POLICIES AND SECURITY PROCEDURES
1. Legal Basis and Scope of Application:
The right to data protection enables every individual to know, update, and rectify the information collected about them in files or databases. This constitutional right is enshrined in Articles 15 and 20 of the Political Constitution; developed by Statutory Law 1581 of 2012, the Personal Data Protection Law (PDPL), which lays down general provisions for the protection of personal data; and partially regulated by Decree 1074 of 2015, in particular Chapter 25, Section 3, Article 2.2.2.25.3.2.

When the Data Subject consents to their data becoming part of a database of an institution, whether public or private, legal or natural person, that consent is given to the data controller. The data controller thereby assumes a number of obligations: to process the data securely and with due care, to guarantee its integrity, and to act as the party to whom the Data Subject can turn to monitor and control their information by exercising their rights of inquiry and claim.

Although responsibility for data processing rests with the data controller, its duties are carried out through the functions assigned to its staff. Personnel of the institution responsible for data processing who have direct or indirect access to databases containing personal data must be familiar with the data protection regulations, the company's data protection policy, and the Manual of Policies and Procedures for Data Protection, and are obliged to meet the security obligations attached to their functions and position.

To ensure compliance with these security obligations, INVERSIONES ECHEVERRY BARSA SAS appoints LINA MARIA HURTADO SANCHEZ as security officer, responsible for developing, coordinating, controlling, and verifying compliance with the security measures set out in the Manual of Policies and Procedures for Data Protection.
This policy applies to all personal data registered in databases subject to processing by the data controller and is directed at all data users, including both internal and external personnel of INVERSIONES ECHEVERRY BARSA SAS. All users identified in this security document are obliged to comply with the established security measures for data processing and are subject to the duty of confidentiality, even after the termination of their employment or professional relationship with the organization responsible for data processing. The duty of confidentiality, as outlined in Article 4, section h) of the Data Protection Law (PDPL), is formalized through the signing of a confidentiality agreement between the user and the data controller.
Type of Rule | Number and date of issue | Title | Issued by | Specific application |
---|---|---|---|---|
Statutory Law | 1581 of 2012 | "Whereby general provisions are issued for the protection of personal data". | Congreso de la República. | Develops the constitutional right of all persons to know, update, and rectify the information collected about them in databases or files, and the other constitutional rights, freedoms, and guarantees referred to in Article 15 of the Political Constitution, as well as the right to information enshrined in Article 20. |
Law | 1273 of 2009 | "Whereby the Penal Code is amended and a new protected legal interest, named 'the protection of information and data', is created" | Congreso de la República. | Amends the Penal Code, creates a new protected legal interest named "the protection of information and data", and comprehensively preserves systems that use information and communications technologies, among other provisions. |
Decree | 1377 of 2013 | "Whereby Law 1581 of 2012 is partially regulated" | Presidente de la República de Colombia | Partially regulates Law 1581 of 2012, which issues general provisions for the protection of personal data. |
Decree | 1074 of 2015 | "Whereby the Single Regulatory Decree of the Commerce, Industry and Tourism Sector is issued." | Presidente de la República de Colombia. | The Ministry of Commerce, Industry and Tourism has as its primary objective, within its competence, to formulate, adopt, direct, and coordinate the general policies on the country's economic and social development relating to the competitiveness, integration, and development of the productive sectors of industry |
2. Definitions established in Article 3 of the PDPL and Chapter 25 Section 1 Article 2.2.2.25.1.3 of Decree 1074 of 2015.
- Authorized Access: Authorization granted to a user to use specific resources. In automated systems it results from successful authentication, usually by entering a username and password.
- Authentication: The process of verifying the identity of a user.
- Authorization: Prior, express, and informed consent of the Data Subject to carry out the processing of personal data.
- Privacy Notice: Verbal or written communication generated by the data controller and directed to the Data Subject for the processing of their personal data. It informs them of the existence of the information processing policies that apply to them, how to access them, and the purposes of the intended processing.
- Database: An organized set of personal data subject to processing.
- Password: A secret code that grants access to devices, information, or otherwise inaccessible databases. It is used during user authentication to enable authorized access.
- Access Control: Mechanism that grants access to devices, information, or databases on the basis of authentication.
- Backup Copy: A copy of the data in a database, held on a support that allows it to be recovered.
- Personal Data: Any information linked or that can be linked to one or more identified or identifiable natural persons.
- Public Data: Data that is not semi-private, private, or sensitive. Public data includes, among others, data relating to the marital status of individuals, their profession or occupation, and their status as a trader or public servant. By its nature, public data may be contained in public records, public documents, gazettes and official bulletins, and duly executed court judgments that are not subject to confidentiality.
- Sensitive Data: Data that affects the privacy of the Data Subject or whose misuse may lead to discrimination. This includes data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, or human rights organizations, or that promotes the interests of any political party, as well as data relating to health, sexual life, and biometric data.
- Data Processor: Natural or legal person, public or private, who, alone or together with others, processes personal data on behalf of the data controller.
- Identification: The process of recognizing the identity of users.
- Incident: Any anomaly that affects or may affect data security and poses a risk to the confidentiality, availability, or integrity of databases or of the personal data they contain.
- User Profile: A group of users to whom access is granted.
- Protected Resource: Any component of the information system, such as databases, programs, supports, or equipment, used to store and process personal data.
- Security Officer: One or more persons appointed by the data controller to control and coordinate security measures.
- Information System: The set of databases, programs, supports, and/or equipment used for the processing of personal data.
- Data Controller: Natural or legal person, public or private, who, alone or together with others, decides on the database and/or the processing of the data.
- Support: Physical medium on which information is recorded or on which data can be stored or retrieved, such as paper, video tape, CD, DVD, hard disk, etc.
- User: A subject authorized to access data or resources, or a process that accesses data or resources without a subject being identified.
- Data Subject: Natural person whose personal data is subject to processing.
- Processing: Any operation or set of operations performed on personal data, such as collection, storage, use, circulation, or deletion.
- Transfer: Occurs when the data controller and/or data processor, located in Colombia, sends personal data to a recipient who is itself a data controller and is located inside or outside the country.
- Transmission: Processing of personal data that involves communicating the data inside or outside the territory of the Republic of Colombia for the purpose of processing on behalf of the data controller.

3. Principles of Data Protection:
Article 4 of the PDPL establishes the principles for the processing of personal data, which must be applied harmoniously and comprehensively in the development, interpretation, and application of the Law. The legal principles of data protection are as follows:

Principle of Legality: Data processing is a regulated activity that must adhere to what is established in the PDPL, Decree 1074 of 2015, and the other provisions that develop them.

Principle of Purpose: Processing must serve a legitimate purpose in accordance with the Constitution and the Law, and that purpose must be communicated to the Data Subject.

Principle of Freedom: Processing may only be carried out with the prior, express, and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that dispenses with consent. Data processing requires the prior and informed authorization of the Data Subject, given by any means that can be consulted later, except in the cases exempted by Article 10 of the PDPL:
- Information required by a public or administrative entity in the exercise of its legal functions or by judicial order.
- Public nature data.
- Cases of medical or health emergencies.
- Processing of information authorized by law for historical, statistical, or scientific purposes.
- Data related to the Civil Registry of individuals.

Principle of Truth or Quality: Information subject to processing must be truthful, complete, accurate, up to date, verifiable, and understandable. The processing of partial, incomplete, fragmented, or misleading data is prohibited.

Principle of Transparency: Processing must guarantee the Data Subject's right to obtain from the data controller or data processor, at any time and without restrictions, information about the existence of data concerning them. When requesting authorization from the Data Subject, the data controller must clearly and expressly inform them of the following, and retain proof that it has done so:
- The processing to which their data will be subjected and its purpose.
- That answering questions concerning sensitive data or the data of children and adolescents is optional.
- The rights they hold as Data Subject.
- The identity, physical address, email address, and telephone number of the data controller.

Principle of Access and Restricted Circulation: Processing is subject to the limits that derive from the nature of the personal data, the provisions of the PDPL, and the Constitution. Accordingly, processing may only be carried out by persons authorized by the Data Subject and/or persons provided for by law. Personal data, except public information, may not be made available on the internet or other means of mass disclosure or communication unless access is technically controllable so that knowledge of the data is restricted to the Data Subjects or to third parties authorized under the law.

Principle of Security: Information processed by the data controller or data processor must be handled with the technical, human, and administrative measures necessary to secure the records and to prevent their alteration, loss, or unauthorized or fraudulent consultation, use, or access. The data controller is responsible for implementing the corresponding security measures and for informing all personnel with direct or indirect access to the data. Users who access the data controller's information systems must know and comply with the security rules and measures that correspond to their functions. These rules and measures are set out in the Manual of Policies and Procedures for Data Protection, which is mandatory for all users and personnel of INVERSIONES ECHEVERRY BARSA SAS. Any change the data controller makes to the rules and measures governing the security of personal data must be communicated to the users.

Principle of Confidentiality: All persons involved in the processing of personal data that is not public in nature are obliged to keep the information confidential, even after their involvement in any of the tasks that make up the processing has ended. They may only supply or communicate personal data when doing so corresponds to activities authorized by the PDPL and in accordance with its terms.
4. Special Categories of Data.
4.1. Sensitive Data. Sensitive data refers to information that impacts the privacy of the Data Subject, and its misuse may lead to discrimination. This includes data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations, or promoting interests of any political party, as well as data related to health, sexual life, and biometric data. According to Article 6 of the Statutory Law on Personal Data Protection (PDPL), the processing of sensitive data is prohibited except when:
- The Data Subject has given explicit authorization for such processing, except in cases where the granting of such authorization is not required by law.
- The processing is necessary to safeguard the vital interests of the Data Subject, and the Data Subject is physically or legally incapacitated. In these events, legal representatives must provide their authorization.
- The processing is carried out in the course of legitimate activities and with due guarantees by a foundation, NGO, association, or any other non-profit organization, whose purpose is political, philosophical, religious, or union-related, and exclusively refers to its members or individuals with regular contact due to its purpose. In these events, data cannot be provided to third parties without the authorization of the Data Subject.
- The processing relates to data necessary for the recognition, exercise, or defense of a right in a judicial process.
- The processing has a historical, statistical, or scientific purpose. In this case, measures must be taken to ensure the suppression of the identity of the Data Subjects.
4.2. Data of Children and Adolescents. The processing of personal data of children and adolescents is permitted only to the extent that it:
- Responds to and respects the best interests of children and adolescents.
- Ensures respect for their fundamental rights.
The rights of the Data Subject may be exercised:
- By the Data Subject, who must sufficiently prove their identity through the various means made available by the data controller.
- By their successors in interest, who must prove that status.
- By the representative and/or attorney of the Data Subject, after accrediting the representation or power of attorney.
- By stipulation in favour of another or for another.
- The rights of children and adolescents will be exercised by those authorized to represent them.
The Data Subject may submit the following claims to the data controller:
- Correction Claim: The right of the Data Subject to have data that is partial, inaccurate, incomplete, or fragmented, that leads to error, or whose processing is expressly prohibited or not authorized, updated, rectified, or modified.
- Deletion Claim: The right of the Data Subject to have data that is inadequate or excessive, or that does not respect constitutional and legal principles, rights, and guarantees, deleted.
- Revocation Claim: The right of the Data Subject to withdraw the authorization previously granted for the processing of their personal data.
- Infringement Claim: The right of the Data Subject to request that non-compliance with data protection regulations be remedied.
5. Authorization of the Data Processing Policy.
In accordance with Article 9 of the Statutory Law on Personal Data Protection (PDPL), the prior and informed authorization of the Data Subject is required for the processing of personal data. By accepting this policy, every Data Subject who provides personal data consents to the processing of that data by INVERSIONES ECHEVERRY BARSA SAS under the terms and conditions set out in the policy. Authorization from the Data Subject will not be necessary in the following cases:
- Information required by a public or administrative entity in the exercise of its legal functions or by court order.
- Public nature data.
- Cases of medical or health emergencies.
- Processing of information authorized by law for historical, statistical, or scientific purposes.
- Data related to the Civil Registry of individuals.

6. Data Controller.
The data controller for the databases subject to this policy is INVERSIONES ECHEVERRY BARSA SAS, with the following contact information: Email: Protecciondedatos@echeverribarsa.com Phone: 3166913606

INVERSIONES ECHEVERRY BARSA SAS, in the course of its activities, processes personal data of natural persons that is held and processed in databases intended for legitimate purposes, in compliance with the Constitution and the Law. In accordance with Law 1581 of 2012 and with the authorizations granted by the Data Subjects, INVERSIONES ECHEVERRY BARSA SAS will carry out operations or sets of operations that include the collection, storage, use, circulation, and/or deletion of data, including delivery of data to third parties acting as data processors or controllers, all in accordance with the agreement reached between the parties.

This processing will be carried out exclusively for the authorized purposes set out in this Policy and in the specific authorizations granted by the Data Subject. Personal data will likewise be processed where there is a legal or contractual obligation to do so, always following the Information Security policies of INVERSIONES ECHEVERRY BARSA SAS. In all cases, personal data may be processed for the purpose of internal and external control and audit processes and of evaluations carried out by supervisory bodies.

Likewise, in the pursuit of its corporate purpose, INVERSIONES ECHEVERRY BARSA SAS will process personal data according to the stakeholder group concerned and in proportion to the purpose or purposes of each processing, as described below. The following table presents the different databases and the purposes assigned to each of them.
Databases and Purposes
7. Navigation Data
The navigation system and the software needed to run this website collect some personal data whose transmission is implicit in the use of Internet communication protocols. By its nature, this information could allow users to be identified by associating it with data held by third parties, even though it is not collected for that purpose. This category of data includes the IP address or domain name of the device used to access the website, the URL requested, the date and time of the request, and other parameters relating to the user's operating system. These data are used solely to obtain anonymous statistical information about the use of the website and to monitor that it is functioning correctly, and they are deleted immediately after that verification.

8. Cookies or Web Bugs

This website does not use cookies or web bugs to collect users' personal data; their use is limited to facilitating the user's access to the website. Session cookies, which are not stored permanently on the user's device and disappear when the browser is closed, are used only to collect the technical information needed to identify the session so that access to the website is secure and efficient. Cookies are also used to improve your experience, to understand how our services are used, and to personalize them. For example, we use cookies to provide our services and other services based on how our website is used. We may also use cookies to understand which articles in our help center are most popular, so as to show you relevant content related to our services. We may also use cookies to remember choices you have made, such as your language preference, to provide you with a safer experience, and otherwise to tailor our services to your interests. If you do not wish to allow cookies, you can reject or delete them in your browser's settings; note that disabling JavaScript only prevents cookies set by scripts, not those set by the server in HTTP response headers.
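A practitioner checking whether a site's cookie practice matches a statement like the one above (session cookies only, nothing stored permanently) can classify each Set-Cookie header the server returns: a cookie without Expires or Max-Age is discarded when the browser closes, while one carrying either attribute survives restarts. The following is an added example, not code from the original policy or from INVERSIONES ECHEVERRY BARSA SAS; the cookie names and header values are constructed for illustration and do not describe this website.

```javascript
// Added example: classify Set-Cookie headers as session-scoped or persistent
// so a site's real cookie behaviour can be compared with its stated policy.
// Not part of the original policy; header values below are constructed.

// Parse one Set-Cookie header value into { name, value, attributes }.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const [name, ...valueParts] = parts[0].split("=");
  const cookie = { name: name.trim(), value: valueParts.join("=").trim(), attributes: {} };
  for (const attr of parts.slice(1)) {
    const eq = attr.indexOf("=");
    const key = (eq === -1 ? attr : attr.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? true : attr.slice(eq + 1).trim();
    cookie.attributes[key] = val;
  }
  return cookie;
}

// Per RFC 6265, Max-Age takes precedence over Expires when both are present;
// a cookie with neither is a session cookie. Max-Age <= 0 tells the browser
// to delete the cookie immediately.
function classifyCookie(cookie) {
  const a = cookie.attributes;
  if ("max-age" in a) {
    return Number(a["max-age"]) <= 0 ? "deleted" : "persistent";
  }
  if ("expires" in a) {
    return "persistent";
  }
  return "session";
}

// Summarize every header: lifetime class plus the two hardening flags that
// matter most for a session identifier (Secure, HttpOnly).
function auditCookies(headers) {
  return headers.map(parseSetCookie).map((c) => ({
    name: c.name,
    kind: classifyCookie(c),
    secure: "secure" in c.attributes,
    httpOnly: "httponly" in c.attributes,
  }));
}

// Names of cookies that would outlive the browser session, i.e. those a
// "session cookies only" statement does not cover.
function findPersistentCookies(headers) {
  return auditCookies(headers)
    .filter((c) => c.kind === "persistent")
    .map((c) => c.name);
}

// Constructed sample headers (hypothetical cookie names, not from any real site).
const SAMPLE_HEADERS = [
  "SESSIONID=7f3a9c0e; Path=/; Secure; HttpOnly; SameSite=Lax",
  "lang=es; Path=/; Max-Age=31536000",
  "visitor_id=c1d2e3; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/",
];

console.log(auditCookies(SAMPLE_HEADERS));
console.log("persistent:", findPersistentCookies(SAMPLE_HEADERS));
```

In the constructed sample, the session identifier is correctly a session cookie with Secure and HttpOnly set, while the language preference and the visitor identifier are persistent. A preference that must be remembered between visits, as the text above describes for language choice, can only be kept in a persistent cookie, so an audit of this kind will flag it; a policy that promises only session cookies and also promises to remember preferences across visits should be read against the headers the site actually sends.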
9. Attention to Data Subjects
LINA MARIA HURTADO SANCHEZ will be in charge of handling requests, inquiries, and complaints where the data subject can exercise their rights, at the following email: Protecciondedatos@echeverribarsa.com.
10. Procedures for Exercising Data Subject Rights
10.1. Right of Access or Inquiry

Under Chapter 25, Section 4, Article 2.2.2.25.4.2.21 of Decree 1074 of 2015, the Data Subject may consult their personal data free of charge in two cases:
- At least once every calendar month.
- Each time there are substantial modifications to the information processing policies that prompt new inquiries.

The access or inquiry request must contain:
- Name and surname of the Data Subject.
- Copy of the ID card of the Data Subject and, if applicable, of the person representing them, together with the document accrediting such representation.
- Petition specifying the access or inquiry requested.
- Address for notifications, date, and signature of the applicant.
- Documents supporting the request, where applicable.

The response may be delivered by any of the following means:
- On-screen visualization.
- In writing, as a copy or photocopy sent by certified or ordinary mail.
- Email or other electronic means.
- Any other system suited to the configuration of the database or the nature of the processing.

10.2. Claims for Correction, Deletion, Revocation, or Infringement

The claim must contain:
- Name and surname of the Data Subject.
- Copy of the ID card of the Data Subject and, if applicable, of the person representing them, together with the document accrediting such representation.
- Description of the facts and the request, specifying whether correction, deletion, revocation, or infringement is claimed.
- Address for notifications, date, and signature of the applicant.
- Documents supporting the claim being asserted, where applicable.
11. Security Measures
To comply with the security principle established in Article 4, literal g) of the PDPL, INVERSIONES ECHEVERRY BARSA SAS has implemented the technical, human, and administrative measures necessary to secure the records and to prevent their alteration, loss, or unauthorized or fraudulent consultation, use, or access. In addition, through the signing of the corresponding transmission contracts, INVERSIONES ECHEVERRY BARSA SAS has required the processors it works with to implement the security measures necessary to guarantee the security and confidentiality of the information in the processing of personal data.

12. Validity
The databases under the responsibility of INVERSIONES ECHEVERRY BARSA SAS will be subject to processing for as long as is reasonable and necessary for the purpose for which the data is collected. Once the purpose or purposes of the processing have been fulfilled, and without prejudice to legal norms that stipulate otherwise, INVERSIONES ECHEVERRY BARSA SAS will proceed to delete the personal data in its possession unless there is a legal or contractual obligation that requires its retention. Therefore, this database has been created without a defined validity period. This document enters into effect on 01-09-2022.