PERSONAL DATABASE TREATMENT POLICY AND PROCEDURE
MARIO DELGADO ECHEVERRY E HIJOS S.A.S.
Company name: MARIO DELGADO ECHEVERRY E HIJOS S.A.S.
Nit: 800020909-7
Address: Avenida Carrera 24 Park Way # 37 – 31 Office 202, Bogotá D.C.
Telephone: (571) 3687752
e-mail: protecciondedatos@mdelaw.com
Website: www.mdelaw.com
- LEGAL NORMATIVITY AND SCOPE OF APPLICATION:
The present policy of personal data processing is prepared in accordance with the provisions of the Political Constitution, Law 1581 of 2012, Regulatory Decree 1074 of 2015, Chapter 25 and 26 and other complementary provisions, and will be applied by MARIO DELGADO ECHEVERRY E HIJOS S.A.S. hereinafter MDE, regarding the collection, storage, use, circulation, deletion and all those activities that constitute personal data processing.
- DEFINITIONS:
For the purposes of the execution of this policy and in accordance with legal regulations, the following definitions shall apply:
2.1 Authorization: Prior, express and informed consent from the Holder so that the company can carry out the processing of the personal data.
2.2 Holder: Natural person whose personal data are subject to treatment by the company.
2.3 Database: Organized set of personal data that are subject to treatment, by the company.
2.4 Personal data: Any information linked to or associated with one or several natural determined or determinable persons. Personal data can be public, private or semi-private.
2.5 Responsible for processing: Natural or legal person, public or private, who by itself or in association with others, performs the processing of personal data on behalf of the responsible for treatment.
2.6 Responsible for treatment: Natural or legal person, public or private, that by itself or in association with others, decides on the database and / or the treatment of the data.
2.7 Public data: It is the data classified as such according to the mandates of the law or the Political Constitution. Are public, among others, the data contained in public documents, judicial rulings that are not subject to reservation and those related to the civil status of the people.
2.8 Semi-private data: Semi-private data have no private nature, reserved, or public and whose knowledge or disclosure may be of interest not only fot its holder but a certain sector or group of people or society in general, such as financial and credit data of commercial activity.
2.9 Private data: Data that due to its intimate or reserved nature is only relevant for the holder.
2.10 Sensitive data: Those data related to racial or ethnic origin, membership in trade unions, social or human rights organizations, political, religious, sexual life, biometric or health data beliefs. This information may not be granted by the holder of these data.
2.11 Privacy notice: A physical, electronic document generated by the Responsible for Treatment that is made available to the holder along with information regarding the existence of the information treatment policies that will be applicable to it, the Information and Personal Data Management Policy, way to access them and the characteristics of the treatment that is intended to give to personal data.
2.12 Transfer: The transfer of data takes place when the Responsible and /or trustee of processing of personal data, located in Colombia, sends the information or personal data to a receiver, who in turn is Responsible for the Treatment and is within or outside the country.
2.13 Transmission: Processing of personal data that implies their communication within or outside the territory of the Republic of Colombia when its purpose is to carry out a Treatment by the Person in Charge on behalf of the Responsible Party.
2.14 Treatment: Any operation or set of operations on personal data, such as the collection, storage, use, circulation or deletion thereof.
- PURPOSE OF COLLECTING AND TREATING PERSONAL DATA: “MDE”
The data collected by MDE company will have the following purposes:
3.1 If it is about our clients: i) To communicate information about the processes entrusted to us, ii) To offer new services related to the activities developed by us in accordance with our corporate purpose and / or services offered through our website www.mdelaw.com, iii) To notify warnings about expiration of terms, iv) To repeat information about processes abroad that are of interest to you, v) Ro send information to correspondents abroad to comply with the previously granted legal mandates.
3.2 If it is about our employees, the information will be used to: i) Know the turnover of our employees, ii) Send them information about company decisions that may be of interest to them, iii) Give them instructions related to their work.
If a personal data is provided, said information will be used only for the purposes indicated herein, and therefore, MDE, will not proceed to sell, license, transmit, or disclose it, unless: (i) there is express authorization to do so; (ii) it is necessary to comply with the express mandates of the clients, iii) That is required or permitted by law.
MDE may subcontract third parties for the processing of certain functions or information. When the processing of personal information is effectively subcontracted with third parties or personal information is provided to third party service providers, MDE will warn said third parties about the need to protect said personal information with appropriate security measures, the use of the information for its own purposes and it is demanded that such personal information is not disclosed to others.
- PRINCIPLES APPLICABLE TO THE PROCESSING OF PERSONAL DATA:
The processing of personal data in MDE, will be governed by the following principles:
4.1 Principle of legality in data processing: The treatment referred to in this law is a regulated activity that must be subjected to the provisions thereof and in any other provisions that stem from it.
4.2 Principle of purpose: The treatment of collected personal data must obey a legitimate purpose which must be informed to the Holder;
4.3 Principle of freedom: The treatment can only be carried out with the prior, express and informed consent of the Holder. Personal data may not be obtained or disclosed without prior authorization, or without legal or judicial mandate that relieves the consent;
4.4 Principle of truth or quality: The information subjected to Treatment must be truthful, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fractioned or misleading data is prohibited;
4.5 Principle of transparency: In the Treatment, the Holder’s right to obtain at any time and without restrictions from MDE, information about the existence of data that concerns him must be guaranteed;
4.6 Principle of access and restricted circulation: The Treatment can only be done by people authorized by the Holder and / or by the persons set forth in the Law. Personal data, except for public information, may not made available on the Internet or any other media or mass communication. unless the access is technically controllable to provide knowledge restricted only for Holders or authorized third parties.
4.7 Principle of security: The information subjected to Processing by MDE must be protected through the use of technical, human and administrative measures that are necessary to grant security to the records, avoiding their adulteration, loss, consultation, use, unauthorized or fraudulent access;
4.8 Principle of confidentiality: All persons involved in the treatment of personal data are obliged to guarantee the reservation of information, even after the end of their relationship with any of the tasks included in the Treatment.
- RIGHTS OF PERSONAL DATA HOLDERS OBJECT OF TREATMENT BY MDE.
Holders of personal data by themselves or through their representative and / or proxy or through their successor in title may exercise the following rights, with respect to personal data that are subject to treatment by MDE:
5.1 The right to know, update and rectify their personal data in front of the company, as Responsible or the Trustee, at any time that he considers that the data are partial, inaccurate, incomplete, fractioned, misleading or those whose Treatment is expressly prohibited or not authorized.
5.2 The right to request proof of the authorization granted to the company at any time, except when expressly excluded as a requirement for processing in accordance with the provisions of article 10 of Law 1581 of 2012.
5.3 The right to be informed regarding the use that has been given to the data upon request of the data Holder.
5.4 The right to submit complaints to the Superintendence of Industry and Commerce for infractions of Law 1581 of 2012 and other regulations that modify, add or complement it.
5.5 The right to revoke the authorizations and / or to request the deletion of any data when he considers that the company has not respected his rights and constitutional guarantees.
5.6 The right to free access personal data he had voluntarily decided to share with the company, so the company, through the corresponding areas, commits to save and file reliably the data provided and the authorizations of each Holder of personal data granted in due form.
PARAGRAPH TWO: The rights of minors will be exercised by the persons who are authorized to represent them.
- MDE DUTIES:
All those obliged to comply with this policy must bear in mind that MDE is obliged to comply with the duties imposed by law in this regard. Consequently, the following duties must be fulfilled:
6.1 Duties when acting as Responsible:
6.1.1 Request and keep, in the conditions set forth in this policy, a copy of the respective authorization granted by the Holder.
6.1.2 Clearly and sufficiently inform the Holder about the purpose of the collection and the rights entitled to him by virtue of the authorization granted.
6.1.3 Report at the request of the Holder on the use given to his personal data
6.1.4 Process inquiries and claims formulated in the terms indicated in this policy
6.1.5 Ensure that the principles of truthfulness, quality, security and confidentiality in the terms established in these policies.
6.1.6 Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
6.1.7 Update the information when necessary.
6.1.8 Rectify personal data when appropriate.
6.2 Duties when acting as Trustee for processing personal data.
If you perform data processing on behalf of another entity or organization (Responsible for processing) you must fulfill the following duties:
6.2.1 Instruct that the treatment trustee is authorized to supply the personal data that he will treat as entrusted.
6.2.2 Guarantee the holder, at all times, the full and effective exercise of the right of habeas data.
6.2.3 Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
6.2.4 Perform the update, rectification or deletion of the data in a timely manner.
6.2.5 Update the information reported by the Responsible for the treatment within five (5) business days counted from its receipt.
6.2.6 Process inquiries and claims made by the holders in the terms indicated in this policy.
6.2.7 Register in the database the legend “claim in process” in the form established in this policy.
6.2.8 Insert in the database the legend “information in judicial discussion” once notified by the competent authority about judicial processes related to the quality of personal data.
6.2.9 Refrain from spreading information that is being contested by the Holder and whose blockade has been ordered by the Superintendence of Industry and Commerce.
6.2.10 Allow access to information only to persons authorized by the Holder or authorized by law to that effect.
6.2.11 Inform the Superintendence of Industry and Commerce when there are violations of the security codes and there are risks in the administration of the information of the Holders.
6.2.12 Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
6.3 Duties when performing the treatment through a Trustee:
6.3.1 Provide the person in charge of processing only the personal data whose treatment has been previously authorized.
6.3.2 For the purposes of national or international transmission of data, a contract for the transmission of personal data must be signed, or contractual clauses must be agreed in accordance with Decree 1074 of 2015.
6.3.3 Ensure that the information provided to the Trustee of processing is true, complete, accurate, up-to-date, verifiable and understandable.
6.3.4 Communicate in a timely manner to the Trustee of processing all the news regarding the data previously provided and adopt the other necessary measures so that the information provided to him is kept up-to-date.
6.3.5 Report in a timely manner to the Trustee of processing the rectifications made on the personal data so that the latter may conduct the appropriate adjustments.
6.3.6 To demand from the Trustee of the processing, at all times, respect for the security and privacy conditions of the holder’s information.
6.3.7 Inform the Trustee of the treatment when certain information is under discussion by the Holder, once the claim has been filed and the respective procedure has not been completed.
6.4 Duties regarding the Superintendence of Industry and Commerce:
6.4.1 Inform about possible violations of the security codes and the existence of risks in the administration of the Holders’ information.
6.4.2 Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
- APPLICATION FOR AUTHORIZATION TO THE PERSONAL DATA HOLDER:
In advance and/or upon collecting the personal data, MDE will ask the Holder of the data for authorization to carry out data collection and treatment, indicating the purpose for which the data are requested, using written or oral automated technical means for this purpose, to preserve evidence of the authorization and/or unequivocal conduct described in Decree 1074 of 2015. Said authorization will be requested as long as it is reasonable and necessary to meet the needs that gave rise to the request for data and, in any case, abiding by the legal provisions that govern the subject matter.
- PRIVACY NOTICE:
In case MDE cannot make this information treatment policy available to the Holder of the personal data, it will publish the privacy notice that is attached hereto, which text will be kept for later reference by the data Holder and/or the Superintendence of Industry and Commerce.
- TIME LIMITATIONS TO THE PROCESSING OF PERSONAL DATA.
MDE may only collect, store, use or circulate personal data for as long as it is reasonable and necessary, in accordance with the purposes that justified the treatment, in accordance with the provisions applicable to the subject matter and administrative, accounting, fiscal, legal and historical aspects of information.
Once the purpose (s) of the treatment have been fulfilled and without prejudice to any legal norms that stipulate otherwise, it will proceed to the suppression of the personal data in its possession. Notwithstanding the foregoing, personal data must be retained when required for the fulfillment of a legal or contractual obligation.
- RESPONSIBLE AREA AND PROCEDURE FOR THE EXERCISE OF THE RIGHTS OF PERSONAL DATA HOLDERS:
The systems area will be responsible for addressing petitions, complaints and claims made by the data Holder in the exercise of the rights considered in paragraph 5 of this policy, except for the one described in letter e).
For such purposes, the personal data Holder or whoever represents him may send his request, complaint or claim from Monday to Friday from 8:00 a.m. at 5:00 p.m. to the email protecciondedatos@mdelaw.com, call the telephone line # (571) 3687753, or file them at the following address Av. Carrera 24 Park Way # 37 – 31 Oficina 202 in the city of Bogotá D.C.; the petition, complaint or claim must contain the identification of the Holder, the description of the facts that give rise to the claim, the contact address, and accompanying documents he wants to enforce.
If the claim is incomplete, the interested party will be required within five (5) days after receipt of the claim to correct the faults. After two (2) months from the date of the request, without the applicant submitting the required information, it shall be understood that the claim has been abandoned. In the event that the person receiving the claim is not competent to come to a decision, he will notify the corresponding party within a maximum term of two (2) business days and inform the interested party on the situation.
Once the complete claim has been received, a legend that says “claim in process” and the reason therefor will be included in the database, in a term not exceeding two (2) business days.
This legend must be maintained until the claim is decided.
The maximum term to attend the claim will be fifteen (15) business days counted from the day following the date of its receipt. When it is not possible to attend the claim within said term, the interested party will be informed of the reasons for the delay and the date on which his claim will be handled, which in no case may exceed eight (8) business days following the expiration of the first term.
RESPONSIBLE FOR DATA PROCESSING
MDE Company acts as the responsible for treatment, it informs you its identification data through this policy:
MDE
NIT # 800020909-7
Main address: Av. Carrera 24 Park Way # 37 – 31 Oficina 202, Bogotá D.C.
Person or agency responsible for the attention of requests, queries and claims:
The person responsible for receiving and channeling all the requests and concerns is Mrs. JESSICA POSADA ACUÑA through the email protecciondedatos@mdelaw.com
TRUSTEE OF DATA PROCESSING
MDE company acts as the data processing trustee, it informs you its identification data through this policy:
MDE
NIT # 800020909-7
Main address: Av. Carrera 24 Park Way # 37 – 31 Oficina 202, Bogotá D.C.
The person responsible for receiving and channeling all the requests and concerns is Mrs. JESSICA POSADA ACUÑA through the email protecciondedatos@mdelaw.com
- DATA COLLECTED BEFORE THE ISSUANCE OF DECREE 1074 OF 2015:
In accordance with the provisions of the previous Decree, MDE will proceed to publish a notice on its official website www.mdelaw@com addressed to the personal data holders for the purposes of publicizing this information treatment policy and how to exercise your rights as holders of personal data housed in the MDE databases.
- SECURITY MEASURES:
In development of the security principle established in Law 1581 of 2012, MDE will adopt the technical, human and administrative measures that are necessary to grant security to the records, avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.
The personnel that carry out the processing of the personal data will execute the established protocols in order to guarantee the security of the information.
- EFFECTIVE DATE:
This Personal Data Policy was created on October 25, 2016 and becomes effective as of October 26, 2016. Any change arising regarding this policy will be reported through the website www.mdelaw.com.