Company name: redBus
E-Mail Address: firstname.lastname@example.org
Responsible Area: Office for the Protection and Processing of the Personal Data of redBus.
- For purposes of the application of the rules set forth herein and as provided for in Article 3 of Law 1581 of 2012, the following words shall have the meanings specified below:
- Authorization: It shall mean the User’s prior, express and informed authorization to carry out the personal data Processing.
- Privacy Notice: It shall mean a physical, electronic or any other form of document created by the Responsible for Personal Data Processing , which is made available to the User for the processing of its personal data. Through the Privacy Notice, the User is provided information related to the existence of the specific data processing policies which shall be applicable to it, the manner for accessing such policies and the processing characteristics intended to be given to personal data.
- Data Base: It shall mean an organized set of personal data that is the subject of Processing.
- Personal Data: It shall mean any information that is linked or may be linked to one or several individuals now or hereafter determined;
- Private Data: It shall mean the data which, due to its confidential or private nature, is relevant only to the User.
- Sensitive Data: It shall be construed as the data which affects the intimacy of its User or whose undue use might cause the latter’s discrimination, such as data which discloses racial or ethnic origin, political orientation, religious or philosophical convictions, affiliation to unions, social organizations, human rights organizations, or which promotes the interests of any political party or which warrants the rights and guaranties of the opposing political parties, as well as data related to health, sexual life, and biometric data.
- Person(s) In Charge of Data Processing: It shall mean a public or private individual or legal entity which by itself or in association with others, shall handle the Processing of personal data on behalf of the Data Processing Responsible.
- Person(s) Responsible for Data Processing: It shall mean a public or private individual or legal entity which by itself or in association with others, shall decide upon the data base and/or the Processing of data.
- Subject of Personal Data: It shall mean an individual or User whose personal data is the subject of Processing.
- Processing: It shall mean any operation or set of operations related to personal data, such as the collection, storage, use, flow or deletion thereof.
Processing of Personal Data of Infants and Teenagers::
In compliance with Article 7 of Law 1581 of 2012, the processing of infants and teenagers’ personal data shall be done within the framework of the aforesaid purposes and in line with the requirements set out in Article 220.127.116.11.2.9 of Decree 1074 of 2015 and Ruling C-748 of 2011 from the Constitutional Court.
To such effect, redBus its employees, officers and responsible individuals shall bear in mind that the processing of the personal data of infants and teenagers shall serve the latter’s best interests and shall ensure respect for their fundamental rights such as the promotion, protection and recovery of health.
When the authorization for the processing of data is granted through a representative, the representative shall guarantee the infants and teenagers’ exercise of its right to be heard prior to the granting of the authorization and shall rate the infants and teenagers’ opinion taking into account its maturity, autonomy and capacity to understand the issue.
The individuals responsible for and in charge of the processing of the infants and teenagers’ personal data shall ensure the proper use of data and shall enforce the principles and obligations embodied in Law 1581 of 2012 and in Unique Decree 1074 of 2015.
Principles for the Processing of Personal Data:
- In the development, interpretation and application of this policy, the following principles will be applied in a harmonious and comprehensive way:
- Principle of Rule of Law in Data Treatment: The treatment of data is regulated by Law 1581 of 2021 and by Decree 1074 of 2015;
- Principle of Legitimate Purpose: The treatment of data should follow a legitimate purpose in accordance with the Constitution and the Law, which must be reported to the Subject of Personal Data.
- Principle of Prior Informed Consent: The treatment of data may only be exercised with the previous, express and informed consent of the User. Personal Data may not be obtained or disclosed without prior authorization, or in its absence, of a legal or judicial mandate that dismisses such consent.
- Principle of Accuracy: The data which undergo of processing must be truthful, complete, accurate, current, verifiable, and understandable. Treatment of partial, incomplete, fragmented or misleading data is prohibited, unless the User has authorized it.
- Principle of Transparency: The User shall be guaranteed its right to access, at any time and without any restrictions, the information related to its personal data stored in the data bases of redBus.
- Principle of Restricted Access and Dissemination: As personal data does not have a public nature, it may also be available at the Internet or other means of massive communication when the access to them is technically controllable by redBus and may be accessed only in a restricted manner by the User, by whoever it may authorize and/or by people specified by the Law;
- Safety Principle: The data subject to processing by those responsible for or in charge of such processing should be handled in accordance with the technical, human and administrative standards required to guarantee the protection of the information, in order to avoid adulteration, loss, consultation, use or unauthorized or fraudulent access.
- Principle of Confidentiality: All individuals involved in the processing of personal data that is not public in nature are obliged to ensure the confidentiality of such data even after their connection with any of the tasks comprised in the data processing; they are only authorized to furnish or communicate personal data when this involves the performance of activities authorized by the Law.
Processing to which Data shall be Subjected:
As part of its activities redBus processes the personal data of its customers, users, partners, employees, officers, contractors and suppliers. It does so directly, through its employees, officers, or through agents who have been entrusted this task.
It also shares the data with third parties located in Colombia and abroad, with whom it enters into contracts for the transfer and/or conveyance of personal data, as applicable, in order to keep the data safe and protected in accordance with the applicable rules and standards.
redBus has the obligation to keep strictly confidential any personal data subject to processing, and shall only disclose such data on an express request from the surveillance and control entities, and from those authorities, which are legally empowered to request same.
At all times, Users shall be authorized to take notice of, update, amend, and correct their personal data free of cost, pursuant to Article 8 of Law 1581 of 2012.
In compliance with the principle of purpose, the collection of personal data by redBus, the latter is restricted to such personal data that is pertinent and appropriate to comply with the purposes expressed in this policy. Except for those cases expressly provided by the Law, no personal data may be collected without the Users’ authorization.
- The processing of data includes the collection, storage, administration, utilization, transfer, transmission and destruction of data in the manner permitted by Law and is accomplished for the following specific purposes:
- Promotion and advertising of the Products and Services offered by redBus to the public:
- Providing responses to the questions made by Users;
- Elaborating on, monitoring and assessing the service provided to each customer, in accordance with the particular experience;
- Submitting information and contents of specific interest.
- Offering customized services to each User, in line with the collected information and the particular interests.
- Keep periodical and effective communications with the Users of the redBus platform; the customers, affiliates, employees, officers, suppliers, and with any individuals whose personal data was authorized to be handled:
- Offering and promoting, by any means, the redBus services rendered by related companies or by any legal entity or firm;
- Sending invitations to take part in projects, studies and/or events organized by redBus, related companies and third parties, with regard to the services rendered through the platform.
- Ensure an adequate provision of the services offered by redBus, including the following:
- Granting access to the information on requests, complaints and claims filed by Users, clients, partners, contractors and vendors, in connection with the activities performed by redBus.
- Providing support with accounting, administrative, commercial, informative, marketing and sales matters.
- Transmitting the personal data to the individuals responsible for its storage in servers located within and/or outside of Colombia.
- Any other purpose that may be pertinent, according to the link created between the Users and the company.
Duties of those responsible for the Processing of Personal Data:
- redBus, in the exercise of its activities as Responsible for the Processing of Personal Data, must comply with the following duties:
- Ensure that the User, at any time, is entitled to the full and effective exercise of the right of habeas data.
- Order and maintain, under the conditions established by the current law, a copy of the respective authorization granted by the User.
- Duly inform the User about the purpose of the data collection and the rights that he or she is entitled to, under the authorization granted by him or her.
- Keep the data under the safety conditions required to prevent its tampering, loss, consultation, use or unauthorized or fraudulent access.
- Ensure that the information supplied to those in charge of Data Processing is truthful, complete, accurate, current, verifiable, and understandable.
- Update the information and report in time to those in charge of Data Processing any relevant developments with respect to the data that was previously provided to them, and adopt other measures necessary in order to keep them updated.
- Correct the information if it is inaccurate and report anything deemed relevant to those in charge of Data Processing.
- Provide those in charge of Data Processing, as applicable, only data which processing has been previously authorized in accordance with the provisions of this policy or the current law.
- Demand from those in charge of Data Processing to at all times that they are obliged by the security and privacy standards applicable to the Users’ data.
- Deal with any inquiries and complaints that may have been filed in accordance with the terms set out in this policy.
- Adopt an internal manual of policies and procedures to ensure due compliance with the la, especially for answering inquiries and complaints.
- Inform those in charge of Data Processing when certain information is under discussion by the User, once the claim has been submitted and the corresponding procedure has not been completed.
- Inform, upon request of the User, about the use given to its data.
- Inform the authority responsible for data protection about any violations made to safety codes and if there are any risks associated with the administration of the User’s data.
- Comply with the instructions and requirements imparted by the Superintendency of Industry and Commerce.
Duties of those In Charge of Personal Data Processing
- Within the normal course of its activities, redBus is In Charge of the Treatment of Personal Data; in other words, it processes personal data on behalf of those who are responsible for the processing and, as a result, it has the following duties:
- Ensure the User, at any time, the full and effective exercise of the right of habeas data.
- Fulfill all safety standards when storing the data so as to prevent tampering, loss, consultation, use or unauthorized or fraudulent access.
- Make proper updates, adjustments or deletion of information under the terms established by the Law.
- Update the information reported by those in charge of Data Processing within five (5) business days from its receipt.
- Deal with the inquiries and complaints put forward by the Users, by following the guidelines set out in the current law.
- Adopt an internal manual of policies and procedures to ensure proper compliance with the current law and, especially, the consultations and complaints made by the Users.
- Register in the database the label “claim in process” in accordance with current legislation.
- Insert into the database the label “information under legal review” once notified by the competent authority about judicial proceedings related to the quality of personal Data.
- Refrain from disseminating information not controverted by the User, and which the Superintendency of Industry and Commerce have ordered its blockage.
- Allow access to information only to individuals who have been granted access to the same.
- Inform the authority responsible for data protection when violations of safety procedures are present and if there are any risks associated with treatment of User’s data.
- Comply with the instructions and requirements imparted by the Superintendency of Industry and Commerce.
Rights of Users
- The Users shall have the following rights:
- Have knowledge, access at no cost, update, and correct their personal data with those responsible for or in charge of data processing. This right may be exercised, among others, if there are partial, inaccurate, incomplete, misleading or fragmented data, or is data which treatment is expressly prohibited or unauthorized.
- Request proof of the authorization granted to those responsible for the processing of Data unless it is expressly excepted as a requirement for such processing, pursuant to the provisions of Article 10 of Law 1581 of 2012.
- Be informed by those responsible or in charge of the processing, upon request, about the use given to their personal data.
- Submit complaints for law infringements before the competent authorities.
- Revoke the authorization and/or request the deletion of data whenever data is processed without any respect for the principles, rights, or the constitutional and legal guarantees. The revocation and/or deletion will apply when the Superintendency of Industry and Commerce has determined that during the Processing, those Responsible or in charge engaged in behaviors contrary to the Constitution and the law.
According to Article 18.104.22.168.2.6 of Unique Decree 1074 of 2015, the request for the deletion of data and the revocation of the authority shall not apply when the User has a legal or contractual duty to remain at the data base.
Procedure for the Exercise of Rights by the Users
- The Users must address their applications or claims to the electronic mail address email@example.com. To such effect, they will use the Application and Claim Form on the Treatment of Personal Data, which is available to be requested directly from redBus (See Annex I).
- Procedure for applications and requests: redBus must handle the applications and consultations within a period of ten (10) business days counted as from the date on which the application or consultation is received. Whenever it is not possible to meet this deadline, the interested party should be informed and provided a detail of the reasons for the delay, as well as the date on which the application or consultation shall be handled within a period that shall not exceed five (5) business days following the expiration of the first period.
- Procedure in the event of claims: The User or his successor who considers that the information contained in a data base must be corrected, updated or deleted, or whenever he notices an alleged breach of any of the duties set forth in the law or in this Policy, must file a claim with redBus, which shall be expedited under the following rules:
- The application for correction, updating or deletion must be filed through the means provided by redBus, including the Application Form for Requests and Claims on the Processing of Personal Data (see Annex I) referred to in the notice of privacy, and shall contain, at a minimum, the following information:
- The name and address of the User or any other means to receive the response, and the name and address of the User or of its legal representative if it is acting through the latter.
- The documents proving the identity or character of its representative.
- A clear and accurate description of the personal data in respect of which the User is seeking to exercise any of the rights.
- If applicable, other items or documents that may facilitate the location of the personal data.
- The claim shall be addressed to the Office for the Protection and Processing of Personal Data, and shall bear the identification of the User, the description of the facts giving rise to the claim, the address, and shall attach the documents whose enforcement is sought. If the claim is incomplete, the incumbent shall be required, within five (5) days following the receipt thereof, to correct the deficiency. Following two (2) months as from the date of the requirement without the applicant having submitted the required information, it shall be understood that the Usero have waived the claim.
- Once the full claim has been received, it shall be included in the data base with a label reading “claim in process”, as well as the reason for the claim, within a period not to exceed two (2) business days. Such label shall be maintained until the claim is decided upon.
- The maximum period to handle a claim shall be fifteen (15) business days counted as from the day following the date of its receipt. Whenever it is not possible to handle the claim within this timeframe, the incumbent shall be informed about the reasons for the delay and the date on which its claim shall be handled, same which in no event shall exceed eight (8) business days following the expiration of the first period.
- Procedure for the revocation of the authorization and/or application for the deletion of data:
The Users may at any time request from redBus the deletion of their personal data and/or revoke the authorization granted for the Processing thereof, through the submission of a claim, as provided for in Article 15 of Law 1581 of 2012, Unique Decree 1074 of 2015 and the Procedure set out in this Policy.
If, upon expiration of the relevant legal term, redBus has not deleted the personal data, the User shall be entitled to request from the Superintendency of Industry and Commerce a order of revocation of the authorization and/or the deletion of the personal data.
Notwithstanding the foregoing, according to Article 22.214.171.124.2.6 and 126.96.36.199.2.8 of Unique Decree 1074 of 2015, the application for deletion of the data and the revocation of the authorization shall not be applicable when the User has a legal or contractual right to remain in the data base.
Temporary Limitations on the Processing of Personal Data
redBus may only collect, store, use or distribute the personal data during a time that is reasonable and necessary, in line with the purposes that justified such a processing, with due regard to the provisions applicable to the underlying matter and to the administrative, accounting, tax, legal and historical aspects of the information.
Upon fulfilling the purposes or purposes of the processing, redBus or those in charge of the processing, as applicable, shall go ahead with the deletion of any personal data in their possession. Notwithstanding this, the personal data must be preserved whenever such is required for complying with a legal or contractual obligation.
redBus shall receive the authorization for the processing of personal data in a written document, through its website and/or mobile application. To that end, the User may provide its consent in written or oral form or through an unambiguous behavior.
The content of the authorization shall be as follows:
redBus shall collect the private and sensitive personal data of the User, such as its name, date of birth, gender and other data that the User himself/herself may wish to provide. As far as sensitive data is concerned, the User is not under the obligation to furnish it, but if it elects to do so, it shall be only the sensitive data that is necessary to fulfill the purposes of the processing hereunder, such as the data related to health, sexual life and/or other related sensitive data that the User may wish to provide.
The User states that has read this Manual of Policies for the Protection and Treatment of Personal Data. Consequently, it acknowledges to have been informed about the specific purposes of the processing and grants its express authorization to the processing of its personal data, including an express authorization for the international transfer and transmission of its personal data within the purposes set forth herein.
TERM OF EFFECTIVENESS OF THE POLICY
This Policy shall become effective as from the ….(day) of the ….. (Month) of 2016.