General Data Processing Policy – Habeas Data PASAR EXPRESS SAS
The company PASAR EXPRESS SAS, headquartered in Bogotá with a physical address at Avenida Eldorado No. 103 – 09 Edif. CISA, second floor, entrance 14, Bogotá D.C.; electronic address pqr@pasar.net and phone number (601) 2916505, hereby informs data subjects of this personal data protection policy, which is implemented in accordance with Statutory Law 1581 of 2012 and Decree 1377 of 2013. The purpose is to ensure that the data subjects whose personal data is managed by the company are aware of their rights, the procedures and mechanisms provided by PASAR EXPRESS SAS to enforce those rights, as well as the scope and purpose of the processing to which personal data will be subjected, in case the data subject grants their express, prior, and informed authorization.
- GENERAL PROVISIONS
- Justification
This personal data protection policy is implemented in accordance with Statutory Law 1581 of 2012, Decree 1377 of 2013, the ruling in Judgment C-784 of 2011, and other related and complementary regulations. Its purpose is to ensure the constitutional right of habeas data by PASAR EXPRESS SAS, its employees, and collaborators, with regard to the databases of its clients, suppliers, and employees.
With this policy, the aim is to define the processing that will be applied to the company’s databases, their purpose and classification, as well as the rights of the data subjects, the procedure for their deletion, and the duties and obligations of PASAR EXPRESS SAS for the proper use of information and its correct protection.
PASAR EXPRESS SAS is directly responsible for the use and protection of personal data; however, it reserves the right to delegate the processing of its databases to a third party in accordance with the commercial activities of PASAR EXPRESS SAS. The third party is obligated to follow and apply appropriate procedures for the protection of personal data and to maintain strict confidentiality.
- Definitions
DATABASE. An organized set of personal data that is subject to processing; in the case of PASAR EXPRESS SAS, this refers to its databases of clients, suppliers, and employees.
CLIENTS. All individuals who use the service of PASAR EXPRESS SAS, registering with the company by making an express service request through the channels established by PASAR EXPRESS SAS, such as by phone, through the website, or by written request.
PERSONAL DATA. Any information linked or that can be associated with one or more identified or identifiable natural persons.
PUBLIC DATA. Data that is neither semi-private, private, nor sensitive. Public data includes, among others, information related to a person’s marital status, profession or trade, and status as a merchant or public servant. By nature, public data can be found in public records, public documents, gazettes and official bulletins, and final court rulings that are not subject to confidentiality.
PRIVATE DATA. Any personal information to which access is restricted and which is, in principle, not available to the general public.
SEMI-PRIVATE DATA. Data that is neither intimate, reserved, nor public, and whose knowledge or disclosure may be of interest not only to the data subject but also to a certain sector or group of people or to society in general.
SENSITIVE DATA. Sensitive data refers to information that affects the privacy of the data subject or whose improper use may lead to discrimination. This includes information that reveals racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social or human rights organizations, or any political party, or that ensures the rights and guarantees of opposition political parties. It also includes health-related data, sexual life information, and biometric data.
CASES WHERE AUTHORIZATION IS NOT REQUIRED. These are specific cases described in Article 10 of Statutory Law 1581 of 2012, where PASAR EXPRESS SAS does not require authorization to process the information it holds. These specific cases include:
a) Information required by a public or administrative entity in the exercise of its legal functions or by court order;
b) Public data;
c) Cases of medical or sanitary urgency;
d) Processing of information authorized by law for historical, statistical, or scientific purposes;
e) Data related to the Civil Registry of Persons.
Anyone who accesses personal data without prior authorization must, in any case, comply with the provisions contained in this law.
EMPLOYEES. An employee or worker is someone who provides a service to another through an employment contract, which is an agreement whereby a natural person undertakes to provide a personal service to another natural or legal person, under the continuous dependence or subordination of the latter and for remuneration.
DATA PROCESSOR. A natural or legal person, public or private, who, either independently or in association with others, carries out the processing of personal data on behalf of the data controller, which in this case is PASAR EXPRESS SAS.
GENERAL DATA PROCESSING POLICY. This is the regulatory framework adopted by PASAR EXPRESS SAS, through which it processes its databases and defines the data controller, the processing to which the data will be subjected and its purpose, the rights of the data subject, and the person or area responsible for addressing requests, inquiries, and complaints, before which the data subject can exercise their rights to know, update, rectify, and delete their data, and revoke their authorization and its procedures.
SUPPLIERS. A natural or legal person who has a civil or commercial contractual relationship with PASAR EXPRESS SAS.
DATA CONTROLLER. A natural or legal person, public or private, who, independently or in association with others, decides on the database and/or the processing of the data; in this case, PASAR EXPRESS SAS.
COMPLAINT. The right of the data subject to request PASAR EXPRESS SAS to know, update, rectify, and delete their data and revoke their authorization.
DATA SUBJECT. A natural person whose personal data is subject to processing.
PROCESSING. Any operation or set of operations performed on personal data, such as collection, storage, use, circulation, or deletion.
TRANSFER. The transfer of data occurs when the data controller and/or processor of personal data, located in Colombia, sends the information or personal data to a recipient who, in turn, is responsible for it and is located inside or outside the country.
TRANSMISSION. Processing of personal data that involves the communication of such data within or outside the territory of the Republic of Colombia when it aims to carry out processing by the data processor on behalf of the data controller.
- Principles of Personal Data Processing
PRINCIPLE OF LEGALITY IN PERSONAL DATA PROCESSING. The processing referred to in this policy is a regulated activity that must comply with what is established herein and in other provisions that develop it. The processing of personal data will be carried out in accordance with Law 1581 of 2012 and its regulatory decrees and other norms that add to, complement, or replace it.
PRINCIPLE OF PURPOSE. The processing must serve a legitimate purpose in accordance with the Constitution and the Law, which must be communicated to the data subject regarding the use, purpose, and manner of exercising their rights to know, update, rectify, and delete their data and revoke their authorization.
PRINCIPLE OF FREEDOM. Processing can only be carried out with the prior, express, and informed consent of the data subject. Personal data may not be obtained or disclosed without prior authorization or in the absence of a legal or judicial mandate that relieves the need for consent.
PRINCIPLE OF TRUTH OR QUALITY. The information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. The processing of partial, incomplete, fragmented data, or data that induces error is not permitted.
PRINCIPLE OF TRANSPARENCY. The processing must guarantee the data subject’s right to obtain from PASAR EXPRESS SAS, at any time and without restrictions, information about the existence of data concerning them.
PRINCIPLE OF RESTRICTED ACCESS AND CIRCULATION. The processing is subject to the limits arising from the nature of the personal data, the provisions of this law, and the Constitution. In this sense, processing may only be carried out by individuals authorized by the data subject and/or by PASAR EXPRESS SAS in accordance with this policy and the authorities authorized by Law.
The personal data, except for public information, shall not be available on the Internet or other means of mass dissemination or communication, unless access is technically controllable to provide restricted knowledge only to the data subjects or authorized third parties in accordance with this law.
PRINCIPLE OF SECURITY. The information subject to processing by PASAR EXPRESS SAS must be managed with the necessary technical, human, and administrative measures to ensure the security of the records, preventing their alteration, loss, consultation, use, or unauthorized or fraudulent access, in accordance with this law.
PRINCIPLE OF CONFIDENTIALITY. All individuals involved in the processing of personal data that are not public in nature are obliged to ensure the confidentiality of the information, even after their relationship with any of the activities included in the processing has ended. They may only supply or communicate personal data when it corresponds to the development of activities authorized by this law and in accordance with its terms.
2-PERSONAL DATA PROCESSING
- Purpose of this policy
The purpose of this database processing policy is to establish the processing of the databases of PASAR EXPRESS SAS, as well as to define the Data Controller, the use to which the data will be subjected and its purpose; to establish the rights of the data subject, the person or area responsible for attending to petitions, inquiries and claims to which the data subject may exercise their rights to know, update, rectify and delete the data and revoke the authorization and the procedure.
With the foregoing, PASAR EXPRESS SAS exercises the constitutional right of Habeas Data and the regulations that develop it, and is aligned with the protection and guarantee that as a company it provides to its clients, employees and suppliers to keep the information that it has about them under strict security measures and responsibility in the handling and use of such information.
The personal data processed by PASAR EXPRESS SAS shall be subject only to the following purposes, and likewise, the processors or third parties who have access to the personal databases by virtue of the Law or contract shall maintain the processing within the following purposes:
- To manage all the information necessary to comply with the tax, contractual, commercial, corporate and accounting obligations of PASAR EXPRESS SAS.
- To comply with the requirements imposed by the administrative authority in customs matters, including the duty to report commercial transactions and domestic and international shipments.
- To fulfill the corporate purpose of PASAR EXPRESS SAS and the services offered to its clients, which include the collection, transportation of cargo, and delivery of documents, packages, and freight in various modalities using its own means or by utilizing legally established operators in Colombia or abroad, provision of urban, national, or international postal services, specialized messaging, and other services developed within the corporate purpose of the company.
- To comply with contracts entered into with clients.
- The control and prevention of fraud and money laundering, including all necessary information required for the SARLAFT (System for the Management of the Risk of Money Laundering and Terrorist Financing).
- Processes for archiving, updating protection systems, and safeguarding information and databases of PASAR EXPRESS SAS.
- To comply with internal processes regarding the management of suppliers and contractors.
- To comply with all social security requirements, occupational safety regulations, and other legal rights and guarantees for its workers.
- The transmission of data to third parties in order to fulfill the corporate purpose of the company, internal processes with contractors and employees of PASAR EXPRESS SAS.
- Other purposes determined by PASAR EXPRESS SAS in the processes of obtaining personal data for processing, in order to comply with legal and regulatory obligations, as well as the firm’s policies.
Considering that the commercial activity of PASAR EXPRESS SAS involves the exchange of information with third countries, PASAR EXPRESS SAS warns that it does not transfer unauthorized information from the holders to third countries and, if necessary, it warns or requests prior authorization from its clients for the shared use of information to achieve the execution of the service contract.
The information shared with third countries serves the purpose established herein, to comply with the special regulations for international transportation and to provide information on international transactions to the relevant administrative and commercial authorities.
- Public Data
According to the definition, public data is any data that is not semi-private, private, or sensitive. Public data includes, among others, information related to a person’s marital status, profession or trade, and their status as a merchant or public servant. By nature, public data may be found in public records, public documents, official gazettes and bulletins, and judicial rulings that have been duly executed and are not subject to confidentiality.
The public data handled by PASAR EXPRESS SAS is primarily due to the ordinary course of its business, mainly in the development of logistics services.
2.2 Sensitive Data
PASAR EXPRESS SAS, in the management and processing of its databases, has identified sensitive personal data, for which it assumes the commitment to safeguard, maintain confidentiality, ensure security, and provide restricted access.
To this end, PASAR EXPRESS SAS guarantees the holders of sensitive information that both digital and physical filing systems have strict security management and restricted access.
PASAR EXPRESS SAS requires its employees and officials to adhere to confidentiality clauses regarding the handling, use, and processing of sensitive information belonging to its clients, suppliers, and employees.
2.3 Processing of Data of Minors
PASAR EXPRESS SAS prioritizes the respect for the rights of children and adolescents.
At PASAR EXPRESS SAS, no processing of personal data of children or adolescents is conducted, except for public data and to ensure their rights under the employment contract of their parents, in accordance with the regulations governing labor rights and social security.
3- DATA CLASSIFICATION
- Customer Database
These are the lists of customers or consumers, whether potential or for services rendered, collected by PASAR EXPRESS SAS in the course of its economic activity.
Customers of PASAR EXPRESS SAS, when acquiring the services provided, supply personal and commercial information to enable PASAR EXPRESS SAS to effectively deliver the offered services; PASAR EXPRESS SAS requests this information within the service contract, where the information holders are informed of the purpose of the use of their personal data.
Through its various commercial strategies, PASAR EXPRESS SAS may collect personal information from potential customers, to whom this personal data processing policy will be made available, so that they are aware of their rights and the purpose of the use of the information.
3.2 Employee Database
PASAR EXPRESS SAS requests information from its employees and collaborators within the employment contract to ensure the purposes of the contractual relationship and to fulfill its obligations as an employer regarding labor matters, social security, occupational safety, and other legal obligations.
As it contains personal information, PASAR EXPRESS SAS guarantees the proper confidentiality, security, and restricted circulation of information concerning its employees and their immediate family.
3.3 Contractor and Supplier Database
This is the database of natural and legal persons that have a civil or commercial contractual relationship with PASAR EXPRESS SAS.
These contractors and suppliers provide PASAR EXPRESS SAS with personal and commercial information to fulfill the contractual relationship; PASAR EXPRESS SAS uses this information to comply with its legal, tax, and contractual obligations, for its internal administrative and financial processes, and to request new products and services from them.
3.4 Inactive Database
The inactive database refers to the database of PASAR EXPRESS SAS containing information about clients who have ended their commercial relationship with PASAR EXPRESS SAS or who have undergone the established process for the deletion of their personal data. However, according to customs regulations, particularly Decree 2685 of 1999 and other regulations that add to and complement it, PASAR EXPRESS SAS is required to safeguard the information regarding clients’ commercial transactions, primarily for the transportation of goods internationally.
The purpose of safeguarding this information is for the objectives described in Decree 2685 of 1999 and other regulations that add to and complement it, and it will only be used to respond to requests from administrative or judicial authorities.
4- RIGHTS OF THE DATA SUBJECTS
4.1 Rights of Data Subjects
The data subject shall have the following rights:
a) To know, update, and rectify their personal data held by PASAR EXPRESS SAS. This right may be exercised, among other instances, regarding partial, inaccurate, incomplete, fragmented data, data that may lead to error, or those whose processing is expressly prohibited or has not been authorized.
b) To request proof of the authorization granted to the data controller, unless expressly exempted as a requirement for processing, in accordance with Article 10 of Law 1581 of 2012.
c) To be informed by PASAR EXPRESS SAS, upon request, about the use that has been given to their personal data.
d) To file complaints with the competent authorities regarding the misuse of their personal data or the non-application of this personal data processing policy and the norms for the protection of habeas data.
e) To revoke the authorization and/or request the deletion of the data when the processing does not respect the constitutional and legal principles, rights, and guarantees. The revocation and/or deletion shall proceed when administrative or judicial authorities have determined that PASAR EXPRESS SAS has engaged in conduct contrary to this personal data processing policy, the law, and the Constitution.
f) To access their personal data that has been processed, for which they may request PASAR EXPRESS SAS through the suitable means provided for submitting petitions, complaints, and claims.
g) To have their personal data processed and protected based on the principles of security and restricted access.
4.2 Rules for Authorization
In accordance with Article 7 of Decree 1377 of 2013, PASAR EXPRESS SAS and its corporate group will obtain authorization from the data subjects or from those who are legally entitled through technical means that facilitate the data subject’s automated expression of consent, meeting the requirements when expressed: (i) in writing, (ii) orally, or (iii) through unequivocal conduct of the data subject that reasonably allows concluding that consent was granted.
To this end, PASAR EXPRESS SAS and its corporate group utilize one or more of the following means as necessary:
- Express authorization form with the service request
- Recorded telephone call
- Email to the data subject
- Request for authorization for data handling
- Visitor form and request for authorization for data handling
- Through a privacy notice
Informing that, since it concerns sensitive data, the data subject is not obliged to authorize its processing.
To inform explicitly and in advance, in addition to the general requirements for authorization for the collection of any type of personal data, which of the data that will be subject to processing is sensitive and the purpose of the processing, as well as to obtain their express consent.
4.3 Privacy Notice
PASAR EXPRESS SAS may use the privacy notice in cases where it is not possible to provide the data subject with the information processing policies.
PASAR EXPRESS SAS will inform the data subject through a privacy notice about the existence of these data processing policies and how to access them, in a timely manner and, in any case, no later than at the time of collecting personal data.
Notwithstanding the above, PASAR EXPRESS SAS acknowledges that the disclosure of the Privacy Notice does not exempt the obligation to inform data subjects about this information processing policy.
4.4 Procedure for Deletion or Correction of Information
PASAR EXPRESS SAS provides the following channels for data subjects to submit requests, complaints, or claims: the email address pqr@pasar.net; the following link on its website, https://clientes.pasarex.com/; its offices at Avenida Eldorado No. 103 – 09, Edificio CISA, second floor, entrance 14, Bogotá D.C.; and the phone number (601) 291-6505.
Data subjects or their heirs may consult the personal information of the data subject stored in the databases of PASAR EXPRESS SAS by submitting a formal request and proving their capacity to obtain information about the data subject.
The inquiry submitted to PASAR EXPRESS SAS will be addressed within a maximum term of ten (10) business days from the date of receipt. If it is not possible to respond to the inquiry within that period, the interested party will be informed of the reasons for the delay and the date when their inquiry will be addressed, which may not exceed five (5) business days following the expiration of the initial term.
To file complaints, data subjects or their heirs who believe that the information contained in a database should be corrected, updated, or deleted, or who notice a presumed non-compliance with any of the obligations contained in this law, may submit a complaint to PASAR EXPRESS SAS, which will be processed under the following rules:
Data subjects or their heirs will submit a complaint by means of a request addressed to PASAR EXPRESS SAS, including the identification of the data subject, a description of the facts giving rise to the complaint, the address, and any documents they wish to present. If the complaint is incomplete, the interested party will be required to correct the deficiencies within five (5) days following receipt of the complaint. If two (2) months elapse from the date of the request without the applicant presenting the required information, it will be understood that they have withdrawn the complaint.
Once the complete complaint is received, a note stating “complaint in process” and the reason for it will be included in the database within no more than two (2) business days. This note must be maintained until the complaint is resolved.
The maximum term for addressing the complaint will be fifteen (15) business days from the day following the date of its receipt. If it is not possible to address the complaint within that period, the interested party will be informed of the reasons for the delay and the date when their complaint will be addressed, which may not exceed eight (8) business days following the expiration of the initial term.
The request for deletion of information and the revocation of authorization will not proceed when the data subject has a legal or contractual obligation to remain in the database.
5-DUTIES OF THE COMPANY
5.1 Duties of the Company
- Adopt this personal data processing policy and procedures to ensure adequate compliance with this law and, in particular, to address inquiries and complaints from data subjects.
- Ensure the full and effective exercise of the right to habeas data for the data subjects at all times;
- Keep the information under the necessary security conditions to prevent its alteration, loss, consultation, unauthorized or fraudulent use or access;
- Timely update, rectify, or delete data in accordance with the request of the data subject.
- Update the information reported by the data controllers within five (5) business days from its receipt.
- Record the note “complaint in process” in the database;
- Insert the note “information under judicial discussion” in the database once notified by the competent authority regarding judicial processes related to the quality of the personal data.
- Refrain from circulating information that is being disputed by the data subject and whose blocking has been ordered by the Superintendence of Industry and Commerce or by a competent administrative or judicial authority.
- Allow access to the information only to those who are entitled to it;
- Inform the Superintendence of Industry and Commerce when violations of security codes occur and there are risks in the administration of the data subjects’ information;
- Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce and other administrative or judicial authorities.
PASAR EXPRESS SAS, as the data processor, must comply with the following duties:
- Adopt this personal data processing policy and procedures to ensure adequate compliance with this law and, in particular, to address inquiries and complaints;
- Ensure the full and effective exercise of the right to habeas data for the data subjects at all times;
- Request and retain, under the conditions set forth in this law, a copy of the respective authorization granted by the data subject;
- Properly inform the data subject about the purpose of the collection and the rights that they hold by virtue of the granted authorization;
- Keep the information under the necessary security conditions to prevent its alteration, loss, consultation, unauthorized or fraudulent use or access;
- Ensure that the information provided to the data processor is truthful, complete, accurate, updated, verifiable, and understandable;
- Update the information and adopt the necessary measures to maintain it up to date;
- Rectify the information when it is incorrect;
- Process inquiries and complaints filed in accordance with the terms set forth in this law;
- Inform, upon request, the data subject about the use given to their data;
- Inform the data protection authority when violations of security codes occur and there are risks in the administration of the data subjects’ information.
- Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce and other administrative or judicial authorities.
6-APPLICABLE REGULATIONS
For the protection of personal data, PASAR EXPRESS SAS is governed by this General Data Processing Policy, its internal information handling manuals, the Political Constitution of Colombia, Statutory Law 1581 of 2012, and any other regulations that complement, add to, or replace those governing the right to habeas data, as well as Decree 1377 of 2013.
For the dissemination of the privacy notice and the information processing policy, PASAR EXPRESS SAS may use documents, electronic formats, verbal means, or any other technology, ensuring the obligation to inform the data subject.
Any person may consult this General Data Processing Policy at the following link: https://clientes.pasarex.com/
7-CONTACT INFORMATION FOR THE COMPANY
For more information and to submit complaints, claims, or inquiries, you can contact PASAR EXPRESS SAS at the following contacts:
Name: PASAR EXPRESS SAS
Address: Avenida Eldorado No. 103 – 09, Edificio CISA, second floor, entrance 14, Bogotá D.C.
Phone: (601) 2916505.
Email: pqr@pasar.net
Web: https://clientes.pasarex.com/
8- VALIDITY
This General Data Processing Policy has been in effect since July 1, 2017, and must be published and communicated through all the means established herein and in accordance with the internal information handling guidelines or manuals, which you can consult at the Company’s headquarters or at the following link: https://clientes.pasarex.com/
- Client Database Management Guide
- Employee Database Management Guide
- Supplier Database Management Guide
- Guide for the Deletion or Correction of Information