1. General information.
ASOCIACIÓN AMESE, apoyo a mujeres con enfermedades del seno (the “Association”), a non-profit entity incorporated and existing under the laws of the Republic of Colombia, with NIT 900.076.383-7, domiciled in Bogotá, D.C., with main offices at Calle 95#13-55 office 304, telephone 6103912-6232945, is an entity committed to protecting privacy and all information that may be associated with or related to determined or determinable natural persons (the “Personal Data”) to which it has access in the course of its commercial activities.
In this regard, the Association receives, collects, uses, manages, processes, analyzes, segments, indexes, profiles, transmits, transfers, compiles, anonymizes, stores and, in general, processes Personal Data such as identification data (name, ID number, age, gender), contact data (telephone, email, address), consumption preferences, visits and behavior on the internet, and financial information, among others, which may be obtained in the course of and for the performance of its commercial activities.
The present Information Treatment Policy of the Association (the “Policy”) is addressed to business partners, suppliers, customers, workers, collaborators, contractors and, in general, to any person whose Personal Data is being or will be treated by the Association (the "Owners"), and is intended to guarantee the rights of the Owners; publicize the mechanisms and procedures to enforce those rights; inform who is in charge within the Association to attend the queries, questions, claims and complaints, and, finally, to announce what are the purposes and the Treatments (as defined below) to which the Personal Data will be submitted in the development of the commercial activities of the Association.
This Policy will be applied to any Treatment carried out within the territory of the Republic of Colombia by the Association, its workers and, where appropriate, by those third parties with whom the Association agrees all or part of the performance of any activity related to, or in development of, the Processing of Personal Data for which the Association is Responsible (as defined below).
The Policy will be applied to third parties with whom the Association eventually signs Transmission contracts (as defined below), so that such third parties know the obligations that will apply to them, the purposes to which they must be submitted and the standards of security and confidentiality that they must adopt when they carry out the Treatment on behalf of the Association.
3. Contract terms
Words and terms that are in parentheses, underlined and written with initial capital letters in this Policy will have the meaning given to them before the parentheses. Undefined terms will have the meaning that the law or jurisprudence applicable in Colombia grants them. Despite the foregoing, the most relevant terms of this Policy are defined below:
It is the prior, express and informed consent of the Holder to carry out the Treatment.
It is the Association and every person under the responsibility of the Association that by virtue of the Authorization and this Policy, have legitimacy to carry out the Treatment.
It is the verbal or written communication generated by the Responsible, be it the Association or a third party, addressed to the Holder, through which their prior, express and informed consent is obtained, as long as they are informed about the existence of the Policy (as defined below), how to access it, their rights, the contact details of the person responsible for the Treatment and the purposes thereof.
It is the organized set of Personal Data that is the object of Treatment, electronic or not, whatever the modality of its formation, storage, organization and access.
It is information of any kind, linked or not, that can be associated with one or several determined or determinable natural persons, such as identification data (name, ID, age, gender), contact information (telephone, email, address), of consumption preferences, visits and behavior on the internet, financial information and other data.
It is the Personal Data qualified as such according to the law and the Constitution, and it also comprises information that is not semi-private, private or sensitive. Public data, among others, are the data related to the marital status of people, their profession or trade, their status as merchant or public servant and those that can be obtained without reservation. By their nature, public data may be contained, among others, in public records, public documents, gazettes and official gazettes, and duly enforced judicial sentences that are not subject to reservation.
It is the Personal Data that could affect the privacy of the Holder, or whose improper use could generate discrimination against them, such as data that reveal union affiliations, racial or ethnic origin, political orientation, religious, moral or philosophical convictions, membership in unions, social or human rights organizations or any of those that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sex life, and biometric data.
It is the natural or legal person, public or private, that by itself or in association with others, performs the Treatment on behalf of the Responsible.
Those who can exercise the rights of the Holder, such as the Holder himself, their successors, representatives and those who, by stipulation in favor of another or for another, are accredited, provided they can prove their condition.
It is the legal framework: Law 1581 of 2012, Decree 1377 of 2013 (25, Title 2, Part 2, Book 2 of Decree 1074 of 2015), Constitutional Court ruling C-748 of 2011, the jurisprudence of the Constitutional Court on personal data that sets precedent, and any regulation issued by the competent authorities regulating the legal precepts, which are in force at the time the Treatment by the Association begins, as said Law is modified from time to time and as those modifications apply to the Treatment performed by the Association.
It is the document in which the policies and procedures to ensure proper compliance with the Law are consigned.
It is this actual document, in which the policy of treatment of the information required by the Law is consigned and that contains the orientations and guidelines in relation to the protection of personal data and that includes, among other things, (i) full identification of the Responsible (name, business name, address, address, email and telephone); (ii) the forms of Treatment; (iii) the purposes of this document; (iv) the rights of the Owners; (v) the procedures for inquiries, claims and complaints and for the exercise of the rights that are in the head of the Holders, and (vi) the person or agency responsible for attending all the inquiries of the Holders.
It is every person who is the recipient of this Policy and subject to compliance with it for carrying out Treatment activities on behalf of and on their own.
It is the natural person to whom the Personal Data belongs, whose information may be placed in a Database for habeas data purposes.
It is the Treatment that involves sending the information or Personal Data to a recipient, who is Responsible and is located outside or within the territory of the Republic of Colombia. In the Transfer, the recipient will act as Responsible and will not be subject to the terms and conditions of this Policy.
It is the Treatment that involves the communication of Personal Data inside or outside the territory of the Republic of Colombia when it is intended to carry out a Treatment by the Person in Charge on behalf of the Responsible. In the Transmission the receiver will act as Manager and will be subject to the Policy or to the terms established in the contract through which the Transmission is instructed.
It is any operation and systematic procedure, electronic or not, even through tools such as web bugs, cookies, spiders, web crawlers and web beacons, which allows the collection, conservation, ordering, storage, modification, indexing, profiling, relationship, use, circulation, analysis, segmentation, anonymization, compendium, evaluation, blocking, destruction and, in general, the processing of Personal Data, as well as its delivery to third parties through communications, consultations, interconnections, assignments, data messages and other means that serve the purpose.
In every Treatment carried out by the Association, the responsible parties, managers and/or third parties to whom Personal Data is transferred and/or transmitted will comply with the principles established in the Law and in this Policy, in order to guarantee the Holders' right to habeas data. These principles are:
The Association may not make Personal Data available for access through the Internet or other means of communication, unless technical and security measures are established to control access and restrict it only to Authorized personnel.
Personal Data can only be processed by those Association staff who have authorization for it in accordance with the provisions of this, or who within their functions are responsible for carrying out such activities. Personal Data may not be delivered to third parties, inside or outside the territory of the Republic of Colombia, without the Authorization or without the signing of a contract, in case there is Transmission.
The Treatment must be submitted to strict confidentiality requirements and, therefore, the people who intervene in it, must keep the reservation of the information, even after the event that was the main reason to the Treatment has been terminated.
Data handling requires Authorization, obtained by any means that allows it to be confirmed in later consultation, including through unequivocal methods, as established by Law.
Sensitive data collected during the Association operations must be handled with due diligence in order to protect and preserve its integrity and safety.
Every activity regarding private data must accord with the legitimate purposes mentioned and detailed in this policy contract, which must also be communicated to the Holder before the informed consent is signed.
The Personal Data submitted to Treatment must be true, complete, accurate, updated, verifiable and understandable. When it is in possession of partial, incomplete, fractional or misleading Personal Data, the Association must refrain from processing them or request that the Holder complete or correct the information. The Association must make its best efforts to maintain the integrity of the Personal Data that is contained in its Databases and the veracity of the same, implementing measures to verify and update the Personal Data.
To carry out the Treatment, the Association must have the necessary technical and human security measures in place to maintain the confidentiality and security of Personal Data. This is in order to prevent Personal Data from being adulterated, modified, consulted, used, accessed, deleted or known by unauthorized third parties. The Association will adjust the Processing of Personal Data to the security standards that will be regulated by the competent authorities in the future.
The Association will maintain separately the Databases in which it has the quality of Manager, from those in which it has the status of Responsible.
The Association will not use the Personal Data beyond the reasonable period required by the purpose that was informed to the respective holder and will apply measures aimed at guaranteeing the deletion of the Personal Data when they cease to fulfill the purpose for which they were collected.
Whenever the Holder requests it, the Association must give the information about the existence of Personal Data that concerns them or any other kind of information that they are Legitimized to request. The response to the request must be given by the same means or, at least, by means similar to those used by the Holder to request the information, and within the terms established by Law.
All Personal Data that is not Public Data must be treated by the Responsible as confidential and under the safety protocols given by the Superintendence of Industry and Commerce (national authority). Upon termination of such binding relationship, such Personal Data must continue to be treated in accordance with the Policy, the Manual and the Law.
5. Types of personal data and how we collect them
The Association obtains Personal Data and information that does not allow individualization of the individual, and processes the information that might come from the combination of these two types of data, as joint information.
The Association obtains and processes the following categories of personal data:
• Information obtained from the registration of new contractors, including but not limited to name and last name, address, email, phone number, fax number, among other contact information.
• Registration information given by website visitors, as well as through the Association's social media accounts, including but not limited to full name, ID number, phone number and email address.
• Information from the employees and collaborators, including but not limited to full name, address, country of origin, gender, email, phone number, and/or fax number.
• Information on clients and/or potential clients given by themselves, for example when they request prices of our products or services, including but not limited to full name, name of the business for which they request the information, address, email, phone number, fax number.
• Information obtained by the registration of new patients and donors, including but not limited to full name, address, email, phone number and fax number.
6. Treatment and storage of the information.
Personal data might be stored in Colombia as well as overseas. This Personal Data storage could be in the hands of a third party, who might be in a country other than Colombia; in any case, the Association will guard the Personal Data and the guarantees in accordance with the present policy draft and the law.
7. Personal data and purposes.
The Association, in the course of its commercial activities, will collect, use, manage, store, analyze, index, segment, perform profiles, summarize, process, transmit, transfer and carry out different operations related to Personal Data. In accordance with the above, the Personal Data processed by the Association must be submitted only to the purposes indicated below or those accepted by the Holders at the time of the collection of the Personal Data. Likewise, the Managers or third parties that have access to the Personal Data under the Law, contract or other binding document, will perform the Treatment for the achievement of the following purposes:
8. Holders' rights
To keep Updated Personal Data collected by the Association to maintain its integrity and veracity.
To know and access their Personal Data through Association employees or delegated personnel; this access may be requested once every month free of charge.
Request proof of the Authorization granted to the Association, unless the Law indicates that such Authorization is not necessary or that it has been validated in accordance with the provisions of article 10 of Decree 1377 (article 184.108.40.206.2.7 of Decree 1074 from 2015).
File complaints before the Superintendence of Industry and Commerce for violations of the Law when the procedural requirement has been exhausted and go to the Association in the first instance.
Rectify the information and Personal Data collected by the Association.
Request the revocation of the Authorization, as long as there is no legal duty or obligation of a contractual nature in the head of the Holder with the Association, according to which the Holder does not have the right to request the deletion of his Personal Data.
Submit applications to the Association or the Person in Charge regarding the use that they have given to their Personal Data, including the right to have them provide such information.
Request the deletion of Personal Data from the Databases of the Association, as long as there is no legal duty or obligation of a contractual nature in the head of the Holder with the Association, according to which the Holder does not have the right to request the deletion of his Personal Data.
The Holders may exercise their rights given by Law and perform the procedures established in this Policy by presenting their citizenship card or any identification document. Minors may exercise their rights personally or through their parents or adults who hold parental rights, who must prove it through the relevant documentation. Likewise, all the Legitimates may exercise the rights of the Holder by presenting the respective documentation.
9. Sensitive data
In the development of its activities the Association might collect and handle sensitive data including but not limited to:
Health history, medical charts of workers, collaborators, associates and patients and volunteers of the association.
Sensitive Data will be treated as diligently as possible and with the highest security standards. Limited access to Sensitive Data will be a guiding principle to safeguard their privacy, so that only authorized personnel may have access to that type of information.
The Authorization for the Treatment of Sensitive Data is optional for the Holder, so that no activity will be restricted or conditioned on the supply of such data; the Holder may decline to authorize the Treatment of his Sensitive Data and the Association will respect that decision.
10. Personal data regarding minors.
The Treatment of Personal Data of children and adolescents by the Association may only be done in compliance with the provisions of article 7 of Law 1581 of 2012 and other concordant or replacing regulations, and subject to the requirements established by the applicable regulations.
When handling personal data of minors, the provisions are as follows:
• Notification to the parents (or legal guardian) about the practices that the Association implements regarding Personal Data of children and adolescents, including the types of Personal Data that will be collected, the forms of Treatment, the purposes that will be pursued with the Treatment and if the information will be shared and with whom.
• The Association will obtain the authorization of minors and their parents or guardians to carry out the Processing of Personal Data storage.
• The Association will require only the information of minors that is strictly necessary to be collected or processed, according to the respective purpose that is intended to be achieved.
• Parents will have the prerogative to access or the possibility of requesting access to the Personal Data of children and adolescents, as well as the possibility of requesting that they can be changed or deleted.
All data handling must be preceded by obtaining the Authorization. Furthermore, the Association, its workers and Authorized third parties must refrain from collecting and processing Personal Data
12. Personal Data Protection
In the event of petitions, complaints and claims related to Personal Data, for suppliers and customers it will be the person in charge of the Financial Department, and also the personnel responsible for Human Resources, who will specifically process claims regarding personnel data, in accordance with the Law, the Manual and this Policy. Some of the responsibilities of this dependency are as follows:
• Address and receive all requests from the Holders, process and respond to requests such as:
(i) Data update requests;
(ii) Data knowledge requests;
(iii) Data suppression requests;
(iv) Data withdrawal requests, when available;
(v) Data treatment and privacy policies requests;
(vi) Requests for information about the purposes of the Treatment; and
(vii) Requests to obtain proof of the Authorization granted, where it was applicable according to the Law.
• Respond to the Holders about those requests that do not proceed in accordance with the Law.
• To assure the Holders of the protection of their data under the Policy.
• To keep good practice in the handling and storage of personal data inside the Association as a top priority.
• To keep the record of every database managed by the Association in the national database system and to keep it updated.
Contact data are as follows:
13. Procedures to demand Holders' rights
The Association has different channels through which the Holder, representative, or legal guardian in the case of minors can effectively access or ask about subjects such as:
• Which personal data has the Association had in its database?
• What treatment policy is applied to the collected data?
• What are the purposes of collecting such data?
These channels may be used by phone, in writing or at the office by the Holders themselves; in any case the Association will keep a record of the request.
Before answering the request, the person in charge will check:
a) The identity of the Holder or the Legitimate. For this purpose, the association will require the citizenship card or any original identification document of the Holder and the warrant, as the case may be.
b) The Authorization or contract with third parties to support the collected data by the Association.
If the Holder has the capacity to formulate the consultation, the person in charge of attending it will gather all the information about the Holder that is contained in the individual record of that person or that is linked to the identification of the Holder within the Association's Databases. Once the information is collected, it will be provided to the Holder so that he has access and can know it.
The person in charge of attending the consultation will respond to the applicant as long as the latter has the right to do so because they are the Holder of the Personal Data, a Legitimate, or the legally responsible person in the case of minors. This response will be sent within ten (10) business days from the date on which the request was received by the Association. In the event that the request cannot be answered within ten (10) business days, the applicant will be contacted to inform him of the reasons why his application is still being processed and of the date on which the consultation will be attended, which in no case may exceed five (05) business days following the expiration of the first term. For this, the same means by which the query was presented, or similar means, will be used.
The final response to all requests may not take more than fifteen (15) business days from the date on which the initial request was received by the Association.
Even when the applicant does not have the capacity to lodge the consultation, the Association will have to inform the applicant of this circumstance and respond within the terms established above.
The Association will have mechanisms for the Holder, Legitimates or representatives of Minors Holders, to make CLAIMS regarding:
• Personal data handled by the Association, in case of update, suppression or correction;
• The alleged breach of any of the duties of the Association's legal obligations.
These mechanisms may be physically done by the holder, or by electromagnetic means, such as procedures through e-mail or telephone calls made to call centers responsible for receiving requests, complaints and claims. Whatever the case, the Association will keep a record of the query and its response.
The Holder, the Legitimates, or, in case the Holder is a minor, their representatives must file the CLAIM as follows:
• It should be submitted directly at the Association's head offices: Calle 95#13-55 office 304, or by email to email@example.com if the claimant is a contractor or associate, or firstname.lastname@example.org if the claimant is Association staff.
• The claim must have full name and ID number.
• The claim must include a brief statement of the reasons for the nonconformity and of what is being requested (update, correction or deletion, or compliance with obligations).
• It must indicate the address, contact details and identification of the claimant (Holder).
• It must include supporting documentation, if there is any document or proof of any kind.
If the claim or additional documentation is incomplete, the Association will require the claimant only once within five (05) days following receipt of the claim to complete it or fix the failures. If the claimant does not submit the required documentation and information within two (02) months following the date of the initial claim, it will be taken as if the claim is withdrawn.
Once the claim has been received with the complete documentation, it will be included in the Association Database where the Personal Data of the Holder is held, labeled with a “claim in process” tag and the reason for it, within a term of no more than two (02) business days. This label must be kept until the claim is decided.
The maximum term to solve the claim will be fifteen (15) business days from the day following the date of receipt. When it is not possible to address the claim within said term, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which under no circumstances may exceed eight (08) business days following the expiration of the first given period.
The Association will keep proof of the consultation, the complaint and its response in case later consultation is necessary.
This Policy will be effectively applied from July 2, 2019. The Personal Data that is stored, used or transmitted will remain in the Association's Database, based on the temporality criteria, for as long as it is necessary to comply with the purposes mentioned in this Policy, for which they were collected. Thus, the validity of the Database is closely related to the purposes for which the Personal Data were collected.
This Policy may be modified from time to time by the Association and will be part of the contracts entered into by the Association, where appropriate. Any substantial modification of this Policy will have to be previously communicated to the Holders through efficient mechanisms, such as the Association's website and / or emails. Substantial modification means, among others, the following situations:
a) Modification in the identification of the area, dependency or person in charge of attending the queries and complaints.
b) Obvious modification of the purposes that may affect the Authorization. In this case, the Association will seek a new Authorization. The modifications will be informed on the website of the Association and / or by email that will be sent to the Personal Data Holders, as long as the Association has that information.