PERSONAL DATA PROCESSING POLICY

This Personal Data Processing Policy is issued by VOET, in compliance with Article 15 of the Political Constitution of Colombia, Law 1581 of 2012, Decree 1377 of 2013, and other applicable regulations on the protection of personal data. Its purpose is to regulate the collection, storage, use, circulation, and deletion of personal data processed by VOET, in order to guarantee the rights of their owners.

VOET is committed to the proper handling of personal data and to respecting the rights of all data subjects whose information it processes, including clients, prospects, employees, contractors, suppliers, and third parties.

This Policy is mandatory for VOET, its employees, contractors, and any third party acting on its behalf.

1. IDENTIFICATION OF THE COMPANY

Name: VOET
Activity: Marketing and commercialization of perfumes and related products, including online retail (e-commerce).
Email for data protection matters: liderproyectos@mansionparis.co
Phone: 311 3814878

VOET receives, transmits, and processes personal data in Colombia and, where applicable, abroad, in connection with its business activities, operations, and legal obligations.

2. OBJECTIVE

This Policy is intended to ensure that VOET complies with applicable personal data protection laws and to establish the procedures for handling requests, queries, and claims from data subjects regarding their personal data.

3. SCOPE

This Policy applies to all databases and personal data files administered by VOET, as well as to any personal data VOET accesses in the context of commercial, contractual, or cooperative relationships with third parties (alliances, partners, service providers, etc.).

VOET may act as:

  • Data Controller (Responsable): when it decides on the purposes and means of processing personal data.

  • Data Processor (Encargado): when it processes personal data on behalf of another Controller.

4. DEFINITIONS

For purposes of this Policy, the following definitions apply (based on Law 1581 of 2012 and its regulations):

  • Authorization: Prior, express, and informed consent of the Data Subject for the processing of his or her personal data.

  • Database: Organized set of personal data subject to processing, regardless of the medium.

  • Personal Data: Any information linked or that can be associated with one or more identified or identifiable natural persons.

  • Sensitive Personal Data: Information that affects the privacy of the Data Subject or whose misuse may lead to discrimination (e.g. health data, biometric data, political or religious beliefs).

  • Public Data: Data that is not semi-private, private, or sensitive and that is considered public by law or the Constitution (such as information in public records, official bulletins, etc.).

  • Private Data: Data that due to its intimate or reserved nature is only relevant to the Data Subject.

  • Semi-private Data: Data that is not intimate, reserved, or public and whose knowledge may be of interest not only to the Data Subject but to a certain group or the general public (e.g. credit history).

  • Data Controller: Person or entity that decides on the database and/or the processing of the data.

  • Data Processor: Person or entity that processes personal data on behalf of the Controller.

  • Data Subject: Natural person whose personal data is processed.

  • Processing (Tratamiento): Any operation or set of operations on personal data, such as collection, storage, use, circulation, and deletion.

  • Transfer: Sending personal data by a Controller and/or Processor in Colombia to another Controller in Colombia or abroad.

  • Transmission: Processing involving the communication of personal data within or outside Colombia when the purpose is to carry out processing by a Processor on behalf of the Controller.

  • Prior Procedure Requirement: Before filing a complaint before the Superintendence of Industry and Commerce (SIC), the Data Subject must first submit a query or claim to the Controller or Processor.

5. PRINCIPLES GOVERNING PERSONAL DATA PROCESSING

VOET will apply the following principles in all processing activities:

  • Legality: Processing is subject to Colombian data protection laws.

  • Purpose: Processing must pursue a legitimate, informed, and specific purpose, which is communicated to the Data Subject.

  • Freedom: Data processing requires prior, express, and informed Authorization from the Data Subject, unless legal exceptions apply.

  • Veracity or Quality: The information processed must be true, accurate, complete, updated, verifiable, and understandable.

  • Transparency: VOET guarantees the Data Subject’s right to obtain information about the existence and use of their personal data at any time.

  • Access and Restricted Circulation: Data processing is subject to authorization and may only be accessed by authorized persons.

  • Security: VOET implements technical, human, and administrative measures to protect data against unauthorized or fraudulent access, use, loss, or alteration.

  • Confidentiality: All persons involved in processing must keep personal data confidential, even after their relationship with VOET ends.

6. PROCESSING AND PURPOSES

VOET processes personal data using physical, automated, or digital means, depending on how data is collected. Typical purposes include, but are not limited to:

For Clients and Users

  • Manage customer relationships and sales of VOET perfumes and related products.

  • Process orders, payments, billing, and collections.

  • Conduct loyalty, marketing, and communication campaigns.

  • Send commercial and promotional information (products, launches, offers, news).

  • Manage service requests, complaints, and claims.

  • Conduct surveys and satisfaction studies.

For Suppliers and Contractors

  • Manage supplier records and contracts.

  • Process purchases of goods and services.

  • Make payments and manage billing.

  • Control access to facilities and systems when necessary.

For Employees and Candidates

  • Conduct recruitment, selection, and hiring processes.

  • Manage employment relationships, payroll, benefits, and legal obligations.

  • Administer health, occupational safety, and training programs.

  • Control access, attendance, and use of company resources.

For Security and Compliance

  • Use security systems, including video surveillance, to protect people, property, and facilities.

  • Generate evidence for internal investigations or legal proceedings, where applicable.

  • Comply with legal, tax, accounting, and regulatory requirements.

VOET may also:

  • Organize, classify, and update personal data.

  • Verify, validate, and cross-check data with legally authorized sources (e.g. credit or risk centers, public records).

  • Transfer or transmit data to affiliates, business partners or service providers (including cloud services), under contractual obligations of confidentiality and security.

7. RIGHTS OF DATA SUBJECTS

Data Subjects have the following rights:

  • Access: To know what personal data VOET holds and how it is processed.

  • Update and Rectification: To request correction or updating of inaccurate, incomplete, or outdated data.

  • Deletion: To request deletion of data when it is not required for legal or contractual purposes or when processing is inappropriate.

  • Revocation of Authorization: To revoke consent when there is no legal or contractual obligation that requires data to be kept.

  • Proof of Authorization: To request evidence of the Authorization granted, unless legally exempt.

  • Information on Use: To be informed about how their personal data has been used.

  • Complaint to the SIC: To file a complaint before the Superintendence of Industry and Commerce after having exhausted the internal consultation or claim process with VOET.

Access to personal data is free of charge at least once every calendar month, under the terms of the applicable regulation.

8. DUTIES OF VOET AS DATA CONTROLLER

When acting as Data Controller, VOET will:

  • Guarantee the full and effective exercise of the Data Subject’s habeas data rights.

  • Request and keep evidence of Authorizations granted by Data Subjects.

  • Inform Data Subjects about the purposes of data collection and the rights they have.

  • Respond to queries and claims within legal deadlines.

  • Keep information under appropriate security standards.

  • Update data when required.

  • Rectify personal data when it is incorrect or incomplete.

  • Provide Processors only with data necessary for the agreed processing.

  • Ensure that data delivered to Processors is accurate, complete, and up to date.

  • Inform Processors about any updates, corrections, or news regarding the data.

  • Require Processors to respect security and confidentiality conditions.

  • Inform the Processor when data is under dispute by the Data Subject.

9. AUTHORIZATION FOR DATA PROCESSING

VOET will obtain prior, express, and informed Authorization from Data Subjects before processing their data, except when the law allows an exception (e.g. public data, administrative or judicial requirements).

Before obtaining Authorization, VOET will inform the Data Subject of:

  • The purposes of processing.

  • The voluntary nature of providing sensitive data or data of children and adolescents.

  • Their rights as Data Subjects (as per Article 8 of Law 1581 of 2012).

  • VOET’s identification and contact details.

Authorization may be obtained through written forms, digital mechanisms (website, apps), verbal acceptance (with record), or unequivocal conduct that clearly indicates consent.

Sensitive Data:
Processing sensitive personal data requires explicit Authorization. Data Subjects are informed that they are not obliged to authorize processing of sensitive data, and VOET will clearly identify which data is sensitive and for what purpose it will be processed.

Children and Adolescents:
Processing personal data of children and adolescents will only be carried out when it responds to and respects their best interests, and with prior, express, and informed Authorization from their parents or legal representatives.

10. NATIONAL AND INTERNATIONAL TRANSFER / TRANSMISSION OF DATA

VOET may transfer or transmit personal data nationally or internationally to:

  • Affiliates, subsidiaries, or parent companies.

  • Service providers and business partners that support VOET’s operations.

  • Entities required by law or judicial/administrative order.

Such transfers or transmissions will be carried out in accordance with applicable law, ensuring that recipients implement appropriate security and confidentiality measures.

11. PROCEDURE TO EXERCISE RIGHTS

Data Subjects or their legitimate representatives may exercise their rights of access, updating, rectification, deletion, and revocation through the following channel:

Email: liderproyectos@mansionparis.co

To handle requests properly, VOET may require:

  • Full name and identification of the Data Subject or representative.

  • Description of the request (query, update, correction, deletion, revocation, etc.).

  • Supporting documentation, when necessary.

  • Contact information for response (email or physical address).

Queries:
VOET will respond to queries within a maximum period of ten (10) business days from the date of receipt. If it is not possible to respond within that period, VOET will inform the interested party of the reasons and indicate a new date for response, which will not exceed five (5) additional business days.

Claims (correction, update, deletion, or alleged breach):
Claims must contain at least: identification of the Data Subject, description of the facts, the request, contact information, and evidence when relevant. If the claim is incomplete, VOET will request correction within five (5) business days of receipt. If the information is not provided within two (2) months, the claim will be deemed withdrawn.

The maximum period to respond to a claim is fifteen (15) business days from the day after receipt. If it is not possible to respond within that time, VOET will inform the reasons and indicate a new date, which will not exceed eight (8) additional business days.

12. DATA PROTECTION OFFICER (DPO)

VOET appoints a person/area responsible for Personal Data Protection, who can be contacted at:

Email: liderproyectos@mansionparis.co

All new projects that involve personal data processing must be reviewed with the Data Protection Officer to ensure compliance with this Policy and with applicable regulations.

13. INFORMATION SECURITY

VOET adopts technical, administrative, and organizational measures to safeguard personal data against unauthorized or fraudulent access, use, alteration, loss, or disclosure. Internal security policies and procedures are documented and are binding on all personnel with access to personal data.

14. EFFECTIVE DATE AND DATA RETENTION

This Policy enters into force on the date of publication on VOET’s official channels and remains in effect as long as VOET processes personal data.

Personal data will be retained for the time necessary to fulfill the purposes of processing and to comply with legal, contractual, accounting, and regulatory obligations, in accordance with Article 11 of Decree 1377 of 2013.

15. AMENDMENTS TO THIS POLICY

VOET may amend or update this Policy at any time to reflect changes in internal practices, legal requirements, or regulatory guidelines. Any modification will be communicated through the website or other suitable channels, indicating the date of the latest update.