PRIVACY AND PERSONAL DATA POLICY
CARTAGENA TOP EXPERIENCES, in compliance with the provisions of Law 1581 of 2012, Decree 1377 of 2013 and the other legal provisions related to the protection of Personal Data, it is allowed to inform that: 1. It is Responsible for the Processing of Personal Data. 2. It has a POLICY FOR THE TREATMENT OF PERSONAL DATA, which includes the procedures for the Holders of Personal Data to exercise their rights in relation to such Data. 3. Said POLICY includes the Purpose of the Processing of Personal Data accessed by CARTAGENA TOP EXPERIENCES 4. The POLICY OF PERSONAL DATA PROCESSING from CARTAGENA TOP EXPERIENCES can be consulted on the website cartagenatopexperiences.com 5. By sending any information and / or document to CARTAGENA TOP EXPERIENCES through any of its communication channels, the Holder of Personal Data authorizes CARTAGENA TOP EXPERIENCES to carry out the Treatment of such Data, in accordance with the provisions of the POLICY previously mentioned.
I. SCOPE OF APPLICATION
This PERSONAL DATA TREATMENT POLICY refers to the protection of the data registered in the databases of THE COMPANY , collected on the occasion of the exercise of their commercial and work activities. This treatment policy will be applicable to the personal data of natural persons that are included in the databases of THE COMPANY.
II. DEFINITIONS
Authorization: Prior, express, and informed consent of the Holder to carry out the Processing of personal data.
Privacy notice: Verbal or written communication generated by the person responsible for the Treatment, addressed to the owner for the treatment of their personal data, through which they are informed about the existence of the information treatment policies that will be applicable, the form to access them and the purposes of the treatment that is intended to give personal data.
Database: Organized set of personal data that is the object of treatment.
Personal data: Any information linked or that may be associated with one or more specific or determinable natural persons.
Responsible for the Treatment: Natural or legal person, public or private, that by itself or in association with others, carries out the processing of personal data on behalf of CARTAGENA TOP EXPERIENCES.
Responsible for the Treatment: CARTAGENA TOP EXPERIENCES (THE COMPANY).
Owner: natural persons (clients, consumers, employees, former employees, suppliers, among others) whose personal data is subject to treatment.
Transfer: activity in which the person in charge and / or person in charge of the processing of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is responsible for the treatment and is inside or outside the country.
Transmission: Treatment of Personal Data that implies the communication of the same within or outside the territory of the Republic of Colombia when it is intended to carry out a treatment by the person in charge on behalf of the person in charge.
III. TREATMENT POLICY
When processing Personal Data, THE COMPANY will consider the following guidelines:
- This POLICY must always comply with the provisions of Law 1581 of 2012, Decree 1377 of 2013 and other applicable legal provisions, and must be always available to the owners and third parties who wish to consult it.
- Any modification suffered by this POLICY must be informed to the holders by any suitable means.
- The modifications suffered by this POLICY may not disregard the minimum rights of the holders of personal data established in the Law, nor impair the protection conditions conferred on them by means of this document.
- Unless expressly requested otherwise by the owner of the personal data, THE COMPANY may continue the processing of such data in execution of the modifications of this POLICY.
- THE COMPANY must implement a PRIVACY NOTICE in all communications it generates with holders of personal data.
- Unless expressly indicated otherwise by the Owner, both the initial contact made by the owner of THE COMPANY, and the response to any communication sent by the owner of THE COMPANY will be presumed as an AUTHORIZATION of the processing of your personal data in the terms of this POLICY.
- THE COMPANY will be responsible for the processing of personal data, which are collected (i) by its staff, (ii) by third parties to whom it has entrusted such work, (iii) or by any electronic means that it makes available to the owners to this end.
- The personal data contained in the databases of THE COMPANY will be handled under strict security and confidentiality policies.
- Neither THE COMPANY, nor the person in charge, may carry out the treatment, transfer and / or transmission of personal data, including sensitive data and personal data of children and adolescents, that for any reason I will come to know, without prior consent, express and informed of the owner of the information and / or, in the case of minors, their parents or legal representatives.
IV. PURPOSE
THE COMPANY collects personal data from clients to whom it provides services, its employees, former employees, suppliers, and strategic allies to:
- Execute the contractual obligations that THE COMPANY may have such as (add economic activity according to the chamber of commerce), as well as the obligations that it may acquire as a contractor of goods and services necessary for the development of the corporate purpose and performance of THE COMPANY.
- Inform about new services and / or changes in them, as well as the sending of relevant information for their clients.
- Register the information of employees and former employees, to execute the obligations that THE COMPANY has as an employer.
- Carry out marketing, promotion and / or advertising activities, market research, own or third parties, through various suitable means (such as invoices, emails or messages, text messages (SMS) and telephone communications).
- Carry out the tasks required to offer and / or provide the services offered by THE COMPANY (such as the sale, billing, collection, collection, enabling means of payment, technical support, service improvement, programming, control, fraud prevention or any other activity related to the current or future products of THE COMPANY) that are relevant or necessary for the fulfillment of its corporate purpose or its contractual obligations.
- To have contact with the clients of the services in relation to the current or future products or services of THE COMPANY and about promotions, packages, premieres, or additional services.
- Comply with the obligations contracted with the Holders of Personal Data, among which are suppliers, customers, employees, former employees, and future employees.
- Carry out studies on consumer habits.
- Share, Transfer and Transmit data of the Holders to commercial allies, external advisors, related companies, including, but not limited to subsidiaries and / or parent company, or to people with whom THE COMPANY has or will have commercial relationships, to carry out (i) commercial and promotional activities of the products or services owned by said companies or (ii) legal, financial, commercial analysis among others that THE COMPANYmay require.
All data must be collected directly from the Data Holders or taken from physical, electronic documents, data messages or communications in any format sent by them.
THE COMPANY or the person in charge may only collect, store, use or circulate personal data for as long as is reasonable and necessary, in accordance with the purposes that justified the treatment. Once deemed necessary, you may proceed to delete personal data.
V. DUTIES OF THE COMPANY AS RESPONSIBLE FOR THE TREATMENT
- Guarantee the holder, always, the full and effective exercise of the right to habeas data.
- Request and keep, under the conditions provided by law, a copy of the respective authorization granted by the Owner.
- Properly inform the Holder about the purpose of the collection and the rights that assist him by virtue of the authorization granted.
- Keep the data of the Holders in adequate security conditions to prevent their adulteration, loss, consultation, use or unauthorized or fraudulent access.
- Guarantee that the information provided to the person in charge of the treatment is true, complete, exact, updated, verifiable and understandable.
- Update the data obtained from the owners and adopt the other necessary measures so that the information provided to them is kept up to date.
- Rectify the information when it is incorrect and communicate the pertinent to the Person in Charge of Treatment.
- Provide the person in charge of the treatment only data whose treatment is previously authorized in accordance with the provisions of the law and in this POLICY.
- Guarantee and demand that the person in charge of the treatment respect the security and privacy conditions of the owner’s information.
- Process inquiries and claims formulated in the terms indicated in the law.
- Inform the person in charge of the treatment when certain information is under discussion by the owner once the claim has been submitted and the respective procedure has not been completed.
- Inform at the request of the owner about the use given to their data.
- Inform the data protection authority when there are violations of the security codes and there are risks in the administration of the information of the Holders.
- Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.
- When THE COMPANY carries out the transfer or transmission of personal data, these will remain confidential information and may not be treated for a purpose other than that established in these policies or that indicated in the document that contains the contractual relationship that is executed. In case of transfer, whoever receives the information will be considered responsible for the treatment and their privacy policies will apply to said information.
- When this POLICY suffers any type of modification, it will be necessary to notify the owners of the personal data of the same. Said modification may be made through the means of communication normally used between the parties.
- To carry out the Treatment, Transfer or Transmission of Personal Data, THE COMPANY must request and keep proof of the authorizations granted by the Data Holders for this purpose.
SAW. DUTIES OF THE DATA PROCESSOR
- Guarantee the Holder, always, the full and effective exercise of the right to habeas data.
- Keep the information of the Holder under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
- Timely update, rectify or delete the data in accordance with the law.
- Update the information reported by those responsible for Treatment within five (5) business days from receipt.
- Process the queries and claims made by the Holders in the terms indicated in the law.
- Adopt an internal manual of policies and procedures to guarantee adequate compliance with the law and, especially, for the attention of queries and claims by the Holders.
- Register in the database the legend “claim in process” in the way it is regulated by law.
- Insert in the database the legend “information in judicial discussion” once notified by the competent authority about judicial processes related to the quality of personal data.
- Refrain from circulating information that is being controversial by the Holder and whose blocking has been ordered by the Superintendency of Industry and Commerce.
- Allow access to information only to people who can have access to it.
- Inform the Superintendency of Industry and Commerce when there are violations of the security codes and there are risks in the administration of the information of the Holders.
- Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.
VII. RIGHTS OF THE HOLDERS
In accordance with Law 1581 of 2012, the Holders of Personal Data will have the following rights:
- Know, update, and rectify your personal data in front of THE COMPANY or Treatment Managers. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or those whose Treatment is expressly prohibited or has not been authorized.
- Request proof of the authorization granted to THE COMPANY except when expressly excepted as a requirement for Treatment, in accordance with the provisions of article 10 of Law 1581 of 2012.
- Be informed by THE COMPANY or the Person in Charge of Treatment, upon request, regarding the use that has been given to your personal data.
- Present before the Superintendency of Industry and Commerce complaints for infractions to the provisions of Law 1581 of 2012, Decree 1377 of 2013, and other regulations that modify, add, or complement it.
- Revoke the authorization and / or request the deletion of the data when in the Treatment the principles, rights and constitutional and legal guarantees are not respected. The revocation and / or deletion will proceed when the Superintendency of Industry and Commerce has determined that, in the Treatment, THE COMPANY or Person in Charge have engaged in conduct contrary to the law and the Constitution.
- However, the foregoing, the revocation of the authorization or deletion of the data will not proceed when the Holder has a legal or contractual duty to remain in the database.
- In accordance with the provisions of article 21 of Decree 1377 of 2013, the Holder may freely access those personal data that have been subject to Treatment.
To exercise the rights enshrined here, the Personal Data Holders must consider number IX of this document.
VIII. AUTHORIZATION
When THE COMPANY collects the Owner’s Personal Data, it will request their prior, express and informed consent, except in the following cases:
- When the Holder has given his explicit authorization to said Treatment, except in cases where the granting of said authorization is not required by law.
- When it comes to data related to the Civil Registry of people and, in general, any data of a public nature.
- When the Treatment refers to data that are necessary for the recognition, exercise or defense of a right in a judicial process.
- When the Treatment has a historical, statistical or scientific purpose.
IX PROCEDURE FOR ATTENTION TO INQUIRIES AND CLAIMS ABOUT THE INFORMATION TREATED
The owners of the data that are part of the databases of THE COMPANY may consult the information that is processed by it, as well as file claims against it.
For this purpose, the Holder may direct his claim to THE COMPANY, making use of any of the following means of contact:
By cell phone number: (57) 324 5500787
Via email: sales@cartagenatopexperiences.com
Via physical mail: Torices neighborhood, av. 13th # 54/147 San Pedro y Libertad sector – Cartagena de Indias – Bolívar – Colombia
Holders of Personal Data may exercise their rights at any time. When making inquiries about your Personal Data, these will be provided free of charge, in the terms enshrined in Decree 1377 of 2013.
The procedure that will be followed for the exercise of the rights of the Holders will be the following:
Queries:
- When the Holder, his representative or right holder requires to consult his Personal Data contained in the databases of the person in charge and / or in charge of the Treatment, he must formulate the respective query through any of the means enabled for this purpose.
- The right holders or third parties authorized by the owner to consult the Personal Data of the same, must sufficiently prove to THE COMPANY and in its opinion, their legitimacy to request said information.
iii. Once the inquiry is received, THE COMPANY must attend to it within the following ten (10) business days, counted from the date of receipt.
- If THE COMPANY cannot answer the query made within said term, it will inform the Holder of the reasons for the delay and will indicate the date on which it will respond to its query, which in no case may exceed five (5) business days following the expiration of the first term.
Claims:
When the Holders consider that the information should be subject to correction, update, or deletion, or when they consider that the violation of one of the rights or duties contained in this document and / or in the law has occurred, they may submit a claim of agreement to the procedure and the formalities established in article 15 of Law 1581 of 2012, or the one that modifies or replaces it.
- The Holder, his representative or successor in title may process a claim by means of a written request containing the following information: i) Identification of the Holder, ii) description of the facts that give rise to the claim, iii) Correspondence address of the Holder and iv) copy of the documents that support the request.
- If the application turns out to be incomplete, THE COMPANY will require the interested party to provide the missing documents, within five (5) business days following receipt of the claim. The interested party will have up to sixty (60) calendar days to respond to the required information. In case of no response, it will be understood that you have withdrawn the claim or request.
- Once the claim is received, a note stating that there is a claim in progress with its respective filing number must be included in the respective Database within two (2) business days after receiving it.
- THE COMPANY must attend the Claim within fifteen (15) business days after receiving it. If THE COMPANY cannot address the claim within that term, it will inform the Holder of the reasons for the delay and will indicate the date on which it will respond to its claim. In any case, THE COMPANY and / or Manager must respond within a maximum period of eight (8) business days.
X. SECURITY MEASURES
In compliance with the security principle established in current regulations, THE COMPANY will adopt the technical, human and administrative measures necessary to grant security to the conservation of the information, in order to avoid its (i) adulteration, (ii) loss, ( iii) consultation, (iv) use or (v) unauthorized or fraudulent access.
These measures include, but are not limited to, the following:
- Subscription of contractual clauses and Confidentiality Agreements with Employees and External Advisors.
XI. EFFECTIVE DATE
This Personal Data policy was created on January the 09 of 2022 and becomes effective as of January 9, 2022. Any change in it will be reported by the means it deems convenient and sufficient to reach all Holders of Personal Data.
The databases subject to this PERSONAL DATA TREATMENT POLICY will be valid for twenty (20) years, extendable for equal periods unless otherwise provided by THE COMPANY.
Cordially,
JORGE ARMANDO MONDOL ROMERO
LEGAL REPRESENTATIVE – CARTAGENA TOP EXPERIENCES
ID. # 73214453.