PRIVACY POLICY & COMPREHENSIVE DATA MANAGEMENT PROGRAM
1. OBJECTIVE OF THE PROGRAM.
Through the implementation and monitoring of the Comprehensive Personal
Data Management Program (hereinafter "CPDMP") in the Company, policies,
procedures and processes are established that must be observed by the
areas and persons in charge of the processing of the different existing
or future personal databases. These policies and procedures not only
seek to ensure compliance with Colombian data protection regulations,
but also to align with international standards, particularly those
established in Regulation (EU) 2016/679, the General Data Protection
Regulation (GDPR), which protects the rights of natural persons
regarding the processing of their personal data and ensures their free
movement within the European Union.
Consequently, the policies, procedures and processes defined in the
CPDMP are aimed at:
- Guarantee the effective protection of the constitutional right to
habeas data, which, according to the Constitutional Court of Colombia,
is understood as "... a guarantee of the right to privacy, (...) a
manifestation of the free development of the personality (...) an
autonomous right, whose core is composed of computer
self-determination and freedom – including economic freedom"; and
- Implement the principle of demonstrated responsibility
(accountability), established in both Colombian regulations and the
GDPR, regarding the processing of personal data collected, which
implies that the organization must be able to demonstrate that the
personal data is processed in accordance with the applicable legal
requirements.
In line with compliance with Regulation (EU) 2016/679, the CPDMP will
adopt the minimum contents of the right to habeas data, which include
the following fundamental rights of data subjects:
A) Right of access: Individuals have the right to know or access their
own information that has been captured and stored in any database.
B) Right of inclusion: The owner may include new data to reflect a
complete and accurate image of their identity.
C) Right to update: The owner has the right to update the information,
ensuring that the content of the databases is accurate and up to date.
D) Right of rectification: The owners may demand the rectification or
correction of the information so that it is in accordance with reality.
E) Right of deletion: Owners have the right to request the exclusion of
information from a database, either because it is being used
improperly or of their own volition, except in cases where the law
provides for exceptions.
In addition, the CPDMP will ensure that the personal data processing
practices not only guarantee respect for the rights of data subjects,
but also incorporate the protection and security obligations
established by the GDPR, such as the principle of data minimization,
the limitation of the retention period and the adoption of appropriate
technical and organizational measures to protect personal data against
security risks.
In this way, the implementation of the CPDMP will allow the company to
comply with both the Colombian legal framework and the international
requirements imposed by the GDPR, promoting responsible, transparent
and secure treatment of personal data.
2. SCOPE OF THE CPDMP.
The Comprehensive Personal Data Management Program (CPDMP) has been
adopted by "the Company" and is mandatory for all natural and legal
persons who, by virtue of a contractual, financial, commercial, labour,
accounting, tax, administrative, private security or control
relationship, carry out any type of personal data processing in the name
or under the direction of the Company.
This scope includes, explicitly, all related companies, business
partners, trademark licensees, and any other third party that interacts
with the Company in the management of personal data. All of them must
adhere to the policies and procedures established in the CPDMP, thus
ensuring regulatory compliance both nationally and internationally in
terms of data protection, including the requirements established by Law
1581 of 2012, its regulatory decrees, the Single Circular of the
Superintendence of Industry and Commerce, as well as the regulations
applicable in the jurisdictions where the Company and its allies
operate.
3. DEFINITIONS.
For the proper application and understanding of the CPDMP, the following
expressions will have the meaning given to them herein or the meaning
given to them by the applicable law or jurisprudence, as such law or
jurisprudence may be amended from time to time.
- The Company: will be PIXIE META DEVELOPMENT SAS, NIT. 901563712-1,
hereinafter "PIXIE", domiciled in Bogota D.C., with physical address at
Cl 99 No. 7 A 77 Office 405, with email address [email protected].
- Delegated administrators: those employees or collaborators
designated by the Company who, by virtue of their position or role,
have access to the databases and assume direct responsibility for
their correct administration and processing. These delegated
administrators must ensure that all activities related to the handling
of personal data in their respective areas or departments are in
accordance with the principles and policies established in the
Comprehensive Personal Data Management Program (CPDMP). In this
regard, delegated administrators must:
1. Implement the policies defined to ensure the protection of personal
data.
2. Comply with and enforce the guidelines of the CPDMP in their area of
responsibility.
3. Promptly warn the Privacy Officer and the data processing team about
any risks or incidents related to the handling of personal information.
- Authorization: it is the prior, express and informed
consent of the owner to carry out the processing of their personal
data.
- Privacy Notice: verbal or written communication
generated by the Company in its capacity as Data Controller, addressed
to the data subject, for the processing of their personal data, by
means of which they are informed about the existence of the
information processing policies that will be applicable to them, the
way to access them and the purposes of the processing that is intended
to be given to the personal data.
- Database: is the organized set of personal data that
is subject to processing, electronic or not, regardless of the
modality of its formation, storage, organization and access.
- Personal data: is any information linked to one or
more specific or determinable persons or that can be associated with a
natural or legal person.
- Data Processor: will be the one who, by itself or in
association with others, will carry out the processing of personal
data on behalf of the data controller (the Company). These people will
be in charge of verifying and controlling the archiving of the
information provided by the data subjects, in matters such as internal
processes of a contractual, commercial, financial, corporate,
administrative, accounting, fiscal and/or tax nature, as well as
labour, industrial safety and private security matters, among others.
- Incident: any event in manual or systematized
information systems or databases that violates the security of the
personal data stored therein.
- Privacy Delegate or Officer: will be the high-level
professional who will be responsible for the development, compliance
and monitoring of the CPDMP, as well as the responsibility of warning
of the risks associated with the processing of personal data.
- Comprehensive Personal Data Management Program (CPDMP):
strategic instrument that reflects the Company's comprehensive
commitment to the responsible and secure management of personal data
processing, guaranteeing compliance with current legal regulations and
the implementation of best practices in data protection.
- Data controller: PIXIE will have the power to decide
on the database and/or the processing of the data.
- Owner of the personal data: is the natural person to
whom the information contained in a database refers and which is
subject to processing. The owner is the subject of the fundamental
right to habeas data, recognized both by Law 1581 of 2012 in Colombia
and by Regulation (EU) 2016/679 (GDPR) at the European level, which
grants them rights over the control and protection of their personal
data. These rights include access, rectification, updating, deletion
and opposition to the processing of their data, guaranteeing their
informational self-determination and respect for their privacy.
- Transfer: is the processing of personal data that
involves the communication of such data to a recipient, within or
outside the territory of the Republic of Colombia, for the recipient
to carry out processing on its own behalf. The transfer requires the
prior authorization of the data subject and/or must be carried out,
when necessary, in compliance with a legal or judicial requirement by
a competent authority, in line with the provisions of Law 1581 of 2012
and Regulation (EU) 2016/679 (GDPR). In the latter, the principles of
security, adequacy and the existence of mechanisms that ensure
equivalent protection of personal data in the destination countries
are guaranteed.
- Transmission: is the activity of processing personal
data through which said data is communicated to a data processor,
internally or to third parties, either within or outside the territory
of the Republic of Colombia. In this case, the purpose of the
transmission is to carry out processing on behalf of the person
responsible for the personal data, who delegates certain functions to
the recipient. This activity must have the authorization of the owner
of the data, except in cases where it is required by law or by a
judicial authority. The transfer is carried out under strict
protection standards, in compliance with the provisions of Law 1581 of
2012 and Regulation (EU) 2016/679, which requires the adoption of
adequate security measures for the protection of the rights of the
owner.
- Processing of personal data: is any systematic
operation and procedure, electronic or not, on personal data, such as:
the collection, conservation, ordering, storage, modification,
relationship, use, circulation, evaluation, blocking, destruction,
deletion and, in general, the processing of personal data.
4. GLOBAL POLICIES ESTABLISHED FOR THE PROCESSING OF PERSONAL DATA
AND INFORMATION STORED IN THE COMPANY'S DATABASES.
PRIVACY POLICIES APPLICABLE TO OUR GAMES AND PRODUCTS AVAILABLE ON
WEBSITES, MOBILE APPLICATIONS, AND OTHER DIGITAL PLATFORMS.
The privacy policies described in this section apply to all our games
and products accessible through
websites, mobile applications, and any other digital or
similar platforms, including computer applications available for mobile
devices, video game consoles, and online gaming platforms. These
policies govern the processing of users' personal data in all the ways
in which our services are accessed or interacted with, ensuring the
protection of privacy in accordance with applicable local and
international regulations.
DETAILS OF THE DATA CONTROLLERS.
The persons responsible for the processing of personal data will be:
PIXIE META DEVELOPMENT SAS, NIT. 901563712-1, hereinafter "PIXIE",
domiciled in Bogota D.C., with physical address at Cl 99 No. 7 A 77
Office 405, with electronic address [email protected].
PIXIE META LTD. Email: [email protected].
Address: 19 The Circle, Queen Elizabeth Street, London,
SE1 2JE, United Kingdom.
PURPOSES OF PROCESSING APPLICABLE TO OUR GAMES AND PRODUCTS AVAILABLE
ON WEBSITES, MOBILE APPLICATIONS AND OTHER DIGITAL PLATFORMS.
Our commitment is to use the personal data strictly necessary to comply
with the legitimate interests of the company, within the framework of
our corporate purpose, and always in accordance with the principles
established in the Political Constitution of Colombia, Law 1581 of 2012,
and Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR).
The company's legitimate interests include, among others, improving the
user experience, personalizing offers, and optimizing our services to
maximize the value of each customer, always respecting the highest
standards of data protection.
The company undertakes to process personal data in accordance with the
purposes described in this document, including the possible
international transfer of data between Colombia and other countries, in
compliance with international regulations and agreements on the
protection of personal data. The information collected, such as email
address and other data provided, will be used to respond to inquiries
from data subjects or for the purposes defined in our Policies adopted
under the Comprehensive Personal Data Management Program (CPDMP).
Below, we describe in detail how and for what purpose we use our users'
personal data:
Advertising and Commercial Prospecting / Own Advertising / Customer
and User Loyalty
- Link and retain users interested in the products and services offered
through our games and digital platforms.
- Geo-reference users to adapt and personalise the experience based on
their location and preferences, allowing the optimisation of our
commercial and marketing campaigns.
- Carry out marketing, advertising and promotion activities of products
and services, both directly and through third parties, using various
means, including electronic ones, to offer users relevant content
based on their interests.
Improvement of Services and Customer Service:
- Carry out market intelligence analyses, evaluate the quality of the
services offered and carry out verifications and consultations to
ensure the authorization of safe and effective means of payment.
- Contact users to invite them to participate in satisfaction surveys,
in order to improve our products and services. Responses to these
surveys will be anonymised and used exclusively for statistical
purposes.
- Contact users to inform them about new products, services, promotions
or relevant changes related to the products or services offered by the
company.
Compliance with Contractual Obligations and Attention to PCSI:
- Comply with the obligations arising from the contractual relationship
with users, facilitating the correct execution of purchases of
products or services offered through our platforms.
- Attend to Petitions, Complaints, Suggestions and Inquiries (PCSI)
related to our products and services, ensuring adequate and timely
attention.
Authorization for Use of Images and Advertising:
- Manage the use of images and photographs of users, with prior
authorisation, for information or advertising purposes in its own or
third-party campaigns, always in compliance with applicable
regulations.
Communications and Promotions:
- Send users, physically or electronically, information related to the
company's products and services, as well as important changes or
updates regarding them.
- Share user information with business partners or suppliers, in order
to offer them commercial options for products or services that may be
of interest to them.
Information Management and Security:
- Safeguard and manage the personal information and databases of our
users, guaranteeing their security, integrity and confidentiality at
all times.
- Comply with legal or contractual obligations arising from our
commercial activity and to ensure that our users' data is managed in
accordance with current data protection regulations.
Accounting, tax and administrative management:
- Comply with the commitments, obligations and/or requirements in
accounting, tax and/or fiscal matters of the company.
- Manage the company's information, commercial, corporate, accounting
and billing records.
- Handle the information for the preparation, issuance, collection,
payment and remittance of the respective invoices and/or documents
that are issued by virtue of the development of the corporate purpose
and the commercial activity of the company.
- Record and consult accounting movements, sales and purchases.
- File and update the systems for the protection and custody of
information in tax, commercial, corporate, accounting and invoicing
matters; and the operational development and/or administration of
computer systems in accounting and tax matters, through specialized
software or any other that may be adopted by the company.
- Transmit and transfer data to third parties with whom contracts have
been entered into for this purpose, for commercial, administrative,
marketing and/or operational purposes, in accordance with the legal
provisions in force.
International Data Transfer and Transmission:
- Carry out the local and international transfer and transmission of
personal data to third parties, including other companies, government
entities, foundations or non-profit entities, located inside or
outside Colombia, for the purpose of promoting activities related to
advertising, marketing, and statistical and informative communication
of our products and services. We may share the personal data provided
by the data subjects to fulfil the purposes established herein, such
as improving the personalization of the service and optimizing
performance for users. This data may be transferred outside the
country of residence of the data subject, including to jurisdictions
that do not have an equivalent level of data protection. However, any
international transfer will be carried out under mechanisms that
ensure adequate data protection, such as the use of standard
contractual clauses or international cross-border data protection
agreements, in accordance with the provisions of Law 1581 of 2012 and
the General Data Protection Regulation (GDPR). Likewise, the company
may share personal data with external service providers that have been
hired to support the execution of the purposes described, such as
cloud storage services, data analysis platforms and personalized
advertising. These third parties are contractually obliged to use
personal data exclusively for the agreed purposes and under the
instructions of the company, guaranteeing at all times the adequate
protection of the data transferred.
LIMITATIONS ON THE USE OF PERSONAL DATA.
The personal data of the owners will not be used for purposes other than
those established in our Policies adopted under the Comprehensive
Personal Data Management Program (CPDMP), nor will they be sold or
transferred to third parties that are dedicated to the commercialization
of databases or any activity unrelated to the purpose authorized for the
processing of the data. The company assures that the use of personal
data will always be in strict accordance with the legitimate purposes
defined in this document and that the rights of the owners will be fully
respected, in compliance with the provisions of Law 1581 of 2012 and the
General Data Protection Regulation (GDPR).
COLLECTION AND STORAGE OF PERSONAL DATA.
Personal data is stored based on the information provided directly by
the owner. In accordance with Article 7 of Regulatory Decree 1377 of
2013, the provision of personal data to the company, whether through
survey processes, events or any other manifestation of will, will be
considered an unequivocal conduct that allows it to reasonably conclude
that the owner has granted his authorization for the processing of his
personal data in accordance with the provisions of Law 1581 of 2012.
TYPES OF DATA COLLECTED BY THE COMPANY APPLICABLE TO OUR GAMES AND
PRODUCTS AVAILABLE ON WEBSITES, MOBILE APPLICATIONS, AND OTHER DIGITAL
PLATFORMS.
The owner of personal data has the power to decide the data that he or
she provides to the company. For this reason, provided that there is
authorization from the owner, the company collects the following types
of personal data:
Non-sensitive data includes, but is not limited to:
general and specific identification and/or location data (such as names,
surnames, address, and e-mail address); information related to personal
activity; financial and credit data, as well as economic rights; tax
data and technical data such as the user's IP address, connection
sessions to the application, session durations, in-app events
(such as purchases or process terminations), and cookies used to
personalize the user experience and improve service performance.
Data of minors: Access to and use of the game by minors
must be strictly supervised and authorized by parents or legal
guardians. The company is not responsible for the use that minors make
of the platform without due parental controls. It is the responsibility
of parents or legal guardians to monitor and control access, use and
settings of the game, ensuring that the game is suitable for the child
and that it complies with the age restrictions set forth in the
service's policies. In accordance with Law 1581 of 2012 in Colombia and
the General Data Protection Regulation (GDPR) in Europe, the provision
of information and personal data of minors is not mandatory. For this
reason, registration on our platform must be carried out exclusively by
persons of legal age and legally capable. By registering, the user
guarantees that he/she is of the required legal age and has the ability to
provide the requested personal data, thus ensuring compliance with
applicable data protection regulations.
INVENTORY OF DATABASES APPLICABLE TO OUR GAMES AND PRODUCTS AVAILABLE
ON WEBSITES, MOBILE APPLICATIONS AND OTHER DIGITAL PLATFORMS.
The company has the following databases, which include information and
data according to the purpose of the processing.
- Tools used: Firebase Analytics, Firebase Messaging (Push),
Crashlytics. User Data: Device (Device ID). Events: Data about the
user's interaction with the app, including crashes. Use: User
behaviour analysis, push notification management, and crash monitoring
in the application.
- Google Analytics – Receives user data from Firebase, including events
and user behaviour. Usage: Detailed analysis of user activity on the
app and websites.
- Google Tag Manager – Centralizes the collection of browsing data
through tags implemented on web pages. Use: Tag management for data
analysis on web pages.
- Google Cloud – Shares user data from devices with PlayFab.com, such
as Device ID, email, and real name (if authorized by the user). Usage:
Cloud storage and cross-platform data sharing to improve user
experience.
- Apple iCloud – Shares user data of devices with PlayFab.com, such as
Device ID, email, and real name (if authorized by the user). Usage:
Cloud data synchronization and sharing with third parties to optimize
the user experience in the application.
- PlayFab – User Events, In-App Sessions, Daily Active Users (DAUs).
Device ID, email, real name (if authorized by the user). Usage:
Backend as a Service (BaaS) to manage and store user events and
activities in the application.
- Microsoft Clarity – User interactions on the website (heatmaps),
click points, and scrolling on the website. Use: Visualization of user
interaction on the website to improve the usability and design of the
website.
- Singular.net – User Advertising ID, used to personalize the user
experience and optimize acquisition costs. Use: Marketing platform for
optimizing the cost of user acquisition and personalizing advertising
campaigns.
- Unity – Unity Analytics, Unity Ads. Usage: Tracking in-game events
and personalizing ads based on user activity.
- SendGrid – Use: Sending communications and newsletters to subscribed
users.
The aforementioned databases allow the information to be organized
according to the nature and purpose of the data.
Therefore, any collaborator or person who, in the performance of their
duties, must or may have access to the aforementioned databases must
strictly comply with the policies and procedures established in this
manual, under penalty of incurring serious breaches of their contractual
obligations and the applicable sanctions by virtue of the law.
LOCATION OF DATABASES.
The aforementioned databases are used for automated data processing.
They are located on their own external servers with access through cloud
computing.
PROCESS OF CAPTURING PERSONAL DATA APPLICABLE TO OUR GAMES AND
PRODUCTS AVAILABLE ON WEBSITES, MOBILE APPLICATIONS AND OTHER DIGITAL
PLATFORMS.
Data Capture Process in the Registration and Access to the Game.
Registration and access to the game are subject to acceptance of the
Terms and Conditions, which include the express authorisation of the
user for the processing of their personal data in accordance with the
purposes specified in our Privacy Notice. The data capture process and
the processing of information are structured according to the following
rules:
1. Registration and Connection Options
The user has two options to access the game:
- Connecting to Google or Apple Account: When you
choose to connect using your Google or Apple account, PlayFab collects
additional personal data such as name, email, and device ID. This
information allows for a personalized experience and ensures that when
you log back in, you pick up the game from where you left off.
- Guest Access: If the user chooses to log in as a
guest, minimal data such as geographic location (city
and country), IP address, and in-game events are
collected. However, by not being associated with a Google or Apple
account, in-game progress information cannot be retained, and the user
will not be able to resume from the last point played in future
sessions.
2. Account Storage and Persistence Conditions
- If the user deletes the app, this does not imply the deletion of their
PlayFab account. The account still exists and can be accessed again if
the user reinstalls the app and reconnects with their associated
Google or Apple account.
3. Data Capture by Third-Party Providers
- Firebase Analytics, Google Analytics, Microsoft Clarity, Unity
Analytics: These tools are used to capture and analyse user behaviour within
the application. Events such as usage sessions, interactions, and
purchases are collected, allowing game performance to be optimized and
the user experience to be improved. The data is used in aggregate form
for statistical purposes.
- Firebase Crashlytics: Captures data about unexpected
app crashes. It is not linked to individual user profiles, but is used
to identify and correct technical issues in the app.
4. Advertising and Retargeting
- Unity Ads and Singular.net: These platforms capture
device identifiers (Advertising IDs) for the management of
personalized advertising campaigns. The MMP (Mobile Measurement
Partner) in this case is Tenjin, which uses the phone's advertiser ID
to perform retargeting and improve user acquisition and optimization
through ad networks.
5. Cloud Data Storage
- Google Cloud and Apple iCloud: The data collected,
such as the Device ID, email and name (if the user authorizes it), is
stored securely on these platforms. Google Cloud and Apple iCloud
comply with international standards for encryption and data
protection, ensuring the integrity and security of information.
6. Communication and Notifications
- Firebase Messaging and SendGrid: These services are
used to send push notifications and emails related to updates, game
events, and general communications. The minimum necessary information,
such as email and device tokens, is collected to ensure proper
communication with users.
Important Warnings:
- Users must explicitly agree to the Terms and Conditions and Privacy
Policy before starting to use the game, which details the processing
of personal data.
- The provision of additional personal information (name and email) is
optional and will depend on whether the user chooses to connect with
their Google or Apple account.
- The game progress cannot be stored if the user logs in as a guest, as
a personal profile is not associated with their session.
- The company will use "Cookies", i.e. files or pieces of information
that are stored by the browser on the computer's hard drive, to obtain
additional information about the holders during their visit to our
pages or websites. Authorisation for the processing of data obtained
through cookies will be granted in accordance with the provisions of
the format that the company has provided under the annexes to this
CPDMP.
JURISDICTIONS.
Within the framework of the services provided by the Company, we may
collect personal data from data subjects residing in countries other
than Colombia, including, but not limited to, North America, South
America, Central America and Europe. The processing of this data will be
carried out in accordance with the purposes described in our Terms and
Conditions and in the Comprehensive Personal Data Management Program
(CPDMP). The personal data collected may be transferred to and from
Colombia, and in such case, it will be treated in accordance with the
legal regulations in force in Colombia, including the provisions of Law
1581 of 2012. Likewise, in cases where data subjects reside in other
jurisdictions, such as the European Union, the company will ensure
compliance with the rules applicable in those jurisdictions, such as the
General Data Protection Regulation (GDPR). In any circumstance, the
Company, in its capacity as data controller, undertakes to comply with
the legal obligations enforceable in relation to the processing of the
personal data of data subjects residing in other countries, always in
accordance with local laws and international data protection agreements.
AUTHORIZED CHANNELS AND CONTACT HOURS.
Under the rules of the CPDMP and with the prior authorization of the
owner, which includes but is not limited to the acceptance of our terms
and conditions and those of the websites and computer applications, the
owner of the personal data authorizes us to contact them through the
different contact channels that we keep active, which include, but
are not limited to: text messages -SMS-, email, chat, phone calls,
physical mail, virtual conferences, contact forms on websites, social
networks, video messaging applications, user portal. Notwithstanding the
foregoing, in the registration form and/or in our contact channels, the
owner may limit, disable or cancel at any time the receipt of messages
and emails for all or each of the authorized channels, if there is no
contractual duty to remain in the respective database.
Likewise, with the authorization of personal data processing, the
Company may contact the owner through one of the authorized channels
once a day within the same week from Monday to Friday and from 7:00 am
to 7:00 pm, and Saturdays from 8:00 am to 3:00 pm, Colombia time. The
holder will not be contacted on Sundays and holidays.
PERSONAL DATA RETENTION RULES.
We will retain personal data only for previously authorised purposes.
However, the owner has the right to request the deletion of their data,
and we will delete those that are no longer necessary to comply with the
purpose of the processing. However, we reserve the right to retain
certain data in the following cases:
- When the processing is necessary to guarantee freedom of expression
and information.
- When it is mandatory to retain the data to comply with a legal
obligation.
- When there are reasons of public interest, such as public health or
scientific and historical research.
- If it is necessary to retain the data for the establishment, exercise
or defence of legal claims.
RIGHTS OF PERSONAL DATA OWNERS.
In accordance with Law 1581 of 2012, Decree 1377 of 2013 and in harmony
with the General Data Protection Regulation (GDPR) of the European
Union, the owner of personal data has the following rights:
-
Know, update and rectify your personal data before the data
controllers or data processors. This right may be exercised, among
others, with respect to data that is inaccurate, incomplete, outdated
or whose processing has not been authorised or is prohibited.
-
Request proof of the authorization granted to the data controller,
except in those cases in which authorization is not required, in
accordance with Article 10 of Law 1581 of 2012 or Articles 6 and 9 of
the GDPR.
-
To be informed, upon request, about the use that has been given to
their personal data by the controller or processor, as required by
Article 15 of the GDPR, which regulates the "right of access".
-
File complaints with the Superintendence of Industry and Commerce in
Colombia or with the competent supervisory authority in the European
Union, for violations of the provisions of Law 1581 of 2012, the GDPR,
and other regulations that modify or complement them.
-
Revoke the authorisation and/or request the deletion of the data when
the processing does not respect the principles, rights and guarantees
established in the law and the GDPR.
-
Request and have free access to your processed personal data, in
accordance with Article 21 of Decree 1377 of 2013 and Article 12 of
the GDPR, which establishes the right of free and clear access to
personal information.
-
To be notified efficiently and in advance of any modification to the
terms of the personal data processing manual, in line with the
principle of transparency of Article 12 of the GDPR.
-
Have easy and permanent access to the Privacy and Personal Data
Processing Policies and their modifications, guaranteeing compliance
with the right to information established in both Law 1581 and the
GDPR.
-
To have clear and simple access to your personal data under the
control of the company, to effectively exercise the rights granted by
law and the GDPR, following the principle of transparency.
-
Know the agency or person designated by the company to deal with
petitions, complaints, suggestions and inquiries related to the
processing of your personal data, in accordance with the principle of
proactive responsibility of the GDPR.
ATTENTION TO PETITIONS, COMPLAINTS, SUGGESTIONS AND INQUIRIES
(PCSI)
The company has appointed the Delegate or Privacy Officer as
the person responsible for receiving and managing petitions, complaints,
suggestions and inquiries (PCSI) related to the processing of personal
data. The Privacy Officer or their delegates will be responsible for
processing such requests in accordance with current legislation and the
provisions of this Personal Data Processing Manual, as well as with the
General Data Protection Regulation (GDPR), ensuring compliance with the
principles of transparency, access and rectification of data.
Some of the specific roles of the Privacy Officer and their
delegates in relation to personal data include:
-
Receive, process and respond to requests from the owners of personal
data that are based on the law or on this Personal Data Processing
Manual. These requests include, but are not limited to:
-
Request for updating, rectification or correction of personal data, in
accordance with Article 16 of the GDPR.
-
Request for access to personal data, in accordance with the right of
access provided for in Article 15 of the GDPR.
-
Request for erasure of personal data, where applicable pursuant to
Article 17 of the GDPR (right to be forgotten).
-
Request for information on the use and processing of personal data, in
accordance with the principle of transparency of Article 12 of the
GDPR.
-
Request to update personal data, ensuring that it is kept accurate and
up-to-date, in accordance with Article 5(1)(d) of the GDPR.
-
Request for proof of the authorization granted, when this is required
in accordance with Law 1581 of 2012 or the GDPR.
-
Respond appropriately to the owners of personal data on those requests
that are not appropriate, in accordance with applicable legislation,
providing the relevant legal justifications and ensuring transparency
in the process.
The contact details of the Privacy Officer or Delegate for
queries and requests regarding the processing of personal data are as
follows: [email protected].
PROCEDURE FOR EXERCISING THE RIGHT OF HABEAS DATA.
The following procedure is established so that the owners of personal
data can exercise their rights, as follows:
Consultations: The company has implemented the
appropriate mechanisms so that the owner, his successors,
representatives and/or proxies can make inquiries about the personal
data that rests in the company's databases, in accordance with the
following rules:
-
The query must be made in writing, addressed to the Privacy and
Processing Officer through the email address [email protected].
-
The query will be answered within a maximum period of ten (10)
business days from its receipt. The response will be sent by the same
means by which the request was received, in compliance with the
principle of transparency established in Article 12 of the GDPR.
-
If the applicant is duly accredited in accordance with the criteria
established in Law 1581 of 2012, Decree 1377 of 2013 and the GDPR, the
company will collect all the information related to the owner and that
is contained in its databases, making it available to the applicant in
accordance with Article 15 of the GDPR (right of access).
-
If it is not possible to respond to the inquiry within the initial
deadline, the requestor will be informed of the reasons for the delay
and the new response date, which may not exceed five (5) business days
in addition to the original deadline, as permitted by Article 12(3) of
the GDPR.
Complaints: The company has mechanisms so that the
owner, his successors, representatives and/or proxies can make claims in
case they consider that the information contained in a database should
be corrected, updated, deleted or when there is an alleged breach of the
duties established in Law 1581 of 2012, Decree 1377 of 2013, or
the GDPR, in accordance with the following rules:
-
The complaint must be submitted in writing, addressed to the Privacy
and Treatment Officer at the email address
[email protected].
-
The complaint must include the name and identification number of the
owner, the description of the facts, the purpose (correction,
updating, deletion or fulfilment of duties), the address and contact
details, and any relevant documents.
-
If the claim is incomplete, the claimant will be required to correct
the fault within five (5) business days following receipt. If the
required information is not submitted within two (2) months, it will
be understood that the claimant has withdrawn his or her application.
-
If the recipient of the complaint is not competent to resolve the
complaint, it will be forwarded to the Privacy Officer or Delegate
within two (2) business days, informing the complainant.
-
Once the complete claim is received, a legend will be included that
says "claim in process" within two (2) business days. This legend will
remain until the claim is resolved.
-
The maximum period for dealing with the complaint will be fifteen (15)
business days from the day following its receipt.
-
If it is not possible to address the complaint within this period, the
complainant will be informed of the reasons for the delay and the new
resolution date, which may not exceed eight (8) additional business
days, as permitted under Article 12(3) of the GDPR.
-
Communications related to the complaint will be sent to the owner by
the same means in which the complaint was received.
Requests: The company allows the owner, his successors,
representatives and/or proxies to make requests to update, modify,
revoke the authorization and/or delete the personal data. These requests
will be handled under the following rules:
-
Requests must be submitted in writing to the Privacy Officer or
Delegate via the email address
[email protected]. If the
request is submitted by other means (e.g., physical address), it will
be forwarded to the Privacy Officer or Delegate, if necessary.
-
If the request is linked to a complaint or inquiry, it will be
attended under the terms established for each one.
-
If the request is not linked to other procedures, it will be answered
within a maximum period of ten (10) business days from its receipt,
and the response will be sent by the same means in which it was
formulated.
-
If it is not possible to respond to the request within the established
period, the applicant will be informed of the reasons for the delay
and the new response date, which may not exceed five (5) business days
in addition to the original deadline.
AGREEMENTS WITH MANAGERS. AGREEMENTS WITH SERVICE PROVIDERS FOR THE
PROCESSING OF PERSONAL DATA.
The Company may enter into agreements with service providers who, under
its authorization, process personal data in the name and on behalf of
the Company. These providers will act as Data Processors and may manage
personal data directly or in collaboration with other processors, always
in strict compliance with the company's instructions. In accordance with
Article 28 of the GDPR, the company will ensure that these agreements
include a Processor Clause that stipulates, among other aspects, the
following obligations:
-
The processing of personal data will be carried out only in accordance
with the documented instructions of the company, which acts as the
Data Controller.
-
The processor must guarantee that the persons authorized to process
the personal data under its supervision will maintain confidentiality
and comply with the security measures established by the company and
the applicable regulations.
-
Appropriate technical and organisational measures will be implemented
to ensure data security, in accordance with the provisions of Article
32 of the GDPR.
-
The processor may not subcontract any service related to the
processing of personal data without the prior written authorization,
specific or general, of the company, in accordance with Article 28(2)
of the GDPR.
-
The processor will assist the company in ensuring compliance with the
obligations relating to the rights of data subjects, such as access,
rectification, deletion, and data portability, in accordance with
articles 12 to 23 of the GDPR.
-
Once the service has been provided, the processor must delete or
return all personal data to the company, unless there is a legal
obligation to retain such data, as set out in Article 28(3)(g) of the
GDPR.
-
The processor shall make available to the company all the information
necessary to demonstrate compliance with the obligations set out in
Article 28 of the GDPR, and shall allow audits or inspections to be
carried out by the company or another authorised auditor.
SECURITY MEASURES FOR THE PROCESSING OF PERSONAL DATA.
Principle of Security and Confidentiality in the Processing of
Personal Data:
In compliance with the principle of security enshrined in Law 1581 of
2012 of Colombia and in the European General Data Protection Regulation
(GDPR), the company will adopt the technical, technological, human,
operational and administrative measures necessary to guarantee the
integrity, confidentiality, availability and security of personal data.
These measures will be designed to prevent the adulteration or loss of
personal data and its unauthorized or fraudulent use, consultation or
access.
Confidentiality Obligations:
The company will enter into confidentiality agreements with all its
employees, suppliers, contractors and any other person who, in the
course of their duties, has access to personal data, thus ensuring
control over the databases. This commitment aligns with both the
requirements of Law 1581 and Articles 5 and 32 of the GDPR, which
establish the obligation to implement appropriate security measures and
to ensure that the persons authorized to process personal data maintain
confidentiality.
Restricted Access and Data Processing:
The data stored in the company's databases will be accessible only by
personnel who are bound by an employment contract and by suppliers or
contractors with whom a data processing agreement is maintained. The
company will apply strict security controls for both physical and
electronic files. Physical data will be locked up and monitored, while
electronic data will be protected by appropriate technical and
organizational measures, as required by Article 32 of the GDPR.
These measures include:
-
Data Encryption: Industry-standard technologies such
as SSL/TLS will be used to encrypt data transmission
between user applications and company servers, ensuring that personal
information is protected from unauthorized access during transmission.
-
Authentication and Access Control: Only authorized
company personnel, specifically those in charge of product development
and data operations, will have access to personal information. This
access will be controlled by secure credentials, complying with the
GDPR's principle of data minimisation.
Security Tools and Platforms:
The company works with a variety of platforms and technology providers
that implement rigorous security controls and comply with international
privacy and data protection regulations, such as GDPR and ISO/IEC 27001.
These platforms include:
-
Firebase: Uses encryption and authentication to
protect information, complying with Google Cloud security standards.
-
Google Analytics, Google Tag Manager, Google Cloud: They provide
advanced data protection measures and are aligned with privacy
regulations, including GDPR.
-
Apple iCloud: Offers end-to-end encryption for stored
and transmitted data, ensuring information is protected.
-
PlayFab: Implements state-of-the-art security
controls, such as encryption and access control.
-
Microsoft Clarity: Complies with Microsoft privacy
and security standards, such as encryption and access control, and
conforms to GDPR regulations.
-
SendGrid: Protects data through encryption and
authentication, preventing unauthorized access.
SECURE CLOUD STORAGE.
All personal information collected will be stored in secure cloud
infrastructures, such as Google Cloud and Apple iCloud, which have
advanced encryption to protect data both in transit and at rest. These
platforms comply with internationally recognized certifications, such as
ISO/IEC 27001 and SOC 2, guaranteeing high standards of information
security.
ACCESS CONTROL AND MONITORING BY THE PRIVACY OFFICER.
The Privacy and Data Processing Officer or Delegate will be
responsible for supervising access to the databases and ensuring that
any processing carried out by contracted third parties complies with the
confidentiality, security and restricted access measures required by
current legislation.
The company will make its best effort to apply the most advanced and
reasonable measures to ensure the protection of the personal information
of owners, employees, customers, suppliers and contractors, complying
with the requirements established by both Law 1581 of 2012 and the GDPR.
PRIVACY NOTICE AND PROCESSING OF PERSONAL DATA.
The company has adopted a Privacy Notice to transparently inform
personal data subjects about policies and practices related to the
privacy and protection of their data. This notice complies with the
provisions of Law 1581 of 2012 and the General Data Protection
Regulation (GDPR), guaranteeing the exercise of the rights of the
owners.
In order to notify the owners about their inclusion in our databases and
the processing of their information, the company may send a clear and
accessible communication, in accordance with the content of the Privacy
and Personal Data Processing Notice. This notification will be in
accordance with the provisions of the Comprehensive Personal Data
Management Program (CPDMP) and the applicable regulations on data
protection.
INFORMATION SECURITY PARAMETERS.
The Company recognizes that information is one of its most valuable
assets, which has motivated, since its inception, the implementation of
rigorous security policies, including the signing of confidentiality
agreements. All information is classified as Confidential and Restricted
Use and Access. Through this policy, the company establishes clear
guidelines that must be strictly followed by all its employees, as well
as by third parties who, in the exercise of their functions, handle or
manage their own or third parties' information. The policies adopted
herein are supported by the following regulations:
Internal Labor Regulations and the Substantive Labor Code.
Statutory Law 1581 of 2012, which establishes general provisions for the
protection of personal data.
Decree 1377 of 2013, which partially regulates Law 1581 of 2012.
Law 23 of 1982, which regulates the protection of copyright, partially
amended by Law 1915 of 2018.
Decree 1072 of 2015 and its amendments, which consolidate the labour
provisions.
Law 1273 of 2009, which introduces the protected legal right of
information and data.
Decision 486 of the Andean Community of Nations, which establishes the
Common Regime on Industrial Property.
Law 256 of 1996, which establishes rules on unfair competition.
Likewise, any other normative or regulatory provision that complements,
modifies or replaces the previous ones will be mandatory. These policies
ensure legal compliance and protection of rights related to information.
INFORMATION SECURITY POLICY.
The Company recognizes the critical importance of protecting the
confidentiality, integrity, and availability of the information it
manages, regardless of its format, whether electronic, paper, audio,
video, or otherwise. This policy aims to ensure information security and
business continuity, mitigating risks related to unauthorized access,
misuse, or loss of information, in compliance with both Colombian
regulations and the European General Data Protection Regulation (GDPR).
Definitions
-
Information: A set of organized data, contained in
physical or electronic files, which may be transmitted or communicated
to third parties by any means.
-
Confidential Information: Any strategic or sensitive
information that needs to be protected from unauthorized third
parties. This includes, but is not limited to, data about processes,
customers, agreements, contracts, human resources, or any information
that gives a competitive advantage to the Company. All information
that the Company manages, holds, transmits, stores or uses is
considered confidential.
-
Information security: Set of processes, procedures
and technical, administrative and operational measures aimed at
guaranteeing the confidentiality, integrity and availability of
information, ensuring its protection against unauthorised access and
its correct processing.
-
Confidentiality: Obligation of all natural or legal
persons, public or private, who interact with the Company to ensure
that information is only accessible to those formally authorized, in
the context of contractual or commercial relationships.
Special Duties of Confidentiality
Those who have access to the Company's confidential information are
required to:
a. Not disclose or share it with unauthorized third parties.
b. Refrain from reproducing or disseminating it without the prior
authorisation of the Company.
c. Not reveal, exhibit, communicate or use it for purposes other than
those established in the agreement or contract signed between the
parties.
Compliance and Sanctions
Compliance with this policy is mandatory for all employees, consultants,
contractors and suppliers of the Company. Failure to comply with the
established provisions will be considered a serious misconduct, which
may constitute a just cause for the immediate termination of the
contract, whether labour, commercial or corporate. In addition, the
Company reserves the right to take legal action against those who
violate this policy, considering the damages caused, including
regulatory sanctions, loss of reputation, financial damage, or loss of
trust on the part of customers and shareholders.
Technical and Organizational Security Measures
The Company implements appropriate security measures, in compliance
with Colombian and European regulations, including the GDPR, to protect
personal data and confidential information. These measures include:
-
Data encryption: Use of advanced encryption
technologies (SSL/TLS) to protect the transmission and storage of
information.
-
Access control: Limiting access to confidential
information to authorized personnel only, using secure authentication.
-
Continuous monitoring: Periodic assessments of
security systems to detect and mitigate emerging risks.
Update and Review
This policy will be reviewed and updated periodically to ensure
alignment with technological advances, regulatory changes, and industry
best practices.
SCOPE OF THE POLICIES.
These policies are mandatory for any collaborator, person or company
that has a contractual, corporate or business relationship with us.
This program must be subject to permanent review and updating whenever
there are changes in the information systems, the data processing
system, the organization or the content of the information in the
databases that may affect the security measures implemented. Likewise,
policies must be adapted at all times to legal regulations on
information security, intellectual property, unfair competition and
personal data protection.
The policies, obligations, processes and procedures established herein
are aimed at protecting the company's information, as well as that of
its contractors, customers and any other person of a public
or private nature with whom a contractual or business relationship is
maintained, to ensure access and legitimate use, preventing unauthorized
disclosure or destruction.
INFORMATION CLASSIFICATION.
The company has defined the following classification of information,
with the aim of managing it, according to its level of relevance to
business processes.
Public Domain Information.
It is the information that has been declared public knowledge by the
owner of the information. This type of information can be delivered or
published to all types of public (internal or external people of the
company and members of the competition) without restrictions and without
this implying damage to the company's stakeholders, activities and
processes.
Confidential Information.
It is information that can only be known, used and modified by the
company or its collaborators (employees) or contractors,
depending on their work or current contractual relationship, for the
purposes of the agreement or contract to which it is linked. For this
purpose, all information may be marked as confidential.
Confidential information for use and restricted access.
It is information that, in addition to being confidential, has been
marked as "restricted access" due to its value as part of an
industrial secret.
Information life cycle.
The information life cycle consists of three stages:
- Generation
- Conservation
- Destruction
Each area or person responsible for the information defines the
retention time and useful life of the information in consideration of
its nature and duty of maintenance to comply with legal obligations.
All information destruction processes must ensure compliance with legal
obligations regarding the protection of personal data. Information will
be deleted when it is not required by the company.
The physical or electronic disposal process will be defined by the
general management.
RULES TO MAINTAIN INFORMATION SECURITY.
-
The company will enter into confidentiality obligations with each and
every one of its employees, contractors, suppliers and other persons
when necessary, adopting the relevant technical, technological, human,
operational and administrative measures to guarantee the security and
control over the information and thus prevent its adulteration, loss,
consultation, use or unauthorized or fraudulent access by third
parties. The validity of confidentiality obligations will be
indefinite, in consideration of the nature of the information.
-
All those who are permitted to access, know, or lawfully process
confidential information shall be responsible for protecting it in
accordance with its classification, ensuring its confidentiality,
integrity, and availability. Servers and information are accessible
only by persons designated and authorized by the company in accordance
with their role.
-
Whoever accesses, knows or uses the information must ensure that they
comply with the security controls established by the company, as well
as propose or suggest controls sufficiently suitable to prevent the
loss or leakage of the information.
-
The Company will keep your information in the physical and electronic
files or repositories available for this purpose. The physical files
will be stored in compliance with the provisions of the company's
document retention tables and subject to strict security and
surveillance controls by the Privacy Officer.
-
The information that resides in electronic files or repositories will
be kept under strict technical, technological and information security
controls with the use of access codes, backups, antivirus,
antimalware, antispyware and other computer security measures, in such
a way that only the company's employees authorized and commissioned
for this purpose can have access. The password or access key is
personal and non-transferable.
-
The organization has defined the Privacy Officer as
responsible for managing access permissions to physical servers and/or
repositories. This person will define the procedure for assigning keys
and/or access keys to guarantee confidentiality, integrity and secure
storage, as well as the frequency with which they are changed.
SPECIAL RULES FOR WORKERS - USE OF EMAIL, INTERNET, MOBILE DEVICES,
INTERNAL SYSTEMS OF THE COMPANY.
-
All employees have a corporate email. Any matter related to the
ordinary course of the company's business should be handled
exclusively by corporate email. Computer equipment and other work
tools where there is access to information from the company or from
third parties with whom it has contractual, commercial or business
ties must be used solely and exclusively to comply with the employee's
labour obligations, with access only to the information necessary for
the performance of their functions. Likewise, the
archiving of confidential information in work tools should be avoided.
-
Each corporate email account has a set of storage resources associated
with it. The mail service allows the transfer of files as attachments
to the message or shared through its tools.
-
As long as an employment relationship is not accredited, no person may
request an email account associated with the domains owned by the
company.
-
As long as a contractual or business relationship is not accredited,
no person may be the recipient of an email containing information
owned by the organization. Every employee must verify the existence of
a legitimate and binding contractual or business relationship before
sending or giving access to confidential information. In any case, the
need to implement the confidentiality agreement with third parties,
defined under these policies, will be validated.
-
Therefore, it is forbidden to open personal emails from the company's
computers, as well as to store private information in them. The
company may adopt the security protocols it deems necessary, as well
as establish georeferencing mechanisms, information control mechanisms
and auditing of files stored in work equipment. The company may carry
out direct checks on the work equipment at any time, including file
recovery tasks, whenever it deems it necessary.
-
The company may disable access to social networks such as Facebook,
YouTube, Twitter and any other site it deems necessary to keep the
information safe. Likewise, the technological tools provided by the
company do not allow the storage of music files, videos and any other
format or information of a personal nature; only the use or storage of
information necessary to carry out their work activities is permitted.
-
The company is entitled to access the work tools provided, verify the
stored information and delete files that do not comply with the
defined purposes.
-
The company's network access keys or equipment must not be given to
any visitor without authorization from the Privacy Officer.
-
It is forbidden to share any personal password of any official,
specifically: access keys to information systems and access systems to
physical premises.
-
Cell phones that the company supplies or authorizes as work tools must
be permanently locked with a secure access key.
-
Access to information, including that which can be given remotely to
servers, the telephone system, and information systems, must consider
the role of each employee within the company.
-
Those who are allowed to take out their computers must have secure
access codes and avoid exposing them or using them in public places to
avoid loss due to theft.
-
The connection of removable media to work tools such as USB, CD/DVD
drives, external disks, among others, may be restricted or monitored,
according to the employee's role, to prevent information leakage and
guarantee confidentiality and data protection.
-
In case of requiring physical documents or information on removable
storage devices (such as USB, CD, external hard drives, among others)
for the development of their activity, the employee is responsible for
their custody and preservation. Under no circumstances may you leave
them exposed to unauthorized third parties.
-
Only the people defined by the general management will have a key to
the office.
-
The information that is contained or stored in physical files must be
kept in the company's facilities. Physical files must be kept locked
and in a safe place, according to the role played by the worker.
-
The hardware and software provided by the company for the performance
of tasks specific to each position must be used only to carry out the
assigned work activities. Workers must:
-
Avoid opening emails, downloading or executing files whose origin
is unknown.
-
Avoid opening or running pop-ups, toolbars, programs or unknown
links; these can lead to spoofed websites that capture data, which
can affect the availability, integrity, and confidentiality of
information.
-
Avoid installing programs that are foreign to those authorized by
the company or that do not correspond to the normal development of
the assigned activities.
- Keep the defined antivirus tool up to date.
-
The worker is responsible for any damage to the computer equipment
caused by its misuse; therefore, they must:
-
Make use of the assigned computer equipment only at the approved
workplace.
-
Maintain proper use of your work tools, avoiding impacts and not
consuming drinks or food while working.
-
In the event of loss or theft of computer equipment, the employee
must immediately inform the Privacy Officer or his or her
immediate supervisor.
ENTRY TO THE COMPANY'S FACILITIES.
When external personnel (including, but not limited to, customers,
suppliers, auditors and allies) must be allowed into the company's
physical facilities, the person attending the visit must inform them of
the terms and conditions applicable to entry to the facilities, which
are in the annexes of this CPDMP. These terms and conditions must be
known and accepted by anyone who can or must enter the physical
facilities.
AUDITS.
We will implement audit processes regarding the processing of personal
data to warn of the occurrence of contingencies associated with the
processing of personal data within the company. Audits may be carried
out by a third-party specialist in information security and privacy.
DEMONSTRATED RESPONSIBILITY.
In compliance with the provisions of Article 2.2.2.25.6.1. of Decree
1074 of 2015, and in line with the principles of the General Data
Protection Regulation (GDPR) of the European Union, the Company has
implemented a comprehensive management and control system that
guarantees compliance with personal data protection obligations, as well
as the ability to demonstrate such compliance to the competent
authorities.
This management process includes, among others, the following key
activities:
- Risk assessment and management: Identification and continuous
  evaluation of the risks associated with the processing of personal
  data, implementing measures to mitigate these risks and ensure the
  protection of the rights of data subjects.
- Internal policies and documented procedures: Development and
  implementation of privacy policies and clear procedures that regulate
  the processing of personal data within the Company, ensuring effective
  compliance with them.
- Staff training: Ongoing training of employees, contractors, and
  related third parties on data protection regulations, data protection
  obligations, and best practices for information protection.
- Monitoring and auditing: Implementation of periodic internal audit and
  oversight mechanisms to verify the effectiveness of security and
  compliance measures and adjust processes if necessary.
- Record of processing activities: Maintenance of up-to-date records of
  all personal data processing activities, as required by Law 1581 of
  2012 and the GDPR, which makes it possible to demonstrate compliance
  with current regulations.
- Responses to security incidents: Establishment of an action protocol
  for security incidents that may affect the confidentiality, integrity
  or availability of personal data, ensuring a timely response and
  notification to authorities and data subjects when necessary.
- Data Protection Impact Assessments (DPIAs): In cases where the
  processing of personal data involves a high risk to the rights and
  freedoms of data subjects, the Company will carry out impact
  assessments to foresee and mitigate such risks, as established by the
  GDPR.
With these actions, the Company not only ensures compliance with legal
obligations regarding the protection of personal data, but also
proactively and transparently demonstrates its commitment to the
protection of the rights of data subjects and the integrity of the
information it handles.
VALIDITY OF THE COMPREHENSIVE PERSONAL DATA MANAGEMENT PROGRAM.
This program was updated on November 25, 2024 and is in force as of
October 7, two thousand twenty-four (2024); it may be modified,
corrected or extended when the company deems it necessary.
In the event of substantial changes that affect the processing
policies, the data controller will notify the data subjects of such
changes in a timely manner. The communication will be sent to the data
subjects' email accounts or published on the data controller's
website.
Likewise, personal data that is stored, used or transmitted will remain
in the company's personal databases, based on the criteria of
temporality and necessity, for as long as necessary for the purposes
mentioned in this personal data processing manual and for which it was
collected.