Valorem S.A.S., a commercial company identified with NIT 830.038.885-7, incorporated in the Republic of Colombia, with its main domicile at Calle 75 No. 5-59 Bogotá D.C., together with its affiliates, subsidiaries and other related parties, recognizes the importance of the security, privacy and confidentiality of the personal data of its clients, shareholders, suppliers, employees and related third parties. In compliance with its constitutional and legal mandates, it therefore presents the following document, which contains its manual of privacy and personal data protection policies.
1. GENERAL PRINCIPLES, POSTULATES AND SPECIFIC PRINCIPLES:
VALOREM S.A.S. (hereinafter, VALOREM or the Company) guarantees the protection of rights such as Habeas Data, privacy, intimacy, good name and image. For this purpose, all actions will be governed by principles of good faith, legality, informatics self-determination, freedom and transparency.
Anyone who, in the exercise of any activity, including commercial and labor activities, whether permanent or occasional, supplies any type of information or personal data to VALOREM, where VALOREM acts as the person in charge of the treatment or the person responsible for the treatment, will be able to know, update and rectify it.
LEGAL FRAMEWORK: Political Constitution, article 15; Law 1266 of 2008; Law 1581 of 2012; Regulatory Decrees 1727 of 2009 and 2952 of 2010, and partial Regulatory Decree N° 1377 of 2013; Constitutional Court Rulings C-1011 of 2008 and C-748 of 2011; Decrees 886 of 2014 and 1074 of 2015; other regulatory and complementary provisions.
In accordance with current legislation on the matter, the following definitions are established, which will be applied and implemented accepting the interpretation criteria that guarantee a systematic and comprehensive application, and in line with technological advances, technological neutrality and other principles and postulates that govern the fundamental rights that circle, orbit and surround the right to habeas data and protection of personal data.
- Authorization: Prior, express and informed consent of the owner to carry out the processing of personal data.
- Data base: Organized set of personal data that is subject to treatment.
- Personal datum: Any information linked to or that may be associated with one or several particular or determinable natural persons.
- Public datum: It is the datum that is not semi-private, private or sensitive. Public data, among others, are the data related to the civil status of people, their profession or trade and their status as a merchant or public servant.
- Person in charge of treatment: Natural or legal person, public or private, that by itself or in association with others, carries out the processing of personal data on behalf of the person responsible for the treatment.
- Responsible for the treatment: Natural or legal person, public or private, that by itself or in association with others, decides on data bases and / or data processing.
- Owner: Natural person whose personal data are subject to processing.
- Treatment: Any operation or set of operations on personal data, such as the collection, storage, use, circulation or suppression.
VALOREM will apply the following specific principles that are established below, which constitute the rules to be followed in the collection, handling, use, treatment, storage and exchange of personal data:
- Legality: In the use, capture, collection and processing of personal data, the current and applicable provisions that rule the treatment of personal data and other related fundamental rights, will be applied.
- Security: Personal data and information used, captured, collected and subject to treatment by VALOREM, will be subject to protection to the extent that technical resources and minimum standards allow for it, through the adoption of technological protection measures, protocols, and all kinds of administrative measures that are necessary to grant security to the electronic records and repositories avoiding their adulteration, modification, loss, consultation, and in general against any unauthorized use or access.
- Confidentiality: Each and every one of the people who manage, handle, update or have access to information of any kind found in the Databases or Data Banks is committed to preserving it, keeping it strictly confidential and not revealing to third parties any of the personal, commercial, accounting, technical or any other kind of information supplied in the execution and exercise of their functions. All people who currently work, or who are in the future engaged, in the management and handling of databases must sign an additional document or amendment to their work or service provision contract in order to ensure such commitment. This obligation persists and is maintained even after the end of their relationship with any of the tasks that the Treatment comprises.
- Liberty: The use, capture, collection and processing of personal data can only be carried out with the previous, express and informed consent by the Holder. Personal data may not be obtained or disclosed without previous authorization, or in the absence of legal, statutory or judicial mandate that relieves consent.
- Purpose: The use, capture, collection and processing of personal data which may be accessed, gathered and collected by VALOREM, will be subordinated and serve a legitimate purpose, which must be informed to the respective owner of the personal data.
- Veracity or quality: The information subject to use, capture, collection and processing of personal data must be truthful, complete, exact, updated, verifiable and understandable. Processing of partial, incomplete, fractioned or misleading data is prohibited.
- Transparency: In the use, capture, collection and processing of personal data, the right of the Holder to obtain from VALOREM, at any moment and without restrictions, information about the existence of any type of information of personal data belonging to his interest or ownership, must be guaranteed.
- Restricted circulation: Personal data, except for public information, cannot be available on the internet or any other circulation or mass communication media, except that the access is technically controllable to provide restricted knowledge only to the Holders or authorized third parties. For these purposes, VALOREM’s obligation will be as a medium.
4. PURPOSE AND TYPE OF TREATMENT:
VALOREM carries out or reserves the right to carry out, in accordance with the terms and limits established in the current regulations, the processing of personal information for the following purposes:
- To carry out, through any means directly or through third parties, activities of marketing, promotion and / or own or third party advertising, sales, billing, collection management, collection, programming, technical support, market intelligence, improvement of the service, verifications and consultations, control, behavior, habit and enablement of means of payment, fraud prevention, as well as any other related with our products and services, current and future, for the fulfillment of contractual obligations and our corporate purpose.
- To evaluate the quality of our products and services and conduct studies on consumption habits, preference, purchasing interest, product test, concept, service evaluation, satisfaction and other related to our services and products.
- To carry out the necessary steps to comply with the obligations inherent to the corporate purpose of VALOREM.
- To control and prevent fraud in all its forms.
- To manage security and access control to the Company’s facilities.
- To comply with the biosafety standards and protocols provided by the competent authorities issued within the framework of the State of Health Emergency as a consequence of the COVID-19 pandemic; or any other health emergency or public health situation for which the national and local authorities require collection, treatment and use of personal data, including sensitive personal data.
- Report to the authorities and health entities that information necessary to manage or mitigate the effects generated by COVID-19, including sensitive personal data, or any other health emergency or public health situation for which the national and local authorities require the report to authorities of personal data, including sensitive personal data.
The type of treatment carried out on personal data contemplates the activities described under the definition “Treatment” included in Article 2nd of this document and in addition, the following:
To share information with:
- The person or persons in charge of the treatment.
- The legal persons who hold the quality of suppliers, allies, distributors, subcontractors, outsourcing and other third parties directly or indirectly related to the VALOREM corporate purpose, especially but not limited to: billing, collection, collection, advertising, marketing, promotions, sales, facilities, support, communication.
- The affiliates, subsidiaries, related companies or matrices of VALOREM.
- The operators necessary to comply with the rights and obligations derived from the contracts entered into in the ordinary course of business.
- The people with whom VALOREM makes arrangements to comply with its commercial, contractual, legal, administrative and other obligations.
5. SENSITIVE DATA:
Sensitive data is understood to be those that affect the intimacy of the holder or whose misuse may generate discrimination, such as those that reveal the racial or ethnic origin, political orientation, religious or philosophical convictions, membership of unions, social organizations, of human rights or that promotes the interests of any political party or that guarantees the rights and guarantees of opposition political parties, as well as data related to health, sexual life and biometric data, among others, the capture of still or moving images, fingerprints, photos, iris, voice, facial or palm recognition, etc.
5.1 Sensitive data treatment:
- The data classified as sensitive can be used and processed when:
- The Holder has given his explicit authorization for such treatment, except in cases where by law the granting of said authorization is not required.
- The Treatment is necessary to safeguard the vital interest of the holder and he is physically and legally incapacitated. In these events, the legal representatives must grant their authorization.
- The Treatment is carried out in the course of legitimate activities and with due guarantees by a foundation, NGO, association or any other non-profit organization, whose purpose is political, philosophical, religious or union, whenever they refer exclusively to its members or to the people who maintain regular contact by reason of its purpose. In these events, the data may not be provided to third parties without the authorization of the owner.
- The Treatment refers to data that are necessary for the recognition, exercise or defense of a right in a judicial process.
- The Treatment has a historical, statistical or scientific purpose. In this event, the measures leading to the suppression of the identity of the Holders must be adopted.
5.2 Holder’s authorization:
Without prejudice to the exceptions provided for in the law, the treatment requires the prior, express and informed authorization of the owner, which must be obtained by any means that may be subject to subsequent consultation and verification.
5.3 Cases in which authorization is not required:
The authorization of the Holder will not be necessary in the case of:
- Information required by a public or administrative entity in the exercise of its legal functions or by court order.
- Public nature data.
- Cases of medical or health emergency.
- Treatment of information authorized by law for historical, statistical or scientific purposes.
- Data related to the Civil Registry of Persons.
6. RIGHT OF THE HOLDERS:
In accordance with the regulatory provisions on personal data, the Holder has the following rights:
- To know, update and rectify his personal data vis-à-vis the Persons Responsible for Treatment.
- To request proof of the authorization granted.
- To be informed, upon request, regarding the use that will be given to his personal data.
- To submit complaints to the SIC for violations of the provisions of the regulations on personal data.
- To request the deletion of personal data.
- To revoke the authorization by submitting an application and / or claim. This shall not proceed when the Holder has a legal or contractual duty to remain in the database.
- To request the SIC to order the revocation of the authorization and / or the deletion of the data.
- To consult his personal data free of charge, at least once every calendar month and each time there are substantial modifications of the policies for the Treatment of information.
7. RIGHTS OF BOYS, GIRLS AND ADOLESCENTS.
In the Treatment, respect for the prevalent rights of minors will be ensured.
The treatment of personal data of minors is banned, except for those data that are of a public nature.
8. DUTIES OF VALOREM AS RESPONSIBLE FOR THE TREATMENT OF PERSONAL DATA.
VALOREM, when acting as the person responsible for the treatment of personal data, will fulfill the following duties:
- To guarantee the Holder, at all times, the full and effective exercise of the right to habeas data.
- To request and keep a copy of the respective authorization granted by the holder.
- To properly inform the owner on the purpose of the collection and the rights that assist him by virtue of the authorization granted.
- To keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
- To guarantee that the information furnished to the person in charge of treatment be truthful, complete, exact, updated, verifiable and understandable.
- To update the information, communicating in a timely manner to the person in charge of the treatment, all the news regarding the data previously supplied and adopt the other necessary measures so that the information supplied is kept updated.
- To rectify the information when it is incorrect and communicate the pertinent to the person in charge of the treatment.
- To provide the Treatment Manager, as the case may be, only data whose Treatment is previously authorized.
- To require the Treatment Manager, at all times, to respect the security and privacy conditions of the Holder’s information.
- To process the queries and claims made.
- To inform the Treatment Manager when certain information is under discussion by the Holder, once the claim has been submitted and the respective procedure has not been completed.
- To inform at the request of the Holder about the use given to his data.
- To inform the data protection authority when there are violations of the security codes and there are risks in the administration of the information of the Holders.
9. NATIONAL REGISTRY OF DATABASES
VALOREM reserves, in the events contemplated in the law and in its internal statutes and regulations, the power to maintain and catalog certain information that rests in its databases or data banks, as confidential in accordance with current standards, its statutes and regulations.
VALOREM will proceed, in accordance with the legislation in force and the regulations issued by the National Government for this purpose, to register its databases before the National Registry of Databases (RNBD) that will be administered by the Superintendence of Industry and Commerce. The RNBD is the public directory of databases subject to Treatment that operate in the country and that will be freely consulted by citizens, in accordance with the regulations issued by the National Government for this purpose.
10. AUTHORIZATIONS AND CONSENT.
The collection, storage, use, circulation or deletion of personal data by VALOREM, requires the free, prior, express and informed consent by the holder thereof.
10.1. Means and manifestation to grant authorization.
The authorization can be recorded in a physical or electronic document, data message, Internet, Websites, or in any other format that allows guaranteeing its subsequent consultation, or through a suitable technical or technological mechanism that allows expressing or obtaining consent via click or double click, by means of which it can be unequivocally concluded that, had the holder not performed such conduct, the data would never have been captured and stored in the database. The authorization will be generated by VALOREM and will be made available to the holder prior to the processing of his personal data.
10.2. Proof of authorization.
VALOREM will use the mechanisms it currently has, and will implement and adopt the actions aimed at and necessary to keep records or suitable technical or technological mechanisms of when and how it obtained authorization from the holders of personal data for the treatment thereof. To comply with the foregoing, physical files or electronic repositories may be established directly or through third parties hired for this purpose.
11. NOTICE OF PRIVACY
The Notice of Privacy is the physical, electronic document or in any other known or to be known format, which is made available to the Holder for the processing of his personal data. Through this document, the Holder is informed of the information related to the existence of the information treatment policies that will be applicable, the way to access them and the characteristics of the treatment intended to be given to personal data.
The Holders, or their successors in title, will be able to consult the personal information of the Holder that rests in any database. Consequently, VALOREM will guarantee the right of consultation, supplying the Holders with all the information contained in the individual record or that is linked to the identification of the Holder.
To this end, the LEGAL VICE-PRESIDENCY will process the requests made by the Holders or their successors related to the treatment of their personal data. For this purpose, it is necessary that the Holder or his legal representative identify himself and make a clear, precise and detailed description of the data with respect to which he bases his request or seeks to exercise any of his rights, in order to guarantee a timely and effective response.
In the case of inquiries, VALOREM will respond to the petitioners within the term specified in Law 1581 of 2012, that is, within a maximum term of ten (10) business days from the date of receipt. When it is not possible to answer the query within said term, the interested party will be informed, stating the reasons for the delay and indicating the date on which the query will be attended, which in no case may exceed five (5) business days following the expiration of the first term.
The Holder or his successors in title may file a claim before the Person Responsible for Treatment, channeling and forwarding it through the designated dependency and whose contact details are specified in this document and which will exercise the function of protecting personal data within VALOREM.
The claim may be submitted by the Holder, taking into account the information indicated in article 15 of Law 1581 of 2012 and Decree 1074 of 2015, and other regulations that modify or add them.
- Procedures for submitting claims.
At any moment and without charge, the holder or his representative may request VALOREM to rectify, update or delete his personal data, after accreditation of his identity.
The rights to rectify, update or delete may only be exercised by:
- The Holder or his successors in title, after proof of their identity, or through electronic instruments that allow them to identify themselves.
- His representative, after accreditation of the representation.
When the request is made by a person other than the holder, the legal capacity or mandate to act must be duly accredited; and in case of not accrediting such quality, the request will be considered as not presented.
The request for rectification, updating or deletion must be presented through the media enabled by VALOREM, enshrined in this document and must contain, at least, the following information:
- The name and address of the holder or any other means to receive the response.
- The documents that accredit the identity or personality of his representative.
- The clear and precise description of the personal data with respect to which the holder seeks to exercise any of the rights.
- If necessary, other elements or documents which facilitate locating the personal data.
In case of claims, VALOREM will respond to the petitioners within the term specified in Law 1581 of 2012, that is, within a maximum term of fifteen (15) business days counted as of the next day of the date of receipt. When it is not possible to answer the query within said term, the interested party will be informed, stating the reasons for the delay and the date on which the claim will be attended, which in no case may exceed eight (8) business days following the expiration of the first term.
14. RECTIFICATION AND UPDATING OF DATA
VALOREM has the obligation to rectify and update, upon request of the holder, the information of the latter that turns out to be incomplete or inaccurate, in accordance with the procedure and the terms previously indicated. To this respect, the following will be taken into account:
In the requests for rectification and updating of personal data, the holder must indicate the corrections to be made and provide the documentation that supports his petition.
VALOREM has full freedom to enable additional mechanisms that facilitate the exercise of this right, provided that these benefit the holder. Consequently, electronic or other means that it deems pertinent may be enabled.
15. DELETION OF DATA
The holder has the right, at all times, to request VALOREM the deletion (elimination) of his personal data when:
- He considers that these are not being treated in accordance with the principles, duties and obligations set forth in current regulations.
- They are no longer necessary or pertinent for the purpose for which they were collected.
- The period necessary to fulfill the purposes for which they were collected has been exceeded.
This deletion implies the total or partial elimination of the personal information in accordance with the holder’s request, from the records, files, databases or treatments carried out by VALOREM. It is important to take into account that the right to deletion is not absolute and the person responsible may deny the exercise thereof, when:
- The holder has a legal or contractual duty of staying in the database.
- The elimination of data obstructs judicial or administrative proceedings related to fiscal obligations, the investigation and prosecution of criminal offences or the updating of administrative sanctions.
- The data are necessary to protect the holder’s legally protected interests, to carry out an action based on the public interest, or to fulfill an obligation legally acquired by the holder.
16. CONTACT MEANS
In order to guarantee the right of the Holders to make inquiries, complaints, claims or petitions, VALOREM makes the following contact mechanisms available to them:
- Email: [email protected]
- Physical address: Calle 75 No. 5-59 Bogotá D.C.
- Telephone: +57 (1) 7560809.
The previous means of contact are understood without prejudice to VALOREM’s power to establish additional contact mechanisms, which will be published or announced through its website.
17. REVOCATION OF AUTHORIZATION.
The holders of personal data may revoke their consent to the processing of their personal data at any time, as long as it is not prevented by a legal or contractual provision.
The first may be about all the consented purposes, that is, that VALOREM must completely stop treating the data of the holder;
The second may occur on specific types of treatment, such as for advertising or market research purposes.
18. INFORMATION SECURITY AND SECURITY MEASURES
VALOREM will adopt the technical, human and administrative measures that are necessary to grant security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.
19. PERSONAL DATA PROTECTION FUNCTION WITHIN VALOREM
VALOREM will act as RESPONSIBLE FOR THE TREATMENT of Personal Data and, additionally, will act as MANAGER OF THE TREATMENT to the extent that the treatment of the respective database has not been delegated to a third party. In the event that you consider that VALOREM gave a use contrary to that authorized and to the applicable laws, you may contact us through a communication addressed to the LEGAL VICE-PRESIDENCY, which may be contacted by any of the means provided in this document.
This manual is valid as of October 4, 2016 and its last update was September 1, 2020.
Valorem S.A.S. (hereinafter “VALOREM” or the “Society”), responsible for the surveillance and reception of the building located at Calle 75 # 5-59 in Bogotá, in compliance with the provisions of Law 1581 of 2012 and its regulatory decrees, informs that the Personal Data that you provide when entering its offices and facilities, will be treated through the use and maintenance of technical, human and administrative security measures in order to prevent unauthorized third parties from accessing them.
1. Responsible for the Treatment:
The Responsible for the Treatment of your Personal Data is VALOREM, domiciled in Bogotá, whose main office is located at Calle 75 # 5-59 Bogotá, Colombia. For more information you may contact us at the email [email protected] or by phone +57 (1) 7560809.
2. Treatment and Purpose:
The Personal Data supplied will be collected, used, transmitted, transferred, stored and processed in order to:
- a. Control Access to the offices, including video-surveillance common areas in the building;
- b. Respond to inquiries, petitions, complaints and claims made by the Holders and to control bodies, and Transmit the Personal Data to the other authorities that by virtue of the applicable law must receive the Personal Data;
- c. Notify authorized contacts in case of emergencies during the access to our offices.
- d. To comply with the biosafety standards and protocols provided by the competent authorities issued within the framework of the State of Health Emergency as a consequence of the COVID-19 pandemic; or any other health emergency or public health situation for which the national and local authorities require collection, treatment and use of personal data, including sensitive personal data.
- e. Report to the authorities and health entities that information necessary to manage or mitigate the effects generated by COVID-19, including sensitive personal data, or any other health emergency or public health situation for which the national and local authorities require the report to authorities of personal data, including sensitive personal data.
3. Rights of the Holder of Personal Data:
We inform you that you have the rights provided in the Political Constitution, Law 1581 of 2012 and its regulatory decrees, and in particular to:
- a. Access the Personal Data provided to VALOREM that have been subject to Treatment, free of charge.
- b. Know, update and rectify your personal information against partial, inaccurate, incomplete, fractioned, misleading data, or with respect to those whose treatment is expressly prohibited or has not been authorized;
- c. Request proof of the Authorization granted to VALOREM;
- d. Be informed by the Responsible or Manager on the use that has been given to your Personal Data;
- e. Present before the Superintendency of Industry and Commerce (“SIC”) complaints for infractions to the provisions of current regulations;
- f. Revoke the Authorization granted and request the deletion of the data when the constitutional and legal principles, rights and guarantees are not respected;
- g. Refrain from answering questions about sensitive data. Answers to questions about children and adolescents and those related to health data will be optional.
4. Mechanisms to know the Information Treatment Policy:
You may exercise the rights that the Law provides, following the procedures that VALOREM provides for such purposes, which you can learn about in our Information Treatment Policy published on VALOREM’s website.
For questions and concerns related to these issues, you can write to us at [email protected].