The purpose of this manual is to guarantee the fundamental right of Habeas Data to all persons who have provided information subject to such special protection to Ibibo, in performance of its business.
- Information Owner: It is the individual or legal entity to whom the information held in a database refers to and that is subject to the right of habeas data.
- Source of information – Source: It is the person, entity or organization that receives or learns of the Personal Information of the Information Owners, as a result of a business, service or other type of relationship and which, on account of a legal authorization given by the Information Owner, provides such information to an Information Operator, which will in turn deliver it to the end User.
- Information Operator – Operator: The information operator is the person, entity or organization that receives from the Source Personal Information on several Information Owners and manages such information and makes it available to the Users.
- User: The user is the individual or legal entity that has access to the Personal Information of one or several Information Owners provided by the Operator or by the Source, or directly by the Information Owner.
- Personal Information: It is any piece of information associated with one or several determined or determinable persons or that can be associated with an individual or legal entity. The Personal Information may be either public, semi-private or private.
- Public information: It is information classified as such pursuant to law or the Political Constitution and any information not classified as semi-private or private. Public information includes, among others, the information contained in public documents, in duly executed legal rulings that are not subject to confidentiality and information related to the marital status of persons.
- Semi-private information: It is information that is neither intimate nor public in nature, knowledge and disclosure of which may be of interest not only to its owner but also to a certain sector or group of people or society in general, such as financial, credit, business and service information.
- Private information: It is information that because of its intimate or confidential nature is only relevant to its owner.
Capacities in which Ibibo may act:
Ibibo may act in the capacity of Operator, Source or User, as defined in applicable regulations and in this Manual.
When Ibibo acts in the capacity of Source by delivering information directly to Users, rather than through an Operator, Ibibo shall have the dual status of Source and Operator and shall take on the duties and responsibilities of both. When Ibibo acts in the capacity of Source of information, it shall be responsible for the quality of the information provided to the Operator, and since it has access to and supplies third party Personal Information, it shall comply with the established duties and responsibilities to guarantee the protection of the rights of the Owner of the Information.
Whenever Ibibo acts in the capacity of Operator, in that it has access to third party Personal Information, it shall comply with the duties and responsibilities defined by law to guarantee the protection of the rights of the Owner of the Information. If Ibibo acting as operator is itself the Source of the information, and therefore has no business or service relationship with the Owner, it shall not be responsible for the quality of the Information provided to it by the Source.
Whenever Ibibo acts in the capacity of User, in that it has access to third party Personal Information, it shall comply with the established duties and responsibilities to guarantee the protection of the rights of the Owner of the Information. If Ibibo acting in the capacity of user in turn delivers the information directly to an Operator, it shall have the dual status of both User and Source, and shall take on the duties and responsibilities of both.
Personal Information management principles
- Principle of truthfulness or quality of the records or information: The information contained in the databases managed by Ibibo must be truthful, complete, accurate, updated, verifiable and understandable. Ibibo shall refrain from recording or disseminating partial, incomplete, fractioned or misleading information.
- Principle of purpose: Ibibo shall disclose to the Information Owner the purpose for which it collects the information before or at the same time it receives the respective authorization.
- Principle of restricted circulation: In managing Personal Information, Ibibo shall abide by the limitations derived from the nature of the Information, the legal provisions and the Personal Information management principles, particularly the principles of the purpose and timeliness of the information.
- Principle of timeliness of the information: Ibibo will not provide information to Users or third parties when it no longer serves the purpose for which it was gathered.
- Principle of comprehensive interpretation of constitutional rights: In managing Personal Information, Ibibo will interpret applicable regulations to the effect of adequately protecting constitutional rights, such as habeas data, the right to a good name, the right to honor, the right to intimacy and the right to information. Ibibo shall interpret the rights of the Owners in a consistent and balanced manner with the right to information defined in the Constitution and other applicable constitutional rights.
- Principle of security: Ibibo will manage the Personal Information it collects or provides using the technical means required to guarantee the security of the records, preventing their adulteration, loss or unauthorized inquiry or use.
- Principle of confidentiality. Ibibo will ensure that all its staff and employees, advisors and related parties involved in managing non-public Personal Information guarantee the confidentiality of the information, even after their involvement in any information management activity has ended.
Dissemination of the information:
The Personal Information collected or supplied by Ibibo pursuant to the law for Operators may be received orally or in writing, or may be made available to the following persons and in the following terms:
- To the Owners, to the persons duly authorized by the Owners, and their successors by means of the procedure for inquiries established herein.
- To the Users of the information, pursuant to law.
- To any legal authority, subject to a court order.
- To executive branch public entities when knowledge of such information is directly related to fulfillment of any of their duties.
- To control entities and other disciplinary, tax or administrative investigation authorities when such information is required for an ongoing investigation.
- To other Operators, subject to authorization from the Owner, or when such authorization of the Owner is not required, when the target database serves the same purpose as that of the Operator that delivers the information.
- To other persons authorized by law.
Rights of the Information Owners :
The Owners of the Personal Information collected or provided by Ibibo shall have the following rights:
- With Ibibo acting as Operator:
- To exercise the fundamental right to habeas data by means of the procedure for inquiries or claims, without prejudice for any other constitutional and legal mechanisms.
- Request the respect and protection of other legal or constitutional rights by means of the procedure for claims and petitions.
- Request proof of existence of the authorization issued by the Source or the User.
- Request information about the Users authorized to obtain information.
Without prejudice for the fact that management of public information does not require authorization of the Owner, when managing Personal Information Ibibo shall abide by the information management principles.
- With Ibibo acting as Source of the information:
- To exercise the fundamental rights to habeas data and to petition, which may be fulfilled through the Operator, when one exists, pursuant to the inquiries and claims procedures defined herein.
- To request information or to request updates or corrections of information, which will be performed by the Operator based on the information provided by the Source, pursuant to the inquiries and claims procedures defined herein.
- To request proof of authorization, when authorization is required.
- With Ibibo acting as User:
- To request information on the use given to the information by the User, whenever such information has not been provided by the Operator, or when an Operator is not required.
- To request proof of authorization, when authorization is required.
With Ibibo acting as User:
Ibibo shall have the following duties when it acts in the capacity of Operator for Personal Information:
- To make available at all times to the Information Owner the possibility to fully and effectively exercising the right to habeas data and to petition, i.e. the right to review information about him/her that exists or is stored in the database, and to request that such information be updated or corrected, which shall be carried out through the mechanisms of inquiries or claims, as described herein.
- To ensure that the collection, treatment and dissemination of information respect all other rights of the Owners, according to law.
- To allow access to the information only to persons who, in accordance with legal provisions, are allowed to have access to it.
- To comply with this policies and procedures manual, which ensures adequate fulfillment of the Owners’ fundamental rights to habeas data and to petition.
- To request the Source to provide proof of the authorization granted by the Owner, when such authorization is required.
- To maintain adequate security over stored records to prevent their impairment, loss, alteration or unauthorized or fraudulent use.
- To perform periodic and timely updates and corrections to the Information, each time the Sources report new information.
- To process any petitions, inquiries and claims submitted by the Information Owners, in the terms set forth in this manual.
- To indicate in the respective individual record that certain information has been questioned by the Owner, whenever a request to correct or update the information has been made and the process has not yet been completed.
- To disseminate the information to the Users pursuant to the terms set forth in this manual and to legal requirements.
- To abide by the instructions and requirements issued by the oversight authority regarding legal compliance, in reference to the fundamental right of Habeas data.
Duties of Ibibo acting as Source of information
Ibibo shall fulfill the following duties when acting as Source of information:
- To ensure que the information provided to the Operators of the databases or to the Users is truthful, complete, accurate, updated and verifiable.
- o report in a periodic and timely manner to the Operator any new information it has received and to take all steps required to ensure that the information provided is updated.
- To correct any incorrect information and duly inform the Operators.
- To report the information to the Operator in a timely manner.
- When required, to request and maintain copies of the authorizations granted by the Information Owners, and ensure that no information that has not been previously authorized is provided to the Operators when such authorization is required.
- To certify on a semiannual basis to the Operator that the information provided has been duly authorized, when authorization is required.
- To address any claims and petitions of the Owner pursuant to the provisions of this manual and legal requirements.
- To report to the Operator that certain information has been questioned by the Owner, whenever a request to correct or update the information has been made and the process has not yet been completed, in order for the Operator to include a note in the database to this effect until the process is finalized.
- To abide by the instructions and requirements issued by the oversight authority regarding legal compliance, in reference to the fundamental right of Habeas data.
Duties of Ibibo acting as User of Personal Information
Ibibo shall fulfill the following duties when acting as User of Personal Information:
- To maintain the confidentiality of the information provided by Operators of the databases, by the Sources or by the Information Owners and use the information solely for the purposes for which it as provided.
- To inform the Owners, at their request, of the use given to the information.
- To maintain adequate security over the information received to prevent its impairment, loss, alteration, or unauthorized or fraudulent use.
- To abide by the instructions and requirements issued by the oversight authority regarding legal compliance, in reference to the fundamental right of Habeas data.
The purpose of this policies and procedures manual is to ensure that the treatment of the Personal Information that is received, requested or delivered by Ibibo and that may be subject to treatment according to law is performed in abidance of the legal protection prescribed to this effect, and especially guaranteeing the rights of the Owners of the Information.
- Authorization: Prior, express and informed consent of the Owner to perform the Treatment of Personal Information.
- Privacy notice: A physical, electronic or other type of document issued by the Responsible Party that is made available to the Owner for the treatment of his/her Personal Information. In the Privacy Notice, Ibibo will communicate to the Owner information regarding the existence of the applicable policies on treatment of information, the way in which it is accessed and the characteristics of the intended treatment to be given to the Personal Information.
- Database: Organized set of Personal Information that is subject to Treatment.
- Personal Information: Any information that is or may be linked to one or several determined or determinable individuals.
- Private information: It is information that because of its intimate or confidential nature is only relevant for the Owner.
- Sensitive information: It is defined as information that affects the intimacy of the Owner or whose improper use may cause discrimination, such as data indicating racial or ethnic origin, sexual orientation, religious or philosophical persuasion, membership of unions, social organizations, human rights organizations, or that promotes the interests of any political party or that guarantees the rights of opposition political parties, as well as information related to health, sexual life and biometric data.
- Party in Charge of Treatment: A person who alone or in collaboration with others performs the Treatment of Personal Information on behalf of the Party Responsible for Treatment. Ibibo may perform treatment of its own Personal Information through persons in charge.
- Party Responsible for Treatment: A person who alone or in collaboration with others makes decisions related to the database and/or the Treatment of information. According to law, Ibibo is Responsible for the Treatment of the Personal Information contained in its databases.
- Owner: Individual whose Personal Information is subject to Treatment.
- Treatment: Any operation or set of operations performed on Personal Information, such as their collection, storage, use, dissemination or deletion.
- Responsible Party:
- Name: Ibibo Group Colombia S.A.S.
- City: Bogotá Carrera 7 No. 116-50 Edificio Wework, piso 2, oficina 152.
- E-mail: firstname.lastname@example.org
- Area in charge: Customer Service and Marketing Department.
- Ibibo will communicate to the Owners any changes in its Privacy Policies prior to their implementation.
Principles for the Protection and Treatment of Personal Information
In the implementation, interpretation and performance of the policies on the protection and Treatment of Personal Information, Ibibo shall follow the following principles:
- Principle of rule of law: Treatment is a regulated activity that must abide by legal requirements.
- Principle of purpose: Treatment must be made for legitimate purposes in abidance of the Constitution and the Law, which Ibibo shall inform to the Owner.
- Principle of freedom: Ibibo will only perform Treatment with the prior, express and informed consent of the Owner. Ibibo will not obtain or disclose Personal Information without prior authorization, or without a legal or judicial mandate that waives consent.
- Principle of truthfulness or quality: The information subject to Treatment must be truthful, complete, accurate, updated, verifiable and understandable. Ibibo will not perform Treatment of partial, incomplete, fractioned or misleading information.
- Principle of transparency: During Treatment, Ibibo will guarantee the right of the Owner to obtain from the Party Responsible for Treatment or from the Party in Charge of Treatment, at any time and without restrictions, information on the existence of information concerning the Owner.
- Principle of access and restricted circulation: Treatment by Ibibo will abide by the limits derived from the nature of the Personal Information, legal provisions and the Constitution. In this sense, Treatment by Ibibo will only be performed by persons authorized by the Owner and/or by persons authorized to do so by law.
- Principle of security: The information subject to Treatment by the Party Responsible for Treatment or the Party in Charge of Treatment (depending on the capacity in which the party is acting or the arrangement used), must be managed with all technical, human and administrative means required to maintain the security of the records to avoid their adulteration, loss, or any unauthorized or fraudulent query, use or access.
- Principle of confidentiality: All persons involved in the Treatment of Personal Information that is not public in nature are under the obligation of guaranteeing the confidentiality of the information, even after they are no longer involved in any of the tasks related to Treatment, and must only provide or communicate the Personal Information for performance of the activities authorized by law.
- Pursuant to the principles of purpose and freedom, the information collected by Ibibo will be limited to the Personal Information that is relevant and suitable for the purpose for which it is gathered or required, according to applicable regulations. Except in cases expressly provided for by law, Ibibo will not collect any Personal Information without authorization from the Owner.
Persons to whom information can be provided
Ibibo may provide the Personal Information under its management to the following persons:
- To the Owners, their successors or their legal representatives;
- To public or administrative entities in performance of their legal duties or by court order;
- To the third parties authorized by the Owner or by law.
Treatment of Sensitive Personal Information
Law 1581/2012 prohibits the Treatment of sensitive information except in the following cases: (i) when the Owner grants consent, (ii) the Treatment is required to safeguard the vital interests of the Owner and the Owner is physically or legally disabled, (iii) the treatment is performed in the course of legitimate activities and with proper guarantees by a foundation, NGO, association or any other not-for-profit organization with political, philosophical, religious or trade union purposes, as long as it refers exclusively to their members or persons who are in permanent contact with it in connection with its purpose, (iv) the Treatment involves information that is necessary in order to recognize, exercise or defend a right in legal proceedings, and (v) the Treatment has a historical, statistical or scientific purpose; in the latter case, steps must be taken to suppress the identity of the Owners.
Treatment of the Personal Information of children and adolescents:
It should be noted that even though Law 1581/2012 prohibits the treatment of the Personal Information of children and adolescents, except information that is public in nature, the Constitutional Court has further specified that regardless of the nature of the information, information treatment may be performed “as long as the intended purpose of such treatment is in the higher interests of the children and adolescents and that assurances are provided without exception that their prevailing rights will be respected.”
To such effect, Ibibo, its employees, executives and persons responsible shall take into consideration that the Treatment of the Personal Information of minors must be performed in their higher interests and must guarantee respect for their fundamental rights, such as the promotion, protection and recovery of health.
When the authorization for treatment of information is granted through a representative, the representative shall guarantee the right of the minor to be listened to prior to granting the authorization and shall assess the minor’s opinion taking into consideration his/her level of maturity, autonomy and capacity to understand the matter.
Additionally, the following roles are included in this document:
Personal Information Database Manager: An Ibibo employee or person in charge who performs the Treatment of one or more databases that contain Personal Information.
The Customer Service and Marketing Department will coordinate, process and reply to petitions, complaints and claims related to the law of protection of Personal Information submitted by the Owners to Ibibo.
The Purpose and the Treatment the Personal Information will be Subject to
Ibibo performs treatment on the Personal Information of its customers, users, partners, employees, executives, contractors and suppliers in performance of its business. Such treatment is performed directly through its employees and executives, or through parties that have been contracted to this effect.
It also shares the information with third parties located in Colombia and abroad, with whom it has entered into contracts to transfer and/or transmit Personal Information, as the case may be, with the objective of maintaining the information safe and protected in accordance with applicable rules and standards and in abidance of applicable regulations on this matter.
At any time, the Owners may, at no charge, review, update, amend or correct their Personal Information.
The Treatment of information includes the collection, storage, management, use, transfer, transmission and destruction of information, in the manners allowed by law, and is performed with the following specific purposes:
- To promote and advertise the products and services offered by Ibibo to the public, through:
- Replies to user inquiries;
- Follow-up and assessment of the service provided to each customer, based on each customer’s specific experience;
- Mailing of information and contents of specific interest;
- Offers of personalized services to each user based on the collected information and their specific interests.
- To maintain periodic and effective communications with the users of our platform, customers, members, employees, executives, suppliers and any other person for whom we are authorized to perform Treatment of their Personal Information, by means of:
- Offers and promotions, by any means, of the services offered by Ibibo, by affiliated companies or any other company;
- Mailing of invitations to participate in projects, studies and/or events organized by Ibibo, its affiliated or related parties, as well as any other company with any type of connection with the services provided through the platform.
- To achieve adequate provision of the services offered by Ibibo by means of:
- Enabling access to information on petitions, complaints and claims submitted by users, customers, partners, contractors and suppliers in connection with Ibibo’s business activities.
- Accounting, administrative, business, information, and sales and marketing uses.
- Transmission of Personal Information to those in charge of storage in servers located in and/or outside of Colombia.
- Any other purpose depending on the relationship between the Owners of the Personal Information and the company.
Duties of the Party Responsible for Treatment:
Whenever Ibibo acts in the capacity of Party Responsible for Treatment of Personal Information, it shall be responsible for performing the following duties:
- To assure to the Owner, at all times, the full and effective exercise of the right to habeas data.
- To request and maintain, in the conditions prescribed by law, copies of the respective Authorizations granted by the Owners.
- To duly inform the Owner of the purpose of the collection of Personal Information and of the rights associated with the authorization that is granted.
- To maintain the information under adequate security conditions to prevent its adulteration, loss, or any unauthorized or fraudulent query, use or access.
- To ensure that the information provided to the Party in Charge of Treatment is truthful, complete, accurate, updated, verifiable and understandable.
- To update the information, communicating in a timely manner to the Party in Charge of Treatment any new information related to previously reported information, and to take all steps required to ensure that the information provided remains updated.
- To correct any incorrect information and report the corrections to the Party in Charge of Treatment
- To provide the Party in Charge of Treatment only information whose Treatment has been previously authorized as prescribed by law.
- To require the Party in Charge of Treatment to respect at all times the security and privacy of the Owner’s information.
- To process the inquiries and claims submitted in the terms specified in legal provisions.
- To adopt an internal policies and procedures manual to ensure adequate compliance with the law, and particularly to address any inquiries and claims.
- To inform the Party in Charge of Treatment when any information has been questioned by the Owner, once a claim has been submitted and the respective process has not been finalized.
- To inform the Owner of the use given to his/her information, upon request.
- To report to the information protection authority any breach to the security codes and whenever management of the Owners’ information may be at risk.
- To abide by the instructions and requirements issued by the oversight authority regarding legal compliance, regarding the protection and Treatment of the Personal Information.
Rights of the Owners:
The Owners of Personal Information shall have the following rights:
- To review, update and correct their Personal Information held by the Parties Responsible for Treatment or in Charge of Treatment. This right may be exercised, among other reasons, in connection with information that is partial, inaccurate, incomplete, fractioned, misleading, or information whose Treatment is expressly prohibited or has not been authorized.
- To request proof of the authorization given to the Party Responsible for Treatment, except when no authorization is required for Treatment, as expressly provided for by law.
- To be informed by the Party Responsible for Treatment or the Party in Charge of Treatment, upon request, on the use given to their Personal Information.
- To submit to the oversight and control body complaints for breach of the provisions of the aforementioned law and any other provisions that amend, supplement or complement it.
- To revoke the Authorization and/or request the suppression of information when the Treatment does not abide by the legal and constitutional principles, rights and guarantees. Such revoking and/or suppression shall be performed when the oversight and control entity has determined that the Party Responsible or in Charge of Treatment has incurred in conducts that run counter to the Constitution or the law.
- To have access free of charge to their Personal Information that has been subject to Treatment.
- Ibibo shall maintain proof of the authorization granted by the Owners of Personal Information for its respective Treatment.
Policies adopted by Ibibo for the protection and treatment of Personal Information:
Ibibo has adopted the following policies for the protection and Treatment of Personal Information:
- Compliance with all applicable Colombian regulations containing provisions on the protection of Personal Information.
- Ibibo performs the treatment of Personal Information, to which end it must obtain Authorization by means of a physical, electronic, text message, internet, or website document, or by telephone or verbally or by any other means that provides subsequent unequivocal proof that without the consent of the Owner the information would have never been obtained and stored in electronic or physical media. It may also be obtained through clear and unequivocal behaviors of the Owner that enable to reasonably conclude that the Owner has given consent to manage the Personal Information.
- Ibibo shall request the authorization of the Owners of the Personal Information and shall maintain proof of such authorization.
- Any treatment of Personal Information performed by Ibibo must be related to the purposes indicated in the authorization granted by the Owner, when the situation warrants it.
- The Personal Information submitted to Treatment must be truthful, complete, accurate, updated, verifiable and understandable. Ibibo shall maintain the information in these conditions as long as the Owner reports any new information in a timely manner.
- Treatment of the Personal Information will only be performed by Ibibo staff members who are authorized to do so, or whose assigned responsibilities include performance of such activities, or by the Persons in Charge.
- Ibibo will not make available any Personal Information to be accessed through Internet or any other mass media, except in the case of public information or when technical measures are implemented that enable controlling access and restricting it only to persons authorized by law or by the Owner.
- Any Personal Information that is not Public information will be treated as confidential by Ibibo, even when the contractual relationship or the relationship between the Owner of the Personal Information and Ibibo has ended.
- The Owner, directly or through duly authorized persons, may review his/her Personal Information at any time, and especially each time amendments are made to the Privacy Policies.
- Ibibo will provide, update, ratify or suppress the Personal Information at the request of the Owner in order to correct information that is partial, inaccurate, incomplete, fractioned or misleading, or that has been treated prior to the enactment of the law and which has not been Authorized or that is prohibited.
- When a request for information is made, either by a petition, inquiry or claim by the Owner, on the manner in which the Personal Information is used, Ibibo must provide such information.
- At the Owner’s request, and when no legal or contractual obligation exists for it to remain in the databases of Ibibo, the Personal Information must be deleted. In the event partial revoking of the Authorization for Treatment of Personal Information is ordered for certain purposes, Ibibo may continue to use the information for other purposes to which such revoking does not apply.
- The policies established by Ibibo on Treatment of Personal Information may be amended at any time. All amendments shall abide by applicable regulations and shall become effective as of the date of publication through the means made available by Ibibo for Owners to learn of the policy on treatment of the information and the changes made to the policy.
- The Personal Information will only be Treated during the time and as long as the purpose for such treatment warrants it.
- Ibibo will be even more rigorous in applying the policies on treatment of the information in the case of the Personal Information of children and adolescents, to ensure the protection of their fundamental rights.
- The Personal Information subject to Treatment must be managed providing all the human and technical means required for its protection, providing security to ensure that it cannot be copied, adulterated, deleted, queried or used in any way without authorization or for fraudulent uses.
- When any task related to the Treatment of Personal Information by third parties, contractors or Parties in Charge of Treatment is completed, and even after their contractual relationship with Ibibo has ended, they shall be under the obligation of maintaining the confidentiality of the information, in accordance with applicable legislation.
- Ibibo shall not transfer Personal Information to countries that do not have adequate information protection standards, according to the standards published by the SIC.
- The Owner of the Personal Information may exercise his/her rights primarily through the submission of inquiries and claims to Ibibo, through the e-mail address: email@example.com
- When a Party in Charge of Treatment of Personal Information exists, Ibibo must ensure that the information provided to it is truthful, complete, accurate, updated, verifiable and understandable. Additionally, it will report any appropriate new information in a timely manner to ensure that the information is always updated.
- f a Party in Charge of Treatment of Personal Information exists, Ibibo shall provide, if appropriate, only Personal Information whose Treatment has been authorized by the Owner, when such authorization is required.
- Ibibo will report to the Party in Charge of Treatment of Personal Information, if one exists, when certain information has been questioned by an Owner, once a claim has been submitted and the respective process has not yet finalized.
- When a Party in Charge of Treatment of Personal Information exists, it will be required to respect at all times the conditions of security and confidentiality of the information of the Owner established by Ibibo.
Time Limits to the treatment of Personal Information:
Ibibo will only gather, store, use or disseminate the Personal Information during the time it is reasonable and necessary to do so, depending on the purposes of treatment, pursuant to legal provisions on the matter and administrative, accounting, tax, legal and historical aspects of the information.
Once the purpose of treatment has been fulfilled, Ibibo or the Party in Charge of Treatment, as appropriate, shall suppress the Personal Information in their power. Notwithstanding the above, the Personal Information must be preserved, when required, to fulfill legal or contractual obligations.
Ibibo Group Colombia SAS, without prejudice for the exceptions provided for by law, for the effects of performing the Treatment of Personal Information, shall obtain from the Owner prior and informed consent, which must be obtained by any means that may be subsequently verified.
Ibibo, in its capacity of Party Responsible for Treatment of Personal Information, shall establish mechanisms to obtain the authorization of the owners or other parties authorized by law that ensure the possibility of verification. Such mechanisms may be pre-established through technical means that facilitate an automated statement by the Owner.
The authorization must be given: (i) in writing, (ii) orally, or (iii) by means of unequivocal conducts of the Owner that enable reasonably concluding that Authorization was granted.
Ibibo shall maintain proof of the Authorization granted by the Owners for Treatment of their Personal Information.
- Cases in which authorization is not required
Ibibo does not require Authorization of the Owner for the Treatment of Personal Information in the following cases:
- Information required by a public or administrative entity in performance of its legal duties or by court order;
- Information of a public nature;
- Cases of medical or health emergencies;
- Treatment of information authorized by law for historic, statistical or scientific purposes;
- Information related to the Civil Registration of persons.
- Information to the Owner
When Ibibo acts in the capacity of Party Responsible for Treatment, whenever it requests the Owner’s Authorization, it must clearly and expressly inform the following:
- The Treatment to be given to the Personal Information and its purpose;
- The voluntary nature of the responses given to the questions that are made, when they are related to sensitive information or information on children and adolescents;
- The rights of the Owner;
- The identification, physical or e-mail address and telephone number of the Party Responsible for Treatment.
Ibibo shall maintain proof of fulfillment of the items in this section and will provide the Owner copy of such information upon request.
Procedure for Owners to exercise their rights
The Owners de Personal Information should address their inquiries, requests or claims in writing to the e-mail address firstname.lastname@example.org. To this effect, they may use the Requests and Claims on Treatment of Personal Information Form attached hereto (See Annex I).
- Procedure for requests and inquiries:
The Owners or their successors may review the Personal Information of the Owner that is held in any database managed by Ibibo. The Party Responsible for Treatment or the Party in Charge of Treatment must provide them all the information contained in the individual records or information that is linked to the identification of the Owner.
Ibibo must address the requests and inquiries within a term of ten (10) business days from the date of receipt of the request. If such deadline cannot be met, the interested party must be informed, indicating the reasons for the delay and the date on which a reply will be given to the request or inquiry, which must not be later than five (5) business days from the expiration of the initial term.
- Procedure for claims
Any Owner or his/her successor who considers that the information contained in a database must be corrected, updated or suppressed, or who claims non-compliance with any of the duties prescribed by law or in this policy, may submit a claim to Ibibo, which shall be processed in accordance with the following rules:
A request for correction must include as a minimum the following information:
- The name and address of the Owner, or any other means to receive the reply, and the name and address of the Owner’s legal representative, if acting through one.
- The documents that demonstrate the identity of the owner or the power of his/her representative.
- A clear and precise description of the Personal Information regarding which the Owner seeks to exercise his/her rights.
- If appropriate, any other attachments or documents that facilitate the identification of the Personal Information.
The claim should be addressed to the Office for the Protection and Treatment of Personal Information, through the Customer Service and Marketing Department. If the claim is incomplete, the interested party will be requested to correct the claim within five (5) days from its reception. If the interested party fails to provide the requested information within two (2) months from the date of the request, it shall be deemed that he/she has desisted from the claim.
Once the complete claim has been received, a note will be included in the database stating "claim in progress" and its reason, no later than within two (2) business days. Such note shall remain in place until the claim is resolved.
The maximum term for addressing the claim shall be fifteen (15) business days from the date of its receipt. If the claim cannot be addressed within such term, Ibibo will inform the interested party of the reasons for the delay and the date on which the claim will be addressed, which under no circumstance shall be later than eight (8) business days from the expiration of the initial term.
- Procedure to revoke an Authorization and/or a request to suppress information:
The Owners may request Ibibo at any time to suppress their Personal Information and/or to revoke the authorization granted for Treatment, by means of submission of a claim, as described in this manual.
If Ibibo should fail to delete the Personal Information within the specified term, the Owner shall be entitled to request the oversight and control authority to order revoking the authorization and/or to suppress the Personal Information.
Notwithstanding the above, a request to suppress information or to revoke authorization shall not apply when the Owner has a legal or contractual duty to remain in the database.
Amendments and Effectiveness
Any amendments made to this policy shall be published on the website and shall become effective in five (5) business from the date of publication.