HomeData Protection

Considering the constitutional right that all persons have to know, update and rectify the information that has been collected about them in databases or files, and the other rights, liberties and constitutional guarantees referred to in articles 15 and 20 of the Political Constitution, Law 1581 of 2012 and its Regulatory Decree 1377 of 2013 have been developed, enshrining mechanisms that allow the full exercise of the aforementioned constitutional right.

The Organic Law of Protection of Personal Data (LOPD) contains a series of obligations to all natural and legal persons that contain files with personal data. Said law aims to guarantee and protect the treatment of personal data, public liberties and fundamental rights of natural persons, and especially as regards their honor and personal and family privacy.

This document has been drafted to comply with the provisions of the aforementioned standards and includes the technical and organizational measures possible and necessary to ensure the protection, confidentiality, integrity and availability of non-sensitive personal data of customers. , users, collaborators, employees, suppliers, strategic allies, third parties and other interested parties that are under the responsibility of Cipelog.

To comply with the rules of this Manual and in accordance with the provisions of Law 1581 of 2012 and Regulatory Decree 1377 of 2013, it is understood as:

1. Authorization: Prior, express and informed consent of the Holder to carry out the Processing of Personal Data.
2. Databases: Organized set of personal data that is subject to treatment.
3. Personal Data: Any information linked to or associated with one or several natural persons determined or determinable.
4. Responsible for the Treatment: Natural or legal person, public or private, that by itself or in association with others, perform the Processing of Personal Data on behalf of the person responsible for the Treatment.
5. Responsible for the Treatment: Natural or legal person, public or private, that by itself or in association with others, decides on the database and / or the Data Treatment.
6. Owner: Natural person whose personal data is subject to Treatment.
7. Treatment: Any operation or set of operations on personal data, such as collection, storage, use, circulation or suspension.
8. Sensitive Data: Those that affect the privacy of the Owner or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership of unions, social organizations, rights human rights or promote the interests of any political party or guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life and biometric data.
9. Private Data: It is the data that, due to its intimate nature, is only relevant for the Holder.
10. Public Data: It is the data that is not semi-private, private or sensitive. They are considered public data, among others, the data relative to the civil status of the people, to their profession or trade and to their quality of merchant or public servant. By their nature, public data may be contained, among others, in public records, public documents, gazettes and official bulletins and judicial sentences duly executed that are not subject to reservation.
11. Privacy Notice: Verbal or written communication generated by Cipelog, addressed to the Owner for the Processing of your Personal Data, through which you are informed about the existence of the Information Processing policies that will be applicable to you, the way to access the same and the purposes of the treatment that is intended to give personal data.
12. Transfer: Data transfer takes place when Cipelog, located in Colombia, sends the information or personal data to a receiver who is responsible for the processing and is located inside or outside the country.
13. Transmission: Treatment of personal data that implies the communication of the same inside or outside the Colombian territory, when it has for object the realization of a Treatment by the person in charge on behalf of Cipelog.

This document will apply to databases that contain personal data that are under the responsibility of Cipelog including information systems, media and equipment used for the processing of personal data, which must be protected in accordance to the provisions of current legislation on personal data protection.

The policies and procedures contained in this Manual apply to the databases that Cipelog manages that will be registered in accordance with the provisions of Law 1581 of 2012 and Decree 1377 of 2013, whose term will be counted from the date of the authorization and up to a term of 10 years.

Through this Manual compliance with the provisions of paragraph k) of Article 17 of Law 1581 of 2012, which regulates the duties that assist those responsible for the processing of personal data, within which is the adopt an internal manual of policies and procedures to ensure adequate compliance with the Law and, in particular, to attend to inquiries and complaints of the holders of the information. It also has the purpose of regulating the collection, handling and treatment procedures of the personal data that Cipelog S.A.S. performs. in order to guarantee and protect the fundamental right of habeas data within the framework established by law.

The principles set out below are the general parameters that will be respected by Cipelog in the processes of collection, use and processing of personal data:

1. Principle of legality in the field of Data Processing: The Treatment referred to in this Manual obeys the provisions of Law 1581 of 2012, Regulatory Decree 1377 of 2013, and other provisions that clarify, modify or develop these regulations.
2. Principle of purpose: The processing of the data collected by Cipelog must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Holder;
3. Principle of freedom: The Treatment can only be exercised with the prior, express and informed consent of the Holder. Personal data may not be obtained or disclosed without prior authorization, or in the absence of legal or judicial mandate that relieves the consent;
4. Principle of truth or quality: The information subject to Treatment must be truthful, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fractioned or misleading data is prohibited;
5. Principle of transparency: In the Treatment the right of the Holder must be guaranteed to obtain from the Person in Charge of the Treatment or the Person in Charge of the Treatment, at any time and without restrictions, information about the existence of data that concerns him;
6. Principle of access and restricted circulation: The Treatment is subject to the limits that derive from the nature of personal data, the provisions of the law and the Constitution. The Treatment can only be done by persons authorized by the Holder and / or by the persons provided by law. Personal data, except public information, may not be available on the Internet or other means of dissemination or mass communication, unless the access is technically controllable to provide restricted knowledge only to the Holders or authorized third parties;
7. Principle of security: The information subject to Treatment by Cipelog, will be handled with the technical, human and administrative measures that are necessary to grant security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access;
8. Principle of confidentiality: All persons involved in the processing of personal data that do not have the nature of public are obliged to guarantee the reservation of information, even after the end of their relationship with any of the tasks comprising the treatment, being able to only perform supply or communication of personal data when this corresponds to the development of activities authorized by law.

The collection, storage, use, circulation or suppression of personal data by Cipelog requires the free, prior and informed consent of the Holder thereof. Cipelog in its capacity as Responsible for the processing of personal data, has arranged the necessary mechanisms to obtain the authorization of the holders guaranteeing in any case that it is possible to verify the granting of such authorization.

The authorization may be recorded in a physical or electronic document or in any other format that guarantees subsequent consultation, or through a suitable technical or technological mechanism through which it can be unequivocally concluded that, if the Holder’s conduct has not been fulfilled, the data will never have been captured and stored by Cipelog.

The authorization of the Holder is a fundamental requirement for Cipelog to initiate any kind of commercial activity with the Holder. Therefore, prior to the use of personal data of the Owners, Cipelog, must have the respective authorizations of the same. Paragraph: Cipelog, will establish the formats and procedures to apply the guidelines of Law 1581 of 2012.

The Holder’s Authorization is a declaration that it allows Cipelog to use their personal or sensitive data and that it must also contain:

1. Purpose of the authorization.
2. Purpose of the Processing of Personal Data.
3. Users of the information.
4. International transfer of information to third countries.
5. Personal information of children and adolescents.
6. Responsible and responsible for information.

The procedures and formats to be used in the ordinary operations of Cipelog, will be known to the company’s officers, through the Intranet of the same.

Cipelog will adopt the necessary measures to maintain records or suitable technical mechanisms of when and how they obtained the authorization of the Owner for the Treatment of the Data.

The Privacy Notice is the physical document, electronic or in any other format that is made available to the Owner for the Processing of their personal data. Through this document, the Owner is informed of the existence of the information processing policies that will be applicable to them, the way to access them and the characteristics of the Treatment that they intend to give to their personal data.

Cipelog will give a Privacy Notice to all the Information Holders that maintain personal data in the Company’s Databases in accordance with the provisions of Law 1581 of 2012 and Decree 1377 of 2013.

The privacy notice, as a minimum, must contain the following information:

1. The identity, address and contact information of the Person in Charge of Data Processing;
2. The type of treatment to which the data and the purpose of the data will be submitted;
3. The general mechanisms provided by the Responsible so that the Holder knows the policy of Treatment of the information and the substantial changes that take place in it.
4. In all cases, you must inform the Owner how to access or consult the information processing policy.

Cipelog will keep the model of the privacy notice that was transmitted to the Owners while the processing of personal data is carried out and the obligations arising from it continue.

In accordance with the provisions of article 8 of Law 1581 of 2012, the holder of personal data has the following rights:

1. Know, update and rectify your personal data in front of Cipelog
2. Request proof of the authorization granted to Cipelog in its capacity as Responsible / in charge of the Treatment.
3. To be informed by Cipelog about the uses or treatment granted to the personal data of the Holder, after consultation by the latter.
4. Submit to the Superintendence of Industry and Commerce complaints for infractions to the provisions of Law 1581 of 2012 and Decree 1377 of 2013, once the process of consultation or claim before Cipelog has been exhausted
5. Revoke the authorization and / or request the deletion of the data when in the Treatment the principles, rights and constitutional and legal guarantees are not respected.
6. Access free of charge to personal data, which have been subject to processing.

Cipelog, will keep in mind at all times, that the personal data are property of the Holders of the information and that only they can decide on them. In this sense, they will use these only for those purposes for which they are duly authorized, and respecting, in any case, Law 1581 of 2012 on the protection of personal data.

Cipelog is committed to permanently comply with the following duties in relation to the processing of personal data:

1. Guarantee the Holder, at all times, the full and effective exercise of the right of habeas data;
2. Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access;
3. Perform timely, this is in the terms provided in articles 14 and 15 of Law 1581 of 2012, updating, rectification or deletion of data;
4. Process inquiries and claims made by the Holders in the terms indicated in article 14 of Law 1581 of 2012;
5. Insert in the database the legend “Information in judicial discussion” once notified by the competent authority, about the judicial processes related to the quality or details of the personal data;
6. Refrain from circulating information that is being controverted by the owner and whose blockade has been ordered by the Superintendence of Industry and Commerce;
7. Allow access to information only to people who may have access to it;
8. Inform the Superintendence of Industry and Commerce when there are violations of the security codes and there are risks in the administration of the information of the Owners;
9. Comply with the instructions given by the Superintendence of Industry and Commerce.

The power of disposition or decision held by the Holder over the information that concerns him necessarily implies the right to access and know if his personal information is being processed by Cipelog, as well as the scope, conditions and generalities of said Treatment. In this way Cipelog, must guarantee the Owner the right of access through:

Written request in the form of a petition right which should be addressed to Cipelog Customer Service. For the attention of requests of consultation, the same ones will be attended in a maximum term of fifteen (15) working days counted from the date of its receipt. When it is not possible to attend the consultation within said term, the interested party will be informed before the expiration of fifteen (15) days, stating the reasons for the delay and indicating the date on which the consultation will be attended, which in no case may be exceed the five (5) business days following the expiration of the first term.

In accordance with the provisions of Article 15 of Law 1581 of 2012, the Holder or his successors in title that consider that the information contained in a Database should be subject to correction, updating or deletion, or when they notice the alleged breach of any of the duties established by Law 1581 of 2012, may submit a claim to Cipelog through the channel indicated in the previous section, which will be processed as long as the claim meets the following requirements:

1. The claim may be presented by the Holder, informing the following:
   1. Holder identification number;
   2. Description of the facts that give rise to the Claim;
   3. Address to answer;
   4. Documents that are required to assert the claim.
2. Once Cipelog receives the claim, it will require the interested party within five (5) days following its receipt to correct the faults, in the events in which the claim does not meet the requirements established in the previous paragraph.
3. After two (2) months from the date of the request without the applicant submitting the required information, it shall be understood that the claim has been abandoned. If, for any reason, a claim is received that should not be directed against Cipelog, it will be transferred, to the extent possible, to the corresponding party within a maximum period of two (2) business days and will report the situation to interested.
4. Once the complete claim has been received by Cipelog, a legend will be included in the databases maintained by Cipelog that says “processing” and the reason thereof, within a term not exceeding three (3) business days. Said legend shall be maintained until the claim is answered to the Holder’s satisfaction.
5. The maximum term to attend the claim will be fifteen (15) business days counted from the day following the date of its receipt. When it is not possible to attend it within said term, the interested party will be informed before the expiration of said period of time of the reasons for the delay and the date on which his claim will be handled, which in no case may exceed eight (8) business days following the expiration of the first term.
6. Request for Updating, Rectification and Deletion of Data. Cipelog will rectify and update, at the request of the owner, the information of the latter that is incomplete or inaccurate, in accordance with the procedure and the aforementioned terms, for which the holder may submit his request in writing or by electronic means to the mail servicioalcliente@cipelog.com indicating the update, rectification of the data and attach the documentation that supports your request.
7. The Owner has the right at all times, to request Cipelog, the deletion (deletion) of your personal data when:
   1. Consider that they are not being treated according to the principles, duties and obligations set forth in Law 1581 of 2012.
   2. They have ceased to be necessary or pertinent for the purpose for which they were collected.
   3. The period necessary to fulfill the purposes for which they were collected has been exceeded.

   This suppression implies the total or partial elimination of personal information in accordance with the request by the Owner in the records, files, databases or treatment performed by Cipelog.

8. Cipelog may deny the deletion request when the data is necessary, in consideration of the legal or contractual duty that assists the Holder to remain in the database of Cipelog Likewise, Cipelog may deny the deletion of the data, when its removal hinders judicial proceedings or administrative or when the data are necessary to protect the legally protected interests of the Holder.
9. Revocation of the Authorization and / or Deletion of the Data. Holders of personal data may revoke the consent to the processing of their personal data at any time, provided that it is not prevented by a legal or contractual provision, for which the owner may revoke it by written or electronic means to the mail servicioalcliente@cipelog.com
10. If the respective legal term expires, the Company, as the case may be, has not suppressed the personal data, the Holder shall have the right to request the Superintendence of Industry and Commerce to order the revocation of the authorization and / or the deletion of the data. personal For these purposes, the procedure described in article 22 of Law 1581 of 2012 will be applied.
11. In the events in which an interested party other than the Holder requests to rectify the information and does not certify in what quality he / she is submitting the application, Cipelog shall consider the application not to have been filed.
12. The Company will collect the data that are strictly necessary to carry out the purposes pursued and will keep them to meet the need with which they have registered, as well as respect the freedom that the Holder has to authorize or not the use of their personal data, and consequently, the mechanisms used to obtain consent will allow the Holder to state unequivocally that it grants such authorization.
13. Cipelog has the obligation to rectify and update at the request of the Owner, the information of the latter that is incomplete or inaccurate, in accordance with the procedure and the terms indicated in this Manual.
14. Data Suppression Process. Cipelog must perform the deletion of the data operatively in such a way that the elimination does not allow the recovery of the information.

In development of the security principle established in Law 1581 of 2012, Cipelog, will adopt the technical, human and administrative measures that are necessary to grant security to the records, avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.

Cipelog will maintain mandatory compliance protocols for personnel with access to personal data and information systems. The procedure must consider at least the following aspects:

1. Scope of application of the procedure with detailed specification of the protected data.
2. Functions and obligations of the staff.
3. Procedures for back-up and recovery of the data.
4. Periodic checks that must be performed to verify compliance with the provisions of the security procedure.

Cipelog designates the Technology area to fulfill the function of protection of personal data.

Cipelog designates the Customer Service area to comply with the processing of requests, queries, rectifications, updates and deletion of data by the Owners.

Cipelog appoints the Customer Service area as responsible for the adoption and implementation of the obligations set forth in Law 1581 of 2012.

This Internal Manual of Policies and Procedures for the Protection of Personal Information Data was informed to our work team in its substantial aspects and the obligatory compliance of each and every one of the aspects that make up the same, in accordance with the above , this manual will begin to operate within the framework established by law.