Legal Notice Personal Data

WEB PROCESSING POLICIES

TABLE OF CONTENTS

  1. OBJECTIVE
  2. LEGAL BASIS AND SCOPE
  3. DEFINITIONS
  4. TREATMENT POLICY AUTHORIZATION
  5. CONTROLLER
  6. TREATMENT AND PURPOSES OF THE DATABASES
  7. NAVIGATIONAL DATA
  8. COOKIES OR WEB BUGS
  9. HOLDER'S RIGHTS
  10. ATTENTION DATA HOLDERS
  11. PROCEDURES FOR EXERCISING THE HOLDER'S RIGHTS
      11.1 Right of access or consultation
      11.2 Rights of complaints and grievances
  12. SAFETY FEATURES
  13. TRANSFER OF DATA TO THIRD COUNTRIES
  14. VALIDITY
  15. APPENDIX
  16. PREPARATION AND APPROVAL OF THE DOCUMENT
  17. DOCUMENT HISTORY

1. OBJECTIVE

To inform about the actions that E-MOTION ACTIVITY SAS carries out when users visit or browse the website, and to inform about the proper use of personal data in compliance with internal security policies and the law on personal data protection.

2. LEGAL BASIS AND SCOPE OF APPLICATION

The information processing policy is developed in compliance with Articles 15 and 20 of the Political Constitution; Articles 17(k) and 18(f) of the Statutory Law 1581 of 2012, by which general provisions are issued for the Protection of Personal Data (LEPD), Article 2.2.2.25.1.1 Section 1 Chapter 25 of Decree 1074 of 2015, which partially regulates Law 1581 of 2012 (Article 13 of Decree 1377 of 2013).

This policy shall apply to all personal data recorded in databases that are processed by the Data Controller.

3. DEFINITIONS

Established in Article 3 of Statutory Law 1581 of 2012 and Article 2.2.2.25.1.3 Chapter 25 of Compilation Decree 1074 of 2015 (Article 3 of Decree 1377 of 2013).

Authorization: Prior, express and informed consent of the Owner to carry out the processing of personal data.

Privacy Notice: Verbal or written communication generated by the person in charge, addressed to the Holder for the treatment of his/her personal data, by means of which he/she is informed about the existence of the information treatment policies that will be applicable to him/her, the way to access them and the purposes of the treatment that is intended to be given to the personal data.

Database: Organized set of personal data that is processed.

Cookie: A small piece of information sent by a website and stored in the user's browser, so that the website can consult the user's previous activity. Its main functions are: i) To keep track of users: once a user enters his or her user name and password, the cookie records this so that they do not have to be entered again for every page. However, a cookie does not identify a person, but rather a combination of computer, browser and user. ii) To obtain information about the user's browsing habits, which advertising agencies and others may use, including for spyware attempts. This can cause privacy issues and is one of the reasons why cookies have detractors.

Personal data: Any information linked or likely to be linked to one or more specific or identifiable natural persons.

Public data: This is data that is not semi-private, private or sensitive. Public data are considered to be, among others, data relating to the marital status of persons, their profession or trade and their status as traders or public servants. By its nature, public data may be contained, among others, in public registers, public documents, official gazettes and bulletins and duly executed court rulings that are not subject to reservation.

Sensitive data: Sensitive data is defined as data that affects the privacy of the Data Subject or whose misuse may lead to discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership of trade unions, social or human rights organizations, or organizations that promote the interests of any political party or guarantee the rights and guarantees of opposition political parties, as well as data concerning health, sex life, and biometric data.

Processor: Natural or legal person, public or private, who by himself/herself or in association with others, carries out the processing of personal data on behalf of the data controller.

Data controller: Natural or legal person, public or private, who by himself/herself or in association with others, decides on the database and/or the processing of the data.

Holder: Natural person whose personal data are processed.

Transfer: The transfer of data takes place when the person responsible and/or in charge of the processing of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is responsible for the processing and is inside or outside the country.

Transmission: Processing of personal data that involves the communication of the same within or outside the territory of the Republic of Colombia when it has the purpose of carrying out a processing on behalf of the person responsible.

Processing: Any operation or set of operations involving personal data, such as collection, storage, use, circulation or deletion.

4. AUTHORIZATION OF THE TREATMENT POLICY

In accordance with Article 9 of the LEPD, the processing of personal data requires the prior and informed consent of the Data Subject. By accepting this policy, any Holder who provides information regarding his/her personal data is consenting to the processing of his/her data by E-MOTION ACTIVITY SAS under the terms and conditions set forth herein.

5. CONTROLLER

The person responsible for processing the databases covered by this policy is E-MOTION ACTIVITY SAS, whose contact details are as follows:

Address: AUT. MEDELLIN KM 1 CENTRO EMPRESARIAL LOS ROBLES BG 8, COTA, CUNDINAMARCA

E-mail: atencionalusuario@emotion-a.com

Telephone: 6944104

6. TREATMENT AND PURPOSES OF THE DATABASES

E-MOTION ACTIVITY SAS, in the development of its business activity, carries out the processing of personal data relating to natural persons that are contained and processed in databases intended for legitimate purposes, in compliance with the Constitution and the Law.

"Annex 1. PL-01. Database Organization" presents the different databases that are managed, together with the information and characteristics of each one of them.

7. NAVIGATIONAL DATA

It is possible to visit the website without reporting any personal identification. However, the navigation system and the software necessary for the operation of this website may have the option of collecting some personal data, the transmission of which has been implicit in the use of Internet communication protocols.

By its very nature, the information collected may allow users to be identified through its association with data from third parties, even if it is not obtained for that purpose. This category of data includes the IP address or domain name of the computer used by the user to access the website, the URL, the date and time and other parameters relating to the user's operating system.

These data are used for the purpose of obtaining anonymous statistical information on the use of the website or to monitor its proper technical functioning, and are deleted immediately after verification.

When using the contact option, you can choose whether you want to provide us with personal information, such as your name and postal or e-mail address, telephone number, and so on, so that we can communicate with you and process your request or provide information.

8. COOKIES OR WEB BUGS

This website does not use cookies or web bugs to collect personal data from the user; their use is limited to providing the user with access to the website. The use of session cookies, which are not permanently stored on the user's computer and disappear when the browser is closed, is limited to collecting technical information to identify the session in order to facilitate safe and efficient access to the website, with the aim of providing better service on the site.

If you do not wish to allow the use of cookies, you can reject them or delete existing ones by configuring your browser (Internet Explorer, Firefox, Safari, Chrome, among others), and disabling the browser's JavaScript code in the security settings.

Most web browsers allow you to manage your cookie preferences; however, please note that if you choose to block them you may affect or prevent the operation of the site. Also, third-party services such as Google Analytics may be used to track service-related activity, so if you do not want information to be collected and used, you can install an "opt-out" system on your web browser, such as: tools.google.com/dlpage/gaoptout?hl=None.

9. HOLDER'S RIGHTS

In accordance with Article 8 of the LEPD and Articles 21 and 2.2.2.25.4.3 Chapter 25 of the Compilation Decree 1074 of 2015 (Article 22 of Decree 1377 of 2013), the data subjects may exercise a number of rights in relation to the processing of their personal data. These rights may be exercised by the following persons:

  1. By the Holder, who must prove his/her identity sufficiently by the various means made available to him/her by the
  2. By their successors in title, who must prove that
  3. By the representative and/or proxy of the Holder, after accreditation of the representation or
  4. By stipulation in favour of another and for

The rights of children or adolescents will be exercised by the persons who are empowered to represent them.

The Holder's rights are as follows:

Right of access or consultation: This is the right of the Data Subject to be informed by the Data Controller, upon request, regarding the origin, use and purpose given to his/her personal data.

Complaints and grievance rights: The law distinguishes four types of claims:

Correction claim: It is the right of the Owner to update, rectify or modify those partial, inaccurate, incomplete, fractioned, misleading, or those whose treatment is expressly prohibited or has not been authorized.

Claim of suppression: It is the right of the Holder to have the data that is inadequate, excessive or that does not respect the principles, rights and constitutional and legal guarantees, suppressed.

Claim for revocation: It is the right of the Holder to revoke the authorization previously given for the processing of his personal data.

Claim of violation: It is the right of the Owner to request that the breach of the Data Protection regulations be corrected.

Right to request proof of authorisation given to the controller: Except where expressly exempted as a requirement for processing in accordance with Article 10 of the LEPD.

Right to file complaints with the Superintendence of Industry and Commerce about violations: The Owner or successor in title may only submit this complaint once the consultation or complaint process has been exhausted before the person responsible for the processing or in charge of the processing.

10. ATTENTION TO DATA HOLDERS

JOSÉ LUIS LÓPEZ GONZÁLEZ with C.C. No. 1032406865 of E-MOTION ACTIVITY SAS will be in charge of the attention of requests, consultations and claims before which the Holder of the data can exercise his rights. Telephone: 6944104. E-mail: atencionalusuario@emotion-a.com.

11. PROCEDURES FOR EXERCISING THE HOLDER'S RIGHTS

11.1. Right of access or consultation

In accordance with Article 2.2.2.25.4.2 Chapter 25 of the Compilation Decree 1074 of 2015 (Article 21 of Decree 1377 of 2013), the Data Subject may consult his/her personal data free of charge in two cases:

  1. At least once a month
  2. Whenever there are substantial changes in information processing policies that lead to new

For queries whose frequency is greater than one per calendar month, E-MOTION ACTIVITY SAS may only charge the Holder the costs of shipping, reproduction and, where appropriate, certification of documents. The reproduction costs may not be higher than the costs of recovering the corresponding material. For this purpose, the responsible party must demonstrate to the Superintendence of Industry and Commerce, when required, the support of such expenses.

The Holder of the data can exercise the right of access or consultation of their data by writing to E-MOTION ACTIVITY SAS, either by e-mail to atencionalusuario@emotion-a.com, indicating in the Subject "Exercise of the right of access or consultation", or by mail sent to AUT. MEDELLIN KM 1 CENTRO EMPRESARIAL LOS ROBLES BG 8, COTA, CUNDINAMARCA.

The application must contain the following information:

Name and surname of the Holder.

Photocopy of the Citizenship Card of the Holder and, if applicable, of the person representing him/her, as well as the document proving such representation.

Request in which the request for access or consultation is specified.

Address for notifications, date and signature of the applicant.

Supporting documents for the request made, where applicable.

The Holder may choose one of the following ways to consult the database in order to receive the requested information:

On-screen display.

In writing, with a copy or photocopy sent by registered or unregistered mail.

Fax.

E-mail or other electronic means.

Another system suitable for the configuration of the database or the nature of the processing, offered by E-MOTION ACTIVITY SAS.

Once the request has been received, E-MOTION ACTIVITY SAS will resolve the consultation request within a maximum period of ten (10) working days from the date of receipt. When it is not possible to deal with the query within this period, the interested party will be informed, expressing the reasons for the delay and indicating the date on which their query will be dealt with, which in no case may exceed five (5) working days following the expiry of the first period. These deadlines are set out in Article 14 of the LEPD.

Once the consultation process has been exhausted, the Owner or successor in title may file a complaint with the Superintendence of Industry and Commerce.

11.2. Complaints and claims rights

The Holder of the data can exercise the rights of claim on their data by writing to E-MOTION ACTIVITY SAS, either by e-mail to atencionalusuario@emotion-a.com, indicating in the Subject "Exercise of the right of access or consultation", or by mail sent to AUT. MEDELLIN KM 1 CENTRO EMPRESARIAL LOS ROBLES BG 8, COTA, CUNDINAMARCA. The application must contain the following information:

Name and surname of the Holder.

Photocopy of the Citizenship Card of the Holder and, if applicable, of the person representing him/her, as well as the document proving such representation.

Description of the facts and the request for correction, deletion, revocation or violation.

Address for notifications, date and signature of the applicant.

Supporting documents for the request made that are to be enforced, where applicable.

If the claim is incomplete, the claimant will be required within five (5) days of receipt of the claim to correct the deficiencies. After two (2) months from the date of the request, without the applicant submitting the required information, it will be understood that the claim has been withdrawn.

Upon receipt of the completed claim, a legend stating "claim in process" and the reason for the claim will be included in the database within two (2) business days. This legend shall be maintained until the claim is decided.

E-MOTION ACTIVITY SAS will resolve the request for consultation within a maximum period of fifteen (15) working days from the date of receipt. When it is not possible to attend to the claim within said term, the interested party will be informed of the reasons for the delay and the date on which their claim will be attended to, which in no case may exceed eight (8) working days following the expiry of the first term.

Once the claim process has been exhausted, the Owner or successor in title may file a complaint with the Superintendence of Industry and Commerce.

12. SECURITY MEASURES

E-MOTION ACTIVITY SAS, in order to comply with the principle of security enshrined in Article 4, paragraph g) of the LEPD, has implemented technical, human and administrative measures necessary to ensure the security of the records by preventing their adulteration, loss, consultation, unauthorized or fraudulent use or access.

On the other hand, E-MOTION ACTIVITY SAS, by signing the corresponding transmission contracts, has required the data processors with whom it works to implement the necessary security measures to guarantee the security and confidentiality of the information in the processing of personal data.

Below are the safety measures implemented by E-MOTION ACTIVITY SAS, which are set out and developed in its Internal Safety Manual (I, II, III, IV).

TABLE I: Common security measures for all types of data (public, semi-private, private, sensitive) and databases (automated, non-automated)

Document and media management

  1. Measures to prevent improper access to or recovery of data that has been discarded, deleted or destroyed.
  2. Restricted access to the place where the data is stored.
  3. Authorisation by the person responsible for the output of documents or media by physical or electronic means.
  4. System of labelling or identification of the type of information.
  5. Inventory of media.

Access Control

  1. User access limited to the data necessary for the development of their functions.
  2. Updated list of authorized users and accesses.
  3. Mechanisms to prevent access to data with rights other than those authorised.
  4. Granting, alteration or cancellation of permissions by authorised personnel.

Incidents

  1. Recording of incidents: type of incident, time of occurrence, sender of the notification, recipient of the notification, effects and corrective measures.
  2. Notification and incident management procedure.

Staff

  1. Definition of the roles and obligations of users with access to data.
  2. Definition of the control functions and authorisations delegated by the controller.
  3. Dissemination among staff of the rules and the consequences of non-compliance.

Internal Safety Manual

  1. Elaboration and implementation of the Manual of obligatory fulfillment for the personnel.
  2. Minimum content: scope of application, security measures and procedures, functions and obligations of the personnel, description of the databases, procedure in the event of incidents, identification of those responsible for processing.

TABLE II: Common security measures for all types of data (public, semi-private, private, sensitive) according to the type of database

Non-automated databases: Archive

  1. Archiving of documentation following procedures that guarantee the correct conservation, location and consultation and allow the exercise of the rights of the Owners.

Non-automated databases: Document storage

  1. Storage devices with mechanisms to prevent access by unauthorised persons.

Non-automated databases: Custody of documents

  1. Duty of care and custody of the person in charge of documents during the review or processing of the documents.

Automated databases: Identification and authentication

  1. Personalised identification of users to access information systems and verification of their authorisation.
  2. Identification and authentication mechanisms; Passwords: assignment, expiry and encrypted storage.

Automated databases: Telecommunications

  1. Access to data through secure networks.

TABLE III: Security measures for private data according to the type of database

Automated and non-automated databases: Audit

  1. Ordinary audit (internal or external) every two months.
  2. Extraordinary audit due to substantial modifications in the information systems.
  3. Report on the detection of deficiencies and proposal of corrections.
  4. Analysis and conclusions of the security officer and the controller.

Automated and non-automated databases: Security Manager

  1. Designation of one or more persons responsible for the administration of the databases.
  2. Designation of one or more persons responsible for the control and coordination of the measures of the Internal Security Manual.
  3. Prohibition on delegating the responsibility of the data controller to persons responsible for administering the databases.

Automated and non-automated databases: Internal Safety Manual

  1. Periodic compliance checks.

Automated databases: Document and media management

  1. Record of entry and exit of documents and media: date, sender and receiver, number, type of information, method of dispatch, person responsible for receipt or delivery.

Automated databases: Access Control

  1. Access control to the place or places where the information systems are located.

Automated databases: Identification and authentication

  1. A mechanism to limit the number of repeated attempts at unauthorised access.

Automated databases: Incidents

  1. Recording of data recovery procedures, person executing them, restored data and manually recorded data.
  2. Authorisation of the data controller for the execution of the retrieval procedures.

TABLE IV: Security measures for sensitive data according to the type of database

Non-automated databases: Access Control

  1. Access for authorized personnel only.
  2. Access identification mechanism.
  3. Record of access by unauthorized users.

Non-automated databases: Document storage

  1. File cabinets, lockers or others located in access areas protected by keys or other measures.

Non-automated databases: Copy or reproduction

  1. Only by authorized users.
  2. Destruction that prevents access or recovery of the data.

Non-automated databases: Transfer of documentation

  1. Measures to prevent access to or handling of documents.

Automated databases: Document and media management

  1. Definition of user profiles according to their function.
  2. Data encryption.
  3. Encrypting portable devices when they are out.

Automated databases: Access Control

  1. Access record: user, time, database accessed, type of access, record accessed.
  2. Monthly control of the access register by the person responsible for administering the databases.

Automated databases: Telecommunications

  1. Data transmission via encrypted electronic networks.

13. TRANSFER OF DATA TO THIRD COUNTRIES

In accordance with Title VIII of the LEPD, the transfer of personal data to countries that do not provide adequate levels of data protection is prohibited. It is understood that a country offers an adequate level of data protection when it complies with the standards set by the Superintendence of Industry and Commerce on the matter, which in no case may be less than those required by this law of its recipients. This prohibition shall not apply in the case of:

Information for which the Holder has given his/her express and unequivocal authorization for the transfer.

Exchange of medical data, when the treatment of the Holder requires it for reasons of health or public hygiene.

Bank or stock exchange transfers, in accordance with the legislation applicable to them.

Transfers agreed within the framework of international treaties to which the Republic of Colombia is a party, based on the principle of reciprocity.

Transfers necessary for the execution of a contract between the Data Subject and the Controller, or for the execution of pre-contractual measures provided that the Data Subject's authorization is obtained.

Transfers legally required for the safeguard of public interest, or for the recognition, exercise or defence of a right in legal proceedings.

In the cases not contemplated as an exception, the Superintendence of Industry and Commerce will be responsible for issuing the declaration of conformity regarding the international transfer of personal data. The Superintendent is empowered to request information and to take steps to establish compliance with the conditions required for the viability of the operation.

International transfers of personal data between a data controller and a processor to enable the processor to carry out the processing on behalf of the data controller do not require the data controller to be informed or to give his consent, provided that a contract for the transfer of personal data exists.

14. VALIDITY

The databases for which E-MOTION ACTIVITY SAS is responsible will be processed for the time that is reasonable and necessary for the purpose for which the data is collected. Once the purpose or purposes of the treatment have been fulfilled, and without prejudice to legal regulations that provide otherwise, E-MOTION ACTIVITY SAS will proceed to delete the personal data in its possession unless there is a legal or contractual obligation that requires its conservation. For all these reasons, this database has been created without a defined period of validity.

The present treatment policy remains in force from 01-10-2018.

15. APPENDIX

Not applicable.