PERSONAL DATA PROCESSING POLICY

  1. DESCRIPTION

In compliance with provisions set out in Statutory Law 1581 of 2012, Single Decree 1074 of 2015, and other related provisions, we would like to inform all stakeholders that this personal data protection policy shall apply to databases containing personal details that are subject to treatment by CVN Research LLC with Taxpayer ID Number (NIT). 900.186.045-4

  1. GENERAL INFORMATION

CVN Research LLC defines the guidelines to comply with Statutory Law 1581 of 2012, which establishes general provisions for the protection of personal data in order to comply with the constitutional right people have to know, update and rectify the information that has been collected about them in databases or files, and other rights, freedoms and guarantees.

The principles and provisions contained in the above-mentioned law are applicable to personal data on any database that makes them susceptible to treatment by public or private entities.  Therefore, the organization should be governed by the protection of personal data regimen established in the mentioned law, its regulatory decrees and other applicable regulations that the supplement amend or repeal it. 

This policy must be applied by all employees and managers to all processes within organizations that process personal data

  1. DATA CLASSIFICATION

SENSITIVE DATA: “those that affect intimate matters of data holders or whose improper use may generate discrimination; data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, trade-union, social organizations and human rights entities membership, or membership to organizations that promote the interests of any political party or that ensure the rights and guarantees of political opposition parties, as well as, the data relating to health, sexual life and biometric data.” (Section 5 of Law 1581/12)

Section 6 of the same Law establishes some exceptions:

  1. a) The data holder has given their explicit authorization for data treatment, saved in cases in which granting such authorization is not necessary as established by a law. 
  2. b) The treatment of data is necessary to safeguard the vital interest of the holder and he/she is physically or legally incapacitated. In those events, the corresponding guardians or legal representatives shall give authorization. 
  3. c) The treatment of data is carried out in the course of legitimate activities and with due guarantees by a foundation, NGO, association or any other non-profit organization, whose purpose is a political, philosophical, religious or trade union activity, provided that the treatment is exclusively related to its members or to people who maintain regular contact to develop their purpose. In such events, data cannot be supplied to third parties without the due and prior authorization of the holder.
  4. d) The treatment of data has to do with data necessary for the recognition, exercise or defense of a right in a judicial proceeding. 
  5. e) The treatment of data has a historical, statistical or scientific purpose. In such event, the necessary measures to remove the identity of the holders should be considered.

Likewise, the person in charge of processing the data must inform the holder, as follows:

  1. Inform the holder that since the data is sensitive he/she is not obliged to authorize its treatment. 
  2. Inform the holder in advance and in an explicit manner, in addition to comply with the general requirements to collect any type of personal details, define which of the data to be treated are sensitive and the purpose of the treatment, as well as obtain the express consent of the data holder. 

No activity may be made conditional on the holder to provide sensitive personal data.

PUBLIC DATA: Data available to the public, registered in banks, databases, or other forms of data collection for PUBLIC USE; that is to say that anyone can use them without any meeting any special requirement. The same applies for all personal details registered in that type of sources, which are considered public in nature, respecting the parameters the legislation imposes and the definition above.

  1. PERSONAL DATA COLLECTION PROCEDURE AND PURPOSE 

CVN Research LLC will observe the principle of purpose set out in Section 4, subparagraph b) of Law 1581 of 2012, which describes the data collection procedure, its objective and use according to the law.

Employees.

  • To sign the employment contract 
  • To comply with labor obligations such as a. affiliation to the social security system and payment of contributions; b. affiliation to a family compensation fund and payment of parafiscal contributions; c. ensure safety and health in the workplace; d. implement withholding tax; e. issue labor, income and deductions certificates; f. provide the information required by public or administrative entities; g. pay employees  
  • To notify family members in case of an emergency
  • To issue ID cards for employees
  • To maintain information on compliance with labor obligations
  • To offer and to develop extracurricular activities, sports and cultural events and other activities to strengthen the wellbeing of employees.
  • To provide employees with a quick and effective aid in case of emergency and for medical records when needed
  • In case of offering complimentary transport services
  • For safety reasons at work facilities
  • Collect and treat any sensitive personal data about employees and their families as mandated by the Colombian authorities
  • The collection of personal data of children and adolescents should be done by appealing to the principle of representation by their parents or guardians. This data is collected to develop occupational health and well-being plans for employees and their families exclusively
  • Sensitive personal data related to occupational health and labor conflicts
  • Sensitive personal data for the enforcement of the Labor Code of Conduct and Occupational Health activities and other purposes
  • Any other derived from the labor contract

Customers

  • Identification data such as RUT (Single Taxpayer ID) and chamber of commerce registration.
  • Details of the legal representative or the person authorizing the purchase.
  • Data of users so that we can register them on our platforms.

Contractors and Suppliers of Goods and/or Services.

  • To request quotations, offers, and invite them to participate in acquisition processes 
  • To conclude service provision contracts
  • To assess their obligations compliance
  • To register them in the list of qualified suppliers
  • To process payments and check outstanding balances

Additional Considerations

In contractual relations, companies should include clauses for the prior and general authorization to treat personal data in contracting processes, including authorization to collect, modify or amend the holder’s personal data in the future. Companies shall also include authorization for some personal data, in any given case, to be delivered to third parties with whom the company has contracts for the provision of services, so that they can perform outsourced tasks. 

When the organization retains third parties to perform additional tasks, and they require personal data, the company will provide such data as long as there is a prior and express authorization form the data holder. Given that in those cases in which the third party is responsible for the processing of data, their contracts shall include clauses that define the purposes and treatments authorized by the company and delimit, in a precise manner, how such third parties can use the data provided. In any case, a clause prohibiting a subsequent delivery to other third parties as well as the commercial use of personal data delivered shall be included. 

Transferring of personal data to third countries should only be performed when there is an authorization or request made by the customer and/or the holder and, in any given case, when responding to requests for administrative or public entities in the exercise of their legal functions. 

The company must inform of and train employees on the proper use of personal data.  In addition, information and reflection campaigns and programs must be conducted and addressed to employees to educate them about their rights in terms of their personal data and their proper use, especially in relation to information technologies.  

In accordance with Section 25 of Law 1581 of 2012, the organization responsible for the processing of personal data must register their databases in the National Registry of Databases, which is managed by the Superintendence of Industry and Commerce.

  1. RIGHTS OF PERSONAL DATA HOLDERS.

Natural persons whose personal data are subject to treatment on the part of CVN Research LLC have the following rights, which they can exercise at any time:

  • Know which personal data is being treated by CVN Research LLC
  • Request, at any time, their data to be updated, corrected or removed, and request authorizations to be revoked. 

NOTE. Removal of information and/or revoking authorization will not apply when the data holder has a legal or contractual obligation or while the relationship between the data holder and CVN Research LLC is in effect. 

  • Request a proof of the authorization granted to CVN Research LLC to treat your Personal Data.
  • Be informed by CVN Research LLC about the use given to your personal data 
  • Submit to the Superintendence of Industry and Commerce complaints for infractions against provisions in the Protection of Personal Data Act.
  • Access your personal data: i) at least once each calendar month, and ii) whenever there are substantial modifications of policies for handling information that cause further consultations (Section 2.2.2.25.4.2 Single Decree 1074 of 2015)

  1. DUTIES OF CVN RESEARCH LLCAS A PERSONAL DATA PROCESSING ENTITY.

 CVN Research LLC will use collected Personal Data only for the purposes described in this policy and in the document of authorization. In addition, CVN Research LLC will comply with the duties contained in Section 17, Law 1581 of 2012 and other rules that regulate, modify or replace it.

  1. AUTHORIZATION TO PROCESS PERSONAL DATA.

 CVN Research LLC will request prior, express and informed authorization to Personal Data Holders or their representatives. 

Such authorization shall be given in writing by completing a template developed by CVN Research LLC You can also authorize us by phone call or video call or by unequivocal behaviors that lead to the conclusion that you have granted us with authorization.

Data holders authorization will not be needed in the following cases: 

  • Information required by a public or administrative entity in exercising their legal duties or by a writ. 
  • Public nature data. 
  • Medical emergencies or health care. 
  • Treatment of information authorized by law for historical, statistical or scientific purposes. Data related to the Civil Registry of persons. 

  1. RECEPTION OF REQUESTS, QUERIES, COMPLAINTS AND CLAIMS FROM PERSONAL DATA HOLDERS.

Personal data holders or their representatives may visit one of the following places:

  • Communications to CVN Research LLC: In Bogotá. Address Carrera 57 A Bis # 128-32
  • E-mail: administrativo@cvn.com.co Personal data holders must provide at least their identification, make a brief description of the facts giving rise to the claim, address, and any additional documents they want to enforce.
  • Telephone: +57 304 572 80 77 In the voice mail, data holders should provide at least their identification, a brief description of the facts giving rise to the claim and their address.

  1.  PROCEDURE IN THE EVENT OF A QUERY OR A CLAIM. 

CVN Research LLC will observe the provisions in Sections 14, 15 and 16 of Law 1581 of 2012 

Query:   When the data holder is an employee, the query about the treatment of their personal data should be addressed to their line manager, who, in turn, must escalate the query to Human Management via e-mail at servicio.cliente@cvn.com.co When the company is in charge of the information whose direct responsible is the customer, data holders can request the company to consult their personal data, under the guidance of the customer, by sending an e-mail at administrativo@cvn.com.co Consultation should be treated in a maximum term of ten (10) working days from its date of receipt. When it is not possible to attend the consultation within said term, the data holder must be immediately informed by stating the reasons for the delay and announcing the date on which their request will be attended, which, in no case, shall exceed five (5) working days following the expiry of the first term.

Claims:   When the data holder is an employee, the claim for correction, update or deletion on the treatment of their personal data should be escalated to their line manager or immediate supervisor, who, in turn, must escalate the request to Human Management via e-mail sent at servicio.cliente@cvn.com.co In those cases in which the company is in charge of the information, data holders may request their information to the company, under the guidance of the customer, by sending an e-mail at administrativo@cvn.com.co The claim must contain at least the data holder ID, a brief description of the events giving rise to the claim, address, and the additional documents the customer wants to add as supporting documentation. In case the person who receives the claim does not have the competence to resolve it, the claim must be referred to the actual person in charge within a maximum term of two (2) business days and the person concerned must be informed of the situation. Once the full claim has been received, a note must be entered into the database reading “claim is being processed” and its causes, in a term not exceeding two (2) business days. Such note must appear until the claim has been solved.  The maximum term to process a claim is fifteen (15) working days as of the day following the date of its receipt. When it is not possible to attend a claim within said term, the data holder must be immediately informed by stating the reasons for the delay and announcing the date on which their claim will be attended, which, in no case, shall exceed eight (8) working days following the expiry of the first term.

Data Rectification and Updating: CVN RESEARCH LLC is bound to rectify and update, at the request of the holder, any information proved to be incomplete or inaccurate in accordance with the procedures and the terms outlined above. In such regard, CVN RESEARCH LLC Will consider the following:

In the requests for rectifying and updating personal data, the holder must indicate corrections to be made and provide the documentation supporting the request.

CVN RESEARCH LLC is free to enable mechanisms to facilitate exercising this right, as long as the corrections benefit the owner of the data. Accordingly, it will be possible to enable electronic mechanisms, among others, that CVN RESEARCH LLC considers relevant.

CVN RESEARCH LLC may establish other means, systems and methods, which will be made available to those interested, on its web page or via email atadministrativo@cvn.com.co 

Deletion of Data: Personal data holders have the right, at all times, to request CVN RESEARCH LLC  to delete (remove) their personal data when:

  • They consider that they are not being treated in accordance with the principles, duties and obligations provided for in current regulations.
  • Their personal data has ceased to be necessary or pertinent for the purpose for which it was collected.
  • Their data exceeded the period necessary to fulfill the purposes for which they were collected.
  • The deletion involves the removal of all or part of the personal information in accordance to what was requested by the holder in the records, files, databases or treatments performed by CVN RESEARCH LLC
  • The right of deletion is not an absolute right and the entity responsible for processing the personal data can deny any deletion petition when: 
  • The data holder has a legal or contractual duty to remain in the database.
  • The deletion of data hinders judicial or administrative proceedings related to tax obligations, investigations and prosecution of criminal offenses or the updating of administrative sanctions.
  • The data are necessary to protect the interests of the holder legally protected to perform an action to the public interest or to comply with an obligation legally acquired by the holder.

Revocation of Authorization: Any personal data holder can revoke, at any time, the consent to data treatment as long as the revocation does not prevent any legal or contractual provision. To this end, CVN RESEARCH LLC will establish simple mechanisms that will allow the holder to withdraw his or her consent.

There are two modes in which consent revocation can occur:

  • On the entire consensual purposes, which means that CVN RESEARCH LLC must fully stop treating the holder’s data.
  • On certain consensual purposes such as for the purposes of advertising or market research. In such case, CVN RESEARCH LLC must partially stop treating the holder’s data. Other treatment purposes remain in accordance with the permission granted and agreed by the data holder.

  1. LEGITIMATION TO EXERCISE THE RIGHTS OF THE HOLDER.

The rights of holders may be exercised by the following people: 

  • By the holder
  • By the successors of the holder, who must provide proof of such quality
  • By the representative and/or agent of the holder, prior accreditation of the representation or seizure 
  • By the persons empowered to represent the rights of children and adolescents under age

  1.   PERSONAL DATA SECURITY.

 CVN Research LLC will have the appropriate means to provide security to personal information databases and will report to the Superintendence of Industry and Commerce of any incident involving the security of such databases

  1.   VALIDITY.

This Personal Data Protection Policy was approved and has been in force since the first day of February 2018). Databases subject to treatment will be valid as long as necessary for the purposes outlined in paragraph four (4) of this policy or by legal provision