POLICIES FOR THE PROCESSING OF PERSONAL INFORMATION:
FIRST: GENERAL INFORMATION
We have a special interest in protecting and respecting your information and personal data, which is why we have designed these information processing policies within the framework of Law 1581 of 2012 and Regulatory Decree 1377 of 2013.
1.1.- Introduction.
@@empresa@@ may collect personal data from its users, guests, or visitors through the various means provided for accessing the services offered by them. In any case, the collection will be carried out with the express authorization of the data owner, and the processing of such data will be subject to the provisions of the law.
The personal information subject to the considerations established herein may be collected by @@empresa@@ through the website @@url@@, through visits or the acquisition of services offered on the platform, or directly at the hotels linked or associated with @@empresa@@.
The considerations established herein will be deemed accepted by the Data Owner when they visit or use the website @@url@@ and/or when they enter data or personal information through the functions established for this purpose, regardless of the intended use.
1.2- General Principles.
The collection and processing of personal data, as well as its use, processing, exchange, transfer, and transmission by @@empresa@@ or any of the hotel-operating companies of @@empresa@@, will always be guided by the principles of legality, freedom, accuracy, transparency, security, confidentiality, access, and restricted circulation.
1.3- Legal Definitions.
In accordance with Law 1581 of 2012 and Decree 1377 of 2013, the following definitions will govern the personal information processing policies.
1.3.1.- Data Processor: The Data Processor is a natural or legal person, public or private, who alone or in association with others, processes personal data on behalf of the Data Controller;
1.3.2.- Data Controller: The Data Controller is a natural or legal person, public or private, who alone or in association with others, decides on the database and/or the processing of the data;
1.3.3.- Database: A database is an organized set of personal data that is subject to processing;
1.3.4.- Personal Data: Personal data is any information linked to or that can be associated with one or more identified or identifiable natural persons;
1.3.5.- Sensitive Data: Sensitive data is data that affects the privacy of the Data Subject or whose improper use may result in discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations, or that promotes the interests of any political party or guarantees the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.
1.3.6.- Public Data: Public data is data that is not semi-private, private, or sensitive. Public data includes, among others, data related to the civil status of persons, their profession or trade, and their status as a merchant or public servant. By nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins, and duly enforced judicial decisions that are not subject to confidentiality.
1.3.7.- Transfer: The transfer of data occurs when the Data Controller and/or Data Processor, located in Colombia, sends the information or personal data to a recipient, who in turn is a Data Controller and is located inside or outside the country.
1.3.8- Transmission: Processing of personal data that involves the communication of the same within or outside the territory of the Republic of Colombia when the purpose is to carry out processing by the Processor on behalf of the Data Controller.
SECOND: AUTHORIZATION OF THE DATA SUBJECT:
The data provided will be subject to authorized processing, granted in advance, expressly, and informed by the Data Subject directly to @@empresa@@, or through the hotels @@empresa@@ or the companies that operate them.
However, the visit, entry, or use of the website @@url@@ constitutes in itself prior, express, and informed authorization for the storage, collection, and processing of information in accordance with the data processing policy contained herein.
In any case, the collection of data will be limited to those personal data that are relevant and appropriate for the purpose pursued with this.
THIRD: PROCESSING OF INFORMATION:
3.1- Data collected. The data collection for the development of the Processing and its intended purposes will focus on the personal data received and stored by @@empresa@@ and the companies and hotels linked or associated with @@empresa@@. It will include all the information provided or supplied during the visit to the website @@url@@, as well as any information related to services or reservations made, and the lodging and accommodation data provided to @@empresa@@ or any of its associated hotels.
Without prejudice to the fact that in some cases it may involve public data, the information collected will include the name, ID number, profession, nationality, date of birth, email address, personal preferences and interests, occupation or activity, consumption habits, or travel habits, among others. If a reservation is made through the website @@url@@, the information related to the credit card provided for the purposes of the reservation and stay will be collected.
3.2- Processing to which the data will be subjected and its purpose.
The data and information obtained and collected by @@empresa@@, by the @@empresa@@ hotels, or by the companies operating such hotels will be used in the normal course of their business activities solely for the purpose established in these information processing policies, so as to enable direct and effective communication with the client, leading to a closer relationship.
The processing consists of sending digital information through different communication channels, with the intention of contacting the holder to send service surveys after each stay that allow for the evaluation of the service provided, and to communicate invitations, offers, promotions, service portfolios, or information about the Hotel or the hotels that are part of @@empresa@@, without at any time their data being provided, transferred, or delivered to persons other than or unrelated to the Hotel that collected the information, or to the hotels and activities linked to @@empresa@@ and the activities it carries out. Additionally, data collection aims to: carry out, process, manage, and/or complete hotel night reservations or other services; conduct internal studies on tourism habits; evaluate the quality of our services; send surveys and questionnaires regarding the services provided; promptly respond to your requests, petitions, or needs; communicate invitations, offers, promotions, and general information about the service portfolio offered by natural or legal persons directly linked to hotel operations and specifically with the services provided by @@empresa@@ and the companies and hotels that operate them.
The information or data provided that is collected, gathered, or stored in accordance with these policies may be shared, transmitted, updated, and/or deleted between @@empresa@@, @@empresa@@ hotels, and their operating companies for the purpose defined in these policies, to be used in the manner established herein. By accessing the website @@url@@, you authorize your information and data to be shared with the tourist service providers to whom your reservations and/or requests refer and are processed.
It is assumed that all the information or data provided or deposited through the page @@url@@ is true, accurate, and complete, and may be withdrawn at any time in the event that it is considered harmful or detrimental to your interests or the interests of a third party.
The data and, in general, the information received when accessing the website @@url@@ may pertain to both you and the device from which you are accessing. To optimize and make your experience more efficient while visiting the page @@url@@, cookies and/or web beacons may be used, as well as information about the websites visited, your IP address, and the operating system of the device from which you are accessing may be obtained and stored, through a recognition and tracking process that allows for the identification of your preferences and identification when you visit the page again and store certain records, based on your IP address. The IP address is not associated or linked to your name or your personal data.
3.3.- Sensitive data and data corresponding to children and adolescents. Neither @@empresa@@ nor the companies operating @@empresa@@ hotels will process data considered sensitive, nor is the data collection aimed at collecting sensitive information.
The collection of data corresponding to children and adolescents under age must always be carried out through their legal representative, following the exercise of the minor's right to be heard.
The processing of data corresponding to children and adolescents must respond to and respect the best interests of children and adolescents, as well as their fundamental rights.
In the event that any question may lead to an answer that involves sensitive data or data of children or adolescents, the response to such a question will be optional.
3.4.- Duties of the data controller in the processing of information.
The data controllers and/or those responsible for processing personal data are obliged to: a) Guarantee the Data Subject, at all times, the full and effective exercise of the right to habeas data; b) Request and retain, under the conditions provided by law, a copy of the respective authorization granted by the Data Subject; c) Properly inform the Data Subject about the purpose of the collection and the rights they have due to the authorization granted; d) Retain the information under the necessary security conditions to prevent its alteration, loss, consultation, unauthorized or fraudulent use or access; e) Ensure that the information provided to the Data Processor is truthful, complete, accurate, up-to-date, verifiable, and understandable; f) Update the information, promptly informing the Data Processor of all changes to the data previously provided and taking any necessary steps to ensure the information supplied to them remains up-to-date; g) Rectify the information when it is incorrect and communicate the relevant changes to the Data Processor; h) Provide the Data Processor, where applicable, only with data whose processing is authorized in advance according to the provisions of this law; i) Demand that the Data Processor, at all times, respect the security and privacy conditions of the Data Subject's information; j) Process queries and claims submitted under the terms set forth by law; k) Inform the Data Processor when certain information is under dispute by the Data Subject, once the claim has been filed and the relevant procedure has not concluded; l) Inform the Data Subject, upon request, of the use made of their data; m) Notify the data protection authority when breaches of security codes occur and risks to the administration of the Data Subjects' information arise; n) Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
FOURTH: RIGHTS AND FACULTIES OF THE DATA SUBJECT:
4.1.- Rights of the data subject. Once authorization is granted by the Data Subject for the corresponding processing, they have the right to: a) Know, update, and rectify their personal data. This right may be exercised concerning partial, inaccurate, incomplete, fragmented data that leads to errors or whose processing is expressly prohibited or has not been authorized; b) Request proof of the authorization granted, except when expressly exempted as a requirement for processing, according to the provisions of Article 10 of Law 1581 of 2012; c) Be informed by the data controller and/or processor, upon request, about the use made of their personal data; d) File complaints with the Superintendence of Industry and Commerce for violations of the provisions of the law; e) Revoke the authorization and/or request the deletion of the data when the processing does not respect the constitutional and legal principles, rights, and guarantees. The revocation and/or deletion will proceed when the Superintendence of Industry and Commerce has determined that the processing has engaged in conduct contrary to this law and the Constitution; f) Request, at any time, from the data controller or processor, the deletion of their personal data and/or revoke the authorization granted for its processing, by filing a claim, which will not proceed when the Data Subject has a legal or contractual duty to remain in the database; g) Access their personal data that has been processed free of charge: (i) at least once every calendar month, and (ii) whenever there are substantial changes to the Information Processing Policies that prompt new inquiries. In cases of requests with a frequency greater than one per calendar month, the data controller and/or processor may charge the Data Subject for shipping, reproduction, and, where applicable, document certification costs.
4.2.- Legitimation for the exercise of the rights of the data subject.
The following persons are also entitled to exercise the rights granted to the data subject: a) The data subject themselves, who must sufficiently prove their identity by the means made available by the data controller; b) Their successors, who must prove such status; c) The representative and/or attorney-in-fact of the Data Subject, upon accreditation of representation or power of attorney; d) By stipulation in favor of or for another; e) The rights of children or adolescents will be exercised by those authorized to represent them, upon accreditation of their authority to do so.
4.3.- Responsible area for the attention and support of the data subject.
The attention and response to inquiries, requests, and claims from Data Subjects regarding any aspect of the processing will be handled by the legal department. The Data Subject wishing to know, update, rectify, request proof of the authorization granted; be informed of the use made of their personal data; revoke authorization and/or request deletion of the data(s) and/or access their personal data that has been processed free of charge must request it in writing directly to the email @@email@@ or send the communication to @@direccion@@. In either case, the following should be indicated: a) full name; b) identification document; c) physical address and email address; d) contact phone number; e) Brief description of the information and data to which it refers, expressly indicating the scope and content of the request; and f) attach the documents considered to support the request.
4.4.- Procedure to exercise the rights to know, update, rectify, or delete information and revoke authorization.
The procedures for access, updating, deletion, and rectification of personal data, and for revocation of the authorization, may be carried out through inquiries or claims, directed to the email @@email@@ or to the address @@direccion@@, depending on the purpose they pursue, establishing at a minimum, the legitimacy to make the request and clearly and concretely stating what is intended.
All requests, suggestions, and recommendations related to the processing of information should be sent to the email address @@email@@.
The data subject or the authorized person must attach proof of their capacity to act, and must provide the necessary data and documents to verify their identity and capacity.
The email must specify the reason or purpose of the communication, and it will suffice to indicate in the text that the right to know, update, rectify, delete, or revoke the granted authorization is being exercised.
4.5.- Procedure for the correction, updating, or deletion of data, and for the submission of complaints and claims.
Anyone legally authorized, who considers that the information contained should be corrected, updated, or deleted, or when they believe that the processing of personal data violates legal norms, may submit claims to the email @@email@@, in accordance with Article 15 of Law 1581 of 2012.
Complaints and claims will be processed under the following rules:
4.5.1.- The claim will be made through a request addressed to the Data Controller or the Data Processor, with the identification of the Data Subject, a description of the facts giving rise to the claim, and the address, along with the documents that the claimant wishes to present. If the claim is incomplete, the claimant will be required to correct the deficiencies within five (5) business days following receipt of the claim. If two (2) months have passed from the date of the request without the claimant providing the required information, it will be understood that the claim has been withdrawn.
If the person receiving the claim is not competent to resolve it, it will be forwarded to the appropriate party within a maximum period of two (2) business days, and the claimant will be informed of the situation.
4.5.2.- Once the complete claim is received, a note stating "claim in process" and the reason for it will be included in the database within a maximum period of two (2) business days. This note must be maintained until the claim is resolved.
4.5.3.- The maximum period to resolve the claim will be fifteen (15) business days from the day following its receipt. If it is not possible to resolve the claim within this period, the claimant will be informed of the reasons for the delay and the date on which the claim will be resolved, which may not exceed eight (8) business days following the expiration of the initial period.
4.6.- Consultation and access to information.
Queries regarding personal data contained in the @@empresa@@ database will be addressed by written request through the email @@email@@.
Queries will be answered within a maximum period of ten (10) business days from the date of receipt. If it is not possible to address the query within this period, the interested party will be informed before the expiration of ten (10) business days, stating the reasons for the delay and indicating the date on which the query will be addressed, which may not exceed five (5) business days following the expiration of the first period.
FIFTH: SECURITY.
5.1.- Security in the handling of information.
The data collected will always be treated confidentially and will not be provided, transferred, or delivered to persons outside the Hotel, @@empresa@@, or the @@empresa@@ operating companies, or to anyone not legitimately authorized to do so.
5.2.- Data transfer and transmission.
In the event that a contract is signed with a third party who is a professional with experience in the management and use of databases, the responsible party will sign the personal data transmission contract referred to in Article 25 of Decree 1377 of 2013.
SIXTH: DISSEMINATION AND VALIDITY.
6.1.- Means of dissemination of the information processing policies and the privacy notice.
This document, which establishes the information processing policies for collected personal data, will be permanently published on the link URL of information processing for consultation by anyone interested.
At the time of requesting the Data Subject's express authorization for data processing, the specific purposes for which consent is obtained will be indicated, and the Data Processing Policy and the rights granted to the Data Subject will be made known.
6.2.- Effective date of the information processing policies.
The collection, storage, use, and circulation of personal data, in accordance with the considerations established herein, will be carried out and maintained as long as there is a need for direct communication with the client and no more efficient means exist to do so, in accordance with the purposes proposed by the Processing. If the purpose cannot be achieved through the given processing of personal data, they will be permanently deleted from the database.
This document becomes effective on February 22, 2016.
6.3.- Procedure for modifying the policies.
If modifications are made to the personal data processing policies set forth here, they will be notified and communicated through this same website, prior to their entry into force.
6.4.- Incorporation of the website usage conditions @@url@@.
In accordance with applicable regulations, the information processing policy is an integral part of the terms and conditions of use of the website @@url@@.
6.5.- Responsible for the information.
The company @@empresa@@, with NIT @@cif@@, is the controller and processor of personal data, along with each of the affiliated operating companies that have collected the information. When the information has been received or collected by any of its affiliated companies, with express authorization for it to be transferred, @@empresa@@ will be responsible for the processing.
Any communication may be sent to @@direccion@@, or to the email address @@email@@.