Terms

Policies and Procedures for the Collection and Processing of Personal Data of the Museum of Modern Art of Medellín

CONTENTS

1. Objective of the Personal Data Processing Policy
2. Definitions for the purposes of the Personal Data Processing Policy
3. Scope of Application
4. Principles for the Processing of Personal Data
5. Authorization
6. Purposes of Personal Data Processing
7. Procedures for the Processing of Personal Data
8. Information and Mechanisms Provided by the Corporation Museum of Modern Art of Medellín as the Data Controller
9. Area responsible for processing personal data
10. Rights of the data subject
11. Duties of the data controller
12. Validity of the processing policy
13. Other provisions

1. Purpose of the personal data processing policy

The Museum of Modern Art of Medellín Corporation (hereinafter “THE MUSEUM”), considering its status as the data controller, committed to the security of the personal information of its users, clients, suppliers, contractors, employees, and the general public, and in order to strictly comply with current regulations on the protection of personal data, especially those established in Statutory Law 1581 of 2012, Decree 1377 of 2013, and other provisions that modify, clarify, add to, or complement them, hereby presents the Personal Data Processing Policy (hereinafter the “Policy”) of THE The Museum, in relation to the collection, use, and transfer of personal data, is responsible for the authorization granted by the data subjects.

In this Policy, the Museum details the general guidelines considered for protecting the Personal Data of the Data Subjects, such as the purpose of data collection, the rights of the Data Subjects, the department responsible for addressing inquiries, complaints, and claims regarding the processing of personal data collected and managed by the Museum, as well as the procedures to be followed to access, update, rectify, and delete information.

In compliance with the constitutional right to Habeas Data, the Museum only collects Personal Data when previously authorized by the Data Subject, implementing clear measures regarding the confidentiality and privacy of Personal Data, which are defined below.

2. Definitions for the Purposes of the Personal Data Processing Policy

For the purposes of this Policy, the following definitions shall apply:

(a) Data Subject: A natural or legal person whose Personal Data is being processed.

(b) Data Controller: A natural or legal person, public or private, who, alone or jointly with others, determines the purposes and means of the processing of personal data. In this specific case, the Data Controller is THE MUSEUM.

(c) Personal Data: Any information linked to or that can be associated with one or more identified or identifiable natural persons.

(d) Public Data: Data that is not semi-private, private, or sensitive. Public data includes, among other things, data relating to a person’s marital status, profession or occupation, and their status as a merchant or public servant. By their nature, public data may be contained in, among other sources, public registries, public documents, official gazettes and bulletins, and court rulings. (e) Sensitive Data: Data that affects the privacy of the Data Subject or whose misuse may lead to discrimination.

(f) Processing: Any operation or set of operations performed on personal data, such as collection, storage, use, circulation, or deletion.

(g) Personal Data Processing Policies: This refers to this document.

3. Scope of Application

This Policy applies to all personal data databases held by THE MUSEUM and the Data Processors acting on behalf of THE MUSEUM. Therefore, it applies to personal data recorded in any database that makes it subject to processing by THE MUSEUM, with the limitations and restrictions established by law. IV. PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA

In accordance with Article 4 of Law 1581 of 2012, the principles governing the Processing of Personal Data are as follows:

(a) Principle of legality in data processing: The processing referred to in Law 1581 of 2012 is a regulated activity that must comply with its provisions and other applicable regulations, as well as with the provisions of this Policy.

(b) Principle of purpose: Processing must be for legitimate purposes in accordance with the Constitution and the Law, such as those established in this Policy, which must be communicated to the Data Subject.

(c) Principle of freedom: Processing may only be carried out with the prior, express, and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, unless there is a legal or judicial mandate that waives the requirement for consent.

(d) Principle of accuracy or quality: The information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. The processing of partial, incomplete, fragmented, or misleading data is prohibited. (e) Principle of transparency: The processing must guarantee the data subject’s right to obtain information from the controller or processor, at any time and without restriction, regarding the existence of data concerning them.

(f) Principle of restricted access and circulation: Processing will be subject to the limitations arising from the nature of the personal data. In this regard, processing may only be carried out by persons authorized by the data subject and/or by persons authorized by law.

(g) Principle of security: Information subject to processing by the controller and/or processor must be handled with the necessary technical, human, and administrative measures to ensure the security of the records, preventing their alteration, loss, unauthorized or fraudulent access, use, or disclosure. (h) Principle of confidentiality: All persons involved in the processing of personal data that are not of a public nature are obliged to guarantee the confidentiality of the information, even after their relationship with any of the tasks that comprise the processing has ended, and may only supply or communicate personal data when it corresponds to the development of the activities authorized by law and according to its terms.

5. Authorization

When collecting Personal Data, THE MUSEUM will request authorization from the Data Subjects, informing them of the specific purposes of the Processing for which such consent is obtained.

The Data Subjects’ authorization may be given by any of the following means: (i) in writing, (ii) orally, or (iii) through unambiguous conduct that reasonably allows the conclusion that authorization was granted.

THE MUSEUM will maintain proof of such authorizations appropriately, respecting the principles of confidentiality and privacy of the information.

In accordance with the provisions of Article 10 of Law 1581 of 2012, this authorization will not be necessary when the information refers to: (i) Information required by a public or administrative entity in the exercise of its legal functions or by court order; (ii) Public Data; (iii) Cases of medical or health emergencies; (iv) Processing of information authorized by law for historical, statistical, or scientific purposes; and (v) Data related to the Civil Registry.

6. Purposes of Personal Data Processing

The Museum, in the course of its business activities and its relationships with third parties, including users, employees, suppliers, creditors, and others, constantly collects data for various purposes and uses, which may include the following, and which you expressly authorize by accepting this policy:

•

To reaffirm its sociocultural commitment by building bridges between the public, societal issues, and artistic expression.

• To be a center for generating experiences, ideas, education, training, and debate around contemporary artistic practices; visual arts, architecture, urban planning, design, film, video, music, literature, reading and writing, theater, dance, television, the environment, photography, gastronomy, geography, the internet, new media, and technology.

• To be a living museum, a center for contemporary arts.

• To conserve, document, research, and exhibit the works in the museum’s collection.

• To promote activities related to contemporary artistic expression.

• To design and manage non-formal education programs for diverse audiences.

• To design and implement a pedagogical and didactic policy within the museum.

• To promote cultural entrepreneurship.

• To foster and promote emerging national and international artistic talent through exhibitions, seminars, conferences, publications, and other activities.

• To promote the cultural exchange of individuals, institutions, services, and ideas.

• To coordinate activities with local, national, and international institutions, artists, and cities.

•

To conserve and care for animal and plant species that may be visited by the public within the framework of an art exhibition.

• To exhibit film, performance art, live art, contact improvisation, space interventions, and architectural interventions.

• To contribute to the social and cultural transformation of the city, the country, and the world. • To support the promotion of tourism in the city of Medellín.

• To enter into agreements with public entities to receive and manage resources for the construction of artistic and cultural venues, as well as to promote events aligned with the Museum’s mission.

• To fulfill the aforementioned objectives, either directly or in partnership with other public or private entities or institutions that carry out similar or complementary programs.

• To execute all acts and contracts directly related to the Museum’s mission and those aimed at generating income and exercising the rights or fulfilling the legal or contractual obligations arising from the Museum’s existence and activities.

• To market works of art, operate real estate directly or through third parties, and generally carry out activities that generate income.

• Data verification through consultation of public databases or credit bureaus.

• To comply with legal reporting obligations to administrative bodies, as well as to competent authorities as required.

• To share information with third parties who collaborate with THE MUSEUM and who, in order to fulfill their functions, must access the information to some extent.

• To support THE MUSEUM’s audit processes.

• To conduct satisfaction surveys.

• Any other purpose that may arise in the course of the contract or the business relationship between THE MUSEUM and the Data Subject.

The information provided by the Data Subject will only be used for the purposes stated herein, and once the need for processing Personal Data ceases, it may be deleted from THE MUSEUM’s databases or securely archived to be disclosed only when required by law.

Within its corporate purpose and for the purpose of carrying out the aforementioned activities, THE MUSEUM collects Personal Data from its Data Subjects, such as: name, address, telephone number, identity document, email address, employment information, family information, academic background, financial information, among others.

7. Procedures for the Processing of Personal Data

The Personal Data included in THE MUSEUM’s Database comes from information collected in the course of activities carried out in accordance with its corporate purpose, commercial, contractual, employment, or any other type of relationship with its users, clients, suppliers, contractors, employees, and/or the general public.

The Museum’s website, social media, telephone hotline, and commercial and employment contracts, among others, are the means by which the Museum obtains the Personal Data referred to in this Policy.

The Personal Data collected by the Museum will be processed in accordance with Law 1581 of 2012, pursuant to the authorizations granted by the data subjects, and exclusively for the purposes authorized and set forth in this Policy.

PROCEDURE FOR ACCESSING INFORMATION:

In order to protect and maintain the confidentiality of the Personal Data of Data Subjects, THE MUSEUM has established the following procedure for accessing the information that THE MUSEUM holds about the data subject in its databases:

Anyone wishing to access the information that THE MUSEUM stores in its databases must send a communication to the email address [email protected] or to the address CARRERA 44 No. 19A – 100, stating their intention to access the information about the Data Subject held in THE MUSEUM’s databases, and providing an address or email address where a response can be sent.

This communication must be signed by (i) the Data Subject, who must sufficiently prove their identity; (ii) the Data Subject’s heirs, who must prove their status as such; (iii) the Data Subject’s representative and/or attorney-in-fact, upon prior proof of representation or power of attorney; or (iv) by stipulation in favor of or for another (hereinafter collectively referred to as the “Interested Parties”).

The Responsible Area will respond to the Data Subject or the interested party within a maximum of ten (10) business days from the date of receipt of the communication, to the email address or physical address specified in the request. If it is not possible to respond to the inquiry within this timeframe, the interested party will be informed of the reasons for the delay and the date on which the inquiry will be addressed, in which case the response time will be extended by an additional five business days.

Access to this information by the Data Subject or interested party will be free of charge, provided that it is (i) at least once every calendar month, or (ii) requested in connection with a substantial modification of this Data Processing Policy.

If access is requested more frequently than required, THE MUSEUM may charge the Data Subject for shipping, reproduction, and, where applicable, document certification costs incurred for this purpose.

PROCEDURE FOR UPDATING, CORRECTING, AND DELETING INFORMATION:

Data Subjects or their legal representatives may, at any time, request that THE MUSEUM update, correct, or delete their data and/or revoke their authorization for the processing of said data by THE MUSEUM, by submitting a claim to the following email address: [email protected] or to the address: CARRERA 44 No. 19A – 100. The claim must include the facts giving rise to the claim, the physical address or email address to which the response should be sent, and any supporting documents.

If the claim is incomplete, the applicant will be notified within five (5) days of receipt of the claim to correct the deficiencies. If the applicant fails to provide the required information within two (2) months of the notification date, the claim will be considered withdrawn.

If the person receiving the complaint is not competent to resolve it, they will forward it to the appropriate person within a maximum of two (2) business days and inform the applicant of the situation.

Once a complete claim is received, a note stating “claim in process” and the reason for the claim will be added to the database within two (2) business days. This note will remain until the claim is resolved.

The maximum time to address the claim is fifteen (15) business days, starting from the day after the date of receipt. If it is not possible to address the claim within this timeframe, the claimant will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the initial timeframe.

It is essential to note that requests for the deletion of information and the revocation of authorization will not be processed when the Data Subject has a legal or contractual obligation to THE MUSEUM.

8. Information and mechanisms provided by the corporation. Museum of Modern Art of Medellín as the entity responsible for processing personal data

Company Name: CORPORACIÓN MUSEO DE ARTE MODERNO DE MEDELLÍN
Tax ID: 890.984.010-5
Address: MEDELLÍN – COLOMBIA
Address: CARRERA 44 No. 19A – 100
Telephone: 442622
Email: [email protected]
Website: www.elmamm.org

9. Department responsible for processing personal data

The Communications Department of THE MUSEUM will be responsible for receiving requests, complaints, or claims from Data Subjects. This department will handle all necessary internal procedures to ensure a clear, efficient, and timely response to the Data Subject or other interested parties.

Data Subjects or interested parties may contact this department at any time to exercise their rights to access, update, rectify, and delete their data, and to revoke their consent.

10. Rights of the Data Subject

In accordance with Article 8 of Law 1581 of 2012, the Data Subject has the following rights:

(a) To access, update, and rectify their personal data with the Data Controllers or Data Processors. This right may be exercised, among other things, with respect to data that is partial, inaccurate, incomplete, fragmented, misleading, or whose processing is expressly prohibited or has not been authorized.

(b) Request proof of the authorization granted to the Data Controller, except when such authorization is expressly waived as a requirement for processing, in accordance with the provisions of Article 10 of this law.

(c) To be informed by the Data Controller or the Data Processor, upon request, regarding the use made of their personal data.

(d) To file complaints with the Superintendency of Industry and Commerce for violations of the provisions of this law and other regulations that modify, add to, or complement it.

(e) To revoke authorization and/or request the deletion of data when the Processing does not respect constitutional and legal principles, rights, and guarantees. Revocation and/or deletion will proceed when the Superintendency of Industry and Commerce has determined that the Data Controller or Data Processor has engaged in conduct contrary to this law and the Constitution.

(f) To access their personal data that has been processed, free of charge.

In accordance with art. Pursuant to Article 20 of Decree 1377 of 2013, the aforementioned rights may be exercised by:

1. The Data Subject, who must sufficiently prove their identity through the various means made available by the Data Controller.

2. Their successors in interest, who must prove their status as such.

3. The Data Subject’s representative and/or attorney-in-fact, upon prior proof of representation or power of attorney.

4. By stipulation in favor of or for another.

11. Duties of the Data Controller

In accordance with Article 17 of Law 1581 of 2012, the Data Controller shall have the following duties:

(a) To guarantee the Data Subject, at all times, the full and effective exercise of the right to data protection (habeas data).

(b) To request and retain, under the conditions stipulated in this law, a copy of the respective authorization granted by the Data Subject.

(c) Properly inform the Data Subject about the purpose of the data collection and their rights under the authorization granted.

(d) Store the information under the necessary security conditions to prevent its alteration, loss, unauthorized or fraudulent access, use, or disclosure.

(e) Ensure that the information provided to the Data Processor is truthful, complete, accurate, up-to-date, verifiable, and understandable.

(f) Update the information, promptly notifying the Data Processor of any changes to the data previously provided and take all other necessary measures to ensure that the information provided remains up-to-date.

(g) Rectify the information when it is incorrect and notify the Data Processor accordingly.

(h) Provide the Data Processor, as applicable, only with data whose processing has been previously authorized in accordance with the provisions of this law. (i) Require the Data Processor to respect, at all times, the security and privacy conditions of the Data Subject’s information.
(j) Process inquiries and complaints submitted in accordance with the terms established in this law.

(k) Adopt an internal manual of policies and procedures to ensure proper compliance with this law and, in particular, for handling inquiries and complaints.

(l) Inform the Data Processor when certain information is under dispute by the Data Subject, once a complaint has been filed and the respective process has not yet been completed.

(m) Inform the Data Subject, upon request, about the use given to their data.

(n) Inform the data protection authority when security breaches occur and there are risks in the management of data subjects’ information.

(o) Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

12. Validity of the Processing Policy

This Personal Data Processing Policy of THE MUSEUM is effective from the date of its publication, which took place on ___________.

Likewise, the processing of Personal Data or databases will be carried out while the contractual relationships between THE MUSEUM and the data subject remain in effect, plus the time required to carry out all the activities aimed at fulfilling the purposes of the Processing.

Notwithstanding the foregoing, personal data must be retained when required for compliance with a legal or contractual obligation.

13. Other Provisions

1. The Museum, for the Processing of Sensitive Data, will inform Data Subjects: (i) that, because it involves this type of data, they are not obligated to authorize its Processing, and (ii) will inform them which Data is Sensitive and the purpose of the Processing.

2. For the purposes of Processing Personal Data of children and adolescents, the Museum will act in their best interests and ensure respect for their fundamental rights. In this regard, it is clarified that, as a matter of policy, the Museum will under no circumstances request or collect information from minors in its Database.

3. The Museum will collect, store, use, or circulate Personal Data for which it has obtained the necessary authorization, for the period that is reasonable and necessary.

MEDELLÍN MUSEUM OF MODERN ART CORPORATION