Personal Data Processing Policy
Article 15 of the Constitution of the Republic of Colombia establishes the right of any person to know, update, and rectify their personal data held in databases or files by public or private entities. It also requires those handling personal data of third parties to respect the rights and guarantees provided by the Constitution when collecting, processing, and disseminating such information.
A. Definitions
Authorization:
The prior, explicit, and informed consent of the data subject for data processing. This consent can be given in writing, verbally, or through unequivocal actions that reasonably indicate the data subject has granted authorization.
Database:
A structured set of personal data subject to processing, whether electronic or not, regardless of its formation, storage, organization, and access method.
Query:
A request by the data subject or individuals authorized by law to access the information stored about them in databases or files.
Personal Data:
Any information linked to or that can be associated with one or more identifiable individuals. These data are classified as sensitive, public, private, or semi-private.
Sensitive Personal Data:
Information that affects an individual’s privacy or whose misuse could lead to discrimination. This includes data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, union membership, social or human rights organization affiliations, political party membership, and data about health, sexual life, or biometric data (e.g., fingerprints).
Public Personal Data:
Data classified as public by law or the Constitution. These include information in public documents, public registries, official bulletins, or judicial rulings not subject to confidentiality. Public data can also include civil status, profession, occupation, and public official roles.
Private Personal Data:
Data that, due to its intimate or reserved nature, is only relevant to the data subject. Examples include business books, private documents, or information obtained through home inspections.
Semi-Private Personal Data:
Data that is neither intimate, reserved, nor public and whose knowledge or dissemination may interest not only the data subject but also certain sectors, groups, or society in general. Examples include financial compliance information or data related to social security entities.
Data Processor:
The individual or entity that processes data on behalf of the Data Controller.
Claim:
A request by the data subject or authorized individuals to correct, update, or delete personal data or to report an alleged violation of the data protection regime as per Article 15 of Law 1581 of 2012.
Data Subject:
The natural person to whom the information refers.
Processing:
Any operation or set of operations performed on personal data, such as collection, storage, use, circulation, or deletion.
Transmission:
The processing of personal data involving its communication within (national transmission) or outside Colombia (international transmission) for processing by a Processor on behalf of the Controller.
Transfer:
The transmission of personal data by the Data Controller and/or Processor in Colombia to a recipient, who is also responsible for processing and is located within or outside the country.
Requirement of Procedural Exhaustion:
The data subject or successor may file a complaint with the Superintendence of Industry and Commerce only after exhausting the consultation or claim process with the Data Controller or Processor, as outlined in Article 16 of Law 1581 of 2012.
B. Principles for Personal Data Processing
The processing of personal data must comply with general and special regulations in the field and be limited to activities permitted by law. The following principles shall be harmoniously and comprehensively applied in the development, interpretation, and implementation of this policy:
FREEDOM:
Unless otherwise stipulated by law, data collection can only occur with the prior, explicit, and informed consent of the data subject. Personal data cannot be obtained or disclosed without such consent unless authorized by a legal or judicial mandate.
LEGITIMACY:
Only the personal data strictly necessary for achieving the purposes of processing should be collected. The registration and dissemination of data unrelated to the processing’s objectives are prohibited. Data must be:
(i) adequate, (ii) relevant, and (iii) consistent with the purposes for which they were collected.
PURPOSE:
Processing must serve a legitimate purpose as per the Constitution and the Law, which must be communicated to the data subject. The data subject must be clearly and sufficiently informed in advance of the purpose for which their data is collected, and data cannot be collected without a specific purpose.
TEMPORALITY:
Personal data shall only be retained for a reasonable and necessary period to fulfill the processing purpose and comply with legal requirements or instructions from oversight and control authorities or other competent entities. Data shall be retained when required to meet legal or contractual obligations. The processing term will take into account applicable laws as well as the administrative, accounting, tax, legal, and historical aspects of the information.