The purpose of this manual is to guarantee the fundamental right of Habeas Data to all persons who haveprovided information subject to such special protection to Ibibo, in performance of its business.
- Information Owner: It is the individual or legal entity to whom the information heldin a database refers to and that is subject to the right of habeas data.
- Source of information – Source: It is the person, entity or organization that receivesor learns of the Personal Information of the Information Owners, as a result of a business, service orother type of relationship and which, on account of a legal authorization given by the InformationOwner, provides such information to an Information Operator, which will in turn deliver it to the endUser.
- Information Operator – Operator: The information operator is the person, entity ororganization that receives from the Source Personal Information on several Information Owners andmanages such information and makes it available to the Users.
- User: The user is the individual or legal entity that has access to the PersonalInformation of one or several Information Owners provided by the Operator or by the Source, or directlyby the Information Owner.
- Personal Information: It is any piece of information associated with one or severaldetermined or determinable persons or that can be associated with an individual or legal entity. ThePersonal Information may be either public, semi-private or private.
- Public information: It is information classified as such pursuant to law or thePolitical Constitution and any information not classified as semi-private or private. Public informationincludes, among others, the information contained in public documents, in duly executed legal rulingsthat are not subject to confidentiality and information related to the marital status of persons.
- Semi-private information: It is information that is neither intimate nor public innature, knowledge and disclosure of which may be of interest not only to its owner but also to a certainsector or group of people or society in general, such as financial, credit, business and serviceinformation.
- Private information: It is information that because of its intimate or confidentialnature is only relevant to its owner.
Capacities in which Ibibo may act:
Ibibo may act in the capacity of Operator, Source or User, as defined in applicable regulations and in thisManual.
When Ibibo acts in the capacity of Source by delivering information directly to Users, rather than through anOperator, Ibibo shall have the dual status of Source and Operator and shall take on the duties andresponsibilities of both. When Ibibo acts in the capacity of Source of information, it shall be responsiblefor the quality of the information provided to the Operator, and since it has access to and supplies thirdparty Personal Information, it shall comply with the established duties and responsibilities to guaranteethe protection of the rights of the Owner of the Information.
Whenever Ibibo acts in the capacity of Operator, in that it has access to third party Personal Information,it shall comply with the duties and responsibilities defined by law to guarantee the protection of therights of the Owner of the Information. If Ibibo acting as operator is itself the Source of the information,and therefore has no business or service relationship with the Owner, it shall not be responsible for thequality of the Information provided to it by the Source.
Whenever Ibibo acts in the capacity of User, in that it has access to third party Personal Information, itshall comply with the established duties and responsibilities to guarantee the protection of the rights ofthe Owner of the Information. If Ibibo acting in the capacity of user in turn delivers the informationdirectly to an Operator, it shall have the dual status of both User and Source, and shall take on the dutiesand responsibilities of both.
Personal Information management principles
- Principle of truthfulness or quality of the records or information: The informationcontained in the databases managed by Ibibo must be truthful, complete, accurate, updated, verifiableand understandable. Ibibo shall refrain from recording or disseminating partial, incomplete, fractionedor misleading information.
- Principle of purpose: Ibibo shall disclose to the Information Owner the purpose forwhich it collects the information before or at the same time it receives the respective authorization.
- Principle of restricted circulation: In managing Personal Information, Ibibo shallabide by the limitations derived from the nature of the Information, the legal provisions and thePersonal Information management principles, particularly the principles of the purpose and timeliness ofthe information.
- Principle of timeliness of the information: Ibibo will not provide information toUsers or third parties when it no longer serves the purpose for which it was gathered.
- Principle of comprehensive interpretation of constitutional rights: In managingPersonal Information, Ibibo will interpret applicable regulations to the effect of adequately protectingconstitutional rights, such as habeas data, the right to a good name, the right to honor, the right tointimacy and the right to information. Ibibo shall interpret the rights of the Owners in a consistentand balanced manner with the right to information defined in the Constitution and other applicableconstitutional rights.
- Principle of security: Ibibo will manage the Personal Information it collects orprovides using the technical means required to guarantee the security of the records, preventing theiradulteration, loss or unauthorized inquiry or use.
- Principle of confidentiality. Ibibo will ensure that all its staff and employees,advisors and related parties involved in managing non-public Personal Information guarantee theconfidentiality of the information, even after their involvement in any information management activityhas ended.
Dissemination of the information:
The Personal Information collected or supplied by Ibibo pursuant to the law for Operators may be receivedorally or in writing, or may be made available to the following persons and in the following terms:
- To the Owners, to the persons duly authorized by the Owners, and their successors by means of theprocedure for inquiries established herein.
- To the Users of the information, pursuant to law.
- To any legal authority, subject to a court order.
- To executive branch public entities when knowledge of such information is directly related tofulfillment of any of their duties.
- To control entities and other disciplinary, tax or administrative investigation authorities when suchinformation is required for an ongoing investigation.
- To other Operators, subject to authorization from the Owner, or when such authorization of the Owner isnot required, when the target database serves the same purpose as that of the Operator that delivers theinformation.
- To other persons authorized by law.
Rights of the Information Owners :
The Owners of the Personal Information collected or provided by Ibibo shall have the following rights:
- With Ibibo acting as Operator:
- To exercise the fundamental right to habeas data by means of the procedure for inquiries orclaims, without prejudice for any other constitutional and legal mechanisms.
- Request the respect and protection of other legal or constitutional rights by means of theprocedure for claims and petitions.
- Request proof of existence of the authorization issued by the Source or the User.
- Request information about the Users authorized to obtain information.
Without prejudice for the fact that management of public information does not require authorizationof the Owner, when managing Personal Information Ibibo shall abide by the information managementprinciples.
- With Ibibo acting as Source of the information:
- To exercise the fundamental rights to habeas data and to petition, which may be fulfilledthrough the Operator, when one exists, pursuant to the inquiries and claims procedures definedherein.
- To request information or to request updates or corrections of information, which will beperformed by the Operator based on the information provided by the Source, pursuant to theinquiries and claims procedures defined herein.
- To request proof of authorization, when authorization is required.
- With Ibibo acting as User:
- To request information on the use given to the information by the User, whenever suchinformation has not been provided by the Operator, or when an Operator is not required.
- To request proof of authorization, when authorization is required.
With Ibibo acting as User:
Ibibo shall have the following duties when it acts in the capacity of Operator for Personal Information:
- To make available at all times to the Information Owner the possibility to fully and effectivelyexercising the right to habeas data and to petition, i.e. the right to review information about him/herthat exists or is stored in the database, and to request that such information be updated or corrected,which shall be carried out through the mechanisms of inquiries or claims, as described herein.
- To ensure that the collection, treatment and dissemination of information respect all other rights ofthe Owners, according to law.
- To allow access to the information only to persons who, in accordance with legal provisions, are allowedto have access to it.
- To comply with this policies and procedures manual, which ensures adequate fulfillment of the Owners’fundamental rights to habeas data and to petition.
- To request the Source to provide proof of the authorization granted by the Owner, when suchauthorization is required.
- To maintain adequate security over stored records to prevent their impairment, loss, alteration orunauthorized or fraudulent use.
- To perform periodic and timely updates and corrections to the Information, each time the Sources reportnew information.
- To process any petitions, inquiries and claims submitted by the Information Owners, in the terms setforth in this manual.
- To indicate in the respective individual record that certain information has been questioned by theOwner, whenever a request to correct or update the information has been made and the process has not yetbeen completed.
- To disseminate the information to the Users pursuant to the terms set forth in this manual and to legalrequirements.
- To abide by the instructions and requirements issued by the oversight authority regarding legalcompliance, in reference to the fundamental right of Habeas data.
Duties of Ibibo acting as Source of information
Ibibo shall fulfill the following duties when acting as Source of information:
- To ensure que the information provided to the Operators of the databases or to the Users is truthful,complete, accurate, updated and verifiable.
- o report in a periodic and timely manner to the Operator any new information it has received and to takeall steps required to ensure that the information provided is updated.
- To correct any incorrect information and duly inform the Operators.
- To report the information to the Operator in a timely manner.
- When required, to request and maintain copies of the authorizations granted by the Information Owners,and ensure that no information that has not been previously authorized is provided to the Operators whensuch authorization is required.
- To certify on a semiannual basis to the Operator that the information provided has been duly authorized,when authorization is required.
- To address any claims and petitions of the Owner pursuant to the provisions of this manual and legalrequirements.
- To report to the Operator that certain information has been questioned by the Owner, whenever a requestto correct or update the information has been made and the process has not yet been completed, in orderfor the Operator to include a note in the database to this effect until the process is finalized.
- To abide by the instructions and requirements issued by the oversight authority regarding legalcompliance, in reference to the fundamental right of Habeas data.
Duties of Ibibo acting as User of Personal Information
Ibibo shall fulfill the following duties when acting as User of Personal Information:
- To maintain the confidentiality of the information provided by Operators of the databases, by theSources or by the Information Owners and use the information solely for the purposes for which it asprovided.
- To inform the Owners, at their request, of the use given to the information.
- To maintain adequate security over the information received to prevent its impairment, loss, alteration,or unauthorized or fraudulent use.
- To abide by the instructions and requirements issued by the oversight authority regarding legalcompliance, in reference to the fundamental right of Habeas data.
The purpose of this policies and procedures manual is to ensure that the treatment of the PersonalInformation that is received, requested or delivered by Ibibo and that may be subject to treatment accordingto law is performed in abidance of the legal protection prescribed to this effect, and especiallyguaranteeing the rights of the Owners of the Information.
- Authorization: Prior, express and informed consent of the Owner to perform theTreatment of Personal Information.
- Privacy notice: A physical, electronic or other type of document issued by theResponsible Party that is made available to the Owner for the treatment of his/her Personal Information.In the Privacy Notice, Ibibo will communicate to the Owner information regarding the existence of theapplicable policies on treatment of information, the way in which it is accessed and the characteristicsof the intended treatment to be given to the Personal Information.
- Database: Organized set of Personal Information that is subject to Treatment.
- Personal Information: Any information that is or may be linked to one or severaldetermined or determinable individuals.
- Private information: It is information that because of its intimate or confidentialnature is only relevant for the Owner.
- Sensitive information: It is defined as information that affects the intimacy of theOwner or whose improper use may cause discrimination, such as data indicating racial or ethnic origin,sexual orientation, religious or philosophical persuasion, membership of unions, social organizations,human rights organizations, or that promotes the interests of any political party or that guarantees therights of opposition political parties, as well as information related to health, sexual life andbiometric data.
- Party in Charge of Treatment: A person who alone or in collaboration with othersperforms the Treatment of Personal Information on behalf of the Party Responsible for Treatment. Ibibomay perform treatment of its own Personal Information through persons in charge.
- Party Responsible for Treatment: A person who alone or in collaboration with othersmakes decisions related to the database and/or the Treatment of information. According to law, Ibibo isResponsible for the Treatment of the Personal Information contained in its databases.
- Owner: Individual whose Personal Information is subject to Treatment.
- Treatment: Any operation or set of operations performed on Personal Information, suchas their collection, storage, use, dissemination or deletion.
- Responsible Party:
- Name: Ibibo Group Colombia S.A.S.
- City: Cl 118 # 19 52 Of 204 Ed Acocentro, Bogotá.
- E-mail: firstname.lastname@example.org
- Area in charge: Customer Service and Marketing Department.
- Ibibo will communicate to the Owners any changes in its Privacy Policies prior to theirimplementation.
Principles for the Protection and Treatment of Personal Information
In the implementation, interpretation and performance of the policies on the protection and Treatment ofPersonal Information, Ibibo shall follow the following principles:
- Principle of rule of law: Treatment is a regulated activity that must abide by legalrequirements.
- Principle of purpose: Treatment must be made for legitimate purposes in abidance ofthe Constitution and the Law, which Ibibo shall inform to the Owner.
- Principle of freedom: Ibibo will only perform Treatment with the prior, express andinformed consent of the Owner. Ibibo will not obtain or disclose Personal Information without priorauthorization, or without a legal or judicial mandate that waives consent.
- Principle of truthfulness or quality: The information subject to Treatment must betruthful, complete, accurate, updated, verifiable and understandable. Ibibo will not perform Treatmentof partial, incomplete, fractioned or misleading information.
- Principle of transparency: During Treatment, Ibibo will guarantee the right of theOwner to obtain from the Party Responsible for Treatment or from the Party in Charge of Treatment, atany time and without restrictions, information on the existence of information concerning the Owner.
- Principle of access and restricted circulation: Treatment by Ibibo will abide by thelimits derived from the nature of the Personal Information, legal provisions and the Constitution. Inthis sense, Treatment by Ibibo will only be performed by persons authorized by the Owner and/or bypersons authorized to do so by law.
- Principle of security: The information subject to Treatment by the Party Responsiblefor Treatment or the Party in Charge of Treatment (depending on the capacity in which the party isacting or the arrangement used), must be managed with all technical, human and administrative meansrequired to maintain the security of the records to avoid their adulteration, loss, or any unauthorizedor fraudulent query, use or access.
- Principle of confidentiality: All persons involved in the Treatment of PersonalInformation that is not public in nature are under the obligation of guaranteeing the confidentiality ofthe information, even after they are no longer involved in any of the tasks related to Treatment, andmust only provide or communicate the Personal Information for performance of the activities authorizedby law.
- Pursuant to the principles of purpose and freedom, the information collected by Ibibo will be limited to thePersonal Information that is relevant and suitable for the purpose for which it is gathered or required,according to applicable regulations. Except in cases expressly provided for by law, Ibibo will not collect anyPersonal Information without authorization from the Owner.
Persons to whom information can be provided
Ibibo may provide the Personal Information under its management to the following persons:
- To the Owners, their successors or their legal representatives;
- To public or administrative entities in performance of their legal duties or by court order;
- To the third parties authorized by the Owner or by law.
Treatment of Sensitive Personal Information
Law 1581/2012 prohibits the Treatment of sensitive information except in the following cases: (i) when theOwner grants consent, (ii) the Treatment is required to safeguard the vital interests of the Owner and theOwner is physically or legally disabled, (iii) the treatment is performed in the course of legitimateactivities and with proper guarantees by a foundation, NGO, association or any other not-for-profitorganization with political, philosophical, religious or trade union purposes, as long as it refersexclusively to their members or persons who are in permanent contact with it in connection with its purpose,(iv) the Treatment involves information that is necessary in order to recognize, exercise or defend a rightin legal proceedings, and (v) the Treatment has a historical, statistical or scientific purpose; in thelatter case, steps must be taken to suppress the identity of the Owners.
Treatment of the Personal Information of children and adolescents:
It should be noted that even though Law 1581/2012 prohibits the treatment of the Personal Information ofchildren and adolescents, except information that is public in nature, the Constitutional Court has furtherspecified that regardless of the nature of the information, information treatment may be performed “as longas the intended purpose of such treatment is in the higher interests of the children and adolescents andthat assurances are provided without exception that their prevailing rights will be respected.”
To such effect, Ibibo, its employees, executives and persons responsible shall take into consideration thatthe Treatment of the Personal Information of minors must be performed in their higher interests and mustguarantee respect for their fundamental rights, such as the promotion, protection and recovery of health.
When the authorization for treatment of information is granted through a representative, the representativeshall guarantee the right of the minor to be listened to prior to granting the authorization and shallassess the minor’s opinion taking into consideration his/her level of maturity, autonomy and capacity tounderstand the matter.
Additionally, the following roles are included in this document:
Personal Information Database Manager: An Ibibo employee or person in charge who performs the Treatment ofone or more databases that contain Personal Information.
The Customer Service and Marketing Department will coordinate, process and reply to petitions, complaints andclaims related to the law of protection of Personal Information submitted by the Owners to Ibibo.
The Purpose and the Treatment the Personal Information will be Subject to
Ibibo performs treatment on the Personal Information of its customers, users, partners, employees,executives, contractors and suppliers in performance of its business. Such treatment is performed directlythrough its employees and executives, or through parties that have been contracted to this effect.
It also shares the information with third parties located in Colombia and abroad, with whom it has enteredinto contracts to transfer and/or transmit Personal Information, as the case may be, with the objective ofmaintaining the information safe and protected in accordance with applicable rules and standards and inabidance of applicable regulations on this matter.
At any time, the Owners may, at no charge, review, update, amend or correct their Personal Information.
The Treatment of information includes the collection, storage, management, use, transfer, transmission anddestruction of information, in the manners allowed by law, and is performed with the following specificpurposes:
- To promote and advertise the products and services offered by Ibibo to the public, through:
- Replies to user inquiries;
- Follow-up and assessment of the service provided to each customer, based on each customer’sspecific experience;
- Mailing of information and contents of specific interest;
- Offers of personalized services to each user based on the collected information and theirspecific interests.
- To maintain periodic and effective communications with the users of our platform, customers, members,employees, executives, suppliers and any other person for whom we are authorized to perform Treatment oftheir Personal Information, by means of:
- Offers and promotions, by any means, of the services offered by Ibibo, by affiliated companiesor any other company;
- Mailing of invitations to participate in projects, studies and/or events organized by Ibibo, itsaffiliated or related parties, as well as any other company with any type of connection with theservices provided through the platform.
- To achieve adequate provision of the services offered by Ibibo by means of:
- Enabling access to information on petitions, complaints and claims submitted by users,customers, partners, contractors and suppliers in connection with Ibibo’s business activities.
- Accounting, administrative, business, information, and sales and marketing uses.
- Transmission of Personal Information to those in charge of storage in servers located in and/oroutside of Colombia.
- Any other purpose depending on the relationship between the Owners of the Personal Informationand the company.
Duties of the Party Responsible for Treatment:
Whenever Ibibo acts in the capacity of Party Responsible for Treatment of Personal Information, it shall beresponsible for performing the following duties:
- To assure to the Owner, at all times, the full and effective exercise of the right to habeas data.
- To request and maintain, in the conditions prescribed by law, copies of the respective Authorizationsgranted by the Owners.
- To duly inform the Owner of the purpose of the collection of Personal Information and of the rightsassociated with the authorization that is granted.
- To maintain the information under adequate security conditions to prevent its adulteration, loss, or anyunauthorized or fraudulent query, use or access.
- To ensure that the information provided to the Party in Charge of Treatment is truthful, complete,accurate, updated, verifiable and understandable.
- To update the information, communicating in a timely manner to the Party in Charge of Treatment any newinformation related to previously reported information, and to take all steps required to ensure thatthe information provided remains updated.
- To correct any incorrect information and report the corrections to the Party in Charge of Treatment
- To provide the Party in Charge of Treatment only information whose Treatment has been previouslyauthorized as prescribed by law.
- To require the Party in Charge of Treatment to respect at all times the security and privacy of theOwner’s information.
- To process the inquiries and claims submitted in the terms specified in legal provisions.
- To adopt an internal policies and procedures manual to ensure adequate compliance with the law, andparticularly to address any inquiries and claims.
- To inform the Party in Charge of Treatment when any information has been questioned by the Owner, once aclaim has been submitted and the respective process has not been finalized.
- To inform the Owner of the use given to his/her information, upon request.
- To report to the information protection authority any breach to the security codes and whenevermanagement of the Owners’ information may be at risk.
- To abide by the instructions and requirements issued by the oversight authority regarding legalcompliance, regarding the protection and Treatment of the Personal Information.
Rights of the Owners:
The Owners of Personal Information shall have the following rights:
- To review, update and correct their Personal Information held by the Parties Responsible for Treatmentor in Charge of Treatment. This right may be exercised, among other reasons, in connection withinformation that is partial, inaccurate, incomplete, fractioned, misleading, or information whoseTreatment is expressly prohibited or has not been authorized.
- To request proof of the authorization given to the Party Responsible for Treatment, except when noauthorization is required for Treatment, as expressly provided for by law.
- To be informed by the Party Responsible for Treatment or the Party in Charge of Treatment, upon request,on the use given to their Personal Information.
- To submit to the oversight and control body complaints for breach of the provisions of theaforementioned law and any other provisions that amend, supplement or complement it.
- To revoke the Authorization and/or request the suppression of information when the Treatment does notabide by the legal and constitutional principles, rights and guarantees. Such revoking and/orsuppression shall be performed when the oversight and control entity has determined that the PartyResponsible or in Charge of Treatment has incurred in conducts that run counter to the Constitution orthe law.
- To have access free of charge to their Personal Information that has been subject to Treatment.
- Ibibo shall maintain proof of the authorization granted by the Owners of Personal Information for itsrespective Treatment.
Policies adopted by Ibibo for the protection and treatment of Personal Information:
Ibibo has adopted the following policies for the protection and Treatment of Personal Information:
- Compliance with all applicable Colombian regulations containing provisions on the protection of PersonalInformation.
- Ibibo performs the treatment of Personal Information, to which end it must obtain Authorization by meansof a physical, electronic, text message, internet, or website document, or by telephone or verbally orby any other means that provides subsequent unequivocal proof that without the consent of the Owner theinformation would have never been obtained and stored in electronic or physical media. It may also beobtained through clear and unequivocal behaviors of the Owner that enable to reasonably conclude thatthe Owner has given consent to manage the Personal Information.
- Ibibo shall request the authorization of the Owners of the Personal Information and shall maintain proofof such authorization.
- Any treatment of Personal Information performed by Ibibo must be related to the purposes indicated inthe authorization granted by the Owner, when the situation warrants it.
- The Personal Information submitted to Treatment must be truthful, complete, accurate, updated,verifiable and understandable. Ibibo shall maintain the information in these conditions as long as theOwner reports any new information in a timely manner.
- Treatment of the Personal Information will only be performed by Ibibo staff members who are authorizedto do so, or whose assigned responsibilities include performance of such activities, or by the Personsin Charge.
- Ibibo will not make available any Personal Information to be accessed through Internet or any other massmedia, except in the case of public information or when technical measures are implemented that enablecontrolling access and restricting it only to persons authorized by law or by the Owner.
- Any Personal Information that is not Public information will be treated as confidential by Ibibo, evenwhen the contractual relationship or the relationship between the Owner of the Personal Information andIbibo has ended.
- The Owner, directly or through duly authorized persons, may review his/her Personal Information at anytime, and especially each time amendments are made to the Privacy Policies.
- Ibibo will provide, update, ratify or suppress the Personal Information at the request of the Owner inorder to correct information that is partial, inaccurate, incomplete, fractioned or misleading, or thathas been treated prior to the enactment of the law and which has not been Authorized or that isprohibited.
- When a request for information is made, either by a petition, inquiry or claim by the Owner, on themanner in which the Personal Information is used, Ibibo must provide such information.
- At the Owner’s request, and when no legal or contractual obligation exists for it to remain in thedatabases of Ibibo, the Personal Information must be deleted. In the event partial revoking of theAuthorization for Treatment of Personal Information is ordered for certain purposes, Ibibo may continueto use the information for other purposes to which such revoking does not apply.
- The policies established by Ibibo on Treatment of Personal Information may be amended at any time. Allamendments shall abide by applicable regulations and shall become effective as of the date ofpublication through the means made available by Ibibo for Owners to learn of the policy on treatment ofthe information and the changes made to the policy.
- The Personal Information will only be Treated during the time and as long as the purpose for suchtreatment warrants it.
- Ibibo will be even more rigorous in applying the policies on treatment of the information in the case ofthe Personal Information of children and adolescents, to ensure the protection of their fundamentalrights.
- The Personal Information subject to Treatment must be managed providing all the human and technicalmeans required for its protection, providing security to ensure that it cannot be copied, adulterated,deleted, queried or used in any way without authorization or for fraudulent uses.
- When any task related to the Treatment of Personal Information by third parties, contractors or Partiesin Charge of Treatment is completed, and even after their contractual relationship with Ibibo has ended,they shall be under the obligation of maintaining the confidentiality of the information, in accordancewith applicable legislation.
- Ibibo shall not transfer Personal Information to countries that do not have adequate informationprotection standards, according to the standards published by the SIC.
- The Owner of the Personal Information may exercise his/her rights primarily through the submission ofinquiries and claims to Ibibo, through the e-mail address: email@example.com
- When a Party in Charge of Treatment of Personal Information exists, Ibibo must ensure that theinformation provided to it is truthful, complete, accurate, updated, verifiable and understandable.Additionally, it will report any appropriate new information in a timely manner to ensure that theinformation is always updated.
- f a Party in Charge of Treatment of Personal Information exists, Ibibo shall provide, if appropriate,only Personal Information whose Treatment has been authorized by the Owner, when such authorization isrequired.
- Ibibo will report to the Party in Charge of Treatment of Personal Information, if one exists, whencertain information has been questioned by an Owner, once a claim has been submitted and the respectiveprocess has not yet finalized.
- When a Party in Charge of Treatment of Personal Information exists, it will be required to respect atall times the conditions of security and confidentiality of the information of the Owner established byIbibo.
Time Limits to the treatment of Personal Information:
Ibibo will only gather, store, use or disseminate the Personal Information during the time it is reasonableand necessary to do so, depending on the purposes of treatment, pursuant to legal provisions on the matterand administrative, accounting, tax, legal and historical aspects of the information.
Once the purpose of treatment has been fulfilled, Ibibo or the Party in Charge of Treatment, as appropriate,shall suppress the Personal Information in their power. Notwithstanding the above, the Personal Informationmust be preserved, when required, to fulfill legal or contractual obligations.
Ibibo Group Colombia SAS, without prejudice for the exceptions provided for by law, for the effects ofperforming the Treatment of Personal Information, shall obtain from the Owner prior and informed consent,which must be obtained by any means that may be subsequently verified.
Ibibo, in its capacity of Party Responsible for Treatment of Personal Information, shall establish mechanismsto obtain the authorization of the owners or other parties authorized by law that ensure the possibility ofverification. Such mechanisms may be pre-established through technical means that facilitate an automatedstatement by the Owner.
The authorization must be given: (i) in writing, (ii) orally, or (iii) by means of unequivocal conducts ofthe Owner that enable reasonably concluding that Authorization was granted.
Ibibo shall maintain proof of the Authorization granted by the Owners for Treatment of their PersonalInformation.
- Cases in which authorization is not required
Ibibo does not require Authorization of the Owner forthe Treatment of Personal Information in the following cases:
- Information required by a public or administrative entity in performance of its legal duties orby court order;
- Information of a public nature;
- Cases of medical or health emergencies;
- Treatment of information authorized by law for historic, statistical or scientific purposes;
- Information related to the Civil Registration of persons.
- Information to the Owner
When Ibibo acts in the capacity of Party Responsible for Treatment,whenever it requests the Owner’s Authorization, it must clearly and expressly inform the following:
- The Treatment to be given to the Personal Information and its purpose;
- The voluntary nature of the responses given to the questions that are made, when they arerelated to sensitive information or information on children and adolescents;
- The rights of the Owner;
- The identification, physical or e-mail address and telephone number of the Party Responsible forTreatment.
Ibibo shall maintain proof of fulfillment of the items in this section and will provide the Ownercopy of such information upon request.
Procedure for Owners to exercise their rights
The Owners de Personal Information should address their inquiries, requests or claims in writing to thee-mail address firstname.lastname@example.org. To this effect, they may use theRequests and Claims on Treatment of Personal Information Form attached hereto (See Annex I).
- Procedure for requests and inquiries:
The Owners or their successors may review the PersonalInformation of the Owner that is held in any database managed by Ibibo. The Party Responsible forTreatment or the Party in Charge of Treatment must provide them all the information contained in theindividual records or information that is linked to the identification of the Owner.
Ibibo must address the requests and inquiries within a term of ten (10) business days from the dateof receipt of the request. If such deadline cannot be met, the interested party must be informed,indicating the reasons for the delay and the date on which a reply will be given to the request orinquiry, which must not be later than five (5) business days from the expiration of the initialterm.
- Procedure for claims
Any Owner or his/her successor who considers that the information contained ina database must be corrected, updated or suppressed, or who claims non-compliance with any of theduties prescribed by law or in this policy, may submit a claim to Ibibo, which shall be processed inaccordance with the following rules:
A request for correction must include as a minimum the following information:
- The name and address of the Owner, or any other means to receive the reply, and the name andaddress of the Owner’s legal representative, if acting through one.
- The documents that demonstrate the identity of the owner or the power of his/her representative.
- A clear and precise description of the Personal Information regarding which the Owner seeks toexercise his/her rights.
- If appropriate, any other attachments or documents that facilitate the identification of thePersonal Information.
The claim should be addressed to the Office for the Protection and Treatment of Personal Information,through the Customer Service and Marketing Department. If the claim is incomplete, the interestedparty will be requested to correct the claim within five (5) days from its reception. If theinterested party fails to provide the requested information within two (2) months from the date ofthe request, it shall be deemed that he/she has desisted from the claim.
Once the complete claim has been received, a note will be included in the database stating "claim inprogress" and its reason, no later than within two (2) business days. Such note shall remain inplace until the claim is resolved.
The maximum term for addressing the claim shall be fifteen (15) business days from the date of itsreceipt. If the claim cannot be addressed within such term, Ibibo will inform the interested partyof the reasons for the delay and the date on which the claim will be addressed, which under nocircumstance shall be later than eight (8) business days from the expiration of the initial term.
- Procedure to revoke an Authorization and/or a request to suppress information:
The Owners mayrequest Ibibo at any time to suppress their Personal Information and/or to revoke the authorizationgranted for Treatment, by means of submission of a claim, as described in this manual.
If Ibibo should fail to delete the Personal Information within the specified term, the Owner shall beentitled to request the oversight and control authority to order revoking the authorization and/orto suppress the Personal Information.
Notwithstanding the above, a request to suppress information or to revoke authorization shall notapply when the Owner has a legal or contractual duty to remain in the database.
Amendments and Effectiveness
Any amendments made to this policy shall be published on the website and shall become effective in five (5)business from the date of publication.