Introduction

The purpose of this manual is to comply with the legal, constitutional and jurisprudential provisions concerning the development of the constitutional right that all people have to know, update and rectify the information that has been collected about them in databases or files related to the article 15 of the Political Constitution, as well as the right to information enshrined in article 20 of the same.

L Law 1581 of 2012 developed "the constitutional right that all people have to know, update and rectify the information that has been collected about them in databases or files, and the other rights, freedoms and constitutional guarantees referred to in the article 15 of the Political Constitution; as well as the right to information enshrined in article 20 of the same.” This constitutional right known as habeas data, gives citizens the ability to decide and control the information that others have about them and, in that order of ideas, Law 1581 of 2012 establishes mechanisms and guarantees that allow the full exercise of the aforementioned right. .

In compliance with the provisions of Law 1581 of 2012, GIRLEE, as responsible for the processing of personal data and sensitive personal data of its affiliates, providers, suppliers and collaborators, has adopted the following Information Treatment Policies, to guarantee that the processing of personal data and sensitive personal data complies with current legal provisions.

In compliance with the provisions of Law 1581 of 2012, GIRLEE, as responsible for the processing of personal data and sensitive personal data of its affiliates, providers, suppliers and collaborators, has adopted the following Information Treatment Policies, to guarantee that the processing of personal data and sensitive personal data complies with current legal provisions.

In summary, this manual establishes the policies and procedures through which the owner of the personal data can exercise their rights related to the processing of their data and, in turn, the treatment that the person in charge must give to the personal data. third parties, as well as the mechanisms to encourage compliance with the duties of the data controller. Likewise, some definitions are given regarding terms necessary for the correct application of the aforementioned policies, together with the principles on which the collection and processing of personal data is based.

Object

Regulate the policies and procedures that will be applicable in the handling of personal data information by GIRLEE, according to the provisions contained in Law 1581 of 2012 and Decree 1377 of 2013.

Data controllers GIRLEE

• Business name: GIRLEE
• RNC: 132367286
• Main Office:Santo Domingo, Dominican Republic
• Telephone: (+57) 555555
• Main website: girleeshop.com
• Email: info@girleeshop.com

GIRLEE, is responsible for the Treatment of personal data and sensitive personal data of its affiliates, providers, suppliers and collaborators, on which it decides directly and autonomously.

Scope

This manual is applicable to the personal data of natural persons registered in the databases related to Employees, Potential Employees, Retired Workers, Shareholders, Suppliers, Potential Suppliers, Clients and Users (where relevant) of GIRLEE which are susceptible of treatment. It will apply to the personal data that is collected and handled by GIRLEE. If in the future, other legal entities become part of GIRLEE, the manual will apply to those.

This manual will not apply to:

a. To data for exclusively personal or domestic use.

b. To data whose purpose is national security and defense, as well as the prevention, detection, monitoring and control of money laundering and financing of terrorism.

c. To data containing intelligence and counterintelligence information of the State.

d. To the databases and files regulated by Statutory Law 1266 of 2008.

and. To the databases and files regulated by Law 79 of 1993.

DDefinitions

For the application of the rules and procedures established in this manual, and in accordance with the provisions of article 3 of Statutory Law 1581 of 2012, it will be understood as:

• a. Authorization: Prior, express and informed consent of the Owner to carry out the Processing of personal data.
• b. Database: Organized set of personal data that is subject to Treatment.
• c. Privacy notice: Physical document, electronic or in any other format, generated by the person responsible for the Treatment that is made available to the Owner for the Treatment of their personal data. Through this, the Owner of the information is informed of the existence of the applicable policies for the treatment of their personal data, together with the way to access them and the characteristics of the treatment of personal data.
• d. Personal data: Any information linked to or that can be associated with one or more specific or determinable natural persons, such as name and surname, identity document, age, address, region, country, city, postal code, landline telephone number, mobile phone, address, email address, advertising preferences, consumption preference, channel preferences, complaints and claims, new service, basic and personal data, contact data, demographic data, data on tastes, preferences and habits.
• and. Sensitive data: Sensitive data is understood to be that which affects the privacy of the Holder or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, organizations social, human rights or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life and biometric data.
• F. Person in Charge of Treatment: Natural or legal person, public or private, that by itself or in association with others, performs the Treatment of personal data on behalf of the Person Responsible for Treatment.
• g. Responsible for the Treatment: Natural or legal person, public or private, that by itself or in association with others, decides on the database and/or the Treatment of the data.
• h. Owner: Natural person whose personal data is subject to Treatment.
• Yo. Treatment: Any operation or set of operations on personal data, such as the collection, storage, use, circulation or deletion of data, in any technology known or to be known.

Beginning

The principles that are stated below constitute the general parameters through which the provisions of this manual will be applied regarding the personal data of the people to whom the processing of their data is applicable:

• a. Principle of purpose: The Processing of personal data by GIRLEE must obey a legitimate purpose, which must be informed to the Owner.
• b. Principle of freedom: The processing of personal data may only be exercised with the prior, express and informed consent of the Holder of the information. Personal data may not be obtained or obtained without prior authorization, or in the absence of a legal or judicial mandate that relieves consent.
• c. Principle of veracity or quality: The information subject to Treatment must be truthful, complete, exact, updated, verifiable and understandable. The Processing of partial, incomplete, fragmented or misleading data is prohibited.
• d. Principle of transparency: In the Treatment, the right of the Holder to obtain from GIRLEE, at any time and without restrictions, information about the existence of data that concerns him must be guaranteed.
• and. Principle of access and restricted circulation: Personal data, except for public information, may not be available on the Internet or other means of downloading or mass communication, unless access is technically controllable to provide restricted knowledge only to the Holders or authorized third parties. .
• F. Security principle: The information subject to Treatment by GIRLEE must be handled with the technical, human and administrative measures that are necessary to provide security to the records, avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.
• g. Confidentiality principle: All persons involved in the Processing of personal data that are not of a public nature are obliged to guarantee the confidentiality of the information, even after their relationship with any of the tasks included in the Processing has ended.

Treatment to which the data will be subjected and purpose of the treatment.

Treatment is any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion. The information that GIRLEE collects in the provision of its services and in general in the development of its corporate purpose, is mainly used to identify, maintain a record and control of Employees, Potential Employees, Retired Workers, Shareholders, Suppliers, Potential Suppliers, Clients and Users of GIRLEE

TGeneral Information Treatments:

• • Process
• • Confirm
• • Comply
• • Provide the services and/or products acquired directly or with the participation of third parties.
• • Promote and advertise our activities, products and services
• • Carry out transactions
• • Make reports with the different administrative authorities of control and national surveillance, police or judicial authorities, financial entities and/or insurance companies.
• • Internal administrative and/or commercial purposes such as: market research, audits, accounting reports, statistical analysis or billing • Collection
• • Storage
• • Recording
• • Use
• • Circulation
• • Processing
• • Deletion
• • Transmission and/or transfer to third countries of the data provided, for the execution of activities related to the services and products purchased.
• • Accounting records
• • Correspondence
• • Carry out transactions
• • Identification of fraud and prevention of money laundering and other criminal activities

General Treatment of Shareholder Information:

• • Make the payment of orders.
• • Compliance with judicial decisions and administrative and legal provisions.
• • Contacts.
• • Compliance with judicial decisions and administrative and legal, tax and regulatory provisions.

General Treatment of Provider Information:

• • For business purposes.
• • Accounting.
• • Compliance with judicial decisions and administrative and legal, tax and regulatory provisions.
• • Compliance with contractual obligations, for which the information may be transferred to third parties, such as financial institutions, notaries, OFAC and terrorism lists, lawyers, etc.
• • To carry out the processes in which the suppliers are linked.
• • Any other use that the provider authorizes in writing for the use of your information.
• • Transmission of information and personal data in audit processes.

General Treatment of Customer Information:

• • For business purposes.
• • Offering of goods and services.
• • Publicity and marketing.
• • Commercial alliances.
• • Accounting.
• • Compliance with contractual obligations, for which the information may be transferred to third parties, such as financial institutions, notaries, OFAC and terrorism lists, lawyers, etc.
• • Compliance with judicial decisions and administrative and legal, tax and regulatory provisions.
• • Transmission of information and personal data in audit processes.
• • Billing.

General Treatment of Information of employees, retired workers, pensioners and candidates to fill vacancies:

• • For purposes relevant to the employment relationship (EPS, ARL, pension and severance funds, family compensation funds, etc.)
• • In the case of employees with the signing of the employment contract, express authorization is understood to treat the information.
• • In the case of judicial and legal requirements.
• • Accounting and payment of payroll.
• • Recruit and select staff to fill vacancies.
• • Process, confirm and comply with the legal and extralegal labor obligations derived from the employment contract.
• • Carry out transactions.
• • Payment of extralegal benefits.
• • Audits.
• • Statistical analysis.
• • Maintain database of candidates.
• • Training and education.
• • Share personal data with banks, companies that offer benefits to our active workers, among others.

Authorization.

The compilation, storage, consultation, use, exchange, transmission, transfer and treatment of personal data requires the free, express and informed consent of the Owner of the information. Based on the foregoing and through this manual, the mechanisms that allow subsequent consultation by the owner of the information are implemented.

Mechanisms to grant Authorization.

The authorization by the Holder may be recorded in a physical, electronic document or any other format that allows a reasonable conclusion that the Holder granted the authorization.

Taking into account the foregoing, GIRLEE notes that the authorization in any case will be by means of a physical and/or digital document, which must have the signature of the Owner of the information, which does not prevent different mechanisms from being established later to grant authorization.

GIRLEE will ensure respect for and compliance with the fundamental rights of children and adolescents, observing the special requirements established for the processing of their personal data and sensitive personal data.

Through the authorization, the Holder of the information or his representative in the case of infants (boys and girls) and adolescents will be made aware of the fact that the information will be collected, including the purpose, modifications, storage and use. I specify what will be given to them, and also:

• • The person who collects the information (specifying whether it is the Responsible or the Person in Charge of the treatment).
• • The data that will be collected, including whether Sensitive Data is collected.
• • The purpose of data processing.
• • The mechanisms through which they can exercise their rights as Owners of the information (access, correction, updating or deletion of data).

Notice of Privacy.

GIRLEE, in its capacity as Data Controller and Data Processor, will have the necessary means to maintain the technical and technological records of when and how authorization was obtained from the Data Owner for data processing.

Notice of Privacy.

The privacy notice is a physical, electronic document or any other format, through which the owner of the information is informed about the existence of policies that will be applicable to him, as well as the way in which they can access them and the characteristics of the treatment that will be given to personal data.

Notice of Privacy.

The privacy notice is a physical, electronic document or any other format, through which the owner of the information is informed about the existence of policies that will be applicable to him, as well as the way in which they can access them and the characteristics of the treatment that will be given to personal data.

Content of the privacy notice.

• a. The identity, address and contact information of the Responsible or the Person in Charge of the Treatment.
• b. The Treatment to which the data will be subjected and the purpose of the same.
• c. The mechanisms provided by GIRLEE so that the Holder knows the information treatment policy and the substantial changes that occur in it or in the corresponding privacy notice. In all cases, you must inform the Holder how to access or consult the information treatment policy.

The model of the privacy notice that was transmitted to the Holders of the information will be kept while the processing of personal data is carried out and the obligations derived from it endure. For the storage of the model, computer, electronic or any other technology at the option of GIRLEE may be used.

Depending on the group of people whose personal data is collected, there will be a single privacy notice model, which will specify in detail the points described above for each of them.

Rights of the Holders of the information.

In accordance with article 8 of Statutory Law 1581 of 2012, the Holder of personal data has the following rights:

• a. Know, update and rectify your personal data GIRLEE in its capacity as Responsible and Responsible for the treatment.
• b. Request proof of authorization granted to GIRLEE
• c. Be informed by GIRLEE regarding the use it has given to your personal data.
• d. Submit complaints to the Superintendency of Industry and Commerce for violations of the provisions of Statutory Law 1581 of 2012, having exhausted the consultation or claim process as indicated in the aforementioned Law.
• and. Revoke the authorization and/or request the deletion of the data when the principles, rights and constitutional and legal guarantees are not respected in the Treatment.
• F. Free access to your personal data that has been processed.

Duties of GIRLEE in relation to the processing of personal data in its capacity as Responsible and Responsible for the Treatment.

It is noted that the personal data subject to treatment are the property of the persons to whom they refer and they are the ones empowered to dispose of them. Based on the foregoing, it will only use personal data in accordance with the purposes established in the Law and respecting the provisions of Statutory Law 1581 of 2012:

In accordance with article 17 of Statutory Law 1581 of 2012, they undertake to comply with the following duties:

• a. Guarantee the Holder, at all times, the full and effective exercise of the right of habeas data.
• b. Request and keep a copy of the respective authorization granted by the Holder.
• c. Perform in the terms provided in articles 14 and 15 of Statutory Law 1581 of 2012, the updating, rectification or deletion of data.
• d. Process the queries and claims made by the owners in the terms indicated in article 14 of Statutory Law 1581 of 2012.
• and. Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
• F. Insert in the databases the legend "information under judicial discussion" once notified by the competent authority about judicial processes related to the quality or details of the personal data.
• g. Inform the Superintendency of Industry and Commerce when there are violations of the security codes and there are risks in the administration of the information of the holders.
• h. Process queries and claims made by the owners of the information.
• Yo. Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
• J. Apply the rules that regulate Statutory Law 1581 of 2012.

Duties regarding the Treatment of data of Infants and Adolescents.

GIRLEE, in its capacity as Responsible and Responsible for the Processing of the personal data of the aforementioned groups, must take special care to ensure compliance with the Law with respect to these groups and respect for their rights, especially with respect to personal data that do not fit into the category of data of a public nature (name, gender, date of birth, etc.).

The processing of personal data of children and/or adolescents that are of a public nature will comply with the following parameters and requirements:

• a) That responds to and respects the best interests of children and adolescents.
• b) To ensure respect for their fundamental rights.
• c) Assessment of the opinion of the minor when he/she has the maturity, autonomy and capacity to understand the matter.

Once the above requirements have been fulfilled, the legal representative of the child or adolescent may grant authorization for the Treatment, after exercising the minor's right to be heard, an opinion that must be assessed taking into account the maturity, autonomy and ability to understand the case.

Procedures for access, consultation and claim.

Applicable points for all Procedures:

(l) For the exercise of the rights indicated in this point by the assignees, and also to prevent access to the information by unauthorized persons, the documentation that allows concluding that the person requesting the information is a successor in title of the Holder.

(ll) If there is any doubt regarding the application of the procedures indicated here, it will be reported by the area responsible for the database that is the object of the application of the procedure and resolved by the Legal Department, who will resolve the subject taking into account the Law, the Decrees and other regulations or instructions, and the jurisprudence that is issued on the matter.

Access.

Bearing in mind that the power to dispose of or decide on personal data is in the hands of the Holder of the information, this power necessarily implies the right of the holder to access and know the personal information that is being processed, including in this aspect the scope, conditions and generalities of the treatment.

Taking into account the foregoing, this right is guaranteed to the Holder, which includes.

• • Knowledge of the existence of the processing of your personal data.
• • Access to your personal data.
• • The circumstances of the processing of personal data
.

Query.

In accordance with article 14 of Statutory Law 1581 of 2012, the Holders or their successors in title may consult the personal information of the Holder that resides in any database. Based on this, this right is guaranteed by supplying them with all the information contained in the individual record or that is linked to the identification of the Holder.

Depending on the nature of the personal database, the query will be managed by the area responsible for attending to it within GIRLEE.

Queries will be answered within a maximum term of ten (10) business days from the date of receipt. When it is not possible to attend the query within said term, the interested party will be informed within the first term conferred, where the reasons for the delay will be stated and the date on which the query will be attended will be indicated, which in no case may exceed the five (5) business days following the expiration of the first term.

Claim.

In accordance with article 15 of Statutory Law 1581 of 2012, the Holder or his successors in title who consider that the information contained in a database must be corrected, updated or deleted, or when they notice the alleged breach of any of the duties contained in Statutory Law 1581 of 2012, may file a claim which will be processed under the following rules:

• 1. The claim will be formulated through a communication made by the owner or his successors in title addressed to the responsible GIRLEE or the person in charge of the Treatment, which must include the information indicated in article 15 of Statutory Law 1581 of 2012. If the claim is incomplete, The interested party will be required within five (5) days after receiving the claim to correct the faults. After two (2) months from the date of the request, without the applicant submitting the required information, it will be understood that the claim has been withdrawn. In any case, if the communication is addressed to GIRLEE and it does not have the quality to respond to the communication, GIRLEE, without the need to notify the person making the claim, will inform the company that must respond.
• In the event that GIRLEE receives a claim that it is not competent to resolve, it will transfer it to the appropriate party within a maximum period of two (2) business days and will inform the interested party of the situation.
• 2. Once the complete claim has been received, a legend will be included in the database that says "claim in process" and the reason for it, within a term not exceeding two (2) business days. Said legend must be kept until the claim is decided.
• 3. The maximum term to address the claim will be fifteen (15) business days from the day following the date of receipt. When it is not possible to address the claim within said term, the interested party will be informed of the reasons for the delay and the date on which his claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first finished.
En cualquier tiempo y gratuitamente, la persona natural Titular de los datos personales o su representante podrá solicitar la rectificación, actualización o supresión de sus datos personales previa acreditación de su identidad.

The request for rectification, updating or deletion of your personal data must be submitted through the provided means indicated in the privacy notice and must contain at least the following information:

• 1. El nombre y domicilio del Titular o representante o cualquier otro medio para recibir la respuesta a su solicitud.
• 2. Los documentos que acrediten la identidad o la representación del Titular de los datos personales.
• 3. La descripción clara y precisa de los datos personales y de los hechos que dan lugar al reclamo.
• 3. La descripción clara y precisa de los datos personales y de los hechos que dan lugar al reclamo.
• 4. Los documentos que se desean hacer valer en la reclamación.

The suppression implies the total or partial elimination of the personal information in accordance with the request of the Holder, of the records, files and databases or treatments carried out by GIRLEE

Depending on the nature of the personal database, the claim will be managed by the area responsible for attending to it within GIRLEE.

Procedural requirement.

The Holder or successor in title may only file a complaint with the Superintendence of Industry and Commerce once the consultation or claim process has been exhausted before GIRLEE.

Revocation of authorization.

In accordance with the provisions of the Law, in the event that the Treatment principles, rights and constitutional and legal guarantees are not respected, the Holders or their representatives (as is the case of parents who exercise parental authority of an infant or adolescent) may request the revocation of the authorization granted for the Treatment of the same, unless by legal or contractual provision such revocation is prevented, indicating in said case, the specific reasons based on which it considers that the situation is taking place of not with respect to the mentioned scopes.

GIRLEE, being responsible or in charge of the Treatment, as the case may be, must confirm receipt of the authorization revocation request, including the date of receipt. The same may be objected if, in the opinion of GIRLEE, the assumption indicated by the Holder does not occur or if such revocation implies an affectation for the monitoring or fulfillment of rights or obligations by the entity and with respect to the Holder, in which case You must inform the same in writing so that it can take the measures before the authorities that it considers pertinent.

The request for revocation of the authorization can be total or partial. It will be total when the revocation of all the consented purposes through the authorization is requested; It will be partial when the revocation of some purposes is requested depending on the revocation request. This qualifier must be expressed clearly in the request for revocation of the authorization.

Security of the information.

Information security measures.

In development of the security principle established in Statutory Law 1581 of 2012, GIRLEE will implement additional technical, human and administrative measures, if required, that are necessary to grant security to the records, through which their adulteration, loss, unauthorized or fraudulent consultation, use or access. The development of this online store carried out by the Distecnoweb web design agency was tested in different scenarios and GIRLEE carries out the necessary technical updates over time to preserve the security of the information.

Registration of the Bases.

GIRLEE, in its capacity as Responsible and Responsible for Treatment, must proceed to register the bases in the terms indicated by Colombian regulations.

Acceptance.

The Holders of the information accept the processing of their personal data in accordance with the terms of this Manual, at the time of providing their data.

Validity.

This General Privacy Policy is effective from the date of its publication and its validity will be subject to the purpose of processing personal data of the legal nature of GIRLEE.