PRIVACY AND DATA PROTECTION POLICY
Securitas Consulting S.A.S. (hereinafter also the "Firm"), a legal entity duly incorporated in the city of Bogota D.C., Colombia, with Colombian Tax Identification Number (T.I.N.) 900.620.136-8, in compliance with article 15 of the Colombian Constitution, Law 1581 of 2012, Decree 1377 of 2013, Decree 886 of 2014, and other related data protection legislation regarding the collection, processing, and transfer of personal data, established the following Privacy and Data Protection Policy (hereinafter also the "Policy"). This Policy, which is part of the Terms and Conditions published on the web page (hereinafter also the "Site"), is made known to the Personal Data Holders (in accordance with the term defined hereunder in Definitions) and visitors of the Site.
The Personal Data Holders who authorize the processing of their data are important to us, thus we want you to feel safe and to know the rights and assurances set forth in this Policy.
1. General Overview
〉The Firm has issued this Policy in compliance with its Management System for Information Usage and Protection of Personal Data.
〉The Firm's directors, employees, and contractors are obliged to revise and comply with the guidelines and orders issued by the Firm regarding the appropriate usage of personal data, as inadequate disclosure or improper use of private data may cause harm to the Personal Data Holders.
〉Cooperation between the Firm and the addressees of this Policy is essential in order to guarantee compliance with the rights to data privacy and personal data protection.
〉The information security policies in the Firm, particularly regarding employment and service provision, incorporate the protection of personal data regarding human resources management, as well as the rights and assurances of workers and service providers.
〉Securitas Consulting undertakes procedures to respond to urgent cases of loss or imminent risks that alter or threaten valuable information and databases, especially those related to personal information kept by the Firm. Consequently, the Firm's employees are committed to provide due cooperation as required to investigate, analyze and capture evidence in case of security breaches.
The general information of the Firm at the date this Policy came into force is as follows:
Business name | City | Address | Telephone
SECURITAS CONSULTING S.A.S. | Bogota, D.C. | Cra. 13 No. 79 – 30 | +57 313 488 67 71
Securitas Consulting S.A.S. is a firm focused on providing high quality legal advice and occupational health and safety (OH&S). Collection and processing of personal data by the Firm are exclusively linked to the provision of our services with the main objective of delivering them in an adequate and efficient manner.
The databases of Securitas Consulting are kept strictly for the time necessary to comply with its corporate aims, legal mandates, and in accordance with document management regulation. Monitoring, handling and updating of the databases kept by the Firm shall be continuous according to the procedures set forth in this Policy, to guarantee the quality, security, and confidentiality of personal data.
The Firm's Compliance Department oversees the adequate protection of personal data and, therefore, is responsible for the response of requests, queries, and complaints by Personal Data Holders, who may enforce their rights to know, update, revise, and delete personal data and revoke the authorizations granted to the Firm. For these purposes, they may contact our Compliance Department at the following email: contacto@securitasconsulting.com.
To guarantee the adequate processing and protection of personal data, the Firm has set the following general rules and provisions, which are mandatory for the addressees of this Policy.
2. Definitions
〉Authorization: Consent granted by Personal Data Holders, which is to be explicit, well-informed, and prior to processing of their personal data.
〉Data Administrator (Admin): The person or legal entity, either public or private, that collects personal data and decides on the purpose, content, and use of databases. The Data Admin is in charge and liable for the adequate management of personal data.
〉Data Processing: Any set of operations and technical procedures of an automated nature or not that are performed on personal data, such as the collection, recording, storage, conservation, use, transfer, modification, blocking, and cancellation of data, among others.
〉Data Processor: A person or legal entity, either public or private, which by itself or in association with others, carries out the processing of personal data on behalf of the Data Administrator, which is in charge and liable for the adequate management of personal data.
〉Habeas Data: Constitutional remedy made available to every person, which enables them to find out, update, amend, and/or cancel the information, and personal data collected and/or processed in public or private databases, in accordance with the Law and applicable regulations.
〉Keeper of the Database: The person in charge of adequately managing a personal database within the Firm.
〉Personal Data: Any data and/or information that identifies an individual person or makes him/her identifiable.
〉Personal Data Holder: The person whose personal data is processed. It should be noted that the corporate names of legal entities are protected by Law.
〉Personal Database: An organized set of personal data, regardless of the procedure used for its development, storage, organization, and access.
〉Principles for Data Processing: These are fundamental rules, grounded in the law and/or on court decisions, which guide the processing of personal data and determine the actions and criteria to solve potential conflicts between the right to privacy, habeas data, the protection of personal data, and the right to information.
〉Public Sources: Those databases containing personal data that may be searched by any person, and which may or may not require a payment in exchange for access to such data. Phone books and industry directories, among others, are examples of sources available to the public, provided that the information they keep refers to general personal data.
〉Security Breaches Concerning Personal Data: Any situation that involves a violation of the Firm's security measures to protect the personal data in its custody, as well as any other conduct that constitutes an inappropriate processing of personal data contrary to the provisions of this Policy or the Law. Any security breach that compromises personal data held by the Firm is to be reported to its Compliance Department.
〉Sensitive Personal Data: It is a distinctive category of personal data specially protected because it concerns health, sex, political affiliation, race or ethnicity, biometric fingerprints, among others, which are part of a person's privacy and can be collected only with the explicit and well-informed consent of the Personal Data Holder and in those cases provided by Law.
〉Transfer of Data: Processing of data that involves its disclosure to a person other than the Personal Data Holder or those initially authorized to process the data.
〉User: The person or legal entity that has an interest in the use of personal data and information.
3. Aim of this Policy
This Policy establishes the applicable rules in order to guarantee the appropriate management of personal data collected, processed and/or stored by Securitas Consulting as it undertakes its business.
The rules contained in this Policy are compliant with article 15 of the Colombian Constitution, Law 1581 of 2012, Decree 1377 of 2013, Decree 886 of 2014, and other related data protection legislation, thus guaranteeing the privacy of individuals, habeas data, and the adequate protection of personal data, in accordance with the right to information.
3.1. Purpose and Processing of Personal Data
In accordance with our business goals, personal data provided to the Firm is collected, used, stored, and processed in compliance with the principles and guidelines set forth in this Policy. Therefore, the Firm undertakes its due diligence when using your personal data for one of the following business purposes and pursuant to the current legal framework:
〉Human resources management
〉Management of third party suppliers and service providers
〉Marketing and customer relations
3.2. Security Measures
To adequately collect and process personal data in accordance with this Policy, the Firm employs appropriate organizational, physical, technical and procedural safeguards and measures to protect your personal data in our possession or under our control, to the extent possible, from unauthorized or accidental access and improper use.
4. Scope of this Policy
This Policy shall be observed when processing of personal data is carried out in Colombia and when there is transfer of personal data to countries that provide adequate levels of data protection, as long as there is explicit authorization from the Personal Data Holders for the latter.
The principles and provisions contained in this Policy shall apply to any database in our possession or under control of the Firm. Thus, all of our business processes, which incorporate the collection and processing of personal data, shall be subject to this Policy.
5. Addressees of this Policy
This Policy shall apply to and therefore is binding to the following addressees:
〉Legal representatives and directors
〉Employees who have access to or are in custody of databases with personal data
〉Third party suppliers and service providers under any type of contract by virtue of which any processing of personal data is carried out
〉Other individuals and legal entities that are required to abide to this Policy according to the Law
It is understood that all employees, including legal representatives and directors, are obliged to abide by this Policy, which pertains to the whole Firm, and thus must guarantee the adequate collection and processing of personal data.
6. Guiding Principles
The collection, processing, and transfer of personal data in Securitas Consulting shall be subject to the following principles, which are based on international law, Colombian law, and the decisions of the Colombian Constitutional Court.
6.1. Mandatory Due Authorization by Personal Data Holders
The collection, processing, and transfer of personal data can only be done with the prior, explicit, and well-informed consent of Personal Data Holders. Personal data may not be obtained, processed, or disclosed without the authorization of the Personal Data Holders, except when there is a binding legal mandate or court order that requires us to do so.
6.2. Legality
The collection, processing, and transfer of personal data in Colombia is regulated, and therefore the business processes in which the addressees of this Policy make use of personal data must abide by the law.
6.3. Purpose
Personal data shall only be obtained and used for legitimate purposes, which are to be informed accurately and beforehand to the Personal Data Holders so that they may express their well-informed consent.
6.4. Accuracy and Quality of Data
The personal data collected must be complete, accurate, verifiable, comprehensible, and kept up to date. Partial, fragmented, incomplete or misleading data may not be processed.
6.5. Transparency
Personal Data Holders have the right to obtain information on their personal data and know who is the person responsible and/or in charge of collecting and processing personal data at any time and without restrictions. Additionally, Personal Data Holders have the right to obtain any information about data concerning them.
6.6. Relevance and Proportionality
The collection of personal data must consider the purpose for which the data is obtained and processed, as well as the databases that have been created. Therefore, personal data obtained must be adequate, relevant, and not excessive or disproportionate in relation to the purpose for which it is obtained. It is thus forbidden to collect personal data that is not linked to a specific objective.
6.7. Restricted Access and Circulation
Personal data will be used only within the scope of the purpose and authorization granted by Personal Data Holders, thus it may not be accessed, transferred, or communicated to third parties.
Personal data under custody of the Firm will not be available on the Internet or any other means of mass communication, unless access is technically controllable and secure, and the communication mechanisms used provide restricted knowledge to the Personal Data Holders or authorized third parties, in accordance with the provisions of the Law and the principles set herein.
6.8. Data Retention
We will retain personal data only for so long as we need it for the purposes it was collected, including for the purposes of satisfying any legal requirements, unless a longer retention period is required under applicable law. To determine the appropriate retention period for personal data, the Firm considers the amount, nature, and sensitivity of the personal data, as well as the potential risk of harm from unauthorized use or disclosure of data, the purposes for which the personal data is processed, and the applicable legal requirements. Once the purpose for which the personal data was collected and/or processed has ceased, the Firm will refrain from using the data and, therefore, will undertake the relevant security measures to achieve the latter.
In the collection and processing of personal data by the Firm, the continuity of the data in its information systems will be determined by the purpose established for the personal data. Consequently, once the purpose for which the data was collected has ceased, it will be destroyed or returned, as the case may be, or it will be kept in accordance with the rules of law.
6.9. Security
The Firm shall undertake the physical, technological and/or administrative security measures necessary to guarantee the integrity, authenticity and reliability of personal data. Also, based on the classification given to personal data, the Firm shall undertake different security measures (high, medium or low level) applicable as the case may be, in order to avoid misrepresentation, loss, leakage, consultation, use, and unauthorized or fraudulent access to the data.
6.10. Confidentiality
All addressees of this Policy in charge of collecting, processing, and transferring personal data have the obligation to maintain the confidentiality of such data. For employees of Securitas Consulting, the obligation to keep personal data confidential remains even after their employment contract with the Firm has ceased. It should be noted that the Firm makes use of data protection clauses in its employment contracts for that purpose.
7. Data Subject Rights
The Personal Data Holders whose data is kept in the databases stored in the Firm's information technology systems (IT systems) have the rights described below, in compliance with the relevant fundamental rights in the Colombian Constitution and the law.
Exercising these rights will be free of charge and not limited by the Firm, without prejudice of the applicable rules of law. However, the Firm may charge a reasonable fee if we believe that your request is excessive, to help us cover the costs of locating the personal data you have requested.
Exercising habeas data, according to the rights hereinafter, is made available to all Personal Data Holders or authorized agents acting on their behalf.
7.1. Authorization
The collection, processing and transferring of personal data shall be carried out in strict compliance with the freedom warranted to Personal Data Holders. The latter is the right of Personal Data Holders to make voluntary and informed decisions, which enable the processing of their personal data. Pursuant to the principle of due and informed consent by Personal Data Holders, they have the right to grant authorization by any means that may be subject to consultation in order to verify the adequate processing and management of personal data by
Due authorization shall not be required in the exceptions established by law, such as any law enforcement, regulatory, or government agency requesting personal information in connection with any inquiry, subpoena, court order, or other legal or regulatory procedures. In these cases, although the authorization by the Personal Data Holder is not required, the principles and rights regarding personal data protection remain applicable.
7.2. Access
Personal Data Holders have the right to request a copy of their personal data, including information regarding the processing of their data, the purpose of the data collected, the location of databases, and information regarding the transfer of data. However, if Personal Data Holders require additional copies of their personal information, we may charge a reasonable fee.
7.3. Update
Personal Data Holders have the right to update their personal data when any changes regarding their data have taken place.
7.4. Correction
Personal Data Holders have the right to correct any inaccuracies regarding their personal data or when they believe information is incomplete.
7.5. Deletion
If Personal Data Holders believe that we should not be processing their personal data any more, they may request that we delete it, particularly if they think the information we keep is no longer relevant or when the purpose for the collection of the data has ceased. Please note the latter may not always be possible due to legal obligations.
7.6. Withdrawal of Consent
If Personal Data Holders previously gave the Firm their consent in order for us to process their personal data, but they no longer wish to consent to us doing so, they can contact us to let us know that they withdraw their consent. Nevertheless, this will not affect the lawfulness of any processing carried out before the Personal Data Holders withdraw their consent. It should be noted that if a Personal Data Holder withdraws his/her consent, we may not be able to provide certain services to him/her. The Firm will advise the Personal Data Holder if this is the case at the time he/she withdraws their consent.
7.7. Objection
Personal Data Holders have the right to object to the processing of their personal data when there is something about their particular situation which makes them want to object to it if they feel it impacts their rights and the freedom warranted to them. Personal Data Holders also have the right to object where we are processing their personal data for marketing purposes. However, in certain situations the Firm may override this right to protect the rights of others or for public interest purposes according to the law.
7.8. Information (Queries, Complaints and Claims)
Personal Data Holders have the right to make a complaint at any time to the competent data protection supervisory authority (in Colombia the Superintendence of Industry and Commerce) if they do not agree with how we have processed their personal data or responded to their queries and complaints. Securitas Consulting is committed to provide timely and adequate responses to the authorities regarding the rights of Personal Data Holders in connection with their personal data.
8. Duties of the Firm with Regards to Personal Data
When Securitas Consulting or any of the addressees of this Policy undertake the processing of personal data, they shall comply with the following duties, without prejudice of other provisions set forth in the law or best practices in the management of personal data.
〉Enable Personal Data Holders full and effective exercise of habeas data
〉Request and keep, according to the conditions established by law, a copy of the authorization and the consent granted by Personal Data Holders
〉Duly inform Personal Data Holders about the purpose for which the personal data is collected and the rights they have regarding their data
〉Keep information under the necessary security conditions to prevent its misrepresentation, loss, leakage, consultation, use, and unauthorized or fraudulent access
〉Guarantee that the information provided to data processors, whenever necessary, is truthful, complete, accurate, updated, verifiable, and understandable
〉Update information, communicating to data processors in a timely manner all changes regarding the data previously provided to them
〉Rectify the information when it is incorrect and provide the accurate information to data processors
〉Provide data processors only data which may be processed on the basis of a previous authorization from the Personal Data Holders
〉Require data processors to comply with appropriate security and privacy conditions to safeguard the data
〉Review and answer the queries and claims from Personal Data Holders according to the terms established in this Policy and in the law
〉Implement procedures to ensure proper compliance with the law and to ensure adequate management of queries and claims
〉Inform data processors when information from a given Personal Data Holder is revised due to a claim being filed
〉Provide accurate information to Personal Data Holders when they request it
〉Inform the data protection supervisory authority (in Colombia the Superintendence of Industry and Commerce) when there are security breaches that risk the adequate administration of personal data
〉Comply with the instructions, orders, and requests from the Superintendence of Industry and Commerce
9. Habeas Data Procedure for Personal Data Holders
In compliance with the constitutional remedy of habeas data, which enables Personal Data Holders to find out, update, amend, and/or cancel their information and personal data that has been collected and/or processed, Securitas Consulting established the following procedure:
9.1. Procedure:
〉Personal Data Holders shall prove they are entitled to exercise habeas data in a given case by sending a copy of their identity document (ID), which may be sent as a hard or digital copy via email. In case a Personal Data Holder is represented by an authorized person, the latter must submit a power of attorney to the Firm.
〉Exercising any of the aforementioned rights under habeas data must be done in writing, which may be rendered via email. The request may be addressed to the main address of the Firm or to the e-mail enabled by our Compliance Department for that purpose: contacto@securitasconsulting.com.
9.2. Request:
To exercise any of the aforementioned rights the request shall include the following information:
〉Name of the Personal Data Holder and, if applicable, of his/her representative.
〉Specific and precise request regarding the information, whether accessing, updating, rectifying or canceling data, or the withdrawal of consent. In each case the request must be reasonably grounded for the Firm to review and solve the request.
〉Address or email for notifications to be promptly delivered.
〉Documents supporting the request.
〉Signature of the Personal Data Holder.
If any of the requirements established herein are missing, the Firm will inform the Personal Data Holder within five (5) days following the receipt of the request, for the Personal Data Holder to correct his/her request, and then the Firm will respond to the habeas data request that has been submitted. After two (2) months without receiving an accurate and corrected request from the Personal Data Holder, it is understood that the request has been withdrawn.
Within two (2) days after receiving an accurate and corrected request from the Personal Data Holder, Securitas Consulting shall indicate that it is a claim in process. The database shall note that the status of the proceeding is in progress with the following mark: "request in process".
The Firm will answer requests made within ten (10) days if it is a query and within fifteen (15) days if it is a claim.
In case it is not possible to answer a claim within fifteen (15) days, the Personal Data Holder shall be informed of the reasons for the delay and the date on which the claim will be answered. In any case, the term to answer a claim may not exceed eight (8) days after the first fifteen (15) days since the claim was submitted.
Securitas Consulting shall record and store requests made by Personal Data Holders or interested parties exercising any of the rights mentioned herein, as well as the answers provided to such requests.
It should be noted that for a Personal Data Holder to make a claim to the Superintendence of Industry and Commerce and undertake any of the legal actions available for Personal Data Holders or interested parties, the process established herein for requests and/or claims shall have been duly undertaken.
10. Central Registry of Personal Data Bases
The Firm, as the legal entity responsible for the appropriate collection, processing, and transfer of personal data, has a central registry in which it lists each of its databases in its information systems. Additionally, the Firm labels each database with an appropriate registration number.
For compliance and auditing purposes, changes in the personal databases are continuously recorded. The occurrence and history of security breaches concerning personal databases under the custody of the Firm are also recorded in a central registry.
11. Prohibitions
In accordance with this Policy, the following prohibitions and sanctions are established in case of non-compliance with the rules and regulations herein.
〉Securitas Consulting prohibits the access, use, management, assignment, communication, storage, and any other processing of personal data without authorization of the Personal Data Holders.
Non-compliance with these prohibitions by the Firm's employees is considered as serious misconduct, which may result in the termination of contract, without prejudice to any applicable legal actions that may be undertaken.
Non-compliance with these prohibitions by contractors and service providers of the Firm will result in the termination of contract, without prejudice to any applicable legal actions that may be undertaken.
〉Securitas Consulting forbids the use, storage, processing and/or management of personal data of children and minors.
12. International Transfer of Data
The transfer of personal data to countries that do not provide adequate levels of data protection is prohibited. Safe countries are understood as those that comply with the standards set by the Superintendence of Industry and Commerce.
Exceptionally and in cases previously informed to Personal Data Holders, the Firm may transfer personal data internationally, with prior informed authorization granted by the Personal Data Holders. The purpose of the transfer, linked to the business of the Firm, shall be previously informed to the Personal Data Holders.
At the time of an international transfer of personal data, prior to sending or receiving the private data, the Firm shall sign the agreements it deems necessary to establish the obligations and duties for the legal entities and their employees undertaking the transfers.
The agreements and contracts shall comply with the provisions of this Policy, as well as with the applicable legislation and jurisprudence on privacy and the adequate protection of personal data.
13. Delivery of Personal Data to the Authorities
When authorities request from Securitas Consulting access to and/or delivery of personal data from any of its databases, the legality of the inquiry, plus the relevance of the data requested with regards to the purpose established by the authority, should be verified. Additionally, the delivery of the personal information requested shall be duly registered. The Firm shall also ensure that the information provided complies with all its necessary attributes (authenticity, reliability and integrity) and that the officer making the request (i.e. person receiving the information), as well as the entity for which they work, are warned about the duty of protection that must be complied with regarding the personal data provided. The authority that requires the personal information will also be warned about the security measures that apply to the personal data provided and the risks involved in its improper use and/or inadequate treatment.
14. Relevant Criminal Law Sanctions
The Firm informs the addressees of this Policy that Law 1581 of 2012 (articles 22 and 23) establishes criminal sanctions that come into force if there is an inadequate treatment of personal data.
Considering the risks taken by the Firm, as the legal entity responsible for the adequate processing, treatment, and management of the personal data in its custody, non-compliance with this Policy by its employees, contractors or service providers is considered a serious offense and shall result in the termination of contract, without prejudice of any applicable legal actions that may be undertaken by the Firm.
15. Approval of this Policy
This Policy was last approved and incorporated on May 15, 2024.
Version: 2.0.
SECURITAS CONSULTING S.A.S.
Tax Identification Number (T.I.N.) 900.620.136-8