Data Policy

  • General principles and postulates. 

 

USAENE (hereinafter THE COMPANY) guarantees the protection of the fundamental and constitutional rights of all persons, especially Habeas Data, privacy, intimacy, good name and image. For that purpose, all actions will be governed by the principles of good faith, legality, computer self-determination, freedom and transparency.

 

Whoever, in the exercise of any activity, including training, consulting, cultural, academic, commercial and labor activities, whether permanent or occasional, supplies any type of information or personal data to THE COMPANY and in which THE COMPANY acts as data processor or data controller, may know, update and rectify it. 


  • Legal framework. 

 

Political Constitution, Article 15; Law 1266 of 2008; Law 1581 of 2012; Regulatory Decrees 1727 of 2009 and 2952 of 2010, and partial Regulatory Decree No. 1377 of 2013; Constitutional Court Rulings C-1011 of 2008 and C-748 of 2011.


  • Definitions. 

 

In accordance with the legislation in force on the matter, the following definitions are established. They will be applied and implemented taking into account the interpretation criteria that guarantee a systematic and integral application, in accordance with technological advances, technological neutrality, and the other principles and postulates that govern the fundamental rights that surround and orbit the right of Habeas Data and the protection of personal data.

 

Authorization: Prior, express and informed consent of the holder to carry out the Processing of personal data.

 

Database: Organized set of personal data that is the object of Processing.

 

Personal data: Any information linked or that can be associated to one or several determined or determinable natural persons.

 

Data processor: Natural or legal person, public or private, who by himself or in association with others, carries out the processing of personal data on behalf of the data controller.

 

Data controller: Natural or legal person, public or private, who alone or in association with others, decides on the database and/or the processing of data.

 

Data subject: Natural person whose personal data is the subject of processing.

 

Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.

 

  1. Specific principles 

 

THE COMPANY will apply the following specific principles set forth below, which constitute the rules to be followed in the collection, handling, use, processing, storage and exchange of personal data: 

 

  1. a) Principle of legality: In the use, capture, collection and processing of personal data, the current and applicable provisions governing the processing of personal data and other related fundamental rights recognized by the Republic of Colombia shall be applied.

 

  1. b) Principle of freedom: The use, capture, collection and processing of personal data can only be carried out with the prior, express and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of legal, statutory or judicial mandate that relieves consent.

 

  1. c) Principle of purpose: The use, capture, collection and processing of personal data to which it has access and are collected and gathered by THE COMPANY, will be subordinated and will serve a legitimate purpose, which must be informed to the respective holder of the personal data.

 

  1. d) Principle of veracity or quality: The information subject to use, capture, collection and processing of personal data must be truthful, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fractioned or misleading data is prohibited.

 

  1. e) Principle of transparency: In the use, capture, collection and processing of personal data, the right of the Data Subject to obtain from THE COMPANY, at any time and without restrictions, information about the existence of any type of information or personal data of his/her interest or ownership must be guaranteed.

 

  1. f) Principle of restricted access and circulation: Personal data, except for public information, shall not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to the owners or authorized third parties. For these purposes, the obligation of THE COMPANY will be an obligation of means.

 

  1. g) Security Principle: Personal data and information used, captured, collected and subject to treatment by THE COMPANY, will be protected to the extent that the technical resources and minimum standards allow it, through the adoption of technological protection measures, protocols, and all kinds of administrative measures necessary to provide security to electronic records and repositories avoiding their adulteration, modification, loss, consultation, and in general against any unauthorized use or access.

 

  1. h) Principle of confidentiality: All and each one of the persons who administer, manage, update or have access to information of any kind that is in databases or data banks, undertake to keep and maintain strictly confidential and not disclose to third parties, all personal, commercial, accounting, technical or any other type of information provided in the performance and exercise of their duties. All persons who are currently working or will be hired in the future for such purpose, in the administration and management of databases, must sign an additional document to their employment or service contract in order to ensure such commitment. This obligation persists and is maintained even after the end of their relationship with any of the tasks involved in the processing.


  • Sensitive data: 

 

Sensitive data are understood as those that affect the privacy of the holder or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights organizations or organizations that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life and biometric data, among others, the capture of still or moving images, fingerprints, photographs, iris, voice, facial or palm recognition, etc.

 

  • Processing of sensitive data:

 

Data classified as sensitive may be used and processed when: 

 

  1. a) The Data Subject has given his/her explicit authorization to such processing, except in those cases where the law does not require the granting of such authorization; 

 

  1. b) The processing is necessary to safeguard the vital interest of the holder and he/she is physically or legally incapacitated. In these events, the legal representatives must grant their authorization; 

 

  1. c) The processing is carried out in the course of legitimate activities and with due guarantees by a foundation, NGO, association or any other non-profit organization, whose purpose is political, philosophical, religious or trade union, provided that they refer exclusively to its members or to persons who maintain regular contacts by reason of their purpose. In these events, the data may not be provided to third parties without the owner's authorization; 

 

  1. d) The Processing refers to data that are necessary for the recognition, exercise or defense of a right in a judicial proceeding; 

 

  1. e) The Processing has a historical, statistical or scientific purpose. In this event, the measures leading to the suppression of the identity of the Data Controllers must be adopted. 

 

5.1 Authorization of the holder: 

Notwithstanding the exceptions provided by law, the processing requires the prior, express and informed authorization of the holder, which must be obtained by any means that may be subject to consultation and subsequent verification. 

 

5.3 Cases in which authorization is not required: 

 

The authorization of the Holder shall not be necessary in the case of: 

 

  1. a) Information required by a public or administrative entity in the exercise of its legal functions or by court order. 

 

  1. b) Data of a public nature. 

 

  1. c) Cases of medical or sanitary emergency. 

 

  1. d) Processing of information authorized by law for historical, statistical or scientific purposes. 

 

  1. e) Data related to the Civil Registry of Persons.

 

  1. Rights of children and adolescents. 

 

Treatment shall ensure respect for the prevailing rights of minors. 

The processing of personal data of minors is prohibited, except for data of a public nature. 

 

It is the task of the State and educational entities of all kinds to provide information and train legal representatives and guardians on the possible risks faced by minors with respect to the improper processing of their personal data, and to provide knowledge about the responsible and safe use by children and adolescents of their personal data, their right to privacy and protection of their personal information and that of others. 

 

  1. Duties of THE COMPANY as the party responsible for the Processing of Personal Data. 

 

THE COMPANY, when acting as Controllers of personal data, shall comply with the following duties: 

 

  1. a) Guarantee to the Data Subject, at all times, the full and effective exercise of the right of habeas data. 

 

  1. b) Request and keep a copy of the respective authorization granted by the holder. 

 

  1. c) Duly inform the owner about the purpose of the collection and the rights he/she is entitled to by virtue of the authorization granted. 

 

  1. d) Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access. 
  2. e) Ensure that the information provided to the data processor is truthful, complete, accurate, updated, verifiable and understandable. 

 

  1. f) Update the information, communicating in a timely manner to the data processor, all the news regarding the data previously provided and adopt the other necessary measures so that the information provided to the data processor is kept up to date. 

 

  1. g) To rectify the information when it is incorrect and to communicate what is pertinent to the person in charge of the treatment.

 

  1. h) To provide to the Data Processor, as the case may be, only data whose Processing has been previously authorized. 

 

  1. i) To demand from the Data Processor, at all times, respect for the security and privacy conditions of the Data Subject's information. 

 

  1. j) To process the consultations and claims formulated. 

 

  1. k) Inform the Data Controller when certain information is under discussion by the Data Subject, once the claim has been filed and the respective process has not been completed. 

 

  1. l) Inform upon request of the Data Subject about the use given to his/her data. 

 

  1. m) Inform the data protection authority when there are violations to the security codes and there are risks in the administration of the data subjects' information.

 

  1. National Database Registry. 

 

THE COMPANY reserves, in the events contemplated in the law and in its bylaws and internal regulations, the right to maintain and classify certain information contained in its databases or data banks as confidential in accordance with the rules in force, its bylaws and regulations. 

 

THE COMPANY, shall proceed in accordance with current regulations and the regulations issued for that purpose by the National Government, to register its databases, before the National Registry of Databases (RNBD) to be administered by the Superintendence of Industry and Commerce. The RNBD is the public directory of the databases subject to processing operating in the country, which will be freely available for consultation by citizens, in accordance with the regulations issued by the National Government for such purpose. 

 

  1. Authorizations and consent. 

 

The collection, storage, use, circulation or deletion of personal data by THE COMPANY requires the free, prior, express and informed consent of the data owner. 

9.1 Means and manifestations for granting the authorization. 

 

The authorization may be recorded in a physical document, electronic, data message, Internet, Websites, in any other format that allows to guarantee its subsequent consultation, or through a suitable technical or technological mechanism, which allows to express or obtain the consent via click or double click, by which it can be concluded unequivocally that, had there not been a conduct of the holder, the data would never have been captured and stored in the database. The authorization will be generated by THE COMPANY and will be made available to the holder in advance and prior to the processing of their personal data. 

 

See Annex No. 1 model of authorization for the collection and processing of personal data. 

 

9.2 Proof of authorization. 

 

THE COMPANY will use the mechanisms it currently has, and will implement and adopt the necessary actions to maintain records or suitable technical or technological mechanisms of when and how it obtained authorization from the owners of personal data for the treatment of the same. To comply with the above, physical files or electronic repositories may be established directly or through third parties contracted for this purpose. 

 

  1. Privacy Notice: 

 

The Privacy Notice is the physical, electronic or any other format known or to be known, which is made available to the Data Subject for the processing of personal data. Through this document, the Data Subject is informed about the existence of the information processing policies that will be applicable to him/her, the way to access them and the characteristics of the processing that is intended to be given to the personal data. 

 

See Annex No. 2 model privacy notice. 

 

10.1 Scope and Content of the Privacy Notice. 

 

The Privacy Notice, at a minimum, shall contain the following information: 

 

  1. a) The identity, address and contact details of the Data Controller. 

 

  1. b) The type of processing to which the data will be subjected and its purpose. 

 

  1. c) The general mechanisms provided by the Controller so that the Data Subject is aware of the information processing policy and the substantial changes therein. In all cases, the Data Controller must inform the Data Subject how to access or consult the information processing policy.

 

  1. Prerogatives and other rights of the owners of the information. 

In attention and in accordance with the provisions of the current and applicable regulations on the protection of personal data, the owner of the personal data has the following rights: 

 

  1. a) Access, know, rectify and update their personal data against THE COMPANY, in its capacity as data controller. 

 

  1. b) By any valid means, request proof of the authorization granted to THE COMPANY, in its capacity as Data Controller. 

 

  1. c) To receive information from THE COMPANY, upon request, regarding the use it has made of your personal data. 

 

  1. d) Go before the legally constituted authorities, especially before the Superintendence of Industry and Commerce, and file complaints for infringements to the provisions of the applicable regulations in force, after consultation or request to the Data Controller. 

 

  1. e) Modify and revoke the authorization and/or request the deletion of the data when the processing does not respect the constitutional and legal principles, rights and guarantees in force. 

 

  1. f) To have knowledge and access free of charge to their personal data that have been subject to Processing. 

 

  1. Duties of THE COMPANY in relation to the processing of personal data. 

 

THE COMPANY, will keep in mind, at all times, that personal data are the property of the persons to whom they refer and that only they can decide on them. In this sense, it will use them only for those purposes for which it is duly authorized, and respecting in any case the current regulations on personal data protection. 

 

  1. Guarantees of the Right of Access. 

 

THE COMPANY will guarantee the right of access when, upon prior accreditation of the identity of the holder, or of the legitimacy or personality of its representative, it makes the respective personal data available, at no cost or expense and in a detailed manner, through all types of media, including electronic media that allow direct access to them by the Holder. Such access must be offered without any limit and must allow the holder the possibility of knowing and updating them online.

 

  1. Inquiries.

 

The holders, or their assignees may consult the personal information of the Holder that is contained in any database. Consequently, THE COMPANY will guarantee the right of consultation, providing the holders, all the information contained in the individual record or that is linked to the identification of the Holder. 

With respect to the attention of requests for consultation of personal data THE COMPANY guarantees: 

 

Enable electronic means of communication or other means it deems pertinent. 

 

Establish forms, systems and other simplified methods, which must be informed in the privacy notice. 

 

Use the customer service or claims services it has in operation. 

 

In any case, regardless of the mechanism implemented for the attention of consultation requests, they will be attended within a maximum term of ten (10) working days from the date of receipt. When it is not possible to attend the consultation within such term, the interested party shall be informed before the expiration of the 10 days, stating the reasons for the delay and indicating the date on which the consultation will be attended, which in no case may exceed five (5) business days following the expiration of the first term.  

 

  1. Claims. 

 

The Data Subject or its assignees who consider that the information contained in a database should be corrected, updated or deleted, or when they notice the alleged breach of any of the duties contained in the Law, may file a complaint with the Data Controller, channeling it and sending it through the designated unit and whose contact details are specified below in paragraph 22 of this document and that will exercise the function of protection of personal data within the COMPANY. 

 

The claim may be filed by the Holder, taking into account the information indicated in Article 15 of Law 1581 of 2012 and Decree 1377 of 2013, and other regulations that modify or add to them. 

 

  1. Implementation of procedures to guarantee the right to file complaints. 

 

At any time and free of charge, the holder or his representative may request to COMPANY personnel, the rectification, updating or deletion of his personal data, upon proof of identity. 

 

The rights of rectification, updating or suppression may only be exercised by: 

 

  1. a) The holder or his successors in title, upon proof of identity, or through electronic instruments that allow him to identify himself. 

 

  1. b) Its representative or attorney-in-fact, upon accreditation of the representation or mandate. 

 

When the request is formulated by a person other than the owner, the legal capacity or mandate to act must be duly accredited; and if such capacity is not accredited, the request shall be deemed not to have been filed. 

The request for rectification, update or suppression must be submitted through the means enabled by THE COMPANY indicated in the privacy notice and contain, at least, the following information: 

 

The name and address of the holder or any other means to receive the response 

 

The documents proving the identity or the personality of its representative. 

 

The clear and precise description of the personal data with respect to which the holder seeks to exercise any of the rights. 

 

If necessary, other elements or documents that facilitate the location of personal data. 

 

  1. Rectification and updating of data. 

 

THE COMPANY has the obligation to rectify and update at the request of the holder, the information of the latter that turns out to be incomplete or inaccurate, in accordance with the procedure and terms indicated above. In this regard, the following shall be taken into account: 

 

In requests for rectification and updating of personal data, the holder must indicate the corrections to be made and provide the documentation supporting his request. 

 

THE COMPANY is free to enable mechanisms that facilitate the exercise of this right, as long as they benefit the holder. Consequently, electronic or other means may be enabled as it deems appropriate. 

 

THE COMPANY may establish forms, systems and other simplified methods, which must be informed in the privacy notice and will be made available to interested parties on the website. 

 

  1. Data suppression. 

 

The holder has the right, at any time, to request to THE COMPANY, the suppression (deletion) of his/her personal data when: 

 

  1. a) Consider that they are not being treated in accordance with the principles, duties and obligations set forth in the regulations in force. 

 

  1. b) Are no longer necessary or relevant for the purpose for which they were collected. 

 

  1. c) The period necessary for the fulfillment of the purposes for which they were collected has been exceeded. 

 

This deletion implies the total or partial elimination of the personal information as requested by the holder in the records, files, databases or treatments carried out by THE COMPANY. It is important to note that the right of cancellation is not absolute and the data controller may deny the exercise of the same when: 

  1. a) The owner has a legal or contractual duty to remain in the database. 

 

  1. b) The deletion of data hinders judicial or administrative proceedings related to tax obligations, the investigation and prosecution of crimes or the updating of administrative sanctions. 

 

  1. c) The data are necessary to protect the legally protected interests of the holder; to carry out an action in the public interest, or to comply with an obligation legally acquired by the holder. 

 

  1. Revocation of authorization. 

 

The holders of personal data may revoke their consent to the processing of their personal data at any time, provided that it is not prevented by a legal or contractual provision. For this purpose, THE COMPANY shall establish simple and free mechanisms that allow the holder to revoke their consent, at least by the same means by which it was granted. 

 

It should be noted that there are two ways in which the revocation of consent may occur. The first can be on the totality of the consented purposes, that is, that THE COMPANY must completely stop processing the data of the owner; the second can occur on specific types of treatment, such as for advertising or market research purposes. With the second modality, that is, the partial revocation of consent, other purposes of the processing that the data controller, in accordance with the authorization granted, may carry out and with which the data subject agrees, remain unchanged. 

 

  1. Information security and security measures. 

 

In development of the security principle established in the regulations in force, THE COMPANY will adopt the technical, human and administrative measures necessary to provide security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access. 

 

  1. Use and international transfer of personal data and personal information by THE COMPANY. 

 

Depending on the nature of the permanent or occasional relationships that any person holding personal data may have with THE COMPANY, all of that person's information may be transferred abroad, subject to applicable legal requirements. By accepting this policy, the holder expressly authorizes the transfer of Personal Information. The information will be transferred for all relationships that may be established with THE COMPANY.

 

Without prejudice to the obligation to observe and maintain the confidentiality of the information, THE COMPANY will take the necessary measures so that these third parties know and commit to observe this Policy, under the understanding that the personal information they receive may only be used for matters directly related to the relationship with THE COMPANY, and only while it lasts, and may not be used or intended for a different purpose.

 

THE COMPANY may also share Personal Information with governmental or other public authorities (including, but not limited to, judicial or administrative authorities, tax authorities and criminal, civil, administrative, disciplinary and fiscal investigative bodies), and third parties involved in civil legal proceedings and their accountants, auditors, attorneys and other advisors and representatives, when necessary or appropriate: (a) to comply with applicable laws, including laws other than those of your country of residence; (b) to comply with legal process; (c) to respond to requests from public and government authorities, and to respond to requests from public and government authorities other than those of your country of residence; (d) to enforce our terms and conditions; (e) to protect our operations; (f) to protect our rights, privacy, safety or property, yours or others; and (g) to obtain any applicable indemnification or limit any damages that may be incurred by us. 

 

  1. Function of personal data protection within THE COMPANY. 

 

THE COMPANY, under the terms established in the regulations in force, will act as PERSON RESPONSIBLE FOR THE PROCESSING of Personal Data; and NESTOR RAMÍREZ CASTRO will act as PERSON IN CHARGE OF THE PROCESSING of personal data. 

 

  1. THE COMPANY designates the office of NESTOR RAMÍREZ CASTRO, or the unit that takes its place, as the person who will receive, process and channel the different requests that are received, and will forward them to the respective unit already mentioned in charge of the treatment. Once these units receive these communications, they will begin to comply with the function of personal data protection, and must process the requests of the holders, within the time limits, terms and conditions established by the regulations in force, for the exercise of the rights of access, consultation, rectification, updating, suppression and revocation referred to in the regulations in force on protection of personal data.

 

  1. In the event that you consider that THE COMPANY gave a use contrary to the authorized and applicable laws, you may contact us through a motivated communication addressed to the Administrative Director of THE COMPANY. Address: Calle 82 No. 19ª-14 second floor, E-mail: [email protected]; Telephone: 6210211. 

 

EFFECTIVENESS. This manual is effective as of November 1, 2016 and supersedes any special regulations or manuals that may have been adopted by THE COMPANY.

 
