Flame-Resistant Clothing

POLICY AND PROCEDURES MANUAL FOR THE TREATMENT OF PERSONAL DATA FIRE WORK WEAR SAS

Fire Work Wear SAS, hereinafter referred to as the Company, is committed to complying with the right to the protection of personal data and the right that all people have to know, update, and rectify the information that has been collected about them in databases or files, and other constitutional rights, freedoms, and guarantees.

  1. DEFINITIONS

Authorization: Prior, express, and informed consent of the data subject to carry out the processing of personal data.

Privacy notice: Verbal or written communication generated by the person responsible, addressed to the Data Subject for the Processing of their personal data, through which they are informed about the existence of the information processing policies that will be applicable to them, the way to access them and the purposes of the Processing intended for the personal data.

Database: An organized set of personal data that is subject to processing.

Personal data: Any information linked or that can be associated with one or several identified or identifiable natural persons.

Public data: Is the data that is not semi-private, private or sensitive. Public data includes, among others, data related to the marital status of individuals, their profession or trade, and their status as a merchant or public servant. By their nature, public data may be contained, among others, in public registers, public documents, gazettes and official bulletins, and judicial decisions duly executed that are not subject to confidentiality.

Sensitive data: Refers to those data that affect the privacy of the Data Subject or whose improper use can generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical beliefs, union membership, social organizations, human rights or that promote the interests of any political party or guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.

Data processor: Natural or legal person, public or private, who by itself or in association with others, carries out the processing of personal data on behalf of the data controller.

Data controller: Natural or legal person, public or private, who by itself or in association with others, decides on the database and/or the processing of data.

Data subject: Natural person whose personal data are subject to processing.

Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.

Habeas data: Fundamental right of every person to know, update, rectify and/or cancel information and personal data that has been collected and/or processed in public or private databases, in accordance with the provisions of the law and applicable regulations.

Transfer: Data transfer takes place when the Data Controller and/or Data Processor, located in Colombia, sends the information or personal data to a recipient, who is in turn responsible for the processing and is located inside or outside the country.

Transmission: Processing of personal data that involves the communication of the same within or outside the territory of the Republic of Colombia when it aims to carry out processing by the Processor on behalf of the Controller.

Tacit authorization: It will be understood that the Data Subject has granted authorization for the processing of their personal data when their behavior allows to reasonably conclude that they have granted authorization.

  2. GUIDING PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA

The Company will apply the following principles harmoniously and integrally when processing personal data:

Principle of legality in data processing: The processing of personal data must comply at a minimum with the current laws that regulate the matter and the provisions that develop them.

Principle of purpose: The processing must obey a legitimate purpose according to the Constitution and the law, which must be informed to the data subject.

Principle of freedom: Processing can only be carried out with the consent, prior, express, and informed of the data subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves consent.

Principle of truthfulness or quality: The information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. Partial, incomplete, fragmented, or misleading data should not be processed.

Principle of transparency: In processing, the right of the data subject to obtain from the data controller or the data processor, at any time and without restrictions, information about the existence of their personal data must be guaranteed.

Principle of access and restricted circulation: The processing is subject to the limits derived from the nature of the personal data, the provisions of the Constitution, and the law. In this sense, processing can only be carried out by persons authorized by the data subject and/or by persons enabled by the law or judicial authority.

Principle of security: The information subject to processing must be handled with the necessary technical, human, and administrative measures to give security to the records, avoiding their adulteration, loss, consultation, unauthorized or fraudulent use or access.

Principle of confidentiality: All those involved in the processing of personal data that do not have the nature of public are obliged to guarantee the reservation of the information, even after ending their relationship with any of the tasks that comprise the processing, being able to only perform the supply or communication of personal data when the law permits it and in the terms that it stipulates.

  3. RIGHTS OF THE DATA SUBJECTS

The Company in any processing of personal data will respect the rights of the data subjects. For the purposes of this manual, the data subject will have the following rights:

To know, update, and rectify their personal data against the data controllers or data processors. This right may be exercised, among others, against partial, inaccurate, incomplete, fragmented data that leads to error, or those whose processing is expressly prohibited or has not been authorized.

To request proof of the authorization granted to the data controller except when expressly exempted by law.

To be informed by the data controller or the data processor, upon request, regarding the use given to their personal data.

To submit complaints to the Superintendence of Industry and Commerce or the competent authority for violations of the law that regulates the protection of personal data and other norms that modify, add to, or complement it.

To revoke the authorization and/or request the deletion of the data when the processing does not respect the principles, rights, and legal and constitutional guarantees. The revocation and/or deletion will proceed when Fire Work Wear SAS, or the competent authority, has determined that in the processing, the controller or processor has incurred conducts contrary to the current regulations.

To access their personal data that has been subject to processing for free.

  4. DUTIES OF THE DATA CONTROLLERS AND DATA PROCESSORS

The data controllers must comply with the following duties, without prejudice to other provisions set forth in this manual and in the regulations that regulate their activity:

4.1. Duties of the data controllers

To guarantee the data subject, at all times, the full and effective exercise of the right to the protection of their personal data under the terms established in the current regulations applicable to this matter.

To request and keep a copy of the authorization granted by the data subject for the time required according to the current regulations.

To inform the data subject about the purpose of the collection and the rights that assist them by virtue of the authorization granted.

To conserve the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access.

To ensure that the information provided to the data processor is truthful, complete, accurate, updated, verifiable, and comprehensible, in the form and terms authorized by the Data Subject.

To update the information, communicating in a timely manner to the data processor, all the new developments regarding the data that the data subject previously provided and adopt the other necessary measures so that the information provided to this remains up-to-date.

To rectify the information when incorrect and communicate the pertinent to the data processor.

To provide the data processor only with data whose processing has been previously authorized in accordance with the provisions of the applicable current regulations on this matter.

To demand from the data processor at all times, respect for the security and privacy conditions of the data subject's information.

To process the queries and claims made in the terms indicated in this manual and in the applicable current regulations on this matter.

To inform the data processor when certain information is under discussion by the data subject, once the claim has been presented and the respective procedure has not been completed.

To inform the data subject upon request about the use given to their data.

To inform the data protection authority when there are violations of the personal data protection law.

To comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

4.2 Duties of the data processors

The data processors must comply with the following duties, without prejudice to other provisions set forth in this manual and in the regulations that regulate their activity:

To guarantee the data subject the protection of their personal data at all times, the full and effective exercise of the right of habeas data.

To conserve the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access.

To carry out timely updating, rectification, or deletion of the data in the terms of this manual or in accordance with what is established in the applicable current regulations.

To update the information reported by the data controllers within five (5) business days following the receipt of their request.

To process the queries and claims made by the data subjects in the terms indicated in the applicable regulations.

To register in the database the legend “claim in process” in the form that is regulated by the applicable regulations.

To insert in the database the legend “information under judicial discussion” once notified by the competent authority about judicial processes related to the quality of the personal data.

To refrain from circulating information that is being contested by the data subject and whose blocking has been ordered by the SUPERINTENDENCE OF INDUSTRY AND COMMERCE or any other competent authority.

To allow access to the information only to people who can have access to it.

To inform the SUPERINTENDENCE OF INDUSTRY AND COMMERCE or the competent authority when there are violations of personal data protection.

To comply with the instructions and requirements issued by the SUPERINTENDENCE OF INDUSTRY AND COMMERCE or the competent authority in this matter.

  5. PROCESSING AND PURPOSES OF THE DATA PROVIDED

The personal data collected will be included in a database and will be used directly or through the controllers or processors in the terms established in the applicable regulations on this matter, for direct and indirect purposes related to the object and purposes of the Company. The general purposes are indicated by way of illustration, without prejudice that in each authorization the particular purposes regarding each relationship with the Data Subject are included:

Operational activities and registration.

Capturing, recording, transmission, storage, preservation, or subsequent reproduction of images by video surveillance systems, access controls, closed-circuit television to ensure the security of goods and people in the facilities or premises of the Company.

Statistical analysis, referencing, consultation in public databases, verification, and audits.

Achieving efficient communication related to our services and other activities associated with the functions of the Company.

Maintaining efficient communication of information that is useful in the contractual or commercial links in which the Data Subject is a party.

For statistical, control, supervision, and commercial information purposes.

As a result of the authorization, the Company may collect information about commercial relationships with other entities, consult financial data in risk centers that manage financial information databases, and the data required to manage the contractual or commercial relationship with the Data Subject.

To comply with the obligations undertaken by the Company with the Data Subjects.

Use in communication campaigns, dissemination, and promotion of products, activities, or services.

  6. PROCESSING OF SENSITIVE DATA

For the purposes of this manual and as established by the applicable regulations, sensitive data are understood to be those that affect the privacy of the data subject or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, union membership, social organizations, human rights, or that promote the interests of any political party or guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.

6.1. Processing of sensitive data

In general terms, the Company will refrain from processing sensitive data according to the limitations imposed by the applicable current regulations. It is understood that the processing of this type of data may be carried out when one of the following circumstances occurs:

The data subject has given explicit authorization for such processing, except in cases where, in accordance with the provisions of the current regulations, the granting of authorization is not required.

The processing is necessary to safeguard the vital interest of the data subject and they are physically or legally incapacitated. In these events, the legal representatives must grant their authorization.

The processing is carried out in the course of legitimate activities and with due guarantees by a foundation, NGO, association, or any other non-profit organization, whose purpose is political, philosophical, religious, or union, provided that they refer exclusively to their members or to people who maintain regular contact for the reason of their purpose. In these events, the data may not be provided to third parties without the authorization of the data subject.

The processing refers to data that is necessary for the recognition, exercise, or defense of a right in a judicial process.

The processing has a historical, statistical, or scientific purpose. In this event, measures aimed at suppressing the identity of the data subjects must be adopted.

6.2 Processing of personal data of children and adolescents

The processing of this type of personal data requires special respect for the prevailing rights of children and adolescents.

The use of personal data of children and adolescents is prohibited in the Company except in cases permitted by the applicable current regulations in this matter.

  7. PROCEDURES

RESPONSIBLE FOR ATTENDING PETITIONS, CONSULTATIONS, AND CLAIMS

The Data Subject may at any time request the Company to access the personal data registered, as well as request the correction, update, or deletion of their personal data, revoke the authorization granted for the processing of the same, and in general exercise the rights granted by the law through the submission of queries and claims through the following instances or means:

Customers: send a request to the email address contacto@fireworkwear.com or through the Contact Us service on our page www.fireworkwear.com or through our website service www.fireworkwear.com, or by calling the number 057 1 3168303447 or through communication addressed to Customer Service Address Calle 40 Sur Nº 52 B 10 Office 201, Bogotá D.C., Colombia.

7.1 Consultations

Data subjects or their successors may consult the personal information of the data subject that is stored in the Company’s database. The person responsible or in charge of processing must provide all the information contained in the individual record or that is linked to the identification of the data subject.

The query will be formulated by email as indicated in the previous point or by the means enabled by the Company for this purpose, provided that it can be proven.

The query will be answered within a maximum term of ten (10) business days from the date of receipt. When it is not possible to attend to the query within this term, the interested party will be informed, stating the reasons for the delay and indicating the date on which their query will be addressed, which in no case may exceed five (5) business days following the expiration of the first term.

7.2 Claims

The data subject who believes that the information contained in a database should be subject to correction, update, or deletion, or when they notice the alleged non-compliance with any of the duties contained in the Constitution and the law, may submit a claim to the data controller or processor designated by the Company, which will be processed under the following rules:

The claim will be formulated through a request addressed with the identification of the data subject, the description of the facts that give rise to the claim, the address, and accompanying the documents that the claimant wishes to assert. If the claim is incomplete, the interested party will be required within five (5) days following the receipt of the claim to remedy the shortcomings. If two (2) months have elapsed from the date of the request, without the applicant presenting the required information, it will be understood that they have withdrawn the claim.

In the event that the person who receives the claim is not competent to resolve it, they will transfer it to the appropriate person within a maximum term of two (2) business days and inform the interested party of the situation.

Once the complete claim is received, a legend stating “claim in process” and the reason for it will be included in the database within no more than two (2) business days. This legend must be maintained until the claim has been resolved.

The maximum term to address the claim will be fifteen (15) business days from the day following the date of receipt. When it is not possible to address the claim within this term, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.

VIDEO SURVEILLANCE AND IMAGES

The Company may use video surveillance systems for security purposes of people, goods, and facilities. This information may be used as evidence in any type of internal process and/or before any authority, entity, and/or organization. The Company may also take photographic images for:

Recognition of employees in different media, such as a corporate newspaper, internal and/or external web among others.

Internal and/or external informative publications.

Internal and external corporate presentations for which a privacy notice will be placed in which the conditions under which the processing of the corresponding personal data will be carried out are consulted.

PRIVACY NOTICE

The Privacy Notice is a physical, electronic document, or in any other format known or to be known, which is made available to the Data Subject for the processing of their personal and sensitive data. Through this document, the Data Subject is informed of the information regarding the existence of the information processing policies that will be applicable, the way to access them, and the characteristics of the processing that is intended to be given to the personal and sensitive data.

PROCEDURE FOR STORING PERSONAL DATA INFORMATION

The Company will adopt all appropriate and sufficient technical and administrative measures to allow the care and preservation of the personal data of the data subjects, avoiding its adulteration, loss, consultation, use, or unauthorized or fraudulent access.

Similarly, the implementation of these measures will allow the preservation of the authorization granted by the data subjects for the processing of their data. The Company will adopt all mechanisms to maintain the confidentiality of the information and will refrain from using the information for purposes other than those expressly authorized by the data subject.

FINAL DISPOSITION AND DATA SECURITY

The data managers of each database are responsible for ensuring that only authorized persons have access to the personal databases that the Company possesses. The Company has secure computer protocols, access restrictions, and practices of internal development of secure software that protect the stored information.

At the time the Data Subject requests it or when the Data Subject’s information is not required by the Company according to the processing policies and the purposes established in this Manual, the information of the Data Subject contained in the respective Databases will be deactivated.

  8. DATA TRANSFER

Data transfer occurs when the Data Controller and/or Data Processor of personal data, according to the provisions of this Manual, sends the information or personal data to a recipient, who in turn is responsible for the Processing and is located inside or outside the country.

The transfer of personal data is allowed as long as the Data Subject has authorized the transfer by any means and in accordance with what is established in section 3.1 of this Manual. In any case, the recipient of the information must guarantee the security of the information and adequate levels of data protection.

DATA TRANSFER TO THIRD COUNTRIES

The transfer of personal data to countries that do not provide adequate levels of data protection is prohibited. It is understood that a country offers an adequate level of data protection when it meets the standards set by the SUPERINTENDENCE OF INDUSTRY AND COMMERCE on the matter.

The prohibition does not apply when:

Information for which the data subject has given their express and unequivocal authorization for the transfer.

Exchange of medical data, when required by the treatment of the data subject for health or public hygiene reasons.

Banking or stock market transfers, in accordance with the legislation applicable to them.

Transfers necessary for the execution of a contract between the data subject and the data controller, or for the execution of pre-contractual measures as long as the authorization of the data subject is available.

Transfers legally required for the safeguarding of public interest, or for the recognition, exercise, or defense of a right in a judicial process, as well as other cases determined by law, the SUPERINTENDENCE OF INDUSTRY AND COMMERCE, or the competent authority.

  9. CONTACT DATA FOR PERSONAL DATA PROCESSING

For the purposes of requesting clarifications, submitting complaints or claims, or generally requesting any information regarding the processing of personal data, the Company has enabled the following instances or means:

Customers: send a request to the email address: contacto@fireworkwear.com, or through the service of our website www.fireworkwear.com, or by calling the number 057 1 3168303447, or through communication addressed to the Customer Service Direction, Calle 40 Sur No. 52 B 10 Office 201, Bogotá D.C., Colombia.