I. IDENTIFICATION OF THE DATA CONTROLLER
CORPORATE NAME AND IDENTIFICATION: PIRANI S.A.S, hereinafter referred to as THE COMPANY, a commercial company identified with NIT 900.484.747-4 and created by public deed on November 22, 2011, registered in the Chamber of Commerce on November 22, 2011.
ADDRESS: THE COMPANY has its domicile in the city of Medellín and its main office is located in the Milla de Oro building, Avenida El Poblado, Carrera 42 Nº 3 Sur 81 Torre 1 Piso 15.
TELEPHONE: +57 (323) 563 9223
II. DATA PROCESSING PRINCIPLES
In all processing of personal data carried out by THE COMPANY, the principles enshrined in the Colombian General Regime for the Protection of Personal Data shall be applied, especially the following:
- Principle of legality of data processing: For the processing of personal data carried out by THE COMPANY, the rules of the Colombian legal system relating to the General Regime for the Processing of Personal Data and those contained in this policy shall apply.
- Principle of purpose: The processing that THE COMPANY applies to the personal data it handles obeys the purposes established in this policy, which are in harmony with the Colombian legal system. In matters not regulated in this policy, the superior norms that regulate, add to, modify or repeal it will be applied.
- Principle of freedom: The processing of personal data by THE COMPANY is carried out according to the prior, express and consented authorization of the owner of the personal data.
- Principle of truthfulness or quality: The information subject to treatment by THE COMPANY must be truthful, complete, updated, verifiable and understandable.
- Principle of transparency: THE COMPANY guarantees that the holder of the personal data can obtain information about their data at any time and without restrictions according to the procedures described in this policy.
- Principle of restricted access and circulation: THE COMPANY guarantees that the processing of personal data in the databases for which it is responsible is carried out by persons authorized by the owner and/or other persons permitted by law.
- Security Principle: THE COMPANY will implement all technical, human and administrative measures necessary to protect the personal data processed in its databases, avoiding the use, adulteration, loss and unauthorized or unwanted consultation.
- Principle of confidentiality: The processing of the personal data in THE COMPANY's databases will be carried out with strict confidentiality and reserve, according to the purposes described in this policy.
For more information on these principles, please refer to Law 1581 of 2012 and Decree 1377 of 2013, as well as other regulatory provisions that modify, clarify, supplement or repeal them.
III. PROCESSING TO WHICH THE DATA WILL BE SUBJECTED AND THE PURPOSE FOR WHICH IT WILL BE USED
The processing of personal data of the person with whom THE COMPANY has established or establishes a relationship, permanent or occasional, will be carried out within the legal framework that regulates the matter. In any case, personal data may be collected and processed in the following cases:
- To develop the corporate purpose of THE COMPANY in accordance with its legal statutes.
- To comply with applicable tax and commercial regulations.
- Comply with the provisions of the Colombian legal system in labor and social security matters, among others, applicable to former employees, current employees and candidates for future employment.
- Invitations to academic events and informative content. Invitations to participate in Academia Pragma events and activities.
- Conduct surveys related to the services or goods of THE COMPANY.
- Send commercial information of THE COMPANY.
- Develop programs in accordance with its bylaws.
- Fulfill all its contractual commitments.
IV. RIGHTS OF THE HOLDER OF THE INFORMATION
In accordance with the provisions of the current applicable regulations on data protection, the holders of personal data have the right to:
- Access, know, update and rectify their personal data before THE COMPANY in its capacity as data controller. This right may be exercised, among others, with respect to partial, inaccurate, incomplete, fragmented or misleading data, or data whose processing is expressly prohibited or has not been authorized.
- Request proof of the authorization granted to the COMPANY for the processing of data, by any valid means, except in cases where authorization is not required.
- To be informed by THE COMPANY, upon request, regarding the use given to their personal data.
- To file complaints before the Superintendence of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and other rules that modify, add or complement it, after consultation or request to THE COMPANY.
- Revoke the authorization or request the deletion of the data.
- Access, free of charge, their personal data that have been processed, at least once every calendar month, and whenever there are substantial changes to this policy that motivate new consultations.
These rights may be exercised by:
- The holder, who must prove his identity sufficiently by the various means made available to him by THE COMPANY.
- The assignees of the holder, who must prove such quality.
- The representative or attorney-in-fact of the holder, upon prior accreditation of the representation or power of attorney.
- Another person in whose favor or for whom the holder has stipulated.
V. CONTROLLER AND PROCESSOR OF PERSONAL DATA
THE COMPANY will be responsible for the processing of personal data. The administrative department will be responsible for the processing of personal data. Any communication on the matter should be made through the e-mail firstname.lastname@example.org.
Transfers and transmissions for processing by third parties of personal data provided to THE COMPANY.
Acceptance of this policy implies that the holder of the personal data accepts that THE COMPANY may, respecting at all times the legal provisions that regulate the matter, transmit or transfer the totality of the holder's data to third parties in the country or abroad.
In turn, THE COMPANY undertakes to inform third parties of the parameters under which the authorization has been granted and of the respect due to this policy, informing them that they may only make use of such data and/or information while the legal or contractual relationship with THE COMPANY subsists, solely and exclusively for the uses expressly defined by it.
VI. PROCEDURE FOR THE HANDLING OF QUERIES, CLAIMS, REQUESTS FOR RECTIFICATION, UPDATING AND DELETION OF DATA
The holders or their assignees may consult the personal information of the holder that is held by THE COMPANY, which will provide all the information contained in the individual record or that is linked to the identification of the holder. Likewise, THE COMPANY provides the mechanism through which the holder may file claims to update, rectify or delete the data, or to revoke the authorization definitively.
In any case, regardless of the mechanism implemented for handling queries, these will be answered within a maximum period of ten (10) working days from the date of receipt. When it is not possible to respond to the query within that term, the interested party shall be informed before the expiration of the 10 days, stating the reasons for the delay and indicating the date on which the query will be answered, which in no case may exceed five (5) business days following the expiration of the first term.
THE COMPANY reserves the right to modify the Information Processing Policy unilaterally at any time. The Information Processing Policy in force at any time will be available on the web page and at the facilities of the company. Any substantial change in the Information Processing Policy that may affect the content of the authorization granted by the holder will be communicated to the holder or will be made available to him/her under the terms established by the regulations in force. In addition, the previous versions of the Information Processing Policy shall be kept.
The holder's non-opposition to the use of his/her data, within thirty (30) days following the notification of the new Information Processing Policy constitutes acceptance of the same.
VII. INFORMATION SECURITY MEASURES
In compliance with the security principle established in the current regulations, THE COMPANY will adopt the technical, human and administrative measures necessary to provide security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.
The company is committed to the correct use and processing of the personal data of its customers and users, preventing unauthorized access by third parties that would allow them to learn of, violate, modify, disclose and/or destroy the information contained in the databases of the company. For this reason, the company has security and access protocols for its information, storage and processing systems, including physical measures to control security risks.
Therefore, it must adopt the measures that allow it to comply with the provisions of Law 1581 of 2012, and any other law or regulation that modifies or replaces them. As a consequence of this legal obligation, among others, it shall adopt logical, administrative and physical security measures, according to the criticality of the personal information to which it has access, to ensure that this type of information will not be used, traded, assigned, transferred and/or subjected to any other treatment contrary to the purpose included in the provisions of the object of this contract. Any suspicion of loss, leakage or attack against the personal information contained in the databases of THE COMPANY shall be reported; notice shall be given once it has knowledge of such eventualities, through the most relevant or effective mechanisms, such as publication on the website or networks of the company, direct communication to the reported email of the affected person or the means established by it for such purposes, or in any way that guarantees the holder's right to information. The loss, leakage or attack against personal information also implies the obligation to manage the security incident in accordance with the legal guidelines on the matter. Some of the minimum standards voluntarily adopted from the ISO 27001/27002 standards may be taken as a reference.
This policy is effective as of November 18, 2020, the date of update.
Marcos Vélez Botero