COLOMBIAN VISAS DATA PROCESSING POLICY
1. INTRODUCTION.
COLOMBIAN VISAS, committed to the privacy and security of the personal data of its holders, is aware of its responsibility in the proper handling of this information. For this reason, it has designed and implemented a Data Processing Policy that establishes the necessary guidelines to ensure the protection of personal data subject to processing. This policy is mandatory for all third parties who process personal data registered in the company’s databases, and its compliance is essential to ensure trust and transparency in our operations.
As the Data Controller, COLOMBIAN VISAS is obligated to provide the necessary guarantees so that individuals, fully exercising their rights, can know, update, rectify, and monitor all information we hold about them in our databases.
To this end, COLOMBIAN VISAS has created this PERSONAL DATA PROCESSING POLICY, whose application is mandatory for all natural or legal persons who process personal data registered in the Company’s databases, in order to provide the necessary guidelines for compliance with legal obligations regarding personal data protection.
COLOMBIAN VISAS wishes to inform all interested parties that the personal data obtained through the operations requested or entered into with the Company will be processed in accordance with the principles and duties defined in Law 1581 of 2012 and other applicable regulations. For all pertinent purposes, the address of COLOMBIAN VISAS will be CR 43a 10 47- OF 108 Medellín (Antioquia), phone: 3008158413, email: info@colombianvisasconsulting.com, and website: https://www.colombianvisasconsulting.com/
2. OBJECTIVE.
To properly inform interested parties and establish policies and procedures for the Processing of Personal Data of data subjects to ensure compliance with the law, particularly with respect to the exercise of the rights of the data subjects and the criteria for the collection, storage, use, circulation, and deletion of personal data processed by COLOMBIAN VISAS.
SCOPE.
This policy applies to all personal information registered in the databases and processed by COLOMBIAN VISAS, which acts as the responsible party.
This policy is directed at any data subject or their legal representative so they can understand the necessary information regarding the mechanisms for data processing.
Exercising their rights, the purposes of data processing, security measures, and other aspects related to the protection of personal information.
Compliance with this policy is mandatory for all natural or legal persons who process personal data registered in the company’s databases, especially for those employees or contractors who receive, attend to, and respond directly or indirectly to the requests, inquiries, or complaints from the data subjects.
3. DEFINITIONS.
Authorization: Prior, express, and informed consent from the data subject to carry out the processing of personal data.
Privacy Notice: One of the verbal or written communication options provided by law to inform data subjects about the existence of and ways to access the data processing policies and the purpose of data collection and use.
Database: An organized set of personal data that is subject to processing.
Personal Data: Any information related to or that can be associated with a specific person, such as their name or identification number, or that can make them identifiable, such as their physical characteristics.
Private Data: Data that, due to its intimate or confidential nature, is only relevant to the data subject. For example, a person’s tastes or preferences are considered private data.
Public Data: Public data is considered information about a person’s civil status, profession or trade, and their status as a merchant or public servant, among others. Due to its nature, public data may be found in public records, public documents, official gazettes, bulletins, and final court rulings that are not subject to confidentiality.
Semiprivate Data: Data that is neither intimate, confidential, nor public, and whose knowledge or disclosure may be of interest to the data subject and a particular sector or society in general. Examples of these include financial and credit data related to business or service activity.
Sensitive Data: Data that affects the privacy of the data subject or could lead to discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, union membership, social or human rights organizations, as well as data related to health, sexual life, and biometric data, among others.
Data Processor: A natural or legal person, whether public or private, who alone or in collaboration with others, carries out the processing of personal data on behalf of the data controller.
Data Controller: A natural or legal person, whether public or private, who alone or in collaboration with others, decides on the database and/or the processing of data.
RNBD: It stands for the abbreviation of the National Register of Databases, which is the public directory of the databases of those obligated to process data operating in the country.
Data Subject: A natural person whose personal data is being processed.
Transfer: It refers to the operation carried out by the data controller or processor when sending the information to another recipient, who, in turn, becomes responsible for processing those data.
Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.
4. GUIDING PRINCIPLES
This Policy is governed by and applies the principles that regulate the Processing of Personal Data, as follows:
Principle of legality in data processing: Processing is a regulated activity that must comply with the provisions of Law 1581 of 2012 and any other applicable regulations.
Principle of purpose: Processing must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Data Subject.
Principle of freedom: Processing can only be carried out with the prior, express, and informed consent of the Data Subject. Personal data cannot be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that waives the need for consent.
Principle of veracity or quality: Information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. The processing of partial, incomplete, fragmented data, or data that may cause confusion is prohibited.
Principle of transparency: Processing must guarantee the Data Subject's right to obtain, at any time and without restriction, information from the Data Controller or Data Processor regarding the existence of data related to them.
Principle of restricted access and circulation: Processing is subject to the limits derived from the nature of the personal data, the provisions of Law 1581 of 2012, and the Constitution. In this regard, processing may only be carried out by individuals authorized by the Data Subject and/or by persons specified by law. Personal data, except for public information, cannot be available on the internet or other mass media unless access is technically controlled to provide restricted knowledge only to the Data Subjects or authorized third parties.
Principle of security: The information subject to processing by the Data Controller or Processor, as required by law, must be handled with the necessary technical, human, and administrative measures to ensure the security of the records, preventing alteration, loss, consultation, unauthorized use, or fraudulent access.
Principle of confidentiality: All persons involved in the processing of personal data that are not public in nature are required to guarantee the confidentiality of the information, even after their relationship with any of the tasks related to the processing has ended. Personal data may only be supplied or communicated when required.
correspond to the development of activities authorized by law and in the terms of the same.
COLOMBIAN VISAS is committed to processing the personal data of the data subjects as defined in literal g) of Article 3 of Law 1581 of 2012, in an absolutely confidential manner, using them exclusively for the specified purposes, as long as the data subject has not opposed such processing. For this, the company has implemented the necessary technical and organizational security measures to ensure the security of personal data and to prevent alteration, loss, processing, and/or unauthorized access.
Principle of temporality: Personal data will be kept only for the reasonable and necessary time to fulfill the purposes that justified the processing, considering the applicable provisions related to the subject matter and the administrative, accounting, fiscal, legal, and historical aspects of the information. Data will be retained when necessary to fulfill a legal or contractual obligation. Once the purpose of the processing has been fulfilled and the previously established terms have expired, the data will be deleted.
Principle of necessity: The personal data processed must be strictly necessary for the fulfillment of the purposes pursued with the database.
5. RESPONSIBLE FOR PROCESSING
COLOMBIAN VISAS, a legally constituted commercial company, identified with NIT 1.152.226.169-1, with its main address at CR 43 A 10 47 OF 108 Medellín, website www.colombianvisasconsulting.com, email info@colombianvisasconsulting.com, phone 3008158413 in the Department of Antioquia.
6. SPECIAL CATEGORIES OF DATA.
7.1. SENSITIVE DATA
Sensitive data will be processed in accordance with the law. Sensitive data refers to information related to the intimacy of the data subject, such as racial or ethnic origin, religious or philosophical beliefs, membership in social organizations or human rights groups, political party affiliations, and health, sexual life, and biometric data such as fingerprints, photographs, videos, and other data that may be considered sensitive under the law. COLOMBIAN VISAS will take the necessary measures to protect the security and confidentiality of this information, and data subjects will not be required to authorize such processing.
7.2. ACCESS CONTROL
Areas where processes related to confidential or restricted information are carried out must have access controls that only allow entry to authorized employees and that allow for the tracking of access and exits.
7.3. VIDEO SURVEILLANCE
COLOMBIAN VISAS uses surveillance cameras installed in its offices, with the purpose of complying with physical security policies for people, property, and facilities.
complying with the parameters established in the Guide for the Protection of Personal Data in Video Surveillance Systems, issued by the SIC as the supervisory authority.
"The images should be retained for a maximum period of 15 days. If the respective image becomes the subject or support of a complaint, grievance, or any judicial process, and is requested within 15 days of being captured by the competent authority, it will be retained until the matter is resolved."
7.4. PROCESSING OF PERSONAL DATA OF CHILDREN, GIRLS, AND/OR ADOLESCENTS (UNDER 18 YEARS OLD)
The processing of personal data of children, girls, and/or adolescents (under 18 years old)
that is collected under employment contracts is done in response to the best interest of the children, girls, and adolescents, ensuring their prevailing rights and meeting the following requirements:
a. It must respond to and respect the best interest of children, girls, and adolescents.
b. It must ensure respect for their fundamental rights.
c. The opinion of the minor should be considered when they have the maturity, autonomy, and capacity to understand the matter.
Once the above requirements are met, the legal representative of the child, girl, or adolescent may grant authorization for the processing in favor of COLOMBIAN VISAS, after exercising the minor’s right to be heard, and their opinion should be taken into account, considering the minor’s maturity, autonomy, and capacity to understand the matter.
7. PROCESSING AND PURPOSES
8.1. PROCESSING OF PERSONAL DATA
COLOMBIAN VISAS, as the responsible party for personal data, will process data that includes collection, storage, use, circulation, and deletion.
8.1.1. COLLECTION
COLOMBIAN VISAS collects personal information through various means in the development of different activities related to its corporate purpose and its obligations as an employer. Personal information is obtained in three different ways:
a) directly from the data subject,
b) from a third party, provided they have authorization,
c) from public sources of information.
Additionally, personal data collection may be carried out through physical, digital, or electronic means, and each of these will include a privacy notice and authorization, thus complying with the requirements established in Article 2.2.2.25.3.2 and 2.2.2.25.3.3 of Decree 1074 and adhering to the principles of freedom and purpose as outlined in Article 4 of Law 1581.
8.1.2. Storage
The storage of personal information contained in databases or information systems is done within the company's own corporate emails within the country and on external third-party servers, which have physical, technical, and administrative security measures in place, as well as access controls to the information, ensuring the principle of restricted access and circulation.
Personal information that is subject to legal requirements will remain stored in our databases in accordance with what the law has established. In cases where the law has not made any pronouncement, the information will remain stored as long as the purpose for which it was collected remains valid.
8.1.3. Circulation
As a general rule, COLOMBIAN VISAS does not share the personal data it collects with third parties. However, to effectively fulfill its obligations, it may provide the data to other entities, in accordance with Articles 2.2.2.25.5.1 and 2.2.2.25.5.2 of Decree 1074, which establishes that the transmission of personal data is permitted when necessary for the execution of a contract between the data subject and the data controller, or for the execution of pre-contractual measures, provided that there is authorization from the data subject or a personal data transmission contract exists.
8.1.4. Deletion
The deletion of personal information that has been collected will occur when:
(I) It is no longer necessary for the fulfillment of legal, contractual, tax, financial, auditing aspects, or is covered by legal provisions or requirements;
(II) It does not affect or result in the loss of traceability or integrity of the databases or information systems where the information is stored;
(III) The purpose for which it was collected has been fulfilled or eliminated
(IV) It is requested by the data subject or by someone who proves they are authorized, provided it does not conflict with the previous definitions. However, some information may be retained solely for statistical or auditing purposes.
8.2. PURPOSES OF DATA PROCESSING
The processing of data will be carried out exclusively for the purposes authorized and mentioned below:
Clients, Suppliers, and Strategic Partners
(1) To carry out administrative, economic, accounting, and fiscal management.
(2) Internal statistics management.
(3) Billing, collections, and payments management.
(4) Client and/or supplier management.
(5) Managing relationships, rights, and obligations with the data subjects.
(6) Managing and maintaining a historical, scientific, or statistical record of commercial relationships, market studies.
(7) Generating models and data for decision-making.
(8) Manage security in all its aspects,
(9) Verification of information in databases, offering of products and services,
(10) Sending communications and general contact through registered means,
(11) Own marketing and advertising,
(12) Commercial prospecting,
(13) Credit studies,
(14) Data transmission with the company's business partners to develop the purposes outlined here,
(15) Verify compliance with legal or regulatory requirements,
(16) Verify data or references provided with third parties or entities,
(17) Verify legal, technical, and/or financial requirements,
(18) Formalize adjustments or payment agreements,
(19) Apply sanctions related to non-compliance of any kind,
(20) Carry out data update campaigns and information on changes in personal data processing,
(21) Apply sanctions related to non-compliance of any kind,
(22) Register in applications and forms of state entities and organizations as required by law,
(23) Maintain, control, and develop the commercial relationship,
(24) Comply with legal requirements for the prevention of money laundering, terrorism financing, and financing of the proliferation of weapons of mass destruction,
(25) Comply with the rights of citizens,
(26) Comply with the legal requirements associated with contract formalization,
(27) Comply with the provisions of Colombian law regarding occupational safety and health,
(28) Fulfill the obligations derived from this document and ensure its proper execution,
(29) Carry out the necessary actions for the development of the company's corporate purpose in relation to the information holder,
(30) Any other purpose arising from the development of this document or the commercial relationship between the parties,
(31) Perform a query of the company and all administrators in restrictive, binding, and control lists, such as the police, attorney general's office, criminal courts, etc.,
Employees
(1) Internal statistics management
(2) Payroll management
(3) Personnel management, occupational risk prevention, employment promotion and management,
(4) Management of sanctions, warnings, reprimands, exclusions,
(5) Internal statistics management
(6) Administrative management
(7) Management of collections and payments
(8) Economic and accounting management
(9) Fiscal and financial management
(10) Granting and managing permits
(11) Licenses and authorizations,
(12) Historical, scientific, or statistical purposes,
(13) Staff training,
(14) Judicial procedures,
(15) Data and reference verification,
(16) Sending communications and contact through registered means (physical address, email, cellphone number, WhatsApp, and social media),
(17) Publications,
(18) Social benefits,
(19) Time management control,
(20) Historical, scientific, or statistical purposes,
(21) Private investigations of individuals,
(22) Epidemiological research and similar activities,
(23) Social benefits,
(24) Occupational risk prevention,
(25) Employment promotion and management,
(26) Staff promotion and selection,
(27) Promotion and prevention programs,
(28) Judicial procedures,
(29) Road safety,
(30) Staff promotion and selection, transmission and/or transfer of data nationally and internationally with business partners, subsidiaries, parent company, affiliates, and service providers of COLOMBIAN VISAS,
(31) Transmission and/or transfer of my data to third-party entities whose corporate purpose is to provide health services, pension and severance funds, ARL, electronic payroll services, family compensation funds, insurance companies, employee funds, the banking sector, with the specific purpose of making payments for social security, salaries and/or fees, and purchasing airline tickets, in any case, general administrative management,
(32) Requirement by a control entity - Non-sensitive data
8.RIGHTS OF THE DATA SUBJECTS
As the holder of your personal data, you have the right to:
a. Access your provided data free of charge that has been processed.
b. Know, update, and rectify your information in case of partial, inaccurate, incomplete, fragmented, misleading data, or data whose processing is prohibited or unauthorized.
c. Request proof of the authorization granted.
d. File complaints with the Superintendence of Industry and Commerce (SIC) for violations of the current regulations.
e. Revoke the authorization and/or request the deletion of the data, as long as there is no legal or contractual obligation that prevents their elimination.
f. Refrain from answering questions about sensitive data.
g. The responses concerning sensitive data or data of children and adolescents will be optional.
9. AUTHORIZATION FOR DATA PROCESSING
COLOMBIAN VISAS requests, in a free, prior, express, and duly informed manner, the authorization from the data subjects, and to do so, it establishes suitable mechanisms to ensure that the granting of such authorization can be verified in each case. This authorization may be in any medium, whether physical, digital, electronic, or any format that ensures its subsequent consultation through technical tools, complying with the requirements established by law.
The authorization for the processing of personal data will not be necessary when:
a. The databases or files are exclusively personal or domestic.
b. When these databases or files are going to be provided to third parties, the data subject must be informed in advance and their authorization must be requested. In this case, the data controllers and processors of the databases and files will be subject to the provisions of this law.
c. Databases and files that aim for national security and defense, as well as the prevention, detection, monitoring, and control of money laundering and terrorism financing.
d. Databases that aim for and contain intelligence and counterintelligence information.
e. Databases and files related to journalistic information and other editorial content.
f. Databases and files regulated by Law 1266 of 2008.
g. Databases and files regulated by Law 79 of 1993.
10. DUTIES OF THE RESPONSIBLE PARTIES AND DATA PROCESSORS
9.1 DUTIES OF THE DATA CONTROLLER
COLOMBIAN VISAS, acting as the data controller for personal information, must comply with the following duties, without prejudice to other provisions established by law and any regulations governing its activities:
a. Guarantee to the data subject, at all times, the full and effective exercise of the right to habeas data;
b. Request and retain, under the conditions set by law, a copy of the respective authorization granted by the data subject;
c. Properly inform the data subject about the purpose of the data collection and the rights they have as a result of the authorization granted;
c. Keep the information under the necessary security conditions to prevent its alteration, loss, consultation, unauthorized use, or fraudulent access;
d. Ensure that the information provided to the Data Processor is truthful, complete, accurate, updated, verifiable, and understandable;
e. Update the information, notifying the Data Processor in a timely manner about any changes to the data previously provided and take the necessary measures to keep the information up to date;
f. Rectify the information when it is incorrect and communicate the necessary corrections to the Data Processor;
g. Provide the Data Processor, as the case may be, only with data whose processing has been previously authorized in accordance with what is stipulated by law;
h. Require the Data Processor, at all times, to respect the conditions of security and privacy of the data subject's information;
i. Handle inquiries and complaints as specified by law;
j. Adopt an internal manual of policies and procedures to ensure proper compliance with the law and, in particular, to address inquiries and complaints;
k. Inform the Data Processor when certain information is in dispute by the data subject, once a complaint has been filed and the process has not been concluded;
l. Inform, upon the data subject's request, about the use given to their data;
m. Inform the data protection authority when violations of security codes occur and when there are risks in managing the data subject's information.
n. Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
9.2 DUTIES OF THE DATA PROCESSORS
The Data Processors, and when COLOMBIAN VISAS acts as the processor, must comply with the following duties, without prejudice to other provisions established by this law and any other regulations governing their activity:
a. Guarantee the data subject, at all times, the full and effective exercise of the right to habeas data;
b. Keep the information under the necessary security conditions to prevent its alteration, loss, consultation, unauthorized use, or fraudulent access;
c. Timely update, rectify, or delete the data in accordance with the law;
d. Update the information reported by the Data Controllers within five (5) business days from receipt;
e. Handle inquiries and complaints submitted by the data subjects in accordance with the provisions of this law;
f. Adopt an internal manual of policies and procedures to ensure proper compliance with the law, especially for addressing inquiries and complaints from data subjects;
g. Record in the database the legend "claim in process" as regulated by law;
h. Insert the legend "information in judicial dispute" in the database once notified by the competent authority about legal proceedings related to the quality of personal data.
i. Refrain from circulating information that is being contested by the data subject and whose blocking has been ordered by the Superintendence of Industry and Commerce.
j. Allow access to the information only to those persons who are authorized to access it.
k. Inform the Superintendence of Industry and Commerce when violations of security codes occur and when there are risks in the management of the data subject's information.
l. Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
m. Verify that the data controller has the authorization to process the data subject’s personal data.
11. TRANSFER AND TRANSMISSION OF PERSONAL DATA
When COLOMBIAN VISAS needs to transfer or transmit personal data to third parties with whom it has a contractual relationship for the full development of its corporate purpose, necessary measures will be taken to comply with this policy. These measures should include establishing contractual clauses or signing a personal data transmission agreement in which, among other things, the following is agreed upon:
a. Scope of the personal data processing.
b. Process personal data on behalf of the Data Controller according to the guiding principles.
c. Activities the processor will carry out on behalf of the controller for the processing of personal data.
d. The obligations of the processor toward the data subject and the Data Controller.
e. Confidentiality regarding the processing of personal data.
f. Security of the databases containing personal data.
Regarding the transfer or transmission of personal data to third parties located in countries that do not provide adequate levels of data protection: it is understood that countries offering an adequate level of data protection must meet the standards set by the Superintendence of Industry and Commerce, which in no case can be inferior to the requirements established by law for its recipients.
12. PROCEDURE FOR THE EXERCISE OF THE RIGHT OF HABEAS DATA
The Personal Data Protection Officer is responsible for processing the data subjects' requests to exercise their rights.
In compliance with personal data protection regulations, COLOMBIAN VISAS presents the procedure and minimum requirements for exercising your rights.
To submit and address your request, we ask that you provide the following information:
• Full name and surname.
• Contact details (physical address and/or email address and contact phone numbers).
• Methods to receive a response to your request.
• Reason(s)/fact(s) giving rise to the claim with a brief description of the right the data subject wishes to exercise (to know, update, rectify, request proof of the authorization granted, revoke it, delete, access the information).
• Signature (if applicable) and identification number.
The maximum term established by law to resolve your claim is fifteen (20) business days, starting from the day following its receipt. When it is not possible to address the claim within this term, COLOMBIAN VISAS will inform the interested party of the reasons for the delay and the date by which their claim will be addressed, which in no case may exceed eight (8) business days after the expiration of the first term.
Once the terms established by Law 1581 of 2012 and other regulations that regulate or complement it have been fulfilled, the data subject who is denied, in whole or in part, the exercise of rights of access, updating, rectification, deletion, and revocation, may bring their case to the attention of the Superintendence of Industry and Commerce – Delegate for the Protection of Personal Data.
FOR IMAGE AND VIDEO REQUESTS
In the event that the data subject requests access to images and/or videos in which their information is captured, they must follow the following procedure:
a. Indicate the facts of the request, specifying date, time, location, and any other information that helps locate the image or video fragment.
b. Justify the need for the request.
c. Provide the documents that justify that the data subject is the person authorized to make the request. If the interested party is a third party, they must provide the authorization document for the data subject to access that information.
11.1. CHANNELS FOR REQUESTS, COMPLAINTS, CLAIMS, SUGGESTIONS, AND INQUIRIES
The data subject or their legal representative may exercise their right to know, update, rectify, delete, and revoke the information contained in the database through the following channels:
Attention Channel
Website: www.colombianvisasconsulting.com
Email: info@colombianvisasconsulting.com
Document submission point: CR 43 A 10 47 OF 108
COMPLIANCE WITH THE POLICY
At COLOMBIAN VISAS, compliance with this personal data protection policy is mandatory for all persons associated with the company. The omission of this policy is considered a serious offense, which may result in penalties in accordance with the Internal Work Regulations and other sanctions established by law.
13. VALIDITY AND APPROVAL.
The validity of personal data records in our databases will be limited to the time necessary to fulfill the purposes established in this policy. Once these purposes have been fulfilled and as long as there is no legal or contractual obligation to retain your information, your data will be deleted from our databases.
It is important to note that this policy takes precedence over any other policy, agreement, or convention issued previously by COLOMBIAN VISAS.