Privacy Policy

  1. Legal basis and scope of application

This information treatment policy has been developed in accordance with the legislation applicable to the protection of personal data.

This policy will be applied to all the personal data registered in databases that will undergo treatment by the person responsible for the process.

  2. Definitions
  • Authorization: Prior, explicit and informed consent of the Holder to carry out the treatment of personal data.
  • Database: Organized set of personal data that will be subject to treatment.
  • Personal Data: Any information that is linked or that can be associated with one or more identified or identifiable natural persons.
  • Public Data: Data that is not semi-private, private or sensitive. Public data is considered to be, amongst other things, data related to people’s marital status, their profession or trade, and their status as a merchant or public employee. By its own nature, public data can be contained, amongst other places, in public registries, public documents, official gazettes and bulletins, and duly executed court judgments that aren’t subject to reservation.
  • Sensitive Data: Sensitive data is understood as data that affects the intimacy of its Holder or whose misuse can create discrimination, such as data that reveals ethnic or racial origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations or human rights organizations, or organizations that promote any political party’s interests or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sex life and biometric data.
  • In charge of treatment: Natural or legal person, public or private, that by itself or associated to others, decides about the database and/or about the treatment of the data.
  • Responsible for the treatment: Natural or legal person, public or private, that by itself or associated to others, decides about the database and/or about the treatment of the data.
  • Holder: Natural person whose personal data is subject of treatment.
  • Processing: Any operation or set of operations on personal data, such as collection, storing, use, circulation or suppression.
  • Notice of Privacy: Verbal or written communication created by the person responsible and addressed to the Holder for the treatment of their personal data, through which they are informed about the existence of the information treatment policies that will be applied to them, the way in which to access said policies and the purpose of the treatment that is intended for their personal data.
  • Transfer: The transfer of data takes place when the person responsible and/or the person in charge of treating the personal data, located in Colombia, sends the information or personal data to a recipient that is also responsible for treating it and is located inside or outside of the country.
  • Broadcasting: Treatment of personal data that implies its communication within or outside of the Republic of Colombia territory when its purpose is to carry out the treatment for the person in charge on behalf of the person responsible.

  3. Authorization of treatment policy

The treatment of personal data requires the prior, informed authorization of the Holder. Through the acceptance of the present policy, every Holder that supplies information related to their personal data is consenting to the treatment of their data by Fundación Capital under the terms and conditions contained therein.

The Holder’s authorization will not be necessary when:

  1. Information is required by a public or administrative entity in the exercise of their legal functions or by court order.
  2. The data is of public nature.
  3. In cases of medical or sanitary urgency.
  4. The treatment of information is authorized by law for historic, statistic or scientific purposes.
  5. The data is related to the person’s Civil Status.

  4. The person responsible for the treatment

The person responsible for the treatment of the databases under this policy is Fundación Capital, whose contact information is the following:

  • Administrative office number: +57 1 3847500 Ext 1179, Bogotá, Colombia.

  5. Treatment and purpose of the databases

Fundación Capital, in developing its business activity, carries out the treatment of personal data relative to natural persons that is contained and treated in databases intended for legitimate purposes, abiding by the pertinent legislation.

The following chart (Chart I) shows the different databases that the company handles and the purposes assigned to each of them.

Chart I. Databases and purposes

Database: Purpose

  • Supplier Base: To keep track of the service delivery contracts that the consultants have with the foundation, to be able to follow up on all of them.
  • Human Resources Base (Roster): The purpose of this base is to have possible candidates for future hiring that have already passed through all the filters and ended up second or third in the selection processes.
  • LBM Platform Database: Database of donors and organizations that seek financing / platform for collection of donations for projects.
  • Rural Women Database: An assistance list used to contact people later and for the use of images; information is shared with third parties.
  • Assistance list rural youth database (physical): Used to follow up on the participants’ authorization of images for each event (youth).
  • Mothers or Voluntary Facilitators Database: To have an updated registry of the people that voluntarily support the establishment of a LIST in national territory.
  • Application LIST Users Database: To have an updated registry of the people that have been enabled with LIST via the application.
  • Newsletter Subscribers Database: List of people, with their contact data, that are interested in receiving news from Fundación Capital through any digital media.

  6. Navigation Data

The navigation system and the software necessary to run this website collect some personal data whose transmission is implied in the use of the internet’s communication protocols.

By its own nature, the information gathered could allow the identification of users through its association with third party data even if it hasn’t been obtained for that purpose. This data category includes the IP address or the domain name of the device used by the user to access the website, the URL address, the date and time, and other parameters relative to the user’s operating system.

This data is used with the sole purpose of obtaining anonymous statistical information about the use of the websites or to control their proper technical functioning, and it is canceled immediately after it is verified.

  7. Cookies or Web Bugs

This website does not use cookies or web bugs to collect the user’s personal data; instead, their use is limited to facilitating the user’s access to the website. The use of session cookies, which are not stored permanently on the user’s device and disappear when the browser is closed, is limited solely to gathering technical information to identify the session, with the purpose of facilitating safe and efficient access to the website. If you do not want to allow the use of cookies, you can reject them or delete the existing ones by configuring your browser and disabling JavaScript in your browser’s security settings.

  8. The Holder’s Rights

The data Holders can exercise a series of rights in regards to the treatment of their personal data. These rights can be exercised by the following people.

  1. By the Holder, who will have to sufficiently prove their identity by the different means that the person responsible can provide.
  2. By their legal successors, who will have to demonstrate such a quality.
  3. By the Holder’s representative and/or attorney, with prior accreditation of the representation or power of attorney.
  4. By requirement in favor of another and for another.

The rights of children and adolescents are exercised by the people that are empowered to represent them.

The Holder’s rights are the following:

  • Right to access or consult: The Holder’s right to be informed by the person responsible for the treatment, upon prior request, about the origin, use and purpose that has been given to their personal data.
  • Right to complain and claims. The law distinguishes four types of claims:

- Claim of correction: the Holder’s right to have updated, verified or modified any partial, inexact, incomplete or fractioned data that induces error, or data whose treatment is expressly forbidden or hasn’t been authorized.

- Claim of suppression: the Holder’s right to have suppressed any data that is inadequate, excessive or that doesn’t respect the principles, rights, and legal and constitutional guarantees.

- Claim of repeal: the Holder’s right to leave without effect the authorization previously given for the treatment of their personal data.

- Claim of infringement: the Holder’s right to request that a breach of the data protection regulations be corrected.

  • Right to request proof of the authorization given to the person responsible for the treatment: except when the authorization is expressly exempted as a requirement for the treatment.
  • Right to submit complaints for infractions before the control and surveillance entities: the Holder or legal successors will only be able to raise this complaint once they have exhausted the consultation or claim procedure before the person responsible for the treatment or the person in charge of the treatment.

  9. Attention to data Holders

The channel to answer petitions, consultations and claims where the data Holder can exercise their rights is:

  • Administrative office number: +57 1 3847500 Ext 1179, Bogotá, Colombia.

  10. Procedures to exercise the Holder’s rights

10.1 Right to access or consult

The Holder can consult their personal data free of charge in two cases:

  1. At least once a month.
  2. Each time that there are substantial modifications of the information treatment policies that can motivate new consultations.

For consultations made more than once per calendar month, Fundación Capital can only charge the Holder the costs of sending, reproducing and, where applicable, certifying documents. The costs of reproduction cannot be higher than the costs of recovery of the corresponding material. For this effect, the person responsible must demonstrate the backup of said costs before the pertinent vigilance and control entity, when the entity requires it.

The Holder can exercise the right to access or consult their data through a written request addressed to Fundación Capital, sent to the e-mail address legal@fundacioncapital.org and indicating as subject “Exercise of the right to access or consult”. The request must contain the following information:

  • The Holder’s name and last name.
  • Photocopy of the Holder’s Identification Document and, where necessary, of the person that represents them, as well as the document that accredits said representation.
  • Petition that specifies the request of access or consultation.
  • Address for notifications, date and signature of the applicant.
  • Documents that support the formulated petition, where applicable.

The Holder can choose one of the following ways of consultation from the database to receive the requested information:

  • Visualizing on screen.
  • Written, with a copy or photocopy sent through certified mail or not.
  • E-mail or another electronic medium.
  • Another adequate system to the database setup or to the nature of the treatment, offered by the Fundación Capital.

Once the request is received, Fundación Capital will resolve the petition of consultation within a maximum of ten (10) business days starting from the date the request is received. When it is not possible to answer the consultation within said term, the interested party will be informed of the reasons for the delay and of the date on which their consultation will be answered, which in no case can go over five (5) business days following the expiration of the first term.

Once the consultation process is exhausted, the Holder or legal successors will be able to put forth their complaint before the corresponding vigilance and control entity.

10.2. Right to complaints and claims

The data Holder can exercise their right to complain about their data through a written request addressed to Fundación Capital, sent to the e-mail address legal@fundacioncapital.org and indicating as subject “Exercise of complaints and/or claims”. The request must contain the following information:

  • The Holder’s name and last name.
  • Photocopy of the Holder’s Identification Document and, where necessary, of the person that represents them, as well as the document that accredits said representation.
  • A description of the facts and a petition that specifies the correction, suppression, repeal or infringement request.
  • Address for notifications, date and signature of the applicant.
  • Documents that support the formulated petition, where applicable.

If the claim is incomplete, the interested party will be asked, within the five (5) days following the reception of said claim, to correct the corresponding faults. If two (2) months pass from the date of the requirement without the applicant providing the required information, it will be understood that they have given up on the claim.

Once the complete claim is received, a caption that states “claim in process” and the reason for said claim will be added to the database within a time limit no longer than two (2) days. Said caption must be maintained until the claim is decided.

Fundación Capital will resolve the petition within a maximum of fifteen (15) business days starting from the date the claim was received. When it is not possible to answer the claim within said term, the third party will be informed of the reasons for the delay and of the date on which their claim will be answered, which in no case can go over five (5) business days following the expiration of the first term.

Once the claim process is exhausted, the Holder or legal successors can bring forth their claim before the Superintendency of Industry and Commerce.

  11. Security Measures

Fundación Capital has implemented the technical, human and administrative measures necessary to guarantee the safety of the records, preventing their unauthorized or fraudulent adulteration, loss, consultation, use or access.

Moreover, Fundación Capital, through the subscription of the corresponding transmission contracts, has required the people in charge of the treatment that it works with to implement the safety measures necessary to guarantee the safety and confidentiality of the information in the personal data treatment.

The safety measures implemented by Fundación Capital, which are collected and developed in its Internal Safety Manual, are shown below (Charts II, III, IV and V).

Chart II. Common safety measures for all types of data (public, semiprivate, private, sensitive) and databases (automated, not automated)

Audit

  1. Ordinary audit (internal or external) each year.
  2. Extraordinary audits, where applicable, because of substantial modifications in the information systems.
  3. Report on the detection of deficiencies and proposal of corrections.
  4. Analyses and conclusions of the person responsible for safety and the person responsible for the treatment.
  5. Preservation of the report at the disposal of the authorities.

Management of documents and supports

  1. Measures, such as a paper shredder, that prevent improper access to or recovery of data that has been discarded, erased or destroyed.
  2. Restricted access to the place where the data is stored.
  3. Authorization of the person responsible for the output of documents or supports via physical or electronic medium.
  4. System of labeling or identification of the type of information.
  5. Inventory of the supports in which the databases are stored.

Access control

  1. Users’ access limited to the data necessary for the development of their functions, according to the role they play.
  2. Updated list of users and authorized access.
  3. Written authorization from the Holder of the information for the delivery of their data to third parties, to avoid access to data with rights different from the ones authorized.
  4. Granting, alteration or annulment of permissions by authorized personnel.

Occurrences

  1. Record of occurrences: type of occurrence, time when it happened, sender of the notification, recipient of the notification, effects and corrective measures.
  2. Procedure for the notification and management of occurrences.

Personnel

  1. Definition of the functions and obligations of the users with access to data.
  2. Definition of the functions of control and the authorizations delegated by the person responsible for the treatment.
  3. Disclosure to the personnel of the norms and the consequences of infringement of said norms.

Internal Safety Manual

  1. Elaboration and implementation of the Manual, compliance with which is mandatory for the personnel.
  2. Minimum content: scope of application, safety measures and procedures, personnel functions and obligations, description of the databases, procedure for occurrences, procedure for copies and recovery of data, safety measures for the transportation, destruction and reuse of documents, identification of the people in charge of the treatment.

 

Chart III. Common safety measures for all type of data (public, semiprivate, private, sensitive) according to the type of database

Not automated databases

Archive

  1. Archive of documentation following procedures that guarantee a correct preservation, localization and consultation and exercise of the Holder’s rights.

Storage of documents

  1. Storage devices with mechanisms that prevent access by unauthorized personnel.

Document custody

  1. Duty of diligence and custody of the person in charge of the documents during the revision of the processing of said documents.

Automated databases

Identification and authentication

  1. Personalized identification for users to access the systems of information and verification of their authorization.
  2. Mechanisms of identification and authentication; Passwords: assigning, expiration, and encrypted storage.

Telecommunications

  1. Access to data through secure networks.

 

Chart IV. Safety measures for private data according to the type of database

Automated and not automated databases

Audit

  1. Ordinary audit (internal or external) each year.
  2. Extraordinary audits, where applicable, because of substantial modifications in the information systems.
  3. Report on the detection of deficiencies and proposal of corrections.
  4. Analyses and conclusions of the person responsible for safety and the person responsible for the treatment.
  5. Preservation of the report at the disposal of the authorities.

Person responsible for safety

  1. Appointment of one or several people responsible for safety.
  2. Appointment of one or several people in charge of controlling and coordinating the measures from the Internal Safety Manual.
  3. Prohibition of delegating the responsibility of the person responsible for the treatment onto the person responsible for safety.

Internal Safety Manual

  1. Compliance checks at least once a year, consistency with the annual audit, and personnel training at least once a year.

Automated databases

Document and supports management

  1. Record of entry and exit of documents and supports: date, sender and recipient, number, type of information, way of sending, the person responsible for the reception or delivery.

Access control

  1. Access control to the place or places where the information systems are located.

Identification and authentication

  1. Mechanism that limits the number of repeated unauthorized access attempts.

Occurrences

  1. Record of the data recovery procedures, the person who runs them, the data restored and the data recorded manually.
  2. Authorization of the person responsible for the treatment to run the recovery procedures.

 

Chart V. Safety measure for sensitive data according to the type of database

Not automated databases

Access control

  1. Access only for authorized personnel.
  2. Mechanism of access identification.
  3. Access record of non-authorized users.

Storage of documents

  1. Filing cabinets, lockers and others located in areas of protected access with keys and other measures.

Copy or reproduction

  1. Only for authorized users.
  2. Destruction that prevents the access or recovery of data.

Transport of documentation

  1. Measures that prevent the access to or manipulation of documents.

Automated databases

Management of documents and supports

  1. Confidential labeling system.
  2. Encryption of data.
  3. Encryption of portable devices when taken outside.

Access control

  1. Record of accesses: user, time, database accessed, type of access, record of the person who accesses it.
  2. Control of the record of accesses by the person responsible for safety. Monthly report.
  3. Data preservation: for the period imposed by the law.

Telecommunication

  1. Data transmission through encrypted electronic networks.

  12. Data transfer to third countries

The transfer of personal data to countries that do not provide adequate levels of data protection is prohibited. This prohibition does not apply to:

  • Information for which the Holder has granted their express and unmistakable authorization for the transfer.
  • Exchange of medical data, when it is required by the Holder’s treatment for reasons of health or public hygiene.
  • Bank or stock transfers, according to the applicable legislation.
  • Transfers within the framework of international treaties to which the Republic of Colombia is a party, based on the principle of reciprocity.
  • Transfers necessary to execute a contract between the Holder and the person responsible for the treatment, or to execute pre-contractual measures, provided that the Holder gives their authorization.
  • Legal transfers required to safeguard the public interest, or to recognize, exercise or defend a right in a judicial process.

The international transmissions of personal data that happen between a person responsible and a person in charge, to allow the person in charge to carry out the treatment on behalf of the person responsible, are not required to be informed to the Holder or to have their consent, as long as a contract of personal data transmission exists.

  13. Validity

The databases under the responsibility of Fundación Capital will be subject to treatment for as long as is reasonable and necessary for the purpose for which the data has been collected. Once the purpose or purposes of the treatment are served, and without prejudice to legal norms that provide otherwise, Fundación Capital will proceed to suppress the personal data in its possession, except when a legal or contractual obligation exists that requires its preservation. Because of all this, said database has been created without a definite validity period.

The present manual has been in force since the 1st of August of 2018.
