Entry into force and modification of the policy manual for the treatment of personal data and Habeas Data Rymel Ingeniería Eléctrica S.A.S.
- Rights of children and adolescents
- Processing of personal data
- The responsible authority for processing data
- Collection and handling of personal data
- Privacy, confidentiality, and security of personal data
- Scope of application
- Right of Habeas Data
- National registry of policies and/or databases
- Identification of databases
- Authorized databases
- Information supply channels
- Consultations and claims
- Level of security measures applied to data processing
- Applicable legislation
- Entry into force and application
RYMEL INGENIERIA ELECTRICA S.A.S. hereinafter referred to as RYMEL, is committed to the values of respect, legality, reserve, confidentiality, availability, integrity and proper handling of information and especially with the conviction in the guarantee of fundamental rights, using this elaboration and proposal, intends to comply with Law 1266 of 2008 and Law 1581 of 2012, regulated by Decree 1074 of 2015, within which highlights the need to adopt a Manual of policies and procedures to ensure compliance with that law, addressing queries and claims arising from the Holder of personal data.
In paragraphs d) and e) of Article 3 of Law 1581 of 2012, mention is made of the person in charge and responsible for the treatment, RYMEL, complying with these two qualities simultaneously and in many of the databases that are handled, is responsible for all information on personal data and is obliged to guard them in the manner established in that law.
The current technologies must allow the Companies and/or Entities the efficient management, exploitation, and storage of the personal information that is used for the fulfillment of their corporate and business objectives, only for the purposes in which it is linked and for this reason RYMEL, an entity of the private sector; complies with the established in the law that deals with HABEAS DATA and PERSONAL DATA.
On the other hand, the fundamental right to HABEAS DATA must guarantee citizens the power of decision and control they have over the information, use, and destination of their data.
The right to the protection of the personal data of each Data Subject extends from knowing who keeps such data and what use is being made of them, to defining who has the possibility of consulting them.
The law grants the power to each Data Subject to consult, modify, delete, and resume such information and develops the guarantees and instruments to ensure the validity of the fundamental right.
Given the above, the purpose of this Manual is to enshrine the internal policies to be established in compliance with Law 1581 of 2012.1 And that as responsible for processing personal data, we must implement and organize to fully comply with the provisions of the law.
The manual includes the basic aspects of regulatory nature, independent annexes, and procedural schemes allowing authorization.
RYMEL identified with the NIT 890.919.437; has its domicile in the city of Copacabana, Antioquia, Colombia in Autopista Norte Paraje El Noral, 2 kilometers after the entrance to Copacabana; Email: firstname.lastname@example.org – Phone +57 (604) 444 04 30 – Website: www.rymel.com.co
Through this policy, RYMEL formalizes the processing of personal data applicable to activities with managers, customers, users, suppliers, employees, distributors, candidates for vacancies in the entity, and in general, any natural person Holder of personal data that is recorded in our databases. RYMEL will use the personal information obtained, directly or indirectly, from such persons, in general for the fulfillment and development of its corporate purpose and its Company, and specifically to: (i) To comply with the obligations undertaken under contracts and commercial relationships (ii) To comply with the legal duties that correspond to it, among them, for the billing and collection process for services rendered; to include them in the computer systems for the management of suppliers and supplies; to carry out the legal and financial linkage and analysis prior to the initiation of a commercial or contractual relationship; to deliver periodic or eventual information to the tax and governmental authorities of the National, Departmental or Local Order; to carry out the payment procedures to suppliers; to fill out documentation related to procedures before diplomatic authorities; to carry out reservations and legal or commercial formalities inherent to the work as employees; to carry out the legal and credit study prior to the customer’s engagement, which includes activities of financial traceability, analysis of the payment capacity and allocation of credit quota in accordance with the legal regulations; to advance the selection process for internal recruitment, likewise, these data may be used by RYMEL during the employment relationship or provision of services or strategic linkage through contracts and / or agreements in order to enhance the skills of employees, providers, or linked through courses, training, workshops, etc.. , and to incorporate them into the different welfare processes and benefit plans; to provide employee information to social security entities; for internal communication purposes and publicity of information of interest and for risk management; for the storage of filmic records that constitute future evidence; for the development and execution of programs for the promotion and prevention of illnesses in the health of workers; for the management of cellular telephony and procedures before telecommunications and technology services entities; for the development of contracting and subcontracting processes of suppliers of goods and services; to provide or obtain commercial and/or financial references; (iii) To provide information about our products and services; (iv) To carry out commercial, social and informative events or promotions; (v) To carry out campaigns, studies, promotions or contests of a commercial, social, marketing or advertising nature or in the execution of our corporate purpose; (vi) For loyalty programs and updating data of directors, clients, users, providers, suppliers, employees, distributors and other third parties; (vii) To inform about changes in our products, prices or services; (viii) To carry out eventual evaluations that inform us about the quality and satisfaction of our products and/or services through satisfaction surveys.
Likewise, to validate your identity in the handling of the products and/or services that you acquire with the entity, RYMEL may take and manage the fingerprint or use other authorized biometric mechanisms of its directors, clients, users, providers, suppliers, employees, distributors, candidates for vacancies in the entity and other third parties.
RYMEL may deliver the personal data of its directors, clients, users, providers, suppliers, employees, distributors, candidates for vacancies in the company and other third parties, to entities located in Colombia or abroad, whether public or private, as long as they are companies or entities with which RYMEL is related by links of shareholding, or are its parent, subsidiary or operated; o the delivery of personal data is intended for the structuring, design and implementation of product offerings and / or services, benefits and welfare plans or selection or in general additional value propositions to those that RYMEL is able to offer autonomously, or is intended to facilitate the development of the corporate purpose of RYMEL through the outsourcing of its processes, such as physical or digital archiving, collection, risk management, software development, member contact, market research, statistical analysis, elaboration of commercial and/or social strategies, marketing, social impact studies, participation in social programs of state inclusion, establishment of new service channels, and other related and related purposes.
Similarly, the personal data of shareholders, directors, customers, users, providers, suppliers, employees, distributors, candidates for vacancies in the company, and other third parties, specialists, or related parties in general, will be used by RYMEL to properly advance all its credit risk analysis processes and comply with the regulations related to Financial Habeas Data.
The above activities may be carried out through physical mail, email, landline, website, cell phone, mobile device, text message, fax, social networks, surveys, or through any other widely known means of communication, in compliance with the provisions of current regulations.
RYMEL has a closed circuit television system, to ensure personal security in its various offices, warehouses, and other establishments, therefore the data on the personal image will only be used by RYMEL for relevant purposes, and this personal image will be known by RYMEL officials, by providers or contractors that the present matter involves and by the competent authorities, as the case may be; at no time shall the biometric data for personal images be used by RYMEL for any activity other than that outlined in the contract for the provision of the CCTV service.
For this policy, the definitions established by current regulations are listed below:
- Authorization: Prior, express, and informed consent of the Data Subject to process personal data.
- Privacy Notice: Verbal or written communication generated by RYMEL, addressed to the Holder of the personal data, in which he/she is informed of the existence of the information processing policies that will be applicable, how to access them, and the purposes of the processing that is intended to be given to the personal data.
- Data Base: Organized set of personal data that is subject to processing.
- Personal Data: Any information linked or that may be associated with one or several determined or determinable natural persons.
- Public data: Data relating to the marital status of individuals, their profession or trade, and their status as merchants or public servants; those which by their nature are not subject to protection.
- Sensitive data: Sensitive data is understood as that which affects the privacy of the Data Subject or whose improper use may generate discrimination, such as that which reveals the racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights or that promotes the interests of any political party or that guarantees rights, as well as data relating to health, sex life, and biometric data.
- Data Processor: Natural or legal person, public or private, who by himself or in association with others, carries out the processing of personal data on behalf of the data controller.
- Data Protection Officer: It is the person or area within RYMEL, whose function is to monitor and control the application of the Personal Data Protection Policy, under the guidance and guidelines of the Information Security Committee. The Information Security Committee will designate the Data Protection Officer. This definition refers to a role or function to be performed by an official designated by the Information Security Committee of RYMEL.
- Data Controller: Natural or legal person, public or private, who by himself or in association with others, decides on the database and/or data processing.
- Data Subject: Natural person whose personal data is the object of processing.
- Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.
- Transfer: The transfer of data takes place when RYMEL, located in Colombia, sends the information or personal data to a recipient, which in turn is responsible for the treatment and is located inside or outside the country.
- Transmission: Processing of personal data that involves the communication of the same within or outside the territory of the Republic RYMEL when its purpose is the performance of a Processing by the Processor on behalf of RYMEL.
Rights of children and adolescents.
Respect for the prevailing rights of children and adolescents shall be ensured.
The processing of personal data of children and adolescents is prohibited, except for data of a public nature.
It is the task of the State and educational entities of all kinds to provide information and train legal representatives and guardians on the possible risks faced by children and adolescents regarding the improper processing of their data, and to provide knowledge about the responsible and safe use by children and adolescents of their data, their right to privacy and protection of their personal information and that of others.
By the law, RYMEL, will act in all collection, handling, and deletion of personal data by the principles that must be followed in all processing of personal data and protection of the law of HABEAS DATA, they are:
Legality: For the processing of personal data, RYMEL will be subject to the provisions of the law and other provisions.
Purpose: RYMEL will inform the Data Subject on the purpose of the processing of personal data, which must be legitimate by the Constitution and the law.
Freedom: The processing of personal data will only be exercised by RYMEL with the prior, express, and informed consent of the Data Subject; or by legal or judicial mandate.
Veracity or Quality: The information subject to the processing of personal data must be truthful, complete, accurate, current, verifiable, and understandable. The processing of partial, incomplete, fractioned, or misleading data is prohibited.
Transparency: RYMEL guarantees the Data Subject the right to obtain at any time and without restrictions, information about the existence of their data.
Access and Restricted Circulation: The treatment that RYMEL will give to personal data, will be subject to the provisions of the law and the Constitution. Personal data may not be available on the Internet or other means of dissemination or mass communication, except those of a public nature or those in which access is technically controllable to provide restricted knowledge to the Holder or authorized third parties.
Security: The information subject to treatment by RYMEL, will be protected using technical, human, and administrative measures that provide security to the records, avoiding its adulteration, loss, consultation, use, or unauthorized or fraudulent access.
Confidentiality: The persons involved in the processing of personal data that are not public are obliged to guarantee the confidentiality of the information provided. Even after the end of their relationship with any of the tasks involved in the processing.
Processing of personal data
PROCESSING OF PUBLIC DATA
RYMEL warns that it treats without prior authorization of the Holder personal data of a public nature and those contained in public records, the latter being a regulated public function recognized by law, this situation does not imply that the necessary measures are not adopted to ensure the other principles and obligations under Law 1581 of 2012 and other rules governing this matter.
TREATMENT OF SENSITIVE DATA
RYMEL only treats sensitive personal data for what is strictly necessary and will request prior and express consent from the Holders (legal representatives, attorneys, assignees, assignees) informing about the exclusive purpose of its treatment.
RYMEL makes use and treatment of data classified as sensitive when:
- The treatment has been expressly authorized by the Holder of the sensitive data, except in cases whereby law, the granting of such authorization is not required.
- The processing is necessary to safeguard the vital interest of the Data Subject and he/she is physically or legally incapacitated. In these events, the legal representatives must grant the authorization.
- Processing refers to data that is necessary for the recognition, exercise, or defense of a right in a judicial process.
- The Processing has a historical, statistical, or scientific purpose or within the framework of improvement processes, the latter if measures are taken to suppress the identity of the Data Subject, or the data is dissociated, i.e., the sensitive data is separated from the identity of the Data Subject and is not identifiable or it is not possible to identify the person who owns the sensitive data or data.
In addition to the above, RYMEL, complies with the following obligations:
- Inform the Holder that because it is sensitive data is not obliged to authorize its treatment.
- Inform the Holder explicitly and in advance, in addition to the general requirements of authorization for the collection of any type of personal data, which of the data to be processed are sensitive and the purpose of the treatment, as well as obtain their express consent.
- Not to condition any activity to the provision of sensitive personal data by the Data Subject (unless there is a legal or contractual cause).
PROCESSING OF PERSONAL DATA IN THIRD COUNTRIES
In cases where RYMEL is in the development of any of its functions, such as participating in international programs for economic, cultural, and social development, or any other activity that involves the transfer of personal data to third countries, or if a foreign branch or headquarters is established, shall be governed by the following conditions:
- The transfer of personal data to third countries will only be made when there is a corresponding authorization from the Data Subject and prior authorization from the Delegation of Personal Data of the Superintendence of Industry and Commerce (SIC).
- It is considered an international transfer any treatment that involves the transmission of data outside the Colombian territory, whether it is a transfer of data or if the purpose is to provide a service to the responsible outside Colombia.
- Likewise, prior authorization must be obtained from the SIC’s Delegate for Personal Data Protection when international data transfers to countries that do not provide a level of protection are planned. This authorization may only be granted if adequate guarantees are obtained, such as contracts based on the standard clauses approved by the SIC, or the Binding Corporate Rules.
- The international transfer of data may be carried out upon request by RYMEL, establishing the purpose, the groups of interested parties or Owners of the personal information, the data to be transferred, and the documentation that incorporates the guarantees required to obtain the authorization, including a description of the specific security measures to be adopted, both by RYMEL and by the Data Controller or Data Processor at the destination.
- RYMEL does not request authorization when the international transfer of data is covered by any of the exceptions provided for in the Law and its Regulatory Decrees.
For this policy, personal data owners shall be understood as managers, customers, users, providers, suppliers, employees, distributors, candidates for vacancies in the entity and other third parties, specialists, or linked and in general, any natural person who is the owner of the personal data recorded in the databases of RYMEL.
In the case of minors (children and adolescents), their legal representatives will have the power to authorize or not the processing of their data. In the treatment of this data, respect for the prevailing rights of minors such as privacy and protection of personal information will be ensured.
For the processing of personal data by RYMEL, the prior, informed, and express authorization of the Holder is required, which must be obtained by any written, physical, or electronic means that may be subject to subsequent consultation, without prejudice to the exceptions provided by law.
RYMEL, at the time of requesting the authorization to the Data Subject, shall clearly and expressly inform him/her of the purpose for which the personal data is collected, the treatment to which his/her data will be subjected, the rights of the Data Subject and the means through which he/she may exercise them.
For the protection of the Habeas Data Law, RYMEL, will have prior authorization and notification to the Holder, to be reported to the entities CIFIN, DATACREDITO, and PROCREDITO or any other existing or to be existing credit risk entity.
The personal data information may be provided by RYMEL to the Holder, its assignees, legal representative and/or attorney-in-fact, or third parties authorized by this or by law, as well as public or administrative entities in the exercise of legal functions or by court order.
RYMEL may continue with the processing of the data contained in its databases for the purpose indicated in this policy, without prejudice to the right of the Data Subject to exercise his right at any time and request the deletion of the data; unless there is a legal duty to keep the information that is essential for the proper provision of the service or product offering and that this due conservation does not cause serious economic or social damage to RYMEL or the Data Subject himself.
The Holder of the personal data and/or, as applicable to the Holder of the credit obligation acquired with RYMEL, shall have the right to:
- Know, update and rectify their data against RYMEL. This right may be exercised, among others against partial, inaccurate, incomplete, incomplete, fractioned, misleading, or those whose treatment is expressly prohibited or has not been authorized.
- Ask RYMEL for proof of the authorization granted for the processing of their data, except for the exceptions provided by law.
- Be informed by RYMEL upon request, on the use given to their data.
- Submit queries to RYMEL, and file complaints with the entity responsible for the protection of personal data.
- Request the revocation and/or deletion of your data when RYMEL incurs conduct contrary to law and the Constitution. Free and unlimited access to personal data that are subject to processing.
- RIGHT OF CONSULTATION
The Holders of personal data may consult the personal information contained in any database of RYMEL guaranteeing the right of consultation by the provisions of Law 1581 of 2012 exclusively on private personal data, sensitive and minors corresponding to natural persons, providing the Holders of these personal data the information contained in each of the corresponding databases and that are under the control of RYMEL.
- To ensure the confidentiality and privacy of personal information and its delivery to the holder of the same, requests for consultation shall be processed using a written2 with recognition of signature and content before a Colombian notary public, in case of being in the Colombian territory, or before a Colombian consul or the competent authority of another country with apostille processing, in case of being in a foreign country.
Said document must be sent to the offices of RYMEL located at Autopista Norte Paraje El Noral Copacabana – Antioquia, Colombia.
The consultations thus formulated will be attended in a maximum term of ten (10) working days counted from the date of its receipt. If a consultation request cannot be answered within the term, the interested party will be informed before the expiration of the term of the reasons for not answering the consultation, which in no case may exceed five (5) business days following the expiration of the first term.
- RIGHT TO FILE A COMPLAINT
The Holder of personal data who considers that the information contained or stored in a database corresponding to the records of RYMEL, should be subject to correction, updating, or deletion, or when they notice the alleged breach of any of the duties and principles contained in the regulations on Protection of Personal Data, may file a complaint with the Responsible or Responsible for the treatment of RYMEL.
The claim may be filed by the Data Subject considering the information indicated in Article 15 of Law 1581 of 2012. To ensure the confidentiality and privacy of personal information and its delivery to the holder of the same, the claims will be processed using a written3 with recognition of signature and content before a Colombian notary public, in case of being in the Colombian territory, or before a Colombian consul or the competent authority of another country with apostille process, in case of being in a foreign country.
Said document must be sent to the RYMEL offices located at Autopista Norte Paraje El Noral 2 kilometers after the entrance to Copacabana- Antioquia, Colombia.
If the claim is incomplete, the Holder may complete it within five (5) working days following the receipt of the claim so that the faults or errors are corrected4. After two (2) months from the date of the request, without the applicant submitting the required information, it will be understood that the claim has been withdrawn. If whoever receives the claim is not competent to resolve it, it will be transferred to the appropriate person within a maximum period of two (2) working days and inform the interested party of the situation. Once RYMEL has received the complete claim, it will include in the database a legend that says, “claim in process” and the reason for it, within a period not exceeding two (2) business days. Said legend will be maintained until the claim is decided and the maximum term to attend it will be fifteen (15) working days from the day following the date of its receipt. When it is not possible to address the claim within that period, RYMEL will inform the interested party of the reasons for the delay and the date on which the claim will be addressed, which in no case may exceed eight (8) working days following the expiration of the first term.
The Holder of the personal data must keep his/her information updated and guarantee, always to RYMEL, the accuracy of the same. RYMEL will not be responsible, in any case, for any liability arising from the inaccuracy of the information provided by the Data Subject.
the responsible authority for processing data
RYMEL’s Management will be the area in charge of monitoring and controlling the application of the Personal Data Protection Policy, under the guidance and guidelines of the Information Security Committee.
The officer in charge of this area will keep a report of the databases and will be responsible for the following functions:
- To be familiar with this policy and apply it to the extent applicable to them.
- Send a communication via e-mail to each manager, employee, or person within the company who handles or has handled some type of personal data of the members of the company, in the sense that they inform the department in charge, the name, and e-mail of the users of whom they have personal data.
- Elaborate, direct, entrust and/or delegate to others the establishment of the measures to be taken in commercial contracts and forms that deal with credits or personal data.
- Elaborate, direct, entrust and/or delegate to others the establishment of the measures to be taken in labor contracts.
- Inform the Holder about the purpose of the data collection and guarantee the exercise of the rights that he/she has by the authorization granted.
- To keep a copy of the respective authorization granted by the Holder of the personal data.
- Guarantee that the information processed is truthful, complete, accurate, updated, verifiable, and understandable.
- Rectify the data subject’s information when it is incorrect.
- Use only the personal data that have been obtained through authorization unless they do not require it.
- Respect the security and privacy conditions of the Holder’s information.
- Allow access to information only to authorized persons.
- Comply with the instructions and requirements issued by the competent administrative authority.
- Sign confidentiality agreements with those who handle the information related to the processing of personal data.
- Process promptly the queries and claims made by the owners of the personal data.
- The others are established by law.
- Ensure that in each incorporation of a new employee is required knowledge of this Policy and the documents that complement it. RYMEL will make all contractual and legal adjustments so that contracts, confidentiality agreements, contractual clauses, and other documents incorporate compliance by employees, members, managers, suppliers, contractors, and other third parties; in addition to seeking express authorization from each holder for the handling of personal data.
- It is the responsibility of RYMEL employees to report any incident of information leakage, computer damage, violation of personal data, data commercialization, use of personal data of children or adolescents without proper authorization, identity theft, or conduct that may violate the privacy of a person, or that has indications that they are being used for criminal purposes and/or unauthorized.
Collection and handling of personal data by Rymel
The present policy will be applicable in the cases in which RYMEL requests the filling out of linking applications, surveys, or forms by telephone, digital or in person, as well as the attendance forms to events, or in other cases in which it is required to obtain personal data, without prejudice to the conditions that apply in each case.
From the moment the Holder of the personal data authorizes RYMEL for the collection and processing of their data, these may be used in the development of their commercial and labor activities.
RYMEL may use the Holder’s data such as e-mail address, physical mailing address, and/or telephone number to send advertising related to its products and services and to contact the Holder for events and other activities.
In any case, depending on the activity to be carried out, RYMEL will communicate to the Holder of the personal data the mechanisms made available to know, update, modify and delete their data, as well as to revoke the authorization granted.
Privacy, confidentiality, and security of personal data
RYMEL will guarantee the privacy, confidentiality, and security of the data provided, avoiding adulteration, loss, consultation, use, or unauthorized or fraudulent access by third parties.
RYMEL, applying the principle of autonomy, reserves the right to maintain and classify as confidential the information contained in its databases.
RYMEL will adopt the technical, human, and administrative measures necessary to provide security to personal data, avoiding its adulteration, loss, consultation, use, or unauthorized or fraudulent access.
RYMEL states that some of its websites may contain links to third-party websites, over which it has no management or control, for this reason, is not responsible for the content, privacy policies, security, and/or handling of personal data that are established in the same, is the obligation of the Holder of the personal data to know in the respective portals, policies related to the protection and treatment of their information.
Scope of application
The policies regulated in this manual shall apply to the databases that are under the administration of RYMEL or are likely to be known by it by business relationships or in the development of its corporate purpose that must be applied to other entities that are part of the company to which it belongs, commercial alliances, agreements, or advertising events, both RYMEL, as well as its commercial establishments. In the first case, RYMEL will act as Responsible, in other cases, it may have the quality of Responsible or Responsible, depending on whether it receives them from a third party or collects them itself.
Likewise, it will be applicable when the data processing is carried out in Colombian territory, and when the data controller or processor does not reside in Colombia but by international standards or treaties, Colombian law is applicable.
Right of Habeas Data
Article 15 of the Political Constitution establishes the right of all persons to know, update and rectify the information collected about them in databases or files of both public and private entities.
Likewise, and according to Ruling C-748 of 2011 of the Constitutional Court, this right includes other powers such as authorizing the processing, including new data, excluding them, or deleting them from a database or file.
This right was developed in case of law from 1991 until 2008, when the Special Law of Habeas Data was issued, which regulates what has been called “financial habeas data”, meaning the right of every individual to know, update and rectify their commercial, credit and financial information contained in public or private information centers, whose function is to collect, process and circulate such data to determine the level of financial risk of the Holder. This Special Law considers both natural and juridical persons as Data Holders.
Subsequently, on October 17, 2012, Law 1581 “General Law on Personal Data Protection” was issued, which develops the right of Habeas Data from a broader perspective than the financial and credit mentioned above. Thus, any holder of personal data has the power to control the information that has been collected about him/herself in any database or file, managed by private or public entities. Under this General Law, the Data Subject is the natural person. Only, in special situations provided by the Constitutional Court in Decision C-748 of 2011, the legal person may become a Data Controller5.
RIGHTS OF THE RIGHTSHOLDERS a) Address RYMEL, through the established channels, which are indicated in the Data Privacy Notice, to know, update and rectify their data. This right may be exercised, among others against partial, inaccurate, incomplete, fractioned, misleading, or those whose treatment is expressly prohibited or has not been authorized. b) Request proof of the authorization granted to RYMEL except when, according to the law, the treatment that is being performed does not require it. c) Be informed by RYMEL regarding the use given to the personal data collected, upon request of the Holder submitted through the channels provided for such purposes. d) File complaints before the Superintendence of Industry and Commerce for violations of Law 1581 of 2012 and its regulatory decrees. e) Revoke, in those cases that are not framed under Law 1266 of 2008, the authorization and/or request for the deletion of the data when the treatment does not respect the principles, rights, and constitutional and legal guarantees. f) Access free of charge, through the channels provided by RYMEL, to their data that have been subject to treatment.
RYMEL through the Data Privacy Notice will inform about the channels and procedures provided for the Data Subject to exercise their rights effectively.
National registry of policies and/or databases
It is the public directory of databases subject to treatment operating in the country and will be freely consulted by citizens.
RYMEL will register its policies and/or databases before the competent administrative authority, at the time and place established by it.
Identification of the databases
RYMEL has identified the following databases:
Database with public information: The data contained in public records come from the fulfillment of a regulated function, whose forms and procedures fulfill a purpose of publicity and opposability. Therefore, it is understood that these data are public by legal provision and do not require the prior authorization of the Holder for their processing. Likewise, it is understood that the records that are subsequently delegated to RYMEL have the same nature as public data.
Databases of users and/or clients: They are manual or automated databases, which are structured, and contain data of public and private nature of legal or natural persons as users of the products and/or services provided by RYMEL, which voluntarily and in the exercise of their right as users and/or customers authorize RYMEL, through clauses in the forms, in the notices in their offices and applications, so that the information they provide to access rights and prerogatives granted by providing services and offering products, is used and handled for the relevant purposes. These databases may contain sensitive information, so they will be used only for the purposes for which it has been entrusted.
RYMEL will comply with the notice of authorization request to continue the management of the databases through email, website, notices in headquarters, clauses in contracts, agreements, or formats, which are included in the databases formed before the entry into force of Law 1581 of 2012.
Databases of employees, managers, distributors, and providers of RYMEL: They are manual or automated databases containing data of natural persons who are linked to work or through the provision of services, partnerships, or contracts, whose treatment is intended to comply with legal and regulatory provisions. This database includes private and public information, sensitive data, and data of minors. The processing of data for the obligations arising from the employment relationship or for the provision of services, alliances, or contracts, will require the prior authorization of the Holder or his legal representative, which will be contained in the clauses stipulated for this purpose in the documents of engagement, provision, or contracts.
RYMEL will give notice of the request for authorization to continue with the right to process the data of natural persons linked as employees or former employees, who are included in databases created before the entry into force of Law 1581 of 2012.
Databases of contractors and suppliers: These are manual or automated databases containing data of natural persons who maintain a contractual and commercial relationship, and whose treatment is intended to comply with the contractual provisions stipulated by RYMEL, for the procurement of services and goods demanded by RYMEL in the development of the corporate purpose and economic activity of the company. This database contains public, private, and sensitive personal data, which are intended for the development of contractual relations. The processing of this data for purposes other than the maintenance of the contractual relationship or the fulfillment of legal duties requires prior authorization from the Holder.
RYMEL, in the exercise of the provisions of Article 220.127.116.11.25.2.7. of Decree 1074 of 2015, will publish the request notice, addressed to persons who are included in databases formed before the entry into force of Law 1581 of 2012.
Personal data are stored in Rymel’s information management systems.
The above-mentioned databases have the necessary security mechanisms to protect the data such as security copies, centralized systems, contingency schemes, and access control by profiles.
Information supply channels
RYMEL establishes channels of communication with the Holders:
Our office: Autopista Norte Paraje El Noral Copacabana, Antioquia, Colombia.
Telephone: +57 (604) 444 04 30
Inquiries and claims
Inquiries and claims made to RYMEL should be addressed by the provisions of section “9 – RIGHTS” clauses “f” and “g” of this manual. In case of additional information, the interested party may call +57 (604) 444 04 30, or write to Autopista Norte Paraje El Noral- Copacabana, Antioquia, Colombia.
Level of security measures applied to the treatment
RYMEL has an “Information Security Policy Manual”, the provisions contained therein ensure compliance with the requirements in terms of information security.
It has been established that the contracts entered with the persons in charge include clauses that establish their duty to ensure the security and privacy of the Holder’s information.
- Political Constitution of Colombia, articles 15 and 20.
- Law 527 of 1999.
- Law 1266 of 2008.
- Law 1273 of 2009.
- Statutory Law 1581 of October 17, 2012.
- Regulatory Decrees 1727 of 2009,2952 of 2010, 1377 of 2013, 886 of May 13, 2014, 1074 of May 26, 2015, and 090 of January 18, 2018.
- Decision C-1011 of 2008 of the Constitutional Court.
- Decision C-748 of 2011 of the Constitutional Court.
Entry into force and modification
This policy shall enter into force on December 1st of 2015 and shall be valid if RYMEL carries out its corporate purpose in Colombia, or until the law provides otherwise or differently.
This policy may be modified at any time and unilaterally by RYMEL, having to inform promptly to the Holders of personal data, and such modifications.
The policies, according to instructions issued by the Superintendence of Industry and Commerce will be published by the provisions of that entity.
- Law 1581 of 2012 “Whereby general provisions are issued for the protection of personal data”. Back
- To ensure that the person inquiring is the owner of the personal data to be consulted, and thus give greater protection of the data contained in our databases. Back
- To ensure that the person who makes the query is the owner of the personal data for which the claim is made, and thus provide greater protection for the data contained in our databases. Back
- In this case, it will not require again recognition of signature and content before a notary public or before a Colombian consul plus apostille. Back
- “The project establishes that the holder is the natural person whose personal data is the object of processing. In the opinion of the Chamber, this definition is by the Charter and does not disregard the jurisprudence of this corporation in which it has been indicated that legal persons are also holders of the right to habeas data because as explained in consideration 18.104.22.168, the protection afforded to legal persons in this respect is by the natural persons that comprise it. Therefore, eventually, the protection of habeas data may be extended to legal entities when the rights of the natural persons that comprise it are affected“. (Emphasis added) Back