DATA PROCESSING POLICY
Introduction
The purpose of this manual is to comply with the legal, constitutional and jurisprudential provisions concerning the development of the constitutional right that all people have to know, update and rectify the information that has been collected about them in databases or files related to the Article 15 of the Political Constitution, as well as the right to information enshrined in Article 20 of the same.
Law 1581 of 2012 developed “the constitutional right that all people have to know, update and rectify the information that has been collected about them in databases or files, and the other rights, freedoms and constitutional guarantees referred to in article 15 of the Political Constitution; as well as the right to information enshrined in article 20 of the same ”. This constitutional right known as habeas data, gives citizens the possibility of deciding and controlling the information that others have about them and, in that order of ideas, Law 1581 of 2012 establishes mechanisms and guarantees that allow the full exercise of the aforementioned right .
In compliance with the provisions of Law 1581 of 2012, D-SIGNLED, as responsible for the processing of personal data and sensitive personal data of its affiliates, providers, suppliers and collaborators , has adopted the following Information Processing Policies, to guarantee that the processing of personal data and sensitive personal data complies with current legal provisions.
In summary, this manual establishes the policies and procedures through which the owner of personal data can exercise their rights related to the processing of their data and their Once, the treatment that the person in charge must give to the data of third parties, as well as the mechanisms to urge compliance with the duties of the person responsible for the treatment. Likewise, some definitions are given regarding terms necessary for the correct application of the aforementioned policies, together with the principles on which the collection and processing of personal data is based.
Object
Regulate the policies and procedures that will be applicable in the handling of personal data information by D-SIGNLED, according to the provisions contained in Law 1581 of 2012 and Decree 1377 of 2013.
Data controllers D-SIGNLED
- Company name: D-SIGNLED
- Main Office: Bogotá - Colombia
- Telephone: +1 (613) 897-0919
- Main website: d-signled.com
- Email: [email protected]
D-SIGNLED, is responsible for the Treatment of personal data and sensitive personal data of its affiliates, providers, suppliers and collaborators, on which it decides directly and autonomously.
Scope
This manual is applicable to the personal data of natural persons registered in the databases relating to Employees, Potential Employees, Retired Workers, Shareholders, Suppliers, Potential Suppliers, Clients and Users (in the pertinent) of D-SIGNLED which are susceptible to treatment. It will apply to personal data that are the object of collection and handling by D-SIGNLED. If in the future, other legal entities become part of D-SIGNLED, the manual will apply to them.
This manual will not apply to:
- a. To data for exclusively personal or domestic use.
- b. To data whose purpose is national security and defense, as well as the prevention, detection, monitoring and control of money laundering and terrorist financing.
- c. To data containing intelligence and counterintelligence information from the State.
- d. To the databases and files regulated by Statutory Law 1266 of 2008.
- e. To the databases and files regulated by Law 79 of 1993.
Definitions
Para la aplicación de las reglas y procedimientos establecidos en el presente manual, y de acuerdo a lo establecido en el artículo 3 de la Ley Estatutaria 1581 de 2012, se entenderá por:
- a. Authorization: Prior, express and informed consent of the Holder to carry out the Processing of personal data.
- b. Database: Organized set of personal data that is subject to Treatment.
- c. Privacy notice: Physical, electronic document or in any other format, generated by the person responsible for the Treatment that is made available to the Holder for the Treatment of their personal data. Through this, the owner of the information is informed of the existence of the applicable policies for the treatment of their personal data, together with the way to access them and the characteristics of the treatment of personal data.
- d. Personal data: Any information linked to or that can be associated with one or more specific or determinable natural persons, such as name and surname, identity document, age, address, region, country, city, postal code, landline phone number, mobile phone number, address, email address, advertising preferences, consumption preference, channel preferences, complaints and claims, service news, basic and personal data, contact data, demographic data, data from tastes, preferences and habits.
- e. Sensitive data: Sensitive data is understood to be those that affect the privacy of the Holder or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions , membership in unions, social organizations, human rights organizations or those that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life and biometric data .
- f. Responsible for the Treatment: Natural or legal person, public or private, that by itself or in association with others, carries out the Treatment of personal data on behalf of the Responsible for the Treatment.
- g. Responsible for the Treatment: Natural or legal person, public or private, that by itself or in association with others, decides on the database and / or the Treatment of the data.
- h. Owner: Natural person whose personal data is subject to Treatment.
- i. Treatment: Any operation or set of operations on personal data, such as the collection, storage, use, circulation or deletion of data, in any known or unknown technology.
Beginning
The principles set forth below constitute the general parameters by which the provisions of this manual will be applied regarding the personal data of the people to whom the processing of their data is applicable:
- a. Principle of purpose: The processing of personal data by D-SIGNLED must obey a legitimate purpose, which must be informed to the Owner.
- b. Principle of freedom: The processing of personal data can only be exercised with the prior, express and informed consent of the Information Owner. Personal data may not be obtained or recorded without prior authorization, or in the absence of a legal or judicial mandate that relieves consent.
- c. Principle of truthfulness or quality: The information subject to Treatment must be truthful, complete, exact, updated, verifiable and understandable. The Processing of partial, incomplete, fractioned or misleading data is prohibited.
- d. Principle of transparency: In the Treatment, the right of the Holder to obtain from D-SIGNLED, at any time and without restrictions, information about the existence of data concerning him must be guaranteed.
- e. Principle of access and restricted circulation: Personal data, except for public information, may not be available on the Internet or other means of thumb or mass communication, unless access is technically controllable to provide restricted knowledge only to the Holders or authorized third parties.
- f. Security principle: The information subject to Treatment by D-SIGNLED, must be handled with the technical, human and administrative measures that are necessary to grant security to the records avoiding their adulteration, loss, consultation, use or access unauthorized or fraudulent.
- g. Principle of confidentiality: All persons involved in the Processing of personal data that are not public are obliged to guarantee the reservation of information, even after the end of their relationship with any of the tasks that comprises the Treatment.
Treatment to which the data and purpose of the treatment will be subjected.
Treatment is any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion. The information that D-SIGNLED collects in the provision of its services and in general in the development of its corporate purpose, is used mainly to identify, maintain a record and control of Employees, Potential Employees, Retired Workers, Shareholders, Suppliers, Potential Suppliers, Clients and Users of D-SIGNLED.
General information processing:
- • Process
- • Confirm
- • Comply
- • Provide services and / or products purchased directly or with the participation of third parties
- • Promote and publicize our activities, products and services
- • Make transactions
- • Make reports with the different administrative authorities of national control and surveillance, police or judicial authorities, financial entities and / or insurance companies
- • Internal administrative and / or commercial purposes such as: market research, audits, accounting reports, statistical analysis or billing • Collection
- • Storage
- • Recording
- • Use
- • Circulation
- • Processing
- • Suppression
- • Transmission and / or transfer to third countries of the data provided, for the execution of activities related to the services and products purchased
- • Accounting records
- • Correspondence
- • Make transactions
- • Identification of fraud and prevention of money laundering and other criminal activities
General Treatment of Shareholder Information:
- • Make the payment of requests.
- • Compliance with judicial decisions and administrative and legal provisions.
- • Contacts.
- • Compliance with judicial decisions and administrative and legal, fiscal and regulatory provisions.
General Treatment of Information from suppliers:
- • For commercial purposes.
- • Accounting.
- • Compliance with judicial decisions and administrative and legal, fiscal and regulatory provisions.
- • Compliance with contractual obligations, for which the information may be transferred to third parties, such as financial entities, notaries, OFAC and terrorism lists, lawyers, etc.
- • To carry out the processes in which the suppliers are linked.
- • Any other use that the provider authorizes in writing for the use of your information.
- • Transmission of information and personal data in audit processes.
General Treatment of Customer Information:
- • For commercial purposes.
- • Offer of goods and services.
- • Advertising and marketing.
- • Commercial alliances.
- • Accounting.
- • Compliance with contractual obligations, for which the information may be transferred to third parties, such as financial entities, notaries, OFAC and terrorism lists, lawyers, etc.
- • Compliance with judicial decisions and administrative and legal, fiscal and regulatory provisions.
- • Transmission of information and personal data in audit processes.
- • Billing.
General Treatment of Information on employees, retired workers, pensioners and candidates to fill vacancies:
- • For purposes relevant to the employment relationship (EPS, ARL, pension and severance funds, family compensation funds, etc.)
- • In the case of employees with the signing of the employment contract, express authorization is understood to give Treatment to the information.
- • In the case of judicial and legal requirements.
- • Accounting and payroll.
- • Recruit and select personnel to fill the vacancies.
- • Process, confirm and comply with legal and extra-legal labor obligations derived from the employment contract.
- • Make transactions.
- • Payment of extralegal benefits.
- • Audits.
- • Statistical analysis.
- • Maintain a database of candidates.
- • Training and education.
- • Share personal data with banks, companies that offer benefits to our active workers, among others.
Authorization.
The compilation, storage, consultation, use, exchange, transmission, transfer and processing of personal data requires the free, express and informed consent of the Holder of the information. Based on the foregoing and through this manual, mechanisms are implemented that allow subsequent consultation by the owner of the information.
Mechanisms to grant Authorization.
The authorization by the holder may be in a physical, electronic document or any other format that allows a reasonable conclusion that the Holder granted the authorization. </ span >
Taking into account the foregoing, D-SIGNLED hereby notices that the authorization in any case will be by means of a physical and / or digital document, which must have the signature of the Holder of the information, which does not prevent the establishment of different mechanisms to grant authorization later.
D-SIGNLED, will ensure respect and compliance with the fundamental rights of children and adolescents, observing the special requirements established for the treatment of your personal data and sensitive personal data.
Through the authorization, the Holder of the information or his representative will be informed in the case of infants (boys and girls) and adolescents, the fact that The information will be collected, including the purpose, modifications, storage and the specific use that will be given to them, and also:
- • The person who collects the information (specifying if he is the Responsible or the Person in charge of the treatment).
- • The data that will be collected, including whether Sensitive Data is collected.
- • The purpose of the data processing.
- • The mechanisms through which they can exercise their rights as Information Holders (access, correction, updating or deletion of data).
Proof of Authorization.
D-SIGNLED, in its capacity as Responsible and in Charge of Treatment, will have the necessary means to maintain technical and technological records of when and how authorization was obtained from the Owner of the information for the treatment thereof.
Privacy notice.
The privacy notice is a physical document, electronic or any other format, through which the owner of the information is informed about the existence of policies that will be applicable , as well as the way in which they can access them and the characteristics of the treatment that will be given to personal data.
Privacy notice.
The privacy notice is a physical document, electronic or any other format, through which the owner of the information is informed about the existence of policies that will be applicable , as well as the way in which they can access them and the characteristics of the treatment that will be given to personal data.
Content of the privacy notice.
- a. The identity, address and contact information of the Responsible or the Person in Charge of Treatment.
- b. The Treatment to which the data will be submitted and the purpose thereof.
- c. The mechanisms provided by D-SIGNLED so that the Holder knows the information treatment policy and the substantial changes that occur in it or in the corresponding privacy notice. In all cases, you must inform the Holder how to access or consult the information treatment policy.
The model of the privacy notice that was transmitted to the Holders of the information will be kept while the processing of personal data is carried out and the obligations that of this is derived. For the storage of the model, computer, electronic or any other technology at the choice of D-SIGNLED may be used.
According to the group of people whose personal data is collected, there will be a single privacy notice model, which will specify in detail the points described above for each of the same.
Rights of the holders of the information.
In accordance with article 8 of Statutory Law 1581 of 2012, the Holder of personal data has the following rights:
- a. Know, update and rectify your personal data D-SIGNLED in its capacity as Responsible and in charge of the treatment.
- b. Request proof of authorization granted to D-SIGNLED
- c. Be informed by D-SIGNLED regarding the use that has been given to your personal data.
- d. Present before the Superintendency of Industry and Commerce complaints for infractions of the provisions of Statutory Law 1581 of 2012, having exhausted the consultation or claim process as indicated in the aforementioned Law.
- e. Revoke the authorization and / or request the deletion of the data when the principles, rights and constitutional and legal guarantees are not respected in the Treatment.
- f. Free access to your personal data that have been subject to Treatment.
D-SIGNLED's duties in relation to the processing of personal data in its capacity as Responsible and Responsible for the Treatment.
It is hereby noted that the personal data being processed is the property of the persons to whom they refer and they are empowered to dispose of them. Based on the foregoing, it will only use personal data in accordance with the purposes established in the Law and respecting the provisions of Statutory Law 1581 of 2012 .:
In accordance with article 17 of Statutory Law 1581 of 2012, they undertake to fulfill the following duties:
- a. Guarantee the Holder, at all times, the full and effective exercise of the right to habeas data.
- b. Request and keep a copy of the respective authorization granted by the Owner.
- c. Carry out in the terms provided in articles 14 and 15 of Statutory Law 1581 of 2012, the update, rectification or deletion of the data.
- d. Process the queries and claims made by the owners in the terms indicated in article 14 of Statutory Law 1581 of 2012.
- e. Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
- f. Insert in the databases the legend "information in judicial discussion" once notified by the competent authority about judicial processes related to the quality or details of personal data.
- g. Inform the Superintendency of Industry and Commerce when there are violations of the security codes and there are risks in the administration of the information of the holders.
- h. Process inquiries and claims made by the holders of the information.
- i. Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.
- j. Apply the rules that regulate Statutory Law 1581 of 2012.
Duties regarding the Data Processing of Infants and Adolescents.
D-SIGNLED, in its capacity as Responsible and in Charge of Processing the personal data of the aforementioned groups, must take special care to ensure compliance with the Law regarding these groups and respect for their rights, especially regarding personal data that does not fit into the category of public data (name, sex, date of birth, etc.).
The processing of personal data of boys, girls and / or adolescents that is of a public nature will comply with the following parameters and requirements:
- a) Respond to and respect the best interests of children and adolescents.
- b) That the respect of their fundamental rights is ensured.
- c) Assessment of the minor's opinion when he or she has the maturity, autonomy and ability to understand the matter.
Once the above requirements have been met, the legal representative of the child or adolescent may grant authorization for the Treatment, after exercising the minor's right to be heard An opinion that should be assessed taking into account maturity, autonomy and ability to understand the matter.
Procedures for access, query and claim.
Applicable points for all Procedures:
(l) For the exercise of the rights indicated in this point by the successors, and also to prevent access to the information by persons not legally authorized, You must first verify and in accordance with the Law, the documentation that allows to conclude that the person requesting the information is indeed a successor of the Holder.
(ll) If there is any doubt regarding the application of the procedures indicated here, it will be informed by the area responsible for the database that It is subject to the application of the procedure and resolved by the Legal Directorate, who will resolve the issue taking into account the Law, Decrees and other regulatory or instructive standards, and the jurisprudence that is issued on the matter. </ p >
Access.
Taking into account that the power to dispose or decide on personal data rests with the Owner of the information, this power necessarily implies the right of the owner to access and know the personal information that is being processed, including in this regard the scope, conditions and generalities of the treatment.
Taking into account the above, this right is guaranteed in the head of the Holder, which includes.
- • Knowledge of the existence of the processing of your personal data.
- • Access to your personal data.
- • The circumstances of the processing of personal data.
Query.
In accordance with article 14 of Statutory Law 1581 of 2012, the Holders or their successors in title may consult the personal information of the Holder that resides in any database. Based on this, this right is guaranteed by providing them with all the information contained in the individual registry or that is linked to the identification of the Holder.
Depending on the nature of the personal database, the query will be managed by the area responsible for attending to it within D-SIGNLED </ p>
Queries will be answered within a maximum term of ten (10) business days from the date of receipt. When it is not possible to attend the query within said term, the interested party will be informed within the first term granted, where the reasons for the delay will be expressed and indicating the date on which the query will be attended, which in no case may exceed the five (5) business days following the expiration of the first term.
Query.
In accordance with article 14 of Statutory Law 1581 of 2012, the Holders or their successors in title may consult the personal information of the Holder that resides in any database. Based on this, this right is guaranteed by providing them with all the information contained in the individual registry or that is linked to the identification of the Holder.
Depending on the nature of the personal database, the query will be managed by the area responsible for attending to it within D-SIGNLED </ p>
Queries will be answered within a maximum term of ten (10) business days from the date of receipt. When it is not possible to attend the query within said term, the interested party will be informed within the first term granted, where the reasons for the delay will be expressed and indicating the date on which the query will be attended, which in no case may exceed the five (5) business days following the expiration of the first term.
- 1. The claim will be formulated by means of a communication made by the owner or his successors in title addressed to D-SIGNLED responsible or the person in charge of the Treatment, which must include the information indicated in article 15 of Statutory Law 1581 of 2012. If the claim is incomplete, it will be required to the interested party within five (5) days following the receipt of the claim to correct the faults. After two (2) months from the date of the request, without the applicant submitting the required information, it will be understood that the claim has been withdrawn. In any case, if the communication is directed to D-SIGNLED and does not have the quality to respond to the communication, D-SIGNLED, without having to communicate it to the person making the claim, will inform the company that must respond.
- In the event that D-SIGNLED receives a claim that it is not competent to resolve, it will transfer it to the appropriate person within a maximum term of two (2) business days and will inform the interested party of the situation.
- 2. Once the complete claim is received, a legend that says "claim in process" and the reason for it will be included in the database, within a term not exceeding two (2) business days. This legend must be maintained until the claim is decided.
- 3. The maximum term to attend the claim will be fifteen (15) business days from the day following the date of receipt. When it is not possible to attend the claim within said term, the interested party will be informed of the reasons for the delay and the date on which their claim will be attended, which in no case may exceed eight (8) business days following the expiration of the first term.
At any time and free of charge, the natural person Holder of the personal data or his representative may request the rectification, updating or deletion of his personal data after proof of his identity .
The request for rectification, updating or deletion of your personal data must be submitted through the means provided indicated in the privacy notice and must contain at least the following information:
- 1. The name and address of the Holder or representative or any other means to receive the response to your request.
- 2. The documents that prove the identity or representation of the Holder of personal data.
- 3. The clear and precise description of the personal data and the facts that give rise to the claim.
- 3. The clear and precise description of the personal data and the facts that give rise to the claim.
- 4. The documents that you want to assert in the claim.
The deletion implies the total or partial elimination of personal information in accordance with what is requested by the Holder, from the records, archives and databases or treatments carried out by D-SIGNLED.
According to the nature of the personal database, the claim will be managed by the area responsible for the attention to it within D-SIGNLED.
Procedure requirement.
The Holder or successor in title may only file a complaint with the Superintendency of Industry and Commerce once they have exhausted the consultation or claim process before D-SIGNLED. </ p>
Revocation of authorization.
In accordance with the provisions of the Law, in the event that the Treatment does not respect the principles, rights and constitutional and legal guarantees, the Holders or their Representatives (as is the case of parents who exercise parental authority of an infant or adolescent) may request the revocation of the authorization granted for the Treatment of them, unless such revocation is prevented by legal or contractual provision, indicating in that case , the specific reasons on the basis of which it considers that the situation of no respect to the aforementioned scopes is occurring.
D-SIGNLED being responsible or the person in charge of the Treatment, as the case may be, must confirm having received the request for revocation of authorization, including its date of receipt. It may be objected if, in the opinion of D-SIGNLED, the assumption indicated by the Holder is not presented or if such revocation implies an impairment for the monitoring or fulfillment of rights or obligations by the entity and with respect to the Holder, in which case You must inform the same in writing so that it can take the measures before the authorities it deems appropriate.
The request for revocation of the authorization can be total or partial. It will be total when the revocation of the totality of the consented purposes through the authorization is requested; it will be partial when the revocation of some purposes is requested depending on the revocation request. This qualifier must be clearly expressed in the request for revocation of the authorization.
Information security.
Information security measures.
In development of the security principle established in Statutory Law 1581 of 2012, SINTRACOLOMBINA will implement additional technical, human and administrative measures, if required, that are necessary to grant security to the records, through which their adulteration, loss, unauthorized or fraudulent consultation, use or access. The development of this online store carried out by the Distecnoweb web design agency was tested in different scenarios and SINTRACOLOMBINA carries out the necessary technical updates over time to preserve the security of the information.
Registration of the Bases.
D-SIGNLED, in its capacity as Responsible and in Charge of Treatment, must proceed to register the bases in the terms indicated by Colombian regulations.
Acceptance.
The Holders of the information accept the treatment of their personal data in accordance with the terms of this Manual, at the time of providing their data.
Validity.
This General Privacy Policy is effective from the date of its publication and its validity will be subject to the purpose of the processing of personal data of the legal nature of D-SIGNLED .