Privacy Policy
Cerca Technology SAS
PERSONAL DATA PROCESSING POLICY MANUAL
January 2016.
1. General Principles and Postulates.
Cerca Technology SAS ensures the protection of rights such as Habeas Data, privacy, intimacy, good name, image, and autonomy. For this purpose, all actions will be governed by principles of good faith, legality, informatic self-determination, freedom, and transparency.
Whoever, in the exercise of any activity, including commercial and labor activities, whether permanent or occasional, may provide any type of information or personal data to Cerca Technology SAS, and in which it acts as the data processor or data controller, may know it, update it, and rectify it.
2. Legal Framework
Political Constitution, article 15.
Law 1266 of 2008 – Law 1581 of 2012
Regulatory Decrees 1727 of 2009 and 2952 of 2010, and Partial Regulatory Decree No. 1377 of 2013
Judgments of the Constitutional Court C – 1011 of 2008, and C – 748 of 2011;
3. Definitions
In accordance with the current legislation on the subject, the following definitions are established, which will be applied and implemented adopting criteria of interpretation that guarantee a systematic and integral application, and in line with technological advances, technological neutrality; and other principles and postulates governing fundamental rights surrounding, orbiting, and surrounding the right to habeas data and the protection of personal data.
Authorization: Prior, express, and informed consent of the owner to carry out the Processing of personal data.
Database: Organized set of personal data that is subject to Processing.
Personal data: Any information linked or that can be associated with one or more identified or identifiable natural persons.
Data processor: Natural or legal person, public or private, who by itself or in association with others, processes personal data on behalf of the data controller.
Data controller: Natural or legal person, public or private, who by itself or in association with others, decides on the database and/or the processing of data.
Owner: Natural person whose personal data are subject to processing.
Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.
4. Specific Principles
Cerca Technology SAS will apply the following specific principles set forth below, which constitute the rules to be followed in the collection, handling, use, processing, storage, and exchange of personal data:
a) Principle of legality: In the use, capture, collection, and processing of personal data, the current and applicable provisions governing the processing of personal data and other related fundamental rights will be applied.
b) Principle of freedom: The use, capture, collection, and processing of personal data can only be carried out with the prior, express, and informed consent of the Owner. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal, statutory, or judicial mandate that relieves consent.
c) Principle of purpose: The use, capture, collection, and processing of personal data accessed and collected by Cerca Technology SAS will be subject to and serve a legitimate purpose, which must be informed to the respective owner of the personal data.
d) Principle of truthfulness or quality: Information subject to use, capture, collection, and processing of personal data must be truthful, complete, accurate, up-to-date, verifiable, and understandable. The processing of partial, incomplete, fragmented, or misleading data is prohibited.
e) Principle of transparency: In the use, capture, collection, and processing of personal data, the right of the Owner to obtain from Cerca Technology SAS, at any time and without restrictions, information about the existence of any type of information or personal data that is of interest or ownership.
f) Principle of restricted access and circulation: Personal data, except for public information, may not be available on the Internet or other means of mass dissemination or communication, unless access is technically controllable to provide restricted knowledge only to Owners or authorized third parties.
g) Principle of security: Personal data and information used, captured, collected, and subject to processing by Cerca Technology SAS will be protected to the extent that technical resources and minimum standards allow, through the adoption of technological protection measures, protocols, and all types of administrative measures necessary to provide security to electronic records and repositories, preventing their tampering, modification, loss, consultation, and generally against any unauthorized use or access.
h) Principle of confidentiality: All individuals who administer, manage, update, or have access to any type of information in Databases or Data Banks are committed to preserving and maintaining strictly confidential and not disclosing it to third parties, all personal, commercial, accounting, technical, commercial, or any other information provided in the execution and exercise of their functions. All individuals currently working or to be engaged in the future for this purpose, in the administration and management of databases, must sign an additional document or addendum to their employment or service contract to ensure such commitment. This obligation persists and remains even after their relationship with any of the tasks comprising the Processing is terminated.
i) Sensitive data:
Sensitive data refers to data that affect the privacy of the owner or whose misuse can lead to discrimination, such as those revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations, or that promotes the interests of any political party or guarantees the rights and guarantees of opposition political parties as well as data relating to health, sexual life, and biometric data, among others, fixed or moving image capture, fingerprints, photographs, iris, voice, facial or hand palm recognition, etc.
5.1 Sensitive data processing:
Sensitive data categorized as such may be used and processed when:
a) The Owner has given explicit authorization for such processing unless such authorization is not required by law.
b) Processing is necessary to safeguard the vital interests of the owner and they are physically or legally incapacitated. In these events, legal representatives must grant their authorization.
c) Processing is carried out in the course of legitimate activities and with the necessary guarantees by a foundation, NGO, association, or any other non-profit organization, whose purpose is political, philosophical, religious, or union-related, provided they refer exclusively to their members or to persons with whom they have regular contact by reason of their purpose. In these events, data may not be provided to third parties without the owner’s authorization.
d) Processing relates to data necessary for the recognition, exercise, or defense of a right in a judicial process.
e) Processing has a historical, statistical, or scientific purpose. In this event, measures must be taken to suppress the identity of the Owners.
5.2. Owner’s authorization:
Without prejudice to the exceptions provided by law, prior, express, and informed authorization of the owner is required for the processing, which must be obtained by any means that can be subject to subsequent consultation and verification.
5.3 Cases where authorization is not required:
The authorization of the Owner will not be necessary in cases of:
a) Information required by a public or administrative entity in the exercise of its legal functions or by court order.
b) Public nature data.
c) Cases of medical or health emergency.
d) Processing of information authorized by law for historical, statistical, or scientific purposes.
e) Data related to the Civil Registry of Persons.
6. Rights of children and adolescents.
In the Treatment, the prevailing rights of minors will be respected. The Treatment of personal data of minors is prohibited, except for those data that are of a public nature.
It is the task of the State and educational entities of all kinds to provide information and train legal representatives and guardians about the potential risks that minors face regarding the improper treatment of their personal data, and to provide knowledge about the responsible and safe use by children and adolescents of their personal data, their right to privacy and protection of their personal information and that of others.
7. Duties of Cerca Technology SAS as responsible for the Treatment of Personal Data.
Cerca Technology SAS, when acting as the Data Controller of personal data, will comply with the following duties:
a) Guarantee the Holder, at all times, the full and effective exercise of the habeas data right.
b) Request and keep a copy of the respective authorization granted by the holder.
c) Properly inform the owner about the purpose of the collection and the rights they have by virtue of the authorization granted.
d) Keep the information under the necessary security conditions to prevent its alteration, loss, consultation, use, or unauthorized or fraudulent access.
e) Ensure that the information provided to the data processor is truthful, complete, accurate, up-to-date, verifiable, and understandable.
f) Update the information, promptly informing the data processor of any changes regarding the data previously provided and take any other necessary measures to keep the information provided to them up-to-date.
g) Rectify the information when it is incorrect and communicate the pertinent information to the data processor.
h) Provide the data processor, as appropriate, only with data whose Processing has been previously authorized.
i) Demand from the data processor at all times respect for the security and privacy conditions of the Holder’s information.
j) Process the queries and claims made.
k) Inform the data processor when certain information is under discussion by the Holder, once the claim has been submitted and the respective process has not been finalized.
l) Inform, at the request of the Holder, about the use given to their data.
m) Inform the data protection authority when violations of security codes occur and there are risks in the administration of the information of the Holders.
8. National Database Registry.
Cerca Technology SAS reserves, in the events contemplated in the law and in its statutes and internal regulations, the power to maintain and catalog certain information that is in its databases or data banks, as confidential in accordance with the current regulations, its statutes, and regulations, all of the above and in line with the fundamental right of corporate autonomy.
Cerca Technology SAS will proceed in accordance with current regulations and the regulations issued by the National Government for this purpose, to register its databases with the National Database Registry (RNBD) which will be administered by the Superintendence of Industry and Commerce. The RNBD is the public directory of databases subject to Processing operating in the country; and it will be freely accessible to citizens, in accordance with the regulations issued by the National Government for this purpose.
9. Authorizations and consent.
The collection, storage, use, circulation, or deletion of personal data by Cerca Technology SAS requires the free, prior, express, and informed consent of the owner thereof.
9.1 Means and expressions to grant authorization.
The authorization may be in a physical document, electronic, data message, Internet, websites, or in any other format that allows its subsequent consultation to be ensured, or through a suitable technical or technological mechanism, that allows expressing or obtaining consent via a click or double click, through which it can be unequivocally concluded that if the owner had not taken an action, the data would never have been captured and stored in the database. The authorization will be generated by Cerca Technology SAS and will be made available to the owner in advance and prior to the Processing of their personal data. See Annex No. 1 authorization model for the collection and processing of personal data.
9.2 Proof of authorization.
Cerca Technology SAS will use the mechanisms it currently has, and will implement and adopt the necessary actions to keep records or suitable technical or technological mechanisms of when and how it obtained authorization from the owners of personal data for their Processing. To comply with the above, physical files or electronic repositories may be established directly or through third parties contracted for this purpose.
10. Privacy notice:
The Privacy Notice is the physical, electronic document, or in any other known or unknown format, made available to the Holder for the Processing of their personal data. This document informs the Holder about the information regarding the existence of the information processing policies that will apply, how to access them, and the characteristics of the Processing that is intended to be carried out with the personal data.
10.1 Scope and content of the Privacy Notice.
The Privacy Notice, at a minimum, must contain the following information:
a) The identity, address, and contact information of the Data Controller.
b) The type of Processing to which the data will be subjected and its purpose.
c) The general mechanisms set up by the Controller for the Holder to know the information processing policy and the substantial changes that occur in it. In all cases, it must inform the Holder how to access or consult the information processing policy.
11. Rights and other privileges of the information holders.
In compliance with and in accordance with the provisions of the current and applicable regulations on the protection of personal data, the holder of personal data has the following rights:
a) Access, know, rectify, and update their personal data with Cerca Technology SAS, in its capacity as the Data Controller.
b) By any valid means, request proof of the authorization granted to Cerca Technology SAS, in its capacity as Data Controller.
c) To receive information from Cerca Technology SAS, upon request, regarding the use that has been given to their personal data.
d) Go to legally constituted authorities, especially to the Superintendence of Industry and Commerce, and file complaints for violations of the provisions in the current regulations and applicable norms, following the consultation or requirement process before the Data Controller.
e) Modify and revoke the authorization and/or request the deletion of the data when the Processing does not respect the principles, rights, and legal and constitutional guarantees in force.
f) Be informed and access their personal data that has been subject to Processing in a free manner.
12. Duties of Cerca Technology SAS regarding the Processing of personal data.
Cerca Technology SAS will bear in mind at all times that personal data belong to the individuals to whom they refer and that only they can decide on them. In this sense, it will use them only for those purposes for which it is duly authorized and respecting in any case the current regulations on the protection of personal data.
13. Guarantees of the Right of Access.
Cerca Technology SAS will guarantee the right of access when, after accrediting the identity of the owner, legitimacy, or representation, it makes available to them, at no cost or expense, in a detailed and detailed manner, the respective personal data through all kinds of means, including electronic means that allow the Holder direct access to them. This access must be offered without any limitation and must allow the Holder to know and update them online.
14. Queries.
The holders, or their successors in title, may consult the personal information of the Holder that is held in any database. Consequently, Cerca Technology SAS will guarantee the right of consultation, providing the holders with all the information contained in the individual record or linked to the identification of the Holder.
Regarding the handling of requests for personal data consultation, Cerca Technology SAS guarantees:
Enabling electronic communication channels or other relevant means.
Establishing simplified forms, systems, and other methods, which must be communicated in the privacy notice.
Using customer service or complaint handling services that are in operation.
In any case, regardless of the mechanism implemented for handling consultation requests, they will be addressed within a maximum period of ten (10) business days from the date of receipt. If it is not possible to address the consultation within this period, the interested party will be informed before the expiration of the 10 days, stating the reasons for the delay and indicating the date when their consultation will be addressed, which in no case may exceed five (5) business days following the expiration of the initial deadline.
15. Claims.
The Holder or their successors in title who consider that the information contained in a database should be corrected, updated, or deleted, or who notice the alleged breach of any of the duties contained in the Law, may file a claim with the Data Controller, channeling and submitting it through the designated department, the contact details of which are specified later in item 22 of this document, and which will perform the function of personal data protection within Cerca Technology SAS.
The claim may be filed by the Holder, taking into account the information indicated in Article 15 of Law 1581 of 2012 and Decree 1377 of 2013, and other regulations that amend or supplement them.
16. Implementation of procedures to guarantee the right to file claims.
At any time and free of charge, the Holder or their representative may request from Cerca Technology SAS the rectification, updating, or deletion of their personal data, upon accreditation of their identity.
The rights of rectification, updating, or deletion may only be exercised by:
a) The Holder or their successors in title, upon accreditation of their identity, or through electronic instruments that allow them to identify themselves.
b) Their representative, upon accreditation of the representation.
When the request is made by a person other than the Holder, their authority or mandate must be duly accredited; and if such quality is not accredited, the request will be deemed not to have been submitted.
The request for rectification, updating, or deletion must be submitted through the channels enabled by Cerca Technology SAS as indicated in the privacy notice and must contain, at a minimum, the following information:
The name and address of the Holder or any other means to receive the response.
Documents accrediting the identity or representation of their representative.
A clear and precise description of the personal data regarding which the Holder seeks to exercise any of the rights.
Any other elements or documents that facilitate the location of the personal data.
17. Rectification and updating of data.
Cerca Technology SAS is obliged to rectify and update, at the request of the Holder, the information that is incomplete or inaccurate, in accordance with the procedure and terms indicated above. In this regard, the following will be taken into account:
In requests for rectification and updating of personal data, the Holder must indicate the corrections to be made and provide the documentation supporting their request.
Cerca Technology SAS has full discretion to enable mechanisms that facilitate the exercise of this right, provided that they benefit the Holder. Consequently, electronic or other means that it deems pertinent may be enabled.
Cerca Technology SAS may establish forms, systems, and other simplified methods, which must be communicated in the privacy notice and made available to interested parties on the website.
18. Deletion of data.
The Holder has the right, at all times, to request from Cerca Technology SAS the deletion (elimination) of their personal data when:
a) They consider that such data are not being processed in accordance with the principles, duties, and obligations provided by current regulations.
b) They are no longer necessary or relevant for the purpose for which they were collected.
c) The period necessary for the fulfillment of the purposes for which they were collected has elapsed.
This deletion implies the total or partial elimination of personal information as requested by the Holder in the records, files, databases, or treatments carried out by Cerca Technology SAS. It is important to note that the right to deletion is not absolute, and the controller may deny its exercise when:
a) The Holder has a legal or contractual duty to remain in the database.
b) Deleting data hinders judicial or administrative actions related to tax obligations, the investigation and prosecution of crimes, or the updating of administrative sanctions.
c) The data is necessary to protect legally protected interests of the Holder; to take action in the public interest, or to comply with a legal obligation acquired by the Holder.
19. Revocation of consent.
The holders of personal data may revoke their consent to the processing of their personal data at any time, provided that a legal or contractual provision does not prevent it. For this purpose, Cerca Technology SAS must establish simple and free mechanisms that allow the Holder to revoke their consent, at least through the same means by which it was granted.
It should be noted that there are two modalities in which consent revocation can occur. The first may be for all the authorized purposes, meaning that Cerca Technology SAS must completely cease processing the Holder’s data; the second may be for specific types of processing, such as for advertising or market research purposes. With the second modality, i.e., partial revocation of consent, other processing purposes that the controller, in accordance with the granted authorization, may carry out and with which the Holder agrees, remain unaffected.
20. Information security and security measures.
In line with the security principle established in current regulations, Cerca Technology SAS will adopt the technical, human, and administrative measures necessary to provide security to the records, preventing their alteration, loss, consultation, unauthorized or fraudulent use or access.
21. Use and international transfer of personal data and personal information by Cerca Technology SAS
Depending on the nature of the permanent or occasional relationships that any individual data subject may have with Cerca Technology SAS, all of their information may be transferred abroad, subject to applicable legal requirements. By accepting this policy, you expressly authorize the transfer of Personal Information. The information will be transferred for all relationships that may be established with Cerca Technology SAS.
Without prejudice to the obligation to observe and maintain confidentiality, Cerca Technology SAS will take the necessary measures to ensure that these third parties are aware of and commit to complying with this Policy, with the understanding that the personal information they receive may only be used for matters directly related to the relationship with Cerca Technology SAS and only as long as it lasts, and may not be used or intended for a different purpose.
Cerca Technology SAS may also exchange Personal Information with government or public authorities of any kind (including, among others, judicial or administrative authorities, tax authorities, and criminal, civil, administrative, disciplinary, and tax investigation bodies), and third parties involved in legal civil proceedings and their accountants, auditors, lawyers, and other advisors and representatives, because it is necessary or appropriate:
(a) To comply with current laws, including laws other than those of your country of residence.
(b) To comply with legal processes.
(c) To respond to requests from public and government authorities, and to respond to requests from public and government authorities different from those of your country of residence.
(d) To enforce our terms and conditions.
(e) To protect our operations.
(f) To protect our rights, privacy, security, or property, yours or those of third parties.
(g) To obtain applicable indemnities or limit damages that may affect us.
22. Function of personal data protection within Cerca Technology SAS
Cerca Technology SAS, as a company, and in accordance with current regulations, will act as the Data Controller for Personal Data; and the various commercial and administrative departments will act as Data Processors for personal data. For example, for customer data, financial data, and commercial data, the Administrative and Financial Management acts as the data processor.
VALIDITY.
This manual is effective from January 1st, 2016, and renders null any special regulations or manuals that may have been adopted by academic and/or administrative instances in Cerca Technology SAS.
ANNEX 1
AUTHORIZATION AND REFUNDATION DOCUMENT FOR THE USE OF PERSONAL DATA
Through Law 1581 of 2012, the General Regime for the Protection of Personal Data was issued with the purpose of «…developing the constitutional right that all individuals have to know, update, and rectify the information that has been collected about them in databases or files, and the other rights, freedoms, and constitutional guarantees referred to in Article 15 of the Political Constitution; as well as the right to information established in Article 20 of the same.»
To facilitate the implementation and compliance with said law, the National Government issued Decree 1377 of June 27, 2013, which expressly regulates the authorization of the Information Holder for the Processing of their personal data and develops the constitutional right that all natural persons have to know, update, and rectify all types of information collected or that have been subject to processing of personal data in banks or databases, and in general in files of public and/or private entities.
CognosOnLine Solutions Colombia S.A. (CognosOnLine), as a private entity that stores and collects personal data, with the purpose of staying in contact with its clients and informing them about the different activities it carries out for the provision of consultancy services, implementation, training, support, and other activities derived from its economic activity, requires your authorization so that, freely, prior, express, voluntary, and duly informed, it allows all areas of CognosOnLine to collect, raise, store, use, suppress, process, update, and dispose of the data that have been provided and that have been incorporated into the database that CognosOnLine has. This information is and will be used in the development of the Company’s functions, directly or through third parties.
CognosOnLine, under the terms provided by Article 10 of Decree 1377 of 2013, is expressly and unequivocally authorized to maintain and manage all your information, unless you express otherwise directly, expressly, unequivocally, and in writing, within thirty (30) business days from the receipt of this communication to the email address set for this purpose: servicioalcliente@cognosonline.com.
I expressly and unequivocally consent and authorize that my personal data be processed in accordance with the provisions of this document.
The Manual of Personal Data Treatment Policy can be consulted at: http://cercatechnology.com/contactenos/
In the event that it is considered that the company has used the data contrary to the authorized and applicable laws, you may contact us through a communication addressed to: marketing@cercatech.com.