Personal data protection policies and privacy notices
Corporate name: CARDOZO ORDOÑEZ S.A.S
NIT: 860.075.625 – 5
Address: Calle 110 No. 9 – 25 Oficina 1710
City Bogotá – Colombia
Phone: +57 1 742 7230
E/mail: abogados@cardozoordonez.com
Web site: www.cardozoordonez.com
1. Legal regulations and scope of application
This personal data processing policy is prepared in accordance with the provisions of the Political Constitution, Law 1581 of 2012, Regulatory Decree 1377 of 2013 and other complementary provisions and will be applied by CARDOZO ORDOÑEZ.
S.A.S. – hereinafter THE COMPANY – with respect to the collection, storage, use, circulation, deletion and all those activities that constitute the processing of personal data.
2. Definitions
For the purposes of the implementation of this policy and in accordance with legal regulations, the following definitions shall apply:
- Authorisation: Prior, express and informed consent of the Data Subject to carry out the Processing of personal data;
- Privacy notice: A physical, electronic or any other format document generated by the Controller that is made available to the Data Subject for the processing of his or her personal data. The Privacy Notice informs the Data Subject of the existence of the information processing policies that will be applicable to him/her, how to access them and the purpose of the processing that is intended to be given to the personal data;
- Database: Organised set of personal data that is the object of Processing;
- Personal data: Any information linked or capable of being linked to one or more specific or identifiable natural person(s);
- Public data: Data qualified as such according to the law or the Political Constitution and that which is not semi-private, private or sensitive. Data concerning, inter alia, the civil status of persons, their profession or trade, their status as merchants or public servants, and data that can be obtained without any reservation whatsoever, are public. By their nature, public data may be contained, inter alia, in public registers, public documents, gazettes and official gazettes;
- Private data: Data which, due to its intimate or reserved nature, is only relevant to the data subject; Semi-private data: Semi-private data is data that is not of an intimate, reserved or public nature and whose knowledge or disclosure may be of interest not only to its owner but also to a certain sector or group of persons or to society in general, such as financial and credit data on commercial activity or services;
- Sensitive dataSensitive data are understood to be those that affect the privacy of the Data Subject or whose improper use may lead to discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership of trade unions, social organisations, human rights organisations or those that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data relating to health, sex life and biometric data;
- Data Processor: A natural or legal person, public or private, who by himself or in association with others, carries out the Processing of personal data on behalf of the Controller;
- Data Controller: Natural or legal person, public or private, who by himself or in association with others, decides on the database and/or the processing of the data;
- Data subject: Natural person whose personal data is the object of processing;
- Transmission of Data: Processing of Personal Data that involves the communication of the same within or outside the territory of the Republic of Colombia when the purpose of the Processing is carried out by the Processor on behalf of the Controller;
- Data Transfer: The transfer of data takes place when the Controller and/or Processor of personal data, located in Colombia, sends the information or personal data to a recipient, which in turn is a Controller and is located inside or outside the country;
- Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion of personal data.
3. Principles
THE COMPANY in the course of its activities will collect, use, store, transmit and perform various operations on the personal data of Data Subjects. All Processing of Personal Data carried out by THE COMPANY shall adhere to the following principles:
- Principle of Legality: The processing of data is a regulated activity that must be subject to the provisions of the Statutory Law on Data Protection, Decree 1377 of 2013 Compiled in Chapter 25 of Decree 1074 of 2015 and other provisions that develop it.
- Principle of Freedom: All Processing of Personal Data shall be carried out once the prior, express and informed Authorisation of the Data Subject has been obtained, unless the Law establishes an exception to this rule. In the event that the Personal Data have been obtained prior to the Law, THE COMPANY will seek the ordinary and alternative relevant means to summon the Data Subjects and obtain their retroactive authorisation, following the provisions of Decree 1377 and concordant regulations.
- Principle of Purpose: All Personal Data Processing activities must obey the purposes mentioned in this Policy or in the Authorisation granted by the Data Subject, or in the specific documents regulating each type or process of Personal Data Processing. The purpose of the particular Processing of a Personal Data must be informed to the Data Subject at the time of obtaining his or her Authorisation. Personal Data may not be processed outside the purposes informed and consented to by the Data Subjects.
- Principle of truthfulness or quality: Personal Data subject to Processing must be truthful, complete, accurate, up-to-date, verifiable and comprehensible. When in possession of partial, incomplete, fractioned or misleading Personal Data, THE COMPANY shall refrain from processing them, or request the completeness or correction of the information from the data subject.
- Principle of Transparency: When requested by the Data Subject, THE COMPANY shall provide information about the existence of Personal Data concerning the applicant.
- Principle of restricted access and circulation: Personal Data may only be Processed by those personnel of THE COMPANY who are authorised to do so, or who, within their functions, are in charge of carrying out such activities. Personal Data may not be provided to those who do not have Authorisation or have not been Authorised by THE COMPANY to carry out the Processing. Personal data, except for public information, may not be made available on the Internet and other means of mass dissemination or communication, unless access is technically controllable in order to provide restricted knowledge only to Data Subjects or authorised third parties in accordance with the Law.
- Principle of Confidentiality: All Personal Data that is not Public Data must be treated by the Controllers as confidential, even if the contractual relationship or the link between the Data Subject and THE COMPANY has ended. Upon termination of such relationship, such Personal Data shall continue to be Processed in accordance with this Policy and the Law.
- Necessity Principle: Personal Data may only be Processed for as long as and to the extent that the purpose of the Processing justifies it.
- Security Principle: The information subject to processing is handled with the technical, human and administrative measures necessary to ensure the security of the records, avoiding their adulteration, loss, consultation, unauthorised or fraudulent use or access. Therefore, the corresponding security measures are implemented, which are made known to all personnel who have direct or indirect access to the data. Users accessing the company’s information systems must be aware of and comply with the security rules and measures appropriate to their functions. These security rules and measures are set out in the Internal Security Policies, which must be complied with by all users and company personnel. Any modification of the rules and measures concerning the security of personal data by the company will be brought to the attention of the users.
4. Processing and purpose for which the collection of personal data and the processing thereof is carried out
THE COMPANY will process your Personal Data, that is to say, it will carry out activities such as collection, storage, use, circulation or deletion, in order to comply with the normal development of the corporate purpose of our company and our relationship with you. Within this purpose, we will process your Personal Data for:
- Candidates, workers and former workers
The processing of the essential personal data of applicants, employees and former employees shall be in accordance with the law and the status of the company and shall be all that is necessary for the fulfilment of its obligations as an employer.
The information subject to processing will be used, among others, to: (a) enter into the employment contract and proceed with affiliations to the comprehensive social security and parafiscal systems, as well as to the severance fund administrator; (b) comply with legal and extralegal labour obligations in the event that they exist, arising from the employment contract; (c) make reports to administrative, police and judicial authorities, when required by them; (d) benefits administration; payroll payment; recognition of legal obligations, audits; accounting reports; statistical analysis; interaction with the entities that manage or may manage the general social security system, parafiscal collection entities, Ministry of Labour, UGPP, Superintendence of Health, operator of the Integral Contribution Settlement Plan, Superintendence of Industry and Commerce, Regional and National Board for the qualification of disability; training and education; access to agreements with third parties; among other processes inherent to personnel administration. e) Others related to the events in which the information may be susceptible to be shared.
The information provided by active workers, including that of their family group and beneficiaries, shall be stored physically, electronically or by other means available for the term indicated by labour and accounting regulations.
The information provided by applicants or candidates to become employees of the company and which is collected in the development of the selection process, is intended to proceed with the verification, comparison, evaluation of the work and personal skills of the candidates with respect to the selection criteria of THE COMPANY; schedule interviews and application of tests to applicants; evaluate directly or through third parties the selection tests of the applicants; to inform the general results of the selection process; to consult and evaluate all the information about the applicant for the position that is stored in the databases of judicial or security backgrounds legitimately constituted, of state or private, national or foreign nature and in any case, the information will be eliminated from the information systems of the company when such applicants or candidates are not selected by the company and/or when for any reason an employment contract is not concluded with the company.
The information provided by former employees of the company under the terms of an employment relationship shall be retained by the company under the terms of the applicable commercial, labour, occupational risk and occupational health and safety management regulations, and shall be stored physically, electronically or by other available means.
-
Suppliers
The Personal Data processed by THE COMPANY shall be subject strictly and solely to the purposes set out below. Likewise, the Processors or third parties who have access to the Personal Data by virtue of Law or contract, shall maintain the Processing within the following purposes:
- Manage all information necessary for the fulfilment of the tax obligations and commercial, corporate and accounting records of THE COMPANY. b) Comply with the COMPANY’s internal processes for supplier and contractor management. c) The process of archiving, updating systems, protection and custody of information and databases of THE COMPANY. d) Processes within the COMPANY, for developmental or operational and/or systems administration purposes. e) consult, compare and evaluate all information on the supplier that is stored in lawfully constituted judicial or security background databases, of a state or private, national or foreign nature, or any commercial or service database that makes it possible to comprehensively establish the supplier’s behaviour, including consultations in the lists for the prevention and control of money laundering and terrorist financing; f) analyse, process, evaluate and compare information provided by suppliers; g) sending information of commercial or non-commercial interest and invitations to events scheduled by THE COMPANY; h) comply with Colombian or foreign law and the orders of judicial and/or administrative authorities; (i) issuance of certifications relating to the business relationship between the data subject and the COMPANY; j) provision of information to inspection, monitoring, control, regulatory bodies or internal or external auditors; k) to make payments for services rendered or products sold by the supplier; l) for the preparation of invitations to tender; m) Other purposes determined by the Controllers in processes of obtaining Personal Data for its Processing, in order to comply with legal and regulatory obligations, as well as the policies of THE COMPANY.
-
Clients
The Personal Data processed by THE COMPANY shall be subject strictly and solely to the purposes set out below. Likewise, the Processors or third parties who have access to the Personal Data by virtue of Law or contract, shall maintain the Processing within the following purposes:
- Manage all information necessary for the fulfilment of the tax obligations and commercial, corporate and accounting records of THE COMPANY. b) Comply with the company’s internal processes for supplier and contractor management. c) Fulfil the contracts for legal services concluded with the clients, in which case the obligations of THE COMPANY with regard to the services are of means and not of result.. d)To provide its services in accordance with the particular needs of the company’s clients, in order to fulfil the legal services contracts entered into, including but not limited to defining defence strategies, submitting the documents and other evidentiary elements provided as means of proof before administrative and judicial authorities, issuing legal opinions, in general exercising the legal profession with respect to the entrusted assignments, using the Personal Data for marketing and/or commercialisation of new services or products. e) The control and prevention of fraud and money laundering, including but not limited to consultation on restrictive lists, and all necessary information required for SARLAFT. f) The process of archiving, updating systems, protection and custody of information and databases of THE COMPANY. g) Processes within THE COMPANY, for development or operational and/or systems administration purposes. h) Maintain and process by computer or other means, any information related to the client’s business in order to provide relevant services and products. i) to submit tenders and quotations; j) conduct evaluations and/or surveys related to the level of satisfaction of our customers in relation to the products and services we offer and loans; k) execution of customer analysis and profiling to define products and services that meet their needs; l) sending legal and commercial communications related to the products and services we offer and loans; m) development of market research and consumer habits, statistical analysis and customer behaviour reports, n) Other purposes determined by the Controllers in processes of obtaining Personal Data for its Processing, in order to comply with legal and regulatory obligations, as well as the policies of THE COMPANY.
-
Processing of financial data:
THE COMPANY will process your financial Personal Data only when this information is necessary to carry out the processes of invoicing, portfolio, collection and payment for the products and services that have been provided or supplied by and/or for THE COMPANY, and for the sending of invoices either electronically, physically or by any means agreed with you and in the cases previously established in this POLICY.
-
Processing of personal data of minors:
In application of the provisions of the law, THE COMPANY will proceed to process the Personal Information of children and adolescents, respecting their best interests and ensuring, in all cases, respect for their fundamental rights and minimum guarantees.
In all events in which it is necessary to process the Personal Information of minors, THE COMPANY shall obtain the authorisation of their legal representatives, who for this purpose are their father and/or mother or guardian.
The processed information may be shared, inter alia, in the following situations:
- Electronic use of the data provided, for sending reports on payroll and social security payments, training and education courses, and any other type of information directly or indirectly related to the employment contract.
- Sharing personal data with banks and financial institutions where you have applied for credit or are a debtor, as well as companies that offer benefits to workers.
- Providing data to administrative, police and judicial authorities when requested by them
- Allow access to information and personal data to internal or external auditors to carry out internal or external audits, due diligence, among others.
- Marketing and/or commercialisation of new services or products
- To consult and update personal data, at any time, in order to keep such information up to date.
5. General
THE COMPANY collects your Personal Data through various sources of information such as personal or work-related electronic messages, through the web page www.cardozoordonez.com or physical correspondence, by information already existing in the COMPANY’s databases as established in the procedure of Decree 1377 of 2013, in its article 10, through voice messages, information filed in computers and electronic devices of the COMPANY, fax systems, internet access, correspondence or through any other electronic device for communications and any other technological resource.
THE COMPANY will only use the Personal Data within the use you have authorised, will only transmit it to customers or third parties when this is necessary as a result of the ordinary course of business of THE COMPANY and to judicial and administrative authorities when required to do so by judicial or administrative order. THE COMPANY will safeguard and protect the Personal Data received at its address, limiting its use and disclosure to the authorised purpose.
6. Rights of the holders
Law 1581 of 2012 establishes that data subjects shall have the following rights:
- To know, update and rectify their personal data with respect to the Controllers or Processors. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or data whose processing is expressly prohibited or has not been authorised.
- Request proof of the authorisation granted to the Data Controller, except when expressly exempted as a requirement for the Processing, in accordance with the provisions of article 10 of the aforementioned law.
- To be informed by the Controller or the Processor, upon request, about the use made of his or her personal data.
- File complaints with the Superintendency of Industry and Commerce for infringements of the provisions of the aforementioned law and other regulations that modify, add to or complement it.
- To revoke the authorisation and/or request the deletion of the data when the Processing does not respect the constitutional and legal principles, rights and guarantees. The revocation and/or deletion shall proceed when the Superintendence of Industry and Commerce has determined that the Controller or Processor has engaged in conduct contrary to the law and the Constitution.
- Access free of charge to their personal data that has been the subject of Processing. In addition, Regulatory Decree 1377 of 2013 defines that Controllers must keep proof of the authorisation granted by Data Controllers for the Processing of personal data.
7. Mechanisms for the protection of information, procedure for the holder to exercise their rights
All information subject to processing will be properly safeguarded, either through the physical storage of the curriculum vitae folders of each employee, or through technological tools.
In any case, the company shall ensure that access to the data undergoing processing is restricted to authorised personnel only.
Data subjects may exercise their rights by sending a request to the following e-mail address
abogados@cardozoordonez.com expressing the right being exercised.
Queries will be dealt with within a maximum of ten (10) working days from the date of receipt of the query. When it is not possible to respond to the query within this period, the Data Subject will be informed, stating the reasons for the delay, in any case the query will be answered within five (5) working days following the expiry of the initial ten (10) working days.
Claims for correction, updating or deletion, or for alleged breach of any of the duties contained in the law, will be processed under the following rules: 1. The complaint shall be formulated by means of a request addressed to the Data Controller or the Data Processor, with the identification of the Data Subject, the description of the facts giving rise to the complaint, the address, and accompanied by the documents to be asserted. If the claim is incomplete, the interested party will be required to rectify the faults within five (5) days of receipt of the claim. If two (2) months have elapsed since the date of the request without the applicant submitting the required information, it shall be understood that the claim has been withdrawn. In the event that the person who receives the complaint is not competent to resolve it, he/she will transfer it to the appropriate person within a maximum of two (2) working days and will inform the interested party of the situation. 2. The maximum term to deal with the claim will be fifteen (15) working days from the day following the date of receipt. If it is not possible to deal with the complaint within this period, the interested party will be informed of the reasons for the delay and in all circumstances the complaint will be answered within eight (8) working days following the expiry of the initial fifteen (15) working days.
8. Responsible for dealing with queries and complaints
THE COMPANY has provided that the Senior Personal Data Protection Lawyer shall be responsible for the definition, implementation and monitoring of the actions required to guarantee this right to the Holders of personal data held by THE COMPANY, in accordance with the regulations in force.
9. Modification and/or updating of the personal data protection and information handling policy.
Any changes to these policies will be communicated through the COMPANY’s website. www.cardozoordonez.com
10. Validity of the databases
The databases shall have a validity period equal to the period during which the purpose of the database is maintained, or the period of validity specifically indicated by a legal, contractual or jurisprudential cause.
11. Request for authorisation from the personal data subject
Before and/or at the time of collecting the personal data, THE COMPANY shall request the data subject’s authorisation to collect and process the data, indicating the purpose for which the data is requested, using automated, written or oral technical means for this purpose, which allow proof of the authorisation and/or the unequivocal conduct described in article 7 of Decree 1377 of 2013 to be preserved. Such authorisation shall be requested for such time as is reasonable and necessary to meet the needs giving rise to the request.
Authorisation is not required in the case of: a. Information required by a public or administrative body in the exercise of its legal functions or by court order. b. Data of a public nature. c. Cases of medical or health emergencies. d. Processing of information authorised by law for historical, statistical or scientific purposes. e. Data related to the Civil Registry of Persons.
It is the responsibility of Data Subjects to provide information in a truthful, complete, timely and responsible manner. For the collection and processing of sensitive personal data, the data subject shall be clearly informed of what the data are, the purpose of the processing and the information that he/she is not obliged to authorise the processing.
12. Validity
This policy will come into force once it is made known and in any case THE COMPANY may only collect, store, use or circulate the personal data for the time that is reasonable and necessary, in accordance with the purposes that justified the processing, taking into account the provisions applicable to the matter in question and the administrative, accounting, fiscal, legal and historical aspects of the information. Once the purpose or purposes of the processing have been fulfilled, and without prejudice to legal provisions to the contrary, the personal data in its possession shall be deleted. Notwithstanding the foregoing, personal data shall be retained where this is required for compliance with a legal or contractual obligation.
Given on the first day (01) of the month of June two thousand and fifteen (2.015)
CARDOZO ORDOÑEZ S.A.S
Privacy Notice
Compliance
CARDOZO ORDOÑEZ S.A.S, in compliance with Law 1581 of 2012 and its regulatory decrees, through this Privacy Notice informs the holders of personal data on the conditions and treatment to which the data stored in our databases will be subjected:
Data Controller
CARDOZO ORDOÑEZ S.A.S identified with NIT 860.075.625-5, company domiciled in the city of Bogotá at Calle 100 No. 9-25, Office 1710.
Processing and purpose of personal data collection
CARDOZO ORDOÑEZ S.A.S., informs users, workers, visitors, suppliers and customers that the collection, registration, storage, use, circulation, administration, updating and deletion of data taken by our staff, are intended to leave a record of entry to the office facilities, in compliance with the administrative management of the company and for strictly security reasons, to manage internal statistics, marketing, commercial prospecting, studies on consumer habits, customer loyalty, opinion polls, data update campaigns and information on changes in the processing of personal data, sales and information queries.
With regard to the provision of legal services, personal data is recorded and stored for the purpose of preparing and submitting proposals for services, participating in competitions, seminars and training organised by the company or in which it participates as a speaker, billing management, collection and payment management, economic and accounting management, and also, once a contractual relationship is established, it is understood that the data will be processed to comply with the contracted service and to comply with legal and tax obligations with regard to the company’s accounting records and the issuing of invoices required by the Tax Statute.
Rights of the Holders
Data subjects may exercise the following rights by sending an e-mail to abogados@cardozoordonez.com:
- Acceso gratuito a los datos facilitados que hayan sido objeto de tratamiento.
- Request the updating and rectification of your information regarding partial, inaccurate, incomplete, incomplete, fractioned, misleading data, or data whose processing is prohibited or has not been authorised.
- Request proof of the authorisation granted.
- File complaints before the Superintendence of Industry and Commerce (SIC) for infringements of the provisions of the regulations in force.
- To revoke the authorisation and/or request the deletion of the data, unless there is a legal or contractual duty that makes it imperative to retain the information.
It is optional to answer questions that deal with sensitive data or data on children and adolescents. If you require further information about our policy on the processing of personal data and any substantial changes to it, please consult our website at www.cardozoordonez.com.
Authorisation for the processing of personal data
Personal data subject
The holder of the personal data through the voluntary provision and registration of their data in the channels enabled on the website of CARDOZO ORDOÑEZ S.A.S. authorises the company as responsible for the treatment to collect, register, store, use, circulate, manage, update and delete their data for the following purposes: To carry out administrative management, management of internal statistics, marketing, commercial prospecting, carry out studies on consumer habits, customer loyalty, opinion polls, data update campaigns and information on changes in the processing of personal data, sales and service offerings, and attention to information queries.
Rights of the Holders
Data subjects may exercise the following rights by sending an e-mail to abogados@cardozoordonez.com:
Access free of charge to the data provided which have been processed.
Request the updating and rectification of your information regarding partial, inaccurate, incomplete, incomplete, fractioned, misleading data, or data whose processing is prohibited or has not been authorised.
Request proof of the authorisation granted.
File complaints before the Superintendence of Industry and Commerce (SIC) for infringements of the provisions of the regulations in force.
To revoke the authorisation and/or request the deletion of the data, unless there is a legal or contractual duty that makes it imperative to retain the information.
It is optional to answer questions that deal with sensitive data or data on children and adolescents.
For more information about our policy on the processing of personal data and any substantial changes to it, please consult our website www.cardozoordonez.com.