Brigard & Urrutia S.A.S., domiciled in Bogotá, with street address Calle 70ª # 4-41, email address info@bu.com.co and telephone (+57-1) 346 2011 (hereinafter referred to as the “Firm”), makes available this information processing policy (the “Policy”) to the Holders of the Personal Data that will be processed by the Firm, in compliance with Law 1581/2012 and Decree 1377/2013. The main purpose of this Policy is to inform the Holders of Personal Data of their rights, the procedures and mechanisms established by the Firm to enforce the rights of Holders, and to inform the scope and purpose of the process to which the Personal Data will be subject in the event that the Holder grants his/her express, prior and informed consent.
1. Main definitions
The expressions used in capital letters in this Policy shall have the meaning given herein or the meaning given by the applicable law or case law, as such law or case law is amended from time to time.
a) “Authorization”: It is the prior, express and informed consent of the Holder for the Processing of his/her Personal Data.
b) “Database”: It is the organized set of Personal Data that will be subject to Processing, whether electronic or not, regardless of the modality for the creation, storage, organization and access of such Personal Data.
c) “Financial Data”: It is all Personal Data related to the birth, performance and extinction of monetary obligations, regardless of the nature of the contract that originates them, which Processing is governed by Law 1266/2008 or by any supplementing or amending rules.
d) “Personal Data”: Any information of any kind, related or that may be associated with one or more determined or determinable natural or legal persons.
e) “Public Data”: Personal Data is qualified as such according to the law or the Political Constitution and that is not semi-private, private or sensitive. Data relating to the marital status of persons, their profession or trade, their status as a trader or public servant, and that which can be obtained without any restriction are public, among others. Due to their nature, public data may be contained, inter alia, in public records, public documents, official gazettes and bulletins, duly executed judicial decisions that are not subject to any restriction.
f) "Sensitive Data": The Personal Data that affects the privacy of the Holder or which misuse may generate discrimination, such as those that reveal trade union affiliations, racial or ethnic origin, political, religious, moral or philosophical orientation, membership to trade unions, social organizations, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data relating to health, sexual life, and biometric data.
g) “Processing Officer”: It is the natural or legal person, whether public or private, that by himself or in association with others, will perform the Processing of Personal Data on behalf of the Responsible for Processing.
h) “Authorized Party”: It is the Company and all persons under the responsibility of the Company, who by virtue of the Authorization and these Policies, are authorized to Process the Personal Data of the Holder. The Authorized Party includes the category of Enabled Parties.
i) “Authorization”: It is the legitimation expressly granted in writing, by means of a contract or any other document, by the Company to third parties, in compliance with the applicable Law, for the Processing of Personal Data, converting such third parties into the Processing Officers of the Personal Data delivered or made available.
j) “Responsible for Processing”: It is the natural person or legal entity, whether public or private, that by itself or in association with others, will decide on the Database and/or the Processing of Personal Data.
h) “Holder” of Personal Data: It is the natural or legal person to whom the information recorded in a Database makes reference, and who is the subject of the right of habeas data.
l) “Transfer”: It is the Processing of Personal Data that involves the communication thereof inside or outside the territory of the Republic of Colombia when the Processing Officer intends to Process such Personal Data on behalf of the Responsible for Processing.
m) “Transmission”: This is the Personal Data Processing activity whereby the same are communicated internally or to third parties, inside or outside the territory of the Republic of Colombia, when said communication is intended to carry out any Processing activity by the recipient of the Personal Data.
n) “Processing of Personal Data”: Any systematic operation and procedure, whether electronic or not, that allows the collection, retention, ordering, storage, modification, relationship, use, circulation, evaluation, blocking, destruction and in general processing of Personal Data, as well as the transfer thereof to third parties through communications, inquiries, interconnections, assignments, data messages.
2. Principles
In the course of its business activities, the Firm will collect, use, store, transmit and perform various operations on the personal data of Holders. In any Personal Data Processing activity carried out by the Firm, the Responsible for Processing, Processing Officers and/or third parties to whom Personal Data are transferred shall comply with the principles and rules established in the Law and in this Policy, in order to guarantee the right to habeas data of the Holders and to fulfill the legal obligations of the Firm. These principles are as follows:
a) Prior Authorization: All Personal Data Processing activities will be carried out once the previous, express and informed Authorization of the Holder has been obtained, unless the Law establishes an exception to this rule. In the event that Personal Data have been obtained prior to the Law, the Firm will seek the relevant ordinary and alternative means to convene the Holders and obtain their retroactive authorization, following the provisions of Decree 1377 and any consistent rules.
b) Authorized Purpose: All Personal Data Processing activities must comply with the purposes mentioned in this Policy or in the Authorization granted by the Holder of Personal Data, or in the specific documents that regulate each type of Personal Data Processing activities. The purpose of a particular Personal Data Processing activity must be informed to the Holder of Personal Data at the time of obtaining his/her Authorization. Personal Data may not be processed with disregard to the purposes informed and consented to by the Data Holders.
c) Data Quality: The Personal Data subject to Processing must be truthful, complete, accurate, up-to-date, verifiable and understandable. When in possession of partial, incomplete, fractional or misleading Personal Data, the Firm must refrain from Processing such data, or must request the holder thereof to complete or correct the information.
d) Delivery of Information to the Holder: When the Holder so requests it, the Firm must provide information about the existence of Personal Data that concerns the requestor. The delivery of this information will be carried out by the area of the Firm in charge of the protection of personal data (see numeral 7 of this Policy). Restricted Circulation: Personal Data may only be Processed by the personnel of the Firm authorized to do so, or by those who are responsible for carrying out such activities within their duties. Personal Data may not be delivered to those who do not have an Authorization or who have not been Authorized by the Firm to carry out such Processing.
e) Temporary Nature: The Firm will not use the information of the holder beyond the reasonable time required by the purpose informed to the Holder of Personal Data.
f) Restricted Access: Except for expressly authorized Data, the Firm may not make Personal Data available for access over the Internet or on other mass media, unless technical and security measures are established to control access and restrict it to Authorized persons only.
g) Confidentiality: The Firm must always carry out the Processing by providing technical, human and administrative measures that are necessary to maintain the confidentiality of the data and to prevent it from being tampered, modified, consulted, used, accessed, deleted, or known by Unauthorized persons or by Authorized and Unauthorized persons in a fraudulent manner, or if the Personal Data will be lost. Any new project involving the Processing of Personal Data must be consulted in accordance with this Processing Policy to ensure compliance with this rule.
h) Confidentiality and Subsequent Processing: Any Personal Data that is not Public Data must be considered confidential by the Responsible for Processing, even if the contractual relationship or the link between the Holder of the Personal Data and the Firm has ended. Upon termination of such link, the Personal Data must continue to be Processed in accordance with this Policy and with the Law.
i) Individuality: The Firm will maintain separate databases in which it acts as the Responsible for Processing of the databases for which it is Responsible.
j) Necessity: Personal Data may only be Processed during the time and to the extent warranted by the purpose for which they are Processed.
3. Processing and Purpose
The Personal Data processed by the Firm must be strictly subject only to the purposes indicated below. Likewise, the Responsible for Processing or third parties who have access to Personal Data by virtue of the Law or contract, will ensure that such Processing is limited to the following purposes:
a) To manage all the information necessary for the fulfillment of the tax obligations and of the commercial, corporate and accounting records of the Firm.
b) To comply with the internal processes of the Firm regarding the management of suppliers and contractors.
c) To comply with the service agreements entered into with customers.
d) To provide their services according to the particular needs of the customers of the Firm, in order to fulfill the service agreements entered into, including but not limited to the verification of the affiliations and rights of the individuals to whom the customers of the Firm will provide their services, use the Personal Data for the marketing of new services or products.
e) Any other purposes determined by the Responsible for Processing for obtaining Personal Data communicated to the Holders at the time of collecting the personal data.
f) The control and prevention of fraud and money laundering, including but not limited to restrictive lists, and all necessary information required for the Money-Laundering and Terrorism-Financing Risk Management System (SARLAFT).
g) The filing and updating process of systems for the protection and custody of the information and databases of the Firm.
h) Processes within the Firm, for development or operational and/or systems management purposes.
i) The transmission of data to third parties with whom contracts have been entered into for this purpose, for commercial, administrative, marketing and/or operational purposes, including but not limited to the issuance of IDs, personalized certificates and certifications to third parties, in accordance with the legal provisions in force.
j) To maintain and process, by a computer or using other means, any kind of information related to the customer’s business in order to provide the relevant services and products.
k) The other purposes determined by the Responsible for Processing for obtaining Personal Data, in order to comply with the legal and regulatory obligations and with the policies of the Firm.
4 Rights of the Holders of Personal Data
In accordance with the Law, the Holders of Personal Data have the following rights:
a) To know, update and rectify their Personal Data to the Firm or to the Responsible for Processing thereof. This right may be exercised, inter alia, in respect of partial, inaccurate, incomplete, fractioned or misleading data, or data which Processing is expressly prohibited or has not been authorized.
b) To request evidence of the Authorization granted to the Firm, unless the Law indicates that such Authorization is not required.
c) To submit requests to the Firm or to the Responsible for Processing regarding the use given to their Personal Data, and to receive such information from them.
d) To submit complaints to the Superintendence of Industry and Trade for violations to the Law.
e) To revoke their Authorization and/or request the deletion of their Personal Data from the databases of the Firm, when the Superintendence of Industry and Trade has determined, by means of a final administrative act, that in the Processing of such Personal Data the Firm or any Responsible for Processing has behaved contrary to the Law or when there is no legal or contractual obligation to maintain the Personal Data in the database of the relevant Responsible for Processing.
f) To request access and have free access to their Personal Data that have been subject to Processing in accordance with article 21 of Decree 1377/2013.
g) To be aware of the amendments made to the terms of this Policy in an efficient manner before the implementation of new amendments or, otherwise, of the new information processing policy.
h) To have easy access to the text of this Policy and its amendments.
i) To have easy access to the Personal Data under the control of the Firm to effectively exercise the rights granted to Holders by the Law.
j) To know the area or person authorized by the Firm with whom they can file complaints, inquiries, claims and any other request regarding their Personal Data.
Holders may exercise their legal rights and carry out the procedures established in this Policy, by submitting their ID card or original identification document. Minors may exercise their rights in person or through their parents or adults who have parental authority, who must prove it through the relevant documentation. Likewise, the rights of Holders may be exercised by the successors in title who accredit such status, by the representative and/or proxy of the holder with the corresponding accreditation and by those who have made a stipulation in favor of another or for another.
5. Responsible for Protecting Personal Data
The firm has designated Customer Service as the area Responsible for receiving and addressing requests, complaints, claims and inquiries of all kinds related to Personal Data. The person in charge of Customer Service will process inquiries and claims regarding Personal Data in accordance with the Law and this Policy.
Some of the particular duties of this area in relation to Personal Data are as follows:
a) To receive the requests from the Holders of Personal Data, to process and answer those based on the Law or these Policies, such as: requests for updating Personal Data; requests to know Personal Data; requests for deletion of Personal Data when the Holder submits a copy of the decision from the Superintendence of Industry and Trade in accordance with the Law, requests for information on the use given to their Personal Data, requests for updating Personal Data, requests for evidence of the Authorization granted, when carried out in accordance with the Law.
b) To answer Holders of the Personal Data regarding requests that are not appropriate in accordance with the Law.
The contact details of Customer Service are the following:
- Street address: Calle 70ª No. 4 - 41
- Email address: info@bu.com.co
- Telephone: (+57-1) 3462011 Ext. 8769
- Position of the contact person: Customer Service Analyst
6. Procedures for exercising the rights of Holders of Personal Data
6.1. Inquiries
The Firm shall have mechanisms in place for the Holder, his/her successors in title, representatives and/or proxies, those who have been stipulated in favor of another or for another, and/or the representatives of underage Holders, to make inquiries regarding which are the Personal Data of the Holder recorded in the Databases of the Firm.
These mechanisms may be in person, such as window processes; electronic, through the Customer Service email info@bu.com.co; or by telephone, at the customer service line (+57-1) 346 2011 Ext. 8769, where the requests, complaints and claims will be received.
Regardless of the means, the Firm will keep evidence of the inquiry and its response.
a) If the requestor is enabled to formulate the inquiry, in accordance with the accreditation criteria established in Law 1581 and Decree 1377, the Firm will collect all the information about the Holder contained in the individual record of that person or related to the identification of the Holder within the databases of the Firm and will be made known to the requestor.
b) The person Responsible for answering the inquiry will answer the requestor provided he/she is entitled thereto because he/she is the Holder of the Personal Data, his/her successor in title, proxy, representative, when it has been stipulated by another or for another, or the legal representative in the case of minors. This response will be sent within ten (10) business days from the date when request was received by the Firm.
c) If the request cannot be addressed within ten (10) business days, the requestor will be contacted to inform the reasons for which the status of his/her request is in process. For this purpose, the same or similar means used by the Holder to communicate his/her request will be used.
d) The final answer to all requests will not take more than fifteen (15) business days from the date when the initial request was received by the Firm.
6.2. Claims
The Firm has mechanisms in place for the Holder, his/her successors in title, representative and/or proxy, those stipulated by another or for another, and/or the representatives of underage Holders, to file claims regarding (i) the Personal Data Processed by the Firm that must be corrected, updated or deleted, or (ii) the alleged breach of the legal duties of the Firm.
These mechanisms may be in person, such as window processes; electronic, through the Customer Service email info@bu.com.co; or by telephone, at the customer service line (+57-1) 346 2011 Ext. 8769, where the requests, complaints and claims will be received.
e) The claim must be submitted by the Holder, his/her successors in title or representatives or authorized persons in accordance with Law 1581 and Decree 1377, as follows:
- It must be addressed to Brigard & Urrutia electronically at the email info@bu.com.co; physically at the address Calle 70ª No. 4-41; or by telephone on the customer service line (+57-1) 346 2011 Ext. 8769.
- It must contain the name and identification document of the Holder.
- It must contain a description of the facts that give rise to the claim and the purpose sought (update, correction or deletion, or fulfillment of duties).
- It must indicate the address and contact details and identification document of the claimant.
- It must be accompanied by all the documentation that the claimant wishes to assert.
The Firm, before answering the claim, will verify the identity of the Holder of the Personal Data, his/her representative and/or proxy, or the accreditation that there was a stipulation by another or for another. For this purpose, it may require the ID card or original identification document of the Holder, and the special or general powers of attorney or documents that may be required as the case may be.
f) If the claim or additional documentation is incomplete, the Firm will request the claimant only once within five (5) days of receipt of the claim to remedy the failures. If the claimant fails to submit the required documentation and information within two (2) months of the date of the initial claim, he/she shall be deemed to have waived the claim.
g) If for any reason the person receiving the claim at the Firm is not competent to solve it, he/she will transfer it to the Customer Service Analyst within two (2) business days of receiving the claim, and shall inform the claimant of this.
h) Once the claim has been received with complete documentation, a legend will be included in the Database of the Firm where the Data of the Holder subject to claim is recorded that will read “claim in process” and the reason for it, within two (2) business days. This legend must be maintained until the claim is settled.
i) The maximum term to address the claim shall be fifteen (15) business days from the day following the date of receipt. When it is not possible to address the claim within such term, the interested party will be informed of the reasons for the delay and of the date when the claim will be dealt with, which in no case may exceed eight (8) business days following the expiration of the first term.
7. Term
This Policy is effective as of July 25. The Personal Data stored, used or transmitted will remain in our Database, based on the criteria of temporality and necessity, for as long as necessary for the purposes mentioned in this Policy for which they were collected.
8. Annexes
Procedure for filing a request, complaint or claim.
Information Processing Flowchart