Submit Inquiry

Submit Inquiry

Colombia Privacy notice

Data Controller

MOVATE S.A.S., a legally constituted company under the laws of Colombia, identified with NIT 901.444.378-3, is responsible for the processing of the information contained in its databases.

The following is the company’s identification information:

  • Calle 90 No. 50- 127 Local 01, segundo piso, Centro Comercial Alkarawi Plaza, Barranquilla – Atlántico.
  • 3218267517
  • Privacy.officer@movate.com

Scope

This Personal Data Processing Policy shall apply to all Databases and/or Files with personal information containing Personal Data that are subject to Processing by MOVATE S.A.S. (hereinafter THE COMPANY).

Objective

The objective of this Personal Data Processing Policy is, together with the technical, human and administrative measures implemented, to guarantee adequate compliance with the applicable Personal Data Protection Law, as well as the definition of the corporate and legal guidelines under which MOVATE S.A.S. performs the processing of data and establishes the procedures for the handling of queries and claims from the Data Subjects on which the COMPANY performs any type of Processing.

Definitions

  • Authorization: It is the consent given by any person so that those responsible for the processing of information can use their personal data. It is given by the Data Subject, for the processing of their data, in particular, to collect, compare, store, update, use, circulate, transmit, transfer (within and outside the Colombian territory) and delete their personal data in the terms expressed in this Policy for the Processing of Personal Information as well as to consult, supplement and update such personal data at any time, with other databases of business partners, subscribers and public records.
  • Privacy Notice: Verbal or written communication generated by the Controller, addressed to the Data Subject for the Processing of his Personal Data, by means of which he is informed about the existence of the Information Processing Policies that will be applicable to him, the way to access them and the purposes of the Processing that is intended to be given to the personal data.
  • Data Base: Organized set of personal data that is subject to Processing.
  • Consultation: Request of the Data Subject, of the persons authorized by them, or those authorized by law, to know the information about them in the company’s Databases.
  • Personal Data: Any information linked or that may be associated to one or several determined or determinable natural persons.
  • Private Data: Data that, due to its intimate or reserved nature, is only relevant to the Data Subject.
  • Public Data: It is the information that, in accordance with the law, is available to the public or is not subject to reserve, for whose collection, storage, processing and supply the authorization of the Data Subject is not required. Due to its nature, public data may be contained, among others, in public records, certificates of existence and legal representation, public documents, gazettes, official gazettes and duly executed court rulings that are not subject to reserve.
  • Semi-private data: Data that is not of an intimate, reserved or public nature and whose knowledge or disclosure may be of interest not only to its owner but also to a certain sector or group of persons or to society in general, such as financial and credit data of commercial or service activity.
  • Sensitive Data: Those that affect the privacy of the Data Subject or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sex life and biometric data.
  • Right to habeas data: It is the right of the Data Subjects to know, update and rectify their personal information. This right may be exercised in the terms established in Article 15 of the Political Constitution, Law 1581 of 2012, Decree 1081 of 2015 and in this Personal Data Processing Policy.
  • Data Processor: The person who carries out the processing of personal data on behalf of the Data Controller.
  • Data Protection Officer: The person in charge of ensuring compliance with this Policy and the measures necessary to maintain the confidentiality of Personal Data.
  • National Registry of Databases (RNBD): Public directory of databases subject to Processing operating in the country, which shall be freely available for consultation by citizens, in accordance with the regulations issued by the National Government for such purpose.
  • Claim: Request from the owner of the data (Data Subject) or the persons authorized by the owner or by law to correct, update or delete their personal data or when they notice that there is an alleged breach of the data protection regime.
  • Controller: Natural or legal person, public or private, who by itself or in association with others, decides on the database and/or the processing of data.
  • Data Controller: For the purposes of this policy, it is the person who knows and processes the personal data of the Data Subjects.
  • Procedural requirement: This is the prior step to be taken by the Data Subject before filing a complaint before the Superintendence of Industry and Commerce. This consists of a direct complaint to the Data Processor or Data Controller for their Personal Data.
  • Subscriber and/or Partner: Legal or natural person with a commercial establishment under public or private law that has a commercial relationship with the company through any of its business units. The subscriber and/or partner must comply with the provisions of this policy.
  • Subject: Natural person whose personal data is subject to processing.
  • Data Subject: Natural person whose personal data is the object of Processing.
  • Transfer: means the Processing of Personal Data that takes place when the person responsible and/or in charge of the Processing of Personal Data, sends the Personal Data to a recipient, which in turn is the Data Controller and is located inside or outside the country.
  • Transmission: means the Processing of personal data that involves the communication of such data within or outside the territory of the Republic of Colombia when its purpose is the performance of a Processing by the Processor on behalf of the Controller.
  • Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, transfer, transmission, updating or deletion.

Guiding Principles

  • Principle of legality: The processing of personal data is a regulated activity that must be subject to the provisions of the law and other provisions that develop it.
  • Principle of purpose: Processing must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Data Subject.
  • Principle of freedom: Processing may only be carried out with the prior, express and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of legal or judicial mandate that relieves the consent.
  • Principle of collection limitation: Only personal data that are strictly necessary for the fulfillment of the purposes of the processing should be collected, so that the recording and disclosure of data that are not closely related to the purpose of the Processing is prohibited. Consequently, every reasonable effort must be made to limit the processing of personal data to the minimum necessary. In other words, the data must be adequate, relevant and in accordance with the purposes for which they were intended.
  • Principle of truthfulness or quality: The information subject to processing must be truthful, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fractioned or misleading data is prohibited.
  • Principle of transparency: The right of the data subject to obtain from the data controller, at any time and without restrictions, information about the existence of data concerning them, must be guaranteed in the processing.
  • Principle of restricted access and circulation: Processing is subject to the limits derived from the nature of the personal data, the provisions of the law and the Constitution. In this sense, the processing may only be carried out by persons authorized by the owner and/or by the persons provided by law. Personal data, except for public information, may not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to the owners or third parties authorized by law.
  • Security Principle: The information subject to treatment by the responsible party shall be handled with the technical, human and administrative measures necessary to provide security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.
  • Principle of confidentiality: All individuals involved in the processing of personal data that are not of a public nature are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks involved in the processing, and may only provide or communicate personal data when it corresponds to the development of the activities authorized by law and under the terms of the same.
  • Principle of temporality: Personal data will be kept only for the reasonable and necessary time to fulfill the purpose of the processing and the legal requirements or instructions of the competent authorities. The data will be kept when it is necessary to comply with a legal or contractual obligation. To determine the term of the processing, the rules applicable to each purpose and the administrative, accounting, fiscal, legal and historical aspects of the information will be considered.

Personal Data Processing

THE COMPANY will perform the Processing of Personal Data in accordance with the conditions established by the Data Subject, the law or public entities for the fulfillment of the activities of its corporate purpose such as the contracting, execution and marketing of the goods and services it offers.

THE COMPANY will carry out activities such as collecting, comparing, storing, updating, using, circulating, transmitting, transferring and deleting your personal data partially or totally in the terms expressed in this Personal Data Processing Policy, as well as to consult, complement and update such personal data, at any time, with other databases of subscribers and/or commercial allies, service providers, public records and public sources of information.

The Processing of Personal Data may be performed through physical, automated or digital means according to the type and form of collection of information.

Any project within THE COMPANY that involves the Processing of Personal Data must be consulted with the Data Protection Officer.

Processing of Sensitive Data

THE COMPANY will process sensitive data in accordance with the provisions of Law 1581 of 2012, informing the Data Subjects that they are not obliged to provide or disclose such data.

The processing of sensitive data shall be prohibited, except when:

  • The Data Subject has given his explicit authorization to such treatment, except in cases whereby law the granting of such authorization is not required.
  • The processing is necessary to safeguard the vital interest of the Data Subject and they are physically or legally incapacitated. In these events, the legal representatives must grant their authorization.
  • The processing is performed in the course of legitimate activities and with due guarantees by a foundation, NGO, association or any other non-profit organization, whose purpose is political, philosophical, religious or trade union, provided that it refers exclusively to its members or persons who maintain regular contacts by reason of its purpose. In these events, the data may not be provided to third parties without the authorization of the Data Subject.
  • The processing refers to data that are necessary for the recognition, exercise or defense of a right in a judicial process.
  • The processing has a historical, statistical or scientific purpose. In this event, the measures leading to the suppression of the identity of the Data Subjects must be adopted.

Purposes of Processing

Personal Data are processed by THE COMPANY for the following purposes:

Regarding the development of its corporate purpose and the contractual relationship that connects it with the Data Subject, whether they are customers, suppliers or contractors:

  • Administration of the products or services marketed on behalf of the Data Subject.
    • Improve, promote and develop its products and services and those of its related companies worldwide.
    • Respond to requests, queries and claims made by the Data Subject regarding the Processing of Personal Data performed by THE COMPANY.
    • To manage the necessary information for the due compliance of tax obligations and commercial, corporate and accounting records of THE COMPANY.
    • For marketing activities, statistics, research, sales, telemarketing (telephone marketing), customer service, brand activation activities, prizes and promotions, directly or through third parties derived from commercial alliances or any link and other commercial purposes that do not contravene the legislation in force in Colombia.
    • For the notification of promotions through text messages and email to customers.
    • To evaluate the level of satisfaction of our services, conduct studies on preferences and services of interest to the Data Subject.
    • To strengthen relationships with its customers, by sending relevant information, the handling of Petitions, Complaints, Claims and Requests, the invitation to events organized or sponsored by THE COMPANY, conduct satisfaction surveys regarding the goods and services offered by THE COMPANY, or related companies and commercial partners, among others.
    • For the recognition, protection and exercise of the rights of THE COMPANY’s shareholders.
    • To control and preserve the security of people, goods and information of THE COMPANY.
    • To consolidate a timely and quality supply with its Suppliers, through the invitation to participate in selection processes, the evaluation of compliance with its obligations and the invitation to events organized or sponsored by THE COMPANY, among others.
    • For the payment of contractual obligations and for the verification of balances of its creditors.
    • For the attention of judicial or administrative requirements and compliance with judicial or legal mandates.
    • To respond to queries, complaints, claims, comments or suggestions regarding the services offered by THE COMPANY.
    • To disclose, transfer and/or transmit Personal Data within and outside the country to parent companies, affiliates or subsidiaries of THE COMPANY or to third parties as a result of a contract, law or lawful connection that requires it or to implement cloud computing services.
    • For the determination of outstanding obligations and the reporting to information centers of unfulfilled obligations, with respect to its debtors.

Regarding the processes of personnel selection and recruitment of human talent, as well as in legal or contractual labor relations, THE COMPANY may perform the necessary activities to carry out such activities and will use the personal data for the following purposes:

  • Access, consult, compare, evaluate or corroborate the information that the Data Subjects deliver to THE COMPANY and that is stored in the databases of other employers or any other public or private, national or foreign entity.
  • Contact, via e-mail, or by any other means, third parties with whom the Data Subject has or has had a relationship, to corroborate the information or request personal, labor or professional references.
  • To comply with the laws of labor law, social security, pensions, professional risks, family compensation funds, in general all the Integral System of Social Security, and taxes.
  • For the hiring of personnel; affiliation and payment of social security contributions; sending information to its workers and family members; provision of health services to the family members of the COMPANY’s workers who are beneficiaries of the health service.
  • To validate the identity of the employees in the entrance and permanence in the facilities of THE COMPANY.
  • To transfer the Personal Data of the employees to third party companies, which will carry out training on the functions of the Company.
  • To implement the corporate policies and labor strategies set forth by the parent company of THE COMPANY.
  • To comply with Colombian or foreign law and the orders of judicial or administrative authorities.

When THE COMPANY acts as Data Controller, it may process personal data for the following purposes:

  • To carry out the relevant steps for the development of the pre-contractual, contractual and post-contractual stage with THE COMPANY, with respect to any of the products or services offered by it, whether or not acquired or with respect to any underlying business relationship it has with it, as well as to comply with Colombian or foreign law and the orders of judicial or administrative authorities.
    • Sort, catalog, classify, divide or separate the information provided by Data Subjects. Verify, corroborate, check, validate, investigate or compare the information provided by the Data Subjects, with any information legitimately available to it.
    • Access, consult, compare and evaluate all the information about the Data Subject stored in the databases of any credit, financial, judicial or security risk center, of state or private, national or foreign nature, or any commercial or service database, which allows to establish in a comprehensive and complete historical manner, the behavior of the Data Subject as debtor, user, client, guarantor, endorser, affiliate, beneficiary, subscriber, contributor and/or as a Subject of financial, commercial or any other type of services.
    • To eventually contact, via e-mail, or by any other means, natural persons with whom it has or has had a relationship, such as, but not limited to, employees and their relatives, shareholders, consumers, customers, clients, distributors, suppliers, creditors and debtors, for the aforementioned purposes.

Rights of the Data Subjects

The Data Subjects of the Personal Data have the right to:

  • To know, update and rectify their Personal Data against those responsible for the processing or in charge of the processing. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or data whose processing is expressly prohibited or has not been authorized. For this purpose, it is necessary to establish the identification of the person in order to prevent unauthorized third parties from accessing the data subject’s data. The procedure to file a complaint is set forth in paragraph 17 of this Policy.
    • To consult the personal information contained in any database of THE COMPANY by means of the consultation procedure set forth in section 17 of this Policy.
    • Request proof of the authorization granted to THE COMPANY, unless it is one of the cases in which authorization is not required, in accordance with the provisions of Article 10 of Law 1581 of 2012.
    • To be informed by THE COMPANY, upon request, regarding the use that has been made of their Personal Data.
    • File complaints before the Superintendence of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and other rules that modify, add or supplement it.
    • To revoke the authorization and/or request the deletion of the data when the Processing does not respect the principles, rights and constitutional and legal guarantees or when they are no longer necessary or relevant for the purpose for which they were collected. The revocation and/or deletion will also proceed when the Superintendence of Industry and Commerce has determined that the data controller or processor has engaged in conduct contrary to this law and the Constitution.
    • The request for deletion of the information and the revocation of the authorization shall not proceed when the Data Subject has a legal or contractual duty to remain in the database of the data controller or processor.
    • Access free of charge to their Personal Data that have been subject to Processing, prior accreditation of their identity and legitimacy, through any means of communication, including electronic means that allow direct access by the Data Subject.

The rights of the Data Subjects may be exercised by the following persons, who must previously prove their identity or capacity:

  • By the Data Subject.
  • By their successors.
  • By the representative and/or Proxy Holder of the Data Subject.
  • By stipulation in favor of another or for another.

Privacy Notice

The controller has the duty to inform the Data Subjects the existence of Information Processing Policies and how to access them, in a timely manner and in any case no later than the time of collection of personal data, while personal data are processed in accordance with the same and endure the obligations arising therefrom.

Therefore, a Privacy Notice will be issued, which is a physical, electronic document or in any other known or to be known format, which is made available to the Data Subject for the processing of his Personal Data.

In accordance with the regulatory provisions, the content of the privacy notice shall have the following elements:

  1. Name or company name and contact details of the data controller.
  2. The processing to which the data will be submitted and the purpose thereof.
  3. The rights of the Data Subject.
  4. The mechanisms provided for the Data Subject to know the Data Processing Policy.
  5. The way to access or consult the Data Processing Policy.

Duties of the Company as the Data Controller

THE COMPANY is obliged to comply with the duties imposed by law. Therefore, it must act in such a way that it complies with the following duties:

  • Guarantee to the Data Subject, at all times, the full and effective exercise of the rights mentioned in this Policy.
  • Request and keep, under the conditions provided by law, a copy of the respective authorization granted by the Data Subject.
  • To observe the principles of truthfulness, quality, security and confidentiality in the terms established in this Policy.
  • Update or rectify the information when necessary and communicate the relevant information to the Data Processor.
  • Inform the Superintendence of Industry and Commerce when there are violations to the security codes and there are risks in the administration of the information of the Data Subjects.
  • Comply with the instructions and requirements given by the Superintendence of Industry and Commerce.
  • To provide to the Data Processor only the Personal Data whose processing is previously authorized and the instructions and scope of the processing.
  • Ensure that the information provided to the Data Processor is truthful, complete, accurate, updated, verifiable and understandable.
  • Communicate in a timely manner to the Data Processor, all developments with respect to the data previously provided and take other necessary measures to ensure that the information provided to the Data Processor is updated.
  • Inform in a timely manner to the Data Processor the rectifications made on the Personal Data so that it proceeds to make the appropriate adjustments.
  • Require the Data Processor at all times to respect the security and privacy conditions of the Data Subject’s information.
  • Inform the Data Processor when certain information is under discussion by the Data Subject, once the claim has been filed and the respective process has not been completed.

Data Processor

If a third party is appointed as Data Processor, it shall have the following duties, as set forth in Article 18 of Law 1581 of 2012:

  • Guarantee the Data Subject, at all times, the full and effective exercise of the right of habeas data.
  • Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
  • Timely update, rectification or deletion of data under the terms of the law.
  • Update the information reported by the data controllers within five (5) business days from its receipt.
  • To process the queries and claims made by Data Subjects within the terms indicated.
  • Adopt an internal manual of policies and procedures to ensure proper compliance with this law and, in particular, for the handling of queries and claims by the Data Subjects.
  • Register in the database the legend “claim in process” in the manner regulated by law.
  • Insert in the database the legend “information under judicial discussion” once notified by the competent authority about judicial proceedings related to the quality of the personal data.
  • Refrain from circulating information that is being disputed by the Data Subject and whose blocking has been ordered by the Superintendence of Industry and Commerce.
  • Allow access to the information only to the persons who may have access to it.
  • Inform the Superintendence of Industry and Commerce when there are violations to the security codes and there are risks in the administration of the information of the Data Subjects.
  • Comply with the instructions and requirements given by the Superintendence of Industry and Commerce.

Authorization of the Data Subject

THE COMPANY must request prior, express and informed authorization from the Data Subjects on which it requires to carry out the Processing. In this sense, the authorization must be prior, which means that the consent must be granted by the Data Subject, at the latest at the time of collection of the Personal Data. Likewise, the authorization must be express, which means that the consent of the Data Subject must be explicit and concrete. The Data Subject is required to express their unequivocal will to authorize THE COMPANY to process their Personal Data. For this purpose, THE COMPANY may collect the authorization of the subject by any suitable means, including, but not limited to, by means of the Authorization Form for the Processing of Personal Data provided by THE COMPANY, or in cases of information collected through the website, THE COMPANY may obtain the authorization by the same means.

The authorization must be based on an informed consent, therefore, at the moment of requesting the consent to the Data Subject, they must be clearly informed:

  • The Personal Data that will be collected.
  • The identification and contact details of the data controller and the data processor.
  • The specific purposes of the intended processing, i.e.: how and for what purpose the personal data will be collected, used and circulated.
  • Which are the rights you have as Data Subject.
  • The optional nature of the answer to the questions asked, especially when they deal with sensitive data or data of children and adolescents.

The authorization of the Data Subject shall not be necessary when dealing with:

  • Information required by a public or administrative entity in the exercise of its legal functions or by court order.
  • Data of the public nature.
  • Cases of medical or health emergency.
  • Processing of information authorized by law for historical, statistical or scientific purposes.
  • Data related to the Civil Registry of Persons.

THE COMPANY may also obtain authorization for the processing of data from the Data Subject through unequivocal conduct on his part, such as the submission of his resume to be a participant in selection processes, or the entry of this to the facilities of THE COMPANY prior privacy notice about the existence of video surveillance systems.

Authorization for the Processing of Sensitive Data.

Sensitive data constitute a special category of personal data and therefore require a reinforced protection and some special considerations when requesting authorization for its treatment:

  • Authorization must be explicit.
  • The Data Subject must be informed that he/she is not obliged to authorize the processing of such information.
  • The Data Subject must be informed explicitly and in advance which of the data to be processed is sensitive and the purpose of the processing.

THE COMPANY will inform through the various means to obtain the authorization of the Data Subjects, which under the legal provisions are not required to grant authorization for the processing of their sensitive data.

In the event that THE COMPANY requests the provision of sensitive biometric data, such as fingerprints, these will be used for the identification of persons, security and control of the hours of entry and exit of the facilities of THE COMPANY. THE COMPANY will implement the necessary measures to protect the confidentiality of information.

Authorization for the Processing of data of children and adolescents (CA).

When it comes to the collection and processing of data of children and adolescents, the following requirements must be met:

  • Authorization must be granted by persons who are empowered to represent the CA. The representative of the children and adolescents must guarantee their right to be heard and to assess their opinion of the processing, taking into account the maturity, autonomy and capacity of the children and adolescents to understand the matter.
  • It should be informed that it is optional to answer questions about children’s data.
  • The COMPANY must ensure that the Processing of Personal Data of children and adolescents will be carried out respecting their rights, which is why, in the commercial and marketing activities it carries out, it must have the prior, express and informed authorization of the parent or legal representative of the child.

Revocation of the Authorization to Process Personal Data

THE COMPANY has provided a mechanism through which any Data Subject may revoke at any time the consent to the processing of such data and/or request the deletion of their personal data by submitting a query (See section 17 of this Policy).

The Data Subject must take into account that neither the revocation of the authorization nor the suppression of the information may proceed if there is a legal or contractual provision that prevents it, or if any of the present cases occurs:

  • The revocation of the authorization of the treatment hinders judicial or administrative proceedings related to tax obligations, the investigation and prosecution of crimes or the updating of administrative sanctions.
  • The data is necessary to protect the legally protected interests of the owner; to carry out an action in the public interest, or to comply with an obligation legally acquired by the owner.
  • The data are of a public nature and correspond to public records, which are intended to be made public.

Suppression of personal data.

In the event that the deletion of the personal information of the Data Subject of the database of THE COMPANY is appropriate, according to the claim duly filed in accordance with the guidelines set forth in Section 17 of this policy, THE COMPANY shall perform the deletion in such a way that the deletion performed does not allow the recovery of the information. However, the Data Subject must consider that, in specific circumstances, certain information must remain in historical records for the fulfillment of legal duties of THE COMPANY.

National (or) International Transfers of Personal Data

THE COMPANY may transfer data to other data controller when authorized by the Data Subject, by law or by an administrative or judicial mandate.

National (or) International Transmissions of Personal Data

THE COMPANY may send or transmit data to one or more Data Processors located within or outside the territory of the Republic of Colombia in the following cases:

  • When it has authorization from the Data Subject.
  • When, without having the authorization, there is a data transmission contract between the data controller and the data processor.

Procedure for Processing Inquiries and Complaints

  • Procedure for processing queries

Inquiries or requests for revocation of the authorization of the Data Subjects to know their personal information must be submitted to THE COMPANY by submitting a written request through a document that must contain the requirements set forth in the point of common rules for inquiries and claims. Such consultation may be made through the channels enabled for data protection, which are: Privacy.officer@movate.com

The queries formulated in writing shall be resolved within a maximum term of thirty (30) calendar days from the date of receipt. When it is not possible to answer the request or consultation within such term, the interested party shall be informed, stating the reasons for the delay and indicating the date on which the request will be answered, which in no case may exceed three (3) business days following the expiration of the first term.

  • Procedure for processing claims

Claims may be made to THE COMPANY in writing, which shall register the claim in the database and include in the individual record, within a period not exceeding three (3) business days, a phrase that reads “claim in process“. If the claim is incomplete, the interested party will be required within five (5) days after receipt of the claim to correct the faults. After two (2) months from the date of the requirement, without the applicant submitting the required information, it will be understood that the claim has been withdrawn. The channel enabled for the reception of claims is the e-mail: Privacy.officer@movate.com

In the event that the person who receives the claim is not competent to resolve it, they will transfer it to the appropriate person within a maximum term of two (2) business days and will inform the interested party of the situation. Once the complete claim has been received, a legend will be included in the database stating, “claim in process” and the reason for the claim, within a term not exceeding two (2) business days. Such statement shall be maintained until the claim is decided.

The maximum term to attend the request or claim shall be thirty (30) calendar days from the day following the date of its receipt. When it is not possible to attend the request within such term, the interested party will be informed, stating the reasons for the delay and indicating the date on which the request will be attended, which in no case may exceed five (5) working days following the expiration of the first term.

THE COMPANY undertakes to provide a full and thorough response to the claims submitted by the Data Subjects within the terms provided in Law 1581 of 2012 and in this Policy for the Processing of Personal Information.

  • Rules common to queries and claims.

For the realization of consultations or claims by means of writings or electronic mail, the Data Subject will elevate their request by means of a document that must indicate:

  • Full names and surnames of the Data Subject.
  • ID card or identification document number.
  • Precise explanation of the facts that led to the request (consultation or claim) or of the request or intended solution.

If it is in writing, the signature duly authenticated by notary diligence of recognition of content and signature (personal presentation). The above because, due to the nature of the information requested, the confidentiality and security of the data recorded in the database must be protected, ensuring that the person requesting the information is really the Data Subject or the person authorized by them for such purpose. If it is by e-mail, the consultation or claim must be made through the e-mail address of the owner of the information. For this purpose, it will be stated in our database that it is indeed the e-mail address of the owner of the information.

Requests that do not include the aforementioned information will be returned immediately to be completed and resubmitted as a new request.

After two (2) months from the date of the request without the applicant submitting the required information, it will be understood that the claim has been withdrawn.

Security and Confidentiality

THE COMPANY has the necessary security measures to ensure the protection of the Data Subject’s information from modification, disclosure and destruction of its data or unauthorized access to them.

These measures include internal reviews of the security measures adopted, including physical security measures and the performance of secure connections to prevent its violation, alteration, loss, treatment or unauthorized access, in accordance with the provisions of the law.

The Processing of Personal Data shall be from the moment of authorization until the day MOVATE S.A.S. is dissolved and liquidated or until the purpose for which the Personal Data was collected is terminated.

Access Control and Video Surveillance

  • Access Control

The areas where processes related to confidential or restricted information are carried out must have access controls that only allow access to authorized employees and that allow keeping the traceability of income and exits.

  • Video Surveillance

THE COMPANY has surveillance systems, including cameras, which are intended to ensure the physical security of the people who are in the facilities. In this way, THE COMPANY is complying with the parameters established in the Guide for the Protection of Personal Data in Video Surveillance Systems, issued by the Superintendence of Industry and Commerce as the entity that exercises control.

The images captured by the video surveillance system shall be kept by THE COMPANY for a maximum period of ninety (90) days. In the event that a particular image is the object or support of any type of claim, complaint, or judicial process, the image shall be kept until such claim is resolved.

Person (or) Area Responsible for the Protection of Personal Information

The Personal Data Protection Officer is the person in charge of the data protection function and will be responsible for receiving and processing the requests submitted, in accordance with the provisions of Colombian law and this policy, which can be contacted through the email: Privacy.officer@movate.com

The information of the Personal Data Protection Officer is the following:

  • Name: Karthikeyan Chandrasekaran CISA, CISM, CRISC
  • Designation: Associate Vice President – Head Information Security (GRC)

Validity of the Data Processing Policy

The present policy of treatment of personal data will be valid indefinitely from April 9, 2021, and will be maintained while THE COMPANY develops its object and as long as they are necessary to ensure compliance with legal obligations, particularly labor and accounting.

Data may be deleted at any time at the request of the owner, as long as it does not contravene a legal or contractual obligation.

Regarding the databases, these will be in force for the time necessary to fulfill the purposes of the treatment in each case, taking into account the provisions of the principle of temporality.

MOVATE S.A.S. may modify the terms and conditions set forth in this Data Processing Policy in order to ensure adequate compliance with national legislation regarding the Personal Data Protection Regime.