top of page
IMG_0439.JPG

INFORMATION SECURITY AND PERSONAL DATA PROTECTION POLICIES

By means of this document, SUMMER C HOTEL & PLAYGROUND, hereinafter referred to as the HOTEL, identified with NIT 900.225.964-6, is allowed to issue the following policies for the protection of personal databases applied within the company, fully complying with the provisions of Law 1581 of 2012, which regulates the collection and processing of personal data, and establishes the legal guarantees that all individuals in Colombia must comply with for the proper treatment of such information, subject to the following:

 

CONSIDERATIONS

​​

  • In accordance with Law 1581 of 2012, which establishes provisions for the protection of personal data, in accordance with Decree 1074 of 2015 modified by Decree 1759 of 2016, the Data Controllers, private legal entities and mixed economy societies registered in the chambers of commerce of the country, must carry out the aforementioned registration of the management of personal databases, in accordance with the instructions issued by the Superintendence of Industry and Commerce.

  • It is the responsibility of both the directives of THE HOTEL, as well as its employees and third-party contractors, to observe, comply with, and follow the orders and instructions that the company issues regarding personal data whose disclosure or misuse may cause harm to the owners thereof, in compliance with the rights contained in Article 15 of the Political Constitution of Colombia, Law 1581 of 2012, and Law 1273 of 2009. 

  • The regulation of information security policies, particularly regarding labor relations and service provision, must include the protection of personal data related to human resources, respecting the minimum rights and guarantees of employees and service providers, under penalty of the stipulations having no effect. 

  • THE HOTEL will take into account the obligations to protect its employees, so it will focus all efforts and resources as required to protect the personal information of its workers; likewise, the latter, by fulfilling their legal and moral obligation as employees, commit to contributing to the secure management of personal information of any type of labor, legal, or commercial relationship they have with their employer.

  • Legal norms related to personal data establish economic, commercial, and privative sanctions, which is why cooperation between THE HOTEL and the recipients of this norm is fundamental in order to guarantee compliance with the rights to privacy, habeas data, and protection of personal data, thereby avoiding harm to any of the parties and/or third parties.

  • These policies have been specially and exclusively designed by THE HOTEL; therefore, all workers, directors, advisors, administrative personnel, allies, third parties, and other individuals who have any type of exchange of personal data information with it must submit to and collaborate with the full compliance with these information protection policies.

  • Having made the above considerations regarding THE HOTEL's personal data protection policies, the following provisions are proposed for compliance and application, these being mandatory for their recipients.

​

1.DEFINITIONS 

 

In order to have an optimal understanding of the stipulations related to these personal data protection policies, the following terms will be interpreted and understood exactly as defined here, without room for exegesis, dualities, or different understanding:

​

  • OWNER: Owner of the personal information. If it is a minor, the legal representative of the minor is considered the owner.

  • PERSONAL DATA: Any information related to natural persons, personal information such as: Name, surname, telephone number, marital status, identification number, email, address, date of birth, age, nationality.

  • SENSITIVE DATA: Information related to natural persons that affects their privacy or can generate discrimination such as: racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations, data relating to health, sexual life, and biometric data.

  • PUBLIC DATA: Personal information contained in public records, public documents, official bulletins, and judicial judgments not subject to confidentiality, such as marital status, profession or occupation.

  • DATA PROCESSOR: The natural or legal person, public or private authority, who, by himself or in association with others belonging to THE HOTEL, processes personal data on behalf of the controller.

  • DATA CONTROLLER: The natural or legal person, public or private authority, who, by himself or in association with others belonging to THE HOTEL, collects personal data and decides on the purpose, content, and use of the database for its treatment.

  • DATA PROCESSING: Any operation or set of operations and technical procedures, automated or not, that are carried out on personal data, such as collection, recording, storage, retention, use, circulation, modification, blocking, erasure, among others.

​

2.PRINCIPLES

 

In the development, interpretation, and application of Law 1581 of 2012, the following guiding principles shall be applied harmoniously and comprehensively: 

​

  • PURPOSE PRINCIPLE: The processing must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the owner.

  • FREEDOM PRINCIPLE: Processing may only be carried out with the prior, express, and informed consent of the owner. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate relieving consent.

  • TRUTH OR QUALITY PRINCIPLE: Information subject to processing must be truthful, complete, accurate, current, verifiable, and understandable. The processing of partial, incomplete, fragmented data or data leading to error is prohibited.

  • TRANSPARENCY PRINCIPLE: Processing must guarantee the right of the owner to obtain from the controller or the processor, at any time and without restrictions, information about the existence of data concerning him.

  • ACCESS AND RESTRICTED CIRCULATION PRINCIPLE: Processing is subject to the limits derived from the nature of personal data, the provisions of the law, and the Constitution. In this sense, processing may only be carried out by persons authorized by the owner and/or by persons provided for by law.

  • Security principle: Information subject to processing must be handled with the technical, human, and administrative measures necessary to provide security.

  • PRINCIPIO DE CONFIDENCIALIDAD: EL HOTEL está obligado a garantizar la reserva de la información, inclusive después de finalizada su relación con alguna de las labores que comprende el tratamiento, pudiendo sólo realizar suministro o comunicación de datos personales cuando ello corresponda al desarrollo de las actividades autorizadas en la ley.

​

3. DATA PROCESSING:

 

The operations constituting the processing of personal data by THE HOTEL, as responsible or processor thereof, shall be governed by the following parameters

​

3.1 PROCESSING OF PERSONAL INFORMATION 

 

The collection of data from natural persons that THE HOTEL processes in the development of actions related to the community, whether as a result of corporate social responsibility or any other activity, shall be subject to the provisions of this standard. To this end, THE HOTEL will inform and obtain the authorization of the data owners in the documents and instruments it uses for this purpose and related to these activities as follows:

​

  • THE HOTEL processes personal information with the appropriate authorization of the owner, unless it is public personal data, in which case, by express provision of the law, no authorization is required for its processing.

  • THE HOTEL shall communicate, in the authorization request, the destination and purpose to be given to the personal information so that, with the knowledge of the owner, he/she may provide his/her authorization to process the personal information.

  • THE HOTEL processes personal information for as long as necessary to fulfill the purposes of the processing and in any case, until the owner of the personal information indicates it, either in the authorization or in a subsequent document.

  • If THE HOTEL processes personal information through a third party, it shall maintain a valid personal information transmission contract with that third party in order to protect and safeguard such personal information properly and so that the processing of personal information is based on this personal information protection policy and in accordance with Law 1581 of 2012 on the protection of personal data.

​

3.2 SPECIAL PERSONAL INFORMATION PROCESSING

 

THE HOTEL will process sensitive personal information only if the following assumptions are met:

​

  • The owner is informed that, due to being sensitive data, he/she is not obliged to authorize its processing.

  • The owner is explicitly and previously informed about which sensitive data will be subject to processing and the purpose of the processing.

  • Having the proper prior and express authorization of the owner.

​

3.3 PROCESSING OF PERSONAL DATA OF MINORS

​

THE HOTEL will process the personal information of minors only if the following assumptions are met:

​

  • The owner is informed that, due to being sensitive data, he/she is not obliged to authorize its processing.

  • The owner is explicitly and previously informed about which sensitive data will be subject to processing and the purpose of the processing.

  • Having the proper prior and express authorization of the owner.

​

4. SECURITY MEASURES

​​

  • In compliance with the security principle established in Law 1581 of 2012, THE HOTEL will adopt the technical, human, and administrative measures necessary to provide security to the records, avoiding adulteration, loss, consultation, unauthorized or fraudulent use or access.

  • THE HOTEL will adopt measures according to the classification assigned to the data, including high, medium, and low-security measures. This, based on the risk that may arise from the criticality of the Processed Personal Data.

 

Among others, the security measures adopted include, in an illustrative but not exhaustive manner:

​

  • Training its employees regarding Law 1281 of 2012 and verifying that third-party contractors are knowledgeable about the law and apply it.

  • Periodic monitoring of suspicious activities and physical and electronic maintenance of databases.

  • Allowing access to personal data only to authorized personnel.

​

5. AUTHORIZATION FOR THE HANDLING OF PERSONAL DATA

​​

In compliance with the principle of Informed Consent, the data owner has the right to give his/her authorization, by any means that may be subject to subsequent consultation, to process his/her personal data in THE HOTEL. Exceptionally, this authorization will not be required in the following cases:

​

  • When required by a public or administrative entity in compliance with its legal functions, or by court order.

  • When it concerns public data.

  • In cases of medical or health emergency.

  • When it is information processing authorized by law for historical, statistical, or scientific purposes.

  • When it concerns personal data related to the Civil Registry of individuals.

  • In these cases, although the owner's authorization is not required, the other principles and legal provisions regarding the protection of personal data will apply.

​

5.1 MECHANISMS AND FORMS FOR GRANTING AUTHORIZATION

​​

  • The authorization of the information owner will be recorded in each of THE HOTEL's data collection channels and mechanisms. Thus, it may be recorded on a physical, electronic document, or in any other format that allows its subsequent consultation to be guaranteed. The authorization will be issued by the owner prior to the processing of his/her personal data, in accordance with the provisions of Law 1581 of 2012.

  • With the consented authorization procedure, it is guaranteed that the owner of the personal data has been informed, both that his/her personal information will be collected and used for specific and known purposes, and that he/she has the option to know any alteration to them and the specific use that has been made of them. This is to enable the owner to make informed decisions regarding his/her personal data and control the use of his/her personal information.

​

6. OWNER'S RIGHTS TO PERSONAL DATA

​​

The owner of personal data shall have the following rights:

​

  • To know, update, and rectify his/her personal data with THE HOTEL as the data controller. This right may be exercised, among others, with respect to partial, inaccurate, incomplete, fractioned, misleading data, or those whose processing is expressly prohibited or has not been authorized.

  • To request proof of the authorization granted to THE HOTEL, except when expressly exempted as a requirement for processing (cases in which authorization is not necessary).

  • To be informed by THE HOTEL, upon request, regarding the use it has given to his/her personal data.

  • To file complaints with the Superintendence of Industry and Commerce for violations of Law 1581 of 2012 and other regulations that modify, add to, or complement it.

  • To revoke the authorization and/or request the deletion of the data when the processing does not comply with the constitutional and legal principles, rights, and guarantees.

  • To access his/her personal data that have been subject to processing free of charge..

​

6.1 PERSONS AUTHORIZED TO EXERCISE THE RIGHTS OF THE OWNERS

​​

The rights of the owners may be exercised by the following persons:

​

  • By the owner, who must prove his/her identity sufficiently by the various means made available by THE HOTEL.

  • By the owner's successors (in cases where the owner is absent due to death or incapacity), who must prove such status.

  • By the representative and/or attorney-in-fact of the owner, upon accreditation of the representation or corresponding power.

  • By stipulation for the benefit of another or for another.

  • The rights of children and adolescents will be exercised by those authorized to represent them.

​

7. THE HOTEL'S DUTIES

​​

Under this policy of processing and protecting personal data, THE HOTEL's duties are as follows:

​

  • To guarantee the owner, at all times, the full and effective exercise of the right to habeas data.

  • To request and keep a copy of the respective authorization granted by the owner.

  • To duly inform the owner about the purpose of the collection and the rights granted to him/her by virtue of the authorization granted.

  • To keep the information under the necessary security conditions.

  • To rectify the information when it is incorrect and communicate the pertinent.

  • To process the inquiries and claims filed by the owners.

  • To inform the data protection authority when security codes are violated and there are risks in the management of the owners' information.

  • To comply with the requirements and instructions issued by the Superintendence of Industry and Commerce on the subject in particular.

  • To inform, upon request of the owner, about the use given to his/her data.

  • To ensure that the information is truthful, complete, accurate, updated, verifiable, and understandable.

  • To update the information, thus attending to all the news regarding the owner's data.

  • To respect the security and privacy conditions of the owner's information.

  • To use only data whose processing has been previously authorized in accordance with the provisions of Law 1581 of 2012.

​

8. PROCEDURES FOR THE HOTEL

​​

  • THE HOTEL will adopt appropriate and sufficient technical and administrative measures that allow for the care and preservation of the personal data of the owners.

  • Likewise, the implementation of these measures will allow for the conservation of the authorization granted by the owners of the personal data for their processing.

  • THE HOTEL will adopt all mechanisms to maintain the confidentiality of the information and will refrain from using the information for purposes other than those expressly authorized by the owner.

​

9. PROCEDURE FOR THE USE OF INFORMATION

​​

  • In the event that third parties outside of THE HOTEL require validation, rectification, or confirmation of information corresponding to the personal data of the owners contained in THE HOTEL's databases, the prior and express authorization of the owner will be required for the provision of the information to operate the transfer.

  • THE HOTEL will refrain from using the information provided by the owners for marketing purposes other than its specific programs and services.

​

10. PROCEDURE FOR ATTENDING CONSULTATIONS

​​

  • Owners may request from THE HOTEL the consultation of their personal data. This request must be made in writing addressed to the email address sales@hotelsummerc.com specifying the type of data to be consulted, name, surname, ID number, telephone, and email address to which the corresponding information will be sent.

  • THE HOTEL will send the consulted information to the owner, which will consist of the list of all the information related to the identification of the owner in the database. The consultation will be handled within a maximum term of fifteen (15) business days, counted from the day following the date of receipt of the same. When it is not possible to attend the consultation within said term, the interested party will be informed, stating the reasons for the delay and indicating the date on which his/her consultation will be attended, which in no case may exceed eight (8) business days following the expiration of the first term.

​

11. PROCEDURE FOR DELETION, MODIFICATION, CORRECTION, OR UPDATE OF PERSONAL DATA

​​

Owners may at any time request THE HOTEL to delete, correct, or update their personal data and/or revoke the authorization granted for their processing, by submitting a claim in the following manner:

​

  • The claim will be formulated through communication addressed to the email address: sales@hotelsummerc.com with the identification of the owner, the description of the facts giving rise to the request, the address, and accompanied by the documents supporting the request, if applicable.

  • If the claim is incomplete, THE HOTEL will require the owner within five (5) business days following the receipt of the request to correct the flaws. Two (2) months after the date of the requirement have elapsed without the owner providing the required information, it will be understood that he/she has waived the claim.

  • Once the complete claim is received, a legend stating "claim in process" and the reason for it will be included in the database, an activity that must be carried out within a maximum term of two (2) business days. This legend must be maintained until the claim is decided.

  • The maximum term for handling the claim will be fifteen (15) business days counted from the day following the date of its receipt. When it is not possible to attend to the claim within said term, the interested party will be informed of the reasons for the delay and the date on which his/her claim will be attended, which in no case may exceed eight (8) business days following the expiration of the first term.

​

12. COMPLAINTS

​​

In accordance with Law 1581 of 2012, article 16, The owner may file a complaint with the Superintendence of Industry and Commerce - Delegate for the Protection of Personal Data, Carrera 13 No. 27 - 00, PBX (57 1) 587 00 00, Contact center: (57 1) 592 04 00 Bogotá, under the following assumptions:

​

  • When THE HOTEL has not responded within the times indicated in the consultation and claim sections.

  • When THE HOTEL has not provided a satisfactory response to the owner within the consultation and claim procedures.

​

13. RESPONSIBLE AND IN CHARGE OF THE MANAGEMENT OF PERSONAL DATABASES

​​

  • RESPONSIBLE: The person responsible for the processing of personal information to which THE HOTEL has access will be Daniel Ávila identified with citizenship ID 1.020.814.695 performing the position of Director, and he is the one to whom requests, consultations, and claims can be addressed.

  • IN CHARGE: The person in charge of the processing of personal information to which THE HOTEL has access will be Daniel Ávila identified with citizenship ID 1.020.814.695 performing the position of Director, who for the purposes of this policy will have the obligation to communicate within the respective authorization request and maintain permanent communication between the data owner and the company.

​

14. TEMPORALITY OF PERSONAL DATA PROCESSING

  • The information provided by customers and users will be stored for a period of (2) years counted from the date of the last treatment, to allow the fulfillment of legal and/or contractual obligations especially in accounting, fiscal, and tax matters.

​

​

​

bottom of page