GO.CO

Personal Data Protection Policy


1. LEGAL FRAMEWORK

Article 15 of the Political Constitution of Colombia enshrines the right of any citizen to access, update and rectify their Personal Data compiled in any Database and/or files of public or private entities. It also orders those who possess Personal Data of third parties to respect the rights and guarantees laid out in the Constitution whenever collecting, processing and circulating this type of information.

Statutory Law 1581 / 2012 (“Law 1581 / 2012”) establishes the minimum conditions conducive to the legitimate processing of Personal Data belonging to clients, employees and any other individual. Item (f) of Article 18 of Law 1581 / 2012 obligates Personal Data Processors to adopt “policies and procedures to ensure due compliance therewith, in particular, vis-à-vis queries and claims from any Data Subject”. Article 25 of Law 1581 / 2012 also provides that compliance with the data processing policy is mandatory and that failure to do so will entail sanctions. This policy must ensure the processing level defined in Law 1581 / 2012 as a minimum.

Chapter 3 of Decree 1377 / 2013 governs aspects relating to the contents and requirements of Information Processing Policies and Privacy Notices.

Resolution 1652 / 2008 issued by the Ministry of Information and Communication Technologies of Colombia (“MINTIC”), as amended, establishes the policy framework for the (a) promotion, administration and operation of the Colombian Internet Top-Level Domain (ccTLD “.CO”) and (b) the delegation of domain names under the “.CO” domain.

.CO INTERNET S.A.S., as the operator responsible for the operation of the ccTLD “.CO”, with delegation from and supervision over the Registry Services, Promotion and Marketing duties by the MINTIC, undertakes to respect the data privacy rights of its clients, employees and third parties in general. Therefore, .CO INTERNET S.A.S. adopts this Protection Policy, whose application is mandatory in all activities involving Personal Data Processing.

2. MANDATORY ENFORCEMENT

This Policy must be strictly complied with by all employees, contractors and third parties acting on behalf of .CO INTERNET S.A.S.

All employees must abide by and follow this Policy in the performance of all their duties, in pursuance of Paragraph 1 of Article 58 of the Substantive Labor Code, whereby the worker must “abide by the provisions laid out in the rules, follow and comply with the orders and instructions that may be given by the supervisor or his/her representatives”.

In the absence of a labor relation, a clause must be included in the contract so that those acting on behalf of .CO INTERNET S.A.S. are forced to follow this Policy.

Failure to comply with this Policy may entail labor or contractual liability sanctions, as may be the case. The foregoing does not preclude those who fail to comply with this Policy from being financially liable for the damages caused to the Data Subjects and/or to .CO INTERNET S.A.S., for violating this Policy or for unduly processing the Personal Data.

3. DEFINITIONS

  • 3.1 Authorization

    Prior, express and informed consent of the Data Subject to Process their Personal Data.

  • 3.2 Query

    Request made by the Data Subject or persons authorized by the Data Subject or by law to gain access to the information of said Data Subject available in the Databases or information files.

  • 3.3 Databases

    Organized set of Personal Data to be Processed.

  • 3.4 Personal Data

    Any information related or which may be linked to one or several determined or determinable individuals, including Data Subjects. Data such as name, identity card number, mailing address, email, phone number, marital status and health information are a few examples of Personal Data. Personal Data are classified as sensitive, public, private and semi-private.

    • 3.4.1 Sensitive Personal Data

      Data affecting Data Subjects' intimacy, or the use of which may lead to the person’s discrimination, e.g. those revealing the person’s racial or ethnic origin, political orientation, religious or philosophical beliefs, membership to unions, social organizations, human rights organizations or promoting the interests of any political party or guaranteeing the rights and guarantees of opposition political parties, as well as data relating to health, sex life and biometric data (fingerprints, among others).

    • 3.4.2 Public Personal Data

      Classified as such by the law or the Political Constitution, and all others not classified as semi-private or private. The data contained in public documents, records, gazettes and government newsletters and duly enforced judicial sentences not subject to secrecy, those relating to the marital status of the people, their profession or occupation and their status as trader or public official, are all public personal data. The Personal Data included in the Mercantile Registry of Chambers of Commerce are public personal data (Colombian Commercial Code, Article 26). This data may be obtained and offered without any reserve whatsoever and regardless of whether they allude to general, private or personal information.

    • 3.4.3 Private Personal Data

      Intimate or confidential information that is only relevant to the Data Subject. Examples: traders’ books, private documents, information extracted from domicile inspections.

    • 3.4.4 Semi-private Personal Data

      Information that is not intimate, confidential or public and whose knowledge or dissemination may be of interest not only to the data subject but to a certain sector or group of persons or society in general, such as, among others, data regarding compliance or failure to comply with financial obligations or concerning relations with social security entities.

  • 3.5 Data Processor

    Private or public company or individual that Processes the Personal Data on behalf of the Controller, on its own or jointly with others.

  • 3.6 Data Controller

    Private or public company or individual that makes decisions pertaining to the Database and/or Data Processing, on its own or jointly with others.

  • 3.7 Data Subject

    Individual whose Personal Data is Processed.

  • 3.8 Processing

    Any operation or set of operations involving Personal Data, such as their compilation, storage, use, circulation or elimination.

  • 3.9 Data Transfer

    Occurs when the Personal Data Processor and/or Controller, located in Colombia, forwards the information or the Personal Data to a recipient, who is also a Data Controller and is located inside or outside the country.

  • 3.10 Data Transmission

    Personal Data Processing entailing the communication of said data inside or outside the territory of the Republic of Colombia, when the purpose of said transmission is to allow the Processor to Process the Data on behalf of the Controller.

  • 3.11 Claim

    Request made by the Data Subject or those authorized by the latter or by law to correct, update or eliminate the Personal Data.

  • 3.12 Privacy Notice

    Verbal or written communication issued by the Controller and addressed to the Data Subject regarding their Personal Data Processing, whereby the Data Subject is informed of the existence of the Information Processing Policy that will apply thereto, how to access said policy and the purpose of Processing said Personal Data.

4. PRINCIPLES FOR PERSONAL DATA PROCESSING

The Protection and Processing of Personal Data must be carried out in observance of the general and special laws on the subject and for the activities that are legally authorized.

The following principles will be applied, harmoniously and completely, in the furtherance, interpretation and application of this Policy:

  • 4.1 Principles relating to the Collection of Personal Data
    Principle of Freedom

    Unless there is a law stating otherwise, data collection can only be carried out with the prior, express and informed consent of the Data Subject. Personal Data cannot be obtained or disseminated without the prior authorization of the Data Subject or in the absence of a court order or legal mandate in lieu of said consent. Deceiving or fraudulent means cannot be used to collect and Process Personal Data. The implied authorization of the Data Subject is not allowed. Said authorization can only be waived with an express court order or legal mandate. Failure of the Data Subject to respond can never be construed as the authorization to compile or use their information. The Data Subject must be given clear, sufficient and previous information concerning the purpose of the information provided and therefore the subject’s data cannot be collected without clearly indicating the purpose thereof.

    Principle of Collection Restriction

    Only the Personal Data that is strictly necessary to achieve the processing purpose may be collected. Therefore, recording and disseminating data that is unrelated to the Processing purpose is prohibited. As a consequence, all reasonable steps must be taken to limit Personal Data Processing to the minimum. This means that the data must be: (i) adequate, (ii) relevant, and (iii) suitable to the purposes for which they were provided.

  • 4.2 Principles relating to the Use of Personal Data
    Principle of Purpose or Use

    Personal Data must be processed with a specific purpose and explicitly authorized by the Data Subject or as allowed by law. The data must only be processed in the manner in which the Data Subject can reasonably expect based on the authorized uses. If the use of the Personal Data changes over time in ways that the Data Subject cannot have reasonably expected, then the prior consent of the Data Subject must be obtained once again.

    Principle of Temporality

    Personal Data will only be kept for the time necessary to achieve the processing purpose and to comply with the legal requirements or instructions of the supervision and control authorities or other competent authorities. In order to establish the processing term, the laws applicable to each purpose and the administrative, accounting, fiscal, judicial and historical aspects of the information must be taken into account. Once the purpose or purposes have been achieved, the data will be eliminated.

    Principle of Non-Discrimination

    Any discriminatory action stemming from the information compiled in the databases or files is forbidden.

    Principle of Reparation

    Damages caused by potential Personal Data Processing failures must be compensated.

  • 4.3 Principles relating to Information Quality
    Principle of Accuracy or Quality

    The information subject to processing must be truthful, complete, accurate, up-to-date, provable and understandable. The processing of partial, incomplete, fractioned or misleading data is forbidden. Reasonable measures must be taken to ensure that the data is accurate and sufficient and whenever the Data Subject or the Controller may require it, said data must be updated, rectified or eliminated whenever applicable.

  • 4.4 Principles relating to the Protection, Access and Circulation of Personal Data
    Principle of Safety and Security

    All employees, contractors or third parties acting on behalf of .CO INTERNET S.A.S. must comply with the technical, human and administrative guidelines, controls and procedures defined by the organization to make sure the Personal Data is safe and secure, by avoiding their forging, loss, consultation or unauthorized or fraudulent use or access.

    Principle of Transparency

    Data Processing must guarantee that the Data Subject can obtain information on the existence of data pertaining to him/her at any time and free of restrictions.

    Principle of Restricted Access

    Access to Personal Data will only be granted to the following:

    • The Data Subject
    • The persons authorized by the Data Subject
    • The persons who have been authorized, by court order or legal mandate, to access the information of the Data Subject.

    Personal Data, except for public information, cannot be available on the Internet or any other mass dissemination or communication media, unless access is technically controllable to provide restricted knowledge only to the Data Subject or legally authorized third parties.

    Principle of Restricted Circulation

    Personal Data can only be sent to the following:

    • The Data Subject
    • The persons authorized by the Data Subject
    • Public or administrative entities in the performance of their legal duties or in compliance with a court order. In the latter case, according to the Constitutional Court, the following will be the procedure applicable: first, the public or administrative entity must justify the request by stating the link between the need to obtain the information and compliance with the entity’s constitutional or legal duties. Second, upon the delivery of the information, the public or administrative entity will be informed that it must comply with the duties and obligations set in Law 1581 / 2012 as the Data Controller. The recipient administrative entity must fulfill the protection and guarantee obligations enshrined in the said Law, in particular, compliance with the principle of use, legitimate use, restricted circulation, confidentiality and safety and security.

    Principle of Confidentiality

    All those involved in the Processing of Personal Data that is not classified as public, must guarantee the confidentiality of the information, even after the termination of their involvement with any of the duties part of the processing. However, they may provide or report the Personal Data only when this is required by law.

5. PURPOSE OF PERSONAL DATA PROCESSING

  • 5.1 Registry Database

    The Registry Database means the database where all the data on domain name, contact and hosting for each registry under the ccTLD.co is found.

    .CO INTERNET S.A.S. and/or the Registrars, as the case may be, carry out the collection, storage, use, circulation, elimination, transmission, transfer and/or reception of the abovementioned data with the following purpose: to administer and/or manage the Registry Database and provide the registry services in order to comply with the terms of Resolution 161 of 2020, the contract for the operation of the ccTLD.co and the guides, policies and supervision of the MINTIC, related to registry operations of such domain names.

    .CO INTERNET S.A.S. shall not permit access to the Registry Database by individuals other than required for fulfillment of the purpose of the contract for the operation of the ccTLD.co, taking into account in any case the privileges that each shall have regarding access to said Registry Database. Where required in accordance with applicable laws, .CO INTERNET S.A.S. shall permit access to the Registry Database whenever a Colombian judicial authority so orders.

    .CO INTERNET S.A.S. may not sell the personal data contained in the database, neither in a disaggregated manner, nor jointly, nor by anonymizing the data. .CO INTERNET S.A.S. does not have nor will it develop any intellectual property right regarding the data in the Registry Database and this Database is at the service of the Colombian Nation, the Registered Users and the Internet community in general.

    .CO INTERNET S.A.S. shall be responsible for processing the personal data of the Registry Database, under the terms stipulated in Law 1581 of 2012 and its regulatory provisions, as well as those that modify, complement or replace them.

  • 5.2 Mirror Database/Escrow File

    The Mirror Database/Escrow File corresponds to the database that will be available to the MINTIC and the Emergency Operator (EBERO) for the purposes of Supervision and Emergency Transition, if required, which replicates the contents of the Registry Database.

  • 5.3 Client Database

    In order to provide proper care and information vis-à-vis its business services and activities and facilitate general access to information, .CO INTERNET S.A.S., as the Personal Data Controller, carries out the compilation, storage, use, circulation, elimination, transmission, transfer and/or the reception of its clients’ data with respect to .CO INTERNET S.A.S. restricted domain name registrants with the following purpose: administrate the .CO Internet S.A.S. restricted domain name registrants with a view to complying with the MINTIC’s guidelines, policies and supervision relating to the registration operations of said domain names, such as invoicing, customer care, operation reports, follow up to client requirements, domain name operations (registrations, renewals, eliminations, queries and registration data modification, transmission to the processors) and customer care management, handling judicial or administrative requirements and complying with court orders or legal mandates.

  • 5.4 Human Resources Database

    .CO INTERNET S.A.S. carries out the compilation, storage, use, circulation, elimination, transmission, transfer and the reception of the Personal Data of its Human Resources Database with the following purpose vis-à-vis the management of former, current and future employees: compensation, wellbeing, training, knowledge transfer, recruitment (selection, election and internal promotions), compliance with all the laws relating to safety, health and wellbeing management at the workplace.

  • 5.5 Supplier and Vendor Database

    .CO INTERNET S.A.S. carries out the compilation, storage, use, circulation, elimination, transmission, transfer and the reception of the Personal Data of its Supplier and Vendor Database with the purpose of achieving efficient communication to provide the services, manage pre-contractual, contractual and post-contractual processes, payments, acquisitions, services engaged and to be engaged, as well as to comply with all the Colombian accounting and fiscal laws.

  • 5.6 Business Intelligence Database

    .CO INTERNET S.A.S. carries out the compilation, storage, use, circulation, elimination, transmission, transfer and the reception of the Personal Data of its Business Intelligence Database with the purpose of producing information reports to the MINTIC to comply with contractual obligations under the contract for the operation of the ccTLD.co.

  • 5.7 Customer Services Database

    .CO INTERNET S.A.S. carries out the compilation, storage, use, circulation, elimination, transmission, transfer and the reception of the Personal Data of its Customer Services Database with the purpose of collecting data and producing reports to the MINTIC in connection with support claims and support services requests from users, clients and registrants, to comply with contractual obligations under the contract for the operation of the ccTLD.co.

6. DATA SUBJECT RIGHTS

Based on the provisions of Law 1581 / 2012, individuals whose Personal Data is processed by .CO INTERNET S.A.S. have the following rights, which may be exercised at any time:

  • Access, update and rectify their Personal Data whenever there is partial, inaccurate, incomplete, fractioned, misleading data or their Processing is expressly forbidden or has not been authorized.
  • Request Proof of the Authorization given to .CO INTERNET S.A.S., except in the cases in which it has been expressly exempted or waived as a Processing requirement in pursuance of the contents of Article 10 of Law 1581 / 2012.
  • Be informed by .CO INTERNET S.A.S., upon prior request, regarding the use given to their Personal Data.
  • File with the Superintendence of Industry and Trade (SIC, for its initials in Spanish) claims for violations of the terms of Law 1581 / 2012 and all others complementary to, or amending, said law.
  • Request that .CO INTERNET S.A.S. delete their Personal Data and/or revoke the authorization given for their Processing, by filing a formal claim in accordance with the procedure laid out in Subparagraph 9.2. herein. Notwithstanding the foregoing, and in compliance with Article 9 of Decree 1377 / 2013, the request to delete the information and the authorization revocation will be inapplicable whenever the Data Subject is legally or contractually bound to remain in .CO INTERNET S.A.S.’s Database and/or files, or if the business relation between the Data Subject and .CO INTERNET S.A.S. by virtue of which the data was compiled is still in force.
  • Have free access to the Processed Personal Data.

7. DEPARTMENTS RESPONSIBLE FOR THE POLICY’S IMPLEMENTATION AND FOLLOW-UP

The departments of Information Security, Risk and Compliance and the Legal Department (or the third party acting in its name) of .CO INTERNET S.A.S. are responsible for developing, implementing, training in, complying with and following up this policy. To this end, all the officers involved in Personal Data Processing in the different departments throughout .CO INTERNET S.A.S. must report their Databases to these departments, as well as immediately transfer to them any petition, complaint or claim made by any Personal Data Subject.

The previously mentioned departments have also been appointed by .CO INTERNET S.A.S. as being accountable for providing customer care and managing petitions, queries, complaints and claims vis-à-vis the Data Subjects, who may formally exercise their right to access, update, rectify and eliminate their data and revoke their authorization.

8. PERSONAL DATA PROTECTION POLICY

  • 8.1 OVERVIEW
    • .CO INTERNET S.A.S. must make sure that the Data Subject’s information subject to processing is truthful, complete, accurate, up-to-date, provable and understandable. The processing of partial, incomplete, fractioned or misleading data is forbidden.
    • .CO INTERNET S.A.S. must guarantee the confidentiality of the information, even after its involvement in any of the activities that are part of the Processing of the Data Subject’s Personal Data has ended.
    • Whenever .CO INTERNET S.A.S. must transfer or transmit a Database to another entity, it must make sure that it has been authorized by the Data Subjects to do so. Likewise, the Compliance department of .CO INTERNET S.A.S., regarding the Data Protection Policy, must keep records of the data provided and the name of the entity that received it. Any entity that receives these Databases can only use the information for the purposes established in the authorization granted by the Data Subject to .CO INTERNET S.A.S.
    • Under no circumstance may .CO INTERNET S.A.S. circulate information that has been disputed by a Data Subject and/or which has been blocked by order of the Superintendence of Industry and Trade (SIC, for its initials in Spanish).
    • .CO INTERNET S.A.S. is responsible for ensuring and guaranteeing that the Personal Data of the Data Subjects included in their Databases, except for public information (names and surnames, identity card number or trade registry data), are not available on the Internet or other similar communication media, in accordance with the Principle of Restricted Access and Circulation defined in Law 1581 / 2012.
    • .CO INTERNET S.A.S. must guarantee that the information contained in its Databases is kept under the minimum security conditions required to prevent their forging, loss, consultation or unauthorized or fraudulent use or access.
    • .CO INTERNET S.A.S. does not capture or process sensitive Personal Data belonging to their Data Subjects and contained in the Databases, in pursuance of the provisions of Article 5 of Law 1581 / 2012.
    • .CO INTERNET S.A.S. has forbidden the Transfer of Personal Data to countries that do not provide proper data protection; this operation can only take place if the Data Subject has authorized it.
    • If there are security breaches that endanger the administration of the information provided by the Data Subjects, .CO INTERNET S.A.S. will deliver a formal and timely notice of these situations or incidents to the Superintendence of Industry and Trade (SIC, for its initials in Spanish).
  • 8.2 AUTHORIZATION TO USE PERSONAL DATA
    • .CO INTERNET S.A.S. must formally request the Authorization of the Data Subjects to capture and Process their Personal Data and inform them regarding:
      1. The purpose of the Processing to which their Personal Data will be subject (how and to what ends they will be collected and used).
      2. Their rights, in accordance with Paragraph 6 herein.
      3. Identification, mailing address, email and corporate phone number of .CO INTERNET S.A.S. as the Data Processor and Controller.
    • The departments and officers responsible for Processing Personal Data cannot capture the personal information of those who are not registered in the .CO INTERNET S.A.S. Databases, or have not granted their authorization to Process their Personal Data.
    • Whenever a Data Subject registered in a Database managed by .CO INTERNET S.A.S. wishes to revoke the authorization or not authorize the Processing of their Personal Data, the procedure described in Subparagraph 9.2 hereunder must be followed.
    • Pursuant to Article 15.3 of Law 1581 / 2012, .CO INTERNET S.A.S. will have a maximum of fifteen (15) business days to respond to a formal request to eliminate Personal Data.
    • .CO INTERNET S.A.S. must keep the authorization granted by the Data Subject and ensure the delivery of a copy thereof if the Data Subject or his/her assigns so request it.
    • .CO INTERNET S.A.S. must guarantee the protection and preservation of the (a) authorization granted by the Data Subject to Process the Personal Data, and (b) the elimination requests filed by Data Subjects in accordance with the internal procedures defined by .CO INTERNET S.A.S.
  • 8.3 INFORMATION PROCESSING
    • .CO INTERNET S.A.S. must guarantee the right of the Data Subject or his/her assigns to obtain information on the existence of the Subject’s data, at any time and without restrictions.
    • In no case can the departments in which officers responsible for Personal Data Processing work do so without the authorization of the Data Subject.
    • Under no circumstance may the departments in which officers responsible for Personal Data Processing work Process the Personal Data of children and adolescents, except for the data that is classified as public (name and civil registry data), with the corresponding authorization of a representative or guardian.
    • The Processing of sensitive Personal Data contained in the Databases managed by .CO INTERNET S.A.S. is not allowed in any circumstance, in pursuance of Article 5 of Law 1581 / 2012.

9. PERSONAL DATA MANAGEMENT PROCEDURES

  • 9.1 PETITIONS AND QUERIES BY DATA SUBJECTS

    The Data Subject or his/her assigns may request the following from .CO INTERNET S.A.S.:

    • Information concerning the Data Subject’s Personal Data subject to Processing
    • Proof of Authorization granted for Processing the Personal Data
    • Information relating to the use given to the Personal Data

    Data Subjects may use any of the following mechanisms, which allow keeping proof of the petition and/or query:

    Written communication addressed to:

    Privacy – Customer Service
    .CO INTERNET S.A.S.
    Calle 100 # 8A-49 Torre B Oficina 507
    WORLD TRADE CENTER
    Bogotá, COLOMBIA

    By email to: help@go.co

    Once received, .CO INTERNET S.A.S. will process it within ten (10) business days as of the date and time of reception. If it is not possible to process it within this term, .CO INTERNET S.A.S. will inform the petitioner of this circumstance, stating the cause and the date on which a response will be given, which cannot exceed in any case five (5) business days after the expiration of the initial term.

    NOTE: whenever the assign of the Data Subject makes a query, a document accrediting the assign’s relation with the Data Subject must be provided; otherwise, the query cannot be processed.

  • 9.2 COMPLAINTS AND CLAIMS MADE BY DATA SUBJECTS

    The Data Subject or his/her assigns can request the following from .CO INTERNET S.A.S.:

    • Correct or Update their data
    • Eliminate their Personal Data or revoke the Authorization granted for their Processing
    • Correct an alleged violation of any of the duties defined in Law 1581 / 2012

    Data Subjects may use any of the following mechanisms, which allow keeping proof of the petition and/or query:

    Written communication addressed to:

    Privacy – Customer Service
    .CO INTERNET S.A.S.
    Calle 100 # 8A-49 Torre B Oficina 507
    WORLD TRADE CENTER
    Bogotá, COLOMBIA

    By email to: help@go.co

    The text of the request must include:

    (a) date of filing, (b) reference to an issue, (c) full names and surnames of the Data Subject, (d) type of identity document (identity card or passport) and number, (e) mailing or email address, (f) a list of Personal Data provided to .CO INTERNET S.A.S. constituting the purpose of the complaint or claim, (g) a succinct description of the facts that led to the complaint and/or claim, (h) the type of operation (update, correction or elimination) to be conducted regarding the Personal Data, (i) the attached supporting documents deemed relevant.

    If the complaint or claim is incomplete (for instance, the written communication is not signed), .CO INTERNET S.A.S. must respond (in writing or via email) to the interested party within five (5) business days of the reception of the complaint or claim requesting the correction. If two (2) calendar months have elapsed from the date of the requirement without having received the additional requested information, then it will be understood that the petitioner has abandoned his/her complaint or claim.

    Whenever the request contains incomplete information, the Customer Care Department of .CO INTERNET S.A.S. must forward the complaint and/or claim to the departments responsible for following up this Policy (Item 7) no later than two (2) business days after and will report this situation to the petitioner.

    Once the complete complaint or claim has been received, it will be included in the corresponding Database with the following information: (a) the legend “Claim under Process” and (b) the reason for it, no later than two (2) business days after. Said legend must not be removed until the complaint or claim has been decided. The maximum term to resolve the complaint or claim is fifteen (15) business days as of the first business day after the day and time of its reception. If it is not possible to resolve it within this period, the petitioner will be informed of this circumstance, stating the cause and the date on which a response will be given, which cannot exceed in any case eight (8) business days after the expiration of the initial term.

    NOTE: whenever the Data Subject’s assign has filed a claim, a document accrediting the assign’s relation with the Data Subject must be provided; otherwise, the claim cannot be processed.

    If .CO INTERNET S.A.S. does not have the competence to resolve the claim filed, it will inform the petitioner of this situation and will forward it to the competent entity, in the terms and within the deadline to do so in accordance with the law.

    If .CO INTERNET S.A.S. is notified by a competent authority on judicial proceedings against a Data Subject relating to his/her Personal Data Processing, the corresponding record in the Database will include the legend “Information under Judicial Discussion”.

    .CO INTERNET cannot use the Data Subject’s information that is subject to a claim, disputed by the Data Subject or has been blocked by order of the Superintendence of Industry and Trade (SIC, for its initials in Spanish).

    If the Superintendence of Industry and Trade (SIC, for its initials in Spanish) identifies a risk that jeopardizes the fundamental rights of a Data Subject, it may request that .CO INTERNET S.A.S. temporarily block the data; .CO INTERNET S.A.S. must ensure that this is done as soon as possible.

    .CO INTERNET S.A.S. must provide all the information the Superintendence of Industry and Trade (SIC, for its initials in Spanish) may require for the effective exercise of its duties.

10. PERSONAL DATA SAFETY AND SECURITY

  1. .CO INTERNET S.A.S., strictly applying the Principle of Safety and Security in Personal Data Processing (Subparagraph 4.4 herein) will provide the technical, human and administrative measures needed to make the records secure, thus avoiding their forging, loss, consultation or unauthorized or fraudulent use or access.
  2. .CO INTERNET S.A.S.’s obligation and responsibility is limited to providing the proper means to this end. .CO INTERNET S.A.S. does not guarantee the complete safety and security of its information nor will it be liable for any consequence stemming from technical failures or undue breach by third parties to the Database or files where the Personal Data Processed by .CO INTERNET S.A.S. and its Processors are kept.
  3. .CO INTERNET S.A.S. will demand that the service providers it engages adopt and comply with the proper technical, human and administrative measures for the protection of Personal Data by virtue of which said providers act as Processors.

11. TRANSMISSION AND DISCLOSURE OF PERSONAL DATA

  1. .CO INTERNET S.A.S. may transmit Processed Personal Data to its parent company to use and Process them in accordance with this Personal Data Protection Policy.
  2. .CO INTERNET S.A.S. may provide the Personal Data to third parties that are unrelated to .CO INTERNET S.A.S. whenever (a) dealing with contractors engaged for the performance of .CO INTERNET S.A.S.’s commercial and operational activities, (b) a transfer has been made, for any reason, of any business line to which the information pertains.
  3. Personal Data transmission contracts entered into by .CO INTERNET S.A.S. and Personal Data Processors will include clauses that will demand that the information be processed in pursuance of this Personal Data Protection Policy and will also include the following obligations for the Processor:
    • Process, on behalf of .CO INTERNET S.A.S. the Personal Data in accordance with the guiding principle.
    • Safeguard the safety and security of the Databases containing the Personal Data
    • Keep confidential the Personal Data Processing.

12. TERM OF ENFORCEMENT

This Personal Data Protection Policy will be in force as of December 4th, 2020.