DATABASE INFORMATION TREATMENT POLICIES INFRAPOL SAS.
4.1. RESPONSIBLE FOR THE DATABASES
Infrapol sas with Nit 901335577-4
Address: Former fairground winery OK1B
Phone: 322 392 6222
Infrapol sas, a company committed to complying with the law and protecting the rights of Habeas Data, we have designed the following policies for the storage, treatment and use of your personal data.
4.1.1. This document was prepared in accordance with (arts. 15 and 20) of Law 1581 of 2012; of the Political Constitution of Colombia “by which general provisions are issued for the protection of personal data” and Decree 1377 of 2013 “by which Law 1581 of 2012 is partially regulated.”
4.1.2. This document is applicable to the treatment of personal data that Infrapol sas obtains and manages, it is also applicable for the treatment of personal data obtained in companies where they own shares in their capacity as partner and administrator of all their databases.
4.1.3. The policies and procedures contained in this document will be used
for the databases contained in the following:
CUSTOMERS.
EMPLOYEES.
SUPPLIERS.
4.2. PURPOSE
By means of these policies, the provisions of letter k) of article 17 and letter f) of article 18 of Law 1581 of 2012 are complied with, which regulate the duties that oblige those responsible and in charge of the treatment of personal data, as well as the provisions of Chapter Three of Decree 1377 of 2013 on “Treatment Policies”, within which is the obligation to adopt an internal manual of policies and procedures to guarantee adequate compliance with the law , especially for the attention of queries and claims, and ensure that those in charge of the treatment comply with it. Likewise, this document aims to regulate the procedures for the collection, storage and processing of personal data carried out by “INFRAPOL SAS” in order to guarantee and protect the fundamental right of habeas data in accordance with the provisions of the law, pursues the following purposes:
- Facilitate general access to information related to the products and services of Infrapol sas; for commercialization through the different media and communication channels own or third parties.
- Provide, inform and promote products and services.
- Make loyalty and verification calls to our customers.
- Comply with obligations contracted with our affiliates and suppliers.
- Evaluate the quality of products and services.
- Conduct surveys, internal and external market studies.
- Collection management through our own different collection channels and through third parties or contractors.
- Digitize the database for our software for entries, withdrawals and updates.
- Issuance of legal and contractual documents.
- Share data with the different notaries and registries.
- Preparation of legal collection documents.
- Notices for arrears and information on account statements.
- Data consultation to: verify customer information, to update their data, to verify products, payments, account statements, reconciliations, to provide services, for refinancing, for service changes, to reconcile payment of agreements, preparation of credit cards. collections, withdrawals and withdrawals, for the preparation of contracts, for the renewal of contracts, to make refunds, to send incentives and aid, calls for recreation and training programs, sending information and advertising.
- Data processing to obtain information testing, design, development and implementation of applications.
- Database backups on different preservation media.
- Generation of reports, indicators, statistics and flat files for internal management and state control entities.
- Responses to requests, complaints, claims and suggestions.
4.3. RIGHTS OF THE REGISTERED INFORMATION
In accordance with the provisions of article 8 of Law 1581 of 2012, the registered data
You have the following rights:
- Know, update and rectify your personal data in front of INFRAPOL SAS in its capacity as Responsible and in Charge of Treatment.
- Request proof of the authorization granted to IN, in its capacity as Responsible and in Charge of Treatment.
- Be informed by INFRAPOL SAS. Upon request, regarding the use you have given your personal data.
- Present before the Superintendence of Industry and Commerce complaints for infractions to the provisions of Law 1581 of 2012, once the consultation or claim process before INFRAPOL SAS has been exhausted.
- Revoke the authorization and request the deletion of the data when the principles, rights and constitutional and legal guarantees are not respected in the treatment.
- Free access to your personal data that have been subject to Treatment.
4.4. DUTIES IN RELATION TO THE PROCESSING OF PERSONAL DATA.
INFRAPOL SAS will keep in mind, at all times, that personal data are the property of the natural persons to whom they refer and that only they can decide on them. In this sense, it will use them only for those purposes for which it is duly empowered in the authorization obtained and respecting at all times the mandates of the Constitution, Law 1581 of 2012 on protection of personal data and Decree 1377 of 2013 that regulates it In accordance with the provisions of article 17 of Law 1581 of 2012, INFRAPOL SAS undertakes to permanently comply with the following duties in relation to the processing of personal data:
- Guarantee the owner of the data, at all times, the full and effective exercise of the right to habeas data.
- Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
- Carry out in a timely manner, that is, in the terms provided in articles 14 and 15 of Law 1581 of 2012, the update, rectification or deletion of the data.
- Process inquiries and claims made by the owners of the data in the terms indicated in article 14 of Law 1581 of 2012.
- Insert in the database the legend “information in judicial discussion” once notified by the competent authority about judicial processes related to the quality or details of the personal data.
- Refrain from circulating information that is being controversial by the owners of the database and whose blocking has been ordered by the
- Superintendency of Industry and Commerce.
- Allow access to information only to people who can have access to it.
- Inform the Superintendency of Industry and Commerce when there are violations of the security codes and there are risks in the administration of the information of the owners of the database.
- Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.
4.5. ACCESS, CONSULTATION AND COMPLAINT MECHANISMS
Law 1581 of 2012 confers on all natural persons, rights and guarantees that seek to provide them with tools to protect their personal data and the use that is given to them. Any right that claims to be effective must have a known and efficient mechanism through which it can be enforced.
Next, INFRAPOL SAS presents the rights that they can assert, in their capacity as owner of the information database, and the mechanisms that we have at their disposal for this.
- RIGHT OF ACCESS:
The power of disposition or decision that the owner of the database has about the information of which he is the owner implies the right to access and know if his personal information is being processed, as well as its scope. INFRAPOL SAS. guarantees the owner of the database the right of access as follows:- You will be able to know, if requested, if your data (s) is (are) being processed by INFRAPOL, SAS.
- You can have access to your personal data that are in possession of INFRAPOL SAS.
- INFRAPOL SAS. They will inform the owner about the type of personal data processed and each and every one of the purposes that justify the treatment.
- INFRAPOL SAS. will guarantee the right of access, after accreditation of the identity of the owner of the database or the personality of its representative, making available to him, free of charge, the details of his personal data through physical or electronic means that allow the direct access of the database owner to them, so that they can exercise their right to rectify, correct or request the deletion of all or part of their data.
- INQUIRIES:
In accordance with the provisions of article 14 of Law 1581 of 2012, the registrants or their successors in title may consult the personal information of the registrant that resides in any database. The person in charge of the treatment or person in charge of the treatment must provide them with all the information contained in the individual registry or that is linked to the identification of the registered person. The consultation will be enabled by the means authorized by the person in charge of the treatment or in charge of the treatment as long as proof of this can be maintained. For the attention of requests for consultation of personal data INFRAPOL SAS. guarantees: To have enabled its consumer service cell line 322 392 6222, as well as the email account hola@servispa.com and others that it deems pertinent at the time and that will be effectively announced through modifications to its Privacy Notice. In this case, regardless of the mechanism implemented for the attention of consultation requests, these will be attended within a maximum term of ten (10) business days from the date of receipt. When it is not possible to attend the query within said term, the interested party will be informed before the expiration of 10 days, stating the reasons for the delay and indicating the date on which the query will be attended, which in no case may exceed five (5) business days following the expiration of the first term. - CLAIMS:
In accordance with the provisions of article 14 of Law 1581 of 2012, the owner of the database or his successors in title who consider that the information contained in a database should be subject to correction, updating or deletion, or when they notice The alleged breach of any of the duties contained in Law 1581 of 2012, may file a claim with the person responsible for the treatment, which will be processed under the following rules:- The claim will be formulated by means of a request addressed to the person responsible for the treatment or the person in charge of the treatment, with the identification of the owner of the database, the description of the facts that give rise to the claim, the address, and including the supporting documents. the claim. If the claim is incomplete, the interested party will be required within five (5) days after receiving the claim to correct the faults. After two (2) months from the date of the request, without the applicant submitting the required information, it will be understood that he has withdrawn the claim. In the event that INFRAPOL, SAS. is not competent to resolve it, it will transfer to whoever corresponds within a maximum term of two (2) business days and will inform the interested party of the situation.
- Once the complete claim is received, a legend that says “claim in process” and the reason for it will be included in the database within a term of no more than two (2) business days. Said legend must be kept until the claim is decided.
- The maximum term to attend the claim will be fifteen (15) business days from the day following the date of receipt. When it is not possible to attend to it within said term, the interested party will be informed before the expiration of the aforementioned period of the reasons for the delay and the date on which their claim will be attended, which in no case may exceed the following eight (8) business days at the expiration of the first term.
INSTRUCTION FOR PERSONAL DATA TREATMENT CLAIM
The following is the document that will allow you to view the complaints procedure made by registrants and holders of personal data for the treatment of their information in accordance with the disclosure of the Habeas Data law, by which INFRAPOL SAS is governed. according to law 1581 of 2012.
WHAT IS THE PERSONAL DATA PROCESSING CLAIM BOOKLET?
The personal data processing claim booklet is a booklet that will be available to registrants and holders of personal data so that they can know, update, rectify or withdraw their personal information from our database.
MANAGEMENT OF DATA PROCESSING REQUESTS
- All INFRAPOL SAS headquarters. will have at the disposal of those registered and holders of personal data, the claim booklet for the processing of personal data. Anyone who has a commercial relationship with INFRAPOL SAS. You can request this format and make your complaint in writing.
- The form must be completed in its entirety, writing the identification data to locate it in our database.
- In the body of the claim must be the exact data that you want to be removed from the database or that you want to include for commercial and administrative purposes.
- The claim must be signed by the registrant or owner of the data and by the person who receives said claim.
4.6. VALIDITY
This document is effective as of July 13, 2015 and until such time as it is expressly revoked or modified.
4.7. DURATION
INFRAPOL SAS. will make use of previously authorized personal information and without any request to revoke it for 200 years, having complied with the personal data processing policies in accordance with article 1581 of 2012.
5. AUTHORIZATION PROCESS FOR THE HANDLING OF PERSONAL DATA INFRAPOL SAS.
5.1. AUTHORIZATION PROCESS IN PHYSICAL FORMATS FOR NEW USERS
Our new registrants will authorize the handling of their personal data, directly in the INFRAPOL SA product or service purchase format.
6. INFORMATION SECURITY
SECURITY MEASURES.
In development of the security principle established in Law 1581 of 2012, INFRAPOL SAS. will adopt the technical, human resource and administrative measures that are necessary to grant security to the data avoiding its adulteration, loss, consultation, use or unauthorized or fraudulent access.
IMPLEMENTATION OF SECURITY MEASURES INFRAPOL SAS.
It will maintain mandatory security protocols for its collaborators with access to personal data and information systems. The procedure must consider, as a minimum, the following aspects:
- Detailed specification of the databases to which it applies.
- Measures, norms, procedures, rules and standards aimed at guarantee the level of security required in Law 1581 of 2012.
- Functions and obligations of the personnel.
- Structure of the personal databases and description of the information systems that process them.
- Notification, management and response procedure for incidents.
- Procedures that guarantee the conservation of the authorizations issued by the holders of the information.
- Periodic controls that must be carried out to verify compliance with the provisions of the security procedure that is implemented.
- Measures to be taken when a support or document is to be transported, discarded or reused.
- The procedure must be kept up to date at all times and must be reviewed whenever relevant changes occur in the information system or in its organization.
- The content of the procedure must be adapted at all times to the current provisions on the security of personal data.
PERSONNEL SAFETY
Politics
Every user of IT goods and services must sign the document called: “receipt and delivery of the car” in which they accept the conditions of confidentiality, appropriate use of the IT and information resources of INFRAPOL SAS. The user must comply with the regulations established in the additional clauses to the INFRAPOL SAS employment contract. and the one not contained in the manual, the one that governs the higher standard.
PHYSICAL AND ENVIRONMENTAL SECURITY
Politics
Prevent and prevent unauthorized access, damage and interference to the Agency’s headquarters, facilities and information.
Network security
Any activity not authorized by the management, in which users carry out the exploration of computer resources in the company network, as well as the applications on said network, will be considered as an attack on Computer Security and a serious offense. operate, in order to detect a possible vulnerability.
BACKUP COPIES OF INFORMATION
Data backups are intended to maintain the ability to recover data lost after an incident. INFRAPOL SAS. has established a security and backup protocol for the information contained in the different databases used by the company and they are guarded by the administration as follows:
Controls for the generation and restoration of backup copies (Backups):
- Procedure for generating and restoring backup copies to safeguard critical information from significant company processes.
- Backup Copies of the Information System Database and user document information:
- A weekly copy is made of the databases of the information system that stores the sensitive data of the CORE of the business, on an external hard drive.
- Each copy is transferred to the safe daily with its respective signed support.
- Every fifteen days a data restoration test is carried out where it is verified that the data is consistent and that the copies are genuine.
- Backup Copies of the Information System Database and user document information:
Use of E-mail
The e-mail service is a free service offered by the company to officials. You must make use of it, complying with all the security provisions designed for its use and avoiding the use or introduction of malicious software to the business network.
Users should not use email accounts assigned to other people, or receive messages on other people’s accounts. If it is necessary to read someone else’s email (while this person is away or on vacation), the absent user must redirect the email to another internal email account, being prohibited from doing so to an email address external to the companies, to Unless it has the authorization of the Subdirectorate of secondment.
Users should not access personal email accounts on company premises or during business hours. Users should know that the information in emails and attachments are the property of the company.
The company reserves the right to access and reveal all messages sent by this means for any purpose and to review communications via email from personnel who have compromised security and have violated security policies or performed unauthorized actions.
The official must use the business email only and exclusively to the resources assigned to him and the powers that have been attributed to him for the performance of his job, position or commission, being prohibited any other use.
The assignment of an email account must be requested by the manager of the area corresponding to the IT area, indicating the reasons why the service is desired, as well as their personal data and the assigned area that requests it.
Controls against malicious code and viruses To prevent computer virus infections, employees should not make use of any kind of software that has not been provided and validated by the Systems Department.
Employees must verify that the information and external storage media are free of any type of malicious code, for which they must run the antivirus software authorized by the IT department.
All computer files that are provided by external or internal personnel considering at least software programs, databases, documents and spreadsheets that have to be decompressed, the user must verify that they are free of viruses using authorized antivirus software before to run. Because some viruses are extremely complex, no employee should attempt to erase them from computers.
Unattended equipment
Users have screen savers (screensaver) on the corresponding server to which they enter and it is automatically activated after 5 minutes of inactivity and you must enter your password again to be able to reestablish it. Users cannot disable or modify this security feature.
Administration and use of Passwords
The assignment of the password must be carried out individually, so the use of shared passwords is prohibited according to number 5 of the first clause of the addendum document to the employment contract.
When a user forgets, blocks or misplaces his password, he must make a request to the IT department for a new password to be provided and once he receives it, he must change it the moment he accesses the technological infrastructure again. Obtaining or changing a password must be done safely, the user must be accredited before the arera as an employee of the company.
It is forbidden for passwords to be legibly found in any printed medium and to leave them in a place where unauthorized persons can discover them. Regardless of the circumstances, passwords should never be shared or revealed. Doing this makes the user who lent his password responsible for all actions carried out with it.
All users must observe the following guidelines for the construction of their passwords:
- They must be composed of at least six (6) characters and a maximum of ten (10), these characters must be alphanumeric, that is, numbers or letters or a combination of both.
- They must be difficult to guess, this implies that passwords must not be related to the user’s work or personal life, and must not contain characters that express sequential lists and control characters.
- They should not be identical or similar to the password they have previously used. Any user who suspects that his password is known to another person, must change it immediately.
Users should not store passwords in any program or system that provides this facility.
The changes or unlocking of the password requested by the user to the Systems Department will be notified later by email to the applicant with a copy to the corresponding immediate manager, in such a way that any unsolicited change can be detected and reported.
COMPUTER SECURITY COMPLIANCE
Politics
Intellectual property rights It is prohibited by copyright law and by the company, to make unauthorized copies of software, whether acquired or developed by the company.
The systems developed by internal or external personnel who control the IT Area are the intellectual property of INFRAPOL SAS. and they must be backed by the corresponding confidentiality clauses.
Compliance reviews
Management will carry out actions to verify compliance with the standards established in this document.
The administration may implement control mechanisms that allow the identification of trends in the use of computer resources by internal or external personnel, to review the activity of the processes that it executes and the structure of the files that are processed. The misuse of computer resources that is detected will be reported in accordance with what is indicated in the Personnel Security Policy. Users must support reviews of systems compliance with appropriate IT Security policies and standards and any other security requirements.
Computer Security Breaches
The use of hardware or software tools to violate the Computer Security controls is prohibited, as well as testing the controls of the different elements of Information Technology. No person can test or attempt to compromise internal controls.
No official should test or attempt to prove identified or known Computer Security flaws, unless these tests are controlled and approved by the administration.
You must not intentionally write, generate, compile, copy, collect, propagate, execute or attempt to introduce any type of code (program) known as viruses, malware, worms or toyans, designed to self-replicate, damage or affect the performance or access to computers, servers, networks or company information.
APPLICATIONS AND COMPUTER SOFWARE THAT USE PERSONAL DATA
EXCEL application
INFRAPOL SAS customer and user information management.
7. RESPONSIBLE FOR THE INFORMATION
INFRAPOL SAS. designates as the person responsible for the processing of personal data of INFRAPOL SAS. to the Legal Representation.
8. PUBLICATION PROCEDURE
In line with the guidelines established in law 1581 of 2012 on the protection of personal data, we allow ourselves to publish the compliance notice in accordance with the Habeas Data law by different internal and external communication media, so that it is known, read and understood, by the owners of the database that are included in our databases and who have provided personal information for their registration process and connection to INFRAPOL SAS.