In order to comply with the current legislation on data protection, particularly, Law 1581 of 2012 and Decree 1377 of 2013, and any other regulations that modify, add, supplement or develop them, we inform you below about the relevant aspects related to the collection, use and transfer of personal data that Sociedad Minera de Santander S.A.S. (hereinafter "MINESA") may carry out with your personal data, by virtue of the authorization granted by you for such data processing and handling. In this personal data processing policy (the “POLICY”,) you will find the corporate and law guidelines under which MINESA carries out the processing of your data, the purpose, your rights as the Holder, and the internal and external procedures for exercising such rights. In accordance with the provisions of Article 15 of the Constitution of Colombia and the applicable Legislation (Law 1266 of 2008, Law 1581 of 2012, Decree 1377 of 2013, and any other rules that regulate, add, repeal or modify them,) we have a clear privacy and protection policy for your personal data: we do not obtain personal information from you, our employees, customers, suppliers and third parties in general, unless you have voluntarily provided it, with your prior, express and informed consent, to MINESA under the conditions provided by law.
For the interpretation of this POLICY, we ask you to take into account the following definitions:
• Personal Data: Any information linked to, or that may be associated with, one or more specific or determinable natural persons.
• Private Data: Data that, due to the intimate or reserved nature thereof, is only relevant for the Holder.
• Semi-Private Data: Data that has no intimate, reserved or public nature, and whose knowledge or disclosure may interest not only his/her Holder, but also a certain sector or group of people or society in general, such as financial and credit data of a commercial activity or services referred to in Title IV of Law 1266 of 2008.
• Public Data: Data that is not semi-private, private or sensitive. The following data is considered public data, among others, data relating to the marital status of people, their profession or trade, and their status as merchants or public servants. By their nature, public data may be contained, among others, in public records, public documents, gazettes and official newsletters, as well as in duly enforced judicial judgements, not subject to confidentiality.
• Sensitive Data: Data that may affect the Holder’s privacy or whose improper use may give rise to discrimination; such as data revealing racial or ethnic origin, political orientation, religious or philosophical convictions, memberships in trade unions, in social and human rights organizations or in organizations that promote the interests of any political party or that guarantee the rights and guarantees of political parties of the opposition, as well as data related to health, sexual life, and biometric data.
• Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.
• Holder: Natural person whose personal data is the object of the Processing, whether such person is a customer, supplier, employee, or any third party, who, by reason of a commercial, legal or other relationship, existing or that may be established, provides personal data to MINESA.
• Party Responsible for the Processing: Natural or legal person, public or private, that by itself or in association with others, decides on the database and/or the Processing of the data; initially, for the purposes of this POLICY, MINESA shall exercise as the Responsible Party.
• Party in Charge of the Processing: Natural or legal person, public or private, that by himself or herself or in association with others, carries out the Processing of personal data on behalf of MINESA as the Party Responsible for the data.
• Authorization: Prior, express and informed consent of the Holder to carry out the Processing of personal data.
• Database: Organized set of personal data that is the object of the Processing.
• Processing Policy: This makes reference to this document as the personal data processing policy applied by MINESA, in accordance with the guidelines of the Legislation in force on the subject.
• Supplier: Any natural or legal person that provides any goods or services to MINESA by virtue of a mandatory and/or contractual relationship.
• Worker: Any natural person who provides a service to MINESA under an employment contract. The word employee may also be used.
• Transfer: This relates to the sending of information or personal data by MINESA as the Party Responsible for the Processing of personal data, or a Party in Charge thereof, to a third agent or natural or legal person (Receiver,) inside or outside the national territory, for the effective processing of personal data.
• Transmission: This relates to the communication of personal data by MINESA, as the Responsible Party, to the Party in Charge, located inside or outside the national territory, so that the Party in Charge, on behalf of the Responsible Party, will process personal data.
• Privacy Notice: Verbal or written communication generated by the Responsible Party, addressed to the Holder for the Processing of his/her personal data, by means of which he or she is informed about the existence of the policies for the Processing of information that will be applicable to him or her, the way to access them and the purposes for the Processing to be applied to the personal data.
• Data Protection Officer: This is the natural person hired by MINESA whose function is the Coordination of Holders’ requirements, such as those of the Superintendency of Industry and Commerce-SIC, related to consultation, complaints, update, rectification, revocation of authorizations and/or requests for deletion of data, and other rights granted by law to the Holder and the SIC. For the understanding of the terms that are not included in this list, you should refer to Legislation in force, particularly, Law 1581 of 2012 and Decree 1377 of 2013, giving the meaning used in such rule to the terms in respect of which there is any question about the definition.
MINESA companies are Sociedad Minera de Santander S.A.S., Sociedad Minera Calvista Colombia
S.A.S. and Galway Resources Holdco Ltd – Colombia Branch.
MINESA shall show you the principles established by law and such other principles as may be applicable to the
Processing of your Personal Data.
a) Principle of Legality in the Processing of Data: The Processing referred to by this law is a regulated activity that must adhere to the provisions set forth therein and to any other provisions developing this law.
b) Principle of Purpose: The Processing must respond to a legitimate purpose, in accordance with the Constitution and the Law, which should be informed to the Holder.
c) Principle of Freedom: The Processing can only be exercised with the prior, express and informed consent of the Holder. Personal data cannot be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that substitutes this consent.
d) Principle of Truthfulness or Quality: The information subject to Processing must be truthful, complete, accurate, updated, verifiable and understandable. Processing of partial, incomplete, fractional or error-inducing data is prohibited.
e) Principle of Transparency: In the Processing, the right of the Holder to obtain information about data that may concern him or her from the Party Responsible for the Processing or from the Party in Charge of the Processing, at any time and without any restrictions, shall be guaranteed.
f) Principle of Restricted Access or Circulation: The Processing is subject to the limits derived from the nature of the personal data and the provisions of this Law and Constitution. In this regard, the Processing may only be carried out by people authorized by the Holder and/or by the people provided for by this law.
g) Personal data, except for public information, may not be available on Internet or other dissemination or mass communication means, unless access is technically controllable to provide restricted knowledge only to Holders or authorized third parties, in accordance with Law 1581 of 2012.
h) Principle of Security: The information subject to Processing by the Party Responsible for the Processing or the Party in Charge of the Processing referred to in this law, must be handled with the technical, human and administrative measures necessary to provide security to the records avoiding adulteration, loss, unauthorized or fraudulent consultation or use thereof, or unauthorized or fraudulent access thereto.
i) Principle of Confidentiality: All people involved in the Processing of personal data that do not have the nature of public must guarantee confidentiality of information, even after the end of their relationship with any of the tasks included in the Processing, being able to only provide or communicate personal data when relating to the development of activities authorized by this law and in the terms thereof.
j) Principle of Accountability: According to which an organization that collects and processes data must be liable for effectively complying with the measures implemented in the principles of privacy and data protection.1
1. Data Processing
MINESA collects, stores, organizes, uses, processes, updates and deletes information, according
to the purpose and processing indicated.
1.1 Public Data Processing
MINESA informs that it processes, without prior authorization, personal data of a public nature, such as
data related to the marital status of people, their profession or trade, and their status as merchants
or public servants, as well as data that may be contained, among others, in public records,
public documents, gazettes and official newsletters, and in duly
enforced judicial sentences not subject to confidentiality, as authorized by Article 10 of Law 1581.
1 Guide for the implementation of the Principle of Accountability
Superintendency of Industry and Commerce, Colombia
2012, notwithstanding the foregoing, MINESA indicates that the necessary measures will be adopted
to guarantee compliance with the principles that may apply and the obligations contemplated in the
applicable regulations in force.
1.2 Personal Data Processing
MINESA informs that it processes personal data in accordance with the provisions of this POLICY, Law 1581 of 2012, Decree 1377 of 2013, and any other applicable regulations in force.
1.3 Sensitive Data Processing
MINESA informs that it only processes sensitive data when strictly necessary, complying, in any case, with the general requirements established by law for the processing of personal data, and with those established for this type of data.
1.4 Processing Data of Children and adolescents
MINESA informs that it only processes data of children and adolescents when strictly necessary and, in any case, responding to and respecting their best interests, as well as ensuring respect for their fundamental rights. For this processing, MINESA shall request authorization to the legal representative of the child or adolescent, after the minor exercises his or her right to be heard, such opinion shall be assessed taking into account the maturity, autonomy and ability to understand the matter.
2. Use and Purpose of the Processing
Personal data is used for: a) creating and recording the Holder as part of MINESA’s stakeholders in its internal databases; b) creating, recording, evaluating and re-evaluating the Holder as MINESA’s supplier or customer in the MINESA’s internal and accounting database; c) registration of suppliers; writing, execution and performance of contracts and agreements under which MINESA will sustain a contractual and binding relationship; d) payment of contractual or mandatory obligations; e) issuance of tax or supporting documents, such as invoices, vouchers, cash receipts, and activities carried out for payment or collection purposes; f) any other purpose that may arise in the development of the contract or in the relationship between you and MINESA; g) receiving and evaluating job applications; h) participating in selection processes, whether developed directly by MINESA or commissioned by MINESA; i) managing all aspects of the employment relationship with the Employee, which includes, among others, payroll, benefits, corporate trips and any other reimbursable expenses, training and development, attendance control, performance assessment, disciplinary and claim processes, and any other general administrative processes in connection with human resources; j) developing personal and replacement plans; k) maintaining records of illnesses and occupational health programs; l) protecting the security of MINESA’s customers, personnel and property, which includes control and access simplification, and monitoring the activity in protected facilities and the activity in the use of computers, communications, mobile devices and any other resources of MINESA, always respecting the constitutional rights of the Holder; m) investigating and responding to claims against MINESA, its affiliates, suppliers or customers; n) conducting Employee opinion surveys and managing Employee recognition programs; ñ) managing the termination of an employment relationship, and maintaining and providing references; maintaining data on emergency contacts and beneficiaries; o) complying with the laws in force, including those related to health and social security, which includes judicial or administrative orders that may involve or affect Employees; p) sending to the pay entities or to the payroll management entity, benefits including salary aspects, non-salary aspects, aid payments, benefits and contributions; q) certifying third parties at the request of the worker or at the request of the entities of the Comprehensive Social Security System, courts, authorities, ICBF [The Colombian Institute for Family Welfare], cooperatives, order-of-payment companies and others; r) transferring data to companies that provide clinical support services, occupational health exams and others; s) assessing the health condition and the psychosocial and occupational risks, among others; t) carrying out the occupational health system activities, including those related to visual, auditory and respiratory aptitudes, health condition, epidemiological surveillance system and risks; u) carrying out plans for improving and developing competencies; v) and in general, for doing all necessary for the corporate purpose of MINESA.
If you provide us with Personal Data, this information will be used only for the purposes indicated herein, and we will not proceed to assign, license, transmit or disclose it outside of MINESA, (i) unless you expressly authorize us to do so, (ii) unless it is necessary, so that our contractors or agents can provide the services required from them, (iii) in order to provide our products or services, (iv) unless it is disclosed to the entities that provide social or commercial management services on our behalf, (v) unless it is related to a merger, spin-off, consolidation, acquisition, divestment or any other restructuring process, or (vi) as required or permitted by law.
In order to implement the purposes described above, your personal data may be processed for the purposes set forth above, among others, by the staff of human resources, the supplies department, the legal department, the social department, managers, consultants, advisers and any other people and offices, as applicable, for the fulfillment of the corporate purpose of MINESA. MINESA may sub-contract with third parties for the processing of certain functions, information or data. When we sub-contract with third parties the processing of your personal information or provide your personal information to third parties, we warn these third parties about the need to protect such personal information with security measures, at least under the same terms under which we protect it internally, and unless expressly authorized by the Holder; we prohibit the processing and disclosure of your personal information for own or unrelated third party purposes.
MINESA may transfer or transmit, as appropriate, your personal data to other people abroad for reasons of security, administrative efficiency and/or better service, in accordance with the authorizations of each of these people, taking the appropriate measures of the case, so that these people will implement, in their jurisdiction and in accordance with the applicable laws applicable to them, personal data security and protection standards, at least similar to those provided for herein and, in general, in the MINESA’s policies on the subject. If these companies act as MINESA Managers, the data transmission contract referred to in Decree 1377 of 2013 shall be executed in this regard. Once the need for the processing of your data ceases, they may be removed from the databases of MINESA or filed in safe terms, so that they will only be disclosed when there is cause for it, in accordance with the law.
For the processing of personal and/or sensitive data and/or data of children and adolescents, MINESA shall request the respective authorization from the Holder or the legal representative, which may be provided in writing, orally or through unequivocal conducts by the Holder that will allow to reasonably conclude that he or she have granted the authorization.
Likewise, MINESA presumes, in good faith, that the Holder has the respective authorization for collecting, using, transferring and processing any data that is not theirs and that was provided to MINESA.
4. The Rights of the Holder
Holders of information, in accordance with Article 8 of Law 1581 of 2012, have the following rights in relation to their personal data:
a) The right to know, update and rectify their personal data for those Responsible for the Processing or in Charge of the Processing. This right may be exercised, among others, with partial, inaccurate, incomplete, fractional, error-inducing data, or data which Processing is expressly prohibited or has not been authorized;
b) To request proof of the authorization granted to the Party Responsible for the Processing, unless it is expressly excluded as a requirement for the Processing;
c) To be informed by the Party Responsible for the Processing or the Party in Charge of the Processing, upon request, about the use of their personal data;
d) To file with the Superintendency of Industry and Commerce any complaints for violations of the provisions of such law and any other rules that modify, add or supplement it;
e) To revoke the authorization and/or request the deletion of the data when the Constitutional and legal principles, rights and guarantees are not respected in the Processing.
f) To access, at no charge, to your personal data that have been subject to Processing;
g) To grant or not to grant authorization when sensitive data is collected.
5. Rights related to the Processing of Sensitive Data
In the event that Sensitive Data of a Holder is required, MINESA informs that, in addition to the rights of the Holder mentioned above, Article 6 of Decree 1377 of 2013 grants the following rights to the Holder:
a) The right to be informed that because this is sensitive data, the Holder is not required to authorize Processing.
b) Not to be conditioned, in any activity, to provide sensitive data.
c) To be explicitly and previously informed, in addition to the general requirements of the authorization for the collection of any type of personal data, on which of the data that will be subject to Processing are sensitive and the purpose of the Processing, as well as to obtain your express consent.
In accordance with the foregoing, it is explained that sensitive data, in accordance with the Law, are data that may affect the privacy of the Holder or which proper use may generate discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical convictions, memberships in trade unions, in social and human rights organizations or in organizations that promote the interests of any political party or that guarantee the rights and guarantees of political parties of the opposition, as well as data related to health, sexual life, and biometric data; in turn, the purpose thereof will be that set forth herein.
6. Responsible Company and Exercise of Rights:
In accordance with the rights granted by the Law to the Holders, the following data of the Party Responsible for the Processing shall be submitted for the knowledge of the Holder and for the requests made to him or her:
Sociedad Minera de Santander S.A.S. – MINESA
Transversal Oriental # 90-102 Piso 11 de la ciudad de
Bucaramanga, Sociedad Minera de Santander S.A.S. –
Note: Regarding the telephone number provided, it should be noted that the Party Responsible for the Processing cannot give a precise response on data, but the procedure to make the rights enforceable, taking into account that MINESA would not have the necessary elements to determine whether this is the Holder, the successor or his/her legal representative.
7. Procedure for the Exercise of Rights as a Holder
If you have any questions about this Policy, or any concerns or complaints, or in case of exercise of complaint, rectification, update, consultation or request for deletion of data or regarding the administration of this Policy, please contact us through any of the following means: in writing to the address mentioned in paragraph 9 of this policy under the subject: “Data Processing” or to the email firstname.lastname@example.org
You can consult MINESA regarding personal data stored in the databases, for which it will be necessary for the applicant or his/her legal representative to demonstrate his/her identity in advance. Such consultation shall be handled by MINESA within a maximum term of ten (10) business days counted as from the date of receipt thereof. This term may be extended by MINESA on one single occasion; in which case, the reasons for the delay and the date on which your request will be handled shall be informed, which in no case may exceed five (5) business days following the expiration date of the first term.
Your request or petition related to claims, updates, corrections, or deletion of your personal data shall be handled within a maximum term of fifteen (15) business days counted as from the receipt of the request or petition. When it is not possible to handle the claim within this term, MINESA shall inform the interested party about the reasons for the delay and the date on which his/her claim will be handled, which in no case may exceed eight (8) business days following the expiration of the first term.
For the correct and complete consideration of your petition, request or claim, please submit the following:
- Description of the facts;
- Identity of the applicant;
- Notification / Response address;
- Any relevant documents.
If your request or petition does not have enough data and facts so that MINESA can handle it correctly and completely, you will be required to remedy any failures within five (5) days after receiving the request, petition or claim. After two (2) months have elapsed from the date of the request, if you, as the applicant, have not made the corrections as required, MINESA, as the recipient of your request, will understands that you have abandon your request.
8. Security of Information
MINESA, knowing the importance of personal data and in the application of the Security Principle, will provide such technical, human and administrative measures as may be necessary to grant security to the records, avoiding adulteration, loss, consultation, use or unauthorized or fraudulent access.
MINESA does not guarantee the total security of your information nor is it responsible for any consequences derived from technical failures or from improper entry by third parties in the Database or archives where the Personal Data subject to Processing by MINESA are stored. Notwithstanding the foregoing, the obligation and responsibility of MINESA is limited to having the adequate means for this purpose, and the necessary tools to safeguard and protect the databases, including confidentiality clauses in employment contracts and/or service provision contracts, training workers and employees as a duty and fundamental complement to our commitment to Data Protection.
9. Term of the Databases
The validity of the database shall be the reasonable and necessary time to fulfill the purposes of the information processing. Notwithstanding the above, personal data must be kept when required to comply with any legal or contractual obligation.
10. Modification of this Policy
This policy may be modified at any time. Modifications will be informed by the publication thereof, through which the latest version will be made available or the mechanisms to obtain a copy thereof.
11. Validity Effective Date:
August 25, 2013. Date last modified: June 8, 2017. It should be noted that this update does not present any substantial change, but intends to expand some information of interest to the Holder.