INTERNAL DOCUMENT OF POLICIES AND PROCEDURES (TREATMENT POLICIES)

Content

  1. Legal basis and scope

  2. Definitions

  3. Authorization of the treatment policy

  4. Treatment Manager

  5. Treatment and purposes of the databases

  6. Rights of the Owners

  7. Attention to Data Holders

  8. Procedures to exercise the rights of the Holder

    1. Right of access or consultation

    2. Rights of complaints and claims

  9. Security measures

  10. Data transfer to third countries

  11. Validity

1. Legal basis and scope

The information processing policy is developed in compliance with articles 15 and 20 of the Political Constitution; articles 17 literal k) and 18 literal f) of Statutory Law 1581 of 2012, which dictates general provisions for the Protection of Personal Data (LEPD); and article 13 of Decree 1377 of 2013, which partially regulates that Law.

This policy will be applicable to all personal data registered in databases that are subject to treatment by the data controller.

2. Definitions

Established in article 3 of Law 1581 of 2012 and in article 3 of Decree 1377 of 2013.

  • Authorization: Prior, express and informed consent of the Holder to carry out the processing of personal data.

  • Privacy notice: Verbal or written communication generated by the person in charge, addressed to the Holder for the processing of their personal data, by means of which they are informed about the existence of the information processing policies that will be applicable to them, how to access them and the purposes of the treatment intended for the personal data.

  • Database: Organized set of personal data that is subject to processing.

  • Personal data: Any information linked or that may be associated with one or more specific or determinable natural persons.

  • Public data: It is the data that is not semi-private, private or sensitive. Public data are considered, among others, data relating to the marital status of people, their profession or trade and their status as merchant or public servant. By their nature, public data may be contained, among others, in public records, public documents, gazettes and official gazettes and duly enforced judicial sentences that are not subject to reservation.

  • Sensitive data: Sensitive data means those that affect the privacy of the Holder or whose improper use can generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social, human rights organizations or those that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.

  • In charge of the treatment: Natural or legal person, public or private, that by itself or in association with others, performs the processing of personal data on behalf of the person responsible for the treatment.

  • Responsible for the treatment: Natural or legal person, public or private, that by itself or in association with others, decides on the database and/or the processing of the data.

  • Owner: Natural person whose personal data is subject to processing.

  • Transfer: The transfer of data takes place when the person responsible for and/or in charge of the processing of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is responsible for the processing and is inside or outside the country.

  • Transmission: Treatment of personal data that implies the communication of the same within or outside the territory of the Republic of Colombia when it is intended to carry out a treatment by the person in charge on behalf of the person responsible.

  • Treatment: Any operation or set of operations on personal data, such as the collection, storage, use, circulation or deletion.

3. Authorization of the treatment policy

According to article 9 of the LEPD, the prior and informed authorization of the Holder is required for the processing of personal data. By accepting this policy, any Owner who provides information regarding their personal data is consenting to the processing of their data by SARAI CLOTHING SA in the terms and conditions contained therein.

The authorization of the Holder will not be necessary in the case of:

  • Information required by a public or administrative entity in the exercise of its legal functions or by court order.

  • Data of a public nature.

  • Cases of medical or sanitary urgency.

  • Treatment of information authorized by law for historical, statistical or scientific purposes.

  • Data related to the Civil Registry of people.

4. Responsible for the treatment

The party responsible for the treatment of the databases covered by this policy is SARAI CLOTHING SA, whose contact details are the following:

5. Treatment and purposes of the databases

SARAI CLOTHING SA, in the development of its business activity, carries out the processing of personal data related to natural persons that are contained and are treated in databases intended for legitimate purposes, complying with the Constitution and the Law.

“Annex 1. Information of Databases” presents the different databases that the company manages, and the information and characteristics of each one of them.

6. Rights of the Owners

In accordance with Article 8 of the LEPD and Articles 21 and 22 of Decree 1377 of 2013, Data Holders may exercise a series of rights in relation to the processing of their personal data. These rights may be exercised by the following persons.

  1. By the Holder, who must prove his identity sufficiently by the different means made available to him by the person in charge.

  2. By their successors, who must prove that status.

  3. By the representative and / or proxy of the Holder, prior accreditation of the representation or empowerment.

  4. By stipulation in favor of another and for another.

The rights of children or adolescents will be exercised by the people who are empowered to represent them.

The rights of the Holder are the following:

  • Right of access or consultation: This is the right of the Holder to be informed by the person in charge of the treatment, upon request, regarding the origin, use and purpose that they have given to their personal data.

  • Rights of complaints and claims: The Law distinguishes four types of claims:

    • Claim for correction: It is the right of the Holder to update, rectify or modify those partial, inaccurate, incomplete, fractionated, error-inducing data, or those whose treatment is expressly prohibited or has not been authorized.

    • Claim for deletion: It is the right of the Holder to delete data that is inappropriate, excessive or does not respect the principles, rights and constitutional and legal guarantees.

    • Revocation claim: It is the right of the Holder to void the authorization previously given for the processing of their personal data.

    • Infringement claim: It is the right of the Holder to request that the breach of the data protection regulations be rectified.

  • Right to request proof of authorization granted to the controller: Except when expressly excepted as a requirement for treatment in accordance with the provisions of article 10 of the LEPD.

  • Right to file complaints for infringements before the Superintendence of Industry and Commerce: The Holder or successor may only raise this complaint once the consultation or claim process has been exhausted before the person responsible for the treatment or the person in charge of the treatment.

7. Attention to Data Holders

The ADMINISTRATIVE AND FINANCIAL COORDINATOR of SARAI CLOTHING SA will be the Data Protection Officer for the attention of requests, queries and claims before which the Data Holder can exercise their rights, in accordance with “Annex 3. Roles and Responsibilities”.

8. Procedures to exercise the rights of the Holder

8.1. Right of access or consultation

According to article 21 of Decree 1377 of 2013, the Holder may consult his personal data for free in two cases:

  1. At least once every calendar month.

  2. Whenever there are substantial changes in the information processing policies that motivate further consultations.

For inquiries whose periodicity is greater than one for each calendar month, SARAI CLOTHING SA may only charge the Holder for shipping, reproduction and, where appropriate, certification of documents. Reproduction costs may not be greater than the recovery costs of the corresponding material. For this purpose, the person in charge must demonstrate to the Superintendence of Industry and Commerce, when it so requires, the support of said expenses.

The Data Holder may exercise the right of access or consultation of their data by means of a letter addressed to SARAI CLOTHING SA, sent by email to PROTECCIONDATOS@PLAYMODEL.COM.CO, indicating in the Subject “Exercise of the right of access or consultation”, or by postal mail sent to CARRERA 52 # 46 68 OFFICE 1704 MEDELLÍN, ANTIOQUIA. The request must contain the following information:

  • Name and surname of the principal.
  • Photocopy of the Certificate of Citizenship of the Holder and, where appropriate, of the person representing him, as well as the document proving such representation.
  • Request that specifies the request for access or consultation.
  • Address for notifications, date and signature of the applicant.
  • Documents accrediting the request made, when applicable.

The Holder may choose one of the following forms of consultation of the database to receive the requested information:

  • On screen display
  • In writing, with copy or photocopy sent by certified mail or not.
  • Fax
  • Email or other electronic means
  • Another system suitable to the configuration of the database or the nature of the treatment, offered by SARAI CLOTHING SA

Once the request is received, SARAI CLOTHING SA will resolve the request for consultation within a maximum period of ten (10) business days from the date of receipt of the request. When it is not possible to attend the query within said term, the interested party will be informed, expressing the reasons for the delay and indicating the date on which his query will be attended, which in no case may exceed five (5) business days following the expiration of the first term. These deadlines are set in article 14 of the LEPD.

Once the consultation process has been exhausted, the Holder or successor may file a complaint with the Superintendence of Industry and Commerce.

8.2. Rights of complaints and claims

The Holder of the data can exercise the rights of claim on their data by writing to SARAI CLOTHING SA, by email sent to PROTECCIONDATOS@PLAYMODEL.COM.CO, indicating in the Subject “Exercise of the right of access or consultation”, or by postal mail sent to CARRERA 52 # 46 68 OFFICE 1704 MEDELLÍN, ANTIOQUIA. The request must contain the following information:

  • Name and surname of the principal.
  • Photocopy of the Certificate of Citizenship of the Holder and, where appropriate, of the person representing him, as well as the document proving such representation.
  • Description of the facts and request in which the request for correction, deletion, revocation or infraction is specified.
  • Address for notifications, date and signature of the applicant.
  • Documents accrediting the request made that they want to enforce, when appropriate.

If the claim is incomplete, the interested party will be required within five (5) days after receipt of the claim to correct the failures. After two (2) months from the date of the request, without the applicant submitting the required information, it will be understood that he has given up the claim.

Once the complete claim is received, a legend that says “claim in process” and the reason for it will be included in the database, in a term not exceeding two (2) business days. This legend must be maintained until the claim is decided.

SARAI CLOTHING SA will resolve the request for consultation within a maximum period of fifteen (15) business days counted from the date of receipt thereof. When it is not possible to respond to the claim within said term, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.

Once the claim process has been exhausted, the Holder or successor may file a complaint with the Superintendence of Industry and Commerce.

9. Security measures

SARAI CLOTHING SA, in order to comply with the security principle enshrined in Article 4 literal g) of the LEPD, has implemented the necessary technical, human and administrative measures to guarantee the security of the records, avoiding their adulteration, loss, consultation, unauthorized or fraudulent use or access.

In addition, SARAI CLOTHING SA, by signing the corresponding transmission contracts, has required those in charge of the treatment with whom it works to implement the necessary security measures to guarantee the security and confidentiality of the information in the treatment of personal information.

The following are the security measures implemented by SARAI CLOTHING SA that are collected and developed in its Internal Security Manual (Tables I, II, III and IV).

TABLE I: Common security measures for all types of data (public, semi-private, private, sensitive) and databases (automated, non-automated)

Document management | Access control | Incidents | Personal | Internal Security Manual
1. Measures that prevent improper access or recovery of data that has been discarded, deleted or destroyed.
2. Restricted access to the place where the data is stored.
3. Authorization of the person responsible for the output of documents or media by physical or electronic means.
4. Labeling system or identification of the type of information.
5. Inventory of supports.
1. Limited user access to the data necessary for the development of its functions.
2. Updated list of authorized users and accesses.
3. Mechanisms to prevent access to data with rights other than those authorized.
4. Granting, alteration or cancellation of permits by authorized personnel
1. Definition of the functions and obligations of users with access to data.
2. Definition of control functions and authorizations delegated by the controller.
1. Preparation and implementation of the Mandatory Compliance Manual for personnel.
2. Minimum content: scope, security measures and procedures, functions and obligations of the personnel, description of the databases, procedure before incidents, procedure of copies and recovery of data, security measures for transport, destruction and reuse of documents, identification of those in charge of the treatment.
3. Disclosure among staff of the rules and the consequences of non-compliance with them.
1. Preparation and implementation of the Mandatory Compliance Manual for personnel.
2. Minimum content: scope, security measures and procedures, functions and obligations of the personnel, description of the databases, procedure before incidents, procedure of copies and recovery of data, security measures for transport, destruction and reuse of documents, identification of those in charge of the treatment.

TABLE II: Common security measures for all types of data (public, semi-private, private, sensitive) according to the type of databases

Non-automated databases

  • Archive:
    1. Documentation file following procedures that guarantee proper conservation, location and consultation and allow the exercise of the rights of the Owners.
  • Document storage:
    1. Storage devices with mechanisms that prevent access to unauthorized persons.
  • Custody of documents:
    1. Duty of diligence and custody of the person in charge of documents during their review or processing.

Automated Databases

  • Identification and authentication:
    1. Personalized identification of users to access information systems and verification of their authorization.
    2. Identification and authentication mechanisms; Passwords: allocation, expiration and encrypted storage.
  • Telecommunications:
    1. Access to data through secure networks.

TABLE III: Security measures for private data according to the type of databases

Automated and non-automated databases

  • Audit:
    1. Ordinary audit (internal or external) every two months.
    2. Extraordinary audit for substantial changes in information systems.
    3. Deficiency detection report and corrections proposal.
    4. Analysis and conclusions of the security officer and the controller.
    5. Retention of the Report available to the authority.
  • Security Manager:
    1. Appointment of one or more security officers.
    2. Appointment of one or more persons in charge of the control and coordination of the measures of the Internal Security Manual.
    3. Prohibition of delegation of responsibility for the person responsible for the treatment to the person responsible for security.
  • Internal Security Manual:
    1. Periodic compliance checks.

Automated Databases

  • Document and media management:
    1. Record of entry and exit of documents and media: date, sender and receiver, number, type of information, method of delivery, responsible for receipt or delivery.
  • Access control:
    1. Control access to the place or places where information systems are located.
  • Identification and authentication:
    1. Mechanism that limits the number of repeated unauthorized access attempts.
  • Incidents:
    1. Record of data recovery procedures, person who executes them, restored data and manually recorded data.
    2. Authorization of the person responsible for the treatment for the execution of the recovery procedures.

TABLE IV: Security measures for sensitive data according to the type of databases

Non-automated databases

  • Access control:
    1. Access only for authorized personnel.
    2. Access identification mechanism.
    3. Registration of unauthorized user access.
  • Document storage:
    1. Filing cabinets, cabinets or others located in access areas protected with keys or other measures.
  • Copy or reproduction:
    1. Only by authorized users.
    2. Destruction that prevents access or recovery of data.
  • Documentation transfer:
    1. Measures that prevent access or manipulation of documents.

Automated Databases

  • Document and media management:
    1. Confidential labeling system.
    2. Data encryption.
    3. Encryption of portable devices when outside.
  • Access control:
    1. Access log: user, time, database accessed, type of access, record accessed.
    2. Control of the access registry by the security officer. Monthly report.
    3. Data retention: 2 years.
  • Telecommunications:
    1. Data transmission through encrypted electronic networks.

10. Transfer of data to third countries

In accordance with Title VIII of the LEPD, the transfer of personal data to countries that do not provide adequate levels of data protection is prohibited. It is understood that a country offers an adequate level of data protection when it meets the standards set by the Superintendence of Industry and Commerce on the subject, which in no case may be lower than those required by this law to its recipients. This prohibition shall not apply in the case of:

  • Information regarding which the Holder has granted his express and unequivocal authorization for the transfer.
  • Exchange of medical data, when required by the Holder's treatment for reasons of health or public hygiene.
  • Bank or stock transfers, in accordance with the applicable legislation.
  • Transfers agreed in the framework of international treaties to which the Republic of Colombia is a party, based on the principle of reciprocity.
  • Transfers necessary for the execution of a contract between the Holder and the person responsible for the treatment, or for the execution of pre-contractual measures as long as the authorization of the Holder is available.
  • Transfers legally required for the safeguarding of the public interest, or for the recognition, exercise or defense of a right in a judicial process.

In cases not considered as an exception, it will be the responsibility of the Superintendence of Industry and Commerce to issue the declaration of conformity regarding the international transfer of personal data. The Superintendent is empowered to request information and to take the steps needed to establish compliance with the prerequisites required for the viability of the operation.

International transmissions of personal data made between a person responsible and a person in charge, to allow the person in charge to carry out the processing on behalf of the person responsible, will not need to be reported to the Holder or have their consent, provided there is a contract for the transmission of personal data.

11. Validity

The databases under the responsibility of SARAI CLOTHING SA will be processed for as long as is reasonable and necessary for the purpose for which the data is collected. Once the purpose or purposes of the treatment have been fulfilled, and without prejudice to legal regulations that provide otherwise, SARAI CLOTHING SA will proceed to the deletion of personal data in its possession unless there is a legal or contractual obligation that requires its conservation. Therefore, this database has been created without a defined period of validity.

“This treatment policy has been in force since 2016-11-01.”

WEB POLICY MANUAL (WEB TREATMENT POLICIES)

Date: 2016-11-01

Content

  • Legal basis and scope
  • Definitions
  • Authorization of the treatment policy
  • Treatment Manager
  • Treatment and purposes of the databases
  • Navigation data
  • Cookies or Web bugs
  • Rights of the Owners
  • Attention to Data Holders
  • Procedures to exercise the rights of the Owner
    1. Right of access or consultation
    2. Rights of complaints and claims
  • Security measures
  • Data transfer to third countries
  • Validity

1. Legal basis and scope

The information treatment policy is developed in compliance with articles 15 and 20 of the Political Constitution; articles 17 literal k) and 18 literal f) of Statutory Law 1581 of 2012, which dictates general provisions for the Protection of Personal Data (LEPD); and article 13 of Decree 1377 of 2013, which partially regulates that Law.

This policy will be applicable to all personal data registered in databases that are subject to treatment by the data controller.

2. Definitions

Established in article 3 of Statutory Law 1581 of 2012 and article 3 of Decree 1377 of 2013.

  • Authorization: Prior, express and informed consent of the Holder to carry out the processing of personal data.
  • Privacy notice: Verbal or written communication generated by the person in charge, addressed to the Holder for the processing of their personal data, by means of which they are informed about the existence of the information processing policies that will be applicable to them, how to access them and the purposes of the treatment intended for the personal data.
  • Database: Organized set of personal data that is subject to processing.
  • Personal data: Any information linked or that can be associated with one or several determined or determinable natural persons.
  • Public data: It is the data that is not semi-private, private or sensitive. Public data are considered, among others, data relating to the marital status of people, their profession or trade and their status as merchant or public servant. By their nature, public data may be contained, among others, in public records, public documents, gazettes and official gazettes and duly enforced judicial sentences that are not subject to reservation.
  • Sensitive data: Sensitive data means those that affect the privacy of the Holder or whose improper use can generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social or human rights organizations, or organizations that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.
  • In charge of the treatment: Natural or legal person, public or private, that by itself or in association with others, performs the processing of personal data on behalf of the person responsible for the treatment.
  • Responsible for the treatment: Natural or legal person, public or private, that by itself or in association with others, decides on the database and/or the processing of the data.
  • Owner: Natural person whose personal data is subject to processing.
  • Transfer: Data transfer takes place when the person responsible for and/or in charge of the processing of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is responsible for the processing and is inside or outside the country.
  • Transmission: Treatment of personal data that implies the communication of the same within or outside the territory of the Republic of Colombia when it is intended to carry out a treatment by the person in charge on behalf of the person responsible.
  • Treatment: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.

3. Authorization of the treatment policy

According to article 9 of the LEPD, the prior and informed authorization of the Holder is required for the processing of personal data. By accepting this policy, any Owner who provides information regarding their personal data is consenting to the processing of their data by SARAI CLOTHING SA in the terms and conditions contained therein.

The authorization of the Holder will not be necessary in the case of:

  • Information required by a public or administrative entity in the exercise of its legal functions or by court order.
  • Data of a public nature.
  • Cases of medical or sanitary urgency.
  • Treatment of information authorized by law for historical, statistical or scientific purposes.
  • Data related to the Civil Registry of people.

4. Responsible for the treatment

The party responsible for the treatment of the databases covered by this policy is SARAI CLOTHING SA, whose contact details are the following:

5. Treatment and purposes of the databases

SARAI CLOTHING SA, in the development of its business activity, carries out the processing of personal data relating to natural persons that are contained and are treated in databases intended for legitimate purposes, complying with the Constitution and the Law.

"Annex 1. Information of Databases" presents the different databases that the company manages, and the information and characteristics of each one of them.

6. Navigation data

The navigation system and the software necessary for the operation of this website collect some personal data, whose transmission has been implicit in the use of Internet communication protocols.

By its very nature, the information collected could allow the identification of users through their association with third-party data even if it is not obtained for that purpose. This category of data includes the IP address or domain name of the equipment used by the user to access the website, the URL, the date and time and other parameters related to the user's operating system.

This data is used for the sole purpose of obtaining anonymous statistical information on the use of the website or controlling its correct technical operation, and is canceled immediately after being verified.

7. Cookies or Web bugs

This website does not use cookies or web bugs to collect personal data of the user; their use is limited to providing the user with access to the website. The use of session cookies, which are not permanently stored on the user's computer and disappear when the browser is closed, is limited to collecting technical information to identify the session in order to facilitate safe and efficient access to the website. If you do not want to allow the use of cookies, you can reject them or delete existing ones by configuring your browser, and by disabling the browser's JavaScript code in the security settings.

8. Rights of the Owners

In accordance with Article 8 of the LEPD and Articles 21 and 22 of Decree 1377 of 2013, Data Holders may exercise a series of rights in relation to the processing of their personal data. These rights may be exercised by the following persons.

  1. By the Holder, who must prove his identity sufficiently by the different means made available to him by the person in charge.
  2. By their successors, who must prove that status.
  3. By the representative and / or proxy of the Holder, prior accreditation of the representation or empowerment.
  4. By stipulation in favor of another and for another.

The rights of children or adolescents will be exercised by the people who are empowered to represent them.

The rights of the Holder are the following:

Right of access or consultation: This is the right of the Holder to be informed by the person responsible for the treatment, upon request, regarding the origin, use and purpose that they have given to their personal data.

Rights of complaints and claims: The Law distinguishes four types of claims:

  • Claim for correction: It is the right of the Holder to update, rectify or modify those partial, inaccurate, incomplete, fractionated or misleading data, or those whose treatment is expressly prohibited or has not been authorized.
  • Claim of deletion: It is the right of the Holder to delete the data that are inadequate, excessive or that do not respect the principles, rights and constitutional and legal guarantees.
  • Revocation claim: It is the right of the Holder to render without effect the authorization previously given for the processing of their personal data.
  • Claim of infringement: It is the right of the Holder to request that the breach of the law regarding Data Protection be corrected.

Right to request proof of authorization granted to the controller: Except when expressly excepted as a requirement for treatment in accordance with the provisions of article 10 of the LEPD.

Right to file complaints for infringements before the Superintendence of Industry and Commerce: The Holder or successor may only raise this complaint once the consultation or claim process has been exhausted before the person responsible for the treatment or the person in charge of the treatment.

9. Attention to Data Holders

The ADMINISTRATIVE AND FINANCIAL COORDINATOR of SARAI CLOTHING SA will be in charge of the attention of requests, queries and claims before which the Data Holder can exercise their rights, in accordance with "Annex 3. Roles and Responsibilities".

10. Procedures to exercise the rights of the Holder

10.1. Right of access or consultation

According to article 21 of Decree 1377 of 2013, the Holder may consult his personal data free of charge in two cases:

  1. At least once every calendar month.
  2. Whenever there are substantial changes in the information processing policies that motivate further consultations.

For inquiries whose periodicity is greater than one for each calendar month, SARAI CLOTHING SA may only charge the Holder for shipping, reproduction and, where appropriate, certification of documents. Reproduction costs may not be greater than the recovery costs of the corresponding material. For this purpose, the person in charge must demonstrate to the Superintendence of Industry and Commerce, when it so requires, the support of said expenses.

The Holder of the data can exercise the right of access or consultation of their data by means of a letter addressed to SARAI CLOTHING SA, sent by email to PROTECCIONDATOS@PLAYMODEL.COM.CO, indicating in the Subject "Exercise of the right of access or consultation", or by postal mail sent to CARRERA 52 # 46 68 OFFICE 1704 MEDELLÍN, ANTIOQUIA. The request must contain the following information:

  • Name and surname of the principal.
  • Photocopy of the Certificate of Citizenship of the Holder and, where appropriate, of the person representing him, as well as the document proving such representation.
  • Request that specifies the request for access or consultation.
  • Address for notifications, date and signature of the applicant.
  • Documents accrediting the request made, when applicable.

The Holder may choose one of the following forms of consultation of the database to receive the requested information:

  • On screen display.
  • In writing, with copy or photocopy sent by certified mail or not.
  • Telecopy.
  • Email or other electronic means.
  • Another system suitable to the configuration of the database or the nature of the treatment, offered by SARAI CLOTHING SA.

Upon receipt of the request, SARAI CLOTHING SA will resolve the request for consultation within a maximum period of ten (10) business days from the date of receipt of the request. When it is not possible to attend the query within said term, the interested party will be informed, stating the reasons for the delay and indicating the date on which their query will be attended, which in no case may exceed five (5) business days following the expiration of the first term. These deadlines are set in article 14 of the LEPD.

Once the consultation process has been exhausted, the Holder or successor may file a complaint with the Superintendence of Industry and Commerce.

10.2. Rights of complaints and claims

The Holder of the data can exercise the rights to claim regarding their data by writing to SARAI CLOTHING SA, by email sent to PROTECCIONDATOS@PLAYMODEL.COM.CO, indicating in the Subject "Exercise of the right of access or consultation", or by postal mail sent to CARRERA 52 # 46 68 OFFICE 1704 MEDELLÍN, ANTIOQUIA. The request must contain the following information:

  • Name and surname of the principal.
  • Photocopy of the Certificate of Citizenship of the Holder and, where appropriate, of the person representing him, as well as the document proving such representation.
  • Description of the facts and request in which the request for correction, deletion, revocation or infringement is specified.
  • Address for notifications, date and signature of the applicant.
  • Documents accrediting the request made that they want to enforce, when appropriate.

If the claim is incomplete, the interested party will be required within five (5) days after receipt of the claim to correct the failures. After two (2) months from the date of the request, without the applicant submitting the required information, it will be understood that he has given up the claim.

Once the complete claim has been received, a legend that says "claim in process" and the reason for it will be included in the database, in a term not exceeding two (2) business days. This legend must be maintained until the claim is decided.

SARAI CLOTHING SA will resolve the request for consultation within a maximum period of fifteen (15) business days from the date of receipt of the same. When it is not possible to address the claim within said term, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.

Once the claim process has been exhausted, the Holder or successor may file a complaint with the Superintendence of Industry and Commerce.

11. Security measures

SARAI CLOTHING SA, in order to comply with the security principle enshrined in Article 4 literal g) of the LEPD, has implemented the necessary technical, human and administrative measures to guarantee the security of the records, avoiding their adulteration, loss, or unauthorized or fraudulent consultation, use or access.

In addition, SARAI CLOTHING SA, by signing the corresponding transmission contracts, has required those in charge of the treatment with whom it works to implement the necessary security measures to guarantee the security and confidentiality of the information in the treatment of personal data.

The following are the security measures implemented by SARAI CLOTHING SA, which are collected and developed in its Internal Security Manual (Tables I, II, III, IV).

TABLE I: Common security measures for all types of data (public, semi-private, private, sensitive) and databases (automated, non-automated)

Document and media management:
  1. Measures that prevent improper access or recovery of data that has been discarded, deleted or destroyed.
  2. Restricted access to the place where the data is stored.
  3. Authorization of the person responsible for the output of documents or media by physical or electronic means.
  4. Labeling system or identification of the type of information.
  5. Inventory of supports.

Access control:
  1. Limited user access to the data necessary for the development of their functions.
  2. Updated list of authorized users and accesses.
  3. Mechanisms to prevent access to data with rights other than those authorized.
  4. Granting, alteration or cancellation of permits by authorized personnel.

Incidents:
  1. Record of incidents: type of incident, moment in which it occurred, issuer of the notification, recipient of the notification, effects and corrective measures.
  2. Procedure for notification and incident management.

Personnel:
  1. Definition of the functions and obligations of users with access to data.
  2. Definition of control functions and authorizations delegated by the controller.
  3. Disclosure among staff of the rules and the consequences of non-compliance with them.

Internal Security Manual:
  1. Preparation and implementation of the Mandatory Compliance Manual for personnel.
  2. Minimum content: scope, security measures and procedures, functions and obligations of the personnel, description of the databases, procedure before incidents, procedure of copies and recovery of data, security measures for transport, destruction and reuse of documents, identification of those in charge of the treatment.

TABLE II: Common security measures for all types of data (public, semi-private, private, sensitive) according to the type of databases

Non-automated databases

Archive:
  1. Documentation file following procedures that guarantee proper conservation, location and consultation and allow the exercise of the rights of the Owners.

Document storage:
  1. Storage devices with mechanisms that prevent access to unauthorized persons.

Custody of documents:
  1. Duty of diligence and custody of the person in charge of documents during their review or processing.

Automated databases

Identification and authentication:
  1. Personalized identification of users to access information systems and verification of their authorization.
  2. Identification and authentication mechanisms; passwords: allocation, expiration and encrypted storage.

Telecommunications:
  1. Access to data through secure networks.

TABLE III: Security measures for private data according to the type of databases

Automated and non-automated databases

Audit:
  1. Ordinary audit (internal or external) every two months.
  2. Extraordinary audit for substantial changes in information systems.
  3. Deficiency detection report and corrections proposal.
  4. Analysis and conclusions of the security officer and the controller.
  5. Retention of the Report available to the authority.

Security Manager:
  1. Appointment of one or more security officers.
  2. Appointment of one or more persons in charge of the control and coordination of the measures of the Internal Security Manual.
  3. Prohibition of delegation of responsibility for the person responsible for the treatment to the person responsible for security.

Internal Security Manual:
  1. Periodic compliance checks.

Automated databases

Document and media management:
  1. Record of entry and exit of documents and media: date, sender and receiver, number, type of information, method of delivery, responsible for receipt or delivery.

Access control:
  1. Control access to the place or places where information systems are located.

Identification and authentication:
  1. Mechanism that limits the number of repeated unauthorized access attempts.

Incidents:
  1. Record of data recovery procedures, person who executes them, restored data and manually recorded data.
  2. Authorization of the person responsible for the treatment for the execution of the recovery procedures.

TABLE IV: Security measures for sensitive data according to the type of databases

Non-automated databases

Access control:
  1. Access only for authorized personnel.
  2. Access identification mechanism.
  3. Registration of unauthorized user access.

Document storage:
  1. Filing cabinets, cabinets or others located in access areas protected with keys or other measures.

Copy or reproduction:
  1. Only by authorized users.
  2. Destruction that prevents access or recovery of data.

Documentation transfer:
  1. Measures that prevent access or manipulation of documents.

Automated databases

Document and media management:
  1. Confidential labeling system.
  2. Data encryption.
  3. Encryption of portable devices when outside.

Access control:
  1. Access log: user, time, database accessed, type of access, record accessed.
  2. Control of the access registry by the security officer. Monthly report.
  3. Data retention: 2 years.

Telecommunications:
  1. Data transmission through encrypted electronic networks.

12. Transfer of data to third countries

In accordance with Title VIII of the LEPD, the transfer of personal data to countries that do not provide adequate levels of data protection is prohibited. It is understood that a country offers an adequate level of data protection when it meets the standards set by the Superintendence of Industry and Commerce on the subject, which in no case may be lower than those required by this law to its recipients. This prohibition shall not apply in the case of:

  • Information regarding which the Holder has granted his express and unequivocal authorization for the transfer.
  • Exchange of medical data, when required by the Holder's treatment for reasons of health or public hygiene.
  • Bank or stock transfers, in accordance with the applicable legislation.
  • Transfers agreed in the framework of international treaties to which the Republic of Colombia is a party, based on the principle of reciprocity.
  • Transfers necessary for the execution of a contract between the Holder and the person responsible for the treatment, or for the execution of pre-contractual measures as long as the authorization of the Holder is available.
  • Transfers legally required for the safeguarding of the public interest, or for the recognition, exercise or defense of a right in a judicial process.

In cases not considered as an exception, it will be the responsibility of the Superintendence of Industry and Commerce to issue the declaration of conformity regarding the international transfer of personal data. The Superintendent is empowered to request information and to take the steps needed to establish compliance with the prerequisites required for the viability of the operation.

The international transmissions of personal data that are made between a controller and a person in charge of the treatment, to allow the person in charge to carry out the processing on behalf of the controller, will not need to be reported to the Holder or have the Holder's consent, provided there is a contract for the transmission of personal data.

13. Validity

The databases under the responsibility of SARAI CLOTHING SA will be subject to processing for as long as is reasonable and necessary for the purpose for which the data is collected. Once the purpose or purposes of the treatment have been fulfilled, and without prejudice to legal regulations that provide otherwise, SARAI CLOTHING SA will proceed to the deletion of personal data in its possession unless there is a legal or contractual obligation that requires its conservation. Therefore, this database has been created without a defined period of validity.

This treatment policy has been in force since 2016-11-01.
