INFORMATION AND PERSONAL DATA PROCESSING POLICY OF MUNDIAL DE REPUESTOS DE MOTOS SAS

INFORMATION AND PERSONAL DATA PROCESSING POLICY OF MUNDIAL DE REPUESTOS DE MOTOS SAS (MUNDIMOTOS)

  1. General provisions.

1.1. Objective

This Information and Personal Data Processing Policy aims to establish and inform the guidelines, principles and procedures that MUNDIAL DE REPUESTOS DE MOTOS SAS (“MUNDIMOTOS”) must follow during the Processing of Personal Data of its shareholders, Strategic Allies, employees, former employees, suppliers, clients, potential clients and in general all persons regarding whom it collects, receives and processes Personal Data (“Stakeholders”), in order to protect their rights as Data Subjects and guarantee compliance with the General Regime for the Protection of Personal Data of Colombia.

1.2. Legal framework

This Policy was prepared in accordance with Colombia's General Personal Data Protection Regulations, with special consideration of the provisions established in Articles 15 and 20 of the Colombian Constitution; Law 1581 of 2012, which establishes general provisions for the protection of personal data; and Regulatory Decree 1377 of 2013.

1.3. Definitions

Throughout this Policy the following words will have the scope that accompanies them:

  • Authorization: Prior, express and informed consent granted by the Data Subject to carry out the processing of his or her Personal Data.
  • Privacy Notice: This is the verbal or written communication that the Controller will make available to Data Subjects, informing them of the existence of the Information and Personal Data Processing Policy that will apply to them, how to access it, and the purposes for which their Personal Data will be processed.
  • Database(s): Organized set of Personal Data that is the object of processing.
  • Inquiries: This is the request made by the Owner, the successor in title or their representative regarding their Personal Data found in the Databases.
  • Official social media accounts: These are profiles or pages owned and operated exclusively by MUNDIMOTOS.
  • Personal Data(s): Any information associated or that can be associated with one or more specific or determinable natural persons.
  • Public Personal Data(s): Personal Data classified as such according to the mandates of the Law or the Political Constitution and that which is not semi-private, private, or sensitive. Public data includes, among others, data relating to a person's marital status, their profession or occupation, their status as a merchant or public servant, and data that can be obtained without reservation. By its nature, public data may be contained in, among others, public registries, public documents, official gazettes and bulletins, and duly executed court rulings that are not subject to reservation.
  • Semi-private Personal Data(s): These are Personal Data that are not of an intimate, reserved, or public nature and whose knowledge or disclosure may be of interest not only to the Owner, but also to a certain sector or group of people or to society in general.
  • Private Personal Data(s): These are Personal Data that, due to their intimate or reserved nature, are only relevant to the Data Subject.
  • Sensitive Personal Data(s): These are Personal Data that affect the privacy of the Owner or whose improper use may lead to discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life and biometric data.
  • Employee or former employee: A natural person with whom the company has or had at some point an employment relationship, either directly or through temporary service agencies or worker cooperatives.
  • Data Controller: A natural or legal person, public or private, who, either alone or in association with others, processes personal data on behalf of the Data Controller.
  • Purposes: These are the purposes for which Personal Data may be processed, as authorized by the Data Subjects.
  • Staff: All natural persons associated with MUNDIMOTOS and who carry out activities aimed at developing MUNDIMOTOS' purpose in Colombia, regardless of the type of relationship. Staff shall also be understood to include all natural persons associated with the Managers.
  • Claims: A request submitted by the Data Subject, their successor in title, or their representative in cases where they believe the information contained in a Database should be corrected, updated, or deleted; or in cases where an alleged breach of a duty under the Colombian General Personal Data Protection Regime is observed.
  • General Regime for the Protection of Personal Data of Colombia/GDPR: refers to the general regulations governing the protection of personal data in Colombia, which include Statutory Law 1581 of 2012, Regulatory Decree 1377 of 2013, Decree 886 of 2014, Single Regulatory Decree 1074 of 2015, Title V of the Single Circular of the Superintendency of Industry and Commerce and any others that complement or modify it.
  • Controller: A natural or legal person, public or private, who, either alone or in association with others, decides on the database or the processing of data.
  • Strategic Partners: Individuals, independent or associated with legal entities, both national and international, with which the company has a business relationship or may establish a business relationship for the development of its corporate purpose, such as authorized service centers, authorized points of sale and distributors of spare parts and accessories, suppliers and business partners.
  • Holder(s): This is the natural person whose personal data is processed by MUNDIMOTOS.
  • Transfer: Data transfer occurs when the controller or processor of personal data, located in Colombia, sends the information or personal data to a recipient, who is in turn the controller and is located inside or outside the country.
  • Transmission: Processing of personal data that involves communicating it within or outside the territory of the Republic of Colombia, when the purpose is to carry out processing by the data processor on behalf of the controller.
  • Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.
  • Data subject: Natural person whose personal data is being processed.

  1. Rights of Personal Data Subjects

In accordance with the provisions of Article 8 of Law 1581 of 2012, the Holders shall have the following rights:

  • Know, update, and rectify your Personal Data with those responsible or in charge.
  • Request proof of the authorization granted to the Controller, except in cases where there is an exception to this requirement, in accordance with the provisions of the General Personal Data Protection Regulation.
  • To be informed by the Controller or Processor regarding the use that has been given to the Personal Data, once the Owner requests it.
  • Submit complaints to the Superintendency of Industry and Commerce for violations of the provisions of the General Personal Data Protection Regime.
  • Revoke Authorization or request the deletion of Personal Data in cases where constitutional and legal principles, rights, and guarantees are not respected during Processing.
  • Access your Personal Data that has been processed free of charge.

The above list should be understood as illustrative and not exhaustive, as the rights of the holder are understood to include all those conferred by Colombian legislation and international standards applicable in the country.

  1. Duties and obligations of MUNDIMOTOS

Given that MUNDIMOTOS shares the roles of Controller and Processor, it is your responsibility to fulfill the following duties in each case:

3.1. Duties and obligations as Controller.

MUNDIMOTOS, as the Controller, undertakes to:

  • Guarantee the Holder, at all times, the full and effective exercise of the right to habeas data.
  • Request and keep a copy of the Authorization granted by the Owner.
  • Properly inform the Data Subject about the purpose of the collection and the rights to which he or she is entitled by virtue of the Authorization granted.
  • Keep Personal Data under the necessary security conditions to prevent its adulteration, loss, unauthorized or fraudulent consultation, use, or access.
  • Ensure that the information provided to the Managers is true, complete, accurate, up-to-date, verifiable and understandable.
  • Update the information, promptly communicating to the Data Controller any new developments regarding the Personal Data previously provided to him/her and adopting any other measures necessary to ensure that the information provided to him/her remains up-to-date.
  • Correct information when it is incorrect and notify the Manager.
  • Provide the Data Controller only with Personal Data whose processing has been previously authorized in accordance with the provisions of the General Personal Data Protection Regulation.
  • Require the Controller to respect the security and privacy conditions of the Data Subject's information.
  • Process inquiries and complaints submitted in accordance with the General Personal Data Protection Regulation.
  • Adopt internal policy and procedure manuals to ensure proper compliance with the provisions of the General Personal Data Protection Regulation.
  • Inform the Manager when certain information is being disputed by the Owner, once the claim has been submitted and the respective process has not been completed.
  • Inform, at the request of the Owner, about the use given to their Personal Data.
  • Inform the data protection authority when security code violations occur and there are risks in the management of Data Subjects' information.
  • Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

3.2. Duties and obligations as Manager

MUNDIMOTOS, as Manager, undertakes to:

  • Guarantee the Holder, at all times, the full and effective exercise of the right to habeas data.
  • Keep information under the necessary security conditions to prevent its alteration, loss, unauthorized or fraudulent consultation, use, or access.
  • Promptly update, rectify, or delete data in accordance with the terms established by the General Personal Data Protection Regulation.
  • Update the information reported by the Responsible Parties within five (5) business days from receipt.
  • Process queries and complaints submitted by data subjects in accordance with the terms set forth in the General Personal Data Protection Regulation.
  • Adopt an internal manual of policies and procedures to ensure proper compliance with the General Personal Data Protection Regime.
  • Record the legend "claim in process" in the database in the manner regulated by the General Personal Data Protection Regime.
  • Insert the legend "information under judicial discussion" into the database once notified by the competent authority about judicial proceedings related to the quality of personal data.
  • Refrain from circulating information that is being disputed by the Owner and whose blocking has been ordered by the Superintendency of Industry and Commerce.
  • Allow access to information only to those who are entitled to it, in accordance with Article 13 of Law 1581 of 2012.
  • Inform the data protection authority when security code violations occur and there are risks in the management of Data Subjects' information.
  • Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce
  1. Processing of Personal Data

4.1. Personal Data Subject to Processing

In accordance with the principles established by the General Personal Data Protection Regime, MUNDIMOTOS will limit itself to collecting Personal Data that is relevant and appropriate for the Purposes for which it is requested and authorized by the Data Subject.

The Personal Data collected and processed by MUNDIMOTOS depends on the context of its interactions with its Stakeholders, future requests made by Personal Data Subjects regarding the Processing of their information, and the services or products used by the Subject by MUNDIMOTOS. However, in general, MUNDIMOTOS will refrain from collecting and processing Sensitive Personal Data and Personal Data of children and/or adolescents. In cases where it is absolutely necessary to collect this type of Personal Data, MUNDIMOTOS will inform Subjects of the Sensitive Personal Data and/or Personal Data of children and/or adolescents that will be processed and will request the corresponding authorization, in accordance with the terms established by the General Personal Data Protection Regulation.

4.2. Authorization for the Processing of Personal Data

MUNDIMOTOS reserves the right to collect and process Personal Data and to request a copy of the respective Authorization, either directly or through its Strategic Partners or suppliers acting as Processors. In the latter case, the Strategic Partners may act as Controllers independent of MUNDIMOTOS, as well as as Processors of MUNDIMOTOS, a situation that will be communicated through the corresponding Authorization.

MUNDIMOTOS will only process Personal Data that has been previously, expressly, and informedly authorized by the Data Subject through written or verbal authorization, or through unequivocal conduct on the part of the Data Subject. A copy of the aforementioned authorization will be retained by MUNDIMOTOS.

At the time the Data Subject grants their Authorization, MUNDIMOTOS will inform them of the Purposes and Processing to which their Personal Data will be processed, their rights, and the means by which they may exercise them. The Data Subject may revoke their authorization and request the immediate deletion of their Personal Data through the channels established in this Policy, unless they have a contractual or legal obligation to maintain their Personal Data in the Database.

MUNDIMOTOS reserves the right to collect personal data from various stakeholders, such as their image, upon entering its offices for security reasons and for the sole purpose of complying with surveillance protocols. In this case, authorization will be granted by unequivocal entry into the facilities, in accordance with the provisions of the corresponding privacy notices.

MUNDIMOTOS will not be required to request authorization from the Personal Data Subject when it concerns: i) information required by a public or administrative entity in the exercise of its legal functions or by court order; ii) public data; iii) cases of medical or health emergencies; iv) information authorized by law for historical, statistical, or scientific purposes.

In the aforementioned events, MUNDIMOTOS may collect Personal Data, including Sensitive Data, and transfer or deliver it to the corresponding public or administrative entities, or those they delegate, in the exercise of their functions, without it being necessary to notify the Data Subject of this fact. In these scenarios, MUNDIMOTOS will refrain from using the Personal Data for its own purposes.

4.3. Mechanisms for requesting Authorization and collecting Personal Data

MUNDIMOTOS may request authorization for the processing of personal data from its stakeholders in the following ways:

  • Written: This is the means by which MUNDIMOTOS, in the development of its corporate purpose and economic activities, physically and in person, requests the Data Subject's Authorization for the processing of their Personal Data, using one of the current models.
  • Oral: is the means through which, audibly, in person, MUNDIMOTOS, in the development of its corporate purpose and its economic activities, will request Authorization and collect Personal Data.
  • Virtual: This is the means by which MUNDIMOTOS, using technological means, requests the Data Subject's authorization to process their Personal Data. Some of the authorized technological means are: the website, chat, and official social media accounts.
  • By unequivocal conduct: This is the means by which MUNDIMOTOS can reasonably conclude that a Data Subject has granted their Authorization for the Processing of their Personal Data, based on the conduct carried out by the Data Subject.

MUNDIMOTOS may collect its Customers' Personal Data through, among others, the following channels: its website, its website chat, the chat on the social media platforms of the brands it sells; its Authorized Service Centers; its Points of Sale; and the events it holds.

4.4. Purposes of the Processing of Personal Data

Without prejudice to and in addition to the purposes contained in the Data Processing Authorization, MUNDIMOTOS will process Personal Data in accordance with the following Purposes:

4.4.1. Shareholders

  • Maintain efficient communication with information that is useful for the development and fulfillment of existing obligations to our shareholders.
  • Carry out all administrative, accounting, and tax activities that enable MUNDIMOTOS to fulfill its social, corporate, credit, and other obligations to its shareholders.
  • Submit information to supervisory and oversight authorities and support internal or external audit processes.

4.4.2. Strategic Allies

  • Maintain efficient communication with information that is useful for the development and fulfillment of existing obligations between MUNDIMOTOS and the Strategic Allies.
  • Send institutional, commercial, and other information of interest to strengthen and fulfill the commercial relationship between MUNDIMOTOS and the Strategic Allies, for the sector and/or industry.
  • Verify information in risk centers or restrictive lists, with the purpose of using it as an element of analysis in the business relationship, and when necessary, prepare the appropriate reports.
  • Send technical information about MUNDIMOTOS products or services that Strategic Partners are authorized to offer.
  • Track quotes, sales, and actual deliveries of MUNDIMOTOS products.
  • Monitor the management of Authorized Service Centers and distribution and sales centers.
  • Monitor after-sales service for MUNDIMOTOS products and services.
  • Develop training programs on topics relevant to the business relationship between MUNDIMOTOS and Strategic Allies, for the sector and/or industry.
  • Review and analyze documents for credit allocation.
  • Carry out information update processes.
  • Carry out administrative, accounting, and tax activities that enable MUNDIMOTOS to fulfill its social, corporate, credit, and contractual obligations with its Strategic Partners.
  • Contact and contract service or product providers that MUNDIMOTOS requires for the development of its activities and the provision of its facilities or offices, as well as submit the necessary requests to report the accounting, legal, and tax information related to them.
  • Carry out all necessary activities to properly execute existing contracts with Suppliers.
  • Verify information in risk centers or restrictive lists, with the purpose of using it as an element of analysis in the business relationship, and when necessary, prepare the appropriate reports.
  • Carry out accounting, tax, administrative, due diligence, invoicing, and other tasks related to the business relationship.
  • To make direct contact or through any third party duly accredited by MUNDIMOTOS for commercial or promotional purposes, to provide information on products of interest, to collect payments, and to use any available means of contact, including email, text messages, phone calls, WhatsApp, among others.
  • Submit information to control and surveillance authorities and support internal or external audit processes. Conduct statistical studies or accounting processes.

4.4.3. Workers or former workers

  • Develop selection, evaluation, and job placement processes, conduct security studies, and maintain efficient communication of information useful for these processes; and understand and evaluate information related to their academic, professional, and work activities.
  • Carry out all necessary activities to properly execute existing contracts with MUNDIMOTOS employees and fulfill the obligations arising from them, including the payment of salaries, social benefits, and other obligations arising from the employment relationship.
  • Verify compliance with MUNDIMOTOS' internal policies and business purposes, which include, but are not limited to, compliance with legal or contractual obligations with third parties.
  • Maintain efficient communication of information that is useful for the development and fulfillment of existing contracts with employees.
  • Manage MUNDIMOTOS' information and communications systems, including creating backup copies and files of the information contained on the equipment provided by MUNDIMOTOS.
  • Implement corporate employee wellness programs, monitor the Health and Safety Management System, and promote and prevent health activities.
  • Send communications by physical mail, email, mobile devices, or through any other analogous and/or digital means of communication with commercial, advertising, or promotional information about services, events, promotions, campaigns, and/or contests of a commercial or advertising nature, carried out by MUNDIMOTOS.
  • Report on current issues related to the activities of MUNDIMOTOS and the development of its corporate purpose.
  • Submit information to supervisory and oversight authorities, support internal or external audit processes, and conduct statistical studies or accounting processes.
  • Send information related to the settlement, completion of activities, and participation in future selection processes, following the termination of the employment contract.

4.4.4. Customers and potential customers

  • Respond to requests, questions, complaints, or claims submitted by data subjects through the company's customer service channels regarding MUNDIMOTOS products and/or services; and regarding MUNDIMOTOS services or products requested or received through a Business Partner.
  • To make direct contact or through any third party duly accredited by MUNDIMOTOS for commercial or promotional purposes, to provide information on products of interest, to collect payments, and to use any available means of contact, including email, text messages, phone calls, WhatsApp, among others.
  • Consult information in restrictive lists and other public sources for managing ML/TF/FPDAM risks.
  • Share, transfer, and transmit information to MUNDIMOTOS' partner companies for the purposes of risk analysis due to their relationship and due diligence procedures in compliance with applicable regulations.
  • Advance activities that allow for effective connection with MUNDIMOTOS.
  • Monitor the experience received at Authorized Service Centers and sales outlets managed directly by MUNDIMOTOS or its Strategic Partners; conduct satisfaction campaigns; and monitor the provision of MUNDIMOTOS services and products.
  • Verify information in risk centers or restrictive lists, with the purpose of using it as an element of analysis in the business relationship, and when necessary, prepare the appropriate reports.
  • Report on the status of financial support requests activated for the purpose of purchasing MUNDIMOTOS products and/or services.
  • Report on changes to MUNDIMOTOS and Strategic Partners' products and services and conduct after-sales activities.
  • Conduct information analysis activities, generate statistics, reports, research, market studies, and satisfaction assessments.
  • Response and follow-up to the management of requests, complaints, and claims of all kinds.
  • Accompanying buyers and shipping products.
  • Sending commercial, educational, industry or sector-relevant, and service information.
  • Carry out information update processes.
  • Report changes to MUNDIMOTOS policies and/or procedures.
  • Support internal or external audit processes.

4.5. Access to Personal Data

Access to the Databases under the responsibility of MUNDIMOTOS will only be available to MUNDIMOTOS Personnel who require access and processing of the information in order to carry out their duties.

MUNDIMOTOS will not share or provide the Databases or the Personal Data stored therein to third parties with whom it has no relationship. However, when required to achieve the authorized Purposes, the Personal Data may be legitimately transferred to third-party partners, with whom the corresponding personal data transfer agreement will be signed to protect the information and the rights of the Data Subjects, and to take all appropriate measures to ensure that the information is processed in compliance with this Policy.

4.6. Unsolicited Personal Data

Prior to formally initiating a business or employment relationship with MUNDIMOTOS, we may receive Personal Data without the Data Subject's authorization. In these cases, the Data Subject accepts that, by their unequivocal action of submitting their information to MUNDIMOTOS, they authorize the processing of their Personal Data for purposes strictly related to the process or request submitted to MUNDIMOTOS.

Authorization for unequivocal conduct will apply, including, but not limited to, the submission of information from: i) individuals who wish to work at MUNDIMOTOS; and ii) individuals who wish to become MUNDIMOTOS suppliers.

Without prejudice to the foregoing, and only if the relationship with these third parties is formalized, the signature of the corresponding Authorization will be requested to continue with the Processing of Personal Data.

4.7. Time Limitations on the Processing of Personal Data

MUNDIMOTOS will retain a record of its Stakeholders' information before, during, and after the termination of the contractual relationship. This information may include Personal Data and will be retained only for the aforementioned Purposes. This information will be retained for a reasonable retention period, taking into account: (i) the duration of our relationship with you and the provision of our services; and (ii) there is a legal, accounting, or administrative obligation and/or legal, administrative, auditing, or regulatory requirements to which we are subject.

  1. Information security commitments

MUNDIMOTOS is committed to the confidentiality and security of the Personal Data stored in its Databases, subject to access and availability restrictions, preventing unauthorized third parties from accessing them.

Therefore, MUNDIMOTOS guarantees that Personal Data Holders will retain their data under industry-standard security conditions, preventing its alteration, loss, theft, public access, unauthorized or fraudulent use or access, and implementing internal practices that contribute to a secure information environment.

  1. Attention to Queries and Complaints Related to the Processing of Personal Data

6.1. Area responsible for handling queries and complaints

Area

Customer service

Address

Calle 38 #52-30 Medellín, Antioquia.

Mail

compraya@mundimotos.com.co

Phone

(604)2324513

6.2. Procedure for submitting queries

  • The Owners, their successors in title, representatives or agents may consult the Owner's personal information under the responsibility of MUNDIMOTOS, so that MUNDIMOTOS can provide them with all the information contained in its Databases that is linked to the Owner.
  • Queries must be submitted to the service channels established in section 6.1.
  • MUNDIMOTOS may request full identification of the applicant and documents proving the capacity of Owner, successor in title, representative, or attorney in charge, in cases where it deems it necessary.
  • The query will be answered within a maximum period of ten (10) business days, counted from the date of receipt thereof. When it is not possible to answer the query within this period, the interested party will be informed, stating the reasons for the delay and indicating the date on which their query will be answered, which in no case may exceed five (5) business days following the expiration of the first term.

6.3. Procedure for submitting Claims

  • Data Subjects, their successors in title, representatives, or attorneys-in-fact who believe that the information contained in the Databases should be corrected, updated, or deleted, or who become aware of a suspected breach of the General Personal Data Protection Regulation, may file complaints with MUNDIMOTOS.
  • Claims must be submitted to the service channels established in section 6.1., and must include the following:

- identification of the Holder;

- capacity in which the applicant acts;

- document proving the capacity in which the applicant acts;

- description of the facts giving rise to the Claim;

- notification and response address; and,

- the documents or evidence that are intended to be used.

  • If the Claim is incomplete, MUNDIMOTOS will require the Holder to correct the deficiencies within five (5) business days of receipt. If two (2) months pass from the date of the request without the applicant submitting the required information, it will be understood that the Claim has been withdrawn.
  • Once the complete Claim has been received, the record associated with the Holder will become inactive and will be included in the Databases containing information associated with the Holder, with a legend stating "claim in process." Additionally, a customer request record, of the claim type, will be associated with the Claim, allowing the reason for the claim to be observed within a period of no more than two (2) business days. This legend will remain in effect until the Claim is decided.
  • The maximum term for addressing the claim will be fifteen (15) business days counted from the day following the date of receipt. When it is not possible to address the claim within this term, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.
  1. Final provisions.

7.1. Validity of the Policy

This document entered into force as of July 1, 2022.

Any substantial changes to this Policy will be communicated promptly through its website and through the means it generally uses to contact Data Subjects, at least 10 business days prior to their entry into force.

7.2. Validity of the Databases

The Databases managed by MUNDIMOTOS will be valid for the same period as the Personal Data is used for the Purposes described in this Policy; and the Personal Data included in these will be retained unless the Data Subject requests its deletion and there is no legal or contractual obligation to retain the information.

Modified: October 11, 2023.