This Personal Data Protection Policy will apply to all Databases and / or Files that contain Personal Data that are subject to Treatment by Rojas Trasteos considered responsible for the treatment of Personal Data, (hereinafter, “THE COMPANY”).
Definitions
Authorization: Prior, express and informed consent of the Owner to carry out the Processing of Personal Data.
Privacy Notice: Verbal or written communication generated by the Responsible, addressed to the Owner for the Treatment of your Personal Data, through which you are informed about the existence of the Information Processing Policies that will be applicable, the way of accessing to them and the purposes of the Treatment that is intended to be given to personal data.
Database: Organized set of Personal Data that is subject to Treatment.
Clients: Natural or legal person, public or private, with whom THE COMPANY has a commercial relationship.
Consumers: Natural person who consumes the goods produced by THE COMPANY.
Personal Data: Any information linked or that may be associated with one or more determined or determinable natural persons. Some examples of personal data are the following: name, citizenship card, address, email, telephone number, marital status, health data, fingerprint, salary, assets, financial statements, etc.
Sensitive data: Information that affects the privacy of the Holder or whose improper use may generate its discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership of unions, social organizations, rights human or that promotes the interests of any political party or that guarantees the rights and guarantees of opposition political parties as well as data related to health, sexual life and biometric data, among others, the capture of still or moving images , fingerprints, photographs, irises, voice recognition, facial or palm, etc.
Treatment Manager: Natural or legal person, public or private, who by himself or in association with others, performs the Processing of Personal Data on behalf of the Data Controller. In the events in which the Person Responsible does not act as Manager of the Database, it will be expressly identified who will be the Manager.
Responsible for the Treatment: Natural or legal person, public or private, who by himself or in association with others, decides on the Database and / or the Treatment of the data.
Claim: Request from the Data Holder or the people authorized by it or by the Law to correct, update or delete your personal data or to revoke the authorization in the cases established in the Law.
Terms and Conditions: general framework in which the conditions for the participants of promotional or related activities are established.
Owner: Natural person whose Personal Data is subject to Treatment.
Transfer: The data transfer takes place when the Person Responsible and / or in Charge of the Treatment of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is Responsible for the Treatment and is inside or outside from the country.
Transmission: Treatment of Personal Data that involves the communication thereof within or outside the territory of the Republic of Colombia when it is intended to carry out a Treatment by the Manager on behalf of the Responsible.
Treatment: Any operation or set of operations on Personal Data, such as the collection, storage, use, circulation or deletion.
Principles Applicable to the Processing of Personal Data
For the Treatment of Personal Data, THE COMPANY will apply the principles mentioned below, which constitute the rules to be followed in the collection, handling, use, treatment, storage and exchange of personal data:
Legality: The processing of personal data will be carried out in accordance with the applicable legal provisions (Statutory Law 1581 of 2012 and its regulatory decrees).
Purpose: The personal data collected will be used for a specific and explicit purpose which must be informed to the Holder or permitted by Law. The Holder will be clearly, sufficiently and previously informed about the purpose of the information provided.
Freedom: The collection of Personal Data can only be exercised with the prior, express and informed authorization of the Owner.
Transparency: In the Processing of Personal Data, the Holder’s right to obtain, at any time and without restrictions, information about the existence of data concerning him is guaranteed.
Access and restricted circulation: The processing of personal data may only be carried out by the persons authorized by the Owner and / or by the persons provided for in the Law.
Security: The Personal Data subject to Treatment will be handled adopting all the security measures that are necessary to avoid its loss, adulteration, consultation, use or unauthorized or fraudulent access.
Confidentiality: All officials who work at THE COMPANY are obliged to keep confidential the personal information to which they have access when they work at THE COMPANY.
This Personal Data Protection Policy will apply to all Databases and / or Files that contain Personal Data that are subject to Treatment by Rojas Trasteos considered responsible for the treatment of Personal Data, (hereinafter, “THE COMPANY” ).
Definitions:
Authorization: Prior, express and informed consent of the Owner to carry out the Processing of Personal Data.
Privacy Notice: Verbal or written communication generated by the Responsible, addressed to the Owner for the Treatment of your Personal Data, through which you are informed about the existence of the Information Processing Policies that will be applicable, the way of accessing to them and the purposes of the Treatment that is intended to be given to personal data.
Database: Organized set of Personal Data that is subject to Treatment.
Clients: Natural or legal person, public or private, with whom THE COMPANY has a commercial relationship.
Consumers: Natural person who consumes the goods produced by THE COMPANY.
Personal Data: Any information linked or that may be associated with one or more determined or determinable natural persons. Some examples of personal data are the following: name, citizenship card, address, email, telephone number, marital status, health data, fingerprint, salary, assets, financial statements, etc.
Sensitive data: Information that affects the privacy of the Holder or whose improper use may generate its discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership of unions, social organizations, rights human or that promotes the interests of any political party or that guarantees the rights and guarantees of opposition political parties as well as data related to health, sexual life and biometric data, among others, the capture of still or moving images , fingerprints, photographs, irises, voice recognition, facial or palm, etc.
Treatment Manager: Natural or legal person, public or private, who by himself or in association with others, performs the Processing of Personal Data on behalf of the Data Controller. In the events in which the Person Responsible does not act as Manager of the Database, it will be expressly identified who will be the Manager.
Responsible for the Treatment: Natural or legal person, public or private, who by himself or in association with others, decides on the Database and / or the Treatment of the data.
Claim: Request from the Data Holder or the people authorized by it or by the Law to correct, update or delete your personal data or to revoke the authorization in the cases established in the Law.
Terms and Conditions: general framework in which the conditions for the participants of promotional or related activities are established.
Owner: Natural person whose Personal Data is subject to Treatment.
Transfer: The data transfer takes place when the Person Responsible and / or in Charge of the Treatment of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is Responsible for the Treatment and is inside or outside from the country.
Transmission: Treatment of Personal Data that involves the communication thereof within or outside the territory of the Republic of Colombia when it is intended to carry out a Treatment by the Manager on behalf of the Responsible.
Treatment: Any operation or set of operations on Personal Data, such as the collection, storage, use, circulation or deletion.
Principles Applicable to the Processing of Personal Data
For the Treatment of Personal Data, THE COMPANY will apply the principles mentioned below, which constitute the rules to be followed in the collection, handling, use, treatment, storage and exchange of personal data:
Legality: The processing of personal data will be carried out in accordance with the applicable legal provisions (Statutory Law 1581 of 2012 and its regulatory decrees).
Purpose: The personal data collected will be used for a specific and explicit purpose which must be informed to the Holder or permitted by Law. The Holder will be clearly, sufficiently and previously informed about the purpose of the information provided.
Freedom: The collection of Personal Data can only be exercised with the prior, express and informed authorization of the Owner.
Accuracy or Quality: The information subject to the Processing of Personal Data must be truthful, complete, exact, updated, verifiable and understandable.
Transparency: In the Processing of Personal Data, the Holder’s right to obtain, at any time and without restrictions, information about the existence of data concerning him is guaranteed.
Access and restricted circulation: The processing of personal data may only be carried out by the persons authorized by the Owner and / or by the persons provided for in the Law.
Security: The Personal Data subject to Treatment will be handled adopting all the security measures that are necessary to avoid its loss, adulteration, consultation, use or unauthorized or fraudulent access.
Confidentiality: All officials who work at THE COMPANY are obliged to keep confidential the personal information to which they have access when they work at THE COMPANY.
Treatment and Purposes to which the Personal Data processed by THE COMPANY will be subjected
THE COMPANY, acting as Responsible for the Processing of Personal Data, for the proper development of its commercial activities, as well as for the strengthening of its relations with third parties, collects, stores, uses, circulates and deletes Personal Data corresponding to natural persons with who has or has had a relationship, such as, without the enumeration signifying limitation, workers and their families, shareholders, consumers, customers, distributors, suppliers, creditors and debtors, for the following purposes or purposes:
General purposes for the processing of Personal Data
Allow the Owners to participate in marketing and promotional activities (including participation in contests, raffles and raffles) carried out by THE COMPANY;
Evaluate the quality of the service, carry out market studies on consumption habits and statistical analyzes for internal uses;
Control access to THE COMPANY offices and establish security measures, including the establishment of video-monitored areas;
Respond to queries, requests, complaints and claims that are made by the Holders and control bodies and transmit the Personal Data to the other authorities that under the applicable law must receive the Personal Data;
To eventually contact, via email, or by any other means, natural persons with whom you have or have had a relationship, such as, without the listing signifying limitation, workers and their families, shareholders, consumers, customers, distributors, suppliers, creditors and debtors, for the aforementioned purposes.
Transfer the information collected to different areas of THE COMPANY and its related companies in Colombia and abroad when it is necessary for the development of its operations (collection of portfolio and administrative charges, treasury, accounting, among others);
For the attention of judicial or administrative requirements and the fulfillment of judicial or legal mandates;
Register your personal data in THE COMPANY’s information systems and in its commercial and operational databases;
Any other activity similar in nature to those described above that is necessary to carry out THE COMPANY’s corporate purpose.
Regarding the personal data of our Clients and Consumers:
To fulfill the obligations contracted by THE COMPANY with its Clients and Consumers when purchasing our products;
Send information about changes in the conditions of the products offered by THE COMPANY;
Send information about offers related to our products offered by THE COMPANY and its related companies;
To strengthen relationships with its Consumers and Clients, by sending relevant information, taking orders and evaluating the quality of the service;
For the determination of pending obligations, the consultation of financial information and credit history and the report to information centers of unfulfilled obligations, regarding their debtors;
To improve, promote and develop its products and those of its related companies worldwide;
Train vendors and agents in basic aspects of commercial management of the products offered by THE COMPANY;
Allow companies linked to THE COMPANY, with which it has entered into contracts that include provisions to guarantee the security and proper treatment of the personal data processed, to contact the Owner with the purpose of offering him goods or services of interest to him;
Control access to THE COMPANY offices and establish security measures, including the establishment of video-monitored areas;
Use the different services through THE COMPANY’s websites, including content and format downloads;
Regarding the personal data of our employees:
Manage and operate, directly or through third parties, the personnel selection and recruitment processes, including the evaluation and qualification of the participants and the verification of work and personal references, and the performance of safety studies;
Carry out the activities of Human Resources management within THE COMPANY, such as payroll, affiliations to entities of the general social security system, occupational health and wellness activities, exercise of the employer’s sanctioning power, among others;
Make the necessary payments derived from the execution of the employment contract and / or its termination, and the other social benefits that may arise in accordance with the applicable law;
Contract labor benefits with third parties, such as life insurance, medical expenses, among others;
Notify authorized contacts in case of emergencies during working hours or during its development;
Coordinate the professional development of employees, the access of employees to the computer resources of the employer and provide support for their use;
Planning business activities;
Regarding Supplier Data:
To invite them to participate in selection processes and events organized or sponsored by THE COMPANY;
For the evaluation of the fulfillment of its obligations;
To register in THE COMPANY systems;
To process your payments and verify outstanding balances;
Regarding the personal data of our shareholders:
For the recognition, protection and exercise of the rights of THE COMPANY’s shareholders;
For the payment of dividends;
To eventually contact, via email, or by any other means, the shareholders for the aforementioned purposes;
Rights of the Holders of Personal Data
The natural persons whose Personal Data are subject to Treatment by THE COMPANY, have the following rights, which they can exercise at any time: 6.1 Know the Personal Data on which THE COMPANY is carrying out the Treatment. Similarly, the Owner may request at any time, that their data be updated or rectified, for example, if they find that their data is partial, inaccurate, incomplete, fractional, misleading, or those whose Treatment is expressly prohibited or not has been authorized.
Request proof of the authorization granted to THE COMPANY for the Treatment of your Personal Data.
To be informed by THE COMPANY, upon request, regarding the use it has given to your Personal Data.
Submit complaints to the Superintendence of Industry and Commerce for infractions of the provisions of the Personal Data Protection Law.
Request THE COMPANY to delete your Personal Data and / or revoke the authorization granted for the Treatment thereof, by filing a claim, in accordance with the procedures established in number Security of Personal Data of this Policy. However, the request to delete the information and the revocation of the authorization will not proceed when the Holder of the information has a legal or contractual duty to remain in the Database and / or Files, or while the relationship between the Owner and THE COMPANY, by virtue of which their data was collected.
Free access to your Personal Data that has been processed.
The rights of the Holders may be exercised by the following persons: By the Holder; For their successors in title, who must prove such quality; By the representative and / or attorney of the Holder, after accreditation of the representation or empowerment; By stipulation in favor of another or for another.
Duties of THE COMPANY as Responsible for the Processing of Personal Data
THE COMPANY is aware that the Personal Data is the property of the people to whom they refer and only they can decide on it. In this sense, THE COMPANY will make use of the Personal Data collected only for the purposes for which it is duly empowered and respecting, in any case, the current regulations on the Protection of Personal Data. THE COMPANY will attend to the duties foreseen for the Data Controllers, contained in article 17 of Law 1581 of 2012 and the other norms that regulate, modify or replace it.
Authorization
THE COMPANY will request prior, express and informed authorization from the Holders of the Personal Data on which the Processing is required. This manifestation of the Holder’s will can be done through different mechanisms made available by THE COMPANY, such as: In writing, filling out an authorization form for the Processing of Personal Data determined by THE COMPANY. Orally, through a telephone conversation or videoconference. Through unequivocal behaviors that allow concluding that it granted its authorization, through its express acceptance of the Terms and Conditions of an activity within which the authorization of the participants is required for the Treatment of their Personal Data. IMPORTANT: In no case will THE COMPANY assimilate the Owner’s silence to unequivocal conduct.
Special Provisions for the Processing of Personal Data.
Treatment of Personal Data of a Sensitive Nature the Treatment of Personal Data of a sensitive nature is prohibited by law, unless you have express, prior and informed authorization from the Owner, among other exceptions enshrined in Article 6 of Law 1581 of 2012 In this case, in addition to complying with the requirements established for authorization, THE COMPANY will inform the Owner: that because it is sensitive data, it is not obliged to authorize its Treatment. which of the data that will be processed are sensitive and the purpose of the processing. Additionally, THE COMPANY will process the sensitive data collected under security and confidentiality standards corresponding to its nature. To this end, THE COMPANY has implemented administrative, technical and legal measures contained in its Policies and Procedures Manual, which are mandatory for its employees and, as applicable, for its suppliers, related companies and business allies.
Treatment of Personal Data of Children and Adolescents in accordance with the provisions of Article 7 of Law 1581 of 2012 and article 12 of Decree 1377 of 2013, THE COMPANY will only carry out the Treatment, corresponding to children and adolescents, provided and when this Treatment responds and respects the best interests of children and adolescents and ensures respect for their fundamental rights. Once the above requirements have been met, THE COMPANY must obtain the Authorization of the legal representative of the child or adolescent, after the minor exercises his or her right to be heard, an opinion that will be assessed taking into account maturity, autonomy and ability to understand the matter. Procedure for Attention and Response to Requests, Queries, Complaints and Claims of the Personal Data Holders The Personal Data Holders treated by THE COMPANY have the right to access their Personal Data and the details of said Treatment, as well as to rectify and update them in In case of being inaccurate or requesting their elimination when they consider that they turn out to be excessive or unnecessary for the purposes that justified their obtaining or to oppose the Treatment of the same for specific purposes.
Procedure for making requests and inquiries
The Holder may consult his personal data at any time. For this purpose, you can submit a request indicating the information you want to know, through any of the mechanisms indicated above. The Holder or his successors must prove his identity, that of his representative, representation or provision in favor of another or for another. When the request is made by a person other than the Holder and it is not proven that it acts on behalf of the latter, it will be considered not filed. The consultation and / or request must contain at least the name and contact address of the Owner or any other means to receive the response, as well as a clear and precise description of the personal data regarding which the Owner seeks to exercise the right of consultation and / or request. If the query and / or request made by the Data Holder is incomplete, THE COMPANY will require the interested party within five (5) days after receiving the query and / or request to correct the failures. After two (2) months from the date of the request, without the applicant submitting the required information, it will be understood that he has withdrawn from his consultation. The requests and / or consultations will be attended by THE COMPANY within a maximum term of ten (10) business days from the date of receipt thereof. When it is not possible to attend to the request or query within said term, this fact will be reported to the applicant, stating the reasons for the delay and indicating the date on which the request will be answered, which in no case may exceed five (5 ) business days following the expiration of the first term.
Procedure for making complaints and claims
In accordance with the provisions of Article 14 of Law 1581 of 2012, when the Owner or his successors consider that the information processed by THE COMPANY should be subject to correction, updating or deletion, or when it should be revoked for notifying the alleged breach of any of the duties contained in the Law, may submit an application to THE COMPANY, which will be processed under the following rules: The Holder or his successors must prove his identity, that of his representative, representation or provision in favor of another or for another. When the request is made by a person other than the Holder and it is not proven that it acts on behalf of the latter, it will be considered not filed. The request for rectification, updating, deletion or revocation must be submitted through the means authorized by THE COMPANY indicated in this document and contain, as a minimum, the following information: The name and address of the owner’s address or any other means to receive the answer. The documents that prove the identity of the applicant and, if necessary, that of his representative with the respective authorization. The clear and precise description of the personal data with respect to which the Owner seeks to exercise any of the rights and the specific request. If the application is incomplete, THE COMPANY must request the interested party within five (5) days of receipt to correct the failures. After two (2) months from the date of the request, without the applicant submitting the required information, it will be understood that he has withdrawn his request. In the event that the person receiving the request is not competent to resolve it, they will transfer the Legal area of THE COMPANY, within a maximum period of two (2) business days and will inform the interested party of the situation. Once the request is received, a legend will be included in the Database that says “claim in process” and the reason for it, within a term not exceeding two (2) business days. This legend must be kept until it is decided. The maximum term to attend to this request will be fifteen (15) business days from the day following the date of receipt. When it is not possible to attend to it within said term, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.
Information Obtained Passively
When the services contained within the websites of THE COMPANY are used, the COMPANY may passively collect information through information management technologies, such as “cookies”, through which information about the hardware is collected and the software of the equipment, IP address, type of browser, operating system, domain name, access time and the addresses of the websites of origin; Through the use of these tools, Personal Data of users is not directly collected. Information will also be collected about the pages that the person visits most frequently on these websites in order to know their browsing habits. However, the user of THE COMPANY’s websites has the possibility of configuring the operation of “cookies”, according to the options of their internet browser.
Security of Personal Data
THE COMPANY, in strict application of the Principle of Security in the Treatment of Personal Data, will provide the technical, human and administrative measures that are necessary to grant security to the records, avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access. The obligation and responsibility of THE COMPANY is limited to having the appropriate means for this purpose. THE COMPANY does not guarantee the total security of your information nor is it responsible for any consequence derived from technical failures or the improper entry by third parties to the Database or file in which the Personal Data subject to Treatment by THE COMPANY rest. and their Managers. THE COMPANY will require the service providers it contracts to adopt and comply with the appropriate technical, human and administrative measures for the protection of Personal Data in relation to which said providers act as Managers. Transfer, Transmission and Disclosure of Personal Data THE COMPANY may disclose to its related companies worldwide, the Personal Data on which it performs the Treatment, for its use and Treatment in accordance with this Personal Data Protection Policy. Likewise, THE COMPANY may deliver Personal Data to third parties not related to THE COMPANY when: They are contractors executing contracts for the development of THE COMPANY’s activities; By transfer to any title of any business line to which the information is related. In any case, when THE COMPANY wishes to send or transmit data to one or more Managers located inside or outside the territory of the Republic of Colombia, it will establish contractual clauses or enter into a contract for the transmission of personal data in which, among others, it is agreed the next:
The scope and purposes of the treatment.
The activities that the Manager will carry out on behalf of THE COMPANY. The obligations that must be fulfilled by the Person in Charge with respect to the Data Holder and THE COMPANY. The duty of the Person in Charge to process the data in accordance with the purpose authorized for it and observing the principles established in Colombian Law and this policy. The Manager’s obligation to adequately protect personal data and databases as well as to keep confidentiality regarding the treatment of the transmitted data. A description of the specific security measures that will be adopted by both THE COMPANY and the Data Controller at their destination. THE COMPANY will not request authorization when the international transfer of data is covered by any of the exceptions provided for in the Law and its Regulatory Decrees.
Applicable legislation
This Personal Data Protection Policy, the Privacy Notice, and the Authorization Format Annex that is part of this Policy, are governed by the provisions of current legislation on the protection of Personal Data referred to in Article 15 of the Political Constitution of Colombia, Law 1266 of 2008, Law 1581 of 2012, Decree 1377 of 2013, Decree 1727 of 2009 and other regulations that modify, repeal or replace them.
Validity
This Personal Data Protection Policy is in force since December 7, 2016.
