iKono Telecommunications

Logo iKono Telecomunicaciones
Logo iKono Telecomunicaciones
Menú

 

 

Personal Data Processing Policy

Updated: January 8, 2025

1. About us

This document establishes the Personal Data Processing Policies of iKONO TELECOMMUNICATIONS SAS, from now on iKONO, commercial company identified with the NIT 900.253.186-1, a company dedicated to developing activities related to IT consulting and IT facility management, as well as the retail sale of computers, peripheral equipment, software, and telecommunications equipment in specialized establishments, among others.

iKONO In compliance with the provisions of the Colombian Political Constitution, Statutory Law 1581 of 2012 and Decree 1377 of 2013 and its regulatory and complementary norms, it comprehensively guarantees the protection and exercise of the fundamental right of Habeas Data of all holders of personal information for which it is responsible or in charge of processing, likewise guarantees at all times the fundamental rights to privacy, good name and privacy of individuals, which is why it adopts and applies this Personal Data Protection Policy and Procedure, which contains all the essential, simple and secure elements for compliance with the legislation corresponding to the Protection of Personal Data.

In this policy you will find the company name, address, email address and telephone number of iKONO, the processing to which the data will be subjected and its purpose, the rights you have as the Data Subject, the area responsible for handling requests, queries and complaints before which you may exercise your rights to know, update, rectify and delete the data and revoke the authorization and validity of the database.

2. Definitions

2.1. Privacy Notice: Verbal or written communication generated by the data controller, addressed to the data subject for the processing of their personal data, through which they are informed of the existence of the information processing policies that will apply to them, how to access them, and the purposes of the processing intended to be given to their personal data.

2.2. Authorization: Prior, express, and informed consent of the data subject to carry out the processing of personal data.

2.3 Database: Organized set of personal data that is subject to processing.

2.4 Personal data: Any information linked to or that can be associated with one or more natural persons, determined or determinable[1]. “Personal data” must therefore be understood as information related to a natural person (individually considered person).

2.5 Public data: Data that is not semi-private, private, or sensitive. Public data includes, among others, data relating to a person's marital status, their profession or occupation, and their status as a merchant or public servant. By its nature, public data may be contained in, among others, public registries, public documents, official gazettes and bulletins, and duly executed court rulings that are not subject to confidentiality. It is also understood that all data contained in public registries will have this same nature.

2.6 Sensitive data: Any data that affects the privacy of the Owner or whose improper use may lead to discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life and biometric data.[2].

2.7 Data controller: The company acts as the data controller in cases where, either on its own or in association with others, it processes personal data on behalf of a data controller.

2.8 Data controller: The company acts as the personal data controller for all personal data over which it directly decides, in compliance with its legally recognized functions.

2.9 Holder: Natural person whose personal data is subject to processing.

2.10 Transfer: Data transfer occurs when the controller and/or processor of personal data, located in Colombia, sends the information or personal data to a recipient, who is in turn the controller and is located within or outside the country.

2.11 Transmission: Processing of personal data that involves communicating the data within or outside the territory of the Republic of Colombia when the purpose is to carry out processing by the data processor on behalf of the controller.

2.12 Treatment: Any operation or set of operations that the company performs on personal data, such as collection, processing, disclosure, storage, use, circulation or deletion.

2.13 Data Protection Officer: This is the person within the company whose responsibility is to oversee and control the application of the Personal Data Protection Policy. The officer will be appointed by the manager or, failing that, by the Board of Directors.

3. Principles for the processing of personal data

In order to comply with the Personal Data Protection Policy, the following principles will be applied in a harmonious and comprehensive manner:

3.1. Principle of legality in data processing: Treatment is a regulated activity that must comply with the provisions of the Law and its regulatory decrees.

3.2. Principle of purpose: The processing will be for a legitimate purpose in accordance with the Constitution and the Law and will be reported to the Data Controller;

3.3 Principle of freedom: Processing may only be carried out with the prior, express, and informed consent of the Data Subject. Personal data may not be obtained or disclosed without authorization, by legal or judicial order requiring the withdrawal of consent;

3.4 Principle of truthfulness or quality: The information subject to processing will be true, complete, accurate, up-to-date, verified, and understandable. Data that is partial, incomplete, fragmented, or misleading will not be processed;

3.5 Principle of transparency: The Data Subject's right to obtain, at any time and without restrictions, information about the existence of data concerning him or her will be guaranteed;

3.6 Principle of restricted access and circulationProcessing will be subject to the limits derived from the nature of the personal data, the provisions of the law, and the Constitution. In this regard, processing will only be carried out by persons authorized by the Data Controller or by persons provided for by law. Except for public information, the data will not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to the Data Controllers or authorized third parties.

3.7 Safety Principle: The information will be handled with the necessary technical, human and administrative measures to guarantee the security of the records, avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access;

3.8 Principle of confidentiality: All persons involved in the processing of personal data that are not public in nature shall guarantee the confidentiality of the information, even after their relationship with any of the tasks involved in the processing has ended. They may only provide or communicate personal data when this corresponds to the development of the activities authorized by law.

4. Processing and purpose of personal data

4.1. Treatment: iKONO You will obtain free, prior, express and voluntary authorization to transfer, store, use, circulate, delete, share, update and transmit personal data through physical mail, electronic mail, cell phone or mobile device, via text messages, media (television, newspaper and website), social networks or any analogous and/or digital means of communication, known or to be known in accordance with this Personal Data Protection Policy.

4.2 Data controller:

Company name:                   iKONO TELECOMMUNICATIONS SAS

NIT.                                     900.253.186-1

Home                          Pereira – Risaralda – Colombia 

Address                          Carrera 12 #1 A – 43, Barrio Popular Model

Email         protecciondedatos@ikono.com.co

Phone                            (+57) 314 890 1850

4.3 Processing of public data: The company warns that it will process public data and data contained in public records without prior authorization from the Data Subject. This situation does not imply that the necessary measures will not be adopted to ensure compliance with the other principles and obligations contemplated in Law 1581 of 2012 and other regulations governing this matter, as well as in this manual.

4.4. Processing of sensitive data: The company will only process sensitive personal data for what is strictly necessary, requesting prior and express consent from the data subjects and informing them of the exclusive purpose for which it will be processed.

The company will only use and process data classified as sensitive when:

The processing has been expressly authorized by the owner of the sensitive data, except in cases where the granting of such authorization is not required by law.

The processing is necessary to safeguard the vital interests of the data subject and the data subject is physically or legally incapacitated. In these cases, the data subject's representatives must provide authorization.

The Processing relates to data that is necessary for the recognition, exercise or defense of a right in a judicial process;

In this sense, the company will comply with the following obligations:

  • Inform the data subject that since the data is sensitive, he or she is not required to authorize its processing.
  • Inform the data subject explicitly and in advance, in addition to the general requirements for authorization for the collection of any type of personal data, which data subject to processing is sensitive and the purpose of the processing, and obtain express consent.
  • Do not condition any activity on the data subject providing sensitive personal data (unless there is a legal or contractual reason to do so).

 

4.5. Processing of data of minors: The company will only process personal data of minors when such data is public, comes from information provided by employees or contractors at the time of their employment or provision of services to the company, and/or is provided in connection with the company's commercial activities. This is in accordance with the provisions of Article 7 of Law 1581 of 2012, and when the processing complies with the following parameters and requirements:

  • That responds to and respects the best interests of children and adolescents.
  • Ensure respect for their fundamental rights.

 

Once the above requirements have been met, the company will require the child or adolescent's legal representative or guardian to authorize the minor, prior to the minor exercising their right to be heard. This opinion will be assessed taking into account their maturity, autonomy, and ability to understand the matter.

The company and any person involved in the processing of personal data of children and adolescents will ensure their proper use. In compliance with the foregoing, the principles and obligations established in Law 1581 of 2012 and Decree 1377 of 2013 are applied and implemented.

4.6. Classification of databases: The company has classified its Databases as follows:

Customer Databases: These are manual or automated databases, which are structured and contain public, private, sensitive, and minor data. The database is comprised of legal and/or natural persons. The company will process your data for the following purposes:

  • Manage procedures for requests, complaints and claims
  • Conduct risk analysis, satisfaction surveys regarding the company's goods and services, internal consumer habits studies, evaluate quality, and make changes to products and/or services for the company and its business partners;
  • Provide commercial, advertising, or promotional information about products and/or services for the purpose of promoting, inviting, directing, executing, informing, and generally conducting campaigns, events, promotions, or contests.
  • Provide contact information to the sales force and/or distribution network, telemarketing, market research, and any third party with which the company has a contractual relationship.
  • Provide contact information and relevant documents to the sales force and/or distribution network, telemarketing, market research, and any third party with which the company has a contractual relationship of any kind.
  • Disclose, transfer, and/or transmit personal data within and outside the country to third parties as a result of a contract, law, or legal relationship that requires it, or to implement cloud computing services.
  • Carry out, through any means, directly or through third parties, programming and provision of technical service, sales, purchases, billing, portfolio management, product performance monitoring, collection, business intelligence, marketing, promotion or advertising activities, service improvement, collection monitoring, verification, consultation and control, enabling payment methods, as well as any other activities related to our current and future products and services, in order to fulfill contractual obligations and the company's corporate purpose.
  • Consult and report to any Risk Center
  • Information to control and prevent fraud and ML/AFT in any of its forms.
  • Send congratulatory messages on special dates (Example: Women's Day, Christmas, achievements, among others.)

 

Employee Databases: These are manual or automated databases containing data on individuals employed by the company. The purpose of processing these databases is to comply with legal, regulatory, and company policies. This database includes private, public, sensitive, and minor information. Processing data for purposes other than those related to the employment relationship requires prior authorization from the data subject or their legal representative, as applicable. Under no circumstances will the company process sensitive or minor data without prior authorization.

The company will process your data for the following purposes:

  • To comply with the obligations contracted by the company with the Data Subject, regarding the payment of salary and other remuneration stipulated in the employment contract or as provided by law.
  • Offer corporate wellness programs and plan business activities for the cardholder and their beneficiaries (children, spouse, permanent partner).
  • Sending information to government or judicial entities at their express request.
  • Support in external/internal audit processes.
  • Registering the information of candidates, contractors, and employees in the Company's database and contacting them through any means to send information.
  • For security or fraud prevention purposes.
  • Provide commercial, advertising, or promotional information about products and/or services for the purpose of promoting, inviting, directing, executing, informing, and generally conducting campaigns, events, promotions, or contests.
  • To process data relating to admission, preventive, and discharge medical examinations, as well as medical records if required.
  • Use of biometric data (sensitive data) such as fingerprints, audio, video and/or photographs or through any other known or unknown means (an "image" is understood to mean the name, pseudonym, voice, signatures, initials, figure, body physiognomy, face or any sign that relates to the identity of the person), for reproduction, communication or transmission on social networks and media such as television, newspapers, websites and video surveillance systems, for security, institutional events, advertising campaigns, promotions and contests, among others. 
  •  To collect, use, store and circulate your resume.
  • Data transfer to third parties for selection processes, affiliation with healthcare, pension, insurance, and other companies required for the formalization of the hiring process.
  • Consult and report to any Risk Center.
  • Carry out the relevant actions to develop the company's corporate purpose in relation to compliance with the contract entered into with the Data Subject.
  • Information to control and prevent fraud and ML/AFT in any of its forms.

 

Supplier and Contractor Databases: These are manual or automated databases containing data on individuals or legal entities with whom the company maintains a contractual and commercial relationship. The purpose of these databases is to comply with the contractual provisions stipulated by the company, to acquire services and goods required by the company for its normal operation, or to perform some of its functions. This database contains personal, public, private, and sensitive data, which are used to develop contractual relationships. The processing of this data for purposes other than maintaining the contractual relationship or fulfilling legal obligations requires prior authorization from the data subject.

The company will process your data for the following purposes:

  • To comply with the obligations contracted by the company with the Data Subject, regarding the payment of fees and other remuneration stipulated in the employment contract or as provided by law.
  • Conduct analysis, evaluations, and selection of potential suppliers and/or contractors.
  • Contact the Data Controller through any means to conduct surveys, studies, and/or confirm personal data necessary for the execution of a contractual relationship and to send news related to loyalty campaigns or service improvements.
  • Contact the Data Subject through any means to send statements, account statements, or invoices in relation to the obligations arising from the contract entered into between the parties.
  • Carry out, through any means, directly or through third parties, programming and provision of technical service, sales, purchases, billing, portfolio management, product performance monitoring, collection, business intelligence, marketing, promotion or advertising activities, service improvement, collection monitoring, verification, consultation and control, enabling payment methods, as well as any other activities related to our current and future products and services, in order to fulfill contractual obligations and the company's corporate purpose.
  • Communication of our policies and procedures for supplier engagement.
  • Analysis of information on quality and service levels received from suppliers. Legal compliance in tax, customs, and trade matters with administrative and judicial entities.
  • Business agreements to acquire goods or services
  • Monitoring, control, and accounting for obligations with suppliers. Consultations, audits, and reviews arising from agreements with suppliers and/or contractors.
  • Information to control and prevent fraud and AML/ML in all its forms. Some of these tasks are performed in compliance with a legal and contractual obligation, and therefore the processing of personal data is understood to be included within them.
  • Provide commercial, advertising, or promotional information about products and/or services for the purpose of promoting, inviting, directing, executing, informing, and generally conducting campaigns, events, promotions, or contests.
  • Consult and report to any Risk Center
  • Invitations to events and general corporate information to strengthen relationships.

 

Databases of corporate bodies: These are manual or automated databases containing data on individuals who are members of corporate bodies, such as the board of directors and shareholders' meetings. The purpose of these databases is to comply with legal and regulatory provisions and corporate policies. This database incorporates public, private, and sensitive information. It is also considered confidential information, as it is registered in commercial books and is subject to special protection by law.

The company will process your data for the following purposes:

  • Carry out the relevant procedures for the development of the company's corporate purpose.
  • Collect, use, and store your resume.
  • Send company information, including calls, summons, meeting invitations, events, newsletters, presentations, annual reports, and communications related to the company's activities.
  • Issue certifications relating to the relationship of the data subject with the company, such as income certificates, share ownership certificates, among others;
  • Use of biometric data (sensitive data) such as fingerprints, audio, video and/or photographs or through any other known or unknown means (an "image" is understood to mean the name, pseudonym, voice, signatures, initials, figure, body physiognomy, face or any sign that relates to the identity of the person), for reproduction, communication or transmission on social networks and media such as television, newspapers, websites and video surveillance systems, for security, institutional events, advertising campaigns, promotions and contests, among others. 
  • Carry out, through any means, directly or through third parties, programming and provision of technical service, sales, purchases, billing, portfolio management, product performance monitoring, collection, business intelligence, marketing, promotion or advertising activities, service improvement, collection monitoring, verification, consultation and control, enabling payment methods, as well as any other activities related to our current and future products and services, in order to fulfill contractual obligations and the company's corporate purpose.
  • Information to control and prevent fraud and ML/AFT in any of its forms.

 

4.7. Contracts: In its employment contracts, the company has included clauses granting prior and general authorization for the processing of personal data related to the execution of the contract. This includes authorization to collect, modify, or correct, at a future time, the Data Subject's personal data corresponding to natural persons. It has also included authorization for some of the personal data, if applicable, to be delivered or transferred to third parties with whom the company has service provision contracts for the performance of outsourced tasks. These clauses mention this Manual and its location on the company's website, for your reference.

In contracts for the provision of external services, when the contractor requires personal data, the company will provide said information provided that there is prior and express authorization from the Owner of the personal data for this transfer. Excluding from this authorization are personal data of a public nature defined in section 2 of article 3 of Regulatory Decree 1377 of 2013 and those contained in public records.

In these cases, third parties are Data Processors and their contracts will include clauses that specify the purposes and processing authorized by the company and precisely delimit the use that these third parties can give to those, as well as the obligations and duties established in Law 1581 of 2012 and Regulatory Decree 1377 of 2013, including the necessary security measures to guarantee at all times the confidentiality, integrity and availability of the personal information entrusted for processing.

For its part, when receiving data from third parties and acting as the Controller of personal data, the company verifies that the purpose or purposes of the processing authorized by the owner or permitted by legal, contractual or jurisprudential reasons are valid and that the content of the purpose is related to the reason why said personal information is going to be received from the third party, since only in this way will it be authorized to receive and process said personal data.

4.8 Transfer and transmission of personal data: For the transmission and transfer of personal data, the following rules apply:

4.9 Video Surveillance Systems: Video surveillance systems (VS) or security cameras implemented to ensure the safety of property or people in a specific location are considered an ideal means for monitoring and observing activities in the business, workplace, and public spheres.

This monitoring and observation task carried out through the SV, involves the collection of images of people, that is, personal data in accordance with the definition contained in literal c) of article 3 of Law 1581 of 2012, "By which general provisions are issued for the protection of personal data", understood as "any information linked to or that can be associated with one or more specific or determinable natural persons."

Consequently, in the handling or processing of data, the company will observe the principles established in the standard, that is, legality, purpose, freedom, quality or veracity, security, confidentiality, restricted access and circulation, and transparency, as well as the other provisions contained in the General Regime for the Protection of Personal Data.

This policy applies to the capture of images of individuals using cameras, video cameras, analog or digital, IP cameras or mini-cameras, closed-circuit television (CCTV) and, in general, any means by which the processing of images of personal data subjects is carried out, especially for surveillance purposes.

4.9.1 Rights of the Personal Data Subject

a. Access to images by personal data holders

b. Deletion of images

4.9.2 Processing of Images of Children and Adolescents: For the Processing of images of children and adolescents, the company will respect their prevailing rights and will only collect them when (i) it responds to and respects their best interests, and (ii) it ensures respect for their fundamental rights.

  • In all cases, when the company uses SV that involves the processing of images of children and/or adolescents, it will observe the following rules:
  • Ensure the security and confidentiality of minors' personal data. Obtain the authorization and consent of the minors' parents or legal guardians, taking into account their maturity, autonomy, and ability to understand the matter.
  • Limit the collection and other processing of images to what is proportional and appropriate in consideration of the previously reported purpose.
  • Inform parents or legal representatives about the purpose and processing to which the personal data of minors will be subjected, as well as the rights to which they are entitled.

 

Only the child's or adolescent's parent and/or legal guardian may access the child's or adolescent's images. Therefore, if images of classes and/or activities featuring other children or adolescents are to be accessed or circulated, authorization from the child's or adolescent's parents and/or legal guardians will be requested.

Whenever the implementation of SV also involves the processing of personal data of other Data Subjects, such as managers, administrative staff, parents, etc., the company will respect their rights and comply with the obligations that such status imposes on them.

5. Rights and duties

5.1. General information on authorization: The company will request prior authorization for the processing of personal data by any means that can be used as evidence. Depending on the case, this authorization may be incorporated into a document such as a contract, form, form, invoice, etc. The authorization must contain, at a minimum:

a) The processing to which the personal data will be subjected and the purpose thereof;

b) The optional nature of the response to the questions asked, when these relate to sensitive data or the data of girls, boys and adolescents;

c) The rights that the owner of the information has;

d) The identification, physical or electronic address and telephone number of the Data Controller.

5.2. On the right of access: The company guarantees the right of access to personal data subjects in accordance with Law 1581 of 2012, upon verification of the subject's identity, legitimacy, or legal capacity of their representative. The company makes the respective personal data processed available to the subject, free of charge or expense, in a detailed manner, through any means of communication, including electronic means that allow direct access by the subject. Access is subject to the limits established in Article 21 of Regulatory Decree 1377 of 2013.

5.3. On the right of consultation: The company guarantees the right to access, in accordance with the provisions of Law 1581 of 2012, exclusively for private, sensitive, and minor personal data belonging to natural persons. It provides the owners of this personal data with the information contained in each of the corresponding databases under the company's control. The company will establish authentication measures that allow the owner of the personal data making the query or request to be securely identified.

Regarding the attention of consultation requests, the company guarantees:

  • Enable electronic or other means of communication that it considers relevant and secure;
  • Establish forms, systems and other methods that will be reported in the authorization or in the Privacy Notice;
  • Use the customer service or complaints services that are in operation.

 

Regardless of the mechanism implemented for handling consultation requests, these will be processed within a maximum period of ten (10) business days from the date of receipt. In the event that a consultation request cannot be addressed within the aforementioned period, the interested party will be informed before the deadline expires of the reasons why their request has not been answered. This in no case may exceed five (5) business days after the expiration of the first term.

5.4. On the right to claim: Data Subjects who believe their personal data may be subject to correction, updating, or deletion, or who become aware of a suspected breach of any of the duties and principles contained in the Personal Data Protection regulations, may file a complaint with the company.

The claim may be filed by the owner, taking into account the information indicated in Article 15 of Law 1581 of 2012, as follows:

  1. The claim shall be submitted by means of a request addressed to the Data Controller or the Data Processor, including the Data Subject's identification, a description of the facts giving rise to the claim, the address, and the accompanying documents to be asserted. If the claim is incomplete, the interested party shall be required within five (5) days following receipt of the claim to rectify the deficiencies. After two (2) months from the date of the request, if the applicant does not submit the required information, it shall be deemed that the claim has been withdrawn.

    In the event that the person receiving the claim is not competent to resolve it, he/she will forward it to the appropriate person within a maximum period of two (2) business days and inform the interested party of the situation.

  • Once the complete claim has been received, a legend stating "claim in process" and the reason for the claim will be added to the database within a period of no more than two (2) business days. This legend must remain in effect until the claim is decided.
  • The maximum term for addressing the claim will be fifteen (15) business days counted from the day following the date of receipt. When it is not possible to address the claim within this term, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.

5.5. On the right to rectification and updating of data: The company undertakes to rectify and update, at the Data Subject's request, any personal information relating to individuals that is incomplete or inaccurate, in accordance with the procedure and terms set forth above. The company will take the following into account:

  • In requests for rectification and updating of personal data, the Data Subject must indicate the corrections to be made and provide documentation supporting their request.
  • The company is fully free to implement mechanisms that facilitate the exercise of this right, provided they benefit the data subject. Accordingly, electronic or other means that the company deems appropriate and secure may be implemented.
  • The company may establish forms, formats, systems, and other methods, which will be reported in this policy and/or authorization and/or Privacy Notice and which will be made available to interested parties on the company's website or offices.

5.6. On the right to data deletion: The data subject has the right to request the deletion (elimination) of his or her personal data at any time. The company will take into account the following circumstances:

  • That they are not being treated in accordance with the principles, duties, and obligations set forth in current regulations on Personal Data Protection.
  • That they are no longer necessary or relevant for the purpose for which they were collected.
  • That the period necessary for the fulfillment of the purposes for which they were collected has been exceeded.

This deletion involves the secure elimination or erasure, in whole or in part, of personal information as requested by the owner from records, files, databases, or processing carried out by the company.

The right to erasure is not an absolute right, and the company, as the controller of personal data, may deny or limit the exercise of this right when:

  • The data subject has a legal or contractual obligation to remain in the database.
  • The deletion of data hinders judicial or administrative proceedings related to tax obligations, the investigation and prosecution of crimes, or the updating of administrative sanctions.
  • The data may be necessary to protect the legally protected interests of the data subject; to carry out an action in the public interest; or to comply with a legal obligation of the data subject.

5.7. On the right to revoke authorization: Any data subject whose personal data corresponds to a natural person may revoke their consent to the processing of their data at any time, provided that this is not prevented by a legal or contractual provision. To this end, the company has established simple and free mechanisms that allow the data subject to revoke their consent.

In cases where revocation of the authorization is possible, it will be handled under the following two modalities:

  • Total: Regarding all the consented purposes, that is, the company must completely stop processing the data of the Personal Data Subject.
  • Partial: Regarding certain consented purposes, in which case the company must partially suspend the processing of the data subject's data. Other processing purposes are then maintained, which the Controller may carry out, in accordance with the authorization granted, and with which the data subject agrees.

The right of withdrawal is not an absolute right, and the company, as the controller of personal data, may deny or limit the exercise of this right when:

  • The data subject has a legal or contractual obligation to remain in the database.
  • The revocation of processing authorization hinders judicial or administrative proceedings related to tax obligations, the investigation and prosecution of crimes, or the updating of administrative sanctions.
  • The data may be necessary to protect the legally protected interests of the data subject; to carry out an action in the public interest; or to comply with a legal obligation of the data subject.
  • The data must be public in nature and correspond to public records, which are intended to be made public.

5.8. Right to lodge complaints with the competent authority: The owner of personal data has the right at any time to file complaints with the Superintendency of Industry and Commerce regarding violations of the law and other regulations that modify, supplement, or complement it.

5.9. Duties as Data Controller:The company will comply with the following duties:

  1. Guarantee the Holder, at all times, the full and effective exercise of the right to habeas data;

  • Request and keep a copy of the respective authorization granted by the Owner;
  • Properly inform the Owner about the purpose of the collection and the rights to which he/she is entitled by virtue of the authorization granted;
  • Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access;
  • Ensure that the information provided to the Data Processor is true, complete, accurate, up-to-date, verifiable and understandable;
  • Update the information, promptly communicating to the Data Processor all new developments regarding the data previously provided and adopting other necessary measures to ensure that the information provided to the Data Processor remains up-to-date;
  • Rectify information when it is incorrect and communicate the relevant information to the Data Processor;
  • Provide the Data Processor, as the case may be, only with data whose processing has been previously authorized;

    2. Demand that the Data Processor respect the security and privacy conditions of the Data Subject's information at all times;

  • Process queries and complaints;
  • Adopt an internal procedures manual to ensure proper compliance for handling queries and complaints;
  • Inform the Data Processor when certain information is being disputed by the Data Subject, once the claim has been submitted and the respective process has not been completed;
  • Inform the Owner, upon request, about the use given to their data;
  • Inform the data protection authority when security code violations occur and when there are risks in the management of Data Subjects' information.
  • Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

5.10. Duties of the Data Controller: Data Processors must comply with the following duties:

  1. Guarantee the Holder, at all times, the full and effective exercise of the right to habeas data;
  • Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access;
  • Carry out the updating, rectification or deletion of data in a timely manner
  • Update the information reported by the Data Controllers within five (5) business days from receipt;
  • Process queries and complaints;
  • Adopt an internal procedures manual for handling queries and complaints from Owners;
  • Record the legend "claim in process" in the database
  • Insert the legend "information under judicial discussion" into the database once notified by the competent authority about judicial proceedings related to the quality of personal data;

    2. Refrain from circulating information that is being disputed by the Owner and whose blocking has been ordered by the Superintendency of Industry and Commerce;
  • Allow access to information only to people who can access it;
  • Inform the Superintendency of Industry and Commerce when security code violations occur and there are risks in the management of the Holders' information;
  • Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

6. Policy Changes

The company reserves the right to modify its Personal Data Protection Policy at any time. Any modifications will be communicated to data subjects in a timely manner through the usual means of contact and/or through its website https://ikono.co/

In the event of substantial changes in the content of the Processing policies, referring to the identification of the Controller and the purpose of the Processing of personal data, which affect the content of the authorization, the Data Controller will communicate these changes and obtain a new authorization from the Owner when the change refers to the purpose of the Processing. 

7. The national database registry

As the data controller of personal data, and pursuant to the law, the company is not required to register its databases with the RNBD. Notwithstanding the foregoing, if the requirements are met, the provisions of Decree 1074 of 2015 and other regulations that modify, repeal, or replace it will apply.

8. References to other documents

This personal data protection policy has been prepared in accordance with the following standards:

  • Political Constitution of Colombia
  • Law 1581 of 2012
  • Decree 1377 of 2013
  • Single Decree 1074 of 2015

9. Validity

The term of validity of this policy is equal to that established for the duration of the company in the bylaws.

[1] Law 1581 of 2012, Article 3, literal c).

[2] Article 5 of Law 1581/12

en_USEnglish
es_COSpanish en_USEnglish