I. INTRODUCCIÓN
BEHAVIORAL INSIGHTS (LAC) S.A.S, hereinafter “BEHAVIORAL INSIGHTS” dedicated to the performance of all types of activities, especially management consulting activities, having as its main services’ organizational development, talent management consulting and market research.
In the course of its activity, BEHAVIORAL INSIGHTS learns personal information of its direct customers, users, employees, suppliers, contractors, former employees, former customers, former users, former suppliers, former contractors. The purpose of this policy is to ensure that in the processing of personal data that is processed by BEHAVIORAL INSIGHTS, the constitutional right of all people to know, update and rectify the information that has been collected about them in databases or files is guaranteed, and the other rights, constitutional freedoms and guarantees referred to in Article 15 of the Political Constitution; as well as the right to information enshrined in Article 20 of the same.
Likewise, BEHAVIORAL INSIGHTS will ensure that information of a sensitive nature, such as biometric data (e.g photos) and data related to health, provided by customers, employees and users, are used exclusively for the intended purposes, so that third parties may only access it if authorized by law.
The biometric data that may be requested is intended to guarantee the identity of the customer, supplier and employee in front of BEHAVIORAL INSIGHTS, to prevent situations of fraud due to identity theft and to guarantee the protection of the owner’s data. BEHAVIORAL INSIGHTS is respectful of the personal data of the Data Subjects, so it will seek to sufficiently inform people about the rights they have in their capacity as Data Subjects. Consequently, it will make available to the data subjects the necessary channels and means so that they can exercise their rights.
II. APPLICABLE REGULATIONS
- Right of Habeas Data: Article 15 of the Constitution establishes the right of all persons to know, update and rectify the information that has been collected about them in databases or archives, both of public and private entities. Likewise, this right includes other powers such as those to authorize processing, include new data, exclude or delete them from a database or file.
- LAW 1581 of 2012, “General Law on the Protection of Personal Data”, which develops the right of Habeas Data, defines that any owner of personal data has the power to control the information that has been collected from him or herself in any database or file, whether managed by private or public entities. Under this General Law, any natural person is a Holder and only in exceptional occasions, provided for by the Constitutional Court in Judgment C-748 of 2011, could a legal person become a legal person, if the rights of the natural persons that make them up are affected.
- Decree 1377 of 2013 that partially regulated Law 1581 of 2012, General Law on the Protection of Personal Data.
III. DEFINITIONS
In order for the recipients of this policy to be clear about the terms used throughout it, the definitions provided by Law 1581 of 2012 are included below.
- Authorization: Prior, express and informed consent of the Owner to carry out the Processing of Personal Data.
- Privacy Notice: Verbal or written communication generated by the Responsible Party, addressed to the Owner for the Processing of their Personal Data, through which they are informed about the existence of the Information Processing Policies that will be applicable to them, the way to access them and the purposes of the Processing that is intended to be given to the personal data.
- Database: Organized set of Personal Data that is subject to Processing.
- Clients: Natural or legal person, public or private, with whom BEHAVIORAL INSIGHTS has a commercial relationship.
- Personal Data: Any information linked to or that can be associated with one or more specific or determinable natural persons. Some examples of personal data are the following: name, citizenship card, address, email, telephone number, marital status, health data, biometrics, salary, assets, financial statements, etc.
- Public Data: Public data are considered to be, among others, data relating to the marital status of persons, their profession or trade and their status as a merchant or public servant. By their nature, public data may be contained, inter alia, in public registers, public documents, official gazettes and gazettes, and duly enforceable court judgments that are not subject to confidentiality.
- Public Personal Data: All personal information that is freely and open to the general public.
- Semi-private personal data: These are data that are not intimate, reserved, or public in nature and whose knowledge or disclosure may be of interest not only to the owner but also to a certain sector or society in general.
- Private Personal Data: Any personal information that has a restricted knowledge, and in principle private for the general public, for the purpose of identifying customers, prospects, suppliers, employees, allies and other people related to any of our services, and/or to our organization, for the purposes of security of people and things, or for the security of processes and information itself.
- Sensitive data: Information that affects the privacy of the Owner or whose improper use may lead to discrimination, such as information that reveals racial or ethnic origin, political orientation, religious or philosophical convictions, membership of trade unions, social or human rights organizations or that promotes the interests of any political party or that guarantees the rights and guarantees of opposition political parties, as well as data relating to health, sex life and biometric data, among others, still or moving image capture, fingerprints, photographs, iris, voice, facial or palm recognition, etc.
- Data Processor: Natural or legal person, public or private, that by itself or in association with others, carries out the Processing of Personal Data on behalf of the Data Controller. In the event that the Responsible Party does not act as the Person in Charge of the Database, the Person in Charge will be expressly identified.
- Data Controller: Natural or legal person, public or private, who by himself or in association with others, decides on the Database and/or the Processing of the data.
- Claim: Request by the Data Subject or by the persons authorized by the Data Subject or by the Law to correct, update or delete their personal data or to revoke the authorization in the cases established by Law.
- Terms and Conditions: general framework in which the activities of visitors or users of the website are governed.
- Owner: Natural person whose Personal Data is subject to Processing.
- Transfer: Data transfer takes place when the Controller and/or Processor of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is the Controller and is located inside or outside the country.
- Transmission: Processing of Personal Data that involves the communication of these within or outside the Colombian territory when it is intended to carry out a Processing by the Processor on behalf of the Responsible Party.
- Processing: Any operation or set of operations on Personal Data, such as collection, storage, use, circulation or deletion.
IV. PRINCIPLES APPLICABLE TO THE PROCESSING OF PERSONAL DATA
For the Processing of Personal Data, BEHAVIORAL INSIGHTS will apply the principles mentioned below, which constitute the rules to be followed in the collection, handling, use, treatment, storage and exchange of personal data:
- Legality: The Processing of personal data will be carried out in accordance with the applicable legal provisions (Statutory Law 1581 of 2012 and its regulatory decrees).
- Purpose: The personal data collected will be used for a specific and explicit purpose which must be informed to the Owner or permitted by Law. The Owner will be informed in a clear, sufficient and prior manner about the purpose of the information provided.
- Freedom: The collection of Personal Data may only be exercised with the prior, express and informed authorization of the Owner.
- Veracity or Quality: The information subject to the Processing of Personal Data must be truthful, complete, accurate, updated, verifiable and understandable.
- Transparency: In the Processing of Personal Data, the right of the Owner to obtain at any time and without restrictions, information about the existence of data concerning him/her, is guaranteed.
- Access and restricted circulation: The Processing of personal data may only be carried out by persons authorized by the Owner and/or by the persons provided for by Law.
- Security: The Personal Data subject to Processing will be handled by adopting all the security measures that are necessary to prevent its loss, adulteration, consultation, use or unauthorized or fraudulent access.
- Confidentiality: All employees who work at BEHAVIORAL INSIGHTS are obliged to keep confidential the personal information to which they have access in the course of their work at BEHAVIORAL INSIGHTS, additionally third parties who access personal information of other people by virtue of their relationship with BEHAVIORAL INSIGHTS must keep the due confidentiality of that information and comply with this Policy when they do so in their capacity as processors
V. PROCESSING AND PURPOSES TO WHICH THE PERSONAL DATA PROCESSED BY BEHAVIORAL INSIGHTS WILL BE SUBJECTED
BEHAVIORAL INSIGHTS, acting in its capacity as Responsible for the Processing of Personal Data, for the proper development of its commercial activities, as well as for the strengthening of its relationships with third parties, collects, stores, uses, circulates and deletes Personal Data corresponding to natural persons with whom it has or has had a relationship, such as, without the enumeration implying limitation, workers and their families, shareholders, consumers, customers, distributors, suppliers, creditors and debtors, for the following purposes or purposes:
Personal data | Purpose | |
Clients |
|
its current and future partners or suppliers
|
Suppliers |
|
|
Workers/Prospects |
|
|
Miscellaneous creditors (social security, parafiscal and other creditors) |
|
|
VI. General purposes for the processing of Personal Data
- To allow the participation of the Account Holders in marketing and promotional activities carried out by BEHAVIORAL INSIGHTS.
- BEHAVIORAL INSIGHTS uses the information for marketing purposes, such as to send you our newsletter or other promotional emails.
- Control access to BEHAVIORAL INSIGHTS offices and establish security measures, including the establishment of video surveillance areas;
- Respond to queries, requests, complaints and claims made by the Owners and control bodies and transmit the Personal Data to the other authorities that by virtue of the applicable law must receive the Personal Data;
- To eventually contact, via e-mail, or by any other means, natural persons with whom it has or has had a relationship, such as, without the enumeration implying limitation, workers and their relatives, shareholders, consumers, customers, distributors, suppliers, creditors and debtors, for the aforementioned purposes.
- Transfer the information collected to different areas of BEHAVIORAL INSIGHTS and to its related companies in Colombia and abroad when necessary for the development of its operations
- To attend to judicial or administrative requirements and compliance with judicial or legal mandates;
- Register your personal data in BEHAVIORAL INSIGHTS’ information systems and in its commercial and operational databases;
- Any other activity of a similar nature to those described above that are necessary to develop the corporate purpose of BEHAVIORAL INSIGHTS.
- For the transmission of personal data under the terms of articles 24 and 25 of Decree 1377 of 2013, for the same purposes previously indicated.
- For the transfer of personal data to third parties, under the terms of articles 24 and 25 of Decree 1377 of 2013, for the same purposes previously indicated
RIGHTS OF THE OWNERS OF PERSONAL DATA
The natural persons whose Personal Data are subject to Processing by BEHAVIORAL INSIGHTS, have the following rights, which they can exercise at any time:
- Know the Personal Data on which BEHAVIORAL INSIGHTS is carrying out the Processing. Similarly, the Owner may request at any time that their data be updated or rectified, for example, if they find that their data are partial, inaccurate, incomplete, fragmented, misleading, or those whose Processing is expressly prohibited or has not been authorized.
- Request proof of the authorization granted to BEHAVIORAL INSIGHTS for the Processing of your Personal Data.
- To be informed by BEHAVIORAL INSIGHTS, upon request, regarding the use that it has given to your Personal Data.
- Submit complaints to the Superintendence of Industry and Commerce for violations of the provisions of the Personal Data Protection Law.
- Request BEHAVIORAL INSIGHTS to delete your Personal Data and/or revoke the authorization granted for the Processing of these, by filing a complaint, in accordance with the procedures established in numeral 13 of this Policy. However, the request for the deletion of the information and the revocation of the authorization will not proceed when the Owner of the information has a legal or contractual duty to remain in the Database and/or Files, nor while the relationship between the Owner and BEHAVIORAL INSIGHTS, by virtue of which their data was collected, is in force.
- To access your Personal Data that has been subject to Processing free of charge.
- The rights of the Holders may be exercised by the following persons:
- By the Owner;
- By their successors, who must prove such status;
- By the representative and/or attorney-in-fact of the Owner, after accreditation of the representation or power of attorney;
- By stipulation in favor of another or for another. (Clients)
VII. BEHAVIORAL INSIGHTS DUTIES AS A CONTROLLER OF PERSONAL DATA
BEHAVIORAL INSIGHTS is aware that Personal Data is the property of the people to whom it refers and only they can decide on it. In this sense, BEHAVIORAL INSIGHTS will make use of the Personal Data collected only for the purposes for which it is duly authorized and respecting, in any case, the current regulations on the Protection of Personal Data.
BEHAVIORAL INSIGHTS will comply with the duties provided for the Data Controllers, contained in Article 17 of Law 1581 of 2012 and the other rules that regulate, modify or replace it.
In addition, BEHAVIORAL INSIGHTS will guarantee compliance with the obligations of the Processor of personal data, even when the Processor is a third party, it will guarantee that it complies with all the provisions.
VIII. AREA RESPONSIBLE FOR THE IMPLEMENTATION AND OBSERVANCE OF THIS POLICY
The area of Alejandro Musi, Operations Manager, is in charge of the work of development, implementation, training and observance of this Policy. For this purpose, all officials who carry out the Processing of Personal Data in the different areas of BEHAVIORAL INSIGHTS, are obliged to report these Databases to the Accounting and Finance area and to immediately transfer to it all requests, complaints or claims they receive from the Owners of Personal Data.
The Operations Manager area has also been designated by BEHAVIORAL INSIGHTS as the area responsible for dealing with requests, queries, complaints and claims before which the Information Owner may exercise their rights to know, update, rectify and delete the data and revoke the authorization. This area is located at the address: Cr 16 No 97 – 46 P 8 in the city of Bogotá D.C., Colombia, and can be contacted through the email: alejandro.musi@bi.team
IX. AUTHORIZATION
BEHAVIORAL INSIGHTS will request prior, express and informed authorization from the Owners of the Personal Data on which it requires to carry out the Processing.
This expression of the Owner’s will can occur through different mechanisms made available by BEHAVIORAL INSIGHTS, such as:
- In writing, by filling out an authorization form for the Processing of Personal Data determined by BEHAVIORAL INSIGHTS.
- Orally, through a telephone conversation or videoconference.
- By means of unequivocal conduct that allows the conclusion that the holder granted his authorization and that said authorization can be consulted subsequently. Under no circumstances will BEHAVIORAL INSIGHTS assimilate the Owner’s silence to unequivocal conduct.
X. SPECIAL PROVISIONS FOR THE PROCESSING OF PERSONAL DATA.
Processing of Sensitive Personal Data
The Processing of Personal Data classified as Sensitive is prohibited by law, unless there is express, prior and informed authorization from the Owner, among other exceptions enshrined in Article 6 of Law 1581 of 2012.
In this case, in addition to complying with the requirements established for authorization, BEHAVIOURAL INSIGHTS will inform the Owner:
- That because it is sensitive data, it is not obliged to authorise its Processing.
- Which of the data that will be subject to Processing are sensitive and the purpose of the Processing.
In addition, BEHAVIORAL INSIGHTS will treat the sensitive data collected under security and confidentiality standards corresponding to its nature. To this end, BEHAVIORAL INSIGHTS has implemented administrative, technical and legal measures contained in its Policies and Procedures Manual, which are mandatory for its employees and, as applicable, for its suppliers, related companies and business partners.
Processing of Personal Data of Children and Adolescents
In accordance with the provisions of Article 7 of Law 1581 of 2012 and Article 12 of Decree 1377 of 2013, BEHAVIORAL INSIGHTS will only carry out the Processing of Personal Data corresponding to children and adolescents, as long as this Processing responds to and respects the best interests of children and adolescents and ensures respect for their fundamental rights.
Once the above requirements have been met, BEHAVIORAL INSIGHTS must obtain the authorization of the legal representative of the child or adolescent, after the minor has exercised his or her right to be heard, an opinion that will be assessed taking into account the maturity, autonomy and capacity to understand the matter.
XI. PROCEDURE FOR EXERCISING RIGHTS AS A DATA SUBJECT
The rights of the Data Controllers established in the Law may be exercised before BEHAVIORAL INSIGHTS by the following persons:
- By the Data Owner, who must sufficiently prove their identity to BEHAVIORAL INSIGHTS.
- By the successors of the Data Owner, who must accredit such quality to BEHAVIORAL INSIGHTS.
- By the representative and/or representative of the Data Subject, after accreditation to BEHAVIORAL INSIGHTS of the representation or power of attorney.
- By stipulation in favor of another or for another.
In accordance with the provisions of the applicable legislation in force, for the exercise of any of the rights that assist the Data Subjects, any of the mechanisms established below may be used before BEHAVIORAL INSIGHTS:
11.1. Consultations:
- The Owners or their successors may consult the personal information of the Owner that is stored in the BEHAVIORAL INSIGHTS databases.
- BEHAVIORAL INSIGHTS, as Data Controller, will provide the Data Controllers or their successors with all the information contained in the individual record or that is linked to the identification of the Data Controller.
- The consultation will be made through the channels that have been enabled for this purpose by BEHAVIORAL INSIGHTS, which are described in Numeral 3 of this chapter.
- The query will be answered by BEHAVIORAL INSIGHTS within a maximum term of ten (10) business days from the date of receipt of the same.
- When it is not possible for BEHAVIORAL INSIGHTS to respond to the query within said term, it will inform the interested party, expressing the reasons for the delay and indicating the date on which it will respond to their query, which in no case will exceed five (5) business days following the expiration of the first term.
Claims:
- The Owners or successors who consider that the information contained in the BEHAVIORAL INSIGHTS databases should be corrected, updated or deleted, or when they notice the alleged breach of any of the duties contained in the law, may file a claim with BEHAVIORAL INSIGHTS as the Data Controller. which will be processed under the following rules:
- The claim will be made by means of a written request addressed to BEHAVIORAL INSIGHTS, with the identification of the Owner, the description of the facts that give rise to the claim, the address, and accompanying the documents that you want to assert.
- A photocopy of the identification document of the Data Owner must be attached to the claim.
- The claim will be made through the channels that have been enabled for this purpose by BEHAVIORAL INSIGHTS, which are described in Numeral 3 of this chapter.
- If the complaint is incomplete, BEHAVIORAL INSIGHTS will require the interested party within five (5) business days following receipt of the complaint to correct the defects.
- If two (2) months have elapsed from the date of the request made by BEHAVIORAL INSIGHTS, without the applicant submitting the required information, the Company will understand that the claim has been withdrawn.
- In the event that the person receiving the complaint is not competent to resolve it, he or she shall notify the appropriate party within a maximum period of two (2) business days and shall inform the interested party of the situation.
- Once BEHAVIORAL INSIGHTS receives the complete claim, it will include in the database a legend that indicates: “claim in process” and the reason for it, within a term of no more than two (2) business days. This legend must be maintained until the claim is decided.
- The maximum term for BEHAVIORAL INSIGHTS to attend to the claim will be fifteen (15) business days from the day following the date of receipt.
- When it is not possible for BEHAVIORAL INSIGHTS to attend to the claim within said term, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.
Enabled Channels:
The rights of the owners may be exercised by the aforementioned persons through the channels that have been enabled by BEHAVIORAL INSIGHTS for this purpose, which are available free of charge, as follows:
- Communication addressed to BEHAVIORAL INSIGHTS, located at Cr 16 No 97 – 46 P 8, Bogotá D.C.
- Request submitted to email: alejandro.musi@bi.team
- Application submitted by phone +52 2225 05 05 58
XII. PASSIVELY OBTAINED INFORMATION – COOKIES.
When using the services contained within BEHAVIORAL INSIGHTS’ websites, BEHAVIORAL INSIGHTS may passively collect information through information management technologies, such as “cookies,” through which information is collected about the hardware and software of the equipment, IP address, browser type, operating system, domain name, access time and addresses of the referring websites; through the use of these tools, no Personal Data of users is directly collected. Information will also be collected about the pages that the person visits most frequently on these websites in order to know their browsing habits. However, the user of the BEHAVIORAL INSIGHTS websites has the possibility of configuring the operation of the “cookies”, according to the options of their internet browser.
XIII. SECURITY OF PERSONAL DATA
BEHAVIORAL INSIGHTS, in strict application of the Principle of Security in the Processing of Personal Data, will provide the technical, human and administrative measures that are necessary to provide security to the records by preventing their adulteration, loss, consultation, use or unauthorized or fraudulent access. The obligation and responsibility of BEHAVIORAL INSIGHTS is limited to having the appropriate means for this purpose. BEHAVIORAL INSIGHTS does not guarantee the total security of your information nor is it responsible for any consequences derived from technical failures or improper entry by third parties to the Database or file in which the Personal Data subject to Processing by BEHAVIORAL INSIGHTS and its Processors are based. BEHAVIORAL INSIGHTS will require the service providers it hires to adopt and comply with the appropriate technical, human and administrative measures for the protection of Personal Data in relation to which said providers act as Processors.
XIV. TRANSFER, TRANSMISSION AND DISCLOSURE OF PERSONAL DATA
BEHAVIORAL INSIGHTS may disclose to its related companies worldwide, the Personal Data on which it carries out the Processing, for its use and Processing in accordance with this Personal Data Protection Policy.
Likewise, BEHAVIORAL INSIGHTS may deliver Personal Data to third parties not related to BEHAVIORAL INSIGHTS when:
- They are contractors in execution of contracts for the development of BEHAVIORAL INSIGHTS’ activities;
- By transfer in any capacity of any line of business to which the information relates.
In any case, when BEHAVIORAL INSIGHTS chooses to send, transmit data to one or more Processors located inside or outside the territory of the Republic of Colombia, if required by law, BEHAVIORAL INSIGHTS will establish contractual clauses or enter into a contract for the transmission of personal data in which, among others, the following is agreed:
- The scope and purposes of the processing.
- The activities that the Processor will perform on behalf of BEHAVIORAL INSIGHTS.
- The obligations that the Processor must comply with with respect to the Data Subject and BEHAVIORAL INSIGHTS.
- The duty of the Processor to process the data in accordance with the purpose authorized for the same and observing the principles established in Colombian Law and this policy.
- The obligation of the Processor to adequately protect personal data and databases, as well as to maintain confidentiality with respect to the processing of the data transmitted.
- A description of the specific security measures that will be adopted by both BEHAVIORAL INSIGHTS and the Data Processor at your destination.
Compliance with the specific security measures that will be adopted by both BEHAVIORAL INSIGHTS and the person in charge in accordance with the documents that make up the BEHAVIORAL INSIGHTS personal data protection program.
In any case, in its capacity as responsible party, BEHAVIORAL INSIGHTS will require the Data Processor at all times, to respect the security and privacy conditions of the Owner’s information and to comply with its duties as a processor in accordance with Article 18 of Law 1581 of 2012.
XV. MODIFICATION OF THE TREATMENT POLICY
In the event of substantial changes in the content of this Personal Data Processing Policy, they will be communicated before or at the latest at the time of implementation of the new policies. In addition, when the change refers to the purpose of the Processing of personal data, BEHAVIORAL INSIGHTS must obtain a new authorization from the owners.
In any case, we invite you to regularly or periodically review our website bi.team through which you will be informed about the change and the latest version of this Policy or the mechanisms enabled by BEHAVIORAL INSIGHTS will be made available to you to obtain a copy of it.
XVI. APPLICABLE LEGISLATION
This Personal Data Protection Policy, the Privacy Notice, and the Authorization Form Annex that is part of this Policy, are governed by the provisions of current legislation on the Protection of Personal Data referred to in Article 15 of the Political Constitution of Colombia, Law 1581 of 2012, Decree 1377 of 2013 and other regulations that modify, repeal or replace them.
XVII. VALIDITY
This Personal Data Protection Policy is in force from 15 August of 2024.
The databases in which personal data will be recorded will be valid for the time in which the information is maintained and used for the purposes described in this policy. Once these purposes are fulfilled and provided that there is no legal or contractual duty to keep your information, your data will be deleted from our databases.