Internal Policy for the Processing, Retention, and Deletion of Personal Data

Article 1 – PURPOSE:

This document complies with the provisions set forth in subsection (k), Article 17, Title VI of Law 1581 of 2012, which regulates the duties of those responsible for the processing of personal data, specifically regarding the adoption of an internal manual of policies and procedures to ensure proper compliance with the law and, in particular, to address inquiries and handle complaints.

It also aims to guarantee and protect the fundamental right to habeas data within the framework of the guidelines established by the aforementioned law and Articles 15 and 20 of the Colombian Political Constitution.

Article 2 – SCOPE:

The INTERNAL POLICY FOR THE PROCESSING, RETENTION, AND DELETION OF PERSONAL DATA implemented by GÉNESIS BANCA DE INVERSIÓN S.A.S. establishes the methodology for the processing of personal information of our clients, suppliers, and interested third parties, stored in our databases, in accordance with the requirements of Law 1581 of 2012, which seeks to:

“Develop the constitutional right that all individuals have to know, update, and rectify the information collected about them in databases or files, and other constitutional rights, freedoms, and guarantees referred to in Article 15 of the Political Constitution, as well as the right to information established in Article 20 thereof.”

This policy also complies with Regulatory Decree 1377 of 2013, which regulates aspects related to the authorization granted by the data subject for the processing of their personal data, the data processing policies of controllers and processors, the exercise of data subjects’ rights, and the transfer of personal data.

Article 3 – DEFINITIONS:

We adopt the concepts set forth in Article 3 of Law 1581 of 2012 and Decree 1377 of 2013, which establish the following:

1. Authorization: Prior, express, and informed consent of the Data Subject for the processing of personal data.

2. Database: An organized set of personal data that is subject to processing.

3. Personal Data: Any information linked or that can be associated with one or more determined or determinable natural persons.

4. Processor (Encargado del Tratamiento): A natural or legal person, public or private, who, alone or in association with others, carries out the processing of personal data on behalf of the Controller.

5. Controller (Responsable del Tratamiento): A natural or legal person, public or private, who, alone or in association with others, decides on the database and/or the processing of the data.

6. Data Subject (Titular): A natural person whose personal data is subject to processing.

7. Processing (Tratamiento): Any operation or set of operations performed on personal data, such as collection, storage, use, circulation, or deletion.

8. Privacy Notice: Verbal or written communication issued by the Controller to the Data Subject for the processing of their personal data, informing them of the existence of the applicable data processing policies, how to access them, and the purposes of the intended data processing.

9. Public Data: Data that is not classified as semi-private, private, or sensitive. Public data includes, among others, data related to a person’s civil status, profession or trade, and their status as a merchant or public servant. By nature, public data may appear in public records, official documents, gazettes, bulletins, and final judicial rulings not subject to confidentiality.

10. Sensitive Data: Data that affects the privacy of the Data Subject or that, if misused, could lead to discrimination. This includes data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social or human rights organizations, or political parties, as well as data related to health, sexual life, and biometric information.

11. Transfer: The transfer of data occurs when the Controller and/or Processor of personal data located in Colombia sends the information or data to a recipient who, in turn, is responsible for the processing and is located either within or outside the country.

12. Transmission: The processing of personal data involving its communication within or outside the territory of the Republic of Colombia when the purpose is for the Processor to perform the processing on behalf of the Controller.

Article 4 – PRINCIPLES:

The principles governing this policy are aligned with those established by law and are as follows:

1. Principle of Legality in Data Processing: We adhere to constitutional, legal, and ethical guidelines in the processing of personal data.

2. Principle of Purpose: The processing of our clients’ personal information serves the legitimate purposes of our organization and complies with the Constitution and the law. This purpose is communicated to the data subject.

3. Principle of Freedom: The handling of personal information by the organization has been previously and expressly authorized by the data subject. This data is not obtained or disclosed without prior consent, unless there is a legal or judicial mandate that waives such consent.

4. Principle of Truthfulness or Quality: The information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. The processing of partial, incomplete, misleading, or error-inducing data is prohibited.

5. Principle of Transparency: We guarantee the data subject access to information regarding the existence of data concerning them at any time and without restriction.

6. Principle of Restricted Access and Circulation: Processing is limited to the scope of the contractual relationship with the Data Subject and the provisions of this law and the Constitution.

7. Accordingly, data processing may only be carried out by persons authorized by the Data Subject and/or those legally permitted under this law.

8. Online access to personal information is controlled in such a way that only the data subject may access it.

9. Principle of Security: We manage our technology platform using mechanisms that ensure the security of records, preventing their alteration, loss, or unauthorized or fraudulent consultation, use, or access.

10. Principle of Confidentiality: Personal data obtained as a result of commercial and/or contractual relationships with our clients is considered confidential and will be used solely for purposes aligned with the development of our corporate purpose.

Article 5 – AUTHORIZATION:

The collection, storage, use, circulation, or deletion of personal data by GÉNESIS BANCA DE INVERSIÓN S.A.S. requires the free, prior, express, and informed consent of the data subject. Efficient mechanisms are in place to obtain such authorization and to verify it at any time.

Authorization is a declaration in which the data subject is informed about the following:

1. The Controller or Processor responsible for collecting the information.

2. What personal data is being collected.

3. The purpose of such collection.

4. The rights the data subject has regarding access, correction, updating, or deletion of the personal data provided.

5. What sensitive data is collected (if applicable).

Information from our clients who access the website is initially collected through the contact form on our website, where they are informed and asked to accept our Policy for the Processing, Retention, and Deletion of Personal Data. It is not mandatory for clients who access the website to provide their personal data; however, such data, along with acceptance of our Data Policy, is required in order to contact us through this channel.

Authorization records for the processing of personal data are digitized and stored on our website platform and email platform (outlook.com) for future retrieval when necessary.

Article 6 – RIGHTS OF DATA SUBJECTS:

In accordance with Article 8 of Law 1581 of 2012 and Article 18 of Decree 1377 of 2012, the data subject has the following rights:

1. To know, update, and correct their personal data in relation to GÉNESIS BANCA DE INVERSIÓN S.A.S.

2. To request proof of the authorization granted to GÉNESIS BANCA DE INVERSIÓN S.A.S.

3. To be informed by GÉNESIS BANCA DE INVERSIÓN S.A.S., upon request, about the use that has been made of their personal data.

4. To file complaints with the Superintendence of Industry and Commerce regarding violations of the provisions of Law 1581 of 2012, after having exhausted the internal remedies provided by GÉNESIS BANCA DE INVERSIÓN S.A.S.

5. To revoke the authorization and/or request the deletion of their data when the processing does not respect constitutional and legal principles, rights, and guarantees.

6. To access their personal data that has been subject to processing, free of charge.

Article 7 – DUTIES OF GÉNESIS BANCA DE INVERSIÓN S.A.S. REGARDING PERSONAL DATA PROCESSING:

1. To guarantee the Data Subject, at all times, the full and effective exercise of the right to *habeas data*.

2. To request and retain, under the conditions established by this law, a copy of the respective authorization granted by the Data Subject.

3. To properly inform the Data Subject about the purpose of the data collection and the rights they are entitled to under the granted authorization.

4. To store the information under the necessary security conditions to prevent its tampering or loss, or its unauthorized or fraudulent consultation, use, or access.

5. To ensure that the information provided to the Processor is truthful, complete, accurate, up-to-date, verifiable, and understandable.

6. To update the information, promptly notifying the Processor of any changes to the data previously supplied, and to adopt any other necessary measures to keep the data updated.

7. To correct the information when it is incorrect and communicate the corrections to the Processor.

8. To provide the Processor, as applicable, only with data that has been previously authorized for processing in accordance with this law.

9. To require the Processor, at all times, to respect the security and privacy conditions of the Data Subject's information.

10. To process inquiries and complaints in the terms established by this law.

11. To adopt an internal manual of policies and procedures to ensure proper compliance with this law, especially concerning the handling of inquiries and complaints.

12. To inform the Processor when certain information is under dispute by the Data Subject, once a complaint has been submitted and the relevant procedure is still ongoing.

13. To inform the Data Subject, upon request, about how their data has been used.

14. To inform the data protection authority in the event of security breaches or risks in the management of the Data Subjects' information.

15. To comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

Article 8 – PROCEDURES:

The data subject may submit requests, inquiries, and complaints, and exercise their rights to know, update, correct, and delete their data, as well as revoke authorization.

To effectively enforce the rights set forth in Article 6 of this document, GÉNESIS BANCA DE INVERSIÓN S.A.S. will implement appropriate verification mechanisms to confirm that the request indeed originates from the data subject before proceeding with the corresponding request, inquiry, or complaint. Once the identity of the data subject is confirmed, the company will proceed to process the relevant request.

Paragraph 1: INQUIRIES AND REQUESTS. 

Inquiries will be addressed within a maximum of ten (10) business days from the date of receipt. If the inquiry cannot be answered within this period, the applicant will be informed of the reasons for the delay and the date on which the inquiry will be addressed, which in no case may exceed five (5) business days following the expiration of the initial term.

Paragraph 2: COMPLAINTS.

To process complaints, the following information must be provided: identification of the data subject, a description of the facts giving rise to the complaint, the address, and any supporting documents the complainant wishes to present. If the complaint is incomplete, GÉNESIS BANCA DE INVERSIÓN S.A.S. will notify the complainant within five (5) business days of receiving the complaint, requesting the missing information. If two (2) months pass without the required information being submitted, the complaint will be deemed withdrawn.

If the person receiving the complaint is not competent to resolve it, they will forward it to the appropriate party within a maximum of two (2) business days and inform the complainant of the situation.

Once the complete complaint is received, a note stating "complaint in process" and its reason will be included in the database within a maximum of two (2) business days. This note must remain until the complaint is resolved.

The maximum term to address the complaint will be fifteen (15) business days from the day following its receipt. If it is not possible to respond within this term, the complainant will be informed of the reasons for the delay and the date on which the complaint will be answered, which in no case may exceed eight (8) business days after the initial term has expired.

Paragraph 3: DATA DELETION.

The data subject has the right, at any time, to request the deletion of their personal data from GÉNESIS BANCA DE INVERSIÓN S.A.S. when they consider that:

- The data is not being processed in accordance with the principles, duties, and obligations established by Law 1581 of 2012; 

- The data is not necessary or relevant for the purpose for which it was collected; 

- The data has exceeded the necessary period for fulfilling the purpose for which it was collected.

In any case, data deletion is not an absolute right, and GÉNESIS BANCA DE INVERSIÓN S.A.S. may deny its execution in the following cases:

- The data subject has a legal or contractual obligation to remain in the database; 

- Deletion could hinder judicial or administrative proceedings related to tax obligations, criminal investigations or prosecutions, or administrative sanctions; 

- The data is necessary to protect legally protected interests of the data subject, to carry out actions in the public interest, or to comply with an obligation legally acquired by the data subject.

Paragraph 4: REVOCATION OF AUTHORIZATION. 

Data subjects may revoke their authorization for the processing of personal data at any time, provided there is no legal or contractual impediment. In any case, the timelines for processing revocation requests will follow the provisions of Paragraph 2 of this Article in accordance with Article 15 of Law 1581 of 2012.

It should be noted that in certain cases, consent may not be revocable due to the contractual nature of the relationship between the data subject and GÉNESIS BANCA DE INVERSIÓN S.A.S., or because of legal requirements.

Article 9 – PURPOSE OF THE USE OF COLLECTED DATA:

The personal data requested by GÉNESIS BANCA DE INVERSIÓN S.A.S. is intended for the following purposes:

- To establish effective communication with our clients, suppliers, and interested third parties, as a result of fulfilling our corporate purpose and the contractual relationship with them. 

- To promote our services and products. 

- To inform about updates, new products, or services related to our corporate purpose. 

- To fulfill obligations contracted with our clients, suppliers, and interested third parties, derived from the execution of our corporate purpose and contractual relations. 

- To carry out satisfaction surveys regarding the services provided. 

- To conduct customer due diligence activities (“conocimiento del cliente”). 

- To transfer personal data to third parties commercially linked to GÉNESIS BANCA DE INVERSIÓN S.A.S. 

- To determine whether our clients qualify for the services offered by GÉNESIS BANCA DE INVERSIÓN S.A.S. and to assess their risk level.

In accordance with the provisions of Law 1581 of 2012, we inform the data subject of the personal data collected in our database for the purposes mentioned above. The data will be retained for as long as any type of contractual and/or legal obligations remain in force.

Article 10 – RESPONSIBILITY:

GÉNESIS BANCA DE INVERSIÓN S.A.S., a duly incorporated commercial company, designates its legal representative—or whoever acts in their stead—as the individual responsible for handling requests, inquiries, and complaints, as described in Article 8 of this document. 

The data subject may exercise their rights to access, update, correct, and delete their personal information, as well as to revoke authorization, through written communication, email, or in person at the following address:

Carrera 7 # 71 – 21 Torre B, Office 1003, Bogotá, Colombia 

Phone: +57 (601) 4824321 

Email: info@genesis.com.co

Article 11 – VALIDITY:

This INTERNAL POLICY FOR THE PROCESSING, RETENTION, AND DELETION OF PERSONAL DATA has been effective since January 15, 2018.