BlogContactEmployee portal
ES
ES
ES
ES

Personal Data Processing Policy Manual - Colarquim S.A.S.

1. INTRODUCTION
The guidelines and regulations defined by the enacted laws outline the processing requirements for the personal information of all individuals associated with the company, whether as a customer, supplier, or employee. Consequently, in compliance with these laws and regulatory decrees, this Personal Data Processing Policy Manual is hereby established. It encompasses the procedures for processing consent requests, inquiries, and claims related to the management of such information."

2. OBJECTIVE
This document establishes the Personal Data Processing Policy of Colarquim S.A.S., hereinafter referred to as THE COMPANY This policy has been drafted in accordance with the guidelines set forth by current applicable regulations on the subject. Its scope covers all databases containing personal information that are subject to processing by THE COMPANY

3. SCOPE
These policies apply to the processing of personal information of all individuals associated with THE COMPANY, whether they are third parties (including customers and suppliers) or employees, in accordance with the provisions of the law.

4. APPLICABLE REGULATIONS
The most critical aspects to consider regarding data protection laws in Colombia are Law 1581 of 2012, Decree 1377 of 2013, Decree 886 of 2014, and any other regulations that modify, add to, or complement them, all of which must be implemented by Colarquim S.A.S.,

Law 1581 of 2012 constitutes the general framework for personal data protection in Colombia. Consequently, as new decrees are issued to modify the aforementioned laws, this manual will be updated accordingly to reflect those changes.

5. PERSONAL DATA PROCESSING POLICIES
5.1. GENERAL DATA OF COLARQUIM S.A.S., AS THE DATA CONTROLLER

Corporate Purpose. The corporate purpose of THE COMPANY is the production, manufacture, processing, transformation, marketing, distribution, purchase, sale, import, and export of chemicals, dyes, chemical auxiliaries, textiles, supplies, and raw materials, among others.
Tax ID. 800.226.277-6.
Registered Office. Calle 110 # 75A – 620, Bodega 14, Barranquilla.
City. Barranquilla, Atlántico.
Telephone. +57 (605) 377 3010, extensions 103 and 121.
Website. www.colarquim.com

5.2. OBJECTIVE
The purpose of this manual is to protect the constitutional right of all individuals to access, update, and rectify information collected about them in databases or archives owned by Colarquim S.A.S., This is established in the development and fulfillment of its corporate purpose, as well as in accordance with other constitutional rights, freedoms, and guarantees referred to in Articles 15 (Right to Privacy) and 20 (Right to Information) of the Political Constitution of Colombia.

Consequently, this manual contains the legal and corporate guidelines under which Colarquim S.A.S., processes data, the purpose of such processing, and your rights as a Data Subject. Additionally, it establishes the internal and external procedures available for exercising these rights. 

In this regard, data protection is understood as all physical, technical, and legal measures taken to ensure that the information of Data Subjects—natural persons—(suppliers, THE COMPANY, personnel, employees, former employees, customers, etc.) registered in the Colarquim S.A.S.,database is secure from any attack or unauthorized access attempt. It also ensures that the use and retention of data are appropriate for the established purpose of its collection.

Accordingly, this manual aims to comply with current data protection legislation, specifically Law 1581 of 2012, Decree 1377 of 2013, Decree 886 of 2014, Resolution 886 of 2014, and any other regulations that modify, add to, complement, or develop them.

5.3. TO WHOM THE PERSONAL DATA PROCESSING POLICY IS ADDRESSED
This Personal Data Processing Policy manual is addressed to all natural persons who have or have had a relationship with Colarquim S.A.S.,namely: employees, former employees, customers, and suppliers—both active and inactive—or any third party whose personal data is included in THE THE COMPANY

5.4. SCOPE OF APPLICATION
In accordance with Law 1581 of 2012, the scope of this manual shall be the data of natural persons registered in all databases owned THE COMPANY or those whose processing has been commissioned to it.

Furthermore, this manual shall apply to the processing of personal data carried out within Colombian territory, or when THE COMPANY, in its capacity as controller or processor of the data, is no longer domiciled in the national territory but Colombian legislation remains applicable by virtue of international standards and treaties.

The established personal data protection regime shall not apply to:

  1. Databases or files maintained in an exclusively personal or domestic sphere. If these databases or files are to be provided to third parties, the data subject must be informed in advance and their authorization must be requested. In this case, the controllers and processors of the databases and files shall be subject to the provisions contained in the Habeas Data Law.
  2. Databases and files intended for national security and defense, as well as the prevention, detection, monitoring, and control of money laundering and the financing of terrorism.
  3. Databases intended for and containing intelligence and counterintelligence information.
  4. Databases and files of journalistic information and other editorial content.
  5. Databases and files regulated by Law 1266 of 2008.
  6. Databases and files regulated by Law 79 of 1993.

5.5. IMPORTANT DEFINITIONS IN PERSONAL DATA PROCESSING
For the interpretation and application of these policies, please consider the following definitions:

  • Authorization. Prior, express, and informed consent of the Data Subject to carry out the processing of personal data.
  • Privacy Notice. Verbal or written communication generated by the Controller ( Colarquim S.A.S.,), addressed to the Data Subject, informing them about the existence of the applicable data processing policies, how to access them, and the intended purposes.
  • Database. Organized set of personal data subject to processing.
  • Successors in Interest. A person who has succeeded another due to the latter's death (heir).
  • Personal Data. Any information linked to or associated with one or more specific or identifiable natural persons.
  • Private Data. Data that, due to its intimate or reserved nature, is only relevant to the Data Subject.
  • Semi-private Data. Data that is not of an intimate, reserved, or public nature, and whose knowledge or disclosure may interest not only the Data Subject but also a certain sector of people or society in general (e.g., financial or credit data).
  • Public Data. Data that is not semi-private, private, or sensitive. Public data includes, among others, information regarding an individual's civil status, profession or occupation, and their status as a merchant or public servant. By their nature, public data may be contained, among other sources, in public registries, public documents, official gazettes and bulletins, and duly enforceable court rulings that are not subject to confidentiality.
  • Sensitive Data. Data that affects the Data Subject's privacy or whose misuse may lead to discrimination (e.g., racial/ethnic origin, political orientation, religious/philosophical beliefs, trade union membership, health, sexual life, and biometric data).
  • Biometric Data. Physical, biological, or behavioral traits that uniquely identify an individual (e.g., fingerprints, DNA analysis).
  • Employee. A natural person obligated by an employment contract to provide personal services to another natural or legal person under continued subordination and for remuneration.
  • Former Employee. A natural person previously employed by THE COMPANY
  • Data Processor. A natural or legal person who, individually or jointly, processes personal data on behalf of the Controller.
  • Data Controller. A natural or legal person who, individually or jointly, decides on the database and/or its processing.
  • Processing Policy. Refers to this Personal Data Processing Policy manual applied by THE COMPANY.
  • Supplier/Brand. Refers to this Personal Data Processing Policy manual applied by THE COMPANY virtue of a contractual relationship.
  • Data Subject. The natural person whose data is processed (employees, former employees, suppliers, and/or active/inactive customers). THE COMPANY o cualquiera que suministre datos personales a THE COMPANY
  • Processing. Any operation or set of operations performed on personal data, such as collection, storage, use, circulation, or deletion.
  • Transfer: Occurs when the Controller or Processor sends personal data to a recipient (who is also a Controller) located inside or outside of Colombia.
  • Transmission. Data processing involving the communication of data inside or outside Colombia for processing on behalf of the Controller.
  • Visitor. Person(s) remaining in a location for less than eight (8) hours without performing a remunerated activity.

5.6. GUIDING PRINCIPLES FOR PERSONAL DATA PROCESSING
In accordance with Article 4 of Law 1581, THE COMPANY adheres to the following principles:

  • Principle of Legality. Data processing is a regulated activity subject to Law 1581 of 2012 and Decree 1377 of 2013.
  • Principle of Purpose Processing must serve a legitimate purpose, which must be disclosed to the Data Subject.
  • Principle of Freedom Processing may only be exercised with the prior, express, and informed consent of the Data Subject.
  • Principle of Truthfulness or Quality. Information must be truthful, complete, accurate, updated, verifiable, and understandable.
  • Principle of Transparency. The Data Subject’s right to obtain information about their data from the Controller or Processor at any time must be guaranteed.
  • Principle of Restricted Access and Circulation. Processing is subject to limits derived from the nature of the data and the law. Data (except public information) shall not be available on the Internet or mass media unless access is technically restricted to authorized parties.
  • Principle of Data Temporality. Once the purpose for collection is fulfilled, the Controller or Processor shall cease its use.
  • Principio de seguridad. Information must be managed with the technical, human, and administrative measures necessary to prevent loss, unauthorized access, or fraudulent use.
  • Principio de confidencialidad. All persons involved in processing non-public data are obliged to guarantee professional secrecy, even after their relationship with the activity has ended.
  • Duty to Inform: THE COMPANY will inform Data Subjects about the protection regime, purposes, and existence of databases, proceeding with the legal registration as required. THE COMPANY will provide information regarding the existence of personal databases that safeguard these rights and the exercise of habeas data by the data subjects, proceeding with the registration required by law.

5.7. DATABASES
5.7.1. DATABASES WHERE COLARQUIM S.A.S. ACTS AS CONTROLLER AND PROCESSOR

THE COMPANY acts as both Controller (as it collects information and makes processing decisions) and Processor (as it performs the actual processing) for the following: THE COMPANY acts both as a Controller, since it is the entity that collects the information and makes decisions regarding data processing, and as a Processor, to the extent that it is the entity that performs the actual processing of said data. 

The following are the databases for which THE COMPANY performs personal data processing:

1. Supplier database.
2. Worker database.
3. Customer database.
4. Security camera database.

5.8. DATA SUBJECT AUTHORIZATION FOR DATA PROCESSINGIn accordance with Article 5 of Decree 1377 of 2013, THE COMPANY, as the data controller, has developed a 'Personal Data Processing Authorization' form and has adopted procedures to request, at the latest at the time of collection, your authorization for the processing of your personal data and to notify you of the information to be collected, as well as all the specific purposes of the processing for which your consent is obtained.

On the other hand, personal data found in public access sources, regardless of the medium through which they are accessed, may be processed by THE COMPANY, provided that, by their nature, they are public data. THE COMPANYprovided that, by their nature, they are public data.

In this regard, it shall be understood that the authorization granted by the Data Subject to THE COMPANY complies with the requirements set forth by current applicable legislation, provided it is expressed:

  • In writing.
  • Orally.
  • Through unequivocal conduct of the Data Subject that allows for the reasonable conclusion that such subject granted authorization to THE COMPANY

"Furthermore, under no circumstances shall your silence be interpreted by THE COMPANY as unequivocal conduct. THE COMPANY, therefore, has established channels so that you, as the data subject, may at any time request the deletion, modification, and/or revocation of the authorization granted to us for its processing.

5.9. DATA SUBJECT AUTHORIZATION FOR THE PROCESSING OF SENSITIVE DATA
In the processing of sensitive personal data, whenever possible and in accordance with Article 6 of Law 1581 of 2012, THE COMPANY shall comply with the following obligations:

  • To inform the Data Subject that, given the sensitive nature of the data, they are not balance to authorize its processing.
  • To explicitly and previously inform the Data Subject—in addition to the general authorization requirements for any personal data collection—which of the data being processed are sensitive and the purpose thereof. Additionally, their express consent must be obtained.

Note. None of the activities carried out by THE COMPANY are, or will be, conditioned upon the Data Subject providing their sensitive personal data.

5.10. USE AND PURPOSE OF PERSONAL DATA PROCESSING
THE COMPANY As an entity that respects individual privacy, THE COMPANY recognizes that the Data Subject has the right to have adequate elements that guarantee such privacy, taking into account their responsibilities, rights, and obligations.

Indeed, by virtue of the relationship established or to be established between the data subject and THE COMPANY, it is important for the subject to be aware that THE COMPANY collects, records, stores, and uses their personal data for its own use, for the purposes for which it was requested, or due to requirements from public entities.

The personal data of the subjects are used by THE COMPANY to:

  • Execute THE COMPANY's own activities to fulfill its corporate purpose, based on the database where the subjects' personal data resides.
  • Manage customer relationships, provide personalized service, perform targeted marketing activities, and improve customer satisfaction and loyalty, which may be done through physical, digital, and/or mobile means.
  • Create content for social media.
  • Send information to government entities due to legal requirements.
  • Consult information in control lists (national and international), consult and report to credit bureaus, information centers, the Clinton List, the Attorney General's Office, the Comptroller's Office, the National Police, DIJIN, among other entities, in order to preserve trust and transparency. THE COMPANY
  • Support external and internal audit processes.
  • Execute judicial and extrajudicial processes in cases permitted by the statutes and regulations THE COMPANY
  • Record the information of employees, former employees, suppliers, and customers (active and inactive) in THE COMPANY's databases for the delivery of contractual, commercial, and obligatory information as required.
  • Efficiently manage THE COMPANY's human resources, including hiring, performance management, payroll administration, regulatory compliance, and workforce planning.
  • Verify references of employees, former employees, suppliers, and customers (active and inactive) in the databases.
  • Efficiently manage supplier relationships, ensure supply availability, and facilitate decision-making related to the acquisition of goods and services.
  • Regarding the collection and processing of data performed through automated mechanisms to generate visitor activity and audience records, THE COMPANY may only use such information to prepare reports that meet the stated objectives. Under no circumstances may it perform operations that involve associating such information with an identified or identifiable user.

Personal data will be used by THE COMPANY only for the purposes stated herein; therefore, THE COMPANY will not sell, license, transmit, or disclose personal data unless:

  • The Data Subject expressly authorizes it.
  • The information is related to a merger, consolidation, acquisition, divestiture, or other restructuring process of THE COMPANY.
  • proceso de restructuración de THE COMPANY
  •  It is permitted by law.
  •  It is in compliance with a court order issued by a competent authority in the exercise of its functions.

Consequently, for the internal management of data, these may be accessed by the authorized personnel of THE COMPANY, which includes the General Assembly of Shareholders, the Board of Directors, the Statutory Auditor, the Presidency, the Vice Presidencies, and the General Management.

Consequently, THE COMPANY may subcontract third parties for the processing of certain functions or information. When this occurs, said third parties shall be obliged to protect personal data under the terms required by law and in their capacity as data processors of THE COMPANY's databases

In the case of personal data transmission, THE COMPANY shall enter into the corresponding transmission agreement under the terms of Decree 1377 of 2013.

THE COMPANY may transfer or transmit (as applicable), maintaining due security measures, personal data to other entities in Colombia or abroad for the provision of a better service, in accordance with the authorizations granted by the data subjects.

Once the need for personal data processing ceases, the data will be deleted from the databases under secure terms.

5.11. PRIVACY NOTICE
This legend is printed on all forms or documents through which information is collected from suppliers, workers, customers, and other data subjects managed by THE COMPANY. When collected verbally, this legend is communicated to the data subject in the same manner, maintaining record of the authorization through the technical means provided for such purpose.

PRIVACY NOTICE

In compliance with the provisions of Law 1581 of 2012 'By which general provisions are issued for the protection of personal data' and in accordance with Decree 1377 of 2013, by signing this document, I manifest that I have been informed by THE COMPANY Colarquim S.A.S. of the following:

  • Colarquim S.A.S. shall act as the controller of the personal data of which I am the subject and, jointly or separately, may collect, use, and process my personal data in accordance with the Personal Data Processing Policy Manual available in the company's database, and physical and digital archives. Likewise, these data shall remain stored in accordance with the provisions set forth in said manual."
  • That I have been informed of the purposes for collecting personal data, which are stipulated in the Personal Data Processing Policy Manual of Colarquim S.A.S. and can be consulted at the following link: https://colarquim.com/politica-de-tratamiento-de-datos/
  • It is of a facultative or voluntary nature to answer questions regarding sensitive data or concerning minors.
  • My rights as a data subject are those provided for in the Constitution and the law, especially the right to access, update, rectify, and delete my personal information, as well as the right to revoke the consent granted for the processing of personal data.
  • The rights may be exercised through the channels established by THE COMPANY, as well as through its Personal Data Processing Policy Manual.
  • Any type of request regarding the processing of personal data may be submitted through corporate emails or via WhatsApp.
  • THE COMPANY shall guarantee the confidentiality, freedom, security, truthfulness, transparency, access, and restricted circulation of data, and reserves the right to modify its Personal Data Processing Policy Manual at any time. In this regard, any changes will be promptly informed and published through the channels established for this purpose.
  • Taking the foregoing into account, I voluntarily, previously, explicitly, informatively, and unequivocally authorize THE COMPANY to process my personal data and take my fingerprint and photograph, if applicable, in accordance with its Personal Data Processing Policy Manual, for purposes related to its corporate object and, especially, for the legal, contractual, and institutional purposes described in this manual.
  • The information provided for the processing of personal data has been supplied voluntarily and is true and accurate.

The person in charge shall be:
Name: Geraldine Vergara.
Phone: +57 (605) 377 3010, extension 103.
Email: servicioalclientebq@colarquim.com
Address: Calle 110 # 75A – 620, Bodega 14, Barranquilla, Atlántico, Colombia.
Website: https://colarquim.com/contacto/"

Finally, and there being no other purpose, this copy is signed in the city of ________________ on the ____ day of the month of _______________ of the year ______.

Name
Signature
ID Number

AUTHORIZATION FOR THE WEBSITE

Colarquim S.A.S. declares that it protects the personal data provided by its customers and end users, in accordance with the provisions of Law 1581 of 2012.

In this order of ideas, by signing this authorization, you declare that all data contained herein are accurate and true. Furthermore, Colarquim S.A.S. has previously and expressly informed you of your rights, as well as the purpose, processing, and term of validity that will be applied to your personal data.

Likewise, the personal data provided by you is used by us for the sale and provision of our services, to address requests, evaluate the quality of our products and services, provide commercial information on new products or services, and carry out advertising campaigns, promotions, or contests, in accordance with our Personal Data Processing Policy Manual, which can be consulted at the following link: https://colarquim.com/manual-de-politicas-para-el-tratamiento-de-datos-personales-de-colarquim-s-a-s/

Consequently, by clicking here, you expressly authorize and acknowledge that you have read and understood our Personal Data Processing Policy Manual in a free, prior, voluntary, and duly informed manner. Therefore, you freely accept the processing that Colarquim S.A.S. will perform on your personal data, which includes storing, processing, disposing of, and transferring such data to natural persons or legal entities, in accordance with the purposes and conditions set forth in said manual.

Name
Signature
ID Number

TELEMARKETING SCRIPT

This call will be recorded to ensure quality of service.

Dear customer, the personal data provided by you will be used in accordance with our Personal Data Processing Policy Manual, which can be found on our website: https://colarquim.com/manual-de-politicas-para-el-tratamiento-de-datos-personales-de-colarquim-s-a-s/In accordance with our policies, do you authorize THE COMPANY to process your personal data?

Answer: Yes. (Data collection may proceed)

Answer: No. (Data collection may not proceed).

Revocation of authorization and/or deletion of data. In accordance with Article 8 of Decree 1377, THE COMPANY has established a free and agile mechanism through which the data subject may, at any time—provided there is no legal or contractual duty preventing it—request from THE COMPANY the deletion of their personal data and/or revoke the authorization granted for their processing, by submitting a request (see Chapter 14 of this manual).

If, upon expiration of the respective legal term, THE COMPANY does not delete the personal data from the databases, the data subject shall have the right to request the Superintendency of Industry and Commerce to order the revocation of the authorization and/or the deletion of the personal data.

5.12. RIGHTS OF THE DATA SUBJECTS
Law 1581 of 2012, in its 8th Article, establishes the following rights granted to the data subject regarding their personal data:

a) To access, update, cancel, and rectify their personal data before the controllers or processors. This right may be exercised, among others, regarding partial, inaccurate, incomplete, or fragmented data that may lead to error, or data whose processing is expressly prohibited or has not been authorized.

b) To request proof of the authorization granted to the data controller, except when expressly exempted as a requirement.

c) To be informed by the data controller or the data processor, upon request, regarding the use that has been given to their personal data.

d) To file complaints before the Superintendency of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and any other regulations that may modify, add to, or complement it.

e) To revoke the authorization and/or request the deletion of the data when the processing does not respect constitutional and legal principles, rights, and guarantees.

f) To access free of charge their personal data that has been subject to processing.

The channels available within THE COMPANY for the exercise of rights as a data subject are provided for in Chapter 14 of this manual.

5.13. PROCEDURE FOR THE EXERCISE OF DATA SUBJECTS' RIGHTS
According to Article 20 of Decree 1377, the rights of data subjects established in Law 1581 may be exercised before THE COMPANY by the following persons:

a) By the data subject, who must sufficiently prove their identity before THE COMPANY through the various means or mechanisms available to them."

b) By the data subject's successors-in-title, who must prove such status before THE COMPANY.

c) By the representative and/or attorney-in-fact of the data subject, upon prior accreditation of the representation or power of attorney before THE COMPANY.

d) By stipulation in favor of another or for another.

Now then, in accordance with the provisions of Articles 14 and 15 of Law 1581 of 2012, to exercise any of the rights you hold as a data subject, you may use any of the mechanisms established below before THE COMPANY:

5.13. PROCEDURE FOR THE EXERCISE OF DATA SUBJECTS' RIGHTS
According to Article 20 of Decree 1377, the rights of data subjects established in Law 1581 may be exercised before THE COMPANY by the following persons:

  • THE COMPANY As the controller and/or processor, shall provide the requested information contained in the database or that which is linked to the identity of the data subject. The data subject shall, therefore, prove their status by providing a copy of the relevant document and their identity document, which may be supplied in physical or digital format. However, should the data subject be represented by a third party, the respective power of attorney must be provided, which shall be notarized. The attorney-in-fact must, likewise, prove their identity under the indicated terms.
  • The inquiry shall be formulated through the channels enabled for such purpose by THE COMPANY and, especially, through written or electronic communication addressed to the department and person indicated in Chapter 18 of this manual. The inquiry shall be addressed by THE COMPANY within a maximum term of ten (10) business days from the date of receipt thereof.
  • "When it is not possible for THE COMPANY to address the inquiry within said term, it shall inform the interested party, stating the reasons for the delay and indicating the date on which the inquiry will be addressed, which in no case shall exceed five (05) business days following the expiration of the first term.
  • Personal data may be consulted free of charge at least once (01) each calendar month, and whenever there are substantial modifications to the policies established in this manual that, naturally, prompt new inquiries.
  • For inquiries made more than once per calendar month, THE COMPANY may charge the data subject for shipping, reproduction, and, where applicable, document certification costs.

5.13.2. PROCEDURE FOR CLAIMS
Data subjects, their successors-in-title, their representatives, or attorneys-in-fact who consider that the information contained in THE COMPANYs databases should be subject to correction, update, or deletion, or even when they notice an alleged breach of any of the duties contained in the law, may file a claim before THE COMPANY as the controller and/or processor, which shall be processed under the following rules:

  • The claim shall be formulated through a written request addressed to THE COMPANY, including the data subject's identification, a description of the facts giving rise to the claim, the address, and accompanying the documents intended to be used as evidence.
  • Al reclamo deberá adjuntarse fotocopia del documento de identificación del titular de los datos y del poder debidamente autenticado ante un notario público, cuando se actúe por medio de apoderado. El reclamo se formulará a través de los canales que para dicho efecto han sido habilitados por THE COMPANY y se dirigirá a la dependencia, y a la persona indicada en el Capítulo 18 del presente manual. Si el reclamo resulta incompleto, THE COMPANY requerirá al interesado dentro de los A photocopy of the data subject's identification document and the power of attorney duly notarized before a public notary must be attached to the claim when acting through an attorney-in-fact. The claim shall be formulated through the channels enabled for such purpose by THE COMPANY and shall be addressed to the department and person indicated in Chapter 18 of this manual. If the claim is incomplete, THE COMPANY shall require the interested party, within five (05) business days following the receipt of the claim, to remedy the deficiencies. siguientes a la recepción del reclamo para que subsane las fallas.
  • Once two (02) months have elapsed from the date of the request made by THE COMPANY without the applicant presenting the required information, it shall be understood that the claim has been withdrawn
  • In the event that the party receiving the claim is not competent to resolve it, they shall transfer it to the appropriate party within a maximum term of two (02) business days and shall inform the interested party of the situation.
  • Once THE COMPANY receives the complete claim, it shall include a legend in the database stating: 'Claim in progress' and the reason thereof, within a term not exceeding two (02) business days. Said legend must be maintained until the claim has been decided.
  • The maximum term for THE COMPANY to address the claim shall be fifteen (15) business days from the day following the date of its receipt.
  • "When it is not possible for THE COMPANY to address the inquiry within said term, it shall inform the interested party, stating the reasons for the delay and indicating the date on which the inquiry will be addressed, which in no case shall exceed five (05) business days following the expiration of the first term.

5.13.3. ENABLED CHANNELS
The rights of the holders may be exercised by the persons indicated above through the channels that have been enabled by THE COMPANY for this purpose, which are available to them free of charge, as follows:

  • Via the email address. servicioalclientebq@colarquim.com. This email address is being protected from spam bots; you need JavaScript enabled to view it.
  • Through THE COMPANY's website. https://colarquim.com/contacto/
  • Customer Service Department. From Monday to Friday, between 8:00 a.m. and 12:00 p.m., and from 2:00 p.m. to 5:00 p.m., which shall only be enabled for the inquiry process.
  • Área de Servicio al Cliente. En el horario de lunes a viernes entre de 8:00 a.m. a 12:00 p.m. y de 2:00 p.m. a 5:00 p.m., el cual solo estará habilitado para el trámite de consulta.
  • At the following address of THE COMPANY: Calle 110 # 75A – 620, Bodega 14, Barranquilla, Atlántico, Colombia.

5.14. DUTIES OF THE COMPANY AS CONTROLLER AND PROCESSOR
Article 17 of Law 1581 establishes the following duties for THE COMPANY, as the controller of personal data processing:

  1. To guarantee the data subject, at all times, the full and effective exercise of the right to habeas data.
  2. Request and keep, under the conditions provided by law, a copy of the respective authorization granted by the holder.
  3. Properly inform the data subject about the purpose of the collection and the rights they have by virtue of the authorization granted.
  4. Keep the information under the necessary security conditions to prevent its alteration, loss, consultation, use or unauthorized or fraudulent access.
  5. Ensure that the information provided to the data controller is truthful, complete, accurate, up-to-date, verifiable and understandable.
  6. Update the information, promptly communicating to the data controller all changes regarding the data previously provided, taking all other necessary measures to ensure that the information provided to the controller remains up-to-date.
  7. Correct the information when it is incorrect and communicate the relevant information to the data controller.
  8. Provide the data processor, as applicable, only with data whose processing has been previously authorized, in accordance with the provisions of the law.
  9. Require the data controller, at all times, to respect the security and privacy conditions of the data subject's information.
  10. Process inquiries and complaints submitted in accordance with the terms established by law.
  11. Adopt an internal manual of policies and procedures to ensure proper compliance with the law and, in particular, for handling inquiries and complaints.
  12. Inform the data controller when certain information is under discussion by the data subject, once the complaint has been filed and the respective process has not yet been completed.
  13. Inform the data subject, upon request, about the use given to their data.
  14. Inform the data protection authority when security code violations occur and there are risks in the management of data subjects' information.
  15. Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

Article 18 of Law 1581 of 2012 establishes the following duties for THE COMPANY, as the entity responsible for processing the personal data of the data subject, without prejudice to the other provisions provided for in said law and in others that govern its activity:

  1. To guarantee the data subject, at all times, the full and effective exercise of the right to habeas data.
  2. Keep the information under the necessary security conditions to prevent its alteration, loss, consultation, use or unauthorized or fraudulent access.
  3. Perform timely updating, rectification or deletion of data.
  4. Update the information reported by the data controllers within five(05) business days from receipt.
  5. Process inquiries and complaints made by the owners in accordance with the terms set out in the law and in this manual.
  6. Adopt an internal manual of policies and procedures to ensure proper compliance with the law and, in particular, to address inquiries and complaints from data subjects.
  7. Register the phrase “Claim in process” in the database in the manner regulated by law.
  8. Insert the legend “Information under judicial discussion” into the database once notified by the competent authority about legal proceedings related to the quality of the personal data.
  9. Refrain from circulating information that is being disputed by the owner and whose blocking has been ordered by the Superintendency of Industry and Commerce.
  10. Allow access to information only to people who are authorized to access it.
  11. Report to the Superintendency of Industry and Commerce when violations of security codes occur and there are risks in the management of the information of the holders.
  12. Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

5.15. SECURITY MEASURES APPLIED TO DATABASE PROCESSING
Information is protected through mechanisms that preserve security, confidentiality, integrity, and availability, in order to prevent its alteration, loss, consultation, unauthorized or fraudulent use or access, using the following mechanisms:"

  • Maintain information under the necessary security conditions to prevent its alteration, loss, consultation, unauthorized or fraudulent use, and access.
  • Data access protection through passwords and roles with different levels of authority.
  • Integrity protection through the implementation of data signatures.
  • Password protection via encryption and bit salting.
  • Ensuring the level of complexity of user passwords.
  • Tracking of all activities performed within the platforms and their data through a detailed log.
  • Recovery and redundancy procedures.
  • Encrypted storage of backup copies.
  • Encryption and password protection for computers used for data handling.
  • Other specific mechanisms.

5.16. PROHIBITIONS
In furtherance of this personal information security regulation, the following prohibitions and sanctions are established as a consequence of their breach:

  • THE COMPANY prohibits the access, use, management, assignment, communication, storage, and any other processing of sensitive personal data without the data subject's authorization.
  • Any employee of THE COMPANY who violates this prohibition shall be subject to the applicable sanctions in accordance with the law.
  • THE COMPANY The assignment, communication, or circulation of personal data is prohibited without the prior, written, and express consent of the data subject. The assignment or communication of personal data must be registered in the central registry of personal data and have the authorization of the database custodian.
  • THE COMPANY prohibits the access, use, assignment, communication, processing, storage, and any other processing of sensitive personal data that may be identified during an auditing procedure in application of the policy on the proper use of IT resources for such purposes. Any sensitive data identified during the auditing process shall be reported to the user of the IT resource. This is for the purpose of having the user proceed to delete them. Should this option not be possible, THE COMPANY shall proceed to delete them in a secure manner.
  • THE COMPANY prohibits the processing of personal data of children and adolescents under the age of majority. Any processing that may be carried out regarding the data of minors must ensure the prevailing rights recognized to them by the Political Constitution, in harmony with the Childhood and Adolescence Code. In cases where such data is processed, authorization must be granted by the minor's legal representatives.
  • THE COMPANY The processing of personal data of children and adolescents under the age of majority is prohibited. Any processing carried out regarding the data of minors must ensure the prevailing rights recognized to them by the Political Constitution, in harmony with the Code of Childhood and Adolescence. In cases where such data is processed, authorization must be granted by the minor's legal representatives.

5.17. DESIGNATION OF THE DEPARTMENT OR PERSON IN CHARGE OF PROCEDURES FOR THE DATA SUBJECT TO EXERCISE THEIR RIGHTS TO PETITIONS, INQUIRIES, AND CLAIMS The responsibility for the proper processing of personal data within THE COMPANY lies with all employees. Consequently, within each area that manages business processes involving personal data processing, they must adopt the rules and procedures for the application and compliance of this regulation, given their status as custodians of the personal information contained in THE COMPANY'S information systems.

Accordingly, the department in charge of processing inquiries, complaints, claims, and petitions related to the processing and protection of personal data of workers, customers, suppliers, and other data subjects managed by THE COMPANY in its databases, shall be the Customer Service Department.

The person in charge shall be:
Name: Geraldine Vergara.
Phone: +57 (605) 377 3010, extension 103.
Email: servicioalclientebq@colarquim.com
Address: Calle 110 # 75A – 620, Bodega 14, Barranquilla, Atlántico, Colombia.
Website: https://colarquim.com/contacto/"

5.18. MODIFICATION OF THE PROCESSING POLICY
THE COMPANY shall inform data subjects in the event of substantial changes to the content of this Personal Data Processing Policy Manual regarding the identification of the controller and/or processor and the purpose of the personal data processing, which may affect the content of the authorization granted by the subjects to THE COMPANY. Likewise, it shall communicate such changes to the data subjects before or, at the latest, at the time of implementation of the new policies.

Furthermore, when the change refers to the purpose of the personal data processing, THE COMPANY shall obtain a new authorization from the data subjects. For this purpose, we have provided a section on the website: https://colarquim.com/manual-de-politicas-para-el-tratamiento-de-datos-personales-de-colarquim-s-a-s/ through which you will be informed about the change, and the latest version of this manual or the mechanisms enabled by THE COMPANY to obtain a copy thereof will be made available to you.

5.19. ENTRY INTO FORCE OF THE PROCESSING POLICYThe present Personal Data Processing Policy Manual was updated on October first (1st), two thousand twenty-four (2024), and shall take effect as of the same date.