1. IDENTIFICATION OF THE PERSON RESPONSIBLE FOR THE PROCESSING OF THE INFORMATION.
2. GENERAL PROVISIONS
2.1. Objective
MASAYA OPERATIONS SAS carries out hotel activity in Colombian territory in a plurality of commercial establishments under the MASAYA brand.
For the proper development of its corporate purpose, MASAYA OPERATIONS SAS requires the implementation of procedures across its various areas and departments that involve the collection, storage, and processing of personal information of clients, suppliers, and company employees. Taking into account that Habeas Data is a fundamental right, both constitutional and legal, it is important for the company to implement an internal policy for the processing of personal data that guarantees the proper handling of information and, in particular, develops the security and custody measures applied to protect this constitutional right.
In view of the above, MASAYA OPERATIONS SAS presents the following Personal Data Processing and Protection Policy, which will be presented and discussed within the company by all its members to ensure its proper implementation.
2.2. Legal Framework
In order to comply with the provisions of Article 15 of the Colombian Political Constitution, this internal policy for the processing of personal data is developed, which is supported by the provisions of Law 1581 of 2012, National Decree 1377 of 2013 and other related regulations, without prejudice to the guidelines provided by the Superintendency of Industry and Commerce.
2.3. Legal Definitions
In accordance with the provisions of Article 3 of Law 1581 of 2012 and Article 3 of Decree 1337 of 2013, the following terms shall be defined throughout this document:
- Personal data: Information linked to one or more specific or determinable natural persons.
- Public data: This is data that is not semi-private, private, or sensitive. For example, data relating to a person's marital status, profession, or occupation. It may be contained in public records, public documents, gazettes, official bulletins, and court rulings.
- Semi-private data: Semi-private is data that is neither intimate, reserved, nor public in nature and whose knowledge or disclosure may be of interest not only to its owner but also to a certain sector or group of people or to society in general.
- Private data: It is the data that, due to its intimate or reserved nature, is only relevant to the owner.
- Sensitive data: Sensitive data is defined as data that affects the data subject's privacy or whose misuse could lead to discrimination. For example, data that reveals racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, or human rights organizations, or that promotes the interests of any political party or that guarantees the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.
- Processing (treatment): Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.
- Holder (data subject or owner): Natural person whose personal data is processed.
- Authorization: Prior, express and informed consent of the owner to carry out the processing of personal data.
- Database: Organized set of personal data that is subject to treatment.
- Data controller: A natural or legal person, public or private, who, either alone or in association with others, decides on the database and/or the processing of data.
- Data processor: A natural or legal person, public or private, who, either alone or in association with others, processes personal data on behalf of the data controller.
2.4. Principles
MASAYA OPERATIONS SAS will adapt its processing of personal information as appropriate, observing the following principles in all cases:
- Principle of legality regarding data processing: The processing of personal information is a regulated activity that must be subject to the provisions of the law that regulates it.
- Purpose principle: The processing of personal information must serve a specific and legal purpose, of which the data subject must always be informed.
- Principle of freedom: Information processing may only be carried out with the prior, express, and informed consent of the data subject.
- Principle of truthfulness or quality: The information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. The processing of partial, incomplete, fragmented, or misleading data is prohibited.
- Principle of transparency: The data subject's right to obtain information about the existence of data concerning him or her at any time and without restrictions must be guaranteed during processing.
- Principle of access and restricted circulation: Processing may only be carried out by persons authorized by the data subject. Private personal data may not be made available on the internet or other means of dissemination or mass communication, unless access is technically controllable.
- Principle of security: Information subject to processing must be handled with the technical, human, and administrative measures necessary to ensure the security of records, preventing their alteration, loss, or unauthorized or fraudulent access.
- Principle of confidentiality: All persons involved in the processing of private personal data are required to ensure the confidentiality of the information, even after the relationship that supported the processing has ended.
3. RIGHTS OF THE INFORMATION HOLDER
In accordance with the provisions of Article 8 of Law 1581 of 2012, every owner will have and may enforce the following rights:
- To know, update, and rectify your personal data with the data controller or data processor. This right may be exercised with respect to data that is partial, inaccurate, incomplete, fragmented, or whose processing has not been authorized.
- Request proof of the authorization granted to the data controller unless such authorization is not necessary for the processing.
- To be informed by the data controller or the data processor, upon request, regarding the use that has been given to your personal data.
- Submit complaints to the Superintendency of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and other related regulations.
- Revoke the authorization and / or request the deletion of the data when the treatment does not respect the principles, rights and constitutional and legal guarantees.
- Free access to your personal data that has been processed.
The above list should be understood as illustrative and not exhaustive, since the rights of the holder are understood to include all those conferred by Colombian legislation and international standards applicable in the country.
4. DUTIES AND OBLIGATIONS OF MASAYA OPERATIONS SAS
In accordance with the provisions of Article 17 of Law 1581 of 2012, the company is responsible for the following duties and obligations:
4.1 Duties as data controller
- Guarantee the holder, on a permanent basis, the exercise of the right to habeas data.
- Request and keep a copy of the respective authorization granted by the owner.
- Inform the data subject about the purpose of collecting their information and their rights.
- Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
- Guarantee that the information provided to the data processor is truthful, complete, exact, updated, verifiable and understandable.
- Update and rectify the information, informing the data processor of any changes regarding the data previously provided to it.
- Rectify information when it is incorrect and notify the data processor accordingly.
- Provide the data processor only with data whose processing has been previously authorized.
- Demand that the data processor respect the security and privacy conditions of the data subject's information at all times.
- Process inquiries and complaints submitted in accordance with the terms set forth in Law 1581 of 2012.
- Adopt an internal manual of policies and procedures to ensure proper compliance with the provisions of Law 1581 of 2012.
- Inform the data processor when certain information is being disputed by the data subject, once the claim has been filed and the respective process has not been completed.
- Inform at the request of the owner about the use given to their data.
- Inform the data protection authority when there are violations of the security codes and there are risks in the administration of the information of the holders.
- Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.
4.2 Duties as data processor
- Guarantee the holder, at all times, the full and effective exercise of the right to habeas data.
- Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
- Timely update, rectify or delete data under the terms of Law 1581 of 2012.
- Update the information reported by data controllers within five (5) business days from its receipt.
- Process queries and complaints submitted by the owners in accordance with the terms set forth in this law.
- Adopt an internal manual to ensure proper compliance with this law and, in particular, to handle inquiries and complaints from owners.
- Register in the database the legend “claim in process” in the manner regulated by Law 1581 of 2012.
- Insert into the database the legend “information under judicial discussion” once notified by the competent authority about judicial processes related to the quality of personal data.
- Refrain from circulating information that is being disputed by the owner and whose blocking has been ordered by the Superintendency of Industry and Commerce.
- Allow access to information only to people who can have access to it.
- Inform the Superintendency of Industry and Commerce when security code violations occur and risks arise in the management of data subjects' information.
- Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.
5. DATA COLLECTED AND PURPOSES OF PROCESSING
MASAYA OPERATIONS SAS will primarily manage the data indicated below according to the interest group, which will be collected, used, stored, updated, transmitted and/or transferred for the purposes or ends indicated in this policy and in the authorization granted by the Owner.
5.1. Customers
We primarily collect and process general information such as identification, nationality, contact information, payment methods (bank accounts, etc.), and any other information required to properly provide the service requested by the client.
The above data will be processed for the following purposes:
- Prepare quotes, sign contracts, and comply with the contractual relationships established with the data subject.
- Carry out all necessary internal procedures related to the contractual relationship between the parties, such as advancing reservation and billing processes, validating credits and payments, and any other required procedures.
- Record your data in the company's information systems.
- Send any type of commercial information, primarily regarding the services offered by the company and its affiliates or subsidiaries, as well as offers and promotions.
- Evaluate service quality, conduct market research on consumer habits, and conduct statistical analysis for internal use.
- Transfer and/or transmit information to the company's affiliates or subsidiaries.
- Prepare information reports specific to tour operators (reporting to Colombian Immigration through the Information System for Reporting Foreigners (SIRE) and to the Ministry of Commerce and Tourism through the Accommodation Registration Card (TRA)), as well as transmitting tax, accounting, fiscal, and any other information required by current regulations to the authorities.
- Access control and surveillance in the company's commercial establishments.
- Any other activity of a similar nature that is necessary to develop the company's corporate purpose.
5.2. Suppliers
The main information collected and processed is general identification information, contact information, tax identification number (RUT), certificates of existence and legal representation, shareholder and beneficial owner information, information on foreign currency transactions, commitments to corporate ethics and transparency, declarations of source of funds, payment methods (bank accounts, etc.), and any other information required to complete the corresponding purchase.
The above data will be processed for the following purposes:
- Obtain general information about the company's suppliers and enter it into the company's internal records to facilitate future business agreements.
- Request and manage quotes, enter into contracts, and comply with the contractual relationships established with the data subject.
- Carry out all necessary internal procedures related to the contractual relationship between the parties, such as advancing billing processes, validating credits and payments, and any other required procedures.
- Send any type of commercial information, primarily regarding the services offered by the company and its affiliates or subsidiaries, as well as offers and promotions.
- Evaluate the quality of service.
- Transfer and/or transmit information to the company's affiliates or subsidiaries.
- Transmit tax, accounting, fiscal, and any other information required by current regulations to the authorities.
- Access control and surveillance in the company's commercial establishments.
- Any other activity of a similar nature that is necessary to develop the company's corporate purpose.
5.3. Candidates, employees, contractors and other personnel
We primarily collect and process general identification information, contact information, socioeconomic data, academic and employment information, and, if necessary, sensitive information. We will also request any other information necessary to complete the selection process and/or establish an employment relationship with the company.
The above data will be processed for the following purposes:
- Participation in the personnel selection process, confirmation of work and personal references, verification of academic history, performance of psychotechnical tests, interviews, medical entrance examinations and other activities established by the company for the selection of personnel.
- Carry out all procedures related to employment contracts or as a service provider, as well as for affiliation to social security: Professional Risks (ARL), Family Compensation Fund (CCF), Health Provider (EPS), Pension Fund (AFP), Severance Fund (FC), for which it will be necessary to deliver and communicate them to the areas in charge of said procedures and to the corresponding entities.
- Record this information in the employer's databases and information systems for the purpose of managing employee time or evaluating the management of human resources or other related departments.
- Be contacted by any means (SMS, email, WhatsApp, calls, writing) for any matter related to the employment or contractual relationship with the company.
- Send general or interesting information, as well as commercial information regarding products, services, alliances, promotions and offers, among others.
- Consult and know the disciplinary, fiscal and union history related to your profession.
- Carry out induction, re-induction or staff training processes.
- Payroll management, social security, and occupational health and safety.
- Access control and surveillance in the company's commercial establishments.
- Any other activity concerning the employment relationship between the parties.
6. AUTHORIZATION AND ACCESS TO INFORMATION BY THE OWNERS
6.1 Authorization and consent
In all processes and departments in which any procedure is carried out that includes any type of information processing, regardless of how the information is obtained or collected, the company strictly adheres to the provisions of Law 1581 of 2012 and Decree 1377.
Therefore, since digital media (reservation or supplier forms) are the company's primary communication channel, authorization for the collection and subsequent processing of information is requested from the data subject through this medium. The data subject is informed clearly and completely in all cases of the precise uses to which the information provided will be put. For this purpose, the form requires the acceptance and/or signature of the data subject, thereby guaranteeing the authorization granted to the company to process the information.
Regarding the exceptional collection of information conducted by telephone or virtual means, company personnel must, in each case, first explain the need for the information being requested, the purposes for which it will be used, and request the corresponding authorization. The same applies when the information request is made in person and directly.
6.2. Data collected before the validity of this policy
For personal data collected before the effective date of this policy, MASAYA OPERATIONS SAS will request, when necessary, the authorization of the information holders in order to continue processing their data. This may be done by using the means of communication indicated in this policy, or by sending mass circulars or informative notices to the holders, in which, in addition to requesting their consent and authorization, they will be informed of the rights they have as holders regarding the management and conservation of their data, and of the existence and implementation of this personal information processing policy.
If within thirty (30) business days, counted from the request for authorization to continue with the processing of the personal information already collected, the owner of that information has not contacted MASAYA OPERATIONS SAS to request the deletion of their information, the company may continue processing the data contained in its databases for the purposes determined in each area or department under the terms of Article 10 of Decree 1377 of 2013.
6.3. Situations that do not require authorization from the owner
In terms of Article 10 of Law 1581 of 2012, it is not necessary to have the authorization of the owner in the following cases:
- Information required by a public or administrative entity in the exercise of its legal functions or by court order.
- Data of a public nature.
- Cases of medical or health emergency.
- Processing of information authorized by law for historical, statistical or scientific purposes.
- Data related to the Civil Registry of persons.
7. ATTENTION TO REQUESTS, COMPLAINTS AND QUERIES FROM INFORMATION OWNERS
7.1. Responsible for responding to requests, complaints or queries from information holders
The area responsible for handling requests, complaints, and inquiries from information holders will primarily be the area that handled the information of the holder filing the complaint, claim, or petition. In this particular case, these are the commercial and administrative areas, which generally collect and further process the information of the holders. Therefore, since each area is responsible for the proper handling of the personal information provided for the purposes of providing the required service, these same areas will be able to handle any type of claim, complaint, or request from clients, suppliers, or employees, whether due to issues related to the provision of a specific service or due to any type of disagreement over improper handling of the information or documents provided.
After the response from the area that carried out the treatment, if the dissatisfaction persists, Management must process the complaint or claim.
7.2. Procedure for handling complaints and any type of request related to the processing of personal data
Any data subject who believes that the information contained in a database should be corrected, updated, or deleted, or who becomes aware of a presumed breach of any of the obligations contained in Law 1581 of 2012 and its implementing decree, may file a claim with the Data Controller or Data Processor, which will be processed in the following manner:
7.2.1. The claim shall be submitted by means of a request addressed to the Data Controller or the Data Processor, including the Data Subject's identification, a description of the facts giving rise to the claim, the address, and the accompanying documents to be asserted. If the claim is incomplete, the interested party shall be required within five (5) business days following receipt of the claim to rectify the deficiencies. After two (2) months from the date of the request, if the applicant does not submit the required information, it shall be deemed that the claim has been withdrawn.
In the event that the person who receives the claim is not competent to resolve it, he will transfer it to the appropriate person within a maximum term of two (2) business days and will inform the interested party of the situation.
7.2.2. Once the complete claim has been received, a legend stating "Claim in Process" and the reason for the claim will be included in the database within a period of no more than two (2) business days. This legend will remain in effect until the claim is decided.
7.2.3. The maximum term for addressing the claim, once it is completed, will be fifteen (15) business days counted from the day following the date of receipt. When it is not possible to address the claim within this term, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case will exceed eight (8) business days following the expiration of the first term.
7.3. Channels for customer service
Pursuant to the provisions of the preceding paragraph, MASAYA OPERATIONS SAS has the following channels or means of attention for queries, complaints, requests, claims or any other requests related to the processing of personal data:
8. RISKS AND INFORMATION SECURITY MEASURES
8.1. Tentative risks
The risks identified regarding the processing of personal information of data subjects, whether customers, suppliers or employees, can be summarized as two:
8.1.1. Loss or disappearance of information:
This risk applies to information stored both physically and electronically. It can materialize as tangible damage due to situations such as fire or flood in the case of physical files and documents, or as damage to or failure of the company's system or server, or a hack of them, that does not allow the recovery of the information.
8.1.2. Misuse of information:
This risk also applies to information stored by the company both physically and electronically. It can materialize through external factors, such as a hack of the company's system or servers for criminal purposes or for purposes that go against the owner's right to Habeas Data, as well as through internal factors, such as the improper use of information by a company employee beyond the functions assigned to their position, for the same purposes stated above.
8.2 Information security systems and behaviors aimed at reducing risk
To avoid the realization of any of the risks identified above, or others that may arise, MASAYA OPERATIONS SAS has implemented a series of security measures that are not limited exclusively to adequate protection of the system or its server, but extend to the basic, everyday procedures carried out by the various areas and departments on a daily basis. These security measures and behaviors that promote the security of personal information can be summarized as follows:
- All equipment used by the company's employees and service providers has an active and current antivirus license.
- The server is external to the facilities of MASAYA OPERATIONS SAS, and is located in an optimal location, ensuring the existence of redundant sources and additional protection for the entry and exit of information (proxy).
- The creation of a backup of the information is carried out periodically.
- The installation of software by company officials or users is prohibited unless prior authorization is obtained from the company.
- The access profile to the company's information system granted to each of the company's employees or service providers has restrictions and is configured in terms of access to information, which varies according to the area and the needs of their functions.
- All employment or service contracts include a confidentiality clause that requires the proper use of information accessed by virtue of the position held. For contracts signed prior to the effective date of this policy, a separate confidentiality clause will be signed in each case.
- Access to the systems area of MASAYA OPERATIONS SAS is restricted, and the entry of officials who perform their duties in other areas or departments is prohibited without express authorization, thus reducing the exposure of the servers and systems where the personal information of the owners is supported or stored.
- There is an implemented policy to keep drawers locked and avoid leaving documents with important information on tables or desks, thus preventing the loss or improper exposure of information physically.
9. MODIFICATIONS
Any modification to this policy, whether substantial or not, will require dissemination and training by the responsible department within the company.
10. VALIDITY
This Internal Policy for the Processing of Personal Data is effective as of July 12, 2024.
The databases in which personal data will be stored will be valid for the same period as the information is maintained and used for the purposes described in this policy. Once that purpose has been fulfilled, and provided there is no legal or contractual obligation to retain your information, your data will be deleted from our databases.
Jean Sebastian Botet de Lacaze
Legal representative
MASAYA OPERATIONS SAS
NIT. 901.713.003-0