Personal data processing policies
I. Identification of the data controller
Corporate name and identification
CEIBA SOFTWARE HOUSE S.A.S,
hereinafter referred to as THE COMPANY, a commercial company identified with NIT.
900022972-3 and created by public deed 1238 on May 11, 2005, registered in the Chamber of
Commerce on May 12, 2005.
Domicile and address
THE COMPANY has its domicile in the city of Medellin, and its main office is located at 65-191, 8B street, office 409. Puertoseco Business Center. Zip code 050024
444 51 11
II. Data processing principles
In all processing of personal data carried out by THE COMPANY, the principles established in the Colombian General Regime for the Protection of Personal Data shall be applied, especially the following:
a. Principle of legality of data processing:
For the processing of personal data carried out by THE COMPANY, the rules of the Colombian legal system relating to the General Regime for the Processing of Personal Data and those contained in this policy apply.
b. Principle of purpose:
The treatment given by THE COMPANY to the personal data it treats, obey the purposes established in this policy, which are in harmony with the Colombian legal system. In what is not regulated in this policy, the superior norms that regulate, add, modify or supersede it will be applied.
c. Principle of freedom:
The treatment carried out by THE COMPANY to personal data is done in accordance with the prior, express and consented authorization of the owner of the personal data.
d. Principle of truthfulness or quality
The information subject to processing by THE COMPANY shall be truthful, complete, updated, verifiable and understandable.
e. Principle of transparency
THE COMPANY guarantees that the owner of the personal data can obtain information about their data at any time and without restrictions according to the procedures described in this policy.
f. Principle of restricted access and circulation:
THE COMPANY guarantees that the processing of personal data given to the databases for which it is responsible, is carried out by people authorized by the owner and / or other individuals permitted by law.
g. Principle of security:
THE COMPANY will implement all technical, human and administrative measures necessary to protect the personal data processed in its databases, avoiding the use, adulteration, loss and unauthorized or unwanted consultation.
h. Principle of confidentiality
The treatment given to the personal data of the COMPANY’s databases will be carried out with strict confidentiality and reserve, according to the purposes described in this policy.
i. For more information on these principles, please refer to Law 1581 of 2012 and Decree 1377 of 2013, as well as other regulatory provisions that modify, clarify, supplement or supersede them.
III. Treatment to which the data will be subjected and its purpose
The treatment of the personal data of the person with whom THE COMPANY has established or establishes a relationship, permanent or occasional, will be carried out within the legal framework that regulates the matter. In any case, personal data may be collected and processed for the following purposes:
To develop the corporate purpose of THE COMPANY in accordance with its legal bylaws.
Comply with the applicable tax and commercial regulations.
Use of information, audiovisual, computer and technical means to carry out advertising or marketing activities of the company.
Video surveillance and security activities of the company and of the people who access its facilities.
Comply with the provisions of the Colombian legal system on labor and social security matters, among others, applicable to former employees, current employees and candidates for future employment.
Comply with the regulations of the health sector and the requirements demanded by the entities that control and monitor the provision of social security and health services in Colombia, such as the Ministry of Health, the Superintendence of Health, municipal and departmental health departments, EPS, IPS, among others.
Conduct surveys related to the services or goods of THE COMPANY.
To send commercial information of THE COMPANY.
To develop programs in accordance with its bylaws.
Fulfill all contractual, legal and regulatory commitments of the company.
IV. Treatment of sensitive data.
Biometric data related to the health and identification of individuals are considered to be of a sensitive nature and therefore are protected more rigorously by the individuals who have access to them in their capacity as persons in charge of handling the information.
The treatment of sensitive personal data will be exclusively for use in relation to the prevention of the spread of contagious diseases, such as covid-19, health controls and cooperation with state entities and provisions, cases such as submission of indicators to control entities, population health analysis and risk analysis in the examinations performed. at no time, without prior authorization, such sensitive data would be used for marketing purposes, sale of databases and/or other purposes unrelated to those expressed in this policy.
V. Rights of the owner of the information
in accordance with the provisions of the current applicable regulations on data protection, the holders of personal data have the right to:
access, know, update and rectify their personal data against the company in its capacity as data controller. this right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or those whose treatment is expressly prohibited or has not been authorized.
request proof of the authorization granted to the company for the processing of data, by any valid means, except in cases where authorization is not required.
be informed by the company, upon request, regarding the use it has given to your personal data.
to file before the superintendence of industry and commerce, complaints for violations of the provisions of law 1581 of 2012 and other rules that modify, add or complement it, after consultation or request to the company.
to revoke the authorization and/or request the deletion of the data.
access free of charge to their personal data that have been subject to processing, at least once every calendar month, and whenever there are substantial changes to this policy that motivate new consultations.
These rights may be exercised by:
- The holder, who must prove his identity sufficiently by the various means made available by the company.
- The assignees of the holder, who must prove such quality.
- The representative and/or attorney-in-fact of the holder, prior accreditation of the representation or power of attorney.
- Other in favor or for whom the holder has stipulated.
VI. Data controller and processor of personal data
The company will be responsible for the processing of personal data. the administrative department will be responsible for the processing of personal data.
Any communication on the matter should be made through the e-mail firstname.lastname@example.org
VII. Procedure for handling queries, claims, requests for rectification, updating and deletion of data
The holders or their assignees may consult the personal information of the holder that is held by the company, who will provide all the information contained in the individual record or that is linked to the identification of the holder. likewise, the company provides the mechanism through which the holder may file claims to update, rectify, delete the data or revoke the authorization definitively.
In any case, regardless of the mechanism implemented for the attention of consultation requests, they will be attended within a maximum term of ten (10) working days from the date of receipt. when it is not possible to attend the consultation within such term, the interested party shall be informed before the expiration of the 10 days, stating the reasons for the delay and indicating the date on which the consultation will be attended, which in no case may exceed five (5) business days following the expiration of the first term.
inquiries may be sent to the e-mail address email@example.com
VIII. Information security measures
In accordance with the principle of security established under the current legislation, THE COMPANY shall adapt the necessary technical, human and administrative actions for the security of all record and data collected, avoiding its non-authorized or fraudulent alteration, loss, access or use.
The company is committed to the correct use and treatment of the personal data of its customers and users, avoiding unauthorized access to third parties that would allow them to know or violate, modify, disclose and/or destroy the information contained in the company’s databases. for this reason, the company has security protocols and access to its information, storage and processing systems, including physical measures to control security risks.
Therefore, it must adopt the measures that allow it to comply with the provisions of law 1581 of 2012, and any other law or regulation that modifies or replaces them. as a consequence of this legal obligation, among others, it shall adopt security measures of logical, administrative and physical type, according to the criticality of the personal information to which it has access, to ensure that this type of information will not be used, traded, assigned, transferred and/or will not be subjected to any other treatment contrary to the purpose included in the provisions of the object of this contract. any suspicion of loss, leakage or attack against personal information held in the databases of the company will be reported, notice to be given once it has knowledge of such eventualities through the most relevant or effective mechanisms, such as publication on the website or networks of the company, direct communication to the reported email of the affected or the means established by it for that purpose or in any way that guarantees the right to information of the holder. the loss, leakage or attack against personal information also implies the obligation to manage the security incident according to the legal guidelines on the matter.
This policy is effective as of august 12, 2016.
Stibenzon Cañas Sánchez
The fields marked with * are required