TITLE I
RESPONSIBLE FOR THE TREATMENT
For all purposes, the company: GLOBAL BASH INC SAS identified with the Nit will be responsible for the data. 901.605.539-3 domiciled at: Carrera 47 # 52-62 Itagüí Antioquia.
TITLE II
OBJECTIVE
THE RESPONSIBLE is a company dedicated to the production of non-alcoholic beverages, the production of mineral waters and other bottled waters, and recognizes the importance of the security, privacy and confidentiality of the personal data of its workers, clients, suppliers and, in general, everyone. its agents of interest with respect to whom it processes personal information. For this purpose, and in compliance with Law 1581 of 2012, this policy has been created for the processing of personal data (hereinafter the “Treatment Policy”) which will regulate the information and data that are collected, stored and/or managed. by THE RESPONSIBLE.
TITLE III
DEFINITIONS
The concepts presented below are the result of what is stated in Law 1581 of 2012 and article 15 of the Political Constitution of Colombia. In the event that the law is modified or replaced in these aspects, its meaning will be that indicated in the current legal regulations:
Authorization: Prior, express and informed consent of the Owner to carry out the Processing of personal data.
Database: Organized set of personal data that is subject to Treatment.
Personal data: Any information linked or that can be associated with one or several specific or determinable natural persons.
Processor: Natural or legal person, public or private, who, by themselves or in association with others, carries out the Processing of personal data on behalf of the person responsible for the Treatment.
Responsible for the Treatment: Natural or legal person, public or private, who alone or in association with others, decides on the database and/or the Processing of the data.
Owner: Natural person whose personal data is the subject of Treatment.
Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.
Area in charge of Personal Data Protection/Privacy Officer: responsible within the Company, in charge of monitoring, controlling and promoting the application of the Personal Data Protection Policy.
TITLE IV
LEGAL FRAMEWORK APPLICABLE TO THE TREATMENT
Under this Treatment Policy, the following regulatory references and the procedures / guidelines issued by THE CONTROLLER will be applied for the processing of personal data. Statutory law 1581 of 2012 and regulatory decree 1377 of 2013 incorporated in decree 1074 of 2015, Title V of the sole Circular of the Superintendence of Industry and Commerce, and other concordant and complementary regulations.
Political Constitution of Colombia.
Law 1581 of 2012.
Decree 1377 of 2013, incorporated in Sole Decree 1074 of 2015.
Regulatory Decrees.
Circular 002 of 2015 of the Superintendency of Industry and Commerce.
Applicable jurisprudence.
Title V of the sole circular of the Superintendency of Industry and Commerce.
Other legal regulations that are created in the future and that are applicable.
TITLE V
PRINCIPLES TO WHICH THE TREATMENT IS SUBJECT
The processing of personal data carried out on the occasion of this Treatment Policy must be strictly governed by the following principles:
Legality: Treatment must be subject to the provisions of the Law.
Purpose: The purpose of the Treatment must be legitimate, temporary and informed to the owner.
Reasonable limit: The storage and processing of personal data will be limited to what is essentially necessary to fulfill the previously specified purposes of the business relationship, as well as the fulfillment of the purposes authorized by the Owner.
Freedom: The data can be processed only with the prior, express, informed and self-determined consent of the owner or by legal or judicial mandate.
Veracity or quality: The information must be true, complete, accurate, up-to-date, verifiable and understandable.
Transparency: The right of the owner to obtain information about their data at any time and without restrictions must be guaranteed.
Restricted access and circulation: Treatment may only be carried out by persons authorized by the Owner or by the persons provided for in the Law.
Security: The information must be managed with the necessary measures to provide security to the records and prevent their adulteration, loss, unauthorized or fraudulent consultation, use or access.
Confidentiality: Personal data that is not public in nature is reserved and can only be provided in the terms of the Law. Any person involved in the processing of the information must guarantee its confidentiality.
TITLE VI
PURPOSES OF TREATMENT
In its capacity as responsible for the processing of the collected data, THE CONTROLLER has various databases, with respect to which it declares that they will be processed for one(s) of the following purpose(s). ):
Administrative and Accounting Management.
Manage the data collected to administer account statements to each of these suppliers or clients.
Obtain authorization to review credit history in risk centers.
Administration and formalization of commercial agreements and contracts with the Company’s suppliers and service providers and support for external and internal audits.
Report annually to the National Tax and Customs Directorate (DIAN), complying with the Company’s legal obligations.
Registration and support of financial and accounting information in the Company’s software, in order to track the transactions carried out.
Administration of the Contracts of third parties that provide services to the Company, such as: lessors, surveillance, legal, among others.
Manage billing processes and manage the collection process associated with the expiration of payment terms granted in the Company’s billing, in order to support payments within internal accounting and serve as support for external audits and internal.
Commercial management, suppliers and contractors.
Manage the relationship of clients and suppliers to facilitate the internal management of the Company’s accounting, administrative and financial processes.
Maintain the business relationship and future negotiations with suppliers and contractors from the different areas of the Company.
Manage training and training programs for the Company’s workers in accordance with the requirements of the position of the Company’s commercial areas.
Control and monitoring of distribution and logistics percentages with the Company’s suppliers.
Advertising of commercial promotions.
Advertising and commercial prospecting by sending text messages to customers with promotional information.
Human Resources and Occupational Health.
Promote the verification and evaluation procedures of applicants in the selection processes, in order to fill the vacancies offered by the Company.
Carry out and verify the results of comprehensive security studies for the Company’s applicants, as a prior requirement for hiring.
Control and monitoring of the formalization of the employment relationship of the Company’s workers.
Support and monitoring of the delivery of staff to the Company’s workers, based on the requirements of the position to be filled and current labor legislation.
Control and monitoring of active and inactive personnel of the Company for statistical purposes.
Control and monitoring of temporary workers during the execution of their employment contract with the Company.
Verify the payroll payment of the Company’s workers in order to report labor news with an impact on the liquidation, recovery and payment of payroll.
Manage the occupational health and safety management system, in order to mitigate risks, as well as the appropriate attention to incidents or events in the development of different work activities.
Promote the development of well-being activities, action plans, staffing and comprehensive development of the worker in their work environment.
Control and monitoring of the reporting of risks that occur in the Company in order to detect unsafe areas and develop action plans in order to mitigate the risk.
Control and monitoring of absenteeism of the Company’s workers for statistical purposes.
Manage the occupational health and safety management system, to track the worker’s entry and exit medical examinations.
Technology and security.
Promote controls of the Company’s computer and technological systems in order to manage passwords, users, computer licenses and technological support.
Guarantee the security of the personal and financial information of our workers, suppliers, clients and collaborators; and at the same time have extensive and sufficient information that allows us to provide you with the best service.
Carry out the computational development of the visualization tool, as well as its constant updating. Management of security controls for the entry and exit of the Company’s facilities by workers and visitors.
TITLE VII
CASES WHICH AUTHORIZATION IS NOT REQUIRED
In accordance with the provisions of current regulations and corresponding jurisprudence, authorization will not be required for the processing of personal data of an exclusively public nature. Likewise, those subject to some degree of confidentiality may be revealed to a public authority, as appropriate in each case, after verification of compliance with the legal requirements for this purpose.
According to the provisions of article 10 of Law 1581 of 2012, it will not be necessary to obtain authorization for the processing of personal data in the following cases:
As developed by constitutional jurisprudence, personal data are divided into different categories according to the protection standards they require and the level of confidentiality that must be guaranteed, as follows: public, semi-private, private and sensitive. In accordance with said classification, different requirements are required for its treatment and disclosure to public authority, whether judicial or administrative. BASH processes the data in accordance with the standards applicable to each class and imposes the relevant reservation in each case.
PROCESSING OF PERSONAL DATA OF A SENSITIVE NATURE
According to Law 1581 of 2012, sensitive personal data are “those that affect the privacy of the Owner or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social organizations, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties as well as data related to health, sexual life and biometric data.” Within them, the data of minors is also recognized.
THE CONTROLLER must process data of this nature, in the development of relationships with its employees and/or candidates in selection processes, especially those related to health, and eventually biometric data in the implementation of security measures in control systems. of access to its facilities or to some physical spaces, in any case in the processing of said data special security measures will be adopted, and in any case when authorization for the processing of sensitive data is to be requested, the owner will be warned of the purposes for which will be treated and they will be informed that they have the right to refrain from answering questions about sensitive data or about data of children and adolescents.
Processing of data of minors
THE CONTROLLER tries in the development of its economic activity not to collect information from minors. If you are under 18 years of age, your data may only be entered into our databases with the express consent of the legal representative of the minor.
The Processing of personal data of children and adolescents is prohibited, except when it involves data of a public nature, in accordance with the provisions of article 7 of Law 1581 of 2012 and when said Processing complies with the following parameters and requirements:
That responds to and respects the best interests of children and adolescents.
That respect for their fundamental rights is ensured.
Once the above requirements have been met, the legal representative of the child or adolescent will grant authorization prior to the minor’s exercise of his or her right to be heard, an opinion that will be valued taking into account maturity, autonomy and ability to understand the matter.
According to the Colombian Constitutional Court, the personal data of minors under 18 years of age may be processed, as long as the prevalence of their fundamental rights is not put at risk and it unequivocally responds to the realization of the principle of their best interest, without prejudice. Compliance with the above, the collection and any use of the data of minors that are registered in the databases of THE RESPONSIBLE or that are requested require the express authorization of the legal representative of the child or THE RESPONSIBLE will facilitate the possibility that they can exercise the rights of access, cancellation, rectification and opposition of the data of their wards.
Every person responsible and in charge involved in the processing of the personal data of children and adolescents must ensure their appropriate use. For this purpose, the principles and obligations established in Law 1581 of 2012 and in the regulatory decree must be applied.
The family and society must ensure that those responsible and in charge of processing the personal data of minors comply with the obligations established in Law 1581 of 2012 and in the regulatory decree.
By virtue of the above, THE CONTROLLER will only process data of minors, subject to respect for the principles already indicated in the collection of the authorization and as long as the best interests of minors are respected in their processing.
TITLE VIII
RIGHTS THAT ASSIST THE OWNER OF THE INFORMATION
Know, update and rectify your personal data that is being processed by THE CONTROLLER or those in charge of processing.
Request proof of the authorization granted to THE CONTROLLER, except when it is expressly excepted as a requirement for the treatment.
Be informed by THE CONTROLLER upon request, regarding the use that has been given to your personal data.
Revoke the authorization and/or request the deletion of the data when the processing does not respect the constitutional and legal principles, rights and guarantees.
Present complaints to the Superintendency of Industry and Commerce for violations of the provisions of Law 1581 of 2012.
Know our Policy on the processing of Personal Data, and the substantial changes that may occur in it.
Access and know for free the personal data that is subject to processing in accordance with the provisions of the law, in the processing of personal data.
Refrain from answering questions about sensitive data. Responses that relate to sensitive data or data of children and adolescents will be optional.
Others granted by current legal regulations.
TITLE IX
OBLIGATIONS OF THE COMPANY AS THE CONTROLLER OF DATA PROCESSING
THE CONTROLLER is permitted to inform the duties that he assumes in his capacity as data controller:
Guarantee the Owner, at all times, the full and effective exercise of his rights.
Inform must find the means through which to obtain express authorization from the data owner to carry out any type of processing and keep a copy of said authorization.
Informar must clearly and expressly inform its users, employees, suppliers and third parties in general from whom it obtains data, the treatment to which they will be subjected, the purpose of said treatment and the rights that assist it by virtue of the authorization granted. . To do this, THE CONTROLLER must design the strategy through which for each event, mechanic or data request that is made, he will inform them of the respective processing in question.
Inform the data owners for each case of the optional nature of responding and granting the respective requested information.
In all cases in which data is collected, the rights that all owners have regarding their data must be informed.
Preserve the information under the security conditions necessary to prevent its adulteration, loss, unauthorized or fraudulent consultation, use or access.
Inform the identification, physical or electronic address and telephone number of the person or area that will be responsible for the treatment.
Guarantee at all times to the owner of the information, the full and effective exercise of the right to habeas data and petition, that is, the possibility of knowing the information that exists or rests on him in the data bank, requesting its update or correction. of data and process queries, all of which will be carried out through the query or complaint mechanisms provided for in this manual.
Maintain with due security the records of stored personal data to prevent their deterioration, loss, alteration, unauthorized or fraudulent use and periodically and timely update and rectify the data, each time the owners thereof report news or requests.
Guarantee that the information provided to the Data Processor is true, complete, accurate, updated, verifiable and understandable.
Update the information, communicating in a timely manner to the Data Processor, all the news regarding the data that you have previously provided and adopt the other necessary measures so that the information provided remains updated.
Rectify the information when it is incorrect and communicate the pertinent information to the Data Processor.
Provide the Data Processor, as the case may be, only data whose Processing is previously authorized in accordance with the provisions of this Manual.
Demand that the Data Processor at all times respect the security and privacy conditions of the Owner’s information.
Process queries, claims and requests formulated in the terms indicated in the Law or in this Manual.
Adopt an internal manual of policies and procedures to guarantee adequate compliance with Law 1581 of 2012 and, especially, to respond to queries, complaints and requests.
Inform the Data Processor when certain information is under discussion by the Owner, once the request has been submitted and the respective process has not been completed.
Inform, at the request of the Owner, about the use given to their data.
Inform the data protection authority when violations of security codes occur and there are risks in the administration of the Owners’ information.
Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
TITLE
INTERNATIONAL DATA TRANSMISSION AND TRANSFER
On the occasion of the activities carried out by THE CONTROLLER, its parent company, affiliates, subsidiaries, branches and business group, it may use to transfer and/or transmit information so that it can be processed by responsible third parties inside and outside the national territory. This transfer of personal data must be carried out in strict compliance with the provisions of this Treatment Policy and the security standards implemented by THE CONTROLLER. THE CONTROLLER is authorized to carry out international transmission and transfer of data between its parent company, subsidiaries, subsidiaries, branches and business group.
TITLE XI
DATA SECURITY
Our platform has all the required licensing, in all aspects of software development, infrastructure and third-party tools. Having the required licensing levels that adapt to the needs in each situation and with support on them from manufacturers and experts.
It also applies at the level of access to data of our clients, suppliers and collaborators. Since these accesses are protected by audit concepts and are only granted through controlled access tools such as VPNs or proprietary tools that control and audit access.
Likewise, access to information by our collaborators is protected by filters and security levels that guarantee its restriction based on Roles and responsibilities. And a detailed record is kept of any query or modification thereof with audit data answering who, when and what was done.
TITLE XII
TREATMENT AUTHORIZATION
For the processing of personal information THE CONTROLLER will request prior and informed authorization from the owners of the information, this may be written, verbal or through unequivocal conduct such as that granted through digital media such as websites, social networks or WhatsApp. THE CONTROLLER will keep proof of the authorizations obtained for the processing of the data.
TITLE XIII
PROCEDURE FOR THE PRESENTATION OF CLAIMS, INQUIRIES AND CLAIMS
THE CONTROLLER will have the following procedures to respond to questions, complaints, queries, claims and suggestions presented by the Information Holders, in accordance with the provisions of Law 1521 of 2012:
Consultations
The owner of the information, his successors or any other person with legitimate interest, will make inquiries through written communication or by email to the emailprotection [email protected], in which:
Determine your identity, including your name and identification number.
The reason for the consultation is clearly and expressly specified.
The legitimate interest with which you act is proven, attaching in all cases the appropriate supports.
Indicate the physical or electronic correspondence address to which the response to the request can be sent.
In accordance with article fourteen (14) of Law 1581 of 2012, it is established that: “The query will be responded to within a maximum period of ten (10) business days from the date of receipt thereof. When it is not possible to attend to it within said term, the interested party will be informed, expressing the reasons for the delay and indicating the date on which their query will be resolved, which in no case may exceed five (5) business days following the expiration of the foreground”.
Claims
The owner, his successors or any other person with a legitimate interest who considers that the information contained in a database must be corrected, updated, deleted, or revoked of the authorization granted for processing, or when they notice the alleged non-compliance. of any of the duties contained in Law 1581 of 2012, may, by physical or electronic means, submit a timely claim to the responsible area. In accordance with article fifteen (15) of Law 1581 of 2012, said claim will be admissible once compliance with the requirements presented below is verified:
The claim must: i) include the identity of the claimant, stating their name and identification number; ii) clearly and expressly specify the reason for the consultation; iii) prove the legitimate interest with which the claimant acts, attaching in all cases the appropriate supporting documents and, iv) indicate the physical or electronic correspondence address to which the response to the request should be sent. If it is found that the claim is incomplete, “the interested party will be required within five (5) days following receipt of the claim to correct the deficiencies. After two (2) months from the date of the request, without the applicant presenting the required information, it will be understood that he has withdrawn from the claim.
In the event that THE CONTROLLER is not competent to resolve the claim, he or she will notify the appropriate party within a maximum period of two (2) business days and will inform the interested party of the situation.
“Once the complete claim is received, a legend that says “claim in process” and the reason for it will be included in the database within a period of no more than two (2) business days. Said legend must be maintained until the claim is decided.”
“The maximum term to address the claim will be fifteen (15) business days counted from the day following the date of receipt. When it is not possible to attend to it within said term, the interested party will be informed of the reasons for the delay and the date on which their claim will be resolved, which in no case may exceed eight (8) business days following the expiration of the first term. .
The request for deletion of information and revocation of authorization will not proceed when the Owner has a legal or contractual duty to remain in the database with THE CONTROLLER.
TITLE XIV
ATTENTION OF QUERIES AND CLAIMS
THE CONTROLLER has an area responsible for addressing and resolving queries and claims from personal data holders or persons authorized to do so. Owners may submit their queries and complaints through the following channels:
Email:protection [email protected]
Physical address: Carrera 47 #52-62, Itagüí, Colombia
TITLE XV
MODIFICATIONS TO THE POLICY
THE CONTROLLER reserves the right to modify the privacy policy for personal information at any time. For this purpose, a notice will be published on the website or in the mechanism enabled by THE CONTROLLER 15 business days prior to its implementation and during the validity of the policy. If you do not agree with the new personal information management policies, the owners of the information or their representatives may request the withdrawal of their information through the means indicated above. However, the withdrawal of data cannot be requested while a link of any kind with THE CONTROLLER is maintained.
TITLE XVI
VALIDITY OF THE DATABASES
The Personal Data provided will be kept as long as its deletion is not requested by the interested party (unless it is requested and there is a legal duty to preserve it). The databases of THE CONTROLLER will have an indefinite period of validity since their processing will be necessary as long as THE CONTROLLER subsists and the development of its corporate purpose, in any case this term will not be less than (50) years. This version of this policy applies from the date of its publication, which completely replaces any previous provision or data processing policy, and will be in force indefinitely and for as long as THE CONTROLLER executes the activities described in in it and they correspond to the processing purposes that inspired this policy.
