Regulations

  1. Legal basis and scope of application:

This information treatment policy is developed in compliance with Articles 15 and 20 of the Political Constitution; Articles 17 paragraph k) and 18 paragraph f) of the Statutory Law 1581 of 2012, which establishes general provisions for the Protection of Personal Data (LEPD); and Decree 1074 of 2015, which regulates that Law.

This policy shall be applicable to all personal data recorded in databases that are processed by the data controller.

Definitions established in chapter 25 section 1 article 2.2.2.2.25.1.3. of Decree 1074 of 2015:
  • Authorization: Prior, express and informed consent of the Data Subject to carry out the processing of personal data.
  • Database: Organized set of personal data that is subject to processing.
  • Personal data: Any information linked or that can be associated to one or several determined or determinable natural persons.
  • Public data: Data that is not semi-private, private or sensitive. Public data includes, among others, data relating to the marital status of individuals, their profession or trade, and their status as merchants or public servants. By their nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins, and duly executed court rulings that are not subject to confidentiality.
  • Sensitive data: Sensitive data are understood as those that affect the privacy of the Data Subject or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.
  • Data Processor: A natural or legal person, public or private, who by himself or in association with others, carries out the processing of personal data on behalf of the data controller.
  • Data Controller: Natural or legal person, public or private, who alone or in association with others, decides on the database and/or the processing of data.
  • Data subject: Natural person whose personal data is the object of processing.
  • Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.
  • Privacy notice: Verbal or written communication generated by the responsible party, addressed to the Data Subject for the processing of his personal data, by means of which he is informed about the existence of the information processing policies that will be applicable to him, the way to access them and the purposes of the processing that is intended to be given to the personal data.
  • Transfer: The transfer of data takes place when the controller and/or processor of personal data, located in Colombia, sends the information or personal data to a recipient, which in turn is responsible for the processing and is located inside or outside the country.
  • Transmission: Processing of personal data that involves the communication of such data within or outside the territory of the Republic of Colombia when its purpose is the performance of a processing by the processor on behalf of the controller.

3.  Authorization of the treatment policy

According to article 9 of the LEPD, for the processing of personal data, the prior and informed authorization of the Data Subject is required. By accepting this policy, any Data Subject who provides information regarding their personal data is consenting to the processing of their data by the Corporación Agencia de Promoción de Inversión del Quindío y Armenia under the terms and conditions set forth herein.

The authorization of the Holder will not be necessary in the case of:

  • Information required by a public or administrative entity in the exercise of its legal functions or by court order.
  • Data of a public nature.
  • Cases of medical or sanitary emergency.
  • Processing of information authorized by law for historical, statistical or scientific purposes.
  • Data related to the Civil Registry of persons.

4. Responsible for the treatment

The person responsible for the processing of the databases covered by this policy is the Corporación Agencia de Promoción de Inversión del Quindío y Armenia whose contact details are as follows:

Address: Carrera 14 No 23 – 15 Piso 4 – Edificio Cámara de Comercio (Armenia, Quindío)

E-mails: diana.caicedo@investinarmenia.org and ncarrillo@investinarmenia.org

 5. Treatment and purposes of the databases

The Corporación Agencia de Promoción de Inversión del Quindío y Armenia, in the development of its activity and purpose, carries out the processing of personal data related to natural persons that are contained and processed in databases for legitimate purposes, in compliance with the Constitution and the Law.

The following table (Table I) presents the different databases managed by the institution and the purposes assigned to each of them.

Table I. Databases and Purposes

Name: Purpose

  • Contractor and suppliers: The data will be used for the following purposes: request for bids and economic proposals for the acquisition of products and services; for the analysis and feasibility of each product and/or service; sending communications through text messages and e-mails; submission of relevant reports to the different control entities; review and verification of commercial references; pre-contractual and contractual negotiations; supply of information in internal and external auditing processes carried out within the corporation; sending information on products, services or news of the foundation; tracking in restrictive databases such as (police, attorney general, comptroller, SARLAFT – Risk Management System for Money Laundering and Financing of Terrorism and others that the Colombian regulations provide). The above purposes are illustrative and not exhaustive.
  • Employees: The data will be used for the following purposes: requesting data concerning personal identification, contact information, academic data, work, professional and financial history data; adequately developing the process of registration and labor linkage; implementing labor welfare actions; disseminating job offers to participate in internal personnel selection processes in the Institution; communicating institutional information; executing activities for statistical purposes; properly developing the process of updating data; developing registration processes for congresses, events or seminars organized by the Institution; updating data and verifying the identity of employees and their family members (partner, parents, children); summoning applicants in the selection process to scheduled interviews, conducting home visits, verifying work and personal references, work experience and professional trajectory; providing information to the companies with which the company has an agreement and to the employee fund, preparing equipment items, sending information via text messages and e-mails, delivering and assigning equipment to employees, and drafting human resources reports; process of affiliation to the social security system and compensation funds of employees and their beneficiaries; delivery of labor references, use of photographic images and videos for corporate purposes, obtaining and providing data of employees’ children in the development of recreational and welfare activities through the Institutions or allied entities, performance evaluations; generation of labor certifications, promotion, transfer, retirement interview, in internal and external audit and control processes, in the delivery of mandatory institutional reports in retirement interviews, deactivation of information systems, use of photographic images and videos for corporate purposes; use of fingerprints and other health data and/or sensitive data for mission purposes. The above purposes are illustrative and not exhaustive.

6. data

The navigation system and the software necessary for the functioning of this website collect some personal data, the transmission of which is implicit in the use of Internet communication protocols.

By its very nature, the information collected could allow the identification of users through its association with third party data even if it is not obtained for that purpose. This category of data includes the IP address or domain name of the computer used by the user to access the website, the URL address, the date and time and other parameters relating to the user’s operating system.

These data are used for the sole purpose of obtaining anonymous statistical information on the use of the website or to control its correct technical operation, and are cancelled immediately after being verified.

8. Rights of the Holders

In accordance with article 8 of LEPD law 1581 of 2012 and chapter 25 section 4 article 2.2.2.2.25.4.1. of Decree 1074 of 2015, Data Owners may exercise a number of rights in relation to the processing of their personal data. These rights may be exercised by the following persons.

By the Holder, who must prove his identity sufficiently by the different means made available to him by the responsible party.

By their successors in title, who must prove their status as such.

By the representative and/or attorney-in-fact of the Holder, upon accreditation of the representation or power of attorney.

By stipulation in favor of another and for another.

The rights of children or adolescents shall be exercised by the persons who are empowered to represent them.

The rights of the Holder are as follows:

  • Right of access or consultation: This is the right of the Data Subject to be informed by the data controller, upon request, regarding the origin, use and purpose of his or her personal data.
  • Complaints and claims rights: The Law distinguishes four types of complaints:

Claim for correction: The right of the Data Subject to have any partial, inaccurate, incomplete, fractioned, misleading data updated, rectified or modified, or data whose processing is expressly prohibited or has not been authorized.

Claim for suppression: The right of the Data Subject to have data that is inadequate, excessive or that does not respect the constitutional and legal principles, rights and guarantees suppressed.

Claim of revocation: The right of the Data Subject to cancel the authorization previously given for the processing of his or her personal data.

Claim of infringement: The Data Subject’s right to request that a breach of Data Protection regulations be remedied.

  • Right to request proof of the authorization granted to the data controller: Except when expressly exempted as a requirement for the processing in accordance with the provisions of Article 10 of the LEPD.
  • Right to file before the Superintendence of Industry and Commerce complaints for infringements: The Data Subject or assignee may only raise this complaint once he/she has exhausted the consultation or complaint process before the data controller or data processor.

9. Attention to Data Subjects

The party responsible for the information is the Corporación Agencia de Promoción de Inversión del Quindío y Armenia, identified with NIT. 901063201-2, which will be responsible for attending to the requests, queries and claims through which the owner of the data can exercise their rights, at the following e-mail addresses: diana.caicedo@investinarmenia.org and ncarrillo@investinarmenia.org

10. Procedures for exercising the rights of the Data Subject

10.1. Right of access or consultation

In accordance with chapter 25 section 4 article 2.2.2.2.25.4.4.2. 21 of Decree 1074 of 2015, the Data Subject may consult his or her personal data free of charge in two cases:

At least once every calendar month.

Whenever there are substantial modifications to the information processing policies that lead to new consultations.

For consultations whose frequency is greater than one per calendar month, the Corporación Agencia de Promoción de Inversión del Quindío y Armenia, may only charge the Holder the costs of shipping, reproduction and, where appropriate, certification of documents. Reproduction costs may not be higher than the costs of recovery of the corresponding material.

The Data Subject may exercise the right to access or consult his/her data by writing to the Corporación Agencia de Promoción de Inversión del Quindío y Armenia by e-mail at diana.caicedo@investinarmenia.org and ncarrillo@investinarmenia.org, indicating in the subject “exercise of the right to access or consult”. The request must contain the following data:

  • Name and surname of the Holder.
  • Photocopy of the Holder’s Citizenship Card and, if applicable, of the person who represents him/her, as well as the document accrediting such representation.
  • Request in which the request for access or consultation is specified.
  • Address for notifications, date and signature of the applicant.
  • Documents accrediting the request made, when applicable.

The Data Subject may choose one of the following ways to consult the database in order to receive the requested information:

On-screen display.

In writing, with copy or photocopy sent by certified mail or not.

E-mail or other electronic means.

Another system appropriate to the configuration of the database or the nature of the processing, offered by the Corporación Agencia de Promoción de Inversión del Quindío y Armenia.

Once the request is received, the Corporación Agencia de Promoción de Inversión del Quindío y Armenia, will resolve the consultation request within a maximum term of ten (10) working days from the date of receipt thereof. When it is not possible to attend the consultation within such term, the interested party shall be informed, stating the reasons for the delay and indicating the date on which the consultation will be attended, which in no case may exceed five (5) business days following the expiration of the first term. These deadlines are set forth in Article 14 of the LEPD.

10.2. Complaints and claims rights

The Data Subject may exercise the right to complain about his/her data by writing to the Corporación Agencia de Promoción de Inversión del Quindío y Armenia, through the e-mail addresses diana.caicedo@investinarmenia.org and ncarrillo@investinarmenia.org, indicating in the subject “exercise of complaints and/or claims”, or through postal mail sent to Cra 14 No. 23-15 floor 4 INVEST IN ARMENIA. The request must contain the following information:

  • Name and surname of the Holder.
  • Photocopy of the Holder’s Citizenship Card and, if applicable, of the person who represents him/her, as well as the document accrediting such representation.
  • Description of the facts and request in which the request for correction, deletion, revocation or infringement is made.
  • Address for notifications, date and signature of the applicant.
  • Documents accrediting the petition formulated that are to be asserted, when applicable.

If the claim is incomplete, the interested party will be required within five (5) days of receipt of the claim to correct the faults. After two (2) months from the date of the request, without the applicant submitting the required information, it will be understood that the claim has been abandoned.

Once the complete claim has been received, a legend will be included in the database stating “claim in process” and the reason for the claim, within a term no longer than two (2) business days. Said legend shall be maintained until the claim is decided.

The Corporación Agencia de Promoción de Inversión del Quindío y Armenia, will resolve the request for consultation within a maximum period of fifteen (15) business days from the date of receipt thereof. When it is not possible to respond to the claim within such term, the interested party will be informed of the reasons for the delay and the date on which the claim will be addressed, which in no case may exceed five (5) business days following the expiration of the first term.

11. Security measures

The Corporación Agencia de Promoción de Inversión del Quindío y Armenia, in order to comply with the principle of security enshrined in Article 4 paragraph g) of the LEPD, has implemented the technical, human and administrative measures necessary to ensure the security of the records, preventing their adulteration, loss, or unauthorized or fraudulent consultation, use or access.

On the other hand, the Corporación Agencia de Promoción de Inversión del Quindío y Armenia, by means of the subscription of the corresponding transmission contracts, has required the data processors with whom it works to implement the necessary security measures to guarantee the security and confidentiality of the information in the processing of personal data.

The following are the security measures implemented by the Corporación Agencia de Promoción de Inversión del Quindío y Armenia: (Tables II, III, IV and V).

Table II. Common security measures for all types of data (public, semi-private, private, sensitive) and databases (automated, non-automated).

  • Audit: 1. Regular audit (internal or external) every year. 2. Eventual extraordinary audits due to substantial changes in the information systems. 3. Deficiency detection report and proposed corrections. 4. Analysis and conclusions of the security officer and the data controller. 5. Conservation of the Report at the disposal of the authority.
  • Document and Media Management: 1. Measures such as paper shredders that prevent improper access to or recovery of data that has been discarded, erased or destroyed. 2. Restricted access to the place where the data is stored. 3. Authorization of the person responsible for the output of documents or media by physical or electronic means. 4. Labeling system or identification of the type of information. 5. Inventory of the media on which databases are stored.
  • Access control: 1. User access limited to the data necessary for the development of their functions, according to the role they perform. 2. Updated list of authorized users and accesses. 3. Written authorization of the owner of the information for the delivery of their data to third parties, to prevent access to data with rights other than those authorized. 4. Granting, alteration or cancellation of permits by authorized personnel.
  • Incidents: 1. Record of incidents: type of incident, time of occurrence, sender of the notification, recipient of the notification, effects and corrective measures. 2. Incident notification and management procedure.
  • Staff: 1. Definition of the roles and obligations of users with access to the data. 2. Definition of the control functions and authorizations delegated by the data controller. 3. Dissemination among staff of the rules and the consequences of non-compliance.

Table III. Common security measures for all types of data (public, semi-private, private, sensitive) according to type of databases

Non-automated database / Automated database

  • Archive: 1. File documentation following procedures that guarantee correct conservation, location and consultation and exercise of the rights of the Holders.
  • Document Storage: 1. Storage devices with mechanisms to prevent access by unauthorized persons.
  • Custody of Documents: 1. Duty of care and custody of the person in charge of documents during the review or processing of the same.
  • Identification and authentication: 1. Personalized identification of users to access information systems and verification of their authorization.
  • Telecommunications: 1. Data access through secure networks.

Table IV. Security measures for private data according to the type of data bases.

Non-automated database / Automated database

  • Audit: 1. Regular audit (internal or external) every year. 2. Eventual extraordinary audits due to substantial modifications in the information systems. 3. Deficiency detection report and proposed corrections. 4. Analysis and conclusions of the security officer and the data controller. 5. Preservation of the Report at the disposal of the authority.
  • Security Manager: 1. Designation of one or more security officer(s). 2. Designation of one or more persons in charge of the control and the coordination of the measures of the Internal Security Manual. 3. Prohibition of delegation of the controller’s responsibility to the security officer.
  • Document and media management: 1. Record of incoming and outgoing documents and media: date, sender and receiver, number, type of information, form of sending, person responsible for receipt or delivery.
  • Access control: 1. Access control to the place or places where the information systems are located.
  • Identification and authentication: 1. Mechanism that limits the number of repeated unauthorized access attempts.
  • Incidents: 1. Record of data recovery procedures, person performing the procedures, data restored and data recorded manually. 2. Authorization of the person in charge of treatment for the execution of the recovery procedures.

Table V. Security measures for sensitive data according to the type of databases.

Non-automated database / Automated database

  • Access control: 1. Access only for authorized personnel. 2. Access identification mechanism. 3. Logging of unauthorized user access.
  • Document storage: 1. Filing cabinets, lockers or other cabinets located in access areas protected by keys or other measures.
  • Copying or reproduction: 1. Only by authorized users. 2. Destruction that prevents access to or recovery of the data.
  • Transfer of documentation: 1. Measures to prevent access to or manipulation of documents.
  • Document and media management: 1. Confidential labeling system. 2. Data encryption. 3. Encryption of portable devices when they go out.
  • Access control: 1. Access log: user, time, database accessed, type of access, record accessed. 2. Control of the access register by the person in charge of security. Monthly report. 3. Conservation of data: for the period imposed by law.
  • Telecommunications: 1. Data transmission by means of encrypted electronic networks.

12. Transfer of data to third

According to Title VIII of the LEPD, the transfer of personal data to countries that do not provide adequate levels of data protection is prohibited. It is understood that a country offers an adequate level of data protection when it complies with the standards set by the Superintendence of Industry and Commerce on the matter in accordance with Circular 005 of August 10, 2017, which in no case may be lower than those required by this law to its recipients. This prohibition shall not apply in the case of:

Information with respect to which the Data Subject has given express and unequivocal authorization for the transfer.

Exchange of medical data, when so required by the treatment of the Data Subject for reasons of health or public hygiene.

Bank or stock exchange transfers, in accordance with the applicable legislation.

Transfers agreed within the framework of international treaties to which the Republic of Colombia is a party, based on the principle of reciprocity.

Transfers necessary for the performance of a contract between the Data Subject and the Data Controller, or for the performance of pre-contractual measures, provided that the Data Subject’s authorization has been obtained.

Transfers legally required to safeguard the public interest, or for the recognition, exercise or defense of a right in a judicial proceeding.

In cases not contemplated as an exception, the Superintendence of Industry and Commerce shall be responsible for issuing the declaration of conformity regarding the international transfer of personal data. The Superintendent is empowered to request information and take the necessary steps to establish compliance with the requirements for the viability of the operation.

International transfers of personal data that are made between a controller and a processor to enable the processor to carry out the processing on behalf of the controller shall not require the data subject to be informed or to have his or her consent, provided that a contract for the transfer of personal data is in place.

13. Validity

The databases under the responsibility of the Corporación Agencia de Promoción de Inversión del Quindío y Armenia, will be subject to processing during the time that is reasonable and necessary for the purpose for which the data is collected. Once the purpose or purposes of the processing have been fulfilled, and notwithstanding legal regulations to the contrary, the Corporación Agencia de Promoción de Inversión del Quindío y Armenia, shall proceed to delete the personal data in its possession unless there is a legal or contractual obligation that requires its preservation. Therefore, this database has been created without a defined period of validity.