Personal Data Processing Policy
1. Legal Context.
The processing of personal data is carried out in compliance with the Statutory Law on Data Protection (Law 1581 of 2012), more specifically articles 17 (k) and 18 (f), articles 15 and 20 of the Political Constitution of Colombia and article 13 of Law 1377 of 2013, which regulates the previous Law.
This Corporate Manual of Policies and Procedures for the Processing of Personal Data will be applicable to all data collected by GESTIÓN DE COMPRAS EMPRESARIALES S.A.S. (hereinafter referred to as "The Data Controller") of the processing.
The concepts defined below are, in essence, those contained in Decree 1377 of 2013 in its third article.
Authorization: Prior, express and informed consent of the Owner to carry out the processing of personal data.
Privacy Notice: Verbal or written communication generated by the Data Controller, addressed to the Owner for the processing of their personal data, informing them about the existence of the information processing policies that will be applicable to them, the way to access them and the purposes of the processing that is intended to be given to the personal data.
Database: An organized set of personal data that is processed.
Personal data: Any information linked or that may be associated with one or more specific or determinable natural persons.
Public data: This is data that is not semi-private, private or sensitive. Public data includes, but is not limited to, data relating to the marital status of individuals, their profession or trade, and their status as a trader or public servant. By their nature, public data may be contained, among others, in public registers, public documents, official gazettes and gazettes, and duly enforceable court judgments that are not subject to confidentiality.
Sensitive data: Sensitive data is understood to be data that affects the privacy of the Data Subject or whose improper use may lead to discrimination, such as data that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership of trade unions, social or human rights organizations or that promotes the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data relating to health, sex life, and biometric data.
Data Processor: A natural or legal person, public or private, who, on its own or in association with others, carries out the processing of personal data on behalf of the Data Controller.
Data Controller: A natural or legal person, public or private, who, on its own or in association with others, decides on the database and/or the processing of data.
Data Subject: Natural person whose personal data is processed.
Transfer: Data transfer takes place when the Data Controller and/or Data Processor, located in Colombia, sends the information or personal data to a recipient, who is also a Data Controller and is located inside or outside the country.
Transmission: Processing of personal data that involves the communication of the same within or outside the territory of the Republic of Colombia when it is intended to carry out a processing by the processor on behalf of the Data Controller.
Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or erasure.
3. Acceptance of the Corporate Manual of Policies and Procedures for the Processing of Personal Data.
In accordance with article nine of the Statutory Data Protection Law, any processing of personal data will require prior authorization from the Data Controller. The owners understand that whoever provides information considered as personal data, expressly accepts that these will be processed by GESTIÓN DE COMPRAS EMPRESARIALES S.A.S., as established in this document.
The same rule establishes that no authorization will be required for the processing of the following data:
· Data of a public nature.
· Information that is required by authorities in the exercise of their functions through administrative acts, court rulings or any other legal act.
· Data related to the Civil Registry of persons.
· Cases of medical or health emergency.
· Processing of information authorized by law for historical, statistical, or scientific purposes.
4. Responsible party
The databases that are the object of this policy are the responsibility, under the terms of Law 1581 of 2012, of GESTIÓN DE COMPRAS EMPRESARIALES S.A.S., identified with the NIT 901.065.664-8, located at Calle 1 B Sur No. 38 10 in Medellín, Antioquia.
5. Purposes of the processing of personal data
In the ordinary course of its business, the Data Controller processes the personal data of natural persons, contained in databases for legitimate purposes, in compliance with the Constitution and the Law.
"Annex 1. Database Inventory" presents the different databases managed by the Responsible Party, together with the information and characteristics of each of them.
6. Rights of the Data Subjects
In accordance with Articles 21 and 22 of Decree 1377 of 2013 and Article 8 of the LEPD, the holders of personal data have rights that they can use in relation to the processing of their personal data, which may be exercised by the following:
1. By the Data Controller, who must provide sufficient proof of identity by the various means made available by the Data Controller.
2. By their successors, who must prove such quality.
3. By the representative and/or attorney-in-fact of the Owner, after accrediting the representation or power of attorney.
4. By stipulation in favor of another and for another.
The rights of children or adolescents shall be exercised by the persons who are authorized to represent them.
The rights that the owners have in relation to the processing of their personal data are:
· Right of access or consultation: This is the right of the Data Controller to be informed by the Data Controller, upon request, regarding the origin, use and purpose of their personal data.
· Complaint and claim rights: The Act distinguishes four types of claims:
- Claim for correction: This is the right of the Owner to have updated, rectified or modified any partial, inaccurate, incomplete, fragmented, misleading data, or data whose processing is expressly prohibited or has not been authorized.
- Deletion claim: This is the right of the Owner to have data that is inadequate, excessive or that does not respect constitutional and legal principles, rights and guarantees deleted.
- Claim for revocation: This is the right of the Owner to revoke the authorization previously given for the processing of their personal data.
- Infringement claim: This is the right of the Owner to request that the breach of the Data Protection regulations be remedied.
- Right to request proof of the authorization granted to the Data Controller: Except when expressly excepted as a requirement for processing in accordance with the provisions of article 10 of the LEPD.
- Right to file complaints of infringements with the Superintendence of Industry and Commerce: The Data Controller or successor in title may only file this complaint once the consultation or claim procedure has been exhausted before the Data Controller or Data Processor.
7. Holders' contact
The Data Protection Officer shall be responsible for requests, queries and complaints. The owners of the processed data may exercise their rights before this officer.
8. Exercise of rights
8.1 Right of access or consultation
The owner will be able to consult their personal data free of charge in the following cases.
1. Once every calendar month.
2. Whenever there are substantial changes in the data processing policies of The Data Controller.
For consultations that have a periodicity greater than that set forth in the first paragraph of this article, the Responsible Party may charge the holder the costs of shipping, reproduction and, if applicable, certification of documents.
The right set forth in this paragraph may be exercised by the holder, by writing to GESTIÓN DE COMPRAS EMPRESARIALES S.A.S. identified with NIT 901.065.664-8, located at Calle 1 B Sur No. 38 10 in Medellín, Antioquia; by post sent to the address indicated above, or by e-mail to the address: email@example.com indicating in the Subject "Exercise of the right of access or consultation". The application must contain the following information:
· Name and surname of the Owner.
· Photocopy of the Holder's Citizenship Certificate and, if applicable, of the person representing him/her, as well as the document accrediting such representation.
· Request specifying the request for access or consultation.
· Address for notifications, date and signature of the applicant.
· If applicable, the documents that accredit the consultation carried out.
By making this clear in the application, the information may be requested in any of the following ways.
· On-screen display.
· In writing, with a copy or photocopy sent by registered mail or not.
· E-mail or other electronic means.
Once the request has been received, THE RESPONSIBLE PARTY will have a maximum period of ten (10) business days to resolve the request. If it is not possible to resolve the request within the stated period, the applicant will be informed of the reason for this, and THE RESPONSIBLE PARTY will have a further period of five (5) working days, in accordance with article 14 of the LEPD.
8.2 Complaint and Claim Rights
The Data Subject may exercise the rights of complaint over his/her data by writing to GESTIÓN DE COMPRAS EMPRESARIALES S.A.S. identified with the NIT 901.065.664-8, located at Calle 1 B Sur No. 38 10 in Medellín, Antioquia; through postal mail sent to the address listed above, or by e-mail to the address: firstname.lastname@example.org indicating in the subject "Exercise of the right of access or consultation". The application must contain the following information:
- Name and surname of the Owner.
- Photocopy of the Holder's Citizenship Certificate and, if applicable, of the person representing him/her, as well as the document accrediting such representation.
- Description of the facts and request in which the request for correction, deletion, revocation or infringement is specified.
- Address for notifications, date and signature of the applicant.
- Documents accrediting the request made that you wish to assert, when applicable.
If the complaint is incomplete, the interested party will be required within five (5) days of receipt of the complaint to correct the defects. If two (2) months have elapsed from the date of the request, without the applicant submitting the required information, it will be understood that the claim has been withdrawn.
Once the complete claim has been received, a legend will be included in the database that says "claim in process" and the reason for it, within a period of no more than two (2) business days. Such legend shall be maintained until the claim is decided.
The Data Controller will resolve the request for consultation within a maximum period of fifteen (15) business days from the date of receipt of the request. When it is not possible to attend to the claim within this period, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.
Once the claim process has been exhausted, the Owner or successor in title may file a complaint with the Superintendence of Industry and Commerce.
9. Security Policies
The Data Controller, in order to comply with the principle of security enshrined in Article 4 (g) of the LEPD, has implemented technical, human and administrative measures necessary to guarantee the security of the records by preventing their adulteration, loss, consultation, use or unauthorized or fraudulent access.
On the other hand, the Data Controller, by signing the corresponding transmission contracts, has required the data processors with whom it works to implement the necessary security measures to guarantee the security and confidentiality of the information in the processing of personal data.
10. International Data Transfer.
In line with Title VIII of the LEPD, the transfer of data to countries that do not have the security conditions established in the aforementioned Law is expressly prohibited. When a country does not comply with the conditions established by the Superintendence of Industry and Commerce, the transfer of data to this country will be understood to be prohibited. The conditions of the country to which the data are to be transferred may in no case be lower than those established by the LEPD. The transfer of data to third countries shall not be prohibited when:
· You have given your express and unequivocal consent to the transfer.
· Exchange of medical data, when required by the Data Controller's processing for reasons of health or public hygiene.
· Bank or stock market transfers, in accordance with the legislation applicable to them.
· Transfers agreed within the framework of international treaties to which the Republic of Colombia is a party, based on the principle of reciprocity.
· Transfers necessary for the execution of a contract between the Data Controller and the Data Controller, or for the execution of pre-contractual measures, provided that the Owner has the authorization of the Data Controller.
· Transfers legally required for the safeguarding of the public interest, or for the recognition, exercise or defence of a right in legal proceedings.
In cases where the exception is not contemplated, the Superintendence of Industry and Commerce will announce the verdict on the possibility or prohibition of the transfer of data to third countries. The official in charge shall be empowered to request the necessary information, as well as to carry out the necessary steps to determine the viability of the operation.
As long as there is a data transfer contract between the Data Controller and a processor located outside the Colombian territory, the consent or authorization of the Owner will not be required.
The databases processed by the Data Controller will be processed for the time required for the purpose for which these data are collected. When the purpose or purposes for which the data were collected have been fulfilled, without prejudice to the provisions of other legal regulations, the Data Controller will proceed to the total deletion of the data, unless there is a legal or contractual obligation to keep them in custody.