USAENE (hereinafter THE COMPANY) guarantees the protection of the fundamental and constitutional rights of all persons, especially Habeas Data, privacy, intimacy, good name and image; for that purpose, all actions will be governed by principles of good faith, legality, computer self-determination, freedom and transparency.
Whoever, in the exercise of any activity, including training, consulting, cultural, academic, commercial and labor activities, whether permanent or occasional, supplies any type of information or personal data to THE COMPANY and in which THE COMPANY acts as data processor or data controller, may know, update and rectify it.
Political Constitution, Article 15; Law 1266 of 2008; Law 1581 of 2012; Regulatory Decrees 1727 of 2009 and 2952 of 2010, and partial Regulatory Decree No. 1377 of 2013; Constitutional Court Rulings C-1011 of 2008 and C-748 of 2011.
In accordance with the current legislation in force on the matter, the following definitions are established, which will be applied and implemented taking into account the interpretation criteria that guarantee a systematic and integral application, and in accordance with technological advances, technological neutrality, and the other principles and postulates that govern the fundamental rights that surround and orbit the right of Habeas Data and protection of personal data.
Authorization: Prior, express and informed consent of the holder to carry out the Processing of personal data.
Database: Organized set of personal data that is the object of Processing.
Personal data: Any information linked or that can be associated to one or several determined or determinable natural persons.
Data processor: Natural or legal person, public or private, who by himself or in association with others, carries out the processing of personal data on behalf of the data controller.
Data controller: Natural or legal person, public or private, who alone or in association with others, decides on the database and/or the processing of data.
Data subject: Natural person whose personal data is the subject of processing.
Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.
THE COMPANY will apply the following specific principles set forth below, which constitute the rules to be followed in the collection, handling, use, processing, storage and exchange of personal data:
Sensitive data are understood as those that affect the privacy of the holder or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life and biometric data, among others, the capture of still or moving images, fingerprints, photographs, iris, voice, facial or palm recognition, etc.
Data classified as sensitive may be used and processed when:
5.1 Authorization of the holder:
Notwithstanding the exceptions provided by law, the processing requires the prior, express and informed authorization of the holder, which must be obtained by any means that may be subject to consultation and subsequent verification.
5.3 Cases in which authorization is not required:
The authorization of the Holder shall not be necessary in the case of:
Treatment shall ensure respect for the prevailing rights of minors.
The processing of personal data of minors is prohibited, except for data of a public nature.
It is the task of the State and educational entities of all kinds to provide information and train legal representatives and guardians on the possible risks faced by minors with respect to the improper processing of their personal data, and to provide knowledge about the responsible and safe use by children and adolescents of their personal data, their right to privacy and protection of their personal information and that of others.
THE COMPANY, when acting as Controllers of personal data, shall comply with the following duties:
THE COMPANY reserves, in the events contemplated in the law and in its bylaws and internal regulations, the right to maintain and classify certain information contained in its databases or data banks as confidential in accordance with the rules in force, its bylaws and regulations.
THE COMPANY shall proceed, in accordance with current regulations and the regulations issued for that purpose by the National Government, to register its databases before the National Registry of Databases (RNBD), to be administered by the Superintendence of Industry and Commerce. The RNBD is the public directory of the databases subject to processing operating in the country, which will be freely available for consultation by citizens, in accordance with the regulations issued by the National Government for such purpose.
The collection, storage, use, circulation or deletion of personal data by THE COMPANY requires the free, prior, express and informed consent of the data owner.
9.1 Means and manifestations for granting the authorization.
The authorization may be recorded in a physical document, electronic, data message, Internet, Websites, in any other format that allows to guarantee its subsequent consultation, or through a suitable technical or technological mechanism, which allows to express or obtain the consent via click or double click, by which it can be concluded unequivocally that, had there not been a conduct of the holder, the data would never have been captured and stored in the database. The authorization will be generated by THE COMPANY and will be made available to the holder in advance and prior to the processing of their personal data.
See Annex No. 1 model of authorization for the collection and processing of personal data.
9.2 Proof of authorization.
THE COMPANY will use the mechanisms it currently has, and will implement and adopt the necessary actions to maintain records or suitable technical or technological mechanisms of when and how it obtained authorization from the owners of personal data for the treatment of the same. To comply with the above, physical files or electronic repositories may be established directly or through third parties contracted for this purpose.
The Privacy Notice is the physical, electronic or any other format known or to be known, which is made available to the Data Subject for the processing of personal data. Through this document, the Data Subject is informed about the existence of the information processing policies that will be applicable to him/her, the way to access them and the characteristics of the processing that is intended to be given to the personal data.
See Annex No. 2 model privacy notice.
10.1 Scope and Content of the Privacy Notice.
The Privacy Notice, at a minimum, shall contain the following information:
In attention and in accordance with the provisions of the current and applicable regulations on the protection of personal data, the owner of the personal data has the following rights:
THE COMPANY will keep in mind, at all times, that personal data are the property of the persons to whom they refer and that only they can decide on them. In this sense, it will use them only for those purposes for which it is duly authorized, respecting in any case the current regulations on personal data protection.
THE COMPANY will guarantee the right of access, upon prior accreditation of the identity of the holder, legitimacy, or personality of its representative, by making available to the latter, at no cost or expense and in a detailed manner, the respective personal data through all types of media, including electronic media that allow direct access to them by the Holder. Such access must be offered without any limit and must allow the holder the possibility of knowing and updating them online.
The holders, or their assignees may consult the personal information of the Holder that is contained in any database. Consequently, THE COMPANY will guarantee the right of consultation, providing the holders, all the information contained in the individual record or that is linked to the identification of the Holder.
With respect to the attention of requests for consultation of personal data THE COMPANY guarantees:
Enable electronic means of communication or other means it deems pertinent.
Establish forms, systems and other simplified methods, which must be informed in the privacy notice.
Use the customer service or claims services it has in operation.
In any case, regardless of the mechanism implemented for the attention of consultation requests, they will be attended within a maximum term of ten (10) working days from the date of receipt. When it is not possible to attend the consultation within such term, the interested party shall be informed before the expiration of the 10 days, stating the reasons for the delay and indicating the date on which the consultation will be attended, which in no case may exceed five (5) business days following the expiration of the first term.
The Data Subject or its assignees who consider that the information contained in a database should be corrected, updated or deleted, or when they notice the alleged breach of any of the duties contained in the Law, may file a complaint with the Data Controller, channeling it and sending it through the designated unit and whose contact details are specified below in paragraph 22 of this document and that will exercise the function of protection of personal data within the COMPANY.
The claim may be filed by the Holder, taking into account the information indicated in Article 15 of Law 1581 of 2012 and Decree 1377 of 2013, and other regulations that modify or add to them.
At any time and free of charge, the holder or his representative may request from COMPANY personnel the rectification, updating or deletion of his personal data, upon proof of identity.
The rights of rectification, updating or suppression may only be exercised by:
When the request is formulated by a person other than the owner, the legal capacity or mandate to act must be duly accredited; and if such capacity is not accredited, the request shall be deemed not to have been filed.
The request for rectification, update or suppression must be submitted through the means enabled by THE COMPANY indicated in the privacy notice and contain, at least, the following information:
The name and address of the holder or any other means to receive the response
The documents proving the identity or the personality of its representative.
The clear and precise description of the personal data with respect to which the holder seeks to exercise any of the rights.
If necessary, other elements or documents that facilitate the location of personal data.
THE COMPANY has the obligation to rectify and update at the request of the holder, the information of the latter that turns out to be incomplete or inaccurate, in accordance with the procedure and terms indicated above. In this regard, the following shall be taken into account:
In requests for rectification and updating of personal data, the holder must indicate the corrections to be made and provide the documentation supporting his request.
THE COMPANY is free to enable mechanisms that facilitate the exercise of this right, as long as they benefit the holder. Consequently, electronic or other means may be enabled as it deems appropriate.
THE COMPANY may establish forms, systems and other simplified methods, which must be informed in the privacy notice and will be made available to interested parties on the website.
The holder has the right, at any time, to request from THE COMPANY the suppression (deletion) of his/her personal data when:
This deletion implies the total or partial elimination of the personal information as requested by the holder in the records, files, databases or treatments carried out by THE COMPANY. It is important to note that the right of cancellation is not absolute and the data controller may deny the exercise of the same when:
The holders of personal data may revoke their consent to the processing of their personal data at any time, provided that it is not prevented by a legal or contractual provision. For this purpose, THE COMPANY shall establish simple and free mechanisms that allow the holder to revoke their consent, at least by the same means by which it was granted.
It should be noted that there are two ways in which the revocation of consent may occur. The first can be on the totality of the consented purposes, that is, that THE COMPANY must completely stop processing the data of the owner; the second can occur on specific types of treatment, such as for advertising or market research purposes. With the second modality, that is, the partial revocation of consent, other purposes of the processing that the data controller, in accordance with the authorization granted, may carry out and with which the data subject agrees, remain unchanged.
In development of the security principle established in the regulations in force, THE COMPANY will adopt the technical, human and administrative measures necessary to provide security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.
Depending on the nature of the permanent or occasional relationships that any person holding personal data may have with THE COMPANY, all of that person's information may be transferred abroad, subject to applicable legal requirements. With the acceptance of this policy, the holder expressly authorizes the transfer of Personal Information. The information will be transferred for all relationships that may be established with THE COMPANY.
Without prejudice to the obligation to observe and maintain the confidentiality of the information, THE COMPANY will take the necessary measures so that these third parties know and commit to observe this Policy, under the understanding that the personal information they receive may only be used for matters directly related to the relationship with THE COMPANY, and only while it lasts, and may not be used or intended for a different purpose.
THE COMPANY may also share Personal Information with governmental or other public authorities (including, but not limited to, judicial or administrative authorities, tax authorities and criminal, civil, administrative, disciplinary and fiscal investigative bodies), and third parties involved in civil legal proceedings and their accountants, auditors, attorneys and other advisors and representatives, when necessary or appropriate: (a) to comply with applicable laws, including laws other than those of your country of residence; (b) to comply with legal process; (c) to respond to requests from public and government authorities, including authorities other than those of your country of residence; (d) to enforce our terms and conditions; (e) to protect our operations; (f) to protect our rights, privacy, safety or property, yours or others; and (g) to obtain any applicable indemnification or limit any damages that may be incurred by us.
THE COMPANY, under the terms established in the regulations in force, will act as PERSON RESPONSIBLE FOR THE PROCESSING of Personal Data; and NESTOR RAMÍREZ CASTRO will act as PERSON IN CHARGE OF THE PROCESSING of personal data.
EFFECTIVENESS. This manual is effective as of November 1, 2016 and supersedes any special regulations or manuals that may have been adopted by THE COMPANY.