English English Espanol Spanish
  • Home
  • Data processing policy

Data processing policy

1. LEGAL REGULATIONS AND SCOPE OF APPLICATION
The provisions of the Political Constitution elaborate the present policy of Treatment of personal data, Law 1581 of 2012, Regulatory Decree 1377 of 2013, and other complementary provisions and will be applied by SELLU S.A.S for the collection, storage, use, circulation, suppression, and all those activities that constitute treatment of personal data.

2. DEFINITIONS
For the execution of this policy and by legal regulations, the following definitions shall apply: a) Authorization: Prior, express and informed consent of the Data Subject to carry out the Processing of personal data; b) Privacy Notice: Physical, electronic or any other format generated by the Data Subject that is made available to the Data Subject for the processing of his/her personal data. In the Privacy Notice, the Holder is informed about the existence of the information treatment policies that will apply to him/her, the way to access them, and the purpose of the treatment that is intended to be given to the personal data; c) DataBase: c) DataBase: An organized group of personal data that is the object of Processing; d) Personal Data: Any information linked or that may be associated to one or several specific or determinable natural persons; e) Public Data: Data qualified as such according to the mandates of the law or the Political Constitution and that which is not semi-private, private or sensitive. Public data includes, among others, data relating to the marital status of individuals, their profession or trade, their status as merchants or public servants, and data that may be obtained without any reservation. Due to its nature, public data may be contained, among others, in public records, public documents, gazettes and official bulletins; f) Private data: It is the data that, due to its intimate or reserved nature, is only relevant to the owner; g) Sensitive data: g) Sensitive data: It is the data that affect the privacy of the Data Subject or whose undue use may generate discrimination, such as those revealing the racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights or that promote the interests of any political party or that guarantee the rights and guarantees of political opposition parties, as well as data relating to health, sex life and biometric data; h) Data Processor Natural or legal person, public or private, who by himself/herself or in association with others, carries out the Processing of personal data on behalf of the Data Controller; i) Data Controller: Natural or legal person, public or private, who by himself/herself or in association with others, decides on the basis of the data and/or the Processing of the data; j) Data owner: Natural person whose personal data are subject to Processing; k) Processing: Any operation or set of operations on personal data, such as the collection, storage, use, circulation or suppression thereof.

3. PURPOSE OF THE TREATMENT OF THE SELLU S.A.S. DATA
may make use of the personal data for: a) Execute the existing contractual relationship with its customers, suppliers and employees, including the payment of contractual obligations; b) Provide the services and/or products required by its users; c) Inform about new products or services and/or about changes in them; d) Evaluate the quality of the service; e) Carry out internal studies on consumption habits; f) Send to the physical, electronic, cellular or mobile device, via text messages (SMS and/or MMS) or through any other analogous and/or digital means of communication created or to be created, commercial, advertising or promotional information about the products and/or services, events and/or promotions of a commercial or non-commercial nature, with the aim of promoting, inviting, directing, executing, informing and in a general manner, carrying out campaigns, promotions or competitions of a commercial or advertising nature, carried out by SELLU S. A.S. and/or by third parties; g) Develop the process of selection, evaluation, and labor bonding; h) Support internal or external auditing processes; i) Register the information of employees and/or pensioners (active and inactive) in the databases of SELLU S.A. S, i) Those indicated in the authorization granted by the owner of the data or described in the respective privacy notice, as the case may be; j) Supply, share, send or deliver their personal data to affiliated, related or subordinate companies of SELLU S.A.S. located in Colombia or any other country in the event that such companies require the information for the purposes indicated herein. For data (i) collected directly at security points, (ii) taken from documents provided by persons to security personnel, and (iii) obtained from video recordings made inside or outside the premises of SELLU S.A.S., these will be used for the security of persons, goods, and facilities of SELLU S.A.S. and may be used as evidence in any process. If personal data is provided, such information will be used only for the purposes stated here. Therefore, SELLU S.A.S will not proceed to sell, license, transmit, or divulge the same unless (i) there is express authorization to do so; (ii) it is necessary to allow contractors or agents to provide the services entrusted; (iii) it is necessary to provide our services and/or products; (iv) it is necessary to disclose it to entities that provide marketing services on behalf of SELLU S.A.S or to other entities with which we have joint market agreements; (v) the information is related to a merger, consolidation, acquisition, disinvestment, or another process of restructuring the company; (vi) it is required or permitted by law. SELLU S.A.S may subcontract to third parties for the processing of certain functions or information. When the processing of personal information is effectively subcontracted to third parties or personal information is provided to third-party service providers, SELLU S.A.S warns such third parties of the need to protect such personal information with appropriate security measures, prohibits the use of the information for its own purposes and requests that personal information not be disclosed to others. These terms and conditions apply to any personal data record made in person and/or virtually to link to the company's product or service. The data registers the owner or provides his information freely and voluntarily and acknowledges that he has read and expressly accepts these terms and conditions.

The processing of personal data at SELLU S.A.S. shall be governed by the following principles: a) Principle of purpose: The processing of personal data collected must obey a legitimate purpose, which must be informed to the Owner; b) Principle of freedom: Processing may only be carried out with the prior, express and informed consent of the Owner. Personal data may not be obtained or disclosed without prior authorization or in the absence of a legal or judicial mandate that relieves the consent; c) Principle of truthfulness or quality: The information subject to Treatment must be true, complete, accurate, updated, verifiable and understandable. Partial, incomplete, fractionated, or misleading data shall not be processed; d) Principle of transparency: Processing must guarantee the right of the Owner to obtain from SELLU S.A.S. at any time and without restrictions, information about the existence of data concerning him; e) Principle of access and restricted circulation: Processing is subject to the limits arising from the nature of the personal data, the provisions of this law and the Constitution. Personal data, except for public information, and the provisions of the authorization granted by the data owner, may not be available on the Internet or other means of dissemination or mass communication unless access is technically controllable to provide restricted knowledge only to the Data Owners or authorized third parties; f) Principle of security: The information subject to Treatment by SELLU S.A. S must be protected by the use of technical, human and administrative measures that are necessary to provide security to the records, avoiding their adulteration, loss, consultation, unauthorized or fraudulent use or access; g) Principle of confidentiality: All persons involved in the treatment of personal data are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks involved in the treatment. FIRST PARAGRAPH: If sensitive personal data is collected, the Data Subject may refuse to authorize its processing.

5. RIGHTS OF THE HOLDER OF THE PERSONAL DATA
The holders of personal data by themselves or through their representative and/or proxy or their successor in title may exercise the following rights, with regard to the personal data that is the object of treatment by SELLU S.A.S: a) Right of access: By virtue of which you may access the personal data that is under the control of SELLU S.A. S, for the purpose of consulting them free of charge at least once every calendar month, and each time there are substantial modifications to the Information Treatment Policies that justify new consultations; b) Right to update, rectify and suppress: By virtue of which you may request the updating, rectification and/or suppression of the personal data being treated, in such a way that the purposes of the treatment are satisfied; c) Right to request proof of authorization: c) Right to request proof of authorization: except in those events in which, according to the legal provisions in force, the authorization is not required to carry out the treatment; d) Right to be informed about the use of personal data; e) Right to file complaints before the Superintendence of Industry and Commerce: for violations to the provisions of the regulations in force on the treatment of personal data; f) Right to request compliance with the orders issued by the Superintendence of Industry and Commerce. FIRST PARAGRAPH: For purposes of the exercise of the rights described above, both the data subject and the person representing him/her must prove his/her identity and, if applicable, the capacity in which he/she represents the data subject. PARAGRAPH TWO: The rights of minors shall be exercised through the persons authorized to represent them.

6. DUTIES OF SELLU S.A.S
All those obliged to comply with this policy must bear in mind that SELLU S.A.S is obliged to comply with the law's duties in this respect. Consequently, the following obligations must be complied with: A. Duties when acting as responsible: (i) Request and keep, under the conditions provided for in this policy, a copy of the respective authorization granted by the holder. (ii) Clearly and sufficiently inform the holder about the purpose of the collection and the rights granted by the authorization granted. (iii) Inform at the request of the holder about the use given to his/her personal data (iv) Process queries and claims formulated in the terms outlined in this policy (v) Ensure that the principles of truthfulness, quality, security, and confidentiality in the terms outlined in the following policy (vi) Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access. (vii) Update the information when necessary. (viii) To rectify the personal data when it is appropriate. B. Duties when acting as Data Controller: If you perform data processing on behalf of another entity or organization (Data Controller), you shall comply with the following duties: (i) To establish that the Data Controller is authorized to provide the personal data to be processed as Data Controller (ii) To guarantee the holder, at all times, the full and effective exercise of the right of habeas data. (iii) To keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use, or access. (iv) Carry out the updating, rectification, or suppression of the data promptly. (v) To update the information reported by the persons in charge of the treatment within five (5) working days as from its receipt. (vi) To process the queries and complaints made by the owners in the terms indicated in this policy. (vii) To register in the database, the legend "claim in process" in the manner outlined in this policy. (ix) To insert in the database the legend "information under judicial discussion" once notified by the competent authority about judicial processes related to the quality of personal data. (x) Refrain from circulating information disputed by the holder and whose blocking has been ordered by the Superintendence of Industry and Commerce. (xi) Allow access to the information only to persons authorized by the owner or empowered by law for such purpose. (xii) To inform the Superintendence of Industry and Commerce when there are violations of the security codes, there are risks in administering the holders' information. (xiii) To comply with the instructions and requirements given by the Superintendence of Industry and Commerce. C. Duties when processing is carried out through a Data Controller: (i) To provide the Data Controller only with the personal data whose processing is previously authorized. For national or international transmission of the data, a transmission contract must be signed by Decree 1377 of 2013. (ii) Ensure that the Data Controller's information is true, complete, accurate, updated, verifiable, and understandable. (iii) To communicate on time to the Data Controller, all the news regarding the data previously provided and to adopt the other necessary measures so that the information provided to the Data Controller is kept up to date. (iv) Inform on time the Data Controller of any rectifications made to the personal data to proceed to make the appropriate adjustments. (v) To demand from the Data Controller, at all times, respect for the security and privacy conditions of the owner's information. (vi) To inform the Data Controller when certain information is under discussion by the data subject, once the claim has been submitted and the respective procedure has not been completed. D. Duties for the Superintendence of Industry and Commerce: (i) To inform it of the eventual violations to the security codes and the existence of risks in the administration of the information of the holders. (ii) To comply with the instructions and requirements given by the Superintendence of Industry and Commerce.

7. REQUEST FOR AUTHORIZATION TO THE HOLDER OF THE PERSONAL DATA
In advance and/or at the time of collecting personal data, SELLU S.A.S. will ask the owner of the data for authorization to collect and process it, indicating the purpose for which the data is requested, using for these purposes automated technical means, written or oral, that allow proof of authorization and/or the unequivocal conduct described in Article 7 of Decree 1377 of 2013 to be kept. Such authorization shall be requested for the time that is reasonable and necessary to meet the needs that gave rise to the data's request and, in any case, in compliance with the legal provisions governing the matter.

8. PRIVACY NOTICE
If SELLU S.A.S is unable to make available to the owner of the personal data the present policy for the treatment of information, it will publish the privacy notice attached to the present document, the text of which will be kept for later consultation by the owner of the data and/or the Superintendency of Industry and Commerce.

9. TEMPORARY LIMITATIONS TO THE TREATMENT OF THE PERSONAL DATA SELLU S.A.S
You may only collect, store, use or circulate personal data for as long as is reasonable and necessary, by the purposes that justified the treatment, taking into account the provisions applicable to the matter in question and the administrative, accounting, tax, legal and historical aspects of the information. Once the purpose or purposes of the processing have been fulfilled, and without prejudice to any legal rules to the contrary, the personal data in its possession will be deleted. Notwithstanding the foregoing, personal data shall be kept when required to fulfill a legal or contractual obligation.

10. RESPONSIBLE AREA AND PROCEDURE FOR THE EXERCISE OF THE RIGHTS OF THE HOLDERS OF THE PERSONAL DATA
The Commercial Area will be responsible for attending to the requests, complaints, and claims made by the owner of the data in the exercise of the rights contemplated in numeral 5 of this policy, except that described in its literal e). For such effects, the holder of the personal data or who exercises his representation will be able to send his request, complaint, or claim from Monday to Friday of 8:00 am to 1:00 pm and of 2:00 pm to 5:30 pm and/or to the electronic mail contacto@sellu.co, to call to the telephone line of SELLU S.A.S in the city of Bogota telephones (1) 7552072 or to file it in the direction Carrera 15 No. 80-36 Of. 102D. The petition, complaint, or claim must contain the Holder's identification, the description of the facts that give rise to the claim, the address, and accompanying documents that you want to enforce. If the claim is incomplete, the interested party shall be required within five (5) days following the claim's receipt to correct the deficiencies. After two (2) months from the date of the request, without the applicant presenting the required information, it will be understood that the claim has been waived. In case the person who receives the claim is not competent to resolve it, he will transfer it to the corresponding person in a maximum term of two (2) working days and inform the interested party of the situation. Once the complete claim has been received, a legend will be included in the database that says "claim in process" and its reason, in a term no longer than two (2) working days. Said legend shall be maintained until the claim is decided. The maximum term to attend the claim will be fifteen (15) working days from the day following the date of its receipt. When it is not possible to attend the claim within such term, the interested party shall be informed of the reasons for the delay and the date in which the claim will be attended, which in no case may exceed eight (8) business days following the expiration of the first term.

11. SECURITY MEASURES
In the development of the principle of security established in Law 1581 of 2012, SELLU S.A.S will adopt the technical, human, and administrative measures that are necessary to grant security to the records avoiding their adulteration, loss, consultation, use, or unauthorized or fraudulent access. The personnel that carries out the treatment of personal data will execute the established protocols in order to guarantee the security of the information.

12. EFFECTIVE DATE
This Personal Data Policy was created on January 15, 2017, and becomes effective on February 1, 2017. Any changes to this policy will be notified by e-mail.

Sincerely,

SELLU S.A.S
Nit 901.163.205-0