The present document establishes the Policies of Personal Data Processing of the Federación Nacional de Cafeteros de Colombia, acting as a private union association and as Administrator of the Fondo Nacional del Café (hereinafter, the ENTITY), pursuant to the provisions under Law 1581 of 2012 and Decree 1377 of 2013, and therein, the mechanisms through which the ENTITY guarantees a proper handling of the personal data collected in its data bases, so as to allow holders to exercise the right of Habeas Data.
The ENTITY is a non-profit, private legal person, domiciled in Bogota, with legal capacity recognized by the National Government by means of executive decision No. 33 of 2 September, 1927, published in the Official Journal No. 20.894 of 1928, with NIT [Tax Identification Number] 860.007.538-2, whose contact data are as follows: Address: Calle 73 No. 8 – 13, Bogota D.C., Colombia Telephone: 3136600 Email: email@example.com
- Authorization: Previous, expressed and informed consent of the Holder to carry personal data Processing;
- Data Bases: Organized set of personal data that is object of Processing;
- Personal data: Any information that is related or that could be associated to one or several determined or determinable natural persons;
- Person in charge: Natural or legal, public or private person, who by themselves or in association with others, performs personal data Processing on behalf of that one Responsible for the Processing;
- Responsible Party: Natural or legal, public or private person, who by themselves or in association with others, takes decisions regarding the data base and/or data Processing;
- Holder: Natural person whose personal data are object of Processing;
- Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.
- Principle of legality: Personal data Processing is a regulated activity that must be subject to what is established by the law and in the remaining provisions therein that account for them;
- Principle of purpose: The Processing must obey to a legitimate purpose in agreement with the Constitution and the Law, which must be informed to the Holder;
- Principle of freedom: The Processing can only be exerted with the Holder’s previous, expressed and informed consent. The personal data shall not be obtained or spread without prior authorization, or in the absence of a legal or juridical mandate that replaces the consent;
- Principle of authenticity or quality: The information subject to Processing shall be truthful, complete, exact, updated, verifiable and understandable. Partial, incomplete, fractioned, or error-inducing Processing of data is forbidden;
- Principle of transparency: The Processing shall guarantee the Holder’s right to obtain from that one Responsible for the Processing or that one in Charge of the Processing, at any time and with no restrictions, information regarding the existence of data of relevance;
- Principle of access and restricted circulation: The Processing is subject to the limits that derive from the nature of the personal data, from the provisions of the law and the Constitution. In this sense, the Processing shall only be made by persons authorized by the Holder and/or by the persons set forth by the law. The personal data, except the public information, shall not be available on the Internet or other dissemination means or mass communication means, except that access is technically controllable to offer restricted knowledge only to the Holders or third parties authorized pursuant to the law;
- Principle of safety: The information subject to Processing by that one Responsible of the Processing or that one in Charge of the Processing shall be handled with the technical, human and administrative measures that are necessary to guarantee safety to the records, preventing their unauthorized or fraudulent use, access, adulteration, loss orconsultation;
- Principle of confidentiality: Every person that intervenes in the Processing of personal data that does not have the nature of public shall be obliged to guarantee reservation in the information, even after concluding their relation with any of the tasks encompassed by the Processing, just being able to provide or communicate personal data when that corresponds to the development of the activities authorized by law and under the terms therein.
Content of the data bases
At the ENTITY’s data bases, general information is stored with full name, identification number and type, sex and contact information (email, physical address, line phone, and mobile phone). In addition to these, and depending on the nature of the data base, the ENTITY can have specific data required for the processing to which the data will be submitted. In the data bases of staff and contractors, the following information is additionally included: job and academic background, sensitive data required by the nature of the job relation (photo, family members, biometric data).
The data base shall be able to store sensitive information with prior authorization by their holder, pursuant to what is established under articles 5 and 7 of law 1581 of 2012.
The information that is recorded on the entity’s data bases is subjected to several forms of processing, like collection, exchange, updating, processing, reproduction, compilation, storage, use, systematization and organization, all of them partially or totally, pursuant to purposes herein set forth. The information can be delivered, transmitted or transferred to public bodies, trade partners, contractors, affiliates, subsidiaries, just to the aim of complying with the purposes of the corresponding data bases. In any case, the delivery, transmission or transfer shall be made prior undersigning of the commitments that are necessary to safeguard the confidentiality of the information. The personal information, including sensitive information, may be transferred, transmitted or delivered to third countries, notwithstanding the level of safety of the standards that regulate the handling of personal information. In compliance with the legal duties, the ENTITY shall be able to provide the personal information to juridical or administrative entities.
The ENTITY shall protect the correct use of personal data of children under legal age, guaranteeing that the applicable legal demands are complied with and that all processing is previously authorized and is justified in the higher interest of children under legal age.
The information regarding clients, suppliers, partners and employees, present or past, is kept so as to facilitate, promote, allow or maintain job, civil and commercial relationships.
The information regarding actors in the coffee market is stored so as to comply with the needs typical of its object, particularly those related to the development, design and implementation of programmes, projects, plans, policies, contracts or agreements necessary to promote coffee growing in Colombia.
Rights of the holders
In accordance with what is set forth in article 8 of law 1581 of 2012, the holders shall be able:
- To know, to update and to rectify their personal data before the ENTITY or the ones in Charge. This right shall be exerted, among others, in the case of partial, inexact, incomplete, fractioned or error-inducing data, or those whose Processing is expressly forbidden or has not been authorized.
- To demand proof of authorization issued to the ENTITY, except when it is expressly exempt as a requisite for the Processing, pursuant to what is set forth under article 10 of the present law.
- To be informed by the ENTITY or the one in Charge, prior request, regarding the use given to their personal data.
- To submit before the Superintendence of Industry and Commerce claims against infringements to what is set forth in the present law and remaining regulations that modify it, add to it or complement it.
- To revoke authorization and/or request deletion of the data when the constitutional and legal principles, rights and guarantees are not respected in the Processing. The revocation and/or deletion shall proceed when the Superintendence of Industry and Commerce has determined that the ENTITY or the one in Charge has incurred in conducts contrary to this law and the Constitution. • To have free access to their personal data that have been object of the Processing.
Obligations of the entity
The ENTITY shall:
- Guarantee the Holder, at all times, the full and effective exercise of the right to habeas data.
- Request and keep, in the conditions set forth in the present law, a copy of the respective authorization granted by the Holder.
- Duly inform the Holder of the purpose of the collection and the rights that assist them by virtue of the authorization issued.
- Keep the information under the safety conditions necessary to prevent its unauthorized or fraudulent use, access, adulteration, loss, consultation.
- Guarantee that the information that is provided to the one in Charge is truthful, complete, exact, updated, verifiable and understandable.
- Update the information, communicating in timely manner to the one in Charge of the Processing, all the news regarding the data that have previously been provided and adopt the other necessary measures so that the information provided to them is kept up to date.
- Rectify the information when it is incorrect and communicate what is pertinent to the one in Charge.
- Provide to the one in Charge, according to the case, only the data whose Processing is previously authorized pursuant to what is set forth in the present law.
- At any moment, demand from the one in Charge, respect for the safety and privacy conditions of the Holder’s information. • Process the consultations and claims made under the terms set forth under the present law.
- Adopt an internal manual of policies and procedures to guarantee the proper compliance with the present law and, in special, to care for consultations and claims.
- Inform the one in Charge when certain information is under discussion by the Holder, once the claim has been submitted and the respective proceeding has not been completed.
- Inform at request of the Holder on the use given to their data;
- Inform the authority of data protection when there appear violations to the safety codes and when there are risks in the administration of the Holders’ information.
- Comply with the instructions and requests handed out by the Superintendence of Industry and Commerce.
Responsible person or area
All requests, complaints or claims related to the handling of personal data, pursuant to what is set forth in Law 1581 of 2012 and Decree 1377 of 2013, shall be sent to:
Entity: Federación Nacional de Cafeteros de Colombia
Office: Legal address
Address: Calle 73 No. 8-13 Bogota D.C., Colombia
Email address: firstname.lastname@example.org
Presentation procedures and response to consultations
The holders of personal data that appear on the data bases of the ENTITY, or their assignees, shall be able to consult the data that shall submit the information under the terms set forth in the applicable legislation. All requests of consultation, correction, updating or deletion shall be submitted in written or via email, pursuant to the information contained in this document.
The consultations shall be answered within a term of ten (10) working days counted as of the date of receipt of the respective request. When responding to the consultation within such term is not possible, the interested party shall be informed, with the reasons for the delay and the date when their consultation will be heard, which in no case shall exceed five (5) working days following expiry of the first term.
Presentation procedures and response to consultations, complaints and claims
Claims shall be made in written or via email, pursuant to the information contained in this document, and shall have, at least, the following information:
- identification of Holder
- description of the facts that give rise to the claim
- Address of holder
- documentation that can be presented as proof
If the claim is incomplete, the interested party shall be required to amend the errors within five (5) days following receipt of the claim. After two (2) months from the date of the request, without the applicant presenting the information asked for, it shall be understood that they have withdrawn from the claim.
In case that the one receiving the claim is not competent to solve it, they shall transfer it to whom it may concern within a maximum term of two (2) working days and inform of the situation to the interested party.
Once the complete claim is received, an inscription reading “claim under course” and the reason thereof shall be included in the data base, within a term no longer than two (2) working days. Said inscription shall be kept until the claim is decided upon.
The maximum term to respond to a claim shall be fifteen (15) working days as of the day following the date of receipt. When responding to the claim within such term were not possible, the interested party shall be informed, expressing the reasons for the delay and stating the date when their claim will be heard, which in no case shall exceed eight (8) working days following expiry of the first term.
Validity of the data base
The ENTITY’s Policies of Personal Information Processing shall be effective as of the twenty-seventh day (27) of July, 2013. The ENTITY keeps its right to modify them, under the terms of the law and with the limitations set forth by it.
The data bases administered by the ENTITY shall be indefinitely kept, as long as their object is developed, and as long as it is necessary to guarantee compliance with obligations of legal nature, particularly in labour and accountant matters, but the data can be eliminated at any time and at request of their holder, as long as this request is not against any legal obligation of the ENTITY or an obligation contained under a contract between the ENTIDAD and the Holder.