Privacy and data protection policy

Personal information processing policies at the TAAP Foundation


GENERAL

According to the definition established in Law 1581 of 2012, personal data is any information linked to, or that can be associated with, one or more determined or determinable natural persons, such as name, age, sex, marital status, address, among others.

This data can be stored in any physical or electronic support and can be processed manually or automatically.

Law 1266 of 2008 defines the following types of personal data:

(a) Private data: “It is the data that due to its intimate or reserved nature is only relevant to the Holder”.

(b) Semi-private data: “Semi-private data is data that is not of an intimate, reserved or public nature and whose knowledge or disclosure may be of interest not only to its owner but also to a certain sector or group of persons or to society in general, such as financial and credit data of commercial activity or services referred to in Title IV” of Law 1266.

(c) Public data: “It is the data qualified as such according to the mandates of the Law or the Political Constitution and all those that are not semi-private or private”, in accordance with Law 1266 of 2008. “They are public, among others, the data contained in public documents, duly executed court rulings that are not subject to reserve and those relating to the civil status of persons”.

Additionally, Law 1581 of 2012 establishes the following special categories of personal data:

(d) Sensitive data: are “those that affect the privacy of the Data Subject or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data relating to health, sex life and biometric data.”

Law 1581 of 2012 prohibits the processing of sensitive data with the exception of the following cases: (i) when the Data Subject grants consent, (ii) the Processing is necessary to safeguard the vital interest of the Data Subject and the Data Subject is physically or legally incapacitated, (iii) the Processing is carried out in the course of legitimate activities and with due guarantees by a foundation, NGO, association or any other non-profit organization, whose purpose is political, philosophical, religious or trade union, provided that they refer exclusively to its members or to persons who maintain regular contacts by reason of its purpose, (iv) the Processing refers to data that are necessary for the recognition, exercise or defense of a right in a judicial proceeding, and (v) the Processing has a historical, statistical or scientific purpose, in the latter case the measures leading to the suppression of the identity of the Holders must be adopted.

(e) Personal data of children and adolescents: It should be noted that although Law 1581 of 2012 prohibits the processing of personal data of children and adolescents, except for those that by their nature are public, the Constitutional Court specified that regardless of the nature of the data, the processing of these may be carried out “provided that the purpose pursued with such processing responds to the best interests of children and adolescents and ensures without exception respect for their prevailing rights”.

The law also defines the following roles:

(a) Data Controller: “Natural or legal person, public or private, who by itself or in association with others, decides on the database and/or the Processing of the data”. The Superintendence of Industry and Commerce, in accordance with the law, is responsible for the processing of personal data contained in its databases.

(b) Data Processor: “Natural or legal person, public or private, who by itself or in association with others, carries out the Processing of personal data on behalf of the Data Controller”. The SIC may carry out the processing of personal data through Data Processors.

Additionally, the following roles are included in this document:

(c) Personal database administrator: Official or designated person who is in charge of and processes one or more databases containing personal information.

(d) Manager: The Planning Advisory Office will control the registration of databases with personal information in the SIC and will support the entry of the information in the National Database Registry.

(e) Guarantor: The Office of Consumer Services and Business Support (OSCAE) will coordinate and process the attention and response to the petitions, complaints and claims related to the personal data protection law that the owners make to the Superintendency.

1.1 GENERAL PROVISIONS ESTABLISHED IN LAW 1581 OF 2012 FOR THE PROTECTION OF PERSONAL DATA

Law 1581 of 2012 develops the constitutional right to know, update and rectify the information collected in databases and the other rights, freedoms and guarantees referred to in articles 15 and 20 of the Constitution (right to privacy and right to information, respectively).

The aforementioned law applies to personal data recorded in any database that makes them susceptible to processing by public or private entities.

Considering the mode of conservation of a database, a distinction can be made between automated databases and manual databases or files.

Automated databases are those that are stored and managed with the help of computer tools.

Manual databases or files are those whose information is organized and stored in a physical form, such as supplier order forms containing personal information relating to the supplier, such as name, identification, telephone numbers, e-mail address, etc.

The law exempts from the protection regime (i) files and databases belonging to the personal or domestic sphere; (ii) those whose purpose is national security and defense, prevention, detection, monitoring and control of money laundering and financing of terrorism; (iii) those whose purpose is, and that contain, intelligence and counterintelligence information; (iv) journalistic information and other editorial content; (v) those regulated by Law 1266 of 2008 (financial and credit information, commercial, services and from third countries); and (vi) those regulated by Law 79 of 1993 (on population and housing censuses).

1.2 DUTIES OF THE DATA CONTROLLER

The Data Controller has been defined by Law 1581 of 2012 as the natural or legal person, public or private, who by itself or in association with others decides on the database and/or the processing of the data.

The Superintendence of Industry and Commerce, in addition to being the authority for the protection of personal data, is the Data Controller for the databases created by the entity.

The duties of the Data Controllers and, consequently, of the SIC are those established in article 17 of Law 1581 of 2012:

(a) Guarantee the Data Subject, at all times, the full and effective exercise of the right of habeas data.

(b) Request and keep, under the conditions set forth in the aforementioned law, a copy of the respective authorization granted by the Data Subject.

(c) Duly inform the Data Subject about the purpose of the collection and the rights he/she is entitled to by virtue of the authorization granted.

(d) To keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.

(e) Guarantee that the information provided to the Data Processor is truthful, complete, exact, updated, verifiable and understandable.

(f) To update the information, communicating in a timely manner to the Data Processor all the news regarding the data previously provided, and adopt the other necessary measures so that the information supplied to it is kept up to date.

(g) Rectify the information when it is incorrect and communicate the pertinent information to the Data Processor.

(h) To provide to the Data Processor, as the case may be, only data whose processing is previously authorized in accordance with the provisions of the aforementioned law.

(i) To demand from the Data Processor, at all times, respect for the security and privacy of the Data Subject’s information.

(j) To process the queries and claims formulated in the terms set forth in the aforementioned law.

(k) Adopt an internal manual of policies and procedures to guarantee the adequate compliance with the aforementioned law and, in particular, for the handling of queries and claims.

(l) To inform the Data Controller when certain information is under discussion by the Data Subject, once the claim has been filed and the respective process has not been completed.

(m) Inform at the request of the Data Subject about the use given to his/her data.

(n) Inform the data protection authority when there are violations to the security codes and there are risks in the administration of the information of the Data Subject.

(o) Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

1.3 RIGHTS OF THE OWNERS

Law 1581 of 2012 establishes that the Holders of personal data shall have the following rights:

(a) To know, update and rectify their personal data against the Data Controllers or Data Processors. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or data whose processing is expressly prohibited or has not been authorized.

(b) Request proof of the authorization granted to the Data Controller, except when expressly exempted as a requirement for the Processing, in accordance with the provisions of Article 10 of the aforementioned law.

(c) To be informed by the Data Controller or the Data Processor, upon request, regarding the use made of their personal data.

(d) File complaints before the Superintendence of Industry and Commerce for violations of the provisions of the aforementioned law and other rules that modify, add or complement it.

(e) To revoke the authorization and/or request the deletion of the data when the processing does not respect the principles, rights and constitutional and legal guarantees. The revocation and/or deletion shall proceed when the Superintendence of Industry and Commerce has determined that in the Processing the Controller or Processor has incurred in conduct contrary to the law and the Constitution.

(f) Access, free of charge, their personal data that have been subject to Processing.

Additionally, Regulatory Decree 1377 of 2013 defines that the Controllers must keep proof of the authorization granted by the Data Controllers for the Processing of personal data.

1. POLICIES

The following general guidelines are established:

First: Comply with all current Colombian legal regulations that dictate provisions for the protection of personal data.

Second: Comply with the personal data protection law in accordance with the provisions of the Code of Ethics of the TAAP FOUNDATION.

Third: Servants must abide by the disqualifications, impediments, incompatibilities and conflicts of interest contemplated in Law 734 of 2002 for the treatment of Personal Data.

Specific policies related to the treatment of Personal Data:

(a) The TAAP FOUNDATION carries out the processing of Personal Data in the proper exercise of its functions and for this purpose requires the prior, express and informed authorization of the Data Subject. However, when it does not correspond to its functions, it shall obtain the authorization by means of a physical or electronic document, data message, Internet, website, or also verbally or by telephone or in any other format that allows its subsequent consultation in order to unequivocally verify that without the consent of the holder, the data would never have been captured and stored in electronic or physical media. Likewise, it may be obtained by means of clear and unequivocal conduct of the Data Subject that allows concluding in a reasonable manner that he/she gave his/her consent for the handling of his/her Personal Data.

(b) The TAAP FOUNDATION shall request authorization from the Data Subject and shall keep evidence of such authorization when, by virtue of the promotion, dissemination and training functions, it makes invitations to lectures, conferences or events that involve the Processing of Personal Data for a different purpose than the one for which they were initially collected.

(c) Consequently, any processing of Personal Data carried out by the TAAP FOUNDATION must correspond to the exercise of its legal functions or to the purposes mentioned in the authorization granted by the Data Subject, when the situation so warrants. In particular, the main purposes for the processing of Personal Data that corresponds to the TAAP FOUNDATION to develop in the exercise of its legal functions are related to the following procedures:

Humanitarian care

Inclusion in training programs

Inclusion in Human Rights protection programs

Inclusion in social development programs

Invitation to programs and events related to social development and training

(d) The Personal Data subject to Processing must be truthful, complete, accurate, updated, verifiable and understandable. The TAAP FOUNDATION will maintain the information under these characteristics as long as the holder reports any changes in a timely manner.

(e) Personal Data shall only be processed by those TAAP FOUNDATION employees who have permission to do so, or who are in charge of carrying out such activities as part of their duties, or by those in charge of such activities.

(f) The TAAP FOUNDATION shall expressly authorize the Administrator of the databases to carry out the processing requested by the Data Subject.

(g) The TAAP FOUNDATION will not make Personal Data available for access through the Internet or other mass media, unless it is public information or technical measures are established to control access and restrict it only to persons authorized by law or by the holder.

(h) Any Personal Data that is not Public Data shall be treated by the TAAP FOUNDATION as confidential, even if the contractual relationship or link between the Data Subject and the TAAP FOUNDATION has ended. Upon termination of such relationship, such Personal Data shall continue to be treated in accordance with the provisions of the Archive and Document Retention Manual GD01-M01.

(i) Each area of the TAAP FOUNDATION must evaluate the relevance of anonymizing administrative acts and/or public documents containing Personal Data for publication.

(j) The Data Subject, directly or through duly authorized persons, may consult his/her Personal Data at any time and especially whenever there are modifications to the Information Processing Policies.

(k) The TAAP FOUNDATION will provide, update, ratify or delete the Personal Data at the request of the Data Subject to correct partial, inaccurate, incomplete, fractioned or misleading information, or information that has been processed prior to the law coming into force and that is unauthorized or prohibited.

(l) The policies established by the TAAP FOUNDATION regarding the treatment of Personal Data may be modified at any time. Any modification will be made in accordance with the current legal regulations, and will come into force and be effective from its publication through the mechanisms provided by the TAAP FOUNDATION so that the owners are aware of the information processing policy and the changes that occur in it.

(m) Personal Data may only be processed for the time and to the extent that the purpose of its processing justifies it.

(n) The TAAP FOUNDATION will be more rigorous in the application of information processing policies when it comes to the use of personal data of children and adolescents, ensuring the protection of their fundamental rights.

(o) The TAAP FOUNDATION may exchange information of Personal Data with governmental or public authorities such as administrative authorities, tax authorities, research bodies and judicial authorities, when requested in the exercise of their functions.

(p) The Personal Data subject to treatment shall be handled with all human and technical measures for its protection, ensuring that it cannot be copied, adulterated, eliminated, consulted or in any way used without authorization or for fraudulent use.

(q) When any of the processing of Personal Data by the Servants, contractors or Data Processors ends, and even after the end of their contractual relationship with the TAAP FOUNDATION, they are obliged to maintain the confidentiality of the information in accordance with the regulations in force on the matter.

(r) The Holder of the personal data may exercise his/her rights mainly by submitting queries and claims to the TAAP FOUNDATION, by e-mail to fundaciontaap@gmail.com.