Spanish English
About Us   l   Mission and Vision   l   Brief History   l   Certifications



1. General information

SOCIEDAD EXPORTADORA DE CAFE DE LAS COOPERATIVAS DE CAFICULTORES S A EXPOCAFE S A, a company incorporated and existing under the laws of the Republic of Colombia, with Tax ID 860.525.060 - 6, registered office in Bogotá, D.C., headquarters in carrera 7 No. 74-36 Piso 3 telephone number (571) 3437050 (the “Company”), is an entity committed to the protection of the privacy and any information that may be associated or related to specific or determinable natural persons (the “Personal Data”), to which it has access in the development of its commercial activities. In this regard, the Company receives, collects, uses, manages, processes, analyzes, segments, indexes, profiles, transmits, transfers, condense, anonymizes, stores and generally processes Personal Data such as identification (name, identity card, gender), contact (telephone, email, address), consumer preferences, visits and behavior on the Internet and financial information, among others, information that may be obtained during the course and for the realization of its business activities.

2. Scope of this Policy

The Company's Information Treatment Policy (the “Policy”) is addressed to business partners, suppliers, customers, employees, collaborators, contractors and, in general, any person whose Personal Data are or will be handled by the Company (the “Holders”), and is intended to guarantee the rights of the Holders; describe the mechanisms and procedures for enforcing these rights; identify the area or person in charge within the Company to handle the consultations, questions, claims and complaints, and, finally, describe the purposes and types of Treatment (as defined below) to which the Personal Data will be submitted in the development of the Company's business activities.

This Policy shall apply to any Treatment performed within the territory of the Republic of Colombia by the Company, its employees and, where applicable, by those third parties that the Company engages to perform all or part of any activity related to the Treatment of Personal Data for which the Company is Responsible (as defined below).

The Policy will apply to third parties with whom the Company may eventually enter into Transmission agreements (as defined below), in order for such third parties to be aware of the obligations that will apply to them, the purposes to which they must submit and the security and confidentiality standards they must adopt when performing the Treatment on behalf of the Company.

3. Main definitions

Expressions that are in parentheses, underlined and written with initial capital letters in this Policy will have the meaning given to them before parentheses. The terms not defined shall have the meaning that the law or the jurisprudence applicable in Colombia confers. Notwithstanding the foregoing, the most relevant terms of this Policy are defined below:


4. Principles

Any Treatment performed by the Company, the Persons in Charge and/or third parties to whom Personal Data is Transferred and/or Transmitted shall comply with the principles established in the Law and in this Policy. These principles are:


5. Types of Personal Data and ways in which they are collected

The Company obtains Personal Data and information that does not allow individualization of the individual, and processes the information that results from the combination of these two data types, as joint information.

The Company obtains and processes the following categories of information, including Personal Data:

a. Information that is obtained when registering new providers and contractors, which may include but not is not limited to the name and surname of the employees, company name, place of residence, physical address, email address, telephone and fax.

b. Information that is obtained from potential workers and people employed, which may include but is not limited to name and surname, place of residence, nationality, gender, physical address, email address, telephone and fax.

c. Registration information that the Holders provide when they enter information on the Company's website and other electronic channels, which may include, but is not limited to, name and surname, identity document, telephone, and email.

d. Information of customers and potential customers that they provide when, for instance, requesting quotations or acquiring the Company's products or services, including but not limited to name and surname, company name, place of residence, physical address, e-mail address, telephone and fax.

6. Treatment and storage

Personal Data may be stored and hosted in Colombia and abroad. The storage of Personal Data may be entrusted to a third party, who may be domiciled in a country other than Colombia. In any case, the Company will ensure that the Personal Data is Treated in accordance with this Policy and with the Law.

7. Treatment and purposes

In the course of its business activities, the Company will collect, use, manage, store, analyze, anonymize, index, segment, profile, condense, process, transmit, transfer and perform various operations with Personal Data. Accordingly, the Personal Data Treated by the Company must be submitted only to the purposes indicated below or those that are accepted by the Holders at the time of the collection of Personal Data. Likewise, the Persons In Charge or third parties who have access to Personal Data under the Law, contract or other binding document, will perform the Treatment for the attainment of the following purposes:


8. Rights of the Holders

In accordance with the Law, the Holders have the following rights:


The Holders may exercise their rights of Law and perform the procedures established in this Policy by exhibiting their identity card or any identification document. Minors may exercise their rights in person or through their parents or adults who have parental authority, who must prove so through the relevant documentation. Likewise, the rights of the Holder may be exercised by all who are Entitled by submitting the respective document.

9. Sensitive Data

In the context of its business activities, the Company may collect and Treat Sensitive Data, such as but not limited to:


Sensitive Data will be Treated as diligently as possible and with the highest security standards. Limited access to Sensitive Data will be a guiding principle to safeguard their privacy, so only authorized personnel can access such information.

The Authorization for the Treatment of Sensitive Data is optional and entirely discretionary for the Holder, so that no activity will be restricted or dependent on the supply thereof, thus the Holder may not authorize the Treatment of his/her Sensitive Data and that decision will be respected by the Company.

10. Personal data of children and adolescents

The Treatment of Personal Data of children and adolescents by the Company may only be done in compliance with the provisions of article 7 of Law 1581 of 2012 and other corresponding regulation or that replace it, and subject to the requirements established by the applicable regulations.The following measures will be taken into account when Treating Personal Data of children and adolescents:

a. Notification to parents about the practices implemented by the Company in relation to the Personal Data of children and adolescents, including the types of Personal Data to be collected, the forms of Treatment, the purposes that will be pursued with the Treatment and if the information will be shared and with whom.

b. The Authorization will be obtained from the children and adolescents and their parents or guardians to perform the Treatment of Personal Data of the former.

c. Only the Personal Data of children and adolescents that are strictly necessary will be collected or Treated, according to the respective intended purpose.

d. Parents will be allowed access or the possibility of requesting access to the Personal Data of children and adolescents, as well as the possibility of requesting that they be changed or deleted.

11. Authorization

Every Treatment must be preceded by obtaining the Authorization. To this end, the Company, its employees and Authorized third parties must refrain from collecting and Treating Personal Data if the Holder has not signed the respective Authorization. In addition, they must keep a copy of this Authorization for future consultations.

12. Area of Personal Data protection

The area in charge of handling all matters related to personal data is Customer Service, for example.

The Company has the Internal Control Area that is in charge of receiving and handling Requests, Complaints and Claims related to Personal Data. The Internal Control Department will be the one who will specifically process the consultations and claims regarding Personal Data in accordance with the Law, the Manual and this Policy. Some of the particular functions of this area in relation to Personal Data are:

a. Address and receive all the requests of the Holders, process and respond requests such as:

* Requests for updating Personal Data.

* Requests for knowing Personal Data.

* Requests for deletion of Personal Data.

* Requests for revocation of the authorization when, in accordance with the Law, such revocation is applicable.

* Requests for information on the Treatment given to Personal Data.

* Requests for information on the purposes of the Treatment.

* Requests to obtain proof of the Authorization granted, when it has proceeded according to the Law.

* Respond to the Holders on those requests that do not proceed in accordance with the Law.

b. Ensure the protection of the Holder’s Personal Data.

c. Ensure the implementation of good practices of Personal Data management inside the Company.

d. • Register the Databases managed by the Company in the National Registry of Databases and update such registry when necessary.

The contact details of the person in charge are:


13. Procedures for exercising the rights of the Holders

13.1. 13.1. Consultations

The Company has several mechanisms for the Holder, Entitled, or representatives of minors Holders, to make all kinds of consultations regarding:

a. What are the Personal Data of the Holder that rest in the Company’s Databases?

b. What is the Treatment to which they are subject?

c. What are the purposes they intend to satisfy?

These mechanisms may be physical such as window procedure, or by electromagnetic means, as procedures through the email or telephone calls made to the company to the personnel in charge of receiving the requests, complaints and claims. Whatever the means, the Company will keep proof of the consultation and its response.

Before proceeding, the person responsible for handling the consultation will verify:

a. The identity of the Holder or the Entitled. To do so, he/she will require the identity card or any original identification document of the Holder and the special or general powers of attorney, as the case may be.

b. The Authorization or contract with third parties that gave origin to the Treatment by the Company.

c. Indicate the date on which the consultation was received by the Company.

If the applicant has the ability to formulate the consultation, the person responsible for handling it will collect all the information about the Holder that is contained in the individual record of that person or that is related with the identification of the Holder in the Company's Databases. Once the information has been collected, it will be supplied to the Holder so that he/she can access and know it.

The person responsible for handling the consultation will respond to the applicant provided the latter has the right to do so for being the Holder of the Personal Data, the Entitled, or the legal guardian in the case of minors. This response will be sent within ten (10) business days as of the date the request was received by the Company. In the event the request cannot be answered in the ten (10) business days, the applicant will be contacted and informed the reasons for which the status of his/her application is in process and indicating the date in which the consultation will be answered, which in no case may exceed five (5) business days following the expiration of the first period. To do this, the same or similar means will be used to the one through which the consultation was presented.

The final response to all requests may not take more than fifteen (15) business days as of the date on which the initial request was received by the Company.

Even when the applicant does not have the power to request the consultation, the Company will have to inform the applicant of this circumstance and respond within the above mentioned periods.

13.2. 13.2. Claims

The Company will have mechanisms for the Holder, the Entitled or the representatives of minors Holder, to make claims regarding:

a. Personal Data Treated by the Company that must be corrected, updated or deleted.

b. The alleged non-compliance of some of the duties of Law by the Company.

These mechanisms may be physical such as window procedure, or by electromagnetic means, as procedures through the email or telephone calls made to the company to the personnel in charge of receiving the requests, complaints and claims. Whatever the means, the Company will keep proof of the consultation and its response.

The claim must be submitted by the Holder, the Entitled, or their representatives, in case the Holder is a minor, as follows:

a. Must be addressed to the Internal Control Department, to the e-mail address or to the physical address Carrera 7 No. 74-36 P-3.

b. It must contain the name and identification document of the Holder.

c. It should contain a description of the events that give rise to the claim and the objective pursued (updating, correcting or deletion, or fulfillment of duties).

d. It should indicate the address and contact details and identification of the claimant.

e. It must be accompanied by all the documentation that the claimant wishes to enforce.

If the claim or the supplementary documentation is incomplete, the Company will request the claimant only once within five (05) days following the receipt of the claim to remedy the mistakes. If the claimant fails to submit the required documentation and information within the two (2) months as of the date of the initial claim, it will be understood that the claim has been withdrawn.

If for any reason the person receiving the claim inside the Company is not competent to resolve it, he/she will transfer it to the Data Protection Area - Internal Control Department, within two (2) business days of receiving the claim, and shall report such forwarding to the claimant.

Once the claim has been received with the complete documentation, in a period no greater than one two (2) business days an inscription saying "claim in process" and the reason thereof, will be included in the Company's Database where the Personal Data of the Holder rests. This inscription must be kept until the claim is decided.

The maximum period to answer the claim shall be fifteen (15) business days as of the day following its date of receipt. When it is not possible to answer the claim in that period, the interested party will be informed of the reasons for the delay and the date on which the claim will be answered, which in no case may exceed eight (8) business days following the expiration of the first period.

The Company will keep proof of the consultation, the claim and its response in the event that subsequent consultation is necessary.

14. Validity

This Policy will take effect as of 10/01/2017. The Personal Data that is stored, used or transmitted will remain in the Company's Database, based on the criterion of temporality, for as long as it is necessary to fulfill the purposes mentioned in this Policy, for which it was collected. Thus, the validity of the Database is closely related to the purposes for which the Personal Data was collected.

15. Modifications

This Policy may be amended from time to time by the Company and will form part of the Company's agreements, where applicable. Any substantial modification of this Policy will have to be communicated in advance to the Holders through efficient mechanisms such as the Company's website and/or e-mails. Substantial modification means, among others, the following situations:

a. Modification in the identification of the area, section or person in charge of handling the consultations and claims.

b. Evident modification of the purposes that may affect the Authorization. In this case, the Company will seek a new Authorization.

The modifications will be informed on the Company's website and/or by an email that will be sent to the Holders of the Personal Data, provided the Company has such information in its possession.