1. General
1.1. Objective
Brigard & Urrutia Abogados S.A.S. domiciled in Bogotá, with street address Calle 70 BIS # 4 -41, email address protecciondedatos@bu.com.co and telephone (+57-601) 346 2011 (hereinafter, the "Firm") informs the Holders of the Personal Data (as said terms are defined below) that their Personal Data will be processed in any manner by the Firm, in accordance with this personal data protection and privacy policy (the “Policy”), in compliance with Law 1581 of 2012, Decree 1377 of 2013 and any regulations that replace or modify them. The main purpose of this Policy is to inform the Holders of Personal Data of their rights and of the procedures and mechanisms established by the Firm to enforce the Holders' rights; to inform about the personnel within the Firm designated to resolve queries, questions, claims and complaints; and to inform the scope and purpose of the Processing (as said term is defined below) to which the Personal Data will be subject in the event that the Holder grants his/her express, prior and informed consent.
1.2. Scope
This Policy applies to all Holders of Personal Data that is Processed in any way by the Firm.
1.3. Main definitions
The expressions used in capital letters in this Policy shall have the meaning given herein or the meaning given by the applicable law or case law, as such law or case law is amended from time to time. In the event of any difference between the legal meaning and the meaning provided below, the legal meaning shall prevail.
- Authorization: Is the prior, express and informed consent of the Holder for the processing of his/her Personal Data.
- Database: Is the organized set of Personal Data that will be subject to processing, whether electronic or not, regardless of the modality for the creation, storage, organization and access of such Personal Data.
- Financial Data: It is all Personal Data related to the birth, performance, and extinction of the monetary obligations, regardless of the nature of the contract that originates them, which processing is governed by Law 1266/2008 or by any regulations that replace or modify the Law.
- Personal Data: Any information related or that may be associated with one or more determined or determinable natural or legal persons.
- Public Data: Personal Data that is qualified as such according to the law or the Political Constitution and that is not semi-private, private or sensitive. Data relating to the marital status of a person, their profession or trade, and their status as a trader or public servant, among others, can be obtained without any restriction. Due to their nature, public data may be contained in public records, public documents, official gazettes and newsletters, and duly executed judicial decisions that are not subject to any restriction.
- Sensitive Data: The Personal Data that affects the privacy of the Holder or which misuse may generate discrimination, such as those that reveal trade union affiliations, racial or ethnic origin, political, religious, moral or philosophical orientation, membership to trade unions, social organizations, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data relating to health, sexual life, and biometric data.
- Data Processor: It is the natural or legal person, whether public or private, that by himself or in association with others, will perform the Processing of Personal Data on behalf of the Data Controller.
- Data Controller: It is the natural or legal person, public or private, that by itself or in association with others, will decide on the Database and/or the Treatment of Personal Data.
- Holder: It is the natural person whose Personal Data is subject to Processing, as a result of the relationship between the Holder and the Firm.
- Transfer: It is when the Data Controller and/or Data Processor, located in Colombia, sends the information including Personal Data to a receiver located outside Colombia, who in turn is responsible for the processing.
- Transmission: Processing of Personal Data that involves its communication to a third party within or outside the territory of Colombia, when such communication is intended for a Processing to be carried out by the Data Processor on behalf of the Data Controller, to comply with their purposes.
- Processing: Any systematic operation or procedure, electronic or not, even by tools as web bugs, cookies, spiders, web crawler, web beacons, that enables the collection, conservation, ordering, storage, modification, liaison, use, disclosure, assessment, blocking, destruction and, in general, Personal Data Processing, as well as the Transfer and/or Transmission thereof to third parties through communications, inquiries, interconnections, assignments, data messages.
2. Policies
2.1. Principles
In the course of its business activities, the Firm will collect, use, store, transmit, transfer and in general Process the Personal Data of Holders, in accordance with the purposes established in this Policy. In any Personal Data Processing activity carried out by the Firm, the Data Controller, Data Processors and/or third parties to whom Personal Data are transferred shall comply with the principles and rules established in the Law and in this Policy, in order to guarantee the right to habeas data of the Holders and to fulfill the legal obligations of the Firm. These principles are as follows:
- Prior Authorization: All Personal Data processing activities will be carried out once the previous, express and informed authorization of the Holder has been obtained, unless the Law establishes an exception to this rule. If the Personal Data have been obtained prior to the Decree 1377/2013, the Firm will seek ordinary and alternative means to convene the Holders and obtain their retroactive authorization, following the provisions of the mentioned Decree and any consistent rules.
- Authorized Purpose: All Personal Data Processing activities must comply with the purposes mentioned in this Policy or in the Authorization granted by the Holder of Personal Data, or in the specific documents that regulate each type of Personal Data Processing activity. The purpose of a particular Personal Data Processing activity must be informed to the Holder of Personal Data at the time of obtaining his/her Authorization. Personal Data may not be processed with disregard for the purposes informed and consented to by the Data Holders.
- Data Quality: The Personal Data subject to Processing must be truthful, complete, accurate, up-to-date, verifiable and understandable. When in possession of partial, incomplete, fractional or misleading Personal Data, the Firm must refrain from Processing such data, or must request the holder thereof to complete or correct the information.
- Delivery of information to the Holder: When requested by the Data Holder, the Firm shall provide information about the existence of Personal Data concerning the applicant. This delivery of information shall be carried out by the area of the Firm in charge of the protection of personal data (see point 2.6 of this Policy).
- Restricted Circulation: Personal Data may only be Processed by those personnel of the Firm who are authorized to do so, or who, within their functions, are in charge of carrying out such activities. Personal Data may not be given to those who do not have Authorization or who have not been authorized by the Firm to carry out the Processing.
- Temporary Nature: The Firm will not use the information of the Holder beyond the reasonable time required by the purpose informed to the Holder of Personal Data.
- Restricted Access/Security: Except for expressly authorized Personal Data, the Firm will not make Personal Data available for access over the Internet or among other mass media, unless technical and security measures are established to control and restrict access exclusively for Authorized personnel.
- Confidentiality: The Firm must carry out the Processing by ensuring the necessary technical, human and administrative measures to maintain the confidentiality of the Personal Data and to prevent tampering, modification, consultation, use, access, deletion, or knowledge by unauthorized persons, or loss of the Personal Data. Any new project involving the Processing of Personal Data by the Firm must reference this Processing Policy to ensure compliance with this rule.
- Confidentiality and Subsequent Processing: Any Personal Data that is not Public Data must be considered confidential by the Data Processor, even if the contractual relationship or the link between the Holder of the Personal Data and the Firm has ended. Upon termination of such a link, the Personal Data must continue to be processed in accordance with this Policy and the Law.
- Individuality: The Firm will maintain separate databases in which it acts as the Data Controller of the databases for which it is Responsible.
- Necessity: Personal Data may only be Processed for the time and to the extent that the purpose of its Processing justifies it. The Firm will endeavor to collect only and exclusively the data necessary to fully comply with the regulation and the established purposes.
2.2. Personal Data Processing
Personal Data is collected, kept, ordered, stored, modified, linked, used, disclosed, updated, transferred, deleted and managed according to the purpose sought for each type of Processing.
2.2.1. Processing of Personal Data of children and/or teenagers
The Firm will Process Personal Data of a child under the age of 18, provided that there is the prior express consent of a parent or legal guardian. In such cases, parents or legal guardians may change or revoke the Authorization as described in this Policy.
Additionally, the Processing of Personal Data of children and teenagers shall comply with the following parameters and requirements:
- The Processing will answer and respect the best interests of children and teenagers.
- At all times, respect for their fundamental rights will be ensured.
- The child or teenager will be heard, and their opinion will be valued considering maturity, autonomy and ability to understand the matter.
2.2.2. Processing of Sensitive Data
The Firm may request the Sensitive Data that will be expressly mentioned in each Authorization. In any case, the Firm will strictly comply with the legal limitations for Processing of Sensitive Data; such Processing will take place only when the Holder has given Authorization, except for the events where the Law does not require Authorization. When requesting Sensitive Data, the Firm shall inform what type of Personal Data collected falls under this category, and no activity will be conditioned on the provision of Sensitive Data.
Sensitive Data will be Processed with high diligence standards and with the highest security and privacy standards. The limited access to Sensitive Data will be a principle to safeguard the privacy of said Personal Data. Only authorized personnel shall have access to this type of information.
2.2.3. Obligations of the Firm as Data Controller
When the Firm acts as Data Controller, it shall have the following obligations and/or commitments:
- Have prior consent when it is required.
- Classify the Personal Data.
- Store the authorization given by the Holder of Personal Data.
- Comply with the purposes set out in this Policy.
- Attend to the inquiries, questions, claims and complaints submitted by the Holder of Personal Data.
- Secure the Personal Data using the information security and privacy procedures.
Likewise, Data Processors or third parties that have access to Personal Data will keep the Processing within the following purposes contemplated for the collection of such data.
2.3. Purposes of Data Processing
The Firm will carry out the Processing of Personal Data for the purposes informed at the time the Personal Data is collected and that are expressly consented.
Likewise, the Processors or third parties that have access to the Personal Data by virtue of Law or contract, shall maintain the Processing within the following purposes provided or those informed at the time of data collection.
- Manage all information necessary for compliance with the Firm's tax obligations and business, corporate and accounting records.
- Comply with the Firm's internal processes for vendor and contractor management.
- To provide its services in accordance with the particular needs of the Firm's clients, in order to fulfill service contracts entered into, including, but not limited to, verifying memberships and entitlements of individuals to whom the Firm's clients will provide services, using Personal Data for marketing and/or commercialization of new services or products.
- The control and prevention of fraud, money laundering, financing of terrorism and financing of the proliferation of weapons of mass destruction including, but not limited to, consultation in binding lists, and all the necessary information required to comply with the regulation of fraud prevention, money laundering, financing of terrorism, financing of the proliferation of weapons of mass destruction, including the following activities:
- Providing personal data to control and surveillance authorities, whether administrative, police, judicial, national or international. The above, by virtue of a legal or regulatory requirement.
- Use and/or disclose information and personal data, in order to defend the rights and/or property of the Firm, its clients, website or its users for the detection and prevention of fraud and for the detection, apprehension or prosecution of criminal acts.
- To perform monitoring and prevention of illicit activities such as fraud, corruption, money laundering and/or terrorist financing, including but not limited to querying binding, restrictive lists or public databases.
- To allow access to personal data to auditors or third parties hired to execute and perform internal or external auditing processes, proper to the business activity developed by the Firm.
- The filling and updating process of systems for the protection and custody of the information and Databases of the Firm.
- Processes within the Firm, for development or operational and/or systems management purposes.
- The transfer and transmission of Data to third parties with whom contracts have been entered into for this purpose, for commercial, administrative, marketing and/or operational purposes, including but not limited to the issuance of IDs, personalized certificates and certifications to third parties, in accordance with the legal provisions in force.
- Maintain and process, by computer or using other means, any kind of information related to the customer’s business to provide the relevant services and products.
- The purposes determined by the Data Processor and the Data Controller of obtaining Personal Data, to comply with the legal and regulatory obligations and with the policies of the Firm.
2.4. Holders of Personal Data Rights
In accordance with Law, the Holders of Personal Data have the following rights:
- Right to Update: To know, update and rectify their Personal Data to the Firm or to the Data Controller thereof. This right may be exercised, in respect of partial, inaccurate, incomplete, fractioned or misleading data, or data which Processing is expressly prohibited or has not been authorized.
- Right of Evidence: To request evidence of the authorization granted to the Firm, unless the Law indicates that such authorization is not required as it is established in the article 10 of the Law 1581/2012 (and by any supplementing, amending or derogatory rules) or when it has been presented the continuity of the treatment according to the numeral 4 of the article 10 of the Decree 1377/2013.
- Right of Information: To submit requests to the Firm or to the Data Controller regarding the use given to their Personal Data, and to receive such information from them.
- Right to submit Complaints and claims: To submit complaints to the Superintendence of Industry and Trade for violations of the Law, once the process of consultation or claim before the Firm has been exhausted in accordance with the provisions of article 16 of Law 1581 of 2012.
- Right to Revoke: To revoke their authorization and/or request the deletion of their Personal Data from the Databases of the Firm, when the Superintendence of Industry and Trade has determined, by means of a final administrative act, that in the processing of such Personal Data the Firm or any party responsible for the processing has behaved contrary to the Law, or when there is no legal or contractual obligation to maintain the Personal Data in the Database of the relevant party responsible for processing.
- Right of Access: To request access and have free access to their Personal Data that has been subject to Processing in accordance with article 21 of Decree 1377 of 2013.
- Right of Awareness: To be aware of the amendments made to the terms of this Policy in an efficient manner before the implementation of new amendments, or, otherwise, of the new information processing Policy. As well as to know the department or person in charge at the Firm of attending to the inquiries, questions, claims, complaints and any other requirement regarding Personal Data.
- Right of Suppression: To request the deletion of the Personal Data of the Databases as long as there isn’t a legal or contractual obligation that makes non-viable the deletion.
The Holders may exercise their legal rights and carry out the procedures established in this Policy, by presenting their identification document or a copy thereof. Children and teenagers may exercise their rights personally, or through their parents or adults who hold parental authority, who must prove it through the relevant documentation. Likewise, the rights of the Holder may be exercised by the assignees who can prove such capacity, the representative and/or attorney-in-fact of the Holder with the corresponding accreditation and those who have made a stipulation in favor of another or for another.
2.5. Area responsible for handling requests, queries and complaints
The Firm has designated Customer Service as the area responsible for receiving and addressing requests, complaints, claims and inquiries of all kinds related to Personal Data. The person in charge of customer service will process inquiries and claims regarding Personal Data in accordance with the Law and this Policy. Some of the particular functions of this area in relation to Personal Data are as follows:
- To receive the requests from the Holders of the Personal Data, and to process and answer them based on the Law or these Policies, such as: requests for updating Personal Data; requests to know Personal Data; requests for deletion of Personal Data; requests for information on the use given to their Personal Data; requests for updating Personal Data; requests for evidence of authorization granted, when carried out in accordance with the Law.
- To answer Holders of the Personal Data regarding requests that are not appropriate in accordance with the Law.
- The contact details of Customer Service are the following:
Street address: Calle 70 Bis No. 4-41
Email address: protecciondedatos@bu.com.co
Telephone: (+601) 3462011
Position of the contact person: Customer Service Analyst
2.6. Procedures for exercising the rights of Holders of Personal Data
2.6.1. Inquiries
The Firm will have mechanisms in place for the Holder, his/her successors in title, representatives and/or proxies, those who have been stipulated in favor of another or for another, and/or representatives of underage Holders, to make inquiries regarding which Personal Data of the Holder is recorded in the Databases of the Firm.
These mechanisms may be in person, such as window processes; electronic, through the Customer Service email protecciondedatos@bu.com.co; or by telephone at the customer service line (+601) 346 2011, where the requests, complaints and claims will be received. Regardless of the means, the Firm will keep evidence of the inquiry and its response. The inquiry must be made as follows:
- Requests must be in writing.
- Requests will be analyzed to verify the identity of the Holder of the Personal Data. If the inquiry is made by a different person and it is not accredited that they act for the benefit of the Holder of Personal Data or in compliance with the Law, the inquiry will be rejected. For that purpose, the Firm can request the ID card or original identification document of the Holder of the Personal Data, or the legal documents required in the case.
- If the requestor is enabled to formulate the inquiry, in accordance with the accreditation criteria established in Law 1581/12 and Decree 1377/13, the Firm will collect all the information about the Holder contained in the individual record of that person or related to the identification of the Holder within the Databases of the Firm and will be made known to the requestor.
- The person responsible for answering the inquiry will respond within ten (10) business days from the date when the request was received by the Firm.
- The final answer to all requests will not take more than fifteen (15) business days from the date when the initial request was received by the Firm.
2.6.2. Claims
The Firm has mechanisms in place for the Holder, his/her successors in title, representative and/or proxy, those stipulated by another or for another, and/or the representatives of underage Holders, to file claims regarding (i) the Personal Data processed by the Firm that must be corrected, updated, or deleted, or (ii) the alleged breach of the legal duties of the Firm. These mechanisms may be in person, such as window processes; electronic, through the Customer Service email related in this Policy, protecciondedatos@bu.com.co; or by telephone, at the customer service line (+601) 346 2011, where the requests, complaints and claims will be received. Regardless of the mechanism, the Firm will keep evidence of the claim and its response. This procedure will be guided by the following rules:
- The claim must be submitted in writing.
- The claim will be reviewed in order to verify the Holder’s identification. If the claim is submitted by a person other than the Holder, and he/she is not able to provide evidence that he/she is legitimately acting in favor of the Holder according to existing and applicable laws, the request will be rejected. For this purpose, the Firm may request the identification document of the Holder or a copy of it, and the special or general powers or documents that are required.
- The claim must contain the following information: (i) name and identification of the Holder; (ii) the street and electronic address as well as the telephone number; (iii) the ID of the Holder or authorized persons; (iv) a description of the Personal Data for which the Holder wants to enforce their rights; (v) a description of the facts that give rise to the claim and the purpose sought (update, correction or deletion, or fulfillment of duties); (vi) all the documentation that the claimant wishes to assert; (vii) signature, email address, name and ID of the claimant.
- If the claim or additional documentation is incomplete, the Firm will request the claimant only once within five (5) days of receipt of the claim to remedy the failures. If the claimant fails to submit the required documentation and information within two (2) months of the date of the initial claim, he/she shall be deemed to have waived the claim.
- If for any reason the person receiving the claim at the Firm is not competent to solve it, he/she will transfer it to the customer service analyst within two (2) business days of receiving the claim and shall inform the claimant of this.
- Once the claim has been received with complete documentation, a legend will be included in the Database of the Firm where the Data of the Holder subject to claim is recorded that will read “claim in process” and the reason for it, within two (2) business days. This legend must be maintained until the claim is settled.
- The maximum term to address the claim shall be fifteen (15) business days from the day following the date of receipt. When it is not possible to address the claim within such term, the interested party will be informed of the reasons for the delay and of the date when the claim will be dealt with, which in no case may exceed eight (8) business days following the expiration of the first term.
2.6.3. Revocation
The Holder can revoke the Authorization for the Processing of his/her Personal Data at any time, as long as it is not prevented by a legal provision or there is a legal or contractual obligation.
2.7. Information Security and Privacy
Regarding the security and privacy principle, the Firm has implemented reasonable technical, administrative and human measures in order to protect the Holder’s Personal Data and prevent its corruption, loss, unauthorized or fraudulent consultation, access or use. Access to Personal Data is restricted to the Holder and any individuals authorized by the Firm according to this Policy. The Firm will not allow access to Personal Data by third parties under conditions other than those announced in the Policy, except for an express request of the Holder or those entitled in accordance with national regulations. However, the Firm will not be held liable for actions pursuing the infringement of security measures established for Personal Data protection.
Please take into account that the Internet is a global communication network that implies transfer and transmission of information. In this regard, although the Firm has implemented necessary security measures for Personal Data protection, there is a possibility that Personal Data is affected by the common flaws of the Internet.
2.8. Transfer and Transmission of Personal Data
When the Firm carries out the Transfer and Transmission of Personal Data, it will guarantee strict and effective compliance with literal a) of article 26 of Law 1581/12.
2.9. Video Surveillance
The Firm, through magnetic and technological media installed in the interior and exterior of its facilities, records videos and/or images daily of the people who access or have access to the property in which the services of the Firm are provided. Therefore, Brigard Urrutia will inform about the existence of these security mechanisms through posters that will be placed in different places of the building so they can be seen by the Holders. The posters will state that the purpose of the images is to provide safe places for the Holders and to protect the assets of the Firm. Likewise, the collected information can be used as evidence before any authority, according to the applicable Law.
Additionally, the security videos will protect the right to personal privacy.
2.10. Term
This Policy is effective as of March 1 of 2022. The Personal Data stored, used, or transmitted will remain in our Database, based on the criteria of temporality and necessity, for as long as necessary for the purposes mentioned in this Policy and the respective authorization, for which they were collected.
2.11. Modifications
This Policy can be modified by the Firm when it is required without prior notification if the modifications are not substantial. Otherwise, the modifications will be notified to the Holders.
2.12. Annexes
Annexe A: Specific purposes.
3. References
- Article 15 of the Political Constitution of Colombia. Personal and Familiar Intimacy Right and individual’s right to their good name.
- Sole Circular of the Superintendence of Industry and Trade.
- Law 1581/12 that regulates the general dispositions of the protection of Personal Data.
- Decree 1074/15 that partially regulates Law 1581/12.
- Circular 886/14 that regulates article 15 of the Law 1581/12 related to the National Register of Database.
- External Circular 02/15 where the Superintendence of Industry and Trade gave instructions to the responsible of the processing of Personal Data, legal entities registered in the chambers of commerce and legal entities of mixed economy, for the purpose of making the inscription of their Database in the national register of Database since November 9 of 2015.
- Decree 1074/15 that regulates the Commerce, Industry and Tourism Sector.
- ISO/IEC 27701: Extension of ISO/IEC 27001 and ISO/IEC 27002, Requirements for the implementation of an Information Privacy Management System.
ANNEXE A
Specific purposes
Brigard & Urrutia Abogados S.A.S. (hereinafter, the “Firm”) carries out the Processing of Personal Data, considering the following specific purposes:
1. CLIENTS AND POTENTIAL CLIENTS:
- Comply with the Law and contractual obligations.
- Execute contracted services in a diligent way, as well as their billing and collection.
- Promote all the services that the Firm offers.
- Comply with the regulation and the Law, including the Colombian tax Law.
- Send related information about the consultancy, services, and products.
- Validate commercial and juridical aptitude.
- Control statistic purposes.
- Comply with the requirements of the administrative and judicial authorities.
- Make the validations in order to comply with the regulation of prevention of fraud and money laundering, financing of terrorism and financing the proliferation of destructive weapons.
2. SHAREHOLDERS:
- Comply with the legal and contractual obligations.
- Execute the procedures related to the sale, assignment or disposal of the shares.
- Make the inscriptions to the Chamber of Commerce.
- Make the activities related to the payment of dividends.
3. SUPPLIERS AND POTENTIAL SUPPLIERS:
- Comply with the tax regulation in the Republic of Colombia.
- Supply the validation process of the counterparties.
- Comply with the legal and contractual obligations.
- Report to the authorities.
- Make the payment to the suppliers.
- Make the validations in order to comply with the regulation of prevention of fraud and money laundering, financing of terrorism and financing the proliferation of destructive weapons.
4. EMPLOYEES AND CANDIDATES:
- Comply with the legal and contractual obligation.
- Make the wellness activities.
- Develop and manage the process of the recruitment, selection and hiring of personnel.
- Evaluate the employee development, as well as the promotion process.
- Manage the assistance, work hours control, the physical and logistic entrance to the building and assets of the Firm.
- Evaluate risks.
- Make organizational climate surveys.
- Train the employees.
- Develop internal campaigns.