PERSONAL DATA PROTECTION POLICY
1. Scope
This Personal Data Protection Policy shall apply to all databases and/or files containing personal data that are subject to processing by JAH Insurance Brokers Corp, responsible for the processing of personal data, (hereinafter, "THE COMPANY").
2. Identification of the person responsible for the processing of personal data
JAH Insurance Brokers Corp. 7950 NW 53rd Street, Suite 228/230, Doral, FL 33166 in the city of Miami - USA. E-mail info@jahinsurance.com Phone +57 (1) 4325000
3. Definitions
- Authorization: Prior, express and informed consent of the holder to carry out the processing of personal data.
- Privacy Notice: Verbal or written communication generated by the responsible, addressed to the holder for the processing of personal data, by which he is informed about the existence of the policies of treatment of information that will be applicable, how to access them and the purposes of the treatment that is intended to give to personal data.
- Database: Organized set of personal data that is subject to processing.
- Clients: Natural or legal person, public or private, with whom THE COMPANY has a business relationship.
- Consumers: Natural person who consumes the goods produced by THE COMPANY.
- Personal Data: Any information linked or that can be associated to one or several determined or determinable natural persons. Some examples of personal data are the following: name, citizenship card, address, e-mail address, telephone number, marital status, health data, fingerprint, salary, assets, financial statements, etc.
- Sensitive data: Information that affects the privacy of the holder or whose improper use may generate their discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, of human rights or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life and biometric data, among others, the capture of still or moving images, fingerprints, photographs, iris, voice, facial or palm recognition, etc.
- Data processor: Natural or legal person, public or private, who by himself or in association with others, performs the processing of personal data on behalf of the controller. In the events in which the data controller does not act as data processor, the person in charge shall be expressly identified.
- Data controller: Natural or legal person, public or private, who by himself or in association with others, decides on the database and / or the processing of data.
- Claim: Request of the Data Subject or of the persons authorized by him/her or by law to correct, update or delete his/her personal data or to revoke the authorization in the cases established by law.
- Terms and Conditions: general framework in which the conditions for participants of promotional or related activities are established.
- Data subject: Natural person whose personal data is the object of processing.
- Transfer: The transfer of data takes place when the controller and/or processor of personal data, located in Colombia, sends the information or personal data to a recipient, which in turn is responsible for the processing and is located inside or outside the country.
- Transmission: Processing of personal data that involves the communication of the same within or outside the territory of the Republic of Colombia when the purpose of the processing is to be carried out by the processor on behalf of the controller.
- Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.
4. Principles applicable to the processing of personal data
For the treatment of personal data, THE COMPANY will apply the principles mentioned below, which constitute the rules to be followed in the collection, handling, use, treatment, storage and exchange of personal data:
- Legality: The processing of personal data will be carried out in accordance with the applicable legal provisions (Statutory Law 1581 of 2012 and its regulatory decrees).
- Purpose: The personal data collected will be used for a specific and explicit purpose which must be informed to the holder or permitted by law. The holder will be informed in a clear, sufficient and prior manner about the purpose of the information provided.
- Freedom: The collection of personal data may only be exercised with the prior, express and informed authorization of the owner.
- Truthfulness or Quality: The information subject to the processing of personal data must be truthful, complete, accurate, current, verifiable and understandable.
- Transparency: In the processing of personal data, the holder's right to obtain at any time and without restrictions, information about the existence of data concerning him/her is guaranteed.
- Restricted access and circulation: The processing of personal data may only be carried out by persons authorized by the owner and/or by the persons provided for in the Law.
- Security: The personal data subject to treatment will be handled adopting all the necessary security measures to avoid its loss, adulteration, consultation, use or unauthorized or fraudulent access.
- Confidentiality: All employees working at THE COMPANY are obliged to keep confidential all personal information to which they have access in the course of their work at THE COMPANY.
5. Processing and purposes to which the personal data processed by THE COMPANY will be submitted
THE COMPANY, acting as Responsible for the Processing of Personal Data, for the proper development of its commercial activities, as well as for the strengthening of its relationships with third parties, collects, stores, uses, circulates and deletes personal data corresponding to natural persons with whom it has or has had a relationship, such as, but not limited to, employees and their relatives, shareholders, consumers, customers, distributors, suppliers, creditors and debtors, for the following purposes:
5.1. General purposes for the processing of personal data
- To allow the participation of Data Subjects in marketing and promotional activities (including participation in contests, raffles and sweepstakes) carried out by THE COMPANY;
- Evaluate the quality of service, carry out market research on consumer habits and statistical analysis for internal use;
- Control access to COMPANY offices and establish security measures, including the establishment of video-monitored areas;
- To respond to queries, petitions, complaints and claims that are made by the owners and control bodies and transmit the personal data to other authorities that by virtue of the applicable law must receive the personal data;
- To eventually contact, via e-mail, or by any other means, natural persons with whom it has or has had a relationship, such as, but not limited to, employees and their families, shareholders, consumers, customers, clients, distributors, suppliers, creditors and debtors, for the aforementioned purposes.
- Transfer the information collected to different areas of THE COMPANY and its related companies in Colombia and abroad when necessary for the development of its operations (portfolio collection and administrative collections, treasury, accounting, among others);
- For the attention of judicial or administrative requirements and compliance with judicial or legal mandates;
- Register your personal data in the information systems of THE COMPANY and in its commercial and operational databases;
- Any other activity of a similar nature to those described above that are necessary to carry out the corporate purpose of THE COMPANY.
5.2. Regarding the personal data of our customers and users:
- To fulfill the obligations contracted by THE COMPANY with its Clients and Consumers at the moment of acquiring our products;
- Send information about changes in the conditions of the products offered by THE COMPANY;
- Send information about offers related to our Clients offered by THE COMPANY and its related companies;
- To strengthen the relationship with its Users and Clients, by sending relevant information, information about the companies and their changes in job offers;
- For the determination of outstanding obligations, the consultation of financial information and credit history and the report to information centers of unfulfilled obligations, with respect to its debtors;
- Allow companies related to THE COMPANY, with which it has entered into contracts that include provisions to ensure the security and proper processing of personal data processed, to contact the Data Subject for the purpose of offering goods or services of interest;
- Control access to COMPANY offices and establish security measures, including the establishment of video-monitored areas;
- Use the different services through THE COMPANY's websites and mobile app, including content downloads and formats;
5.3. Regarding the personal data of our employees:
- Manage and operate, directly or through third parties, the processes of selection and recruitment of personnel, including the evaluation and qualification of participants and the verification of work and personal references, and the performance of security studies;
- Develop the activities of Human Resources management within the COMPANY, such as payroll, affiliations to entities of the general social security system, welfare and occupational health activities, exercise of the employer's sanctioning authority, among others;
- Make the necessary payments arising from the execution of the employment contract and/or its termination, and other social benefits that may be due in accordance with applicable law;
- Contract labor benefits with third parties, such as life insurance, medical expenses, among others;
- Notify authorized contacts in case of emergencies during working hours or in the course of work;
- Coordinate employee professional development, employee access to and support the use of the employer's IT resources;
- Plan business activities;
5.4. Regarding Supplier Data:
- To invite them to participate in selection processes and events organized or sponsored by THE COMPANY;
- To evaluate the fulfillment of your obligations;
- To register in the COMPANY's systems;
- To process your payments and verify outstanding balances;
5.5. Regarding the personal data of our shareholders:
- For the recognition, protection and exercise of the rights of the shareholders of THE COMPANY;
- For the payment of dividends;
- To eventually contact, via email, or by any other means, the shareholders for the aforementioned purposes;
6. Rights of Personal Data Holders
The natural persons whose Personal Data is subject to Processing by THE COMPANY have the following rights, which they may exercise at any time:
6.1 To know the Personal Data that THE COMPANY is processing. Similarly, the Data Subject may request at any time that their data be updated or rectified, for example, if they find that their data is partial, inaccurate, incomplete, fractioned, misleading, or those whose processing is expressly prohibited or has not been authorized.
6.2 Request proof of the authorization granted to THE COMPANY for the Processing of your Personal Data.
6.3 Be informed by THE COMPANY, upon request, regarding its use of your Personal Data.
6.4 File complaints before the Superintendence of Industry and Commerce for violations of the provisions of the Personal Data Protection Law.
6.5 Request to THE COMPANY the deletion of your Personal Data and/or revoke the authorization granted for the Processing thereof, by filing a claim, in accordance with the procedures set forth in paragraph 13 of this Policy. However, the request for deletion of the information and the revocation of the authorization will not proceed when the Data Subject has a legal or contractual duty to remain in the Database and/or Files, nor while the relationship between the Data Subject and the COMPANY, by virtue of which the data was collected, is still in force.
6.6 Access free of charge to their Personal Data that have been subject to Processing.
The rights of the Data Controllers may be exercised by the following persons:
- By the Holder;
- By their successors in title, who must prove such capacity;
- By the representative and/or attorney-in-fact of the Holder, upon accreditation of the representation or power of attorney;
- By stipulation in favor of or for another.
7. Duties of THE COMPANY as Responsible for the Processing of Personal Data
THE COMPANY is aware that Personal Data are the property of the persons to whom they refer and only they can decide about them. In this sense, THE COMPANY will use the Personal Data collected only for the purposes for which it is duly authorized and respecting, in any case, the current regulations on the Protection of Personal Data. THE COMPANY will comply with the duties provided for the Data Controllers, contained in Article 17 of Law 1581 of 2012 and other rules that regulate, modify or replace it.
8. Area Responsible for the Implementation and Observance of this Policy
The Compliance area of Jah Insurance Brokers Corp. is responsible for the development, implementation, training and enforcement of this Policy. For this purpose, all officers who process Personal Data in the different areas of the COMPANY are obliged to report these databases to the Compliance area and to immediately inform the latter of all requests, complaints or claims received from the Personal Data Owners.
The Compliance area of Jah Insurance Brokers Corp. has also been designated by THE COMPANY as the area responsible for the attention of requests, queries, complaints and claims before which the Data Subject may exercise his/her rights to know, update, rectify and delete the data and revoke the authorization. This area is located at the address: Calle 26 No. 69 - 76 Office 603 Torre 3 Edificio Elemento in the city of Bogotá D.C., Colombia, and can be contacted through the following email: info@jahinsurance.com
9. Authorization
THE COMPANY will request prior, express and informed authorization from the Data Controllers of the Personal Data on which the Processing is required to be carried out, through different mechanisms made available by THE COMPANY, such as:
- In writing, by filling out an authorization form for the Processing of Personal Data determined by THE COMPANY.
- Orally, through a telephone conversation or videoconference.
- Through unequivocal conducts that allow concluding that he/she granted his/her authorization, through his/her express acceptance to the Terms and Conditions of an activity within which the authorization of the participants is required for the Processing of his/her Personal Data.
IMPORTANT: In no case will THE COMPANY assimilate the silence of the Holder to an unequivocal conduct.
10. Special Provisions for the Processing of Personal Data.
10.1 Processing of Sensitive Personal Data
The Processing of Personal Data of a sensitive nature is prohibited by law, except with the express, prior and informed authorization of the Data Subject, among other exceptions enshrined in Article 6o of Law 1581 of 2012. In this case, in addition to complying with the requirements established for authorization, THE COMPANY will inform the Data Subject:
- That, since the data is sensitive, he/she is not obliged to authorize its treatment.
- Which of the data to be processed are sensitive and the purpose of the processing.
Additionally, THE COMPANY will treat the sensitive data collected under security and confidentiality standards corresponding to its nature. For this purpose, THE COMPANY has implemented administrative, technical and legal measures contained in its Policies and Procedures Manual, which are mandatory for its employees and, as applicable, for its suppliers, related companies and business partners.
10.2 Processing of Children and Adolescents' Personal Data
Pursuant to the provisions of Article 7 of Law 1581 of 2012 and Article 12 of Decree 1377 of 2013, THE COMPANY shall only carry out Processing, corresponding to children and adolescents, provided that this Processing responds to and respects the best interests of children and adolescents and ensures respect for their fundamental rights. Once the above requirements have been met, THE COMPANY must obtain the Authorization of the legal representative of the child or adolescent, after the minor has exercised his or her right to be heard, an opinion that will be assessed taking into account the maturity, autonomy and ability to understand the matter.
11. Procedure for Attention and Response to Petitions, Inquiries, Complaints and Claims of Personal Data Owners
The Owners of Personal Data processed by THE COMPANY have the right to access their Personal Data and the details of such Processing, as well as to rectify and update them in case they are inaccurate or to request their deletion when they consider that they are excessive or unnecessary for the purposes that justified their collection or to oppose the Processing thereof for specific purposes, through the following channels:
- Communication addressed to Jah Insurance Brokers Corp, Calle 26 No. 69 - 76 Office 603 Tower 3 Building Element Bogotá D.C. Colombia.
- Request submitted by e-mail: info@jahinsurance.com
- Request submitted via telephone +57 (1) 4325000 to the Compliance area.
These channels may be used by Data Controllers, or third parties authorized by law to act on their behalf, in order to exercise the following rights:
11.1 Procedure for making requests and enquiries
(i) The Data Subject may consult his/her personal data at any time. For this purpose, he/she may submit a request indicating the information he/she wishes to know, through any of the mechanisms indicated above.
(ii) The Registrant or its assignees must prove their identity, that of their representative, the representation or stipulation in favor of another or for another. When the request is made by a person other than the Data Subject and it is not accredited that the person is acting on behalf of the Data Subject, the request shall be deemed not to have been filed.
(iii) The consultation and/or request must contain at least the name and contact address of the Data Subject or any other means to receive the response, as well as a clear and precise description of the personal data with respect to which the Data Subject seeks to exercise the right of consultation and/or request.
(iv) If the consultation and/or request made by the Data Subject is incomplete, THE COMPANY will require the interested party within five (5) days following receipt of the consultation and/or request to correct the faults. After two (2) months from the date of the requirement, if the applicant does not submit the required information, it will be understood that he/she has abandoned his/her request.
(v) The requests and/or inquiries will be answered by THE COMPANY within a maximum term of ten (10) business days from the date of receipt thereof. When it is not possible to respond to the request or inquiry within such term, the applicant will be informed of this fact, stating the reasons for the delay and indicating the date on which the request or inquiry will be addressed, which in no case may exceed five (5) business days following the expiration of the first term.
11.2 Procedure for making complaints and grievances
In accordance with the provisions of Article 14 of Law 1581 of 2012, when the Data Subject or their assignees consider that the information processed by THE COMPANY should be corrected, updated or deleted, or when it should be revoked due to the alleged breach of any of the duties contained in the Law, they may submit a request to THE COMPANY, which will be processed under the following rules:
(i) The Registrant or its assignees must prove their identity, that of their representative, the representation or stipulation in favor of another or for another. When the request is made by a person other than the Data Subject and it is not accredited that such person is acting on behalf of the Data Subject, it shall be deemed not to have been filed.
(ii) The request for rectification, updating, deletion or revocation must be submitted through the means provided by THE COMPANY indicated in this document and must contain, at least, the following information:
- The name and address of the Holder or any other means to receive the response.
- Documents proving the identity of the applicant and, if applicable, that of his representative with the respective authorization.
- The clear and precise description of the personal data in respect of which the Data Subject seeks to exercise any of the rights and the specific request.
(iii) If the request is incomplete, THE COMPANY shall require the interested party within five (5) days of receipt thereof to correct the deficiencies. After two (2) months from the date of the request, without the applicant submitting the required information, it will be understood that the request has been withdrawn.
(iv) In case the person who receives the request is not competent to resolve it, he/she will transfer it to the Legal area of Jah Insurance Brokers Corp. within a maximum term of two (2) business days and will inform the interested party of the situation.
(v) Once the request is received, a legend will be included in the Data Base stating "claim in process" and the reason for the claim, within a term no longer than two (2) business days. Said legend shall be maintained until it is decided.
(vi) The maximum term to respond to this request will be fifteen (15) business days from the day following the date of receipt. When it is not possible to respond within that period, the interested party will be informed of the reasons for the delay and the date on which the claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.
12. Passively Obtained Information
When using the services contained within the COMPANY's websites, the COMPANY may passively collect information through information management technologies, such as "cookies", through which information is collected about the hardware and software of the equipment, IP address, browser type, operating system, domain name, access time and the addresses of the websites of origin; through the use of these tools Personal Data of the users is not collected directly. Information about the pages that the person visits most frequently on these websites will also be collected in order to learn about their browsing habits. However, the user of THE COMPANY's websites has the possibility of configuring the functioning of cookies, according to the options of his or her Internet browser.
13. Security of Personal Data
THE COMPANY, in strict application of the Principle of Security in the Processing of Personal Data, will provide the technical, human and administrative measures necessary to provide security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access. The obligation and responsibility of THE COMPANY is limited to having the appropriate means for this purpose. THE COMPANY does not guarantee the total security of your information nor is it responsible for any consequences arising from technical failures or improper access by third parties to the Database or file in which the Personal Data subject to Processing is stored by THE COMPANY and its Agents. THE COMPANY will require the service providers it hires to adopt and comply with the appropriate technical, human and administrative measures for the protection of the Personal Data in relation to which such providers act as Data Processors.
14. Transfer, Transmission and Disclosure of Personal Data
THE COMPANY may disclose to its related companies worldwide, the Personal Data on which it carries out the Processing, for its use and Processing in accordance with this Personal Data Protection Policy.
Likewise, THE COMPANY may provide Personal Data to third parties not related to THE COMPANY when:
- They are contractors in the execution of contracts for the development of the activities of THE COMPANY;
- By transfer in any capacity whatsoever of any line of business to which the information relates.
In any case, when THE COMPANY wishes to send or transmit data to one or more Data Processors located within or outside the territory of the Republic of Colombia, it shall establish contractual clauses or enter into a contract for the transmission of personal data in which, among others, the following is agreed upon:
(i) The scope and purposes of the processing.
(ii) The activities that the Data Processor will carry out on behalf of THE COMPANY.
(iii) The obligations to be fulfilled by the Data Processor with respect to the Data Subject and THE COMPANY.
(iv) The duty of the Data Processor to process the data in accordance with the purpose authorized for the same and observing the principles established in the Colombian Law and the present policy.
(v) The obligation of the Data Processor to adequately protect the personal data and databases as well as to maintain confidentiality with respect to the processing of the transmitted data.
(vi) A description of the specific security measures that will be adopted by both THE COMPANY and the Data Processor at the place of destination.
THE COMPANY will not request authorization when the international transfer of data is covered by any of the exceptions set forth in the Law and its Regulatory Decrees.
15. Applicable Legislation
This Personal Data Protection Policy, the Privacy Notice, and the Authorization Format Annex that is part of this Policy, are governed by the provisions of the current legislation on the protection of Personal Data referred to in Article 15 of the Political Constitution of Colombia, Law 1266 of 2008, Law 1581 of 2012, Decree 1377 of 2013, Decree 1727 of 2009 and other regulations that modify, repeal or replace them.
16. Validity
This Personal Data Protection Policy is effective as of February 20, 2016.