Personal data processing policy

BURIL MARROQUINERIA, a commercial establishment whose commercial activity includes the manufacture of travel items, handbags and similar items made of leather, and the manufacture of articles of saddlery and harness, as well as the retail trade of all types of leather articles, duly constituted and registered in the Cali Chamber of Commerce, identified with the Company Register No. 966555, with principal address in Carrera 4 Oeste, Trans 16-22 El Mameyal, Cali – Colombia, they are committed to compliance with the regulation on the protection of Personal Data  and with respect for the rights of Information Subject. For this reason, we adopt this Personal Data Processing Policy (hereinafter, “The Policy”) mandatory to apply in all activities involving the Processing of Personal Data and mandatory compliance by the merchant, its Administrators, Collaborators and the third parties with whom the company relates contractually or commercially.

 

The merchant, within the development of his/her social object, daily receives, transmits and processes Personal Data so it is essential to have this policy and give it strict compliance.

 

  1. Definitions

The following concepts are a result of the above-stated by Law 1581 of 2012. Therefore, it must be interpreted in a comprehensive way and in assonance with the fundamental right it develops:

    1. Privacy Notice Disclosure: Verbal or written communication generated by the responsible, addressed to the Subject for the processing of his/her personal data, by which he/she is informed about the existence of the information processing policies that will be applicable to him/her, the way of accessing them and the purposes of the processing that is intended to be given to personal data.
    1. Authorization: means the prior, express and informed consent of the Data Subject to carry out the Processing. This may be (i) written; (ii) verbal or; (iii) unequivocal conduct that allows reasonable conclusion that the Subject accepted the processing of their data.
    1. Database: means the organized set of Personal Data that are processed, electronic or not, whatever the modality of its processing, storage, organization and access.
    1. Inquiry: means the request of the Subject of Personal Data, the persons authorized by him/her, or those authorized by law, to know the information that rests on him/her in the Merchant’s Databases.
    1. Personal Data: means any information linked to or that may be associated with one or more natural persons, determined or determinable.
    1. Private Personal Data: means the data that by its intimate or reserved nature is only relevant to the Subject. For example: merchant papers or books and private documents.
    1. Public Personal Data: means the data qualified as such according to the mandates of the law or the Political Constitution and all those that are not semi-private, private or sensitive. For example: data contained in public documents, public records and official gazettes and duly enforceable court judgments that are not subject to reservation, those relating to the marital status of persons, their civil status or profession and their status as a merchant or public servant. Personal Data existing in the company register of the Chambers of Commerce (Article 26 of the C.Co.) is public.

Thus, it is public data, which, by virtue of a decision of the Subject or a legal mandate, are in files of free access and consultation. This data may be obtained and offered without reservation and regardless of whether they refer to general, private or personal information.

    1. Semi-private personal data: means data that is not intimate, reserved, or public in nature and whose knowledge or disclosure may be of interest not only to its Subject but to a certain sector or group of people, or to society in general. For example: the data regarding compliance and non-compliance with financial obligations or data relating to relations with social security entities.
    1. Sensitive Personal Data: means the data that affects the privacy of the person or whose misuse may lead to discrimination. For example: those that reveal racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in trade unions, social organizations, human rights organizations or that promotes the interests of any political party or that guarantee the rights and guarantees of opposition political parties, data relating to health, sex life and biometric data (fingerprints), among others.
    1. Controller: means the natural or legal person who performs the Data Processing on behalf of the Responsible of Processing.
    1. Authorized: Means all persons under the responsibility of the Merchant or its Controller may perform Processing of Personal Data under the Authorization granted by the Subject.
    1. Claim: means the request of the Data Subject or the persons authorized by the Data Subject or by law to correct, update or delete your Personal Data or when they notice that there is a suspected breach of the data protection regime, according to Article 15 of Law 1581 of 2012.
    1. Responsible: Natural or legal person, public or private, who by itself or in partnership with others, decides on the basis of data and/or the processing of the data.
    1. Data subject: means the natural person whose personal data are processed.
    1. Processing: means any operation or set of operations on Personal Data such as the collection, storage, use, circulation, transfer, transmission, updating or deletion of Personal Data, among others.

The Processing may be national (within Colombia) or international (outside Colombia).

    1. Transmission: means the Processing of Personal Data that involves the communication of the same within or outside the territory of the Republic of Colombia when it is intended to carry out a Processing by the Controller on behalf of the Responsible.
    1. Transfer: means the Processing of Personal Data that takes place when the Data Controller and/or Data Responsible sends the Personal Data to a recipient, who in turn is Responsible for the Processing and is located in or out of the country.
    1. Procedural requirement: a preliminary step that must be taken by the Subject before bringing a complaint with the Superintendency of Industry and Commerce. This consists of a direct complaint to the Data Controller or Responsible for your Personal Data.
  1. Principles for the processing of personal data:

In any case, the processing of personal data carried out on the occasion of this Processing Policy, must be strictly governed by the following principles:

    1. Legality: The Processing must be subject to the provisions of the Law.
    1. Purpose: The purpose of the Processing must be legitimate, temporary and informed to the Subject.
    1. Reasonable Limit: The storage and processing of personal data shall be limited to what is essentially necessary to fulfill the previously specified purposes of the business relationship, as well as the performance of the purposes authorized by the Subject.
    1. Freedom: The data can be processed only with the prior consent, express, informed and self-determined by the Subject or by legal or judicial order.
    1. Veracity or quality: The information must be truthful, complete, accurate, up-to-date, verifiable and understandable.
    1. Transparency: The right of the Subject to obtain information about his/her data at any time without restrictions must be guaranteed.
    1. Access and restricted circulation: The Processing may only be done by persons authorized by the Subject or by the persons provided for in the Law.
    1. Security: Information must be handled with the necessary measures to grant security to the records and prevent their adulteration, loss, consultation, use or unauthorized or fraudulent access.
    1. Confidentiality: Personal data that are not of the nature of the public are reserved and can only be provided under the terms of the Law. Any person involved in the processing of the information shall ensure its reserved nature.
    1. Systematic incorporation: The principles of Personal Data Protection will be implemented in all business processes and procedures.
  1. Purposes of processing:

 

In its capacity as the responsible of the processing data, the Company declares that they will be processed on the occasion of one or more of the following purpose(s):

    1. Exercise your right to know sufficiently the Subject with whom you intend to enter into relationships, provide services, and assess the present or future risk of the same relationships and services.
    2. Carry out the relevant actions for the development of the pre-contractual, contractual and post-contractual stage with the Merchant, in respect of any of the products or services offered by the Merchant, which it has acquired or in respect of any underlying business relationship with it, as well as complying with Colombian or foreign law and the orders of judicial or administrative authorities;
    3. Carry out marketing, sales and promotional activities, telemarketing, customer service, brand activation activities, awards and promotions, directly or through third parties derived from commercial alliances or any link;
    4. Implement relationship strategies with customers, suppliers, share Subjects and other third parties with whom the Company has contractual or legal relationships;
    5. Make invitations to events, improve products and services or offer new products, and all those activities associated with the existing business relationship or link with the Merchant, or which may have;
    6. Manage formalities (requests, complaints, claims), conduct satisfaction surveys with respect to the goods and services offered by the Merchant, or affiliated companies and its commercial partners;
    7. Make known, transfer and/or transmit Personal Data within and outside the country or to third parties as a result of a law or lawful link that requires it or to implement cloud computing services.
    8. The data that is collected or stored on the employees of Buril Marroquineria through the diligence of formats, by telephone, or with the delivery of documents (life sheets, annexes) will be treated for everything related to legal or contractual labor issues. Pursuant to the foregoing, the merchant will use the Personal Data for the following purposes: (1) Complying with laws such as, but not limited to, labour law, social security, pensions, occupational risks, family compensation funds (Integral Social Security System) and taxes; (2) Comply with the instructions of the competent judicial and administrative authorities; (3) Implement labour and organizational policies and strategies.
    9. For security purposes, improvement of our service and the shopping experience, Personal Data may be used, among others, as evidence in any type of process, with respect to the data (i) collected directly in electronic and/or digital media, (ii) taken from the documents provided by individuals to the seller and (iii) the different media intended for this purpose.
    10. Know, store and process all the information provided by the Data Subjects in one or more databases, in the format that it deems most convenient.
    11. Perform all tax, accounting, tax and billing order procedures.
  1. Processing:
    1. Processing of public data:

BURIL MARROQUINERIA, warns that, without prior authorization of the Subject, personal data of a public nature and the contents in public registers. This situation does not imply that the necessary measures are not taken to ensure compliance with the other principles and obligations provided for in Law 1581 of 2012 and other standards governing this matter by BURIL MARROQUINERIA.

    1. Processing sensitive data

BURIL MARROQUINERIA only processes sensitive personal data for what is strictly necessary, requesting prior and express consent from the Subjects (legal representatives, agents, successors) and informing them about the exclusive purpose for their processing.

    1. Processing under-age data

BURIL MARROQUINERIA only processes personal data of under-age when they are of a public nature or come from the information provided by employees or contractors, at the time of their employment relationship or the provision of services. The foregoing, in accordance with article 7 of Law 1581 of 2012 and, where the processing complies with the following parameters and requirements:

  • That it responds and respects the best interests of children and adolescents.
  • Ensure respect for their fundamental rights.

With the above requirements, BURIL MARROQUINERIA, will require the legal representative or guardian of the child or adolescent, the authorization of the under-age, before the under-age give his/her opinion about the processing that will be given to his/her data, opinion that will be assessed taking into account the maturity, autonomy and ability to understand the matter, as indicated by the Law.

BURIL MARROQUINERIA, and anyone involved in the processing of the personal data of children and adolescents, will ensure the proper use of them. In compliance with the above, the principles and obligations set out in Law 1581 of 2012 and Decree 1377 of 2013 are applied and developed. 

 

  1. Data Subject’s Rights

 

Personal Data Subjects have the right to:

    1. Know fully and free of charge his/her personal data that are being processed, as well as to update, supplement and rectify it in front of the Merchant or the controllers.
    2. Know how his/her personal data has been used, upon request.
    3. Request proof of authorization granted to the Merchant, except where expressly exempted as a requirement for processing, in accordance with the law.
    4. Revoke the authorization and/or request the deletion of the data when the principles, rights and constitutional and legal guarantees are not respected in the processing.
    5. File complaints with the Superintendency of Industry and Commerce for violations of Law 1581 of 2012.
    6. Be informed about the non-mandatory answers to the questions that are asked, when these are about sensitive data.
    7. Know our processing policy, and the substantial changes that occur in processing policies.
  1. Duties of The Merchant when he/she works as responsible.

 

BURIL MARROQUINERIA, it is aware that personal data are Subject by the people to which they refer and only they can decide on them. Likewise, BURIL MARROQUINERIA clarifies that it will make use of such data, only in compliance with the purposes for which it is duly empowered and authorized previously by the Subject, or by the Law in compliance with its regulated public functions; and at all times respects the current regulations on the Protection of Personal Data.

BURIL MARROQUINERIA, as Data Controller or Data Responsible, fulfills the duties and obligations provided for in article 17 and 18 of Law 1581 of 2012, and rules that regulate or modify it, namely:

    1. Guarantee to the Subject, at all times, the full and effective exercise of the right of habeas data;
    2. Request and retain, under the conditions provided for in this law, a copy of the respective authorization granted by the Subject;
    3. Properly inform the Subject about the purpose of the collection and the rights that assist it by virtue of the authorization granted;
    4. Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access;
    5. Ensure that the information provided to the Data Controller is truthful, complete, accurate, up-to-date, verifiable and comprehensible;
    6. Update the information, communicating in a timely manner to the Data Collector, all the news regarding the data previously provided to him/her and take the other necessary measures to keep the information provided to it updated;
    7. Rectify the information when it is incorrect and communicate the relevant to the Data Collector;
    8. Provide the Data Collector, as the case may be, only data whose processing is previously authorized in accordance with the provisions of this law;
    9. To require the Data Collector at all times, respect for the security and privacy conditions of the Information of the Subject;
    10. Process inquiries and claims made in the terms set out in this law;
    11. Adopt an Internal Manual of Policies and Procedures to ensure proper compliance with this law and in particular for the care of inquiries and claims;
    12. Form to the Data Collector when certain information is under discussion by the Subject, once the claim has been submitted and the respective procedure has not been completed;
    13. Inform at the request of the Subject about the use given to its data;
    14. Inform the data protection authority (Superintendency of Industry and Commerce – Data Protection Delegation -) when security code violations occur and there are risks in the administration of the information of the Subjects.
    15. Comply with the instructions and requirements given by the Superintendency of Industry and Commerce.
    16. Duty of Secrecy and Confidentiality: BURIL MARROQUINERIA, guarantees and requires every person to intervene in any phase of the processing of private, sensitive or under-age personal data, professional secrecy, with respect to them and the duty to keep them, obligations that will survive even after finalizing their contractual relations with BURIL MARROQUINERIA.
  1. From authorization
    1. Authorization for Data Processing.

 

Those required to comply with this policy must obtain from the Subject their prior, express and informed authorization to collect and process their Personal Data. This obligation is not necessary in the case of data of a public nature.

 

To obtain the authorization, it is necessary to inform the Subject of the Personal Data in a clear and express way the following:

 

  • The processing to which their Personal Data will be subject and the purpose thereof;
  • The optional nature of the answer to the questions asked about the Subject, when it is on sensitive data or on the data of children and adolescents;
  • The rights that assist him/her as Subject provided for in Article 8 of Law 1581 of 2012;
  • The identification, physical or electronic address of the Merchant.

 

The Authorization of the Subject must be obtained through any media that may be the subject of subsequent consultation, such as the website, forms, formats, activities, contests, face-to-face or social networks, PQR format, data messages or Apps.

 

In all cases, proof of compliance with the above points should be left.

The authorization may also be obtained from unequivocal conduct of the Data Subject that allows reasonable conclusion that the Data Subject granted his/her consent to the Processing. Such conduct(s) must be very clear in such a way that it does not admit doubt or mistake about the willingness to authorize the Processing.

 

    1. Authorization for Processing sensitive data.

 

In the case of sensitive data collection, the following requirements must be met:

 

  • Authorization must be explicit;
  • The Subject should be informed that he/she is not obliged to authorize the processing of such information;
  • It must inform the Subject explicitly and in advance which of the data that will be subject to Processing are sensitive and the purpose of the same.

 

    1. Authorization for the Processing of Data of Children and Adolescents.

 

In the case of the collection and processing of data of children and adolescents, the following requirements must be met:

 

  • The authorization must be granted by persons who are entitled to represent the children and adolescents. The representative of the children and adolescents shall guarantee them the right to be heard and assess their opinion of the Processing taking into account the maturity, autonomy and ability of the children and adolescents to understand the matter.
  • It should be reported that it is optional to answer questions about children and adolescent’s data.
  • The merchant must ensure that the Processing of the Personal Data of the children and adolescents will be carried out in compliance with their rights, which is why, in the commercial and marketing activities carried out, must have the prior, express and informed authorization of the parent or the legal representative of the children and adolescents.

 

  1. Domestic or international transfers of Personal Data

 

The Merchant may make data transfers to other processing when authorized by the Information Subject, by law or by an administrative or judicial order.

  1. National or international transmissions of Personal Data

 

The Merchant may send or transmit data to one or more Collectors located within or outside the territory of the Republic of Colombia in the following cases:

 

    1. When authorized by Subject.
    1. When without the authorization there is a contract for the transmission of data between the controller and the responsible.

 

  1. Procedure for Subjects to exercise their rights

 

For the full and effective exercise of the rights that assist the Subjects of Personal Data, or to persons entitled by law for this purpose, the Merchant has the e-mail info@buril.com.co through which they may submit all queries, complaints and/or claims associated with the right of Habeas Data.

 

All requests made by the persons entitled to know the Personal Data that rest in the Merchant will be channeled through the aforementioned email in which the date of receipt of the consultation and the identity of the applicant will be recorded.

 

The claim must be addressed to BURIL MARROQUINERIA, and contain at least the following information:

 

  • Name and identification of the Data Subject or the legitimized person.
  • Accurate and complete description of the facts that give rise to the claim.
  • Physical or electronic address to send the response and report on the status of the procedure.
  • Documents and other relevant evidence the person want to assert.

 

The request shall be verified by the identity of the petitioner or the legitimacy of the petitioner for that purpose. The response to the consultation shall be communicated to the applicant within a maximum period of ten (10) working days from the date of receipt of the consultation. Where it is not possible to attend the consultation within that term, the interested party shall be informed of the reasons for the delay and the date on which his/her consultation will be attended, which in no case may exceed five (5) working days following the expiration of the first term.

 

If the application or claim is incomplete, the data subject will be required within five (5) days of receipt for the failures to be fixed. After two (2) months from the date of the request, without the applicant submitting the required information, it will be understood that he/she has given up the claim.

 

The maximum term for the claim shall be fifteen (15) working days from the day following the date of receipt. Where it is not possible to address the claim within that term, the interested party shall be informed of the reasons for the delay and the date on which his/her claim will be addressed, which in any case may exceed eight (8) working days following the expiration of the first term.

  1. Data of the responsible of Processing

 

Social reason: BURIL MARROQUINERIA

NIT: 1,151,940.268-9

Address: Cali – Colombia

Email: info@buril.com.co

Phone: 315 – 485 -2605

Website: www.buril.com.co

 

  1. Information of security policies

 

The merchant shall take the necessary technical, administrative and humane measures to ensure the security of the Personal Data to which he/she gives Processing, protecting the confidentiality, integrity, use, unauthorized and/or fraudulent access to them. For this, it has implemented mandatory security protocols for all Personnel who have access to this data and/or information systems.

  

The processing of Personal Data will be from the beginning of the Event until the day in BURIL MARROQUINERIA is dissolved and liquidated or until the purpose for which the Personal Data was collected is finalized.

 

  1. Adjustments to The Personal Data Processing Policy

 

In order to maintain the validity of the policy, the Merchant may adjust and modify it, indicating the date of the update on the website or by using other media, such as data messages, physical materials at the points of sale, etc.

Adjusted policies will take effect from its publication on the website.

  1. Legal framework applicable to processing

Under this policy, the following regulatory references and the procedures/guidelines issued by THE COMPANY for the processing of personal data will apply.

  • Colombian Constitution.
  • Law 1581 of 2012.
  • Single Decree 1074 of 2015.
  • Regulatory Decrees.
  • Applicable case law.
  • This Personal Data Processing Policy.

AUTHORIZATION FOR DATA PROCESSING

I have been informed (a) by BURIL MARROQUINERIA (Responsible for the Processing) of the following: (i) The data provided on this page will be processed for the following purposes: Send or use the information for contractual purposes, customer service, marketing (such as consumer analysis, brand traceability among others), Commercial, (such as benefits, promotions, discounts, current campaigns, promotional events, writings, images, data messages, allied brands and programs of own brands or partners among others), update data and provide relevant information; To consult to answer the queries about products and services offered, the realization of studies for statistical purposes, customer knowledge. Information, to inform the Subjects of the data about news, products, services and special offers, for the development of activities related to telephone service, collections or others of a similar nature. Allowing them to transfer or transmit data or information in whole or in part to their subsidiaries, merchants, companies and/or affiliated entities and strategic or commercial partners operating or not in another Colombian jurisdiction or territory. (ii) It is optional to answer questions about sensitive or under-age data; (iii) As the Subject of the data and/or representative of the under-age, I have the rights to know, update, rectify or delete my information or revoke the authorization granted; (iv) If my request is not resolved directly, and alternatively, I have the right to file claims with the Superintendency of Industry and Commerce, in accordance with Law 1581 of 2012, Decree 1377 of 2013 and other supplementary rules; (v) My rights and obligations, I can exercise them strictly in compliance with the Data Processing Policy of BURIL MARROQUINERIA Available in www.buril.com.co. and by contacting at info@buril.com.co Consult Personal Data Processing Policy.

I declare that the provision of data of third parties, I have done so with my unequivocal and express authorization.

PRIVACY NOTICE DISCLOSURE

BURIL MARROQUINERIA, is committed to the fair, lawful, legitimate and secure processing of the personal data contained in its information systems. As the responsible, they communicate that the personal data of customers, and third parties, is carried out in accordance with the Personal Data Processing Policy, the content of which is available on the page www.buril.com.co. Therefore, the information provided is treated for the purposes and scopes provided in the aforementioned policy, which indicates your rights as the Subject of the information to know, update or rectify your data and the other rights provided for in the current regulations, which can be exercised through the email info@buril.com.co