
Personal Data Protection Corporate Policy

  1. Introduction.

    SOFTTEK respects the fundamental rights and freedoms of individuals, including the right to the protection of their personal data, and is committed to protecting the privacy of its customers, employees and business partners and to processing their personal data lawfully. To this end, and as part of its corporate responsibility, SOFTTEK will carry out all its activities in accordance with the personal data protection regulations of every location in which it operates.

    As a global organization operating in numerous countries, SOFTTEK needs to ensure that information, including personal data, is treated securely in all SOFTTEK companies, groups, affiliates and/or subsidiaries, with an adequate and uniform level of protection, for which it establishes common behavioral guidelines that are defined in this policy.

    The purpose of this Corporate Personal Data Protection Policy is to establish the common and general principles and guidelines of action that must govern all entities related to SOFTTEK in terms of personal data protection, guaranteeing, in all cases, compliance with the applicable legislation.

  2. Scope.

    This Policy is applicable to all the companies that make up SOFTTEK, to the investee companies not integrated into the group over which SOFTTEK has effective control, within the limits established by law, as well as to all persons who are related to the entities belonging to the group. In those investee companies in which this Policy does not apply, SOFTTEK will promote the alignment of their own policies with this one. In addition, this Policy is also applicable, where relevant, to joint ventures, temporary unions of companies and other equivalent associations, when SOFTTEK assumes their management.

    Without prejudice to the provisions of the previous paragraph, SOFTTEK companies, within their own framework of autonomy, may establish an equivalent policy, which must be in accordance with the principles set out in this Policy.

    The Personal Data Protection Policy applies to all departments, operational areas, as well as to their administrators, managers, employees, and all people who are related to the entities belonging to SOFTTEK and must be known and complied with by all members of the group.

    This personal data protection policy applies to all data processing carried out by SOFTTEK in its relations with its employees, former employees, contacts, job applicants, customers, potential customers, suppliers, as well as in the provision of the services that SOFTTEK provides to third parties and organizations and that involve access to and processing of data on behalf of third parties.

    All persons linked to SOFTTEK will promote that the principles compiled in this Policy are taken into account (i) in the design and implementation of all procedures that involve the processing of personal data, (ii) in the products and services offered by them, (iii) in all contracts and obligations that they formalize with natural persons and (iv) in the implementation of any systems and platforms that give SOFTTEK professionals, SOFTTEK itself or third parties access to personal data or allow its collection or processing.

    This policy covers the entire life cycle of personal data: Generation or capture, data collection, maintenance and processing of data, use of data, exchange of data, archiving of data and destruction of data. This Policy does not apply to the processing of anonymous data (e.g., information that includes random names that do not directly or indirectly identify a real person).

  3. References.

    • GDPR (EU): The General Data Protection Regulation is the European regulation on the protection of natural persons with regard to the processing of their personal data and on the free movement of such data within the EU and the European Economic Area.
    • LFPDPPP (MX): The 'Federal Law on the Protection of Personal Data in Possession of Private Parties' is a Mexican federal statute, approved by the Congress of the Union on April 27, 2010, which regulates the right to informational self-determination.
    • CCPA (USA): It is the first comprehensive modern data protection law in the United States. The California Consumer Privacy Act is a statewide privacy law that regulates how organizations can handle the personal information of California residents.
    • LGPD (BR): The General Personal Data Protection Law (Lei Geral de Proteção de Dados, Law 13.709 of 2018) regulates the processing of personal data by natural and legal persons, public or private, and establishes the rights of data subjects.
    • LPDP (CO): Personal Data Protection Law or Law 1581 of 2012, which recognizes and protects the right of all people to know, update and rectify the information that has been collected about them in databases or files that are susceptible to processing by public or private entities.
    • LPDP (AR): Personal Data Protection Law 25.326, which establishes the general principles relating to data protection, the rights of data subjects, the obligations of users and those responsible for files, registers and databases, supervisory control, sanctions, and the action for the protection of personal data (habeas data).
    • DPDPA (IN): Digital Personal Data Protection Act 2023. It establishes a specific legal framework in India to safeguard citizens' personal data, creates the Data Protection Board of India, and sets out the rights and duties of organizations and individuals.
    • Information Security Policy: This is the document approved by management, which includes its commitment to guaranteeing information security and establishes the measures and controls that the company will adopt to ensure the confidentiality, integrity, availability and privacy of the information.

  4. Policy Enforcement.

    The Information Security Office, in conjunction with the Legal Services, will develop and keep updated the Corporate Policy on Personal Data Protection, which will be implemented by the aforementioned Office.

    Likewise, the Information Security Office and Legal Services of each country will establish internal local procedures that develop the principles compiled in this Policy and that specify their content according to the applicable law in their respective jurisdictions.

    The Directorate of Legal Services of each country will be responsible for reporting to the Information Security Office the legislative and regulatory developments that occur in the field of personal data protection.

    The Local Security Committees or equivalent bodies, together with those responsible for Technological Infrastructure (IT), will be responsible for implementing in the information systems of the companies of the group the controls and system developments needed to guarantee compliance with the internal regulations on global data protection management, and will ensure that these developments are kept up to date at all times.

    In addition, SOFTTEK companies must: (i) designate the persons responsible for the data (Local Personal Data Privacy Officer), who will act in coordination with the Information Security Office; and (ii) coordinate with the Information Security Office any activity that involves or entails the management of personal data, respecting in all cases the framework of autonomy of companies.

    It is the responsibility of the Audit area to supervise compliance with, and the effectiveness of, the provisions of this Policy by each Group Company. The foregoing shall be understood, in any case, without prejudice to the responsibilities that correspond to other bodies and directorates of the Company and, where appropriate, to the administrative and management bodies of the SOFTTEK companies. To verify compliance with this Policy, information security audits will be carried out by internal and/or external auditors, together with other controls.

    The Information Security Office will review and evaluate this Policy at least once a year. It will keep the Local Security Committees or equivalent bodies informed about risks, events or incidents related to the privacy of information and about any breach of this Policy, and it will also provide education and awareness content on Personal Data Protection.

  5. Personal Data Privacy Officers.

    The Corporate Personal Data Privacy Officer is responsible for ensuring that SOFTTEK complies with all applicable local and international data protection regulations. This officer is also responsible for defining and updating the Corporate Personal Data Protection Policy and ensuring compliance with it.

    The Corporate Data Privacy Officer, as appointed by the Security Executive Committee, is the director of the Office of Information Security.

    Each company of the SOFTTEK group must designate people responsible for the security of personal data in its company or location (Local Personal Data Privacy Officers), who will act in coordination with the Information Security Office and define the communication channels with the companies in their charge, in accordance with local regulations, so that data subjects who require it can contact them to exercise their rights.

  6. Principles of Personal Data Processing

    Any activity within the life cycle of personal data carried out by SOFTTEK, whether as part of its business processes, the administration and management of personnel, economic, accounting and tax management, commercial, marketing and communication actions, or the management of customers, suppliers and potential customers, will be carried out in accordance with the following general principles of personal data processing:

    • Principle of lawfulness, fairness and transparency. The personal data collected will be processed in a lawful, fair and transparent manner. Only the information that is required will be requested, clearly indicating the uses and purposes of the processing that is planned, and during the processing such personal data will only be used for the purposes for which it was collected.
    • Principle of purpose limitation. The personal data collected will only be used for specific, explicit and legitimate purposes, and will not be further processed in a manner incompatible with these purposes.
    • Principle of data minimization. The data collected will be those strictly necessary in the fulfilment of the purposes for which they are required.
    • Principle of accuracy. The personal data collected must be kept complete, correct and up to date. The data will be updated whenever the data subject requests it or whenever SOFTTEK has direct knowledge that a specific item of data is outdated.
    • Principle of storage limitation. Personal data will be stored for the legal periods applicable to each processing activity carried out. Once it is no longer needed for the purposes for which it was collected, it must be deleted or destroyed, unless there are other reasons to retain it, in which case it will be retained only for the minimum period required by law, in accordance with the applicable processing authorizations.
    • Principle of integrity and confidentiality. The personal data collected must be subject to technical, organisational and security measures to ensure that our business activities, information, documentation and processes in which they are used are protected against unauthorised or unlawful access, loss, destruction or accidental damage.
    • Principle of legitimacy of the source. The personal data collected must not be obtained from illegitimate sources, from sources that do not guarantee their origin or from sources whose data have been collected or transferred in contravention of the law.
    • Principle of accountability. The technical and organisational privacy measures will be established by design and by default, so as to ensure compliance with personal data legislation, and the traceability of the decision-making processes relating to the processing will be ensured.

  7. Rights of data subjects.

    The companies of the Group must allow the interested parties to exercise the rights that apply in each location, establishing, for this purpose, the internal procedures that are necessary to satisfy, at least, the legal requirements applicable in each case. SOFTTEK also undertakes to respect at least the following rights:

    • Right of access. The right of the data subject to obtain information on whether his/her own personal data is being processed, the categories of data being processed, the purpose of the processing, information available on the origin of the data when the data has not been originally received from the data subject, the period of data retention and any communications made or planned to be made.
    • Right of rectification. The right of the data subject to correct or modify any personal data that is found to be inaccurate or incomplete. The request must indicate what data it refers to and the correction to be made. It must include, where necessary, the documentation that justifies the inaccuracy or incompleteness of the data being processed.
    • Right of erasure. The right of the data subject to have their data deleted when any of the following circumstances occur:
      • The personal data is no longer necessary for the purposes for which it was collected.
      • The data subject withdraws consent for the processing of the data, if no other legitimate purpose (legal relationship or contract, legitimate interest, legal obligation) applies.
      • When the personal data of the owners has been unlawfully processed by SOFTTEK.
      • The data subject objects to the processing for profiling, based on a legitimate interest.
    • Right to restriction of processing. The right of the data subject to restrict SOFTTEK's processing of their data when:
      • The data subject contests the accuracy of his/her personal data, for a period of time that allows the accuracy of the data to be verified, or
      • The processing is unlawful, but the data subject objects to the deletion of the personal data and requests instead that the processing be restricted, or
      • The data is no longer necessary for the processing, but the data subject requests that it be retained rather than erased in order to establish, exercise or defend legal claims, or
      • Where the data subject objects to a profiling process based on legitimate interest.
    • Right to data portability. The right of the data subject to receive the data they provided, in a structured and commonly used format, where that data was obtained on the basis of express consent or a contract and is processed by automated means. In addition, the data subject may request that the data be transmitted directly to another controller, where this is technically possible.
    • Right not to be subject to a decision based solely on automated processing. The right of the data subject not to be subject to a decision with legal effects based solely on automated processing, including profiling.
    • Right to object to data processing. The right of the data subject to object to the processing of their personal data, or to require it to cease, where the processing is based on legitimate interest rather than consent, or where the data is used for direct marketing.
    • Right to be forgotten. The right of the data subject to request the deletion of his/her data made public by SOFTTEK and the removal of any link to it. This right applies where the data has been published on the internet, social networks, blogs and/or comments.

    The properties common to all these rights are:

    1. Very personal rights: This means that they can only be exercised by the owner of the data, by their legal representative, in the case of minors or people with disabilities, or by their voluntary representative specifically designated to exercise any of these rights. Therefore, SOFTTEK will deny the exercise of these rights if they are requested by a person who is not the owner of the data or who does not adequately certify that they are acting on behalf of the owner.
    2. Independent rights: this means that it is not necessary to exercise any of them previously in order to exercise another, each one is exercised separately and independently.
    3. Obligations: SOFTTEK undertakes to facilitate the exercise of these rights and to respond to requests within the legally established deadlines, regardless of the procedure used by the interested party. This applies even where the controller holds no personal data of the data subject, in which case it must still respond to the requester and be able to substantiate that response.
    4. Procedure: The exercise of these rights must be carried out through simple and, whenever possible, free procedures that SOFTTEK must make available to the interested parties.
    5. Complaints before the Supervisory Authority: In the event that a request to exercise a right cannot be met, SOFTTEK must communicate the reasons for not acting and will inform the data subject of the possibility of filing a complaint with the Supervisory Authority, if applicable. This notification must be made within the deadlines established by the legislation of the country where the claim is filed or, where no deadlines are established, at most one month from receipt of the request.

  8. Purposes of the processing of personal data.

    The collection, processing and use of personal data within SOFTTEK is only permitted for the following purposes:

    1. Processing of customer data for a contractual relationship.

      The personal data of our potential customers, customers, partners and suppliers may be processed only to establish a commercial or contractual relationship, manage it over time, execute or comply with contractual, tax and/or accounting obligations, as well as terminate a contract.

      Thus, personal data may be processed to:

      1. To track pre-sales and sales activities, in order to improve user service procedures, update the catalog of products and services, understand how the user interacts with Softtek and measure their degree of satisfaction.
      2. To prepare offers or orders and to send commercial information about activities, products and services, maintaining fluid communication with our customers so as to offer the best offer or service.
      3. To identify the people who represent the customer or act as its point of contact for contracting purposes. This processing applies only where the customer is a legal person.
      4. For the execution of contracts with suppliers and customers. A number of processing operations are necessary for the execution and development of contractual relationships; without them, such contractual relationships could not exist, because the processing is inherent to them. This includes developing, controlling and maintaining the contractual relationship; managing signatures, including through electronic signature platforms and the issuance of electronic signature certificates; carrying out and managing the transactions contracted; contact, invoicing, and the management of collections and debts; customer services (including the possibility of recording telephone calls); sending non-commercial information related to the contract; and managing complaints, requests, suggestions and possible incidents.
      5. For compliance with legal obligations. Customer data may be processed where a legal basis for the processing applies. Sometimes the basis that legitimises the processing is the fulfilment of contractual obligations or compliance with a legal obligation, as is the case with the processing of data for accounting and tax purposes; in other cases, the processing will be legitimised solely on the basis of consent. In such cases, before the customer or potential customer consents, they must be informed in accordance with the privacy and data protection policy. The declaration of consent must be obtained electronically or in writing for the purposes of management, retention and traceability of consent. In some circumstances, such as telephone conversations, consent may be given verbally; in these cases, SOFTTEK recommends the use of call recording systems.
      6. Processing in the public interest. This processing is necessary to fulfil a mission carried out in the public interest; specifically, processing aimed at guaranteeing security conditions and preventing the commission of unlawful acts. Examples are capturing images through security cameras for the security of the facilities and other security actions, or managing complaints or internal investigations into violations by the Data Subject of internal regulations or the Code of Ethics, which involves managing the file and consulting the areas necessary for this purpose.
      7. For advertising and marketing/communication purposes. In order to maintain the relationship with the customer by registering new products, improving the conditions of the products and/or services that have been contracted, and offering information on similar products and/or services that may be of interest to the customer. This includes the following cases:

        1. If the data subject contacts SOFTTEK to request information (e.g., request to receive advertising material about a product), the processing of data is permitted to comply with this request.
        2. The specific instructions and policies adopted by SOFTTEK for the different advertising actions and use of means of contact with potential customers must be followed, since advertising actions are subject to additional legal requirements.
        3. The data may be processed for advertising, market or opinion purposes, if the data has been collected with valid consent and for these specific purposes. Any potential customer or customer must be informed about the use of their data for advertising purposes.
        4. When planning any action related to advertising or communication campaigns aimed at professional contacts (professional contacts in their capacity as representative or point of contact of a customer or potential customer), their consent to process the data for advertising and communication purposes will be requested during the first communication. If the data subject rejects or does not authorise the use of their data for advertising purposes, the data can no longer be used for such purposes and its use must be blocked.

    2. Processing of customer data for the satisfaction of SOFTTEK's legitimate interests.

      1. Personal data may also be processed where necessary to meet SOFTTEK's legitimate interests. Legitimate interests are generally of a legal nature (e.g. the collection or recovery of amounts owed) or relate to satisfaction surveys for the improvement of products and services.
        1. Personal data may not be processed on the basis of a legitimate interest of SOFTTEK if there is evidence that the interests and rights of an individual person override the legitimate interests of SOFTTEK.
        2. Therefore, the application of SOFTTEK's legitimate interest as a legitimate basis for processing is not always appropriate. For each case, an analysis of the prevalence between legitimate interests and the rights of individuals must be made.
      2. Historical Archive: to keep an archive of the activities with a view to possible responsibilities or as historical memory for the time defined by law.
      3. Automated individual decisions. This is data processing carried out in an automated way and used to assess certain aspects of a person (e.g. creditworthiness); this type of data processing must be communicated to the data subject.
      4. Processing of data derived from accesses and visits to a website. If personal data is collected, processed and used on websites or applications, the data subjects must be informed of these purposes in a privacy statement and, where appropriate, in a cookie policy. This information must be easily identifiable, directly accessible and constantly available to the interested parties.

      If tracking profiles are created to evaluate the use of websites and apps, data subjects should always be informed.
      Tracking may only be carried out if permitted by the legislation of the country or the consent of the data subject.

    3. Processing data of employees, former employees and candidates.

      At SOFTTEK we carry out various data processing derived from the relationship with our employees, thus, we use personal data to:

      1. Recruitment and onboarding management.
      2. Identification within the organization and granting of access to facilities and information systems.
      3. The allocation of work resources, such as computer equipment, e-mail, applications, telephones, other resources.
      4. Management and monitoring of labor relations by the human resources department, such as vacations and leave.
      5. Payment of salaries and compensation, payroll advances, expenses, withholdings, subsidies, benefits and other remuneration in kind.
      6. Occupational risk prevention programs.
      7. Management of occupational health and safety services; hiring and dismissal; absenteeism.
      8. To participate in training.
      9. Other social benefits for the interested party (restaurant vouchers, travel management...)
      10. Management of the offboarding process.
      11. Management of obligations with former employees.
      For certain data processing needs, special categories of data, such as health data, will be required, in particular for the management of medical treatment and the prevention of occupational risks.

      We may also process employee data within SOFTTEK's corporate group, in accordance with the authorizations granted by national authorities regarding international transfers and personal data protection.

  9. Data processing on behalf of the client in the provision of SOFTTEK services.

    Processing of data in the name and on behalf of the CLIENT means that SOFTTEK has been contracted to provide a service that may involve access to and processing of personal data. In these cases, access to the data must be limited to the service provided to the CLIENT, following the instructions provided by the CLIENT, and the model data access contract for third parties, defined by the Legal Services of each country and validated by the Local Data Privacy Officer, must be signed before the service starts.

    During the provision of services that involve or may involve access to data that are the responsibility of the client, all SOFTTEK personnel in charge of this provision of services and SOFTTEK's resources that are used for the same provision of services, will be subject to the following principles:

    • The data will not be removed from the CLIENT's environment unless it is stipulated in the contract or notified in writing by the CLIENT, in which case what is defined by the CLIENT will prevail.
    • The data will only be processed according to the instructions given by the CLIENT and for the correct provision of the services contracted by the CLIENT to SOFTTEK.
    • Personal data will not be used for any purpose other than to provide the service.
    • The personal data will be returned to the CLIENT once the contracted services have been completed, following the instructions received from the CLIENT.
    • In the case of subcontracting services, the subcontracting will be regulated in accordance with the authorizations granted by the CLIENT.
    • Security measures will be implemented in devices and resources to guarantee the security of personal data and prevent its alteration, loss, unauthorized processing or unauthorized access, taking into account the state of technology, the nature of the data stored and the risks of exposure, whether arising from human action or from environmental risks.

  10. Processing of personal data under the responsibility of SOFTTEK by service providers.

    In the event of contracting external suppliers for the processing of personal data under SOFTTEK's responsibility, the guidelines established in this Policy must be followed, as well as any instructions or directives provided for this purpose by the Legal Services of each country or by the Local Data Privacy Officer.

    • The area or department responsible for any data that may include personal data, sent for processing to a third-party provider, shall notify the Information Security Office (security@softtek.com) or the area determined by the Information Security Office, the identity of the service provider, type of service, categories of data or information to which the provider has access, technology and any other considerations.
    • A contract or annex regulating access to and processing of data for the provision of the service will be signed between SOFTTEK and the provider.
    • The data processing provider may only access and process the data following the instructions of SOFTTEK.
    • The data processing provider will be obliged to submit information on its capacity to meet the technical and organisational requirements of the contracted service, including the data protection measures it applies.
    • Before initiating any data processing, the Service Provider must share any documentation that proves the adoption of security, technical and organizational measures, on the processes, procedures, applications and people who will access and process SOFTTEK's information.
    • In the event that the data processing is carried out by subcontractors, the provider is obliged to enter into data processing contracts with such subcontractors based on standard contractual clauses defined by SOFTTEK's legal area in the country for the processing of personal data.
    • At the end of the contracted services, the supplier must follow SOFTTEK's instructions for the return of the data that is still in the supplier's facilities, certifying in writing the total return of the data.
    • Contractual obligations and responsibilities for data breaches will be established for the provider, which expressly assumes all responsibility before the data subjects and before the Supervisory Authorities.
    • SOFTTEK may request evidence from the provider of compliance with personal data protection policies.

  11. General obligations of employees in relation to the processing of personal data.

    Personal data is classified as restricted. Any unauthorized collection, processing or use of data by employees is prohibited.

    Any data processing carried out by an employee that the employee has not been authorized to perform as part of his or her job duties and functions is prohibited.

    Authorized employees may have access to the information, data and documentation necessary for the fulfillment and development of their job functions within SOFTTEK. For this reason, our organization has implemented measures and resources for the implementation of user roles and responsibilities.

    Employees are prohibited from using personal data for private or commercial purposes, disclosing it to unauthorized people, or making it available in any other way.

    SOFTTEK's Corporate Personal Data Protection Policy must be published and available to all employees and all employees must be informed of the obligation to protect data secrecy, an obligation that will remain in force even after the employee has terminated his or her relationship with SOFTTEK if local laws allow it.

  12. Transmission of Personal Data.

    In general, SOFTTEK will not transfer data of the Data Subjects, except in the following cases:

    • To competent authorities and bodies, courts, tribunals or any other third party entitled in accordance with the applicable regulations. If the data transmission is necessary for compliance with a legal or contractual obligation, the organizational unit carrying out the actual processing of the data will request assistance from the Local Personal Data Privacy Officer for support in carrying out the appropriate actions and adopting the appropriate procedures.
    • To third-party holders of common documents for the fulfilment of monetary obligations, when the client defaults on payment and there is a legitimate interest.
    • To third-party owners of services or products that the user voluntarily requests (for example, when the user wants to benefit from an offer from another group company or a partner).
    • To certain SOFTTEK companies to comply with the contracted purposes. In all cases, the international transfer will be carried out with adequate guarantees and on the condition that the individuals have enforceable rights and effective legal remedies. For all of them, there are Standard Contractual Clauses (also called "SCC" or "Standard Corporate Rules") signed between the members of the group to ensure compliance with the regulations of each country regarding the protection of personal data.
    • Likewise, third parties that are SOFTTEK's suppliers may have access to the personal data of the data subjects in order to provide services to SOFTTEK (companies operating in the following sectors: technology, legal advice, marketing agencies, IT services, payment processing, administrative managers for solvency control, etc.). These providers will only access Personal Data to carry out their services in the name and on behalf of SOFTTEK, under an obligation of confidentiality, always following its instructions, and without at any time being able to use said data for their own purposes and/or unauthorized purposes.

  13. Security.

    Personal data must be protected against unauthorized access, unlawful processing or unauthorized disclosure, as well as against accidental loss, modification or destruction. This applies regardless of whether the data is processed electronically or on physical media.

    In view of the introduction of new data processing methods in SOFTTEK, the Local Data Privacy Officer, together with the Information Security Office and the Information Technology area, will define and document the process to be carried out, its characteristics and security measures to protect personal data. These measures must be based on current technology, potential processing risks, and data protection requirements (as defined by the SOFTTEK data classification standard).

    Technical and organizational measures to protect personal data are part of SOFTTEK's Information Security Office and must be continuously adjusted to technological developments and organizational changes.

  14. Data protection control.

    SOFTTEK's compliance with data protection policy and data protection laws is continuously verified through information security audits and other controls.

    These actions are the responsibility of the Corporate Data Privacy Officer, the Local Data Privacy Officers, the internal auditors or the external auditors hired for this purpose. The results of the evaluation of these controls must be shared with the Local Security Committees or equivalent bodies.

    Upon request, the results of the data protection checks shall be made available to the competent data protection authority. The data protection authority may conduct its own inspection of compliance with the rules of this Policy, as permitted by local law.

  15. Data protection incidents.

    All employees must immediately inform their leader and the Local Data Privacy Officer about cases of violation of this policy, as well as register the security incident or event, depending on the case, in the corporate HELP tool.

    Data security incidents include, but are not limited to:

    • Accidental transmission of personal data to third parties,
    • Inadequate access by third parties to personal data, or
    • Loss of personal data.

    Data security events include, but are not limited to:

    • In general, any risky or improper processing of personal data.

    The Local Data Privacy Officer must make a report together with the Information Security Office, the Technology Infrastructure department and other areas and departments involved in the security incident, to determine the actions to be taken.

    Data privacy-related incidents must be reported and documented immediately, following SOFTTEK's Information Security Incident Management process, so that the reporting obligations under local legislation to the Supervisory Authority can be fulfilled within the period stipulated by the applicable laws, counted from the date on which the incident became known.

  16. Sanctions and Responsibilities.

    SOFTTEK's Management is responsible for the data processing carried out in its area of responsibility, so it is obliged to ensure that the legal requirements and the contents defined in the Corporate Policy on Personal Data Protection (or comparable local document) are complied with.

    The management team is responsible for ensuring that the organization, human and technical resources, have adequate controls in place to ensure that data processing is carried out in accordance with this Corporate Personal Data Protection Policy.

    Any department or area responsible for the development of processes and projects involving the collection of personal data shall share this process with the Local Data Privacy Officer for review and approval. In order for any personal data to be processed, privacy and any other obligations to SOFTTEK must be considered from the initial design, including an initial assessment of the risks to the rights of individual data owners before any data is processed.

    If the information processing operations involve the collection and processing of particularly sensitive data, an additional risk assessment will be carried out by the Local Data Privacy Officer, which will analyze the risks arising from the processing and from data compliance, as well as the security measures that must be adopted to minimize the risks that may arise from the processing of these categories of data.

    Improper processing of personal data or other violations of data protection laws may be prosecuted criminally and may give rise to administrative penalties or fines, without prejudice to the data subject's right to claim compensation for damages.


Last modification: March 2025.