STAFFINGABROAD S.A.S. Privacy Policy

General Information

STAFFINGABROAD S.A.S., identified with Tax ID No. 901.507.209-8, with headquarters at Carrera 12 #96-81 of Bogotá, D.C. (“STAFFINGABROAD”) is respectful of and is committed to the privacy and safeguard of the data of the persons comprising its stakeholders, including, amongst others: Shareholders, Applicants, Employees, Talents, Clients, Suppliers, Advertising Campaign Participants, Attendants, and Digital Users (“Stakeholders”), as well as, in general, the information of all the individuals from whom it collects and processes Personal Data.


PURPOSE

The purpose of this Privacy Policy (“Policy”) is to describe the practices and standards followed by STAFFINGABROAD during the Processing of the Databases and the Personal Data included in them, to propel the safeguarding of this information and ensure the effective enforcement of Data Subject’s rights. Furthermore, this Policy enables Data Subjects to know how and for what purposes the Processing of their personal information is carried out. Likewise, this Policy aims to ensure that the Processing of Personal Data fully complies with the Colombian Personal Data Protection Regulation (“CDPR”).


SCOPE

The guidelines set forth in this Policy shall be complied with during the Processing of all Personal Data that STAFFINGABROAD collects, stores, uses, transfers, deletes, and/or suppresses, by means of all Employees or Data Processors that carry out the Processing of Personal Data on behalf of and/or in the name of STAFFINGABROAD.


Relevant Terms Defined in This Policy

Consent: It is the prior, express, and informed consent given by the Personal Data Subject to the Controller, which allows it to process his/her Personal Data.

Privacy Notice: It is the verbal or written communication that STAFFINGABROAD discloses to the Data Subject, and by means of which it informs him/her about the existence of the Privacy Policy, the mechanisms available to access it, and the purposes applicable to the Processing of his/her Personal Data.

Database(s): It is the database containing the Personal Data of the Talents to be made available to the Processor, which is under the Controller’s control.

Employees: All individuals linked to STAFFINGABROAD and who carry out activities aimed at developing its purpose, regardless of the type of relationship or contract signed.

Query: It is the consultation made by the Data Subject, the assignee, or his representative regarding the Processing of his Personal Data by the Controller or the Processor.

Cookies: These are files and/or automated tools that the Website installs on the User’s device to collect information, including Personal Data.

Personal Data: It is any information associated or that can be associated with one or several determined or determinable natural persons.

Private Data: It is that which, due to its intimate or reserved nature, is only relevant to the Data Subject.

Public Data: Personal Data that is not semi-private, private, or sensitive. Among others, data related to the marital status of individuals, profession or trade, and the status of merchant or public servant are considered public data.

Semi-private Data: It is information that is not of an intimate, reserved, or public nature and the knowledge or disclosure of which may be of interest not only to its Data Subject but also to a certain sector or group of people or to society in general, such as financial and credit data of business or service activity.

Sensitive Data: Personal Data that affects the privacy of the Personal Data Subject or whose improper use may generate discrimination. Among others, racial or ethnic origin, political orientation, convictions, beliefs, religious, health, sex life, and biometric Personal Data.

Data Processor/Processor: It is the person or legal entity, public or privately owned, which carries out the Processing of the Database on behalf of the Controller, by itself or in association with others.

Website: It is the web browser under STAFFINGABROAD management. It is accessed through the link: https://staffingabroad.com/.

Privacy Policy / Policy: It is this STAFFINGABROAD Privacy Policy.

Accountability Principle: It consists of the obligation of Data Controllers and Processors to comply with the CDPR, being able to demonstrate that they have adopted appropriate and effective measures to fully comply with the requirements of the rules that make up the CDPR.

Complaint: It is the request submitted by the Data Subject, its successor, or representative, before the Data Controller or the Data Processor, in the cases in which he/she considers that the information contained in a Database should be subject to correction, updating, or deletion; or, in the cases in which he/she notices the alleged breach of a duty under the CDPR.

Colombian Data Protection Regulations / CDPR: It is the regulations on the processing of Personal Data in Colombia, which includes both the Colombian General Data Protection Regulations and the Colombian Financial Data Protection Regulations.

Colombian General Data Protection Regulations / CGDPR: Means the general regulations governing the protection of Personal Data in Colombia, which includes Law 1581 of 2012, Law 2300 of 2023, Regulatory Decree 1377 of 2013, Decree 886 of 2014, Unified Regulatory Decree 1074 of 2015, Decree 255 of 2022, Title V of the Unified Directive of the Superintendence of Industry and Commerce and other regulations that complement or modify them.

Colombian Financial Data Protection Regulations / CFDPR: This refers to the special regulations governing the processing of personal data in the context of financial, credit, business, service, and third-country information databases, which include Law 1266 of 2008, Decree 4886 of 2011, Law 2157 of 2021, and Title V of the Unified Directive of the Superintendency of Industry and Commerce and other regulations that complement or modify them.

National Database Registry / RNBD: It is the public directory of free consultation that contains the Personal Data Bases subject to Processing that operate in the country, which is operated by the SIC.

Data Controller: It is the natural or legal person, public or private, that by itself or in association with others, decides on the Processing of the Database and/or the Processing of Personal Data. For the purposes of this Policy, it will be STAFFINGABROAD, unless otherwise indicated.

SIC: It is the Colombian Data Protection Authority, i.e., the Superintendence of Industry and Commerce.

Data Subject(s): The natural person or persons whose Personal Data is held in the Database. In this case, it refers to the Talents.

Controller-to-Controller Transfer: Refers to the transmission of Personal Data between two independent entities (Controllers), located in Colombia or abroad. Both entities independently determine the purposes and means of Processing the Personal Data.

Controller-to-Processor Transfer: Refers to the transfer of Personal Data from a Data Controller to a Data Processor. In this relationship, the controller determines the purposes and means of Processing the Personal Data. The Processor Processes the data on behalf of the Controller, following the latter’s instructions.

Processing: It is any operation or set of operations performed on the Personal Data, such as the collection, storage, use, circulation, or deletion thereof.

User: It is the individual who enters and/or makes use of the Website or its functionalities, such as those available in the sections: “Contact Sales” and “Work With Us.”

GUIDING PRINCIPLES FOR PROCESSING PERSONAL DATA

STAFFINGABROAD will follow these principles during the Processing of the Databases and the Personal Data included therein:

  1. Principle of Restricted Access and Disclosure:
    The Processing shall be subject to the limits derived from the nature of the Personal Data, the Constitution, and the CDPR. Access to Personal Data must be adequate, relevant, and limited to the people authorized by the Data Subject and/or to the individuals provided for in the CDPR. The Databases and Personal Data, with the exception of Public Data, may not be made available on the Internet or other means of dissemination or mass communication unless access is technically controllable to provide restricted access solely to Controllers, Data Subjects, or authorized third parties.

  2. Confidentiality Principle:
    The reserve and integrity of the Personal Data shall be guaranteed by means of technical, legal, and administrative safeguards, even after the tasks that comprise the Processing have been completed. The provision or communication of Personal Data shall only be carried out when it pertains to the development of the processing activities allowed by the CDPR.

  3. Principle of Freedom:
    Processing may only be carried out with prior, express, and informed Consent granted by the Data Subject. Personal Data may not be obtained or disclosed without prior Consent or in the absence of a legal or judicial mandate that relieves this Consent.

  4. Principle of Purpose:
    The Processing of Personal Data must obey legitimate purposes in accordance with the Constitution, the Law, and the CDPR. Moreover, such purposes must be informed to the Data Subject and consented to by him/her in an express, prior, and informed manner, with the exception of those cases expressly exempted under the CDPR.

  5. Legality Principle:
    The Processing of Personal Data shall comply with the provisions applicable under the CDPR.

  6. Security Principle:
    All necessary technical, human, and administrative measures shall be implemented to provide security to the Databases and Personal Data, avoiding unauthorized or fraudulent adulteration, loss, consultation, use, or access.

  7. Principle of Truthfulness or Quality of Information:
    The Personal Data subject to Processing shall be truthful, complete, accurate, up-to-date, verifiable, and understandable. Partial, incomplete, fractioned, or misleading data shall not be processed.

  8. Principle of Transparency:
    The right of the Data Subject to obtain from the Controller or Processor, at any time and without restrictions, information about the existence of the Personal Data concerning him/her shall be guaranteed.

  9. Principle of Minimization:
    It shall be ensured that only Personal Data that are adequate, pertinent, and limited to what is necessary for each of the specific purposes of the Processing shall be used.

  10. Principle of Accountability:
    Appropriate and effective measures shall be implemented to enable compliance with the obligations and duties set forth in the CDPR, as well as to ensure the enforcement of the provisions contained in this Policy within the company.


PERSONAL DATA PROCESSED BY STAFFINGABROAD

STAFFINGABROAD will collect different types of Personal Data based on the context of its dealings with Data Subjects, future requests made by such Data Subjects regarding the Processing of their information, the services or products being used by the Data Subject, their location, and the applicable law. The Personal Data that STAFFINGABROAD may collect includes:

  1. Name, identification type, and number.
  2. Contact information (i.e., physical address, telephone number, and e-mail).
  3. Job title or profession.
  4. Educational level.
  5. Information related to performance reviews and payroll.
  6. Demographic, social, and/or geolocation data.
  7. Credit or financial information.
  8. Billing information.
  9. Interests or preferences.
  10. Data Subject’s signature.
  11. Voice, image, and/or video records.
  12. Data associated with the health state, physical condition, and other related information.
  13. Certificates of affiliation to EPS, ARL, and other institutions related to the social security system.
  14. Electronic identification data or web credentials and Website information, including technical information about the IP address, connection means, or Internet service provider number.
  15. Navigation information on the Website and in general on the Internet.

The Personal Data indicated in item 15 are considered Sensitive Data and thus its Processing will follow all the procedures established for such information in accordance with this Policy.


LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA

STAFFINGABROAD will only process Personal Data that has been previously, expressly, and informedly consented to by the Data Subject via written or verbal Consent, or by means of an unequivocal conduct performed by the Data Subject, or those Personal Data that, in accordance with what is expressly established in the CDPR, do not require the Data Subject’s Consent for processing. A copy of such Consent will be kept by STAFFINGABROAD.

At the moment the Data Subject grants his or her Consent, STAFFINGABROAD will inform him or her of the Processing to which his or her Personal Data will be subject and the purposes thereof, his or her rights, and the means by which he or she may exercise them. The Data Subject may revoke his or her Consent and request the immediate deletion of his or her Personal Data through the channels established in this Policy unless there is a contractual or legal duty to remain in the Database.

Furthermore, in the context of recruitment processes, it is possible that STAFFINGABROAD Employees or Talents may submit Personal Data of referred Applicants, such as their resume and/or contact information. By submitting this Personal Data, the referrer declares to have informed the Data Subject of this circulation of information to STAFFINGABROAD, who will process the Personal Data as Controller, within the scope of the corresponding recruitment process. Likewise, the referrer declares to have informed the Data Subject about STAFFINGABROAD’s identification, his/her rights as a Data Subject, and that the information will be processed for the purposes stated above, declaring that the Data Subject has granted his/her Consent in those terms to submit his/her Personal Data to STAFFINGABROAD. In any case, STAFFINGABROAD will carry out the necessary measures to verify that the Data Subject has effectively given his or her Consent in the terms set forth by the CDPR and, if not, will immediately proceed with the deletion of the personal information.

STAFFINGABROAD will not be obliged to request Consent from the Data Subject when it pertains to:

  1. Information required by a public or government entity in the fulfillment of its legal functions or pursuant to a court order.
  2. Public Data.
  3. Cases of medical or health emergency.
  4. Information authorized by law for historical, statistical, or scientific purposes.
  5. Information related to an individual’s civil registry.

In the aforementioned events, and in compliance with its legal duties, STAFFINGABROAD may collect Personal Data, including Sensitive Data, and transfer or deliver them to the corresponding public or government entities, or to the organizations that they delegate, in the exercise of their functions, without it being necessary to warn the Data Subject of this fact. In these scenarios, STAFFINGABROAD will refrain from using the Personal Data for purposes other than those permitted by its legal obligations or those authorized by the Data Subject.

HOW DO WE PROCESS PERSONAL DATA?

STAFFINGABROAD will process the Personal Data of the individuals who comprise its Stakeholders, directly, through its Employees, or through its Data Processors, and in that regard, it will have all the obligations and rights set forth under the CDPR. Specifically, the Processing of Personal Data shall be subject to the provisions of this Policy.


FOR WHAT PURPOSES DO WE PROCESS PERSONAL DATA?

Stakeholders and Purposes of Processing

Shareholders:

  • Maintain efficient communication with information that is useful for the development and fulfillment of existing obligations with Shareholders, including all those related to corporate governance.
  • Communication, registration, filing, organization, processing, and management of the actions, strategies, and activities in which the Shareholders are involved.
  • Consult and report information to restrictive lists, credit bureaus, and/or other information operators.
  • File tax returns.
  • Carry out registration procedures required before the respective Chamber of Commerce and appointment procedures before competent authorities when applicable.
  • Perform administrative, accounting, and tax activities to comply with social, corporate, tax, or credit obligations.
  • Send communications through various media for business, advertising, or promotional purposes.
  • Submit information to control and surveillance authorities, support internal or external audits, and perform statistical or accounting processes.
  • Verify and update personal data and inform about changes in the Policy or Processing purposes.
  • Transfer personal data to third parties, inside or outside Colombia, for relationship-related activities or strategic transactions.

Applicants, Employees, and Talents:

  • Perform activities necessary to execute contracts and fulfill employment obligations, including salaries, social benefits, and others.
  • Conduct recruitment and evaluation processes, including interviews, technical tests, and background checks.
  • Store and manage information for recruitment and labor purposes.
  • Manage access to STAFFINGABROAD platforms and ensure compliance with security policies.
  • Conduct wellness programs and manage social security system participation.
  • Collect and use data for medical tests, emergencies, and benefits like insurance.
  • Monitor technological tools, emails, and other devices used for work purposes.
  • Retain resumes for future recruitment processes.
  • Collect and use images, audio, and video for communications and promotional purposes.
  • Submit information to social security, regulatory entities, and auditors.
  • Transfer data for outsourcing, labor services, or strategic transactions.

Suppliers:

  • Contact and hire suppliers for business activities and facility needs.
  • Execute contracts with suppliers, report accounting, legal, and tax information, and verify credit information.
  • Perform administrative, tax, and due diligence tasks.
  • Send communications for business or promotional purposes.
  • Submit information to regulatory entities and support audits.
  • Transfer data for relationship-related activities or strategic transactions.

Clients:

  • Provide services and execute business relationships.
  • Conduct satisfaction surveys, statistical studies, and data analysis.
  • Process inquiries and requests through available contact methods.
  • Verify and report credit and financial information.
  • Certify business relations and perform tax, accounting, and administrative tasks.
  • Send promotional communications through various media.
  • Transfer data for relationship-related activities or strategic transactions.

Attendees:

  • Enable participation in events hosted or sponsored by STAFFINGABROAD.
  • Perform statistical studies, data analytics, and business intelligence.
  • Collect images, audio, and video for communications and promotional purposes.
  • Develop market strategies, including customer loyalty programs.
  • Transfer data for audits, compliance, and strategic transactions.

Advertising Campaign Participants:

  • Collect and use images, audio, and video for reports and promotional activities.
  • Develop strategies for customer loyalty and market expansion.
  • Perform tax, accounting, and administrative tasks.
  • Transfer data for audits, compliance, and strategic transactions.

Digital Users:

  • Conduct satisfaction surveys and monitor service quality.
  • Send personalized communications and advertising content.
  • Analyze user activities and ensure website security.
  • Transfer data for audits, compliance, and strategic transactions.

HOW DO WE PROCESS SENSITIVE DATA?

In cases where this is absolutely necessary, STAFFINGABROAD will collect and/or process Sensitive Data. If applicable, STAFFINGABROAD will inform the Data Subjects which Sensitive Data would be subject to Processing, the specific purposes of its Processing, and that the Data Subject is not obliged to provide it unless there is a legal duty requiring it.

Sensitive Data may include health or biometric information used for:

  • Occupational medical tests and entrance exams.
  • Identity verification.
  • Compliance with legal or contractual obligations.

HOW DO WE PROCESS MINORS’ PERSONAL DATA?

STAFFINGABROAD will limit the collection and Processing of minors’ Personal Data to specific contexts such as:

  • Employment or internship applications.
  • Compliance with social security obligations for minors related to Employees or Talents.
  • Participation in social or charitable activities.

In all cases, STAFFINGABROAD ensures:

  • The Processing respects minors’ fundamental rights and best interests.
  • Consent is obtained from a legal guardian, and measures are taken to verify their authority.

STAFFINGABROAD’s communication channels are intended exclusively for adults. If minors’ data is unintentionally collected, STAFFINGABROAD will delete it immediately upon detection or notification.


HOW IS UNSOLICITED PERSONAL DATA PROCESSED?

Unsolicited Personal Data received by STAFFINGABROAD will be processed under the assumption that the Data Subject has authorized its use through unequivocal conduct. This includes:

  • Submissions by individuals applying for jobs, partnerships, or client relationships through unofficial channels.
  • Requests, complaints, or claims submitted voluntarily.

In such cases, STAFFINGABROAD will request formal Consent for additional Processing purposes if the relationship is formalized.


WHO HAS ACCESS TO THE PERSONAL DATA?

Access to STAFFINGABROAD’s Databases is restricted to authorized Employees who require it for their duties. Personal Data may be shared with:

  • Third-party suppliers acting as Processors.
  • Clients or affiliates under strategic relationships.
  • Public or government entities as required by law.

Aggregated, anonymized data may also be shared with business partners or affiliates for analytics or marketing purposes.


WHEN DOES STAFFINGABROAD ACT AS A PROCESSOR OF PERSONAL DATA?

In the “Elite Recruiter” service, STAFFINGABROAD acts as a Processor, while Clients act as Controllers. STAFFINGABROAD ensures compliance with CDPR, including verifying Consent from Data Subjects.


WHAT IS STAFFINGABROAD’S COMMITMENT TO INFORMATION SECURITY?

STAFFINGABROAD implements industry-standard measures to ensure Personal Data is protected against unauthorized access, tampering, or loss. Stakeholders are encouraged to report any concerns about data security immediately.


FOR HOW LONG IS PERSONAL DATA PROCESSED?

STAFFINGABROAD retains Personal Data only as long as necessary to fulfill the purposes for which it was collected or comply with legal obligations. Data is deleted or destroyed after these requirements are met.


HOW IS PERSONAL DATA OF THIRD PARTIES WHO ARE PART OF THE STAKEHOLDERS PROCESSED?

STAFFINGABROAD assumes Stakeholders have obtained Consent from third parties before providing their Personal Data. If Consent is not obtained, STAFFINGABROAD will limit itself to Processing Public Data only.


WHAT ARE DATA SUBJECTS’ RIGHTS?

Data Subjects have the right to:

  • Access, update, and rectify their Personal Data.
  • Request proof of Consent.
  • Revoke Consent or request deletion of their Personal Data.
  • File complaints with the SIC for violations of the CDPR.
  • Submit a Subject Rights Request here
 
 

WHO IS RESPONSIBLE FOR HANDLING QUERIES AND COMPLAINTS AT STAFFINGABROAD?

Administrative Area

Queries or complaints must be submitted to this contact, clearly describing the request.


COOKIES ON THE WEBSITE

STAFFINGABROAD uses Cookies for various purposes, including ensuring website functionality, analyzing user behavior, and personalizing content. Users can accept, reject, or customize Cookie preferences via the Privacy Notice.


POLICY ENFORCEMENT AND VALIDITY OF DATABASES

The Policy is effective from November 20, 2024. Databases will remain valid as long as necessary for the purposes outlined in this Policy. Substantial changes to the Policy will be communicated via the STAFFINGABROAD website.

STAFFINGABROAD S.A.S.
Tax ID: 901.507.209-8
Address: Carrera 12 #96-81, Bogotá, D.C., Colombia
Email: administrative@staffingabroad.com
Phone: +1 (209) 665 3039