BRILLIANT DIGITAL NETWORK S.A.S. is responsible for the processing of personal data to which it has access through the development of its activity. Likewise, it is guarantor of the administration of the databases in which said information is stored.
This DATA PROCESSING POLICY (hereinafter PTD) is made known to BRILLIANT DIGITAL NETWORK S.A.S. (hereinafter BRILLIANT), to its employees, contractors, suppliers, users and other people who provide personal information to this company, in order to effectively comply with legal and regulatory obligations related to the protection and proper treatment of the personal information of third parties that the company manages.
This policy is mandatory for BRILLIANT as the person responsible for the processing of personal data, as well as for those in charge of data processing on behalf of the company. Both the person in charge and those in charge must safeguard the security of the databases that contain personal data and keep the confidentiality regarding their treatment.
BRILLIANT restricts the processing of sensitive personal data to strictly essential personnel. In the same way, it requests prior and express consent from the owners of the personal data, informing about the exclusive purpose of its treatment.
CHAPTER I
GENERAL
ARTICLE I. CONSIDERATIONS: Article 15 of the Political Constitution of Colombia establishes in favor of all people the right to know, update and rectify the information that has been collected about them in data banks and in files of public and private entities.
In attention to the current provisions regarding Habeas Data, in particular Statutory Law 1581 of 2012 and its Regulatory Decree 1377 of 2013, BRILLIANT informs its policies for the treatment of the information collected and the mechanisms adopted for its protection.
Statutory Law 1581 of 2012, which establishes general provisions for the protection of personal data, establishes the minimum conditions that BRILLIANT must guarantee, for the legitimate treatment of personal data of members, users, customers, suppliers, employees and any other person.
Law 1273 of 2009, by means of which the Criminal Code is modified, a new protected legal right is created – called “information and data protection” – and the systems that use information and communications technologies are fully preserved, among other provisions.
BRILLIANT is directly in charge of the processing of personal data and reserves the right to delegate such treatment to a third party, also demanding that these managers, understood as employees, contractors and third parties, must observe and respect these policies in the performance of their duties and/or activities even after the legal, commercial, labor or any kind of ties have ended. In the same way, they must keep strict confidentiality in relation to the data processed.
ARTICLE II. OBJECT: The purpose of creating this PTD is to fully comply with the adoption of a policy and procedures to guarantee the adequate attention to claims or queries and the adequate treatment of information in accordance with the purposes established for it, as set forth in this PTD.
Likewise, the purpose of BRILLIANT is to ensure the preservation and confidentiality of the information of clients, suppliers, employed contractors and other users; which is collected for the purpose of developing the company’s corporate purpose, in accordance with the provisions of article 15 of the National Constitution, Law 23 of 1981, Decree 1377 of 2013.
Our information treatment policy defines, among others, the principles that we will comply with when collecting, storing and using the personal data of clients, suppliers, contractors, employees, among others, which translates into acting responsibly when collecting personal information, protecting their privacy and guaranteeing the confidentiality of the information as indicated in the law.
ARTICLE III. SCOPE: This PTD will be applicable solely and exclusively to the processing of personal data that BRILLIANT currently possesses and those that it collects later in compliance with the legal requirements established by law for obtaining personal data from third parties.
ARTICLE IV. DEFINITIONS: For the purposes of a full understanding of this PTD, the definitions included in article 3 of Law 1581 of 2012 and Regulatory Decree 1377 of 2013 are presented below, which must be taken into account by the holders of the information, as well as by BRILLIANT:
1. Privacy Notice: Verbal or written communication granted by the person in charge, addressed to the owner of their personal data, through which they are informed about the information treatment policies, their applicability, the way to access them and the purposes of the treatment that is intended to be given to personal data.
2. Authorization of the Owner: Prior, express and informed consent of the owner of the data to carry out the processing of their personal information. Said authorization must be obtained and preserved by any means that can be subject to subsequent consultation.
3. Database: Organized set of personal data that is subject to treatment.
4. Personal data: Any piece of information linked or that can be associated with one or several determined or determinable persons, whether natural or legal. Personal data can be public, semi-private or private.
5. Public personal data: Qualified by law as such, it is not private or semi-private data. It is unreserved data contained in documents and public records, official gazettes and bulletins, and duly executed court rulings that are not subject to reservation and those relating to the civil status of individuals. This data can be obtained and offered without any reservation and regardless of whether it refers to general, private or personal information.
6. Private personal data: Information that, due to its intimate or reserved nature, is only of interest to its owner.
7. Semi-private personal data: Information that is not of an intimate, reserved or public nature and its knowledge or disclosure may be of interest not only to its owner but also to a sector or group of people or to society in general. Example: Financial and credit data, commercial or service activity or data related to relations with social security entities.
8. Sensitive personal data: It is that which affects the privacy of the owner or whose improper use may generate discrimination, such as that which reveals racial or ethnic origin, political orientation, religious or philosophical convictions, membership of unions, social organizations, human rights or that promotes the interests of any political party or that guarantees the rights and guarantees of opposition political parties as well as data related to health, sexual life and biometric data (fingerprints, photos, videos).
9. Responsible for the treatment: Natural or legal person, public or private, that by itself or in association with others, decides on the database and/or the treatment of the data.
10. Person in charge of the treatment: Natural or legal person, public or private, that by itself or in association with others, performs the data processing on behalf of the person in charge of the Treatment.
11. Owner of the data: It is the natural or legal person whose personal data is processed.
12. Data processing: Any operation or set of operations carried out on personal data, such as collection, storage, use, circulation or deletion.
13. Claim: Request from the data owner or the person or persons authorized by him or by law to correct, update or delete his personal data or to revoke the authorization in the cases established by law.
14. Transfer: Operation by which the person in charge or in charge of personal data sends to another person in charge or person in charge who is inside (national transfer) or outside the country (international transfer).
15. Transmission: Treatment of personal data that implies the communication of these within (national transmission) or outside Colombia (international transmission) and whose purpose is to carry out a treatment by the person in charge on behalf of the person in charge.
ARTICLE V. PRINCIPLES FOR THE TREATMENT OF PERSONAL DATA: BRILLIANT will apply the following specific principles, which constitute the rules to follow in the collection, management, use, treatment, storage and exchange of personal data:
1. Principle of access and restricted circulation. In accordance with the legal provisions, the data operated by BRILLIANT, its access and circulation will be restricted according to the nature of the data and with the authorizations given by the owner or other persons provided for in current regulations.
The treatment is subject to the limits that derive from the nature of the personal data, from the constitutional and legal provisions, limits included in this policy. The treatment can only be done by persons authorized by the Owner and/or by persons provided by law.
Personal data, except those of a public nature, may not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge to the Holders or authorized third parties. For these purposes, BRILLIANT’s obligation shall be of means and not of result.
2. Principle of confidentiality. All persons involved in the processing of personal data, which are not public in nature, are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks included in the treatment, and may only supply or communicate personal data when it corresponds to the development of the activities authorized by the Law and in its terms.
BRILLIANT undertakes to preserve and maintain strictly confidential and not disclose to third parties the personal, accounting, technical, commercial or any other type of information provided by the owners.
All BRILLIANT people who currently work or are linked in the future for this purpose, in the administration and management of databases, must sign an additional document or an addendum to their employment contract or service provision contract in order to ensure such commitment. This obligation persists and is maintained even after the end of their relationship with any of the tasks that comprise the treatment.
3. Principle of purpose. The Processing of personal data that BRILLIANT carries out obeys the legitimate, informed, temporary and material purpose in accordance with the Political Constitution, Law 1581 of 2012 and Decree 1377 of 2013.
4. It also guarantees the right to informative self-determination of the owners who provide personal data.
5. Principle of legality. The Processing of Personal Data is a regulated activity governed by Statutory Law 1581 of 2012, Decree 1377 of 2013 and other regulations that complement, modify or repeal them.
6. Principle of freedom. BRILLIANT can process and transfer the personal data stored in its databases, only with the prior, express and informed consent of the owner at the time of processing their personal data.
7. Safety principle. BRILLIANT as responsible and/or person in charge of the processing of personal data, provides the technical, human and administrative measures that are necessary to grant security to the records, avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.
8. Principle of transparency. BRILLIANT guarantees natural or legal persons who are holders of personal data, that they may obtain at any time, without restrictions, information about the existence of data that concerns them and that are stored in its databases under the parameters established in article 21 of Regulatory Decree 1377 of 2013.
9. Principle of veracity or quality. The veracity and quality of the personal data that have been captured is guaranteed by each of its holders, leaving BRILLIANT exempt from any type of responsibility regarding its quality.
CHAPTER II
RIGHTS OF THE HOLDERS OF THE INFORMATION
ARTICLE VI. RIGHTS OF THE HOLDERS OF THE INFORMATION: BRILLIANT undertakes to respect and guarantee the following rights of the data holders:
1. Access, know, update and rectify personal data.
2. For this purpose, it is necessary to previously establish the identification of the person to prevent unauthorized third parties from accessing the data of the data owner.
3. Obtain a copy of the authorization granted by them as data owners.
4. Know the use that BRILLIANT has given to the owner’s personal data.
5. Consult your personal data and make claims to safeguard your right to the protection of your personal data following the guidelines established by law and in this policy.
6. Delete personal data when the Superintendence of Industry and Commerce has determined that in the treatment by BRILLIANT, conduct contrary to the Constitution or Law 1581 of 2012 has been incurred.
7. In no case may the owner of the data revoke the authorization and request the deletion of the data, when there is a legal or contractual duty that imposes the duty to remain in the database or file of the person in charge or in charge.
8. Submit complaints for violations of the provisions of the law before the Superintendence of Industry and Commerce.
BRILLIANT, in compliance with the regulations on the protection of personal data, will indicate the procedure and minimum requirements for the exercise of the rights of the holders of the information.
CHAPTER III
DUTIES OF BRILLIANT
ARTICLE VII. DUTIES OF THE RESPONSIBLE FOR THE INFORMATION: BRILLIANT, in its capacity as data controller, knows the importance of observing the policies and protocols aimed at protecting the personal data of the owners, since the data are the property of the people to whom they refer and only those people can decide on the use that will be given to said data.
In a strict manner, BRILLIANT will only use the personal data for the purposes expressed by it to the owner and authorized by the owner, guaranteeing at all times compliance with the legal provisions concerning the protection of personal data. Below are the duties that they have regarding the treatment of the information that rests in their databases.
1. Obtain and use the personal data that is actually required for the development of its object and to duly attend to the relationship established with the data owner, so that it will avoid requesting information unrelated to said purposes.
Such personal data corresponds to clients, contractor suppliers, employees and in general those natural or legal persons with whom BRILLIANT is related.
2. By requesting the required authorization from the owner of the personal data, BRILLIANT:
2.1. It will clearly and sufficiently inform the holders of the information about the purpose of the collection and the rights that assist them by virtue of the authorization granted.
2.2. You will obtain authorization prior to the processing of personal data, at the latest at the time of collection of such information.
3. Guarantee the user, at all times, the full and effective exercise of the right of habeas data, that is, to know, update or rectify their personal data.
4. Inform at the user’s request about the use given to their personal data.
5. Obtain new authorization from the owner, in the events in which BRILLIANT requires the use of personal data for a purpose other than that previously informed to the owner and authorized by him. This obligation is exempted if, according to the law, the new use is reasonably foreseeable by the owner of the data, within the framework of their relationship with BRILLIANT.
6. Adopt and incorporate into its processes the mechanisms so that the owners of the personal data it processes can know, consult, update, rectify and delete their data, and can exercise their right to revoke the authorization, when appropriate, all according to the terms indicated in this policy.
7. Observe the principles of veracity, quality, security and confidentiality in the terms indicated in this policy manual.
8. Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
9. Provide the Data Processor only with the personal data that it is authorized to provide to third parties.
10. Guarantee that the information provided to the person in charge of the treatment is true, complete, exact, updated, verifiable and understandable.
11. Communicate in a timely manner to the person in charge of the treatment all the news regarding the data that he has previously provided.
12. Demand from the person in charge of the treatment, at all times, respect for the security and privacy conditions of the owner’s information.
13. Inform the person in charge of the treatment when certain information is under discussion by the owner.
14. Ensure the confidentiality of personal data. Said information must be known and handled exclusively by collaborators authorized by BRILLIANT for this purpose. The confidentiality duty of the collaborators regarding the personal data to which they have access extends after the activity carried out by the latter in relation to the treatment has finished.
15. Guarantee the owner of the personal data that third parties (suppliers or contractors) who access confidential information ensure their security and are also responsible for it.
16. Inform the competent authorities, in the terms indicated by the Law, of the relevant situations related to the administration of personal data that are subject to treatment by it.
17. Keep the files or databases that contain personal data for the period that the current regulations so require or allow, and the validity of the databases will be tied to the exercise of the corporate purpose of BRILLIANT.
Notwithstanding the foregoing, the minimum period of conservation of the owner’s personal data will correspond to the term of their legal or contractual relationship with it, or that which is required for BRILLIANT to comply with its obligations, or what is necessary so that the rights can be exercised by the data owner within the framework of the nature of the relationship that binds them.
18. Ensure that the databases containing personal data subject to processing by it are registered under the terms of current regulations.
19. Guarantee the implementation so that the policies and procedures established by BRILLIANT in this policy are disclosed, including their modifications in an appropriate and timely manner.
20. Adjust the procedures in such a way that the queries or claims of the owners are attended to in a clear, simple and timely manner, and in any case, in a term that may not exceed that provided for in the current regulations. BRILLIANT will ensure the sufficiency and clarity of the responses to such inquiries or claims.
21. The Administration is responsible for the implementation of these policies.
ARTICLE VIII. DUTIES OF BRILLIANT AS INFORMATION PROCESSOR: For the events in which BRILLIANT performs data processing on behalf of another entity or organization (data controller) it must comply with the following duties:
1. Verify that the data controller is authorized to provide BRILLIANT with the personal data that it will process as manager.
2. Guarantee the owner, at all times, the full and effective exercise of the right of habeas data.
3. Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
4. Refrain from circulating information that is being disputed by the user and whose blocking has been ordered by the Superintendence of Industry and Commerce.
5. Allow access to information only to persons authorized by the user or empowered by law for that purpose.
6. Inform the Superintendence of Industry and Commerce when there are violations of security codes and there are risks in the administration of user information.
7. Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
ARTICLE XIX. DUTIES OF THOSE IN CHARGE OF THE PROCESSING OF PERSONAL DATA: Those in Charge of Treatment must comply with the following duties:
1. Guarantee the Owner, at all times, the full and effective exercise of the right of habeas data.
2. Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
3. Timely update, rectify or delete data under the terms of this law.
4. Update the information reported by those responsible for the Treatment within five (5) business days from its receipt.
5. Process the queries and claims made by the Holders in the terms indicated in this law.
6. Adopt and comply with the policies, manuals and procedures that, in compliance with the regulations on data protection, have been established by the national government and have been implemented by BRILLIANT for the attention of queries and claims made by the Holders.
7. Register in the database the legend “claim in process” in the manner regulated by this law.
ARTICLE XIV. MEANS TO OBTAIN AND GRANT THE AUTHORIZATION: In order to comply with the provisions of Law 1581 of 2012, prior to the processing of personal data, BRILLIANT will obtain the authorization of the owners or of those who are legitimated to do so through different mechanisms such as: Authorization form for the collection and processing of personal data, email, web page, data message, Intranet or any other mechanism that makes it possible to unequivocally conclude that the authorization was granted.
ARTICLE XV. PROOF OF AUTHORIZATION: Respecting the rights of the holders, BRILLIANT will put into operation all the appropriate mechanisms in order to allow the holders access to the evidence leading to verify the authorization issued for the processing of their personal data.
ARTICLE XVI. PRIVACY NOTICE: The privacy notice is the physical or electronic document that will be made available to the owner in which he is made aware of the existence of the information treatment policies that will be applied to his personal data, how to access them and the type of treatment that will be carried out.
CHAPTER VI
USE OF IMAGES AND VIDEO
ARTICLE XVII. VIDEO SURVEILLANCE: BRILLIANT reports on the existence of security mechanisms adopted through the dissemination of video surveillance announcements on visible sites.
In accordance with the foregoing, BRILLIANT has a video surveillance system installed in different places within its facilities and offices, which is used for security purposes such as the rights of each of the visitors, employees and any other natural person, as well as goods and facilities.
This information may be used as evidence before any authority or organization; and will be stored by BRILLIANT, temporarily.
ARTICLE XVIII. IMAGES AND/OR VIDEOS: BRILLIANT may, during its activities, collect images, videos, photographs, recordings, voice recognition, facial recognition, etc. The above are classified as sensitive data; therefore, they have the potential to affect the privacy of the owner, and their improper use can generate discrimination.
Their treatment will be carried out based on criteria of respect, understanding of the difference, prohibition of discrimination and protection of privacy, as established in article XVIII of this Policy.
BRILLIANT, in the Processing of personal data of children and adolescents, ensures respect for the prevailing rights of minors. BRILLIANT may use the data of minors in order to carry out activities dedicated to them or in the ordinary course of activities and programs of BRILLIANT. Among other data, BRILLIANT may process images, photographs and videos of minors within projects that it develops; they may also be published on the website of this organization, as well as be used in presentations, documents, publications, etc. to fulfill the purposes of BRILLIANT.
Regarding the principle of freedom, it is recalled that it is a fundamental pillar of the personal data protection regulations and implies that the activity requires the prior authorization of the owner. In this case, that ownership belongs to the legal representative, relying, where possible, on the opinion of the minor.
CHAPTER VII
CONSULTATION AND CLAIM PROCEDURES
ARTICLE XIX. PROCEDURE: The holders of the information have procedures for the protection of their personal data with respect to the treatment that BRILLIANT carries out thereof. The service channel provided by BRILLIANT to carry out said procedures is the email datospersonales@gobrilliant.com
The BRILLIANT Data Holder may access and carry out their personal request through the following means that they have provided:
• Web portal https://gobrilliant.com/
• Email datospersonales@gobrilliant.com
• Calle 97 Bis No. 19-20 Of 602, Bogotá DC
In order to access said information, BRILLIANT will carry out, prior to the request, the verification of the user’s identity by requesting confirmation of certain personal data that rests in the database. Once the identity of the owner is verified, all the information about their personal data will be provided and any procedure related to them can be carried out.
In the event that the owner needs to make an additional query or requests that the information contained in the BRILLIANT database be updated, rectified, modified or deleted, or considers that there is an alleged breach in the protection of their data, they may submit a query/claim through the means provided for this purpose.
The query/claim raised by a holder must, in all cases, be submitted in writing and must contain, at least, the following points:
1. Complete identification (name, notification address, identification document).
2. Description of the facts that give rise to the query/claim.
3. Documents supporting the facts.
4. Way by which you want to receive the response to your query/claim.
The query will be answered within a maximum term of ten (10) business days from the date of receipt, at BRILLIANT when it is a physical medium or by email datospersonales@gobrilliant.com when it is through an electronic medium. When it is not possible to respond to the query within said term, the interested party will be informed, stating the reasons for the delay and indicating the date on which the query will be addressed, which in no case may exceed five (5) business days following the expiration of the first term.
Paragraph. The provisions contained in special laws or regulations issued by the National Government may establish lower terms, based on the nature of the personal data.
1. Consultations. The Holders or their successors in title may consult the personal information of the Holder that rests in any BRILLIANT database. The person in charge of the Treatment or in charge of the Treatment must provide them with all the information contained in the individual record or that is linked to the identification of the Holder.
2. Claims. The Owner or his successors in title who consider that the information contained in a database must be corrected, updated or deleted, or when they notice the alleged breach of any of the duties contained in Law 1581 of 2012, may file a claim before the person in charge of the Treatment or the Treatment Manager, which will be processed under the following rules:
2.1. The claim will be made through a request addressed to BRILLIANT, either by physical or electronic means (datospersonales@gobrilliant.com), with the identification of the Holder, the description of the facts that give rise to the claim, the address, and accompanying the documents that the Holder wants to assert. If the claim is incomplete, the interested party will be required within five (5) business days following receipt of the claim to correct the failures. After two (2) months from the date of the request, without the applicant submitting the required information, it will be understood that the claim has been withdrawn.
In the event that the person receiving the claim is not competent to resolve it, they will transfer it to the appropriate person within a maximum term of two (2) business days and inform the interested party of the situation.
2.2. Once the complete claim is received, a legend that says “claim in process” and the reason for it will be included in the database, within a term of no more than two (2) business days. Said legend must be maintained until the claim is decided.
2.3. The maximum term to address the claim will be fifteen (15) business days from the day following the date of receipt. When it is not possible to address the claim within said term, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.
Note: In the subject of the request, it must be indicated that it is personal data and specify whether it is patient, collaborator, pensioner, student, applicant, contractor or supplier data, or user in general.
ARTICLE XX. REQUEST FOR UPDATE AND/OR RECTIFICATION: BRILLIANT, will rectify and update, at the request of the owner, the information that is inaccurate or incomplete, according to the procedure and the terms indicated above, for which the Owner must submit the request according to the channels arranged by BRILLIANT, indicating the update and rectification of the data and in turn must provide the documentation that supports such request.
ARTICLE XXI. REVOCATION OF THE AUTHORIZATION AND/OR DELETION OF THE DATA: The Owner may revoke the consent or authorization given for the processing of their personal data at any time, as long as there is no impediment enshrined in a legal or contractual provision.
The Owner has the right to request BRILLIANT at any time to delete or eliminate their personal data when:
1. They consider that the data are not being treated in accordance with the principles, duties and obligations provided for in current regulations.
2. They have ceased to be necessary or pertinent for the purpose for which they were obtained.
3. The time necessary for the fulfillment of the purposes for which they were obtained has been fulfilled.
Such deletion implies the elimination, either totally or partially, of the personal information, in accordance with what is requested by the owner in the records, files, databases or treatments carried out by BRILLIANT.
The right to cancel is not absolute and therefore BRILLIANT may deny revocation of authorization or deletion of personal data in the following cases:
1. The owner has a legal or contractual duty to remain in the database.
2. The deletion of data hinders judicial or administrative actions related to tax obligations, the investigation and prosecution of crimes or the updating of administrative sanctions.