POLICIES AND PROCEDURES FOR THE PROCESSING OF PERSONAL DATA IMAGEN VIRTUAL S.A.S.
IMAGEN VIRTUAL S.A.S., hereinafter the Company, are committed to the protection of the fundamental right of HABEAS DATA that all persons have to know, update and rectify the information that has been collected about them in databases or files, and others rights, freedoms and constitutional guarantees referred to in articles 15 and 20 of the Political Constitution.
For the purposes of this document, the following definitions must be taken into account in order to apply the personal data processing policy.
a) Authorization: Prior, express and informed consent of the owner to carry out the processing of personal data.
b) Database: Organized set of personal data that is subject to processing.
c) Personal data: Any information linked or that may be associated with one or more specific or determinable natural persons.
d) Responsible for the processing: Natural or legal person, public or private, that by itself or in association with others, performs the processing of personal data on behalf of the person responsible for the treatment.
e) Responsible for the processing: Natural or legal person, public or private, that by itself or in association with others, decides on the basis of data and / or data processing.
f) Owner: Natural person whose personal data is subject to processing.
g) Treatment: Any operation or set of operations on personal data, such as the collection, storage, use, circulation or deletion.
2. GUIDING PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA
The Company will harmoniously and comprehensively apply the following principles when processing personal data:
2.1. Principle of legality in terms of data processing: The processing of personal data must be subject at least to what is established in the laws in force that regulate the matter and provisions that develop it.
2.2. Principle of purpose: The treatment must obey a legitimate purpose in accordance with the Constitution and the law, which must be informed to the owner.
2.3. Principle of freedom: The treatment can only be exercised with the prior, express and informed consent of the holder. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves consent.
2.4. Principle of truthfulness or quality: The information subject to treatment must be truthful, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fractional or error-inducing data should not be carried out.
2.5 Principle of transparency: In the treatment, the right of the holder to obtain information about the existence of their personal data must be guaranteed from the person responsible for the treatment or the person in charge of the treatment, at any time and without restrictions.
2.6. Principle of access and restricted circulation: The processing is subject to the limits derived from the nature of personal data, the provisions of the Constitution and the law. In this sense, the treatment can only be done by persons authorized by the holder and / or by the persons authorized by the law or the judicial authority.
2.7. Security principle: The information subject to treatment should be handled with the necessary technical, human and administrative measures to provide security to the records, avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.
2.8. Principle of confidentiality: All persons involved in the processing of personal data that do not have the nature of audiences are obliged to guarantee the reservation of information, even after the end of their relationship with any of the tasks included in the processing, being able only make provision or communication of personal data when permitted by law and in the terms provided by it.
3. RIGHTS OF THE HOLDERS
The Company in all processing of personal data will be respectful of the rights of the owners. For the purposes of this manual, the holder of personal data will have the following rights:
a) Know, update and rectify your personal data against those responsible for the treatment or those in charge of the treatment. This right may be exercised, inter alia, against partial, inaccurate, incomplete, fractional data that is misleading, or those whose treatment is expressly prohibited or has not been authorized.
b) Request proof of authorization granted to the person responsible for the treatment except when expressly exempted by law.
c) Be informed by the person in charge of the treatment or the person in charge of the treatment, upon request, regarding the use he has given to his personal data.
d) Submit complaints to the Superintendencia de Industria y Comercio for violations of the law that regulates the protection of personal data and the other regulations that modify, add or complement it.
e) Revoke the authorization and / or request the deletion of the data when the constitutional and legal principles, rights and guarantees are not respected in the treatment. The revocation and / or deletion will proceed when the Superintendencia de Industria y Comercio, or the competent authority, has determined that in the treatment the person responsible or responsible has incurred in conduct contrary to the Constitution or the law.
f) Access free of charge to your personal data that have been processed.
3.1 Authorization of the holder
Any treatment that the Company makes of personal information requires the prior and informed authorization of the holder, which must be obtained by any means that may be subject to subsequent consultation.
The authorization will not be necessary in the exceptions provided in the law, by way of example and without prejudice to the rules modify, add or complement, the authorization will not be necessary in the following cases:
a) Information required by a public or administrative entity in the exercise of its legal functions or by court order.
b) Data of a public nature.
c) Cases of medical or sanitary urgency.
d) Treatment of information authorized by law for historical, statistical or scientific purposes.
e) Data related to the Civil Registry of persons.
3.2 Duty to inform the holder
The person responsible for the treatment, at the time of requesting the authorization from the holder, must clearly and expressly inform the following:
a) The treatment to which your personal data will be submitted and the purpose thereof;
b) The optional nature of the answer to the questions asked, when these are about sensitive data or about the data of girls, boys and adolescents;
c) The rights that assist you as the holder;
d) The identification, physical or electronic address of the controller.
4. DUTIES OF THE RESPONSIBLE FOR THE TREATMENT AND MANAGERS OF THE TREATMENT
Those responsible for the treatment must comply with the following duties, without prejudice to the other provisions set forth in this manual and in the provisions that regulate their activity:
4.1 Duties of those responsible for the treatment
a) Guarantee the holder, at all times, the full and effective exercise of the right of habeas data.
b) Request and keep a copy of the authorization granted by the holder.
c) Inform the owner about the purpose of the collection and the rights that assist him by virtue of the authorization granted.
d) Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
e) Ensure that the information provided to the person in charge of the treatment is truthful, complete, accurate, updated, verifiable and understandable.
f) Update the information, communicating in a timely manner to the person in charge of the treatment, all the news regarding the data that you have previously provided and take the other necessary measures so that the information provided to it is kept updated.
g) Rectify the information when it is incorrect and communicate the pertinent to the person in charge of the treatment.
h) Provide the data controller with only data whose treatment is previously authorized in accordance with the provisions of the law.
i) Require the person in charge of the treatment at all times to respect the security and privacy conditions of the owner's information.
j) To process the queries and claims made in the terms indicated in this manual and in the law that regulates the matter.
k) Inform the person in charge of the treatment when certain information is under discussion by the owner, once the claim has been submitted and the respective procedure has not been completed.
l) Inform at the request of the owner about the use given to their data.
m) Inform the data protection authority when there are violations of security codes and there are risks in the administration of the information of the owners.
n) Comply with the instructions and requirements issued by the Superintendencia de Industria y Comercio.
4.2 Duties of treatment managers.
Those in charge of treatment must comply with the following duties, without prejudice to the other provisions set forth in this manual and in the regulations governing their activity:
a) Guarantee the holder, at all times, the full and effective exercise of the right of habeas data.
b) Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
c) Timely update, rectify or delete the data in the terms of this manual.
d) Update the information reported by those responsible for the treatment within the next five (5) business days, counted from the receipt of your request.
e) To process the consultations and claims made by the holders in the terms indicated in the law.
f) Record in the database the legend “claim in process” in the way it is regulated by law.
g) Insert in the database the legend “information in judicial discussion” once notified by the competent authority about judicial processes related to the quality of personal data.
h) Refrain from circulating information that is being controversial by the holder and whose blockade has been ordered by the Superintendencia de Industria y Comercio.
i) Allow access to information only to people who may have access to it.
j) Inform the Superintendencia de Industria y Comercio when there are violations of security codes and there are risks in the administration of the information of the owners.
k) Comply with the instructions and requirements issued by the Superintendencia de Industria y Comercio.
5. TREATMENT OF SENSITIVE DATA
For the purposes of this manual and as established by law, sensitive data means those that affect the privacy of the owner or whose improper use can generate discrimination, such as those that reveal racial or ethnic origin, political orientation, convictions religious or philosophical, membership in unions, social organizations, human rights or that promotes interests of any political party or that guarantee the rights and guarantees of opposition political parties as well as data related to health, sexual life and biometric data
5.1 Processing of sensitive data
In general terms, the company will refrain from processing sensitive data according to the limitations imposed by law. It is understood that the processing of this type of data can be carried out when one of the following circumstances occurs:
a) The holder has explicitly authorized said treatment, except in cases where the granting of the authorization is not required by law.
b) The treatment is necessary to safeguard the vital interest of the holder and he is physically or legally incapacitated. In these events, legal representatives must grant their authorization.
c) The treatment is carried out in the course of legitimate activities and with the due guarantees by a foundation, ONG, association or any other non-profit organization, whose purpose is political, philosophical, religious or trade union, provided that refer exclusively to its members or to people who maintain regular contacts because of their purpose. In these events, the data cannot be provided to third parties without the authorization of the owner.
d) The treatment refers to data that are necessary for the recognition, exercise of defense of a right in a judicial process.
e) The treatment has a historical, statistical or scientific purpose. In this event, the measures leading to the deletion of the identity of the owners must be adopted.
5.2 Treatment of personal data of children and adolescents.
The processing of this type of personal data requires special respect for the prevailing rights of children and adolescents.
The use of personal data of children and adolescents is prohibited in the
Company except in cases allowed by law.
The holders or their successors may consult the personal information of the holder that rests in the Company's database. The person responsible or in charge of the treatment must provide to them all the information contained in the individual registry or that is linked to the identification of the owner.
The query will be made through the following emails:
and / or by the means authorized by the Company for this purpose, as long as proof of it can be maintained.
The consultation will be answered within a maximum period of ten (10) business days from the date of receipt. When it is not possible to attend the query within said term, the interested party will be informed, expressing the reasons for the delay and indicating the date on which his query will be attended, which in no case may exceed five (5) business days following the expiration of the first term.
The holder or his successors who consider that the information contained in a database must be subject to correction, update or deletion, or when they notice the alleged breach of any of the duties contained in the Constitution and the law, may file a complaint with the responsible or responsible for the treatment designated by the Company, which will be processed under the following rules:
1) The claim will be formulated by means of a request addressed with the identification of the holder, the description of the facts that give rise to the claim, the address, and accompanying the documents to be asserted. If the claim is incomplete, the interested party will be required within five (5) days after receipt of the claim to correct the failures. After two (2) months from the date of the request, without the applicant submitting the required information, it will be understood that he has given up the claim.
2) In the event that the person receiving the claim is not competent to resolve it, they will transfer it to the appropriate party within a maximum period of two (2) business days and inform the interested party of the situation.
3) Once the complete claim is received, a legend that says “claim in process” and the reason for it will be included in the database, in a term not exceeding two (2) business days. This legend must be maintained until the claim is decided.
4) The maximum term to address the claim will be fifteen (15) business days from the day following the date of receipt. When it is not possible to address the claim within said term, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first finished.
7. DATA TRANSFER TO THIRD COUNTRIES
The transfer of personal data of any kind to countries that do not provide adequate levels of data protection is prohibited. It is understood that a country offers an adequate level of data protection when it meets the standards set by the Superintendencia de Industria y Comercio on the subject or by the authority provided by law.
Personal data may be sent or transmitted to third countries in the following events:
a) Information regarding which the holder has granted express and unequivocal authorization for the transfer.
b) Exchange of medical data, when required by the holder's treatment for reasons of health or public hygiene.
c) Bank or stock transfers, in accordance with the applicable legislation.
d) Transfers agreed in the framework of international treaties in which the Republic of Colombia is a party, based on the principle of reciprocity.
e) Transfers necessary for the execution of a contract between the holder and the person responsible for the treatment, or for the execution of pre-contractual measures as long as the authorization of the holder is available.
f) Transfers legally required for the safeguarding of the public interest, or for the recognition, exercise or defense of a right in a judicial process.
g) Other cases determined by law, the Superintendencia de Industria y Comercio or the competent authority.
8. CONTACT DATA FOR THE PROCESSING OF PERSONAL DATA
For the purposes of requesting clarifications, presenting complaints or claims or requesting in general any information regarding the processing of personal data, the Company has enabled the email firstname.lastname@example.org and the telephone numbers (+57) 3687802 or (+57) 3687835.
© 2020 Imagen Virtual · Bogotá D.C, Colombia