1. Considerations
Article 15 of the Constitution of the Republic of Colombia establishes the right of any person to know, update and rectify existing personal data about them stored in the databases or files of public or private entities. Likewise, it orders those who have personal data of third parties to respect the rights and guarantees provided in the Constitution when this type of information is collected, processed, and circulated. Statutory Law 1581 of October 17 of 2012 establishes the minimum conditions to carry out the legitimate treatment of personal data of customers, employees, and any other natural person. Paragraph k) of article 18 of said law obliges those responsible for the processing of personal data to "adopt an internal manual of policies and procedures to guarantee adequate compliance with this law and especially, to attend to queries and claims". Article 25 of the same law orders that data processing policies are mandatory, and that non-compliance will lead to sanctions. These policies cannot guarantee a level of treatment lower than that established in Law 1581 of 2012. Chapter III of Decree 1377 of June 27, 2013, regulates some aspects related to the content and requirements of the Treatment of Information Policies and Privacy Notices. THERMOS SAS is committed to respecting the rights of its customers, employees and third parties in general. For this reason, it adopts the following personal mandatory policy for the Treatment of Information to be applied in all activities that involve the processing of personal data.
2. Mandatory compliance
These policies are mandatory and of strict compliance by all THERMOS SAS employees, contractors and third parties acting on behalf of THERMOS SAS. All employees must observe and comply with these policies in the fulfillment of their functions (In accordance with numeral 1 of article 58 of the Substantive Labor Code, it is a special obligation to "observe the precepts of the regulation and to abide by and comply with the orders that are given in a particular way by the employer or his/her representatives"). In cases where there is no employer/employee relationship, a contractual clause must be included so that they act on behalf of THERMOS S.A.S. in which they are bound to comply with these policies. The same will give rise to labor penalties or responsibilities. The foregoing without prejudice to the duty to respond for the damages caused to the bearers of the data to S.A.S. for the breach of these policies or the improper treatment of personnel. In the labor case, in accordance with the Substantive Labor Code, the serious or repeated violation of these policies will be considered a breach of contract and just cause to terminate the employment contract (This is derived from numeral 6 of articles 62 and 6 of the. Amended by Decree 2351 of 1965 (Article 7. Termination of the contract for cause).
3. Definitions
Authorization: Prior, express, and informed consent of the bearer of personal data to carry out the treatment: Request from the bearer or persons authorized by it or by law to be aware of the information that rests on it in databases or files. Personal: Any information that directly or indirectly refers to a natural one and that allows it to be identified. Some examples of personal data include name, citizen identification number, postal address, email address, telephone number, marital status, health data. Data is classified as sensitive, public, private and semi-private; sensitive personal: Information that affects the privacy of the person or whose use may generate discrimination, such as those that reveal racial ethnic origin, political orientation, religious or philosophical convictions, membership in social, human rights organizations or that promote political party interests or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life and data (fingerprints, among others). Public personal: Refers to data classified as such according to the mandates of the law or the Policy and all those that are not semi-private or private. The data contained in public documents, public records, gazettes and officials and duly executed judicial decisions that are not reserved are public, those related to the civil status of the people, their profession or trade and the quality of merchant or public servant. Personal data is public in the commercial register of the Chambers of Commerce (Article 26 of the C.Co). data can be obtained and offered without reservation and regardless of whether they are general, private, or personal information. Private personal: Data that due to its intimate or reserved nature is intended only for the person who owns the data. Examples: merchants' books, private ones, information extracted from the home inspection.
Semi-private personal: Data that is not intimate, or public, and whose knowledge or disclosure may interest not only you, but also a certain sector or group of people or society in general is considered semi-private, such as data referring to compliance and breach of financial obligations data relating to relationships with social security entities. Treatment: Individual who performs data treatment: Request from the bearer of the data or individuals authorized by it or by law to correct, update or delete their personal data. Treatment: Person who decides on, among others, the collection and treatment. It may be, by way of example, the company that owns the databases or information system that contains personal data. About the data: Refers to a natural person to whom the data refers: Any operation or set of operations on personal data, among others, the collection, storage, use, circulation, or deletion of information. Processing of personal data that implies the communication of the inside (national transmission) or outside of Colombia (international transmission) and is intended to carry out a treatment by the Manager on behalf of the: Treatment of personal data that implies the communication or sending of the same within (national transfer) or outside of Colombia (transfer) and whose purpose is to carry out a treatment by another of the Treatment.
4. Principles for management of personal information
The processing of personal data must be carried out respecting the general rules and, on the matter, and for activities permitted by law. In the development and application of this policy, the following principles will be applied in a harmonious manner: Principles related to the collection of freedom of information: Except for legal regulations to the contrary, data collection will only be exercised with prior express and informed authorization by the bearer. Data may not be obtained or disclosed without the prior consent of the bearer, in the absence of a legal or judicial mandate that waives the consent. There will be no deceptive or fraudulent means to collect and carry out data processing. Tacit consent by the bearer of the information is not allowed, and it can only be given by express legal mandate or by order of a judicial authority. The Bearer's silence could never be inferred as authorization for the collection or its use. The Data Bearer must be informed clearly, sufficiently and in advance of the purpose of the information provided and, therefore, it may not be collected without a clear specification about its purpose. Collection limitation: Only personal data that is strictly necessary for the fulfillment of the purposes of the treatment should be collected, so that registration and disclosure of data that are not related to the purpose of the treatment is prohibited. Consequently, every effort should be made to limit processing of personal data to a minimum. That is, data must be: (i) adequate, (ii) relevant and (iii) consistent with the purposes for which it was intended. Principles related to its use and purpose: Personal data must be processed for an explicit purpose authorized by the bearer or permitted by law. Data should be only in the form that the bearer can reasonably foresee from the uses. If, over time, the use of personal data changes in ways that it does not reasonably expect, it is necessary to obtain the consent of the bearer again.
About temporality: Personal data will be stored only for the time necessary to fulfill the purpose of the treatment and the legal requirements or the surveillance and control by authorities or other competent authorities including administrative, accounting, fiscal, legal and historical. Once the purpose(s) has been fulfilled, non-discrimination data will be deleted: It is forbidden to carry out any act based on the information collected in the databases or files. Regarding repair: It is an obligation to compensate damages caused by those possible in the treatment of personal data. Principles related to the quality of truthfulness or quality: information subject to treatment must be truthful, accurate, up-to-date, verifiable, and understandable. Treatment of partial, incomplete, fractioned or misleading is prohibited. Reasonable measures must be adopted to ensure that data is accurate and sufficient and, when so requested by the Bearer or when the Data Controller determines, they are rectified or deleted when appropriate. Principles consistent with the purposes for which they were intended. Principles related to the use and purpose of data: Personal data must be processed for an explicit purpose authorized by the bearer or permitted by law. Data should be only in the form that the bearer can reasonably foresee from its use. If, over time, the use of personal data changes in ways that are not reasonably expected, it is necessary to obtain the consent of the bearer again. Regarding temporality: Personal data will be stored only for the time necessary to fulfill the purpose of the treatment and the legal requirements or of the surveillance by control authorities or other competent authorities including administrative, accounting, fiscal, legal, and historical aspects. Once the purpose(s) has been fulfilled, non-discrimination data will be deleted: It is forbidden to carry out any act based on the information collected in the databases or files.
Regarding repair: It is an obligation to compensate damages caused by the possible ones in the treatment of personal data. Principles related to the quality of truthfulness or quality: the information subject to treatment must be truthful, accurate, up-to-date, verifiable, and understandable. Treatment of partial, incomplete, fractioned or misleading is prohibited. Reasonable measures must be adopted to ensure that data is accurate and sufficient and, when so requested by the Holder or those Responsible.
5. Management of personal information and purpose
Personal information will be treated in a fair and lawful manner with the main purpose(s) of: Commercial and marketing, especially the maintenance, development or control of the commercial relationship between the DATA HOLDER and THERMOS S.A.S. Management procedures, complaints, claims); Carry out satisfaction surveys regarding the goods and THERMOS S.A.S. or companies related to it; Supply and evaluate Financial, Commercial, Legal, Reputational and Marketing of companies and to increase the knowledge of clients and suppliers and minimize financial and commercial ones; Contracting, execution and commercialization of goods and services by THERMOS S.A.S. or companies related to it and its commercial allies in Colombia or any other country. Regarding data (i) collected at the security points, (ii) taken from the documents that people provide to security personnel and (iii) obtained from video recordings that are inside or outside the facilities of those managing the data, for security purposes of people, goods and facilities and may be used as evidence.
6. Rights of the data holders
Individuals obliged to comply with these policies must respect and guarantee the following rights of the bearers of the data: update and rectify personal data. For this purpose, it is necessary to previously identify the person to prevent third parties from accessing data of the bearer; copyright authorization given to THERMOS S.A.S. by data bearer. Processing of inquiries and claims following the guidelines established by law and policy. Upon the request for revocation and/or suppression of the authorization of personal data, the Superintendency of Industry and Commerce has determined that in it by THERMOS S.A.S. Conduct contrary to the 2012 law or the Constitution has been incurred. The Holder may also revoke the authorization and the deletion of the data when there is no legal or contractual duty to remain in the database or file of the Responsible. Request for the deletion of information and revocation of the authorization not when the bearer has a legal or contractual duty to remain in the database of the Responsible Person or Person in Charge free of charge. The information requested by the bearer will be provided by any means, including electronic ones, according to the Bearer. The information must be easy to read, without technical barriers to access, and must correspond fully to the information in the database. The rights of the Holders may be exercised by the following individuals: the Holder, who must prove his/her identity sufficiently through the different options made available by the Data Controller to his/her representatives, who must prove their identity, the representative and/or attorney-in-fact of the Holder, prior accreditation of the power of attorney. Stipulation in favor of another or for another. The rights of children or will be exercised by those individuals empowered to represent them.
7. Duties of THERMOS S.A.S. when acting as responsible for managing data
All those obliged to comply with this policy must bear in mind that S.A.S. it is obliged to fulfill duties imposed by law. Therefore, they must comply with the following obligations: Regarding THERMOS S.A.S. Regarding the bearer of the data and keep, under the conditions provided in this policy, a copy of the respective one granted by the Bearer. clearly and sufficiently to the Holder regarding the purpose of the collection and those who assist by virtue of authorization granted. to the Holder, always, the full and effective exercise of the right to habeas, that is, to know, update or rectify their personal data. At the request of the Holder about the use given to his personal data. Queries and claims formulated in the terms indicated herein of THERMOS S.A.S. regarding the quality, security and confidentiality of personnel, the principles of veracity, quality, security, and confidentiality established in this policy. The information under the security conditions necessary to prevent its loss, consultation, use or unauthorized or fraudulent access. Information when necessary. Personal data when appropriate. of THERMOS S.A.S. When you carry out the treatment through a Person in Charge of the Treatment, only personal data for which it is previously authorized. In the case of national transmissions, a contract for the transmission of personal data or contractual clauses that contain the provisions of article 25 of the 2013 decree must be signed stating that the information provided to the Person in Charge of Treatment is truthful, accurate, up-to-date, verifiable, and understandable.
In a timely manner to the Person in Charge of Treatment, all the news of data that you have previously provided and adopted the other measures so that the information provided is kept up to date in a timely manner to the Person in Charge of Treatment the rectifications made to the personal data so that he/she may proceed to make the pertinent adjustments. to the Person in Charge of Treatment always, respecting the conditions of and privacy of the Bearer's information. to the Person in Charge of Treatment when certain information is discussed by the Holder once the claim has been submitted and there is no corresponding procedure. of THERMOS S.A.S. Regarding the Superintendent of Industry and Commerce, possible violations of the security codes and the risks in the information for the Holders. the instructions and requirements issued by the Superintendent of Industry and Commerce.
8. Duties of THERMOS S.A.S. when acting as data processor
If THERMOS S.A.S. performs the data processing on behalf of another entity or (Data Controller) it must fulfill the following duties: that the Data Controller is authorized to supply S.A.S. the personal data that you will treat as Manager. to the Holder, the full and effective exercise of the habeas right. The information under the security conditions necessary to prevent its loss, consultation, use or unauthorized or fraudulent access. Timely updating, rectification, or deletion of the data. Reporting information, the Data Controllers within (5) business days from reception. Queries and claims made by Holders in the terms of this policy. in the database the legend "claim in process" in the form in which it is in the present regulation. in the database the legend "information in judicial discussion" once by the competent authority on judicial processes related to the quality of personal data. to circulate information that is being controversial by the Holder, and which has been ordered by the Superintendent of Industry and Commerce. Access to information only to persons authorized by the Holder empowered by law for this purpose. To the Superintendent of Industry and Commerce when there are violations of the security codes and there are risks in the administration of information. Instructions and requirements issued by the Superintendent of Industry and Commerce.
9. Authorization
Those obliged to comply with this policy must obtain prior, express, and informed authorization to collect and process their data. This obligation is not necessary when it comes to data of nature, information processing for historical, statistical, or scientific purposes in which the information is not linked to a specific person and data related to the Civil Situation of People. To obtain authorization, the following must be followed first, before the person authorizes, it is necessary to clearly inform them and the Treatment to which their personal data and the purpose will be subjected to. Optional nature to answer to the questions regarding sensitive data or data of girls, boys, and adolescents. Rights that assist you as Holder provided for in Article 8 of Law 1581. Identification, physical or electronic address and telephone number of THERMOS S.A.S. Second, the consent of the Bearer must be obtained through anyone that may be subject of subsequent consultation. For this purpose, the link designed by THERMOS S.A.S. for data collection must be used. Proof of compliance with the obligation to inform. If the bearer requests a copy of these, they must be provided. It may also be obtained from unequivocal acts of the bearer that allows it to reasonably conclude that he/she granted their consent for the processing of his information. Said act(s) must be so clear that they do not admit doubt or mistake regarding the will to authorize it and in no case may the Bearer's silence be considered as an act. The following are legitimized to grant consent: The Bearer, who must sufficiently prove his/her identity through the different options made available by the Treatment Manager. The bearer's successors, who must prove such condition. The representative and/or attorney-in-fact of the bearer, prior accreditation of power of attorney. Authorization may also be granted when there are cases of stipulation in favor of or for another.
Authorization for the treatment of sensitive data: Regarding sensitive data, the following requirements must be met: authorization must be explicit, it must inform the Bearer that it is not obliged to authorize the treatment of said data, it must explicitly and previously inform the Bearer which data that will be processed is sensitive and the purpose thereof. Authorization for the processing of data of children and adolescents (NNA). Regarding the latter, authorization must be granted by individuals empowered to represent them, who must guarantee the right to be heard and their opinion of the treatment, considering their maturity, autonomy, and capacity to understand the matter, and must inform that it is optional to answer questions about the data of the children treatment must respect their best interest and ensure respect for their fundamentals. The Bearer must be explicitly and previously informed which data to be processed is sensitive and the purpose of the same. Classification and special treatment of certain personal data. Individuals obliged to comply with this policy must identify the sensitive data of children and adolescents that they intend to collect or store with the purpose of: reinforcing responsibility in the treatment of said data that translates a higher demand in terms of compliance with principles and duties. Increasing the security levels of said information. Restriction of access and use by THERMOS S.A.S. personnel from third parties. Present the legal requirements and this policy for collection.
10. Classification and Management of certain personal information
Individuals obliged to comply with this policy must identify the sensitive data of the children and adolescents that they eventually collect or store with a view to:
* Reinforcing responsibility in the treatment of said data that translates a higher demand in terms of compliance with principles and duties.
* Increasing the security levels of said information.
* Increase access and restrictions of use by THERMOS S.A.S. personnel from third parties.
* Present the legal requirements and this policy for its collection.
11. International transfer of personal information
When data is sent or transferred to another country, it is essential to have the authorization of the bearer of the information being transferred. Unless the law states otherwise, said authorization to carry out the international circulation of data is a premise and presupposition. In this, before sending personal data to Treatment Managers located in the country, those obliged to comply with this policy must verify that they have the prior, express, and unequivocal authorization of the bearer that allows transmitting their data.
12. International and national data transfers to Managers
When the data manager wishes to send or transmit data to one or more persons in charge within the territory of the Republic of Colombia, it must do so through contracts or through a contract for the transmission of personal data in which, among others, the following is agreed: scope of the treatment; activities that the Person in Charge will carry out on behalf of the Person Responsible for Treatment, obligations that the Person in Charge must fulfill with respect to the Bearer of the data and the Treatment Manager. Obligation of the Person in Charge to comply with the obligations of the Person in charge of this policy, the duty of the Person in Charge to treat said data in accordance with the purpose authorized for it and observing the principles established in Colombian law and this policy, the obligation of the Person in Charge to adequately protect personal data and databases as well as to keep confidentiality regarding the treatment of the transmitted data. Procedures that ensure bearers can exercise their rights. The following are the procedures that ensure the bearers have the right to know, update, rectify and delete information or revoke it. The rights of bearers may be exercised by the following persons in accordance with article 20 of decree 1377 of 2013: the bearer, who must sufficiently prove their identity by the different options offered by the Data Manager to their successors, and who must prove such condition. The representative and/or attorney-in-fact of the Bearer, prior accreditation of the power of attorney. Stipulation in favor of another or for another. The rights of children will be exercised by the individuals empowered to represent them. The person or area of the Data Manager will be in charge of complying with data protection and processing the requests of the data bearers to the Clients of THERMOS S.A.S.
13. Consultations
All queries made by the bearer or his successors in title to find out personal data that rest in THERMOS S.A.S. will be channeled through@thermos.com.co. It is necessary to leave proof of the following: receipt of the request from the applicant. Once the identity of the bearer has been verified, all information on personal data that is required will be provided. The answer to the query will be communicated to the applicant within a maximum term of ten (10) business days from the date of receipt. When it is not possible to attend to the request within said term, the interested party will be informed, stating the reasons for the delay, and indicating the date on which their query will be attended, which in no case will exceed five (5) business days following the expiration of the initial term.
14. Claims
Claims are intended to correct, update, or delete data or raise a complaint for the alleged breach of any of the duties contained in the 1581 of 2012 and in this policy. Claims will be channeled through info@thermos.com.co, who will send the same to the competent person to resolve it. If the competent person is a third party, it will be transferred within a maximum term of two (2) business days and the interested party will be informed of it. THERMOS S.A.S. will have an information system or database to keep a record of all the actions carried out with respect to each in which the following will be noted, among others: of receipt of the claim from the person of THERMOS S.A.S. Person responsible for responding to the claim and address of the bearer or whoever makes the claim of the facts that give rise to the claim that the Bearer attaches so that they are taken into account in the claim (optional). The system will have an automatic alert mechanism that informs to whom to respond so that they are addressed as soon as possible and if within the terms established in this policy. For the attention of data it is necessary that the Bearer submit a request indicating: address of the Bearer with the facts that give rise to the claim that the Bearer attaches so that they are taken into account in the claim (optional). If the bearer's claim is incomplete, the interested party will be required within five (5) days after receiving the claim to correct the faults, two (2) months from the date of the request. If the applicant does provide the required information, it will be understood that the claim has been withdrawn. When the claim is complete, a note that reads "claim in process" will be included in the database or information system and the reason for the same; in a term not exceeding (2) business days, the note must be maintained until the claim is decided. The term to address the claim will be fifteen (15) business days from the day of receipt.
If it is not possible to attend the claim within said term, the reasons for the delay and the date on which your claim will be attended will be informed, which may exceed eight (8) business days following the expiration of the initial term.
15. Date of entry in force of this policy and period of validity of the database
This policy was approved after the issuance of law 1581 of 2012 and modified to incorporate some aspects established by decree of June 27, 2013, for which reason it will take effect as of May 1, 2013.
16. Person or area responsible for the protection of personal data
Data will be valid during the reasonable and necessary time to fulfill the purposes of considering the provisions of article 11 of decree 1377 of 2013. Data management will be managed by the Customer Service area of THERMOS SAS, which can be contacted through: Name or company name: THERMOS SAS with NIT: 900363191-0 or address: Carrera 25A #1-31 Of. 1711 Medellín - Antioquia (Colombia) Email: digital@thermos.com.co Telephone: +576044017686 Website: thm.com.co