Policy for the treatment of personal data
OUR COMPANY informs the Holders of Personal Data that are processed in any way by the company of this information processing policy, thereby complying with the Law. The main purpose of this Policy is to inform the Holders of Personal Data of their rights, the procedures and mechanisms provided by the company to enforce those rights of the Holders, and to inform them of the scope and purpose of the Processing to which the Personal Data will be subjected in case the Holder grants its express, prior and informed authorization. The company also ratifies its commitment with the various stakeholders with whom it relates; and with the clear interest to respect all their rights, especially with this instrument their right to Habeas Data, privacy and other related rights.
CHAPTER I
General Provisions
a) Authorization: It is the prior, express and informed consent of the Data Subject to carry out the Processing of his/her personal data.
b) Database: It is the set of personal data that are subject to processing regardless of the modality of the same.
c) Financial Data: It is all Personal Data referring to the birth, execution and extinction of monetary obligations, regardless of the nature of the contract that gives rise to them, whose Processing is governed by the corresponding rules.
d) Personal Data: It is any information related or relatable to a natural person.
e) Public Data: It is that which the law designates as such, or that which is contained in public records, certificates, documents or databases.
f) Sensitive Data: It is personal data related to the privacy of the Data Subject or that may give rise to discrimination or differential treatment. Biometric data are also part of this category.
g) Data Processor: It is the natural or legal person, of public or private nature, which by itself or in association with others, performs the Processing of Personal Data on behalf of the Data Controller.
h) Authorized: It is the person and his dependents who by virtue of the Authorization and these Policies have the legitimacy to Process the Personal Data of the Data Subject. The Authorized Party includes the gender of the Entitled Parties.
i) Qualification: It is the legitimization that expressly and in writing by means of a contract or document that takes its place, granted by the Company to third parties, in compliance with the applicable Law, for the Processing of Personal Data, turning such third parties into Processors of the Personal Data provided or made available.
j) Responsible for Treatment: The person, authorized by the Data Subject, who manages and makes decisions regarding the Database.
k) Headline: It is the natural person to whom the data contained in the Database refer, and the object of protection of the Law and concordant norms.
l) Transfer: It is the communication of personal data between the processor and the data controller.
m) Transmission: It is the activity of Personal Data Processing by means of which the same are communicated, internally or with third parties, inside or outside the country, when such communication has the purpose of carrying out any activity of Personal Data Processing.
n) Processing of Personal Data: It is all aimed at the processing of databases, as well as their transfer to third parties.
The purpose of the Database and Information Processing Policy is to develop the procedure for collecting, storing, using and performing any activity on personal data, and the other rights, freedoms and constitutional guarantees; as well as the right to information of the same, as stipulated by law and other concordant norms.
The Company states that the guidelines for the processing of personal data will be those provided by the regulations in force on the matter.
All data collected by The Company is intended to: i) Generate and manage the collection of all the information necessary to comply with tax, commercial, civil, civil, labor, legal obligations and in general any obligation that concerns The Company; ii) Manage The Company with respect to its customers, suppliers, shareholders and other stakeholders; with respect to customers, the information collected may be used, without restriction, for the following purposes: providing information to financial entities for the management of financial services; customer loyalty; customer service management; advertising; marketing; commercial management and contact; contacts for informative mailings; sending physical and e-mail correspondence; portfolio management; offering for sale, rent and exchange of real estate; receiving and sending real estate offers; transferring information for contractual purposes; updating or correcting real estate data; information from our commercial allies; making calls (call center) for administrative, commercial and advertising purposes; and in general, information related to the activity implied by the contracts entered into between the parties; developing technologies, services or plans that represent a better service for the clients iii) To comply with the legal and contractual obligations of The Company; iv) Act within the framework of the legal requirements in order to verify the legal nature and situation of some clients, contractors or suppliers; v) Keep the physical or digital file for the legally required time in such a way that they can be consulted later by the Holder or an authority; vi) The transfer and transmission of the Databases when necessary to comply with collection actions, credit processing, legal actions and in general the other purposes provided for in this numeral; vii) Management of employee information related to payroll, social management, social security, selection processes, contractual linkage and employee welfare ix) Other activities necessary for the effective provision of any of the usual or incidental services provided by The Company.
The principles indicated in this article are the guidelines that will be respected by The Company in the processes of collection, storage, use and administration of personal data:
- Principle of legality in the processing of personal data: The Processing referred to in this Policy is an activity regulated by law, which must be subject to the provisions set forth therein and in the other provisions that develop it.
- Principle of finality: The treatment obeys to the purposes established in the fourth article of the present document.
- Principle of freedom: Processing may only be carried out with the prior, express and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of legal or judicial mandate that relieves the consent.
- Principle of truthfulness: The information subject to Processing must be truthful, complete, accurate, updated, verifiable and understandable.
- Principle of transparency: The right of the Data Subject to obtain from the Data Controller or the Data Processor, at any time and without restrictions, information about the existence of data concerning him/her, must be guaranteed in the Processing.
- Principle of restricted access and circulation: The processing of personal data and databases may only be done by The Company or whoever it delegates according to the authorization given by the Holder. Personal data may not be available in media of public access and mass dissemination. In case of being stored in the cloud, software or similar mechanisms, these will have restricted access and will not be public.
- Safety principle: The company will provide minimum security conditions to protect the information contained in its databases, for this purpose, basic archiving measures will be implemented for physical documents and digital security systems such as anti-virus and/or cloud storage for digital files.
- Principle of confidentiality: As a general rule and except as provided by law, in the respective contract, or in this Policy (with the authorization of the Holder in the latter two cases) the information and personal data will be treated confidentially.
CHAPTER II
Rights and Duties
In accordance with the Law, the Personal Data Owners have the following rights: i) To know, update and rectify their Personal Data with respect to the company or the Data Processors. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or data whose Processing is expressly prohibited or has not been authorized; ii) Request proof of the Authorization granted to the company, unless the Law indicates that such Authorization is not necessary; iii) Submit requests to the company or the Data Processor regarding the use given to their personal data, and that they provide such information; v) To revoke their Authorization and/or request the deletion of their Personal Data from the company's databases, when the Superintendence of Industry and Commerce has determined through a definitive administrative act that in the Processing the company or the Data Processor has incurred in conduct contrary to the Law or when there is no legal or contractual obligation to maintain the personal data in the database of the Responsible Party; vi) Request access and access free of charge to their personal data that have been subject to Processing in accordance with the Law; vii) Be informed of the modifications to the terms of this Policy prior to the implementation of the new modifications or, failing that, of the new information processing policy; viii) Have easy access to the text of this Policy and its modifications; ix) To have easy and simple access to the personal data under the control of the company in order to effectively exercise the rights granted to the Data Controllers by the Law; x) To know the agency or person authorized by the company to whom he/she may submit complaints, queries, claims and any other request regarding his/her personal data.
The Holders may exercise their legal rights and carry out the procedures established in this Policy by presenting their original identification document. Minors may exercise their rights personally, or through their parents or adults who hold parental authority, who must prove it through the relevant documentation. Likewise, the rights of the Holder may be exercised by the assignees who can prove such capacity, the representative and/or attorney-in-fact of the holder with the corresponding accreditation and those who have made a stipulation in favor of another or for another. The petitions may be filed physically or via e-mail according to the data in the header.
The company will be directly responsible for and in charge of the processing of personal data; it may delegate any area or unit for such purposes. In general, the company undertakes to: i) Receive the requests from personal data owners, process and respond to those that are based on the Law or this document, such as, for example: requests to update personal data; requests to know the personal data; requests for deletion of personal data when the Data Subject submits a copy of the decision of a competent control body in accordance with the provisions of the Law, requests for information on the use given to their Personal Data, requests to update the Personal Data, requests for proof of the Authorization granted, when it has proceeded according to the Law; ii) Give response to the Personal Data Holders on those requests that do not proceed in accordance with the Law. The company's contact details are those indicated in the corresponding section.
CHAPTER III
Procedures
The holder may claim his rights, using the following procedures:
8.1. Queries: The company will have mechanisms in place so that the Data Subject, their successors in title, their representatives and/or attorneys-in-fact, those to whom it has been stipulated in favor of or for another, and/or the representatives of minor Data Subjects, may make inquiries regarding which personal data of the Data Subject are contained in the company's Databases.
Whatever the means, the company will keep proof of the consultation and its response. a) If the applicant has the capacity to formulate the consultation, in accordance with the accreditation criteria established in the Law, the company will collect all the information about the Data Subject that is contained in the individual record of that person or that is linked to the identification of the Data Subject within the company's databases and will make it known to the applicant. b) The Responsible for answering the query will respond to the applicant as long as he/she has the right to do so because he/she is the Data Subject of the Personal Data, his/her assignee, proxy, representative, has been stipulated by or for another person, or is the legal responsible in the case of minors. This response will be sent within ten (10) business days from the date on which the request was received by the company. c) In the event that the request cannot be fulfilled within ten (10) business days, the applicant will be contacted to communicate the reasons why the status of the request is being processed. For this purpose, the same or a similar means to the one used by the Data Subject to communicate his/her request will be used. d) The final response to all requests will not take more than fifteen (15) business days from the date on which the initial request was received by the company.
8.2. Claims: The company has mechanisms for the Data Subject, their successors in title, representatives and/or attorneys-in-fact, those who stipulated by or for another, and/or the representatives of minors, to file claims regarding (i) Personal Data processed by the company that must be corrected, updated or deleted, or (ii) the alleged breach of the company's legal duties. The claim must be submitted by the Data Subject, their successors or representatives or accredited in accordance with the Law, as follows:
You should contact the company electronically at the e-mail address given in the relevant section; or physically at the address given by the company.
It must contain the name and identification document of the Holder.
It must contain a description of the facts giving rise to the claim and the objective pursued (updating, correction or deletion, or fulfillment of duties).
It should indicate the address and contact and identification data of the claimant.
It must be accompanied by all documentation that the claimant wishes to assert.
8.2.1 Before attending to the claim, the company will verify the identity of the Personal Data Subject, his or her representative and/or proxy, or the accreditation that there was a stipulation by or for another. For this purpose, it may require the original ID card or identification document of the Data Subject, and the special or general powers of attorney or documents required, as the case may be.
8.2.2 If the claim or the additional documentation is incomplete, the Company will require the claimant one time within five (5) days of receipt of the claim to remedy the deficiencies. If the claimant does not submit the required documentation and information within two (2) months from the date of the initial claim, it shall be understood that the claim has been withdrawn.
8.2.3 Once the claim with the complete documentation has been received, a legend stating "claim in process" and the reason for the claim shall be included in the company's Database where the Data Subject to claim is stored, within a term no longer than two (2) business days. This legend shall be maintained until the claim is decided.
8.2.4 The maximum term to address the claim shall be fifteen (15) business days from the day following the date of receipt. When it is not possible to address the claim within such term, the interested party shall be informed of the reasons for the delay and the date on which the claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.
VALIDITY. This Policy is effective as of July 1, 2017. Personal data that is stored, used or transmitted will remain in our Database, based on the criteria of temporality and necessity, for as long as necessary for the purposes mentioned in this Policy, for which they were collected.