Comprehensive Personal Data Program
CONTENTS
LEGAL NATURE OF GEB
NATURE OF THE PERSONAL DATA SUBJECT TO TREATMENT
TYPE OF TREATMENT
POTENTIAL RISKS
THE ORGANIZATION’S COMMITMENTS IN CONNECTION WITH PERSONAL DATA PROTECTION
a. Senior Management’s Commitment
b. Personal Data Protection Officer
COMPREHENSIVE PERSONAL DATA SYSTEM (SIGDP)
a. Operating procedures
b. Procedures related to personal data protection
c. Identification and management of risks associated with personal data treatment
d. Ongoing training and education programs
e. Management response protocols in the event of breaches or incidents
f. Legal instruments
g. Sustainability of the Comprehensive Personal Data Management Program
Comprehensive Personal Data Program [1]
LEGAL NATURE OF GEB
GEB is a mixed public-private utility services company, incorporated as a joint stock corporation pursuant to the provisions of Law 142/1994. The Company is autonomous in terms of its administration, equity and budget, and it does business under the private law regime, with the status of a sui generis trade company acting as a public utility services company. Its main business is the transmission of electric energy, and it therefore has no end users.
[1] For the purposes of the Comprehensive Management System (CMS) of GEB SA ESP, this document is a guideline that is not controlled by the CMS.
[Figure: components of the personal data protection program. Personal Data Organization; Personal Data Protection Committee; Pending Auditing; Training and Awareness-Raising; Risk Management.]
NATURE OF THE PERSONAL DATA SUBJECT TO TREATMENT
The purpose of the treatment of personal data performed by GEB is to carry out its business activity, the transmission of electric energy, which is a highly regulated activity in Colombia. Since electric energy transmission complements the household electric energy public utility service, the organization has no end users, and most of the personal data subject to treatment are public data. Exceptionally, however, treatment is performed on private or sensitive data or on data of minors, in which case the organization fully complies with the rights and guarantees established by law.
TYPE OF TREATMENT
The type of treatment performed by GEB is to gather, input, store and query personal data contained in databases on shareholders, social projects, human resources, SAP, Board members, rights of way, suppliers, contractors and stakeholders. GEB neither sells nor transfers its databases, and, with only a few special exceptions such as external auditors or control entities, the databases are not accessed by external third parties.
POTENTIAL RISKS
GEB has a risk management system in place that enables the identification, measurement, control and monitoring of events or situations that pose a risk to the adequate management of personal data. The risk matrix includes causes and consequences, as well as the controls described in annex No. 1.
THE ORGANIZATION’S COMMITMENTS IN CONNECTION WITH PERSONAL DATA PROTECTION
A. SENIOR MANAGEMENT’S COMMITMENT
Through the establishment of the policy on personal data protection and treatment, senior management has formally declared its commitment to responsibility in the treatment of personal data, and guarantees the owners of the data their right to know, update and correct the information gathered on them in GEB’s structured and unstructured databases. Additionally, a corporate Information Security and Cybersecurity Committee has been established to address aspects related to personal data protection, with the following duties:
- Oversee the protection of the personal data collected and processed by GEB.
- Assure the rights of the owners of the personal data.
- Provide channels and procedures to process inquiries, requests and complaints.
- Ensure that the personal data has been obtained on the basis of authorization, unless no authorization is required.
- Provide conditions of security and privacy for the owners’ data.
- Comply with the instructions and requirements issued by the competent administrative authority.
- Monitor the comprehensive personal data protection program through the established information mechanisms.
B. PERSONAL DATA PROTECTION OFFICER
The Personal Data Protection Officer of GEB S.A. ESP will support and guide the implementation of the accountability principle (responsabilidad demostrada, or demonstrated responsibility).
The following are this role’s duties within the PDVA cycle (Plan, Do, Verify and Act):
The duties of the Personal Data Protection Officer are established in the internal manual on personal data protection policies and procedures.
COMPREHENSIVE PERSONAL DATA SYSTEM (SIGDP)
A. OPERATING PROCEDURES: These are the procedures for gathering and using personal data within GEB and for addressing requests made by data owners in exercise of their rights. They consequently require the definition of the employees, roles and activities needed to ensure compliance with Law 1581/2012 and its regulatory decrees.
B. PROCEDURES RELATED TO PERSONAL DATA PROTECTION: These are the procedures for protecting personal data during treatment, taking into consideration the life cycle of the information (gathering, storage, access, use, deletion and exchange).
C. IDENTIFICATION AND MANAGEMENT OF RISKS ASSOCIATED WITH PERSONAL DATA TREATMENT: In order to assess and anticipate possible non-compliance with personal data protection regulations, the risks associated with personal data treatment have been identified.
D. ONGOING TRAINING AND EDUCATION PROGRAMS: The Company is aware that the success of the SIGDP (Spanish acronym for the comprehensive personal data management system) largely depends on developing a culture of personal data protection at all levels of the organization.
E. MANAGEMENT RESPONSE PROTOCOLS IN THE EVENT OF BREACHES OR INCIDENTS: With regard to information security, GEB has a procedure in place to respond to incidents, including those related to personal data. Any employee or third party who detects or suspects a security event that may constitute an incident can report it. The Technology Area is responsible for handling it.
F. LEGAL INSTRUMENTS: Implementation of the Comprehensive Personal Data Management Program has involved developing and adjusting the documentation in accordance with legal components such as agreements, contracts, forms and notices, among others, to comply with personal data protection legislation and to regulate relations with different participants such as the owners, those responsible for processing and the employees.
G. SUSTAINABILITY OF THE COMPREHENSIVE PERSONAL DATA MANAGEMENT PROGRAM
The Comprehensive Personal Data Management Program requires resources to operate, namely financial, time, technical and human resources, which must be provided by Senior Management.
Additionally, in order to ensure compliance with Law 1581/2012 and its decrees, and to ensure that the Program remains suitable, adequate and effective over time, ongoing assessment and review of its controls are required.
Such reviews form part of the continuous improvement cycle implemented through the phases of the PDVA cycle [2], which stands for Plan, Do, Verify and Act.
The following are the main activities within each phase of the cycle:
[2] This cycle is used by other corporate systems, including the Information Security Management System (SGSI for the
- Plan: It includes reviewing the organization’s status in terms of compliance, with the assistance of the following, among others: (i) audits; (ii) assessment of gaps in compliance; (iii) identification of weaknesses in responses to inquiries and complaints; and (iv) review of trends and legal obligations related to personal data protection. This phase helps determine the actions to be implemented by GEB to improve the effectiveness of the Comprehensive Personal Data Management Program.