Data Protection Policy
The purpose of this Personal Data Processing Policy is to establish the parameters and rules that ensure the correct handling of personal information, as well as to explain the procedure for addressing inquiries and complaints regarding personal data submitted by the holders of personal information.
This policy has been developed in accordance with the provisions of the Political Constitution of Colombia and in compliance with the provisions of the data protection regime, which is composed of Law 1581 of 2012, Regulatory Decree 1377 of 2013, Decree 886 of 2014, External Circular 002 of 2015, Decree 1072 of 2015, External Circular 005 of 2017, Decree 090 of 2018, and encompasses other complementary provisions that cover all activities constituting the processing of personal data, thus guaranteeing the rights to privacy and habeas data of the holders of personal information.
I. Identification of the Data Controller
The Data Controller is the natural or legal person, public or private, who, by themselves or in association with others, decides on the Processing of Data, determines the purposes, content, and use of the personal data collected in the course of their economic activity. The data controller is the one who defines the purposes and means of processing personal information, and therefore, is responsible for requesting and retaining the authorization that includes the express consent of the data subject for the processing of their data, as well as clearly informing the purpose of the same.
For the purposes of this policy, Partner Comunicación S.A.S may act as the data controller or processor of personal information, as the case may be, a situation that will be timely informed to each data subject.
- Company Name: Partner Comunicación S.A.S
- Tax Identification Number: 900432631 – 6
- Main Address: Avenida 8N # 51N – 22
- Phone: (+57) 3127984066
- Email: protecciondedatos@partnercomunicacion.co
Thus, PARTNER COMUNICACIÓN S.A.S may be responsible for or in charge of processing the personal information of the data subjects from the stakeholder groups involved in its operations, which include identified candidates, shareholders, employees, clients, suppliers, among others.
II. Processing to which the personal information collected by the data controller will be subjected
To understand what personal data processing means, the first thing to be clear about is what is meant by personal data and subsequently identify the implications of processing it.
Personal data is information concerning physical persons that allows them to be identified thanks to the overall view made of it. Depending on its nature, personal data can be classified as private, semi-private, public, and sensitive; and there are various types of personal data, not limited simply to identification data, but also including labor, patrimonial, academic, ideological, health, physical characteristics, life, habits, among others.
The processing of personal data refers to any physical or automated operation or procedure involved within the data lifecycle, including activities such as capture, creation, use, storage, custody, maintenance, modification, access, transmission, transfer, dissociation, suppression, and deletion.
The processing of personal information is subject to special rules, known as principles of personal data processing, which are established in Law 1581 of 2012. These principles are: legality, purpose, freedom, truthfulness, transparency, restricted access and circulation, security, and confidentiality.
The personal data collected may include, but is not limited to, identification, contact, location, financial, academic, labor, socioeconomic, biometric data, among others, which have been provided directly or indirectly by the data subject according to the identified and authorized purposes to facilitate the exchange of services, goods, and services, as well as to fulfill the legal, commercial, civil, and labor obligations of the data controller.
The data controller states that it will only share personal information with third parties when the data subject authorizes it, giving their consent for the transfer or transmission, when required by judicial authority, authorized by law, or when necessary to ensure the continuity of its operation, such as service providers for administration, technology, messaging, security, among others, regardless of whether the service provider is in countries other than Colombia, regardless of whether they meet the minimum adequate requirements for personal data protection established by law for its processing. However, in this situation, it is mentioned that the data controller has warned these third parties about the need to protect personal information with appropriate security measures, prohibiting the use of the information for their own purposes and requesting that personal information not be disclosed to other third parties without due authorization.
When the processing of information involves sensitive data, that is, data that affects the privacy of the data subject or whose misuse can generate discrimination, such as those revealing physical and mental health information, sexual life, biometric data, ethnic origin, political orientation, religious beliefs, union affiliation, and political interests, the data controller guarantees that its processing will be carried out in accordance with legal limitations and ensuring that: (i) prior, informed, explicit, and express authorization is always obtained for such processing; (ii) the data subject has been informed of the optional nature of their authorization; (iii) no activity will be conditioned on the request for such data; and (iv) when its processing is explicitly regulated by law.
When it is necessary to process personal data of minors and adolescents, their fundamental rights and the best interests of children and adolescents will always be respected. Their fundamental rights will be respected, and as much as possible, such processing will be carried out taking into account their opinion considering their (i) maturity; (ii) autonomy; (iii) ability to understand the purpose of the processing; (iv) understanding of the consequences of the processing.
Finally, the data controller indicates that the processing of personal data will be carried out for the time that is pertinent, necessary, and reasonable according to the purposes that justify the processing, considering the administrative, accounting, fiscal, legal, and historical aspects of the information. Therefore, the information will be retained when required to fulfill a legal or contractual obligation. Once the purposes of the processing have been fulfilled, the information will be deleted unless there is existing legislation that provides otherwise.
III. Purposes of Personal Data Processing Applicable to Each of the Stakeholder Groups Involved in the Data Controller’s Operations
The data controller will process personal data to ensure the agency’s operational development, considering the following processing purposes:
1. PURPOSES OF PROCESSING SHAREHOLDERS’ PERSONAL INFORMATION
The data controller informs the entity’s shareholders that the processing of their personal data will be carried out in accordance with current regulations, and the purposes applicable to the processing of their personal information are as follows:
- Include them in the database and shareholder registry as a shareholder of the entity.
- Inform, organize, control, and accredit the relevant activities in their capacity as a shareholder.
- Allow the exercise of rights and duties as shareholders.
- Make dividend payments according to their economic and shareholding participation.
- Comply with judicial, administrative, and legal decisions related to their status as shareholders.
- Inform about substantial changes in the Personal Data Processing Policy.
- Respond to requests, inquiries, claims, and/or complaints made by the holders of personal information through any of the channels enabled by the data controller for this purpose.
- Transfer or transmit personal information to third parties, whose management ensures the correct operation of the data controller, whether for services such as accounting, systems, among others, even if they are in countries other than Colombia, regardless of whether they meet the minimum adequate requirements for personal data protection established by Colombian law for its processing.
2. PURPOSES APPLICABLE TO THE PROCESSING OF CANDIDATES’ DATA FOR A VACANCY
- The data controller informs that your personal information will be processed during the recruitment and selection process to carry out performance tests, competency and skills assessments, home visits, psychotechnical and psychosocial evaluations, reference checks, work history analysis, and other necessary evaluations to identify the suitability of the hiring. Your information will be stored in the database called CANDIDATES FOR A VACANCY, which is kept in physical and automated files, for a maximum period of six (6) months, after which the file or folder will be destroyed or deleted.
- Transfer or transmit personal information to third parties, whose management ensures the correct operation of the data controller, whether for services such as technology and infrastructure, labor lawyers, among others, even if they are in countries other than Colombia, regardless of whether they meet the minimum adequate requirements for personal data protection established by Colombian law for its processing.
3. APPLICABLE PURPOSES FOR EMPLOYEE AND INTERNSHIP-RELATED DATA.
The responsible party will process employee and intern personal data for the following purposes:
- To include their personal data in the labor contract or practice agreement, and any necessary documents to administer the employment or internship relationship and related obligations that are the responsibility of the employer.
- To process personal data to comply with obligations imposed on the employer or internship provider, including management of social benefits, contributions, withholdings, taxes, labor disputes, registration with social security systems, pension funds, labor risk administrators, family compensation funds, and other entities where the employee has previously authorized the processing of their information.
- To process the personal data of the data subject and their family members for the purpose of registering them with health insurance providers, family compensation funds, workers’ compensation administrators, and other relevant entities, as required by the employer’s obligations.
- To ensure the proper implementation of the provisions set forth in the Internal Labor Regulations.
- To manage their personal data to ensure proper allocation of work tools, including technological resources such as email, mobile phone, access to operating systems, applications, and others.
- To process payroll payments, including making deductions for payments to third parties previously authorized by the data subject.
- To address employee requests for certificates, letters of recommendation, and other documents pertaining to their employment relationship.
- To maintain and securely store active and historical employee records, ensuring their confidentiality and integrity.
- To send internal communications related to or unrelated to their employment relationship.
- To promote participation in programs developed to enhance well-being and a positive work environment.
- To develop and administer the talent acquisition process, including recruitment, selection, and onboarding.
- To manage psychotechnical tests, performance assessments of competencies and skills, home visits, psychosocial evaluations, polygraph tests, and other relevant evaluations deemed necessary for the selection and hiring process.
- To notify about significant updates to the Data Protection Policy.
- To respond to requests, inquiries, complaints, and/or claims made by personal data owners through any of the enabled channels designated by the responsible party for such purposes.
- To share or transfer personal data to third-party service providers, including but not limited to accounting, recruitment, labor law firms, and other vendors, whether domestic or international, to ensure the responsible party’s operational efficiency, notwithstanding the recipients’ compliance with Colombian data protection regulations.
4. PURPOSES APPLICABLE TO THE PROCESSING OF SUPPLIERS AND CONTRACTORS’ DATA
- The personal data we collect from suppliers and their workers will be processed for the following purposes:
- Register them in the database.
- Collect, record, update, and maintain their personal data to inform, communicate, organize, control, attend to, and accredit activities related to their status as suppliers and contractors of the entity.
- Store their personal data in folders, software, or any other system for administrative and accounting management, known or to be known, required for the proper functioning of the entity.
- Manage the data of the SUPPLIER/CONTRACTOR to carry out the processes of invoice payments and collection accounts presented to the entity.
- Fulfill the obligations derived from the contractual relationship established with the SUPPLIER.
- Transfer information to administrative authorities that require it in the course of their functions to fulfill our legal obligations.
- Transfer or transmit personal information to third parties, whose management ensures the correct operation of the data controller, whether for services such as accounting, systems, among others, even if they are in countries other than Colombia, regardless of whether they meet the minimum adequate requirements for personal data protection established by Colombian law for its processing.
THE DATA CONTROLLER, understands that the personal data of both the provider or contractor and any third parties they supply, such as authorized workers to carry out the assigned management or service, commercial references, and certifications, have the authorization of the data subjects to be delivered and processed in accordance with the purposes outlined in this PERSONAL DATA PROCESSING POLICY.
5. PURPOSES APPLICABLE TO CLIENTS
- Collect, record, and update the personal data of CLIENTS’ users to carry out activities related to the development of the contractual object.
- Respond to requests or information requirements about CLIENTS’ products and services.
- Provide, process, complete, and follow up on the services acquired by the CLIENT.
- Perform billing tasks.
- Manage the collection of financial obligations acquired by the client with the entity.
- Send commercial, advertising, or promotional information about products and/or services, events, and/or commercial promotions to physical mail, email, cell phone, or mobile device via text messages (SMS and/or MMS, WhatsApp, Facebook Messenger) or through any other analogous and/or digital communication means created or to be created, to promote, invite, direct, execute, inform, and generally carry out commercial or advertising campaigns, promotions, or contests, directly by the CONTROLLER and/or by third parties.
- Transfer or transmit personal information to third parties, whose management ensures the proper functioning of the controller’s operation, whether through service provision such as accounting, systems, marketing services, among others, even if they are in countries other than Colombia, regardless of whether they meet the minimum adequate requirements for personal data protection established by Colombian law for their processing.
THE DATA CONTROLLER understands that their personal data and that of third parties they provide, such as authorized workers to be the communication channel in projects, payment processes, commercial referencing, among others; and of the data subjects to whom the advertising campaigns for which the entity is hired are directed, have the authorization of the same for their personal data to be processed in accordance with the purposes outlined in this PERSONAL DATA PROCESSING POLICY. All databases of THE AGENCY will have a validity equal to the period in which the purpose or purposes of the processing in each database are maintained, except for the database called CANDIDATES FOR A VACANCY, which will be kept for a maximum period of six (6) months, and once this time has elapsed, it will be destroyed or deleted.
IV. Rights of the Data Subject
Data subjects may exercise the right of Habeas Data before the data controller, meaning they can access, know, rectify, or oppose the processing of their personal data. Therefore, we proceed to describe the content and details of each of the rights.
- Right to Know: The data subject has the right to know if their personal data has been subjected to any form of processing and may exercise the right to know the origin of their data, the form of authorization, and if it has been transmitted or transferred to third parties, as well as to know the identification of those third parties.
- Right to Update: The data subject has the right to update the information maintained.
- Right to Rectification: The data subject may verify with the data controller the accuracy and truthfulness of their information, and in case of any discrepancy, due to inaccuracy, incompleteness, or errors, may request the rectification of their personal information.
- Right to Object: The data subject may object to the processing of their personal information when its use is excessive or inappropriate. They must indicate the data to be canceled, with the aim of generating a block of their data or definitive cancellation of the data or cessation of unauthorized use. The data may be retained for the periods provided in the applicable regulations and cannot be completely deleted when the data subject has a legal or contractual obligation to remain in the data controller’s database.
V. Procedure to Exercise Rights as a Data Subject Before the Data Controller
The data subject may exercise their rights at any time to ensure their right of access, rectification, deletion, and proof of authorization before the controller through the following enabled channels, addressed to the Personal Data Protection Officer, understood as the ADMINISTRATIVE DIRECTOR responsible for managing everything related to the comprehensive personal data management program:
(i) Email: You can contact via email at hola@partnercomunicacion.co
(ii) Main Office: You can go to the main office located at Av. 8N # 51N 22 in the city of Cali. To exercise your right, you should note that the data subject can exercise their right on their own behalf, through a representative, and in the case of minors, by the person who proves their legitimate legal representation. When the exercise of the right is carried out through a representative, the representative of the data subject must attach a copy of the power of attorney as a suitable document to submit the request; otherwise, the request will be considered as not submitted.
(iii) Contact Phone: (57) 3127984066. In exercising your rights, you can submit a query or a complaint, and each of these requests has a particular procedure, which are described below:
1. QUERY.
1.1. Applicability: When the data subject requires to know the personal information that is stored or linked in the databases owned by the controller, wishes to know the origin of the data, any other personal data obtained through any procedure, operation, or processing, to whom their personal data has been transmitted and/or transferred, or to whom it is intended to be communicated.
1.2. Response Time: The query will be answered within a maximum term of ten (10) business days from the date of receipt of the request.
1.3. Extension: If it is not possible to address the query within this term, the interested party will be informed, stating the reasons for the delay and indicating the date on which the query will be addressed, which in no case may exceed five (5) business days following the expiration of the first term, without prejudice to the provisions contained in special laws or regulations issued by the National Government that may establish shorter terms, depending on the nature of the personal data.
1.4. Information to be Provided: When data subjects make a query about their personal information, the controller, in its capacity as responsible or in charge of processing their personal data, will provide all the information contained in the individual record or that is linked to the data subject.
2. COMPLAINT.
2.1. Applicability: Complaints are filed when the data subject considers that the information contained in a database owned by the controller should be corrected, updated, or deleted, or when they notice the alleged non-compliance with any of the duties contained in Law 1581 of 2012. 2.2.
2.2 Response Time: The maximum term to address the complaint will be fifteen (15) business days from the day following the date of receipt. If it is not possible to address the complaint within this term, the interested party will be informed of the reasons for the delay and the date on which the complaint will be addressed, which in no case may exceed eight business days following the expiration of the first term.
2.3. Incomplete Complaint: If the complaint is incomplete, the interested party will be required within five (5) days following the receipt of the complaint to correct the deficiencies.
2.4. Withdrawal of the Complaint by the Interested Party: If the complaint has been filed incompletely and the interested party was duly notified to correct the error and has not responded within two (2) months from the date of the request, it will be understood that they have withdrawn the complaint.
2.5. Identification of the Procedure in the Database: Once the complete complaint is received, within no more than two (2) business days, a legend will be included in the database owned by the controller stating “complaint in process” and the reason for it. This legend must be maintained until the complaint is decided.
2.6. Competence to Respond: In the event that the controller receives a complaint from a data subject and is not competent to resolve it, it will transfer it to the appropriate party within a maximum term of two (2) business days and inform the interested party of the situation.
VI. Effective Date, Modifications, and Updates.
These personal data processing guidelines are effective from March 1, 2019.