ARRIETA MANTILLA & ASOCIADOS S.A.S PERSONAL DATA PROTECTION POLICY


 I. PURPOSE

To set forth the guidelines and general criteria for handling the personal data of employees, clients and providers of ARRIETA MANTILLA & ASOCIADOS S.A.S, a corporation identified with TIN (Taxpayer’s Identification Number) 830.040.209-4.

 

II. REGULATORY FRAMEWORK

The following are the regulations related to Personal Data Protection: 
Law 1266/2008
Law 1581/2012
Decree 1377/2013
SIC (Superintendence of Industry and Commerce) external newsletter 001/2016

 

III. SCOPE

This Personal Data Protection Policy shall apply to every Data Base and/or Files containing Personal Data which are object of Treatment by ARRIETA MANTILLA & ASOCIADOS S.A.S.

 

 IV. DEFINITIONS

Actors in Personal Data treatment:  They are the companies or persons who carry out provision, collection and treatment of PERSONAL DATA, these are: 

• Responsible person for treatment: Natural or juridical person, public or private, that on its own, or associated with others, decides on the database and/or Treatment of data.

• Person in charge of treatment: Natural or juridical person, public or private, that, on its own or associated with others, carries out PERSONAL DATA TREATMENT, on account of the Responsible person for PERSONAL DATA TREATMENT.

Holder of Personal Data:  Natural person whose personal data is object of Treatment. 

User: Natural or juridical person who may access personal information of one or several holders of information supplied by the operator or by the source, or directly by the holder of information. The user shall guarantee protection of the rights of the holder of data. In case the user, on their turn, supplies information directly to an operator, they shall have double condition of user and source, and they shall assume duties and responsibilities of both. 

Authorization:  Previous consent, express and informed of the holder to carry out Personal Data Treatment. 

Warning of Privacy: Physical or electronic document, or document in any other format, generated by the Responsible person for Treatment and made available to the Holder to communicate the existence of the policies of treatment of information which shall be applicable, the way to access them and the characteristics of the Treatment intended to be given to personal data.

Database:  Organized set of personal data which is object of treatment. 

Enquiry: A process through which the Holder of Personal Data may request ARRIETA MANTILLA & ASOCIADOS S.A.S, its affiliates and subsidiaries their personal information which lies in the databases. 

Personal Data:  Whichever information that is linked, or may be associated to one or several determined or determinable natural persons. 

Public Data:  This is data qualified as such pursuant to the mandates of the law or the Constitution and all those which are not semiprivate or private, according to the law. The following, among others, are public: data contained in public documents, judicial rulings that are not subject to confidentiality and those regarding civil status of individuals. 

Sensitive Data:  Are those which impact privacy of the Holder or which inappropriate use may generate their discrimination, such as those that reveal racial or ethnic background, political orientation, religious or philosophical convictions, belonging to unions, social organizations, of human rights, or those that promote interests of any political party or that guarantee rights and guarantees to opposing political parties as well as data related to health, sexual life and other biometric data. 

Claim:  Process through which the Holders of Personal Data or their successors, may request ARRIETA MANTILLA & ASOCIADOS S.A.S, its affiliates and subsidiaries updating, clarification, partial or total suppression of information, evidence of authorization or its revocation. 

SIC: Superintendence of Industry and Commerce. 

Personal Data Treatment:  Any operation or set of operations on Personal Data, such as collection, storage, enquiry, exchange, transfer, use, circulation or suppression. 


 

V. RULES AND CRITERIA OF APPLICATION 
1. GENERAL PRINCIPLES FOR PERSONAL DATA TREATMENT

Personal Data Treatment shall comply with the following principles: 
a) Principle of purpose: Personal Data Treatment shall obey a legitimate purpose which shall be reported to the Holder. 

b) Principle of freedom: Personal Data Treatment may only be exercised with previous, expressed and informed consent from the Holder. Personal Data may not be obtained or disclosed without previous authorization or legal or judicial mandate exonerating consent from the Holder. 

 c) Principle of veracity or quality: Information subject to treatment shall be truthful, complete, accurate, updated, verifiable and understandable. Partial, incomplete, fractioned or misleading data treatment is forbidden. 

d) Principle of transparency: The right of the Holder to obtain information from ARRIETA MANTILLA & ASOCIADOS regarding the existence of data that pertains to them shall be guaranteed in such Treatment.

e) Principle of access and restricted disclosure: Personal Data, except public information, shall not be available on the Internet or any other disclosing or mass communication media, except if access is technically controllable to provide restricted knowledge exclusively to Holder or third persons who are authorized by them.

 f) Principle of security: Information subject of Treatment shall be handled with the technical, human and administrative measures that are necessary to grant security to records avoiding falsification, loss, inquiry, unauthorized or fraudulent use. 

g) Principle of confidentiality: Every individual who intervenes in Personal Data Treatment shall be forced to guarantee confidentiality of information, even after their relation with some of the tasks included in the treatment has finished. 


 

2. SPECIAL CATEGORIES OF DATA

2.1 Sensitive Data:

Sensitive data treatment is forbidden, except when: 

a) The Holder has given their explicit authorization to such Treatment, except in cases in which by law granting such authorization is not required. 

b) Treatment is necessary to safeguard vital interest of the Holder, and they are physically or juridically incapacitated. In these events, the legal representatives shall grant their authorization. 

c) Treatment is made in the course of legitimate activities and with due guarantees by a foundation, NGO, association or any other nonprofit organism, which purpose is political, philosophical, religious or union related, provided that they exclusively refer to its members or to the individuals who keep regular contacts due to its purpose. In these cases, data may not be provided to third parties without authorization from the Holder.

d) Treatment refers to data that are necessary for recognition, exercise or defense of a right in a judicial proceeding. 

e) Treatment has a historic, statistical or scientific purpose. In this case the measures to suppress identity of Holders shall be adopted. 

ARRIETA MANTILLA & ASOCIADOS S.A.S shall restrict treatment of sensitive personal data to what is strictly indispensable and shall request previous and express consent from holders (legal representatives, attorneys, successors), reporting on the exclusive purpose of their treatment. 

2.2 Rights of children and adolescents: Treatment of personal data of children and adolescents is forbidden, except if it is data of public nature. The Areas which, by the nature of their management, handle this type of personal data shall apply the principles for protection of the fundamental rights of this type of Holders of Personal Data.


 

 3. TREATMENT TO WHICH DATA SHALL BE SUBJECT TO AND THE PURPOSE OF THE SAME 

ARRIETA MANTILLA & ASOCIADOS S.A.S acting in the capacity of Responsible Person for Treatment of Personal Data, for the appropriate development of its commercial activities, as well as for strengthening its relations to third parties, collects, stores, uses, discloses and suppresses Personal Data corresponding to natural or juridical persons with whom it has or has had relations, such as (without this listing meaning limitation) workers and their relatives, consumers, clients, distributors, providers, creditors and debtors, for the following purposes:

3.1 General purposes for Personal Data treatment

 • Personal data that providers, clients and employees provide or have provided ARRIETA MANTILLA & ASOCIADOS S.A.S, are subject of treatment (collection, storage, use, disclosure or suppression) with the purpose of adequately rendering services developed pursuant to the business purpose of the company, to carry out activities of marketing, sales, invoicing, cashing management, collection, enhancement of services, sending commercial information by email and to carry out the necessary arrangements to comply with obligations that are inherent to the company.  

• To control access to the offices of the company and to establish security measures, including establishment of video surveillance zones;

• To respond to enquiries, claims and complaints made by the Holders and organisms of control and to transmit Personal Data to other authorities that in virtue of the governing law shall receive Personal Data; 

• To eventually contact, by email, or by any other means, natural or juridical persons with whom it has or has had relation, such as, without the listing meaning limitation, workers and their relatives, clients, distributors, providers, creditors and debtors, for the aforementioned purposes.

• To serve judicial or administrative requirements and compliance of the judicial or legal mandates; 

• To register their personal data in the information systems of the company; 

3.2 Regarding personal data of our employees: 

• To administer and operate, directly or through third parties, processes of selecting and hiring personnel, including assessment and qualification of participants and verification of labor and personal references, and to carry out security studies; 

• To develop activities inherent to management of Human Resources within the company, such as payroll, registration in entities of the general social security system, wellbeing and occupational health activities, exercise of penalization powers of the employer, among others; 

• To carry out the necessary payments derived from signing the working contract and/or its termination, and other social contributions that may be, according to the governing law; 

• To contract working benefits with third parties, such as life insurance, medical expenses, among others; 

• To notify authorized contacts in case of emergencies during working hours or because of its development;

• To coordinate professional development of employees, access of every employee to information resources of the employer and to support its use; 

 • To plan activities of the company; 

3.3 Regarding Data of the Providers:

• For contact in case of requiring a good or service.

• For assessment of compliance of their duties;

• To record them in the systems of the company; 

• To process their payment and to verify outstanding balances;

 3.4. Regarding personal data of our Clients: 

• To comply with obligations contracted by the company with its Clients when acquiring our services; 

• To send information on changes on the conditions of the services rendered by the company; 

• To send information on services contracted with the company; 

• To strengthen relations with its clients, by sending relevant information. 


 

4. AUTHORIZATION

Personal Data Treatment made by ARRIETA MANTILLA & ASOCIADOS S.A.S, requires free, previous, express and informed consent by the Holder. ARRIETA MANTILLA & ASOCIADOS S.A.S, in its condition of Responsible Person for Personal Data Treatment, has provided the necessary mechanisms to obtain authorization from the Holder, its successors or legitimated representatives.

Authorization may be granted through a physical or electronic document or any other format that allows its later enquiry and that allows it to be unequivocally proven that the Holder of Personal Data: a) authorized treatment; b) knows and accepts that information shall be collected and used for the purposes that have been reported to them.

In virtue of the above, authorization requested shall include: 
a) Responsible for Treatment and data they collect; 

b) Purpose of data treatment; 

c) Rights of access, correction, updating or suppression of personal data provided by the holder, and, 

d) If Sensitive Data is collected;

e) Identification, physical or electronic address and telephone number of the Responsible for Treatment.


 

5. PRIVACY NOTICE

ARRIETA MANTILLA & ASOCIADOS S.A.S has the Privacy Notice, containing information demanded through Decree 1377/2013, which shall be communicated to the Holder of Personal Data through communication media of the company. To facilitate disclosure, its content may be included within the authorization. 


 

6. RIGHTS AND DUTIES OF THE HOLDERS

The Holder of Personal Data shall have the following rights: 

a) To know, update and rectify Personal Data

 b) To request evidence of authorization granted to ARRIETA MANTILLA & ASOCIADOS S.A.S 

c) To be informed by ARRIETA MANTILLA & ASOCIADOS S.A.S, upon prior request, regarding the use that has been given to their personal data.

d) To file enquiries before the Responsible Person of Treatment, pursuant to what is set forth in item 9 of the herein policy. 

e) To file before the Superintendence of Industry and Commerce, complaints about breaches to what is provided in the herein law and other rules that amend, add or complement it, once the process of enquiry or claim has been exhausted before the Responsible Person for Treatment, pursuant to Article 16 of Decree 137. 

f) To freely access Personal Data that is object of Treatment.

The Holder of personal data shall have the duty to keep their information updated and to guarantee, at all times, its truthfulness. ARRIETA MANTILLA & ASOCIADOS S.A.S. shall not be liable, in any case, for any kind of liability derived from inaccuracy of information provided by the Holder.


 

7. SECURITY MEASURES

ARRIETA MANTILLA & ASOCIADOS S.A.S shall adopt the technical, human and administrative measures that are necessary to grant security to records avoiding its falsification, loss, enquiry, unauthorized or fraudulent use or access. Such measures shall correspond to the minimum requirements made by the valid legislation and its effectiveness shall be periodically assessed.


 

8. RESPONSIBLE PERSON FOR TREATMENT

ARRIETA MANTILLA & ASOCIADOS S.A.S shall be responsible and/or in charge of collection and/or Personal Data Treatment, it shall keep Authorization and other records stored, preventing its impairment, loss, alteration or unauthorized use. 


 

9. CONTACT DATA TO FILE REQUESTS:

Holders of information may exercise their rights to revoke authorization for data treatment and to learn, update, rectify and suppress their Personal Data by sending a communication to the Area of the Administrative Directorate located at Carrera 7 #71- 21 B Building 16th Floor Suite 1601A in the city of Bogotá, Colombia, phone 7450634.


 

10. REQUESTS BY THE HOLDER OF DATA 

a) Enquiry: 

Holders of Personal Data or its successors may, at any time, enquire on personal information that lies in the databases of ARRIETA MANTILLA & ASOCIADOS S.A.S. Similarly, they may request proof of existence of their authorization for Personal Data treatment. 

Term to serve the enquiry

Pursuant to Law 1581/2012, the request for enquiry shall be served in a term of no more than ten (10) business days counting from the date of reception of the same. When it is not possible to serve the enquiry within such term, it shall be reported to the interested person, expressing the reasons for the delay and stating the date in which their enquiry shall be served, which in no case may exceed five (5) business days after expiration of the first term.

b) Claims

Holders of Personal Data or their successors shall request update, rectification or total or partial suppression. Similarly, they may request to revoke authorization. Such requests shall be made face to face at the administrative office of the company located at Carrera 7 #71- 21 B Building 16th Floor Suite 1601A.

Revoking authorization: 

The Holder of Personal Data or their successors may revoke authorization granted, pursuant to valid regulations.

The Holder of Personal Data may request the Responsible Person and/or in charge of Data Treatment total or partial suppression of personal data. The request for suppression and revoking authorization shall not proceed when the Holder has a legal, contractual or commercial duty to remain in the database. 

According to Article 16 of Decree 1377, the Holder or successor may only file a claim before the Superintendence of Industry and Commerce once they have exhausted the process of enquiry or claim before the Responsible Person or in charge of treatment. 

When a claim is received from the Holder of Personal Data regarding inconsistencies in information, or that the data is being discussed by them, the responsible person for treatment, and when the person in charge of treatment acts on its behalf, they shall suspend its use, for a term no less than the date to end the process.

Term to serve Claims regarding Personal Data:

According to Law 1581/2012, when a request of claim is received from the Holder of Personal Data, the responsible person of treatment, shall proceed to review if it contains enough information to be served, and in case it needs more information they shall communicate it to the Holder, within the next 5 business days following the reception of the claim to correct the flaws. After two (2) months have passed since the date of the requirements, without the requestor filing the information requested, it will be understood that they dismissed the claim.

Similarly, the law indicates that the maximum term to serve the claim shall be fifteen (15) business days counting from the day after the date of its reception. When it is not possible to serve it within such term, the interested person shall be informed on the reasons for the delay and the date in which their claim will be served, before expiration of the referred term, which in no case shall be more than eight (8) business days after expiration of the first term.