Personal Data Processing Policy

PERSONAL DATA PROCESSING POLICY OF ACEKING

ACEKING, with address at ACEKING Address, has established this privacy and personal data protection policy which regulates the collection, storage, administration and protection of information received from all customers, suppliers, consumers, contractors, debtors, creditors, employees and related parties. For the purposes of this policy, the following shall be taken into account:

DEFINITIONS

Privacy Notice: is the document that appears in any physical, electronic or any other format generated by the person responsible for the processing of personal data, which is made available to the user for the processing of their personal data. The privacy notice informs the Data Owner of the existence of these information processing policies that will be applicable to them, how to access them and the purposes and rights for the processing that will be given to the personal data provided by them.

Authorization: is the prior and express consent of the user to carry out the processing of their personal data.

Database: is the set of all personal data that has been authorized by its Users and that will be subject to the processing established by this policy.

Personal Data: is any information linked or that can be associated with a user.

Private Data: data that by its intimate or reserved nature is only relevant to the user.

Sensitive Data: are those data that affect the privacy of the user or whose improper use may generate discrimination based on racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social organizations, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data relating to health, sexual life and biometric data.

Data Controller: for the purposes of this policy, it is ACEKING, who handles the personal data of its users, in accordance with the provisions of the Law and in this document.

Data Processor: is the natural person designated by the person responsible for the processing of personal data (ACEKING).

Data Owner: natural person whose information it is and who freely and voluntarily has expressed to ACEKING their authorization for their personal data to be subject to processing.

Processing: is any operation on personal data, such as collection, storage, use, circulation, modification, clarification or deletion of said data.

PRINCIPLES IN THE PROCESSING OF PERSONAL DATA

As a fundamental premise of this policy, ACEKING respects the privacy of each of the natural or legal persons who provide their personal information through the different information collection channels established for this purpose. ACEKING guarantees that it has adequate and secure storage mechanisms and systems. The information is collected, processed and used in accordance with current information protection and privacy regulations.

However, ACEKING is not responsible for any consequence derived from the improper entry of third parties to the database and/or for any technical failure in the operation and/or conservation of data in the information storage system.

The data provided by the Owner must be clear, truthful, verifiable and accurate, so that the processing thereof can be equally reliable.

Confidentiality in the processing of personal data is another of the guiding principles of this policy, since all employees with access to the databases are obliged to maintain strict confidentiality in their handling.

All data stored and processed by ACEKING must have the prior and express authorization of its owner, which must be granted freely and voluntarily. Notwithstanding this principle, authorization will not be necessary in the following events:

  • Information required by a public or administrative entity in the exercise of its legal functions or by court order.
  • Data of a public nature.
  • Cases of medical or health emergency.
  • Information processing authorized by Law for historical, statistical or scientific purposes.
  • Data related to the civil registry of persons.

PURPOSES OF DATA PROCESSING

Personal data will be included in a database and will be used for the following purposes:

  • Encode in our systems, requests for linkage as customers and/or suppliers.
  • Inform about new products or services.
  • Comply with obligations contracted with our customers, suppliers, and employees.
  • Achieve efficient communication related to our products, services, offers, promotions, alliances, studies, contests, content, as well as those of our affiliated companies, and to facilitate general access to their information.
  • Provide our services and products.
  • Inform about the launch of new products or services, or changes in them.
  • Evaluate the quality of service.
  • Conduct internal studies on consumption habits.
  • Consult, report, process and transfer information to credit bureaus.

3. DUTIES AND RIGHTS

3.1. Rights of the Data Owner:

  • Know, update and rectify their personal data with the data controllers or data processors. This right may be exercised, among others, with respect to partial, inaccurate, incomplete, fragmented data that leads to error, or those whose processing is expressly prohibited or has not been authorized.
  • Request proof of the authorization granted to the data controller except when expressly exempted as a requirement for processing, in accordance with the provisions of this policy.
  • Be informed by the data controller or the data processor, upon request, regarding the use that has been given to their personal data.
  • File complaints with the Superintendence of Industry and Commerce for violations of the provisions of the Law.
  • Revoke the authorization and/or request the deletion of data when the processing does not respect constitutional and legal principles, rights and guarantees. The revocation and/or deletion will proceed when the Superintendence of Industry and Commerce has determined that in the processing, the controller or processor has incurred in conduct contrary to the Law and the Constitution.
  • Access their personal data that has been subject to processing free of charge.

3.2 Duties of the data controller:

  • Guarantee the Owner, at all times, the full and effective exercise of the right of habeas data.
  • Request and keep, under the conditions provided in the Law, a copy of the respective authorization granted by the Owner.
  • Properly inform the Owner about the purpose of the collection and the rights that assist them by virtue of the authorization granted.
  • Keep the information under the necessary security conditions to prevent its alteration, loss, consultation, unauthorized or fraudulent use or access.
  • Guarantee that the information provided to the data processor is truthful, verifiable, complete, accurate, updated, verifiable and understandable.
  • Update the information, communicating in a timely manner to the data processor, all news regarding the data that has previously been provided and adopt the other necessary measures so that the information provided to it remains updated.
  • Rectify the information when it is incorrect and communicate the pertinent to the data processor.
  • Require the data processor at all times to respect the security and privacy conditions of the Owner's information.
  • Process the queries and claims made by the Owners of the information within the terms indicated in the law.
  • Inform the data processor when certain information is under discussion by the Owner, once the claim has been filed and the respective procedure has not been completed.
  • Inform at the request of the Owner, about the use given to their data.
  • Inform the data protection authority when there are violations of security codes and there are risks in the administration of the Owners' information.
  • Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

3.3 Duties of the data processor:

  • Guarantee the Owner, at all times, the full and effective exercise of the right of habeas data.
  • Keep the information under the necessary security conditions to prevent its alteration, loss, consultation, unauthorized or fraudulent use or access.
  • Carry out the update, rectification or deletion of data in a timely manner.
  • Update the information reported by the data controllers within five (5) business days from its receipt.
  • Process the queries and claims made by the Owners of the information.
  • Register in the database the legend "claim in process" when applicable.
  • Insert in the database the legend "information under judicial discussion", once notified by the competent authority about judicial processes related to the quality of personal data.
  • Refrain from circulating information that is being disputed by the Owner and whose blocking has been ordered by the Superintendence of Industry and Commerce.
  • Allow access to information only to people who can have access to it.
  • Inform the Superintendence of Industry and Commerce when there are violations of security codes and there are risks in the administration of the Owners' information.
  • Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

4. RESPONSIBLE AREA AND PROCEDURES FOR DATA CONSULTATION AND FOR THE PRESENTATION OF CLAIMS:

The area responsible for queries, complaints and claims will be the Marketing area.

The Owners or their successors may consult the Owner's personal information that is in the database.

The data controller or data processor must provide the Owner with all the information contained in their individual record or that is linked to their identification.

The query will be made through email and other contact information contained in the privacy notice published on the website www.tutienda.com and which in any case is attached to this policy as Annex 1.

The query will be answered within a maximum period of ten (10) business days from the date of receipt. When it is not possible to answer the query within said term, the interested party will be informed, expressing the reasons for the delay and indicating the date on which their query will be answered, which in no case may exceed five (5) business days following the expiration of the first term.

The Owner or their successors who consider that the information contained in a database should be corrected, updated or deleted, or when they notice the alleged breach of any of the duties contained in the Law, may file a claim with the data controller, through the communication channels established in the privacy notice. For the purposes of filing claims, the following procedure must be followed and the following requirements must be met:

  • The claim must contain at a minimum: the identification of the Owner, the description of the facts that give rise to the claim, the address and accompanying documents that they want to assert.
  • If the claim is incomplete, the interested party will be required within five (5) days following receipt of the claim to correct the failures. After two (2) months from the date of the requirement, without the applicant presenting the required information, it will be understood that they have withdrawn from the claim.
  • In case the person who receives the claim is not competent to resolve it, they will transfer it to the appropriate party within a maximum period of two (2) business days and will inform the interested party of the situation.
  • Once the complete claim is received, a legend that says "claim in process" and the reason for it will be included in the database, within a period of no more than two (2) business days. This legend must be maintained until the claim is decided.
  • The maximum term to attend to the claim will be fifteen (15) business days from the day following the date of its receipt.
  • When it is not possible to attend to the claim within said term, the interested party will be informed of the reasons for the delay and the date on which their claim will be attended to, which in no case may exceed eight (8) business days following the expiration of the first term. The Owner or successor may file a complaint with the Superintendence of Industry and Commerce once they have exhausted the query or claim procedure with ACEKING.

EFFECTIVE DATE:

This Personal Data Policy was created on March 15, 2019.

Any changes that occur regarding this policy will be reported through the email address: soporte@aceking.store