A. Introduction
The Political Constitution of Colombia of 1991 established, in Article 15, the right to personal data protection as the right of every individual to know, update, rectify, and/or delete their personal information collected and/or processed in public or private databases.
Through Law 1581 of October 17, 2012, the Congress of the Republic regulated the aforementioned right by establishing General Provisions for the Protection of Personal Data in Colombia, further regulated by Decrees 1377 of 2013 and 886 of 2014 (now incorporated into Decree 1074 of 2015), among others.
Additionally, through Law 2300 of July 10, 2023, “which establishes measures to protect the Right to Privacy of Consumers,” the Congress of the Republic introduced special measures for collection activities, commercial prospecting, and obtaining authorizations to contact consumers.
In compliance with these provisions, TRÉBOL, recognizing its responsibility in the processing of Personal Data of data subjects, guarantees the constitutional right of all individuals to know, update, rectify, delete, and revoke authorization regarding the information collected about them in the databases compiled by the Entity for the purposes established by the Law and the respective authorizations, which have been processed in accordance with the national personal data protection regime.
For these purposes, TRÉBOL has developed this PERSONAL DATA PROCESSING POLICY, which is mandatory for all natural or legal persons handling personal data recorded in the Entity’s databases, to provide the necessary guidelines for complying with legal obligations regarding personal data protection.
TRÉBOL hereby informs all interested parties that the personal data obtained in connection with the operations requested or entered into with TRÉBOL will be processed in accordance with the principles and obligations defined in Law 1581 of 2012 and other regulations governing this matter. For all relevant purposes, the address of TRÉBOL JURÍDICO S.A.S. is Carrera 36 No. 8 A 46 Interior 201, Medellín, Antioquia, Colombia.
B. Purpose
The purpose of this Policy is to provide necessary and sufficient information to various stakeholders, as well as to establish guidelines that ensure the protection of personal data processed through TRÉBOL’s procedures. This aims to ensure compliance with the law, policies, and procedures related to the rights of data subjects, including criteria for the collection, storage, use, circulation, and deletion of personal data.
C. Recipients
This policy applies to all physical and digital databases containing personal data that are subject to processing by TRÉBOL, which is considered the data controller. It also applies to situations where TRÉBOL operates as a data processor.
The policy is intended to ensure that employees, suppliers, contractors, affiliated individuals, subjects involved in collection activities with TRÉBOL, and the general public have access to the necessary and sufficient information regarding the various treatments and purposes for which their data will be used, as well as the rights they, as data subjects, can exercise with respect to TRÉBOL when TRÉBOL is the data controller.
This policy must be known and complied with by all individuals and legal entities responsible for managing TRÉBOL’s personal data databases, particularly those managing TRÉBOL’s databases and those employees and contractors who handle, address, and respond to requests (queries or complaints) related to personal data protection law and Law 2300 of July 10, 2023.
D. Scope
- To provide prompt and lawful processing of requests and complaints made by data subjects, as well as by their heirs or any other person with proper authorization.
- To comply with current regulations on Personal Data Protection, as well as any requirements arising from the principle of accountability and consumer privacy protection.
- To ensure adequate protection of the interests and needs of data subjects whose personal information is processed by TRÉBOL.
E. Glossary
In the development, interpretation, and application of the law, regulations, and current standards, the following definitions shall be applied harmoniously and integrally:
RESTRICTED ACCESS: A level of access to information limited by predefined parameters. TRÉBOL will not make Personal Data available for access via the Internet or other mass communication means, unless technical measures are established to control and restrict access solely to Authorized persons.
DATA PROTECTION RESPONSIBLE AREA: The area within TRÉBOL responsible for overseeing and controlling the application of the Personal Data Protection Policy and implementing the Comprehensive Personal Data Protection Program.
RESPONSIBLE AREA FOR HANDLING REQUESTS, COMPLAINTS, CLAIMS, AND INQUIRIES: Requests, complaints, claims, and inquiries made by data subjects will be handled by the Commercial Management through the Data Protection Officer assigned to this role.
DATABASE: An organized set of Personal Data subject to processing, including both physical and electronic files.
DATA QUALITY: Personal data subjected to processing must be truthful, complete, accurate, updated, verifiable, and understandable. When in possession of partial, incomplete, fragmented, or misleading personal data, TRÉBOL must refrain from processing it or request its completion or correction from the data subject.
RESTRICTED CIRCULATION: Personal data will only be processed by TRÉBOL personnel or those who, within their functions, are responsible for such activities. Personal Data cannot be provided to those without authorization or who have not been authorized by TRÉBOL to process it.
CONFIDENTIALITY: An information security element that determines who and under what circumstances information can be accessed.
PERSONAL DATA: Any information linked or that can be associated with one or more identified or identifiable natural persons. “Personal Data” should be understood as information related to an individual person.
PUBLIC DATA: Data that is not semi-private, private, or sensitive. Public data includes, among others, information related to an individual’s civil status, profession or trade, and their status as a merchant or public servant. By its nature, public data can be found in public records, official documents, gazettes, and court rulings that are not under confidentiality.
SEMI-PRIVATE DATA: Information that is neither intimate, reserved, nor public, and whose knowledge or disclosure may be of interest not only to the data subject but to a specific sector, group of people, or society at large, such as financial, credit, or commercial activity data.
SENSITIVE DATA: Data that affects the privacy of the data subject or whose improper use may result in discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, union membership, social organizations, or data related to health, sexual life, and biometric data.
RIGHTS OF CHILDREN AND ADOLESCENTS: Processing must ensure respect for the prevailing rights of children and adolescents. Only data of a public nature may be processed.
DATA PROCESSOR: A natural or legal person, public or private, who, alone or in association with others, processes personal data on behalf of the Data Controller. TRÉBOL acts as a data processor in cases where it processes personal data on behalf of a data controller, either alone or in association with others.
DIGITAL INFORMATION: Information stored or transmitted via electronic and digital means, such as email or other information systems.
DATA CONTROLLER: A natural or legal person, public or private, who, alone or in association with others, decides on the database and/or the processing of data. TRÉBOL acts as a data controller with respect to all personal data for which it makes decisions directly, in compliance with its legally recognized functions.
DATA SUBJECT: A natural person whose personal data is subject to processing.
PROCESSING: Any operation or set of operations performed on Personal Data by TRÉBOL or Data Processors, such as collection, storage, use, circulation, or deletion.
F. Guiding Principles
In the development, interpretation, and application of the law, regulations, and current standards, the following principles shall be applied harmoniously and integrally:
- Principle of Legality in Data Processing: Processing is a regulated activity that must comply with Law 1581 of October 17, 2012, its regulatory decrees, and other related provisions.
- Principle of Purpose: Processing must serve a legitimate purpose in accordance with the Constitution and the Law, which must be communicated to the Data Subject.
- Principle of Freedom: Processing may only be carried out with the prior, explicit, and informed consent of the Data Subject. Personal data cannot be obtained or disclosed without prior authorization, except where legally or judicially mandated.
- Principle of Truthfulness or Quality: Data subjected to processing must be truthful, complete, accurate, updated, verifiable, and understandable. Processing of partial, incomplete, fragmented, or misleading data is prohibited.
- Principle of Transparency: Processing must guarantee the Data Subject’s right to obtain information from the Data Controller or Data Processor, at any time and without restrictions, regarding the existence of data concerning them.
- Principle of Restricted Access and Circulation: Processing must adhere to limits derived from the nature of the personal data, the provisions of the law, and the Constitution. Processing may only be carried out by persons authorized by the Data Subject and/or as provided by law. Personal data, except for public information, should not be available on the Internet or other mass communication media unless access is technically controllable to ensure restricted knowledge only to Data Subjects or authorized third parties.
- Principle of Security: Data must be managed with technical, human, and administrative measures necessary to ensure security, avoiding alteration, loss, unauthorized or fraudulent access, or use.
- Principle of Confidentiality: All employees and contractors involved in processing Personal Data, which is not of a public nature, are obligated to ensure the confidentiality of the information, even after their relationship with the processing activities ends. Data may only be supplied or communicated when necessary for authorized activities under the law. TRÉBOL commits to treating data subjects’ personal data as defined in Article 3(g) of Law 1581 of 2012, with absolute confidentiality, using it exclusively for the purposes stated previously, provided the data subject has not opposed such processing. TRÉBOL has implemented necessary technical and organizational security measures to ensure the safety of personal data and prevent its alteration, loss, processing, or unauthorized access.
- Principle of Temporal Limitation: Personal data will be retained only for the time reasonably necessary to fulfill the purposes that justified the processing, considering applicable regulations and administrative, accounting, fiscal, legal, and historical aspects. Data will be retained when necessary to fulfill a legal or contractual obligation. Once the purpose of processing is fulfilled and the terms previously established are met, data will be deleted.
- Integral Interpretation of Constitutional Rights: Rights will be interpreted in harmony and balance with the right to information as provided in Article 20 of the Constitution and applicable constitutional rights.
- Principle of Necessity: Personal data processed must be strictly necessary for the purposes pursued with the database.
- Principle of Non-Interference: Personal data associated with commercial prospecting and debt collection purposes will comply with the standards set forth in Law 2300 of July 10, 2023 and its regulatory decrees.
G. Special Data
Sensitive Data
Sensitive data refers to information that affects the privacy of the Data Subject or whose misuse could result in discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, union membership, membership in social or human rights organizations, or data related to health, sexual life, and biometric data.
Processing of Sensitive Data: The processing of sensitive data is prohibited except in the following cases:
- Explicit Authorization: When the Data Subject has given explicit consent for such processing, unless the law does not require this authorization.
- Vital Interest: When processing is necessary to safeguard the vital interests of the Data Subject, who is physically or legally incapacitated. In these cases, legal representatives must grant authorization.
- Judicial Processes: When processing is necessary for the recognition, exercise, or defense of a right in a legal process.
- Historical, Statistical, or Scientific Purposes: When processing serves historical, statistical, or scientific purposes, and measures are taken to ensure the data subject’s identity is anonymized.
Special Authorization for Sensitive Personal Data: TRÉBOL will inform its data subjects through various means of obtaining authorization that, in accordance with Law 1581 of 2012 and regulatory standards, they are not obligated to grant authorization for the processing of sensitive data.
For health-related data processing, TRÉBOL will implement necessary measures to protect the confidentiality of the information. Processed biometric sensitive data will be used for identification purposes, security, legal compliance, and proper service provision.
Children, Adolescents, and Minors
The processing of personal data of children, adolescents, and minors is prohibited except when dealing with public data and when the processing meets the following parameters and/or requirements:
- The processing must respond to and respect the best interest of children, adolescents, and minors.
- The processing must ensure respect for their fundamental rights.
The legal representative of the child or adolescent must grant authorization, after the minor’s right to be heard is exercised. The minor’s opinion should be considered based on their maturity, autonomy, and capacity to understand the matter.
H. Processing and Purposes
In accordance with Law 1581 of 2012 and the authorizations provided by data subjects, TRÉBOL will carry out operations or sets of operations including data collection, storage, use, circulation, and/or deletion. This processing will be exclusively for the authorized purposes outlined in this Policy and specific authorizations granted by the data subject. Processing will also occur when there is a legal or contractual obligation, always in line with information security policies.
Due to TRÉBOL’s legal nature, personal data may be processed for internal and external control processes and evaluations conducted by national or multilateral oversight bodies.
Furthermore, in executing TRÉBOL’s corporate purpose, personal data will be processed according to the interest group and in proportion to the purpose(s) of each processing activity, as described below:
Users, Clients, or General Public
TRÉBOL will process personal data for the following purposes:
- Request Management: To manage requests related to TRÉBOL’s products and services.
- Response Provision: To send responses to inquiries and petitions.
- Procedure Management: To handle procedures, products, and services executed directly or indirectly by TRÉBOL.
- Communications and Notifications: To send communications and notifications related to procedures issued by TRÉBOL’s operational and support areas.
- Database Updates: To update databases, including when information needs to be transmitted or transferred to a third party for validation, cleansing, enrichment, and data homogenization, subject to legal requirements.
- Vendor and Contractor Management: To manage information by vendors and/or contractors for activities related to TRÉBOL’s defined procedures and services, as long as it is strictly necessary.
- Studies and Analysis: To prepare studies, statistics, surveys, and trend analysis related to TRÉBOL’s products and services.
- Legal Compliance Reporting: To provide reports to external entities to meet legal, contractual, and statistical analysis requirements.
- Obligations Management: To manage information necessary for fulfilling tax, contractual, commercial, and commercial registry obligations.
- Operational Relationships: To transmit information to national or international partners providing necessary products and services for TRÉBOL’s operation.
- Product and Service Delivery: To provide information services through various contact means.
- Quality Evaluation: To assess the quality of the products and services offered.
- The additional purposes determined in the processes of obtaining Personal Data for its processing, in all cases in accordance with the Law and within the scope of TRÉBOL’s own mission functions.
- To store, organize, classify, and catalog personal data within TRÉBOL’s formats, systems, files, and databases.
- To conduct credit background checks and consultations with credit bureaus prior to the approval of a credit request, as well as the corresponding report in case of non-compliance with obligations.
- To carry out the necessary actions to ensure compliance with contracts.
- To manage procedures (requests, inquiries, complaints, claims), conduct risk analyses, and carry out satisfaction surveys regarding the company’s services as well as those of its commercial partners.
- To provide contact information and relevant documents to the commercial force and/or distribution network, telemarketing, market research, and any third party with which the company has a contractual relationship of any kind.
- To provide necessary and sufficient information regarding TRÉBOL’s products or services that would allow the completion of their purchase.
- To disclose, transfer, and/or transmit personal data of the data subjects both within and outside the country to third parties as a result of a contract, law, or legitimate relationship requiring such action, for the provision of respective services or in virtue of commercial agreements or alliances.
- To provide information to third parties with whom TRÉBOL has a contractual relationship when it is necessary for the fulfillment of the contracted purpose.
- Marketing and Sales: To inform and communicate about products and services through various channels, including text messages, physical materials, emails, online offers, and push notifications.
- Market Strategies: To develop market strategies by studying user behavior to improve content, personalization, and service.
- Behavior Analysis: To conduct studies of behavior related to offers and purchases to generate reports and statistics.
- Service Improvement: To use behavior studies to improve service delivery.
- Commercial Prospecting: To carry out commercial prospecting, market segmentation, debt collection, and asset consultation activities.
- Regulatory Reporting: To present reports to regulatory authorities and handle requests from administrative or judicial entities.
- Data Transfer: To transfer or transmit data nationally or internationally to providers or strategic partners for marketing, advertising, data analysis, and commercial promotions, in accordance with Colombian regulations.
- Fraud Prevention: To control and prevent fraud in all its forms.
Employees, Providers, and Contractors
TRÉBOL will process personal data for the following purposes:
- Legal Compliance: To fulfill legal obligations concerning applicants, employees, contractors, suppliers, and former employees.
- Social Security Compliance: To monitor compliance with the General Social Security System requirements.
- Corporate Directory: To publish a corporate directory for employee contact purposes.
- Biometric Data: For biometric data captured through surveillance systems, the processing aims to identify, ensure security, and prevent internal and external fraud.
- Legal Obligations for Minors: To fulfill legal obligations related to minors’ personal data.
- Selection Processes: To manage data for recruitment processes, with resumes processed under restricted access principles.
- Event Communication: To inform about events developed by TRÉBOL through suitable channels.
- Budget Management: To manage TRÉBOL’s budgetary processes, including payments, issuance of income certificates, and payment records.
- Accounting Processes: To manage TRÉBOL’s accounting processes.
- Contractual Obligations: For all purposes related to selection, contractual processes, or related activities.
- Internal Compliance: To handle internal procedures and meet accounting, tax, and legal obligations.
- Contractual Management: To ensure compliance with contractual stages involving suppliers and contractors.
- Certification Requests: To issue contractual certifications as requested by contractors or control entities.
- Digital Archiving: To maintain a digital archive for contract information.
- Additional Purposes: For any other purposes determined in the process of obtaining personal data for processing, in accordance with the Law and TRÉBOL’s statutory mission functions.
I. Transfer and Transmission of Personal Data
TRÉBOL may transfer and transmit personal data to third parties with whom it has operational relationships, providing necessary products and services for its proper operation, or in accordance with the functions assigned to it by law. In such cases, appropriate measures will be adopted to ensure that individuals with access to personal data comply with this Policy and the principles of personal data protection and obligations established by law.
In any case where TRÉBOL transmits data to one or more processors located within or outside the Republic of Colombia, it will establish contractual clauses or enter into a personal data transmission contract specifying:
- The scope of processing,
- The activities that the processor will carry out on behalf of the controller for the processing of personal data, and
- The obligations of the Processor towards the data subject and the controller.
Through this contract, the Processor will commit to applying the obligations of the controller under the information processing policy set by the controller and to processing data according to the purposes authorized by the data subjects and the applicable current laws.
In addition to the obligations imposed by applicable regulations within the mentioned contract, the following obligations must be included for the respective processor:
- Process, on behalf of the controller, personal data in accordance with the principles protecting them.
- Safeguard the security of the databases containing personal data.
- Maintain confidentiality regarding the processing of personal data.
In the event of transfer, comply with the obligations stipulated in Law 1581 of 2012 and its regulatory norms.
J. Rights and Legal Conditions for Processing
Rights of Data Subjects
In the processing of personal data by TRÉBOL, the rights of data subjects will be respected at all times, including:
- To know, update, and rectify data concerning themselves or the data processors, as well as to have an agile, simple, and efficient mechanism for canceling the reception of messages and emails, except where a contractual obligation or duty of permanence exists.
- To request proof of the authorization granted, or any other document subscribed by the data subject for this purpose, except where expressly exempted as a requirement for data processing in accordance with the law. To be informed by TRÉBOL or the data processor, upon request, about the use given to their data.
- To file complaints with the Competent Authority for violations of the law and other regulations that amend, replace, or add to it.
- To revoke the authorization and/or request the deletion of data when the processing does not respect the principles, rights, and constitutional and legal guarantees.
- Revocation and/or deletion will proceed when the Competent Authority has determined that, in processing, TRÉBOL or data processors have engaged in conduct contrary to the law and the Constitution. Revocation will proceed as long as there is no legal or contractual obligation to retain the personal data.
- To access, free of charge, personal data that has been processed.
- To be contacted in data processing associated with collection or commercial prospecting purposes only through channels expressly, clearly, and previously authorized by the data subjects for this purpose, within the hours of Monday to Friday from 7:00 am to 7:00 pm and Saturdays from 8:00 am to 3:00 pm. The data subject will not be contacted more than once a day for collection purposes or through multiple contact channels within the same week.
- Not to be required to consent to the processing of personal data for commercial prospecting purposes when making commercial transactions or entering buildings or premises.
- Not to be subjected to data processing for collection purposes through home or workplace visits and not to be questioned about reasons for non-compliance with any obligation.
- To refrain from answering questions about sensitive data or data concerning children and adolescents.
Authorization of Data Subjects
Notwithstanding exceptions provided by law, processing requires the prior and informed consent of the data subject, which must be obtained by any means that can be subject to later consultation. Consent will be deemed to meet these requirements when manifested (i) in writing, (ii) orally, or (iii) through unequivocal behaviors of the data subject that reasonably indicate consent, such as when submitting a resume for selection processes or entering premises with knowledge of the existence of video surveillance systems.
Cases where Authorization is Not Required: Consent from the data subject is not required when dealing with:
- Publicly available data.
- Cases of medical, health, or humanitarian emergencies.
- Processing of information authorized by law for historical, statistical, or scientific purposes.
- Data related to the Civil Registry of Persons.
Anyone accessing personal data without prior authorization must, in any case, comply with the provisions of Law 1581 of 2012 and other concordant and current regulations.
Authorization for Prospecting and Collection Purposes: When the processing of data subjects’ data is intended for commercial prospecting or collection of obligations, the data subject must be clearly and explicitly informed of the channels they can authorize for this purpose. The data subject may choose one or several of these channels.
Provision of Information
Information requested by data subjects will be provided primarily through electronic means or any other means if required by the data subject. Information provided by TRÉBOL will be delivered without technical barriers preventing access; its content will be easy to read and access, and must correspond in full to that held in the database.
Obligation to Inform
When requesting authorization from the data subject, TRÉBOL must clearly and expressly inform:
- The processing to which their personal data will be subjected and its purpose.
- The optional nature of responses to questions about sensitive data or data concerning children and adolescents.
- The rights available to them as data subjects.
- The identification, physical or electronic address, and phone number of the data controller.
- The channels expressly authorized by the data subject for processing data related to commercial prospecting or debt collection purposes.
TRÉBOL, as the data controller, must retain proof of compliance with the provisions of this numeral and, upon request by the data subject, provide a copy of this proof.
Individuals to Whom Information May Be Provided
Information meeting the conditions established by law may be provided to the following individuals:
- The data subjects, their heirs, or their legal representatives, as accredited.
- Public or administrative entities exercising their legal functions or by judicial order.
- Third parties authorized by the data subject or by law.
K. Duties of Data Controllers and Processors
Duties of Data Controllers
As the data controller, TRÉBOL must fulfill the following duties, without prejudice to other provisions established by law and other regulations governing its activity:
- Ensure the data subject’s full and effective exercise of the right to habeas data at all times.
- Request and retain, under the conditions established by law, a copy of the respective authorization granted by the data subject.
- Maintain the information under necessary security conditions to prevent its alteration, loss, unauthorized or fraudulent consultation, use, or access.
- Ensure that the information provided to the data processor is truthful, complete, accurate, up-to-date, verifiable, and understandable.
- Update the information by promptly informing the data processor of any changes regarding the data previously provided and adopting other necessary measures to keep the information updated.
- Rectify information when it is incorrect and communicate the relevant corrections to the data processor.
- Provide the data processor with only data whose processing is previously authorized in accordance with the law.
- Ensure that the data processor respects the conditions of security and privacy of the data subject’s information at all times.
- Process queries and complaints as specified by law.
- Adopt specific procedures to ensure compliance with the law and, in particular, for handling queries and complaints.
- Inform the data processor when specific information is under dispute by the data subject, once a complaint has been filed and the respective process has not been completed.
- Inform the data subject, upon request, about the use of their data.
- Report to the data protection authority when there are violations of security codes and risks in managing the data subjects’ information.
Duties of Data Processors
Data processors, including TRÉBOL when acting as a processor, must fulfill the following duties, without prejudice to other provisions established by law and other regulations governing their activity:
- Ensure the data subject’s full and effective exercise of the right to habeas data at all times.
- Maintain the information under necessary security conditions to prevent its alteration, loss, unauthorized or fraudulent consultation, use, or access. Processors must comply with the minimum security conditions defined in the National Database Registry.
- Promptly update, rectify, or delete data in accordance with Law 1581 of 2012 and other concordant and current regulations.
- Update the information reported by data controllers within five (5) business days from its receipt.
- Process queries and complaints from data subjects as specified in this policy.
- Adopt an internal manual of policies and procedures to ensure compliance with the law and, in particular, for handling queries and complaints from data subjects.
- Record the legend “claim in process” in the databases as regulated by law.
- Insert the legend “information in judicial dispute” in the database once notified by the competent authority about judicial processes related to the quality of the personal data.
- Refrain from disseminating information disputed by the data subject and whose blocking has been ordered by the Superintendence of Industry and Commerce or the data controller.
- Allow access to information only to individuals who are authorized to access it.
- Inform the data controller of any violations of security codes and risks in managing the data subjects’ information.
- Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
- Verify that the data controller has authorization for the processing of personal data of the data subject.
- Provide data subjects with an agile, simple, and efficient mechanism to cancel the reception of messages and emails, except where there is a legal or contractual obligation of permanence.
General Actions for Personal Data Protection
The following are the general guidelines applied by TRÉBOL to comply with its obligations in accordance with the principles for the management of personal data.
These guidelines are supplementary to the existing and implemented general policies, procedures, or instructions, including data and information security policies, and are not intended to replace or disregard them at any time.
Data Processing
All TRÉBOL members, in performing their job duties, will assume the responsibilities and obligations associated with the proper handling of personal information, from its collection, storage, use, circulation, and up to its final disposal.
Use of Information
Personal information contained in databases must be used and processed in accordance with the purposes described in this policy.
If any area identifies new uses different from those described in this personal data processing policy, it must inform the Data Protection Officer, who will assess and manage its inclusion in this policy, where applicable. The following considerations should also be taken into account:
- If an area other than the one that initially collected the personal data needs to use the personal data obtained, this can be done as long as it is a foreseeable use for TRÉBOL’s mission purposes and for a purpose contemplated within this Personal Data Processing Policy.
- Each area must ensure that confidential information or personal data is not disclosed when physical documents are recycled. Therefore, resumes, academic degrees, academic or work certifications, medical exam results, or any document containing information that identifies a person cannot be recycled.
- If a data handler has provided personal data or databases to an area for a specific purpose, the area that requested the personal data must not use that information for any purpose other than that stated in the Personal Data Processing Policy. Upon completing the activity, it is the duty of the area that requested the information to delete the database or personal data used, to avoid the risk of information becoming outdated or cases where a data subject has filed a complaint during that time.
- Employees cannot make decisions that have a significant impact on personal information, or that have legal implications, based solely on information provided by the information system. Therefore, they must validate the information through other physical or manual instruments and, if necessary, directly with the data subject in cases where this is required.
- Only authorized officials, employees, and contractors may input, modify, or delete data contained in databases or protected documents. User access permissions are granted by the area defined in the applicable protocols, according to the established profiles, which will be defined in advance by the leaders of the processes where the use of personal information is required.
- Any use of information other than those established requires prior consultation with the Data Protection Officer.
Information Storage
Digital and physical information is stored in media or environments with adequate controls for data protection. This involves physical, IT security, technological, and environmental controls in restricted areas, in TRÉBOL’s own facilities and/or in data processing or documentation centers managed by third parties.
Information Destruction
The destruction of physical and electronic media is carried out through mechanisms that prevent reconstruction. It is done only when it does not violate any legal norms, and always leaves a traceable record of the action.
Destruction covers information held by third parties as well as information held in TRÉBOL’s own facilities.
Information Security Incidents
An incident is understood as any anomaly that affects or could affect the security of databases or the information contained in them.
In the event of an incident, the user must report it to the Data Protection Officer, who will take appropriate measures regarding the reported incident.
The Data Protection Officer will inform the Delegation for Data Protection of the SUPERINTENDENCE OF INDUSTRY AND COMMERCE through the designated module within 15 days of becoming aware of the incident.
Incidents can affect both digital and physical databases and will trigger the following activities:
Incident Notification: If it is suspected that an incident may affect or has affected databases containing personal data, it must be reported to the Data Protection Officer, who will manage its report in the National Database Registry.
Incident Management: It is the responsibility of each employee, contractor, consultant, or third party to promptly report any suspicious event, weakness, or policy violation that may affect the confidentiality, integrity, and availability of TRÉBOL’s assets and personal information.
Incident Identification: All suspicious or abnormal events, such as those where there is a potential loss of confidentiality or information, must be evaluated to determine if they are incidents and reported to the appropriate level within the organization. Any decisions involving investigative or judicial authorities should be made jointly between the Data Protection Officer and TRÉBOL’s Legal Department, who will communicate with these authorities.
Incident Reporting: All incidents and suspicious events must be reported as soon as possible through the internal channels established by TRÉBOL.
If sensitive or confidential information is lost or disclosed to unauthorized personnel, or if such an event is suspected, the Data Protection Officer must be notified immediately.
Employees, contractors, and consultants must report to their direct supervisor and the Data Protection Officer any damage or loss of computers or other devices containing personal data held by TRÉBOL.
Unless there is a properly reasoned and justified request from the competent authority, no employee or contractor should disclose information about computer systems and networks affected by a cybercrime or system abuse. For the release of information or data under an authority’s order, TRÉBOL’s Legal Department must intervene to provide appropriate advice.
Containment, Investigation, and Diagnosis of Incidents: The Data Protection Officer must ensure that actions are taken to investigate and diagnose the causes of the incident and ensure that the entire incident management process is properly documented, supported by the Office of Technology and IT.
If a cybercrime is identified, as defined by Law 1273 of 2009, the Data Protection Officer and the Legal Department will report such information to the relevant judicial investigative authorities.
During investigations, the “Chain of Custody” must be maintained so that evidence is preserved in case legal action is required.
Incident Resolution: Any affected area and those directly responsible for personal data management must prevent the security incident from recurring by correcting all existing vulnerabilities.
Incident Closure and Follow-up: The Data Protection Officer and the areas that use or require the information will initiate and document all tasks related to the review of actions taken to remedy the security incident.
The Data Protection Officer will prepare an annual analysis of the reported incidents. The conclusions of this report will be used to develop awareness campaigns to help minimize the likelihood of future incidents.
Incident Reporting: Security incidents affecting databases will be reported according to the following rules:
Violations of security codes or the loss, theft, and/or unauthorized access to information from a database managed by the Data Controller or its Processor must be reported to the National Database Registry within fifteen (15) business days from the moment they are detected and brought to the attention of the responsible person or area.
Process leaders and/or information asset owners will internally report incidents related to personal data to the Data Protection Officer, who will report them to the National Database Registry within the legal timeframe.
M. Handling of Requests, Inquiries, and Complaints
Requests, inquiries, and complaints made by data subjects whose data is processed by TRÉBOL, in order to exercise their rights to access, update, rectify, and delete data, or to revoke consent, should be directed to:
- Personal Data Protection Officer: VANESSA DEL CARMEN FORTICH GRAU
- Email: atencionalcliente@treboljuridico.com
The aforementioned role will be the contact point for data subjects for all purposes outlined in this Policy.
Procedure for Handling Requests, Inquiries, and Complaints (PQRS)
Data subjects, regardless of their relationship with TRÉBOL, can exercise their rights to access, update, rectify, and delete information and/or revoke the consent granted, in accordance with the “Procedure for Updating, Rectifying, and Deleting Information and/or Revoking Authorizations.”
Party Responsible for Handling Inquiries
The Personal Data Protection Officer of TRÉBOL is responsible for receiving and processing requests in accordance with the terms, deadlines, and conditions established by Law 1581 of 2012 and these policies.
Inquiries directed to TRÉBOL must contain at least the following information:
- Full name of the data subject and/or their representative and/or heirs;
- The subject of the inquiry;
- Physical address, email address, and contact phone number of the data subject and/or their heirs or representatives;
- Signature, identification number, or corresponding validation procedure;
- Submission through TRÉBOL’s authorized inquiry channels.
Once an inquiry request is received from the data subject or their duly authorized representative or third party through the established channels, it will be forwarded to the Personal Data Protection Officer. The officer will verify that the request contains all required specifications to ensure that the right is exercised by a legitimate party.
Response Time for Inquiries
Requests received through the aforementioned means will be addressed within a maximum of ten (10) business days from the date of receipt.
If it is not possible to address the inquiry within this period, the interested party will be informed before the expiration of the ten (10) days, stating the reasons for the delay and indicating the date by which the inquiry will be addressed, which in no case may exceed five (5) business days following the expiration of the initial period.
Complaints Procedure
Guaranteed Rights through the Complaints Procedure:
- Correction or Update: TRÉBOL and/or its processors will guarantee data subjects the right to correct or update personal data contained in their databases by submitting a complaint, when the parameters established by law or in this Personal Data Processing Policy are met, for the correction or update request to be processed.
- Revocation of Authorization or Deletion of Personal Data: TRÉBOL and/or its processors will guarantee data subjects the right to request the revocation of authorization or deletion of information contained in their individual record or any information linked to their identification, when the parameters established by law or in this Personal Data Processing Policy are met. The right to submit complaints is also guaranteed when there is a suspected violation of Law 1581 of 2012 or this Personal Data Processing Policy.
Party Responsible for Handling Complaints
The Personal Data Protection Officer of TRÉBOL is responsible for receiving and processing complaints, according to the terms, deadlines, and conditions established by Law 1581 of 2012 and these policies.
Complaints directed to TRÉBOL must contain at least the following information:
- Full name of the data subject and/or their representative and/or heirs;
- The data to be UPDATED or RECTIFIED;
- Physical address, email address, and contact phone number of the data subject and/or their heirs or representatives;
- Signature, identification number, or corresponding validation procedure;
- Submission through TRÉBOL’s authorized inquiry channels.
Once a request for UPDATE or RECTIFICATION of information is received from the data subject or their duly authorized representative or third party through the established channels, it will be forwarded to the Personal Data Protection Officer. The officer will verify that the request contains all required specifications to ensure that the right is exercised by a legitimate party.
Complaints Not Meeting Legal Requirements
If a complaint is submitted without meeting the above legal requirements, the complainant will be asked within five (5) days of receipt to correct the deficiencies and provide the missing information or documents.
If the requested information is not provided within two (2) months from the request, it will be understood that the complainant has withdrawn the complaint.
Inclusion of Notice in the Database
Once the complaint is complete, TRÉBOL will include a notice stating “complaint in process” and the reason for it in the database containing the data subject’s personal data within a maximum of two (2) business days from receipt. This notice must be maintained until the complaint is resolved.
Response Time for Complaints
The maximum term for addressing the complaint will be fifteen (15) business days from the day following its receipt.
If it is not possible to address the complaint within this term, the interested party will be informed of the reasons for the delay and the date by which the complaint will be addressed, which in no case may exceed eight (8) business days following the expiration of the initial term.
Procedure for Deleting Personal Data
If it is deemed appropriate to delete the personal data of the data subject in accordance with the submitted complaint, TRÉBOL must carry out the deletion in such a way that the information cannot be recovered. However, the data subject should be aware that certain information may need to remain in historical records for legal compliance purposes. Therefore, deletion will apply to active processing of the data in accordance with the data subject’s request.
N. Access Control and Video Surveillance
Access Control
Areas where processes related to confidential or restricted information are executed must have access controls that only allow entry to authorized personnel and ensure the traceability of ingress and egress.
O. Employee and Contractor Training
TRÉBOL will develop annual training and awareness programs on personal data protection and information security. TRÉBOL must make these policies known through appropriate channels and train its employees and contractors on personal data management at least annually to assess their understanding of the subject.
New employees and contractors must receive training on personal data protection and information security upon joining TRÉBOL, with records of their attendance and comprehension.
Training and awareness programs must ensure that employees, contractors, and third parties are aware of their responsibilities regarding personal data protection and information security.
Training programs will be updated periodically.
The Human Resources department, in conjunction with the Personal Data Protection Officer, will define training and evaluation plans for employees in accordance with any regulatory changes.
P. Audits and Control
TRÉBOL will conduct reviews or audits related to personal data protection, directly or through third parties, to verify that policies and procedures have been properly implemented at TRÉBOL.
Based on the results obtained, improvement plans (preventive, corrective, and enhancement) will be designed and implemented as necessary.
As a general rule, TRÉBOL will conduct these review processes at least annually or exceptionally in response to serious incidents affecting the integrity of personal databases.
The results of the review, along with any improvement plans, will be presented by the Personal Data Protection Officer to the Legal Representative for evaluation and approval.
Q. Data Retention Period
TRÉBOL’s databases will have a retention period corresponding to the purpose for which their processing was authorized, and in accordance with special regulations and those establishing the exercise of TRÉBOL’s legal functions or duties.
R. National Registry of Databases
In accordance with Article 25 of Law 1581 and its regulatory decrees, TRÉBOL, if required, will register its databases along with this Personal Data Processing Policy in the National Registry of Databases administered by the Superintendence of Industry and Commerce, following the established procedure.
S. Validity, Versions, and Updates
This personal data processing policy is effective from the date of its signing and complements the associated policies with indefinite validity.
Any substantial changes to the personal data processing policies will be communicated promptly to data subjects through usual contact methods and/or TRÉBOL’s website.
For data subjects who do not have access to electronic means or who cannot be contacted, notifications will be made through public notices at the company’s main office.
This policy will also have a summarized version made available to the public and users of the company’s products and services, in compliance with Law 1582 of 2012, regulatory decrees, and other relevant and current norms.
T. Summary of Changes from the Previous Version
This policy is version 2.0, expanded, supplemented, and adjusted to the national protection standard of the Republic of Colombia for the year 2023.
This policy comes into effect on October 1, 2023.