Corficolombiana POLICY ON PERSONAL DATA PROCESSING

Transcription

1 Corficolombiana POLICY ON PERSONAL DATA PROCESSING 1

2 Corficolombiana DOCUMENT TITLE: PERSONAL DATA HANDLING POLICY CODE: CFC-PO-RH-10 Version: 2 C.E.: Page: DATE OF UPDATE June 17/2016 TABLE OF CONTENTS 1. OBJECTIVE DEFINITIONS PRINCIPLES POLICIES AUTHORIZATION GRANTED BY THE OWNER EVENTS IN WHICH AUTHORIZATION IS NOT REQUIRED DELIVERY OF INFORMATION TO OWNERS, LEGAL REPRESENTATIVES, PROXIES AND/OR ASSIGNEES OR SUCCESSORS DUTIES OF THE CORPORATION AS PERSON RESPONSIBLE FOR PROCESSING DUTIES OF THE CORPORATION AS PERSON IN CHARGE OF PROCESSING RIGHTS OF OWNERS PROCEDURES INQUIRIES CLAIMS MEANS OF COMMUNICATION FOR THE EXERCISE OF THE RIGHTS AND THE ATTENTION OF INQUIRIES AND COMPLAINTS FROM OWNERS VALIDITY CHANGES SUBSEQUENT TO THE CREATION OF THE POLICY

3 INTRODUCTION In order to ensure that the personal information processed by CORPORACION FINANCIERA COLOMBIANA S.A., hereinafter referred to as The Corporation, in connection with the activities for which it has been legally authorized, is carried out in accordance with the provisions on the protection of personal data (Statutory Law 1581/2012 and its regulatory decrees), especially in relation to the attention of inquiries and claims by owners, this internal document of policies and procedures is adopted. 1. OBJECTIVE Describe the guidelines for the handling of personal data. 2. DEFINITIONS The definitions indicated in Law 1581/2012 and in regulatory decree 1377/2013: a) Authorization: Prior, express and informed consent of the owner to carry out the processing of personal data. b) Database: Organized set of personal data to be processed. c) Personal data: Any information related to or associated with one or more determined or determinable natural persons. d) Public data: Any data that is not semi-private, private or sensitive. e) Sensitive data: Those that affect the privacy of the owner or which misuse may generate discrimination. f) Person in charge of handling: Natural or legal person, public or private, that by itself or in association with others, will carry out the processing of personal data on behalf of the Person responsible for handling. g) Person responsible for handling: Natural or legal person, public or private, that by itself or in association with others, will decide on the database and/or the handling of the data. h) Owner: Natural person whose personal data will be processed. i) Transfer: The transfer of data takes place when the Person in charge and/or the Person responsible for the processing of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is responsible for the processing and is located in or outside the country. j) Conveyance: Processing of personal data that implies the communication of the same inside or outside the territory of the Republic of Colombia when intended for the processing of such data by the Person in charge on behalf of the Person responsible. 3

4 k) Handling: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion. 3. PRINCIPLES The principles set out below are the general parameters that will be respected by CORFICOLOMBIANA in the processes of handling personal data. a) Principle of purpose: The processing of the personal data collected by CORFICOLOMBIANA S.A., must obey a legitimate purpose, which must be informed to the owner; b) Principle of freedom: The processing may only be carried out with the prior, express and informed consent of the owner. Personal data may not be obtained or disclosed without prior authorization or in the absence of a legal or judicial mandate releasing such consent; c) Principle of truth or quality: The information to be processed must be truthful, complete, accurate, up-to-date, verifiable and understandable. The processing of partial, incomplete, fractional or misleading data is prohibited; d) Principle of transparency: The right of the owner to obtain from CORFICOLOMBIANA S.A. or from the person in charge of handling, at any time and without any restrictions, information about the existence of data concerning the owner must be guaranteed; e) Principle of access and restricted circulation: Personal data, except for public information, may not be available on the Internet or through other means of mass communication or dissemination, unless access is technically controllable to provide restricted knowledge only to owners or authorized third parties. f) Principle of security: The information to be processed by CORFICOLOMBIANA S.A. must be protected by the use of technical, human and administrative measures necessary to provide security to records, to avoid unauthorized or fraudulent tampering, loss, consultation, use or access; g) Principle of confidentiality: All persons involved in the processing of personal data are required to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks involved in the handling of data. 4. POLICIES 4.1. AUTHORIZATION GRANTED BY THE OWNER The processing of personal data requires the prior and informed consent from the owner of such data, which must be obtained through the form authorization for the processing of personal data or through any other means established by the Corporation for that purpose, it being understood that all such must allow their subsequent consultation. 4

5 4.1.2 Without any exception, the data processing authorization form must be completed in order to engage natural persons such as customers, suppliers, contractors or officers. This document must be filed in the owner's folder, in the case of suppliers, contractors and officers; and for customers it must be digitized in the application defined for this purpose, as an integral part of the documentation requested at the time of engagement Any positive or negative data contained in any database of the person in charge of the processing of the information, without authorization from its owner, must be eliminated immediately once the absence of the same is noticed as a consequence of a request made by the owner through the respective claim The Corporation has designated the Commercial Area SAC as responsible for ensuring compliance with this policy; however, the answers to inquiries and complaints made by owners will be managed by the areas that manage the databases, as follows: Administrative services: suppliers and contractors. Payroll: officers. Corporate Commercial Management: customers The person responsible for processing shall have the duty to certify every six months to the person in charge of processing that the information provided has been authorized in accordance with the Law EVENTS IN WHICH AUTHORIZATION IS NOT REQUIRED The authorization of the owner will not be required in the following events: a) When the information is required by a public or administrative entity in the exercise of its legal functions or by a court order. b) In the case of public data. c) In cases of medical or health urgencies. d) When the processing of personal data is authorized by law for historical, statistical or scientific purposes. e) In the case of data related to the vital record of persons DELIVERY OF INFORMATION TO OWNERS, LEGAL REPRESENTATIVES, PROXIES AND/OR ASSIGNEES OR SUCCESSORS The Corporation, as responsible for the processing and/or in charge of the processing of personal data, must take into account the following rules when answering the inquiries or complaints filed by the owners of personal information, their legal representatives, proxies and/or assignees or successors: a) Verify the title of person who verbally formulates a request or inquiry, as follows: 5

6 If the request or inquiry is made personally at the main office, the display of any suitable identification document must be recorded. Such documents may be the following: In the case of persons of legal age: Citizenship or alien identification document. In the case of underage persons: Birth certificate of the child and citizenship identification document of the father or mother who exercises parental authority, or guardian. In the latter case, a copy of the judicial decision in which the designation was made must be attached. In the case of a person authorized by the owner, it must include the respective power of attorney granted by a notary public, or by the first political authority, in such places where there is no notary; with proof of recognition of the signature and content of the document. In the case of assignees or successors, the death certificate of the owner and civil record evidencing the relationship with the owner must be included. b) Verify that written inquiries are duly signed by the owner, who must prove his/her capacity as follows: i) By displaying any suitable identification document, in accordance with subparagraph a) above; or, ii) By any other means of identification. c) Verify that the capacity of legal representative, proxy and/or assignee or successor of the owner is duly accredited, as indicated in subparagraph a) above, when the request or inquiry is filed in writing by the person invoking any such capacities; Public entities of the executive branch, judicial or supervisory bodies and other disciplinary, fiscal or administrative investigation agencies requesting information from The Corporation in its capacity as responsible or in charge of processing, must expressly And unequivocally indicate in the corresponding request the specific purpose for which they require the information requested and the precise functions that have been conferred by law in relation to that purpose. These entities, bodies and dependencies will be subject to the fulfillment of the duties of the users of information, as established in the law. 5. DUTIES OF THE CORPORATION AS PERSON RESPONSIBLE FOR PROCESSING The Corporation, as the person responsible for treatment, must fulfill the following duties: a) To guarantee to the owner, at all times, the full and effective exercise of the Right of Habeas Data. b) To request and retain, on the conditions stipulated in the law, a copy of the respective authorization granted by the owner. 6

7 c) To duly inform the owner about the purpose of collecting the authorization and the rights he/she is entitled to under the authorization granted. d) To retain the information under the necessary security conditions to prevent its unauthorized or fraudulent tampering, loss, consultation, use or access. e) To ensure that the information provided to the person in charge of processing is truthful, complete, accurate, up-to-date, verifiable and comprehensible. f) To update the information, communicating in a timely manner to the person in charge of processing, all new information regarding the data previously provided and to take any other measures that may be necessary so that the information supplied to is kept up-to-date. g) To correct the information when it is incorrect and to communicate any relevant matters to the person in charge of processing. h) To provide the person in charge of processing, as the case may be, with only the data which handling has been previously authorized in accordance with the law. i) To require those who in charge of processing, respect for the conditions of security and privacy of the owner s information. j) To process any inquiries and claims filed in accordance with the terms indicated in the law. k) To inform the person in charge of processing when certain information is under discussion by the owner, once a complaint has been filed and the respective process has not been completed. l) To inform about the use given to the data at the request of the owner. m) To inform the data protection authority when there is evidence that there have been violations of security codes and there are risks in the management of the information of the owners. n) To comply with the instructions and requirements issued by the Superintendence of Industry and Commerce. 6. DUTIES OF THE CORPORATION AS PERSON IN CHARGE OF PROCESSING The Corporation, as the person in charge of treatment, must fulfill the following duties: a) To allow the owner, at all times, the full and effective exercise of the Right of Habeas Data. b) To retain the information under the necessary security conditions to prevent its unauthorized or fraudulent tampering, loss, consultation, use or access. c) To timely update, correct or delete any data under the terms of Law 1581/

8 d) To request the certification from the person in charge of processing, of the existence of the authorization granted by the owner. e) To update the information reported by the persons responsible for processing within five (5) business days from the date of receipt. f) To process all inquiries and claims filed by owners on the terms indicated in Law 1581/2012. g) To record the legend RECLAMO EN TRÁMITE (CLAIM IN PROCESS) in the database as regulated in Law 1581/2012. h) To insert the legend INFORMACIÓN EN DISCUSIÓN JUDICIAL (INFORMATION UNDER JUDICIAL DISCUSSION) in the database once notified by the competent authority of judicial processes related to the quality of personal data. i) To refrain from circulating information that is being disputed by the owner and which blocking has been ordered by the Superintendence of Industry and Commerce. j) To allow access to the information only to those who may have access to it. k) To inform the data protection authority when there is evidence that there have been violations of security codes and there are risks in the management of the information of the owners. l) To comply with the instructions and requirements issued by the Superintendence of Industry and Commerce. 7. RIGHTS OF OWNERS The owner of the personal data will be entitled to the following rights: a) To know, update and correct his/her personal data regarding the persons responsible or in charge of processing. This right may be exercised, inter alia, with respect to partial, inaccurate, incomplete, fractioned, misleading data or data which handling has been expressly prohibited or has not been authorized. b) To request proof of the authorization granted to the person responsible, except when expressly excepted as a requirement for processing, in accordance with the provisions of article 10 of Law 1581/2012. c) To be informed by the person responsible for processing, upon request, of the use that he has given to his/her personal data. d) To file complaints with the Superintendence of Industry and Commerce for violations of the provisions of the current legislation. 8

9 e) Save for the exceptions of law, to revoke the authorization and/or request the deletion of the data when the principles, rights and constitutional and legal guarantees are not respected in the processing of data. The revocation and/or deletion shall be applicable when the Superintendence of Industry and Commerce has determined that the person responsible has incurred in conducts contrary to the law and to the Constitution in the handling of such data. f) To have free access to his/her personal data that has been processed. 8. PROCEDURES 8.1 INQUIRIES The owners, their legal representatives, proxies, successors or assignees and other persons authorized by the Law, may consult the personal information of the owner contained in any database held by the Corporation, and, in its capacity as person responsible for processing and/or person in charge of processing, it must supply to the owners all the information contained in the individual record or that related to the identification of the owner. The inquiry will be address by the Corporation within a maximum term of ten (10) business days from the date of receipt thereof. When it is not possible to address the inquiry within such time period, the interested party will be informed of the reasons for the delay and of the date when the inquiry will be addressed, which in no case may exceed five (5) business days following the expiration of the first period. 8.2 CLAIMS The owner, his/her legal representative and/or successors or assignees who consider that the information contained in a database held by the Corporation must be corrected, updated or deleted, or when they notice any alleged breach of any of the duties contained in Law 1581/2012, may file a complaint, which will be processed under the following rules: 1. The complaint shall be made through a request addressed to the Corporation, with the identification of the owner, the description of the events that give rise to the complaint, dates, address and enclosing any documents that they wish to assert. If the complaint is incomplete, the interested party will be required to remedy the faults within five (5) business days of receipt of the claim. After two (2) months from the date of the request without the applicant submitting the information requested, it shall be understood that he/she has withdrawn the complaint. If the person receiving the complaint is not competent to solve it, he/she must transfer it to the appropriate person within a maximum term of two (2) business days and will inform the interested party about this situation. 2. Once a complete complaint has been received, the legend reclamo en trámite (claim in process) and the reason for it must be included in the database within a period no longer than two (2) business days. This legend must be maintained until the complaint is settled. 9

10 3. The maximum term to address the complaint shall be fifteen (15) business days from the day following the date of receipt. When it is not possible to deal with the complaint within such term, the interested party will be informed of the reasons for the delay and the date when his/her complaint will be dealt with, which in no case may exceed eight (8) business days following the expiration of the first time period. 4. Replies must be sent to the address indicated by the owner at the time of submitting his/her request and if the address has not been specified, they must be sent to the last address registered with the Corporation. 5. Requests or claims will be managed in accordance with the procedures established within the Corporation and must leave a copy of the response as management support. The referral of inquiries and complaints by the Corporation, as long as it is in charge of the processing of the information, does not relieve the persons responsible for processing (who possess the source of the information) from the obligation to be accountable to the owner for all and each one of the issues raised within the term indicated in the law. In this regard, the Corporation must inform the owner of everything that has been expressed by the person responsible for processing. DUTY TO DECLARE THAT CERTAIN INFORMATION IS UNDER DISCUSSION BY ITS OWNER Based on the duty established in paragraph 1 of article 15 of Law 1581/2012, it is the duty of the person responsible for processing to inform the person in charge of processing that certain information is under discussion by the owner to include the legend reclamo en trámite (claim in process). If the person responsible for processing the information solves the complaint submitted by the information owner within two (2) business days following the date of filing, there will be no need to inform the person in charge of processing that the report is under discussion. When the Superintendence of Industry and Commerce notifies the Corporation of the commencement of an administrative action or notifies the opening of an investigation aimed at determining the origin of the deletion, updating or correction of the data of a specific owner, they must inform the person responsible or in charge of processing the information, as applicable, within the next two (2) working days to include the legend actuación administrativa o investigación en trámite (administrative action or investigation in process), which must remain until the final decision of the Entity is taken. In cases where the owner claims identity theft, the Corporation must inform the person in charge of processing to include the respective legend regarding the owner and the obligation or obligations affecting him/her as a result of the identity theft. In any case, the person responsible for processing must carry out the corresponding procedure in order to establish whether there are indications that lead to the deletion of the report of the information, both positive and negative. If as a result of the procedure it is determined that the deletion of the information is not applicable, the owner may go to the Superintendence of Industry and Commerce for a decision MEANS OF COMMUNICATION FOR THE EXERCISE OF THE RIGHTS AND THE ATTENTION OF INQUIRIES AND COMPLAINTS FROM OWNERS For the exercise of their rights and the attention of inquiries and complaints, the owner may use the channels authorized by the Corporation: through the customer service hotline in 10

11 Bogota or in the rest of the country through the national hotline or by In the case of customers, complaints may be also addressed to the Financial Consumer Protection Office of CORFICOLOMBIANA S.A., as defined in the Complaints and Claims Procedure with the Financial Consumer Advocate. 9. VALIDITY This Policy is governed by the terms of Law 1581/2012. The validity of the databases mentioned herein and the corresponding personal data will be kept in accordance with the contractual terms or with the terms of the law on the retention of documents. 10. CHANGES SUBSEQUENT TO THE CREATION OF THE POLICY DATE VERSION NATURE OF THE CHANGE September 06/ Creation of the document. The name of the document is changed from policy on personal data protection to policy on personal data processing. June 17/ Change of the area responsible for the adoption and implementation of policies consistent with the Law on the Protection of Personal Data (formerly: Human Resources Management and Administration, currently: Commercial Management - SAC). The policy is aligned according to the new unified clause of authorization for the processing of personal data issued by AVAL. The authorization form for the processing of personal data is replaced and the Privacy Notice is updated. The previous modifications have been approved in minutes No of May 11,