Web Processing Policies

1. Legal basis and scope

 

The information processing policy is developed in compliance with Articles 15 and 20 of the Political Constitution; Articles 17(k) and 18(f) of Statutory Law 1581 of 2012, which issues general provisions for the Protection of Personal Data (LEPD); and Article 13 of Decree 1377 of 2013, which partially regulates that Law.

This policy will apply to all personal data recorded in databases that are processed by the controller.

2. Definitions

 

The following definitions are established in Article 3 of Law 1581 of 2012 and Article 3 of Decree 1377 of 2013.

Authorization: Prior, express and informed consent of the Owner to carry out the processing of personal data.

Privacy Notice: Verbal or written communication generated by the controller and addressed to the Owner for the processing of his personal data, by which he is informed of the existence of the information processing policies that will apply to him, the way to access them and the purposes of the processing intended for the personal data.

Database: Organized set of personal data that is processed.

Personal data: Any information that is linked to or may be associated with one or more identified or identifiable natural persons.

Public data: Data that is not semi-private, private or sensitive. Public data include, among others, data relating to the marital status of persons, their profession or trade and their status as a trader or public servant. By their nature, public data may be contained, among other places, in public records, public documents, gazettes and official bulletins, and duly executed court rulings that are not subject to reservation.

Sensitive data: Data that affect the privacy of the Owner or whose misuse may lead to discrimination, such as data that reveal racial or ethnic origin, political orientation, religious or philosophical beliefs, membership of trade unions or of social or human rights organizations, or of organizations that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data on health, sex life, and biometric data.

Data Processor: Natural or legal person, public or private, who by itself or in association with others, performs the processing of personal data on behalf of the controller.

Data Controller: Natural or legal person, public or private, who by itself or in association with others, decides on the database and/or the processing of the data.

Holder: Natural person whose personal data are processed.

Transfer: The transfer of data takes place when the controller and/or processor of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is responsible for the processing and is located inside or outside the country.

Transmission: Processing of personal data involving the communication of the same within or outside the territory of the Republic of Colombia when it is intended that the processing be carried out by the processor on behalf of the controller.

Treatment: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.

3. Authorization of the treatment policy

 

In accordance with Article 9 of the LEPD, prior and informed authorization of the Owner is required for the processing of personal data. By accepting this policy, any Owner who provides information regarding his/her personal data is consenting to the processing of his/her data by Polifuncionales S.A.S in the terms and conditions contained therein.

The Authorization of the Holder shall not be required in the case of:

  • Information required by a public or administrative entity in the exercise of its legal functions or by court order.
  • Public data.
  • Medical or health emergency cases.
  • Processing of information authorized by law for historical, statistical or scientific purposes.
  • Data related to the Civil Registry of persons.

4. Data Controller

The controller of the databases processing this policy is Polifuncionales S.A.S, whose contact details are as follows:

  • Address: Calle 73 No. 22-06 Barrio San Felipe -Bogotá,
  • Email: servicioalcliente@Polifuncionales.com.co
  • Phone: (57-1) 635 1142

5. Treatment and purposes of databases

 

Polifuncionales S.A.S, in the development of its business activity, carries out the processing of personal data relating to natural persons who are contained and are treated in databases intended for legitimate purposes, complying with the Constitution and the Law.

“Annex 1. Database Information” presents the different databases managed by the company, and the information and characteristics of each of them.

6. Rights of Holders

 

The navigation system and the software necessary for the operation of this website collect some personal data, the transmission of which has been implicit in the use of Internet communication protocols.

By its very nature, the information collected may allow the identification of users through their association with third-party data even if it is not obtained for that purpose. In this category of data are the IP address or domain name of the computer used by the user to access the web page, URL, date and time and other parameters related to the user’s operating system.

This data is used for the sole purpose of obtaining anonymous statistical information about the use of the website or controlling its correct technical functioning, and is cancelled immediately after being verified.

7. Cookies or web bugs

 

This website does not use cookies or web bugs to collect personal data from the user; their use merely facilitates the user’s access to the website. The use of session cookies, which are not permanently stored on the user’s computer and disappear when the browser is closed, is limited to collecting technical information to identify the session in order to facilitate safe and efficient access to the website. If you do not wish to allow the use of cookies, you can reject or delete existing cookies by configuring your browser and disabling the browser’s JavaScript code in the security settings.

8. Procedures for exercising the Rights of the Holder

 

In accordance with Article 8 of the LEPD and Articles 21 and 22 of Decree 1377 of 2013, Data Subjects may exercise a number of rights in relation to the processing of their personal data. These rights may be exercised by the following persons:

 

  1. By the Holder, who must prove his identity sufficiently by the different means made available to him by the person responsible.
  2. By their successors, who must prove such quality.
  3. By the representative and/or proxy of the Owner, after accreditation of the representation or proxy.
  4. By stipulation in favor of another and for another.

The rights of children or adolescents shall be exercised by persons empowered to represent them.

The rights of the Owner are as follows:

Right of access or consultation: This is the right of the Owner to be informed by the controller, upon request, regarding the origin, use and purpose they have given to their personal data.

Complaint and Claim Rights: The Act distinguishes four types of claims:

-Claim for correction: It is the Right of the Owner to update, rectify or modify any partial, inaccurate, incomplete or fractional data, data that are misleading, or data whose processing is expressly prohibited or has not been authorized.

-Suppression claim: It is the Right of the Owner to delete data that is inappropriate, excessive or does not respect constitutional and legal principles, rights and guarantees.

-Revocation claim: It is the Right of the Owner to leave without effect the authorization previously provided for the processing of his/her personal data.

-Claim of infringement: It is the Right of the Owner to request that non-compliance with data protection regulations be remedied.

-Right to request proof of the authorization granted to the controller: Except where expressly exempted as a treatment requirement in accordance with Article 10 of the LEPD.

Right to file complaints with the Superintendency of Industry and Commerce for infringements: The Owner or successor may only raise this complaint once the consultation or complaint has been exhausted before the controller or processor.

9. Attention to Data Subjects

 

The Data Protection Officer of Polifuncionales S.A.S will be in charge of the attention of requests, queries and complaints before which the Data Subject can exercise his rights.

  • Phone: (57-1) 635 1142
  • Email: servicioalcliente@Polifuncionales.com.co

10. Procedures for exercising the Rights of the Holder

 

10.1 Right of access or consultation
According to Article 21 of Decree 1377 of 2013, the Owner may consult his/her personal data free of charge in two cases:

  • At least once every calendar month.
  • Whenever there are substantial changes to information processing policies that motivate further consultation.

For inquiries whose periodicity is greater than one for each calendar month, Polifuncionales S.A.S may only charge the Holder the costs of sending, reproduction and, where appropriate, certification of documents. Reproduction costs may not be higher than the costs of recovering the relevant material. To this end, the controller shall demonstrate to the Superintendency of Industry and Commerce, where required by the latter, the support of such expenses.

The Data Subject may exercise the right of access or consultation of his data by means of a letter addressed to Polifuncionales S.A.S, sent by email to servicioalcliente@Polifuncionales.com.co, indicating in the Subject “Exercise of the right of access or consultation”, or by postal mail sent to Calle 73 No. 22-06 Barrio San Felipe -Bogotá. The request shall contain the following data:

  • Name and surname of the Holder.
  • Photocopy of the Holder’s Citizenship Certificate and, where applicable, that of the person representing the Holder, as well as the document accrediting such representation.
  • Petition specifying the request for access or consultation.
  • Address for notifications, date and signature of the applicant.
  • Documents supporting the request made, where applicable.

The Owner may choose one of the following forms of database consultation to receive the requested information:

  • On-screen display.
  • In writing, with copy or photocopy sent by certified mail or not.
  • Fax.
  • Email or other electronic means.
  • Another system suitable for the configuration of the database or the nature of the processing, offered by Polifuncionales S.A.S.

Once the request has been received, Polifuncionales S.A.S will resolve the request for consultation within a maximum period of ten (10) working days from the date of receipt of the same. Where it is not possible to attend the consultation within said term, the interested party will be informed, expressing the reasons for the delay and indicating the date on which his consultation will be attended, which in no case may exceed five (5) working days following the expiration of the first term. These time limits are laid down in Article 14 of the LEPD.

Once the consultation process is exhausted, the Owner or successor may file a complaint with the Superintendency of Industry and Commerce.

10.2 Complaint and claim rights

The Data Subject may exercise the rights of claim on his data by writing to Polifuncionales S.A.S, by email sent to servicioalcliente@Polifuncionales.com.co, indicating in the Subject “Exercise of the right of access or consultation”, or by postal mail sent to Calle 73 No. 22-06 Barrio San Felipe -Bogotá. The request shall contain the following data:

  • Name and surname of the Holder.
  • Photocopy of the Holder’s Citizenship Certificate and, where applicable, that of the person representing the Holder, as well as the document accrediting such representation.
  • Description of the facts and petition specifying the request for correction, deletion, revocation or infringement.
  • Address for notifications, date and signature of the applicant.
  • Documents supporting the request made that are to be relied upon, where appropriate.

Once the complete claim is received, a legend that says “claim pending” and the reason for it will be included in the database within two (2) business days. Such legend must be maintained until the claim is decided.

Polifuncionales S.A.S will resolve the request for consultation within a maximum period of fifteen (15) working days from the date of receipt of the same. Where it is not possible to respond to the claim within said term, the interested party will be informed of the reasons for the delay and the date on which his claim will be addressed, which in no case may exceed eight (8) working days following the expiration of the first term.

Once the claim process has been exhausted, the Owner or successor may file a complaint with the Superintendency of Industry and Commerce.

11. Security measures

 

Polifuncionales S.A.S, in order to comply with the security principle enshrined in Article 4(g) of the LEPD, has implemented the technical, human and administrative measures necessary to keep the records secure, preventing their adulteration, loss, or unauthorized or fraudulent consultation, use or access.

In addition, Polifuncionales S.A.S, by signing the corresponding transmission contracts, has required the processors with which it works to implement the necessary security measures to guarantee the security and confidentiality of the information in the processing of personal data.

Below are the security measures implemented by Polifuncionales S.A.S, which are collected and developed in its Internal Safety Manual (Tables I, II, III, IV).

 

TABLE I: Common security measures for all types of data
(public, semi-private, private, sensitive) and databases (automated, non-automated)

 

Document and media management:
  1. Measures that prevent improper access or recovery of data that has been discarded, deleted or destroyed.
  2. Restricted access to where the data is stored.
  3. Authorization of the controller for the output of documents or media for physical or electronic permission.
  4. Labeling system or identification of the type of information.
  5. Media inventory.

Access control:
  1. Limited user access to the data necessary for the development of its functions.
  2. Updated list of users and authorized accesses.
  3. Mechanisms to prevent access to data with the rights of the Authorized.
  4. Granting, altering or cancelling permissions by the authorized person.

Incidents:
  1. Record of incidents: type of incident, time of occurrence, issuer of notification, recipient of notification, effects and corrective measures.
  2. Procedure for notification and management of incidents.

Personnel:
  1. Definition of the functions and obligations of users with access to the data.
  2. Definition of the control functions and authorizations delegated by the controller.
  3. Disclosure among the staff of the rules and the conditions of the same.

Internal Safety Manual:
  1. Preparation and implementation of the Mandatory Handbook for Staff.
  2. Minimum content: scope, security measures and procedures, staff functions and obligations, description of databases, incident procedure, data copying and retrieval procedure, security measures for the transport, destruction and reuse of documents, identification of rattling.

 

TABLE II: Common security measures for all types of data (public, semi-private, private, sensitive) depending on the type of databases

 

Non-automated databases

File:
  1. File documentation following procedures that ensure proper preservation, location and consultation and allow the exercise of the rights of the Holders.

Document storage:
  1. Storage devices with mechanisms that prevent access to unauthorized persons.

Custody of documents:
  1. Duty of diligence and custody of the person in charge of documents during the review or processing thereof.

Automated databases

Identification and authentication:
  1. Personalized identification of users to access the information systems and verification of their authorization.
  2. Identification and authentication mechanisms; Passwords: Mapping, expiration, and encrypted storage.

Telecommunications:
  1. Access to data through secure networks.

 

TABLE III: Security measures for private data depending on the type of databases

 

Automated, non-automated databases

Audit:
  1. Ordinary audit (internal or external) every two months.
  2. Extraordinary audit for substantial changes in information systems.
  3. Report on the detection of deficiencies and proposal for corrections.
  4. Analysis and conclusions of the security manager and the controller.
  5. Preservation of the Report at the disposal of the authority.

Security Manager:
  1. Designation of one or more security managers.
  2. Appointment of one or more persons responsible for the control and coordination of the measures of the Internal Security Manual.
  3. Prohibition of delegation of responsibility of the controller to the security manager.

Internal Safety Manual:
  1. Periodic compliance checks.

Automated databases

Document and media management:
  1. Check-in and check-out of documents and media: date, sender and receiver, number, type of information, form of shipment, person responsible for receipt or delivery.

Access control:
  1. Control of access to the place or places where information systems are located.

Identification and authentication:
  1. Mechanism limiting the number of repeated attempts of unauthorized access.

Incidents:
  1. Registration of data recovery procedures, person who executes it, restored data and manually recorded data.
  2. Authorization of the controller for the execution of the recovery processes.

 

TABLE IV: Security measures for sensitive data depending on the type of databases

 

Non-automated databases

Access control:
  1. Access only for authorized personnel.
  2. Access identification mechanism.
  3. Registration of unauthorized user accesses.

Document storage:
  1. Cabinets, cabinets or others located in key-protected access areas or other measures.

Copying or reproduction:
  1. Only by authorized users.
  2. Destruction that prevents data access or recovery.

Transferring documentation:
  1. Measures that prevent access or manipulation of documents.

Automated databases

Document and media management:
  1. Confidential labeling system.
  2. Data encryption.
  3. Encryption of portable devices when they are out.

Access control:
  1. Access log: user, time, database accessed, type of access, record accessed.
  2. Control of access registration by the security manager. Monthly report.
  3. Data retention: 2 years.

Telecommunications:
  1. Transmission of data over encrypted electronic networks.

12. Transferring data to third countries

 

According to Title VIII of the LEPD, the transfer of personal data to countries that do not provide adequate levels of data protection is prohibited. It is understood that a country offers an adequate level of data protection when it meets the standards set by the Superintendency of Industry and Commerce on the subject, which in no case may be lower than those required by this law to its recipients. This prohibition shall not apply in the case of:

  • Information for which the Owner has granted his express and unequivocal authorization for the transfer.
  • Exchange of medical data, where required by the treatment of the Holder for reasons of health or public hygiene.
  • Bank or stock transfers, in accordance with the legislation applicable to them.
  • Transfers agreed under international treaties to which the Republic of Colombia is a party, based on the principle of reciprocity.
  • Transfers necessary for the execution of a contract between the Owner and the controller, or for the execution of pre-contractual measures provided that the Authorization of the Owner is available.
  • Transfers legally required for the safeguarding of the public interest, or for the recognition, exercise or defense of a right in a judicial process.

In cases not covered by an exception, it will be for the Superintendency of Industry and Commerce to issue the declaration of conformity concerning the international transfer of personal data. The Superintendent is empowered to require information and carry out the steps needed to establish compliance with the prerequisites required for the viability of the operation.

International transmissions of personal data between a controller and a processor, made to allow the processor to carry out the processing on behalf of the controller, need not be reported to the Owner or have the Owner's consent, provided that there is a contract for the transmission of personal data.

13. Term

 

The databases for which Polifuncionales S.A.S is responsible will be subject to processing for as long as it is reasonable and necessary for the purpose for which the data are collected. Once the purpose or purposes of the processing have been fulfilled, and without prejudice to legal rules that provide otherwise, Polifuncionales S.A.S will proceed to the deletion of the personal data in its possession unless there is a legal or contractual obligation that requires its preservation. Therefore, this database has been created without a defined period of validity.

“This treatment policy has been in force since 2016-11-25.”