Privacy - VAPIANO CO

Privacy

INTRODUCTION

In compliance with the provisions of Statutory Law 1581 of 2012, Regulatory Decree 1377 of 2013 and Decree 886 of 2014, regulations compiled in the Single National Decree of the Commerce, Industry and Tourism Sector 1074 of 2015 (Articles 2.2.2.25.1.1 to 2.2.2.26.3.4), INVERSIONES JRC SAS adopts this Personal Data Protection Policy, with the purpose of protecting personal information provided by partners, employees, suppliers, commercial and/or strategic allies and any other natural person in the different processes of the development of the corporate purpose of INVERSIONES JRC SAS. The objective of this document is to establish the necessary procedures for the handling of personal data contained in the databases of INVERSIONES JRC SAS, whether digital or physical, which will be registered in the National Registry of Databases.

When, in the development of its corporate purpose, INVERSIONES JRC SAS seeks to get closer to people who are not its partners, employees, suppliers, commercial and/or strategic allies, but who could become so, and for this it uses their contact information, it will be acting under the general scenario of protection of personal data in Colombia, governed by Law 1581 of 2012 “General Law of Protection of Personal Data”. Similarly, when requesting, obtaining or managing personal information from Holders with whom it had a financial relationship in the past that has already expired, it will be under the framework of said Law, as it will when it collects, manages and circulates information about its suppliers, employees and shareholders.

Through this document, INVERSIONES JRC SAS defines the policies, establishes the minimum bases for the procedures and offers the mechanisms so that the Holders can exercise their fundamental rights over their personal data collected for treatment in operations with its clients, suppliers, shareholders, employees and any other natural person that has a relationship with INVERSIONES JRC SAS. It will also publish it in all the means of contact through which personal data is collected, guaranteeing that its stakeholders are clearly aware of the rights they have in relation to the processing of their information.

TABLE OF CONTENTS

CHAPTER I. GENERAL

1.1 SCOPE OF APPLICATION

1.2 DEFINITIONS

1.3 PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA

CHAPTER II. PROCESSING OF PERSONAL DATA

2.1 TREATMENT

2.2 CLASSIFICATION OF DATABASES

CHAPTER III. RIGHTS OF THE HOLDERS

CHAPTER IV. DUTIES OF INVERSIONES JRC SAS IN RELATION TO THE PROCESSING OF PERSONAL DATA

4.1. DUTY OF SECRECY AND CONFIDENTIALITY

CHAPTER V. INFORMATION PROCESSING POLICIES

5.1 GENERAL INFORMATION ABOUT THE AUTHORIZATION

5.2 OF THE RIGHT OF THE HOLDERS

CHAPTER VI. PROCEDURE FOR THE HOLDERS TO KNOW, CLAIM AND REVOKE THE AUTHORIZATION

6.1 GENERAL

6.2 PROCEDURES

CHAPTER VII. PERSONAL DATA PROTECTION FUNCTION WITHIN INVERSIONES JRC SAS

7.1 RESPONSIBLE

7.2 IN CHARGE

CHAPTER VIII. APPLICABLE LEGISLATION, CONTACT AND VALIDITY

8.1 LEGAL FRAMEWORK

8.2 CONTACT INFORMATION

CHAPTER I. GENERAL

1.1 SCOPE OF APPLICATION

This standard will apply to the processing of personal data collected in Colombian territory, as well as when the person in charge or the Treatment Manager does not reside in Colombia but by virtue of international standards or treaties, Colombian legislation is applicable. In the same way, it will be applicable to INVERSIONES JRC SAS when the data collected is likely to be known by it by virtue of the commercial relations developed in commercial alliances, agreements or advertising events.

The principles and provisions contained in this data protection standard will be applied to the basic information security standards through the mechanisms of the computer system and with the implementation of administrative control systems.

All organizational processes that involve the processing of personal data must be subject to the provisions of this rule and the internal rules of mandatory compliance.

1.2 SCOPE

All employees, partners, suppliers, business and/or strategic allies linked to INVERSIONES JRC who have access to the Personal Data of Owners will be required to comply with the Law and this policy. Additionally, INVERSIONES JRC SAS will advance the required educational and training campaigns, so that the areas that have a higher level of interaction with the administration of Personal Data are aware of the General Law and the provisions adopted by the company to ensure its effective compliance.

1.3 DEFINITIONS

The following definitions are intended to maintain a common understanding and language that allows a correct and appropriate interpretation of the terms used therein, in the Laws, decrees and other regulations related to the Protection of personal data in Colombia.

  • Privacy Notice: Verbal or written communication generated by the person in charge, addressed to the owner for the processing of their personal data, through which they are informed about the existence of the information processing policies that will be applicable to them, the way to access them and the purposes of the treatment that is intended to be given to personal data.
  • Authorization: Prior, express and informed consent of the owner of the personal data to carry out the processing of personal data.
  • Database: Organized set of personal data that is subject to Treatment.
  • Personal data: Any information linked or that can be associated with one or several determined or determinable natural persons. “Personal data” must then be understood as information related to a natural person (person individually considered).
  • Public data: It is the data that is not semi-private, private or sensitive. Public data is considered, among others, the data related to the marital status of people, their profession or trade and their quality as merchant or public servant. Due to its nature, public data may be contained, among others, in public records, public documents, gazettes and official bulletins, and duly executed judicial sentences that are not subject to confidentiality.
  • Public personal data: All personal information that is freely and openly known to the general public.
  • Private personal data: All personal information that has restricted knowledge, and in principle private for the general public.
  • Semi-private data: Semi-private data is not of an intimate, reserved, or public nature and whose knowledge or disclosure may be of interest not only to its owner but also to a certain sector or group of people or to society in general.
  • Sensitive data: Data that affects the privacy of the Owner or whose improper use can generate discrimination, such as data that reveals racial or ethnic origin, political orientation, religious or philosophical convictions, membership of unions, social or human rights organizations, or organizations that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life and biometric data, among others, the capture of still or moving images, fingerprints, photographs, iris, voice, facial or palm recognition, etc.
  • Processor: Natural or legal person, public or private, that by itself or in association with others, performs the processing of personal data on behalf of the controller.
  • Responsible for the treatment: Natural or legal person, public or private, that by itself or in association with others, decides on the database and/or the Treatment of the data.
  • Owner: Natural person whose personal data is subject to Treatment.
  • Transfer: The transfer of data takes place when the controller and/or the Processor of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is responsible for the treatment and is located inside or outside the country.
  • Transmission: Treatment of personal data that implies the communication of these inside or outside the territory of the Republic of Colombia when its purpose is to carry out a treatment by the Processor on behalf of the controller.
  • Treatment: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.
  • Data Protection Officer: The person appointed by INVERSIONES JRC SAS whose function is to monitor and control the application of the Personal Data Protection Policy, under the guidance and guidelines of the Personal Data Protection Committee.

1.3 PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA

The protection of personal data for INVERSIONES JRC SAS is under the following principles, and based on them, internal processes, rules, policies and procedures are developed for the processing of personal data (collection, management, use, storage and exchange of personal data).

  • Principle of access and restricted circulation

In accordance with the legal provisions, the personal data collected or processed by INVERSIONES JRC SAS are considered to be of a semi-private nature and will be intended to be used only within the scope of the purpose and authorization granted by the owner of the personal data. Access and/or circulation will be restricted according to the nature of the data and with the authorizations given by the Owner, their representatives or those provided for in the Law.

Personal data, except those of a public nature, may not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge to the Holders or authorized third parties.

  • Principle of confidentiality

In accordance with the previous definition, INVERSIONES JRC SAS guarantees the confidentiality of the data depending on its nature, therefore, the information will be kept confidential during and after the activities that justify the processing of personal data have been completed.

  • Principle of purpose

This will be legitimate, informed and material. The purpose corresponds to the functions under which INVERSIONES JRC SAS will treat the personal data that is collected.

The Processing of personal data that INVERSIONES JRC SAS carries out, obeys the legitimate purpose in accordance with the Political Constitution, Law 1581 of 2012 and Decree 1377 of 2013.

  • Principle of legality

INVERSIONES JRC SAS will treat the data collected for legitimate purposes to support the registration of commercial, labor and accounting operations of the company and those subject to Law 1581 of 2012.

The Processing of Personal Data will be an activity regulated and governed by Statutory Law 1581 of 2012, Decree 1377 of 2013 and other regulations that complement, modify or repeal them.

  • Principle of freedom

INVERSIONES JRC SAS guarantees the right to informative self-determination of authorization by the holders to provide personal data. It can process and share the personal data that is stored in its databases only with the prior consent of the owner, as long as these are of the nature of public records or are found in databases excluded by Law (e.g. journalistic, statistical and research). In all other cases, the prior, express and informed consent of the Owner must be obtained at the time of processing their personal data.

  • Safety principle

INVERSIONES JRC SAS as responsible and/or person in charge of the processing of personal data, provides the technical, human and administrative measures that are necessary to grant security to the records, avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.

  • Principle of transparency

INVERSIONES JRC SAS guarantees the holders of personal data that they may obtain at any time, free of charge and without restrictions, information about the existence of data that concerns them and that are stored in their databases, under the parameters established in Article 21 of Regulatory Decree 1377 of 2013.

  • Principle of veracity or quality

INVERSIONES JRC SAS guarantees that the information contained in the databases that are subject to treatment will be true, complete, exact, up-to-date, verifiable and understandable.

The veracity and quality of the personal data that have been captured through the forms or documents is guaranteed by each of the holders of this data, INVERSIONES JRC SAS being exempt from any type of responsibility for its quality.

CHAPTER II. PROCESSING OF PERSONAL DATA

2.1 TREATMENT

INVERSIONES JRC SAS will only collect the data that is necessary, pertinent and not excessive for the purposes authorized and informed to the owner and those indicated in this policy, provided that the treatment obeys a legitimate purpose and is proportional in accordance with the relationship maintained with the owner.

INVERSIONES JRC SAS classifies the data collected as follows:

  • Private or Semi-private Data

Semi-private data is data that is not of an intimate, reserved, or public nature and whose knowledge or disclosure may be of interest not only to its owner but also to a certain sector, people, or society in general, such as financial and credit data.

INVERSIONES JRC SAS is integrated into the concepts of Private and Semi-Private Data and these are characterized by the information provided by people to give flow to business operations:

It will use and treat the data classified as private or semi-private, when:

  1. The treatment has been expressly authorized by the Owner of the data except in cases where by Law, the granting of said authorization is not required.
  2. The Treatment refers to data that is necessary for the recognition, exercise or defense of a right in a judicial process.
  3. The data provided by the owners will have the purpose of attending to the commercial, advertising, accounting, and tax operations of the companies.

In addition to the above, INVERSIONES JRC SAS will inform the owner at the time of data collection that the data will be treated as semi-private data and that the owner must authorize its treatment for the execution of commercial activities.

  • Sensitive data

INVERSIONES JRC SAS will restrict the processing of sensitive personal data to what is strictly essential and will request prior and express consent from the owners (legal representatives, attorneys-in-fact, successors in title) informing about the exclusive purpose of their treatment.

INVERSIONES JRC SAS will use and treat the data classified as sensitive, when:

  1. The treatment has been expressly authorized by the Owner of the sensitive data, except in cases where by Law, the granting of said authorization is not required.
  2. The Treatment is necessary to safeguard the vital interest of the owner and he is physically or legally incapacitated. In these events, the legal representatives must grant the authorization.
  3. The Treatment refers to data that is necessary for the recognition, exercise or defense of a right in a judicial process;
  4. The Treatment has a historical, statistical or scientific purpose or falls within the framework of improvement processes; the latter, as long as the measures leading to the suppression of the identity of the Holders are adopted or the data is dissociated, that is, the sensitive data is separated from the identity of the owner so that the Owner of the data or sensitive data cannot be identified.

In addition to the above, INVERSIONES JRC SAS complies with the following obligations:

  1. Inform the owner that because it is sensitive data, he is not obliged to authorize its treatment.
  2. Inform the owner explicitly and in advance, in addition to the general authorization requirements for the collection of any type of personal data, which data subject to Treatment are of a sensitive nature and the purpose of the treatment, and obtain express consent.
  3. Not condition any activity to the owner providing sensitive personal data (unless there is a legal or contractual cause to do so).

Likewise, INVERSIONES JRC SAS accepts the general rule according to which the Processing of sensitive data is prohibited by Law, except in the following cases:

  1. When the Owner has expressly authorized the Treatment.
  2. When by law the exhaustion of said authorization is not required.
  3. When the Treatment is necessary to safeguard the vital interest of the Owner.
  4. When the Treatment is carried out by a foundation, NGO, association or any non-profit organization, whose purpose is political, philosophical, religious or union.
  5. The Treatment is necessary for the recognition, exercise or defense of a right in a judicial process.
  6. The Treatment obeys a historical, statistical or scientific purpose. In this case, the identities of the Holders must be suppressed.

Treatment of data of minors.

For INVERSIONES JRC SAS, the data of the children and adolescents that are collected will be in compliance with the Law and the requested data will be expressly authorized by their representative or guardian, who will be a person with a direct employment relationship or through intermediation. The data collected is public information in nature, and the Human Management area is responsible for its collection and treatment and for ensuring respect for the rights of minors.

It is the obligation of INVERSIONES JRC SAS through the person in charge of collecting the data to preserve respect for the rights of children and adolescents and to maintain absolute confidentiality of the information provided by the guardians and/or representatives.

2.2 CLASSIFICATION OF DATABASES

INVERSIONES JRC SAS has identified and classified its Databases as follows:

Employees:

They correspond to the information of the officials directly linked to INVERSIONES JRC SAS by a labor relationship, as support of business processes. The treatment of the personal data of the employees of INVERSIONES JRC SAS will be subject to the provisions of this policy, and the data may only be used in compliance with current labor regulations, for the correct development of the obligations derived from the employment contract entered into between the parties, or in the events that have the express authorization of the owner.

Additionally, in accordance with labor legislation, INVERSIONES JRC SAS will protect employee data and this arises from the duty to protect employee information so that they contribute to the safe management of personal information. INVERSIONES JRC SAS will only request, store and process the personal data obtained for what is described in number 1 of the Personal Data Protection Policy for Human Resources.

The integral management of the personal data provided by the employees of INVERSIONES JRC SAS will have as its main purposes:

  • Evaluate the profiles of the candidates for the vacancies offered.
  • Manage the processes corresponding to the payment for labor rights.
  • Manage the processes of selection, hiring and termination of the employment relationship between the parties.
  • Generate the settlement and payment processes for legal and extralegal social benefits to employees.
  • Support the affiliations and activities related to the SST and SISS program.
  • Ask the employee for reference contacts in order to know how to act in emergencies.
  • Request a sociodemographic profile in order to evaluate the psychosocial part of the worker and its repercussions in the work environment.
  • Manage the news requested by employees.
  • Manage and support the disciplinary record of employees.
  • Comply with the requirements of judicial and administrative authorities.
  • Grant references and labor certifications to third parties authorized by employees and former employees.
  • The data provided by those interested in vacancies at INVERSIONES JRC SAS and the personal information obtained from the selection process is limited to that related to their participation in it; therefore, its use for different purposes is prohibited.
  • Manage the registration, creation, modification, temporary suspension and definitive elimination of the different users of the system in the active directory and institutional emails of INVERSIONES JRC SAS in order to manage access and permissions to the different technological tools that INVERSIONES JRC SAS has, by creating users and assigning credentials that allow proper management of the tools.
  • Manage the administration of the computer equipment made available to the different users through the technical file.
  • The data corresponding to people whose employment relationship has ended will continue to be stored for the authorized purposes and under the same conditions and security levels.
  • The collection of photographs and videos of employees by INVERSIONES JRC SAS for publication on the company’s social networks is not exempt from requesting authorization for their data processing; in each collection of this type of material such authorization will be requested.

The information contained in the employee database may be shared with the companies linked to the company, with the authorities or public administrative, judicial or governmental entities, when they request it in the exercise of their functions, with financial entities, authorized entities to grant payroll to employees, with central securities depositories or with their contractors, for the purposes of fulfilling the stated purposes, but always complying with the principles of Law 1581 of 2012 and other regulations that complement and/or replace it.

In the same way, it is understood that the actions of INVERSIONES JRC SAS may be subject to audit and review by public and private entities, in order to verify compliance with their legal and/or contractual obligations, for which reason the aforementioned information may be made known to the auditing firms or agents.

The use to which the information is intended may be given through any existing or future means of communication, whether physical or automated.

Providers:

They correspond to the personal data of the suppliers that are collected for the activities of acquisition of goods and/or provision of services to attend the operations of INVERSIONES JRC SAS.

The personal data of the suppliers that are collected by INVERSIONES JRC SAS, will be used in order to select, evaluate and execute the contractual relationship that may arise between the parties, seeking a better knowledge of the supplier, a better management of the information for decision-making, transparency in relationships, and effectiveness and efficiency in processes.

The purposes for which the personal data of the suppliers will be used are the following:

  • Manage the commercial and contractual relationship processes between the parties.
  • Carry out the selection process of suppliers in accordance with the requirement of goods and services by INVERSIONES JRC SAS and according to the portfolio for these offered.
  • Support and record accounting operations derived from the commercial and/or contractual relationship between the parties.
  • Manage the derivative payment processes and withholdings related to the provision of the goods and/or services agreed and supplied.
  • Comply with information reporting requirements by judicial, administrative and civil authorities.

The use to which the information is intended may be given through any existing or future means of communication, be it physical or automated.

Customers:

The personal data and financial information of our clients are collected solely to facilitate the commercial operation and provision of our services according to the corporate purpose of INVERSIONES JRC SAS and only the necessary, pertinent and not excessive data will be obtained for:

  • Issue electronic invoicing, vouchers, credit notes or any other equivalent, similar or related document.
  • corresponding and adjusted to the clients according to the products and/or services provided by INVERSIONES JRC SAS in the development of the commercial link between the parties.
  • Send information on current and future commercial campaigns, advertising and marketing activities, promotion and/or discounts of the products and services offered by the company via phone call, text message, email, Facebook, Twitter, Instagram or any social integration network or instant messaging, among others.
  • Maintain constant communication with the Owner of the Personal Data about the activities, programs and events developed or about to be developed by the Company.
  • Carry out commercial, statistical, risk, market analysis and research, including contacting the client for these purposes.
  • Carry out market studies, business intelligence actions, market trend research and data analytics that allow the establishment of consumer preferences, using Personal Data to generate consolidated information on habits, trends, consumption and behavior of the Holders, which will not be associated with Personal Data in an individualized way.
  • Contact the Owner of the Personal Data by different means to carry out satisfaction surveys regarding the products and services offered by the Company.
  • Develop and implement loyalty programs and/or improvement of products and services for customers.
  • Manage the queries, complaints and claims submitted by the Holders of Personal Data, regarding the services and products offered by the Company.
  • Manage electronic transactions with payment gateways.
  • Comply with requirements by judicial and administrative entities.

For INVERSIONES JRC SAS, the information will be considered as semi-private data; the controls documented in the internal manuals will be established to maintain such condition in the digitalized or physical databases.

Shareholders:

INVERSIONES JRC SAS, using its powers and working for the welfare of each one of those involved in the development of its commercial and legal operations, establishes transparent mechanisms that allow comprehensive knowledge of the real situation of INVERSIONES JRC SAS in order to protect the shareholders’ equity and the well-being of its collaborators, clients, suppliers and others.

In this way, INVERSIONES JRC SAS seeks to establish adequate channels that converge in the proper achievement of the missionary purpose of INVERSIONES JRC SAS, and for this purpose the collection of information from each of its shareholders and owners is established, who will be allowed, as stipulated in the bylaws of INVERSIONES JRC SAS, to know its accounting, legal, fiscal and financial information, as well as to exercise the other functions that emanate from their capacity as its Shareholders.

The data and information of natural persons who have the status of shareholders will be considered confidential information, since it is registered in the commercial books and is subject to special protection by legal provision. However, the information will be revealed in the cases established by the regulations that regulate the public stock market or in the events in which there is the express authorization of the holder.

The purposes of holding shareholder information are defined as the following:

  • Allow the exercise of the rights derived from the quality of shareholder, facilitating that they can exercise the economic rights established in the Commercial Code, in Decree 2555 of 2010 and in the other regulations applicable to the matter.
  • Send information from INVERSIONES JRC SAS, including invitations to events, quarterly newsletters (presentation of results), annual report, and those communications related to the activities carried out by INVERSIONES JRC SAS.
  • Issue certifications related to the relationship of the data owner with INVERSIONES JRC SAS, such as certificates of income, shareholding, among others.

The use to which the information is intended may be given through any existing or future means of communication, be it physical or automated.

Security and Control:

INVERSIONES JRC SAS may make use of various means of video surveillance, security and access control at different internal and external sites of its facilities for security and administrative control purposes. Therefore, we report the existence of these mechanisms through the visible dissemination of surveillance announcements, all strategically located for easy identification. INVERSIONES JRC SAS uses its video surveillance system, guaranteeing that it does not inspect areas in which the owner’s privacy may be violated (such as bathrooms and private areas). The systems may be used to guarantee the safety of the people who are in the locations of INVERSIONES JRC SAS, their goods and properties, as well as to monitor the conduct and development of the tasks of their employees and visitors without incurring in any case in harassing conduct. This information can be used as evidence in any type of process before administrative, judicial or police authorities, subject to and in compliance with the applicable regulations. It may also be used as evidence within internal disciplinary processes and in the surveillance of commercial and civil contracts established by INVERSIONES JRC SAS.

CHAPTER III. RIGHTS OF HOLDERS

INVERSIONES JRC SAS recognizes and guarantees the holders of personal data the following fundamental rights:

  1. Access, know, update and rectify your personal data against INVERSIONES JRC SAS in its capacity as data controller.
  2. Request proof of the existence of the authorization granted to INVERSIONES JRC SAS except in those cases in which the Law exempts the authorization.
  3. Receive information from INVERSIONES JRC SAS upon request, regarding the use that has been given to your personal data.
  4. Submit complaints for violations of the provisions of current regulations before the Superintendence of Industry and Commerce (SIC).
  5. Modify and revoke the authorization and/or request the deletion of personal data, when the current constitutional and legal principles, rights and guarantees are not respected in the Treatment.
  6. Be aware of and have free access to your personal data that has been processed.

In chapter V of this document, you can find the procedures implemented by INVERSIONES JRC SAS, to guarantee the rights of the aforementioned holders.

CHAPTER IV. DUTIES OF INVERSIONES JRC SAS IN RELATION TO THE PROCESSING OF PERSONAL DATA

INVERSIONES JRC SAS is aware that personal data is the property of the people to whom it refers and only they can decide on it. Likewise, INVERSIONES JRC SAS will make use of said data only for the purposes for which it is duly empowered and respecting in any case, the current regulations on the Protection of Personal Data.

INVERSIONES JRC SAS will meet the duties provided for those responsible and in charge of Treatment, contained in articles 17 and 18 of Law 1581 of 2012, or regulations that regulate or modify it, namely:

  1. Guarantee the Owner, at all times, the full and effective exercise of the right of habeas data;
  2. Request and keep, under the conditions provided in this law, a copy of the respective authorization granted by the Owner.
  3. Duly inform the Holder about the purpose of the collection and the rights that assist him by virtue of the authorization granted.
  4. Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
  5. Guarantee that the information provided to the Treatment Manager is true, complete, exact, updated, verifiable and understandable.
  6. Update the information, communicating in a timely manner to the Treatment Manager, all the news regarding the data that has previously been provided and adopt the other necessary measures so that the information provided to it is kept up to date.
  7. Rectify the information when it is incorrect and communicate what is pertinent to the Treatment Manager.
  8. Provide the Treatment Manager, as the case may be, only data whose Treatment is previously authorized in accordance with the provisions of this law.
  9. Demand from the Treatment Manager at all times, respect for the security and privacy conditions of the Owner’s information.
  10. Process the queries and claims formulated in the terms indicated in this law.
  11. Adopt an internal manual of policies and procedures to guarantee adequate compliance with this law and especially, for the attention of queries and claims.
  12. Inform the Treatment Manager when certain information is under discussion by the Owner, once the claim has been filed and the respective process has not been completed.
  13. Inform at the request of the Owner about the use given to their data.
  14. Inform the data protection authority when there are violations of the security codes and there are risks in the administration of the information of the Holders.
  15. Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

4.1. DUTY OF SECRECY AND CONFIDENTIALITY

INVERSIONES JRC SAS guarantees and demands professional secrecy, regarding these and the duty to keep them, obligations that will subsist even after finishing their contractual relationships. Failure to comply with the duty of secrecy will be penalized in accordance with the provisions of the Internal Work Manual and Law 1273 in article 269 F: Violation of personal data.

CHAPTER V. INFORMATION PROCESSING POLICIES

5.1 GENERAL INFORMATION ABOUT THE AUTHORIZATION

When the processing of personal data is required, INVERSIONES JRC SAS will previously request authorization for the processing of personal data by any means that allows it to be used as evidence. Depending on the case, the authorization request will be part of a physical document or a voice and data file and may be explicitly contained therein or as an annex of express acceptance and conditional binding.

When dealing with personal data, the description of the purpose of the data processing will be reported in each of the means used for data collection, be it by means of a physical document, digital means or telephone call. INVERSIONES JRC SAS will inform the holder in its privacy notices at least the following:

  1. The treatment to which your personal data will be submitted and the specific purpose thereof.
  2. The rights that assist you as the owner.
  3. The website, email, address and other communication channels in which you can make queries and/or claims before the person responsible for or in charge of the treatment.

Means and manifestations to grant authorization

INVERSIONES JRC SAS establishes that the means to establish the authorization by people in the treatment of their personal data for their employees, clients, suppliers, shareholders and other third parties will be delivered at the time of collecting the personal data in the linking processes or data update.

In addition, INVERSIONES JRC SAS can opt for electronic means such as the website www.vapiano.com.co, social networks such as online forms of social media apps, or through call and video call systems so that the holders can grant authorization in the treatment of the data, with the implementation of mechanisms that allow to express or obtain the consent of the owner.

Proof of authorization

INVERSIONES JRC SAS will use as a mechanism to prove that the authorization has been received from the Holder for data processing, the current systems and methods it has, and will implement and adopt the necessary actions to maintain records or technical or technological mechanisms of when and how authorization was obtained from the holders of personal data for the treatment of these. To comply with the foregoing, physical files or electronic repositories will be established directly or through third parties hired for this purpose.

Cases where authorization is not required

The Owner’s authorization will not be necessary in the case of:

  • Information required by a public or administrative entity in the exercise of its legal functions or by court order.
  • Data of a public nature.
  • Cases of medical or health urgency.
  • Treatment of information authorized by law for historical, statistical or scientific purposes.
  • Data related to the Civil Registry of People.

5.2 OF THE RIGHTS OF THE HOLDERS

Of the right of access to the data

INVERSIONES JRC SAS guarantees the right of access to the data in accordance with Law 1581 of 2012 only to previously authorized Holders or Third Parties, who may access the personal data held on them by INVERSIONES JRC SAS, subject to prior accreditation of the identity of the owner, legitimacy, or personality of his representative, making available to him, without cost or expense, in a detailed manner, the respective personal data processed, through any means of communication, including electronic ones that allow the owner’s direct access. Said access is subject to the limits established in article 21 of Regulatory Decree 1377 of 2013.

Of the right to consult the data

The holders of personal data may consult the personal information that rests in any database of INVERSIONES JRC SAS. Consequently, INVERSIONES JRC SAS guarantees the right of consultation in accordance with the provisions of Law 1581 of 2012 exclusively on private and sensitive personal data and personal data of minors corresponding to natural persons, providing the Holders of these personal data with the information contained in each of the corresponding databases that are under the control of INVERSIONES JRC SAS.

INVERSIONES JRC SAS has authentication measures that allow the identification of the owner of the personal data that makes the query or request.

Regarding the attention to requests for consultation of personal data, INVERSIONES JRC SAS guarantees:

  • Enable personal, electronic or other means of communication that you consider relevant and safe.
  • Establish forms, systems and other methods that will be reported in the Privacy Notice.
  • Use the customer service or claims services that are in operation.

Regardless of the mechanism implemented for the attention of consultation requests, these will be processed within a maximum term of ten (10) business days from the date of receipt. In the event that a query request cannot be answered within the term indicated above, the interested party will be informed before the expiration of the term of the reasons why no response has been given to their query, which in no case may exceed five (5) business days following the expiration of the first term.

The right to complain about the data

The Owner of personal data may claim when they consider that the information contained or stored in a database does not correspond or when they notice the breach of any of the duties and principles contained in the regulations on Protection of Personal Data or the use of their data for purposes not expressly authorized. In this sense, they may file a claim with the person responsible for the treatment of INVERSIONES JRC SAS.

INVERSIONES JRC SAS has the necessary authentication measures to identify the owner of the personal data making the claim. The claim may be submitted by the owner, taking into account the information indicated in article 15 of Law 1581 of 2012.

If the claim is incomplete, the owner may complete it within five (5) business days following receipt of the claim, in order to correct the failures or errors.

After two (2) months from the date of the request, without the applicant submitting the requested information, it will be understood that the claim has been withdrawn.

In the event that a claim is received that is not the responsibility of INVERSIONES JRC SAS to resolve it, a response will be given within a maximum term of two (2) business days to the person concerned in the situation.

Once INVERSIONES JRC SAS has received the complete claim, it will be included in the database of the Superintendence of Industry and Commerce with a legend that says “claim in process” and the reason for it, in a term not exceeding two (2) business days. Said legend will remain until the claim is decided. The maximum term to resolve the claim is fifteen (15) business days, counted from the day following the date of receipt. When it is not possible to address the claim within said term, INVERSIONES JRC SAS will inform the interested party of the reasons for the delay and the date on which the claim will be addressed, which in no case may exceed eight (8) business days following the expiration date of the first term.

The right to rectify and update data

INVERSIONES JRC SAS undertakes to rectify and update at the request of the Holder, the personal information that corresponds to natural persons, which is incomplete or inaccurate, in accordance with the procedure and the terms indicated above. In this regard, INVERSIONES JRC SAS will take into account the following:

In requests for rectification and updating of personal data, the Owner must indicate the corrections to be made and provide the documentation that supports their request.

  1. INVERSIONES JRC SAS has full freedom to enable the mechanisms that facilitate the exercise of this right, as long as they benefit the Owner of the personal data. Consequently, electronic means or others that INVERSIONES JRC SAS deems appropriate and safe may be enabled.
  2. INVERSIONES JRC SAS may establish forms, formats, systems and other methods, which will be informed in the Privacy Notice and which will be made available to interested parties on the website and offices of INVERSIONES JRC SAS.

Of the right to the deletion of data.

The Holder of personal data has the right, at all times, to request from INVERSIONES JRC SAS the deletion (elimination) of their personal data, as long as it is not data required within any commercial or contractual relationship or legal requirement.

This deletion can occur with the elimination, secure deletion, total or partial, or the blocking of personal information in accordance with what is requested by the owner in the records, files, databases or treatments carried out by INVERSIONES JRC SAS.

The right of deletion is not an absolute right; INVERSIONES JRC SAS, as responsible for the processing of personal data, can deny or limit the exercise of this right when:

  1. The owner of the data has a legal or contractual duty to remain in the database.
  2. The deletion of data hinders judicial or administrative actions related to fiscal and/or accounting obligations, the investigation and prosecution of crimes or the updating of administrative sanctions.
  3. The data is necessary to protect the legally protected interests of the owner; to carry out an action based on the public interest, or to comply with an obligation legally acquired by the owner.

The right to revoke the authorization

Any owner of personal data can revoke consent for the treatment of these at any time, as long as it is not prevented by a legal or contractual provision. For this, INVERSIONES JRC SAS has established simple and free mechanisms that allow the owner to revoke their consent.

In cases where the revocation of the authorization is possible, it will be handled under the following two modalities:

  1. Total: On all consented purposes, that is, INVERSIONES JRC SAS must completely stop processing the data of the Personal Data Holder.
  2. Partial: On certain consented purposes, such as for advertising or market research purposes. In this case, INVERSIONES JRC SAS must partially suspend the processing of the owner’s data. The other purposes of the treatment that the person responsible can carry out in accordance with the authorization granted, and with which the owner agrees, are then maintained.

The right of revocation is not an absolute right and INVERSIONES JRC SAS, as responsible for the processing of personal data, can deny or limit the exercise of this right when:

  1. The owner of the data has a legal or contractual duty to remain in the database.
  2. The revocation of the authorization of the treatment hinders judicial or administrative actions related to fiscal obligations, the investigation and prosecution of crimes or the updating of administrative sanctions.
  3. The data is necessary to protect the legally protected interests of the owner; to carry out an action based on the public interest, or to comply with an obligation legally acquired by the owner.
  4. The data is data of a public nature and corresponds to public records, which are intended for publicity.

Data protection in contracts.

In the contracts carried out with INVERSIONES JRC SAS, clauses have been included or will be included through the figure of “others”, in order to authorize in advance and generally the processing of personal data related to the execution of the contract, which includes the authorization to collect, modify or correct, at future times, personal data of the Holder corresponding to natural persons. It has also included the authorization for some of the personal data, if necessary, to be delivered or transferred to third parties with whom INVERSIONES JRC SAS has contracts for the provision of services, for the performance of some of its activities. In these clauses, mention is made of this document and its location on the institutional website or the option of being able to request it directly at the facilities of the person in charge to the Personal Data Protection Officer, for proper consultation.

In contracts for the provision of external services, when the contractor requires personal data, INVERSIONES JRC SAS will provide said information as long as there is prior and express authorization from the Owner of the personal data for this transfer, being excluded from this authorization, the personal data of a public nature defined in numeral 2 of article 3 of Regulatory Decree 1377 of 2013 and the contents in public records. Given that, in these cases, the third parties are Data Processors and their contracts include clauses that specify the purposes and treatments authorized by INVERSIONES JRC SAS and precisely delimit the use that these third parties can give to those, as well as the obligations and duties established in Law 1581 of 2012 and Regulatory Decree 1377 of 2013, including the necessary security measures that guarantee at all times the confidentiality, integrity and availability of the personal information entrusted for its treatment.

For its part, INVERSIONES JRC SAS at the time of receiving data from third parties and acting as Personal Data Processor, verifies that the purpose, or purposes, of the treatments authorized by the owner or permitted for legal, contractual or jurisprudential reasons are in force and that the content of the purpose is related to the cause for which said personal information is to be received from the third party, since only in this way will he be empowered to receive and process said personal data.

Transfer of personal data to third countries.

In the cases in which INVERSIONES JRC SAS in the development of any of its functions, such as participating in international programs for economic, cultural and social development, or any other activity that involves the transfer of personal data to third countries will be governed by the following conditions:

  1. The transfer of personal data to third countries will only be carried out when there is the corresponding authorization from the owner and prior authorization from the SIC Personal Data Delegation.
  2. An international transfer is considered any treatment that involves the transmission of data outside Colombian territory, whether a transfer of data is made, or if it had the purpose of providing a service to the person in charge outside of Colombia.
  3. Likewise, prior authorization must be obtained from the delegate of Protection of Personal Data of the Superintendence of Industry and Commerce, when international data transfers are planned to countries that do not provide a certain level of protection. This authorization may only be granted if adequate guarantees are obtained, such as contracts based on the clauses approved by the SIC, or the Binding Rules.
  4. The international transfer of data may be carried out at the request of INVERSIONES JRC SAS, establishing the purpose, the groups of interested parties or holders of the personal information, the data subject to transfer and the documentation that incorporates the guarantees required to obtain the authorization, containing a description of the specific security measures that will be adopted, both by INVERSIONES JRC SAS and by the person responsible for or in charge of the data at their destination.
  5. INVERSIONES JRC SAS will not request authorization when the international transfer of data is covered by any of the exceptions provided for in the Law and its Regulatory Decree. An example of this is the consent of the affected party to the transfer; the transfer is necessary to establish the contractual relationship between the affected party and the person responsible for the Database and the transfer refers to a pecuniary transaction.

Applicable general rules.

INVERSIONES JRC SAS has established the following general rules for the protection of personal, sensitive and minor data, such as the care of databases, electronic and physical files and personal information:

  1. Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
  2. Timely update, rectify or delete data under the terms of the law.
  3. Update the information reported by those responsible for treatment within five (5) business days from its receipt.
  4. Apply security measures in accordance with the classification of personal data processed by law.
  5. Adopt disaster recovery procedures applicable to databases containing personal data.
  6. Adopt procedures for Backup or Back Up of the databases that contain personal data.
  7. Safely manage automated and/or physical databases that contain personal data.
  8. Keep a central record of the databases that contain personal data that includes the history since its creation, treatment of the information and cancellation of the database.
  9. Safely manage access to the personal databases contained in the information systems, in which it acts as the person responsible for or in charge of the treatment.
  10. Carry out audits periodically to reinforce compliance with this standard by the recipients of it.

CHAPTER VI. PROCEDURE FOR THE HOLDERS TO KNOW, CLAIM AND REVOKE THE AUTHORIZATION

6.1 GENERAL

  1. Any consultation or claim against the inherent rights of the holders on personal data must be made by means of a letter addressed to the main address of INVERSIONES JRC SAS, by email to the address: habeasdata@vapiano.com.co, attaching a photocopy of the identity document of the interested Holder or any other equivalent document that proves their identity and ownership in accordance with the Law, complying with the minimum requirements established by the SIC for this purpose or by means of a message at our virtual contact point on the website vapiano.com.co
  2. The rights of access, updating, rectification, deletion and revocation of the authorization of personal data are personal and may only be exercised by the Owner. However, the Holder may act through the legal representative or proxy when he is in a situation of incapacity, interdiction or minority, facts that make it impossible for him to exercise them personally, in which case it will be necessary for the legal representative or proxy to certify such condition.
  3. No economic value will be required for the exercise of the rights of access, update, rectification, deletion or revocation of the authorization in the case of personal data of natural persons who are not part of public records. (The provisions of article 21 of Regulatory Decree 1377 of 2013 will be taken into account)
  4. In order to facilitate the exercise of these rights, INVERSIONES JRC SAS has made available to the interested parties the appropriate physical or electronic formats for this purpose.
  5. Once the terms indicated by Law 1581 of 2012 and the other regulations that regulate or complement it have been fulfilled and exhausted, the Owner who is denied, totally or partially, the exercise of the rights of access, updating, rectification, deletion and revocation by INVERSIONES JRC SAS may notify the National Authority for the Protection of Personal Data (Superintendence of Industry and Commerce – Delegation for the Protection of Personal Data) of the denial or non-conformity with respect to the right exercised.

6.2 PROCEDURES

  • Inquiries

Any holder of personal data can consult INVERSIONES JRC SAS at any time about the information held about him, for this it has established simple and free mechanisms that allow easy access to his information.

  • Claims

The Owner or his successors in title who consider that the information contained in a database must be corrected, updated or deleted or when they notice the alleged breach of any of the duties contained in the Personal Data Protection regulations, may file a claim before the data controller.

  • Revoke authorization

Any owner of personal data can revoke, at any time, the consent to the treatment of these as long as it is not prevented by a legal or contractual provision. For this, INVERSIONES JRC SAS has established simple and free mechanisms that allow you to revoke your consent.

Keep in mind that there are two modalities in which the revocation of consent can occur. The first, can be about all the consented purposes, that is, that INVERSIONES JRC SAS must completely stop processing the owner’s data; the second, can occur on certain types of treatment, such as for marketing purposes, campaigns, advertising, among others. With the second modality, that is, the partial revocation of consent, other purposes of the treatment are kept safe that the person responsible in accordance with the authorization granted can carry out and with which the owner agrees.

Requirements for the attention of queries, claims or to revoke the authorization.

  • General requirements
  1. A communication must be sent, whether physical or electronic, it must contain at least the application date, photocopy of the identification document, contact address (Physical or Electronic), telephone number for notification purposes; and for the owner’s representative, an authenticated document proving the representation, if applicable.
  2. It is necessary to identify the name of INVERSIONES JRC SAS to which the respective query, claim or authorization revocation is made.
  3. To exercise this right through the owner, his successor in title, authorized third party or proxy may formulate the query through the email sent by INVERSIONES JRC SAS attaching the previously related information. The Holders are also provided with the page: vapiano.com.co, as an alternative means to submit their request through the form established on the microsite, or at the main establishment of INVERSIONES JRC SAS
  4. When the type of request is to update data, consider it important, depending on the case, if you are a client or creditor, to fill out the corresponding forms and consider that you must attach the requested documents.
  5. To exercise this right by physical means, your successor in title, authorized third party or proxy may file the query at the main headquarters of INVERSIONES JRC SAS attaching the previously related information.
  6. The person interested in exercising this right must, in any case, use a means that allows proof of sending and receiving the request. Whatever the means used to exercise this right, INVERSIONES JRC SAS will respond to the request as long as the following requirements are met:
  • Specific requirements for claims

The claim may be submitted by the owner taking into account the information indicated in article 15 of Law 1581 of 2012 and these rules:

  1. If the claim is incomplete, the holder can complete it within five (5) business days following receipt of the claim so that the failures can be corrected. After two (2) months from the date of the request, without the applicant submitting the required information, it will be understood that the claim has been withdrawn.
  2. In the event that the person receiving the claim is not competent to resolve it, it will be transferred to the corresponding party within a maximum term of two (2) business days and the interested party will be informed of the situation.
  3. Once the complete claim is received, a legend will be included in the database that says “claim in process” and the reason for it, within a term not exceeding two (2) business days.

Likewise, the owner of the information can exercise these rights at any time, subject to prior compliance with the requirements established for it by INVERSIONES JRC SAS. In this regard, INVERSIONES JRC SAS will take into account the following:

  1. In requests for rectification and updating of personal data, the owner must indicate the corrections to be made and provide the documentation that supports their request.
  2. INVERSIONES JRC SAS has full freedom to enable mechanisms that facilitate the exercise of this right, as long as they benefit the owner of the data. Consequently, electronic means or others that INVERSIONES JRC SAS deems appropriate may be enabled.
  3. INVERSIONES JRC SAS may establish forms, systems and other methods, which will be informed in the Privacy Notice and which will be made available to interested parties on the website.
  4. When the request is made by a person other than the owner and it is not proven that it acts in legitimate representation, it will be taken as not submitted.

The owner of personal data has the right, at all times, to request INVERSIONES JRC SAS the deletion (elimination) of their personal data when:

  1. Consider that they are not being treated in accordance with the principles, duties and obligations provided for in current regulations.
  2. They have ceased to be necessary or pertinent for the purpose for which they were collected.
  3. The period necessary for the fulfillment of the purposes for which they were collected has been exceeded.

This deletion implies the total and/or partial elimination or blocking of personal information in accordance with what is requested by the owner in the records, files, databases or treatments carried out. When a request of this type is submitted, it will be executed without prejudice to the responsibility of companies in compliance with accounting and tax regulations.

Terms for attention to queries, claims or to revoke the authorization:

  • Terms for the attention of queries: Regardless of the mechanism that is implemented for the attention of requests for consultation, these will be attended by INVERSIONES JRC SAS in a maximum term of ten (10) business days from the date of receipt. In the event that a query request cannot be answered within the term indicated above, the interested party will be informed before the expiration of the term of the reasons why no response has been given to their query, which in no case may exceed five (5) business days following the expiration of the first term.
  • Terms for the attention of Claims or Revocation of Authorization: The maximum term to attend it by INVERSIONES JRC SAS will be fifteen (15) business days from the day following the date of receipt. When it is not possible to address the claim within said term, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.

CHAPTER VII. PERSONAL DATA PROTECTION FUNCTION WITHIN INVERSIONES JRC SAS

7.1 RESPONSIBLE.

INVERSIONES JRC SAS has designated a person within the Organization as responsible for the processing of personal data, as the person who receives, processes and channels the different requests from the Holders and sends them to the respective unit in charge of processing within INVERSIONES JRC SAS. Once these units receive the communications, they will begin to comply with the function of protection of personal data, and must process the requests of the owners, in the terms, deadlines and conditions established by current regulations, for the exercise of the rights of access, consultation, rectification, updating, deletion and revocation referred to in the current regulations on personal data protection.

In the event that you consider that INVERSIONES JRC SAS gave a use contrary to what was authorized and to the applicable laws, you may contact us through a communication addressed to the person in charge of Protection of Personal Data through the channels established by INVERSIONES JRC SAS for such purposes.

7.2 PERSONS IN CHARGE:

INVERSIONES JRC SAS as an organization, and in the terms established in the current regulations, will act as RESPONSIBLE FOR THE TREATMENT of personal data and, in turn, will act as PRIMARY PROCESSOR OF personal data.

Internal Managers

For INVERSIONES JRC SAS those in charge of the treatment of the personal data of the holders are constituted in all the collaborators in the first instance, who will be in charge of respecting the confidentiality and the rights of the holders, even so it is the responsibility of all the Directors and / or Heads of business area, especially the commercial, marketing, accounting, manufacturing, financial and Human Management area in enforcing the definitions established in this document, as business areas that collect data to attend the needs of administrative, commercial and financial operations.

External Managers

For INVERSIONES JRC SAS, the external managers in the processing of personal data are identified in the technology and service providers where the servers, site and means of storage of the information processed through the software designated by the Management are located to attend the operations of the business.

These managers are solely responsible for data processing such as custody or storage and availability for processing them in real time according to the definitions in the contract entered into.

CHAPTER VIII. APPLICABLE LEGISLATION, CONTACT AND VALIDITY

8.1 LEGAL FRAMEWORK

 This document of Policies and Procedures for the protection of personal data has been prepared in accordance with the following standards and documents.

  • Constitution, article 15.
  • Law 1581 of 2012
  • Law 1273 of 2009
  • Law 1266 of 2008
  • Regulatory Decrees 1727 of 2009 and 2952 of 2010
  • Regulatory Decree 1377 of 2013
  • Regulatory Decree 886 of 2014
  • Regulatory Decree 090 of 2018
  • External Circular 02 of the SIC
  • Rulings of the Constitutional Court C-1011 of 2008, and C-748 of 2011
  • Internal Work Regulations

8.2 CONTACT INFORMATION

 If you have any questions about this policy, please contact INVERSIONES JRC SAS or send your inquiry directly or through the following communication channels:

Company: INVERSIONES JRC SAS

Address: Carrera 12 #83-11, Bogotá, Colombia

Phone: 3152550811

Email: habeasdata@vapiano.com.co

Responsible for data treatment: INVERSIONES JRC SAS

Validity: This Document is effective as of October 10, 2022

Policy Updates:

INVERSIONES JRC SAS may modify the terms and conditions of this document of policies and procedures as part of our effort to comply with the obligations established by Law 1581 of 2012, the regulatory decrees and other regulations that complement, modify or repeal what is contained in this document, in order to reflect any changes in our operations or functions. In cases where this occurs, the new policies and procedures document will be published on the web page and informative sites for massive consultation of INVERSIONES JRC SAS.