Policy for the treatment of personal data of users of Latimpacto's information
This Personal Data Protection Policy (hereinafter the "Policy"), regulates the collection, storage, use, circulation and deletion (hereinafter the "Processing") of Personal Data carried out by [the Latin American Network for Social Investment and Strategic Philanthropy] (hereinafter "Latimpacto"), identified with NIT [901.367.590-8], in accordance with the provisions contained in the Statutory Law 1581 of 2012, Decree 1074 of 2015 and other applicable regulations, through which general provisions for the protection of Personal Data are issued.
This Personal Data Processing Policy is mandatory and strictly complied with by all employees of Latimpacto and contractors and third parties acting on behalf of Latimpacto. All Latimpacto employees must observe and respect this Policy in the performance of their duties. In cases where there is no employment relationship, a contractual clause must be included so that those working on behalf of Latimpacto are obliged to comply with this Policy.
Failure to comply with this Policy will result in labor sanctions or contractual liability as appropriate. The foregoing without prejudice to the duty to respond patrimonially for the damages caused to the Data Owners and/or Latimpacto for the breach of the Policy or the improper Processing of Personal Data.
currently has more than 1,000 members.
1. Information of the Person Responsible for the Processing of Personal Information
The Responsible for the Processing of Personal Data is:
- Corporate Name: [Red Latinoamericana de Inversión Social y Filantropía Estratégica] [Latin American Network for Social Investment and Strategic Philanthropy] [Red Latinoamericana de Inversión Social y Filantropía Estratégica].
- Address: [_Bogotá, Colombia___].
- Address: [cl 123 7 07 of 403, Bogotá, Colombia].
- Phone: ,
- E-mail: [firstname.lastname@example.org]
Latimpacto, as Data Controller, will comply with the duties established by Article 17 of Law 1581 of 2012.
The following are the defined terms that will be used in this Personal Data Protection Policy, in accordance with the provisions of Law 1581 of 2012, Decree 1074 of 2015 and other applicable regulations:
- Authorization: Prior, express and informed consent of the Data Subject to carry out the Processing of Personal Data.
- Data Base: Organized set of Personal Data that is subject to Processing.
- Personal Data: Any information linked or that can be associated to one or several determined or determinable natural persons.
- Public Data: Public Data are considered Public Data, among others, the data related to the civil status of persons, their profession and trade and their status as merchant or public servant. Due to their nature, Public Data may be contained, among others, in public records, public documents, official gazettes and bulletins and duly executed court rulings that are not subject to confidentiality.
- Data Processor: Natural or legal person, public or private, that by itself or in association with others, carries out the Processing of Personal Data on behalf of the Data Controller. Natural or legal person, public or private, that by itself or in association with others, carries out the Processing of Personal Data on behalf of the Controller.
- Data Controller: Natural or legal person, public or private, who by himself or in association with others, decides on the database and/or the processing of the data.
- Data Subject: Natural person whose Personal Data is the object of Processing.
- Processing: Any operation or set of operations on Personal Data, such as collection, storage, use, circulation or deletion.
- Transfer: The Transfer of data takes place when the Controller and/or Processor of Personal Data, located in Colombia, sends the information or Personal Data to a recipient, which in turn is the Data Controller and is located inside or outside the country.
- Transmission: Processing of Personal Data that involves the communication of such data within or outside the territory of the Republic of Colombia when the purpose is the performance of a Processing by the Processor on behalf of the Controller.
3. Principles for the Processing of Personal Data
- Principle of legality: Processing is a regulated activity that must be subject to the provisions of Law 1581 of 2012 and other provisions that develop it.
- Principle of purpose: The processing must obey a legitimate purpose in accordance with the Constitution and the law, which must be informed to the Data Subject.
- Principle of freedom: Processing may only be carried out with the prior, express and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of legal or judicial mandate that relieves consent.
- Principle of truthfulness or quality: The information subject to processing must be truthful, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fractioned or misleading data is prohibited.
- Principle of transparency: The right of the Data Subject to obtain from the Data Controller or the Data Processor, at any time and without restrictions, information about the existence of data concerning him/her, must be guaranteed.
- Principle of restricted access and circulation: Processing is subject to the limits derived from the nature of the personal data, the provisions of the law and the Constitution. Processing may only be carried out by persons authorized by the Data Controller and/or by the persons provided for by law. Personal data, except for public information, may not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to the Holders or third parties authorized by law.
- Security Principle: The information subject to Processing by the Data Controller or Data Processor referred to in the law, shall be handled with the technical, human and administrative measures necessary to provide security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.
- Principle of confidentiality: All persons involved in the processing of personal data that are not of a public nature are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks involved in the processing, and may only provide or communicate personal data when it corresponds to the development of the activities authorized by law and under the terms of the same.
4. Processing to which the Personal Data will be submitted
Customer Personal Data is collected, stored, organized, used, circulated, transmitted, transferred, updated, rectified, deleted, erased and managed in accordance with the nature of such data and in accordance with the purposes set forth in this Policy.
4.1. Purposes of Data Processing by Latimpacto
The purposes of the Personal Data Processing carried out by Latimpacto are the following:
- Sending of monthly/weekly newsletters
- Marketing and advertising of events, webinars and trainings organized by Latimpacto
- Data update.
- Market or satisfaction surveys.
- Production of photographs, videos, videos with voice, graphic material, etc. within the framework of the events held by Latimpacto, especially its conference, to be shared with other participants.
4.1.1. Transmission of Personal Data
Latimpacto may perform the Transmission of Personal Data of the Data Controllers to third parties located in Colombia, as Agents, to perform the Processing of Personal Data on behalf of Latimpacto in order to develop the purposes indicated above in section 4.1.1.
For such purposes, Latimpacto shall implement the Authorizations or contracts for the Transmission of Data that are necessary to comply with the obligations under the Colombian regime for the protection of Personal Data.
5. Rights of the Holders
In accordance with the provisions of Article 8 of Law 1581 of 2012 and Decree 1074 of 2015 (Chapter 25), the Personal Data Subject has the following rights:
- To know, update and rectify your Personal Data before Latimpacto, in its capacity as Data Controller. This right may be exercised against partial, inaccurate, incomplete, fractioned, misleading data, or those whose processing is expressly prohibited or has not been authorized.
- Request proof of the authorization granted to Latimpacto.
- Be informed by Latimpacto, upon request, regarding the use that has been made of your Personal Data.
- File before the Superintendence of Industry and Commerce (hereinafter "SIC"), complaints for violations of the provisions of Law 1581 of 2012, once the consultation or complaint process has been exhausted before Latimpacto, in accordance with the provisions of this Policy.
- To revoke the authorization and/or request the deletion of the data when the Processing does not respect the constitutional and legal principles, rights and guarantees. The revocation and/or deletion will proceed when the SIC has determined that, in the Processing, the Controller or Processor has incurred in conduct contrary to the law and the Constitution.
- Access free of charge to the Personal Data that have been processed by Latimpacto.
These rights may be exercised only by the following persons:
- By the Holder, who must provide sufficient proof of identity.
- By their successors in title, who must prove their status as such.
- By the representative and/or attorney-in-fact of the Holder, upon accreditation of the representation or power of attorney.
- By stipulation in favor of or for another.
6. Area Responsible for Handling Requests, Inquiries and Complaints
The area of [Programs of] Latimpacto will be responsible for the attention of requests, queries, claims, complaints or for the exercise of the rights of the Data Subject of the Personal Data subject to Processing. This may be contacted through the e-mail address [email@example.com]
7. Procedure for exercising the rights and queries and claims of the Personal Data Controller
7.1 Procedure for access and consultation of Personal Data
The Owner of the Personal Data, or any of the authorized persons in accordance with the provisions of chapter 5 of this Policy, may consult the information contained in the databases of Latimpacto, for which purpose they must communicate the corresponding request to the e-mail address [firstname.lastname@example.org
In order to prevent unauthorized third parties from accessing the personal information of the Data Subject, it will be necessary to previously establish the identification of the Data Subject. When the request is made by a person other than the Data Subject and it is not accredited that such person is acting on behalf of the Data Subject, it shall be considered as not submitted.
The consultation shall be answered within a maximum term of ten (10) business days from the date of receipt. When it is not possible to attend the consultation within such term, the interested party shall be informed, stating the reasons for the delay and indicating the date on which the consultation will be attended, which in no case may exceed five (5) business days following the expiration of the first term.
7.2. Procedure to request updating, correction, deletion, revocation of authorization or to file claims
The Holder, or any of the authorized persons in accordance with the provisions of Chapter 5, who considers that the information contained in Latimpacto's databases should be corrected, updated or deleted, or when they notice the alleged breach of any of the duties contained in Law 1581 of 2012, Decree 1074 of 2015 or other complementary rules, may file a claim with Latimpacto, which will be processed in accordance with the following rules:
- The claim will be formulated by means of a request that can be sent to [email@example.com]
- In order to prevent unauthorized third parties from accessing the personal information of the Data Subject, it will be necessary to previously establish the identification of the Data Subject. When the request is made by a person other than the Data Subject and it is not accredited that the person is acting on behalf of the Data Subject, it will be considered as not submitted.
- The application must contain the following information:
- Identification of the Holder.
- Contact information (physical and/or electronic address and contact telephone numbers).
- The documents proving the identity of the Holder, or the representation of its representative.
- The clear and precise description of the Personal Data with respect to which the Data Subject seeks to exercise any of the rights.
- The description of the facts giving rise to the claim.
- The documents to be asserted.
- Signature and identification number.
- Filing in original.
- If the claim is incomplete, Latimpacto will require the interested party within five (5) days of receipt of the claim to correct the faults. After two (2) months from the date of the requirement, without the applicant submitting the required information, it will be understood that the claim has been withdrawn.
- If the area that receives the complaint is not competent to resolve it, it will transfer the complaint to the appropriate person within a maximum term of two (2) business days and will inform the interested party of the situation.
- Once the complete claim has been received, a legend will be included in the database stating "claim in process" and the reason for the claim, within a term no longer than two (2) business days. Said legend shall be maintained until the claim is decided.
- The maximum term to address the claim will be fifteen (15) business days from the day following the date of receipt. When it is not possible to address the claim within such term, the interested party will be informed of the reasons for the delay and the date on which the claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.
7.3. Deletion of Data
The Data Subject has the right, at any time, to request Latimpacto to delete (erase) his/her Personal Data when:
- Consider that they are not being treated in accordance with the principles, duties and obligations set forth in Law 1581 of 2012, Decree 1074 of 2015 and other rules that complement or modify them.
- Are no longer necessary or relevant for the purpose for which they were collected.
- The period necessary for the fulfillment of the purposes for which they were collected has been exceeded.
This deletion implies the total or partial elimination of the Personal Data as requested by the Data Subject in the records, files, databases or Processing carried out by Latimpacto.
The right of deletion is not absolute and the Data Controller may deny the exercise thereof when:
- The Data Subject has a legal or contractual duty to remain in Latimpacto's database.
- The suppression of Personal Data hinders judicial or administrative proceedings related to tax obligations, the investigation and prosecution of crimes or the updating of administrative sanctions.
- The Personal Data is necessary to protect the legally protected interests of the Data Subject, to carry out an action in the public interest, or to comply with an obligation legally acquired by the Data Subject.
7.4. Revocation of the Authorization.
The Personal Data Subject may revoke consent to the Processing of his/her Personal Data at any time, as long as it is not prevented by a legal provision.
8. Information Security.
In development of the security principle, Latimpacto has adopted reasonable technical, administrative and human measures to protect the information of the Holders and prevent adulteration, loss, consultation, use or unauthorized or fraudulent access. Access to Personal Data is restricted to its Holders and Latimpacto will not allow access to this information by third parties under conditions different from those set forth in this Policy, except for an express request from the Holder or persons legitimized in accordance with national regulations.
9. Period of Validity of the Personal Database
The Personal Data collected by Latimpacto will be kept for a period of time necessary and proportional to the purposes of the Processing indicated in this Policy. The term of the Authorizations on the use of personal data is understood as the term of the contractual relationship and during the exercise of Latimpacto's corporate purpose, except in those cases in which the law provides a different term.
Additionally, Latimpacto will proceed to delete Personal Data when so required by the Data Controllers, in accordance with the provisions of Law 1581 of 2012 and its regulatory decrees, as well as with the provisions of this Policy.
10. Validity of the Policy.
This Policy is effective as of February 14, 2020.