PREAMBLE

INFORMACION LOCALIZADA SAS (hereinafter Servinformación), in compliance with the provisions of Article 15 of the Political Constitution of Colombia, Statutory Law 1581 of 2012 and its regulatory and complementary rules, guarantees in an integral manner (legal, technical and organizational) the protection and exercise of the fundamental right of Habeas Data (to know, rectify and update) of all Holders of the personal information for which it is Responsible or In Charge of the Treatment. Likewise, it will guarantee at all times the fundamental rights to privacy and good name of natural persons, which is why it adopts and applies this Manual of Policies and Procedures for the Protection of Personal Data.

At Servinformación we are aware that in many cases breaches of the Law are due to a lack of knowledge and information about the existing norms, rights and procedures recognized in the Colombian legal framework. Therefore, this Manual allows each of the internal and external members or groups that are part of Servinformación, or that have any relationship with us, to know the rights and obligations that Law 1581 of 2012 and the complementary regulations have developed, guaranteed and established for the Holders of personal information.

INTRODUCTION

INFORMACION LOCALIZADA SAS is a company born of the effort and dedication of a group of specialized professionals working in different areas of consulting, the collection of information and the implementation of Geographic Information Systems (GIS). We are leaders in urban georeferencing in Colombia. We provide professional services in different projects related to georeferencing and geographic information systems; in addition, we are technology integrators for several globally recognized vendors of geographic products.

Servinformación has decided to adopt this Manual voluntarily and responsibly. It establishes the conditions of organization, the obligations of those involved in the Treatment and/or use of personal information, the operating regime, and the procedures applicable to the Treatment of personal data that, in the development of the activities of its corporate purpose, it has to request, use, store, correct, assign, delete or otherwise treat.

The above has been resolved, in order to fully comply with the provisions of Article 15 of the Political Constitution of Colombia and Law 1581 of 2012, as well as other regulations that regulate and complement the Treatment for the Protection of Personal Data in Colombia as already indicated above.

For all purposes, Servinformación is Responsible for the Processing of Personal Data and, in compliance with the provisions of Article 13 of Regulatory Decree 1377 of 2013, adopts and publishes to all interested parties this Manual, which contains all the essential, simple and secure elements for compliance with the legislation on the Protection of Personal Data in Colombia. Likewise, this Manual will serve as pedagogical material for all sectors or interest groups that maintain some type of relationship with Servinformación, directly or indirectly, contributing to the correct knowledge of the fundamental right to the Protection of Personal Data, in compliance with and development of the principle of Demonstrated Responsibility or Accountability.

The data administered or processed by Servinformación in compliance with its function and purpose will not require prior, express, informed and unequivocal authorization by the Owner where this personal information is of a public nature or in the cases exempted by Regulatory Decree 1377 of 2013, nor will personal data and databases that are outside the scope of application of Law 1581 of 2012. However, all personal information, including databases that contain historical, statistical or scientific data and others that are excluded, will be subject to the guiding principles provided by Law 1581 of 2012, the Regulatory Decrees and other regulations that complement, add to or repeal them, in terms of the Protection of Personal Data in Colombia.

FOR ALL OF THE ABOVE, SERVINFORMACIÓN DECLARES ITSELF RESPONSIBLE FOR THE PRESENT POLICY AND FOR THE DATA PROTECTION PROCESS THAT, IN THE EXERCISE OF ITS FUNCTIONS AS A COMPANY, IT CARRIES OUT WITH RESPECT TO THE NATURAL PERSONS WHO ARE HOLDERS OF PERSONAL DATA.

INFORMACION LOCALIZADA SAS

Address: Cl 84 24-78

Mail: habeasdata@servinformacion.com

Telephone: 57 (1) 2562030 ext. 103

1. DEFINITIONS

  • Notice of Privacy:

Verbal or written communication generated by the Responsible (Servinformación) and directed to the Owner for the Treatment of their personal data, by means of which the Owner is informed of the existence of the Information Treatment policies that will be applicable, the way to access them, and the purposes of the Treatment intended for the personal data.

  • Authorization:

Prior, express and informed consent of the Holder of personal data to carry out the processing of personal data, or any unequivocal conduct on the part of the Owner.

  • Database:

Organized set of personal data that are subject to Treatment.

  • Personal data:

Any information linked to or associated with one or several determined or determinable natural persons[1]. "Personal data" must therefore be understood as information related to a natural person (a person considered individually).

  • Public information:

Data that is not semi-private, private or sensitive. Public data include, among others, data on the civil status of people, their profession or trade, and their status as a merchant or public servant. By their nature, public data may be contained, among others, in public records, public documents, gazettes and official bulletins, and duly executed judicial sentences that are not subject to reservation. All data contained in public records will also be understood to have this same nature.

  • Semiprivate Data:

Data that is not private, reserved or public in nature, and whose knowledge or disclosure may interest not only its owner but also a certain sector or group of people or society in general, such as financial and credit data on commercial activity or services referred to in Title IV of this law.

  • Private Data:

All personal information whose knowledge is restricted and which is, in principle, private with respect to the general public.

  • Sensitive Data:

Any data that affects the privacy of the Holder or whose improper use can generate discrimination, such as data that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, or membership in trade unions, social or human rights organizations, or organizations that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life and biometric data,[2] among others.

  • In charge of the Treatment:

Servinformación acts as the Person in Charge of the Treatment of personal data in cases where, by itself or in association with others, it performs the processing of personal data on behalf of a Responsible.

  • Responsible for the Treatment:

Servinformación acts as Responsible for the processing of personal data with respect to all personal data on which it decides directly, in compliance with its own functions.

  • Holder:

Natural person whose personal data are subject to Treatment, which may be:

  1. Holder, who must prove his identity sufficiently by the different means made available by the Responsible.
  2. Successor in title, who must prove such quality.
  3. Representative and / or agent of the Holder, after proof of representation or empowerment.
  4. By stipulation in favor of another or for another.
  • Transfer:

The transfer of data takes place when the Responsible and / or Person in Charge of the Treatment of personal data, located in Colombia, sends the information or the personal data to a receiver, who in turn is Responsible for the Treatment and is inside or outside the country.

  • Transmission:

Processing of personal data that implies the communication of the same inside or outside the territory of the Republic of Colombia when it has for its object the realization of a Treatment by the Person in Charge on behalf of the Responsible.

  • Treatment:

Any operation or set of operations that Servinformación performs on personal data, such as collection, processing, advertising, storage, use, circulation or suppression. The foregoing shall apply exclusively to personal data of natural persons.

  • Information Security Officer:

It is the person within Servinformación, whose function is the surveillance and control of the application of the Personal Data Protection Policy, under the guidance and guidelines of the Information Security Committee. The Information Security Committee will designate the Data Protection Officer.

The above definition refers to a role or function that must be performed by an official appointed by the Information Security Committee of Servinformación.

2. PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA

In order to comply with the Personal Data Protection Policy, as well as the obligations provided by Law 1581 of 2012 and the other complementary regulations, the following shall be taken into account.

The handling and processing of personal data, sensitive data and data of minors within Servinformación are framed under the following principles:

2.1. Access and Circulation: the data operated by Servinformación will be covered by the legal, organizational and technical measures that are possible and necessary to restrict access and circulation according to the nature of the data (public, semi-private, private, sensitive or of minors) and according to the authorizations given by the Holder or other persons provided for in the Law.

2.2. Confidentiality: In accordance with the above definition, Servinformación guarantees the confidentiality of the data depending on its nature. Therefore, Servinformación will keep the information reserved during and after the activities that legally justify the processing of personal data.

2.3. Purpose: in all cases the purpose will be legitimate, informed, temporary and material. The purpose corresponds to the functions or activities of Servinformación that allow the full development of its corporate purpose, for which it will request the prior, express and informed authorization of the Holder for the Processing of personal data exclusively when dealing with data other than data of a public nature.

2.4. Legality: The data that Servinformación treats or will treat will serve legitimate purposes and be subject to Law 1581 of 2012 and to the other norms that develop or complement it.

2.5. Freedom: Servinformación guarantees the right to informative self-determination of the Holders that provide personal data and will always take into account their consent to any treatment.

2.6. Security: Servinformación guarantees the definition and implementation of the technical, human and administrative measures necessary to prevent adulteration, loss, and unauthorized or fraudulent consultation, use or access with respect to databases that are under its control.

2.7. Transparency: Servinformación guarantees the owners of personal data, by means of simple and agile mechanisms, the right of access to and knowledge of the personal information that is being treated, in accordance with the provisions of Regulatory Decree 1377 of 2013.

2.8. Truthfulness or Quality: Servinformación will do everything in its power to ensure that the information stored in its databases is truthful, complete, accurate, updated, verifiable and understandable. For the fulfillment of this principle.

3. PROCEDURE FOR THE PROCESSING OF PERSONAL DATA

3.1. Treatment of public data

Servinformación gives notice that it treats personal data of a public nature without prior authorization from the Owner. This does not mean that the necessary measures are not adopted to guarantee compliance with the rest of the principles and obligations contemplated in Law 1581 of 2012 and other regulations that regulate this matter, which become duties for Servinformación.

3.2. Treatment of sensitive data

Servinformación only treats sensitive personal data to the extent strictly necessary, requesting prior, express and informed consent from the Owners (legal representatives, attorneys-in-fact, assignees) and informing them of the exclusive purpose of the Treatment, according to format M-SI-01-R04 Authorization processing of sensitive data.

Servinformación uses and treats data classified as sensitive when:

  1. The Treatment is necessary to safeguard the vital interest of the Holder and he is physically or legally incapacitated. In these events, the owner or legal representatives must grant the authorization for said Treatment.
  2. The Treatment refers to data that are necessary for the recognition, exercise or defense of a right in a judicial process;
  3. The Treatment has a historical, statistical or scientific purpose or takes place within the framework of improvement processes; the latter, provided that measures are adopted to suppress the identity of the Holders or the data is dissociated, that is, the sensitive data is separated from the identity of the Holder so that the Holder of the sensitive data is not identified and cannot be identified.

In addition to the above, Servinformación complies with the following obligations:

  1. Inform the Owner that, because the data is sensitive, he or she is not required to authorize its Treatment.
  2. Inform the Holder explicitly and in advance, in addition to the general requirements of the authorization for the collection of any type of personal data, which of the data subject to Treatment are of a sensitive nature and the purpose of the Treatment, and obtain the Holder's express consent.
  3. Do not condition any activity to the Owner providing sensitive personal data (unless there is a legal or contractual cause to do so).

3.3. Data processing of minors

Servinformación only treats personal data of minors when these are of a public nature or come from the information provided by their parents, guardians, legal representatives, employees or contractors, at the time of their connection, employment or service provision with Servinformación. The foregoing, in accordance with the provisions of Article 7 of Law 1581 of 2012 and, when the Treatment meets the following parameters and requirements:

  1. That responds and respects the best interests of children and adolescents.
  2. That the respect of their fundamental rights be ensured.

Once the above requirements have been met, Servinformación will require the authorization of the legal representative or guardian of the child or adolescent, after the minor has given an opinion regarding the Treatment that will be given to their data; that opinion will be valued taking into account the minor's maturity, autonomy and ability to understand the matter, as indicated by the Law, and in accordance with format M-SI-01-R03 Authorization of data processing of minors.

Servinformación and any person, public or private, natural or legal, involved in the processing of personal data of children and adolescents, will ensure the proper use of them. In compliance with the foregoing, the principles and obligations established in Law 1581 of 2012 and Decree 1377 of 2013 and the other regulations that regulate this matter, as well as the Political Constitution of Colombia, are applied and developed.

4. CLASSIFICATION OF DATABASES

Servinformación has classified its Databases in the following way.

As Responsible for the Treatment:

  1. Human Resources

It is the manual and automated database that contains data collected in the selection processes of applicants; the staff listing; results of occupational entrance and retirement exams; contact data of internal personnel; resumes; and results of aptitude tests of the applicants. The data included in this database are of a semi-private, private and sensitive nature, and include data of minors, such as: identification document, first and last names, address, telephone number, email address, health data, entrance exams and occupational exams, disabilities and medical diagnoses, images, among others, necessary for this procedure, which will be duly authorized.

  2. Legal

It is the manual and automated database that contains general information which allows the elaboration of civil and commercial contracts. The data included in this database are of a public nature.

  3. Financial and Accounting

It is the manual and automated database that contains data collected in the accounting, financial and payroll processes of Servinformación. The data included in this database are of a public nature in terms of the data of suppliers, customers, financial entities, public entities.

On the other hand, this database contains data of a sensitive nature and of minors corresponding to employees, such as names, surnames, identification card, address, number of children, spouse's name, children's name, first name, father card, mother name, mother card, some documents of children.

  4. Commercial and Marketing

It is the manual and automated database that contains data that allow the relationship and contact with prospective clients and clients, the sending of newsletters, invitations to events, and publicity and communication of new products and services of Servinformación. The personal data included in this database are data of a public nature.

  5. Census

It is the manual and automated database that makes it possible to determine and recognize commercial establishments nationwide, including their geographical location and the classification characteristics requested by our clients. The personal data included in this database are public and semi-private data.

  6. Systems

It is the automated database that contains data collected in the processes of maintenance, support, security, backup, contact of technological suppliers, and video surveillance, biometric reader information. The personal data included in this database are sensitive, private and semi-private data.

  7. BackOffice

It is the automated database that guarantees the quality of the information and the location of the clients of our clients.

As In Charge of the Treatment: INFORMACION LOCALIZADA SAS

5. PREROGATIVES AND RIGHTS OF THE HOLDERS

Servinformación recognizes and guarantees the owners of personal data the following fundamental rights:

  • Access, know, update and rectify your personal data before Servinformación, in its capacity as Responsible for the processing of personal data.
  • Request proof of the existence of the authorization granted to Servinformación, except in those cases in which the Law excepts the authorization.
  • Receive information from Servinformación, upon request, regarding the use that has been given to your personal data.
  • Submit complaints for infractions to the provisions of current regulations before the Superintendence of Industry and Commerce (SIC) once the procedural requirement has been exhausted.
  • Modify and revoke the authorization and / or request the deletion of personal data, when the treatment does not respect the principles, rights and constitutional and legal guarantees in force. This right to revoke the authorization is not absolute where there is a legal or contractual obligation that limits it.
  • Know and access, free of charge, your personal data that have been subject to Treatment.

To comply with the above, Servinformación has established the following formats as a mechanism for the processing of personal data:

  • M-SI-01-R05 Authorization data processing providers
  • M-SI-01-R06 Request for rectification or update of personal data
  • M-SI-01-R07 Request for revocation of personal data authorization
  • M-SI-01-R08 Request for deletion of personal data
  • M-SI-01-R09 Request for access to personal data

This document, in the following sections, defines the procedures implemented to guarantee these rights.

6. DUTIES OF SERVINFORMACIÓN IN RELATION TO THE PROCESSING OF PERSONAL DATA

Servinformación is aware that personal data belong to the people to whom they refer and that only they can decide about them. Likewise, Servinformación will make use of said data only in fulfillment of the purposes for which it has been duly and previously authorized by the Owner or by Law and, at all times, it respects the current regulations on the Protection of Personal Data, both national and foreign, the latter when so ordered.

Servinformación as Responsible for the processing of personal data, fulfills the duties and obligations provided in Article 17 of Law 1581 of 2012, and other rules that regulate or modify, namely:

  a) Guarantee the Holder, at all times, the full and effective exercise of the right of habeas data;
  b) Request and keep, in the conditions provided by law 1581 of 2012, a copy of the respective authorization granted by the Holder;
  c) Properly inform the Holder about the purpose of the collection and the rights that assist him by virtue of the authorization granted;
  d) Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access;
  e) Guarantee that the information provided to the Person in Charge of the Treatment is truthful, complete, accurate, up-to-date, verifiable and understandable;
  f) Update the information, communicating in a timely manner to the Person in Charge of Processing, all the news regarding the data previously provided to it and adopt the other necessary measures so that the information provided to it is kept updated;
  g) Rectify the information when it is incorrect and communicate the pertinent to the Person in charge of the Treatment;
  h) Provide the Data Processor, as the case may be, only data whose Treatment is previously authorized in accordance with the provisions of this law;
  i) To demand from the Person in Charge of the Treatment at all times, respect for the security and privacy conditions of the Holder's information;
  j) Process the consultations and claims formulated in the terms indicated in this law;
  k) Adopt an internal Manual of policies and procedures to ensure adequate compliance with this law and, in particular, to attend to inquiries and complaints;
  l) Inform the Person in Charge of the Treatment when certain information is under discussion by the Holder, once the claim has been filed and the respective procedure has not been completed;
  m) Inform at the Holder's request about the use given to their data;
  n) Inform the data protection authority (Superintendence of Industry and Commerce - Delegation of Data Protection -) when there are violations of the security codes and there are risks in the administration of the information of the Owners.
  o) Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

To comply with the above, Servinformación informs about the processing of personal data and its purpose by means of:

  • M-SI-01-R01 Privacy notice
  • M-SI-01-R02 Video Camera Notice

Servinformación, as Person in Charge of the Treatment of personal data, complies with the duties and obligations set forth in article 18 of Law 1581 of 2012, and the norms that regulate or modify it, namely:

  a) Guarantee the Holder, at all times, the full and effective exercise of the right of habeas data;
  b) Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access;
  c) Carry out timely update, rectification or deletion of data in the terms of this law;
  d) Update the information reported by those Responsible for the Treatment within five (5) business days counted from its receipt;
  e) Process inquiries and claims made by the Holders in the terms indicated in this law;
  f) Adopt an internal manual of policies and procedures to ensure adequate compliance with this law and, in particular, to address inquiries and complaints by the Owners;
  g) Record in the database the legend "claim in process" in the manner regulated in this law;
  h) Insert in the database the legend "information under judicial discussion" once notified by the competent authority of judicial proceedings related to the quality of the personal data;
  i) Refrain from circulating information that is being disputed by the Holder and whose blockade has been ordered by the Superintendence of Industry and Commerce;
  j) Allow access to information only to the people who may have access to it;
  k) Inform the Superintendence of Industry and Commerce when there are violations of the security codes and there are risks in the administration of the information of the Owners;
  l) Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

6.1. Duty of secrecy and confidentiality

Servinformación guarantees, and requires of every person who intervenes in any phase of the processing of personal data that is or comes to be carried out, professional secrecy and confidentiality regarding the data and the duty to safeguard them; these obligations will subsist even after their contractual relations with Servinformación have ended.

Failure to comply with the duty of secrecy or confidentiality shall be sanctioned in accordance with the provisions of the Internal Work Regulation of Servinformación and current legislation.

7. INFORMATION PROCESSING POLICIES

7.1 General information about authorization

In the case of data other than those of a public nature, or those defined in numeral 2 of article 3 of Regulatory Decree 1377 of 2013, Servinformación will request prior, express and informed authorization for the processing of personal data by any means that can later be used as proof. Depending on the case, such authorization may be part of a broader document, such as a contract, or a specific document (format, form, etc.).

In the case of personal data corresponding to natural persons, the description of the purpose of the Data Processing will be informed by means of the same or specific document. Servinformación will inform the Data Holder of the following:

  • The Treatment to which your personal data will be submitted and its specific purpose.
  • The time for which your personal data will be processed.
  • The rights that assist you as Owner.
  • Who is the Responsible for the Treatment.
  • The web page, email, physical address and other communication channels through which you can make inquiries and / or claims or exercise your rights of access, rectification, updating, deletion, or revocation of the authorization before the Responsible or Manager of the Treatment.

7.2 Of the right of access

Servinformación guarantees the right of access pursuant to Law 1581 of 2012 and its other complementary regulations, only to the Holders of personal data that correspond to natural persons recognized by the legislation in force, upon prior accreditation of their identity as Holder, making available to the latter, without any cost or expense and in a detailed manner, the respective personal data processed, through any means of communication, including electronic means that allow direct access by the Owner. Said access is subject to the limits established in article 21 of Regulatory Decree 1377 of 2013. (This access is free only once every 30 calendar days)

Format M-SI-01-R09 - Request for access to personal data

7.3 Of the right of consultation

The Owner of personal data may consult the information of a personal nature that rests in any database of Servinformación. Consequently, Servinformación guarantees the right of consultation in accordance with the provisions of Law 1581 of 2012 and other complementary rules on personal data, corresponding to natural persons, providing the Holders of these personal data, the information contained in each of our databases.

Servinformación will establish the authentication measures that make it possible to securely identify the Owner of the personal data who makes the query or request.

With respect to the attention of requests for consultation of personal data, Servinformación guarantees to:

  • Enable electronic or other means of communication that it considers pertinent and safe;
  • Establish forms, systems and other methods that will be informed in the Privacy Notice;
  • Use the customer service or claims services that are in operation.

Independently of the mechanism implemented for the attention of requests for consultation, these will be processed in a maximum term of ten (10) business days counted from the date of receipt. In the event that a request for consultation cannot be answered within the aforementioned term, the interested party will be informed, before the expiration of the term, of the reasons why the query has not been answered, which in no case may exceed five (5) business days following the expiration of the first term.

7.4 Of the right to claim

A Holder of personal data who is a natural person and who considers that the information contained or stored in any of our databases should be corrected, updated or deleted, or who notices an alleged breach of any of the duties and principles contained in the regulations on Protection of Personal Data, may submit a claim to the Responsible or the Person in Charge of the Treatment at Servinformación.

Servinformación has the necessary authentication measures to securely identify the Owner of the personal data who makes the claim.

The claim may be presented by the Holder, taking into account the information indicated in article 15 of Law 1581 of 2012.

If the claim is incomplete, the Personal Information Protection Officer, who must carry out the respective procedure, will require the Holder, before the expiration of the first term (15 days), to complete it within five (5) business days following receipt of the request, correcting faults or errors. After two (2) months from the date of the request, without the applicant submitting the requested information, it will be understood that the claim has been abandoned, and it will be filed by means of a certificate or official notice, which must be notified to the claimant Holder, without prejudice to the Holder being able to make use of his claim right again.

If a claim is received that Servinformación is not competent to resolve, it will, if possible, be transferred to the competent party within a maximum term of two (2) business days, and the interested party will be informed of the situation.

Once Servinformación has received the complete claim, a legend reading "claim in process" and the reason for it will be included in the database within no more than two (2) business days. This legend will remain until the claim is decided. The maximum term to resolve the claim is fifteen (15) business days, counted from the day following the date of receipt. When it is not possible to meet the claim within said term, Servinformación will inform the interested party of the reasons for the delay and the date on which his claim will be handled, which in no case may exceed eight (8) business days following the expiration of the first term.

7.5 Right to rectification and updating of data

Servinformación is obliged to rectify and update at the request of the Owner, the personal information that corresponds to natural persons, which is incomplete or inaccurate, in accordance with the procedure and the terms indicated above. In this regard, Servinformación will take into account the following:

  • In requests for rectification and updating of personal data, the Holder must indicate the corrections to be made and provide the documentation that supports the request.
  • Servinformación has full freedom to enable mechanisms that facilitate the exercise of this right, as long as they benefit the holder of personal data. As a result, electronic or other means that the company considers relevant and safe may be enabled.
  • Servinformación may establish forms, formats, systems and other methods, which will be informed in the Privacy Notice and will be made available to interested parties on the website, at the facilities or at the Servinformación headquarters.

Format M-SI-01-R06 Request for rectification or update of personal data

7.6 Right to deletion of data

The Holder of personal data has the right to request from Servinformación the deletion of their personal data. For this, the following cases will be taken into account:

  • That they are not being treated in accordance with the principles, duties and obligations set forth in the current regulations on Personal Data Protection.
  • That they are no longer necessary or relevant for the purpose for which they were collected.
  • That the period necessary for the fulfillment of the purposes for which they were collected has been exceeded.

This deletion implies the total or partial removal of personal information, in accordance with what is requested by the Holder, from the records, files, databases or treatments performed by Servinformación.

The right of withdrawal is not an absolute right, and Servinformación, as Responsible for the processing of personal data, may deny or limit its exercise when:

  • The owner of the data has the legal or contractual duty to remain in the database.
  • The elimination of data hinders judicial or administrative actions linked to tax obligations, the investigation and prosecution of crimes or the updating of administrative sanctions.
  • The data are necessary to protect the legally protected interests of the Holder; to perform an action based on the public interest, or to comply with an obligation legally acquired by the Holder.

Format M-SI-01-R08 Request for deletion of personal data

7.7 Right to revoke the authorization

Any Holder of personal data corresponding to natural persons can revoke, at any time, the consent to the Treatment of these data, provided this is not prevented by a legal or contractual provision. For this, Servinformación has established simple and free mechanisms that allow the Holder to revoke their consent.

In cases where it is possible to revoke the authorization, it will be addressed under the following two modalities:

  • Total Revocation: covers all of the consented purposes, that is, Servinformación must completely stop processing the data of the Personal Data Holder.
  • Partial Revocation: covers certain consented purposes, such as advertising, market studies or others. In this case, Servinformación must partially suspend the processing of the Holder's data. The other purposes of the Treatment that the Responsible can carry out in accordance with the authorization granted, and with which the Holder agrees, are maintained.

 

The right of revocation is not an absolute right, and Servinformación, as Responsible for the processing of personal data, may deny or limit its exercise when:

  • The owner of the data has the legal or contractual duty to remain in the database.
  • The revocation of the authorization of the Treatment hinders judicial or administrative actions linked to fiscal obligations, the investigation and prosecution of crimes or the updating of administrative sanctions.
  • The data are necessary to protect the legally protected interests of the Holder; to perform an action based on the public interest, or to comply with an obligation legally acquired by the Holder.

Format M-SI-01-R07 Request for revocation of personal data authorization

7.8 Data protection in contracts.

In employment contracts and contracts for the provision of services, Servinformación has included clauses authorizing, in a prior and general manner, the processing of personal data related to the execution of the contract, which includes the authorization to collect, modify or correct, at future times, personal data of the Holder corresponding to natural persons. It has also included authorization so that some of the personal data, where applicable, may be delivered or assigned to third parties with which Servinformación has contracts for the provision of services, for carrying out outsourced or other tasks. These clauses mention this Manual and its location on the Servinformación website, for due consultation.

In contracts for the provision of external services, when the contractor requires personal data, Servinformación will supply said information, provided that there is prior and express authorization from the Holder of the personal data for this transfer. Personal data of a public nature, as defined in paragraph 2 of Article 3 of Regulatory Decree 1377 of 2013, are excluded from this authorization. In these cases, third parties are responsible for data processing, and their contracts include clauses that specify the purposes and treatments authorized by Servinformación and precisely delimit the use that these third parties can give to those data, as well as the obligations and duties established in Law 1581 of 2012, Regulatory Decree 1377 of 2013 and other regulations that regulate or complement this matter, including security measures that guarantee at all times the confidentiality, integrity and availability of the personal information entrusted for its Treatment.

For its part, Servinformación, when receiving data from third parties and acting as Person in Charge of the processing of personal data, must verify that the purpose or purposes of the treatments authorized by the Holder or permitted by legal, contractual or jurisprudential causes are valid and that the content of the purpose is related to the cause for which said personal information is going to be received from the third party, because only in this way will it be entitled to receive and process said personal data. Servinformación is exempt from any illegal treatment of personal data carried out by the Treatment Manager.

Format P-COM-01-R01 REGISTRATION OF SUPPLIERS

7.9 Transfer of personal data to third countries

In cases in which Servinformación, in carrying out any of its functions or activities in the development of its corporate purpose, transfers personal data to third countries, the transfer will be governed by the following conditions:

The transfer of personal data to third countries will only be carried out when there is prior authorization from the Owner and prior authorization of the Delegation of Personal Data of the Superintendence of Industry and Commerce (SIC). These same conditions will be transferred and applied to the Treatment Managers.

An international transfer is considered to be any Treatment that involves a transmission of data outside the Colombian territory, whether a data transfer is made, or if its purpose is to provide a service to the Responsible party outside of Colombia.

Likewise, prior authorization must be obtained from the Delegate for the Protection of Personal Data of the Superintendence of Industry and Commerce (SIC), when it is foreseen to make international transfers of data to countries that do not provide a certain level of protection. This authorization can only be granted if adequate guarantees are obtained, such as contracts based on the standard clauses approved by the Superintendency of Industry and Commerce (SIC), or the Binding Corporate Rules.

The international transfer of data can be made at the request of Servinformación, which must establish the purpose, the groups of interested parties or Holders of the personal information, the data to be transferred and the documentation that incorporates the guarantees required to obtain the authorization, including a description of the specific security measures that are going to be adopted, both by Servinformación and by the person Responsible for or in charge of the data at its place of destination.

Servinformación will not request authorization when the international transfer of data is covered by any of the exceptions provided for in the Law, its Regulatory Decrees or any rule that regulates this matter. Examples of this are: the consent of the affected party to the transfer; the transfer being necessary to establish the contractual relationship between the affected party and the Data Base Manager; and the transfer referring to a monetary transaction.

7.10 Applicable general rules.

Servinformación has established the following general rules for the protection of personal, sensitive and juvenile data, as well as for the care of databases, electronic files and personal information:

  • Servinformación guarantees the authenticity, confidentiality and integrity of the information it has under its responsibility.
  • The Information Security Committee of Servinformación is the body that designs and executes the strategy for compliance with this Manual. Servinformación has adopted all the necessary and possible technical measures to guarantee the protection and control of the existing databases under its control.
  • In cases where the infrastructure depends on a third party, Servinformación will ensure that both the availability of information and the care of personal, sensitive and juvenile data are fundamental objectives.
  • Servinformación will conduct periodic audits and controls to guarantee the correct implementation of Law 1581 of 2012, its decrees and regulatory standards.
  • It is the responsibility of Servinformación officials to immediately report to the Superintendence of Industry and Commerce - Delegation of Personal Data - any incident of information leakage, computer damage, violation of personal data, data commercialization, use of personal data of children, or adolescents, identity theft, security incidents, violation of security codes or any type of behavior that may violate the privacy of a person or may generate any type of discrimination.
  • The training and qualification of officials, suppliers and contractors will be a fundamental duty and a complement to this Manual.
  • The Data Protection Officer must identify and promote the authorization of the Holders, privacy notices, notices on the website, awareness campaigns, claim legends and other procedures to comply with Law 1581 of 2012 and other regulations that complement it.

  8. PROCEDURE FOR THE INFORMATION HOLDERS TO EXERCISE THE RIGHTS TO KNOW, UPDATE, RECTIFY AND DELETE INFORMATION AND REVOKE THE AUTHORIZATION.

 

  • Any query or claim regarding the rights inherent to the Holders with respect to personal data must be made by means of a written communication sent to the Servinformación email address habeasdata@servinformacion.com, attaching a photocopy of the identity document of the interested Holder or any other equivalent document that proves their identity and ownership according to Law.
  • The rights of access, update, rectification, deletion and revocation of the authorization of personal data are strictly personal and may be exercised only by the Holder. However, the Holder may exercise these rights through a legal representative or proxy when the Holder is in a situation of disability or is a minor, which makes it impossible to exercise them personally, in which case the legal representative or attorney-in-fact must accredit such condition.
  • No value or fee will be required for the exercise of the rights of access, updating, rectification, deletion or revocation of the authorization in the case of personal data of natural persons. (The provisions of article 21 of Regulatory Decree 1377 of 2013 will be taken into account)
  • In order to facilitate the exercise of these rights, Servinformación makes available to interested parties, the physical or electronic formats suitable for this purpose.
  • Once the terms indicated by Law 1581 of 2012 and the other rules that regulate or complement it have been fulfilled and exhausted, a Holder who is denied by the company, totally or partially, the exercise of the rights of access, update, rectification, deletion and revocation may inform the National Authority for the Protection of Personal Data (Superintendence of Industry and Commerce - Delegation of Protection of Personal Data -) of the denial or of their disagreement regarding the exercised right.

  9. FUNCTION OF THE PROTECTION OF PERSONAL DATA WITHIN SERVINFORMACIÓN

9.1 The Responsible

The Person Responsible for the processing of personal data at Servinformación is Rocío Domínguez, who will ensure proper compliance with this Manual and the other rules that regulate the proper use of personal data.

The contact information is: habeasdata@servinformacion.com

9.2 The Managers

The person in charge of the processing of personal data is any natural or legal person, public or private, who performs the processing of personal data on behalf of the Person in Charge of the Treatment at Servinformación. This means that for each Data Treatment the respective Managers have been defined, and that they act on the precise instruction of the Person in Charge at Servinformación; this information will be delivered to the Holder.

9.2.1 Duties of the Managers.

Servinformación distinguishes between Internal Managers and External Managers. The internal managers are employees of Servinformación, while the external ones are natural or legal persons that process data that Servinformación provides them for the performance of an assigned task (agreements, suppliers, consultants, outsourcing companies, etc.).

The groups of Managers that Servinformación designates to carry out specific data treatments are:

From the Financial and Accounting area - Financial Manager

From the Human Resources area - Human Management Manager

From the Commercial and Marketing area - Commercial Manager

From the Legal Area - Legal Advisor

From the Census area - Census Manager

From the Systems area - IT Coordinator

  10. THE NATIONAL REGISTER OF DATABASES -RNBD-

In accordance with Art. 25 of Law 1581, its decrees, circulars and regulatory and complementary rules, the Holder or any interested party may find registered in the National Registry of Databases (RNBD), established by the Superintendence of Industry and Commerce (SIC), on its web page https://rnbd.sic.gov.co/sisi/consultaTitulares/consultas/, all databases with personal information processed by Servinformación, as well as this Manual of Policies and Procedures.

  11. VALIDITY

This Manual applies as of the first (01) of December 2016.

Manual Updates: Servinformación may modify the terms and conditions of this policy as part of our effort to comply with the obligations established by Law 1581 of 2012, the regulatory decrees and other regulations that complement, modify or repeal this policy, in order to reflect any change in our operations or functions. When this happens, the new policy will be published in:

In the RNBD

  12. CONTACT INFORMATION

If you have any questions about this policy, please contact Servinformación or send your inquiry directly through any of the following communication channels:

LOCALIZED INFORMATION SAS - QUALITY AREA

ADDRESS CL 84 No24-78

EMAIL:  habeasdata@servinformacion.com  

TELEPHONE: 57 (1) 2562030

  13. REFERENCE TO OTHER DOCUMENTS

This manual for the protection of personal data has been prepared in accordance with the following standards and documents:

Political Constitution of Colombia.

Law 1266 of 2008.

Law 1581 of 2012.

Decree 1377 of 2013.

Decree 886 of 2014.

Law 1273 of 2009.

Circular 002 of 2015 of the SIC.

Security Document

Notice of Privacy.

Servinformación Internal Work Regulation.

  14. CHANGE HISTORY

Date        Revision  Description
1/12/2016   00        Issue of the document.
1/12/2017   01        Adding formats for control

[1] Law 1581 of 2012, Article 3, literal c). Available at: http://www.secretariasenado.gov.co/senado/basedoc/ley/2012/ley_1581_2012.html. Last accessed: August 29, 2013.

[2] Article 5, Law 1581/12. Available at: http://www.secretariasenado.gov.co/senado/basedoc/ley/2012/ley_1581_2012.html. Last accessed: August 29, 2013.