PERSONAL DATA PROTECTION POLICIES AND PROCEDURES MANUAL
CREATIVE GROUP LTDA
Tax ID: 830.144.329-7
Address: Carrera 20 No. 63c-33
Phone: (1) 2120043
E-mail: administracion@creativegroup.com.co
BOGOTA – COLOMBIA
2016
CHAPTER I GENERAL PROVISIONS
ARTICLE 1. APPLICABLE LEGISLATION.
This document was prepared taking into account the provisions contained in Articles 15 and 20 of the Political Constitution, Law 1581 of 2012 “Whereby general provisions are issued for the protection of personal data”, Decree 1377 of 2013 “Whereby Law 1581 of 2012 is partially regulated” and Decree 886 of 2014, “Whereby Article 25 of Law 1581 of 2012 is regulated, regarding the National Database Registry”. All other regulations that complement or replace the above shall be applicable to these Policies.
ARTICLE 2. SCOPE OF APPLICATION.
This document applies to the treatment of personal data collected and handled by CREATIVE GROUP LTDA, a company domiciled at Carrera 20 No. 63c-33 in Bogotá D.C. with e-mail: administracion@creativegroup.com.co and telephone: 2120043 in Bogotá.
ARTICLE 3. DATABASES.
The policies and procedures contained in this document apply to the databases managed by the company, which will be registered in accordance with the provisions of Decree 886 of 2014 “By which Article 25 of Law 1581 of 2012 is regulated” and External Circular 002 of 2015 that “Added the Second Chapter in Title V of the Single Circular of the Superintendence of Industry and Commerce”, whose period of validity will be counted from the date of authorization and until the cessation of operations of the company.
ARTICLE 4. OBJECT.
This document complies with the provisions of Article 17(k) of Law 1581 of 2012, which regulates the duties of those responsible for the processing of personal data, among which is the adoption of an internal manual of policies and procedures to ensure proper compliance with the law and especially for the attention of queries and complaints, as well as the provisions of Article 13 of Decree 1377 of 2013 (“By which Law 1581 of 2012 is partially regulated”), which establishes the obligation of the Controllers to develop their policies for the processing of personal data and ensure that the Processors fully comply with them, and Decree 886 of 2014, which regulates matters related to the National Registry of Databases. It also has the purpose of regulating the procedures for the collection, handling and treatment of personal data by CREATIVE GROUP LTDA, in order to guarantee and fundamental right of habeas data in the framework of the provisions of Law 1581 of 2012 and its regulatory Decrees.
ARTICLE 5. DEFINITIONS.
For the purposes of the application of the rules contained in this document and in accordance with the provisions of Article 3 of Law 1581 of 2012, it is understood by:
a) Authorization: Prior, express and informed consent of the Data Subject to carry out the Processing of personal data.
b) Privacy Notice: Verbal or written communication generated by the Controller, addressed to the Data Subject for the processing of his personal data, by means of which he is informed about the existence of the information processing policies that will be applicable to him, the way to access them and the purposes of the processing that is intended to be given to the personal data.
c) Database: Organized set of personal data that is the object of processing.
d) Personal data: Any information linked or that can be associated to one or several determined or determinable natural persons.
e) Public data: Data that is not semi-private, private or sensitive. Data related to the marital status of individuals, their profession or trade and their status as merchants or public servants, among others, are considered public data. By their nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins and duly executed court rulings that are not subject to confidentiality.
f) Private data: Data that, due to its intimate or reserved nature, is only relevant to the Data Subject.
g) Sensitive data: Sensitive data are understood as those that affect the privacy of the Data Subject or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life and biometric data.
h) Data Processor: Natural or legal person, public or private, that by itself or in association with others, carries out the Processing of personal data on behalf of the Controller.
i) Data Controller: Natural or legal person, public or private, who by itself or in association with others, decides on the database and/or the processing of data.
j) Data Subject: Natural person whose personal data is the object of Processing.
k) Transfer: The transfer of data takes place when the Controller and/or Processor of personal data, located in Colombia, sends the information or personal data to a recipient, which in turn is the Data Controller and is located inside or outside the country.
l) Transmission: Processing of personal data that involves the communication of such data within or outside the territory of the Republic of Colombia when its purpose is the performance of a Processing by the Processor on behalf of the Controller.
m) Processing: Any operation or set of operations on personal data, such as the collection, storage, use, circulation or deletion thereof.
The definitions used in this article are indispensable elements for the protection of the right to habeas data, and allow a correct and appropriate interpretation of this document and the provisions contained in Law 1581 of 2012, its regulatory Decrees and other binding rules, and contribute to determine the responsibilities of those involved in the processing of personal data.
ARTICLE 6. PRINCIPLES.
The principles set forth below constitute the general parameters to be respected by CREATIVE GROUP LTDA in the processes of collection, use and processing of personal data.
a) Principle of legality in data processing: The processing referred to in this law is a regulated activity that must be subject to the provisions set forth therein and in the other provisions that develop it.
b) Principle of purpose: The processing of personal data collected by CREATIVE GROUP LTDA must obey a legitimate purpose of which the Data Subject must be informed.
c) Principle of freedom: Processing may only be carried out with the prior, express and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves the consent.
d) Principle of truthfulness or quality: The information subject to Processing must be truthful, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fractioned or misleading data is prohibited.
e) Principle of transparency: The right of the Data Subject to obtain from CREATIVE GROUP LTDA, at any time and without restrictions, information about the existence of data concerning him/her, must be guaranteed in the processing of such data.
f) Principle of restricted access and circulation: Processing may only be carried out by persons authorized by the Data Controller and/or by the persons provided for in the Law. Personal data, except for public information, may not be made available on the Internet or other means of mass dissemination or communication, unless access is technically controllable to provide restricted knowledge only to Data Holders or authorized third parties.
g) Principle of security: The information subject to treatment by CREATIVE GROUP LTDA, shall be protected through the use of technical, human and administrative measures necessary to provide security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.
h) Principle of confidentiality: All persons involved in the processing of personal data are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks involved in the processing.
CHAPTER II AUTHORIZATION
ARTICLE 7. AUTHORIZATION.
The collection, storage, use, circulation and deletion of personal data by CREATIVE GROUP LTDA requires the free, prior, express and informed consent of the data owners. CREATIVE GROUP LTDA, as the party responsible for the processing of personal data, has put in place the necessary mechanisms to obtain the authorization of the data subjects, at the latest at the time of the collection of their data, ensuring in any case that it is possible to verify the granting of such authorization.
ARTICLE 8. FORM AND MECHANISMS FOR GRANTING THE AUTHORIZATION.
The authorization may be recorded in a physical or electronic document, or in any other format that guarantees its subsequent consultation, or by means of a suitable technical or technological mechanism by means of which it may be unequivocally concluded that, had there been no conduct by the Data Subject, the data would never have been collected and stored in the database. The authorization form will be prepared by CREATIVE GROUP LTDA and will be made available to the Data Subject prior to the processing of his/her personal data, in accordance with the provisions of Law 1581 of 2012 and Decree 1377 of 2013. The consent authorization procedure guarantees that the Data Subject has been informed that his/her personal information will be collected and used for specific and known purposes, and that he/she has the right to request access, updating, rectification and deletion of his/her personal information at any time, through the mechanisms made available by CREATIVE GROUP LTDA. The above is done in order for the Data Subject to make informed decisions regarding his/her personal information and to control the use of his/her personal information.
The authorization is a statement that informs the Data Subject of the personal data:
a) Who collects your personal information (responsible or in charge)
b) What is collected (data collected)?
c) Why do you collect the data (the purposes of the processing)?
d) How to exercise rights of access, correction, updating or deletion of personal data provided.
e) Inform the Data Subject that since it is sensitive data (if applicable) he/she is not obliged to authorize its processing.
ARTICLE 9. PROOF OF AUTHORIZATION.
CREATIVE GROUP LTDA will adopt the necessary measures to keep records or suitable technical or technological mechanisms of when and how it obtained the authorization by the owners of personal data for the processing of the same.
ARTICLE 10. PRIVACY NOTICE.
The Privacy Notice is the physical document, electronic or in any other format, which is made available to the Data Subject for the processing of their personal data no later than the time of collection of personal data. Through this document, the Data Subject is informed of the existence of the information processing policies that will be applicable to him/her, the way to access them and the characteristics of the processing that is intended to be given to the personal data.
ARTICLE 11. MINIMUM CONTENT OF THE PRIVACY NOTICE.
The Privacy Notice, at a minimum, shall contain the following information:
a) The identity, address and contact details of the Data Controller;
b) The type of processing to which the data will be subjected and its purpose;
c) The rights of the Holder;
d) The general mechanisms provided by the Controller for the Data Subject to know the information processing policy and the substantial changes that occur in it or in the corresponding Privacy Notice. In all cases, it must inform the Data Subject how to access or consult the information processing policy.
e) Notwithstanding the foregoing, when sensitive personal data is collected, the privacy notice shall expressly state the optional nature of the response to questions concerning this type of data.
ARTICLE 12. PRIVACY NOTICE AND INFORMATION TREATMENT POLICIES.
CREATIVE GROUP LTDA will keep the model of the privacy notice that was transmitted to the Data Controllers as long as the processing of personal data is carried out and the obligations deriving therefrom last. For the storage of the model, CREATIVE GROUP LTDA may use computer, electronic or any other technology.
CHAPTER III RIGHTS AND DUTIES
ARTICLE 13. RIGHTS OF THE OWNERS OF THE INFORMATION.
In accordance with the provisions of Article 8 of Law 1581 of 2012 and Articles 21 and 22 of Decree 1377 of 2013 the Holder of personal data has the following rights:
a) To know, update and rectify their personal data before CREATIVE GROUP LTDA, in its capacity as data controller.
b) To request proof of the authorization granted to CREATIVE GROUP LTDA, in its capacity as Data Controller.
c) Be informed by CREATIVE GROUP LTDA, upon request, regarding the use that has been made of their personal data.
d) File complaints before the Superintendence of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and other regulations that modify, add or complement it, once the consultation or complaint process has been exhausted before the Data Controller.
e) To revoke the authorization and/or request the deletion of the data when the processing does not respect the constitutional and legal principles, rights and guarantees.
f) Access free of charge to your personal data that have been subject to Processing.
CREATIVE GROUP LTDA will maintain enabled means of contact so that the Data Owners may exercise their rights and apply the procedures set forth in Chapter IV of these Policies, which will be informed and made available in the Privacy Notice.
ARTICLE 14. DUTIES OF CREATIVE GROUP LTDA IN RELATION TO THE PROCESSING OF PERSONAL DATA.
CREATIVE GROUP LTDA will keep in mind, at all times, that the personal data is the property of the persons to whom they refer and that only they can decide on them. In this sense, it will use them only for those purposes for which it is duly empowered, and respecting in any case Law 1581 of 2012, Decree 1377 of 2013 and Decree 886 of 2014 and other applicable rules on personal data protection.
In accordance with the provisions of Article 17 of Law 1581 of 2012 and Articles 21 and 22 of Decree 1377 of 2013, CREATIVE GROUP LTDA undertakes to comply permanently with the following duties in relation to the processing of personal data:
a) Guarantee to the Data Subject, at all times, the full and effective exercise of the right of habeas data;
b) Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access;
c) Duly inform the Data Subject about the purpose of the collection and the rights he/she is entitled to by virtue of the authorization granted;
d) Ensure that the information provided to the Data Processor is truthful, complete, accurate, updated, verifiable and understandable;
e) Update, rectify or delete data in a timely manner, that is, within the terms set forth in Articles 14 and 15 of Law 1581 of 2012;
f) To provide to the Data Processor, as the case may be, only data whose Processing is previously authorized in accordance with the provisions of this law;
g) To demand from the Data Processor at all times, respect for the security and privacy conditions of the Data Subject’s information;
h) To inform, upon request of the Data Subject, about the use given to his/her data;
i) To process the queries and claims made by the Holders under the terms set forth in Articles 14 and 15 of Law 1581 of 2012;
j) Insert in the database the legend “information under judicial discussion” once notified by the competent authority about judicial processes related to the quality or details of the personal data;
k) Insert in the database the legend “claim in process” and the reason for the claim, within a term no longer than two (2) business days of receiving the completed claim.
l) Refrain from circulating information that is being disputed by the Holder and whose blocking has been ordered by the Superintendence of Industry and Commerce;
m) Allow access to information only to those persons who may have access to it;
n) Inform the Superintendence of Industry and Commerce when there are violations to the security codes and there are risks in the administration of the information of the Holders;
o) Designate an area that assumes the function of personal data protection, which will process the requests of the Holders, for the exercise of the rights referred to in Law 1581 of 2012 and Decree 1377 of 2013.
p) Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
CHAPTER IV ACCESS, CONSULTATION AND COMPLAINT PROCEDURES
ARTICLE 15. RIGHT OF ACCESS.
The power of disposition or decision that the Data Subject has over the information that concerns him/her, necessarily entails the right to access and consult if his/her personal information is being processed, as well as the scope, conditions and generalities of such processing.
In this way, CREATIVE GROUP LTDA must guarantee the Data Subject’s right of access in three ways:
a) The first implies that the Data Subject may know the effective existence of the processing to which his or her personal data are subjected.
b) Secondly, that the Data Subject may have access to his/her personal data held by the Data Controller.
c) The third one, implies the right to know the essential circumstances of the processing, which translates into the duty of CREATIVE GROUP LTDA to inform the Data Subject about the type of personal data processed and each and every one of the purposes that justify the processing.
PARAGRAPH: CREATIVE GROUP LTDA will guarantee the right of access when, prior accreditation of the identity of the Holder or the personality of its representative, the details of the personal data are made available to the Holder, free of charge, through electronic means that allow direct access to them by the Holder. Such access must be provided without time limit and must allow the Data Subject to know and update them online.
ARTICLE 16. CONSULTATIONS.
In accordance with the provisions of Article 14 of Law 1581 of 2012 and Article 21 of Decree 1377 of 2013, the Holders or their successors in title may consult the personal information of the Holder contained in any database.
Consequently, CREATIVE GROUP LTDA will guarantee the right of consultation, providing the Data Controllers with all the information contained in the individual registry or that is linked to the identification of the Data Controller.
For the attention of requests for consultation of personal data CREATIVE GROUP LTDA guarantees:
a) Enable electronic means of communication or other means it deems pertinent.
b) Establish forms, systems and other simplified methods, which must be informed in the privacy notice.
c) Use the customer service or claims services it has in operation.
In any case, regardless of the mechanism implemented for the attention of consultation requests, they will be attended within a maximum term of ten (10) working days from the date of receipt. When it is not possible to attend the consultation within said term, the interested party shall be informed before the expiration of ten (10) days, stating the reasons for the delay and indicating the date on which the consultation will be attended, which in no case may exceed five (5) working days following the expiration of the first term.
ARTICLE 17. CLAIMS.
In accordance with the provisions of Article 15 of Law 1581 of 2012, the Data Subject or their assignees who consider that the information contained in a database should be corrected, updated or deleted, or when they notice the alleged breach of any of the duties contained in Law 1581 of 2012, Decree 1377 of 2013 or any other applicable regulation, may file a complaint with the Data Controller, which will be processed under the following rules:
a) The claim may be filed by the Holder, taking into account the information set forth in Article 15 of Law 1581 of 2012 and Article 9 of Decree 1377 of 2013. If the claim received does not have complete information that allows it to be processed, that is, with the identification of the Holder, the description of the facts that give rise to the claim, the address, and accompanying documents to be asserted, the interested party will be required within five (5) days of receipt to correct the faults. After two (2) months from the date of the request without the applicant submitting the required information, it will be understood that the claim has been withdrawn.
b) If for any reason a claim is received that in reality should not be directed against CREATIVE GROUP LTDA, it will transfer it, to the extent of its possibilities, to the appropriate person within a maximum term of two (2) working days, and will inform the interested party of the situation.
c) Once the complete claim has been received, a legend stating “claim in process” and the reason for the claim will be included in the database maintained by the Responsible Party, within a term no longer than two (2) business days of receipt of the complete claim. Such legend shall be maintained until the claim is decided.
d) The maximum term to address the claim shall be fifteen (15) business days from the day following the date of its receipt. When it is not possible to attend it within said term, the interested party will be informed before the expiration of said term the reasons for the delay and the date on which the claim will be attended, which in no case may exceed eight (8) working days following the expiration of the first term.
ARTICLE 18. IMPLEMENTATION OF PROCEDURES TO GUARANTEE THE RIGHT TO FILE COMPLAINTS.
At any time and free of charge, the Data Subject or his/her representative may request CREATIVE GROUP LTDA to rectify, update or delete his/her personal data, prior accreditation of his/her identity.
1) The rights of rectification, updating or suppression may be exercised by:
a) The Holder or its assignees, upon proof of their identity, or through electronic instruments that allow them to identify themselves.
b) By the representative and/or attorney-in-fact of the Holder, prior accreditation of the representation or power of attorney.
c) By stipulation in favor of or for another.
d) The rights of children or adolescents shall be exercised by persons who are authorized to represent them.
When the request is made by a person other than the Holder and it is not accredited that such person is acting on behalf of the Holder, it shall be deemed not to have been filed.
2) The request for rectification, update or deletion must be submitted through the means enabled by CREATIVE GROUP LTDA indicated in the privacy notice and contain, at least, the following information:
a) The name and address of the Registrant or any other means to receive the response.
b) Documents proving the identity or personality of its representative.
c) The clear and precise description of the personal data with respect to which the Data Subject seeks to exercise any of the rights.
d) If necessary, other elements or documents that facilitate the location of the personal data.
PARAGRAPH ONE. RECTIFICATION AND UPDATING OF DATA. CREATIVE GROUP LTDA has the obligation to rectify and update at the Holder’s request, the information of the Holder that turns out to be incomplete or inaccurate, in accordance with the procedure and terms indicated above. In requests for rectification and updating of personal data, the Data Subject must indicate the corrections to be made and provide the documentation supporting his request. CREATIVE GROUP LTDA is free to enable mechanisms that facilitate the exercise of this right, as long as they benefit the Data Subject. Accordingly, electronic or other means deemed appropriate may be made available. CREATIVE GROUP LTDA may establish forms, systems and other simplified methods, which must be informed in the privacy notice and will be made available to interested parties on the website. Whenever CREATIVE GROUP LTDA makes available a new tool to facilitate the exercise of their rights by the Holders of information or modifies the existing ones, it will inform through a digital or physical communication.
PARAGRAPH TWO. SUPPRESSION OF DATA. The Data Subject has the right, at any time, to request CREATIVE GROUP LTDA the suppression (deletion) of his/her personal data when:
a) Consider that they are not being treated in accordance with the principles, duties and obligations set forth in Law 1581 of 2012 and Decree 1377 of 2013.
b) Are no longer necessary or relevant for the purpose for which they were collected.
c) The period necessary for the fulfillment of the purposes for which they were collected has been exceeded.
THIRD PARAGRAPH. EXERCISE OF THE RIGHT TO SUPPRESSION. This deletion implies the total or partial elimination of personal information as requested by the Holder in the records, files, databases or processing carried out by CREATIVE GROUP LTDA. It is important to note that the right of cancellation is not absolute and the Controller may deny the exercise of the same when:
a) The Data Subject has a legal or contractual duty to remain in the database.
b) The deletion of data hinders judicial or administrative proceedings related to tax obligations, the investigation and prosecution of crimes or the updating of administrative sanctions.
c) The data is necessary to protect the legally protected interests of the Data Subject; to carry out an action in the public interest, or to comply with an obligation legally acquired by the Data Subject.
In the event that the cancellation of the personal data is appropriate, CREATIVE GROUP LTDA must carry out the deletion in such a way that the deletion does not allow the recovery of the information.
ARTICLE 19. REVOCATION OF THE AUTHORIZATION.
Personal data subjects may revoke their consent to the processing of their personal data at any time, provided that this is not prevented by a legal or contractual provision. For this purpose, CREATIVE GROUP LTDA shall establish simple, easily accessible and free mechanisms that allow the Data Subject to revoke his/her consent, at least by the same means by which it was granted and in the terms stipulated in Law 1581 of 2012, its regulatory Decrees and amending or complementary rules. It should be noted that there are two ways in which revocation of consent may occur.
The first one, may be on the totality of the consented purposes, that is, CREATIVE GROUP LTDA must stop processing the data of the Data Subject; the second one, may occur on specific types of processing, such as for advertising or market research purposes. With the second modality, that is, the partial revocation of consent, other purposes of the processing that the Controller, in accordance with the authorization granted, may carry out and with which the Data Subject agrees, remain unaffected.
Therefore, at the time of submitting the revocation request, it will be necessary for the Holder to indicate whether the revocation he/she intends to make is total or partial. In the second hypothesis, it should be indicated with which treatment the Data Subject does not agree. There will be cases in which the consent, due to its necessary nature in the relationship between the Data Subject and the Data Controller for the fulfillment of a contract, may not be revoked by law. The mechanisms or procedures that CREATIVE GROUP LTDA establishes to meet the requests for revocation of the consent granted may not exceed the deadlines set to meet the claims as stated in Article 15 of Law 1581 of 2012.
CHAPTER V INFORMATION SECURITY
ARTICLE 20. SECURITY MEASURES.
In development of the security principle established in Law 1581 of 2012, CREATIVE GROUP LTDA will adopt the technical, human and administrative measures necessary to provide security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.
ARTICLE 21. IMPLEMENTATION OF SECURITY MEASURES.
CREATIVE GROUP LTDA will maintain security protocols of mandatory compliance for personnel with access to personal data and information systems.
The procedure should consider, as a minimum, the following aspects:
a) Training of the personnel that enters the Company about the Personal Data Processing Policy and the security mechanisms and protocols for the processing of personal data.
b) Scope of application of the procedure with detailed specification of the protected resources.
c) Measures, norms, procedures, rules and standards aimed at guaranteeing the level of security required by Law 1581 of 2012 and Decree 1377 of 2013.
d) Functions and obligations of the personnel.
e) Structure of the personal databases and description of the information systems that process them.
f) Procedure for notification, management and response to incidents.
g) Procedures for backing up and recovering data.
h) Periodic controls to be carried out to verify compliance with the provisions of the security procedure to be implemented.
i) Measures to be adopted when a medium or document is transported, discarded or reused.
j) The procedure shall be kept up to date at all times and shall be reviewed whenever relevant changes occur in the information system or in its organization.
k) The content of the procedure shall at all times comply with the provisions in force regarding the security of personal data.
CHAPTER VI FINAL PROVISIONS
ARTICLE 22.
CREATIVE GROUP LTDA designates the ADMINISTRATION area or whoever takes its place, to comply with the function of personal data protection. ADMINISTRATION or whoever acts in its stead, will process the requests of the Holders, for the exercise of the rights of access, consultation, rectification, updating, suppression and revocation referred to in Law 1581 of 2012. The above, if necessary, will be done with the support of the CUSTOMER SERVICE area.
PARAGRAPH. CREATIVE GROUP LTDA designates ADMINISTRATION as responsible for the adoption and implementation of the obligations set forth in Law 1581 of 2012.
ARTICLE 23. VALIDITY.
This Personal Data Policy was created on October 07, 2016 and is effective as of November 01, 2016. Any change with respect to the present policy will be informed through a written or virtual communication.