1. ABOUT US
This document establishes the Personal Data Processing Policies of iKONO TELECOMMUNICATIONS SAS, onwards iKONO, commercial company identified with the NIT 900.253.186-1, a company dedicated to developing activities related to computer consulting and computer facility management activities, as well as the retail trade of computers, peripheral equipment, computer programs and telecommunications equipment in specialized establishments, among others.
IKONO In compliance with the provisions of the Political Constitution of Colombia, Statutory Law 1581 of 2012 and Decree 1377 of 2013 and its regulatory and complementary standards, it comprehensively guarantees the protection and exercise of the fundamental right of Habeas Data of all holders. of the personal information for which it is responsible or in charge of processing, and also guarantees at all times the fundamental rights to privacy, good name and privacy of people, which is why it adopts and applies this Policy. and Personal Data Protection Procedure, which contains all the essential, simple and secure elements for compliance with the legislation corresponding to the Protection of Personal Data.
In this policy you will find the company name, address, email address and telephone number of iKONO, the processing to which the data will be subjected and its purpose, the rights that assist you as the Owner, the area responsible for handling requests, queries and claims before which you can exercise your rights to know, update, rectify and delete the data and revoke the authorization and validity of the database.
2. DEFINITIONS
2.1. Notice of Privacy: Verbal or written communication generated by the person responsible, addressed to the owner for the processing of their personal data, through which they are informed about the existence of the information processing policies that will be applicable to them, the way to access them and the purposes of the treatment that is intended to be given to personal data.
2.2. Authorization: Prior, express and informed consent of the owner of the personal data to carry out the processing of personal data.
2.3 Database: Organized set of personal data that is subject to Processing.
2.4 Personal data: Any information linked or that can be associated with one or several specific or determinable natural persons[1]. “Personal data” must then be understood as information related to a natural person (individually considered person).
2.5 Public data: It is the data that is not semi-private, private or sensitive. Public data are considered, among others, data relating to the marital status of people, their profession or trade, and their status as a merchant or public servant. Due to its nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins, and duly executed judicial rulings that are not subject to confidentiality. It will also be understood that all data contained in public records will have this same nature.
2.6 Sensitive data: That data that affects the privacy of the Owner or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social organizations, human rights or that promotes the interests of any political party or that guarantees the rights and guarantees of opposition political parties as well as data related to health, sexual life and biometric data[2].
2.7 Person in charge of treatment: The company acts as the person in charge of the processing of personal data in cases where, by itself or in association with others, it processes personal data on behalf of a person responsible for the treatment.
2.8 Responsible for the treatment: The company acts as the person responsible for the processing of personal data for all personal data about which it decides directly, in compliance with its legally recognized functions.
2.9 Owner: Natural person whose personal data is the subject of Processing.
2.10 Transfer: The transfer of data takes place when the person responsible and/or in charge of the processing of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is responsible for the treatment and is located inside or outside the country. .
2.11 Transmission: Processing of personal data that involves the communication thereof within or outside the territory of the Republic of Colombia when its purpose is to carry out processing by the person in charge on behalf of the person responsible.
2.12 Treatment: Any operation or set of operations that the company carries out on personal data such as collection, processing, advertising, storage, use, circulation or deletion.
2.13 Data Protection Officer: It is the person within the company whose function is the monitoring and control of the application of the Personal Data Protection Policy. The officer will be appointed by the manager or, failing that, by the Board of Directors.
3. PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA
To comply with the Personal Data Protection Policy, the following principles will be applied in a harmonious and comprehensive manner:
3.1. Principle of legality in matters of data processing: Treatment is a regulated activity that must be subject to the provisions of the Law and its regulatory decrees.
3.2. Purpose principle: The Treatment will obey a legitimate purpose in accordance with the Constitution and the Law and will be informed to the Owner;
3.3 Principle of freedom: Treatment can only be carried out with the prior, express and informed consent of the Owner. Personal data may not be obtained or disclosed without authorization, by legal or judicial mandate that requires the revocation of consent;
3.4 Principle of truthfulness or quality: The information subject to Treatment will be true, complete, accurate, updated, verified and understandable. The Processing of partial, incomplete, fragmented or misleading data will not be carried out;
3.5 Principle of transparency: The Owner's right to obtain, at any time and without restrictions, information about the existence of the data that concerns him or her will be guaranteed;
3.6 Principle of restricted access and circulation: The Treatment will be subject to the limits derived from the nature of the personal data, the provisions of the law and the Constitution. In this sense, the Treatment will only be carried out by people authorized by the Owner or by the people provided for by law;
Except for public information, the data will not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide knowledge restricted only to the Owners or authorized third parties.
3.7 Safety principle: The information will be handled with the necessary technical, human and administrative measures to guarantee the security of the records, avoiding their adulteration, loss, consultation, unauthorized or fraudulent use or access;
3.8 Principle of confidentiality: All persons involved in the Processing of personal data that are not public in nature will guarantee the confidentiality of the information, even after their relationship with any of the tasks included in the Processing has ended, and may only supply or communicate personal data. when this corresponds to the development of the activities authorized in the Law.
4. PROCESSING AND PURPOSE OF PERSONAL DATA
4.1. Treatment
iKONO You will obtain freely, prior, express and voluntary authorization to transfer, store, use, circulate, delete, share, update and transmit personal data through physical, electronic mail, cell phone or mobile device, via text messages, media of communication, (television, newspaper and website), social networks or any analog and/or digital means of communication, known or to be known in accordance with this Personal Data Protection Policy
4.2 Data controller
Business name iKONO TELECOMMUNICATIONS SAS
NIT. 900.253.186-1
Home Pereira – Risaralda – Colombia
Address Carrera 12 #1 A – 43, Popular Neighborhood Model
Email [email protected]
Phone (6) 3401719
4.3 Processing of public data
The company warns that it will process public data and data contained in public records without prior authorization from the Owner. This situation does not imply that the necessary measures are not adopted to guarantee compliance with the other principles and obligations contemplated in Law 1581 of 2012 and other regulations that regulate this matter, as well as in this manual.
4.4. Treatment of sensitive data
The company will only process sensitive personal data for what is strictly necessary, requesting prior and express consent from the owners and informing them of the exclusive purpose for their processing.
The company will only use and process data classified as sensitive when:
The processing has been expressly authorized by the Owner of the sensitive data, except in cases where, by Law, the granting of said authorization is not required.
The Treatment is necessary to safeguard the vital interest of the owner and he or she is physically or legally incapacitated. In these events, representatives must grant authorization.
The Treatment refers to data that is necessary for the recognition, exercise or defense of a right in a judicial process;
In this sense, the company will comply with the following obligations:
- Inform the owner that because it is sensitive data, he or she is not required to authorize its processing.
- Inform the owner explicitly and in advance, in addition to the general requirements of the authorization for the collection of any type of personal data, which data subject to Treatment are of a sensitive nature and the purpose of the treatment, and obtain express consent.
- Do not condition any activity on the owner providing sensitive personal data (unless there is a legal or contractual cause to do so).
4.5. Processing of data of minors.
The company will only process personal data of minors when they are of a public nature, come from the information provided by employees or contractors, at the time of their employment relationship or provision of services with the company and/or are provided under the commercial activity carried out by the company. The above, in accordance with the provisions of article 7 of Law 1581 of 2012 and, when the treatment meets the following parameters and requirements:
- That responds to and respects the best interests of children and adolescents.
- That respect for their fundamental rights is ensured.
Once the above requirements have been met, the company will require the legal representative or guardian of the child or adolescent to authorize the minor, prior to the minor's exercise of his or her right to be heard, an opinion that will be valued taking into account maturity, autonomy and ability to understand. The issue.
The company and any person involved in the processing of personal data of children and adolescents will ensure its appropriate use. In compliance with the above, the principles and obligations established in Law 1581 of 2012 and Decree 1377 of 2013 are applied and developed.
4.6. Database classification
The company has classified its Databases as follows:
Customer Databases: They are manual or automated databases, which are structured and contain data of a public and private nature, sensitive data and data on minors. The database is made up of legal and/or natural persons. The company will process your data for the following purposes:
- Manage processing of requests, complaints and claims
- Carry out risk analysis, carry out satisfaction surveys regarding the company's goods and services, internal studies of consumer habits, evaluate quality, changes in products and/or services, for the company and its commercial allies;
- Provide commercial, advertising or promotional information about products and/or services, in order to promote, invite, direct, execute, inform and, in general, carry out campaigns, events, promotions or contests.
- Provide contact information to the sales force and/or distribution network, telemarketing, market research and any third party with which the company has a contractual relationship.
- Provide contact information and relevant documents to the commercial force and/or distribution network, telemarketing, market research and any third party with which the company has a contractual relationship of any kind.
- Make known, transfer and/or transmit personal data inside and outside the country to third parties as a result of a contract, law or legal link that requires it, or to implement cloud computing services.
- Carry out, through any means, directly or through third parties, programming and provision of technical services, sales, purchases, billing, portfolio management, monitoring of product performance, collection, business intelligence, marketing, promotion or advertising activities. , service improvement, collection monitoring, verification, consultation and control, enabling payment methods as well as any other related to our current and future products and services, for compliance with contractual obligations and the company's corporate purpose.
- Consult and report to any Risk Center
- Information to control and prevent fraud and MLFT in any of its forms.
- Send congratulatory messages on special dates (Example: Women's Day, Christmas, achievements, among others.)
Employee Databases: They are manual or automated databases that contain data of natural persons who are working with the company, the purpose of which is to comply with legal provisions, regulations and business policies. This database includes private and public information, sensitive data and data on minors. The processing of data for purposes other than the obligations derived from the employment relationship will require prior authorization from the owner or his legal representative, as the case may be. Under no circumstances will the company process sensitive or minor data without prior authorization.
The company will process your data for the following purposes:
- Comply with the obligations contracted by the company with the Information Owner, in relation to the payment of salary and other remuneration established in the employment contract or as provided by law.
- Offer corporate wellness programs and plan business activities for the owner and their beneficiaries (children, spouse, permanent partner).
- Sending information to governmental or judicial entities upon their express request.
- Support in external/internal audit processes.
- Registration of information about candidates, contractors and employees in the Company's database and making contact through any means to send information.
- For security or fraud prevention purposes.
- Provide commercial, advertising or promotional information about products and/or services, in order to promote, invite, direct, execute, inform and, in general, carry out campaigns, events, promotions or contests.
- To process data related to admission, prevention and withdrawal medical examinations, as well as medical records if required.
- Use of biometric data (sensitive data) such as fingerprint, audio, video and/or photograph or through any other means known or to be known (the “image” is understood to be the name, pseudonym, voice, signatures, initials, figure, physiognomy of body, face or any sign that is related to the identity of the person), for reproduction, communication or transmission on social networks and media such as television, newspapers, websites and video surveillance systems, for security, institutional events, advertising campaigns, promotions and contests, among others.
- To collect, use, store and circulate your resume.
- Transfer of data to third parties to carry out selection processes, affiliation with health companies, pension, ARL, insurance companies and others that are required for the formalization of the hiring process.
- Consult and report to any Risk Center.
- Carry out the pertinent steps for the development of the company's corporate purpose in what has to do with compliance with the purpose of the contract entered into with the Owner of the information.
- Information to control and prevent fraud and MLFT in any of its forms.
Supplier and Contractor Databases: They are manual or automated databases that contain data of natural or legal persons who maintain a contractual and commercial relationship, the purpose of which is to comply with the contractual provisions stipulated by the company, for the acquisition of services and goods demanded by it. for its normal functioning or the fulfillment of some of its functions. This database contains personal, public, private and sensitive data, the purpose of which is the development of contractual relationships. The processing of these data for purposes other than the maintenance of the contractual relationship or the fulfillment of legal duties requires prior authorization from the owner.
The company will process your data for the following purposes:
- Comply with the obligations contracted by the company with the Information Owner, in relation to the payment of fees and other remuneration established in the employment contract or as provided by law.
- Carry out analysis, evaluations and selection of potential suppliers and/or contractors.
- Contact the Owner through any means to carry out surveys, studies and/or confirmation of personal data necessary for the execution of a contractual relationship and to send news related to loyalty campaigns or service improvements.
- Contact the Owner through any means to send statements, account statements or invoices in relation to the obligations derived from the contract entered into between the parties.
- Carry out, through any means, directly or through third parties, programming and provision of technical services, sales, purchases, billing, portfolio management, monitoring of product performance, collection, business intelligence, marketing, promotion or advertising activities. , service improvement, collection monitoring, verification, consultation and control, enabling payment methods as well as any other related to our current and future products and services, for compliance with contractual obligations and the company's corporate purpose.
- Communication of our policies and procedures for linking suppliers.
- Analysis of information on quality and service levels received from suppliers. Legal compliance in tax, customs and commercial matters with administrative and judicial entities.
- Business agreements to acquire goods or services
- Monitoring, control and accounting recording tasks of the obligations contracted with suppliers. Consultations, audits and reviews derived from agreements with suppliers and/or contractors.
- Information to control and prevent fraud and MLFT in any of its forms. Some of these tasks are carried out in compliance with a legal and contractual duty and therefore the processing of personal data is understood to be included in them.
- Provide commercial, advertising or promotional information about products and/or services, in order to promote, invite, direct, execute, inform and, in general, carry out campaigns, events, promotions or contests.
- Consult and report to any Risk Center
- Invitations to events and general corporate information to strengthen relationships.
Databases of social bodies: They are manual or automated databases that contain data of natural persons who are part of the corporate bodies, such as the board of directors and the shareholders' assembly, whose processing is intended to comply with legal and regulatory provisions and business policies. . This database includes public, private, public information and sensitive data. In addition, it will be considered reserved information, since it is registered in commercial books and is subject to special protection by legal provision.
The company will process your data for the following purposes:
- Carry out the relevant steps for the development of the company's corporate purpose.
- Collect, use and store your resume.
- Send company information, including Calls, summonses, invitations to meetings, events, newsletters, presentations, annual report and those communications related to the activities carried out by the company.
- Issue certifications related to the relationship of the data owner with the company such as income certificates, shareholding certificates, among others;
- Use of biometric data (sensitive data) such as fingerprint, audio, video and/or photograph or through any other means known or to be known (the “image” is understood to be the name, pseudonym, voice, signatures, initials, figure, physiognomy of body, face or any sign that is related to the identity of the person), for reproduction, communication or transmission on social networks and media such as television, newspapers, websites and video surveillance systems, for security, institutional events, advertising campaigns, promotions and contests, among others.
- Carry out, through any means, directly or through third parties, programming and provision of technical services, sales, purchases, billing, portfolio management, monitoring of product performance, collection, business intelligence, marketing, promotion or advertising activities. , service improvement, collection monitoring, verification, consultation and control, enabling payment methods as well as any other related to our current and future products and services, for compliance with contractual obligations and the company's corporate purpose.
- Information to control and prevent fraud and MLFT in any of its forms.
In employment contracts, the company has included clauses with the purpose of prior and general authorization for the processing of personal data related to the execution of the contract, which includes the authorization to collect, modify or correct, at future times, personal data. of the Owner corresponding to natural persons. It has also included the authorization so that some of the personal data, if applicable, can be delivered or transferred to third parties with whom the company has service provision contracts, for the performance of outsourced tasks. In these clauses, mention is made of this Manual and its location on the institutional website, for due consultation.
In contracts for the provision of external services, when the contractor requires personal data, the company will provide said information as long as there is prior and express authorization from the Owner of the personal data for this transfer, excluding this authorization, the data personal data of a public nature defined in paragraph 2 of article 3 of Regulatory Decree 1377 of 2013 and those contained in public records.
In these cases, the third parties are Data Processors and their contracts will include clauses that specify the purposes and treatments authorized by the company and precisely delimit the use that these third parties can give to them, as well as the obligations and duties. established in Law 1581 of 2012 and Regulatory Decree 1377 of 2013, including the necessary security measures that guarantee at all times the confidentiality, integrity and availability of the personal information entrusted for processing.
For its part, the company, when receiving data from third parties and acting as the person in charge of processing personal data, verifies that the purpose, or purposes, of the treatments authorized by the owner or permitted for legal, contractual or jurisprudential reasons. are in force and that the content of the purpose is related to the reason for which said personal information will be received from the third party, since only in this way will it be authorized to receive and process said personal data.
4.8 Transfer and transmission of personal data.
For the transmission and transfer of personal data, the following rules will apply:
4.9 Video Surveillance Systems
Video Surveillance Systems (SV) or security cameras implemented with the purpose of guaranteeing the security of goods or people in a certain place, are considered an ideal means to monitor and observe activities in the business, work and public.
This monitoring and observation task carried out through the SVs involves the collection of images of people, that is, personal data in accordance with the definition contained in literal c) of article 3 of Law 1581 of 2012, “For which establishes general provisions for the protection of personal data”, understood as “any information linked to or that can be associated with one or several specific or determinable natural persons”.
Consequently, in the handling or processing of data, the company will observe the principles established in the standard, that is, legality, purpose, freedom, quality or veracity, security, confidentiality, restricted access and circulation, and transparency, as well as the other provisions. contained in the General Personal Data Protection Regime.
This policy applies to the taking of images of people by means of cameras, video cameras, analog or digital, IP cameras or mini-cameras, closed circuit television (CCTV) and, in general, any means by which the Treatment is carried out. of images of holders of personal data, especially for surveillance purposes.
4.9.1 Rights of the Owner of Personal Data
to. Access to images by personal data holders
b. Deletion of images
4.9.2 Treatment of Images of Children and Adolescents
For the Processing of images of children and adolescents, the company will respect their prevailing rights and will only collect them when (i) it responds to and respects their best interest, and (ii) ensures respect for their fundamental rights.
In all cases, when the company uses SV that involves the Processing of images of children and/or adolescents, it will observe the following rules:
- Have the authorization of the parents or legal representatives of the minors and their acquiescence, taking into account their maturity, autonomy and ability to understand the matter.
- Inform parents or legal representatives about the purpose and Treatment to which the personal data of minors will be subjected, as well as the rights that assist them.
- Limit the collection and other processing of images, in accordance with what is proportional and appropriate in consideration of the previously informed purpose.
- Guarantee the security and confidentiality of the personal data of minors.
- Restrict access and circulation of images, in accordance with the provisions of the law.
The parent and/or legal representative of the child or adolescent will only be able to access the child's images. Thus, in the event that it is intended to provide access or circulate images of classes and/or activities where other children or adolescents appear, the authorization of the parents and/or legal representatives of all of them will be requested.
Whenever the implementation of SV also involves the Processing of personal data of other Owners, such as managers, administrative staff, parents, etc., the company will respect the rights of those and will comply with the obligations that such quality imposes on them.
5. DUTIES AND RIGHTS
5.1. General information about authorization
The company will previously request authorization for the processing of personal data by any means that allows it to be used as evidence. Depending on the case, said authorization may be incorporated into a document such as a contract, form, form, etc., invoice, etc. The authorization will contain at least:
a) The Treatment to which the personal data will be subjected and the purpose thereof;
b) The optional nature of the response to the questions asked, when they relate to sensitive data or the data of children and adolescents;
c) The rights that assist the Owner of the information;
d) The identification, physical or electronic address and telephone number of the Data Controller.
The company guarantees the Owners of personal data the right of access in accordance with Law 1581 of 2012, prior accreditation of the identity of the owner, legitimacy, or personality of their representative, making available to the latter, without cost or expenditure, in a detailed and detailed manner, the respective personal data processed, through any means of communication, including electronic means that allow direct access by the owner. Access is subject to the limits established in article 21 of Regulatory Decree 1377 of 2013.
5.3. Of the right of consultation
The company guarantees the right of consultation in accordance with the provisions of Law 1581 of 2012 exclusively on private, sensitive and minor personal data corresponding to natural persons, providing the Holders of these personal data with the information contained in each of the bases. of corresponding data and that are under the control of the company, which will establish the authentication measures that allow the owner of the personal data who makes the query or request to be securely identified.
Regarding the attention to consultation requests, the company guarantees:
- Enable electronic or other means of communication that you consider relevant and secure;
- Establish forms, systems and other methods that will be reported in the authorization or in the Privacy Notice;
- Use the customer service or complaints services that are in operation.
Regardless of the mechanism implemented to respond to consultation requests, these will be processed within a maximum period of ten (10) business days from the date of receipt. In the event that a consultation request cannot be responded to within the aforementioned term, the interested party will be informed before the deadline expires of the reasons why their query has not been answered, which in no case may exceed the five (5) business days following the expiration of the first term.
The Owner who considers that personal data may be subject to correction, updating or deletion, or when they notice the alleged breach of any of the duties and principles contained in the regulations on Protection of Personal Data, may file a claim with the company.
The claim may be presented by the owner, taking into account the information indicated in article 15 of Law 1581 of 2012, as follows:
- The claim will be formulated by means of a request addressed to the Data Controller or the Data Processor, with the identification of the Owner, the description of the facts that give rise to the claim, the address, and accompanying the documents that you want to assert. If the claim is incomplete, the interested party will be required within five (5) days following receipt of the claim to correct the deficiencies. After two (2) months from the date of the request, without the applicant presenting the required information, it will be understood that the claim has been abandoned.
In the event that the person who receives the claim is not competent to resolve it, he or she will forward it to the appropriate person within a maximum period of two (2) business days and will inform the interested party of the situation.
- Once the complete claim is received, a legend that says "claim in process" and the reason for it will be included in the database, within a period of no more than two (2) business days. Said legend must be maintained until the claim is decided.
- The maximum term to address the claim will be fifteen (15) business days counted from the day following the date of receipt. When it is not possible to address the claim within said term, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.
5.5. The right to rectification and updating of data
The company undertakes to rectify and update, at the request of the Owner, personal information that corresponds to natural persons, that is incomplete or inaccurate, in accordance with the procedure and terms indicated above. The company will take into account the following:
- In requests for rectification and updating of personal data, the Owner must indicate the corrections to be made and provide the documentation that supports their request.
- The company has complete freedom to enable mechanisms that facilitate the exercise of this right, as long as they benefit the Owner of the personal data. Consequently, electronic or other means that the company considers relevant and secure may be enabled.
- The company may establish forms, formats, systems and other methods, which will be informed in this policy and/or authorization and/or Privacy Notice and which will be made available to interested parties on the company's website or offices.
5.6. From the right to data deletion.
The Owner of personal data has the right at any time to request the deletion (elimination) of his or her personal data. The company will take into account the following assumptions:
- That they are not being treated in accordance with the principles, duties and obligations provided for in current regulations on Personal Data Protection.
- That they are no longer necessary or relevant for the purpose for which they were collected.
- That the period necessary to fulfill the purposes for which they were collected has been exceeded.
This deletion implies the elimination or secure deletion, total or partial, of personal information in accordance with what is requested by the owner in the records, files, databases or treatments carried out by the company.
The right to deletion is not an absolute right, and the company, as responsible for the processing of personal data, may deny or limit its exercise when:
- The data owner has a legal or contractual duty to remain in the database.
- The deletion of data hinders judicial or administrative actions linked to tax obligations, the investigation and prosecution of crimes or the updating of administrative sanctions.
- The data is necessary to protect the legally protected interests of the owner; to carry out an action based on the public interest, or to comply with an obligation legally acquired by the owner.
5.7. The right to revoke authorization
Any owner of personal data that corresponds to natural persons may revoke consent to their processing at any time, as long as it is not prevented by a legal or contractual provision. To do this, the company has established simple and free mechanisms that allow the owner to revoke their consent.
In cases where the revocation of the authorization is possible, it will be handled under the following two modalities:
- Total: Regarding all permitted purposes, that is, the company must completely stop processing the data of the Owner of personal data.
- Partial: Regarding certain consented purposes, in which case the company must partially suspend the processing of the owner's data. Other purposes of the processing are then maintained that the Controller, in accordance with the authorization granted, can carry out and with which the owner agrees.
The right of revocation is not an absolute right and the company, as responsible for the processing of personal data, may deny or limit its exercise when:
- The data owner has a legal or contractual duty to remain in the database.
- The revocation of the authorization of the treatment hinders judicial or administrative actions linked to tax obligations, the investigation and prosecution of crimes or the updating of administrative sanctions.
- The data is necessary to protect the legally protected interests of the owner; to carry out an action based on the public interest, or to comply with an obligation legally acquired by the owner.
- The data is data of a public nature and corresponds to public records, which are intended for publicity.
5.8 Right to file complaints with the competent authority
The Owner of personal data has the right at all times to present complaints to the Superintendency of Industry and Commerce for violations of the law and other regulations that modify, add or complement it.
5.9 Duties as Data Controller.
The company will fulfill the following duties:
- Guarantee to the Holder, at all times, the full and effective exercise of the right of habeas data;
- Request and keep a copy of the respective authorization granted by the Owner;
- Duly inform the Owner about the purpose of the collection and the rights granted to him by virtue of the authorization granted;
- Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access;
- Guarantee that the information provided to the Data Processor is true, complete, accurate, updated, verifiable and understandable;
- Update the information, communicating in a timely manner to the Data Processor, all the news regarding the data that you have previously provided and adopt the other necessary measures so that the information provided to it remains updated;
- Rectify the information when it is incorrect and communicate the pertinent information to the Data Processor;
- Provide the Data Processor, as the case may be, only data whose Processing is previously authorized;
- Demand that the Data Processor at all times respect the security and privacy conditions of the Owner's information;
- Process queries and complaints;
- Adopt an internal procedures manual to guarantee adequate compliance for the attention of queries and complaints;
- Inform the Data Processor when certain information is under discussion by the Owner, once the claim has been submitted and the respective process has not been completed;
- Inform at the request of the Owner about the use given to their data;
- Inform the data protection authority when violations of security codes occur and there are risks in the administration of the Owners' information.
- Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.
5.10 Duties of the Data Processor
The Treatment Managers must comply with the following duties:
- Guarantee to the Holder, at all times, the full and effective exercise of the right of habeas data;
- Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access;
- Timely update, rectify or delete data
- Update the information reported by the Data Controllers within five (5) business days from receipt;
- Process queries and complaints;
- Adopt an internal manual of procedures for handling queries and complaints by the Owners;
- Register in the database the legend “claim in process”
- Insert in the database the legend “information under judicial discussion” once notified by the competent authority about judicial processes related to the quality of personal data;
- Refrain from circulating information that is being controversial by the Owner and whose blocking has been ordered by the Superintendency of Industry and Commerce;
- Allow access to information only to people who can have access to it;
- Inform the Superintendency of Industry and Commerce when violations of security codes occur and there are risks in the administration of the Owners' information;
- Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.
6. MODIFICATIONS TO POLICIES
The company reserves the right to modify the Personal Data Protection policy at any time. Any modification will be communicated in a timely manner to the Data Owners through the usual means of contact and/or through their website https://ikono.co/
In the event of substantial changes in the content of the Treatment policies, referring to the identification of the Controller and the purpose of the Processing of personal data, which affect the content of the authorization, the Controller will communicate these changes and obtain from the Holder a new authorization when the change refers to the purpose of the Treatment.
7. THE NATIONAL REGISTRY OF DATABASES
The company, as responsible for the processing of personal data and as established by Law, is not obliged to register its databases in the RNBD. Notwithstanding the above, if the required requirements are met, the provisions of Decree 1074 of 2015 and other regulations that modify, repeal or replace it will apply.
8. REFERENCE TO OTHER DOCUMENTS
This personal data protection policy has been prepared in accordance with the following standards:
- Political Constitution of Colombia
- Law 1581 of 2012
- Decree 1377 of 2013
- Single Decree 1074 of 2015
The term of validity of this policy is the same as that established for the duration of the company in the bylaws.
[1] Law 1581 of 2012, Article 3 literal c).
[2] Article. 5 Law 1581/12