Data Protection

1. Objective of the personal data protection policy of Comestibles Ya SAS

In order to comply with the Political Constitution of the Republic of Colombia, Law 1581 of 2012, its regulatory decrees, and other regulations that modify or complement it, this document aims to inform each and every one of the holders of personal information collected, processed, and stored by Comestibles Ya SAS. It outlines the purpose of data processing, the data protection policy, the person responsible for handling personal data, and the process that data owners must follow in case they need to exercise their rights.

According to the Political Constitution of the Republic of Colombia and Law 1581 of 2012, the right to Habeas Data is the right of every person to know, update, and rectify the information that has been collected about them in public or private databases and ensures that everyone can make decisions and have control over their personal information.

In light of this, Comestibles Ya SAS, committed to respecting the personal data of its shareholders, investors, collaborators, consumers, clients, and suppliers, makes available this policy for the protection of personal data to safeguard their privacy. This policy also acknowledges and informs them of their right to know, update, or request the information stored about them in databases collected by Comestibles Ya SAS in the course of its business activities.

2. Scope of the personal data protection policy

This policy applies to the processing of personal databases in which Comestibles Ya SAS acts as the data controller or processor. All activities within the company related to the collection, custody, and/or processing of personal databases must comply with the provisions set forth in this document.

3. Definitions

In accordance with the Political Constitution of the Republic of Colombia, Law 1581 of 2012, and the regulations that supplement or complement them, the following are established:

Authorization: It's the prior, express, and informed consent given by the owner of personal data for a third party to carry out the processing of their personal data.

Personal Database: It is any organized set of personal data that is subject to processing.

Personal Data Lifecycle: It refers to the process of collecting, storing, classifying, analyzing, using, transferring, retaining, and destroying personal data.

Database Custodian: The physical person who has custody and control over the personal databases collected within Comestibles Ya SAS.

Personal Data: Any information linked to one or more specific or determinable natural persons.

Public Data: Data that is not semi-private, private, or sensitive. Public data includes, among others, data regarding the civil status of individuals, their profession or occupation, and their status as a merchant or public servant. Public data may be contained in public records, public documents, gazettes, official bulletins, and duly executed judicial decisions that are not subject to legal reservation.

Sensitive Data: Data that affects the privacy of the data subject or whose misuse may lead to their discrimination, either because they reveal racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations, promotion of the interests of any political party, or guaranteeing the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.

Data Processor: Natural or legal person, public or private, who, alone or in association with others, processes personal data on behalf of the data controller.

Terms of Privacy: Verbal or written communication generated by the data controller, directed to the data subject for the processing of their personal data, informing them about the information processing policies that will apply to them, how to access them, and the purposes of the processing of personal data.

Principles for Data Processing: Fundamental rules, legal and/or jurisprudential, that inspire and guide the processing of personal data, determining the actions and criteria to solve potential tension or collision between the rights to privacy, Habeas Data, and protection of personal data, and the right to information.

Data Controller: The natural or legal person, public or private, who, alone or in association with others, decides on the Database and/or the Processing of data.

Data Subject: The natural or legal person whose data is subject to processing.

Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.

Transfer: Data Transfer occurs when the data controller and/or data processor, located in Colombia, sends information or personal data to a recipient who is also responsible for processing and is located within or outside of Colombia.

Transmission: Processing of personal data that involves the communication of such data within and outside of Colombia when it aims to carry out processing by the processor on behalf of the controller.

4.- Principles for the Processing of Personal Data

In accordance with Law 1581 of 2012, the following principles for the processing of personal data are established, which Comestibles Ya SAS undertakes to respect and comply with:

Principle of Legality: The processing of personal data and its protection is a regulated activity in accordance with the laws of the Republic of Colombia.

Principle of Purpose: The processing of personal data must obey a legitimate purpose in accordance with the Constitution and the law, which must be duly informed to the data subject.

Principle of Freedom: Processing can only be carried out with the prior, express, and informed consent of the data subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that exempts consent.

Principle of Truthfulness or Quality: Information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. The processing of partial, incomplete, fragmented, inaccurate, or misleading data is prohibited.

Principle of Transparency: In processing, the data subject's right to obtain information from the data controller or data processor, at any time and without restrictions, about the existence of data concerning them, must be guaranteed.

Principle of Access and Restricted Circulation: Processing is subject to the limits derived from the nature of personal data, the provisions of Law 1581 of 2012, the Political Constitution of the Republic of Colombia, and other regulations that complement it. In this sense, processing may only be carried out by persons authorized by the data subject and/or by persons provided for by law.

Personal data, except for public information, may not be available on the internet or other mass communication or dissemination media unless access is technically controllable to provide restricted knowledge only to data subjects or authorized third parties.

Principle of Confidentiality: All persons involved in the processing of personal data that do not have the nature of public data are obliged to guarantee the confidentiality of the information, even after their relationship with any of the tasks comprising the processing has ended.

Principle of Security: Information subject to processing by the data controller or data processor must be handled with the technical, human, and administrative measures necessary to provide security to the records, avoiding their alteration, loss, consultation, use, or unauthorized or fraudulent access.

5.- Identification of the data controller

Business name: Comestibles Ya SAS

NIT: 900.635.070-6

Address: Autopista Medellín KM 2.5 Parque Industrial los Nogales Bodega 15 – Cota – Cundinamarca

Email: gerencia@box5545.temp.domains

Phone: 8966494

6.- Rights of the data subject

In accordance with the provisions of Article 8 of Law 1581 of 2012, data subjects can exercise the following rights:

6.1.- Know, update, rectify, and/or delete their personal data before Comestibles Ya SAS, regarding data that they consider partial, inaccurate, incomplete, fragmented, or misleading.

6.2.- Request proof of the authorization granted to Comestibles Ya SAS, in its capacity as data controller and processor.

6.3.- Be informed by Comestibles Ya SAS, upon request, regarding the use that has been made of their personal data.

6.4.- Revoke the authorization and/or request the deletion of the data when the processing does not respect constitutional and legal principles, rights, and guarantees; provided that the data subject does not have a legal or contractual obligation to remain in the databases and that Comestibles Ya SAS must respect in compliance with legal or contractual provisions that may obligate it to the data subject.

6.5.- Access their personal data free of charge at least once a month, and every time there are substantial modifications to this Information Processing Policy that motivate new inquiries.

For the exercise of the rights described above, the data subject must duly prove their identity and the capacity in which they act. This also applies when claiming to act as the legal representative of a minor.

7.- Duties of Comestibles Ya SAS towards data subjects

In accordance with the provisions of Article 17 of Law 1581 of 2012, Comestibles Ya SAS, as data controller, must fully comply with the following duties:

7.1.- Ensure to the data subject, at all times, the full and effective exercise of the right to Habeas Data.

7.2.- Request and keep, under the conditions provided in this document and in the law, a copy of the respective authorization granted by the data subject.

7.3.- Inform the data subject clearly and sufficiently about the purpose of the collection of their personal data and the rights they are entitled to by virtue of the authorization granted.

7.4.- Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access.

7.5.- Update the information, communicating in a timely manner to the data processor, all the news regarding the data that they have previously supplied and take the necessary measures so that the information provided to it remains updated.

7.6.- Rectify the information when it is incorrect and communicate the pertinent information to the data processor.

7.7.- Provide the data processor, as the case may be, only with data whose processing is previously authorized in accordance with the provisions of this law.

7.8.- Demand from the data processor at all times, respect for the conditions of security and privacy of the data subject's information.

7.9.- Process the inquiries and claims made by the data subjects or their successors in the terms indicated in Law 1581 of 2012 and ratified in this policy.

7.10.- Inform the data processor when certain information is under discussion by the data subject, once the respective claim has been filed and the respective process has not been completed.

7.11.- Inform, upon request of the data subject, about the use given to their data.

7.12.- Inform the data protection authority when violations of security codes occur and there are risks in the administration of the data subject's information.

7.13.- Comply with the instructions and requirements issued by the data protection authority responsible for overseeing compliance with the right to the protection of personal data.

8.- Duties of the data processors

In accordance with the provisions of Article 18 of Law 1581 of 2012, the data processors within Comestibles Ya SAS must fully comply with the following duties:

8.1.- Ensure to the data subject, at all times, the full and effective exercise of the right to habeas data.

8.2.- Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access.

8.3.- Timely carry out the update, rectification, or deletion of the data in the terms provided in this personal data policy.

8.4.- Update the information reported by Comestibles Ya SAS within five (5) business days counted from its receipt.

8.5.- Process the inquiries and claims made by the data subjects in the terms provided in this policy.

8.6.- Record in the database the legend "claim in process" as established in this policy or in the law.

8.7.- Insert in the database the legend "information under judicial discussion" once notified by the competent authority about judicial processes related to the quality of personal data.

8.8.- Refrain from circulating information that is being contested by the data subject and whose blocking has been ordered by the Superintendence of Industry and Commerce or the authority responsible for monitoring compliance with the right to the processing of personal data.

8.9.- Allow access to the information only to persons who can have access to it.

8.10.- Inform the Superintendence of Industry and Commerce or the corresponding supervisory authority when violations of security codes occur and there are risks in the administration of the data subject's information.

8.11.- Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce or the corresponding supervisory authority.

9.- Procedure for data subjects wishing to exercise their rights

In order to comply with the provisions of Law 1581 of 2012, its regulatory decrees, or regulations that may modify or complement it, the procedure for data subjects to exercise their rights and file their complaints or claims is hereby informed.

When the data subject wishes to exercise their rights, the request must be submitted through a written, physical, or digital support, either via our email gerencia@box5545.temp.domains or by visiting our facilities located at Autopista Medellín KM 2.5 Parque Industrial los Nogales Bodega 15 – Cota – Cundinamarca.

The request must contain the following information:

  • Name of the data subject and their representatives, if applicable.
  • Specific and precise request for information, access, update, rectification, cancellation, opposition, or revocation of consent. In each case, the request must be reasonably justified so that Comestibles Ya SAS, as the responsible party for the personal database, can proceed to provide the corresponding response.
  • Physical and/or electronic address for notifications where the response to the request will be received.
  • Documents and/or evidence supporting the request.
  • Signature of the data subject on the request. In the event that the data subject is represented by a third party, the request must be accompanied by the respective special or general power of attorney, which must be recognized by a notary public, in the case of a special power of attorney, and in the case of a general power of attorney, it must contain the corresponding validity note with an issuance date not exceeding one month. The attorney must also prove their identity as indicated.

If any of the aforementioned information is missing, Comestibles Ya SAS will notify the interested party within five (5) days following the receipt of the request so that the missing information can be provided. If two (2) months pass without the requested information being provided, it will be considered that the request has been withdrawn. If the recipient of the claim is not competent to resolve it, they will forward it to the appropriate authority within a maximum period of two (2) business days and inform the interested party of the situation. Once the complete claim is received, a note stating "claim in process" and the reason for it will be included in the database within a maximum period of two (2) business days. This note must be kept until the claim is resolved.

Comestibles Ya SAS may provide physical and/or digital formats for the exercise of this right and will indicate whether it is a consultation or a claim by the interested party.

If the request is to know or consult personal data, the request must specify this right, which needs to be exercised as the data subject.

If the request is to update personal data, the request must specify which data the data subject wants to update, indicating the previous data and the updated data.

If the request is to cancel or object to the processing of data, the request must specify which data needs to be deleted from our databases.

If the request is to process a complaint to the organization, it must specify in the letter or corresponding format the description of what happened, the facts that give rise to the complaint, and the corresponding documentation that evidences or supports said complaint.

Comestibles Ya SAS will receive the request and, according to the response times defined in this document, will provide a response.

In cases where Comestibles Ya SAS acts as the data processor, it will inform the data subject or interested party about this situation regarding the personal data and will notify the data controller of the request, so that the latter can respond to the consultation or claim presented. A copy of this communication will be sent to the data subject or interested party, so they are aware of the identity of the data controller and, consequently, the main party responsible for guaranteeing the exercise of their rights.

Comestibles Ya SAS will document and store the requests made by the data subjects or interested parties in the personal data, or by the data subjects exercising any of their rights, as well as the responses to such requests. This information will be treated in accordance with the applicable rules of the organization's correspondence.

To resort to the Superintendence of Industry and Commerce or the corresponding authority, in exercising the legal actions provided for data subjects or interested parties, the consultation and/or claims procedure described here must be exhausted first.

10.- Response Times

Comestibles Ya SAS, when it is responsible for processing personal database data contained in its information systems, will respond to the request within ten (10) business days if it is a consultation; and within fifteen (15) business days if it is a claim. The same term will be used when verifying that it does not have Personal Data of the interested party exercising any of the indicated rights in its information systems.

In case of consultation, update, or rectification, if it is not possible to respond within the term of ten (10) business days, the interested party will be informed of the reasons for the delay and the date on which the request will be attended, which in no case may exceed five (5) business days following the expiration of the first ten (10) business days.

In case of claim, request to delete or revoke authorization, if it is not possible to respond within the term of fifteen (15) business days, the interested party will be informed of the reasons for the delay and the date on which the claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first fifteen (15) business days.

Comestibles Ya SAS, when it is responsible for processing personal database data contained in its information systems, will respond to the request within ten (10) business days if it is an update or rectification; and within fifteen (15) business days if it is a deletion or revocation of authorization. The same term will be used when verifying that it does not have Personal Data of the interested party exercising any of the indicated rights in its information systems.

11.- Processing to which the data will be subjected and its purpose

Comestibles Ya SAS processes the information contained in its databases in cases where it acts as the data controller or processor, for the following purposes, namely:

11.1.- Personal Data Processing of Candidates and/or Employees.

Comestibles Ya SAS processes the personal data of individuals who apply for vacant positions and the personal data of its employees, during and after the contractual relationship, for the following purposes:

  • Processing of personal data before the employment relationship: When individuals are interested in applying for vacancies at Comestibles Ya SAS, they should be aware that their data will be processed solely for purposes related to their selection process; their data cannot be processed for different purposes. In the event that the selection process is not continued, Comestibles Ya SAS will inform the candidate of the negative outcome, and if requested by the data subject, the information they supplied will be provided to them. The information obtained from unsuccessful applicants will be deleted from its information systems.

  • Processing of personal data during the contractual relationship: Comestibles Ya SAS processes the personal information of its employees for the purpose of complying with activities related to the contractual relationship established with them, including but not limited to: personnel management involving, among others, salary and payroll administration (salaries, legal and extra-legal social benefits, benefits, reimbursements, insurance, making deductions authorized by law, by judicial authority, or by the employee); making contributions to the Integral Social Security System; allocation of work items such as communication and computing equipment, workstations, email, and others required by the job's particularities; contracting of insurance; staff development; ensuring employee safety and health; issuance of employment certificates, advertising campaigns for company-related issues; employee identification for security reasons upon entry to its physical and virtual facilities. Likewise, any other purpose that is compatible and can be considered analogous to those mentioned.

The use of employees' personal information for purposes other than those related to contractual management is prohibited. Any different use of employees' personal data and information will only proceed by order of the competent authority, provided that it has the authority to do so. The foregoing applies except where there is prior written authorization documenting the consent of the Personal Data Subject or a legal provision on the matter.

  • Processing of personal data after the contractual relationship ends: The processing of personal data of data subjects who end their employment relationship with Comestibles Ya SAS, former employees and/or pensioners, will have the purpose of fulfilling the obligations arising from the employment relationship that existed, including but not limited to: issuance of employment certificates; recognition of pensions and/or pension substitutions, issuance of certificates for the liquidation of pension bonds, certifications for collections and payments of pension installments. The transfer of such information to third parties is prohibited. The foregoing applies except where there is prior written authorization documenting the consent of the Personal Data Subject or a legal provision on the matter.
  • Processing of personal data of shareholders and investors: The processing of personal data of shareholders and investors (bondholders) of Comestibles Ya SAS will aim to ensure the exercise of their rights and the fulfillment of their duties arising from their condition as shareholders and/or investors in compliance with commercial law and the regulations governing the National Registry of Securities and Issuers in the Public Securities Market in Colombia; likewise, their data will be processed if required for fiscal and statistical activities. The transfer of such information to third parties is prohibited. The foregoing applies except where there is prior written authorization documenting the consent of the Personal Data Subject or a legal provision on the matter.
  • Processing of personal data of customers: The processing of personal data of customers of Comestibles Ya SAS will aim to carry out promotional, advertising, marketing, sales, customer service, collection management, collection, fiscal, and statistical activities, as well as any other activity related to the sale of products. The transfer of such information to third parties is prohibited. The foregoing applies except where there is prior written authorization documenting the consent of the Personal Data Subject or a legal provision on the matter.
  • Processing of personal data of suppliers: The processing of personal data of suppliers who provide their services to Comestibles Ya SAS will aim to enable the development of the commercial relationship and comply with fiscal and accounting obligations, participate in selection and evaluation processes applicable to suppliers contacted to provide a service to the organization. The transfer of such information to third parties is prohibited. The foregoing applies except where there is prior written authorization documenting the consent of the Personal Data Subject or a legal provision on the matter.
  • Processing of personal data of consumers: The processing of personal data of consumers of products manufactured, marketed, and/or distributed by Comestibles Ya SAS will aim to enable the development of the commercial relationship, carry out promotional, advertising, marketing, sales, and customer service activities. The transfer of such information to third parties is prohibited. The foregoing applies except where there is prior written authorization documenting the consent of the Personal Data Subject or a legal provision on the matter.

12.- Cases Where the Authorization of the Owner is not Required

As established by Article 10 of Law 1581 of 2012, authorization for personal data processing is not required in the following cases: 

12.1.- Information required by a public or administrative entity in the exercise of its legal functions or by court order.

12.2.- Data of public nature.

12.3.- Cases of medical or health emergency.

12.4.- Processing of information authorized by law for historical, statistical, or scientific purposes.

12.5.- Data related to the Civil Registry of Persons.

13.- Validity

This policy for the processing of personal data takes effect from September 21, 2022, and will be applied by Comestibles Ya SAS and its processors, in compliance with the provisions of Decree 1377 of 2013, for the duration of the company's existence or any successor entity, including its liquidation, always considering what the law establishes.

The databases held by Comestibles Ya SAS and its processors, containing personal data, will remain valid for as long as the information is maintained and used for the purposes described in this policy. They will be retained until their deletion is requested by the data subject, provided there is no legal or contractual obligation to retain the information.

The person responsible for the Personal Data Processing Policy is the manager of personal data protection, who can be contacted via email at gerencia@box5545.temp.domains, phone: (601) 896 64 94, or by mail at Autopista Medellín KM 2.5 Parque Industrial los Nogales Bodega 15 – Cota – Cundinamarca.

The data subject expressly states that Comestibles Ya SAS has informed them in advance of the purpose for which their personal data will be used, in accordance with the policies established in this document.

13.1.- Update of the Personal Data Processing Policy

Comestibles Ya SAS reserves the right to modify the terms and conditions of this document 'Personal Data Processing Policy' as part of our effort to comply with the obligations established in the Political Constitution of Colombia, Law 1581 of 2012, regulatory decrees, and other regulations that complement, modify, or repeal the contents of this document, in order to reflect any changes in our operations or functions. In cases where this occurs, the new Personal Data Processing Policy document will be published 15 days in advance of its validity on the website: https://comestiblesya.com/proteccion-de-datos/.

The policies and procedures contained in this document will apply to personal data that has been registered in the database during the provision of the service and that are subject to the necessary processing by Comestibles Ya SAS in compliance with the personal data law.

These policies are mandatory for Comestibles Ya SAS as the data controller, as well as for the processors who process personal data on behalf of Comestibles Ya SAS in the provision of services. Both the data controller and the processors must safeguard the security of the databases containing personal data and maintain confidentiality regarding the processing of this data.