What data do we process and for what purposes?

We process data of clients and prospects for quotes, contracts, support, and communications; of suppliers for contractual relationships and billing; of candidates and employees for selection, hiring, and payroll; of visitors for security (video surveillance); and navigation data through cookies to improve experience. We inform the purposes by group, apply security measures, and retain information only for legal or necessary periods.

Who is responsible and how do we contact the DPO?

We are Damos Soluciones S.A.S., the data controller. Our Data Protection Officer is Nidya Duarte; you can write to protecciondedatos@damos.co or contact us at PBX +57 607 6835971. When submitting a request, include your name, identification, description of the case, supporting documents, and a contact method for us to process it in accordance with Law 1581 of 2012 and its regulations.

How do we exercise our rights of access, rectification, or deletion?

We can submit inquiries (response within 10 business days) or claims (within 15 business days) through the available channels. The request must identify the data subject and clearly describe the facts; if information is missing, we will request it to be supplemented, and the deadlines will be suspended. After exhausting this procedure, we may contact the Superintendency of Industry and Commerce if we believe the regulations have been violated.

Data Protection Policy

1. Introduction

This Personal Data Processing Policy (hereinafter, the “Policy”) complies with Law 1581 of 2012, Decree 1377 of 2013, Decree 1074 of 2015, and the guidelines issued by the Superintendency of Industry and Commerce (SIC). Its purpose is to communicate the guidelines under which Damos Soluciones S.A.S. (hereinafter, “Damos Soluciones” or the “Company”) processes and protects the personal information of natural persons (“Data Subjects”) who interact with us.

2. Data Controller

Company Name: Damos Soluciones S.A.S.
NIT: 900 262 711‑7
Address: Calle 58 No. 32‑75, Bucaramanga (Santander), Colombia
Phones: +57  607 6835971 +57 316 2393062
Website: www.damos.co

2.1. Data Protection Officer (DPO)

Name: Nidya Duarte
Position: Head of Personal Data Protection
Email: protecciondedatos@damos.co
Direct Phone: +57  607 6835971

3. Regulatory Framework

Law 1581 of 2012 – Personal Data Protection.
Law 1266 of 2008 – Financial Habeas Data.
Law 2300 of 2023 – Regulation of Commercial Communications (“Do Not Disturb”).
Decree 1377 of 2013 and Decree 1074 of 2015 (Book 2, Part 2, Title 2, Chapter 25).
External Circular 002 of 2015 and SIC guidelines.

4. Definitions

For the correct interpretation of this Policy, the following definitions are adopted:

Authorization: Prior, express, and informed consent of the Data Subject.
Privacy Notice: Verbal or written communication generated by the Controller informing about the existence of this Policy, its access, and purposes.
Personal Data: Any information linked or that can be associated with a determined or determinable natural person.
Sensitive Data: Information that affects the privacy of the Data Subject or whose improper use may generate discrimination (e.g., health, biometrics).
Public Data: Information not subject to confidentiality, such as marital status or merchant status.
Private Data: Personal information related to the intimate sphere of the Data Subject.
Data Processor: Person who carries out the processing on behalf of the Controller.
Data Controller: Person who decides on the databases and the processing.
Database: Organized set of personal data subject to processing.
Transmission: Internal or external communication of data to a Processor for processing on behalf of the Controller.
Transfer: Sending data to another Controller, within or outside Colombia.

5. Principles Applicable to Processing

Legality: Processing shall be subject to current regulations.
Purpose: Data shall be processed for determined, explicit, and legitimate purposes, informed to the Data Subject.
Freedom: Processing requires prior and express authorization, unless legally or judicially mandated.
Truthfulness or Quality: Data must be truthful, complete, accurate, updated, and verifiable.
Transparency: The Data Subject may obtain information about their data at any time.
Restricted Access and Circulation: Only authorized persons may process the data; dissemination through mass media is restricted.
Security: Technical, human, and administrative measures shall be adopted to protect the data.
Confidentiality: All persons involved in the processing shall maintain permanent confidentiality.
Demonstrated Responsibility: Damos Soluciones may at all times demonstrate compliance with this Policy.

6. Duties of the Controller

Damos Soluciones assumes the duties set forth in Article 17 of Law 1581, including:

Ensuring the full and effective exercise of the Data Subject’s rights.
Requesting and retaining proof of authorizations.
Informing the purpose of the processing.
Updating data and registering databases in the RNBD.
Processing inquiries and claims.
Adopting a Comprehensive Personal Data Management Program.

7. Comprehensive Personal Data Management Program

The Company will implement a program that includes: database inventory, risk classification and management, periodic audits, and annual staff training.

8. National Registry of Databases (RNBD)

All databases managed by Damos Soluciones are registered and will be updated promptly in the SIC’s RNBD.

9. Purposes of Processing

9.1. Clients and Prospects

Manage quotes, contracts, billing, and payments.
Provide support and assistance services.
Conduct satisfaction surveys and market research.
Send commercial communications from us or our partners, unless revoked.
Comply with legal, tax, and regulatory obligations.
Retain data for the duration of the contract and an additional ten (10) years or the time necessary to address legal responsibilities.

9.2. Suppliers and Contractors

Evaluate, select, and manage contractual performance.
Process payments and tax procedures.
Verify backgrounds against restrictive lists.

9.3. Employees, Candidates, and Former Employees

Manage selection, hiring, payroll, and welfare processes.
Comply with labor and social security obligations.
Retain information for the period provided in labor legislation (20 years).

9.4. Visitors and Video Surveillance

Ensure the safety of people, facilities, and assets.
Images are stored for a maximum of 30 days, unless under investigation.

9.5. Cookies and Website Navigation

Improve user experience and analyze performance metrics.
The Data Subject can configure or reject non-essential cookies through the Cookie Notice.

10. Data Subject Rights

Data Subjects may exercise, free of charge, among others, the following rights:

To know, update, and rectify their personal data.
To request proof of the authorization granted.
To be informed about the use of their data.
To submit inquiries and claims.
To revoke authorization and/or request the deletion of data when the SIC or an authority determines that the regulations have been violated.
To access data free of charge once a month or when there are substantial changes to this Policy.
To file complaints with the Superintendency of Industry and Commerce.

11. Procedure for Inquiries and Claims

Inquiries will be answered within a maximum of ten (10) business days; claims within fifteen (15) business days, counted from the day after receipt. If additional information is required, the deadlines will be suspended until the Data Subject provides it. The Data Subject must exhaust this procedure before contacting the SIC.

11.1. Minimum Content of the Request

Data Subject’s name and identification document.
Clear description of the facts subject to inquiry or claim.
Physical and/or electronic address for notifications.
Supporting documents, if applicable.

12. Information Security

Perimeter controls (firewall, IDS/IPS) and corporate antivirus.
Encryption of information in transit and at rest.
Access levels based on profiles and robust authentication.
Confidentiality agreements with employees, suppliers, and third parties.
Incident response plan and notification to the SIC within fifteen (15) business days following the detection of an incident compromising personal data.

13. International Transfers and Transmissions

Any international transfer will only be made to countries with adequate levels of protection recognized by the SIC or through contractual clauses that ensure equivalent standards. International transmissions will be governed by processing agreements that comply with Article 2 of Decree 1377 of 2013.

14. Commercial Communications and “Do Not Disturb” List

The Data Subject may at any time request exclusion from commercial mailings through our channels, or register on the “Do Not Disturb” List managed by the SIC, at no cost.

15. Downstream Flow and Third Parties

Damos Soluciones will contractually require partners and suppliers to comply with data protection measures equal to or greater than those established in this Policy.

16. Legitimation to Exercise Rights

The following may request information:

The Data Subject, their heirs, or representatives.
Persons authorized by the Data Subject.
Public or administrative entities in the exercise of their functions, with legal justification.

17. Customer Service Channels

Physical Address: Calle 36 # 27 71 office 804, Bucaramanga - Colombia.
Email: info@damos.co (Subject: “Personal Data Protection”).
Web Form: Available at www.damos.co/contacto.

18. Changes to the Policy

Substantial modifications will be communicated to Data Subjects via the registered email address, the website, and/or physical notices at the headquarters, at least ten (10) days prior to their effective date.