Main Menu

Personal data management policy

  1. OBJECTIVE AND SCOPE OF APPLICATION OF THE PERSONAL DATA MANAGEMENT POLICY.

In order to strictly comply with the regulations in force regarding the protection of Personal Data, POSSE HERRERA RUIZ ABOGADOS (hereinafter “PHR”), pursuant to the provisions of Law 1266 of 2008, Law 1581 of 2012, Decree 1074 of 2015 and other provisions that amend, add to or supplement it from time to time, hereby presents its regarding the of Personal Data Protection Policy (hereinafter the “Policy”), that contains the general provisions for the protection of the information related to, or that can be associated with, one or several individuals, determined or determinable (the “Personal Data”), by virtue of the prior authorization that has been granted by the Owners.

This Policy shall be applicable to all the Owners that are related to PHR and/or whose Personal Data has been collected and processed in any way by virtue or because of a relationship established with the Company, whether said Processing is made by PHR or by third parties upon the latter’s request.

This Policy shall be applied to any Processing done in the territory of the Republic of Colombia by PHR and, as the case may be, by those parties with which it agrees to carry out, in whole or in part, any activity related to or regarding the Processing of Personal Data.

In this Personal Data Management Policy, PHR details the general corporate guidelines in place in order to protect the Owners’ Personal Data, the purpose of the Processing of the data, the rights of the Owners, the area responsible for handling the complaints, as well as the procedures that must be observed to know, update, rectify and suppress the data.

PHR, pursuant to the Habeas Data constitutional right established in article 15 of the Colombian Constitution, only collects and Manages Personal Data when it has been previously authorized to do so by the Owner thereof, implementing, for such purposes, clear measures regarding the confidentiality and privacy of the Personal Data. In the cases in which no Authorization for the Processing of Personal Data is necessary, the Company will also implement the necessary measures to manage the information according to the regulations in force.

  1. DEFINITIONS.

For the purposes of this Policy, the definitions set forth in Law 1581 of 2012 and in Decree 1074 of 2015 will be taken into account, as the same are transcribed below:

  • Personal Data: Any information related to, or that can be associated with, one or several determined or determinable individuals.
  • Owner: Individual whose Personal Data is the subject of Processing.
  • Sensitive Data: Any data that affects the Owner’s privacy or whose inadequate use may generate discrimination, such as the data that reveals the Owner’s racial or ethnic origin, political leanings, religious or philosophical convictions, membership of trade unions or of social or human rights’ organizations, or of those that promote the interests of any political party, or that guarantee the rights and pledges of political parties in the opposition, as well as the data related to the Owner’s health, sex life or biometric details.
  • Person in charge of the Processing: It is the individual or legal entity, public or private, that carries out, by itself or together with others, the Processing of Personal Data on behalf of the Person Responsible for the Processing.
  • Personal Data Management Policy: It refers to this document.
  • National Data Bases Registry: It means the public directory of databases subject to Processing, which is operated by the Superintendence of Industry and Trade.
  • Person Responsible for the Processing: It is the individual or legal entity, public or private, who decides, by itself or together with others, about the Database and/or the Processing of the Personal Data. In this case, it is PHR.
  • Processing: Any operation or set of operations on Personal Data, such as the collection, storage, use, circulation, or suppression, as well as the Transfer and/or Transmission thereof to third parties through notices, enquiries, interconnections, assignments, data messages.
  • Transfer: The Transfer of Personal Data occurs when the Person Responsible and/or the Person in charge of the Processing of Personal Data, located in Colombia, sends the Personal Data to a receiver who is, on its part, a Person Responsible for the Processing and who may be in the country or abroad.
  • Transmission: Processing of Personal Data that implies the communication thereof to a third party inside or outside the territory of the Republic of Colombia, when the purpose of said communication is the Processing by the Person in Charge in the name and on behalf of the Person Responsible, to meet the latter’s purposes.

  1. PRINCIPLES.

According to article 4 of the Law 1581 of 2012, the principles that govern the Processing of Personal Data at PHR are:

  • Principle of legality regarding the Processing of Personal Data: The Processing of Personal Data is a regulated activity that must abide by the provisions of Law 1581 of 2012 and of Decree 1074 of 2015 and by any other provisions that may develop, add to or amend them from time to time.
  • Purpose Principle: The Processing must refer to a legitimate purpose according to the Constitution and the Law, which must be informed to the Owner.
  • Freedom Principle: The Processing can only be performed with the prior, express and informed consent of the Owner. The Personal Data cannot be obtained or disclosed without prior authorization, or in the absence of a legal or court order that makes such consent redundant.
  • Faithfulness or Quality Principle: The information subject to Processing must be truthful, complete, exact, updated, verifiable and understandable. The Processing of partial, incomplete, or fractioned data or of data that induces to error, is forbidden.
  • Transparency Principle: The Processing must guarantee the Owner’s right to obtain from the Person Responsible or from the Person in Charge, at any time and without restrictions, information about the existence of data that concerns him / her.
  • Restricted access and circulation Principle: The Processing is subject to the limits derived from the nature of the Personal Data. In this sense, the Processing can only be made by persons duly authorized by the Owner and/or by the persons determined by Law 1581 of 2012.
  • Safety Principle: The information subject to Processing by the Person Responsible for the Processing or by the Person in charge of the Processing, must be managed using all technical, human, and administrative measures that may be necessary to ensure the safety of the records, preventing the unauthorized or fraudulent modification, loss, review, use or access thereof.
  • Confidentiality Principle: Any person taking part in the Processing of Personal Data who is not a public person has the obligation to ensure the reserve of the information, even after the end of their relationship with any of the works involved in the Processing, and they can only supply or communicate Personal Data when it relates to the performing of the activities authorized by Law 1581 of 2012 and in the terms of such law.

 

  1. INFORMATION AND MECHANISMS IMPLEMENTED by PHR as THE PERSON RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA.

Corporate NamePOSSE HERRERA RUIZ
NIT830.022.196-0
Main place of businessBogotá D.C.
AddressCarrera 7 No. 71-52, Torre A, Piso 5
Phone Numbers(57)601 3257300, ext. 482
E – mailprotecciondatos@phrlegal.com
Websitewww.phrlegal.com

  1. AUTHORIZATION, PROCESSING AND STORAGE OF PERSONAL DATA.

As from the enactment of this Policy, [*], at the time of the collection of Personal Data, PHR shall request the prior authorization of the Owners, who shall be duly informed about the specific purposes of the Processing for which such consent has been obtained, excepting in the case of any one of the exceptions contained in article 10 of Law 1581 of 2012 for such purposes.

PHR shall proceed with the Processing of the Personal Data that has been voluntarily provided by the Owner. In general, the Company shall collect, store, use, circulate, transmit and transfer the relevant Personal Data. This information may only be utilized by PHR, its employees, consultants, advisors, affiliates of the business group and commercial and strategic partners expressly authorized by the Company, who need to access this information. In any case, PHR, upon the Owner’s request, shall give to the Owner the complete information of the personas authorized and/or the third parties who may Process their Personal Data.

PHR may request Sensitive Data at any time, informing the Owner, at the time of the collection, that the data requested is Sensitive Data, and the type of Sensitive Data will be collected. PHR may process Sensitive Data if (i) the Owner gives its explicit and voluntary consent with a specified purpose; (ii) the Processing is necessary to comply with legal obligations; (iii) the Processing is necessary to protect vital interests of the Owner or of any other individual; (iv) the Processing refers to Personal Data that the Owner has made public; (v) the Processing is necessary for the formulation, the exercise or the defense of claims or when courts or judges act in exercise of their judicial function; or (vi) the Processing is needed due to essential public interest reasons; (vii) the Processing is mandatory by virtue of the Law. PHR shall strictly observe the legal limitations for the Processing of Sensitive Data. PHR shall not condition, under any circumstances, any activity to the delivery of Sensitive Data. The Sensitive Data shall be processed with the greatest possible diligence and using the highest safety standards. The limited access to the Sensitive Data shall be a governing principle to safeguard the privacy thereof and, therefore, only authorized personnel shall have access to this type of data.

The Owners’ authorization for the Processing of their Personal Data, may be given: (i) in writing, (ii) verbally or (iii) by means of unequivocal conducts that allow to reasonably conclude that the authorization was indeed given.

PHR shall adequately conserve the evidence of those authorizations, upholding in all cases the data confidentiality and privacy principles.

  1. PURPOSES OF THE PERSONAL DATA PROCESSING.

The Personal Data gathered by PHR is included in a Database to which the access is restricted to PHR’S staff in the discharging of their duties, making clear that under no circumstances the Processing of the information is authorized for purposes other than the ones described in here, and that are communicated to the Owner in a direct manner no later than at the time of collection.

6.1. The purposes of the collection and Processing of the Personal Data of the PHR’S clients shall be:

  • To contact the owners to send data related to the contractual and obligational relationship, as the case may be.
  • To know, store, and process all the information provided by the owners in one or several databases, in the format that it deems to be the most convenient.
  • To collect information for commercial and market research purposes.

6.2. The purposes of the collection and Processing of the Personal Data of the vendors of [*], shall be:

  • To supervise and make the follow up of the correct and due execution of our contractual relationship.
  • To manage the administrative, accounting, financial, operational, and logistical aspects associated to the compliance with the obligations of both parties.
  • Administrative and fiscal procedures and activities.
  • Activities related to invoicing and the operations required for the effectiveness thereof.
  • Financial and accounting activity.
  • Commercial relationships’ history.
  • Verification legal, technical, and financial requirements.
  • Tax-related and collection activities.
  • Opinion surveys.
  • To verify the commercial background and reputation, as well as the eventual relationship risks associated to Money Laundering and the Financing of Terrorism.
  • To make reports and queries related to the obligations, both current and past due, to the credit bureaus and data operators legally authorized to operate.
  • To consult databases managed by credit bureaus or other operators, in respect to any relevant information, in order to learn about the Data owner’s performance as debtor, they payment capacity, the viability to enter into or to maintain a commercial relationship or to form any other purpose derived from the knowledge of such information.
  • To report to the credit bureaus or to other data operators about the Data owner’s compliance of, or failure to comply with, its credit liabilities or its legal duties of an economic nature, regarding its location and contact details, its credit applications and any other related to the Data owner’s commercial, financial, or socioeconomic relationships.
  • Any other, the purpose of which is to develop the commercial relationship between PHR and the Vendor and that are typical of this type of relationships, and without prejudice to its right, according to Law 1581 of 2012, to request, amend, delete and/or correct the information reported as Owner of the Personal Data furnished.

6.3. The purposes of the collection and Processing of the Personal Data of the visitors, authorized personnel and authorized contractors, shall be:

  • To have the information required in the event of an emergency while in the Company’s facilities.
  • To protect the safety and security of PHR.
  • To identify and to carry out the procedures for the entry and exit of equipment, vehicles, visitors, authorized personnel, authorized contractors, or natural persons, and to carry out any other safety and security activities.
  • To record and utilize the recordings of cameras of the CCTV or images to carry out investigations.

6.4. The purposes of the collection and Processing of the Personal Data of the workers of the Company, as well as of its contractors, shall be:

  • To carry out audits and to manage our systems and databases.
  • To contact the Owners for the forwarding of data related to the contractual and obligational relationship with the workers.
  • To know, store, and process all the information provided by the Owners in one or several databases, in the format that it deems to be the most convenient.
  • To comply with the obligations contracted in its capacity as Person Responsible for the Processing with the Owner of the information, in respect to the payment of salaries, legal benefits and any other compensation established in the employment contract or according to the law and the contract.
  • The development of programs for the prevention and promotion of the health and safety at the workplace, based on the medical and health and safety data as of the moment of enrollment, as well as throughout the performance and completion of the activities assigned.
  • Development of training, formation, entertainment programs according to the worker’s position.
  • To perform the contracts entered into with the owners of the Personal Data.
  • To manage, maintain, develop and control the existing contractual relationship of the parties, to see to their information requests, as well as the handling of their claims, the processing of their contract termination requests and of their request for the revocation of the authorization for the Processing of Personal Data.
  • To manage the enquiries made by the owners of the data.
  • To manage information associated to the eventual commission of facts or circumstances that imply the performance of ethical or disciplinary procedures pursuant to the provisions of the internal rules applicable and all other regulatory provisions applicable.
  • The generation of copies and backups of the data in the equipment provided by PHR.
  • To order, catalog, classify, divide or separate the information provided by the owners.
  • To offer corporate wellbeing programs, and to plan corporate activities for the Owner and his / her beneficiaries.
  • To see to the legal demands and data requirements made by the administrative authorities, as well as by the social security and judicial authorities who regulate, supervise or oversee PHR’S activities and operations, in full observance of the due process.
  • For the compliance with the Internal Work Rules, as well as with PHR’S internal policies.
  • To verify the information contained in the CV furnished to PHR.
  • To prevent the fraud or the inadequate use of our services.
  • To allow the creation of cases or users in the PHR’S information systems, associated to the enrollment of workers, as well as for the compliance with the strategic, administrative, commercial and accounting function.
  • To record the information of the family group of the Company’s employees for the discharging of the duties determined by the Law, as well as to involve them as participants in the wellbeing activities or benefits provided by the Company.
  • To control the access to the Company’s facilities.
  • To collect data for the discharging of the duties that, as Person Responsible of the information and of the Personal Data, correspond to the Company.
  • To satisfy legal obligations, such as the ones related to the prevention of money laundering and the financing of the terrorism.
  • To verify, corroborate, verify, validate, investigate or compare the information furnished by the owners, against any information that it may be legitimately in its possession.
  • To record and utilize the recordings of the CCTV cameras or images, to carry out investigations or to impose sanctions of a disciplinary or criminal nature, as the case may be.
  • To consult, at any time, in data bases managed by credit bureaus or other operators, all the relevant information to learn of the performance as debtor of the Owner of the information, its payment capacity, the viability to establish or to maintain a contractual relationship, or any other purposes derived from the knowledge of such information.
  • To report to the credit bureaus or other data operators the Data owner’s compliance with, or failure to comply with, its credit liabilities or its legal duties of an economic nature, regarding its location and contact details, its credit applications and any other related to the Data owner’s commercial, financial, or socioeconomic relationships.

 

The information provided by por the Owner shall only be used for the purposes herein established. Once the need for the Processing of the Personal Data has ceased, the same shall be deleted from PHR’S databases.

If PHR were to request data of a sensitive natures, please be advised that it shall not be mandatory to provide such information under any circumstances and, in the event that it is not authorized by the Owner, PHR shall not take any retaliatory measures. Such data will be treated with the utmost diligence and with the highest security standards.

PHR may transmit and/or transfer your Personal Data to third parties located in Colombia or abroad, even if they are located in countries that do not provide adequate protection levels, provided that it has the prior and express authorization of the Owner of the Personal Data.

  1. RIGHTS OF THE OWNER OF THE PERSONAL DATA.

Pursuant to the provisions of art. 8 of Law 1581 of 2012, the Owner of the Personal Data shall have the following rights:

  • To know, update and rectify its Personal Data n respect to the Persons Responsible for the Processing or Persons in Charges of the Processing. This right can be exercised, among other, regarding partial data as well as in respect to data that is incomplete or fractioned, that induces error, or those whose Processing is expressly forbidden or has not been authorized;
  • To request evidence of the authorization granted to the Person Responsible for the Processing unless when it is expressly excepted as a requirement for the Processing, pursuant to the provisions of article 10 of law 1581 of 2012;
  • To be informed by the Person Responsible for the Processing or the Person in charge of the Processing, upon request, in respect to the use that has been made of its Personal Data;
  • To file with the Superintendence of Industry and Trade complaints for infractions to the provisions of Law 1581 of 2012 as amended, added to or supplemented from time to time;
  • To revoke the authorization and/or to request the deletion of the specific data, provided that there is no legal or contractual obligation that imposes on the Owner the duty to remain in the database;
  • To have access, free of charge, to his / her Personal Data that has been the subject of Processing, at least once per calendar month and whenever there are substantial amendments to the Processing policies.

 

According to article 2.2.2.25.4.1 of Decree 1074 of 2015, the aforementioned rights may be exercised by:

  1. The Owner, who must accredit his / her identity in a sufficient manner, through the different means made available by the Person Responsible.
  2. Their heirs, who must accredit such capacity.
  3. The representative and/or attorney of the Owner, once such capacity has been duly accredited.

 

  1. DUTIES OF THE PERSON RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA.

Pursuant to the provisions of article 17 of Law 1581 of 2012, the Person Responsible for the Processing shall have the following duties:

  • To guarantee to the Owner, at all times, the full and effective exercise of the habeas data right;
  • To request and to keep a copy of the respective authorization granted by the Owner;
  • To duly inform to the Owner of the purpose of the collection and the rights that he / she has by virtue of the authorization granted;
  • To keep the data under the safety and security conditions necessary to prevent its unauthorized or fraudulent modification, loss, review, use or access;
  • To ensure that the information given to the Person in charge of the Processing is true, complete, exact, up to date, verifiable and understandable;
  • To update the information, informing in a timely manner to the Person in charge of the Processing, all the changes in respect to the data that has been previously provided by him / her, and to adopt all other measures required to keep the information provided up to date;
  • To rectify the information when it is found to be wrong and to communicate so to the Person in charge of the Processing;
  • To only give to the Person in charge of the Processing, as the case may be, data the Processing of which has been previously authorized;
  • To demand from the Person in charge of the Processing to respect, at all times, the conditions of safety and privacy of the Owner’s data;
  • To process the queries and claims made in the terms set forth in this Policy;
  • To adopt an internal manual of policies and procedures to guarantee the adequate compliance with the Personal Data protection regulation and, in particular, for the attention of queries and claims;
  • To inform to the Person in charge of the Processing if and when a certain information is being contested by the Owner, once the claim has been filed and the respective proceedings have not ended;
  • Upon request, to inform the Owner of the use made of his / her data;
  • To inform to the data protection authority of the occurrence of violations to the safety codes and when there are risks in the management of the Owners’ data;
  • To comply with the instructions and requirements set by the Superintendence of Industry and Trade.

 

  1. PROCEDURES THAT HAVE TO BE FOLLOWED BY THE OWNER TO EXERCISE ITS PERSONAL DATA RIGHTS.

The Owner of the Personal Data may exercise its rights over its Personal Data furnished through the area of [*], designated for the attention of petitions, enquiries and claims related to Personal Data within the Company. The Owner may exercise its aforementioned rights, as follows:

  • By means of an electronic communication, to the email protecciondatos@phrlegal.com.
  • By phone, to the following number (571) 601 3257300, ext. 482.

9.1. Procedure to make enquiries (to request evidence of the authorization, to learn of the data that has been collected and to learn of the treatment given to them).

The Owner of the Personal Data, their heirs, representatives and/or attorneys may file enquiries regarding the Personal Data kept in PHR’S databases, according to the following rules:

  • The request will be analyzed to verify the identification of the Owner. If the request is made by a person other than the Owner and the capacity of such person is not accredited according to the laws in force, the request will be rejected.
  • All the enquiries will be resolved in a maximum term of ten (10) business days as from the date in which the same are received. If it is not possible to answer the enquiry within said term, the interested party will be informed, expressing the reasons for the delay and informing a date in which the enquiry will be answered, which cannot exceed, in any case, five (5) business days after the expiration of the original term.

9.2. Procedure to file claims for para the update, correction, deletion, revocation of the authorization.

The Owner, or his / her heirs, who consider that the data contained in PHR’S databases must be subject to corrections, updates or deletion, or when they notice the alleged breach of any of the duties, may file a claim according to the following rules:

  • The request will be analyzed to verify the Owner’s identification. If the request is made by a person other than the Owner and the representation thereof is not accredited according to the regulations in force, the request will be rejected.
  • The claim must contain the following information: (i) The identification of the Owner; (ii) The contact data (physical and/or electronic address and contact phone numbers); (iii) The documents that accredit the identity of the Owner, or their representation; (iv) The clear and precise description of the Personal Data regarding which the Owner seeks to exercise any of the rights; (v) The description of the facts that lead to the claim; (vi) The documents that they intend to enforce; (vii) signature and identification number.
  • If the claim is incomplete, PHR shall make a requirement to the interested party, within a term of five (5) days after the receipt of the claim, to remedy the defects. If two (2) months lapse from the date of the requirement and the applicant has not furnished the information required, it shall be construed that he / she has desisted the claim.
  • If the area that receives the claim is not competent to answer it, it shall pass it to the relevant area or person within a term of two (2) business days, and will inform this situation to the interested party.
  • Once the complete claim has been received, a note saying “claim being processed” shall be included in the database together with the reason thereof, in a term of no more than two (2) business days. Said note must be left in place until the moment in which the claim is decided.
  • The maximum term to answer the claim will be of fifteen (15) business days as from the day after the date in which it is received. When it is not possible to answer the claim within that term, the reasons of the delay shall be informed to the interested party together with the date in which the claim will be answered, which under no circumstances can exceed eight (8) business days after the expiration of the first term.
  • The Owner has the right, at all times, to request the deletion of his / her Personal Data. The deletion implies the total or partial removal of the Personal Data from the Data Bases, according to the Owner’s request. The deletion right is not absolute and PHR may refuse the exercise thereof in the following events: (i) If the Owner has a legal or contractual duty to remain in the Database or if the Person Responsible has a legal or contractual obligation that means that he / she has to keep the Personal Data; (ii) The deletion of the Personal Data would thwart judicial or administrative activities related to fiscal obligations, the investigation and persecution of crimes or the update of administrative sanctions; (iii) The Personal Data is necessary to protect the Owner’s interests protected by the laws, to perform an action pursuant to the public interest, or to comply with an obligation legally acquired by the Owner or by the Person Responsible.

 

  1. TERM OF THE PROCESSING POLICY.

This Policy is in force as from the 24/06/2021.

The Personal Data included in the Data Bases subject to Processing, shall remain and shall be managed based on the temporariness criterion for the contractual term of the product or service, during the period in which the purpose for which the same were collected subsists, plus the term established by the law.

This Policy may be amended by PHR when so required without prior notice, provided that such amendments are not substantial ones. Only the amendments in respect to the purposes of the Processing and of the data of the Person Responsible for the Processing, or any other substantial modification shall be previously informed to the Owners.