Personal data processing policy
Chapter I. Identification
SMARTCHIP SAS (hereinafter SMARTCHIP), a commercial company incorporated by public deed No. 910, Granted in Notary 6 of Medellín on July 15, 2004 under the name of SMARTCHIP SA and amended in Act No. 011 of July 31, 2012 Registered at the Medellin Chamber of Commerce on August 28, 2012, through which the company is transformed from a public limited company to a simplified joint stock company and hereinafter will be called: SMARTCHIP SAS
• MAIN ADDRESS: Carrera 67 # 1B - 06, Medellín, Antioquia, Colombia.
• ELECTRONIC ADDRESS FOR JUDICIAL NOTICE: firstname.lastname@example.org
• SWITCH: +57 (4) 2040737 CHAPTER II. LEGAL FRAMEWORK.
• Article 15 Political Constitution of the Republic of Colombia.
• Law 1266 of 2008 (general provisions of habeas data).
• Law 1581 of 2012 (General Regime for the Protection of Personal Data).
• Partial Regulatory Decree 1377 of 2013.
Chapter II. Legal framework
• Article 15 Political Constitution of the Republic of Colombia.
• Law 1266 of 2008 (general provisions of habeas data).
• Law 1581 of 2012 (General Regime for the Protection of Personal Data).
• Partial Regulatory Decree 1377 of 2013.
Chapter III. Definitions
• DATABASE ADMINISTRATOR: Official who is in charge of and performs treatment on one or more databases that have personal information.
• AUTHORIZATION: prior, express and informed consent of the owner to carry out the processing of personal data.
• PRIVACY NOTICE: verbal or written communication generated by the person in charge addressed to the owner for the treatment of his personal data, by means of which he is informed about the existence of the information treatment policies that will be applicable to him, the way of accessing to them and the purposes of the treatment that is intended to be given to personal data.
• DATABASE: organized set of personal data that is subject to treatment.
• RECIPIENT: person who has succeeded another due to the death of the latter (heir).
• PERSONAL DATA: any piece of information linked to one or several determined or determinable persons or that may be associated with a natural or legal person.
• PUBLIC DATA: it is the data that is not semi-private, private or sensitive. Public data is considered, among others, data related to the civil status of people, their profession or trade and their status as a merchant or public servant. By their nature, public data may be contained, among others, in public records, public documents, gazettes and official gazettes and duly executed judicial decisions that are not subject to reservation.
• SEMIPRIVED DATA: It is the one that does not have an intimate, reserved or public nature and whose knowledge may interest not only its owner but a certain sector or group of people or society in general, such as the financial and credit data of a commercial activity or of services.
• PRIVATE DATA. It is the one that due to its intimate or reserved nature is only relevant to its owner. Public data are considered, among others, the information contained in the books of merchants, medical records, information obtained from home visits, tax information, biographical data, affiliation, information regarding contributions to the Social Security System.
• SENSITIVE DATA: sensitive data means those that affect the privacy of the owner or whose improper use may generate their discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, union membership , social or human rights organizations or those that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life and biometric data.
• TREATMENT MANAGER: natural or legal person, public or private that by itself or in association with others, performs the processing of personal data on behalf of the Data Controller.
• RESPONSIBLE FOR THE TREATMENT. Natural or legal person, public or private, that by itself or in association with others, decides on the data base and / or the treatment of the data.
• HABEAS DATA: right of any person to know, update and rectify the information that has been collected about them in the data bank and in files of public and private entities.
• HOLDER: natural person whose personal data is subject to Treatment.
• TREATMENT: any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.
• TRANSFER: the data transfer takes place when the person responsible and / or in charge of the treatment of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is responsible for the treatment and is inside or outside the country.
• TRANSMISSION: processing of personal data that involves the communication thereof within or outside the territory of the Republic of Colombia when it is intended to carry out a treatment by the person in charge on behalf of the person in charge.
Chapter IV. Beginning
• LEGALITY: The processing of personal data is a regulated activity that must be subject to the provisions of the law and the other provisions that develop it.
• PURPOSE: The processing of personal data must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the owner.
• FREEDOM: The processing of personal data can only be exercised with the prior, express and informed consent of the owner. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate releasing consent.
• VERACITY OR QUALITY: The personal information subject to treatment must be truthful, complete, exact, updated, verifiable and understandable, in this sense, the treatment of partial, incomplete, fractional or misleading data is prohibited.
• TRANSPARENCY: In the treatment of personal data, the right of the owner to obtain from the data controller, at any time and without restrictions, information on the existence of the data that concerns him must be guaranteed.
• ACCESS AND RESTRICTED CIRCULATION: The processing of personal data is subject to the limits derived from their nature, from the provisions of the Law and the Constitution. In this sense, its treatment can only be done by people authorized by the owner and / or by the people provided for in Law. Therefore, personal data, except public information, may not be available on the Internet or other means of disclosure or mass communication, unless access is technically controllable to provide restricted knowledge only to the holders or authorized third parties in accordance with the law.
• SECURITY: The personal information subject to treatment by the person responsible for the treatment, must be handled with the technical, human and administrative measures that are necessary to grant security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.
• CONFIDENTIALITY: All persons involved in the processing of personal data that are not public in nature are obliged to guarantee the reservation of the information, even after the end of their relationship with any of the tasks that comprise the processing, being able to only make provision or communication of personal data when it corresponds to the development of activities authorized by law and in the terms thereof.
Chapter V. Rights of the owner
• Know, update and rectify your personal data before SMARTCHIP as Responsible or Responsible for Treatment. This right may be exercised, among others, against partial, inaccurate, incomplete, fractional data that is misleading, or those whose Treatment is expressly prohibited or has not been authorized.
• Request proof of the authorization granted to SMARTCHIP for the collection and treatment of Personal Data.
• Be informed by SMARTCHIP, upon request, regarding the use it has made of their personal data.
• Submit complaints to the Superintendency of Industry and Commerce for infractions of the provisions of Law 1581 of 2012, Decree 1377 of 2013 and other regulations that modify, add or complement it, once the process of consultation or claim before the SMARTCHIP.
• Modify or revoke the authorization and / or request the deletion of the data when the Treatment does not respect the constitutional and legal principles, rights and guarantees.
• Free access to your personal data that has been processed.
Chapter VI. Rights of children and adolescents
• The treatment will ensure respect for the prevailing rights of children and adolescents.
• The processing of personal data of children and adolescents is prohibited, except for those data that are public in nature.
• It is the task of the State and educational entities of all kinds to provide information and train legal representatives and guardians on the possible risks that children and adolescents face regarding the improper treatment of their personal data, and provide knowledge about the responsible and safe use by children and adolescents of their personal data, their right to privacy and protection of their personal information and that of others.
Chapter VII. Aims
• The complete identification and classification of third parties in categories of customers and suppliers in order to develop the company's corporate purpose, which includes the sale and marketing of products and services related to the industry of person identification (identification) and printing of cards, electronic engineering and related projects, applications in the form of software as a cloud service, security systems, among others.
• Satisfaction surveys and product knowledge to evaluate the quality of our services and create improvement strategies in their provision.
• To carry out studies on consumption habits.
• Sending marketing and advertising campaigns aimed at customer loyalty, offering them benefits to position our brand, products and services and introduce new products and services to the market.
• For commercial agreements with the aim of promoting the benefits of our clients in other commercial establishments.
• For staff recruitment including calls, selection processes and interview citations.
• To fulfill labor obligations, such as the link to the General Social Security System, payment of wages and other labor issues.
• For contractual matters of execution and settlement of contracts signed with suppliers, creditors or clients.
• For portfolio issues such as collection of delinquent invoices, among others.
Chapter VIII. Authorization and consent of the owner
• The authorization will be obtained from the Owner of the personal data, for the collection and treatment of the same. Said authorization must be prior, express and informed.
• The collection of personal data should be limited to those that are pertinent and appropriate for the purpose for which they are collected or required in accordance with current regulations.
• The owners will be informed of the personal data that will be collected about them, as well as all the purposes of the treatment for which consent is obtained, at the latest at the time of collection of their personal data.
• Authorization may also be obtained from unequivocal conduct of the data owner that allows the conclusion, in a reasonable manner, that he gave his consent to the processing of his information.
Chapter IX. Means and manifestations to grant authorization
The authorization may consist of a physical, electronic document, data message, web form or any other format that guarantees its subsequent consultation, or through a suitable technical or technological mechanism to express or obtain consent via digital signature, by clicking on a button or selected a particular option in multiple choice, by means of which it can be unequivocally concluded that, had the owner's conduct not been provided, the data would never have been captured and stored in the database. The authorization will be generated SMARTCHIP and will be made available to the owner in advance and prior to the processing of their personal data.
Chapter X. Cases in which authorization is not required
The authorization of the owner will not be necessary in the case of:
• Information required by a public or administrative entity, in the exercise of its legal functions or by court order.
• Data of a public nature (such as that contained in the RUT for legal persons and in the identification document for natural persons).
• Cases of medical or sanitary emergency.
• Treatment of information authorized by law for historical, statistical or scientific purposes.
• Data related to the civil registry of people.
Chapter XI. Duty to inform the owner
To obtain authorization, it is necessary to inform the owner of the following:
• The Treatment to which your personal data will be submitted and its purpose.
• The optional nature of the answer to the questions that are asked, when these are about sensitive data or about the data of children and adolescents.
• The rights that assist you as the Owner.
• SMARTCHIP identification, physical, electronic and telephone address.
Chapter XII. Proof of authorization
SMARTCHIP, will keep the proofs of the authorizations granted by the holders of personal data for the treatment of the same.
Chapter XIII. Revocation of authorization
• The Holders may request at any time, the deletion of their personal data and / or revoke the authorization granted for the treatment thereof. The request for deletion of personal data and the revocation of authorization will not proceed when the owner has a legal or contractual duty to remain in the database.
• Once the validity of the databases expires, the personal data in your possession must be deleted. However, personal data must be kept when required to fulfill a legal or contractual obligation.
Chapter XIV. Duties of smartchip as controller
• Guarantee to the Holder, at all times, the full and effective exercise of the right of habeas data. • Request and keep, under the conditions provided by law, a copy of the respective authorization granted by the Owner.
• Properly inform the Holder about the purpose of the collection and the rights that assist him by virtue of the authorization granted.
• Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
• Guarantee that the information provided to the Treatment Manager is truthful, complete, exact, updated, verifiable and understandable.
• Update the information, communicating in a timely manner to the Person in Charge of the Treatment, all the news regarding the data that has previously been provided and adopt the other necessary measures so that the information provided to it is kept up to date.
• Rectify the information when it is incorrect and communicate what is pertinent to the Treatment Manager.
• Provide the Treatment Manager, as the case may be, only data whose Treatment is previously authorized in accordance with the provisions of this policy and the law.
• Require the Treatment Manager at all times, respect for the security and privacy conditions of the Owner's information.
• Process inquiries and claims formulated in the terms indicated in the law.
• Inform the Treatment Manager when certain information is under discussion by the owner, once the claim has been submitted and the respective procedure has not been completed.
• Inform at the request of the owner about the use given to their data.
• Inform the data protection authority when there are violations of the security codes and there are risks in the management of the information of the holders.
• Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
• Allow data processing to those officials who have permission to do so, or who within their functions are responsible for carrying out such activities.
• Appoint a database administrator and give you authorization to carry out the necessary treatment and that requested by the owner of the information.
• Treat non-public personal data as confidential, even when the contractual relationship or the link between the owner of the personal data and SMARTCHIP has ended.
• Delete personal data when its owner requires it, provided that such data should not remain in the database by legal or contractual provision that requires it. In the event of a partial revocation of the authorization for the processing of personal data for some of the purposes, SMARTCHIP may continue to use the data for other purposes for which such revocation does not proceed.
• Publicize this POLICY, for which you must publish it on the Institutional website.
• Take special care with the treatment of the personal data of children and adolescents, since they have special protection. Therefore, its treatment is prohibited, except in the case of data of a public nature, when said treatment responds and respects the best interests of minors, and when it ensures respect for their fundamental rights.
• SMARTCHIP will not transfer information related to personal data to countries that do not have adequate levels of data protection.
• SMARTCHIP will refrain from processing sensitive data, except: when the owner has given his explicit authorization to said treatment or except in cases where the authorization is not required by law.
• In development of the principles of purpose and freedom, SMARTCHIP may only collect and process personal data that is relevant and appropriate for the purpose for which it is collected or required in accordance with current regulations. Once the purpose or purposes of the treatment have been fulfilled and without prejudice to legal regulations that provide otherwise, SMARTCHIP will proceed to the deletion of the personal data in its possession.
Chapter XV. Smartchip duties as data processor
For the reception of personal data as a manager, SMARTCHIP must sign a contract or a clause for the processing of personal data as a manager with the entity or company that sends the information, which establishes the following:
• The scope of the treatment.
• The activities that SMARTCHIP will perform as a manager on behalf of the controller.
• The obligations in charge of SMARTCHIP in charge of the data holder.
• The duty of SMARTCHIP as the person in charge of treating the data in accordance with the purpose that was authorized, in compliance with the principles enshrined in the law and in this policy.
• SMARTCHIP's obligation as manager to adequately protect personal data, as well as databases, and to keep the treatment of the data received confidential.
• The databases received may not be used for purposes other than fulfillment of the order.
• Transfer the queries and claims made by the Holders directly to the entity that sends the information so that it meets the requests in accordance with the terms indicated in their respective policy on the processing of personal data and in the law.
• Once notified of a rectification, update or deletion by the sender of the information, the information will be modified within five (5) business days from its receipt.
• Allow access to information, only to people who may have access to it.
• In any case, the third party that delivers the information will continue to hold the position of direct responsible for the treatment of the data obtained in relation to the owner (s) of the data in accordance with the legal framework and their respective policy of processing of personal data.
Chapter XVI. Consultation procedures
• The owners, their successors in title or their duly authorized proxies, will have the right to consult the personal information of the Owner that resides in the SMARTCHIP databases.
• The consultation will be attended within a maximum term of ten (10) business days from the date of receipt. When it is not possible to attend the query within said term, the interested party will be informed, expressing the reasons for the delay and indicating the date on which his query will be answered, which in no case may exceed five (5) business days following the expiration of the first term.
• The means enabled by SMARTCHIP for receiving queries are: by email to the mailbox email@example.com; Queries may also be physically presented at Carrera 67 # 1B - 06, Medellín, Antioquia, Colombia.
Chapter XVII. Procedures for claims and requests for rectification, updating or deletion
At any time, and free of charge, the owner or his authorized representative who considers that the information contained in our databases should be subject to rectification, updating or deletion, or when they notice the alleged breach of any of the duties contained in the Law, they may file a claim with SMARTCHIP requesting the Data Processing Manager to rectify, update or delete their personal data.
The request for rectification, update or deletion must contain, as a minimum, the following information:
• The documents that prove the identity of the owner or his authorized representative.
• Data for notification with physical or electronic address.
• The clear and precise description of the personal data with respect to which the owner seeks to exercise any of the rights.
• Evidence and documents that you intend to assert.
If the claim is incomplete, the interested party will be required within five (5) days after receipt of the claim to correct the failures. If two (2) months have elapsed since the date of the request, without the applicant submitting the required information, it will be understood that the claim has been withdrawn.
Once the complete claim has been received, a legend will be included in the database that says "claim pending" and the reason for it, within a term not exceeding two (2) business days. Said legend must be kept until the claim is decided.
In the event that the person who receives the claim is not competent to resolve it, he will transfer it to the appropriate person within a maximum term of two (2) business days and will inform the interested party of the situation.
The maximum term to attend the claim will be fifteen (15) business days counted from the day following the date of its receipt. When it is not possible to attend the claim within said term, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days after the expiration of the first finished.
The means enabled by SMARTCHIP for the reception of requests for rectification, updating or deletion are: by email to the mailbox firstname.lastname@example.org; Queries may also be physically presented at Carrera 67 # 1B - 06, Medellín, Antioquia, Colombia.
Chapter XVIII. Revocation request procedures
Holders of personal data may revoke consent to the processing of their personal data at any time, as long as a legal or contractual provision does not prevent it.
If the respective legal term has expired, SMARTCHIP, as the case may be, they have not deleted the personal data, the Holder will have the right to request the Superintendence of Industry and Commerce to order the revocation of the authorization and / or the deletion of the personal data . For these purposes, the procedure described in article 22 of Law 1581 of 2012 will be applied.
The means enabled by SMARTCHIP for the reception of revocation requests are: by email to the mailbox email@example.com; Queries may also be physically presented at Carrera 67 # 1B - 06, Medellín, Antioquia, Colombia.
Chapter XIX. International transfer and transmission
SMARTCHIP in compliance with its corporate purpose can establish agreements and alliances with institutions or companies of international origin so that all the information of a holder stored in our databases can be transferred abroad, subject to applicable legal requirements.
Without prejudice to the obligation to observe and maintain the confidentiality of the information, SMARTCHIP will take the necessary measures so that third parties from abroad know and commit to observe this Policy, with the understanding that the personal information they receive may only be used to matters directly related to the relationship with SMARTCHIP and only while it lasts, and may not be used or intended for any other purpose or purpose.
The international transmissions of personal data made by SMARTCHIP, will not need to be informed to the Holder or have his consent when there is a contract for the transmission of personal data in accordance with article 25 of Decree 1377 of 2013.
With the acceptance of this policy, the owner expressly authorizes to transfer his Personal Information. The information will be transferred and transmitted for all relationships that SMARTCHIP may establish with third parties abroad.
Chapter XX. Validity
This PERSONAL DATA PROCESSING POLICY version 1.1 is effective as of September 30, 2016 and completely replaces the previous version of 2015 and its validity is 20 years from the date.
Chapter XXI. Version list
|Version||Date||Changes||Elaborated by||Revised by|
|1.1||30/09/2016||National registry databases adjustments||MFM||WMC|