Information processing policy

Complying with the provisions of Law 1581 of 2012, Decrees 1377 of 2013, Decree 1074 of 2015 and Decree 1759 of 2016 and to the circulars issued by the Superintendency of Industry and Commerce TELEFÉRICO A MONSERRATE S.A adopts the policy for the processing of personal data, to regulate the collection, storage, use, circulation and deletion of personal data , this policy will be informed to all holders of the data collected or obtained in the future within the Company's own activities.

The main purpose of this Policy is to inform the Holders of Personal Data their rights, the procedures and mechanisms defined by TELEFÉRICO A MONSERRATE S.A to make effective those rights of the Holders, and to make them known the scope and purpose of the Processing to which the Personal Data will be submitted in case the Owner grants his express authorization Prior.

Reach

The Policy of TELEFÉRICO A MONSERRATE S.A covers the administrative, operational, organizational and control technical aspects that must be complied with by managers, officials, contractors and third parties who work or have direct relationship with the Company.

POLITICAL POLICY FRAMEWORK

• Law 1581 of 2012 which issued the General Regime for the Protection of Personal Data. 
• Circular 002 3 November 2015 
• Decree 1759 of 2016 
• Single Decree 1074 of 2015 
• Decree 886 of 2014 
• Decree 1377 of 2013 
• Law 1581 Oct 17, 2012 
• Resolution 35315 
• Political Constitution, Article 15. Law 1266 of 2008 Regulatory Decrees 1727 of 2009 and 2952 of 2010, Judgments C – 1011 of 2008, and C – 748 of 2011, of the Constitutional Court 
• Constitutional Judgment C–748 of 2011 declaring the Statutory Bill on the Protection of Personal Data exequible.

IDENTIFICATION OF DATA MANAGEMENT

NAME OR TRADE MARK: TELEFERICO A MONSERRATE S.A 

ADDRESS: CR 2 EAST 21 48 PS BOLIVAR STATION 

FUNICULAR BOGOTA ADDRESSBogota 

TELEPHONE: 57(1) 2845700 Ext: 107 EMAIL: INFO@cerromonserrate.com 

Treatment under which the data and purpose of the same will be submitted when it has not been informed about the privacy notice. 

For the proper development of business activities, as well as to strengthen your relationships with third parties, request, collect, store, use, circulate and delete personal data. The personal data contained in databases may be processed in an automated or manual manner. Manual databases are files whose information is organized and physically stored and automated databases that are stored and managed with the help of computer tools.

PURPOSE IN THE CAPTURE, USE AND PROCESSING OF PERSONAL DATA

The personal data that TELEFÉRICO A MONSERRATE S.A collects, stores, uses, circulates and deletes, will be used for one of the following purposes: 

• For the linkage, performance of functions or provision of services, withdrawal or termination, depending on the type of legal relationship entered into with the SFC (including, but not limited to, officials, ex-officials, judges, practitioners and aspiring charges). 

The processing of the data will be carried out for the purposes related to the development the process of contractual management of products or services that the SFC requires for its operation in accordance with the current regulations. 

Registration of Company suppliers. 

• Company Customer Registration. 
• Sending emails and/or text messages informing the status of the application process for products and services requested by TELEFERICO A MONSERRATE S.A. 
• Sending emails and/or text messages to develop marketing activities, statistics, research and other commercial purposes that do not contravene the legislation in force in Colombia. 
• Attention of injunctions or administrative requests. 
• Compliance with injunctions or legal mandates. 

IDENTIFICATION OF THE MANAGEMENT RESPONSIBLE  

Responsible for the processing of the database. When the responsible of the database is a legal entity, he/she must indicate his/her name or trade name and his/her tax identification number, as well as his/her location and contact details. When the responsible of the database is a natural person, he/she will record his/her identification, location and contact details. 

Data Processor. Where the Data Processor or Data Processors are or are a legal person, the Data Controller shall indicate in the National Register of Databases the full name or business name and tax identification number of said Processor or Processors, as well as his/her location and contact details. Where the Data Processors are or are a natural person, their identification, location and contact details shall be entered. 

Identification, location and contact details of the data processors of the database.

ENSITIVE DATA

The Owner has the right not to provide any sensitive information requested by TELEFERICO A MONSERRATE S.A related, among others, to data on its racial or ethnic origin, membership of trade unions, social or human rights organizations, political, religious, sexual life, biometric or health data. 

UNDERAGE DATA: 

The provision of the personal data of minors is optional and must be carried out with the authorization of the parents or legal representatives of the minor. 

OWNER AUTHORIZATION: 

In order to carry out the aforementioned purposes, TELEFERICO A MONSERRATE S.A requires freely, prior, express and duly informed of the authorization by the holders of the data and for this purpose has arranged suitable mechanisms guaranteeing for each case that it is possible to verify the granting of such authorization. It may be contained in any method, whether a physical document, electronic or in any format that guarantees its subsequent consultation through technical, technological tools and public computer security developments on our website www.cerromonserrate.com. 

Without prejudice to the exceptions provided for in the law, the Processing requires the prior, express and informed authorization of the Owner, which must be obtained by any means that may be subject to further consultation and verification. 

CASES WHERE AUTHORIZATION IS NOT REQUIRED:

The authorization of the Holder shall not be necessary in the case of: 

7.1. Information required by the SFC in the exercise of its legal functions or by court order. 7.2. Data of a public nature. 7.3. Medical or health emergency cases. 7.4. Processing of information authorized by law for historical, statistical or scientific purposes. 7.5. Data related to the Civil Registry of Persons. 

1 Main definitions 

Authorization: Prior, express and informed consent of the Owner to carry out the Processing of personal data; 

Database: Organized set of personal data that is processed; 

Personal Data: Any information linked to or that may be associated with one or more natural persons determined or determinable; 

Data Controller: Natural or legal person, public or private, who by herself or in partnership with others, performs the Processing of personal data on behalf of the Data Controller; 

Data Controller: Natural or legal person, public or private, who by herself or in partnership with others, decides on the basis of data and / or the processing of the data; 

Owner: Natural person whose personal data are processed; 

Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion. 

Privacy Notice: Verbal or written communication generated by the Controller, addressed to the Holder for the Processing of his/her personal data, through which he/she is informed about the existence of the information processing policies that will be applicable to him/her, the way to access them and the purposes of the Processing that is intended to be given to personal data. 

Public fact: This is the data that is not semi-private, private or sensitive. Public data are considered, among others, data relating to the marital status of persons, their profession or profession and their status as a trader or public servant. By their nature, public data may be contained, among others, in public registers, public documents, gazettes and official gazettes and duly enforced court judgments that are not subject to reservation. 

Sensitive data: Sensitive data means data that affect the privacy of the Holder or whose misuse may result in its discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical beliefs, membership of trade unions, social organizations, human rights organizations or that promotes the interests of any political party or that guarantee the rights and guarantees of opposition political parties , as well as data on health, sex life, and biometric data. 

Transfer: The transfer of data takes place when the Data Controller and/or Data Processor, located in Colombia, sends the information or personal data to a recipient, who in turn is Data Controller and is located inside or outside the country. 

Transmission: Processing of personal data involving the communication of the same within or outside the territory of the Republic of Colombia when it is intended to carry out a Processing by the Processor on behalf of the Responsible. 

Information stored in the database: It is the classification of personal data stored in each database, grouped by categories and subcategories, according to the nature of the same. 

Information security measures: Corresponds to the controls implemented by the Data Controller to ensure the security of the databases that you are registering, taking into account the questions prepared for the purpose in the GNI. 

Origin of personal data: The origin of the data refers to whether they are collected from the owner of the information or provided by third parties and whether the authorization for the processing is available or if there is a cause of exoneration, in accordance with the provisions of Article 10 of Law 1581 of 2012. 

International Transfer of Personal Data: Includes the identification of the recipient as Data Controller, the country in which it is located and whether the transaction is covered by a declaration of conformity issued by the Delegate for the protection of personal data of the SIC or by a cause of exception in the terms referred to in Article 26 of Law 1581 of 2012 

International Transmission of Personal Data: Includes the identification of the recipient as processor, the country in which you are located, if you have a data transmission contract under the terms referred to in Article 2.2.2.25.5.2 of Section 5 of Chapter 25 of Single Decree 1074 of 2015 or if the transaction is referred to by a declaration of conformity issued by the Deegature for the protection of personal data of the SIC. 

National transfer or transfer of the database: Information relating to the transfer or national transfer of data includes the identification of the assignee, who shall be deemed responsible for the processing of the database transferred from the time the transfer is perfected. It is not mandatory for the transferor to register the transfer of the database. However, the assignee, as the controller, must comply with the registration of the database that has been assigned to him. 

Principles 

Principle of legality in the field of data processing: The processing referred to in this law is a regulated activity that must be subject to the provisions of it and the other provisions that develop it; 

Principle of purpose: The Treatment must follow a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Owner; 

Principle of freedom: The Treatment can only be exercised with the prior, express and informed consent of the Holder. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves consent; 

Principle of veracity or quality: The information subject to Processing must be truthful, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fractional or misleading data is prohibited; 

Principle of transparency: In the Processing, the right of the Data Controller to obtain from the Data Controller or the Data Processor, at any time and without restrictions, information about the existence of data concerning him/ 

Principle of access and restricted circulation: The Processing is subject to the limits that derive from the nature of personal data, the provisions of this law and the Constitution. 

In this sense, the Treatment may only be done by people authorized by the Owner and/or by the persons provided for in this law; 

Personal data, except for public information, may not be available on the Internet or other means of mass disclosure or communication, unless access is technically controllable to provide restricted knowledge only to Holders or third parties authorized under this law; 

Security Principle: The information subject to Processing by the Data Controller or Data Processor referred to in this law, must be handled with the technical, human and administrative measures that are necessary to grant security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access; 

Principle of confidentiality: All persons involved in the Processing of personal data that are not public in nature are obliged to guarantee the reservation of the information, even after the end of their relationship with any of the tasks understood by the Processing, being able only to provide or communicate personal data when this corresponds to the development of the activities authorized in this law and in the terms thereof. 

Treatment and Purposes of use 

The Personal Data processed by TELEFÉRICO A MONSERRATE S.A must be subject only to the purposes indicated below. Likewise, The Processors or third parties who have access to the Personal Data by virtue of law or contract, will keep the Processing within the following purposes: 

Manage all the information necessary for compliance with the tax and business, corporate and accounting records obligations of TELEFÉRICO A MONSERRATE S.A. 

Comply with the internal processes of TELEFÉRICO A MONSERRATE S.A in the field of supplier and contractor administration. 

Comply with the contracts for the provision of services concluded with the different customers. (private, public, multilateral agencies among others) . 

Provide its services according to the needs of customers, in order to comply with the contracts of services concluded. 

The execution and performance of the contracts they conclude. 

The other purposes determined by the Data Controllers in processes of obtaining Personal Data for their Processing and that are communicated to the Holders at the time of the collection of personal data. 

The process of archiving, updating systems, protecting and guarding information and databases of the Firm. 

Processes within the Firm, for development or operational and/or system administration purposes. 

The transmission of data to third parties with whom contracts have been concluded for this purpose, for commercial, administrative, and/or operational purposes, including but not limited to the issuance of licenses, personalized certificates and certifications to third parties, in accordance with the legal provisions in force. 

Maintain and process by computer or other means, any information related to the customer's business in order to provide the relevant services and products. 

The other purposes determined by the Data Controllers in processes of obtaining Personal Data for their Processing, in order to comply with legal and regulatory obligations, as well as the policies of the Firm. 

Personal Data Subject's Rights 

According to the Law, Personal Data Subjects have the following rights: 

1. a) Know, update and rectify your Personal Data against the Firm or the Processors thereof. This right may be exercised, among others against partial, inaccurate, incomplete, fractional, misleading data, or those whose processing is expressly prohibited or has not been authorized. 
2. b) Request proof of the Authorization granted to the Signature, unless the Law indicates that such Authorization is not necessary. 
3. c) Submit requests to the Firm or Data Processor regarding your use of your Personal Data, and for your Personal Data to be provided with such information. 
4. d) File complaints with the Superintendency of Industry and Commerce for violations of the Act. 
5. e) Revoke your Authorization and/or request the deletion of your Personal Data from the signature databases, when the Superintendency of Industry and Commerce has determined by final administrative act that in the Processing the Firm or the Data Processor has engaged in conduct contrary to the Law or when there is no legal or contractual obligation to keep the Personal Data in the Data Controller's database. 
6. (f) Request free access to and access to your Personal Data that has been processed in accordance with Article 21 of Decree 1377 of 2013. 
7. (g) To know the modifications to the terms of this Policy prior and efficiently to the implementation of the new modifications or, failing that, of the new information processing policy. 
8. (h) Have easy access to the text of this Policy and its modifications. 
9. (i) Easily and easily access personal data under the control of the Firm to effectively exercise the rights that the Law grants to the Holders. 
10. (j) To know the unit or person empowered by the Firm to whom you may file complaints, queries, claims and any other requests about your Personal Data. 

Holders may exercise their rights of law and perform the procedures established in this Policy, by submitting their citizenship card or original identification document. Minors may exercise their rights personally, or through their parents or 

adults who hold parental authority, who must demonstrate it through the relevant documentation. Likewise, the rights of the Owner may be exercised by the successors who prove such quality, the representative and / or representative of the holder with the corresponding accreditation and those who have made a stipulation in favor of another or for another. 

ATTENTION TO INQUIRIES, COMPLAINTS AND/OR CLAIMS 

Personal Data Protection Officer 

The person in charge of Customer Service as Responsible for the reception and attention of requests, complaints, complaints and queries of all kinds related to Personal Data. The customer service person will process inquiries and complaints regarding Personal Data in accordance with the Law and this policy. 

1. (a) Receive requests from Personal Data Subjects, process and respond to those based on the Law or these Policies, such as: requests to update Personal Data; requests to know Personal Data; requests for the deletion of Personal Data when the Owner submits a copy of the decision of the Superintendency of Industry and Commerce in accordance with the provisions of the Law, requests for information about the use given to his Personal Data, requests to update the Personal Data, requests for proof of the Authorization granted, when it has proceeded according to the Law. 
2. b) Respond to Personal Data Subjects for requests that do not proceed in accordance with the Law. 

Customer Service contact details are: 

NAME OR TRADE MARK:TELEFERICO A MONSERRATE S.A 

ADDRESS: CR 2 EAST 21 48 PS BOLÍVAR STATION 

FUNICULAR BOGOTÁ ADDRESSBogotá 

TELEPHON: 57(1) 2845700 EMAIL: INFO@cerromonserrate.com 

Procedures for exercising the rights of Personal Data Subjects 

Consultations 

Holders or their successors may consult the Personal Information of the Holder that rests in any database, whether public or private sector. The Data Controller or Data Processor must provide them with all the information contained in the individual registration or that is linked to the identification of the Owner. 

The consultation will be made by the means enabled by the Data Controller or Data Processor, provided that proof of this can be maintained. 

The consultation will be attended within a maximum period of ten (10) working days from the date of receipt of the same. Where it is not possible to attend the consultation within that term, the interested party will be informed, expressing the reasons for the delay and indicating the date on which his consultation will be attended, which in no case may exceed five (5) working days following the expiration of the first term. 

Paragraph. Provisions contained in special laws or regulations issued by the National Government may lay down lower terms, taking into account the nature of personal data. 

These mechanisms may be physical as a window, electronic through the mail info@cerromonserrate.com or by telephone at the 57(1) 2845700 Ext hotline: 107 in charge of receiving requests, complaints and complaints on the phones. 

Whatever the method, proof of the query and its response will be saved. 

Claims. 

The Owner or its successors who consider that the information contained in a database should be corrected, updated or deleted, or when they notice the alleged breach of any of the duties contained in this law, may file a claim with the Data Controller or the Data Processor which will be processed under the following rules : 

1. The claim will be made by request addressed to the Data Controller or the Data Processor, with the identification of the Holder, the description of the facts that give rise to the claim, the address, and accompanying the documents that you want to assert. If the claim is incomplete, the data subject will be required within five (5) days of receipt of the claim to remedy the failures. After two (2) months from the date of the request, without the applicant submitting the required information, it will be understood that he has dismissed the claim. 

In the event that the person who receives the claim is not competent to resolve it, he/she will transfer to the appropriate person within a maximum period of two (2) working days and inform the interested party of the situation. 

2. Once the complete claim is received, a legend that says "claim in process" and the reason for it will be included in the database, in a term no more than two (2) business days. Such legend must be maintained until the claim is decided. 
3. The maximum term for the claim shall be fifteen (15) business days from the day following the date of receipt. Where it is not possible to address the claim within that term, the interested party shall be informed of the reasons for the delay and the date on which his claim will be addressed, which in no case may exceed eight (8) working days following the expiration of the first term. 

The mechanisms may be electronic physical through customer service mail info@cerromonserrate.com or by telephone on the hotline (+57-1) 4787934, responsible for receiving requests, complaints and complaints on the phones. 

The claim must be filed by the Holder, its successors or representatives or accredited in accordance with Law 1581 and Decree 1377, as follows: 

• TELEFERICO A MONSERRATE S.A must be addressed electronically to the info@cerromonserrate.com; physically the address CR 2 ESTE 21 48 PS BOL-VAR FUNICULAR STATION BOGOTÁ; or by phone at 57(1) 2845700. 
• You must bear the name and identification document of the Holder. 
• A description of the facts that give rise to the claim and the objective pursued (update, correction or deletion, or fulfillment of duties). 
• You must provide the address and contact details and identification of the claimant. 
• It must be accompanied by all documentation that the claimant wants to assert. 

Security measures and/or controls implemented in the database to minimize the risks of improper use of the personal data processed. 

7 Term 

This Policy applies as of January 1, 2016. Personal Data that is stored, used or transmitted will remain in our Database, based on the criterion of temporality and necessity, for as long as necessary for the purposes mentioned in this Policy, for which they were collected.