COSTEÑO BEACH offers accommodation services, Food, and Beverages, recreation, Tours, among others.
In the development of its activity, COSTEÑO BEACH gets to know personal information about its direct customers, users, employees, suppliers, contractors, former employees, former customers, former users, former suppliers, former contractors.
Likewise, COSTEÑO BEACH will ensure that the information of a sensitive nature, such as biometric data (photos) and those related to health, provided by guests, employees, and users, is used exclusively for foreseen purposes, so that third parties may only access it if they are authorized by law.
The biometric data that gets to be requested will have a purpose to guarantee the identity of the guest, customer, supplier, and employee before COSTEÑO BEACH, prevent situations of fraud due to identity theft and guarantee the protection of the Owner’s data.
COSTEÑO BEACH is respectful of the personal data of the Owners, therefore it will seek to sufficiently inform people about the rights they have in their capacity as Owners of the information. Consequently, it will make available the channels and means necessary for the Owners of the data to exercise their rights.
Habeas Data Right
Article 15 of the Constitution establishes the right that all people have to know, update and rectify the information that has been collected about them in databases or files, both from public and private entities. Likewise, this right includes other faculties such as those to authorize the data treatment, exclude, delete, or include new data from a database or file.
In 2008, Law 1266 of 2008, Special of Habeas Data, was issued, which regulates what has been called “financial habeas data”, that is, the right that every individual has to know, update and rectify their personal, commercial, credit, and financial information contained in public or private information centers, whose function is to collect, process and circulate this data in order to determine the level of financial risk of its Owner. This law considers both natural and legal persons as Owners of the information.
Afterward, in October 2012, Law 1581 was issued, “General Law on Protection of Personal Data”, which develops the right of Habeas Data from a broader perspective than the financial and credit one. Thus, any Owner of personal data has the power to control the information that has been collected from themself in any database or file, whether administered by private or public entities. Under this General Law, every natural person is an Owner and only on exceptional occasions provided for by the Constitutional Court in Sentence C – 748 of 2011, if the rights of the natural persons that comprise a legal person are affected, could a legal person become a data Owner as such.
On June 27, 2013, Decree 1377 of 2013 was issued, which partially regulated Law 1581 of 2012.
In order for the recipients of this policy to be clear about the terms used throughout it, below are the definitions provided by Law 1581 of 2012, as well as those referring to the classification of data according to Law 1266 of 2008.
Authorization: Prior, express, and informed consent of the Owner to carry out the processing of personal data.
Database: Organized set of personal data that is subject to treatment, both by public and private entities. It includes those data repositories that are contained in documents and that have the quality of archives.
Personal data: Any information linked or that may be associated with one or more determined or determinable natural persons.
Classification of data under Law 1266 of 2008: private, semi-private, and public.
The private data: is the data that due to its intimate or reserved nature is only relevant for the Owner.
The semi-private data: it is the one that does not have an intimate, reserved, or public nature and whose knowledge or disclosure may interest not only its Owner but also a certain sector or group of people or society in general, such as financial data and commercial activity credit data, or data of services referred to in the Special Law.
The public data: it is the data classified as such according to the mandates of the law or the Political Constitution and all those that are not semi-private or private in accordance with the Special Law. The Special Law included as an example of this type of data those related to the civil status of people, those that appear in public documents, and enforceable final sentences. Decree 1377 of 2013, regulatory of Law 1581 of 2012, included in addition to the previous ones those referring to the profession or trade, to the qualities of a public servant or merchant
Data classification under the General Law: Sensitive and Public.
Sensitive data: is one that affects the privacy of the Owner or whose improper use can generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership of trade unions, social organizations, organizations of human rights, that promote the interests of any political party or that seek to guarantee the rights of opposition political parties, as well as data related to health, sexual life, and biometric data.
Public data: it is defined in a residual way, as that which is not semi-private, private, or sensitive.
For its part, Decree 1377 of 2013 regulatory of Law 1581, added to the examples already mentioned by the Special Law, those referring to the profession or trade, the quality of merchant or public servant, and those that can be obtained without any reservation. Likewise, he pointed out that these data by their nature may be contained in public registers, gazettes, and official bulletins, among others.
Person in charge of the Treatment: Natural or legal person, public or private, that by themself or in association with others carries out the processing of personal data on behalf of the person responsible for the treatment.
Responsible for the Treatment: Natural or legal person, public or private, that by themself or in association with others decide about the database and/or the treatment of the data.
Owner: Natural person whose personal data are subject to treatment.
Treatment: Any operation or set of operations on personal data, such as collection, storage, use, and circulation.
RIGHTS OF THE OWNER AND IDENTIFICATION OF THE DATABASES
Rights of the Owner
Address to COSTEÑO BEACH, through the channels established by this manual, to know, update, and rectify their personal data. This right can be exercised to know the information about the Owner that rests in COSTEÑO BEACH, and against partial, inaccurate, incomplete, fractioned, data, that misleading to error, or those whose treatment is expressly prohibited or has not been authorized.
Request proof of the authorization granted to COSTEÑO BEACH, except when, in accordance with the law, the Treatment being carried out does not require it.
Be informed by COSTEÑO BEACH, upon request made through the channels provided by it, about the use that has been given to their personal data.
Submit before the Superintendency of Industry and Commerce complaints about infractions to the General Law and its regulatory decrees.
Revoke the authorization in cases that do not refer to essential or proprietary data for the provision of the service. Likewise, request the deletion of the data when in the treatment there are not respected the principles, rights, and constitutional and legal guarantees.
Know, free of charge, through the channels provided by COSTEÑO BEACH, the personal data that have been processed.
COSTEÑO BEACH, through this Manual, informs about the channels and procedures provided so that the Owner can exercise their rights effectively.
Without prejudice to the exceptions provided in the law, in the Treatment, it is requested the prior and informed authorization of the Owner, which must be obtained by any means that may afterward be subject to consultation.
The authorization of the Owner is not necessary in the case of:
Information required by a public or administrative entity in the exercise of its legal functions or by court order.
Data of a public nature.
Cases of medical or sanitary emergency.
Treatment of information authorized by law for historical, statistical, or scientific purposes.
Data related to the civil registration of people.
When faced with any of these situations, COSTEÑO BEACH will leave it clearly disclosed and, in any case, will comply with the other provisions contained in the law.
The authorizations to be made available to the Data Owners must have clear texts and indicate the requirements established by Law 1581 of 2012 and Decree 1377 of 2013. Therefore, it will be reviewed separately what is relevant to both regulations, in such a way that there is no room for confusion on the Owner about the rights that assist him under each of them.
In the section of the Authorization corresponding to the inclusion of the aspects indicated by the mentioned Law, it will be indicated:
The purpose that is sought with the treatment of the data.
The type of treatment that they will have.
The identification and the address (physical or electronic) to which the Owner may address.
The existence of the policy that develops the rights that assist the Owner.
In such a way that, in the case of the use of personal data that do not specifically correspond to the development of the binding relationship between COSTEÑO BEACH and its customers or users but refer to the sending of commercial or advertising information, the Owner may express in a simple and expeditious manner their desire not to be contacted for said purposes through written communication addressed to the address:
FCA KEYS BEACH VIA RIOHACHA KM 39 in the city of Santa Marta (Mendihuaca sector), or to the email [email protected]
Identification of databases
COSTEÑO BEACH has identified the following databases:
Direct customers (Guests)
- Former employees
- Former clients (Direct)
- Former Suppliers.
- Former Contractors.
- Candidates for employees.
The purpose of the direct customers’ databases (guests) is to use this information for the proper provision of the service by COSTEÑO BEACH, as well as to send them information that may be of their interest. To keep its customers and/or potential customers informed, and interact with them, social networks will be used.
The database of suppliers and contractors seeks to have up-to-date, solid, and sufficient information about the people who have the quality of suppliers and contractors or those who would like to have it.
The employee database keeps the information of the workers updated so that the employment relationship develops properly. The database of candidates in the recruitment process collects the information from the resumes, certificates, and personal references of those who apply to recruitment processes in COSTEÑO BEACH, it seeks to identify the most suitable candidates to be linked, in no case these data are shared with any other company. The data corresponding to former employees is stored in order to comply with the corresponding legal duties and those of potential candidates to contact them for new opportunities.
The data are kept in accordance with the principles of necessity and reasonability, expiration, and temporality, according to the provisions of Decree 1377 of 2013 and the rules that regulate the conservation of documents.
Channels for the provision of the Information
COSTEÑO BEACH establishes as communication channels with the Owners:
Physical address: FCA KEYS BEACH VIA RIOHACHA KM 39 in the city of Santa Marta, Magdalena (Vereda Mendihuaca)
Email: [email protected]
Telephone: 310 368 1191
Duties of the responsible for the treatment
The General Law defines as responsible the natural or legal person, public or private, who by themself or in association with others, decides on the database and/or the processing of the data.
In accordance with Sentence C-748 of 2011, the responsibility for the treatment is “the one that defines the purposes and essential means for the treatment of the data, including those who act as source and user”, being able to put the data in circulation or use them in a certain way. Their duties are:
Guarantee for the data Owners, through the service channels established in this Manual, the full and effective exercise of the right of Habeas Data.
COSTEÑO BEACH keeps the authorizations granted by the Owners under the security measures corresponding to the type of information obtained.
COSTEÑO BEACH will inform about the purpose of the collection, both in the text used to obtain the authorization of the Owner and in the Privacy Notice. The Owner will always know the type of treatment that will be given to their data, if they will circulate or be shared, for what purpose, and how to express their will in relation to that scope of treatment.
COSTEÑO BEACH will inform that the use they make of the data corresponds to the development of the provision of services with their clients and users. Likewise, when deemed appropriate and in accordance with the authorizations obtained, they will request the consent of customers and users to send them commercial information regarding the services offered by COSTEÑO BEACH.
The rights that assist the Owner of the information will be included in the Privacy Notice that will be published on the COSTEÑO BEACH website, and so will be indicated at the time of obtaining the consent of the latter.
The effective collaboration of the Owners regarding the updating of their information in the data known by them is essential for the optimal compliance of the duty of informing the person in charge of all the novelties of the data that has been provided.
This Manual establishes the procedures to answer the queries and claims made by the Owners.
Security incidents that may endanger the administration of the information of the Owners will be reported to the Superintendency of Industry and Commerce, based on the procedure established in this manual.
The instructions and requests formulated by the Superintendency of Industry and Commerce will be listed in a special system under the responsibility of the COSTEÑO BEACH Data Protection Committee, responsible for monitoring the adoption and compliance of these policies.
Duties of the person in charge of the treatment
The law indicates that the person in charge of the treatment is the natural or legal person, public or private, that by themself or in association with others, carries out the processing of personal data on behalf of the person in charge of the treatment.
Given that most of the obligations established as person in charge, coincide with those indicated as Responsible, only express reference will be made in this manual to those that were not listed in this document. Their duties are:
There will be efficient channels that allow the information updates made by the Responsible to be received and processed within the term of five (5) business days provided by law. These will be referred to an email and the telephone contact generated from the competent Area.
When there is information that is controverted by the Owner and whose blocking has been ordered by the Superintendency of Industry and Commerce, the corresponding instructions will be given by the area or official in charge so that it does not circulate.
Access to the information will only be allowed to persons authorized by law. For this, the requirements that the judicial and administrative authorities that request this type of information must meet will be established, which refer to the identification of the functions that allow them to carry out the request, in addition to the number of the investigation being carried out; likewise, the requirements to be met by the Owners, attorneys or successors in title, in particular the accreditation of their quality and the proper supports.
COSTEÑO BEACH has internal regulations and protocols on information security, to ensure compliance with the information security requirements.
This manual will be supported by technical tools that guarantee adequate conservation, authorized access, and document recovery, among others.
It has been established that the contracts entered into with the persons in charge include clauses that clearly establish their duty to guarantee the security and privacy of the Owner’s information.
Contracts with employees and suppliers include clauses that establish their duty to guarantee the security and privacy of the Owner’s information.
PROCEDURES TO GUARANTEE THE EXERCISE OF THE RIGHTS OF THE OWNERS
In the development of article 14 of the Law called “Consultations”
The Owners or their successors in title can consult the information of them that is held in COSTEÑO BEACH’s databases. For consultation requests, they must prove their identity, as follows:
If they present it by means of a written document, they must attach a copy of the identity card.
Requests submitted through phone calls will be validated by the person who consults to verify the veracity of it and corroborate their identity
Requests submitted through email will be validated by the person who consults to verify the veracity of it and corroborate their identity
The successors in the title must prove the kinship by attaching a copy of the civil death record and their identity document or a copy of the deed that opens the succession and a copy of their identity document.
The attorneys must present an authentic copy of the power of attorney and their identity document.
Once COSTEÑO BEACH receives the request to consult the information, they review the individual record corresponding to the name of the Owner and the identity document provided; If they find any difference between these documents, they will inform it within the next five (5) business days from the receipt of the communication, in order for the petitioner to clarify it.
If COSTEÑO BEACH finds accordance in the documents, it will give its answer within a term of ten (10) business days.
If COSTEÑO BEACH requires a longer time to answer the consultation, they will inform the Owner and it will give their answer within a term that will not exceed five (5) business days following the expiration of the term.
The Owner or his successors in title who considers that the information contained in a database managed by COSTEÑO BEACH should be corrected, updated, or deleted, or who notices a breach by it or one of its people in charge, may file a claim with COSTEÑO BEACH or the person in charge, in the following terms:
The claim is made before COSTEÑO BEACH or the Person in Charge of Treatment, accompanied by the document that identifies the Owner, the clear description of the facts that originate the claim, the documents that are intended to enforce, and the address where the requester wishes to receive notifications (physical or electronic).
If the claim is incomplete, the interested party will be called within five (5) business days following its receipt to correct the failure, this request will be made through the channel through which the claim was received.
If two (2) months elapse from the date of the request without the applicant submitting the required information, it will be understood that they have withdrawn the claim.
If COSTEÑO BEACH or the Person in Charge to whom the request is directed cannot or are not competent to resolve it, they will transfer it to the corresponding person within a maximum term of two (2) business days and will inform the interested party.
COSTEÑO BEACH uses the email address indicated in this manual for these purposes so that it can be identified when the transfer is made and the corresponding response or confirmation of receipt. If COSTEÑO BEACH does not know the person to whom the matter should be transferred, it will immediately inform the Owner with a copy to the Superintendency of Industry and Commerce.
Once the complete claim is received, the legend “Claim in process” and the reason for it must be included in the corresponding database, within a maximum term of two (2) business days.
Complaints before the Superintendency of Industry and Commerce
The Owner, successor, or attorney-in-fact must terminate the previous consultation or claim process before addressing the Superintendency of Industry and Commerce to formulate a complaint.
Person or unit responsible for handling requests, inquiries, and claims
The area of Administration is responsible for ensuring compliance with these provisions and has direct communication with the other employees, in order to guarantee that all aspects are duly collected and that the duties stipulated by law are fulfilled. Likewise, COSTEÑO BEACH will rely on the Personal Data Protection Committee composed of responsible areas.
National legislation is currently in force.
It is important to reiterate that the activities carried out by COSTEÑO BEACH are regulated, their exercise is subject to the supervision of the Ministry of Commerce, Industry and Tourism and the Superintendency of Industry and Commerce, in compliance with the Consumer Protection Law, Law 1480 of 2011 Likewise, regarding the administration of personal data, General Law 1581 of 2012, Decree 1377 of 2013 and, where applicable, Law 1266 of 2008, referent to financial and credit data and consultation and reporting to risk centrals, will be applied. And others that modify, complement, or regulate it.