioned persons through the channels that have been enabled by MUNILY for this purpose, which are available free of charge, as follows:

• Through the following e-mail address:
  soporte@munily.com.co
• Physical facilities of MUNILY Calle 69 A No. 5 59 P 2 Bogota

CHAPTER XIV

MUNILY’S DUTIES AS DATA CONTROLLER

As the party responsible for the Processing of personal data, MUNILY must comply with the following duties:

• Guarantee to the Data Subject, at all times, the full and effective exercise of the right of habeas data.
• Request and keep, under the conditions provided by law, a copy of the respective authorization granted by the Holder.
• Duly inform the Data Subject about the purpose of the collection and the rights he/she has by virtue of the authorization granted.
• Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access.
• Ensure that the information provided to the Data Processor is truthful, complete, accurate, updated, verifiable and understandable.
• Update the information, communicating in a timely manner to the Data Processor, all developments regarding the data previously provided and take other necessary measures to ensure that the information provided to it is kept up to date.
• Rectify the information when it is incorrect and communicate the pertinent to the Data Processor.
• To provide to the Data Processor, as the case may be, only data whose processing is previously authorized in accordance with the provisions of the law.
• To require the Data Processor at all times to respect the security and privacy conditions of the Data Subject’s information.
• Process inquiries and claims formulated under the terms set forth in the law.
• Adopt an internal manual of policies and procedures to ensure proper compliance with the law and, in particular, to deal with queries and complaints.
• Inform the Data Processor when certain information is under discussion by the Data Subject, once the claim has been filed and the respective process has not been completed.
• Inform upon request of the Data Subject about the use given to his/her data.
• Inform the data protection authority when there are violations to the security codes and there are risks in the administration of the information of the Data Holders.
• Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

CHAPTER XV

COOKIES POLICY

MUNILY in Colombia manages the cookie policy of MUNILY and therefore in the notice on the website of Colombia should be redirected to the stipulations on cookies that MUNILY Global has. MUNILY in Colombia shall ensure that users of its app and website can access MUNILY’s cookie policy. Users of the website and the app will have the ability to change or modify the consent of the cookie statement.

Definition of cookies

A cookie is a small information file that is downloaded to the user’s computer, smartphone or tablet when accessing certain web pages to store and retrieve information about the navigation that is made from the equipment. Through cookies, websites remember information about the user’s visit, which allows them to provide a safer browsing experience. Cookies are associated with anonymous users, that is, those who visit the portals without identification or without registering themselves, as well as those who do. Cookies are not viruses or malicious programs that can damage the devices through which the web page is accessed, therefore, they cannot delete or read user information MUNILY may share information obtained through cookies with external persons or third parties (allies, clients, suppliers or companies linked to the MUNILY Group), in order to improve the service provided to the user. Likewise, the information received through cookies will be used by MUNILY and the third parties described for the purposes described in this document. Types of Cookies

• Own or third party cookies: When they are managed from the terminal or domain of the same editor, they are qualified as own and are third party when they are not sent by the editor itself but by another entity.
• Session and persistent cookies: In session cookies, the data collected is only stored while browsing the website and in persistent cookies, the data continues to be stored in the terminal and can be accessed for a certain period of time.
• Technical/personalization/analytics/advertising cookies:
  • Techniques: those that make it possible to control traffic and data communication.
  • Personalization: Those that allow users to access according to some of their own characteristics that are collected, such as, customizing the search engine home page.
  • Analysis: these collect data on user behavior and allow for user profiling.
  • Advertising: they collect data on the management of advertising spaces, allow users to be shown advertising banners of which they may be possibly interested.

Purpose of cookies

They are necessary for the operation of the website, they cannot be disabled on our systems, they are only set in response to actions taken when requesting service, setting privacy preferences, logging in or completing forms. You can configure the browser of the device you are using to block or alert you to cookies. These cookies do not store any personally identifiable information.

CHAPTER XVI

MODIFICATION OF THE TREATMENT POLICY

In the event of substantial changes in the content of this Personal Data Processing Policy, they shall be communicated before or at the latest at the time of the implementation of the new policies. In addition, when the change refers to the purpose of the Processing of Personal Data, MUNILY must obtain a new authorization from the owners. In any case, we invite you to regularly or periodically review our website www.munily.com., through which you will be informed about the change and the latest version of this Policy or the mechanisms enabled by MUNILY to obtain a copy of it will be made available to you.

CHAPTER XVII

MUNILY DATA PRIVACY POLICY

MUNILY in Colombia is part of MUNILY INC and therefore in all that is applicable and does not contravene Colombian legislation on the matter, the MUNILY group, its customers, suppliers, contractors, active or inactive employees, will abide by the guidelines and policies established for the treatment of personal data of MUNILY INC, especially in everything related to the transmission, exchange and/or security of data information between member countries.

CHAPTER XVIII

TREATMENT POLICY IN EFFECT

This Personal Data Processing Policy was created on February 18, 2022 and is effective as of this day.