PERSONAL INFORMATION PROCESSING POLICY (LAW 1581 OF 2013)
REGULATED BY DECREE 1377 OF 2013)
FIRST – LEGAL BASIS AND SCOPE OF APPLICATION
The Political Constitution of Colombia in its catalog of fundamental rights enshrines in its article 15 the right that all people have to their privacy, good name and habeas data. In addition to the above, Statutory Law 1581 of 2012 is found as the main regulatory instrument enacted on the protection of personal data, a rule through which the minimum conditions that must be observed to carry out an adequate treatment of personal data by users are established. Responsible for the treatment.
Law 1581 of 2012 was later regulated by decrees 1377 of 2013 and 886 of 2014, which complemented and clarified the normative provisions of the General Regulation and specified the scope of the duties and obligations that those responsible and in charge of treatment of personal data. S365 AGENCIA DE SEGUROS LTDA, hereinafter S365 SEGUROS, as the person responsible for the treatment of Personal Information, is committed to complying with the aforementioned regulations and, consequently, will promote respect for the principles and rules on protection of personal data by its workers and those in charge of data processing, leading continuous improvement processes and ensuring compliance with the Law.
SECOND – ESTABLISHED DEFINITIONS ART. 3 DECREE 1377 OF 2013 AND DECREE 1074 OF 2015
In accordance with the definitions given in the exposed legal antecedents, the basic definitions of the concepts that imply the handling of personal data are the following:
2.1. Authorization:
Prior, express and informed consent of the Owner to carry out the Processing of personal data.
2.2. Notice of Privacy:
Verbal or written communication generated by the person in charge, addressed to the owner for the treatment of their personal data, through which they are informed about the existence of the information treatment policies that will be applicable, the way to access them and the purposes of the treatment that is intended to give personal data.
2.3. Database:
Organized set of personal data that is subject to Treatment.
2.4. Consultation:
Request of the owner of the data or the persons authorized by it or by the Law to access the information that is in any database, whether it is contained in an individual record or that is linked to the identification of the Owner.
2.5. Personal data:
Any information linked or that can be associated with one or more specific or determinable natural persons.
2.6. Private data:
It is the data that, due to its intimate or reserved nature, is only relevant to the owner.
2.7. Public data:
It is the data that is not semi-private, private or sensitive. Public data is considered, among others, data related to the marital status of people, their profession or trade and their quality as a merchant or public servant. Due to its nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins, and duly executed judicial decisions that are not subject to reservation.
2.8. Semi-private data:
Data that is not of an intimate, reserved, or public nature and whose knowledge and disclosure may be of interest not only to its owner but also to a certain sector or group of people, or to society in general, such as financial and credit data, is semi-private.
2.9. Sensitive data:
Those data that affect the privacy of the Holder or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights or that promotes the interests of any political party or that guarantees the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.
2.10. . Treatment Manager:
Natural or legal person, public or private, that by itself or in association with others, performs the Processing of personal data on behalf of the Data Controller.
2.11. Data Protection Officer:
Person(s) who have been designated internally by S365 SEGUROS. to formally exercise the function of coordinating and controlling compliance with Law 1581 of 2012, the complaints, requests or claims that the holders make.
2.12. Identifiable person:
Any person whose identity can be determined, directly or indirectly, through any information referring to their physical, physiological, mental, economic, cultural or social identity. A natural person will not be considered identifiable if such identification requires disproportionate time or activities.
2.13. Claim:
Request from the owner of the data or from the persons authorized by it or by the Law to correct, update, or delete their personal data or to revoke the authorization in the cases established by Law.
2.14. Responsible queries and claims:
Person(s) who have been designated internally by S365 SEGUROS to formally exercise the function of coordinating and managing queries and claims for personal data that the holders formulate.
2.15. Responsible for Treatment:
Natural or legal person, public or private, that by itself or in association with others, decides on the database and/or the Treatment thereof.
2.16. Headline:
Natural person whose personal data is subject to Treatment.
2.17. Treatment:
It refers to any operation or set of operations on personal data, such as the collection, storage, use, circulation or deletion.
2.18. Transfer:
Sending personal data made by the Responsible or Manager from Colombia to a Responsible who is inside (national transfer) or outside the country (international transfer).
2.19. Transmission:
Treatment of personal data that implies the communication of the same within (national transmission) or outside of Colombia (international transmission) that has the purpose of carrying out a treatment by the
Commissioned on behalf of the Responsible.
THIRD – RESPONSIBLE FOR THE TREATMENT
NAME: S365 INSURANCE INSURANCE AGENCY LTDA
ADDRESS: Cl 27Sur No. 28-121 Int 809, Envigado – Antioquia
PHONE: (57+4) 3227089 – +(57)+321 815 58 95
E-MAIL. info@s365.com.co
Website: www.s365.com.co
The policies and procedures contained in this document apply to the databases that are under the responsibility of S365 SEGUROS. Which will have the security measures as requested by the General Law on Protection of Personal Data Law 1581 of 2012 and its Regulatory Decree 1377 of 2013, also emphasizing that the information contained in each of these databases will be stored in accordance with the relevance or purpose for which it was collected as well as when the owner of the data has requested its deletion.
FOURTH – PERSONAL INFORMATION PROCESSING POLICY
S365 SEGUROS is committed to respecting and guaranteeing the rights of customers, employees and third parties in general. For this reason, it adopts the following personal information treatment policy that is mandatory for all activities that involve, totally or partially, the collection, storage, use, circulation, transmission and transfer of information. These policies are of mandatory and strict compliance for our organization and all those who make it up and are part of it; S365 SEGUROS as the person responsible for the processing of personal data, as well as all third parties that act on behalf of the entity, or that without acting on behalf of S365 SEGUROS, process personal data by disposal of the latter as those in charge of processing personal data.
Both the person in charge and those in charge must observe and respect these policies in the performance of their functions and/or activities even after the legal, commercial, or any other type of relationship has ended. From
Similarly, they undertake to maintain strict confidentiality in relation to the data processed. Any breach of the obligations and, in general, of the policies contained in this document must be
reported to the S365 SEGUROS office, in accordance with the provisions of article 23 of Law 1377 of 2013, which is why we make our Personal Data Treatment Policy available to you.
FIFTH – PRINCIPLES OF THE PERSONAL DATA PROCESSING POLICY
In the development, interpretation and application of the Processing of Personal Data by S365 SEGUROS, the following principles will be applied, in a harmonic and comprehensive manner, in accordance with the provisions of article 4 of Statutory Law 1581 of 2012:
5.1. Principle of legality regarding data processing:
The Processing of Personal Data by S365 SEGUROS is a regulated activity that must be subject to the provisions of this policy and the Constitution, the law and the judicial decisions adopted by the Colombian State.
5.2. Principle of purpose:
The Treatment must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Holder.
5.3. Principle of freedom:
The Treatment can only be exercised with the prior, express and informed consent of the Owner. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves consent.
5.4. Principle of veracity or quality:
The information subject to Treatment by S365 SEGUROS must be truthful, complete, exact, up-to-date, verifiable and understandable. The Processing of partial, incomplete, fragmented or misleading data is prohibited.
5.5. Transparency principle:
In the Treatment, the right of the Holder to obtain from S365 SEGUROS, at any time and without restrictions, information about the existence of data that concerns him must be guaranteed.
5.6. Principle of restricted access and circulation:
The Treatment is subject to the limits derived from the nature of personal data, the provisions of law and the Constitution. In this sense, the Treatment can only be done by persons authorized by the Holder and/or by the persons provided for in the law; Personal data, except public information, may not be available on the Internet or other means of disclosure or mass communication, unless access is technically controllable to provide restricted knowledge only to the Holders or authorized third parties in accordance with this law;
5.7. Safety principle:
The information subject to Treatment by S365 SEGUROS, must be handled with the technical, human and administrative measures that are necessary to provide security to the records, avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.
SIXTH – PROCESSING OF SENSITIVE DATA
In general terms, the processing of sensitive data is prohibited, except in cases when:
a) The holder has given his explicit authorization to said treatment, except in cases where the granting of said authorization is not required by law.
b) The treatment is necessary to safeguard the vital interest of the owner and the latter is physically or legally incapacitated. In these events, the legal representatives must grant their authorization.
c) The treatment is carried out in the course of legitimate activities and with due guarantees by a foundation, NGO, association or any other non-profit organization, whose purpose is political, philosophical, religious or trade union, provided that it is refer exclusively to its members or to people who maintain regular contact by reason of its purpose. In these events, the data may not be provided to third parties without the authorization of the owner.
d) The treatment refers to data that is necessary for the recognition, exercise or defense of a right in a judicial process.
e) The treatment has a historical, statistical or scientific purpose. In this event, the measures leading to the suppression of the identity of the holders must be adopted. Faced with the processing of sensitive data, S365 SEGUROS, emphasizes that this information is necessary for the purposes of insurability and obtaining special insurance policies (life and health insurance policies, among others), where they are taken as requirements prior to its approval, it also emphasizes that the owner of the information is empowered by law to deliver them or not.
SEVENTH – PERSONAL DATA OBJECT OF TREATMENT
S365 SEGUROS treats information mainly from its clients, suppliers and workers:
• Identification data.
• Location data.
• Sensitive data.
• Data of socioeconomic content.
• Other data.
EIGHTH – HOLDERS OF PERSONAL INFORMATION
The daily operation of S365 SEGUROS requires knowing and processing personal data. The headlines on which
deals with said information are:
• Aspiring workers
• Worker
• Ex worker
• Supplier
• Provider inactive
• Client or policyholder
• Inactive customer or policyholder
• Beneficiary
• Insured
• Intermediary
• Visitor
NINTH – PRIVACY NOTICE
The privacy notice is the verbal or written communication originated by the data controller addressed to the Owner of the personal data.
The privacy notice is made known to the Holder through physical, electronic or any other means that S365 SEGUROS considers, and in this document the following is reported at least:
9.1. Who is responsible for the treatment.
9.2. The treatment and purpose that will have the obtaining, collection, use, processing, exchange, transfer and
transmission of personal data.
9.3. Existence of the policy and how to consult it.
TENTH – RIGHTS OF THE HOLDERS OF THE INFORMATION.
In accordance with the provisions of article 8 of Law 1581 of 2012 and decree 1377 of 2013, the owner of personal data has the following rights against S365 SEGUROS. as Data Controller:
a) Know, update and rectify your personal data against S365 SEGUROS, in its capacity as responsible
of the treatment.
b) Request proof of the authorization granted to S365 SEGUROS, in its capacity as Data Controller.
c) Be informed by S365 SEGUROS, upon request, regarding the use that has been given to your personal data.
d) Revoke the authorization and/or request the deletion of the data when the principles are not respected in the Treatment,
constitutional and legal rights and guarantees.
e) Free access to your personal data that has been subject to Treatment