Etairos Business Solutions

Data processing policy

Protection of personal data or any other type of information that is used or resides in its databases and files

ETAIROS BUSINESS SOLUTIONS S.A.S. (hereinafter the "Company"), acting as the Data Controller for Personal Data, seeks to guarantee the protection of personal data or any other type of information that is used or resides in its databases and files, complying with the constitutional right of all individuals to know, update, and rectify the information collected about them in databases or files. All of this is in development of the provisions established by Article 15 of the Political Constitution, Law 1266 of 2008, and Law 1581 of 2012.

Therefore, this document seeks to establish the criteria for obtaining, collecting, using, treating, processing, exchanging, transferring, and transmitting personal data, and to set the responsibilities of the Company and its employees in the handling and processing of personal data residing in its databases, striving for the protection of rights such as Habeas Data, privacy, intimacy, good reputation, image, and university autonomy. For this purpose, all actions shall be governed by principles of good faith, legality, information self-determination, freedom, and transparency. Subjects of protection based on this policy will be those individuals who, in the exercise of any activity, including labor and commercial activities, whether permanent or occasional, may supply any type of information or personal data to the Company, which acts as the data controller and must allow the data owner to know, update, and rectify it.

In accordance with the foregoing, the procedures established by the Company for the processing of third-party personal data are described below.

The Company's privacy policies will be subject to:

2.1. Political Constitution, Article 15.

2.2. Law 1266 of 2008.

2.3. Law 1581 of 2012.

2.4. Regulatory Decrees 1727 of 2009, 2952 of 2010, and 1377 of 2013.

2.5. Rulings of the Constitutional Court C-1011 of 2008, and C-748 of 2011.

Any gap in the cited regulations will be interpreted according to the provisions of Colombian legislation.

In accordance with current legislation on the matter, the following definitions are established, which will be applied and implemented by adopting interpretation criteria that guarantee a systematic and comprehensive application, and in line with technological advances, technological neutrality, and other principles and postulates governing the fundamental rights that surround, orbit, and encompass the right of habeas data and personal data protection.

Authorization: Prior, express, and informed consent of the data owner to carry out the Processing of personal data;

Database: Organized set of personal data subject to Processing;

Personal data: Any information linked or that can be associated with one or more specific or identifiable natural persons;

Data Processor: Natural or legal person, public or private, who by themselves or in association with others, performs the processing of personal data on behalf of the data controller;

Data Controller: Natural or legal person, public or private, who by themselves or in association with others, decides on the database and/or the processing of the data.

Data Owner: Natural or legal person whose personal data is subject to processing.

Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.

Sensitive data: Sensitive data is understood as that which affects the privacy of the data owner or whose improper use may generate discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights organizations, or that promotes the interests of any political party or guarantees the rights and guarantees of opposition political parties, as well as data relating to health, sex life, and biometric data, among others, the capture of still or moving images, fingerprints, photographs, iris, voice, facial, or palm recognition, etc.

The privacy policies will be applicable to the Company, its dependents, whether affiliates or subordinates, which by virtue of the legal and responsible development of the company's corporate purpose have obtained data from distributors, suppliers, customers, collaborators, workers, or third parties in general of whom it has knowledge or has collected information in accordance with the legal stipulations in force at the time the information was captured.

In the development, interpretation, and application of Law 1581 of 2012, by which general provisions are issued for the protection of personal data and the regulations that complement, modify, or add to it, the following guiding principles will be applied in a harmonious and comprehensive manner in the collection, management, use, processing, storage, and exchange of personal data, defined according to the Law:

Principle of legality: In the processing of personal data, application will be given to the current and applicable provisions governing the processing of personal data and other related fundamental rights.

Principle of freedom: The processing of personal data can only be carried out with the prior, express, and informed consent of the Data Owner. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal, statutory, or judicial mandate that relieves consent.

Principle of purpose: The processing of personal data accessible to and collected by the Company will be subordinated to and serve a legitimate purpose, which must be informed to the respective personal data owner.

Principle of truthfulness or quality: The information subject to use, capture, collection, and processing of personal data must be true, complete, accurate, updated, verifiable, and understandable. The Processing of partial, incomplete, fractioned, or misleading data is prohibited.

Principle of transparency: In the processing of personal data, the Data Owner's right to obtain from the Company, at any time and without restrictions, information about the existence of any type of information or personal data of their interest or ownership must be guaranteed.

Principle of restricted access and circulation: Personal data, except public information, may not be available on the Internet or other media of mass dissemination or communication, unless access is technically controllable to provide restricted knowledge only to Data Owners or authorized third parties. For these purposes, the Company's obligation will be one of means.

Principle of security: Personal data and information used, captured, collected, and subject to processing by the Company will be protected to the extent that technical resources and minimum standards allow, through the adoption of technological protection measures, protocols, and all kinds of administrative measures necessary to provide security to electronic records and repositories, preventing their alteration, modification, loss, consultation, and in general against any unauthorized use or access.

Principle of confidentiality: Each and every person who manages, handles, updates, or has access to information of any kind found in Databases or Data Banks undertakes to preserve and maintain strictly confidential and not disclose to third parties all personal, commercial, accounting, technical, business, or any other type of information supplied in the execution and exercise of their functions. All persons currently working or linked in the future for such purpose, in the administration and management of databases, must sign an additional document or addendum to their labor or service provision contract to ensure such commitment. This obligation persists and is maintained even after their relationship with any of the tasks comprising the Processing has ended.

In attention to and in line with the provisions of current and applicable regulations on personal data protection, the personal data owner has the following rights:

To access, know, rectify, and update their personal data before the Company, in its capacity as data controller. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, or misleading data, or data whose processing is expressly prohibited or has not been authorized;

By any valid means, to request proof of the authorization granted to the Company, in its capacity as Data Controller, except in cases expressly excepted by Law;

To receive information from the Company, upon request, regarding the use given to their personal data;

To turn to legally constituted authorities, especially the Superintendency of Industry and Commerce, and file complaints for violations of the provisions in current regulations and applicable rules, after completing the consultation or requirement process before the Data Controller.

To modify or revoke the authorization and/or request the deletion of data when the principles, rights, and constitutional and legal guarantees in force are not respected during the Processing. Excepting cases in which the data owner has a legal or contractual duty to remain in the database of the data controller;

To access free of charge their personal data that has been subject to processing. The information requested by the data owner may be supplied by any means, including electronic ones, as required by the data owner. The Company must make free and easily accessible mechanisms available to the data owner to submit the data deletion request or the revocation of the authorization.

The Company, when acting as Personal Data Controllers, will comply with the following duties:

To guarantee the Data Owner, at all times, the full and effective exercise of the right of habeas data.

To request and keep a copy of the respective authorization granted by the data owner.

To duly inform the data owner about the purpose of the collection and the rights assisting them by virtue of the authorization granted.

To keep the information under the security conditions necessary to prevent its alteration, loss, consultation, use, or unauthorized or fraudulent access.

To guarantee that the information supplied to the data processor is true, complete, accurate, updated, verifiable, and understandable.

To update the information, communicating in a timely manner to the data processor all updates regarding the data previously supplied and adopt the other necessary measures so that the information supplied to the latter is kept updated.

To rectify the information when it is incorrect and communicate the relevant information to the data processor.

To supply the Data Processor, as the case may be, only with data whose Processing is previously authorized.

To require the Data Processor at all times to respect the security and privacy conditions of the Data Owner's information;

To process the consultations and claims made.

To refrain from employing the information when it is under discussion by the Data Owner, once the claim has been submitted and the respective process has not ended.

To inform, at the request of the Data Owner, about the use given to their data.

To inform the data protection authority when violations of security codes occur and risks exist in the administration of the Data Owners' information.

To comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

The Company must adopt procedures to request, at the latest at the time of collection of their data, the prior, express, and informed authorization of the data owner for its processing and inform them of the personal data that will be collected as well as all specific purposes of the processing for which consent is obtained. The collection of data must be limited to those personal data that are relevant and adequate for the purpose for which they are collected and must be obtained by any means that can be subject to subsequent consultation and verification by the data owner.

The Data Owner's authorization will not be necessary when dealing with:

Information required by a public or administrative entity in the exercise of its legal functions or by court order.

Data of a public nature.

Cases of medical or sanitary urgency.

Processing of information authorized by law for historical, statistical, or scientific purposes.

Data related to the Civil Registry of Persons.

The collection, storage, use, and circulation of personal data by the Company requires the free, prior, express, and informed consent of the data owner.

Obtaining authorization: The authorization may be contained in a physical or electronic document, data message, websites, in any other format that guarantees its subsequent consultation, or through a suitable technical or technological mechanism that allows expressing or obtaining consent via click or double click, through which it can be unequivocally concluded that if a conduct by the data owner had not occurred, the data would never have been captured and stored in the database. The authorization will be generated by the Company and made available to the data owner in advance and prior to the processing of their personal data.

Proof mechanisms. The Company will use the technological or physical mechanisms it currently has; and will implement and adopt the actions directed and necessary to maintain records or suitable technical or technological mechanisms of when and how it obtained authorization from personal data owners for the processing of the same. To comply with the foregoing, physical archives or electronic repositories may be established directly or through third parties contracted for such purpose.

Purpose of authorization. The Company guarantees that the information collected from third parties will be used correctly and for lawful purposes, in accordance with current regulations and without grievance to the right of habeas data contained in the Political Constitution of Colombia. Consequently, the information obtained will be used to develop by any means the corporate purpose of the Company, specifically to:

  • Consult, verify, and/or corroborate the payment capacity, background, and/or other qualities or variables, with the aim of determining the viability of starting the relationship or linkage with the Company.
  • Achieve efficient communication related to our products, and other activities related to the corporate purpose of the Company.
  • Perform promotional and/or marketing activities.
  • Conduct consumption preference studies.
  • Fulfill obligations contracted by customers, consumers, suppliers, and other persons linked to the Company.
  • Inform about changes in the Company's services.
  • Evaluate service quality.
  • Conduct internal studies on consumption habits of services and products.

The Company will guarantee the right of access when, upon prior accreditation of the data owner's identity, legitimacy, or personality of their representative, making the respective personal data available to them in a thorough and detailed manner without any cost or expense. The Company will allow such access only once within each calendar month, allowing the data owner the possibility to know and update them.

The rights of data owners may be exercised by the following persons:

By the data owner, who must sufficiently accredit their identity through the different means made available by the Company;

By the data owner's successors in interest (in cases where the data owner is absent due to death or disability), who must accredit such status;

By the representative and/or attorney-in-fact of the data owner, upon prior accreditation of the corresponding representation or power of attorney;

By stipulation in favor of another or for another.

In the Processing, respect for the prevailing rights of minors will be ensured. The Processing of personal data of minors is prohibited, except for data that is of a public nature.

It is the task of the State and educational entities of all kinds to provide information and train legal representatives and tutors on the eventual risks minors face regarding the improper processing of their personal data, and to provide knowledge about the responsible and safe use by children and adolescents of their personal data, their right to privacy, and the protection of their personal information and that of others.

Use and processing of data classified as sensitive may be made when:

The Data Owner has given their explicit authorization to said processing, except in cases where by law the granting of such authorization is not required.

The Processing is necessary to safeguard the vital interest of the data owner and they are physically or legally incapacitated. In these events, the legal representatives must grant their authorization.

The Processing refers to data that is necessary for the recognition, exercise, or defense of a right in a judicial proceeding.

The Processing has a historical, statistical, or scientific purpose. In this event, measures leading to the deletion of the Data Owners' identity must be adopted.

Data owners may consult the personal information of the Data Owner residing in any database. Consequently, the Company will guarantee the right of consultation, supplying the data owners with all the information contained in the individual record or linked to the identification of the Data Owner. Regarding the attention to personal data consultation requests, the Company guarantees:

To enable electronic communication means or others it considers relevant.

To establish forms, systems, and other simplified methods, which must be informed in the privacy notice.

To use the customer service or claims services it has in operation.

The procedure for making consultations will be subject to the following rules:

The consultation will be made through the most expeditious communication mechanism that has been used between the parties through their commercial, labor, or whatever relationship it may be. Particularly, the Company has enabled the email address (info@etairos.tk).

The consultation will be attended by the Company within a maximum term of ten (10) business days counted from the date of receipt thereof. When it is not possible to attend the consultation within said term, the interested party will be informed, stating the reasons for the delay and indicating the date on which their consultation will be attended, which in no case may exceed five (5) business days following the expiration of the first term.

The response to the consultation will be sent by any suitable means according to the information residing in the Company's database or that which has been communicated at the time the consultation was made.

The actions and procedures indicated above may be promoted directly by the Information Owner, their successors in interest, or through a duly accredited representative.

The Data Owner who considers that the information contained in a database of the Company should be subject to correction, update, or deletion, or when they notice the alleged breach of any of the duties contained in the Law, may file a claim before the Data Controller or the Data Processor, which will be processed under the following rules:

The claim will be made by means of a request addressed to the Data Controller or the Data Processor through the means enabled by the Company indicated in the privacy notice or to the email address (info@etairos.tk), which must contain at least the following information: specifying the name and address of the data owner or any other means to receive the response, the documents accrediting the identity or personality of their representative, and a clear and precise description of the personal data regarding which the data owner seeks to exercise any of the rights. If the claim is incomplete, the interested party will be required within five (5) days following receipt of the claim to remedy the faults. After two (2) months from the date of the requirement without the applicant presenting the required information, it will be understood that they have abandoned the claim.

In the event that the person receiving the claim is not competent to resolve it, they will transfer it to whom it corresponds within a maximum term of two (2) business days and inform the interested party of the situation.

Once the complete claim is received, a legend stating «claim in process» and the reason for it will be included in the database within a term not exceeding two (2) business days. Said legend must be maintained until the claim is decided.

The maximum term to attend the claim will be fifteen (15) business days counted from the day following the date of its receipt. When it is not possible to attend the claim within said term, the interested party will be informed of the reasons for the delay and the date on which their claim will be attended, which in no case may exceed eight (8) business days following the expiration of the first term.

The actions and procedures indicated may be promoted directly by the Information Owner, their successors in interest, or through a duly accredited representative.

The Company has the obligation to rectify and update, at the request of the data owner, the information of the latter that turns out to be incomplete or inaccurate, in accordance with the procedure and terms indicated above. In this regard, the following will be taken into account: In requests for rectification and update of personal data, the data owner must indicate the corrections to be made and provide the documentation supporting their request. The Company has full freedom to enable mechanisms that facilitate the exercise of this right, provided that they benefit the data owner. Consequently, electronic or other means considered relevant may be enabled.

The Company may establish forms, systems, and other simplified methods, which must be informed in the privacy notice and which will be made available to interested parties on the website (www.etairos.tk).

The data owner has the right, at all times, to request from the Company the deletion (removal) of their personal data when:

They consider that the data is not being treated in accordance with the principles, duties, and obligations provided for in current regulations;

They have ceased to be necessary or relevant for the purpose for which they were collected;

The period necessary for the fulfillment of the purposes for which they were collected has been exceeded;

This deletion implies the total or partial removal of personal information according to what is requested by the data owner in the records, files, databases, or processing carried out by the Company. It is important to note that the right of cancellation is not absolute and the responsible party may deny the exercise of the same when:

The data owner has a legal or contractual duty to remain in the database.

The deletion of data obstructs judicial or administrative actions linked to fiscal obligations, the investigation and prosecution of crimes, or the updating of administrative sanctions.

The data is necessary to protect the legally protected interests of the data owner; to perform an action based on the public interest, or to comply with an obligation legally acquired by the data owner.

Personal data owners may revoke consent to the processing of their personal data at any time, provided that it is not prevented by a legal or contractual provision. To do this, the Company must establish simple and free mechanisms that allow the data owner to revoke their consent, at least by the same means through which it was granted. It should be taken into account that there are two modalities in which the revocation of consent can occur: the first can be over the totality of the consented purposes, that is, the Company must stop processing the data owner's data completely; the second can occur over specific types of processing, such as for advertising or market study purposes. With the second modality, that is, the partial revocation of consent, other purposes of the processing that the responsible party, in accordance with the authorization granted, can carry out and with which the data owner agrees, remain safe.

The Information Owner expressly authorizes that the entirety of their personal information may be transferred abroad, subject to applicable legal requirements, in the development of international relations. The information will be transferred for all relationships that may be established with the Company. Without prejudice to the obligation to observeNormally I can help with things like this, but I don't seem to have access to that content. You can try again or ask me for something else.