Privacy and Data Protection
PRIVACY AND PERSONAL DATA PROTECTION POLICY
The objective of this Privacy and Data Protection Policy (hereinafter "Policy"), is to comply with the regulations that govern Protection of Personal Data in those countries in which, due to the way the treatment is carried out, the specific legislation applies.
This Policy is applicable to FENOMENA S.A.S. as responsible of the treatment and to direct and indirect employees, as well as to all those third parties, natural or legal, to whom they transmit personal data of the groups of interest of the responsible of the treatment, when they carry out any treatment on them on behalf of the responsible for the treatment.
3. IDENTIFICATION OF THE RESPONSIBLE FOR THE TREATMENT
Calle 79 B No. 8-31 oficina 102
For the purposes of this Policy, it will be understood by
People between 12 and 18 years of age.
Prior, express and informed consent of the personal data owner to carry out the treatment of their personal data, which can be collected in a (i) written, (ii) oral or (iii) way through unequivocal behaviors, which allow reasonably conclude that it granted the authorization.
Physical, electronic document or in any other format generated by the responsible of the treatment, which is made available to the owner for the treatment of their personal data. In the privacy notice, the owner is informed of the following information:
In Colombia: i) Name or company name and contact information of the person responsible for the treatment; ii) the Treatment to which the data will be submitted and the purpose thereof; iii) the rights of the owner; and iv) the mechanisms provided by responsible of the treatment so that the owner is aware of Privacy and Personal Data Protection Policy, and the substantial changes that may occur in it or in the corresponding Privacy Notice.
In Brazil: i) specific purpose of the treatment; ii) form and duration of the treatment, observing commercial and industrial secrets; iii) identification of the controller; iv) contact information of the data controller (controller); v) information about data sharing by the controller and the purpose; vi) responsibilities of the agents who will carry out the treatment; and vii) rights of the owner.
In Mexico: i) The identity and address of the person responsible for collecting them; ii) the purposes of data processing; iii) The options and means that the controller offers to the holders to limit the use or disclosure of the data; iv) the means to exercise the rights of access, rectification, cancellation or opposition; v) the data transfers carried out; and vi) procedure and means by which the person in charge will notify the owners of changes to the privacy notice.
Organized set of physical or electronic (digital) personal data that is subject to manual or automated treatment, set in one or more locations.
Any information linked or that may be associated with one or more specific or determinable natural or physical person. The nature of Personal Data can be public, semi-private, private or sensitive.
The data may be collected by the responsible for the treatment directly from the owner, by third parties that send it and / or by public access sources (including, but not limited to: social networks, web pages and / or platforms of public or private entities), guaranteeing at all times the rights of the owner.
It is the data that due to its intimate or reserved nature is only relevant for the owner.
It is the data classified as such according to the mandates of the law or the Political Constitution and that which is not semi-private, private or sensitive.
Are those that affect the privacy of the personal data owner or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership of unions, organizations social, human rights or that promotes the interests of any political party or that guarantee the rights and guarantees of opposition political parties as well as data related to health, sexual life and biometric data (fingerprint, iris of the eye, voice, way of walking, palm of the hand or facial features, photographs, videos, among others). To the personal data of boys, girls and/or adolescents, the same rules and procedures will be applied as to sensitive data, and no treatment will be given that may violate or threaten their physical, mental and emotional development.
In Nicaragua, the databases of legal persons, that contain information of clients, suppliers and human resources, are considered sensitive data, for advertising purposes and any other data that is considered commercial or business information fundamentally reserved for the free exercise of their economic activities.
Are those that do not have an intimate, reserved, or public nature and whose knowledge or disclosure may be of interest not only to its owner, but to a group of people or society in general. Semi-private data is understood, among others, as information related to social security and financial and credit behavior.
Manager of the treatment
Natural or legal person, public or private, that by itself or in association with others, carries out the Treatment of Personal Data on behalf of the responsible of the treatment.
Under Brazilian regulations, the manager of the treatment is referred to as the “operator”.
Boy or girl
People between 0 and 12 years old.
Personal data protection officer
Person or area responsible for ensuring that the PQRSD that are presented regarding the protection of personal data, are addressed, and ensuring that the policies, guidelines and procedures that make up the Personal Data Protection Program are complied with.
Under Brazilian regulations, the personal data protection officer is referred to as a “supervisor”.
Requests, complaints, queries, suggestions and claims regarding the protection of personal data.
Are all the technical, human and administrative measures that are necessary to grant security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.
Responsible for the treatment, controller, business, Personnel that collects personal information, responsible for the registry or data bank, responsible for the personal data files
Natural or legal person, public or private, that by itself or in association with others, decides on the database and/or the treatment of the data.
It is the natural or physical person whose personal data is subject to treatment.
In Nicaragua, natural or legal person.
In Colombia, the data transfer takes place when the responsible of the treatment and/or the manager of the treatment of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is responsible of the treatment and is inside or outside from the country.
In Mexico and Brazil, the transfer is any communication of data made to a person other than the responsible for the treatment or manager of the treatment.
In Colombia, is the treatment of personal data that implies its communication within or outside the territory of the responsible of the treatment, when it is intended to carry out a treatment by the manager of the treatment on behalf of the responsible of the treatment.
In Chile, it means making personal data known in any way to people other than the owner, whether determined or undetermined.
Any operation or set of operations on personal data, such as the collection, storage, updating, use, circulation, Transfer, Transmission or deletion.
5. GUIDELINE PRINCIPLES
The following are the guiding principles regarding the protection of personal data, and they will apply to the Treatment carried out by the responsible of the treatment, their employees and all those natural or legal third parties to whom they transmit or transfer personal data of the owners, when they carry out any treatment on them.
Within the guiding principles, the following are highlighted, which will be applied not only in the referenced countries, but in all those countries in which they are applicable due to the treatments carried out by the person responsible for the treatment, in accordance with the regulations of the specific country:
The treatment of personal data will be carried out in accordance with the legal requirements established in the applicable current regulations.
The processing of personal data must obey a legitimate purpose in accordance with the constitution and the Law, which must be informed to the owner.
The Treatment can only be carried out with the prior, express and informed consent of the owner. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves consent. Public Data are excepted from this principle, which may be subject to Treatment without requiring authorization from the owner, in accordance with the provisions of current regulations.
Veracity or Quality Principle
The information subject to treatment must be true, complete, exact, updated, verifiable and understandable. Processing of partial, incomplete, fractioned or misleading data is prohibited.
In the treatment, the right of the owner to obtain at any time and without restrictions, information about the existence of data concerning him must be guaranteed.
Limited Access and Circulation Principle
Personal data, except public information, may not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to the owners or authorized third parties.
The information subject to treatment must be protected through the use of technical, human and administrative measures that are necessary to provide security to the records, avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.
All who intervene in the processing of personal data are obliged to guarantee the reservation of the information, even after the end of their relationship with any of the tasks that the treatment comprises.
Principle of legality
Personal data must be collected and processed in a lawful manner in accordance with the provisions established by applicable regulations.
Obtaining personal data should not be done through deceptive or fraudulent means.
All processing of personal data will be subject to the consent of the owner, except the exceptions provided by law.
The processing of personal data must be limited to fulfilling the purposes set forth in the privacy notice. If the responsible for the treatment intends to process the data for a different purpose that is not compatible or analogous to the purposes established in the privacy notice, the consent of the owner will be required to be obtained again.
The responsible for the treatment will ensure that the personal data contained in the databases are pertinent, correct and updated for the purposes for which they were collected.
When the personal data is no longer necessary for the fulfillment of the purposes set forth in the privacy notice and the applicable legal provisions, they must be canceled.
In all processing of personal data, it is presumed that there is a reasonable expectation of privacy, understood as the trust that any person places in another, regarding that the personal data provided between them will be treated in accordance with what the parties agreed to in the terms established by the current laws.
The processing of personal data will be that which is necessary, adequate and relevant in relation to the purposes set forth in the privacy notice. In particular, for sensitive personal data, the responsible for the treatment must make reasonable efforts to limit the period of treatment thereof to the minimum indispensable.
The responsible for the treatment will ensure compliance with the principles of personal data protection established by the law, having to adopt the necessary measures for its application. The foregoing will apply even when these data were processed by a third party at the request of the responsible for the treatment. The responsible for the treatment must take the necessary and sufficient measures to guarantee that the privacy notice made known to the owner is respected at all times by him or by third parties with whom he has a legal relationship.
Treatment for legitimate, specific, explicit and informed purposes, without the possibility of subsequent treatment in a way that is incompatible with these purposes.
Principle of adequacy
Compatibility of the treatment with the purposes informed to the owner, according to the context of the treatment.
Principle of necessity
Limitation of the treatment to the minimum necessary for the achievement of its purposes, with the scope of the relevant, proportional and not excessive data in relation to the purposes of the data processing.
Free access principle
Guarantee, to the owners, of free and easy consultation on the form and duration of the treatment, as well as on the integrity of their personal data.
Data quality principle
Guarantee, to the interested parties, of the accuracy, clarity, relevance and updating of the data, according to the need and for the fulfillment of the purpose of its treatment.
Principle of transparency
Guarantee, to the holders, of clear, truthful and easily accessible information on the performance of the treatment and the respective treatment agents, observing commercial and industrial secrets.
Use of technical and administrative measures capable of protecting personal data from unauthorized access and from accidental or illegal situations of destruction, loss, alteration, communication or diffusion.
Adoption of measures to prevent the occurrence of damages due to the processing of personal data.
Principle of non-discrimination
Impossibility of carrying out a treatment for illegal or abusive discriminatory purposes.
Demonstration, by the agent, of the adoption of effective measures capable of certifying the observance and compliance with the personal data protection regulations, and even the effectiveness of these measures.
6. DATA THAT IS COLLECTED
The responsible for the treatment may collect, among others, the following personal data of the owners, depending on the group interest to which they belong:
- First and last name;
- Identification number, passport, social security, tax identification number, among others;
- User names and access codes to computer systems;
- Date and / or place of birth;
- Civil status;
- Physical or postal address;
- Postal Code;
- Email address;
- Phone number;
- Bank or financial account numbers;
- Work and / or education history;
- Biometric data;
- Voice recordings;
- Health conditions;
- Any other information that allows to identify a natural person, physically or electronically.
7. TREATMENTS AND PURPOSES TO WHICH THE PERSONAL DATA WILL BE SUMITTED
For the purposes of this Policy, the responsible of the treatment directly or through managers of the treatment, may collect, store, use, circulate, update, delete or carry out any other type of manual or automated treatment on the personal data of their groups of interest, adjusting at all times to the provisions of current regulations and for the purposes described below.
7.1 General purposes for the processing of personal data of all groups of interest
- Identification of the owners.
- National and international transmission and transfer and storage and custody of information and/or personal data in physical files or own servers and/or third parties, located inside or outside the country, in countries considered safe or secure by the Superintendence of Industry and Commerce, and in countries that are not safe or secure, as long as it is required for the development of the company's own activities and relations with the different groups of interest.
- Preservation of information for historical, scientific and statistical purposes.
- Guarantee the exercise of any right of the owners, their employers or contractors.
- Registration and control of the entry and exit of documents.
- Information systems administration, user and password management, etc.
- Creation and administration of users and passwords to enter the different applications, technological and computer equipment of the responsible for the treatment and email accounts.
- Planning, control, measurement and monitoring of the impact of decisions made within the organization and analysis of the impact of external factors.
- Design, elaboration and implementation of strategies and goals to optimize economic, technological and human resources.
- Campaigns to update the data of the owner, his employer or contractor.
- Controls, statistics and history of the relationships maintained with the owners.
- Basis for decision making.
- Support in internal and/or external audits, tax audits, consultancies and implementation of improvement plans.
- Reports to competent administrative and judicial authorities.
- Attention to requests made by competent administrative and judicial authorities.
- Preparation and presentation of claims and complaints before the competent authorities, as well as exercising the right of defense in any administrative and/or judicial process.
- Compliance with the obligations derived from the contracts signed between the responsible of the treatment and the owners, or with their contracting parties or employers.
- Financial and accounting management, creation of third parties, and registration in the databases of the responsible of the treatment.
- Tax management and generation of tax information.
- PQRSDF care or attention.
- Hiring of insurance policies and request for protection.
- Request for credit or financial services.
7.2 Purposes for the processing of personal data of shareholders
- Convocation and execution of assemblies, raising and recording of minutes.
- Sending information related to the activities of the person responsible of the treatment.
- Guarantee the effective exercise of the shareholders' rights.
- Payment of dividends or profits.
- Capitalizations, mergers and / or spin-offs.
- Contracting with third parties’ services that benefit shareholders.
- Invitation to events.
- Publication of the quality of shareholder, including, but not limited to, forms of relationship with clients, insurers, financial entities and/or contractors and/or suppliers, among others.
- Use of information for advertising and communication media.
7.3 Purposes for the processing of personal data of applicants, direct and indirect employees, practitioners, apprentices, beneficiaries and families
- Collection of resumes directly from the owner or from third natural or legal persons who send them, either independently, or by commission of the responsible of the treatment.
- Management and employment promotion, development of the selection process, analysis of resumes, validation of work and/or personal references, interviews and certificates of occupational aptitude, psych technical and skills tests that are required.
- Preservation of resumes and results of the selection processes for future personnel hiring processes and/or for compliance with current legal regulations.
- Labor relationship, subscription of employment contracts.
- Induction and reinduction process.
- Expedition of owner’s company ID card process.
- Control of contract renewal.
- Entry and schedule control.
- Work scheduling and assignment of functions, roles and profiles associated with the position held.
- Register of information on active and inactive direct and indirect employees, pensioners and their families, for the development of affiliation and payment of social security and parafiscal, payroll, legal and non-legal bonuses, vacations, recognition of pension rights and settlements.
- Climate, organizational culture and well-being activities, for direct and indirect employees and their families.
- Management of permits, licenses and authorizations.
- Disciplinary processes, management of sanctions, reprimands, calls for attention, discharge and dismissal with or without just cause.
- Record of disciplinary history.
- Fulfillment of the obligations of the responsible of the treatment, by virtue of the current legal regulations.
- Training and education for direct and indirect personnel.
- Skills and performance evaluations.
- Discounts on salary allowed in current regulations and practice and registration of embargoes at the request of the competent authority.
- Delivery of endowments and fixed assets.
- Review of documents for retirement of severance pay.
- Contracting with third parties for services that benefit direct and indirect employees, beneficiaries and families.
- Compliance with current regulations on health and safety at work SG-SST.
- Provision of information to contractors and suppliers, for the execution of the contracts signed between them and the responsible of the treatment.
- Creation and control of access and modification of documents.
- Hotel reservations, air or land tickets, delivery of gas vouchers and tolls, request for vehicles, among others.
- Processing of disabilities or licenses before the corresponding entities.
- Identification and monitoring of income and expenses of personnel, payroll and promotions.
- Advertising of the responsible of the treatment and/or of strategic allies in any means of communication, as well as publication of editorial content, blogs or management reports, among others, that contain personal information of the owners including photographs and/or videos, with the indication of the position they hold and their name.
- Transfer of proof of payment of contributions to the social security and parafiscal system and proof of training carried out to collaborators, sent to the contractors of the person responsible of the treatment, when required for the payment of goods and/or services provided by the latter in quality of contractor and/or supplier, or to enter third parties’ facilities.
- Publication of employee status by any means of communication, including, but not limited to, contracts, forms of relationship with clients, financial entities and/or contractors and/or suppliers, email, among others.
7.4 Purposes for the processing of personal data of active and inactive clients, distributors and users, prospects, and/or their collaborators
- Clients’, users’ and/or distributors’ employee information.
- Analysis of behavior, profiles and market segmentation.
- Marketing and remarketing.
- Offer of goods and/or services of the responsible of the treatment and/or its strategic allies.
- Transfer of Personal Data to Suppliers, logistics operators, transporters, payment companies, financial entities, insurers, subsidiaries, holding companies and affiliates, among others, that need to have Access to the information to provide their services effectively.
- Follow-up and tracing of operations, including, but not limited to: products purchased, amount paid for each product, date of purchase, delivery time, quantity of products purchased, times of greatest demand for products, among other data related to the purchase and delivery of the products.
- Statistical studies of commercial, financial and credit risk behavior.
- Approval and renewal of credit quota.
- Own and partners or shareholder’s patrimonial information, to support or guarantee the payment of credit quotas.
- Consultations and report of positive and negative commercial, financial and credit information to operators or administrators of databases, financial and credit entities, commercial information agencies and legally established risk centers.
- Subscription and execution of contracts.
- Management of national and international logistics.
- Inventory control.
- Compliance with legal and contractual obligations.
- Portfolio recovery management through persuasive, extrajudicial and/or judicial collection.
- Identification of debtors and co-debtors.
- Management of clients, distributors and/or users.
- Management of social networks.
- Customer, distributor and/or user loyalty.
- History of commercial relationships.
- Sending of advertising, trade marketing, artificial intelligence, opinion polls, commercial prospecting, distance selling and electronic commerce.
- Evaluation of the quality of the goods and/or services provided by the responsible of the treatment.
7.5 Purposes for the processing of personal data of contractors and suppliers, prospects, and their collaborators
- Contractor and/or supplier’s employee information.
- Request, collection and analysis of quotes and/or offers.
- Invitations to participate in contracting processes.
- Development of contracting processes.
- Request for references and third party certificates.
- Subscription and execution of contracts and/or issuance of purchase orders and/or service orders.
- Contract administration.
- Inventory control.
- Training, if required for the execution of the contract.
- Compliance with legal and contractual obligations.
- Management of national and international logistics.
- Payment management.
- Evaluation of contractors and suppliers.
- Schedule control, in case of contracting services or tasks with contractually defined schedules.
- Technical consultations on products offered by suppliers.
- Contact with suppliers and contractors or their collaborators, for the development of the signed contracts or issued service orders and/or purchase orders.
- Verification of compliance with legal, technical and experience requirements.
- Verification of the payment of salaries and social benefits of contractors and suppliers and their collaborators.
- Programming of technical activities and confirmation its execution.
- Management of quality claims for products or services.
- History of commercial relationships.
7.6 Purposes for the processing of personal data of officials of state entities
Coordination of activities within the framework of compliance with current regulations.
8. RIGHTS OF THE OWNER
The rights of the owners of personal data are those established by the current regulations of the countries where, due to the treatment carried out, their legislation applies.
Among the rights, the following are highlighted, which will apply not only in the referenced countries, but in all those countries where they are applicable, in accordance with the regulations of the specific country:
- Know, update and rectify personal data before the responsible of the treatment or managers of the treatment. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or those whose treatment is expressly prohibited or has not been authorized.
- Request proof of the authorization granted to the responsible of the treatment, except when expressly excepted as a requirement for the treatment.
- Be informed by the responsible of the treatment or the manager of the treatment, upon request, regarding the use that has been given to the owners’ personal data.
- File complaints for infractions of the provisions of current regulations before the Superintendence of Industry and Commerce.
- Revoke the authorization and/or request the deletion of the data when in the treatment the principles, rights and constitutional and legal guarantees are not respected.
- Free access to personal data that have been subject to Treatment.
The request to delete the information and revocation of the authorization will not proceed when the owner has a legal or contractual duty to remain in the database.
- Access their own personal data held by the responsible of the treatment, as well as know the Privacy Notice to which the treatment is subject.
- Rectification when the data is inaccurate or incomplete.
- Cancel their personal data. The cancellation of personal data will give rise to a blocking period after which the data will be deleted. The responsible for the treatment may keep the data exclusively for the purposes of the responsibilities arising from the treatment. The blocking period will be equivalent to the limitation period of the actions derived from the legal relationship that bases the treatment in the terms of the applicable Law on the matter. Once the data has been canceled, the owner will be notified. When the personal data had been transmitted prior to the date of rectification or cancellation and it continues to be processed by third parties, the responsible for the treatment must inform them of said request for rectification or cancellation, so that it can also be carried out. The responsible for the treatment will not be obliged to cancel the personal data when: i) it refers to the parties of a private, social or administrative contract and is necessary for its development and fulfillment; ii) must be treated by legal provision; iii) obstructs judicial or administrative actions related to tax obligations, the investigation and prosecution of crimes or the updating of administrative sanctions; iv) are necessary to protect the legally protected interests of the owner; v) are necessary to carry out an action based on the public interest; vi) are necessary to comply with an obligation legally acquired by the owner; and vii) are subject to treatment for prevention or for medical diagnosis or management of health services, provided that such treatment is carried out by a health professional subject to a duty of secrecy.
- Oppose to the processing of their personal data. If appropriate, the responsible for the treatment will not be able to process the data related to the owner.
- Limit the use and disclosure of their personal data by requesting their registration in the Public Registry to Avoid Publicity by the Federal Consumer Prosecutor's Office (“PROFECO”) so that the personal data is not used to receive advertising or promotions from third parties.
- Confirmation of the existence of data treatment.
- Access to data.
- Correction of incomplete, inaccurate or outdated data.
- Anonymization, blocking or deletion of unnecessary, excessive or processed data in disagreement with the provisions of the Law.
- Portability of data to another provider of services or products, upon express request and keeping commercial and industrial secrets, in accordance with the regulations of the control body.
- Deletion of personal data processed with the consent of the owner, except in the cases provided by law.
- Information on public and private entities with which the responsible of the treatment shared data.
- Information on the possibility of not giving consent and on the consequences of refusal.
- Revocation of consent, in accordance with the Law.
- Submit petitions before the national authority against the responsible of the treatment.
- Oppose the treatment carried out based on one of the cases of waiver of consent, in case of non-compliance with the provisions of the Law.
- Require to whoever is responsible for a bank, that dedicates publicly or privately to the processing of personal data, information on the data relating to the owner, its origin and recipient, the purpose of storage and the individualization of people or organizations to which the data is transmitted regularly.
- In the event that the personal data is erroneous, inaccurate, misleading or incomplete, and thus proven, the owner will have the right to have it modified.
- Demand that the data be deleted, in case its storage lacks legal basis or when it is out of date.
- The same requirement of elimination, or that of blocking the data, where appropriate, may be made when the owner voluntarily provided personal data or it is used for commercial communications and the owner do not wish to continue appearing in the respective registry, either permanently or temporarily.
- The information, modification or deletion of the data will be absolutely free, and must also be provided, at the request of the owner, a copy of the altered record in the relevant part. If new modifications or deletions of data are made, the owner may also obtain a copy of the updated registry at no cost, provided that at least six (6) months have elapsed since the previous opportunity in which the owner made use of this right. The right to obtain a free copy can only be exercised personally.
- If the canceled or modified personal data has been previously communicated to specific or determinable persons, the person responsible for the data bank must notify them as soon as possible of the operation carried out. If it is not possible to determine the people to whom they have been communicated, it will post a notice that may be of general knowledge to those who use the information in the database.
- Request and obtain information on the personal data processed in public and private data files.
- Rectify, modify, delete, supplement, include, update or cancel personal data; The report must be provided within ten (10) business days of receipt of the request; Once the term has expired without the report having been submitted, the interested party may promote the personal data protection action provided for in the Law.
- Not to be obliged to provide personal data of a sensitive nature, except for the exceptions established in the Law on Protection of Personal Data.
9. DUTIES OF THE RESPONSIBLE OF THE TREATMENT
It is the duty of the responsible of the treatment:
- Guarantee the owner, at all times, the full and effective exercise of the Habeas Data Right.
- Request and keep by any means and under the conditions provided in current laws, a copy of the respective authorization granted by the owner.
- Properly inform the owner about the purpose of the collection of personal data and the rights that assist him by virtue of the authorization granted.
- Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
- Guarantee that the information provided to the manager of the treatment is true, complete, accurate, updated, verifiable and understandable.
- Update the information, communicating in a timely manner to the manager of the treatment, all the news regarding the data previously provided and adopt the other necessary measures so that the information provided is kept updated.
- Rectify the information when it is incorrect and communicate the pertinent to the manager of the treatment.
- Provide the manager of the treatment, as the case may be, only data whose treatment is previously authorized in accordance with current regulations.
- Require the manager of the treatment, at all times, to respect the security and privacy conditions of the owner's information.
- Process PQRSD formulated in the terms indicated in current regulations.
- Adopt an internal manual of policies and procedures to guarantee adequate compliance with current regulations, especially for the attention of PQRSD.
- Inform the manager of the treatment when certain information is under discussion by the owner, once the claim has been submitted and the respective process has not been completed.
- Inform at the request of the owners about the use given to their data.
- Inform the data protection authority when there are violations of the security codes and there are risks in the administration of the information of the owners.
- Comply with the instructions and requirements issued by the competent authorities in the matter.
10. DUTIES OF THE MANAGER OF THE TREATMENT
It is the duty of the manager of the treatment:
- Comply in the development of the contracted activities, with this policy, as well as with all those procedures, guides and/or guidelines issued by the responsible of the treatment in terms of personal data protection.
- Adopt, according to the instructions of the responsible of the treatment, all technical, human and administrative measures that are necessary to provide security to the records, avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.
- Implement a personal data protection policy that complies with the provisions of the rules that regulate the matter.
- Treat personal data in accordance with the instructions expressly received from the responsible of the treatment, refraining from using them for purposes other than those contracted.
- Refrain from supplying, assigning or marketing personal data with natural or legal, public or private third parties, unless it is of public nature without subject to reservation, or is required by a competent authority in the exercise of its legal functions.
- Keep strict confidentiality regarding the personal data to which the manager of the treatment has access in the exercise of the contracted activities, as well as to diligently comply with the duty of guardianship and custody over the data throughout the term of the contract, and even after the termination has occurred.
- Access or consult the information or personal data that rest in the databases of the responsible of the treatment only when it is strictly necessary for the exercise of the contracted activities.
- Report to the responsible of the treatment immediately upon its materialization or at the moment in which they come to their knowledge, through the channels and means established by it, any incident or threat of incident that affects or may affect directly or indirectly the protection of personal data.
- Guarantee at all times, the full and effective exercise of the Right to Habeas Data of the owners, as well as due process in the event of PQRSD being presented in the field of personal data protection.
- Timely update, rectify or delete the data in the terms of current regulations.
- Update the information reported by the responsible of treatment, within five (5) business days from its receipt.
- Adopt an internal manual of policies and procedures to guarantee adequate compliance with current regulations, especially, for the attention of PQRSD presented by the owners.
- Refrain from circulating information that is being contradicted by the owner and whose blocking has been ordered by the competent authority.
- Allow access to information only to people who can have access to it.
- Comply with the instructions and requirements issued by competent authorities.
- In case of collecting data on behalf of the responsible of the treatment, require the authorization of the owners, in the cases in which it is required, in accordance with current regulations.
11. PERSONAL DATA PROTECTION OFFICER
The area who will exercise the functions of personal data protection officer will be the Administrative Area, who will ensure, among others, the adequate guarantee of the rights of the owners, especially the attention of PQRSD.
12. PROCEDURE SO THAT THE OWNERS OF THE INFORMATION CAN EXERCISE THEIR RIGHTS
The owners or those persons who are legitimized by current regulations can present PQRSD through the following channel:
The following are the persons empowered to present PQRSD:
- The owner, who must prove his identity sufficiently.
- The successors in title of the owner, who must prove such quality.
- The owners’ representative and/or attorney-in-fact, prior accreditation of the representation or power of attorney.
- By stipulation in favor of another or for another, provided that there is acceptance by the owner, of which evidence must be submitted in the application.
The rights of Boys, Girls or Adolescents shall be exercised by the persons who are empowered to represent them.
The PQRSD must contain at least: i) name and address or other means to communicate the response to the request; ii) the documents that prove the identity (voting credential, passport or military card) or, where appropriate, the legal representation (in addition to the documents that prove the identity of the owner, power of attorney or special power of attorney and documents that prove the identification of the representative); iv) the clear and precise description of the personal data with respect to which it is requested to exercise any of the rights; v) if applicable, the express statement to revoke the consent to the processing of personal data, so that they are not used; and vi) any other element that facilitates the location of personal data.
n Mexico, the owner can use the unique format for the exercise of rights provided by the National Institute of Transparency, Access to Information and Protection of Personal Data on its site. Once the request has been submitted in the pre-established format, the "Data Privacy" area will notify the owner, in accordance with article 32 of the Federal Law on Protection of Personal Data Held by Private Parties, the result of the request. The revocation and the exercise of the rights will be free, as well as the reproduction in simple copy or sending by email.
The PQRSD will be resolved within the term established by the regulations in force in the applicable legislation.
The databases subject to treatment by the responsible of the treatment, will be in force while the purposes for which the data was collected subsist and/or the term established by law.