PREAMBLE

Proa IA SAS (hereinafter Proa IA), in compliance with the provisions of article 15 of the Political Constitution of Colombia and Statutory Law 1581 of 2012 and its regulatory and complementary norms, comprehensively guarantees (through legal, technical and organizational means) the protection and exercise of the fundamental right of Habeas Data (to know, rectify and update) of all the Holders of the personal information for which it is Responsible or Person in Charge of the Treatment. It will also guarantee at all times the fundamental rights to the intimacy, good name and privacy of natural persons, which is why it adopts and applies this Manual of Policies and Procedures for the Protection of Personal Data.

At Proa IA we are aware that in many cases the breach of the Law is due to a lack of knowledge of and information about the existing norms, rights and procedures recognized in the Colombian legal framework. Therefore, this Manual allows each of the internal and external members or groups that are part of Proa IA, or that have any relationship with us, to know the rights and obligations that Law 1581 of 2012 and the complementary norms have developed, guaranteed and established for the Holders of personal information.

INTRODUCTION

Proa IA has decided to voluntarily and responsibly adopt this Manual, which establishes the organizational conditions, the obligations of those involved in the Treatment and / or use of personal information, the operating regime, and the procedures applicable to the Treatment of the personal data that, in the course of the activities of its corporate purpose, it has to request, use, store, correct, assign, delete or process.

The above has been resolved, in order to fully comply with the provisions of article 15 of the Political Constitution of Colombia and Law 1581 of 2012, as well as the other rules that regulate and complement the Treatment for the Protection of Personal Data in Colombia as already indicated above.

For all purposes, Proa IA is Responsible for the Processing of Personal Data and, in compliance with the provisions of Article 13 of Regulatory Decree 1377 of 2013, adopts and makes public to all interested parties this Manual, which contains all the essential, simple and secure elements for compliance with the legislation corresponding to the Protection of Personal Data in Colombia. Likewise, this Manual will serve as pedagogical material for all sectors or interest groups that maintain some kind of relationship with Proa IA, directly or indirectly, contributing to the correct knowledge of the fundamental right to the Protection of Personal Data in compliance with and development of the Principle of Demonstrated Responsibility or Accountability.

The data administered or processed by Proa IA in compliance with its function and purpose will not require prior, express, informed and unambiguous authorization by the Holder in cases where this personal information is of a public nature or in cases excepted by the Regulatory Decree 1377 of 2013, as well as personal data and databases that are outside the scope of Law 1581 of 2012. However, all personal information, including databases containing historical, statistical or scientific data and the others that are excluded, will be subject to the guiding principles provided by Law 1581 of 2012, the Regulatory Decrees and the other regulations that complement, add or repeal it, regarding the Protection of Personal Data in Colombia.

THEREFORE, PROA IA SHALL BE RESPONSIBLE FOR THIS POLICY AND FOR THE DATA PROTECTION TREATMENT THAT, IN THE EXERCISE OF ITS FUNCTIONS AS A COMPANY, IT CARRIES OUT WITH RESPECT TO NATURAL PERSONS WHO ARE HOLDERS OF PERSONAL DATA.

PROA IA SAS

Address: CRA 12 # 90 – 20. Office 306

Mail: info@proaia.com

Telephone: +57 317 7948138

  1. DEFINITIONS
  • Notice of Privacy:

Verbal or written communication generated by the Responsible (Proa IA), addressed to the Holder for the Treatment of his personal data, by means of which he is informed about the existence of the information Processing policies that will be applicable to him, the way to access them and the purposes of the Treatment intended for the personal data.

  • Authorization:

Prior, express and informed consent of the Holder of personal data to carry out the Processing of personal data, or any unequivocal conduct that the Holder may perform.

  • Database:

Organized set of personal data that are subject to Treatment.

  • Personal data:

Any information linked or that may be associated with one or more specific or determinable natural persons[1]. The "personal data" should then be understood as information related to a natural person (individually considered person).

  • Public data:

It is the data that is not semi-private, private or sensitive. Public data are considered, among others, data relating to the marital status of people, their profession or trade and their status as merchant or public servant. By their nature, public data may be contained, among others, in public records, public documents, gazettes and official bulletins, and duly enforced judicial sentences that are not subject to reservation. It will also be understood that all data that is contained in public records will have this same nature.

  • Semiprivate Data:

Semi-private data is data that has no intimate, reserved, or public nature and whose knowledge or disclosure may interest not only its Holder but also a certain sector or group of people or society in general, such as financial and credit data of commercial activity or of services referred to in Title IV of this law.

  • Private Data:

All personal information whose knowledge is restricted and which is, in principle, private with respect to the general public.

  • Sensitive Data:

Any data that affects the privacy of the Holder or whose improper use can generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social organizations, human rights or that promotes the interests of any political party or that guarantees the rights and guarantees of opposition political parties as well as data related to health, sexual life and biometric data,[2] among others.

  • Treatment Manager:

Proa IA acts as the Person in Charge of the Processing of personal data in cases in which, by itself or in association with others, it carries out the Processing of personal data on behalf of a Responsible.

  • Responsible for the Treatment:

Proa IA acts as Responsible for the Processing of personal data with respect to all personal data on which it decides directly, in compliance with its own functions.

  • Holder:

Natural person whose personal data are subject to Treatment, which may be:

  1. Holder, who must prove his identity sufficiently by the various means made available to him by the Responsible.
  2. Successors in title, who must prove such quality.
  3. Representative and / or proxy of the Holder, prior accreditation of the representation or empowerment.
  4. By stipulation in favor of another or for another.
  • Transfer:

The data transfer takes place when the Responsible and / or Person in Charge of the Processing of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is Responsible for the Processing and is inside or outside the country.

  • Transmission:

Treatment of personal data that involves the communication of them within or outside the territory of the Republic of Colombia when it is intended to carry out a Treatment by the Manager on behalf of the Responsible.

  • Treatment:

Any operation or set of operations that Proa IA performs on personal data such as collection, processing, advertising, storage, use, circulation or deletion. The foregoing will only apply exclusively to personal data of natural persons.

  • Information Security Officer:

It is the person within Proa IA, whose function is the monitoring and control of the application of the Personal Data Protection Policy, under the guidance and guidelines of the Information Security Committee. The Information Security Committee will designate the Data Protection Officer.

The above definition refers to a role or function to be performed by an official designated by the Proa IA Safety Committee.

  2. PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA

To comply with the Personal Data Protection Policy, as well as the obligations imparted by Law 1581 of 2012 and the other complementary regulations, the following shall be taken into account.

The handling and processing of personal, sensitive and minor data, within Proa IA are framed under the following principles:

 

2.1. Access and Circulation: the data operated by Proa IA will have the possible and necessary legal, organizational and technical measures that allow restricted access and circulation according to the nature of the data (public, semi-private, private, sensitive or minors) and with the authorizations given by the Holder or other persons provided for in the Law.  

 

2.2. Confidentiality: according to the previous definition, Proa IA guarantees the confidentiality of the data depending on its nature. Therefore, Proa IA will keep the information confidential during and after the activities that legally justify the Processing of personal data.

 

2.3. Purpose: In all cases the purpose will be legitimate, informed, temporary and material. The purpose corresponds to the functions or activities of Proa IA that allow the full development of the corporate purpose for which it will request prior, express and informed authorization by the Holder for the Processing of personal data only when they are data other than those of a public nature.

 

2.4. Legality: the data that Proa IA treats or will treat will comply with the legitimate purposes and subject to Law 1581 of 2012 and the other regulations that develop or complement it.

 

2.5. Freedom: Proa IA guarantees the right to informative self-determination of the Holders that provide personal data and will always take into account their consent to any treatment.

 

2.6. Security: Proa IA guarantees the definition and implementation of technical, human and administrative measures necessary to prevent adulteration, loss, consultation, use or unauthorized or fraudulent access to the databases under its control.

 

2.7. Transparency: Proa IA guarantees to the Holders of personal data through simple and agile mechanisms, the right of access and knowledge of the personal information that is being treated in accordance with the provisions of Regulatory Decree 1377 of 2013.

 

2.8. Veracity or Quality: Proa IA will do everything in its power so that the information stored in its databases is truthful, complete, accurate, updated, verifiable and understandable. For the fulfillment of this principle.

  3. PROCESSING OF PERSONAL DATA

3.1. Processing of public data

Proa IA warns that it treats personal data of a public nature without prior authorization of the Holder. This does not mean that the necessary measures are not taken to guarantee compliance with the rest of the principles and obligations contemplated in Law 1581 of 2012 and the other regulations that govern this matter, which are duties for Proa IA.

3.2. Processing of sensitive data

Proa IA only treats sensitive personal data to the extent strictly necessary, requesting prior, express and informed consent from the Holders (legal representatives, proxies, assignees) and informing them about the exclusive purpose of their Treatment, according to the format M-SI-01-R04 Authorization processing sensitive data.

Proa IA uses and treats data classified as sensitive, when:

  1. The Treatment is necessary to safeguard the vital interest of the Holder and he is physically or legally incapacitated. In these events, the owner or legal representatives must grant authorization for said Treatment.
  2. The Treatment refers to data that are necessary for the recognition, exercise or defense of a right in a judicial process;
  3. The Treatment has a historical, statistical or scientific purpose or takes place within the framework of improvement processes; the latter, as long as the measures leading to the suppression of the identity of the Holders are adopted or the data is dissociated, that is, the sensitive data is separated from the identity of the Holder so that the Holder of the sensitive data is not identifiable or cannot be identified.

In addition to the above, Proa IA meets the following obligations:

  1. Inform the Holder that because they are sensitive data, they are not obliged to authorize their Treatment.
  2. Inform the Holder explicitly and previously, in addition to the general requirements of the authorization for the collection of any type of personal data, which data subject to Treatment are sensitive and the purpose of the Treatment, and obtain the express consent.
  3. Not to make any activity conditional on the Holder providing sensitive personal data (unless there is a legal or contractual cause to do so).

3.3. Data processing of minors

Proa IA only treats personal data of minors when they are of a public nature or come from the information provided by their parents, guardians, legal representatives, employees or contractors, at the time of their connection, employment or provision of services with Proa IA. The foregoing is in accordance with the provisions of article 7 of Law 1581 of 2012 and applies when the Treatment complies with the following parameters and requirements:

  1. That responds and respects the best interests of children and adolescents.
  2. That respect for their fundamental rights be ensured.

Once the above requirements have been met, Proa IA will require authorization from the legal representative or guardian of the child or adolescent, having first heard the minor's opinion regarding the Treatment that will be given to their data, an opinion that will be valued taking into account maturity, autonomy and ability to understand the matter, as indicated by the Law. This is done according to the format M-SI-01-R03 Authorization of data processing of minors.

Proa IA and any person, public or private, natural or legal, involved in the processing of personal data of children and adolescents, will ensure the proper use of them. In compliance with the above, the principles and obligations established in Law 1581 of 2012 and Decree 1377 of 2013 and the other regulations governing this matter, as well as the Political Constitution of Colombia, are applied and developed.

  4. CLASSIFICATION OF DATABASES

Proa IA has classified its Databases as follows.

As Responsible for Treatment:

  1. Human Resources

It is the manual and automated database that contains data collected in the candidate selection processes; staff plant ratio; results of occupational examinations on entry and withdrawal of staff; contact details of internal staff; resumes; results of aptitude tests of the applicants. The data included in this database are semi-private, private and sensitive data and data of minors, such as: identification document, names and surnames, address, telephone, email, health data, entrance and occupational exams, medical disabilities and diagnoses, images, among others, necessary for this procedure, which will be duly authorized.

  2. Legal

It is the manual and automated database that contains general data which allows the elaboration of civil and commercial contracts. The data included in this database are of a public nature.

  3. Financial and Accounting

It is the manual and automated database that contains data collected in the accounting, financial and payroll processes of Proa IA. The data included in this database are of a public nature regarding the data of suppliers, customers, financial entities, public entities.

On the other hand, this database contains data of a sensitive nature and data of minors corresponding to employees, such as: names, surnames, ID, address, number of children, spouse's name, names of children, father's name, father's ID card, mother's name, mother's ID card, and some documents of children.

  4. Commercial and Marketing

It is the manual and automated database that contains data that allows the relationship and contact with prospective clients and clients, the sending of newsletters, invitations to events, and advertising and communication of new products and services of Proa IA. The personal data included in this database are public data.

  5. Census

It is the manual and automated database that allows the determination and recognition of commercial establishments nationwide including their geographical location and the classification characteristics requested by our customers. The personal data included in this database are data of a public and semi-private nature.

 

  6. Systems

It is the automated database that contains data collected in the processes of maintenance, support, security, backup, contact of technology providers, video surveillance, and biometric reader information. The personal data included in this database are sensitive, private and semi-private data.

  7. Backoffice

It is the automated database that guarantees the quality of the information and the location of our clients' clients.

As Treatment Manager: PROA IA SAS

 

  5. PREROGATIVES AND RIGHTS OF THE HOLDERS

Proa IA recognizes and guarantees to the Holders of personal data the following fundamental rights:

  • Access, know, update and rectify your personal data against Proa IA in your capacity as Responsible for the Processing of personal data.
  • Request proof of the existence of the authorization granted to Proa IA, except in cases where the Law exempts the authorization.
  • Receive information from Proa IA, upon request, regarding the use you have given to your personal data.
  • File complaints for violations of the provisions of the regulations in force before the Superintendence of Industry and Commerce (SIC) once the procedural requirement has been exhausted.
  • Modify and revoke the authorization and / or request the deletion of personal data, when the current constitutional and legal principles, rights and guarantees are not respected in the Treatment. This right to revoke the authorization is not absolute as long as there is a legal or contractual obligation that limits this right.
  • Have knowledge and access free of charge to your personal data that have been subject to Treatment.

To comply with the above, Servinformacion has established the following formats as a mechanism for the processing of personal data:

  • M-SI-01-R05 Authorization data processing suppliers
  • M-SI-01-R06 Request for rectification or update of personal data
  • M-SI-01-R07 Request for revocation of authorization of personal data
  • M-SI-01-R08 Request for deletion of personal data
  • M-SI-01-R09 Request for access to personal data

This Document, in the following sections, defines the procedures implemented to guarantee these rights.

  6. DUTIES OF PROA IA IN RELATION TO THE PROCESSING OF PERSONAL DATA

Proa IA is aware that personal data is the property of the people they refer to and only they can decide on it. Likewise, Proa IA will make use of said data only in compliance with the purposes for which it is duly empowered and previously authorized by the Holder or by Law and, at all times, respects the current national regulations on Protection of Personal Data and foreign ones, the latter when so ordered.

Proa IA as Responsible for the Processing of personal data, fulfills the duties and obligations provided for in article 17 of Law 1581 of 2012, and the other regulations that regulate or modify it, namely:

  a) Guarantee the Holder, at all times, the full and effective exercise of the right of habeas data;
  b) Request and keep, under the conditions set forth in Law 1581 of 2012, a copy of the respective authorization granted by the Holder;
  c) To duly inform the Holder about the purpose of the collection and the rights that assist him by virtue of the authorization granted;
  d) Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access;
  e) Ensure that the information provided to the Treatment Manager is truthful, complete, accurate, updated, verifiable and understandable;
  f) Update the information, communicating in a timely manner to the person in charge of the Treatment, all the news regarding the data that he has previously provided and take the other necessary measures so that the information provided to him is kept updated;
  g) Rectify the information when it is incorrect and communicate the pertinent to the Treatment Manager;
  h) Provide the Data Controller, as appropriate, only data whose Treatment is previously authorized in accordance with the provisions of this law;
  i) Require the Treatment Manager at all times, respect for the security and privacy conditions of the Holder's information;
  j) To process the queries and claims made in the terms indicated in this law;
  k) Adopt an internal Manual of policies and procedures to ensure adequate compliance with this law and especially for the attention of inquiries and complaints;
  l) Inform the Person in Charge of the Treatment when certain information is under discussion by the Holder, once the claim has been submitted and the respective procedure has not been completed;
  m) Inform at the request of the Holder about the use given to their data;
  n) Inform the data protection authority (Superintendence of Industry and Commerce - Delegation of Data Protection -) when there are violations of security codes and there are risks in the administration of the information of the Holders.
  o) Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

To comply with the above, Servinformacion informs about the processing of personal data and its purpose through:

  • M-SI-01-R01 Privacy Notice
  • M-SI-01-R02 Video Camera Warning

Proa IA as Responsible for the Processing of personal data, complies with the duties and obligations provided for in article 18 of Law 1581 of 2012, and rules that regulate or modify it, namely:

  a) Guarantee the Holder, at all times, the full and effective exercise of the right of habeas data;
  b) Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access;
  c) Timely update, rectify or delete the data in the terms of this law;
  d) Update the information reported by the Treatment Managers within five (5) business days from the date of receipt;
  e) To process the consultations and claims made by the Holders in the terms indicated in this law;
  f) Adopt an internal manual of policies and procedures to ensure proper compliance with this law and, in particular, for the attention of inquiries and complaints by the Holders;
  g) Record in the database the legend "claim in process" in the way it is regulated in this law;
  h) Insert in the database the legend «information in judicial discussion» once notified by the competent authority about judicial processes related to the quality of personal data;
  i) Refrain from circulating information that is being disputed by the Holder and whose blockade has been ordered by the Superintendence of Industry and Commerce;
  j) Allow access to information only to people who may have access to it;
  k) Inform the Superintendence of Industry and Commerce when there are violations of security codes and there are risks in the administration of the information of the Holders;
  l) Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

6.1. Duty of secrecy and confidentiality

 

Proa IA guarantees, and requires of any person who intervenes in any phase of the Processing of personal data that is or comes to be carried out, professional secrecy and confidentiality regarding those data and the duty to safeguard them; these obligations will remain even after the end of their contractual relations with Proa IA.

The breach of the duty of secrecy or confidentiality will be sanctioned in accordance with the provisions of the Proa IA Internal Labor Regulations and current legislation.

 

  7. INFORMATION PROCESSING POLICIES

7.1 General information about the authorization

In the case of data other than those of a public nature, or those defined in paragraph 2 of article 3 of Regulatory Decree 1377 of 2013, Proa IA will request prior, express and informed Authorization for the Processing of personal data by any means that allows it to be used subsequently as evidence. Depending on the case, this Authorization may be part of a larger document, such as a contract, or a specific document (format, form, other, etc.).

In the case of personal data corresponding to natural persons, the description of the purpose of the Data Processing will be informed by the same specific or attached document. Proa IA will inform the Holder of the data the following:

  • The Treatment to which your personal data will be submitted and the specific purpose thereof.
  • The time for which your personal data will be processed.
  • The rights that assist you as Holder.
  • Who is responsible for the Treatment.
  • The website, email, physical address and other communication channels through which you can make inquiries and / or complaints or exercise your rights of access, rectification, update, deletion, or revocation of authorization before the Responsible or Person in Charge of the Treatment.

7.2 The right of access

Proa IA guarantees the right of access in accordance with Law 1581 of 2012 and its other complementary regulations, only to the Holders of personal data that correspond to natural persons recognized by current legislation, upon prior accreditation of their identity as Holder, making the respective personal data processed available to them in detail, without cost or disbursement, through any means of communication, including electronic means that allow direct access by the Holder. Said access is subject to the limits established in article 21 of Regulatory Decree 1377 of 2013. (This access is free only once every 30 calendar days.)

Format M-SI-01-R09 - Request for access to personal data

7.3 The right to consultation

The Holder of personal data may consult the personal information that rests in any Proa IA database. Consequently, Proa IA guarantees the right of consultation in accordance with the provisions of Law 1581 of 2012 and other complementary rules on personal data corresponding to natural persons, providing the Holders of this personal data with the information contained in each of our databases.

Proa IA will establish the authentication measures that make it possible to securely identify the Holder of the personal data who makes the query or request.

With respect to the attention of requests for consultation of personal data, Proa IA guarantees:

  • Enable electronic or other means of communication that it deems pertinent and safe;
  • Establish forms, systems and other methods that will be reported in the Privacy Notice;
  • Use customer service or claims that are in operation.

Regardless of the mechanism implemented for the attention of requests for consultation, these will be processed in a maximum term of ten (10) business days counted from the date of receipt. In the event that a request for consultation cannot be answered within the aforementioned term, the interested party will be informed, before the expiration of the deadline, of the reasons why there has been no response to his query, which in no case may exceed five (5) business days following the expiration of the first term.

7.4 The right to claim

The Holder of personal data that corresponds to a natural person, who considers that the information contained or stored in any of our databases should be subject to correction, update or deletion, or who notices an alleged breach of any of the duties and principles contained in the regulations on Protection of Personal Data, may file a claim with the Responsible or Person in Charge of the Treatment of Proa IA.

Proa IA has the necessary authentication measures that allow a secure identification of the Holder of the personal data who makes the claim.

The claim may be submitted by the Holder, taking into account the information indicated in article 15 of Law 1581 of 2012.

If the claim is incomplete, the Proa IA Personal Data Protection Officer, who must carry out the corresponding procedure, will require the Holder, before the expiration of the first term (15 days), to complete it within five (5) business days following receipt of the requirement, correcting faults or errors. After two (2) months from the date of the request, without the applicant submitting the requested information, it will be understood that he has withdrawn the claim, and it will be filed by means of a record or official letter, which must be notified to the complaining Holder, without prejudice to the Holder being able to exercise his right to claim again.

If the claim is received and it is not within the competence of Proa IA to resolve it, it will, if possible, be transferred to the corresponding party in a maximum term of two (2) business days and the interested party will be informed of the situation.

Once Proa IA has received the complete claim, a legend that says «claim pending» and the reason for it will be included in the database, in a term not exceeding two (2) business days. This legend will remain until the claim is decided. The maximum term to resolve the claim is fifteen (15) business days, counted from the day following the date of receipt. When it is not possible to address the claim within said term, Proa IA will inform the interested party of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.

7.5 The right to rectification and updating of data

Proa IA undertakes to rectify and update at the request of the Holder, the personal information that corresponds to natural persons, which is incomplete or inaccurate, in accordance with the procedure and the terms indicated above. In this regard, Proa IA will take into account the following:

  • In the requests for rectification and updating of personal data, the Holder must indicate the corrections to be made and provide the documentation that supports his request.
  • Proa IA has full freedom to enable mechanisms that facilitate the exercise of this right, as long as they benefit the Holder of personal data. Consequently, electronic or other means that the company deems relevant and safe may be enabled.
  • Proa IA may establish forms, formats, systems and other methods, which will be reported in the Privacy Notice and made available to those interested on the website or at the facilities or offices of Proa IA.

Format M-SI-01-R06 Request for rectification or update of personal data

7.6 The right to data deletion.

The Holder of personal data has the right to request from Servinformacion the deletion (elimination) of his personal data. For this, the following assumptions will be taken into account:

  • That they are not being treated in accordance with the principles, duties and obligations set forth in the current regulations on Protection of Personal Data.
  • That they are no longer necessary or relevant for the purpose for which they were collected.
  • That the period necessary for the fulfillment of the purposes for which they were collected has been exceeded.

This deletion implies the secure elimination, total or partial, of personal information, as requested by the Holder, from the records, files, databases or treatments carried out by Servinformacion.

The right of deletion is not an absolute right, and Servinformacion, as Responsible for the Processing of personal data, may deny or limit its exercise when:

  • The Data Holder has a legal or contractual duty to remain in the database.
  • The elimination of data hinders judicial or administrative actions related to tax obligations, the investigation and prosecution of crimes or the update of administrative sanctions.
  • The data is necessary to protect the legally protected interests of the Holder; to perform an action based on the public interest, or to comply with an obligation legally acquired by the Holder.

Format M-SI-01-R08 Request for deletion of personal data

7.7 The right to revoke the authorization

Any Holder of personal data that corresponds to natural persons, may revoke at any time, the consent to the Treatment of these, provided that a legal or contractual provision does not prevent it. For this, Servinformacion has established simple and free mechanisms that allow the Holder to revoke his consent.

In cases where the revocation of the authorization is possible, it will be treated under the following two modalities:

  • Total Revocation: on all consented purposes, that is, Servinformacion must stop treating the data of the Holder of personal data completely.
  • Partial Revocation: on certain consented purposes, such as advertising, market research or other purposes. In this case, Proa IA must partially suspend the Processing of the Holder's data. The other purposes of the Treatment that the Responsible may carry out in accordance with the authorization granted, and with which the Holder agrees, are then maintained.

 

The right of revocation is not an absolute right and Proa IA as Responsible for the Processing of personal data, may deny or limit the exercise thereof when:

  • The Data Holder has a legal or contractual duty to remain in the database.
  • The revocation of the authorization of the Treatment hinders judicial or administrative actions related to tax obligations, the investigation and prosecution of crimes or the update of administrative sanctions.
  • The data is necessary to protect the legally protected interests of the Holder; to perform an action based on the public interest, or to comply with an obligation legally acquired by the Holder.

Format M-SI-01-R07 Request for revocation of authorization of personal data

7.8 Data protection in contracts.

In labor contracts or for the provision of services, Proa IA has included clauses with the purpose of previously and generally authorizing the Processing of personal data related to the execution of the contract, which includes the authorization to collect, modify or correct, in future moments, personal data of the Holder corresponding to natural persons. It has also included the authorization so that some of the personal data, if any, can be delivered or transferred to third parties with whom Proa IA has contracts for the provision of services, for the performance of outsourced or other tasks. In these clauses, mention is made of this Manual and its location on the Proa IA website, for proper consultation.

In contracts for the provision of external services, when the contractor requires personal data, Proa IA will provide such information, provided there is a prior and express authorization of the Holder of the personal data for this transfer. Personal data of a public nature, as defined in numeral 2 of article 3 of Regulatory Decree 1377 of 2013, are excluded from this authorization. Since in these cases third parties are in charge of data processing, their contracts will include clauses that specify the purposes and the treatments authorized by Proa IA and precisely define the use that these third parties can give to that data, as well as the obligations and duties established in Law 1581 of 2012, Regulatory Decree 1377 of 2013 and other regulations that regulate or complement this matter, including the necessary security measures that guarantee at all times the confidentiality, integrity and availability of the personal information entrusted for its Treatment.

For its part, when receiving data from third parties, Proa IA, as Responsible for the Processing of personal data, must verify that the purpose, or purposes, of the Treatments authorized by the Holder or allowed by legal, contractual or jurisprudential provisions are in force and that the content of the purpose is related to the cause for which said personal information will be received from the third party, because only in this way will it be empowered to receive and process such personal data. Proa IA is exempted from any processing of illegal personal data by the Data Controller.

Format P-COM-01-R01 SUPPLIER REGISTRATION

7.9 Transfer of personal data to third countries

In cases in which the development by Proa IA of any of its own functions or activities within its corporate purpose implies the transfer of personal data to third countries, the following conditions will govern:

The transfer of personal data to third countries will only be carried out when there is corresponding prior authorization from the Holder and prior authorization from the Delegation of Personal Data of the Superintendence of Industry and Commerce (SIC). These same conditions will be transferred and applied to those responsible for the Treatment.

An international transfer is considered to be any Treatment that involves a transmission of data outside the Colombian territory, whether a transfer of data is made, or if it was intended to provide a service to the Responsible outside Colombia.

Likewise, prior authorization must be obtained from the Delegate of Protection of Personal Data of the Superintendence of Industry and Commerce (SIC), when international transfers of data to countries that do not provide a certain level of protection are planned. This authorization can only be granted if adequate guarantees are obtained, such as contracts based on the type clauses approved by the Superintendence of Industry and Commerce (SIC), or the Binding Corporate Rules.

The international transfer of data may be made by request of Proa IA, establishing the purpose, the groups of interested parties or Holders of personal information, the data subject to transfer and the documentation that incorporates the guarantees required to obtain the authorization, which contains a description of the specific security measures that are going to be adopted, both by Proa IA and by the person in charge of the data at its destination.

Proa IA will not request authorization when the international transfer of data is covered by any of the exceptions provided in the Law, its Regulatory Decrees or any norm that regulates this matter. Examples of this are: the consent of the affected party to the transfer; that the transfer is necessary to establish the contractual relationship between the affected party and the Data Controller; and that the transfer refers to a monetary transaction.

7.10 General rules applicable.

Proa IA has established the following general rules for the protection of personal, sensitive and minor data, such as the care of databases, electronic files and personal information:

  • Proa IA guarantees the authenticity, confidentiality and integrity of the information under its responsibility.
  • The Proa IA Information Security Committee is the body that executes and designs the strategy for compliance with this Manual. Proa IA adopted all the necessary and possible technical measures to guarantee the protection and control of existing databases and under its control.
  • In cases where the infrastructure depends on a third party, Proa IA will ensure that both the availability of information and the care of personal, sensitive and minor data is a fundamental objective.
  • Proa IA will carry out periodic audits and controls to guarantee the correct implementation of Law 1581 of 2012, its decrees and regulations.
  • It is the responsibility of Proa IA officials to report immediately to the Superintendence of Industry and Commerce - Delegation of Personal Data - any incident of information leakage, computer damage, violation of personal data, data marketing, use of personal data of children or adolescents, impersonation, security incidents, violation of security codes or any type of behavior that could violate the privacy of a person or generate any type of discrimination.
  • The education and training of officials, suppliers, contractors, will be a fundamental duty and complement to this Manual.
  • The Data Protection Officer must identify and promote the authorizations of the Owners, privacy notices, notices in the web site, awareness campaigns, claim legends and other procedures to comply with Law 1581 of 2012 and other regulations that complement it.

8. PROCEDURE SO THAT THE HOLDERS OF THE INFORMATION MAY EXERCISE THE RIGHTS TO KNOW, UPDATE, RECTIFY AND DELETE INFORMATION AND REVOKE THE AUTHORIZATION.

 

  • Any query or claim against inherent rights of the Owners on personal data must be made by writing to the mail habeasdata@servinformacion.com of Proa IA, attaching a photocopy of the identity document of the interested Holder or any other equivalent document that proves his identity and Ownership in accordance with the Law.
  • The rights of access, update, rectification, deletion and revocation of the authorization of personal data are very personal and may only be exercised by the Owner. However, the Holder may exercise their rights through a legal representative or proxy when the person is in a situation of disability or minority that makes it impossible for them to exercise them, in which case it will be necessary for the legal representative or proxy to prove such condition.
  • No value or fee will be required for the exercise of the rights of access, update, rectification, deletion or revocation of the authorization in the case of personal data of natural persons. (The provisions of article 21 of Regulatory Decree 1377 of 2013 will be taken into account)
  • In order to facilitate the exercise of these rights, Proa IA makes available to the interested parties the appropriate physical or electronic formats for this purpose.
  • Once the terms set forth by Law 1581 of 2012 and the other regulations that regulate or complement it have been fulfilled, the Holder who is denied by the company, totally or partially, the exercise of the rights of access, update, rectification, deletion and revocation, may inform the National Authority for the Protection of Personal Data (Superintendence of Industry and Commerce - Delegation of Protection of Personal Data -) of the denial or of the disagreement regarding the right exercised.

9. ROLE OF PERSONAL DATA PROTECTION INSIDE PROA IA

9.1 The Responsible

The Responsible for the Processing of personal data of Proa IA is Rocío Domínguez, who will ensure due compliance with this Manual and the other regulations that regulate the proper use of personal data.

The contact details of the Responsible are: habeasdata@servinformacion.com

9.2 The Managers

The Manager in charge of the Processing of personal data is any natural or legal person, public or private, who performs the Processing of personal data on behalf of the Responsible for the Processing of Proa IA. This means that for each Data Processing the respective Managers have been defined and that they act by precise instruction of the Head of Proa IA, information that will be delivered to the Holder.

9.2.1 Duties of the Managers.

Proa IA distinguishes between Internal Manager and External Manager. Internal Managers are employees of Proa IA, while external managers are natural or legal persons that process data provided by Proa IA for the performance of an assigned task (agreements, suppliers, consultants, outsourcing companies, etc.)

The groups of Managers that Proa IA designates to perform specific data treatments are:

From the Financial and Accounting area - Financial Manager

From the Human Resources area - Human Management Manager

From the Commercial and Marketing area - Commercial Manager

From the Legal Department - Legal Advisor

From the Census Area - Census Manager

From the Systems area - IT Coordinator

10. THE NATIONAL REGISTRY OF DATABASES -RNBD-

In accordance with Art. 25 of Law 1581, its decrees, circulars and complementary regulations, the Holder or any interested party may find, registered in the National Registry of Databases (RNBD) provided by the Superintendence of Industry and Commerce (SIC) on its web page https://rnbd.sic.gov.co/sisi/consultaTitulares/consultas/, all databases with personal information treated by Proa IA and this Manual of Policies and Procedures.

11. VALIDITY

This Manual is effective as of the first (01) of December 2016.

Manual Updates: Proa IA may modify the terms and conditions of this policy as part of our effort to comply with the obligations established by Law 1581 of 2012, regulatory decrees and other regulations that complement, modify or repeal this policy, in order to reflect any changes in our operations or functions. In cases where this occurs, the new policy will be published in:

In the RNBD

12. CONTACT INFORMATION

If you have any questions about this policy, contact Proa IA or send your inquiry directly through any of the following communication channels:

SAS LOCATED INFORMATION - QUALITY AREA

ADDRESS CL 84 No24-78

EMAIL: habeasdata@servinformacion.com

PHONE: 57 (1) 2562030

13. REFERENCE TO OTHER DOCUMENTS

This personal data protection manual has been prepared in accordance with the following standards and documents:

Political Constitution of Colombia.

Law 1266 of 2008.

Law 1581 of 2012.

Decree 1377 of 2013.

Decree 886 of 2014.

Law 1273 of 2009.

SIC Circular 002 of 2015.

Security Document

Notice of Privacy.

Internal Work Regulations of Proa IA.

14. CHANGE HISTORY

Date | Revision | Description
1/12/2016 | 00 | Issue of the document.
1/12/2017 | 01 | Add formats for control

[1] Law 1581 of 2012, Article 3 literal c). Available in: http://www.secretariasenado.gov.co/senado/basedoc/ley/2012/ley_1581_2012.html. Last access: August 29, 2013.

[2] Law 1581 of 2012, Article 5. Available in: http://www.secretariasenado.gov.co/senado/basedoc/ley/2012/ley_1581_2012.html. Last access: August 29, 2013.