Information Handling Policy
“INTERNAL MANUAL OF POLICIES AND PROCEDURES FOR INFORMATION HANDLING AND PERSONAL DATA PROTECTION (THE “MANUAL”)”
INTRODUCTION
PDC Vinos y Licores S.A.S. (hereinafter referred to as “THE COMPANY”) has always framed the execution of its business, its corporate purpose, and each and every one of its actions within the current legislation, always seeking to act within the Colombian Legal Framework.
Since its foundation, the policies of THE COMPANY have been focused on having, guaranteeing, and providing great respect for its employees, clients, suppliers, users, contractors, and, in general, all those individuals who, in one way or another, have direct or indirect contact with THE COMPANY, aiming at constantly ensuring and protecting the fundamental rights that people have to their family and personal privacy, to the right to know where their data are stored and the treatment being given to them, as well as the possibility of requesting the modification of such data when they do not correspond to reality, are inaccurate, or lead to error. As a consequence of the above, THE COMPANY adopts this “INTERNAL MANUAL OF POLICIES AND PROCEDURES FOR THE TREATMENT OF INFORMATION AND PROTECTION OF PERSONAL DATA,” in accordance with the provisions of Law 1581 of 2012, Decree 1377 of 2013, and other regulations modifying, adding, complementing, or developing them, through which the collection, use, transfer, storage, circulation, treatment, transmission, and all activities constituting the processing of personal data are regulated.
In this regard, the principles and provisions contained in the aforementioned laws are applicable to the personal data collected and managed by THE COMPANY, and registered in any of its databases.
1. DEFINITIONS
To facilitate the understanding of this Manual, it is necessary to include the definitions provided in Article 3 of Law 1581 of 2012 and Decree 1377 of 2013, which THE COMPANY will take into account for the processing of personal data:
- Authorization: Prior, express, and informed consent of the Owner to carry out the Processing of personal data;
- Database: Organized set of personal data that is subject to Processing;
- Personal data: Any information linked or that can be associated with one or more specific or determinable natural persons;
- Processor: Natural or legal person, public or private, who, alone or in association with others, carries out the Processing of personal data on behalf of the Data Controller;
- Data Controller: Natural or legal person, public or private, who, alone or in association with others, decides on the database and/or the Processing of data;
- Owner: Natural person whose personal data are subject to Processing;
- Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.
- Privacy Notice: Verbal or written communication generated by the Controller, addressed to the Owner for the Processing of their personal data, through which they are informed about the existence of the information Processing policies that will be applicable to them, how to access them, and the purposes of the Processing intended for the personal data.
- Public data: It is data that is not semi-private, private, or sensitive. Public data include, among others, data relating to the civil status of individuals, their profession or occupation, and their status as a merchant or public servant. By their nature, public data may be contained, among others, in public records, public documents, gazettes and official bulletins, and duly executed judicial decisions that are not subject to confidentiality.
- Sensitive data: Sensitive data are those that affect the privacy of the Owner or whose improper use may lead to their discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical beliefs, membership of unions, social organizations, human rights organizations, or that promote the interests of any political party or guarantee the rights and guarantees of opposition political parties, as well as data concerning health, sexual life, and biometric data.
- Transfer: Data transfer occurs when the Data Controller and/or Processor of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is the Data Controller and is located inside or outside the country.
- Transmission: Processing of personal data that involves the communication of such data within or outside the territory of the Republic of Colombia when it has the purpose of carrying out Processing by the Processor on behalf of the Controller.
2. PRINCIPLES
The processing of personal data by THE COMPANY shall be governed by the following principles:
- Principle of legality in the processing of data: THE COMPANY complies with the processing established by law to protect personal data.
- Purpose principle: The data protection processing by THE COMPANY is based on a legitimate purpose in accordance with the Constitution and the Law, which will be informed to the Owner.
- Freedom principle: The processing carried out by THE COMPANY will only be exercised with the prior, express, and informed consent of the Owner. Personal data will not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that exempts consent.
- Principle of truthfulness or quality: The information subject to processing by THE COMPANY will be truthful, complete, accurate, up-to-date, verifiable, and understandable. No partial, incomplete, fragmented, or misleading data will be processed.
- Transparency principle: In processing, THE COMPANY guarantees the Owner the right to obtain information about the existence of data concerning them at any time and without restrictions.
- Principle of access and restricted circulation: Processing is subject to the limits derived from the nature of the personal data, the provisions of this law, and the Constitution. In this sense, processing may only be carried out by persons authorized by the Owner and/or by persons provided for in this law. Personal data, except for public information, will not be available on the Internet or other means of mass dissemination or communication, unless access is technically controllable to provide restricted knowledge only to Owners or third parties authorized by law.
- Security principle: The information subject to processing by THE COMPANY will be managed with the technical, human, and administrative measures necessary to provide security to the records, avoiding their alteration, loss, consultation, use, or unauthorized or fraudulent access.
- Confidentiality principle: THE COMPANY will guarantee the confidentiality of the information, even after its relationship with any of the tasks comprising the processing has ended, and may only provide or communicate personal data when it corresponds to the development of the activities authorized in this law and in the terms thereof.
3. RIGHTS OF DATA SUBJECTS
THE COMPANY guarantees the following rights to the owners of its databases:
- Know, update, and rectify their personal data in relation to THE COMPANY. This right may be exercised, among others, in relation to partial, inaccurate, incomplete, fragmented, misleading data, or those whose processing is expressly prohibited or has not been authorized.
- Request proof of the authorization granted to THE COMPANY for the processing of their data, except for the data indicated in Article 10 of Law 1581 of 2012.
- Upon request by the owner, be informed by THE COMPANY about the use that has been made of their personal data.
- Lodge complaints with the Superintendence of Industry and Commerce for violations of Law 1581 of 2012 and other regulations that modify, add to, or complement it, after first having exhausted the respective procedural requirement.
- Revoke the authorization and/or request the deletion of the data when the principles, rights, and constitutional and legal guarantees are not respected in the processing. The revocation and/or deletion shall proceed when the Superintendence of Industry and Commerce has determined that THE COMPANY has engaged in conduct contrary to Law 1581 of 2012 and the Constitution.
- Access, free of charge, the personal data that have been subject to processing.
4. AUTHORIZATION, OBLIGATION TO INFORM THE DATA SUBJECT, AND TYPES OF DATA
4.1. AUTHORIZATION, DUTY TO INFORM
Once THE COMPANY requests the data subject’s consent for processing, it will inform them clearly and expressly of the following:
- The processing to which their personal data will be subjected and the purpose for which it will be done.
- The voluntary nature of the response to questions asked, when they concern sensitive data or data about children and adolescents.
- The rights that they, as data subjects, are entitled to.
- The identification, physical or electronic address, and telephone number of THE COMPANY as the data controller.
- THE COMPANY’s commitment not to disclose, commercialize, or sell the personal information provided by the data subject.
Paragraph: Once the data subject provides their consent for the processing of their personal data to THE COMPANY, it may, through its various channels, send and provide information about its products and services, any possible changes that may be introduced to them, and likewise, there will be a space where the data subject can evaluate their quality.
4.2. TYPES OF INFORMATION REQUIRED
THE COMPANY may request personal information such as name, surnames, identification number, marital status, contact number, residential and email address, credit card number, or bank account number depending on the payment method used, and in general, any other information required to register them in its databases, provided that it is linked to the contractual relationship they have with THE COMPANY. In the event that a customer cancels the products or services requested, there will be a link where they can communicate with the websites of the respective financial entities to which the payment is made, and they will be directly responsible for handling the personal information of these individuals.
4.3. CASES WHERE THE DATA SUBJECT’S AUTHORIZATION IS NOT REQUIRED FOR DATA PROCESSING
At all times, the processing of data by THE COMPANY will require the prior and informed authorization and information of the data subject, except in the following cases:
- When the information is required by a public or administrative entity exercising its legal functions or by court order.
- When it concerns public data.
- In cases of medical or health emergencies.
- In the case of information processing authorized by law for historical, statistical, or scientific purposes.
- For data related to the Civil Registry of Persons.
4.4. SENSITIVE DATA
Sensitive data are those that affect the personal or family privacy of the data subject, or those whose improper use reveals racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, socio-economic data, human rights data, or that promote interests of any political party or guarantee the rights and guarantees of opposition political parties, as well as data relating to health and sexual life.
4.3.1.1.1 EXCEPTION TO THE PROCESSING OF SENSITIVE DATA
THE COMPANY will restrict the processing of sensitive personal data, except when:
- The processing has been expressly authorized by the data subject, except in cases where, by Law, such authorization is not required.
- The processing is necessary to safeguard the vital interests of the data subject and they are physically or legally incapacitated. In these cases, legal representatives must grant authorization.
- The processing relates to data that is necessary for the recognition, exercise, or defense of a right in a judicial process.
4.3.1.1.2 ADDITION TO SENSITIVE DATA
In addition to the above, THE COMPANY complies with the following obligations:
- Inform the data subject that, being sensitive data, they are not obligated to authorize its processing.
- Explicitly and in advance inform the data subject, in addition to the general requirements of authorization for the collection of any type of personal data, which data subject to processing are of a sensitive nature and the purpose of the processing, and obtain express consent.
- Not condition any activity on the data subject providing sensitive personal data (unless there is a legal or contractual cause to do so).
4.5. PROCESSING OF MINORS’ DATA
As established by article 7 of Law 1581 of 2012, the processing of personal data of children and adolescents is prohibited except when it concerns data of a public nature and when the prevalence of their fundamental rights is not at risk, always protecting the constitutional principle of the best interest of the child.
In cases where the child or adolescent does not have full capacity to give their consent, THE COMPANY will require the prior authorization of their parents or guardians in order to give appropriate treatment to their personal data.
5. RESPONSIBILITIES OF THE INFORMATION CONTROLLERS
THE COMPANY, as the Data Controller, shall have the following duties, through the Accounting, Human Resources, Commercial, and Administrative departments:
- Ensure the data subject’s full and effective right to Habeas Data at all times.
- Request and retain a copy of the authorization granted by the Data Subject.
- Properly inform the Data Subject about the purpose of the data collection and the rights granted by the authorization.
- Preserve the information under the necessary security conditions to prevent its alteration, loss, consultation, use, or unauthorized or fraudulent access.
- Rectify the information when it is incorrect and communicate the relevant information to each data processor.
- Process queries and complaints as indicated in Law 1581 of 2012.
- Inform the data subject, upon request, about the use made of their data.
- Inform the data protection authority of security breaches and risks in the management of the data subjects’ information.
- Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
6. RESPONSIBILITIES OF THE INFORMATION PROCESSORS
The Accounting, Human Resources, Commercial, and Administrative departments of THE COMPANY shall be responsible for the information, and shall at all times have the following duties:
- Guarantee the data subject’s full and effective right to Habeas Data at all times.
- Preserve the information under the necessary security conditions to prevent its alteration, loss, consultation, use, or unauthorized or fraudulent access.
- Timely update, rectify, or delete the data as indicated in Law 1581 of 2012.
- Update the information reported by the data subjects within five (5) business days counted from its receipt.
- Process queries and complaints filed by data subjects in accordance with this law.
- Refrain from circulating information that is being disputed by the data subject and whose blocking has been ordered by the Superintendence of Industry and Commerce.
- Allow access to the information only to those authorized to access it.
- Inform the Superintendence of Industry and Commerce of security breaches and risks in the management of the data subjects’ information.
- Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
7. INFORMATION CONTROLLERS AND PROCESSORS IN THE COMPANY
THE COMPANY, as a Legal Entity, shall assign joint responsibility for the processing of the information contained in each of its databases to the Accounting, Human Resources, Commercial, and Administrative departments.
8. PROCEDURES FOR HANDLING INQUIRIES, REQUESTS, AND COMPLAINTS
8.1. INQUIRIES
Data subjects or their successors may inquire about the personal information held by THE COMPANY in any database, and THE COMPANY, as the Data Controller, must provide them with all the information contained therein related to the identification of the Data Subject.
This inquiry can be made via email to the following address: domecq@domecq.com.co, or by phone by calling the following number (+57 1) 254 1000 ext. 160, and it will be attended to within a maximum period of ten (10) business days counted from the date of receipt. If it is not possible to address the inquiry within this period, THE COMPANY will inform the interested party of the reasons for the delay and indicate the date on which their inquiry will be addressed, which in no case may exceed five (5) business days following the expiration of the initial term.
8.2. REQUESTS AND COMPLAINTS
The Data Subject or their successors who believe that the information contained in a database should be corrected, updated, or deleted, or who notice the alleged breach of any of the duties contained in this law, may submit a complaint to THE COMPANY, which will be processed under the following rules:
- THE COMPANY has established the following channels and addresses to which the data subject can submit requests and complaints:
ADDRESS: AVENIDA AMÉRICAS # 50 – 80 IN THE CITY OF BOGOTÁ D.C.
EMAIL: domecq@domecq.com.co – PBX: +57(1) 254-1000 Ext.160.
- The complaint shall be made by means of a request addressed to THE COMPANY, including the name of the data subject, their identification number, a description of the facts giving rise to the complaint, the address, and accompanying documents to be relied upon. If the complaint is incomplete, the interested party will be required to remedy the deficiencies within five (5) days following the receipt of the complaint. If two (2) months have elapsed since the date of the request without the applicant providing the requested information, it will be considered that they have withdrawn the complaint.
- If the recipient of the complaint is not competent to resolve it, they will transfer it to the appropriate party within a maximum period of two (2) business days and inform the interested party of the situation.
- Once the complete complaint is received, a note stating “complaint in process” and the reason for it will be included in the database within a period not exceeding two (2) business days. This note must be maintained until the complaint is resolved.
- The maximum period for addressing the complaint by THE COMPANY shall be fifteen (15) business days counted from the day following the date of receipt. If it is not possible to address the complaint within this period, the interested party will be informed of the reasons for the delay and the date on which their complaint will be addressed, which in no case may exceed eight (8) business days following the expiration of the initial term.
- In the event that the purpose of the request made by the data subject is the deletion of their data from THE COMPANY’s databases, once the deadline mentioned in the previous paragraph has elapsed, PDC undertakes to delete the data in order to fully comply with the fundamental right of Habeas Data.
- As a procedural requirement, the Data Subject or their successor may only lodge a complaint with the Superintendence of Industry and Commerce once they have completed the consultation or complaint process with THE COMPANY.
9. AMENDMENTS
PDC VINOS Y LICORES S.A.S. may modify the privacy policies set forth in this manual at any time, and the content thereof. Such modifications shall not require prior notice and shall enter into force once they have been published on our website. Accordingly, users accessing THE COMPANY’s website shall be obliged to periodically review any changes therein, which implies tacit acceptance of the modifications incorporated into this manual.
10. EFFECTIVE DATE
This Manual shall come into effect at THE COMPANY from its issuance, and the databases subject to this Manual shall remain valid as long as necessary for the established purposes.