Diez Hotel Categoría Colombia ’s Data Policy, in Medellín
Information about management policies and personal information protection
DIEZ MEDELLIN SAS is committed to fulfill what is disposed in the law 1581 of 2012 and the 1377 ordinance of 2013, whereby it discloses to its clients’ the present information of management policies and personal information protection.
To which DIEZ MEDELLIN SAS will be in obligation to comply with, as responsible of the management, its employees and those third parties that by disposition of DIEZ MEDELLIN SAS, assume the responsibility of the management.
1. AIM: To inform the clients’ the extent and the purpose of the management to which their personal information will be subject to by part of DIEZ MEDELLIN SAS, as well as to have knowledge of their rights, procedures and mechanisms to undergo any process involving their personal information. 2. DEFENITIONS:
For the effects of the implementation of the present policy and in accordance with the current legislation, the following definitions will be applicable:
Authorization: it is the previous authorization, specifically and informed of the client authorizing the management of their personal information.
Privacy notice: verbal or written communication generated by the party in charge, directed to the client in refers to the management of their personal information, through which they are informed about the current policies in reference to information management which will be applicable, the means by which they can be accessed and the purpose of the management to which the personal information is intended.
Data Bases: it is an organized group of personal information which is the object of management, electronic or not, whichever the modality of the information, storage, organization and access.
Personal Data: it is any form of information, related or that can be associated to one or varies natural or juridical persons determined or determinable.
Public data: it is personal information which the norms and the constitution have determined specifically as public and, to which the collection and management, is not necessary the authorization of the client to use the information. For example, the information pertaining to a person’s marital status, to their profession or occupation, to their standing as businessmen or a public servant. Due to their nature, public data can be contained in public records, public documents, official newsletters and judicial sentences properly binding that are not subject to reserve.
Semiprivate data: it is personal information that does not have an intimate nature, it is not reserved nor public and whose knowledge of or disclosure can interest not only the client but a specific sector, group of persons or society in general.
Sensitive data: it is personal information that concerns the clients’ intimacy or which the wrongful use of can generate discrimination, including those that reveal, racial or ethnic origin, political position, religious, moral or philosophical beliefs, belonging to a labor union, social organization, human rights organization or favors any political group, guaranteeing rights and guarantee of any political group of the opposition, as well as information in relation to health, sexual habits and bio-metric information.
Management officer: it is a natural or judicial person, public or private, who on their own or in association with others, proceeds to the management of personal information given by the responsible of the management.
Responsible of the management: it is the person, natural or judicial, public or private, who on their own or in association with others, decides on the data base and/or the management of personal information.
Client of personal information: it is the person, natural or judicial, who the information refers to in the data base and who is the subject of the habeas data right.
Management of personal information: it is all the operation and procedure of the system, electronic or not, that permits the collection, conservation, organization, storage, modification, relation, use, circulation, evaluation, block, destruction, and in general, the procedure of personal information, likewise, its transfer to a third party through communication, consult, interconnection, stoppage, data messages.
3. REQUEST OF AUTHORIZATION TO THE CLIENT OF PERSONAL INFORMATION
To obtain and collect personal information from the client, DIEZ MEDELLIN SAS, will implement automated technical and written means, that will permit to have evidence of said authorization for an eventual consult or in case it is needed. The responsible at the moment of the collection of personal information will request the authorization from the client, indicating the purpose of the information.
In the event that DIEZ MEDELLIN SAS can not contact the client of personal information about the present policy of management, a privacy notification will be published, which will be conserved for later consultation by part of the client of the information and/or of the industry and commerce superintendence.
5. THE PURPOSE AND MANAGEMENT OF THE COLLECTION OF PERSONAL INFORMATION The purpose of the information: • To carryout the accomplishment of the contracts underwritten between DIEZ MEDELLIN SAS with their clients, suppliers and employees.
• To contact in case of complaints, claims, suggestions or evaluation of service.
• To send commercial information, publicity or promotions about the products and/or services with the purpose of promoting and/or inviting.
• To develop the selection process, evaluation, contract signing, offers of employment and legal processes. To generate payroll, social securities, tax contributions. To keep in our data base information about emergency contact numbers, academic background and career.
• To make orders and payments to suppliers and report tax information about purchases to suppliers.
• To protect visitors and employees inside the facilities, through CCTV cameras installed in varies areas, these will be used only for security purposes of the persons and elements that are found in community areas of DIEZ MEDELLIN SAS facilities and can be used as evidence in any type of internal or external process, if the victim reports it to the competent authorities and these take a stance. The information will only be used for the purposes here stated and thus, DIEZ MEDELLIN SAS will not proceed to sell, transmit or disclose it, unless an express written authorization exists. Management of information: • The collection of information for the management process, will fall upon the personal information that DIEZ MEDELLIN SAS receives and stores, it will contain all the information that is provided, supplied or given when the website www.diezhotel.com is visited, likewise, all related to the services or reservations, supplied to DIEZ MEDELLIN SAS. All the information is located in our coordinated servers from our offices by the IT department, these shall not be sold, nor will they be rented to third parties and will be maintained under privacy. The access of employees to this information shall be controlled. • In the management of public information, the information collected will correspond to name, identification number, profession, nationality, date of birth, email address, personal likes and preferences, work or occupation, travel habits, among others. • The entrance of employees at DIEZ MEDELLIN SAS to the facilities and begin their shifts, will register their fingerprint on a bio-metric system. This register will only be used for this purpose, employee information collected through varies sources, is managed and under custody of the administrative department. • The video recordings obtained through CCTV cameras in the building are controlled and monitored 24 hours a day by the co-owner y stored for 15 days in a system of video surveillance. The video recordings obtained through CCTV cameras in the hotel are recorded while the areas are in use and will only be consulted as evidence for any administrative process, external consulting for a client will be done if the competent authority requires doing so, the validity of this information is of 3 days. • DIEZ MEDELLIN SAS, can subcontract a third party as support in the development of the operation. When personal information is given to a third party, DIEZ MEDELLIN SAS will warn about the need to protect said information with appropriate means of security, prohibits the use of said information with a personal purpose, and is asked not to disclose said information. • DIEZ MEDELLIN SAS will not treat data considered as sensitive, nor will the gathering be oriented as sensitive. • The collection of information in reference to children or minors, and the respective authorization, shall always be given through a legal representative, the management of said information shall respond and respect the higher interest of the child or minor, and their fundamental rights. • The data and information in general that is received when the website www.diezhotel.com is accessed with the purpose of optimizing and having a more effective experience, cookies can be used, as well as the information of websites visited, of the IP address, through a process of recognition and tracking to permit identification of preferences and identity when visits are done again, from their IP address, this will not be associated or is linked to their name nor their personal information. The user has the possibility of setting up their navigator so they are informed of the reception of cookies, being able to, if they wish, to deny the installation on their hard drive. However, to access Diez Hotel website cookies will not be noted.
The clients’ rights to their personal information The rights the clients have to the management of their personal information are: • To know, validate and/or update their personal information. This right can be exercised, among others to partial, inexact, incomplete, fractioned information, that can indulge in a mistake or those that are specifically prohibited to management or that have not been authorized. • To ask for evidence of the authorization given, except when the requirement is specifically exempt to the management, in conformance with what is stated in the 10th article of the 1581 law of 2012. • To request DIEZ MEDELLIN SAS or the party in charge of the management about the use being given to their personal information. • To report to the industry and commerce superintendence complaints for infractions to the law. • To revoke the authorization and/or request the suspension of the information when they consider the principles were not respected by part of the party in charge of the management and has incurred in an opposite conduct to the law or when there is not a binding law to store the personal information in the data bases of the party in charge. • To have free access to their personal information, which has been object to management at least once a calendar month, and any time substantial modifications exist to the management policies which cause consultation. In the case of requests which exceeds a periodicity of more than one each calendar month, DIEZ MEDELLIN SAS, will generate a cost to the client for shipping costs, reproduction and in the given case, document certification. • To have previous and effective knowledge of any modifications to the policies prior to the implementation of the new modifications and to have easy access to the text. • To know the department or authorized person by DIEZ MEDELLIN SAS, to whom they can present a complaint, consult, claim and any request about their personal information. The clients can exercise their rights by law and perform the procedures here stated, directly or through the person able to do so authorized by the general protection of personal information regime, by means of the national identification (cedula de ciudadania) or original document of identification. Minors can exercise their rights through their parents or adult with legal custody, who must prove legal custody through the relevant documents. Responsibilities of the party in charge of the management DIEZ MEDELLIN SAS, shall comply with the following in respect to the management of information of their clients: • Inform clients in a clear and effective form about the purpose of the collection and the use given to their personal information and the rights they have. • To process the consultations and claims formulated in the terms here stated, described in number 9 of this document. • To conserve the information under the security conditions necessary to prevent its alteration, lost, consult, unauthorized or fraudulent access. • To require the party in charge of the management in any moment, to respect the security and privacy conditions of the information of the user. • To comply with the instructions and requirements that the industry and commerce superintendence imparts. Responsible for the protection of personal information in DIEZ MEDELLIN SAS DIEZ MEDELLIN SAS has entrusted the general direction, quality analyst and customer service departments as the responsible of the attention of the clients. These departments will be jointly responsible of the reception and attention of petitions, complaints and claims. In a specific manner the consultation and claims will be processed as personal information as stated by the law.
Some of the functions of these areas in relation to personal information are:
• Receiving the requests from clients of personal information, processing and replying those which are based on the law, for example: request for updating personal information, request of suspension of personal information, request for the use and management of the information, request of evidence of authorization given, when it has proceeded in conformance with the law.
• To reply to the clients of personal information about those requests that do not proceed in conformance with the law.
Contact information of the General Direction are: Address: Calle 10ª No 34 -11 Int. 127, Medellín Antioquia Email address: email@example.com Telephone: (054) 448-10-34 Person in charge of contact: General Management
Procedures to exercise the rights of the client of personal information
DIEZ MEDELLIN SAS will dispose of mechanisms so the client or representative of a minor, form consultations in respect to personal information of the client that are in the data bases of DIEZ MEDELLIN SAS, these mechanisms can be in person through a teller, or electronic as in by email. Whichever the mean, DIEZ MEDELLIN SAS shall keep proof of the consultation and reply.
Before having access, the party responsible of attending the consultation shall verify:
• The identity of the client of personal information or their representative. To do so, they can be asked for their national identification card (cedula de ciudadania) or original identification document, and the special or general authorizations if the case merits.
• If the requestor has the ability to form the consultation, the party responsible shall collect all the information that is contained in the individual registry of this person or that is related with the identification of the client in the data base of DIEZ MEDELLIN SAS.
• The party responsible of attending the consultation shall reply the requestor as long as they have the right to it for being the rightful owner of the personal information or the legal representative in case of a minor. This reply shall be sent within the next ten (10) working days after the date the request was received. This reply will be binding even in the cases where it is considered that the requestor is not in the capacity for carrying out the consult, in this case, the requestor will be informed and will be given the option to show interest and be able to show additional documentation.
• In case the request cannot be attended within the next ten (10) working days after the consult, the requestor will be contacted to inform the reasons their request is still in procedure.
• The final reply to all request shall not be delayed more than fifteen (15) working days after the date the initial request was received.
DIEZ MEDELLIN SAS will dispose of mechanisms so that the client or legal representative of a minor, can form CLAIMS in respect to personal information handled by DIEZ MEDELLIN SAS which may be subject to correction, updating or suspension, the alleged failure of the law by DIEZ MEDELLIN SAS. These mechanisms could be in person with a teller, or electronic as by email, whichever the means of communication, DIEZ MEDELLIN SAS shall keep proof of the consult and their reply.
THE CLAIM shall be presented by the client or the legal representative, in the following order:
• should be directed to DIEZ MEDELLIN SAS
• Should contain the name and identification number of the client.
• Should contain a description of the facts that give way to the claim and end result of the claim (updating, correction, suspension, or fulfillment of duties).
• Should indicate the address, contact information and identification of the claimant.
• Should be accompanied by all the documentation that the claimant wishes to make available.
Before proceeding, the party responsible of attending the claim will verify:
• The identity of the client of personal information or their representative. In order to do so, they shall be asked for the national identification card (cedula de ciudadania) or original document of identification of the client, and the special or general authorization or whichever is the case.
• If the claim or the additional documentation is incomplete, DIEZ MEDELLIN SAS will inform the claimant only once within the next five (5) days after the reception to supply the missing documentation. If the claimant does not present the requested documentation or information within the following two (2) months after the date of the inicial claim, it will be understood the claimant has desisted from the claim.
• If by any means the person who receives the claim inside DIEZ MEDELLIN SAS is not competent in resolving it, a transfer will be made to the General Direction and/or Quality Management, within the following two (2) days to the reception of the claim, and will inform of said remission to the claimant.
• Once the claim is received with the complete documentation, it will be included in the data base of DIEZ MEDELLIN SAS where the clients’ claim information will be stored under the heading ¨claim in procedure¨ and the motive of said claim, in a term of no more than two (2) working days. This heading shall be kept until the claim is decided.
• The maximum term to attend a claim shall be of fifteen (15) working days starting the next day of the reception. When it is not possible to attend the claim within said term, the claimant will be informed the reasons of the delay and the date the claim will be attended, which in no case can surpass eight (8) working days after the expiration of the first term.
Collected information before the expedition of the decree 1377 of 2013
In conformance with what is disposed in numeral 3 of the 10th article of the regulatory decree 1377 of 2013 DIEZ MEDELLIN SAS will proceed to publish a newsletter on its official website www.diezhotel.com directed to the clients of personal information for effects of knowing about the present policy of management of information and the modes to exercise their rights as clients of personal information which is housed in the data bases of DIEZ MEDELLIN SAS.
The information collected will always be treated in a confidentiality setting, it will not be issued, transferred or given to any person different or apart to DIEZ MEDELLIN SAS. The data base is submitted to security protocols which ensure the protection of personal information from unauthorized or fraudulent access, adulteration, lost and consult.
Date of validation entry
The present policy of personal information was created on the 30th of august 2016 and will enter in validation on the 20th of September 2016. The period of validation of the data base will be undetermined or for the time that is reasonable and necessary in accordance to the purpose of the management exposed in the present policy. Any considerable change to the present policy shall be notified in a timely fashion to the clients of personal information, in an effective way, before the new policies are implemented.