Privacy Notice
The International Maria Luisa de Moreno Foundation, with Tax Identification Number (NIT) 830.073.822-1, respects the confidentiality and right to habeas data of its users.
The International Maria Luisa de Moreno Foundation is a non-profit social organisation, aimed at benefiting the most vulnerable communities at all levels. It achieves this through the development and implementation of educational, social, and humanitarian programmes. These programmes include the management and execution of projects and initiatives at both national and international levels, seeking to improve the quality of life of beneficiaries within the communities of our influence and interest groups.
To comply with Law 1581 of 2012 on personal data protection and Decree 1377 of 2013, which regulates it, the International Maria Luisa de Moreno Foundation informs that, prior to the issuance of these regulations, it has collected some of your personal data and used it to involve you in its activities and events. In this regard, we inform you that:
- The International Maria Luisa de Moreno Foundation has adopted internal policies for personal data processing, allowing you to know, update, rectify, and delete the information held in our records (data deletion applies unless the data was provided in compliance with a legal or contractual obligation).
- To continue using your personal data for the originally stated purpose, the International Maria Luisa de Moreno Foundation requires your consent. If you wish your data to be deleted from our databases or prefer not to be contacted again, please communicate this by sending an email to the following address: [email protected]
- If you act as a legal representative, heir, or proxy of the data subject, you must provide a document accrediting such status.
- If the International Maria Luisa de Moreno Foundation receives no communication regarding the modification or deletion of your data, it will continue processing it as before.
PERSONAL DATA PROCESSING POLICY
In compliance with Statutory Law 1581 of 2012 and its Regulatory Decree 1377 of 2013, THE INTERNATIONAL MARIA LUISA DE MORENO FOUNDATION (hereinafter THE FOUNDATION) adopts this policy for the processing of personal data, which will be communicated to all data subjects whose data has been collected or will be obtained in the course of activities contemplated in its social purpose.
1. IDENTIFICATION OF THE DATA PROCESSING CONTROLLER: THE FOUNDATION is a non-profit organisation, duly registered with the Bogotá Chamber of Commerce on 23 April 2000 under number 00032505 in Book I of Non-Profit Legal Entities, with NIT. 830.073.822-1.
2. REGISTERED OFFICE AND ADDRESS: THE FOUNDATION’s registered office is in Bogotá D.C., and its main headquarters is located at Carrera 51 No. 130 – 29, Prado Veraniego neighbourhood. Email: [email protected] Phone: 7953000.
3. LEGAL FRAMEWORK: This Personal Data Processing Policy is developed in accordance with the provisions of the Colombian Political Constitution, Law 1581 of 2012, Regulatory Decree 1377 of 2013, and other complementary and related regulations.
4. SCOPE OF APPLICATION: THE FOUNDATION applies this policy regarding the collection, storage, use, circulation, deletion, compilation, exchange, provision, updating, and other activities, procedures, and processes constituting data processing.
5. DEFINITIONS, PRINCIPLES, AND AUTHORISATION: This policy utilises the terms authorisation, database, personal data, data processing controller, data processing processor, data subject, and data processing, as defined below:
a) Authorisation: Prior, express, and informed consent of the data subject to process their personal data;
b) Database: An organised set of personal data that is subject to processing;
c) Personal data: Any information linked or that can be associated with one or more determined or determinable natural persons;
d) Data processing processor: A natural or legal person, public or private, that processes personal data on behalf of the data processing controller;
e) Data processing controller: A natural or legal person, public or private, that, alone or jointly with others, decides on the database and/or the processing of data;
f) Data subject: A natural person whose personal data is subject to processing;
g) Data processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.
Additionally, regarding the terms privacy notice, public data, sensitive data, transfer, and transmission, the following are defined:
Privacy Notice: A verbal or written communication generated by the Data Processing Controller, directed to the Data Subject, informing them about the existence of data processing policies applicable to them, how to access them, and the purposes for which the data will be processed.
Public Data: Data that is not semi-private, private, or sensitive. Public data includes, among others, data related to an individual’s civil status, profession or occupation, and status as a merchant or public servant. By nature, public data may be found in public records, public documents, gazettes, official bulletins, and finalised judicial sentences that are not subject to confidentiality.
Sensitive Data: Data that affects the privacy of the data subject or whose improper use may lead to discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, trade union membership, health, sexual life, or biometric data.
Transfer: The transfer of data occurs when the Data Processing Controller and/or Processor, located in Colombia, sends the information or personal data to a recipient, who in turn is the Data Processing Controller and is located inside or outside the country.
Transmission: Data processing that involves the communication of the same within or outside the territory of the Republic of Colombia when it aims to carry out processing by the Data Processing Processor on behalf of the Data Processing Controller.
In processing personal data provided in this policy, THE FOUNDATION will apply the following guiding principles: Principle of Legality; Principle of Purpose; Principle of Freedom; Principle of Truthfulness or Quality; Principle of Transparency; Principle of Restricted Access and Circulation; Principle of Security; and Principle of Confidentiality.
Principle of Legality in Data Processing: The processing referred to by the law is a regulated activity that must comply with the provisions set forth therein and in other related regulations;
Principle of Purpose: Processing must serve a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Data Subject;
Principle of Freedom: Processing may only be carried out with the prior, express, and informed consent of the Data Subject. Personal data cannot be obtained or disclosed without prior authorisation, unless a legal or judicial mandate provides otherwise;
Principle of Truthfulness or Quality: The information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. The processing of partial, incomplete, fragmented data or data that induces errors is prohibited;
Principle of Transparency: The right of the Data Subject to obtain from the Data Processing Controller or Processor, at any time and without restrictions, information about the existence of data concerning them must be guaranteed;
Principle of Restricted Access and Circulation: Processing is subject to the limits arising from the nature of the personal data, the law, and the Constitution. In this regard, processing can only be carried out by authorised individuals and/or those stipulated by law. Personal data, except for public information, cannot be available on the Internet or other mass dissemination or communication media unless access is technically controllable to provide restricted knowledge to the Data Subjects or authorised third parties according to the law;
Principle of Security: The information subject to processing by the Data Processing Controller or Processor must be handled with the necessary technical, human, and administrative measures to ensure the security of the records, preventing their alteration, loss, consultation, unauthorised or fraudulent use, or access;
Principle of Confidentiality: All individuals involved in the processing of personal data that are not public are obligated to ensure the confidentiality of the information, even after their relationship with any of the tasks comprising the processing has ended. Data may only be supplied or disclosed when authorised by law and under the terms established therein.
The rights of Data Subjects may be exercised by the following individuals:
- The Data Subject, who must sufficiently verify their identity through various means provided by the Data Processing Controller.
- Their successors, who must provide evidence of their status.
- The representative and/or proxy of the Data Subject, subject to the verification of representation or authorisation.
- Those acting on behalf of another or for another.
- The rights of children and adolescents will be exercised by individuals authorised to represent them.
6. GENERAL PURPOSES OF DATA PROCESSING: Any data processing carried out by THE FOUNDATION has the general purpose of fulfilling and exercising THE FOUNDATION’s social purpose, as well as all activities related to it. The general purpose of the processing is aligned with THE FOUNDATION’s statutory objectives and related legal provisions.
7. PROCESSING TO WHICH DATA WILL BE SUBJECTED AND ITS PURPOSE WHEN NOT SPECIFIED IN THE PRIVACY NOTICE: THE FOUNDATION will process personal data for general purposes associated with its objectives, which include, but are not limited to, collection, storage, use, circulation, or deletion.
8. INSTRUMENTS FOR THE PROCESSING OF COLLECTED DATA: Data will be processed through manual or technological mechanisms. For each processing activity and purpose, formats or instruments, whether manual or digital, may be designed by the Processor on behalf of THE FOUNDATION, which will adhere to this Data Processing Policy.
9. RIGHTS OF DATA SUBJECTS WHOSE DATA IS PROCESSED BY THE FOUNDATION: In accordance with current regulations, the data subject whose data is processed by THE FOUNDATION has the following rights:
a) Authorise THE FOUNDATION to process their data.
b) Know, update, and rectify their personal data held by THE FOUNDATION through the channels, instruments, means, and/or resources provided, such as websites, email addresses, phone numbers, or physical addresses, among others.
c) This right applies, among others, to partial, inaccurate, incomplete, fragmented data that induces errors or to data whose processing is expressly prohibited or has not been authorised;
d) Request proof of the authorisation granted to THE FOUNDATION unless such authorisation is not required by law under Article 10 of Law 1581 of 2012;
e) Be informed by THE FOUNDATION, upon written request, about the use of their personal data;
f) Access their personal data free of charge that has been subject to processing.
g) Exercise all other rights provided under the Data Protection Law.
10. AUTHORISATION OF THE DATA SUBJECT: When prior, express, and informed consent from the data subject is required to process their personal data, THE FOUNDATION may obtain it through any medium that allows for subsequent verification. This includes written, verbal, or implied conduct by the data subject that reasonably concludes they have given their authorisation. THE FOUNDATION may use automated, digital, video, audio, or other available mechanisms to obtain consent. The written authorisation requested by THE FOUNDATION from data subjects must include, at a minimum, the following terms:
11. AUTHORISATION FOR PERSONAL DATA PROCESSING: Authorisation will not be required from THE FOUNDATION when processing is related to:
a) Information requested by a public or administrative entity in the exercise of its legal functions or by court order;
b) Data of a public nature;
c) Cases of medical or health emergencies;
d) Processing of information authorised by law for historical, statistical, or scientific purposes;
e) Data related to the Civil Registry of Persons.
Any individual accessing personal data without prior authorisation must, in all cases, comply with the provisions of the law.
12. SENSITIVE DATA: In the case of sensitive personal data, THE FOUNDATION may process it only when:
a) The data subject has given explicit consent, except in cases where such consent is not required by law;
b) Processing is necessary to safeguard the vital interest of the data subject, and they are physically or legally incapacitated. In these cases, the legal representatives must provide their authorisation;
c) Processing is carried out in the context of legitimate activities and with appropriate guarantees by a foundation, NGO, association, or any other non-profit organisation with political, philosophical, religious, or trade union purposes, provided it relates exclusively to its members or individuals with regular contact due to its purpose. In these cases, the data may not be supplied to third parties without the data subject’s authorisation;
d) Processing refers to data necessary for recognition, exercise, or defence of a right in a judicial process;
e) Processing has historical, statistical, or scientific purposes, provided measures are taken to anonymise the data subjects’ identity.
Notwithstanding the exceptions provided by law, the processing of sensitive data requires the prior, express, and informed consent of the data subject, which must be obtained by any medium that allows for consultation and verification.
13. DUTIES OF THE FOUNDATION AS THE DATA CONTROLLER: THE FOUNDATION, as the data controller, will fully comply with its obligations, including the following duties, without prejudice to other provisions stipulated by law and those governing its activity:
a) Guarantee the data subject, at all times, the full and effective exercise of their right to habeas data;
b) Request and retain, under the conditions provided by law, a copy of the respective authorisation granted by the data subject;
c) Properly inform the data subject of the purpose of the data collection and the rights they are entitled to under the authorisation granted;
d) Safeguard the information under security conditions necessary to prevent its alteration, loss, consultation, use, or unauthorised or fraudulent access;
e) Ensure that the information provided to the Data Processor is truthful, complete, accurate, up-to-date, verifiable, and understandable;
f) Update the information, promptly notifying the Data Processor of all changes to previously supplied data and taking necessary steps to ensure the information remains up-to-date;
g) Rectify the information when it is incorrect and inform the Data Processor accordingly;
h) Provide the Data Processor, as applicable, only data authorised for processing under this policy and the law;
i) Require the Data Processor to respect, at all times, the security and privacy conditions of the data subject’s information;
j) Handle consultations and complaints submitted in accordance with the terms outlined by law;
k) Inform the Data Processor when specific information is under dispute by the data subject, once the claim has been submitted and the respective procedure has not been concluded;
l) Inform the data subject, upon request, of the use made of their data;
m) Notify the Data Protection Authority when security codes are breached, and risks arise in managing data subjects’ information.
n) Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
14. DUTIES OF DATA PROCESSORS: THE FOUNDATION may directly or through third parties act as a data processor. In such cases, it will comply with or ensure compliance with the duties of data processors stipulated in Article 18 of Law 1581 of 2012 and related complementary provisions. As of the date of issuance of this policy, THE FOUNDATION is both the data controller and processor.
15. PRIVACY NOTICE: The Privacy Notice is a physical, electronic, or any other format document made available to the data subject to inform them about the processing of their personal data. Through this document, the data subject is informed about the existence of THE FOUNDATION’s data processing policies, how to access them, and the characteristics of the data processing intended. The Privacy Notice must include, at a minimum, the following information:
a) The identity, registered office, and contact details of the data controller.
b) The type of processing to which the data will be subjected and its purpose.
c) The data subject’s rights.
d) The general mechanisms made available by the data controller to allow the data subject to know the data processing policy and any substantial changes thereto. In all cases, the data subject must be informed about how to access or consult the data processing policy.
e) The voluntary nature of responding to questions about sensitive data.
If THE FOUNDATION cannot provide the data subject with this data processing policy, they will be informed through a privacy notice about its existence and how to consult it.
16. RETENTION PERIOD OF PERSONAL DATA: Personal data belonging to data subjects will remain registered in THE FOUNDATION’s databases for a term of ten (10) years, automatically renewable indefinitely for equal or successive periods, unless the data subject expressly states otherwise in writing, in accordance with the purposes that justified the processing. Personal data may be retained for longer periods in compliance with legal requirements, such as those related to document management, evidence handling, or for historical or statistical purposes, among others. Personal data may be retained for shorter periods when the purpose of its processing has been fulfilled.
17. GUARANTEES OF THE RIGHT TO ACCESS: To guarantee the data subject’s right to access their data, THE FOUNDATION will make the data available to them, upon verification of their identity, legitimacy, or representation, free of charge and in a detailed manner. The data must be provided through any medium, including electronic ones, allowing the data subject to access and update their data online.
18. PROCEDURE FOR HANDLING QUERIES, CLAIMS, REQUESTS FOR RECTIFICATION, UPDATING, AND DATA DELETION:
Queries: Data subjects or their successors may query the data subject’s personal information held by THE FOUNDATION. THE FOUNDATION will provide all the information contained in the individual record or linked to the data subject’s identification. For responding to queries about personal data, THE FOUNDATION guarantees:
a) Enable electronic or other means of communication deemed appropriate.
b) Establish forms, systems, and other simplified methods, which will be informed in the privacy notice.
c) Use the customer service or claims handling services currently in operation.
d) The query must be submitted to THE FOUNDATION’s Digital Area using the contact details mentioned herein, providing at least the full name of the data subject, their identification number, and their physical or electronic address for responding. Once the request is received, a copy of the authorisation will be sent within ten (10) business days from the day following the receipt of the query. If it cannot be addressed within this timeframe, the individual will be informed of the reasons for the delay and the expected response date, which will not exceed eight (8) additional business days.
e) Queries may be submitted via email at [email protected]
Claims: Data subjects or their successors who consider that the information contained in a database should be corrected, updated, or deleted, or who identify a possible violation of any legal duties, may file a claim with THE FOUNDATION, which will process it under the following rules:
The claim must be submitted via email at [email protected] or via written communication to [email protected], including the identification of the data subject, a description of the facts leading to the claim, the address, and the documents the claimant wishes to use as evidence. If the claim is incomplete, the claimant will be required to correct the deficiencies within five (5) days following its receipt. If two (2) months pass without the claimant submitting the required information, the claim will be deemed withdrawn. If the claim is received by an unauthorised party, it will be forwarded to the appropriate person within two (2) business days, and the claimant will be informed accordingly.
Once a complete claim is received, it will be labelled as “claim in process,” along with its reason, within a maximum term of two (2) business days. This label will remain until the claim is resolved.
The maximum term for addressing a claim will be fifteen (15) business days from the day following its receipt. If it cannot be resolved within this term, the claimant will be informed of the reasons for the delay and the expected resolution date, which will not exceed eight (8) additional business days.
Petitions for Updating and/or Rectification: THE FOUNDATION will update and rectify the information of the data subject when it is incomplete or inaccurate, following the procedure and deadlines indicated above. To do so, the data subject must:
Submit their request via email to [email protected] or in physical form to THE FOUNDATION at the address mentioned in this policy, specifying the required update or rectification and providing supporting documentation.
THE FOUNDATION may enable mechanisms to facilitate the exercise of this right for the data subject, provided these benefit them. Accordingly, electronic or other means deemed suitable may be enabled, which will be informed in the privacy notice and made available on the website.
Petitions for Data Deletion: The data subject has the right to request the deletion of their personal data in the following cases:
a) If they believe the data is not being processed in accordance with the principles, duties, and obligations set forth in current regulations.
b) If the data is no longer necessary or relevant for the purpose for which it was collected.
c) If the period required to fulfil the purpose for which the data was collected has been exceeded.
This deletion implies the total or partial elimination of personal information as requested by the data subject from the records, archives, databases, or processing activities carried out by THE FOUNDATION. However, this right is not absolute, and THE FOUNDATION may deny its exercise when:
a) The data subject has a legal or contractual obligation to remain in the database.
b) Deleting the data hinders judicial or administrative actions related to fiscal obligations, investigations, or sanctions.
c) The data is necessary to protect the data subject’s legally protected interests, perform an action in the public interest, or comply with a legal obligation acquired by the data subject.
19. NATIONAL DATABASE REGISTRY: THE FOUNDATION reserves the right, in the events contemplated by law, its statutes, and internal regulations, to maintain and classify certain information in its databases as confidential, in accordance with applicable regulations, its statutes, and internal rules.
20. INFORMATION SECURITY AND SECURITY MEASURES: In compliance with the security principle established in current regulations, THE FOUNDATION will adopt technical, human, and administrative measures necessary to safeguard the records, preventing their alteration, loss, consultation, unauthorised or fraudulent use, or access.
21. USE AND INTERNATIONAL TRANSFER OF PERSONAL DATA BY THE FOUNDATION: In fulfilling its social purpose and considering the nature of the relationships any data subject may have with THE FOUNDATION, it may transfer and transmit personal data, even internationally, as long as the applicable legal requirements are met. By accepting this policy, data subjects expressly authorise the transfer and transmission of their personal data internationally. Data will be transferred for any relationship established with THE FOUNDATION. For the international transfer of personal data, THE FOUNDATION will take necessary measures to ensure that third parties know and commit to observing this policy. The information received can only be used for matters directly related to THE FOUNDATION and only while these relationships last. For international data transfers, THE FOUNDATION will comply with Article 26 of Law 1581 of 2012. Data transmissions made by THE FOUNDATION do not require informing the data subject or obtaining their consent when a data transmission contract is in place under Article 25 of Decree 1377 of 2013. THE FOUNDATION may also share information with governmental or public authorities, including judicial or administrative authorities, tax authorities, and legal representatives, to comply with applicable laws or regulations, respond to legal processes, enforce terms and conditions, or protect its rights, privacy, and safety or those of others.
22. DATA CONTROLLER AND PROCESSOR: THE FOUNDATION will act as the data controller. The Digital Area will handle personal data processing on behalf of THE FOUNDATION.
23. VALIDITY: This policy is effective from 20 January 2016 and replaces any previous policies, regulations, or special manuals adopted by THE FOUNDATION.
MANUAL FOR PERSONAL DATA PROCESSING
Entity Responsible for Personal Data Processing:
INTERNATIONAL MARIA LUISA DE MORENO FOUNDATION
NIT. 830.073.822 – 1
Registered Office: Bogotá D.C.
Address: Carrera 51 No. 130 – 29, Prado Veraniego Neighbourhood
Phone: PBX +57 (1) 7953000
Email: [email protected]
1. PURPOSE
To guarantee the constitutional right of all individuals to know, update, and rectify the information collected about them in the databases or records held by the INTERNATIONAL MARIA LUISA DE MORENO FOUNDATION (hereinafter THE FOUNDATION). For the purposes of this Manual, THE FOUNDATION will be considered responsible for the information collected.
2. SCOPE OF APPLICATION
This Manual applies to all personal data recorded in any database that makes them subject to processing by THE FOUNDATION.
3. COVERAGE
This Manual applies to all levels of THE FOUNDATION and all personal databases under its control, including those managed by data processors acting on its behalf.
4. BACKGROUND
Through Law 1581 of 17 October 2012, the Colombian Congress issued General Provisions for the Protection of Personal Data, establishing the framework for the rights of data subjects and the obligations of data controllers and processors. The regulation aims to ensure proper authorisation from data subjects, define data processing policies, facilitate the exercise of data subject rights, and regulate data transfers and accountability in personal data processing. On 27 June 2013, Decree 1377 was issued to regulate the law and aid its implementation.
5. PURPOSE OF THE DATABASE
The collection of personal data by THE FOUNDATION has the following purposes:
a) To disseminate content of a social, cultural, commercial, or educational nature, or for use in literary, artistic, or any reproducible works aimed at teaching, research, or promotion, with or without commercial purposes. This includes, but is not limited to, transformation, reproduction, public communication, and distribution rights.
b) To disclose, transfer, and/or transmit personal data domestically and internationally to any organisation or third party as required by agreements, laws, or legitimate purposes, including cloud computing services.
c) To manage and achieve the goals and objectives outlined in THE FOUNDATION’s social purpose.
d) To carry out activities related to THE FOUNDATION’s projects, programmes, and other social, commercial, educational, or humanitarian initiatives, involving employees, contractors, associates, volunteers, suppliers, or beneficiaries.
e) To execute and fulfil contractual obligations.
f) To prevent and control fraud.
g) To meet requirements for accessing the General System of Comprehensive Social Security.
h) To exchange tax-related information under international treaties and agreements signed by Colombia.
i) To prevent and control money laundering and terrorism financing.
6. PERSONAL DATA PROCESSING
In compliance with Law 1581 of 2012 and relevant regulations, and under the authorisation provided by data subjects, THE FOUNDATION will perform operations or sets of operations involving data collection, storage, use, circulation, and/or deletion exclusively for authorised purposes outlined in this Manual. Processing will also be carried out when there is a legal or contractual obligation to do so.
7. DATA SUBJECT RIGHTS
In processing personal data, THE FOUNDATION respects the rights of data subjects, which include:
a) The right to know, update, and rectify their data, including data that is partial, inaccurate, incomplete, fragmented, or unauthorised.
b) The right to request proof of the authorisation granted for data processing, except when legally exempt.
c) The right to be informed about the use of their data upon request.
d) The right to file complaints with the relevant authority for breaches of data protection regulations.
e) The right to revoke authorisation and/or request data deletion when principles, rights, and guarantees are not respected.
f) The right to free access to their data that has been processed.
8. RESPONSIBLE AREA FOR HANDLING REQUESTS, QUERIES, AND CLAIMS
Requests, queries, and claims made by data subjects regarding the exercise of their rights to know, update, rectify, and delete data, or to revoke authorisation, should be directed to:
Digital Area
International Maria Luisa de Moreno Foundation
Address: Carrera 51 No. 130 – 29
Bogotá, D.C.
Phone: PBX +57 (1) 795 3000
Email: [email protected]
This area will serve as the contact point for data subjects for all matters specified in the authorisation granted in this Manual, in accordance with the procedure outlined below.
9. PROCEDURES FOR EXERCISING DATA SUBJECT RIGHTS
Data subjects, regardless of their relationship with THE FOUNDATION, may exercise their rights to know, update, rectify, and delete information and/or revoke authorisation by following these procedures:
a. Procedure for Requesting Proof of Authorisation
Requests must be submitted to THE FOUNDATION’s Digital Area using the contact details mentioned, providing at least the full name of the data subject, their identification number, and their physical or electronic address for responding. Upon receiving the request, a copy of the authorisation will be sent within ten (10) business days from the day after the request is received. If it cannot be addressed within this timeframe, the data subject will be informed of the reasons for the delay and the new deadline, which will not exceed eight (8) additional business days.
b. Procedure for Updating Information
The data subject interested in updating their information processed by THE FOUNDATION or the Data Processor may submit updated information through any of the channels established for this purpose, including the website or email provided by THE FOUNDATION.
c. Procedure for Rectifying, Deleting Information, and/or Revoking Authorisation
When the data subject intends to rectify, delete, and/or revoke authorisation for data processing, they must submit a request as follows:
- The request must be directed to THE FOUNDATION’s Digital Area, identifying the data subject, describing the facts leading to the request, providing their address, and including any supporting documents.
- If the request is incomplete, the data subject will be required to correct the deficiencies within five (5) business days of receiving the request. If two (2) months pass without the requested information being submitted, the request will be deemed withdrawn.
- If the request is received by an unauthorised person, it will be forwarded to the appropriate party within two (2) business days, and the data subject will be informed.
- Once a complete request is received, it will be flagged in the database as “request in process,” including the reason, within two (2) business days. This label will remain until the request is resolved.
The maximum term for addressing the request will be fifteen (15) business days from the day after it is received. If it cannot be resolved within this term, the data subject will be informed of the reasons for the delay and the new deadline, which will not exceed eight (8) additional business days.
10. OBLIGATIONS OF THE FOUNDATION
a) Guarantee the data subject full and effective exercise of their rights at all times.
b) Request and retain a copy of the authorisation granted by the data subject under the conditions provided by law.
c) Inform the data subject about the purpose of the data collection and the rights granted under the authorisation.
d) Safeguard the information under security measures necessary to prevent its alteration, loss, unauthorised consultation, or fraudulent use.
e) Ensure the information provided to the Data Processor is truthful, complete, accurate, up-to-date, verifiable, and understandable.
f) Update the information, notifying the Data Processor promptly about any changes, and taking measures to keep the information up-to-date.
g) Rectify incorrect information and notify the Data Processor accordingly.
h) Provide the Data Processor with only the data authorised for processing in compliance with this policy and the law.
i) Require the Data Processor to respect security and privacy conditions at all times.
j) Handle queries, claims, and requests in accordance with legal terms and this Manual.
k) Develop an internal manual of policies and procedures to ensure compliance with Law 1581 of 2012 and facilitate handling of queries, claims, and requests.
l) Notify the Data Processor when certain information is under dispute by the data subject, once the claim has been submitted and not yet resolved.
m) Inform the data subject, upon request, about the use of their data.
n) Notify the Data Protection Authority in case of security breaches posing risks to the data subject’s information.
o) Comply with instructions and requirements issued by the Superintendence of Industry and Commerce.
11. RETENTION PERIOD OF DATABASES
THE FOUNDATION’s databases will remain active for the duration necessary to fulfil their authorised purpose or, by default, for a period of ten (10) years.