fbpx

Privacy policy for the protection, handling, and processing of personal data

GRUPO EMPRESARIAL NEXO S.A.S (hereinafter referred to as “THE COMPANY” or “THE OPERATOR“), a legally established company in Colombia, identified with N.I.T. 901522184 – 5 and domiciled in the city of Medellin, Antioquia, has adopted this policy for the protection and handling of personal data, recognizing the importance of the information provided by its clients, users, employees, contractors, and partners, as well as the right granted to them by the law to know, update, and rectify it at any time, in compliance with the applicable regulations on HABEAS DATA in Colombian territory. In accordance with this policy, the personal data provided by clients, users, employees, contractors, partners, or any other natural or legal person, that are collected and/or stored in the database of THE COMPANY or provided at the time of acquiring services, will be managed in accordance with the provisions stated herein.

This document contains the general policy for the treatment of information and personal data of THE COMPANY, to inform our users about the required and stored information by GRUPO EMPRESARIAL NEXO S.A.S. in the provision of our services. This information is handled with respect to the values of respect, confidentiality, and privacy, which are integrated for the effective fulfillment of corporate and business objectives.

This policy aims to comply with Laws 1266 of 2008 and 1581 of 2012, as well as other regulatory norms that regulate the fundamental right of Habeas Data and the handling of information and personal data.

Therefore, the provisions contained herein are an integral part of the Terms and Conditions of GRUPO EMPRESARIAL NEXO S.A.S., which are accepted by our users, clients, employees, contractors, and partners, either through the “acceptance of the Terms and Conditions” notice provided on our website, as well as through our various electronic means or any other authorized and designated means for the acceptance of these terms.

The holders of personal data, that is, our users, employees, contractors, clients, and partners, accept the processing of their personal data in accordance with the terms of this policy and, therefore, authorize their treatment once they share their information through the website, databases, forms, service proposals, contracts, emails, social networks, WhatsApp, telephone and/or in-person communication, and in general, anyone who, in the exercise of any labor, commercial, civil, or any other legal activity, whether permanent or occasional, may provide any type of information or personal data to GRUPO EMPRESARIAL NEXO S.A.S.

 

I.SCOPE

This policy applies to all personal information registered in the databases of THE COMPANY, acting as the data controller. Therefore, the information that GRUPO EMPRESARIAL NEXO S.A.S. collects, receives, or stores on its behalf includes, among other things, but is not limited to:

  • User data: Contact information that the user provides electronically, by phone, or in person in order to request information, quotes, and other situations related to our services.
  • Customer data: Individuals who view, show interest in, or acquire our services, that is, all those individuals who, due to their personal interest in the established commercial relationship, provide personal data to the company, which will be for the exclusive use of the company under the terms and conditions of this policy.
  • Employees or contractors: Those who, due to their employment relationship or current civil contractual bond with the company, must provide enough information to formalize the legal relationship and carry out activities or functions for and on behalf of the company. This information should include, at a minimum, full name, identification, email address, physical and contact address, bank account for payment, signature, video recordings made by the company’s security cameras, among others that may arise from the current contractual and employment relationship.
  • Partner data: Contact information that the partner provides electronically, by phone, or in person in order to maintain constant communication with GRUPO EMPRESARIAL NEXO S.A.S. and execute the respective commercial agreements.
  • Demographic data: Occasionally collected data on demographic information of users, customers, and partners who are interested in knowing our services and visiting our website and other enabled channels of communication.
  • User-generated content: Any information that users send when establishing communication with THE COMPANY’s customer service, requesting quotes, providing feedback, compliments, or contacting in any way to report legal situations that require their support.

 

II.OBJECTIVE

The objective of this policy is to ensure the protection of information and personal data of clients, employees, contractors, users, allies, and any natural or legal person who has a contractual, civil, or commercial relationship with GRUPO EMPRESARIAL NEXO S.A.S.

At THE COMPANY, we prioritize security and recognize the importance of protecting the privacy and sensitive data of our clients, users, employees, contractors, allies, and any natural or legal person associated with THE COMPANY, who, for all legal purposes, are referred to as INFORMATION HOLDERS AND/OR RECIPIENTS.

 

III. DEFINITIONS

The following definitions help understand the provisions of this policy:

Information holder: The natural or legal person to whom the information contained in the database refers. Therefore, they are the only ones entitled to authorize its collection, processing, and rectification at any time.

  • Authorization: The prior, express, and informed consent of the information holder to carry out the processing of personal data.
  • Database: An organized set of personal data that is subject to processing and is extracted from any physical or electronic means authorized by the information holder.
  • Cookies: Virtual text strings sent and stored by the operator using the platform, for the consultation of user activities and preferences.
  • User: An individual who occasionally or regularly uses/views/shows interest in a service, either directly or through the provided platform.
  • Personal data: Any information linked to one or more identified or identifiable natural persons. Examples include merchants’ books, private documents, information obtained through the inspection of a domicile.
  • Client: An individual who occasionally or regularly acquires/purchases a specific service.
  • Ally: A natural or legal person engaged in an economic activity connected or related to THE COMPANY and involved in commercial agreements or transactions that allow for reciprocal benefits.
  • Private personal data: Data that, due to its intimate or confidential nature, is relevant only to the data subject. Examples include merchants’ books, private documents, information obtained through the inspection of a domicile, among others.
  • Semi-private personal data: Data that is not of an intimate, confidential, or public nature, but whose knowledge or disclosure may be of interest not only to the data subject but also to a certain sector or society in general. Financial and credit data related to commercial or service activities are some examples.
  • Sensitive data: Data that may affect the privacy of the data subject or whose misuse may lead to discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, union membership, among others.
  • Interaction on the Platform: The ability for clients to access and learn about the services displayed by THE OPERATOR and its advertising.
  • Advertising: Any form of communication carried out by THE OPERATOR to provide information about commercial activities and communicate its own or third-party marketing or advertising campaigns, conducted as a reference mechanism and not as a public offer.
  • Platform Operator: Responsible for the operational and functional administration of the Platform, represented for the purposes of this policy by GRUPO EMPRESARIAL NEXO S.A.S., or by the natural or legal person designated by it.
  • Data Controller: The natural or legal person, public or private, who, either alone or in association with others, decides on the database and/or the processing of data, represented for the purposes of this policy by GRUPO EMPRESARIAL NEXO S.A.S.
  • Data Processor: The natural or legal person, public or private, who, either alone or in association with others, processes personal data on behalf of the data controller.
  • Processing: Any operation or set of operations performed on personal data, such as collection, storage, use, circulation, or deletion.
  • Data transmission: Processing of personal data that involves the communication of such data within (national transmission) or outside of Colombia (international transmission), and must be carried out by the data processor and controller.
  • Complaint: The power and right of the data subject to request the correction, update, or deletion of their information, or when they believe that any of the obligations of Law 1581 of 2012 or those provided in the data processing policy have been violated.
  • Requirement for proceedability: A prerequisite that the data subject or their legal representative must fulfill before filing a complaint with the Superintendence of Industry and Commerce. It consists of exhausting the consultation or complaint process with the data controller or data processor.

 

IV. GUIDING PRINCIPLES FOR THE HANDLING OF PERSONAL DATA

    • Principle of legality in the processing of data: The processing referred to in this document is a regulated activity that must comply with the provisions of the law and other regulations that develop it.
    • Principle of purpose: The processing must serve a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the data subject.
    • Principle of freedom: Processing can only be carried out with the prior, express, and informed consent of the data subject. Personal data cannot be obtained or disclosed without prior authorization, except in cases where there is a legal or judicial mandate that exempts the requirement for consent.
    • Principle of truth or quality: The information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. The processing of partial, incomplete, fragmented, or misleading data is prohibited.
    • Principle of transparency: The data subject has the right to obtain, at any time and without restrictions, information from the data controller or data processor about the existence of data concerning them.
    • Principle of restricted access and circulation: The processing is subject to the limitations derived from the nature of personal data, as well as the provisions of this policy and the Constitution. In this sense, the processing can only be carried out by authorized persons appointed by the data subject and/or as provided in this policy.
    • Principle of security: The information subject to processing by the data controller or data processor must be handled with technical, human, and administrative measures to ensure its security.
    • Principle of confidentiality: All individuals involved in the processing of personal data that is not of a public nature are obligated to guarantee the confidentiality of the information, even after their relationship with the processing activities has ended. They may only disclose or communicate personal data when it corresponds to the authorized activities defined in this policy and under the terms specified.
    • Principle of comprehensive interpretation of constitutional rights: Constitutional rights shall be interpreted broadly and comprehensively.
    • Principle of proportionality in establishing exceptions: The law may establish exceptions to the general regime for data management, but such special treatment must be justified in terms of proportionality and comply with international protection standards.
    • Principle of an independent authority: The adoption of regulations is effective only if there is a body within the state structure responsible for ensuring compliance with the principles set out above. This authority must guarantee impartiality and independence.
    • Principle of requiring equivalent protection standards for international data transfers: As deduced from Article 26 of the Statutory Law Project, there is an international prohibition on transferring data to countries that do not provide adequate levels of data protection.

 

V. REGULATORY FRAMEWORK

Article 15 of the Political Constitution of Colombia states:

“All individuals have the right to their personal and family privacy and to their good name, and the State must respect and protect these rights. Likewise, individuals have the right to know, update, and rectify the information collected about them in databases and files of public and private entities. Freedom and other guarantees established in the Constitution shall be respected in the collection, processing, and circulation of data.

Correspondence and other forms of private communication are inviolable. They may only be intercepted or recorded by judicial order, in cases and with the formalities established by law. For tax or judicial purposes, as well as for inspection, surveillance, and intervention by the State, the presentation of accounting books and other private documents may be required, in the terms indicated by law.”

Article 20 of the Political Constitution of Colombia states:

“All individuals are guaranteed the freedom to express and disseminate their thoughts and opinions, to inform and receive truthful and impartial information, and to establish mass media outlets. These outlets are free and have social responsibility. The right to rectification under equitable conditions is guaranteed. There shall be no censorship.”

Law 1581 of 2012, regulated by Decree 1377 of 2013, developed the constitutional right that all individuals have to know, update, and rectify the information collected in databases and/or files, as well as the constitutional rights enshrined in the aforementioned articles of the political constitution of Colombia.

THE COMPANY, in compliance with Colombian regulations regarding the processing of personal data, is committed to protecting the personal data of its users, clients, employees, contractors, and allies, and to respecting the rights of the data subjects. Therefore, it subscribes to and makes known the following Personal Data Processing Policy, which is mandatory in all activities involving the processing of personal data and must be complied with by the company, its administrators, employees, and officials.

 

VI. AUTHORIZATION AND CONSENT

The data provided by users, clients, employees, contractors, and allies may fall into certain categories, such as sensitive data, which requires the free, prior, express, and informed consent of the Data Subject for its processing by THE COMPANY.

THE COMPANY will always keep a record of the authorization given by the Data Subject through appropriate means that ensure it was expressly, freely, priorly, and informedly granted. These means include written authorizations, electronic media, accepting terms and conditions of services on the website, the corresponding privacy notice supporting the Processing of Personal Data, or any other mechanism that allows proving and demonstrating a record, access, or affiliation to THE COMPANY’s services.

Likewise, consent may be implicit in cases where, once accessing the website and viewing GRUPO EMPRESARIAL NEXO S.A.S.’s policies, the user decides to use our services.

Considering the above, the following personal data may be collected:

Customer Information:

Information about the services acquired and contracted by our clients. This process may involve collecting data such as:

  • Contact information, including name, identification number, nationality, date of birth, email address, contact phone number, marital status.
  • When making a payment, the credit card number and billing and/or shipping information may be requested. Information related to personal interests and service preferences.

FIRST PARAGRAPH: Some data provided through our website, or other physical or digital means may be considered sensitive data since the disclosure of such data may lead to distinctions of moral, ideological, and other nature. Therefore, we have a privacy policy for handling personal data of our users or clients, which is reserved solely for fulfilling the main purpose of the company, as well as those stipulated in the “Processing and Purposes” section.

SECOND PARAGRAPH: The services provided by THE COMPANY can only be acquired by individuals who have legal capacity to enter contracts according to the current Colombian legislation (Article 1502 C.C.), meaning they have the authority to bind themselves. Therefore, if the User/client lacks such legal capacity, they will NOT be able to carry out transactions with our company for the purpose of service contracting.

 

VII. RIGHTS OF DATA SUBJECTS PROVIDING PERSONAL DATA

  • Know, update, and rectify their personal data in front of the Data Controllers or Data Processors. This right can be exercised, among others, regarding partial, inaccurate, incomplete, fragmented data, misleading information, or data whose Processing is expressly prohibited or has not been authorized.
  • Request proof of the authorization granted to the Data Controller, except when expressly exempted as a requirement for Processing, in accordance with Article 10 of Law 1581 of 2012.
  • Be informed by the Data Controller or Data Processor, upon request, about the use that has been given or will be given to their personal data.
  • File complaints with the Superintendence of Industry and Commerce for violations of the provisions of this law and other regulations that modify, add to, or complement it.
  • Revoke the authorization and/or request the deletion of the data when the Processing does not comply with constitutional and legal principles, rights, and guarantees. The revocation and/or deletion shall be granted when the Superintendence of Industry and Commerce has determined that the Data Controller or Data Processor have engaged in conduct contrary to this law and the Constitution.
  • Access their personal data that has been subject to Processing free of charge.

 

VIII. OBLIGATIONS

The Data Controllers must fulfill the following duties, without prejudice to other provisions established in this law and in others governing their activity:

  • Guarantee the Data Subject, at all times, the full and effective exercise of the right to habeas data.
  • Request and keep, under the conditions provided in Law 1581 of 2012, a copy of the respective authorization granted by the Data Subject.
  • Properly inform the Data Subject about the purpose of the data collection and the rights they are entitled to by virtue of the granted authorization.
  • Preserve the information under the necessary security conditions to prevent its alteration, loss, consultation, unauthorized or fraudulent use or access.
  • Ensure that the information provided to the Data Processor is truthful, complete, accurate, updated, verifiable, and understandable.
  • Update the information by promptly communicating any changes to the Data Processor regarding the data previously provided and take the necessary measures to keep the information supplied to them up to date.
  • Rectify the information when it is incorrect and communicate the relevant corrections to the Data Processor.
  • Only provide the Data Processor with data whose Processing has been previously authorized in accordance with the provisions of Law 1581 of 2012.
  • Demand from the Data Processor, at all times, compliance with the security and privacy conditions of the Data Subject’s information.
  • Process queries and complaints in the terms indicated in Law 1581 of 2012.
  • Develop an internal manual of policies and procedures to ensure the proper compliance with this law, especially for handling queries and complaints.
  • Inform the Data Processor when certain information is under discussion by the Data Subject, once a claim has been submitted and the respective process has not yet concluded.
  • Provide information, upon request of the Data Subject, regarding the use of their data.
  • Notify the data protection authority in case of security breaches or risks in the administration of the Data Subject’s information.
  • Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

 

IX. DATA PROCESSING AND PURPOSE

THE COMPANY will carry out, among other things, but not limited to, the processing, collection, storage, and use of personal data in accordance with the conditions established by the data subject. The law or public entities require the fulfillment of activities related to THE COMPANY’s social purpose, such as contracting, execution, and commercialization of services offered by THE COMPANY through different communication channels. The processing of personal data will be carried out through automated, telephone, or digital means. The purpose of using personal data, among others, will be:

  • Know, store, and process all the information provided by data subjects in one or more databases, in the format deemed most convenient.
  • Perform all tax, accounting, fiscal, and billing-related tasks.
  • Organize, catalog, classify, divide, validate, investigate, or verify the provided information with any legitimately available information.
  • Access, consult, compare, and evaluate all the information about the data subject stored in databases of any credit, financial, judicial and criminal history, whether public or private, national or foreign, or any commercial or service database that allows for a comprehensive understanding of their behavior.
  • Those provided for by law or by the explicit authorization of the user or client.
  • Sufficiently know their users, clients, workers, contractors, and allies with whom they intend to establish relationships, provide services, and assess the present or future risk of such relationships and services. Carry out the necessary procedures for the development of the pre-contractual, contractual, and post-contractual stages for the provision of services offered by THE COMPANY.
  • Carry out marketing, sales, promotional activities, customer service, promotions directly or through third parties derived from commercial alliances or any other link.
  • By acquiring any service from THE COMPANY through its website or in person, authorize the generation of statistics, receive information about benefits from commercial alliances, receive information about new services, their expiration, and updates.
  • Provide timely responses to requests, complaints, claims, among others, and conduct satisfaction surveys regarding the services offered.
  • Disclose, transfer, and/or transmit personal data within and outside the country to parent companies, subsidiaries, or third parties as required by a contract, law, or lawful relationship, or to implement services.
  • Comply with Colombian laws.
  • Comply with requirements from judicial and administrative authorities.

In general, THE COMPANY will collect data for its own purposes related to the operational and commercial development of the company, including:

  • Use the information for marketing purposes and for the benefit of third parties with whom we have a business relationship.
  • Provide personal data to police or judicial control and surveillance authorities, in accordance with legal or regulatory requirements.
  • Provide information to auditors or third parties contracted to conduct internal or external audits related to the commercial activity of THE COMPANY.
  • Consult and update personal data at any time in order to keep the information up to date.
  • Allow the transfer of information to third parties responsible for storing, digitizing, organizing, auditing, among other tasks related to the information.
  • In the event of a sale, merger, acquisition, consolidation, change in corporate control, transfer or assignment of assets for any reason, reorganization, or liquidation of the company.
  • Credit bureaus for the purpose of checking and reporting credit behavior; with suppliers, intermediaries, affiliates, and subsidiaries; to be contacted for the delivery of service information.

 

X. AUTHORIZATION FOR DATA PROCESSING

The processing of personal data requires the prior and informed authorization of the Data Subject, which will be included in the commercial proposal, service agreement, business alliance contracts, communication channels, or any other means that may be subject to subsequent consultation. Authorization refers to the consent given by the Data Subject for the responsible party to use their personal data.

In compliance with this policy and Colombian law, a procedure must be established to obtain authorization for the processing of personal data.

  1. Procedure for obtaining authorization:
    1. Clearly and expressly inform the Data Subject about the purpose and processing of their personal data.
    2. Inform the Data Subject about the rights granted to them as Data Subjects under Article 8 of Law 1581 of 2012.
    3. Provide the Data Subject with the identification and physical or electronic address of THE COMPANY.
    4. Make available to the Data Subject the authorization form and/or expression of consent through any means that may be subject to subsequent consultation, such as digital, physical, applications, social networks, among others.
    5. If sensitive data is involved, the authorization must be specific, informing the Data Subject that they are not obligated to authorize the processing of such information.

It is the duty of the data controller to explicitly and priorly inform the Data Subject about which data is sensitive and the purpose of the processing it will undergo.

  1. Authorization for the processing of data of children and adolescents.

THE COMPANY will ensure the respect for the prevailing rights of children and adolescents. Therefore, in order to obtain authorization for the processing of their personal data, the following must be guaranteed:

    1. The authorization must be granted by persons authorized to represent them.
    2. The representative must ensure their right to be heard and consider their opinion regarding the processing, taking into account their maturity, autonomy, and capacity.
    3. It must be made clear that it is optional to answer questions about data related to minors and/or adolescents.
  1. Strategies for Proper Data Processing Management

LEGAL STRATEGY: THE COMPANY carries out all its procedures and legal solutions in accordance with the provisions of Law 1581 of 2012 and other regulatory norms that govern Habeas Data.

INFORMATION TECHNOLOGY STRATEGY: THE COMPANY provides and anticipates possible alterations and vulnerabilities that personal data of users, clients, workers, contractors, and allies may suffer because of current IT risks. For this reason, through its website, it implements a technological security system and cookie management exclusively used by THE OPERATOR.

INSTITUTIONAL STRATEGY: THE COMPANY conducts training sessions on the current legal provisions of Colombian legislation regarding Data Processing and Policies to guarantee the right to Habeas Data. These training sessions are primarily aimed at those responsible for collecting personal data from users, as well as third parties directly involved in these functions. Additionally, the company will implement a prior evaluation of data processing, as indicated in the following chapter.

PARAGRAPH: The databases managed by THE COMPANY in which personal data is registered will remain valid as long as the information is kept and used for the purposes described in this policy. The data will be retained unless the Data Subject requests its deletion and there is no legal or contractual obligation to retain the information.

 

XI. INFORMATION TO BE REQUESTED

THE COMPANY, in order to fulfill its purpose and provide its services, will request the following information from its users, clients, and allies, i.e., “Data Subjects,” although it is not limited to:

  • Email address.
  • Landline phone number.
  • Mobile number.
  • First and last names.
  • Address
  • Date of birth.

 

XII. PRIOR PRIVACY IMPACT ASSESSMENT

As part of the strategies implemented by THE COMPANY to guarantee its users/clients the peace of mind of keeping their personal data safe while being collected and handled by the company, a prior privacy impact assessment will be conducted. This assessment will be internal to THE COMPANY and aims to identify the risks and internal controls that must be followed for the proper use and handling of personal data. This evaluation must contain, at a minimum, the following:

    1. A detailed description of the personal data processing operations carried out by the company and the relationship between data handling and the company’s mission.
    2. A detailed analysis of specific risks that may affect the rights and freedoms of the Data Subjects, as well as their classification and the subsequent adoption of measures to mitigate them.
    3. Description of the measures to be implemented to mitigate inherent risks generated by the handling of personal data, with the purpose of improving the quality and protection of such data.

XII.I Privacy Ethics

From an axiological perspective, THE COMPANY seeks to generate a policy of consciousness regarding information handling, based on privacy ethics. This entails adopting preventive and conscious measures regarding the importance of protecting the personal data of all clients/users.

XII.II Legitimacy And Purpose Of Data Processing

Law 1581 of 2021 states that “the processing must comply with a legitimate purpose according to the Constitution and the law, which must be informed to the Data Subject.” The Constitutional Court has further specified that “personal data must be processed for a specific and explicit purpose.” Therefore, the purpose of collecting and using personal data must not only be legitimate in terms of the authorization granted by the Data Subject for such processing, but also aligned with the purposes for which it was provided by the Data Subject. This means that the data controller must inform the Data Subject in a clear, sufficient, and prior manner about the purpose of the information. The use of data cannot be arbitrary or have ambiguous or indeterminate purposes; instead, the purpose must be previously defined to guarantee the constitutional rights granted to the client/user.

XII.III Specific Data Processing

The handling of personal data must not be broad or ambiguous in any case. The data controller must collect and use only the data that is essential to fulfill the purpose for which it was collected, in accordance with the company’s mission. Therefore, every organization must be able to describe the purposes for which the information was collected and justify, if necessary, the need to gather that data, in accordance with the provisions of Article 4 of Decree 1377 of 2013 and the chapter 9 of this document.

The Constitutional Court, in sentence C-748 of 2011, has pronounced on the matter and established that the registration and disclosure of data that is not strictly related to the objective of the created database and the information previously provided to the Data Subject is prohibited. Entities responsible for such data handling must do everything reasonably possible to limit the processing of data to the minimum necessary for their requirements.

Furthermore, the following characteristics are established regarding the collected data:

    • Adequate
    • Relevant
    • In accordance with the purposes for which they were intended

XII.IV. Legality In The Collection Of Personal Data

As established by the Constitutional Court in ruling C-170 of 2001, the principle of legality has a dual condition. On one hand, it serves as the guiding principle for the proper exercise of power, and on the other hand, it serves as the guiding principle for imposing sanctions. Under this framework, it is stated that no public or private entity has any authority that is not expressly, clearly, and precisely prescribed by law. Therefore, THE COMPANY ensures that it fully complies with the provisions of the law regarding the handling and use of personal data in relation to the fundamental right of habeas data.

XII.V. Diagnosis

THE COMPANY ensures compliance with the principle of legality by conducting an internal assessment through the diagnostic questionnaire for compliance with Law 1581 of 2012, published in December 2018 by the Delegation for the Protection of Personal Data of the Superintendence of Industry and Commerce. This diagnosis is carried out by verifying the following aspects:

    • Principles for the Treatment of Personal Data.
    • Treatment of Sensitive Data and Data of Minors.
    • Rights of Data Subjects.
    • Authorization for the Treatment of Personal Data.
    • Minimum Information for Data Subjects.
    • Provision of Personal Information.
    • Handling of Data Subject Inquiries and Complaints.
    • Personal Data Treatment Policy.
    • Privacy Notice.
    • Reporting Security Breaches.
    • Management of Data Processors.
    • Transfer and International Transmission of Personal Data.
    • Demonstrated Accountability.
    • National Database Registry.

XII.VI. Legality In The Collection Of Personal Data

In accordance with the provisions of the law, it is prohibited to use deceptive or fraudulent means to collect and process personal data.

The legality in the collection of personal data is linked to the explicit consent granted by the data subject. As stated in Chapter 6 of this policy, as established in Article 5 of Decree 1377 of 2013, “the data controller must adopt procedures to request, at the latest at the time of data collection, the consent of the data subject and inform them of the data that will be collected and the purpose thereof.”

It will be understood that the data subject has given their authorization for the processing of personal data, and therefore, the handling of such data by THE COMPANY is legal and agreed upon with the data subject when:

    • It is in writing.
    • It is verbal.
    • It is through unequivocal conduct, that is, conduct that does not allow any doubt or misunderstanding from the data subject, leading to a reasonable conclusion that they have granted their authorization. In other words, authorization can also be obtained through evident, clear, and incontrovertible conduct of the data subject that leaves no doubt or misunderstanding about their willingness to consent to the processing of their data, such as accepting a commercial proposal for the acquisition of services.

 

XIII. GUIDELINES FOR DATA PROCESSING BY THIRD PARTIES

THE COMPANY, in the exercise of its corporate purpose, may require third parties to perform functions within the company. Although THE COMPANY is the sole responsible party for user/customer data in its services, it is also responsible for the actions of its employees with regards to that information, as it will be accessible to them in the course of their duties within the company. In this regard, it is necessary to implement measures aimed at constant surveillance and control of data, as well as the training of employees on the improper use of such data. Likewise, the employment or service contracts entered with our employees specify the obligations and duties they must fulfill as data processors, in accordance with Article 18 of Law 1581 of 2012. The duties for employees and contractors will be as follows:

  • Comply with THE COMPANY’s Information Processing policies.
  • Ensure the security and confidentiality of Personal Data in accordance with the confidentiality agreement signed in the contract.
  • Not use Personal Data for purposes other than those authorized.
  • Not retain Personal Data (copies of forms, records, electronic files) after the termination of the service contract.
  • Return to THE COMPANY all the data processed during the provision of their services.

XIII.I Security Duty for Stored And Collected Data

All data collected through templates, forms, video calls, facial or fingerprint recognition, biometric systems, or any other physical or electronic means provided by THE COMPANY will be protected by the company through security measures and constant monitoring of our employees to prevent:

    • Unauthorized or improper access to information.
    • Manipulation of information.
    • Destruction of information.
    • Unauthorized or improper use of information.
    • Circulation or disclosure of information to unauthorized individuals.

The security measures implemented by THE COMPANY will be based on the following factors:

    • The risk levels associated with the processing that may affect the rights and freedoms of data subjects.
    • The nature of the data.
    • The potential consequences that may arise from a breach for data subjects, as well as the extent of the harm that may be caused to them, the data controller, and society in general.
    • The number of data subjects and the amount of information.
    • The size of the organization.
    • The resources available to mitigate risks.
    • The state of the art.
    • The scope, context, and purposes of the information processing.

XIII.II Data Deletion

THE COMPANY is committed to deleting from its databases any information that is no longer necessary, meaning that it no longer serves the purpose for which it was provided by the data subject or as a result of the termination of the contract between the company and the data subject/user/client, in accordance with Article 11 of Decree 1377 of 2013. The goal is not to store data indefinitely and without purpose, but rather to generate trust and reassurance for our clients.

 

XIV. PRIVACY NOTICE

The privacy notice is the physical, electronic, or any other format document made available to the data subject to inform them about the processing of their personal data. Through this document, the data subject is provided with information regarding the existence of THE COMPANY’s information processing policies that are applicable to them, how to access these policies, and the characteristics of the intended data processing. The privacy notice is publicly available on the website: https://nexo.legal/

 

XV. PROCEDURE FOR INQUIRIES, COMPLAINTS, RECTIFICATION, AND UPDATING OF DATA

At any time and free of charge, the data subject or their representative may request the responsible party for the processing of their personal data to rectify, update, or delete their personal data, subject to verification of their identity. The departments within THE COMPANY responsible for handling inquiries, requests, and complaints, and where the data subject can exercise their rights to access, update, rectify, or revoke authorization as provided by law, are as follows:

RESPONSIBLE

AREA

CONTACT

Miguel Ángel Sánchez

Comercial

direccioncomercial@nexo.legal

 

XV.I. Inquiries

Data subjects, their successors, or authorized or empowered third parties may inquire about the personal information of the data subject held in any database. Consequently, THE COMPANY will guarantee the right to inquire by providing data subjects with all the information contained in the individual record or that is linked to the identification of the data subject. To exercise this right, the data subject, successor, authorized third party, or representative may make the inquiry through:

    • Written communication: Addressed to THE COMPANY, which must include at least the following: Date of the request, home address, and telephone number for notification purposes.
    • Email: THE COMPANY has provided the email address direccioncomercial@nexo.legal for this purpose.

Regardless of the medium used to exercise this right, THE COMPANY will attend to the request if the following requirements are met:

    • Data Subject: Written communication accompanied by a photocopy of the identification document, a description of the request, and an explanation of the reasons behind it.
    • Authorized Third Party / Representative: Written communication, an authorization letter, or a document that proves the representation, if applicable, the identification document of the data subject, and the authorized person.

Requests for inquiries will be addressed within a maximum period of ten (10) business days from the date of receipt. If it is not possible to address the inquiry within this period, the interested party will be informed before the expiration of the 10-day period, stating the reasons for the delay and indicating the date when the inquiry will be addressed, which in no case will exceed double the initial term indicated.

 

XVI. CLAIMS

The data subject or their successors who believe that the information contained in a database should be corrected, updated, or deleted, or who notice the alleged non-compliance with any of the duties contained in the Law, may file a claim with the data controller, channeling and sending it through the indicated email addresses, and it must contain:

  • Identity of the applicant.
  • Copy of the identification document.
  • Reference of the case.
  • The response will be provided within a period of ten (10) calendar days from the receipt of the claim.

XVI.I. Rectification and updating of data.

The claim shall be made through a written request addressed to THE COMPANY, through the areas indicated above. In requests for rectification and updating of personal data, the data subject must indicate the corrections to be made and provide the documentation that supports their request. If the claim is incomplete, the applicant will be requested to rectify the shortcomings within the following five (5) business days after the receipt of the claim. If two (2) months have elapsed since the date of the requirement and the applicant has not submitted the requested information, it will be understood that they have withdrawn the claim. The maximum term to address the claim will be fifteen (15) business days from the day following the date of its receipt. If it is not possible to address the claim within this period, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the initial term. The right to cancellation is not absolute, and THE COMPANY may deny its exercise when: i) The data subject has a legal or contractual duty to remain in the database. ii) The deletion of data obstructs judicial or administrative actions related to tax obligations, investigations, and prosecution of crimes.

In accordance with the guidelines established by law, before resorting to the Superintendence of Industry and Commerce, the data subject must initially process their claim with THE COMPANY, through the contacts indicated in this document.

 

XVII. DATA ERASURE

The data subject has the right, at any time, to request THE COMPANY the deletion or elimination of their personal data when:

  • They consider that the data is not being processed in accordance with the principles, duties, and obligations provided by current regulations.
  • The data is no longer necessary or relevant for the purpose for which it was collected.
  • The period necessary for the fulfillment of the purposes for which it was collected has expired.

This erasure implies the total or partial elimination of personal information as requested by the data subject in the records, files, databases, or treatments carried out by THE COMPANY. It is important to note that the right to cancellation is not absolute, and THE COMPANY may deny the exercise of this right when:

  • The data subject has a legal or contractual duty to remain in the database.
  • The deletion of data obstructs judicial or administrative actions related to tax obligations, investigations, and prosecution of crimes.
  • The data is necessary to protect legally protected interests of the data subject, to carry out an action in the public interest, or to comply with a legal obligation acquired by the data subject.

 

XVIII. REVOCATION OF AUTHORIZATION

Data subjects may revoke their consent to the processing of their personal data at any time if it is not prevented by a legal or contractual provision. For this purpose, THE COMPANY establishes that the data subject, representative, or authorized person must send a communication attaching their identification document through the following channels:

  • Written communication: Addressed to THE COMPANY, which must contain at least the following information: Date of the request, home address, and telephone number for notification purposes.
  • Email: THE COMPANY has provided the indicated email addresses for this purpose: direccioncomercial@nexo.legal, according to the case.

It should be noted that there are two modalities in which the revocation of consent can occur. The first one can be for all the consented purposes, which means that THE COMPANY must completely stop processing the data of the data subject. The second one can be for specific types of processing, such as for advertising purposes or market studies. With the second modality, that is, the partial revocation of consent, other processing purposes that the data controller can carry out and with which the data subject agrees will be kept safe.

 

XIX. REQUEST FOR CORRECTION, UPDATE, AND DATA ERASURE

The purpose of complaints is solely for the data subject to request the correction, update, or deletion of data or to file a complaint regarding the alleged non-compliance with any of the duties established for the data protection regime and in this policy. The complaint must be submitted through the channels established in this policy:

  • Email: direccioncomercial@nexo.legal
  • Physical address: Calle 11 # 43 B 50, Parque Empresarial Calle 11, Barrio Manila, Medellín, Antioquia.
  • Website: https://nexo.legal/
  • Cell phone number: (+57) 3153354174

The complaint must indicate:

  • Name and identification of the data subject or the authorized person.
  • Accurate and complete description of the facts that give rise to the complaint.
  • Physical or email address to send the response and inform about the status of the process.
  • Documents and other relevant evidence that the complainant wishes to submit.

If additional documentation is required, the complainant will be notified so that they can provide or submit the missing information within a maximum period of 5 days. If, after a period of 2 months, the requester does not provide the requested information, it will be understood that they have withdrawn the complaint, and the case will be closed. If the complaint is complete, a note stating, “complaint in progress” and the reason for it will be included in the database or information system within a maximum period of two (2) business days. This note must be maintained until the complaint is resolved. The maximum period to address the complaint will be fifteen (15) business days from the day following its receipt. If it is not possible to address the complaint within that period, the interested party will be informed of the reasons for the delay and the date on which their complaint will be addressed, which will in no case exceed eight (8) business days following the expiration of the initial term.

 

XX. DATA PROTECTION AND MANAGEMENT RESPONSIBLE PARTY

The Personal Data Protection Officer is the person and department responsible for the data protection function, and can be contacted through:

  • Email: direccioncomercial@nexo.legal
  • Physical address: Calle 11 # 43 B 50, Parque Empresarial Calle 11, Barrio Manila, Medellín, Antioquia.
  • Website: https://nexo.legal/
  • Cell phone number: (+57) 3153354174

 

XXI. PERSONAL DATA PROTECTION RESPONSIBLE PARTY

The Personal Data Protection Officer is the person and department responsible for the data protection function, and can be contacted through:

  • Email: direccioncomercial@nexo.legal
  • Physical address: Calle 11 # 43 B 50, Parque Empresarial Calle 11, Barrio Manila, Medellín, Antioquia.
  • Website: https://nexo.legal/
  • Cell phone number: (+57) 3153354174

 

XXII. EFFECTIVENESS

This policy comes into effect upon its promulgation and will adhere to the guidelines outlined in Law 1581 of 2012 and Decree 1377 of June 27, 2013. Its validity will be for a reasonable and necessary period of time to fulfill the purposes of the data processing, taking into account the provisions of Article 11 of Decree 1377 of 2013.

 

XXIII. MODIFICATIONS

If updates to this policy are required, THE COMPANY will notify the data subjects of such changes via email in order to obtain their acceptance and/or revocation of the processing of their data under the new terms.

 

COOKIES POLICY

 

I. WHAT ARE COOKIES?

Cookies are small files that are installed on the hard drive or browser of a computer, tablet, smartphone, or equivalent device with internet browsing capabilities. They help, among other things, to personalize the services of the website owner, facilitate navigation and usability, obtain aggregated information about website visitors, enable the playback and display of multimedia content on the website, allow interaction between the user and the website, or enable tools.

 

II. AUTHORIZATION FOR THE USE OF OWN COOKIES AND CLICKSTREAM TECHNOLOGY

The internet browser automatically collects information about what the user accessed before entering our website, the type of search they used to access our portal, among other things. In order to understand how visitors, use our website and provide them with a better and safer browsing experience, our website may track the pages visited by our users. For this purpose, information is collected using “Cookies” or Clickstream Technology. By accepting these terms and conditions, the user authorizes the collection of cookies used in their browsing according to the conditions and the following:

 

III. AUTHORIZATION FOR THE USE OF THIRD-PARTY COOKIES

This refers to the collection of data on our website, which aims to compile statistical information about the user by storing cookies on the visitor’s hard drive. To gather this information and subject it to statistical analysis for our website and application, we use the services of Google Analytics. This implies the collection and storage of the mentioned information.

 

IV. AUTHORIZATION FOR COOKIES THAT CAN IDENTIFY THE USER

Only aggregated and anonymous data is stored for the purpose of conducting strictly statistical analysis on the number of visitors and the most visited content, in order to improve the website and increase the effectiveness of its online presence. Therefore, users, customers, employees, contractors, and partners of THE COMPANY acknowledge that they are aware that in the collection of data through the website or mobile applications, we may access such data.

 

V. NATIONAL OR INTERNATIONAL TRANSFER OF PERSONAL DATA

The user or customer acknowledges and accepts that THE COMPANY may transfer data to other data controllers when authorized by the data subject, by law, or by an administrative or judicial mandate.

 

VI. PROCEDURES FOR EXERCISING DATA SUBJECT RIGHTS

The procedures for data subjects to exercise their rights to access, update, rectify, and delete information, or revoke consent as stated in this policy will be detailed in the Data Protection and Data Management Policy.

  1. PERSONS AUTHORIZED TO EXERCISE RIGHTS:
    • By the Data Subject, who must sufficiently prove their identity through the various means made available by the data controller.
    • By their legal representatives, who must prove such representation.
    • By the authorized representative and/or attorney-in-fact of the Data Subject, upon proof of representation or power of attorney.
    • By stipulation in favor of or for the benefit of another person.
    • The rights of children or adolescents shall be exercised by individuals authorized to represent them.

2. RIGHT OF ACCESS:

Frequency: At least once every calendar month and/or whenever there are substantial modifications to the Information Processing Policies that warrant new inquiries.

3. UPDATE, RECTIFICATION, AND SUSPENSION

Methods: All inquiries and claims to THE COMPANY can be made through the following channels:

    • Email: direccioncomercial@nexo.legal
    • Physical address: Calle 11 # 43 B 50, Parque Empresarial Calle 11, Barrio Manila, Medellín, Antioquia.
    • Website: https://nexo.legal/
    • Phone number: (+57) 3153354174

 

VII. VALIDITY

This policy is effective from the date of its enactment and will comply with the guidelines set forth in Law 1581 of 2012 and Decree 1377 of June 27, 2013. Its validity will be for a reasonable and necessary period to fulfill the purposes of data processing, in accordance with Article 11 of Decree 1377 of 2013.

 

Authorized by,

SANTIAGO OCHOA TAMAYO

CEO, NEXO BUSINESS GROUP S.A.S.

plugins premium WordPress
es_COES
Scroll to Top