Securitas Consulting (hereinafter also the "Firm"), a legal entity duly incorporated in the city of Bogota D.C., Colombia, with Colombian Tax Identification Number (T.I.N.) 900.620.136-8, in compliance with article 15 of the Colombian Constitution, Law 1581 of 2012, Decree 1377 of 2013, Decree 886 of 2014, and other related data protection legislation regarding the collection, processing, and transfer of personal data, established the following Privacy and Data Protection Policy (hereinafter also the "Policy"). This Policy, which is part of the Terms and Conditions published on the website (hereinafter also the "Site") of Securitas Consulting, is made known to the Personal Data Holders (in accordance with the term defined hereunder in Definitions) and visitors of the Site.
The Personal Data Holders who authorize the processing of their data by Securitas Consulting are important to us, thus we want you to feel safe and to know the rights and assurances set forth in this Policy.
- General Overview
- In compliance with the obligation that Securitas Consulting has, and after implementing its Management System for the Treatment and Protection of Personal Data (SG-TDP), the following Policy is issued.
- The Firm's directors, employees, and contractors are obliged to revise and comply with the guidelines and orders issued by the Firm regarding the appropriate usage of personal data, as inadequate disclosure or improper use of private data may cause harm to the Personal Data Holders.
- The cooperation between Securitas Consulting and the recipients of this Policy is essential in order to guarantee compliance with the rights to privacy, to hábeas data, and to the protection of personal data.
- The information security policies in the Firm, particularly regarding employment and service provision, incorporate the protection of personal data regarding human resources management, as well as the rights and assurances of workers and service providers.
- Securitas Consulting undertakes procedures in order to respond to urgent cases of loss or imminent risks that alter or threaten valuable information and databases, especially those related to personal information kept by the Firm. Consequently, the Firm's employees are committed to provide due cooperation as required to investigate, analyze and capture evidence in case of security breaches.
The general information of the Firm at the date this Policy came into force is as follows:
Securitas Consulting is a firm focused on providing high quality legal advice and occupational health and safety (OHS). Collection and processing of personal data by the Firm are exclusively linked to the provision of our services with the main objective of delivering them in an adequate and efficient manner.
Securitas Consulting databases are kept strictly for the time necessary to comply with its corporate aims, legal mandates, and in accordance with document management regulation. Monitoring, handling and updating of the databases kept by the Firm shall be continuous according to the procedures set forth in this Policy, so as to guarantee the quality, security, and confidentiality of personal data.
The Firm's Compliance Department is in charge of the adequate protection of personal data and, therefore, is responsible for responding to requests, queries, and complaints by Personal Data Holders, who may enforce their rights to know, update, revise, and delete personal data and revoke the authorizations granted to the Firm. For these purposes, they may contact our Compliance Department at the following email: email@example.com.
In order to guarantee the adequate processing and protection of personal data, the Firm has set the following general rules and provisions, which are mandatory for the addressees of this Policy.
2. Definitions
- Authorization: Consent granted by Personal Data Holders, which is to be explicit, well-informed, and prior to processing of their personal data.
- Data Administrator (Admin): The natural or legal entity, either public or private, that collects personal data and decides on the purpose, content, and use of databases. The Data Admin is in charge and liable for the adequate management of personal data.
- Data Processing: Any set of operations and technical procedures of an automated nature or not that are performed on personal data, such as the collection, recording, storage, conservation, use, transfer, modification, blocking, and cancellation of data, among others.
- Data Processor: A person or legal entity, either public or private, which by itself or in association with others, carries out the processing of personal data on behalf of the Data Administrator, which is in charge and liable for the adequate management of personal data.
- Habeas data: Constitutional remedy made available to every person, which enables them to find out, update, amend, and/or cancel the information and personal data collected and/or processed in public or private databases, in accordance with the Law and applicable regulations.
- Keeper of the Database: It is a special category of specially protected personal data, because it is about health, sex, political affiliation, race or ethnic origin, biometric fingerprints, among others, which are part of the personal assets of the person and can be collected only with the express and informed consent of its Owner and in the cases provided for in the Law.
- Processor: It is the natural or legal person, public or private authority, that by itself or in association with others, performs the processing of personal data on behalf of the person in charge.
- Sources accessible to the public: It refers to those databases that contain personal data that can be consulted by any person and that may or may not include the payment of a consideration in exchange for access to such data. Telephone directories and sector directories, among others, have this status as sources accessible to the public, as long as the information is limited to personal data of a general nature.
- Hábeas data: Fundamental right of every person to know, update, rectify and/or cancel the information and personal data that has been collected and/or processed in public or private databases, in accordance with the provisions of the Law and other applicable regulations.
- Principles for data processing: They are the fundamental rules, of a legal and/or jurisprudential nature, that guide the processing of personal data, based on which actions and criteria are determined to solve the possible collision between the right to privacy, the hábeas data, the protection of personal data and the right to information.
- Responsible for the treatment: It is the natural or legal person, of a public or private nature, who collects personal data and decides on the purpose, content and use of the database for its treatment.
- Personal Data Holder: It is the natural person whose data is processed. Regarding legal entities, it is understood that the name is legally protected.
- Data treatment: Any set of operations and technical procedures of an automated or non-automated nature that are carried out on personal data, such as the collection, recording, storage, conservation, use, circulation, modification, blocking and cancellation, among others.
- User: It is the natural or legal person who has an interest in the use of personal information.
- Violations of personal data security measures: Any situation that implies a violation of the Firm's security measures to protect the personal data delivered for its custody will be considered a security incident, as well as any other conduct that constitutes inappropriate processing of personal data contrary to the provisions of this Policy or what is indicated in the Law. Any security incident that compromises the personal data held by Securitas Consulting must be reported to the area of Compliance.
3. Aim of this Policy
This Policy establishes the applicable rules in order to guarantee the appropriate management of personal data collected, processed and/or stored by Securitas Consulting as it undertakes its business.
The rules contained in this Policy are in compliance with article 15 of the Colombian Constitution, Law 1581 of 2012, Decree 1377 of 2013, Decree 886 of 2014, and other related data protection legislation, thus guaranteeing the privacy of individuals, hábeas data, and the adequate protection of personal data, in accordance with the right to information.
3.1. Purpose and Processing of Personal Data
In accordance with Securitas Consulting's business goals, personal data provided to the Firm is collected, used, stored, and processed in compliance with the principles and guidelines set forth in this Policy. Therefore, the Firm undertakes its due diligence when using your personal data for one of the following business purposes and pursuant to the corresponding legal framework:
- Human resources management
- Management of third party suppliers and service providers
- Marketing and customer relations
In order to adequately collect and process personal data in accordance with this Policy, Securitas Consulting adopts physical, technological, information and administrative security measures, according to the risk that may derive from the criticality of the personal data processed.
Scope of this Policy
This Policy shall be observed when processing of personal data is carried out in Colombia and when there is transfer of personal data to countries that provide adequate levels of data protection, as long as there is explicit authorization from the Personal Data Holders for the latter.
The principles and provisions contained in this Policy shall apply to any database in our possession or under control of the Firm. Thus all Securitas Consulting business processes, which incorporate the collection and processing of personal data, shall be subject to this Policy.
Addressees of this Policy
This Policy shall apply to and therefore is binding to the following addressees:
- Legal representatives and directors
- Employees who have access to or are in custody of databases with personal data
- Third party suppliers and service providers under any type of contract by virtue of which any processing of personal data is carried out
- Other individuals and legal entities that are required to abide by this Policy according to the Law
Responsibility for the proper processing of personal data within Securitas Consulting rests with all the workers and managers of the organization, as this is a cross-cutting Policy for the entire Firm.
6. Guiding Principles
The collection, processing, and transfer of personal data in Securitas Consulting shall be subject to the following principles, which are based on international law, Colombian law, and the decisions of the Colombian Constitutional Court.
6.1. Mandatory Due Authorization by Personal Data Holders
The collection, processing, and transfer of personal data can only be done with the prior, explicit, and well-informed consent of Personal Data Holders. Personal data may not be obtained, processed, or disclosed without the authorization of the Personal Data Holders, except when there is a binding legal mandate or court order that requires us to do so.
The collection, processing, and transfer of personal data in Colombia is regulated and therefore the business processes in which the addressees of this Policy make use of personal data must abide by the law.
Personal data shall only be obtained and used for legitimate purposes, which are to be informed accurately and beforehand to the Personal Data Holders so that they may express their well-informed consent.
6.4. Accuracy and Quality of Data
The personal data collected must be complete, accurate, verifiable, comprehensible, and kept up to date. Partial, fragmented, incomplete or misleading data may not be processed.
Personal Data Holders have the right to obtain information on their personal data and know who is the person responsible and/or in charge of collecting and processing personal data at any time and without restrictions. Additionally Personal Data Holders have the right to obtain any information about data concerning them.
6.6. Relevance and Proportionality
The collection of personal data must take into account the purpose for which the data is obtained and processed, as well as the databases that have been created. Therefore, personal data obtained must be adequate, relevant, and not excessive or disproportionate in relation to the purpose for which it is obtained. It is thus forbidden to collect personal data that is not linked to a specific objective.
6.7 Restricted Access and Circulation
Personal data will be used only within the scope of the purpose and authorization granted by Personal Data Holders, thus it may not be accessed, transferred, or communicated to third parties.
Personal data under custody of the Firm will not be available on the Internet or any other means of mass communication, unless access is technically controllable and secure, and the communication mechanisms used provide restricted knowledge to the Personal Data Holders or authorized third parties, in accordance with the provisions of the Law and the principles set herein.
6.8. Data Retention
We will retain personal data only for so long as we need it for the purposes it was collected, including for the purposes of satisfying any legal requirements, unless a longer retention period is required under applicable law. To determine the appropriate retention period for personal data, the Firm considers the amount, nature, and sensitivity of the personal data, as well as the potential risk of harm from unauthorized use or disclosure of data, the purposes for which the personal data is processed, and the applicable legal requirements. Once the purpose for which the personal data was collected and/or processed has ceased, the Firm will refrain from using the data and, therefore, will undertake the relevant security measures to achieve the latter.
In the collection and processing of personal data by the Firm, the continuity of the data in its information systems will be determined by the purpose established for the personal data. Consequently, once the purpose for which the data was collected has ceased, it will be destroyed or returned, as the case may be, or it will be kept in accordance with the rules of law.
The Firm will adopt the physical, technological and/or administrative security measures that are necessary to guarantee the attributes of integrity, authenticity and reliability of personal data. Securitas Consulting, according to the classification of personal data, will implement high, medium or low level security measures, applicable as the case may be, in order to avoid adulteration, loss, leakage, consultation, use or unauthorized or fraudulent access.
All addressees of this Policy in charge of collecting, processing, and transferring personal data have the obligation to maintain the confidentiality of such data. For employees of Securitas Consulting, the obligation to keep personal data confidential remains even after their employment contract with the Firm has ceased. It should be noted that the Firm makes use of data protection clauses in its employment contracts for that purpose.
7. Data Subject Rights
The Personal Data Holders whose data is kept in the databases stored in the Firm's information technology systems (IT systems) have the rights described below, in compliance with the relevant fundamental rights in the Colombian Constitution and the law.
Exercising these rights will be free of charge and not limited by the Firm, without prejudice of the applicable rules of law. However, Securitas Consulting may charge a “reasonable fee” if we believe that your request is excessive, in order to help us cover the costs of locating the personal data you have requested.
The exercise of hábeas data, expressed in the following rights, constitutes a personal power and will be exercised exclusively by the Data Owner.
The collection, processing and transferring of personal data shall be carried out in strict compliance with the freedom warranted to Personal Data Holders. The latter is the right of Personal Data Holders to make voluntary and informed decisions, which enable the processing of their personal data. Pursuant to the principle of due and informed consent by Personal Data Holders, they have the right to grant authorization by any means that may be subject to consultation in order to verify the adequate processing and management of personal data by Securitas Consulting.
Due authorization shall not be required in the exceptions established by law, such as any law enforcement, regulatory, or government agency requesting personal information in connection with any inquiry, subpoena, court order, or other legal or regulatory procedures. In these cases, although the authorization by the Personal Data Holder is not required, the principles and rights regarding personal data protection remain applicable.
Personal Data Holders have the right to request a copy of their personal data, including information regarding the processing of their data, the purpose of the data collected, the location of databases, and information regarding the transfer of data. If Personal Data Holders require additional copies of their personal information, we may charge a reasonable fee.
Personal Data Holders have the right to update their personal data when any changes regarding their data have taken place.
Personal Data Holders have the right to correct any inaccuracies regarding their personal data or when they believe information is incomplete.
If Personal Data Holders believe that we should not be processing their personal data any more, they may request that we delete it, particularly if they think the information we keep is no longer relevant or when the purpose for the collection of the data has ceased. Please note the latter may not always be possible due to legal obligations.
7.6. Withdrawal of Consent
If Personal Data Holders previously gave the Firm their consent in order for us to process their personal data, but they no longer wish to consent to us doing so, they can contact us to let us know that they withdraw their consent. Nevertheless, this will not affect the lawfulness of any processing carried out before the Personal Data Holders withdraw their consent. It should be noted that if a Personal Data Holder withdraws his/her consent, we may not be able to provide certain services to him/her. The Firm will advise the Personal Data Holder if this is the case at the time he/she withdraws their consent.
Personal Data Holders have the right to object to the processing of their personal data when there is something about their particular situation which makes them want to object to it, if they feel it impacts their rights and the freedom warranted to them. Personal Data Holders also have the right to object where we are processing their personal data for marketing purposes. However, in certain situations the Firm may override this right to protect the rights of others or for public interest purposes according to the law.
7.8. Information (Queries, Complaints and Claims)
Personal Data Holders have the right to make a complaint at any time to the competent data protection supervisory authority (in Colombia the Superintendence of Industry and Commerce) if they do not agree with how we have processed their personal data or responded to their queries and complaints. Securitas Consulting is committed to provide timely and adequate responses to the authorities regarding the rights of Personal Data Holders in connection with their personal data.
8. Duties of the Firm with Regards to Personal Data
When Securitas Consulting or any of the addressees of this Policy undertake the processing of personal data, they shall comply with the following duties, without prejudice of other provisions set forth in the law or best practices in the management of personal data.
- Enable Personal Data Holders full and effective exercise of hábeas data.
- Request and keep, according to the conditions established by law, a copy of the authorization and the consent granted by Personal Data Holders
- Duly inform Personal Data Holders about the purpose for which the personal data is collected and the rights they have regarding their data
- Keep information under the necessary security conditions to prevent its misrepresentation, loss, leakage, consultation, use, and unauthorized or fraudulent access
- Guarantee that the information provided to data processors, whenever necessary, is truthful, complete, accurate, updated, verifiable, and understandable
- Update information, communicating to data processors in a timely manner all changes regarding the data previously provided to them
- Rectify the information when it is incorrect and provide the accurate information to data processors
- Provide data processors, as the case may be, only data which may be processed on the basis of a previous authorization from the Personal Data Holders
- Require data processors to comply with appropriate security and privacy conditions to safeguard the data
- Review and answer the queries and claims from Personal Data Holders according to the terms established in this Policy and in the law
- Implement procedures to ensure proper compliance with the law and, in particular, to ensure adequate management of queries and claims
- Inform data processors when information from a given Personal Data Holder is revised due to a claim being filed
- Provide accurate information to Personal Data Holders when they request it
- Inform the data protection supervisory authority (in Colombia the Superintendence of Industry and Commerce) when there are security breaches that risk the adequate administration of personal data
- Comply with the instructions, orders, and requests from the Superintendence of Industry and Commerce
9. Hábeas Data Procedure for Holders to Exercise Their Rights
In development of the constitutional guarantee of hábeas data regarding the rights of access, updating, rectification, cancellation and opposition by the Holder, Securitas Consulting adopts the following procedure:
- Personal Data Holders shall prove they are entitled to exercise habeas data in a given case by sending a copy of their identity document (ID), which may be sent as a hard or digital copy via email. In case a Personal Data Holder is represented by an authorized person, the latter must submit to the Firm a power of attorney.
- Exercising any of the aforementioned rights under habeas data must be done in writing, which may be rendered via email. The request may be addressed to the main address of the Firm or to the e-mail enabled by our Compliance Department for that purpose: firstname.lastname@example.org. Likewise, Securitas Consulting may also enable hard copy or digital formats to expedite the hábeas data process.
The request to exercise any of the aforementioned rights will contain the following information:
- Name of the Personal Data Holder and his/her representative, if applicable
- Specific and precise request regarding the information, whether accessing, updating, rectifying or canceling data, or the withdrawal of consent. In each case the request must be reasonably grounded for the Firm to review and solve the request.
- Address or email for notifications to be promptly delivered
- Documents supporting the request
- Signature of the Personal Data Holder
If any of the requirements established herein are missing, the Firm will inform the Personal Data Holder within five (5) days following the receipt of the request, in order for the Personal Data Holder to correct his/her request, and then the Firm will respond to the hábeas data request that has been submitted. After two (2) months without receiving an accurate and corrected request from the Personal Data Holder, it is understood that the request has been withdrawn.
Within two (2) days after receiving an accurate and corrected request from the Personal Data Holder, Securitas Consulting shall indicate that it is a claim in process. The database shall note that the status of the proceeding is in progress with the following mark: "request in process" ("Reclamo en trámite").
The Firm will answer requests made within ten (10) days if it is a query and within fifteen (15) days if it is a claim.
In case it is not possible to answer a claim within fifteen (15) days, the Personal Data Holder shall be informed of the reasons for the delay and the date on which the claim will be answered. In any case, the term to answer a claim may not exceed eight (8) days after the first fifteen (15) days since the claim was submitted.
Securitas Consulting shall record and store requests made by Personal Data Holders or interested parties exercising any of the rights mentioned herein, as well as the answers provided to such requests.
It should be noted that in order for a Personal Data Holder to make a claim to the Superintendence of Industry and Commerce and undertake any of the legal actions available for Personal Data Holders or interested parties, the process established herein for requests and/or claims shall have been duly undertaken.
10. Central Registry of Personal Data Bases
Securitas Consulting, as the legal entity responsible for the appropriate collection, processing, and transfer of personal data, has a central registry in which it lists each of its databases in its information systems. Additionally the Firm labels each database with an appropriate registration number.
For compliance and auditing purposes, changes in the personal databases are continuously recorded. The occurrence and history of security breaches concerning personal databases under the custody of the Firm are also recorded in a central registry.
In accordance with this Policy, the following prohibitions and sanctions are established in case of non-compliance with the rules and regulations herein.
- Securitas Consulting prohibits the access, use, management, assignment, communication, storage, and any other processing of personal data without authorization of the Personal Data Holders.
Non-compliance with these prohibitions by the Firm's employees is considered as serious misconduct, which may result in the termination of contract, without prejudice to any applicable legal actions that may be undertaken.
The non-compliance with these prohibitions by contractors and service providers of the Firm will result in the termination of contract, without prejudice to any applicable legal actions that may be undertaken.
- Securitas Consulting forbids the use, storage, processing and/or management of personal data of children and minors.
12. International Transfer of Data
The transfer of personal data to countries that do not provide adequate levels of data protection is prohibited. Safe countries are understood as those that comply with the standards set by the Superintendence of Industry and Commerce.
Exceptionally and in cases previously informed to Personal Data Holders, the Firm may transfer personal data internationally, with the prior informed authorization granted by the Personal Data Holders. The purpose of the transfer, linked to Securitas Consulting's business activities, shall be previously informed to the Personal Data Holders.
At the time of an international transfer of personal data, prior to sending or receiving the private data, the Firm shall sign the agreements it deems necessary to establish the obligations and duties for the legal entities and their employees undertaking the transfers.
The agreements and contracts shall comply with the provisions of this Policy, as well as with the applicable legislation and jurisprudence on privacy and the adequate protection of personal data.
13. Delivery of Personal Data to the Authorities
When authorities request from Securitas Consulting access to and/or delivery of personal data from any of its databases, the legality of the inquiry, plus the relevance of the data requested with regards to the purpose established by the authority, should be verified. Additionally, the delivery of the personal information requested shall be duly registered. The Firm shall also ensure that the information provided complies with all its necessary attributes (authenticity, reliability and integrity) and that the officer making the request (i.e. person receiving the information), as well as the entity for which they work, are warned about the duty of protection that must be complied with regarding the personal data provided. The authority that requires the personal information will also be warned about the security measures that apply to the personal data provided and the risks involved in its improper use and/or inadequate treatment.
14. Relevant Criminal Law Sanctions
The Firm informs the addressees of this Policy that Law 1581 of 2012 (articles 22 and 23) establishes criminal sanctions that come into force if there is an inadequate treatment of personal data.
Taking into account the risks taken by Securitas Consulting, as the legal entity responsible for the adequate processing, treatment, and management of the personal data in its custody, non-compliance with this Policy by its employees, contractors or service providers is considered a serious offense and shall result in the termination of contract, without prejudice of any applicable legal actions that may be undertaken by the Firm.
15. Approval of this Policy
This Policy has been approved and incorporated by Securitas Consulting on March fifteenth (15th), two thousand twenty-one (2021).
SECURITAS CONSULTING S.A.S.
Tax Identification Number (T.I.N.) 900.620.136-8