Personal data protection treatment

Hotel Nutibara's privacy policy

In compliance with the provisions of Statutory Law 1581 of 2012 and its Regulatory Decree 1377 of 2013, HOTEL NUTIBARA adopts this policy for the processing of personal data, which will be communicated to all owners of the data collected or obtained in the future in the exercise of academic, cultural, commercial or work activities.

HOTEL NUTIBARA states that it guarantees the rights to privacy, intimacy and good name in the processing of personal data, and consequently all its actions will be governed by the principles of legality, purpose, freedom, veracity or quality, transparency, restricted access and circulation, security and confidentiality.

All people who, in the development of different contractual, commercial, labor activities, among others, whether permanent or occasional, provide HOTEL NUTIBARA with any type of information or personal data, will be able to know it, update it and rectify it.


I. IDENTIFICATION OF THE RESPONSIBLE FOR THE TREATMENT

COMPANY NAME: HOTEL NUTIBARA – HOTEL CHN SAS, which from now on will be called THE COMPANY.

DOMICILE AND ADDRESS: THE COMPANY has its domicile in the city of Medellín, and its main headquarters are located at Calle 52 AN 50 46 MEDELLÍN, ANTIOQUIA, COLOMBIA

EMAIL: info@hotelnutibara.com

PHONE: (57-4) 5115111


II. LEGAL FRAMEWORK

Political Constitution, article 15

Law 1266 of 2008

Law 1581 of 2012

Regulatory Decrees 1727 of 2009 and 2952 of 2010

Partial Regulatory Decree 1377 of 2013

Rulings C-1011 of 2008 and C-748 of 2011 of the Constitutional Court


III. AREA OF APPLICATION

This policy will be applicable to personal data registered in any database of THE COMPANY whose owner is a natural person.


IV. DEFINITIONS

For the purposes of this policy and in accordance with current regulations on the protection of personal data, the following definitions will be taken into account:

Authorization: Prior, express and informed consent of the Owner to carry out the Processing of personal data.

Privacy notice: Verbal or written communication generated by the Controller, addressed to the Owner for the processing of their personal data, through which they are informed about the existence of the information processing policies that will be applicable to them, the way to access the same and the purposes of the treatment that is intended to be given to personal data.

Database: Organized set of personal data that is subject to processing.

Successor in title: Person who has succeeded another due to the latter's death (heir).

Personal data: Any information linked or that can be associated with one or several specific or determinable natural persons.

Public data: It is data that is not semi-private, private or sensitive. Public data are considered, among others, data relating to the marital status of people, their profession or trade, and their status as a merchant or public servant. Due to its nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins, and duly executed judicial rulings that are not subject to confidentiality.

Sensitive data: Data that affects the privacy of the Owner or whose improper use may generate discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions or in social or human rights organizations or organizations that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.

Data Processor: Natural or legal person, public or private, who, by themselves or in association with others, carries out the Processing of personal data on behalf of the Data Controller.

Responsible for the Treatment: Natural or legal person, public or private, who alone or in association with others, decides on the database and/or the Processing of the data.

Owner: Natural person whose personal data is the subject of Treatment.

Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.

Transfer: The transfer of data takes place when the person responsible and/or in charge of the processing of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is responsible for the treatment and is located inside or outside the country.

Transmission: processing of personal data that involves communicating it within or outside the territory of the Republic of Colombia when its purpose is to carry out processing by the person in charge on behalf of the person responsible.


V. PRINCIPLES

For the purposes of guaranteeing the protection of personal data, THE COMPANY will harmoniously and comprehensively apply the following principles, in light of which the processing, transfer and transmission of personal data must be carried out:

Principle of legality regarding data processing: Data processing is a regulated activity, which must be subject to the current and applicable legal provisions that govern the subject.

Principle of purpose: the personal data processing activity carried out by THE COMPANY or to which it has access, will obey a legitimate purpose in accordance with the Political Constitution of Colombia, which must be informed to the respective owner of the personal data.

Principle of freedom: the processing of personal data can only be carried out with the prior, express and informed consent of the Owner. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal, statutory, or judicial mandate that requires consent.

Principle of truthfulness or quality: the information subject to Personal Data Processing must be truthful, complete, exact, updated, verifiable and understandable. The Processing of partial, incomplete, fragmented or misleading data is prohibited.

Principle of transparency: In the processing of personal data, THE COMPANY will guarantee the Owner their right to obtain, at any time and without restrictions, information about the existence of any type of information or personal data that is of interest or ownership.

Principle of restricted access and circulation: The processing of personal data is subject to the limits that derive from their nature, the provisions of the law and the Constitution. Consequently, the treatment can only be carried out by people authorized by the owner and/or by the people provided for by law. Personal data, except public information, may not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide knowledge restricted only to the owners or third parties authorized in accordance with the law. For these purposes, the obligation of THE COMPANY will be one of means.

Security principle: the information subject to processing by THE COMPANY must be handled with the technical, human and administrative measures that are necessary to provide security to the records, avoiding their adulteration, loss, or unauthorized or fraudulent consultation, use or access.

Principle of confidentiality: All people who, in THE COMPANY, administer, manage, update or have access to information of any type found in Databases, are obliged to guarantee the confidentiality of the information, so they undertake to preserve and keep strictly confidential, and not reveal to third parties, all the information that they come to know in the execution and exercise of their functions, except when these are activities expressly authorized by the data protection law. This obligation persists and will continue even after their relationship with any of the tasks included in the Treatment has ended.


VI. RIGHTS OF THE INFORMATION HOLDER

In accordance with what is contemplated by the current applicable regulations on data protection, the following are the rights of the owners of personal data:

a. Access, know, update and rectify your personal data before THE COMPANY in its capacity as data controller. This right may be exercised, among others, against partial, inaccurate, incomplete, fragmented, misleading data, or data whose processing is expressly prohibited or has not been authorized.

b. Request proof of the authorization granted to THE COMPANY for data processing, by any valid means, except in cases where authorization is not necessary [1].

c. Be informed by THE COMPANY, upon request, regarding the use it has given to your personal data.

d. Submit to the Superintendence of Industry and Commerce, or the entity that takes its place, complaints for violations of the provisions of Law 1581 of 2012 and the other regulations that modify, add or complement it, after processing a consultation or request before THE COMPANY.

e. Revoke the authorization and/or request the deletion of the data when the processing does not respect constitutional and legal principles, rights and guarantees.

f. Access free of charge to your personal data that has been processed, at least once every calendar month, and whenever there are substantial modifications to this policy that motivate new queries.

These rights may be exercised by:

• The owner, who must prove his or her identity sufficiently by the different means made available to him by THE COMPANY.

• The successors in title of the owner, who must prove such quality.

• The representative and/or attorney-in-fact of the owner, prior accreditation of the representation or power of attorney.

• Another person in whose favor or for whom the owner has stipulated.

Rights of children and adolescents

In the processing of personal data, respect for the prevailing rights of minors will be ensured.

The processing of personal data of minors is prohibited, except for those data that are public in nature, and in this case the processing must comply with the following parameters:

a. Respond to and respect the best interests of minors.

b. Ensure respect for the fundamental rights of minors.

It is the task of the State and educational entities of all types to provide information and train legal representatives and guardians about the possible risks that children and adolescents face regarding the improper processing of their personal data, and to provide knowledge about the responsible and safe use by children and adolescents of their personal data, their right to privacy and protection of their personal information and that of others.


VII. DUTIES OF THE COMPANY AS RESPONSIBLE AND IN CHARGE OF THE PROCESSING OF PERSONAL DATA

THE COMPANY recognizes the ownership of personal data held by individuals and consequently they can exclusively decide on it.

Therefore, THE COMPANY will use personal data to fulfill the purposes expressly authorized by the owner or by current regulations.

In the treatment and protection of personal data, THE COMPANY will have the following duties, without prejudice to others provided for in the provisions that regulate or come to regulate this matter:

a. Guarantee the holder, at all times, the full and effective exercise of the right of habeas data.

b. Request and keep a copy of the respective authorization granted by the owner for the processing of personal data.

c. Duly inform the owner about the purpose of the collection and the rights granted to him by virtue of the authorization granted.

Whoever accesses personal data without prior authorization must in all cases comply with the provisions contained in this law.

d. Preserve the information under the security conditions necessary to prevent its adulteration, loss, unauthorized or fraudulent consultation, use or access.

e. Guarantee that the information is true, complete, accurate, up-to-date, verifiable and understandable.

f. Timely update the information, thus addressing all new developments regarding the owner's data. Additionally, all necessary measures must be implemented so that the information remains updated.

g. Rectify information when it is incorrect and communicate what is pertinent.

h. Respect the security and privacy conditions of the owner's information.

i. Process queries and claims made in the terms established by law.

j. Identify when certain information is under discussion by the owner.

k. Inform at the request of the owner about the use given to their data.

l. Inform the data protection authority when violations of security codes occur and there are risks in the administration of the owners' information.

m. Comply with the requirements and instructions issued by the Superintendence of Industry and Commerce on the particular topic.

n. Only use data whose processing is previously authorized in accordance with the provisions of Law 1581 of 2012.

o. Ensure the appropriate use of the personal data of children and adolescents, in those cases in which the processing of their data is authorized.

p. Register in the database the legend "claim in process" in the manner in which it is regulated by law.

q. Insert the legend "information under judicial discussion" into the database once notified by the competent authority about judicial processes related to the quality of personal data.

r. Refrain from circulating information that is being disputed by the owner and whose blocking has been ordered by the Superintendence of Industry and Commerce.

s. Allow access to information only to people who can have access to it.

t. Use the personal data of the owner only for those purposes for which it is duly authorized and respecting in all cases the current regulations on the protection of personal data.


VIII. AUTHORIZATION AND CONSENT OF THE OWNER

THE COMPANY requires the free, prior, express and informed consent of the owner of the personal data for the processing thereof, except in cases expressly authorized by law, namely:

a. Information required by a public or administrative entity in the exercise of its legal functions or by court order.

b. Public data.

c. Medical or health emergency cases.

d. Processing of information authorized by law for historical, statistical or scientific purposes.

e. Data related to the Civil Registry of Persons.

Declaration of authorization

Authorization to THE COMPANY for the processing of personal data will be granted by:

• The owner, who must prove his or her identity sufficiently by the different means made available to him by THE COMPANY.

• The successors in title of the owner, who must prove such quality.

• The representative and/or attorney-in-fact of the owner, after accreditation of the representation or power of attorney.

• Another person in whose favor or for whom the owner has stipulated.

Means to grant authorization

THE COMPANY will obtain authorization through different means, including physical document, electronic document, data message, Internet, websites, or any other format that in any case allows obtaining consent through unequivocal conduct from which it can be concluded that, had it not been provided by the owner or the person authorized to do so, the data would not have been stored or captured in the database.

Authorization will be requested by THE COMPANY prior to the processing of personal data.

Proof of authorization

THE COMPANY will keep proof of the authorization granted by the owners of the personal data for its processing, for which it will use the mechanisms currently at its disposal and will adopt the necessary actions to keep a record of the form and date in which it was obtained. Consequently, THE COMPANY may establish physical files or electronic repositories, made directly or through third parties hired for this purpose.

Revocation of authorization

The owners of personal data may at any time revoke the authorization granted to THE COMPANY for the processing of their personal data or request its deletion, as long as it is not prevented by a legal or contractual provision. THE COMPANY will establish simple and free mechanisms that allow the owner to revoke their authorization or request the deletion of their personal data, at least by the same means by which it was granted.

For the above, it must be taken into account that the revocation of consent can be expressed, on the one hand, completely in relation to the authorized purposes, and therefore THE COMPANY must cease any data processing activity; and on the other hand partially in relation to certain types of processing, in which case these will be the ones on which the processing activities will cease, such as for advertising purposes, among others. In the latter case, THE COMPANY may continue processing personal data for those purposes in relation to which the owner has not revoked his or her consent.


IX. TREATMENT TO WHICH THE DATA WILL BE SUBJECTED AND PURPOSE OF THE SAME

The processing of personal data of employees, former employees, retirees, suppliers, contractors, or any person with whom THE COMPANY has established or will establish a relationship, permanent or occasional, will be carried out within the legal framework that regulates the matter and by virtue of their condition, and will be all those necessary for the fulfillment of the Business mission.

In any case, personal data may be collected and processed to:

a. Send information related to programs, activities, products and other goods or services offered by THE COMPANY.

b. Develop the mission of THE COMPANY in accordance with its statutes

c. Comply with the regulations applicable to suppliers and contractors, including but not limited to tax and commercial regulations

d. Comply with the provisions of the Colombian legal system on labor and social security matters, among others, applicable to former employees, current employees and candidates for future employment.

e. Conduct surveys related to the services or goods of THE COMPANY

f. Develop programs in accordance with its statutes.

g. Inform about job opportunities

h. Fulfill all its contractual commitments.

The processing of personal data of children and adolescents will proceed in accordance with what is contemplated in this policy in the section related to their rights.

Sensitive data

In the case of sensitive personal data, THE COMPANY may use and process them when:

a. The owner has given explicit authorization, except in cases where the granting of said authorization is not required by law.

b. The treatment is necessary to safeguard the vital interest of the Owner and the Owner is physically or legally incapacitated. In these events, legal representatives must grant their authorization.

c. The processing is carried out in the course of legitimate activities and with due guarantees by a foundation, NGO, association or any other non-profit organization, whose purpose is political, philosophical, religious or union, provided that they refer exclusively to its members or to people who maintain regular contacts due to their purpose. In these events, the data cannot be provided to third parties without the authorization of the owner.

d. The Treatment refers to data that is necessary for the recognition, exercise or defense of a right in a judicial process.

e. The Treatment has a historical, statistical or scientific purpose. In this event, measures must be adopted leading to the deletion of the identity of the owners.

Without prejudice to the exceptions provided for in the law, the processing of sensitive data requires the prior, express and informed authorization of the owner, which must be obtained by any means that can be subject to subsequent consultation and verification.


X. PRIVACY NOTICE

The Privacy Notice is the document, in physical, electronic or any other format, made available to the owner to inform them about the processing of their personal data. Through this document, the owner is informed of the existence of THE COMPANY's information processing policies that will be applicable to them, the way to access them and the characteristics of the treatment that is intended to be given to the personal data.

The privacy notice must contain, at a minimum, the following information:

a. The identity, address and contact information of the person responsible for the treatment.

b. The type of processing to which the data will be subjected and its purpose.

c. The rights of the owner.

d. The general mechanisms established by the person responsible so that the owner is aware of the information processing policy and the substantial changes that occur in it. In all cases, the owner must be informed how to access or consult the information processing policy.

e. The optional nature of the response regarding questions about sensitive data.


XI. GUARANTEES OF THE RIGHT OF ACCESS

To guarantee the right of access of the owner of the data, THE COMPANY will make available to him, after accreditation of his identity, legitimacy, or personality of his representative, without cost or expense, in a thorough and detailed manner, the respective personal data, through all types of media, including electronic media that allow the owner direct access to them. Said access must be offered without any limit and must allow the owner the possibility of knowing and updating them online.


XII. PROCEDURE FOR ATTENDING QUERIES, CLAIMS, REQUESTS FOR RECTIFICATION, UPDATE AND DELETION OF DATA.

a. Queries:

The owners or their successors may consult the personal information of the owner that resides in THE COMPANY, who will provide all the information contained in the individual record or that is linked to the identification of the Owner.

Regarding the attention to requests for consultation of personal data THE COMPANY guarantees:

b. Claims

The Owner or his successors who consider that the information contained in a database must be corrected, updated or deleted, or when they notice the alleged breach of any of the duties contained in the law, may file a claim with THE COMPANY, which will be processed under the following rules:

1. The Owner's claim will be formulated by means of a request addressed to THE COMPANY at the email info@hotelnutibara.com or by written communication addressed to the systems department, with the identification of the owner, the description of the facts that give rise to the claim, the address, and the accompanying documents that the owner wants to assert. If the claim is incomplete, the interested party will be required within five (5) days following receipt of the claim to correct the deficiencies. After two (2) months from the date of the request, without the applicant presenting the required information, it will be understood that the claim has been abandoned. In the event that the person who receives the claim is not competent to resolve it, he or she will forward it to the appropriate person within a maximum period of two (2) business days and will inform the interested party of the situation.

2. Once the complete claim is received, it will be cataloged with the label "claim in process" and the reason for it, within a period of no more than two (2) business days. This label will remain until the claim is decided.

3. The maximum term to address the claim will be fifteen (15) business days counted from the day following the date of receipt. When it is not possible to attend to the claim within said term, the interested party will be informed of the reasons for the delay and the date on which their claim will be attended to, which in no case may exceed eight (8) business days following the expiration of the first term.

c. Request for update and/or rectification

THE COMPANY will rectify and update, at the request of the owner, the information of the owner that turns out to be incomplete or inaccurate, in accordance with the procedure and terms indicated above, for which the following will be taken into account:

1. The owner must send the request to the email info@hotelnutibara.com or in physical form addressed to the systems department indicating the update and/or rectification to be made and will provide the documentation that supports their request.

2. THE COMPANY may enable mechanisms that facilitate the exercise of this right by the owner, as long as they benefit the owner. Consequently, electronic or other means that are considered relevant may be enabled, which will be informed in the privacy notice and will be made available to interested parties on the website.

d. Data deletion request

The owner of the personal data has the right to request THE COMPANY for its deletion (elimination) in any of the following events:

1. The owner considers that the data are not being treated in accordance with the principles, duties and obligations provided for in current regulations.

2. They have ceased to be necessary or relevant for the purpose for which they were collected.

3. The period necessary to fulfill the purposes for which they were collected has been exceeded.

This deletion implies the total or partial elimination of personal information in accordance with what is requested by the owner in the records, files, databases or treatments carried out by THE COMPANY. However, this right of the owner is not absolute and consequently THE COMPANY may deny the exercise of it when:

a) The owner has a legal or contractual duty to remain in the database.

b) The deletion of data hinders judicial or administrative actions linked to tax obligations, the investigation and prosecution of crimes or the updating of administrative sanctions.

c) The data is necessary to protect the legally protected interests of the owner; to carry out an action based on the public interest, or to comply with an obligation legally acquired by the owner.


XIII. NATIONAL DATABASE REGISTRY

THE COMPANY reserves, in the events contemplated in the law and in its statutes and internal regulations, the power to maintain and catalog certain information that resides in its databases as confidential in accordance with current regulations, its statutes and regulations, all of the above in line with fundamental and constitutional law.

THE COMPANY will proceed, in accordance with the current regulations and the regulations issued for this purpose by the National Government, to register its databases before the National Registry of Databases (RNBD), which will be administered by the Superintendency of Industry and Commerce. The RNBD is the public directory of databases subject to Treatment that operate in the country, and it will be freely available for consultation by citizens, in accordance with the regulations issued for this purpose by the National Government.


XIV. INFORMATION SECURITY AND SECURITY MEASURES

In compliance with the security principle established in current regulations, THE COMPANY will adopt the technical, human and administrative measures that are necessary to provide security to the records, preventing their adulteration, loss, or unauthorized or fraudulent consultation, use or access.


XV. USE AND INTERNATIONAL TRANSFER OF PERSONAL DATA AND PERSONAL INFORMATION BY THE COMPANY.

In compliance with the institutional mission and the strategic development plan of THE COMPANY, and taking into account the nature of the permanent or occasional relationships that any person holding personal data may have with THE COMPANY, the COMPANY may carry out the transfer and transmission, including internationally, of all personal data, as long as the applicable legal requirements are met; and consequently the owners, with the acceptance of this policy, expressly authorize the transfer and transmission, even internationally, of personal data. The data will be transferred, for all relationships that may be established with THE COMPANY.

For the international transfer of personal data of the owners, THE COMPANY will take the necessary measures so that third parties are aware of and agree to observe this policy, with the understanding that the personal information they receive may only be used for matters directly related to THE COMPANY and only while it lasts, and it cannot be used or destined for a different purpose. For the international transfer of personal data, the provisions of article 26 of Law 1581 of 2012 will be observed.

International transmissions of personal data carried out by THE COMPANY will not require the owner to be informed nor have his consent when there is a contract for the transmission of personal data in accordance with article 25 of Decree 1377 of 2013.

THE COMPANY may also exchange personal information with governmental or other public authorities (including, among others, judicial or administrative authorities, tax authorities and criminal, civil, administrative, disciplinary and fiscal investigation bodies), and third parties participating in civil legal proceedings and their accountants, auditors, attorneys and other advisors and representatives, because it is necessary or appropriate: (a) to comply with applicable laws, including laws other than those of your country of residence; (b) to comply with legal processes; (c) to respond to requests from public and government authorities, and to respond to requests from public and government authorities other than those of your country of residence; (d) to enforce our terms and conditions; (e) to protect our operations; (f) to protect our rights, privacy, safety or property, yours or others; and (g) to obtain the applicable compensation or limit the damages that may affect us.


XVI. RESPONSIBLE AND IN CHARGE OF PERSONAL DATA PROCESSING

THE COMPANY will be responsible for the processing of personal data.

The systems department will be in charge of processing personal data, on behalf of THE COMPANY.


XVII. VALIDITY

This policy takes effect as of December 1, 2016 and leaves without effect any regulations or special manuals that may have been adopted in THE COMPANY.

--------------------------------------------------------------------------------------

[1] Law 1581 of 2012. Article 10. Cases in which authorization is not necessary. The authorization of the Owner will not be necessary when it comes to:

a) Information required by a public or administrative entity in the exercise of its legal functions or by court order;

b) Data of a public nature;

c) Cases of medical or health emergency;

d) Processing of information authorized by law for historical, statistical or scientific purposes;

e) Data related to the Civil Registry of Persons.