Palomma S.A.S. Privacy and Personal Data Protection Policy

1. Objective

The purpose of this Privacy and Personal Data Protection Policy, (hereinafter “Privacy Policy”), is to comply with current regulations on the Protection of Personal Data.

2. Scope

This Privacy Policy applies to Palomma S.A.S. (hereinafter “Palomma”), in its capacity as data controller, to its direct and indirect employees, and to all third parties (natural or legal persons) to whom Palomma transmits personal data of the owners who make up the data controller's interest groups, whenever those third parties carry out any processing of such data on behalf of the data controller.

3. Identification of the data controller

Company Name:
Palomma S.A.S.

City:
Medellin

Address:
Carrera 23 # 10 B 120

Email:
info@palomma.com

4. Definitions

For the purposes of this Privacy Policy, the following terms shall have the meanings set out below.

“Adolescent” means a person between 12 and 18 years of age.

“Authorization” means the prior, express and informed consent of the owner of personal data to carry out the processing of their personal data, which can be collected in (i) written form, (ii) orally or (iii) through unambiguous conduct, which allows us to reasonably conclude that the authorization was granted.

“Privacy Notice” means the physical or electronic document, or a document in any other format, generated by the data controller and made available to the owner for the processing of their personal data. The privacy notice communicates the following information to the owner: i) the name or company name and contact details of the data controller; ii) the processing to which the data will be subjected and its purpose; iii) the rights of the owner; and iv) the mechanisms provided by the data controller for making the owner aware of the information processing policy and of any substantial changes to it or to the corresponding Privacy Notice.

“Database” means the organized set of physical or electronic (digital) personal data that is subject to manual or automated processing, established in one or more locations.

“Personal Data” means any information linked to, or that can be associated with, one or more identified or identifiable natural persons. Personal data may be public, semi-private, private or sensitive in nature. The data may be collected by the data controller directly from the owner, from third parties who send it to the data controller, and/or from publicly accessible sources (including, but not limited to, social networks, web pages and/or platforms of public or private entities), guaranteeing at all times the rights of the owners. The personal data that may be collected and processed include, among others, identification data, personal contact data, personal location data, academic data, personal employment data, personal tax data, and personal financial and/or property data.

“Private data” means data that, due to its intimate or reserved nature, is only relevant to the Owner.

“Public data” means data qualified as such according to the mandates of the law or the Political Constitution and that which is not semi-private, private or sensitive.

“Sensitive Data” means data that affects the privacy of the owner or whose misuse may lead to discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social or human rights organizations, or organizations that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data relating to health, sexual life and biometric data (fingerprint, iris, voice, gait, palm of the hand or facial features, photographs, videos, among others). The same rules and procedures that apply to sensitive data will apply to the personal data of children and/or adolescents, and no processing will be carried out that could violate or threaten their physical, mental or emotional development.

“Semi-private data” means data that is neither intimate, reserved nor public in nature, and whose knowledge or disclosure may be of interest not only to its owner but to a group of people or to society in general. Semi-private data includes, among others, information related to social security and to financial and credit behavior.

“Data processor” means any natural or legal person, public or private, who, on their own or in association with others, processes personal data on behalf of the data controller.

“Child” means a person between 0 and 12 years of age.

“Personal Data Protection Officer” means the person or area responsible for ensuring that PQRSD relating to the protection of personal data are handled, and that the policies, guidelines and procedures that make up the Personal Data Protection Program are complied with.

“Platform” means the website implemented by Palomma for the acquisition of the services offered by Palomma, as well as apps and/or any other channel implemented in the future by the data controller. The current Platform Terms and Conditions form an integral part of this Privacy Policy.

“PQRSD” (Spanish acronym) means petitions, complaints, claims, suggestions and reports relating to the protection of personal data.

“Data Protection” means all the technical, human and administrative measures necessary to secure the records, preventing their adulteration, loss, or unauthorized or fraudulent consultation, use or access.

“Data controller” (also referred to in this Privacy Policy as the person responsible for the treatment) means the natural or legal person, public or private, who, alone or in association with others, decides on the database and/or the processing of the data.

“Owner” means the natural person whose personal data is being processed.

“Transfer” means the sending of personal data by the data controller and/or the data processor to a recipient who is in turn a data controller and who is located inside or outside the country.

“Transmission” means the processing of personal data that involves communicating such data inside or outside the country in which the data controller resides, when its purpose is processing by a data processor on behalf of the data controller.

“Treatment” or “Processing” means any operation or set of operations performed on personal data, such as collection, storage, updating, use, circulation, transfer, transmission or deletion.

“User” means a person who uses the Website, Apps or other channels made available by Palomma.

5. Guiding Principles

The following guiding principles for the protection of personal data apply to the processing carried out by the data controller, its employees and all third parties (natural or legal persons) to whom the data controller transmits or transfers personal data of the owners who make up its interest groups, whenever they carry out any processing of such data.

Principle of legality in the processing of personal data: The processing of personal data referred to in Statutory Law 1581 of 2012 is a regulated activity that must be subject to what is established in it and in the other provisions that implement it.

Principle of purpose: The processing of personal data must serve a legitimate purpose in accordance with the Constitution and the law, and that purpose must be communicated to the owner.

Principle of freedom: Processing may only be carried out with the prior, express and informed consent of the owner. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that dispenses with consent. Public data is excluded from this principle and may be processed without the owner's authorization, in accordance with current regulations.

Principle of veracity or quality: The information subject to processing must be true, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fractional or misleading data is prohibited.

Principle of transparency: In the processing, the right of the owner to obtain, at any time and without restrictions, information about the existence of data concerning him must be guaranteed.

Principle of restricted access and movement: Personal data, with the exception of public information, may not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to owners or authorized third parties.

Principle of security: The information subject to processing must be protected through the technical, human and administrative measures necessary to secure the records, preventing their adulteration, loss, or unauthorized or fraudulent consultation, use or access.

Principle of confidentiality: All persons involved in the processing of personal data are obliged to guarantee the confidentiality of information, even after the end of their relationship with any of the tasks that include the processing.

6. Treatments to which personal data will be subject and their purposes

For the purposes of this Privacy Policy, the data controller, directly or through data processors, may collect, store, use, circulate, update, delete or carry out any other type of processing on the personal data of their interest groups, complying at all times with the provisions of current regulations and for the purposes described below.

1. General purposes for the processing of personal data of different interest groups

  • Fulfill the corporate purpose of Palomma.

  • Manage, administer and use all the information necessary to comply with Palomma's legal and contractual obligations, as well as its tax, commercial, corporate and accounting obligations.

  • Identification of the owners.

  • National and international transmission and transfer, and storage and custody of information and/or personal data in physical files or on servers owned by Palomma and/or third parties, located inside or outside the country, whether or not those countries offer adequate levels of data protection, whenever required for the organization's own activities and its relations with the owner, the owner's employer or contractor.

  • Implementation of security measures and restriction of access to databases and information in general.

  • Preservation of information for historical, scientific and statistical purposes.

  • Guarantee the exercise of any right of the owners, their employers or contractors.

  • Registration and control of the entry and exit of documents.

  • Information systems administration, key management, user administration, etc.

  • Planning, controlling, measuring and monitoring the impact of decisions taken within the organization and analysis of the impact of external factors.

  • Design, elaboration and implementation of strategies and goals to optimize economic, technological and human resources.

  • Sending communications related to the purposes contained in this privacy policy, the activities of the data controller, through the professional, business and/or personal contact details of the owners, including, but not limited to, landline and/or mobile phone, physical and/or electronic mail, text messages, sms and/or mms, chats, RCS, push notifications, electronic media and/or any other means of communication.

  • Convocation and execution of programs, meetings, training and events, as well as the preservation of documentary records of them, such as attendance lists, photographs, voice recordings and/or videos.

  • Marketing and remarketing.

  • Offer of goods and/or services by the data controller and/or its strategic partners.

  • Campaigns to update the data of the owner, their employer or contractor.

  • Controls, statistics and histories of the relationships maintained with the owners of the different interest groups.

  • Support in internal and/or external auditing processes, fiscal reviews, consulting and implementation of improvement plans.

  • Fraud control and prevention, and control and prevention of money laundering and terrorist financing.

  • Reports to competent administrative and judicial authorities.

  • Responding to requests made by competent administrative and judicial authorities.

  • Preparation and submission of lawsuits and complaints to the competent authorities, as well as exercising the right of defense in any administrative and/or judicial process.

  • Compliance with obligations arising from contracts signed between the data controller and the owners, or with their contractors or employers, or arising from a legal or judicial order.

  • Administrative, financial and accounting management, creation of third parties, and registration in the data controller's databases.

  • Preparation, recording and control of financial and accounting information, financial statements, management indicators, cost system, budgets and cash flow, among others.

  • Tax management and generation of tax information.

  • Handling of PQRSD.

  • Contracting insurance policies and applying for protection.

  • Request for credit or financial services.

  • Other purposes indicated in this Privacy Policy, in the authorization granted by the owner and/or in the privacy notices.

2. General purposes for the processing of personal data of Users and Businesses.

  • Behavioral analysis, consumer habits, profiles and market segmentation.

  • Marketing and remarketing.

  • Offer of goods and/or services by the data controller and/or its strategic partners.

  • Managing registration as a user of our services.

  • Transfer of Personal Data to merchants and other suppliers, payment companies, financial institutions, insurance companies, subsidiaries, controllers and affiliates, among others, who need to know such information to effectively provide services or make decisions.

  • Prove the identity and verify the information provided through the Platform.

  • Manage the request and search for the requested services.

  • Contact for clarification and follow-up on the use of the Platform, such as complaints or comments about it.

  • Carry out the activities necessary for the provision of services.

  • Evaluate, monitor and record the activity and use of the Platform and the services of Palomma or its partners.

  • Prevent fraud or possible illegal conduct.

  • Manage payments through the various payment methods allowed by the Palomma Platform.

  • Carry out billing and collection activities.

  • Manage activities aimed at promoting, maintaining and improving the services of Palomma or its allies.

  • Evaluate the level of satisfaction with products and services.

  • Management of warranty claims for products or services.

  • Transmission and transfer of contact data to data processors, any of their affiliates, controllers or subsidiaries, contractors and suppliers and/or strategic partners, to process the owner's personal data, for the purposes indicated in this privacy policy.

  • User loyalty and recognition of benefits and after-sales service.

7. Rights of the owners

The owners of personal data have the following rights:

1. To know, update and rectify their personal data before the data controllers or data processors. This right may be exercised, among other cases, against data that is partial, inaccurate, incomplete, fractional or misleading, or whose processing is expressly prohibited or has not been authorized.

2. To request proof of the authorization granted to the data controller, unless authorization is expressly excluded as a requirement for the processing.

3. To be informed by the data controller or data processor, upon request, regarding the use given to their personal data.

4. Submit complaints for violations of the provisions of current regulations to the Superintendency of Industry and Commerce.

5. To revoke the authorization and/or request the deletion of the data when the processing does not respect constitutional and legal principles, rights and guarantees.

6. To access, free of charge, the personal data of theirs that has been processed.

The request to delete the information and the revocation of the authorization will not proceed when the owner has a legal or contractual duty to remain in the database.

8. Duties of the data controller

The data controller has the following duties:

1. Guarantee the holder, at all times, the full and effective exercise of the right to habeas data.

2. Request and keep by any means and under the conditions provided for in current regulations, a copy of the respective authorization granted by the owner.

3. Duly inform the owner about the purpose of the collection and the rights granted to him by virtue of the authorization granted.

4. Keep the information under the security conditions necessary to prevent its adulteration, loss, or unauthorized or fraudulent consultation, use or access.

5. Ensure that the information provided to the data processor is true, complete, accurate, updated, verifiable and understandable.

6. Update the information, informing the data processor in a timely manner of any changes to data previously provided, and take any other measures necessary to keep the information provided to the data processor up to date.

7. Rectify the information when it is incorrect and notify the data processor accordingly.

8. Provide the data processor, as the case may be, only data whose processing is previously authorized in accordance with the provisions of current regulations.

9. Require the data processor, at all times, to respect the security and privacy conditions of the owner's information.

10. Process PQRSD formulated in the terms indicated in current regulations.

11. Adopt an internal manual of policies and procedures to ensure adequate compliance with current regulations and, in particular, for the care of PQRSD.

12. Inform the data processor when certain information is under discussion by the owner, once the complaint has been submitted and the respective procedure has not been completed.

13. Inform at the request of the owner about the use given to their data.

14. Inform the data protection authority when security breaches occur and there are risks to the management of the owners' information.

15. Comply with the instructions and requirements issued by the competent authorities in the matter.

9. Duties of the data processor

The data processor has the following duties:

1. In carrying out the contracted activities, comply with this Privacy and Personal Data Protection Policy, as well as with all procedures, guidelines and/or instructions issued by the data controller regarding the protection of personal data.

2. Adopt, as instructed by the data controller, all technical, human and administrative measures necessary to secure the records, preventing their adulteration, loss, or unauthorized or fraudulent consultation, use or access.

3. Implement a personal data protection policy that complies with the provisions of the regulations that regulate the matter.

4. Process personal data in accordance with the express instructions it receives from the data controller, refraining from using the data for purposes other than those contracted.

5. Refrain from providing, transferring or commercializing personal data with third natural or legal persons, public or private, unless the same is of a public nature without reservation, or is required by a competent authority in the exercise of its legal functions.

6. Keep strict confidentiality with respect to the personal data accessed in the course of the contracted activities, and diligently fulfill the duty of care and custody over such data throughout the term of the contract and after its termination.

7. Access or consult the information or personal data contained in the data controller's databases only when it is strictly necessary for the exercise of the contracted activities.

8. Report to the data controller, immediately upon occurrence or upon becoming aware of it, through the channels and means established by the data controller, any incident or threatened incident that affects or may directly or indirectly affect the protection of personal data.

9. Guarantee at all times, the full and effective exercise of the right to habeas data of the holders, as well as due process in the event of a PQRSD in the area of personal data protection.

10. Update, rectify or delete the data in a timely manner in the terms established in the regulations in force.

11. Update the information reported by the data controller, within five (5) business days from its receipt.

12. Adopt an internal manual of policies and procedures to ensure adequate compliance with current regulations and, in particular, for the handling of PQRSD submitted by owners.

13. Refrain from circulating information that is being disputed by the owner and whose blocking has been ordered by a competent authority.

14. Allow access to the information only to persons authorized to access it.

15. Comply with instructions and requirements issued by a competent authority.

16. In case of collecting data on behalf of the data controller, require the authorization of the owners, in cases where it is required, in accordance with the provisions of current regulations.

10. Personal Data Protection Officer

The functions of personal data protection officer will be exercised by the customer service area, which, among other duties, will ensure that the rights of the owners are adequately guaranteed, in particular the handling of PQRSD.

11. Procedure for information holders to exercise their rights

Owners, or those entitled to act on their behalf under current regulations, may submit PQRSD through the following channel:

Email:
info@palomma.com

The following persons are eligible to file PQRSD:

  • The owner, who must sufficiently prove their identity.

  • The successors in interest of the owner, who must prove such status.

  • The representative and/or agent of the owner, upon accreditation of the representation or power of attorney.

  • Anyone acting under a stipulation in favor of or on behalf of another, provided the owner has accepted it, proof of which must be included with the request.

The rights of children or adolescents shall be exercised by those who are empowered to represent them.

The PQRSD must contain at least: i) the name and address of the requester, or another means by which the response can be communicated; ii) documents proving the requester's identity (voting credential, passport or military card) or, where applicable, legal representation (in addition to documents proving the identity of the owner, the power of attorney or special power of attorney and documents proving the identity of the representative); iii) a clear and precise description of the personal data with respect to which the requester seeks to exercise any of the rights; iv) where applicable, an express statement revoking consent to the processing of the personal data so that it is no longer used; and v) any other element that facilitates locating the personal data.

Petitions, complaints, claims and reports will be resolved within fifteen (15) business days following their submission by the owner or entitled person; this term begins to run on the business day following the filing. Inquiries will be resolved within ten (10) business days following their submission by the owner or entitled person; this term begins to run on the same day as the filing, unless the inquiry is submitted on a non-business day, in which case the term begins on the first business day following the filing.

12. Validity

This Privacy and Personal Data Protection Policy is effective as of February 1, 2023. The databases processed by the data controller will remain in force for as long as the purposes for which the data were collected persist and/or for the term established by law. The data controller reserves the right to modify this Privacy Policy at any time. If there are substantial changes in the content of the authorization, in the identification of the data controller or in the purpose of the processing of personal data that may affect the content of the authorization, the data controller will communicate these changes to the owner before, or at the latest upon, implementing the new policies, and will request a new authorization when the change relates to the purpose of the processing.