In compliance with the provisions of the General Data Protection Regulation (GDPR) of the European Union, the General Law on Personal Data Protection (LGPD) of Brazil, Law 1266 of 2008, the Statutory Law 1581 of 2012 and its Regulatory Decrees and the Accountability Guide of the Superintendence of Industry and Commerce and other complementary guides in Colombia, the laws of Argentina, including Law 25,326 on Personal Data Protection (PDPL), and any other applicable data privacy law or regulation, SIMETRIK INC, its present and future affiliated, controlled, controlling or related entities (hereinafter "SIMETRIK"), adopt this policy for the Processing of Personal Data, which will be informed to all subjects of the data collected or that in the future will be obtained in the exercise of its business activities.
This document describes the mechanisms through which SIMETRIK guarantees an adequate management of the Personal Data collected in its databases, in order to allow the Data Subjects to exercise their privacy rights. Regarding GDPR data protection requirements, this Privacy Policy shall be read jointly with the ANNEX I. Regarding LGPD data protection requirements, this Privacy Policy shall be read jointly with ANNEX II.
This policy is of mandatory and strict compliance for SIMETRIK.
a) SIMETRIK INC., a Delaware corporation domiciled in the city of San Francisco, California, identified by EIN No. 61-1863197, whose corporate address is 2261 Market Street #4030 San Francisco, CA, US, and whose phone number is +13053398090, as parent company;
b) SIMETRIK S.A.S., a Colombian company, incorporated under the laws of the Republic of Colombia, domiciled in the city of Bogotá D.C., identified with TIN. 901.030.030-8, whose corporate address is CL 91 # 11 - 29, floor 6, and whose phone number is +13053398090, in its capacity as a subsidiary;
c) SIMETRIK BRASIL LTDA, a Brazilian corporation domiciled in the city of Sao Paulo, identified by CNPJ 54.485.011/0001-38, whose corporate address is Rua Conselheiro Brotero, nº 528, Suíte 1408, Tower Office Urban, Mario de Andrade nº 48, and whose phone number is +13053398090, in its capacity as a subsidiary.
▪ The corporate purpose of SIMETRIK INC, SIMETRIK S.A.S and SIMETRIK BRASIL LTDA is the development of software in the cloud and the provision of cloud technology services (SaaS).
▪ Website: http://simetrik.com.
d) ATOM UNIFIED LLC, a Delaware corporation domiciled in the city of San Francisco, California, identified by EIN No. 93-3287266, whose corporate address is Corporation Service Company, 251 Little Falls Drive, Wilmington, Delaware 19808, and whose phone number is +13053398090, in its capacity as a subsidiary.
e) SIMETRIK S.R.L., an Argentinian corporation domiciled in the autonomous city of Buenos Aires, identified by CUIT. 30718525280, whose corporate address is Avenida Chiclana 3345, 5° Piso, Ciudad Autónoma de Buenos Aires, and whose phone number is +13053398090, in its capacity as a subsidiary.
f) And other affiliated, controlled, controlling or related entities are the Data Controllers of your Personal Data.
DATA SUBJECTS INFORMATION:
Simetrik processes personal data regarding its employees and contractors, shareholders and investors, customers, suppliers, individuals subject to video recordings, visitors, children and adolescents, and users of our website (through cookies). Such processing is carried out by SIMETRIK in the terms of Section 10.2. of this Privacy Policy.
This Policy establishes the general guidelines for the protection and processing of Personal Data within SIMETRIK, thereby strengthening the level of trust between the Controller and the Data Subjects, and other persons in charge of the handling and processing of personal data, in relation to the collection, registration, handling, transfer and processing of identifiable personal data carried out by SIMETRIK in the ordinary exercise of its corporate purpose.
This Privacy Policy will be applied to all databases and/or files that include Personal Data that are subject to Processing by SIMETRIK as Data Controller.
1. Authorization: Prior, express and informed consent of the Data Subject to carry out the processing of Personal Data.
2. Data Protection Authority: It is the authority in charge of monitoring and supervising that in the processing of Personal Data, the principles, rights and guarantees of the Data Subjects are respected.
3. Privacy Notice: It is the document which is made available to the Data Subject in order to inform him or her about the Processing of his or her Personal Data. The Privacy Notice informs the Data Subjects of the existence of the privacy policies that will be applicable, the means to access them and the characteristics of the processing that is intended to be given to the Personal Data.
4. Data Base: Organized set of Personal Data that is subject to processing.
5. Successor: A person who by succession or transmission acquires the rights of another person.
6. Personal Data: Any information linked or that can be associated to one or several determined or determinable natural persons.
7. Sensitive Data: Sensitive data is Personal Data that may affect the privacy of the Data Subject or whose improper use may lead to the Data Subject’s discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sex life and biometric data.
8. Data Protection Officer: It is the natural person who meets the profile established by law and whose function is to monitor and control the application of the Privacy Policy, as well as to process any complaints or requests filed by Data Subjects.
9. Data Processor: Natural or legal person, public or private, that by itself or in association with others, performs the processing of Personal Data on behalf of the Data Controller.
10. Habeas Data: The right of every person to know, update and rectify the information that has been collected about him/her in files and data banks of a public or private nature.
11. Data Controller: Natural or legal person, public or private, who by himself or in association with others, decides on the database and/or the processing of the data. For the purposes of this Privacy Policy, SIMETRIK is the Data Controller.
12. Data Subject(s): Natural person whose Personal Data is the object of processing.
13. Processing: Any operation or set of operations on Personal Data, such as collection, storage, use, circulation or deletion.
14. Breach of security of Personal Data: Any breach of security that results in the accidental or unlawful destruction, loss or alteration of Personal Data stored or processed, or the unauthorized communication of or access to such data.
15. Information Source: Exclusively for the purposes of Personal Data concerning the creation, performance and extinction of monetary obligations, it is the person, entity or organization that receives or knows Personal Data of the Data Subject, by virtue of a commercial or service relationship or of any other nature and that, by reason of legal authorization or of the Data Subject, provides such data to an Information Operator, which in turn will deliver it to the end user.
16. Information Operator or Database Operators: Exclusively for the purposes of Personal Data concerning the creation, performance and extinction of monetary obligations, it is the person, entity or organization that receives Personal Data from the Information Source on several Data Subjects, manages them and grants access to such Personal Data to the Data Subjects, in the terms set forth under applicable law.
17. Information User: Exclusively for the purposes of Personal Data concerning the creation, performance and extinction of monetary obligations, it is the legal entity or individual that may access Personal Data of one or more Data Subjects provided by the Information Operator or by the Information Source, or directly by the Data Subject.
The principles set forth below constitute the general parameters that SIMETRIK applies and safeguards in the exercise of the processes of capture, registration, management, use and processing of Personal Data:
5.1. Principle of legality in matters of data processing: The processing of Personal Data shall be carried out within the legal framework in force and in the other provisions that develop it, in accordance with the authorization granted by the Data Subject.
5.2. Principle of purpose: The processing must obey a legitimate purpose in accordance with the Constitution and the law, including the law of Argentina, which must be informed to the Data Subject.
The processing of Personal Data will be carried out for the time that is reasonable and necessary, in accordance with the purposes that justify the processing.
Once the purposes of the processing have been fulfilled, the Personal Data provided will be deleted, unless there is any provision which may indicate otherwise.
5.3. Principle of freedom: Processing may only be carried out with the prior, express and informed consent of the Data Subject. Personal Data may not be obtained or disclosed without prior authorization, or in the absence of a legal basis or judicial mandate that relieves consent.
5.4. Principle of truthfulness or quality: The information subject to processing must be truthful, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fractioned or misleading data is prohibited.
5.5. Principle of transparency: The right of the Data Subject to obtain from the Data Controller or the Data Processor, at any time and without restrictions, information about the existence of data concerning him or her, must be guaranteed.
5.6. Principle of restricted access and circulation: Processing is subject to the limits derived from the nature of the Personal Data, the provisions of the law and the Constitution. In this sense, the Processing may only be carried out by persons authorized by the Data Subject and/or by the persons provided for by law, provided no other legal basis for the processing applies. Personal Data, except for public information, may not be made available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to Data Controllers or third parties authorized by law.
5.7. Security Principle: The information subject to processing by the Controller or Data Processor must be handled with the technical, human and administrative measures that are necessary to ensure the security of the information and of the records, to prevent their adulteration, loss, consultation, unauthorized or fraudulent use or access.
5.8. Principle of confidentiality: All persons involved in the processing of Personal Data that are not of a public nature are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks that comprise the processing and may only supply or communicate Personal Data when this corresponds to the development of the activities authorized by and under the terms of the law.
5.9. Principle of temporality: Personal data will be kept only for the reasonable and necessary time to fulfill the purposes that justified the processing, considering the provisions applicable to the matter in question and the administrative, accounting, fiscal, legal and historical aspects of the information. The data will be kept when this is necessary for the fulfillment of a legal or contractual obligation. Once the purpose of the processing and the terms established above have been fulfilled, the data will be deleted.
5.10. Integral interpretation of constitutional rights: The rights shall be interpreted in harmony and in balance with the applicable constitutional rights.
5.11. Principle of Necessity: The personal data processed must be strictly necessary for the fulfillment of the purposes pursued with the database.
It is any information that refers to the private life of a person, such as personal data including personal e-mail, telephone, home address, employment data, education level, administrative or criminal offenses, data administered by some entities such as tax, financial or social security, photographs, videos, and any other data that refer to the lifestyle of the person.
The Data Subject has the right to control when and who can access this information that is part of his or her private life.
Data that is not of an intimate, reserved or public nature and whose knowledge or disclosure may be of interest not only to its owner but also to a certain sector or group of persons or to society in general, such as financial and credit data of commercial or service activity.
Semi-private data has a limitation, which is that its disclosure requires an order from an administrative or judicial authority.
Semi-private data includes: credit histories, financial data, reports in credit bureaus.
Sensitive data is defined under Section 4 of this Privacy Policy.
The processing of sensitive data is prohibited except for the following cases:
- When the Data Subject grants consent.
- The processing is necessary to safeguard the vital interest of the Data Subject and the Data Subject is physically or legally incapacitated.
- The processing is carried out in the course of legitimate activities and with due guarantees by a foundation, NGO, association or any other non-profit organization, whose purpose is political, philosophical, religious or trade union, provided that it concerns exclusively its members or persons in regular contact with them by reason of their purpose.
- The processing refers to data that are necessary for the recognition, exercise or defense of a right in a judicial process.
- The processing has a historical, statistical or scientific purpose; in the latter case, measures must be taken to suppress the identity of the Data Subjects.
- When a different legal basis for the processing of sensitive personal data may apply, in accordance with applicable law.
Biometrics refers to any information concerning identified or identifiable individuals regarding the parameters and characteristics of the human body, physical parameters that are unique to each person, such as fingerprints, eye iris, photographs, video surveillance cameras, dental records, voice, palm print or facial features.
The processing of this special category of Personal Data is prohibited, except when such data is public in nature. In addition, the processing of Personal Data of children and adolescents is permitted when the purpose for such processing responds to the best interests of the children and adolescents and ensures, without exception, the respect of their prevailing rights.
The information collected, stored, used, disclosed and deleted, and otherwise processed by SIMETRIK is used with the main purpose to allow the proper development of the company’s corporate purpose for the fulfillment of its relationship with the Data Subject, as well as other purposes, as described below:
✔ To comply with the obligations undertaken by SIMETRIK with the Data Subject.
✔ Transfer personal data outside the country to SIMETRIK, INC, as its parent company.
✔ To provide the services offered by Simetrik accepted in the contract signed.
✔ Transmit personal data outside the country to data processors with whom SIMETRIK has entered into a data processing agreement, when such transmission is necessary for the fulfillment of the contractual object with Data Subjects.
✔ To provide information to third parties with which SIMETRIK has a contractual relationship and that it is necessary to deliver it to them for the fulfillment of the contracted object.
Therefore, whoever accesses the services and / or products of SIMETRIK, has a labor or service provision agreement with SIMETRIK, is a supplier of SIMETRIK, is a shareholder of SIMETRIK, or visits SIMETRIK’s premises, must voluntarily provide certain physical or personal identification data, such as: name, surname, ID, age, gender, telephone, physical and electronic address, country, city and other necessary data requested within the framework of their relationship with SIMETRIK.
Specific purposes for each category of Personal Data processed by SIMETRIK are described in Section 10.2. of this Privacy Policy.
The disclosure, publication or transfer of the Personal Data processed by SIMETRIK will be limited in accordance with the applicable principles that regulate the process of personal data management.
Personal data and user data sent through the platforms and in general the information generated, produced, stored, sent or shared in the provision of SIMETRIK’s services, regardless of the means employed for their collection and subsequent processing, may not be subject to marketing or economic exploitation of any kind, except with the express authorization of the Data Subject and in accordance with the limits imposed by applicable privacy law.
SIMETRIK will only process the Personal Data of Data Subjects where at least one of the following legal bases is met:
a) The Data Subject has given his/her explicit authorization to such processing;
b) The processing is necessary to safeguard the vital interest of the Data Subject and the Data Subject is physically or legally incapacitated. In these events of emergency that affect the Data Subject, the legal representative of the Data Subject must provide such authorization.
c) The processing is carried out in the course of legitimate activities and with due guarantees by a foundation, NGO, association or any other non-profit organization, whose purpose is political, philosophical, religious or trade union, provided that they relate exclusively to its members or to persons who maintain regular contacts by reason of their purpose. In these events, the data may not be provided to third parties without the authorization of the Data Subject;
d) The processing refers to data that is necessary for the recognition, exercise or defense of a right in a judicial process, or to comply with a legal obligation to which SIMETRIK is subject.
e) The processing has a historical, statistical or scientific purpose. In this event, the measures leading to the suppression of the identity of the Data Subjects shall be adopted.
f) Personal Data will not be used for commercial or marketing purposes unless expressly authorized to do so.
g) The processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the data subject prior to entering into a contract, where this legal basis applies under applicable law.
h) Processing is necessary for the performance of a task carried out in the public interest.
i) Processing is necessary for the purposes of the legitimate interests pursued by SIMETRIK, which include the purposes set out throughout this Privacy Policy, or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of personal data, in particular where the data subject is a child.
SIMETRIK declares to be responsible for the processing of the Personal Data that has been provided by the Data Subject and that is stored in databases or storage media owned or managed by SIMETRIK, or whose management has been entrusted to a third party by SIMETRIK.
The information contained in SIMETRIK’s databases is subjected to different forms of processing, such as collection, exchange, updating, processing, reproduction, compilation, storage, use, systematization and organization, all of them in compliance with the established purposes.
The information may be transmitted or transferred to public entities, business partners, contractors, subsidiaries and affiliates, as long as such transfer or transmission is intended to fulfill the established purposes and is compliant with the requirements set forth under applicable law.
In any case, the transmission or transfer will be made after the execution of the necessary documents to safeguard the confidentiality of the information. Likewise, in compliance with its legal duties, SIMETRIK may provide personal information to judicial or administrative authorities.
When SIMETRIK processes Personal Data of Data Subjects residing abroad, it will adopt the provisions in compliance with the General Data Protection Regulation (GDPR), or any other applicable data privacy regulation. In this case, this Personal Data Processing Policy shall be read jointly with ANNEX I. SIMETRIK will conduct a prior impact assessment, when it is likely that a specific form of Data processing entails a high risk to the rights of Data Subjects, due to its nature, scope, purposes or context.
The assessment shall contain: (i) a description of the processing operations and the purposes thereof; (ii) an assessment of the necessity and proportionality of the processing; (iii) an assessment of the risks to the rights of the Data Controllers; and (iv) the measures envisaged to ensure the protection of the Personal Data.
SIMETRIK may consult the Data Protection Authority before carrying out a form of Personal Data processing, when the prior impact assessment shows that the processing would entail a high risk to the rights of the Data Subjects, if the necessary measures to mitigate it are not taken.
The Personal Data we collect from our employees and contractors include:
a. Identification information: Name, address, phone number, marital status, name of family members and beneficiaries, date of birth, place of birth, photo ID, age, military passbook (if applicable), citizenship, foreigners’ card or passport number, signature.
b. Electronic contact: E-mail.
c. Academic information: Academic titles, academic certificates, diplomas, professional card.
d. Employment data: Recruitment and selection information, personal and labor references, social security information (e.g. affiliation to pension funds, healthcare, family compensation funds, etc.)
e. Financial data: Banking account, type of banking account.
f. Biometric data: Fingerprint, face scan.
The information collected by SIMETRIK from its employees and contractors is primarily for the following purposes:
a. To store the personal data of employees, including those obtained in the course of the selection process (including the applicable affiliations and contributions to healthcare, pension funds, labor risks, and others that apply according to the employment relationship).
b. To comply with the obligations imposed by labor law on employers and to comply with the orders issued by the competent authorities for such purposes.
c. Issue certifications regarding the employee’s relationship with SIMETRIK.
d. Comply with the obligations set out under occupational safety and health management systems, where applicable.
e. Manage the functions performed by the workers.
f. Consult memos or reminders.
g. To advance the corresponding disciplinary processes.
h. Contact family members in case of emergency.
i. To carry out personnel hiring procedures and comply with contractual obligations.
j. Identification of personnel (internal management of databases for metrics creation, team follow-up and analysis of the People Experience & Culture area).
k. Manage and make payments (News reports, payroll payments, reports to social security entities and similar).
l. Comply with contractual obligations.
m. Monitoring of virtual and face-to-face activities (Group activities where we must keep attendance, participation or record grades).
n. Forms, surveys or evaluations where your participation is required. If participation is not anonymous, personal data will be used to track participation.
o. To register employees to trainings or events, generating attendance lists and validating such lists, issuing certificates of participation of attendance to trainings and events when such certificate is required, issuing communications regarding trainings or events, clarification of queries about your training or events data, generating statistics reports regarding trainings and events, sharing training or support material, issuing future invitations to trainings or events.
p. For the processing of Sensitive Personal Data, SIMETRIK will collect such information with the respective Authorization. The Sensitive Personal Data collected will be stored in databases and/or files independent from the other Personal Data that are subject to processing by SIMETRIK.
q. The information collected, stored and processed by SIMETRIK shall not exceed twenty (20) years counted from the termination of the employment relationship, or according to the legal or contractual circumstances that make necessary the handling of the information.
Personal data may be collected for the purposes set out above directly from the employee, during the onboarding process, when the employee applies to a specific job opening at SIMETRIK, by means of onboarding forms, or at any time during the performance of the employee’s labor contract.
The Personal Data we collect from our shareholders includes:
a. Identification information: Name, address, phone number, marital status, name of family members and beneficiaries, date of birth, place of birth, photo ID, age, citizenship, foreigners’ card or passport number, signature.
b. Electronic contact: E-mail.
c. Biometric data: Fingerprint, face scan.
d. Other: Any other information required for SIMETRIK to comply with applicable laws regarding its relationship with its shareholders.
The information collected by SIMETRIK from its shareholders is mainly for the following purposes:
a. To allow the exercise of the duties and rights derived from the Data Subject’s capacity of Shareholder.
b. Send invitations to events scheduled by the company and in general contact the Shareholder.
c. To issue certifications related to the relationship of the Data Subject with the Company (commercial and credit operations in which the shareholder composition of SIMETRIK must be known).
d. Any others specifically established in the authorizations granted by the Shareholders.
e. To comply with the contractual purpose and the applicable requirements in financial matters and prevention of money laundering and financing of terrorism and proliferation of weapons of mass destruction, which will be applicable as a security measure of SIMETRIK in order to onboard new investors.
f. For the processing of Sensitive Personal Data, SIMETRIK will collect such information with the respective Authorization. The Sensitive Personal Data collected will be stored in databases and/or files independent from the other Personal Data that are subject to processing by SIMETRIK.
g. The information collected, stored and treated by SIMETRIK shall not exceed five (5) years from the date on which you lose your status as a shareholder of the company.
Personal data may be collected for the purposes set out above directly from the shareholder at the time in which the Data Subject acquires his or her capacity as shareholder of SIMETRIK, or at any time in which the shareholder continues to act in such capacity.
SIMETRIK collects the Personal Data of its clients and users through the subscription of contracts for the provision of services in the cloud and/or through the simetrik.com domain, where for purposes of authentication and access to the service, the client and/or user will be asked for certain personally identifiable information that can be used to contact or identify him/her. Personally identifiable information may include, but is not limited to: email address, name, address, country, zip code, city, cookies and usage data, as well as any information on the client’s background that could help SIMETRIK evaluate the viability of entering into a contract with the client, including any information required to comply with SIMETRIK’s obligation for the prevention, detection, monitoring and control of money laundering, financing of terrorism, fraud, bribery and corruption risks.
SIMETRIK stores the data in a database, which is classified by the company as confidential, and will only be disclosed with the express authorization of the owner or when requested by a competent authority.
The purposes for which the Personal Data of SIMETRIK’s Customers are used are:
a. Performing the pre-contractual, contractual and post-contractual stages of his or her contract.
b. Sending invitations to events scheduled by the company.
c. Sending of software updates and news.
d. To corroborate any requirement that may arise in the development of the executed contract.
e. To comply with the object of the contract, including mailing activities, compliance, among others.
f. Provide customer support.
g. Monitor software usage.
h. Detect, prevent and address technical problems.
i. Verify cases of non-compliance by any of the parties.
j. General relationship with each client.
k. To carry out customer loyalty activities and marketing operations, in which case the Personal Data may be processed directly or indirectly by the Data Controller or a Data Processor.
l. When processing sensitive data, the Data Subject’s authorization must be collected, which in any case will be express and optional, clearly indicating the sensitive data to be processed and its purpose.
m. The sensitive data collected will be stored in databases and/or files separate from the other Personal Data that are subject to processing. Likewise, it will have adequate security systems for the handling of sensitive data and its confidentiality.
n. In any case, the information will not be processed for a period exceeding the duration of the customer’s relationship with the company, and the additional time required according to the legal or contractual circumstances that make necessary the management of information, which in no case may exceed five (5) years from the time of termination of the relationship.
Personal data may also be collected for the purposes set out above directly from the client, during the onboarding process, when the client enters into an agreement with SIMETRIK, by means of onboarding forms, or at any time during or prior to the performance of the customer’s agreement with SIMETRIK.
The Personal Data we collect from our suppliers includes:
a. Identification information: Name, address, phone number, marital status, name of family members and beneficiaries, date of birth, place of birth, photo ID, age, citizenship, foreigners’ card or passport number, signature.
b. Electronic contact: E-mail.
c. Background information: Any information on the supplier’s background that could help SIMETRIK evaluate the viability of entering into a contract with the supplier, including any information required to comply with SIMETRIK’s obligation for the prevention, detection, monitoring and control of money laundering, financing of terrorism, fraud, bribery and corruption risks.
d. Other: Any other information required for SIMETRIK to comply with applicable laws regarding its relationship with its suppliers.
SIMETRIK collects the Personal Data of its suppliers and stores them in a database which, although it is composed mostly of public data, is qualified by the company as private. The company will only disclose private data with the express authorization of the Data Subject or when requested by a competent authority.
The purposes for which the Personal Data of SIMETRIK’s suppliers is processed are:
a. Proposing that the supplier enter into an agreement and making arrangements for the pre-contractual, contractual and post-contractual stages.
b. Sending invitations to events scheduled by the company or its affiliates.
c. Others specifically established in the authorizations granted by the suppliers themselves.
d. SIMETRIK will only collect this data to the extent that it is necessary, relevant and not excessive for the purpose of selection, evaluation and execution of the contract.
e. In any case, the collection of Personal Data of individuals affiliated to suppliers by SIMETRIK will have the purpose of verifying the suitability and competence of the employees; that is, once this requirement is verified, SIMETRIK will return such information to the Supplier, except when its conservation is expressly authorized.
f. Likewise, SIMETRIK will have adequate security systems for the handling of sensitive data and its confidentiality.
g. To register suppliers to trainings or events, generating attendance lists and validating such lists, issuing certificates of participation of attendance to trainings and events when such certificate is required, issuing communications regarding trainings or events, clarification of queries about your training or events data, generating statistics reports regarding trainings and events, sharing training or support material, issuing future invitations to trainings or events.
h. In any case, the information will not be subject to processing for a period longer than the duration of the Supplier’s relationship with the company, and the additional time required according to the legal or contractual circumstances that make it necessary to handle the information, which in no case may be longer than ten (10) years from the time the Supplier’s relationship with the company ends.
Personal data may be collected for the purposes set out above directly from the supplier, during the onboarding process, when the supplier enters into an agreement with SIMETRIK, by means of onboarding forms, or at any time during or prior to the performance of the customer’s agreement with SIMETRIK.
SIMETRIK, from time to time, may collect biometric data, including the Data Subject’s personal images and video recordings, from its visitors, through its surveillance cameras and store them in a database which is classified by the company as confidential, and will only be disclosed with the express authorization of the Data Subject or when requested by a competent authority.
The purposes for which the Personal Data contained in SIMETRIK’s Surveillance Cameras are used are:
a. Ensuring safety in the work environment.
b. To provide adequate work environments for the safe development of the company’s work activities.
c. Control the entry, stay and exit of employees and contractors in the company’s facilities.
d. In order to comply with the duty of information that corresponds to SIMETRIK as administrator of Personal Data, the company will implement Privacy Notices in the areas where the capture of images that involve Personal Data processing is carried out.
e. In any case, the information will not be processed for a period exceeding thirty (30) days from its collection in accordance with the legal or contractual circumstances that make it necessary to handle the information.
Personal Data under this category will be collected at the time the Data Subject enters one of the areas in the facilities of SIMETRIK that is subject to surveillance recordings. At all times a privacy notice will be made available to the Data Subjects that access such areas, to ensure that they have access to this Privacy Policy.
SIMETRIK may collect personal data from visitors, including their Identification, contact telephone number, city, Data related to Social Security, Vehicle data, Equipment Registration, information on the purpose of the visit, contact in case of emergency, and signature, among others.
Your personal data will be used in order to keep control of the entrances and exits to our premises and to have the necessary information in case of an accident or any risk identified in SIMETRIK during your visit. Likewise, you are informed that this processing is part of the security measures adopted within SIMETRIK.
Personal Data under this category will be collected at the time the Data Subject conducts the mandatory registry procedure upon entering SIMETRIK’S premises.
The Personal Data we collect from children and adolescents includes:
a. Identification information: Name, address, family members, date of birth, place of birth, photo ID, age, identification number.
b. Other: Any other information required for SIMETRIK to comply with applicable laws regarding its relationship with its suppliers.
SIMETRIK does not directly process Personal Data of minors. However, in particular, the company collects and processes the Personal Data of its employees’ underage sons for the sole purpose of complying with the obligations imposed by law on employers in relation to affiliations to the social security and parafiscal systems, and in particular to allow the enjoyment of children’s fundamental rights to health and recreation.
In any case, SIMETRIK will collect, when appropriate, the respective authorization for its processing, always bearing in mind the best interest of the minor and the respect of the prevailing rights of children and adolescents.
Data on Children and Adolescents will be collected from their parents (i.e. SIMETRIK employees) on a voluntary basis, exclusively for the purposes set out above.
Cookies are text files placed on computers to collect internet log information and visitor’s behavior information. When SIMETRIK’s website is visited, SIMETRIK may collect information from Data Subjects automatically through cookies or similar technology.
SIMETRIK performs cookie scans to ensure that it is aware of all personal information being collected from its website and to ensure that its website is not collecting or sharing any information that it does not need, or is not aware of.
SIMETRIK uses cookies in a range of ways to improve the Data Subject’s experience on SIMETRIK’s website, including keeping the user signed in and understanding how Data Subjects use SIMETRIK’s website.
Data Subjects can set their browsers not to accept cookies. However, in a few cases some features of SIMETRIK’s website may not function as a result.
The company currently performs International Personal Data Transfers. To perform the International Transfers of Personal Data, in addition to informing the Data Subject and having his authorization, SIMETRIK (if applicable) will ensure that the action of transmitting is regulated and contemplates the requirements set by the GDPR, the Statutory Law 1581 of 2012, its regulatory decrees and/or any other applicable regulations. A copy of the appropriate or suitable safeguards implemented under GDPR may be obtained by contacting the Data Protection Officer.
To the extent that SIMETRIK also performs International Data Transmissions, SIMETRIK will enter into a data transmission agreement, enter into Standard Contractual Clauses, or enter into any agreement or comply with any requirement under applicable data privacy laws for the disclosure of personal data to a data processor. A copy of the appropriate or suitable safeguards implemented under GDPR may be obtained by contacting the Data Protection Officer.
SIMETRIK has implemented safeguards that are intended to protect the personal information we collect from loss, misuse, unauthorized access, disclosure, alteration, and destruction, which comply with applicable data protection laws and are consistent with current technical standards.
In compliance with the obligation described above, SIMETRIK adopts the security protocols available in the following document: General Information Security, Cybersecurity And Privacy Policy
SIMETRIK does not sell, purchase, nor is in any other way involved in the commercialization of the Data Subject’s Personal Data.
For the processing of Personal Data, SIMETRIK will request prior and informed authorization from the Data Subject, which may be obtained by any means that may be subject to subsequent consultation.
14.1. The authorization shall contain at least the following information:
✔ The identification of the Data Controller and the area responsible for the protection of Personal Data.
✔ The type of Personal Data to be processed.
✔ The purpose for which the Personal Data will be processed.
✔ The legitimate interests pursued, where such legal basis is applicable.
✔ The recipients or categories of recipients of the personal data, if any.
✔ The fact that the controller intends to transfer personal data to a third country or international organization and the existence or absence of an adequacy decision by the data protection authority, where applicable.
✔ The rights of the Data Subjects.
✔ The communication channels through which the Data Controllers may submit queries and/or complaints to the Data Controller.
✔ Data Protection Officer contact details.
✔ The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.
✔ Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data.
✔ The existence of automated decision-making, including profiling, providing meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject, in the cases in which this information must be informed to the Data Subject under applicable laws.
SIMETRIK will not appeal to silence, pre-ticked boxes or inactivity in order to obtain the Data Subject’s authorization.
14.2. Events in which authorization is not required:
✔ Information required by a public or administrative entity in the exercise of its legal functions or by court order.
✔ Data of a public nature.
✔ Cases of medical or sanitary emergency.
✔ Processing of information authorized by law for historical, statistical or scientific purposes.
✔ Data related to the Civil Registry of Persons.
✔ Where a legal basis different from consent may allow us to process the Data Subject’s Personal Data.
The Data Subjects shall enjoy the following rights, and those granted to them by law:
a. Access: Data Subjects have the right to obtain confirmation as to whether or not Personal Data concerning the Data Subject is being processed, and where that is the case, to know what personal data SIMETRIK has about the Data Subject, what it is used for and the conditions of the use SIMETRIK makes of it, free of charge, in the terms set forth under applicable law.
b. Rectification: Likewise, it is the Data Subject’s right to request the correction of his or her personal information in case it is outdated, inaccurate or incomplete.
c. Right to erasure or the right to be forgotten: Data Subjects have the right to obtain erasure from SIMETRIK’s records or databases when the Data Subject considers that it is not being used in accordance with the principles, duties and obligations provided by law, and where other legal grounds for erasure may apply. SIMETRIK will retain your personal data where other legal basis for the processing apply.
d. Restriction of data processing: Data Subjects have the right to request to restrict SIMETRIK’s use of their personal information for specific purposes, where any applicable legal grounds for such restriction may apply.
e. Right to objection: It is the right of Data Subjects to limit or oppose, at any time, the processing of their Personal Data on SIMETRIK’s behalf. In case of requesting such limitation, SIMETRIK must obtain a new authorization, in accordance with the limitation requested. However, SIMETRIK may demonstrate legal grounds to continue to process the personal data, to the extent possible under applicable privacy laws.
f. Data Portability: Data Subjects have the right to request SIMETRIK to provide their personal data to another Data Controller, where the conditions set out under applicable law are satisfied.
g. Request proof for authorization: It is the Data Subject’s right to request proof of the authorization granted to the Data Controller, except when expressly exempted as a legal basis for the processing.
h. Right of information: Data Subjects have the right to be informed by SIMETRIK, upon request, regarding the use that has been made of their Personal Data.
i. File Complaints: Data Subjects have the right to file complaints before the competent data protection authority, including but not limited to the European Commission and the Superintendence of Industry and Commerce, for violations to the provisions set forth under applicable data protection laws and regulations.
j. Right to revoke your consent: Data Subjects may revoke their authorization and/or request the deletion of their Personal Data when the processing does not comply with applicable constitutional and legal principles, rights and guarantees. Notwithstanding the foregoing, SIMETRIK may demonstrate a legal basis to continue to process the personal data, in the terms set forth under applicable law.
k. Automated Decision-Making, including profiling: Data Subjects have the right to request SIMETRIK not to process their personal information solely by automated means, including profiling, in a manner that produces legal or similarly significant effects on them.
SIMETRIK as Data Controller, shall comply with the following duties:
a. Guarantee to the Data Subject, at all times, the full and effective exercise of the right of Habeas Data.
b. Request and keep, under the conditions provided by law, a copy of the respective authorization granted by the Data Subject.
c. Duly inform the Data Subject about the purpose of the collection and the rights he/she has by virtue of the authorization granted.
d. Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
e. Ensure that the information provided to the Data Processor is truthful, complete, accurate, updated, verifiable and understandable.
f. If applicable, inform the Data Controller of any rectification, deletion or limitation of the processing made by the Data Subject.
g. To guarantee that only the Personal Data that is necessary for each of the specific purposes of the processing is subject to processing.
h. Update the information, communicating in a timely manner to the Data Processor, all developments regarding the data previously provided and take other necessary measures to ensure that the information provided to it is kept up to date.
i. Rectify the information when it is incorrect and communicate any inconsistency to the Data Processor.
j. To provide to the Data Processor, as the case may be, only data whose processing is previously authorized in accordance with the provisions of the law.
k. When the processing is carried out by a Processor, to try to select a Data Processor that offers sufficient guarantees in accordance with the provisions of this Privacy Policy.
l. To enter into a confidentiality agreement and/or the document that takes its place with the Data Processor, establishing, but not limiting to, the obligations and rights of the Data Controller, the purpose, duration, nature, types of Personal Data to be processed, the purpose of the processing and the commitment to process the Personal Data in accordance with applicable laws and this Privacy Policy.
m. To demand from the Data Processor, at all times, respect for the security and privacy conditions of the Data Subject’s information, as well as his or her rights.
n. Process queries and claims issued in the terms set forth under applicable data privacy regulation.
o. Implement an internal manual of policies and procedures to ensure proper compliance with applicable privacy law and, in particular, to process queries and complaints.
p. Inform the Data Processor when certain information is under discussion by the Data Subject, once a claim has been filed and has not yet been resolved.
q. Inform upon request of the Data Subject about the use given to his/her Personal Data.
r. Inform the Data Protection Authority when there are violations to the security codes and there are risks in the administration of the information of the Data Subjects.
s. Comply with the instructions and requirements issued by the data protection authority.
Exclusively for the purposes of Personal Data concerning the creation, performance and extinction of monetary obligations, Database Operators are obliged to:
1. Guarantee, at all times to the Data Subject, the right to habeas data and the right to petition.
2. Guarantee to the Data Subject the possibility of accessing the information about him/her that exists or is in the database, and to request the updating or correction of data, all of which will be done through the mechanisms of consultations or claims, as provided by applicable law.
3. Guarantee that, in the collection, processing and disclosure of data, the rights of the Data Subject and other rights enshrined under law will be respected.
4. Allow access to information only to individuals authorized to access it.
5. Adopt policies and procedures to ensure proper compliance of data privacy law.
6. Processing inquiries and complaints from the Data Subjects.
7. Request certification from the Information Source of the existence of the authorization granted by the Data Subject, when such authorization is necessary, in accordance with the provisions set forth under applicable law.
8. Keep Data Bases in a secure manner to prevent their deterioration, loss, alteration, unauthorized or fraudulent use.
9. Periodically and timely update and rectify the data, each time the Information Sources report new information.
10. To process the petitions, queries and claims filed by the Data Subjects, under the terms set forth under applicable law.
11. Flag any information under request for review by Data Subjects, when a request for rectification or update has been submitted and the proceeding has not been completed.
12. Disclose information to Information Users within the established parameters.
13. Comply with the instructions and requirements given by the supervisory authority with regards to compliance of applicable law.
Exclusively for the purposes of Personal Data concerning the creation, performance and extinction of monetary obligations, Sources of Information shall comply with the following obligations:
1. Ensure that the information provided to Database Operators or Information Users is truthful, complete, accurate, up-to-date and verifiable.
2. Report, on a regular and timely basis to the operator, all new developments with respect to the data previously provided and take other necessary measures to ensure that the information provided to the operator is kept up to date.
3. Rectify the information when it is incorrect and inform the operators accordingly.
4. Design and implement effective mechanisms for timely reporting of information to the operator.
5. Request, when applicable, and keep a copy or evidence of the respective authorization granted by the Data Subjects of the information, and make sure not to provide the operators with any information whose supply is not previously authorized, when such authorization is necessary, in accordance with the provisions of this law.
6. Certify, on a semi-annual basis to the Information Operator, that the information provided is authorized.
7. Resolve the claims and petitions of the Data Subject in the manner set forth under applicable law.
8. Inform the operator of any information that is subject to a request for review on behalf of Data Subjects, when a request for rectification or update has been submitted, so that the operator flags such request in the Database, until the process has been completed.
9. Comply with the instructions issued by the supervisory authority in relation to compliance of applicable law.
Exclusively for the purposes of Personal Data concerning the creation, performance and extinction of monetary obligations, Information Users shall:
1. Maintain the confidentiality of the information provided to them by the Information Operators, by the Information Sources or the Data Subjects of the information and to use the information only for the purposes for which it was given to them.
2. Inform the Data Subjects, at their request, about the use that is being made of their information.
3. Keep the information received with the appropriate security measures to prevent its deterioration, loss, alteration, unauthorized or fraudulent use.
4. Comply with the instructions given by the supervisory authority.
The Data Protection Officer will be the person designated by SIMETRIK, who can be contacted by e-mail at dataprivacy@simetrik.com
The Data Protection Officer will be responsible for processing all privacy complaints and requests received by SIMETRIK, and will ensure that SIMETRIK processes personal data in compliance of all applicable data protection laws and regulations.
The functions of the Data Protection Officer include, but are not limited to, the following:
a. Inform, supervise and advise the Controller or the Data Processor of compliance requirements with this Privacy Policy and other applicable regulations.
b. Cooperate with the data protection authority and be the point of contact/communication with the data protection authority.
c. Guarantee to the Data Subject, at all times, the full and effective exercise of the right of habeas data.
d. Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
e. Timely update, rectification or deletion of data under the terms of GDPR and the Law 1581 of 2012 and other concordant and current regulations.
f. Update the information reported by the Data Controllers within five (5) business days from its receipt.
g. To process the queries and claims formulated by the Data Subjects under the terms indicated in this Privacy Policy.
h. Adopt an internal manual of policies and procedures to ensure proper compliance with the law and, in particular, for the attention of inquiries and complaints by the Data Subjects.
i. Allow access to information only to those who can access it.
j. Verify that the Data Controller has the authorization for the processing of personal data of the Data Subject.
All the processes of the organization, when carrying out their own activities, will assume the responsibilities and obligations regarding the proper handling of personal information, from its collection, storage, use, circulation and even its final disposal.
The personal information contained in the databases must be used and processed in accordance with the purposes described in this policy.
In the event that any area identifies new uses different from those described in this personal data processing policy, it must inform the Data Protection Officer, who will evaluate and manage, when applicable, its inclusion in this policy. Likewise, the following assumptions should be taken into consideration:
a. In the event that an area other than the one that initially collected the Personal Data requires the use of the Personal Data that has been obtained, this may take place provided that it is a foreseeable use for the type of services offered by SIMETRIK and for a purpose contemplated in this Privacy Policy.
b. Each area must ensure that no confidential information or Personal Data is disclosed.
c. Process leaders may not make decisions that have a significant impact on personal information, or that have legal implications, so they must validate the information directly from the Data Subject, in cases where it is necessary.
d. Only authorized personnel may enter, modify or delete Personal Data contained in the Databases or documents subject to protection. User access permissions are granted in accordance with the access control policy, according to the established profiles, which will be previously defined by the process leaders where the use of personal information is required.
e. Any use of the information different from that established will be previously consulted with the Data Protection Officer.
The storage of digital and physical information is done in media or environments that have adequate controls for data protection. This involves physical and technological security controls in authorized and properly managed repositories.
The destruction of physical and electronic media is carried out through mechanisms that do not allow their reconstruction. This is done in accordance with the retention time established for the information.
In case of any inquiry, claim, complaint or request regarding the processing of personal data of the Data Subjects, they may contact us by e-mail at dataprivacy@simetrik.com.
An incident is understood as any eventuality that affects or could affect the security of the databases or information contained therein.
In the event that the user becomes aware of any incident that has occurred, he/she must communicate it to the Data Protection Officer who will take the appropriate measures to deal with the reported incident.
The Personal Data Protection Officer shall inform the data protection authority, no later than 72 hours from the knowledge of the incident, in the case of Personal Data from residents of the European Union, no later than 15 business days for data processed in the Colombian territory, or within the deadline set forth under applicable privacy laws.
Incidents can affect both digital and physical databases and will generate the following activities:
a. Incident Notification: It is the responsibility of the personnel to report to the Data Protection Officer whenever it is presumed that an incident may affect or has affected Databases with Personal Data, as well as any suspicious event, weakness or violation of policies that may affect the confidentiality, integrity and availability of assets and personal information. The Data Protection Officer will manage its report to the data protection authority, including where applicable, no later than 72 hours after becoming aware of the incident, and to the Superintendence of Industry and Commerce through its Colombian National Database Registry, no later than 15 business days after becoming aware of the incident.
b. Containment, Investigation and Diagnosis: The Data Protection Officer must ensure that actions are taken to investigate and diagnose the causes that generated the incident.
c. Solution: The IT process, as well as any compromised areas and those directly responsible for personal data management, must prevent the security incident from reoccurring by correcting all existing vulnerabilities.
d. Incident Closure and Follow-up: The information technology and information security manager and the Data Protection Officer shall document the actions that were taken to remediate the security incident. The Data Protection Officer will prepare an analysis of the reported incidents.
The Data Subject, his assignees, his representative and/or attorney-in-fact, or whoever is determined by stipulation in favor of another; may file a complaint or request before the data protection authority for the exercise of his or her rights, or may choose to first address SIMETRIK for the Consultation or Claim directly before the company.
SIMETRIK will rectify and update, at the request of the Data Subject, the information that is inaccurate or incomplete, in accordance with the procedure and terms indicated above, for which the Data Subject must submit the request according to the channels provided by the company, indicating the update and rectification of the data and in turn must provide the documentation supporting such request.
The Data Subject may revoke at any time the consent or authorization given for the processing of his/her Personal Data, as long as there is no impediment enshrined in a legal or contractual provision.
Likewise, the Data Subject has the right to request SIMETRIK at any time the deletion or elimination of his/her Personal Data, provided that there is no legal obligation for the Data Subject’s Personal Data to remain in SIMETRIK’s Databases.
Such deletion implies the total or partial elimination of the personal information, as requested by the Data Subject in the records, files, databases or processing carried out by SIMETRIK.
This right is not absolute and therefore SIMETRIK may refuse to revoke such authorization in the following cases:
a. The Data Subject has a legal or contractual duty to remain in the database.
b. The deletion of data hinders judicial or administrative proceedings related to tax obligations, the investigation and prosecution of crimes or the updating of administrative sanctions.
c. The data is necessary to protect the legally protected interests of the Data Subject; to carry out an action in the public interest, or to comply with an obligation legally acquired by the Data Subject.
d. Any other legal grounds to reject the Data Subject’s request applies.
The personal information of the Data Subject contained in SIMETRIK's databases may be consulted, and the company will be responsible for providing all the information contained in the individual record or that is linked to the identification of the applicant, using in any case a clear and simple language.
The consultation once received by the company will be answered within a maximum term of ten (10) business days from the date of receipt of the same. The information requested by the Data Subject may be provided in writing, by e-mail or by any other means as requested by the Data Subject.
When it is not possible to attend the consultation within such term, the interested party shall be informed, stating the reasons for the delay and indicating the new date on which such consultation will be attended, which in no case may exceed five (5) working days following the expiration of the first term.
The Data Subject may consult his or her Personal Data free of charge at least once every calendar month, and in the events in which there are substantial modifications to the Information processing Policies that motivate new consultations.
However, in the event that the periodicity of the consultations is greater than one per calendar month, the Data Subject may be charged for the costs of sending, reproduction and, if applicable, certification of documents.
When it is considered that the information contained in a SIMETRIK database should be corrected, updated or deleted, or when the alleged breach of any of the duties contained in applicable data privacy law is noticed, a claim may be filed before SIMETRIK, which will be processed under the following rules:
a. The claim shall be formulated by means of a written communication addressed to SIMETRIK, with the identification of the Data Subject, the description of the facts that give rise to the claim, the address, and accompanying the documents to be asserted.
b. If the claim is incomplete, the interested party will be required within five (5) days after receipt of the claim to correct the faults. After two (2) months from the date of the request, if the applicant does not submit the required information, it will be understood that the claim has been abandoned.
c. In the event that SIMETRIK receives a Claim that it is not competent to resolve, the company will transfer the Claim to the appropriate person within a maximum term of two (2) business days and will inform the Data Subject.
d. Once the complete claim is received, the company will include in the respective database a legend that says "claim in process" and the reason for this, in a term not greater than two (2) working days. The company will keep such legend on the data under discussion until the claim is decided.
e. The maximum term to address the claim will be fifteen (15) business days from the day following the date of receipt. When it is not possible to attend the claim within said term, the company will inform the Data Subject the reasons for the delay and the new date on which the claim will be attended, which in no case may exceed eight (8) working days following the expiration of the first term.
By accepting this Policy, each Data Subject expressly authorizes SIMETRIK to carry out the processing of the Personal Data, partially or totally, including the collection, storage, recording, use, circulation, processing, suppression, transmission under the terms of this Privacy Policy and/or transfer within the country or to third countries of the data provided for the purposes described in this Privacy Policy. With the acceptance of this Policy, in your capacity as Data Subject of the Information and Personal Data collected, you authorize the processing of such data for all the purposes set forth in this Policy and especially for:
k. Use the Information and Personal Data provided to perform a conflict check in databases that gather information sources, such as the FATF Sanctions lists containing information from OFAC, former Clinton List, United Nations, European Union, FBI, Interpol and other international lists.
l. To use the Information and Personal Data provided to establish and maintain the commercial relationship; to send information regarding the legal, commercial, contractual or obligatory relationship; to collect accounts receivable; to pay accounts payable; and for any other purpose resulting from the development of the relationship that arises.
m. Use the Information and Personal Data provided to send commercial information or information that SIMETRIK considers may be of interest to the Data Subject.
n. Use the Information and Personal Data provided to make it available to the personnel in charge of the corresponding work, within the company, without excluding the possibility of being transferred to managers, consultants, advisors, persons and external offices as necessary.
o. Use the Information and Personal Data provided for marketing purposes of SIMETRIK's services, and the products and services of third parties with whom SIMETRIK maintains a business relationship.
p. Use the Information and Personal Data provided for the request of surveys and after-sales follow-up to establish the satisfaction of the services provided by SIMETRIK for statistical and continuous improvement purposes, or for qualitative and quantitative evaluations of the levels of services received by SIMETRIK.
q. For the transfer of data to third parties in the same sector or sectors related to SIMETRIK, so that the data subjects can know and have access to other options of products and services. In no case shall the transfer of this personal data be understood as a “sale” of personal data, as provided under Sections 8 and 13 of this Privacy Policy.
r. Use the Information and Personal Data provided to maintain records as required by law.
s. Use the Information and Personal Data provided to consult and update Personal Data.
t. Use the Information and Personal Data provided to issue certifications required by the Data Subject.
u. Use the Information and Personal Data provided to make accounting records.
v. To publish announcements and/or report the participation and work of SIMETRIK in the provision of services to the Registrant and/or the work of the Registrant in the development of work performed with or for SIMETRIK, in SIMETRIK presentations and SIMETRIK's website, as well as in national or international publications related to SIMETRIK's areas of practice, for which SIMETRIK may, among others, disclose the name of the Registrant and the natural persons, legal entities and entities associated with the same, the advice provided, and include a link to SIMETRIK's web page. For this purpose, SIMETRIK may, among others, disclose the name of the Data Subject and the natural persons, legal entities and entities associated with the same.
w. To provide the Information and Personal Data to the control and surveillance, administrative, police and judicial, national and international authorities, by virtue of a legal or regulatory requirement.
x. To allow access to the Information and Personal Data to auditors or third parties hired to carry out internal or external auditing processes proper to the commercial activity that SIMETRIK develops.
y. To consult and update the Information and Personal Data.
z. To contract with third parties the storage and/or processing of the Information and Personal Data for the correct execution of the contracts entered into with SIMETRIK, under the security and confidentiality standards to which SIMETRIK is bound.
Third parties may be involved in the aforementioned activities, and such activities may take place in countries different from the place where the service is contracted, without prejudice to other purposes that have been informed in this Policy and in the terms and conditions of each of the services contracted with each Data Subject.
SIMETRIK reserves the right to modify the Privacy Policy at any time. However, any modification will be available in a timely manner to the Data Subjects through the publication of the updated version on the website.
In the event that a Data Subject does not agree with the new General or Special Policy and with valid reasons that constitute a just cause for not continuing with the authorization for the processing of Personal Data, the Data Subject may request SIMETRIK to withdraw his/her information through the channels indicated in Section 20 of this document. However, Data Subjects may not request the removal of their Personal Data when the company has a legal or contractual duty to process the data.
This Policy is effective as of the date of its publication. The last updated version is dated July 23, 2024.
Emiliano Murúa Cuesta
CISO
Processing of Personal Data subject to General Data Protection Regulation
The following particularities apply to the processing of personal data subject to the application of the General Data Protection Regulation (GDPR):
A. In Section 4. (“Definitions”) the following definitions shall read as follows:
7. Sensitive Data: Sensitive data is Personal Data that may affect the privacy of the Data Subject or whose improper use may lead to the Data Subject’s discrimination, and includes data revealing racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, data related to health, sex life or sexual orientation, biometric data.
10. Habeas Data: The right of access to, and rectification or erasure of, personal data or restriction of processing concerning the Data Subject or to object to processing, as well as the right to data portability.
B. In Section 5. (“Principles”) the following principles shall read as follows:
5.1. Principle of legality in matters of data processing: The processing of Personal Data shall be carried out within the legal framework in force and in the other provisions that develop it.
5.3. Principle of freedom: processing may only be carried out if a legal basis established in GDPR applies. Personal Data may not be obtained or disclosed without prior authorization, in the absence of a different legal basis.
C. In Section 6. (“Special Categories of Data”), the following amendments shall apply:
i. Sections 6.1 (“Private Data”) and 6.2 (“Semi-private data”) shall not apply;
ii. Section 6.3 (“Sensitive Data”) shall read as follows:
6.3. Sensitive Data: Sensitive data is defined under Section 4 of this Privacy Policy.
The processing of sensitive data is prohibited except for the following cases:
− When the Data Subject grants explicit consent.
− The processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law.
− The processing is necessary to safeguard the vital interest of the Data Subject and the Data Subject is physically or legally incapacitated.
− The processing is carried out in the course of legitimate activities and with due guarantees by a foundation, NGO, association or any other non-profit organization, whose purpose is political, philosophical, religious or trade union, provided that it concerns exclusively its members or persons in regular contact with them by reason of their purpose.
− The processing relates to personal data which are manifestly made public by the data subject.
− The processing refers to data that are necessary for the recognition, exercise or defense of a right in a judicial process.
− The processing is necessary for reasons of substantial public interest.
− The processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
− The processing is necessary for reasons of public interest in the area of public health.
− The processing has a historical, statistical or scientific purpose; in the latter case, measures must be taken to suppress the identity of the Data Subjects.
6.4 Biometric Data: Biometrics refers to any information concerning identified or identifiable individuals regarding the parameters and characteristics of the human body, physical parameters that are unique to each person, such as fingerprints, eye iris, biometric photographs/images, dental pattern, voice recognition, palm print or facial features.
6.5 Data of children and adolescents: The processing of Personal Data from children and adolescents under 18 years old requires the authorization of the holder of their parental responsibilities.
iii. Section 6.6. is added as follows:
6.6 Data relating to criminal convictions and offenses: The processing of data relating to criminal convictions and offenses and related security measures requires specific authorization from EU or Member State Law.
D. Section 9. (“Legal Basis for Personal Data Processing”) shall read as follows:
SIMETRIK will only process the Personal Data of Data Subjects where at least one of the following legal bases is met:
a) The Data Subject has given his/her authorization to such processing;
b) The processing is necessary to safeguard the vital interest of the Data Subject and the Data Subject is physically or legally incapacitated.
c) The processing refers to data that is necessary to comply with a legal obligation to which SIMETRIK is subject.
d) The processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the data subject prior to entering into a contract, where this legal basis applies under applicable law.
e) Processing is necessary for the performance of a task carried out in the public interest.
f) Processing is necessary for the purposes of the legitimate interests pursued by SIMETRIK, which include the purposes set out throughout this Privacy Policy, or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of personal data, in particular where the data subject is a child.
In case of processing of sensitive personal data or data relating to criminal convictions and offenses, please refer to Section 6.
E. Purposes k. and l. of Section 10.2.1. (“Processing of Employees’ Personal Data”) shall read as follows:
k. The processing of Sensitive Personal Data (biometric and health data) by SIMETRIK is based on, depending on the specific purpose, the following legal basis: processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the Controller or of the data subject in the field of employment and social security and social protection law or the processing is necessary for the purposes of preventive or occupational health, for the assessment of the working capacity of the employee. The Sensitive Personal Data collected will be stored in databases and/or files independent from the other Personal Data that are subject to processing by SIMETRIK or, in case of health data, will be processed solely by or under the responsibility of a professional subject to the obligation of professional secrecy.
l. For unsuccessful recruitment processes, the personal data collected, stored and processed by SIMETRIK will be retained for one year following the end of the recruitment process. Regarding employees, the Personal Data (including recruitment data) shall be retained during the legally applicable retention period (no less than 10 years) or, in absence of such legal period, for the period needed in view of the purposes of processing, unless the personal data is necessary for the establishment, exercise or defense of legal claims, in which case it shall be retained for such period.
F. Section 10.2.1. (“Processing of Employees’ Personal Data”) is added as follows:
● For the purposes listed in paragraphs b), c), d), g) and j) of this section, processing is necessary for compliance with a legal obligation to which the Controller is subject;
● For the purposes listed in paragraphs a), e), g) and i) of this section, processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
● For the purposes listed in paragraphs f), h) and j) of this section, processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. The legitimate interests of the Controller consist in the management of the employees and employment functions and activities, improving the knowledge and qualifications of the employees, and ensuring contact with family in case of emergency.
The processing of certain personal data is needed for purposes of execution of the contractual relationship and/or compliance with SIMETRIK’s legal obligations, therefore, in case of refusal SIMETRIK may not be able to maintain a contractual relationship with the employee.
G. Paragraphs e) and f) of the purposes included in Section 10.2.2 (“Processing of Shareholders’ Personal Data”) shall read as follows:
e. For the purposes listed in paragraphs a) and b) above, Shareholders’ personal data is processed based on the need for the performance of a contract to which the data subject is party. For the purposes listed in paragraphs a) and c) above Shareholders’ personal data is processed for compliance with legal obligation to which the Controller is subject. Exceptionally and to the maximum extent permitted by law, SIMETRIK may process Shareholder’s personal data based on consent, a case in which we will obtain such consent in a separate document. The processing of certain personal data is needed for purposes of execution of the contractual relationship and/or compliance with our legal obligations, therefore, in case of refusal we may not be able to maintain a contractual relationship with you.
f. The information collected, stored and treated by SIMETRIK shall be retained during the legally applicable retention period or, in absence of such legal period, for the period needed in view of the purposes of processing, unless the personal data is necessary for the establishment, exercise or defense of legal claims, in which case it shall be retained for such period.
H. Paragraph n) of the purposes included in Section 10.2.3 (“Processing of Personal Customer Data”) shall read as follows:
n. The processing of Customer’s personal data is necessary for the performance of a contract to which the data subject is party, for the compliance with a legal obligation to which the Controller is subject and for the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. The legitimate interests of the Controller consist in the satisfaction and retention of customers and in improving SIMETRIK’s products and services. The processing of certain personal data is needed for purposes of execution of the contractual relationship and/or compliance with our legal obligations, therefore, in case of refusal we may not be able to maintain a contractual relationship with the Customer. In any case, the information shall be retained during the legally applicable retention period or, in absence of such legal period, for the period needed in view of the purposes of processing, unless the personal data is necessary for the establishment, exercise or defense of legal claims, in which case it shall be retained for such period.
I. Paragraph g) of the purposes listed in Section 10.2.4 (“Processing of Suppliers’ Personal Data”) shall read as follows:
g. For the purposes listed in paragraph a) above, the processing is necessary for the performance of a contract to which the data subject is party, for the compliance with a legal obligation to which the Controller is subject and for the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. The legitimate interests of the Controller consist in the daily management of the relationship with the Supplier. The processing of certain personal data is needed for purposes of execution of the contractual relationship and/or compliance with our legal obligations, therefore, in case of refusal we may not be able to maintain a contractual relationship with the Supplier. The information shall be retained during the legally applicable retention period or, in absence of such legal period, for the period needed in view of the purposes of processing, unless the personal data is necessary for the establishment, exercise or defense of legal claims, in which case it shall be retained for such period.
J. First paragraph of Section 10.2.5 (“Processing of Personal Data from Video Surveillance Recordings”) shall read as follows:
SIMETRIK, from time to time, may collect Data Subject’s personal images and video recordings, from its visitors, through its surveillance cameras and store them in a database which is classified by the company as confidential, and will only be disclosed with the express authorization of the Data Subject or when requested by a competent authority. The processing of the personal data is based on SIMETRIK’s legitimate interests of controlling the entrances and exits to the premises and ensuring the security of people and goods.
K. Section 10.2.7 “Data on Children and Adolescents” shall read as follows:
The Personal Data we collect from children and adolescents includes:
a. Identification information: Name, family members, date of birth, identification number.
b. Other: Any other information required for SIMETRIK to comply with applicable laws regarding its relationship with its suppliers.
SIMETRIK collects and processes the Personal Data of its employees’ underage sons for the sole purpose of complying with the obligations imposed by tax law.
L. Section 10.2.8 (“Cookies”) shall be added as follows:
Except in the case of essential/technical cookies, the use of cookies by SIMETRIK requires the user’s prior consent.
M. Section 14. (“Authorization of the Data Subjects of Personal Data”) shall read as follows:
Exceptionally and to the maximum extent permitted by law, we may process Personal Data based on Data Subjects’ authorization, in which case we will obtain such authorization in a separate document.
N. The following Data Subject’s rights included in Section 15.1 (“Rights of the Data Subjects”) shall be read as follows:
c. Right to erasure or the right to be forgotten: Data Subjects have the right to obtain erasure from SIMETRIK’s records or databases when the Data Subject considers that it is not being used in accordance with the principles, duties and obligations provided by law, and where other legal grounds for erasure may apply. SIMETRIK will not erase your personal data where the right of erasure does not apply.
e. Right to objection: It is the right to object to the use of your personal data when processing is based on SIMETRIK’s legitimate interests. SIMETRIK shall no longer process the personal data unless it demonstrates that there is another lawful basis for the processing or for the establishment, exercise or defense of legal claims.
i. File Complaints: Data Subjects have the right to file complaints before the competent data protection authority, including but not limited to the EU competent Data Protection Authorities and Superintendence of Industry and Commerce, for violations to the provisions set forth under applicable data protection laws and regulations.
j. Right to revoke your consent: in the exceptional cases where the processing of their personal data is based on their consent, Data Subjects can withdraw that consent at any time, without prejudice to the lawfulness of the processing executed before withdrawal.
O. Section 19.4. (“Revocation of Authorization and/or Deletion of Personal Data”) shall read as follows:
The Data Subject may withdraw at any time the consent or authorization given for the processing of his/her Personal Data. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Likewise, the Data Subject has the right to request SIMETRIK at any time the deletion or elimination of his/her Personal Data, provided that there is no legal obligation or other lawful reason established in the GDPR for the Data Subject’s Personal Data to remain in SIMETRIK’s Databases.
Such deletion implies the total or partial elimination of the personal information, as requested by the Data Subject in the records, files, databases or processing carried out by SIMETRIK.
P. Section 19.5. (“Inquiry”) shall read as follows:
The personal information of the Data Subject contained in SIMETRIK's databases may be consulted, and the company will be responsible for providing all the information contained in the individual record or that is linked to the identification of the applicant, using in any case a clear and simple language.
The consultation once received by the company will be answered within a maximum term of 1 (one) month from the date of receipt of the same. The information requested by the Data Subject may be provided in writing, by e-mail or by any other means as requested by the Data Subject.
When it is not possible to attend the consultation within such term due to the complexity and number of the inquiries, the interested party shall be informed, stating the reasons for the delay and indicating the new date on which such consultation will be attended, which in no case may exceed 2 (two) additional months following the expiration of the first term.
The Data Subject may consult his or her Personal Data free of charge. However, in the event that the Data Subject requires more than one copy of Personal Data a reasonable fee based on administrative costs may be charged. Moreover, SIMETRIK reserves the right to charge such a fee or to refuse the consultation in case of manifestly unfounded or excessive inquiries, in particular because of their repetitive character.
Q. The first paragraph of Section 19.6. (“Claims”) shall read as follows:
When it is considered that the information contained in a SIMETRIK database should be corrected, updated or deleted, when the Data Subject wants to exercise any other right such as portability or restriction of Personal Data, or when the alleged breach of any of the duties contained in applicable data privacy law is noticed, a claim may be filed before SIMETRIK, which will be processed under the following rules:
R. Paragraph e) of Section 19.6. (“Claims”) shall read as follows:
e. The maximum term to address the claim will be 1 (one) month from the day following the date of receipt. When it is not possible to attend the claim within said term due to the complexity and number of the requests, the company will inform the Data Subject of the reasons for the delay and the new date on which the claim will be attended, which in no case may exceed 2 (two) months following the expiration of the first term.
S. Section 20. (“Consequences Acceptance of the Policy”) shall read as follows:
19. CONSEQUENCES OF THE POLICY
By acknowledging this Policy, each Data Subject expressly undertakes that SIMETRIK carries out the processing of the Personal Data, partially or totally, including the collection, storage, recording, use, circulation, processing, suppression, transmission under the terms of this Privacy Policy and/or transfer within the country or to third countries of the data provided. With the acknowledgement of this Policy, in your capacity as Data Subject of the Information and Personal Data collected, you undertake the processing of such data for all the purposes set forth in this Policy and especially for:
(…)
T. Section 21 (“Modification of Policies”) shall read as follows:
SIMETRIK reserves the right to modify the Privacy Policy at any time. However, any modification will be available in a timely manner to the Data Subjects through the publication of the updated version on the website.
In the event that a Data Subject does not agree with the new General or Special Policy, the Data Subject may exercise his or her data protection rights in accordance with this policy.
Processing of Personal Data subject to Brazilian General Data Protection Law
For cases in which Data Subjects are resident in Brazil or otherwise subject to the Brazilian General Data Protection Law (Law no. 13,709/2018 or “LGPD”), the following shall apply to the processing of Personal Data.
In Section 4 “DEFINITIONS” the following amendments shall apply:
8. Data Protection Officer: It is the natural or legal person or group who meets the profile established by law and whose function is to monitor and control the application of the Privacy Policy, as well as to process any complaints or requests filed by Data Subjects.
Section 5 “GUIDING PRINCIPLES APPLICABLE TO PERSONAL DATA” shall read as follows:
In addition to the principles set forth in the Privacy Policy, SIMETRIK also applies and safeguards the following principles in the exercise of the processes of capture, registration, management, use and processing of Personal Data subject to the LGPD:
● Principle of purpose. The processing must be carried out for specific and legitimate purposes, explicitly and informed to the data subject, without the possibility of subsequent processing in a form incompatible with these purposes;
● Principle of adequacy. Compatibility of the processing with the purposes reported to the data subject;
● Principle of necessity. Limitation of processing only to the extent necessary to achieve the purposes;
● Principle of free access. Guarantee that the data subject can consult, easily and at no cost, the form and time frame of the processing, as well as the integrity of their data;
● Principle of quality of the data. Guarantee of the precision, clarity, relevance and updating of the data;
● Principle of transparency. Guarantee of clear and accurate information that is easily accessible by the data subjects;
● Principle of security. Use of technical and administrative measures to protect the data from unauthorized access and misuse;
● Principle of prevention. Adoption of measures to prevent the occurrence of damages due to processing of personal data;
● Principle of nondiscrimination. Impossibility of processing for discrimination, illicit or abusive purposes; and
● Principle of accountability. Demonstration of effective means to observe and prove compliance with the rules on protection of personal data.
In Section 6 “SPECIAL CATEGORIES OF DATA” the following amendments shall apply:
6.3 Sensitive Data: Sensitive data is defined under Section 4 of this Privacy Policy.
The processing of sensitive data subject to the LGPD is prohibited except for the following cases:
● When the Data Subject or their legal representative grants specific and highlighted consent for specific purposes;
● The processing is necessary for compliance with a legal or regulatory obligation;
● The shared processing of Personal Data is necessary for the execution of public policies provided in laws or regulations, by the public administration;
● The processing is necessary for carrying out studies by a research entity, whenever possible ensuring the anonymization of sensitive personal data;
● The processing is necessary for the regular exercise of rights, including in a contract and in a judicial, administrative and arbitration procedure;
● The processing is necessary for protecting life or physical safety of the data subject or a third party;
● The processing is necessary to protect the health, exclusively, in a procedure carried out by health professionals, health services or sanitary authorities; or
● The processing is necessary for ensuring the prevention of fraud and the safety of the Data Subject, in processes of identification and authentication of registration in electronic systems.
6.5 Data of children and adolescents: The processing of this special category of Personal Data subject to the LGPD is permitted when the purpose for such processing responds to the best interests of the children and adolescents, observing the requirements provided for in the LGPD.
In Section 9 “LEGAL BASIS FOR PERSONAL DATA PROCESSING” the following amendments shall apply:
SIMETRIK will only process the Personal Data of Data Subjects subject to the LGPD where at least one of the following legal bases is met:
a) The Data Subject has given his/her consent;
b) The processing is necessary to comply with a legal or regulatory obligation of the controller;
c) The processing is necessary for processing of data necessary for public policy purposes by the public administration;
d) The processing is necessary for the conduct of studies by a research entity, with guarantee of anonymization;
e) The processing is necessary to perform a contract or preliminary procedures related to a contract of which the Data Subject is a party;
f) The processing is necessary for regular exercise of rights in a judicial, administrative or arbitral proceeding;
g) The processing is necessary for the protection of life or physical integrity of the Data Subject or third parties;
h) The processing is necessary for protection of health, through a procedure carried out by professionals in the area of public health or by sanitary authorities;
i) The processing is necessary for the purposes of the legitimate interests of the controller or third parties; and
j) The processing is necessary for protection of credit.
Section 11 “INTERNATIONAL TRANSFER OF PERSONAL DATA” will read as follows:
The company currently performs International Personal Data Transfers. To perform the International Transfers of Personal Data outside Brazil, in addition to informing the Data Subject, SIMETRIK will ensure that the action of transmitting is regulated and that it contemplates the requirements and legal bases set forth by the LGPD, as well as instructions to be specified, updated, amended, replaced or superseded from time to time by the National Data Protection Authority (“ANPD”). In the absence of instructions from such authority, SIMETRIK can request data importers to adopt the same standard of clauses adopted under other jurisdictions.
Section 14 “AUTHORIZATION OF THE DATA SUBJECTS OF PERSONAL DATA” shall have the following amendments:
14.2. Events in which authorization is not required under the LGPD:
✔ Information required by a public or administrative entity in the exercise of its legal functions or by court order.
✔ Data of a public nature.
✔ Cases of medical or sanitary emergencies.
✔ Processing of information authorized by law for historical, statistical or scientific purposes.
✔ Where a legal basis different from consent may allow us to process the Data Subject’s Personal Data.
Section 15 “RIGHTS AND CONDITIONS OF LAWFULNESS FOR DATA PROCESSING” shall read as follows:
15.1. RIGHTS OF THE DATA SUBJECTS
The Data Subjects shall enjoy the following rights provided under article 18, LGPD:
● Right of Confirmation and Access. Data Subjects have the right to obtain confirmation as to whether or not their Personal Data is being processed. If SIMETRIK is processing their Personal Data, Data Subjects have the right of access to the Personal Data and to certain information regarding the processing, as provided for in the LGPD, including information regarding the public and private entities with which SIMETRIK shares the Personal Data.
● Right to Rectification. Data Subjects have the right to require the correction of incomplete, inaccurate, or out-of-date Personal Data.
● Right to Anonymization, Blocking or Erasure. Data Subjects have the right to request the anonymization, blocking or erasure of unnecessary or excessive Personal Data or Personal Data processed in non-compliance with the provisions of the LGPD.
● Right to Data Portability. Data Subjects have the right to request that the Personal Data processed by SIMETRIK concerning them is transmitted to another service or product provider, limited to SIMETRIK’s commercial or industrial secrets.
● Right to Withdraw Consent. Data Subjects have the right to withdraw consent at any time with future effect. This shall be without prejudice to the lawfulness of the processing of Personal Data until consent has been withdrawn. Data Subjects also have the right to request the erasure of Personal Data once consent is withdrawn and to be informed about the possibility of denying consent, and the consequences of such denial.
● Right to Object. Data Subjects have the right to object to the processing of their Personal Data to the extent that SIMETRIK relies on legal bases other than consent, in case of violation of the LGPD.
● Right to Revision. Data Subjects have the right to request the revision of decisions taken solely on the basis of automated processing of Personal Data which affects their interests, including decisions intended to define personal, professional, consumer or credit profile or aspects of their personality.
● Right to Lodge a Complaint. Data Subjects have the right to lodge complaints before the Data Protection Authority and consumer protection entities.
Section 19 “PROCEDURE FOR HANDLING INCIDENTS, COMPLAINTS, PETITIONS, INQUIRIES AND CLAIMS FROM DATA SUBJECTS” shall have the following amendments:
19.5. INQUIRY
The personal information of the Data Subject contained in SIMETRIK's databases subject to the LGPD may be consulted, and the company will be responsible for providing all the information contained in the individual record or that is linked to the identification of the applicant, using in every case clear and simple language.
Once received by the company, the consultation will be immediately acknowledged and answered within a maximum term of fifteen (15) days from the date of its receipt. The information requested by the Data Subject may be provided in writing, by e-mail or by any other means as requested by the Data Subject.
When it is not possible to respond to the consultation within such term, the interested party shall be informed, stating the reasons for the delay and indicating the new date on which such consultation will be answered, which in no case may exceed five (5) working days following the expiration of the first term.
The Data Subject may consult his or her Personal Data free of charge.