Personal data processing policies
1. Identification of the data controller
CIDENET S.A.S, hereinafter referred to as THE COMPANY, a commercial company identified with NIT. 900.574.473-8 and created by certificate of incorporation 5135 on November 14, 2012, registered in the Chamber of Commerce on November 14, 2012.
Location of principal office
THE COMPANY is located in the city of Medellin, and its principal office is located at Carrera 69 #49A – 11 Suramericana neighborhood.
2. Principles of data processing
The principles established in the Colombian personal data protection regime shall be applied in all personal data processing carried out by THE COMPANY, especially the following:
- Principle of legality of data processing:
The rules of the Colombian legal system related to the personal data protection regime and all those contained in the aforementioned shall be applied for the processing of personal data carried out by THE COMPANY.
- Principle of purpose:
The treatment given by THE COMPANY to the personal data it treats obey the purposes established in the aforementioned regime, which are in harmony with the Colombian legal system.
In regards to what is not regulated through these policies, the superior rules that regulate, add, modify of derogate it shall be applied.
- Principle of freedom:
The treatment to personal data carried out by THE COMPANY is done in accordance with the prior, expressed and consented authorization of the owner of the personal data.
- Principle of security:
THE COMPANY will implement all technical, human and administrative measures necessary to protect the personal data processed in its databases, avoiding their use, adulteration and loss, and unauthorized or unwanted consultations.
- Principle of confidentiality:
The treatment given to personal data from THE COMPANY’s databases shall be carried out with strict confidentiality and discretion, according to the purposes described in this policy.
- For more information on these principles, Law 1581 of 2012 and Decree 1377 of 2013 may be consulted. As well as other regulatory provisions that modify, clarify, supplement or derogate them.
- Principle of truthfulness or quality:
The information subject to processing by THE COMPANY shall be truthful, complete, updated, verifiable and understandable.
- Principle of transparency
THE COMPANY guarantees that the owner of the personal data can obtain information about their data at any time and without restrictions according to the procedures described in this policy.
- Principle of restricted access and circulation:
THE COMPANY guarantees that the processing of personal data given to the databases for which it is responsible is carried out by people authorized by the owner and / or other individuals permitted by law.
3. Treatment to which the data will be subjected and its purpose
The treatment of the personal data of the person with whom THE COMPANY has established or establishes a permanent or occasional relationship will be carried out within the legal framework that regulates this matter. In any case, the personal data may be collected and processed for the following purposes:
- To develop the corporate purpose of THE COMPANY in accordance with its legal bylaws.
- To Comply with the applicable tax and commercial regulations.
- Use of information, audiovisual, computer and technical means to carry out advertising or marketing activities of THE COMPANY.
- Video surveillance and security activities of THE COMPANY and of the people who access its facilities.
- To Comply with the provisions of the Colombian legal system on labor and social security matters, among others, which are applicable to former employees, current employees and candidates for future employment.
- Comply with the regulations of the health sector and the requirements demanded by the entities that control and monitor the provision of services in regards to social security and health services in Colombia, such as the Ministry of Health, the Superintendence of Health, municipal and departmental health departments, EPS, IPS, among others.
- Conduct surveys related to the services or goods of THE COMPANY.
- To send commercial information from THE COMPANY.
- To develop programs in accordance with its bylaws.
- Fulfill all contractual, legal and regulatory commitments of THE COMPANY.
4. Treatment of sensitive data
Biometric data related to the health and identification of individuals are considered to be of a sensitive nature and, therefore, are protected more rigorously by the individuals who have access to them in their capacity as persons IN CHARGE of handling the information.
The treatment of sensitive personal data will be exclusively for use in relation to the prevention of the spread of contagious diseases, such as covid-19; health controls and cooperation with state entities and provisions, in cases such as submission of indicators to control entities, population health analysis and risk analysis in the examinations performed. At no time, without prior authorization, would such sensitive data be used for marketing, sales of databases and/or other purposes unrelated to those expressed in this policy.
5. Rights of the owner of the information
In accordance with the provisions of the current applicable regulations on data protection, the holders of personal data have the right to:
- Access, know, update and rectify their personal data with THE COMPANY as the entity entitled as data controller. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or those whose treatment is expressly prohibited or has not been authorized.
- Request proof of the authorization granted to THE COMPANY for the processing of data, by any valid means, except in cases where authorization is not required.
- Be informed by THE COMPANY, upon request, of the use it has given to your personal data.
- To file complaints before the Superintendence of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and other rules that modify, add or complement it, after a consultation or request to THE COMPANY.
- To revoke the authorization and/or request the suppression of the data.
- Have free access to their personal data that have been subject to processing at least once every calendar month, and whenever there are substantial changes to this policy that may encourage new consultations.
These rights may be exercised by:
- The holder, who must sufficiently prove his identity by the various means made available by THE COMPANY.
- The assignees of the holder, who must prove such liability.
- The representative and/or attorney-in-fact of the holder, with prior accreditation of the representation or power of attorney.
- Others in favor, or whom the holder may have given the right to.
6. Data controller and processor of personal data
THE COMPANY shall be held responsible for the processing of personal data. The administrative department shall be responsible for the processing of personal data.
Any communications on this matter shall be made through the e-mail firstname.lastname@example.org
7. Procedure for the attention of consultations, claims, requests for rectification, updating and data suppression
The holders or their assignees may consult the personal information of the holder that is held by THE COMPANY, who will provide all the information contained in the individual record or that is linked to the identification of the holder. Likewise, THE COMPANY provides the mechanism through which the holder may file claims to update, rectify, suppress the data or revoke the authorization in a definite manner.
In any case, regardless of the mechanism implemented for the attention of consultation requests, they shall be attended within a maximum term of ten (10) working days from the date of receipt. When it is not possible to attend the consultation within such term, the interested party shall be informed before the expiration of the 10 days stating the reasons for the delay and indicating the date on which the consultation will be attended, which in no case may exceed five (5) working days following the expiration of the first term.
Inquiries may be sent to the e-mail address email@example.com
8. Information security measures
In accordance with the principle of security established under the current legislation, THE COMPANY shall adapt the necessary technical, human and administrative actions for the security of all record and data collected, avoiding its non-authorized or fraudulent alteration, loss, access or use.
THE COMPANY is committed to the correct use and treatment of the personal data of its customers and users, avoiding unauthorized access to third parties that would allow them to know or violate, modify, disclose and/or destroy the information contained in THE COMPANY’s databases. For this reason, THE COMPANY has security protocols and access to its information, storage and processing systems, including physical measures to control security risks.
Therefore, it must adopt the measures that allow it to comply with the provisions of Law 1581 of 2012, and any other law or regulation that modifies or replaces them. As a consequence of this legal obligation, among others, it shall adopt security measures of logical, administrative and physical type according to the criticality of the personal information to which it has access to ensure that this type of information will not be used, traded, assigned, transferred and/or will not be subjected to any other treatment contrary to the purpose included in the provisions of the object of this contract. Any suspicion of loss, leakage or attack against personal information held in the databases of THE COMPANY will be reported and released once the knowledge of such eventualities are known, and shall be communicated through the most relevant or effective mechanisms, such as publication on the website or networks of THE COMPANY, direct communication to the reported email of the person affected or the means established by it for that purpose, or in any way that guarantees the right to information of the holder. The loss, leakage or attack against personal information also implies the obligation to manage the security incident according to the legal guidelines on the matter.
This policy is effective as of November 14, 2012.
Bryan Zapata Ceballos