(+57) 322 380 6085
Choose language:

RNBD - DATA PROTECTION POLICY - UNIKA HOTELS
VERSION: 01
DATE: JANUARY 2023
VALIDITY: UNTIL MODIFIED OR UPDATED


1. GENERAL OBJECTIVE

To regulate the procedures for the collection, handling, storage, and administration of personal data, in accordance with the provisions of Law 1581 of 2012 and Decree 1377 of 2013, which govern the protection of personal data, ensuring the fundamental right to habeas data of the holders.

2. SCOPE

This policy applies to all databases and/or files that contain personal data collected by UNIKA HOTELS, who acts as the data controller.

3. LEGAL FRAMEWORK

Political Constitution of Colombia, Article 15

Law 1266 of 2008

Law 1581 of 2012

Regulatory Decree 1727 of 2009

Regulatory Decree 2952 of 2010

Partial Regulatory Decree 1377 of 2013

Ruling C – 748 of 2011 by the Constitutional Court

4. DEFINITIONS

For the purposes of applying the rules established in this policy and in accordance with current regulations on the matter, the following definitions shall apply:

Authorization: Prior, express, and informed consent of the data subject to carry out the processing of personal data.

Database: Organized set of personal data that is subject to processing.

Personal Data: Any information linked or that can be associated with one or more identified or identifiable natural persons.

Data Processor: Natural or legal person, public or private, who by themselves or in association with others, processes personal data on behalf of the data controller.

Data Controller: Natural or legal person, public or private, who by themselves or in association with others, decides on the database and/or the processing of data.

Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.

Sensitive Data: Data that affects the privacy of the data subject or whose improper use may lead to discrimination (e.g., racial or ethnic origin, political orientation, religious or philosophical beliefs, health data, sexual life, biometric data).

5. PRINCIPLES

In the development, interpretation, and application of this policy, the following principles will be applied harmoniously and integrally:

Legality: The processing of personal data will be carried out in accordance with the applicable legal provisions.

Purpose: The processing must have a legitimate purpose, which must be informed to the data subject.

Freedom: The processing can only be carried out with the prior, express, and informed consent of the data subject.

Truthfulness or Quality: The information subject to processing must be truthful, complete, accurate, updated, verifiable, and understandable.

Transparency: The data subject has the right to obtain information about the existence of data concerning them at any time and without restrictions.

Restricted Access and Circulation: Personal data can only be processed by persons authorized by the data subject or by those responsible or in charge of the data.

Security: Information subject to processing must be protected through the use of technical, human, and administrative measures necessary to ensure the security of the records and prevent their adulteration, loss, consultation, use, or unauthorized access.

Confidentiality: All persons involved in the processing of personal data are obliged to guarantee the confidentiality of the information.

6. RIGHTS OF DATA SUBJECTS

In accordance with the provisions of the regulations in force on data protection, the data subjects have the following rights:

To know, update, and rectify their personal data. This right may be exercised, among others, with respect to partial, inaccurate, incomplete, fragmented data, or data that leads to error, as well as data whose processing is expressly prohibited or has not been authorized.

To request proof of the granted authorization, except when expressly exempted as a requirement for processing, in accordance with current legal provisions.

To be informed by the Data Controller or the Data Processor, upon request, regarding the use that has been given to their personal data.

To file complaints before the Superintendence of Industry and Commerce for violations of the provisions of the law and other regulations that modify, add, or complement it.

To revoke the authorization and/or request the deletion of the data when the principles, rights, and constitutional and legal guarantees are not respected in the processing.

To access their personal data that has been subject to processing, free of charge.

7. DUTIES OF THE DATA CONTROLLER

When acting as the Data Controller, UNIKA HOTELS will comply with the following duties:

Guarantee the Data Subject, at all times, the full and effective exercise of the right to habeas data.

Request and retain, under the conditions provided by law, a copy of the authorization granted by the Data Subject.

Properly inform the Data Subject of the purpose of the data collection and their rights by virtue of the granted authorization.

Maintain the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access.

Ensure that the information provided to the Data Processor is truthful, complete, accurate, up-to-date, verifiable, and understandable.

Update the information, communicating in a timely manner to the Data Processor all developments regarding the data previously provided, and take the necessary measures to ensure the information remains up-to-date.

Rectify the information when it is incorrect and communicate the relevant updates to the Data Processor.

Provide the Data Processor, as appropriate, only with data whose Processing is previously authorized in accordance with the provisions of the law.

Require the Data Processor at all times to respect the security and privacy conditions of the Data Subject’s information.

Process the inquiries and complaints formulated under the terms established by law.

Adopt an internal manual of policies and procedures to ensure proper compliance with the law and, in particular, for addressing inquiries and complaints.

Inform the Data Processor when certain information is under dispute by the Data Subject, once a complaint has been submitted and has not been resolved.

At the request of the Data Subject and within the time established by law, inform them about the use of their data.

Inform the data protection authority when there are security breaches and risks in the management of the Data Subjects' information.

Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

8. DUTIES OF THE DATA PROCESSOR

When acting as the Data Processor, UNIKA HOTELS, or any third party acting on its behalf, will comply with the following duties:

Guarantee the Data Subject, at all times, the full and effective exercise of the right to habeas data.

Maintain the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access.

Timely update, rectify, or delete the data in accordance with the law or upon request by the Data Controller or the Data Subject.

Update the information reported by the Data Controllers within five (5) business days from receipt.

Process inquiries and complaints submitted by the Data Subjects under the terms established by law.

Adopt an internal manual of policies and procedures to ensure proper compliance with the law and, in particular, for addressing inquiries and complaints.

Register in the database the legend "claim in process" in the manner regulated by law.

Insert in the database the legend "information under judicial discussion" once notified by the competent authority about legal proceedings related to the data's quality.

Refrain from circulating information that is being disputed by the Data Subject and whose blocking has been ordered by the Superintendence of Industry and Commerce.

Allow access to the information only to individuals authorized by the Data Subject or entitled by law to access such information.

Inform the Superintendence of Industry and Commerce when there are violations of security codes and risks in the administration of the Data Subjects’ information.

Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

9. INFORMATION PROCESSING POLICY

This Information Processing Policy is mandatory and strictly enforced by UNIKA HOTELS. All individuals involved in the processing of personal data must adhere to and comply with these regulations. The lack of knowledge of this policy does not exempt any individual from the obligations and responsibilities established herein.

The processing of personal data must always comply with the following principles:

Legality: The processing of personal data must be conducted in accordance with the law and applicable regulations.

Purpose: The processing of personal data must obey a legitimate purpose, which must be informed to the Data Subject.

Freedom: The processing of data can only be carried out with the prior, express, and informed consent of the Data Subject.

Truthfulness or Quality: The information subject to processing must be truthful, complete, accurate, current, verifiable, and understandable. Processing of partial, incomplete, fragmented, or misleading data is prohibited.

Transparency: The right of the Data Subject to obtain from the Data Controller or the Data Processor information about the existence of data concerning them must be guaranteed at all times.

Access and Restricted Circulation: Personal data, except for public information, may not be available on the internet or other means of mass communication, unless access is technically controllable to provide restricted knowledge only to the Data Subjects or authorized third parties.

Security: The information subject to processing must be handled with the necessary technical, human, and administrative measures to ensure the security of the records and prevent their adulteration, loss, consultation, unauthorized or fraudulent use or access.

Confidentiality: All individuals involved in the processing of personal data that are not public in nature are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks involving the processing.

10. VALIDITY

This policy is effective as of March 1, 2024, and remains in force for the duration of UNIKA HOTELS’ operations. Any substantial changes in the content of the policies will be communicated in a timely manner through the usual means of contact and/or through our website.