1. OBJECTIVE
Lenus Capital Partners S.A.S. («Lenus») has prepared this personal data processing policy (the «Data Processing Policy») in accordance with the provisions of the Political Constitution, Law 1581 of 2012, Regulatory Decree 1377 of 2013, and other applicable complementary provisions, in order to regulate the collection, storage, use, circulation, or deletion of all activities that constitute the Processing of Personal Data (as defined later). Lenus will process Personal Data for the purpose established in this Data Processing Policy, in accordance with the principles and provisions contained in the applicable regulations. This Data Processing Policy is published on www.lenuscp.com and applies to directors, employees, contractors, suppliers, clients, and, in general, to any person who grants Authorization for the Processing of Personal Data.
2. DEFINITIONS
• Authorization: It is the prior, expressed, and informed consent of the Data Subject (as defined later) to carry out the Processing of Personal Data.
• Database: An organized set of Personal Data that is or may be subject to Processing.
• Personal Data: Any information related to or that can be associated with one or more specific or determinable natural persons. It is made clear that the data of legal entities (e.g., commercial companies, non-profit entities, etc.) are not subject to protection.
• Sensitive Personal Data: This is data that affects the intimacy of the Data Subject or whose misuse could lead to discrimination, such as those revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in trade unions, social organizations, human rights organizations, or political parties, or those that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual preference, and biometric data.
• Private Data: This is data that, by its nature, is intimate or reserved and is only relevant to the Data Subject.
• Public Data: This refers to data that is not semi-private, private, or sensitive. By its nature, public data may be found, among others, in public records, public documents, gazettes and official bulletins, and court rulings that are final and not subject to confidentiality. Public data includes, among others, data related to a person’s marital status, profession or trade, and their status as a merchant or public servant.
• Data Processor: This is the natural or legal person, whether public or private, who, either alone or in association with others, processes Personal Data on behalf of the Data Controller.
• Data Controller: This is the natural or legal person, whether public or private, who, either alone or in association with others, decides on the Database and/or the Processing of the Data.
• Data Subject: This is the natural person whose Personal Data is or may be subject to Processing.
• Transfer: This occurs when the Data Controller and/or Data Processor, located in Colombia, sends the information or Personal Data to a recipient, who in turn is responsible for the Processing and is located inside or outside the country, to be stored and processed in accordance with applicable personal data regulations.
• Transmission: This refers to the Processing of Personal Data that involves communication of this data within or outside the territory of the Republic of Colombia when the purpose is to carry out specific Processing by the Processor on behalf of the Controller.
• Processing: Any operation or set of operations on Personal Data, such as collection, storage, use, circulation, or deletion.
3. PRINCIPLES
Lenus will process Personal Data in accordance with the following principles:
- Principle of Purpose: The Processing of Personal Data and Sensitive Personal Data collected by Lenus will comply with a legitimate purpose according to the Political Constitution and the Law. This purpose will be duly informed to the Data Subject.
- Principle of Freedom: Processing can only be carried out with the Authorization of the Data Subject. Personal Data and Sensitive Personal Data cannot be obtained or disclosed without prior Authorization or in the absence of a legal or judicial mandate that exempts consent.
- Principle of Truthfulness or Quality: The information subject to Processing must be truthful, complete, accurate, updated, verifiable, and understandable. The processing of partial, incomplete, fragmented data, or data that may lead to error is prohibited.
- Principle of Transparency: The processing must guarantee the Data Subject’s right to obtain from Lenus, at any time and without restrictions, information about the existence of data concerning them.
- Principle of Restricted Access and Circulation: Personal Data and Sensitive Personal Data, except for public information, must not be available on the Internet or other mass dissemination or communication media, unless access is technically controllable to ensure restricted knowledge only to the Data Subjects or authorized third parties.
- Principle of Security: The information subject to processing by the Data Controller or Data Processor must be protected by using necessary technical, human, and administrative measures to ensure the security of records, preventing adulteration, loss, consultation, unauthorized or fraudulent use or access.
- Principle of Confidentiality: All individuals involved in the processing of Personal Data, which are not public in nature, are required to ensure the confidentiality of the information, even after their relationship with any of the tasks related to the processing has ended. They can only disclose or communicate Personal Data when it is necessary for the development of activities authorized by law or under the terms of this policy.
4. COLLECTION OF PERSONAL DATA
Lenus may have access to the following types of Personal Data, depending on the Data Subject:
1. Personal and Family Information
Includes, but is not limited to:
- First and last names
- Type and number of identification (including copies), professional card, and other government-issued identification numbers (e.g., tax registry numbers)
- Email address
- Contact information (home, residence, or work address)
- Criminal background
- Credit and/or financial information
- Phone number (for communication via chat, SMS, calls, and instant messaging)
- Health data (e.g., blood type, health status, medical treatments, health insurance affiliations, policies, and prepaid medical services)
- Socioeconomic, family, marital status, geographic location, and employment data
- Biometric data (images or videos captured by security cameras or biometric readers)
- Date and place of birth, gender, bank account, and other financial details
- Academic certificates
- Information about family members and dependents, including minors under 18 (name, date of birth, relationship, health data, socioeconomic, family, and marital status)
- Emergency contact information
- Visas
- Criminal records and background check information retrieved from databases or search engines
2. Labor and Background Information
Includes, but is not limited to:
- Previous jobs, positions held, salary, and supervisor details
- Social benefits
- Job performance
- Payroll or payment details
- Absences, licenses, and medical leaves
- Certifications and professional skills
- Background check data from publicly available platforms or search engines
3. Sensitive Information
Includes:
- Biometric data (fingerprints, photographs, videos, and voice recordings)
- Medical and occupational health records
- Union or social organization membership
- Socioeconomic status
- Racial or ethnic origin
- Work disability information (for benefits management)
- Health status
5. PURPOSE OF PROCESSING PERSONAL DATA
Lenus (including its directors, employees, and shareholders) may collect, store, use, circulate, employ, and/or delete Personal Data for the following purposes:
1. General Processing for All Data Subjects
- Creation, administration, review, and management of databases for analysis, statistical purposes, or risk assessment
- Development of operations and services necessary for Lenus’s corporate objectives
- Initiation of legal actions and protection of Lenus’s rights, as well as those of its directors, employees, shareholders, investors, managed companies, or affiliated parties
- Use of images, recordings, or footage from Lenus’s surveillance and security systems to ensure safety and provide evidence in legal proceedings
2. Processing for Job Candidates
- Evaluation of candidates as potential employees for Lenus or its affiliates
- Verification of resume information, professional experience, and academic background
- Storage and categorization of Personal Data for easier access and identification
- Provision of information to competent authorities when legally required
- Sharing of data with internal or external auditors
- Communication of job opportunities and event announcements
- Verification of information against risk lists and background check databases
- Transmission of Personal Data to Lenus’s human resources providers for analysis and performance evaluation
- Other activities compatible with these purposes or arising from the relationship between the Data Subject and Lenus
3. Processing for Directors, Shareholders, and Employees
- Management of contractual relationships, including communication and documentation
- Payroll processing, compensation management, and fulfillment of labor obligations (e.g., social security, tax withholdings, income certifications, and labor certificates)
- Monitoring financial and compensation indicators
- Budget preparation
- Management of social benefits and additional benefits (e.g., health insurance, prepaid medical services, and company agreements)
- Professional planning and development
- Provision of information to authorities when legally required
- Organization of social and recreational activities, as well as contracting of life and medical insurance
- Performance and productivity evaluation
- Recruitment, human resources management, and employee replacement planning
- IT services, telephone assistance, and technical support
- Compliance monitoring of Lenus’s policies and procedures
- Allocation of workspaces according to employee needs
- Verification of data against risk lists and background check databases
- Notification of family members in case of emergencies, workplace illnesses, or accidents
- Secure storage of Personal Data in Lenus’s information systems or third-party services
- Background checks, including criminal records, restrictive lists, educational background, and employment history verification
- Issuance of labor certifications (even post-employment)
- Other activities arising from the relationship between the Data Subject and Lenus or contained in contracts with Lenus
For clients, suppliers, interested natural persons or their personal representatives.
Lenus will have the following purposes for processing data for these individuals in particular: (i) the administration, management, compliance, and execution of the contractual relationship; (ii) to provide our services and products through the management and execution of the business relationship or provide information about Lenus to interested parties; (iii) to achieve efficient communication related to our services or products; (iv) to inform about changes in our products or services; (v) to manage the relationship with investors, suppliers, or interested natural persons or their personal representatives, which includes compliance with legal requirements related to commercial and accounting books, the management of billing and payment transactions, performing financial closures, management reports, and generally ensuring internal monitoring of these relationships; (vi) to conduct satisfaction surveys; (vii) to communicate newsletters, events, and products; (viii) to analyze potential relationships with interested parties who give their authorization for the processing of personal data, either through Lenus’s website, emails, calls, visits, and other means; (ix) to provide information to competent authorities when required by such authorities in the exercise of their functions and legal powers, to comply with a legal duty, or to protect Lenus’s rights; (x) to manage billing, receivables, collections, and payments for requested services; (xi) to verify the information contained in risk, restrictive, and non-restrictive lists, and binding and non-binding for Colombia, as explained in Chapter VI of this policy; and (xii) all other activities that are compatible with these purposes or that arise from the existing relationship between the data subject and Lenus.
For visitors or other third parties, natural persons.
Lenus will process the personal data of visitors or other third-party natural persons for the following purposes: (i) to guarantee security inside our offices by controlling access to the facilities; (ii) to protect our employees and prevent the commission of crimes; (iii) to detect violations of Lenus’s policies; (iv) to prevent the inappropriate and improper use of the facilities; (v) to verify that Lenus’s systems and facilities are accessed only by authorized persons; (vi) to provide information to the competent authorities when required by such authorities in the execution of their functions and legal powers, to comply with a legal duty, or to protect the company’s rights; (vii) to manage and process any type of remuneration if necessary; (viii) to analyze the information and/or personal data authorized for processing by the data subject; (ix) to verify the information contained in risk, restrictive, and non-restrictive lists, and binding and non-binding for Colombia, as explained in Chapter VI of this policy; and (x) all other activities that are compatible with these purposes or that arise from the existing relationship between the data subject and Lenus. In any case, when the data subject provides personal data to Lenus, it will be understood that they have duly been informed of this Personal Data Processing Policy and that they have authorized the use of such data by Lenus.
6. Verification in Risk Lists, Restrictive and Non-Restrictive Lists, and Binding and Non-Binding for Colombia
As part of the obligations established by law, Lenus must determine whether its directors, employees, shareholders, suppliers, and collaborators (including their directors, shareholders, and/or employees), their relatives, or close associates qualify as Politically Exposed Persons (hereinafter «PEP») or are included on risk lists and/or restrictive lists.
Therefore, Lenus is required to verify, request, and/or consult the Personal Data of the Data Subjects on risk lists, restrictive and non-restrictive lists, and binding and non-binding lists for Colombia, using any search engine such as, but not limited to, platforms of the administrators of the Comprehensive Social Security System, National Judicial and Police Authorities, the Attorney General’s Office, the National Audit Office, or any other legally constituted information source and/or other search engines designed to verify their current employment status, academic qualifications, and other relevant information for the aforementioned purposes. Lenus will carry out these actions directly or through its subsidiaries, suppliers, and/or strategic partners with whom it agrees to perform these activities.
Additionally, in accordance with the law, the Data Subject is informed that if any relative or close associate holds the status of PEP or acquires such status, the Data Subject must notify Lenus immediately within three (3) business days of acquiring such status, providing the identification details of the relative or close associate, including their full name, the relationship with the Data Subject, and the position they hold or held within the last two (2) years.
In cases where Lenus must process the Personal Data of third parties provided by the Data Subject, the Data Subject must obtain authorization from these individuals to have their Personal Data delivered to Lenus and processed in accordance with this Personal Data Processing Policy.
7. Personal Data about Relatives and/or Third Parties
If the Data Subject provides Lenus with Personal Data about family members and/or other third parties (e.g., emergency contacts or for the purpose of assigning benefits), the Data Subject will inform them of their rights related to the protection of their Personal Data and Sensitive Personal Data. Unless the Data Subject has notified Lenus otherwise, it is understood that the Data Subject has obtained the expressed, prior, and informed consent of these individuals, and that these individuals are legally capable of authorizing it, to provide this information to Lenus and for the subsequent processing, including the transmission, of such information as established in this Personal Data Processing Policy.
8. ACCESS TO PERSONAL DATA
At Lenus, access to the Personal Data of the Data Subjects is restricted to certain individuals in cases that are strictly necessary and legally permitted, or as required by the competent authority. All employees, directors, and shareholders may have access to the internal directory of employees, candidates, collaborators, and suppliers.
9. TRANSMISSION OF PERSONAL DATA
Lenus may transmit and/or transfer Personal Data and Sensitive Personal Data to third parties located in Colombia or abroad, who will process the data on behalf of Lenus and in accordance with the Purpose of the Processing as outlined in this Data Processing Policy.
These third parties will act as Data Processors, and the relationship will be documented in agreements or contracts for Transmission.
Lenus will take the necessary measures to ensure that appropriate security and protection requirements are met by these recipients, and will ensure that the Personal Data is properly protected in accordance with this Data Processing Policy and applicable legal provisions.
10. RIGHTS OF THE DATA SUBJECTS
In accordance with Article 8 of Law 1581 of 2012, the rights of Data Subjects with respect to their Personal Data and Sensitive Personal Data are:
• To know, update, and rectify their Personal Data and Sensitive Personal Data before the Data Controllers or Data Processors. This right can be exercised, among others, for partial, inaccurate, incomplete, fragmented data, those that induce error, or those whose processing is explicitly prohibited or has not been authorized.
• To request proof of the Authorization granted to the Data Controller, except when expressly excluded as a requirement for processing.
• To be informed by the Data Controller or Data Processor, upon request, about the use made of their Personal Data and Sensitive Personal Data.
• To file complaints with the Colombian Superintendence of Industry and Commerce for violations of the provisions of the Law regarding the processing of information.
• To revoke the Authorization and/or request the deletion of data when the processing does not respect the principles, rights, and constitutional and legal guarantees. Revocation and/or deletion will proceed when the Superintendence of Industry and Commerce has determined that the Data Controller or Data Processor has engaged in conduct contrary to the Law and the Constitution.
• To access, free of charge, the Personal Data and Sensitive Personal Data that has been processed.
11. PROCEDURE FOR DATA SUBJECTS TO EXERCISE THEIR RIGHTS
Lenus will process any queries or claims regarding the Personal Data collected and processed in accordance with the Law. For this, the Data Subject should send a written description of their query and/or claim to info@lenuscp.com, following the procedures below:
• Queries on Personal Data. In accordance with the provisions of Article 14 of Law 1581 of 2012, Data Subjects may consult the Personal Data held in any Lenus database. For this process, the Data Subject must provide the following with their query: (i) their identification (i.e., name, surname, and identification number); (ii) data they wish to locate; and (iii) the signature of the Data Subject or their representative. In this regard, Lenus will guarantee the right to consult by providing the Data Subject or their successors with all the information contained in the individual record or linked to the identification of the Data Subject as a Personal Data subject. In the case of queries, Lenus will ensure that they are addressed within a maximum period of ten (10) business days from the day after receiving the request. If it is not possible to respond within this period, the interested party will be informed before the expiration of the ten (10) business days, indicating the reasons for the delay and providing the date when the query will be addressed, which in no case will exceed five (5) business days after the expiration of the initial period.
• Claims. In accordance with Article 15 of Law 1581 of 2012, Data Subjects, when they believe that the information contained in a database should be corrected, updated, or deleted, or when they identify a possible failure to comply with any of the duties contained in Law 1581 of 2012, may file a claim with Lenus. This claim must be accompanied by the following information and/or documentation: (i) their identification (i.e., name, surname, and identification number); (ii) data they wish to correct, update, and/or delete; (iii) any necessary documentation or evidence to justify the request, if applicable; and (iv) the signature of the Data Subject or their representative. The maximum term to address the claim will be fifteen (15) business days, counted from the day following the date of receipt. If it is not possible to address it within this term, the reasons for the delay will be informed before the expiration of the aforementioned term, along with the date when the claim will be addressed, which in no case may exceed eight (8) business days after the expiration of the initial term.
12. VALIDITY
This Personal Data Processing Policy will come into effect as of October 10, 2024, and will remain in force as long as Lenus collects and processes Personal Data.