GENERAL INFORMATION
Company Name: CST – Conserto S.A.S.
Tax Identification Number: 900.275.048-8
Address: Carrera 7 # 180 – 30, Office 502
City: Bogotá D.C.
Phone Numbers: 6017812514 / 6017912472
Email: comercial@cstrisk.com
Website: www.cstrisk.com
LEGAL REGULATIONS AND SCOPE OF APPLICATION
In compliance with applicable legislation on Personal Data Protection (Law 1581 of 2012, Decree 1377 of 2013, and other provisions that modify, supplement, or amend them), Conserto S.A.S. Conserto S.A.S. must ensure that when a person provides information and it is incorporated into the Company’s databases or files, adequate processes are in place to protect it and that it is used appropriately. In this regard, this Information Protection Policy is developed.
This Policy will apply to all Data Subjects (clients, suppliers, contractors, employees, and the general public) who have a relationship with Conserto S.A.S. and/or whose Personal Data has been collected and processed in any way as a result of or in connection with a relationship established with the Company.
In this Policy, Conserto S.A.S. details the general corporate guidelines taken into account to protect the Data Subjects’ Personal Data, the purposes of information processing, Data Subjects’ rights, the area responsible for addressing complaints and claims, and the procedures that must be known, including the procedures for updating, rectifying, and deleting information.
Conserto S.A.S. In compliance with the constitutional right to Habeas Data, we only collect and process Personal Data when previously authorized by the Data Subject, implementing clear measures regarding the confidentiality and privacy of Personal Data.
DEFINITIONS
For the purposes of this Policy, the definitions set forth in Law 1581 of 2012 will be taken into account, as transcribed below:
Authorization: The prior, express, and informed consent of the Data Subject to carry out the Processing.
Database: The organized set of Personal Data that is subject to Processing, whether electronic or not, regardless of the method of its formation, storage, organization, and access.
Personal Data: Information of any type, linked to or that can be associated with one or more specific or determinable natural persons, such as identification data (name, ID, age, gender), contact information (telephone, email, address), consumer preferences, internet visits and behavior, financial information, and other relevant data.
Public Data: Personal Data classified as such under the mandates of the law or the Political Constitution and that which is not semi-private, private, or sensitive. Public data includes, among others, data relating to a person’s marital status, their profession or occupation, their status as a merchant or public servant, and data that can be obtained without reservation. By its nature, public data may be contained in, among others, public records, public documents, official gazettes and bulletins, and duly executed court rulings that are not subject to confidentiality.
Sensitive Data: Data that affects the privacy of the Data Subject or whose misuse may lead to discrimination.
Data Processor: The natural or legal person, public or private, who, either alone or in association with others, processes Personal Data on behalf of the Data Controller.
Data Controller: Conserto S.A.S. or the natural or legal person, public or private, who, on their own or in association with others, decides on the Database and/or the Processing of Personal Data.
Data Subject: A natural person whose Personal Data is subject to Processing.
Processing: Any operation or set of operations on Personal Data, such as collection, storage, use, circulation, or deletion, as well as its transfer and/or transmission to third parties through communications, queries, interconnections, assignments, or data messages.
Transfer: The transfer of Personal Data occurs when the controller and/or processor of Personal Data, located in Colombia, sends the Personal Data to a recipient, who is in turn the controller and is located within or outside the country.
Transmission: Processing of Personal Data that involves communicating such data to a third party within or outside the territory of the Republic of Colombia, when such communication is intended for processing by the processor on behalf of and for the account of the controller, to fulfill the latter’s purposes.
PRINCIPLES OF PROCESSING
In accordance with Article 4 of Law 1581 of 2012, the principles governing the Processing of Personal Data at Conserto S.A.S. are:
Principle of legality in data processing: The processing of personal data is a regulated activity that must comply with the provisions of Law 1581 of 2012 and Decree 1377 of 2013, as well as any other provisions that develop, supplement, or modify it.
Principle of purpose: The processing must comply with a legitimate purpose in accordance with the Constitution and the law, of which the data subject must be informed.
Principle of freedom: Processing may only be carried out with the prior, express, and informed consent of the data subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial order that waives consent.
Principle of truthfulness or quality: The information subject to Processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. The Processing of partial, incomplete, fragmented, or misleading data is prohibited.
Principle of transparency: Processing must guarantee the Data Subject’s right to obtain from the Controller or Processor, at any time and without restrictions, information about the existence of data concerning them.
Principle of restricted access and circulation: Processing is subject to the limits derived from the nature of the Personal Data. In this sense, Processing may only be carried out by persons authorized by the Data Subject and/or by the persons provided for in Law 1581 of 2012.
Principle of security: Information subject to Processing by the Controller or Processor must be handled with the technical, human, and administrative measures necessary to ensure the security of the records, preventing their alteration, loss, unauthorized or fraudulent access, or consultation.
Confidentiality Principle: All persons involved in the Processing of Personal Data that are not public are required to guarantee the confidentiality of the information, even after their relationship with any of the tasks involved in the Processing has ended. They may only provide or communicate Personal Data when it corresponds to the development of the activities authorized by Law 1581 of 2012 and under the terms thereof.
PURPOSES OF PERSONAL DATA PROCESSING
The Personal Data collected by Conserto S.A.S. is included in a Database to which Company personnel have access in the performance of their duties. Under no circumstances is Conserto S.A.S. authorized to process the information for purposes other than those described herein and/or those communicated directly to the Data Subject no later than the time of collection:
Manage all information necessary to comply with Conserto S.A.S.’s tax obligations and commercial, corporate, and accounting records.
Comply with Conserto S.A.S.’s internal processes regarding supplier and contractor management.
Fulfill service contracts entered into with clients.
Provide services according to the specific needs of Conserto S.A.S.’s clients and/or suppliers.
Conduct marketing activities and/or commercialization of new services or products.
Carry out archiving, system updates, and the protection and safekeeping of information and databases.
Send commercial offer information.
Send files containing medical data when required by internal procedures.
Prepare market studies, statistics, surveys, market trend analyses, consumer preference analyses, and satisfaction surveys on the services provided by Conserto S.A.S.
Transfer personal data to third parties with whom contracts have been entered into for this purpose, for commercial, administrative, and/or operational purposes.
Maintain and process, by computer or other means, any type of information related to the client’s business, in order to provide the relevant services and products. Human resource management, including, but not limited to, employment placement, training processes, performance evaluations, social welfare and occupational health and safety programs, issuing employment certifications, providing employment references upon request, establishing the database of personnel working at Conserto S.A.S., and paying payroll, when applicable.
Providing Conserto S.A.S. services according to the specific needs of its clients, in order to provide relevant services and products.
Conducting analysis for the control and prevention of fraud and money laundering, including, but not limited to, consulting and reporting on restricted lists and financial risk information centers.
Completing information and, in general, carrying out the activities necessary to manage requests, complaints, and claims submitted by Conserto S.A.S. clients. and by third parties, directing them to the areas responsible for issuing the corresponding responses.
Conduct events, training sessions, seminars, and workshops on topics related to the products and services offered by Conserto S.A.S.
Comply with Conserto S.A.S.’s tax and commercial, corporate, and accounting record obligations in accordance with current legal provisions.
Conduct studies to evaluate product launches.
Verify legal, financial, and technical information in contractual processes carried out by Conserto S.A.S. or third parties.
Processes within Conserto S.A.S., for operational development and/or system administration purposes.
Other purposes determined by Conserto S.A.S. in the processes for obtaining Personal Data, in order to comply with legal and regulatory obligations.
Conduct data update campaigns.
Send changes to the Policies, as well as requests for new authorizations for the Processing of Personal Data.
Evaluate service quality.
Support internal or external audit processes.
The information provided by the Data Subject will only be used for the purposes stated herein and/or expressly authorized by the Data Subject when requested. Once the need for processing Personal Data ceases, it will be deleted from Conserto S.A.S.’s databases or archived according to the term established within the authorization.
RIGHTS OF THE PERSONAL DATA HOLDER
All Personal Data Holders shall have the rights established by law. In the event of a contradiction between the provisions herein and the law, the terms of the law shall prevail:
To know, update, and rectify their Personal Data before the Data Controllers or Data Processors. This right may be exercised, among others, in the case of partial, inaccurate, incomplete, fragmented, or misleading data, or data whose processing is expressly prohibited or unauthorized.
To request proof of the authorization granted to the Data Controller, except when expressly exempted as a requirement for processing, in accordance with the provisions of Article 10 of Law 1581 of 2012.
To be informed by the Data Controller or Data Processor, upon request, regarding the use of their Personal Data.
Submit complaints to the Superintendency of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and other regulations that modify, supplement, or complement it. A request to the Superintendency of Industry and Commerce will be admissible only after submitting the request directly to Conserto S.A.S.
Revoke authorization and/or request the deletion of Personal Data when the Processing does not respect constitutional and legal principles, rights, and guarantees. Revocation and/or deletion will be admissible when the Superintendency of Industry and Commerce has determined that, in the Processing, the data controller or processor has engaged in conduct contrary to this law and the Constitution.
Access your Personal Data that has been processed free of charge.
AUTHORIZATION, PROCESSING, AND STORAGE OF PERSONAL DATA
Personal Data is collected, stored, organized, used, circulated, transmitted, transferred, updated, rectified, deleted, eliminated, and managed according to the purpose or purposes of each type of processing.
Conserto S.A.S. processes Personal Data with the authorization of the Data Subjects, who are informed of the specific purposes for which such consent is obtained.
Conserto S.A.S. processes the Personal Data voluntarily provided by the Data Subject. This data may be used only by the Company, its employees, consultants, advisors, and business and strategic partners expressly authorized by the Company.
Conserto S.A.S. may request and include in the Databases Personal Data, including, among others, the Data Subject’s first and last names, gender, date of birth, address, city, telephone number, email address, and identification numbers.
Conserto S.A.S. may request Sensitive Data at any time, informing you at the time of collection of the type of Sensitive Data it will collect. In any case, the Company will strictly observe the legal limitations on the Processing of Sensitive Data.
Conserto S.A.S. will never provide Sensitive Data under any circumstances or under any activity. Sensitive Data will be treated with the utmost diligence and the highest security standards.
Limited access to Sensitive Data will be a guiding principle to safeguard the privacy of such data, and therefore, only authorized personnel may have access to this type of information.
In the event that Conserto S.A.S. processes Personal Data of a minor under 18 years of age, it will request the consent of the parent or legal guardian before beginning such processing. Parents or legal guardians may change or revoke this authorization as described in this Policy. The Data Subjects’ authorization may be expressed in writing, orally, or through unequivocal conduct that allows us to reasonably conclude that authorization has been granted. Conserto S.A.S. will be solely responsible for establishing the mechanisms to obtain authorization. Conserto S.A.S. will appropriately retain proof of such authorizations, respecting the principles of confidentiality and privacy of information, and will comply with the obligations established by law.
AREA RESPONSIBLE FOR PERSONAL DATA PROCESSING
The administrative area of Conserto S.A.S. will be responsible for addressing requests, complaints, and claims submitted by data subjects in exercising the rights contemplated in section 6 of this policy.
The data related to this area are:
Email: comercial@cstrisk.com
Telephone: 6017812514, ext. 101
PRIVACY NOTICE
In the event that Conserto S.A.S. cannot make this information processing policy available to the personal data subject, it will publish the privacy notice, the text of which will be retained for subsequent consultation by the data subject and/or the Superintendency of Industry and Commerce.
PROCEDURES THAT THE HOLDER MUST FOLLOW TO EXERCISE THEIR RIGHTS OVER PERSONAL DATA
The Personal Data included in the Company’s Database comes from information collected in the course of activities carried out due to commercial, contractual, employment, or any other relationship with its users, clients, suppliers, contractors, employees, and/or the general public.
Channels such as our website, social media, telephone helpline, commercial and employment contracts, among others, are the means through which Conserto S.A.S. obtains the Personal Data referred to in this Policy.
Conserto S.A.S. will store and manage Personal Data securely and confidentially, and consequently, all necessary measures will be taken to protect Personal Data against loss, misuse, tampering, fraud, or unauthorized access/use by third parties. The Data Subject may exercise their rights regarding the Personal Data they have provided; they may also learn about the use of their Personal Data, revoke their authorization, and file complaints, requests, and claims. All of the above may be done through the administrative department established for this purpose, identified in this Policy, and through the following channels:
Electronic communication: comercial@cstrisk.com
Physical communication: Carrea 7 # 180 – 30, Office 502, Bogotá D.C., addressed to the administrative department.
Telephone communication: 6017812514 / 6017912472, Bogotá D.C.
Business hours: Monday to Friday, 8:00 a.m. to 5:00 p.m.
Inquiries regarding personal data:
The Data Subject, their successors in title, their representatives, and/or attorneys-in-fact may make inquiries regarding the Personal Data stored in the Company’s Databases, in accordance with the following rules:
The request must be submitted through the channels established by Conserto S.A.S.
All requests will be analyzed to verify the Data Subject’s identification. If the request is submitted by a person other than the Data Subject and the status of acting in accordance with current laws is not proven, the request will be rejected.
All inquiries will be answered within a maximum period of ten (10) business days from the date of receipt. When it is not possible to answer the request within this period, the interested party will be informed, stating the reasons for the delay and indicating the date on which their request will be answered, which in no case may exceed five (5) business days after the expiration of the first period.
Complaints
The Data Subject or their successors in title who believe that the Personal Data contained in the Conserto S.A.S. Databases should be corrected, updated, or deleted, or when they become aware of an alleged breach of any of the Company’s duties in relation to the data, may file a complaint in accordance with the following rules:
The complaint must be submitted through the channels established by Conserto S.A.S.
The complaint will be reviewed to verify the Data Subject’s identity. If the request is submitted by a person other than the Data Subject and representation is not proven in accordance with current laws, the request will be rejected.
The complaint must contain, at a minimum, the following information:
The Data Subject’s identification.
Contact information (physical and/or email address and telephone numbers).
Documents proving the Data Subject’s identity or representation.
A clear and precise description of the Personal Data regarding which the Data Subject seeks to exercise any of their rights.
A description of the facts giving rise to the claim.
The documents to be asserted.
Signature and identification number.
If the claim is incomplete, Conserto S.A.S. will request the interested party to correct the deficiencies within five (5) business days of receiving it. After two (2) months from the date of the request, if the applicant does not submit the required information, the claim will be deemed withdrawn.
If the department receiving the claim is not competent to resolve it, it will forward it to the appropriate authority within a maximum of two (2) business days and inform the interested party of the situation.
Once the complete claim is received, a legend stating «claim in process» and the reason for it will be included in the database within a period of no more than two (2) business days. This legend must remain in effect until the claim is resolved.
The maximum period for addressing the claim will be fifteen (15) business days, starting from the day following the date of receipt. When it is not possible to address the claim within this period, the interested party will be informed of the reasons for the delay and the date on which the claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first period.
The Data Subject has the right, at any time, to request the deletion of their Personal Data. Deletion entails the total or partial elimination of Personal Data from the Databases, in accordance with the Data Subject’s request.
The right to erasure is not absolute. Conserto S.A.S may refuse to exercise its right in the following cases:
The Data Subject has a legal or contractual obligation to remain in the Database, or the data controller has a legal or contractual obligation requiring them to maintain the Personal Data.
The deletion of Personal Data hinders judicial or administrative proceedings related to tax obligations, the investigation and prosecution of crimes, or the updating of administrative sanctions.
The Personal Data is necessary to protect the legally protected interests of the Data Subject, to carry out an action based on the public interest, or to comply with a legal obligation acquired by the Data Subject or the data controller.
DATA COLLECTED BEFORE THE ISSUANCE OF DECREE 1377 OF 2013
In accordance with the provisions of Section 3 of Article 10 of Regulatory Decree 1377 of 2013, Conserto S.A.S. will publish a notice on its official website www.cstconsultoria.com.co to inform you of this information processing policy and how to exercise your rights as data subjects of personal data stored in Conserto S.A.S. databases.
INFORMATION SECURITY
In accordance with the security principle, Conserto S.A.S. has adopted reasonable technical, administrative, and human resources measures to protect the Data Subjects’ Personal Data and prevent tampering, loss, unauthorized or fraudulent access, use, or consultation.
Access to Personal Data is restricted to its Data Subjects and individuals authorized by Conserto S.A.S. in accordance with this Policy.
Conserto S.A.S. will not allow third parties to access this information under conditions other than those announced, except at the express request of the Data Subject or by individuals authorized in accordance with national regulations. Notwithstanding the foregoing, Conserto S.A.S. will not be liable for actions intended to violate or fraudulently lift the security measures established for the protection of Personal Data.
Please keep in mind that the Internet is a global communications network that involves the transmission of information. Therefore, although Conserto S.A.S. has the necessary measures in place to protect Personal Data, it is possible that such data may be affected by Internet-related failures.
EFFECTIVE DATE AND MODIFICATIONS
This Policy is effective as of December 13, 2019.
This Policy can be viewed at www.cstrisk.com or by requesting a copy by emailing comercial@cstrisk.com.
Personal Data included in the Databases subject to Processing will remain and be processed based on the criterion of temporality for the contractual term of the product or service, for the period in which the purpose for which it was collected subsists, plus the term established by law.
This Policy may be modified by the Company upon request without prior notice, provided that the modifications are non-substantial. Only modifications regarding the purposes of the Processing and the data controller’s data, or any other substantial modification, will be communicated in advance to the Data Subjects.