Privacy Policy

DATA PRIVACY AND INFORMATION MANAGEMENT POLICIES LAW 1581 OF 2012 AND REGULATORY DECREE 1377 OF 2013

DATA CONTROLLER

NAME: Neusa Hills - Boutique Eco Hotel

NIT: 901820468-1

ADDRESS: Neusa Reservoir, Laureles Sector, Tausa, Cundinamarca.

EMAIL: reservas@neusahills.com

WEBSITE: neusahills.com

1. OBJECTIVE

Establish and disclose the Information Processing and Personal Data Protection Policies implemented by NEUSA HILL GLAMPING, in order to ensure proper compliance with Law 1581 of 2012 and Decree 1377 of 2013, which aim to develop the constitutional right of all persons to know, update and rectify the information that has been collected about them in databases or files, and the other rights, freedoms and constitutional guarantees referred to in Article 15 of the Political Constitution "Habeas Data"; as well as the right to information enshrined in Article 20 thereof.

The company NEUSA HILL GLAMPING adopts the internal manual of policies and procedures to ensure compliance with this precept and these normative regulations.

2. SCOPE:

This document applies to personal data recorded in any database managed by the company that makes them susceptible to processing.

3. DEFINITIONS:

3.1. Authorization: prior, express and informed consent of the Owner to carry out the processing of personal data.

3.2. Database: organized set of personal data that is subject to processing.

3.3. Personal data: any information linked to or that may be associated with one or more specific or identifiable natural or legal persons.

3.4. Data processor: natural or legal person, public or private, who alone or in association with others, processes personal data on behalf of the data controller.

3.5. Data controller: natural or legal person, public or private, who alone or in association with others, decides on the database and/or its processing.

3.6. Owner: natural or legal person whose personal data is processed.

3.7. Processing: any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.

3.8. Queries: request for personal information of the Holder that is stored in any database, for which NEUSA HILL GLAMPING has the obligation to provide the Holder or his/her successors in title with all the information contained in the individual record or that is linked to the Holder's identification.

3.9. Claim: request for correction, update or deletion of information contained in a database processed by NEUSA HILL GLAMPING, or request for alleged non-compliance with any of the duties contained in Law 1581 of 2012, made by the Owner or his successors in title.

3.10. Public data: is data that is not semi-private, private or sensitive. Public data includes, among others, data relating to the civil status of persons, their profession or occupation and their status as a merchant or public servant. By its nature, public data may be contained in, among others, public records, public documents, official gazettes and bulletins and duly executed court rulings that are not subject to reservation.

3.11. Sensitive data: personal data that reveal racial or ethnic origin, political opinions, religious or moral beliefs, trade union membership, information relating to health or sexual life or any other data that may, due to its nature or context, lead to discriminatory treatment of the data subject. These data are especially protected.

3.12. Habeas data: fundamental right that allows to know, update and rectify the information stored about people in databases and in the files of public and private entities.

3.13. Successor in title: person who has succeeded or has been subrogated by any title in the rights of another or others.

4. GENERAL GUIDELINES

4.1 The policies set forth in this document are mandatory for NEUSA HILL GLAMPING as a source of data information, as well as for those responsible for processing personal data on behalf of the Company.

4.2 Both the controller and those in charge must safeguard the databases containing personal data and maintain confidentiality regarding the processing.

5. REGULATORY BACKGROUND

5.1 Article 15 of the Political Constitution.

“All persons have the right to their personal and family privacy and to their good name, and the State must respect them and ensure that they are respected. Likewise, they have the right to know, update and rectify the information that has been collected about them in databases and in the archives of public and private entities. In the collection, processing and circulation of data, freedom and other guarantees enshrined in the Constitution shall be respected.”

5.2 Article 20 of the Political Constitution.

“Every person is guaranteed the freedom to express and disseminate his or her thoughts and opinions, to inform and receive truthful and impartial information, and to establish mass media. These are free and have social responsibility. The right to rectification under fair conditions is guaranteed. There shall be no censorship.”

6. NEUSA HILL GLAMPING IN THE REGULATIONS

We are a source of information.

6.1 WHY ARE WE A SOURCE OF INFORMATION?

Since NEUSA HILL GLAMPING is a company that is responsible for collecting credit information from users who are offered services through credit and cash payment systems, it constitutes the so-called sources of information referred to in literal (b) of the third article of Law 1266 of 2008. (…)

“It is the person, entity or organization that receives or knows personal data of the owners of the information, by virtue of a commercial or service relationship or of any other nature and that, by virtue of legal authorization or of the owner, supplies said data to an information operator, who in turn will deliver it to the end user. If the source delivers the information directly to the users and not through an operator, it will have the double condition of source and operator and will assume the duties and responsibilities of both. The source of the information is responsible for the quality of the data supplied to the operator who, as soon as it has access to and supplies personal information of third parties, is subject to compliance with the duties and responsibilities provided to guarantee the protection of the rights of the owner of the data” (…)

6.2 DUTIES OF INFORMATION SOURCES ARTICLE 8, LAW 1266 OF 2008:

Sources of information must comply with the following obligations, without prejudice to compliance with other provisions set forth in this law and in other laws that govern their activity:

a. Ensure that the information provided to database operators or users is true, complete, accurate, up-to-date and verifiable.
b. Report, periodically and in a timely manner, to the operator all new developments regarding the data previously provided and adopt other measures necessary to ensure that the information provided to the operator remains up to date.
c. Correct information when it is incorrect and report the relevant information to the operators.
d. Design and implement effective mechanisms to report information to the operator in a timely manner.
e. Request, where appropriate, and retain a copy or evidence of the respective authorization granted by the owners of the information, and ensure that no data is provided to the operators whose supply has not been previously authorized, when such authorization is necessary, in accordance with the provisions of this law.
f. Certify to the operator on a semi-annual basis that the information provided is authorized in accordance with the provisions of this law.
g. Resolve the claims and requests of the owner in the manner regulated in this law.
h. Inform the operator that certain information is being discussed by its owner, when a request for rectification or updating of the same has been submitted, so that the operator may include a mention to that effect in the database until said procedure has been completed.
i. Comply with the instructions issued by the supervisory authority in relation to compliance with this law.
j. Others arising from the Constitution or this law.

7. PROCESSING OF PERSONAL DATA

7.1 Principles for the processing of personal data.

The following principles will be taken into account by NEUSA HILL GLAMPING in the process of managing personal data.

7.1.1 Legality regarding data processing.

Data processing must be subject to the provisions contained in Law 1581 of 2012 and any regulations that develop or regulate such provision.

7.1.2 Purpose and treatment.

Data processing must be for a legitimate purpose in accordance with the Constitution and the Law, which must be reported to the Owner. The processing of data and the purpose of the information in the databases of NEUSA HILL GLAMPING are based on the provision of the service, the contractual relationship, commercial and/or advertising purposes. NEUSA HILL GLAMPING may transmit the information to third parties, suppliers and authorities.

The processing may only be carried out with the prior, express and informed consent of the Owner. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that waives consent.

7.1.3 Truthfulness or quality.

The information subject to processing must be true, complete, accurate, up-to-date, verifiable and understandable. The processing of partial, incomplete, fractional or misleading data is prohibited.

7.1.4 Transparency.

In the processing, the right of the Owner to obtain from advertising companies or from the data processor, at any time and without restrictions, information about the existence of data concerning him/her must be guaranteed.

7.1.5 Restricted access and circulation.

The processing is subject to the limits arising from the nature of the personal data, the provisions of Law 1581 of 2012 and the Constitution. In this regard, processing may only be carried out by persons authorized by the Owner and/or by the persons provided for in the Law.

Personal data, except for public information, may not be made available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to the Holders or authorized third parties in accordance with the Law.

7.1.6 Security

The information subject to processing by the person responsible for or in charge of processing must be handled by taking reasonable technical, human and administrative measures to ensure the security of the records, seeking to prevent their adulteration, loss, consultation, use or unauthorized or fraudulent access.

7.1.7 Confidentiality.

All persons involved in the processing of personal data that are not public in nature are required to ensure the confidentiality of the information, even after their relationship with any of the tasks involved in said procedure has ended, and may only provide or communicate personal data when this corresponds to the development of the activities authorized by the Law and under the terms thereof.

7.2 Special categories of data.

7.2.1 Sensitive data.

These are data that affect the privacy of the Owner or whose improper use may lead to discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data relating to health, sexual life and biometric data.

7.2.1.1 The processing of sensitive data is prohibited, except when:

a. The Data Subject has given explicit authorization to such processing, except in cases where such authorization is not required by law. The processing is necessary to safeguard the vital interest of the Data Subject and the Data Subject is physically or legally incapacitated. In such events, the legal representatives must grant their authorization.
b. The processing is carried out in the course of legitimate activities and with due guarantees by a foundation, NGO, association or any other non-profit organization, the purpose of which is political, philosophical, religious or trade union, provided that it refers exclusively to its members or to persons with whom it maintains regular contact by reason of its purpose.
c. In these events, the data may not be provided to third parties without the authorization of the Owner.
d. The processing concerns data that is necessary for the recognition, exercise or defence of a right in a judicial process.
e. The processing has a historical, statistical or scientific purpose. In this event, measures must be taken to suppress the identity of the Data Subjects.
f. In the processing of sensitive personal data, when such processing is possible in accordance with the exceptions cited above contained in Article 6 of Law 1581 of 2012, the following obligations must be met:

Inform the Data Subject that, since the data is sensitive, he/she is not required to authorize its processing. Inform the Data Subject explicitly and in advance, in addition to the general requirements for authorization to collect any type of personal data, which of the data to be processed are sensitive and the purpose of the Processing, as well as obtain his/her express consent.

7.2.2 Rights of children and adolescents.

In the treatment, respect for the prevailing rights of children and adolescents will be ensured. The processing of personal data of children and adolescents is prohibited, except for those data that are of a public nature.

7.2.3 Rights of the Holders:

7.2.3.1 To know, update and rectify your personal data in front of NEUSA HILL GLAMPING or in front of the designated data processor. This right may be exercised, among others, in front of partial, inaccurate, incomplete, fractioned data, which lead to error, or those whose processing is expressly prohibited or has not been authorized.

7.2.3.2 Request proof of the authorization granted to NEUSA HILL GLAMPING, except when it is expressly excepted as a requirement for processing, in accordance with the provisions of article 10 of Law 1581 of 2012.

7.2.3.3 Be informed by NEUSA HILL GLAMPING, or by the designated data processor, upon request, regarding the use that has been given to your personal data.

7.2.3.4 Submit complaints to the Superintendency of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and other regulations that modify, add to or complement it.

7.2.3.5 Revoke the authorization and/or request the deletion of the data when the processing does not respect the constitutional and legal principles, rights and guarantees. The revocation and/or deletion will proceed when the Superintendence of Industry and Commerce has determined that in the processing, NEUSA HILL GLAMPING or the designated person in charge has incurred in conduct contrary to Law 1581 of 2012 and the Constitution.

7.2.3.6 Access free of charge, under the conditions defined in this document, to your personal data that have been processed.

8. CONDITIONS FOR DATA PROCESSING

8.1 Authorization

Pursuant to the principles of purpose and freedom, the collection of data carried out by NEUSA HILL GLAMPING must be limited to those personal data that are relevant and appropriate for the purpose for which they are collected or required in accordance with current regulations, except in cases expressly provided for in the Law.

8.2 Authorization of the Holder

In order for NEUSA HILL GLAMPING to carry out any personal data processing action, the prior and informed authorization of the Owner is required, which must be obtained by any means that can be subject to subsequent consultation. These mechanisms may be predetermined through technical means that facilitate the Owner's automated manifestation or may be in writing or orally. Authorizations by Owners will be recorded as follows:

NEUSA HILL GLAMPING requests authorization to process the information from all of its owners, as long as said collection involves the processing of information by NEUSA HILL GLAMPING or third parties (with prior authorization). This authorization request is made when generating business relationships with clients (Credit and Cash Sales), purchasing products and services from suppliers, and hiring personnel to perform the tasks inherent to the organization. NEUSA HILL GLAMPING adopts the procedures to request, no later than at the time of data collection, the authorization of the Owner for the processing of the same and will inform the personal data that will be collected as well as all the specific purposes of said processing for which consent is obtained.

Personal data found in publicly accessible sources, regardless of the means by which they are accessed, meaning those data or databases that are available to the public, may be processed by NEUSA HILL GLAMPING, provided that, by their nature, they are public data.

In the event of making substantial changes to the content of the Processing Policies, referring to the identification of the Controller and the Purpose of the processing of personal data, which may affect the content of the authorization, NEUSA HILL GLAMPING will communicate these changes to the Holders, at least 3 days before the new policy comes into effect, and will also obtain a new authorization from the Holder when the change refers to the Purpose of the Processing. For the communication of the changes and the authorization.

8.2.1 Cases where authorization is not required

a. Information required by a public or administrative entity in the exercise of its legal functions or by court order.
b. Data of a public nature.
c. Cases of medical or health emergencies.
d. Processing of information authorized by law for historical, statistical or scientific purposes.
e. Data related to the Civil Registry of persons.

8.3 Supply of information

The information requested by the Owner will be supplied by NEUSA HILL GLAMPING and may be supplied by any means, including electronic means, as required by the Owner. The information must be easy to read, without technical barriers that impede access and must correspond in all respects to that which is stored in the database.

8.4 Duty to inform the Owner

NEUSA HILL GLAMPING, at the time of requesting authorization from the Owner, must inform him/her clearly and expressly of the following:

The processing to which his/her personal data will be subjected and the purpose thereof.
The optional nature of the response to the questions asked, when these deal with sensitive data or the data of girls, boys and adolescents.
The rights that assist him/her as Owner.
The identification, physical or electronic address and telephone number of the person responsible for the treatment.

8.5 Persons to whom the information may be provided:

Information about personal data that has been processed by NEUSA HILL GLAMPING may be provided to the following persons:

The Data Subjects, their successors in title or their legal representatives.
Public or administrative entities in the exercise of their legal functions or by court order.
Third parties authorized by the Data Subject or by law.

9. RIGHTS OF THE OWNER

9.1 Revocation of authorization and/or deletion of data:

The Holders may at any time request NEUSA HILL GLAMPING to delete their personal data and/or revoke the authorization granted for the processing thereof, by submitting a claim, in accordance with the provisions of article 15 of Law 1581 of 2012. The request for deletion of information and the revocation of authorization WILL NOT PROCEED WHEN THE HOLDER HAS A LEGAL OR CONTRACTUAL DUTY TO REMAIN IN THE NEUSA HILL GLAMPING DATABASE. The procedure will be the one established in this document for submitting claims.

9.2 Queries and complaints:

The Holder or his/her successors have the right to submit queries and/or complaints to NEUSA HILL GLAMPING, after validating their identity, through any of the following customer service mechanisms provided by the Company at a national level. NEUSA HILL GLAMPING will respond to the query and/or complaint through the same means by which it was submitted.

9.2.1 Consultation:

The Holders or their successors in title may consult the Holder's personal information that is stored in the database of the responsible party. NEUSA HILL GLAMPING will provide the applicant with all the information contained in the individual record or that is linked to the Holder's identification.

The Holder may consult his/her personal data free of charge:

At least once (1) each calendar month.
Each time there are substantial modifications to the Information Treatment Policies, which motivate new consultations.

For consultations whose frequency is greater than one (1) per calendar month, NEUSA HILL GLAMPING will only charge the costs of sending, reproducing and, where applicable, certifying documents. Reproduction costs may not be greater than the costs of recovering the corresponding material.

Response to queries

For the purpose of responding to queries, NEUSA HILL GLAMPING has a term of ten (10) business days counted from the date of receipt of the same. When it is not possible to respond to the query within said term, the interested party will be informed, stating the reasons for the delay and indicating the date on which the query will be responded to, which in no case may exceed five (5) business days following the expiration of the first term.

Claims

The Owner or his/her successors in title who consider that the information contained in a database should be corrected, updated or deleted, or when they notice the alleged non-compliance of any of the duties contained in Law 1581 of 2012, may file a claim with NEUSA HILL GLAMPING, which will be processed under the following rules and will be formulated by means of a request addressed to NEUSA HILL GLAMPING, with at least the following information:

Name of the person responsible for the processing or the person in charge of the processing.

Name of the petitioner.
Petitioner's identification number.
Facts on which the request is based.
Purpose of the petition.
Address for sending correspondence.
Provide the documents you intend to assert.

If the claim is incomplete, the interested party will be required within five (5) days of receipt of the claim to correct the deficiencies. After two (2) months from the date of the request, if the applicant does not submit the required information, it will be understood that the claim has been withdrawn. In the event that the person receiving the claim is not competent to resolve it, he/she will forward it to the appropriate person within a maximum period of two (2) business days and will inform the interested party of the situation. Once the complete claim is received, a legend stating “claim in process” and the reason for it will be included in the database within a period of no more than two (2) business days. This legend must be maintained until the claim is resolved. The maximum period for addressing the claim will be fifteen (15) business days counted from the day following the date of receipt. When it is not possible to address the claim within said term, the interested party will be informed of the reasons for the delay and the date on which his claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.

9.2.3 Procedural requirement: The Owner or successor in title may only file a complaint with the Superintendency of Industry and Commerce once he or she has exhausted the consultation or claim process with the person responsible for the processing or in charge of the same.

9.2.4 Procedure for queries and complaints.

In compliance with the above, NEUSA HILL GLAMPING will respond to the query and/or claim using the same means by which it was formulated.

The procedure established by NEUSA HILL GLAMPING to file claims, make inquiries and/or exercise your rights as the owner of the information collected is as follows.

9.2.4.1 Reception of the claim or query in any of the complexes, these may be identified on the Web pages https://neusahills.com/, they may also be sent in writing directly to the Administrative Offices at Neusa Reservoir, Tausa, Cundinamarca, Colombia.

9.2.4.2 Claims or queries may also be sent via email: info@neusahills.com, in accordance with the Second Paragraph, Second Literal, ARTICLE 16 Law 1266 of 2008-Second Paragraph, Article 15, Law 1581 of 2012.

9.2.4.3 For requests or queries, there are 10 business days from receipt; if necessary, the response may be extended by 5 more business days.

9.2.4.4 For claims, there are 15 business days to resolve them, Section three of article 16 of Law 1266 of 2008.

9.2.4.5 Exceptionally, there are 8 additional business days to the first 15, to respond to the right to petition, as long as the person making the right to petition is notified.

9.2.4.6 NEUSA HILL GLAMPING, within 2 business days following receipt of the claim, will place in the operator's database the record or legend that the claim is “in process”.

9.2.4.7 If they are not competent, there are 2 business days to transfer the information to the competent entity.

9.2.4.8 Once the response to the query or claim submitted by the client is received, it will be sent to the address provided in the request or to the means by which the query was made.

9.2.4.9 In case of doubts or concerns about the procedure for filing complaints, making inquiries and/or exercising your rights as the owner of the data collected by NEUSA HILL GLAMPING, general information may be requested through the Customer Service department by email info@neusahills.com.

10. DUTIES OF NEUSA HILL GLAMPING IN DATA PROCESSING

a. Guarantee the Holder, at all times, the full and effective exercise of the right to habeas data.
b. Request and retain, under the conditions provided for by law, a copy of the respective authorization granted by the Owner.
c. Properly inform the Owner of the purpose of the collection and the rights granted to him/her by virtue of the authorization granted.
d. Take measures to preserve the information under secure conditions to prevent its alteration, loss, unauthorized or fraudulent consultation, use or access.
e. Ensure that the information provided to the data controller is true, complete, accurate, up-to-date, verifiable and understandable.
f. Update the information, communicating in a timely manner to the data controller all new developments regarding the data previously provided and adopting other measures necessary to ensure that the information provided to the controller remains up to date.
g. Rectify information when it is incorrect and communicate the relevant information to the data controller.
h. Provide the data controller, as appropriate, only with data whose processing has been previously authorized in accordance with the provisions of the Law.
i. Demand that the data controller respect the security and privacy conditions of the Owner's information at all times.
j. Process queries and complaints made in accordance with the terms set out in the law.
k. Adopt an internal manual of policies and procedures to ensure proper compliance with this law and, in particular, to address queries and complaints.
l. Inform the data controller when certain information is being disputed by the Data Controller, once the claim has been submitted and the respective process has not been completed.
m. Inform the Data Subject upon request about the use given to his/her data.
n. Inform the data protection authority when security code violations occur and there are risks in the management of the information of the Holders.
o. Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

10.1 Duties of the data controller:

Data processors must comply with the following duties, without prejudice to other provisions set forth in the Law and in other provisions that govern their activity:
a. Guarantee the Holder, at all times, the full and effective exercise of the right to habeas data.
b. Take measures to preserve the information under the necessary security conditions to prevent its alteration, loss, unauthorized or fraudulent consultation, use or access.
c. Timely update, rectify or delete data in accordance with the terms of this law.
d. Update the information reported by those responsible for the treatment within five (5) business days from its receipt.
e. Process queries and complaints made by the Owners in accordance with the terms set out in the Law.
f. Adopt a document that guarantees proper compliance with the Law and, in particular, for the handling of queries and complaints from the Owners.
g. Register the legend “claim in process” in the database in the manner regulated by law.
h. Insert into the database the legend “information under judicial discussion” once notified by the competent authority about judicial proceedings related to the quality of personal data.
i. Refrain from circulating information that is being disputed by the Owner and whose blocking has been ordered by the Superintendency of Industry and Commerce.
j. Allow access to information only to people who can access it.
k. Inform the Superintendency of Industry and Commerce when security code violations occur and there are risks in the management of the information of the Holders.
l. Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.
m. Safeguard databases containing personal data.
n. Maintain confidentiality regarding the processing of personal data.

11. SECURITY MEASURES

NEUSA HILL GLAMPING takes all reasonable precautions and technical, administrative and organisational measures to ensure the security of the personal data of the Data Subjects, mainly those intended to prevent their alteration, loss and unauthorised processing or access. The security measures apply to both the files and the processing. The application of the security measures is intended to ensure the conservation, confidentiality, integrity and availability of the data.

12. MODIFICATIONS

NEUSA HILL GLAMPING reserves the right to modify these Information Processing Policies, in whole or in part. In the event of substantial changes to the Processing Policies regarding the identification of NEUSA HILL GLAMPING and the purpose of the Processing of personal data, which may affect the content of the authorization, NEUSA HILL GLAMPING will communicate these changes to the owner at the latest when implementing the new policies.