Personal Data Protection
Cerrejón Coal Limited and Cerrejón North Zone S.A., henceforth the Companies, comply with the constitutional right of everyone to know, update, and rectify information gathered on them in databases or files, and the other constitutional rights, liberties, and guarantees referred to in Article 15 of the Political Constitution, in addition to the right to information granted in Article 20 of the same, the provision of Act 1581 of 2012 by which general provisions are issued for the protection of personal data, and Decree 1377 of 2013, which partially regulates Act 1581 of 2012.
Objective
The Companies are committed to respecting and guaranteeing the rights of their employees, former employees, and third parties in general. That is why they place at your disposal the Personal Data Protection, which presents and explains the Policies and Guidelines Manual as well as the mechanisms to exercise your rights to know, update, and correct your personal data, and revoke authorization granted for their treatment.
In charge of data treatment
The Companies, located at Calle 100 No. 19-54 Piso 12 in Bogotá D.C., have provided their employees and third parties with the contact e-mail PPInf@cerrejon.com for the Information Protection Program.
Personal Data Treatment
The Companies have identified the personal data subject to treatment that it possesses. Gathering and treating personal data is done for legal ends respecting the general and special standards provided and the authorization given by their owner over them.
The Companies shall apply legal limitations to the treatment of sensitive data, ensuring that:
a) The owner has given explicit permission for that treatment except in cases where the law does not require said authorization to be granted.
b) The treatment is necessary to safeguard the owner’s vital interests and he or she is physically or legally disabled. In these cases, their legal representatives must grant their authorization.
c) The data treatment must be effected during the course of legitimate activities and with due guarantees by a foundation, NGO, association, or any other non-profit body whose aim is political, philosophical, religious, or union-related as long as they refer exclusively to their members or to people who maintain regular contact with them due to their objective. In these cases, the data may not be provided to third parties without the authorization of the owner.
d) The treatment refers to data necessary for the recognition, exercise, or defense of a legal right in a judicial process.
e) The treatment has a historic, statistical, or scientific objective. In these cases, the Companies shall adopt measures appropriate for removing identity-specific data.
Rights of children and adolescents
The Companies guarantee that all those responsible for and in charge of the treatment of the personal data of children and adolescents safeguard their appropriate use. The treatment of the personal data of children and adolescents, which are not of a public nature, shall meet the following parameters and requisites:
It shall respond to and respect the higher interests of children and adolescents.
b) It shall ensure respect for their fundamental rights.
Having met the above prerequisites, the companies shall request authorization from the child or adolescent’s legal representative for the data treatment.
Owners’ rights
The companies are committed to respecting and guaranteeing the following rights of data owners:
Know, update, and correct personal data. To that end, it is first necessary to establish the person’s identification to prevent unauthorized third parties from accessing the owner’s data.
b) Obtain a copy of the authorization signed by them as data owners.
c) Report on the use that the companies shall make of the owner’s personal data.
d) Process consultations and claims following the procedures established by law and in this policy.
e) Agree to requests to revoke authorization and/or suppress personal data when the Industry and Commerce Superintendency determines that the companies’ data treatment has involved behaviour contrary to Act 1581 of 2012, to those that modify or regulate it, or to the Constitution.
Database validity
The owner may revoke authorization and request removal of the data when there is no legal or contractual obligation enforcing the need for them to remain in the database or file of the person responsible or in charge.
The request to remove the information and the revocation of permission shall not take place when the owner has a legal or contractual obligation to remain in the database of the person responsible or in charge.
Owner’s authorization
Notwithstanding the exceptions provided for in Act 1581 of 2012 or those that regulate, augment, execute, complement, modify, suppress, or repeal it, for those cases in which authorization is required for the data treatment, the owner’s prior and informed authorization shall be necessary, and it shall be obtained by any means that may be subject to subsequent consultation.
Mechanism to exercise the rights to consultation and claims
As the owner of your personal data, in order to exercise your rights you may send an e-mail to PPInf@cerrejon.com or a letter to Calle 100 No. 19-54 Piso 12 in Bogotá, specifying names and surnames, contact information (address, physical and/or e-mail, and contact telephone numbers), means to receive an answer to your request, reason(s)/event(s) leading to the claim, description of the right you wish to exercise with Cerrejón, signature, and identification number. You must attach a copy of the owner’s identity document and documents supporting your request and/or violation of your rights.