PERSONAL DATA PROCESSING POLICY
1. COMPANY INFORMATION
Company name | Editorial Santillana S.A.S. and Distribuidora y Editora Richmond S.A., which shall be referred to as the Corporations |
Head Office | Bogotá D.C. |
Address | Carrera 11 No. 98 - 50 Oficina 501 |
2. LEGAL FRAMEWORK
a) Article 15 of Colombia's Political Constitution
b) Law 1266 of 2008
c) Law 1581 of 2012
d) Regulatory Decrees 1727 of 2009, 2952 of 2010 and 1377 of 2013
e) Constitutional Court Rulings C-1018 of 2008 and C-748 of 2011
3. OVERVIEW
The Corporations are companies committed to the protection of private and confidential information that is obtained within the ordinary course of business in development of their respective corporate purpose.
Our policies and procedures are based on the aforementioned legal framework, whose purpose is the protection of information that has been entrusted to us. Our intention resides exclusively in the collection of information that has been voluntarily provided by our Customers, Contractors, Suppliers, Employees, Former Employees, Visitors, among other stakeholders.
This information may be obtained, not exclusively, through any of the following channels or means: i) commercial, contractual or professional relationship with the respective Client, Supplier or other third parties; ii) employment relationship with the Employees and Former Employees; iii) through personnel selection processes; iv) registration forms for trainings, competitions, seminars or courses; v) registration and access to educational platforms, pedagogical content, among others, and vi) referral of emails or electronic information requesting information.
We must point out that, when providing, delivering or sending any kind of personal information to the Corporations, the Personal Data Subject accepts that such information will be used in accordance with this Personal Data Processing policy.
This document establishes the Personal Data Processing policy of the Corporations, in compliance with the provisions of Law 1581 of 2012 and Decree 1377 of 2013, and describes the mechanisms through which the companies guarantee the adequate management of Personal Data collected in their Databases. This allows Subjects to exercise the right of habeas data. Likewise, the main purpose of this policy is to inform the Personal Data Subjects of their rights, the procedures and mechanisms provided by the Corporations to render these rights effective, and to make them aware of the scope and purpose of the Processing to which the Personal Data will be submitted in the event that the Subject grants his express, prior, informed and facultative Authorization.
4. MAIN DEFINITIONS
To facilitate a better understanding of this Personal Data Processing policy, the terms used in this document will have the meaning given to them here, or the meaning that the applicable law and jurisprudence shall give them, as it may be modified from time to time.
a) “Authorization”: it is the prior, express, informed and facultative consent of the Subject to carry out the Processing of his Personal Data.
b) “Authorized” Entity: refers to the Corporations and all the people under the responsibility of the Corporations, that by virtue of the Authorization and of this policy have legitimacy to process the Personal Data of the Subject.
c) “Clearance”: refers to legitimacy that is granted expressly and in writing by means of a contract or document that grants the Corporations permission to disclose information to third parties, in compliance with the applicable law, for Personal Data Processing, turning such third parties into Data Processors tasked with the processing of Personal Data that was delivered or made available.
d) “Client”: refers to a natural or legal person to whom the Corporations sell products or services to, by virtue of a pre-existing commercial or contractual relationship.
e) “Database”: refers to the organized set of Personal Data that is subject to Processing, via electronic means or otherwise, and referring to any means by which it was established, stored, organized and accessed.
f) Data “Controller”: natural or legal person, public or private, that by itself or in association with others, decides on the Database and / or the Processing of Personal Data.
g) Data “Processor”: refers to the natural or legal person, public or private, that by itself or in association with others, performs the processing of Personal Data on behalf of the Controller.
h) “Employee”: refers to a natural person who provides personal services to any of the Corporations by virtue of a pre-existing employment relationship.
i) “Financial Data”: any Personal Data referring to the setting-up, execution and extinction of monetary obligations, independently of the nature of the contract that gives rise to them, whose Processing is governed by Law 1266 of 2008 or the regulations that may complement, modify or add to said law.
j) “Former Employee”: natural person who was formerly employed by the Corporations.
k) “Personal Data”: pertains to information of any kind, linked or that may be associated with one or several determined or determinable natural or legal persons.
l) Personal Data “Processing”: pertains to any operation and systematic procedure, electronic or otherwise, that allows the collection, conservation, ordering, storage, modification, use, circulation, evaluation, blocking, destruction, or, in general terms, the processing of Personal Data. This includes its transfer to third parties through communications, consultations, interconnections, assignments, and data messages.
m) Personal Data “Subject”: refers to the natural or legal person to whom the information that rests in a Database refers, and who is the subject of the right of habeas data.
n) “Privacy Notice”: refers to a verbal or written communication generated by the Controller, addressed to the Subject, for the Processing of their Personal Data, by which he is informed about the existence of the information Processing policies that will be applicable, the way to access them and the purposes of the Processing that is intended to be given to said Personal Data.
o) “Private Data”: data that is private or reserved by its nature. It only holds relevance to the Subject.
p) “Public Data”: refers to Personal Data qualified as such according to the mandates of the law or the Political Constitution of Colombia, and that is not semi-private, private or sensitive. Public Data is, among other provisions, such data as it pertains to the marital status of individuals, their profession or trade, their status as a merchant or public servant and those that can be obtained without any reservation. By its nature, Public Data may be stored, among other places, in public records, public documents, gazettes and official bulletins, or duly executed judicial sentences that are not subject to reservation.
q) “Semiprivate Data”: refers to data which has no private, reserved, or public nature and whose knowledge or disclosure may be of interest not only to the Subject but to a certain sector or group of people or to society in general. Such data includes Financial Data and credit information of commercial activity, or of services.
r) “Sensitive Data”: refers to Personal Data that affects the privacy of the Subject, on which improper use can lead to their discrimination, such as information that reveals union affiliations, racial or ethnic origin, political or religious orientation, moral or philosophical convictions, social organizations, human rights organizations or those that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life, biometric data and data about minors.
s) “Supplier”: natural or legal person who supplies goods or services to any of the Corporations by virtue of a pre-existing commercial or contractual relationship.
t) “Transfer”: refers to Personal Data Processing that implies the communication of such data inside or outside the territory of the Republic of Colombia when it pertains to the Processing of data by the Data Processor on behalf of the Controller.
u) “Transmission”: refers to Personal Data Processing activity through which they are communicated, either internally or with third parties, within or outside the territory of the Republic of Colombia, when said communication is intended to perform any activity associated with Processing by the Processor of Personal Data.
v) “User”: natural or legal person who uses any good or service offered by the Corporations.
w) “Visitor”: any person who enters the Corporations' facilities and who does not have an employment relationship with the Corporations.
5. PRINCIPLES
The Corporations, in the development of their commercial activities, will collect, use, store, transmit, transfer and carry out various operations on the Subject's Personal Data. In all Personal Data Processing carried out by the Corporations, the Controllers, the Processors and / or third parties to whom Personal Data is transferred must comply with the principles and rules established within the law and within this policy, in order to guarantee the right to habeas data and privacy of the Subjects, and to comply with the legal obligations of the Corporations.
These principles are:
a) Prior authorization: all Personal Data Processing will be carried out once the prior, express, informed and facultative Authorization of the Subject has been obtained, unless the law establishes an exception to this rule. In the event that the Personal Data has been obtained prior to the law, the Corporations will seek the appropriate ordinary and alternative means to summon the Subject and obtain their retroactive Authorization, following the provisions of Decree 1377 of 2013 and the corresponding norms.
b) Authorized purpose: all Personal Data Processing must comply with the purposes mentioned in this policy or in the Authorization granted by the Personal Data Subject, or in the specific documents where each type or process of Personal Data Processing is regulated. The purpose of Processing any particular Personal Data must be informed to the Personal Data Subject at the moment of obtaining his or her Authorization. Such Personal Data cannot be processed outside of the purposes informed and consented by the Subjects.
c) Data quality: the Personal Data submitted for Processing must be truthful, complete, accurate, updated, verifiable and understandable. Should the Processor be in the possession of partial, incomplete, fragmented or misleading Personal Data, the Corporations must refrain from Processing said data, or request the Subject to complete or correct the information.
d) Delivery of information to the Subject: upon Subject request, the Corporations must provide information about the existence of Personal Data that concerns the petitioner. This delivery of information will be carried out by the corresponding department within the Corporations that is responsible for the protection of Personal Data.
e) Restricted circulation: Personal Data can only be processed by such personnel inside the Corporations that have Authorization to do so, or those who within their functions are in charge of carrying out such activities. Personal Data cannot be delivered to those who do not have Authorization or have not been authorized by the Corporations to carry out Processing.
f) Temporality: the Corporations will not use the information of the Subject beyond the reasonable term required for the purposes of fulfilling the task that was informed to the Personal Data Subject.
g) Restricted access: except for the data expressly authorized, the Corporations will not be able to make Personal Data available for access through the internet or other means of mass communication, unless technical and security measures are established to control access and restrict it only to Authorized persons.
h) Confidentiality: the Corporations must always perform the Processing of Data by providing the technical, human and administrative measures that are necessary to maintain the confidentiality of said Personal Data and to prevent it from being adulterated, modified, viewed, used, accessed, deleted, lost or known by unauthorized persons, or by authorized and unauthorized persons in a fraudulent manner. For the undertaking of any new project involving Personal Data Processing, this Data Processing policy should be consulted.
i) Confidentiality and subsequent Processing: all Personal Data that is not Public Data must be processed and handled by the Controller as confidential, even when the contractual relationship or the link between the Personal Data Subject and the Corporations has ended. Upon termination of such link, all Personal Data must continue to be processed in accordance with this policy and with the law.
j) Individuality: the Corporations will keep Databases in which they are acting as the Processor, and for which they are acting as the Controller, separate.
k) Necessity: Personal Data can only be processed during the time and to the extent that the purpose of its Processing justifies.
6. DATABASE CONTENTS
General information is stored in the Databases of the Corporations, such as full name, number and type of identification, gender and contact data (email, physical address, landline and mobile phone). In addition to these, and depending on the nature of the Database, the Corporations may have specific data required for Data Processing. Databases of Employees and contractors include information on employment and academic history, as well as Sensitive Data required by the nature of the employment relationship (personal photo, number of family members and biometric data).
Sensitive information may be stored within the Databases with the prior Authorization of the Subject, in compliance with the provisions of articles 5 and 7 of Law 1581 of 2012.
7. DATA PROCESSING AND PURPOSES
The information contained within the Databases of the Corporations is subject to different forms of Processing, such as collection, exchange, updating, processing, reproduction, compilation, storage, use, systematization and organization, all partially or totally in compliance with the purposes established here. The information may be delivered, transmitted or transferred to public entities, commercial partners, contractors, affiliates, subsidiaries, third parties, or members of the corporate group worldwide, solely for the purpose of complying with the purposes of the corresponding Database. In any case, the delivery, Transmission or Transfer will be made subject to the prior subscription of the commitments that are necessary to safeguard the confidentiality of the information, and must have express consent and Authorization before sharing such information.
The Personal Data processed by the Corporations are subject to the purposes indicated below. Likewise, the Processors or third parties who have access to the Personal Data by virtue of the law or contract, will perform Data Processing only for the following purposes:
a) Execute all existing commercial or contractual relationships with Customers, Suppliers, Employees and Former Employees, including the payment of contractual obligations and the exercise of the rights derived from them.
b) Consult, request, supply, report, and disclose all the information that refers to the credit, financial and commercial behavior of Clients in the credit bureaus: CIFIN (BANK ASSOCIATION) and DATACREDITO (COMPUTEC), as well as to financial entities of Colombia that provide the same service or whoever represents their rights;
c) Provide the services and / or products required by its Users;
d) Inform about new products or services and / or about changes regarding such products or services;
e) Conduct internal research on consumer habits;
f) Send commercial, advertising or promotional information about products and / or services, events and / or promotions, in order to promote, invite, direct, execute, inform and in general, carry out campaigns, promotions or contests of a commercial or advertising nature, developed by the Corporations and / or third parties;
g) Provide tools for the improvement of all educational processes of its Users;
h) Develop selection, evaluation, and employment relationship processes, and the processes required to fully comply with the employment relationship. This includes the granting of employment benefits;
i) Partake in internal or external audit processes;
j) Manage all necessary information for the fulfillment of tax obligations and commercial, corporate and accounting records of the Corporations;
k) Comply with the internal processes of the Corporations as they relate to the administration of Suppliers, Clients, Employees, Former Employees, Users and Visitors;
l) Execute archiving processes, and perform system updates, protection, and custody of information and Databases of the Corporations;
m) Carry out processes within the Corporations for the development, operation and / or administration of their own or third-party systems;
n) Transmit or transfer data to third parties with which contracts have been executed for commercial, contractual, administrative, marketing and / or operational purposes;
o) Determine, with absolute certainty, the identity of the people who shall enter the Corporations' facilities. This shall ensure Employee safety, and safeguarding assets of the Corporations and Visitors. This information may be shared with the company that provides private security services to the Corporations, with the aim of ensuring the safety of Employees, Visitors and assets of the Corporations;
p) Carry out an adequate risk management assessment that allows for the timely and adequate response in emergencies that may affect the physical integrity of Employees and Visitors, as well as the facilities and assets of the Corporations;
q) Facilitate access to the Corporations' facilities;
r) Control, monitor and record the historical information of movement of people, personnel, Visitors and assets that shall enter the facilities of the Corporations;
s) Any other purposes determined by the Controllers that are tasked with obtaining Personal Data for Processing, and that are communicated to the Subjects at the time of the collection of Personal Data.
8. USE OF SENSITIVE DATA
Should the Controller request, or the Subject consider that it is necessary to provide this type of data, it is necessary that the Subject submits said data together with the due Authorization, and thus be able to allow its Processing for the legitimate purposes of the business and the purposes established by the present policy.
a) Obtaining Sensitive Data. The Corporations will obtain information known under the pertinent regulations as Sensitive Data in the following events, when:
(i) The Subjects are minors;
(ii) The Subjects provide their express and prior Authorization as it relates to the collected data. The above applies unless one of the events falls under a circumstance in which by law Authorization is not required;
(iii) The Processing of such data is necessary to safeguard any vital interest of the Subject, in which case the prior Authorization of the person exercising the legal representation of the Subject will be required;
(iv) Any data that is deemed necessary for the recognition, exercise or defense of a right in a judicial process;
(v) Any data that has a historical, statistical or scientific purpose, for which all measures must be taken leading to the elimination of the identity of the Subjects.
(vi) Any data necessary to comply with employment duties, including the payment of contractual obligations and the granting of benefits.
(vii) Any data used to guarantee the safety of the Employees, the assets of the Corporations and the Visitors within the facilities of the Corporations.
b) Exceptions to the prior and express Authorization of the Subject. Notwithstanding the foregoing, and in accordance with the law, the Corporations may proceed with Data Processing, without requiring prior Authorization, when:
(i) Information is required by a public or administrative entity in the exercise of its legal functions or by court order;
(ii) Dealing with data of a public nature (in accordance with the legal definition of the term);
(iii) Cases of medical or sanitary emergency;
(iv) Any Processing of information authorized by law for historical, statistical or scientific purposes;
(v) Data related to the Civil Registry of Persons.
Except for the aforementioned exceptions, and within the legitimate purposes of the social purpose of the Corporations, in no case shall the Corporations supply, distribute, market, share, exchange with third parties and, in general, perform any activity in which the confidentiality and protection of the information collected is compromised.
However, the data collected by the Corporations may, if necessary, be delivered, transmitted or transferred to public entities, business partners, contractors, affiliates, subsidiaries, third parties, or members of the corporate group worldwide, with the sole purpose of complying with the purposes of the corresponding Database. In any case, the delivery, Transmission or Transfer of such data will be made subject to the prior subscription of the commitments that are necessary to safeguard the confidentiality of the information, and must have prior consent and Authorization before sharing this information.
9. AUTHORIZATION
In order to carry out the aforementioned purposes, the Corporations require prior, express and duly informed Authorization by the Subjects. In order to achieve this, the Corporations have provided suitable mechanisms guaranteeing the ability to verify the granting of said Authorization in each case. Such data may be recorded by any means, be it a physical document, electronic or in any format that guarantees its subsequent consultation through technical tools, technology and properly secured computer devices.
The Authorization shall be a declaration that informs the Subject of the following information:
a) The Controller or Processor in charge of collecting the information.
b) The Personal Data that will be collected.
c) The purposes of Processing.
d) The procedure for exercising the rights of access, correction, updating or deletion of data.
10. PRIVACY NOTICE
In the event the Corporations cannot make this Personal Data Processing Policy available to the Subject, the Corporations will publish the Privacy Notice that is attached to this document, the text of which will be kept for subsequent consultation by the Data Subject and / or of the Superintendence of Industry and Commerce of Colombia.
11. MINORS AND ADOLESCENTS DATA PROTECTION
In accordance with the provisions of Statutory Law 1581 of 2012, Regulatory Decree 1377 of 2013 and in Court Ruling C-748 of 2011, the Corporations ensure that Personal Data Processing of children and adolescents will be made only when the following criteria are met:
a) The purpose of Processing responds to the best interests of children and adolescents.
b) Respect for fundamental rights of children and adolescents is assured.
c) Depending on age of the child or adolescent, their opinion is to be taken into account.
In any case, in educational and pedagogical activities, as well as in any commercial and marketing activities carried out, prior, express, informed and facultative Authorization of the father, mother or the legal representative of the minor or adolescent is required.
12. INTERNATIONAL TRANSFER OF PERSONAL DATA
In accordance with the provisions of article 26 of Law 1581 of 2012, the Corporations are committed not to transfer data to third countries that do not comply with the standards of protection of Personal Data required by the Superintendence of Industry and Commerce of Colombia, except in the cases indicated below:
a) Information for which the Subject has granted his express and unequivocal Authorization for Transfer of data;
b) Exchange of medical data, when so required by the Subject's Data Processing for reasons of health or public hygiene;
c) Bank or stock transfers, according to the legislation that is applicable to them;
d) Transfers agreed upon in the framework of international treaties in which the Republic of Colombia is a party, based on the principle of reciprocity;
e) Transfers necessary for the execution of a contract between the Subject and the Controller, or for the execution of pre-contractual measures, provided that the Subject has provided Authorization;
f) Transfers legally required for the safeguarding of the public interest, or for the recognition, exercise or defense of a right in a judicial process.
13. INTERNATIONAL TRANSMISSION OF PERSONAL DATA
All international Transmissions of Personal Data that the Processor shall carry out on behalf of the Corporations must be informed to the Subject at the moment of signing the Authorization document.
Likewise, the Corporations must sign the corresponding international data Transmission contracts with the Processors tasked with Personal Data Processing under their control and responsibility, indicating the scope of Processing, the activities that the Processor will perform on behalf of the Corporations and the obligations of the Processor vis a vis the Subject and the Corporations.
Through said contract, the Processors must commit themselves to apply the obligations that arise for the Corporations regarding their Personal Data Processing policy and to carry out the Data Processing in accordance with the purpose that the Subjects have authorized and with the applicable laws.
In addition to the obligations imposed by the applicable regulations within the aforementioned contract, the following obligations must be included as responsibility of the respective Processor:
a) Process data on behalf of the Corporations according to the principles that protect such data.
b) Safeguard the security of the Databases in which Personal Data are stored.
c) Keep confidentiality regarding the Processing of Personal Data.
14. SECURITY
In accordance with the provisions of article 19 of Decree 1377 of 2013, the Corporations shall adopt the technical, human and administrative measures that are necessary to grant security to the stored records. Notwithstanding the foregoing, the Corporations declare that they have information security policies and a technological infrastructure in place that reasonably protects all collected personal information, limiting access to third parties as far as reasonably possible. However, the Corporations will make continuous efforts to improve the security standards that protect the collected personal information.
15. COOKIES
The Corporations acknowledge the possibility that "cookies" may be used on their websites. "Cookie" is defined as a small file with a string of characters that is sent to the computer of the person who enters a website, that in turn allows it to store, among other things, the browsing preferences defined by the User as it pertains to the website in question. Although it is possible for the User to access the Corporations' websites even if the User does not allow the use of cookies, in order to properly administer the websites, it is possible that the Corporations, anonymously, feed their operational systems with the information derived from cookies, and as such identify and segment categories of Visitors by areas such as domains and type of "browsers". All this information may be stored by the Corporations in their servers, in order to provide a better experience to those who use the Corporations' websites.
16. PERSONAL DATA SUBJECT RIGHTS
According to the law, the Personal Data Subjects have the following rights:
a) Have knowledge, update and rectify Personal Data delivered to the Corporations or the Processors in charge of Processing the information. This right may be exercised, among others, against partial, inaccurate, incomplete, fragmented, misleading data, or data whose Processing is expressly prohibited or has not been authorized.
b) Request proof of Authorization granted to the Corporations, unless the law indicates that such Authorization is not necessary.
c) Submit requests to the Corporations or the Processor responsible for Processing regarding the use that has been given to the Personal Data, and such parties are obliged to deliver the requested information.
d) Submit complaints to the Superintendence of Industry and Commerce of Colombia for infractions of the law.
e) Revoke Authorization and / or request the deletion of Personal Data from the Databases of the Corporations, when the Superintendence of Industry and Commerce of Colombia has determined through a final administrative act that in the act of Data Processing, the Corporations or the Processor has incurred in conduct contrary to the law or when there is no legal or contractual obligation to maintain the Personal Data in the Database of the Controller.
f) Request and obtain access, free of charge, to Personal Data that has been subject to Processing in accordance with article 21 of Decree 1377 of 2013.
g) Gain knowledge of modifications to the terms of this policy in advance to the implementation of the new modifications, in an efficient way, or gain knowledge of the new policy of Processing of information.
h) Have easy access to the text of this policy and its modifications.
i) Gain access in an easy and simple way to the Personal Data that is under control of the Corporations to effectively exercise the rights that the law grants the Subjects.
j) Have knowledge of which department or person is empowered by the Corporations to whom the Subject can submit complaints, queries, claims and any other request regarding Personal Data.
The Subjects may exercise their rights of law and perform the procedures established in this policy, by presenting their citizenship card or original identification document. Minors may exercise their rights personally, or through their parents or adults who have parental authority, who in turn must provide corresponding proof through relevant documentation. Likewise, the rights of the Subject may be exercised by successors, representatives and/or attorneys who accordingly provide proof of corresponding status, and those who have made a stipulation in favor of another party or for another party.
17. DUTIES OF THE CONTROLLERS AND PROCESSORS RESPONSIBLE FOR PERSONAL DATA PROCESSING
All those obliged to comply with this policy must bear in mind that the Corporations are obliged to comply with the duties imposed by law. Consequently, the following obligations must be met:
a) Duties when acting as the Controller:
(i) Request and keep a copy of the respective Authorization granted by the Subject, under the conditions provided in this policy.
(ii) Clearly and sufficiently inform the Subject about the purpose of data collection and the rights that assist him/her by virtue of the Authorization granted.
(iii) Inform the Subject, upon their request, about any use given to their Personal Data.
(iv) Process all queries and claims, in accordance with the terms set forth in this policy.
(v) Ensure compliance with the principles of truthfulness, quality, security and confidentiality set forth within the terms of this policy.
(vi) Safekeep the information under the necessary security conditions to prevent its adulteration, loss, unauthorized consultation, use or fraudulent access.
(vii) Update information when necessary.
(viii) Rectify Personal Data when appropriate.
b) Duties with regards to the Superintendence of Industry and Commerce of Colombia:
(i) Report possible violations of the security codes and the existence of risks in the handling of information of Subjects.
(ii) Properly register in the National Register of Databases, administered by the Superintendence of Industry and Commerce of Colombia.
(iii) Update the registered information of the Databases belonging to the Corporations within ten (10) business days at the beginning of each month when there are substantial changes. This update must be performed at least once a year, between January 2nd and March 31st.
(iv) Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce of Colombia.
18. AREA RESPONSIBLE FOR PROCESSING INQUIRIES, PETITIONS, COMPLAINTS OR CLAIMS
The Corporations have designated the administrative and financial departments as the responsible parties for the reception and caretaking of petitions, complaints, claims and consultations of all kinds that are related to Personal Data. The person in charge will process inquiries and complaints regarding Personal Data in accordance with the law and this policy.
Some of the particular functions of these departments as they relate to Personal Data are:
a) Receive requests from Personal Data Subjects, process and respond to those requests that are within the law or these policies, such as: requests for updating Personal Data; requests to review Personal Data; requests for deletion of Personal Data when the Subject submits a copy of the decision of the Superintendence of Industry and Commerce of Colombia in accordance with the provisions of the law, requests for information on the use given to their Personal Data, requests for updating of Personal Data, requests for proof of the Authorization granted, in such cases when it has proceeded according to the law.
b) Respond to Personal Data Subjects on those requests that do not proceed in accordance with the law. The contact information of the administrative and financial departments is:
(i) Physical Address: carrera 11A No. 98 – 50 Office 501, Bogotá D.C., Colombia
(ii) Email: servclient@santillana.com
(iii) Telephone: nationwide hotline 01 8000 978 978, or within Bogotá +57(1)7057777.
19. PROCEDURES TO EXERCISE THE RIGHTS OF PERSONAL DATA SUBJECTS
a) Consultations
The Corporations shall have mechanisms in place for the Subject, his successors in title, his representatives and / or attorneys, those who have been stipulated to act on behalf of the Subject, and / or the representatives of minors who are Subjects, to make inquiries regarding their Personal Data that is stored in the Databases of the Corporations.
These mechanisms may be: electronic, via the email address servclient@santillana.com; via physical address, at carrera 11A No. 98 – 50 Office 501, Bogotá D.C., Colombia; or via telephone on the nationwide hotline 01 8000 978 978, or within Bogotá +57(1)7057777. These contact points are responsible for receiving petitions, complaints and claims. By whichever appropriate means, the Corporations will keep proof of the query and its response.
(i) If the applicant has the capacity to formulate the query, in accordance with the accreditation criteria established in Law 1581 of 2012 and Decree 1377 of 2013, the Corporations will collect all the information on the Subject that is contained in the individual record of that person or that is linked to the identification of the Subject within the Databases of the Corporations and will make it known to the petitioner.
(ii) The responsible person for attending the query will respond to the petitioner as long as he/she has the right to do so as the Personal Data Subject, his successors in title, his representatives and / or attorneys, those who have been stipulated to act on behalf of the Subject, and / or the representatives of minors. This response will be sent within ten (10) business days from the date on which the request was received by the Corporations.
(iii) In the event that the request cannot be answered within ten (10) business days, the petitioner will be contacted to communicate the reasons why the status of the application is pending. For this purpose, the same means or one similar to that used by the Subject will be used to communicate this request.
(iv) The final response to all requests will not take more than fifteen (15) business days from the date on which the initial request was received by the Corporations.
b) Claims
The Corporations have mechanisms in place so that the Subject, his successors in title, his representatives and / or attorneys, those who have been stipulated to act on behalf of the Subject, and / or the representatives of minors who are Subjects, can make claims regarding: (i) Personal Data processed by the Corporations that must be corrected, updated or deleted, or (ii) the alleged breach by the Corporations of the duties stipulated by the law.
These mechanisms may be: electronic, via the email address servclient@santillana.com; via physical address, at carrera 11A No. 98 – 50 Office 501, Bogotá D.C., Colombia; or via telephone on the nationwide hotline 01 8000 978 978, or within Bogotá +57(1)7057777. These contact points are responsible for receiving petitions, complaints and claims.
(i) The claim must be presented by the Subject, his successors or representatives in accordance with Law 1581 of 2012 and Decree 1377 of 2013, as follows:
Before attending the claim, the Corporations will verify the identity of the Personal Data Subject, their representative and/or attorney, and those who have been stipulated to act on behalf of the Subject. For this purpose, they can demand the citizenship card or the original identification document of the Subject, and the special or general powers or documents that are required for representation of a third party, as the case may be.
(ii) If the claim or supporting documentation is incomplete, the Corporations will require the claimant only once within five (5) days after receipt of the claim to correct any errors. If the claimant does not submit the required documentation and information within two (2) months following the date of the initial claim, it will be understood that the claim has been abandoned.
(iii) If for any reason the person tasked with handling the claim at the Corporations does not have the capacity to handle it, he/she will take such claim to the administrative and financial department within two (2) business days after receiving the claim. He/she will also inform the claimant of said referral.
(iv) Once the claim with the complete documentation has been received, it will be included in the Database of the Corporations where the data of the Subject subject to the claim rests. It will include a caption that says "claim in process" and the reason behind the claim within two (2) business days. This caption must be maintained until the claim is resolved.
(v) The maximum term to tend to the claim will be fifteen (15) business days counted from the day following the date of receipt. When it is not possible to tend to the claim within said term, the interested party will be informed of the reasons for the delay and the date on which his claim will be handled, which in no case may exceed eight (8) business days following the expiration of the first stipulated term.
20. CHANGES TO THE PERSONAL DATA PROCESSING POLICY
The Corporations reserve the right to modify this policy as required for its operation and regulatory compliance. Notwithstanding the foregoing, if there are substantial changes in the content of the Personal Data Processing policy, the latest version will be released through physical or electronic means.
21. VALIDITY
This policy applies as of January 29, 2018. All Personal Data that is stored, used or transmitted will remain in our Database, based on the criteria of temporality and necessity, for as long as necessary for the purposes mentioned in this policy, and the purposes for which they were collected.