PERSONAL DATA PRIVACY POLICY
A FONDO VIAJES Y TURISMO S.A.S.
1. LEGAL FRAMEWORK AND SCOPE OF APPLICATION: This Personal Data Treatment Policy is written in accordance with the provisions of the Colombian Constitution, Law 1581 of 2012, Regulatory Decree 1377 of 2013, and other complementary regulations. It shall be applied by A FONDO VIAJES Y TURISMO S.A.S. regarding the collection, storage, use, circulation, deletion, and all activities constituting personal data processing.
2. DEFINITIONS: For the execution of this policy and in accordance with the law, the following definitions shall apply:
a) Authorization: Prior, express, and informed consent from the Data Subject for the processing of personal data;
b) Database: Organized collection of personal data subject to processing;
c) Personal Data: Any information linked to one or more identified or identifiable natural persons;
d) Public Data: Data classified as such according to legal mandates or the Political Constitution, and those not semi-private, private, or sensitive; Public data includes, among others, information regarding the marital status of individuals, their profession or occupation, their status as traders or public servers, and those that can be obtained without any reservation. By their nature, public data may be found, among other places, in public records, public documents, gazettes, and official bulletins.
e) Private Data: Data of an intimate or reserved nature relevant only to the Data Subject;
f) Sensitive Data: Data affecting the privacy of the Data Subject or whose misuse could lead to discrimination, such as racial or ethnic origin, political opinions, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations, or data concerning health, sexual life, and biometric data;
g) Data Processor: Natural or legal person, public or private, who performs personal data processing on behalf of the Data Controller;
h) Data Controller: Natural or legal person, public or private, who alone or jointly with others decides on the database and/or the processing of data;
i) Data Subject: Natural person whose personal data is processed;
j) Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.
3. PURPOSE OF PERSONAL DATA COLLECTION AND PROCESSING: A FONDO VIAJES Y TURISMO S.A.S. may use personal data for: a) Executing existing contractual relationships with clients, operators, suppliers, and employees, including payment of contractual obligations; b) Providing services and/or products requested by clients; c) Notifying about new products or services and/or changes thereto; d) Evaluating service quality; e) Conducting internal studies on consumption habits; f) Sending commercial, advertising, or promotional information via physical mail, email, SMS/MMS, or any other analog or digital means, regarding commercial or non-commercial products/services, events, or promotions, for purposes of promoting, inviting, directing, executing, informing, and generally conducting commercial or advertising campaigns or contests, conducted by A FONDO VIAJES Y TURISMO S.A.S. and/or third parties; g) Conducting selection, evaluation, and hiring processes; h) Supporting internal or external audit processes; i) Registering information of employees and/or retirees (active and inactive) in the databases of A FONDO VIAJES Y TURISMO S.A.S.; j) Sharing, transferring, sending, or delivering personal data to affiliated, linked, allied, or subsidiary companies of A FONDO VIAJES Y TURISMO S.A.S. located in Colombia or any other country, if such companies require information for the aforementioned purposes. In each case, these purposes shall be disclosed to the Data Subjects beforehand through a PRIVACY NOTICE outlining clearly the data processing and whether it will be shared with third parties for commercial and market purposes as communicated and informed beforehand.
Regarding data (i) collected directly at security points, (ii) taken from documents provided by individuals to security personnel, and (iii) obtained from video recordings made within or outside the premises of A FONDO VIAJES Y TURISMO S.A.S., these shall be used for purposes of security of persons, property, and facilities of A FONDO VIAJES Y TURISMO S.A.S. and may be used as evidence in any type of legal process.
If personal data is provided, such information will be used solely for the purposes stated herein, and thus, A FONDO VIAJES Y TURISMO S.A.S. will not sell, license, transmit, or disclose it, except where: (i) express authorization exists to do so; (ii) it is necessary to allow contractors or agents to provide the services entrusted; (iii) it is necessary to provide our services and/or products; (iv) it is necessary to disclose it to entities providing marketing services on behalf of A FONDO VIAJES Y TURISMO S.A.S. or to other entities with which joint marketing agreements exist; (v) the information is related to a merger, consolidation, acquisition, divestiture, or other corporate restructuring process; (vi) it is required or permitted by law.
A FONDO VIAJES Y TURISMO S.A.S. may subcontract third parties for the processing of certain functions or information. When personal information processing is subcontracted to third parties or personal information is provided to third-party service providers, A FONDO VIAJES Y TURISMO S.A.S. informs such third parties of the need to protect such personal information with appropriate security measures, prohibit the use of the information for their own purposes, and requests that the personal information is not disclosed to others.
4. PRINCIPLES APPLICABLE TO PERSONAL DATA PROCESSING: The processing of personal data at A FONDO VIAJES Y TURISMO S.A.S. shall be governed by the following principles: a) Purpose Principle: The processing of collected personal data must be for a legitimate purpose, which must be informed to the Data Subject; b) Freedom Principle: Processing can only be carried out with the prior, express, and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, except as required by legal or judicial mandate relieving the need for consent; c) Truthfulness or Quality Principle: Information subject to processing must be truthful, complete, accurate, current, verifiable, and understandable. Partial, incomplete, fragmented, or misleading data shall not be processed; d) Transparency Principle: Data Subjects have the right to obtain information from A FONDO VIAJES Y TURISMO S.A.S. at any time and without restrictions, regarding the existence of data concerning them; e) Access and Restricted Circulation Principle: Processing is subject to limits arising from the nature of personal data, legal and constitutional provisions regulating the matter. Personal data, except for public information and as stipulated in the authorization granted by the data subject, may not be available on the Internet or other mass communication media, unless access is technically controllable to provide restricted knowledge only to Data Subjects or authorized third parties; f) Security Principle: Information processed by A FONDO VIAJES Y TURISMO S.A.S. must be protected using technical, human, and administrative measures necessary to provide security to records, preventing their alteration, loss, consultation, unauthorized use, or fraudulent access; g) Confidentiality Principle: All persons involved in the processing of personal data are obliged to ensure the confidentiality of the information, even after their relationship with any of the tasks comprising the processing has ended.
5. RIGHTS OF DATA SUBJECTS WHOSE PERSONAL DATA IS PROCESSED BY A FONDO VIAJES Y TURISMO S.A.S.: Data Subjects have the following rights: a) Right to know, update, and rectify their personal data: Right to request A FONDO VIAJES Y TURISMO S.A.S. to update or rectify their data. This right may be exercised, among others, concerning partial, inaccurate, incomplete, fragmented, misleading data, or data whose processing is expressly prohibited or has not been authorized; b) Right to access their personal data that has been processed, free of charge; c) Right to request proof of authorization, except in cases where, according to current legal norms, authorization is not required to perform the processing; d) Right to be informed about the use of personal data; e) Right to file complaints with the Superintendence of Industry and Commerce for violations of the current regulations on personal data processing; f) Right to revoke authorization and/or request the deletion of data when processing does not comply with constitutional and legal principles, rights, and guarantees. Revocation and/or deletion shall proceed when the Superintendence of Industry and Commerce determines that A FONDO VIAJES Y TURISMO S.A.S. has engaged in conduct contrary to this law and the Constitution. FIRST PARAGRAPH: For the exercise of the aforementioned rights, both the Data Subject and the person representing them must demonstrate their identity and, if applicable, the capacity under which they represent the Data Subject. SECOND PARAGRAPH: The rights of minors shall be exercised by individuals authorized to represent them.
6. DUTIES OF A FONDO VIAJES Y TURISMO S.A.S.: All obligated to comply with this policy must bear in mind that A FONDO VIAJES Y TURISMO S.A.S. is obligated to fulfill the duties imposed by law. Consequently, the following obligations must be met: A. Duties when acting as Data Controller: (i) Request and retain, under the conditions set forth in this policy, a copy of the respective authorization granted by the Data Subject. (ii) Clearly and sufficiently inform the Data Subject about the purpose of data collection and the rights granted by the authorization. (iii) Inform, upon request of the Data Subject, about the use given to their personal data. (iv) Handle inquiries and complaints in the terms indicated in this policy. (v) Ensure that the principles of truthfulness, quality, security, and confidentiality are maintained as established in this policy. (vi) Take precautions to protect the security of the records, preventing their alteration, loss, consultation, unauthorized or fraudulent use, or access. (vii) Update data promptly, taking into account the provisions in this policy. (viii) Rectify information when required, in the terms established by law and this policy. (ix) Inform the Personal Data Protection Officer when certain information is under discussion by the Data Subject, once the respective claim has been submitted and the procedure to resolve it has not been completed. B. Duties when acting as Data Processor: If you process data on behalf of another entity or organization (the Data Controller), you must fulfill the following duties: (i) Ensure that the Data Controller is authorized to provide the personal data that you will process as the Data Processor. (ii) Guarantee the Data Subject’s full and effective exercise of their data protection rights at all times. (iii) Maintain the information under the necessary security conditions to prevent its alteration, loss, consultation, unauthorized use, or fraudulent access. (iv) Timely update, rectify, or delete data as required. (v) Update the information reported by the Data Controllers within five (5) business days from receipt. (vi) Address inquiries and complaints from Data Subjects as specified in this policy. (vii) Record the legend “claim in process” in the database in the manner established by this policy.(viii) Insert the legend “information under judicial review” in the database once notified by the competent authority about judicial proceedings related to the quality of the personal data. (ix) Refrain from circulating information that is under dispute by the Data Subject and whose blocking has been ordered by the Superintendency of Industry and Commerce. (x) Allow access to information only to individuals authorized by the Data Subject or as permitted by law. (xi) Inform the Superintendency of Industry and Commerce when there are security breaches and risks in the management of Data Subjects’ information. (xii) Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce. Top of Form
Bottom of Form
C. Duties when processing data through the Data Processor Processor: (i) Provide the Data Processor with only the personal data for which processing has been previously authorized. For the purposes of national or international data transfer, a data transfer agreement or contractual clauses must be executed as established in Article 25 of Decree 1377 of 2013. (ii) Ensure that the information provided to the Processor is truthful, complete, accurate, updated, verifiable, and comprehensible.(iii) Timely communicate to the Processor any updates regarding the data previously provided and take other necessary measures to keep the information provided to the Processor updated. (iv) Promptly inform the Processor of any corrections made to the personal data so that the Processor can make the necessary adjustments. (v) Require the Data Processor to always respect the security and privacy conditions of the data subject’s information. (vi) Notify the Data Processor when certain information is under dispute by the data subject, once a complaint has been filed and the respective process has not been concluded. D. Duties regarding the Superintendence of Industry and Commerce: (i) Inform the Superintendence of any potential breaches of security codes and the existence of risks in the management of the data subject’s information. (ii) Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
7. REQUEST FOR AUTHORIZATION FROM THE DATA SUBJECT: Prior to and/or at the time of collecting the personal data, A FONDO VIAJES Y TURISMO S.A.S. will seek the data subject’s authorization for the collection and processing of their data. This request will specify the purpose for which the data is being collected, using automated technical means, written documents, or oral communications that provide proof of the authorization and/or the unequivocal conduct described in Article 7 of Decree 1377 of 2013. Such authorization will be requested for a period that is reasonable and necessary to meet the needs that led to the data request, and in all cases, in compliance with the legal provisions governing the matter.
8. TEMPORARY LIMITATIONS ON THE PROCESSING OF PERSONAL DATA: A FONDO VIAJES Y TURISMO S.A.S. may only collect, store, use, or circulate personal data for a period that is reasonable and necessary, based on the purposes that justified the processing. This must be in accordance with applicable regulations and the administrative, accounting, fiscal, legal, and historical aspects of the information. Once the purpose(s) of the processing have been fulfilled, and unless otherwise required by legal provisions, A FONDO VIAJES Y TURISMO S.A.S. will proceed to delete the personal data in its possession. However, notwithstanding the above, personal data must be retained when required for compliance with a legal or contractual obligation.
9. CASES WHERE AUTHORIZATION FROM THE DATA SUBJECT IS NOT REQUIRED: Authorization from the data subject is not required in the following cases: a) Information requested by a public or administrative entity in the exercise of its legal functions or by court order; b) Data of a public nature; c) Medical or health emergency situations; d) Processing of information authorized by law for historical, statistical, or scientific purposes; e) Data related to the Civil Registry of Persons.
10. RESPONSIBLE AREA AND PROCEDURE FOR THE DATA SUBJECTS TO EXERCISE THEIR RIGHTS: The Marketing Coordinator of A FONDO VIAJES Y TURISMO S.A.S. will be responsible for addressing requests, complaints, and claims submitted by the data subject in the exercise of the rights outlined in Section 5 of this policy. For this purpose, the data subject or their representative may submit their request, complaint, or claim from Monday to Friday, between 8:00 a.m. and 5:00 p.m., via email at info@afondo.com.co, by calling A FONDO VIAJES Y TURISMO S.A.S. at Medellín, phone number (604) 3220889, or by delivering it to the following address: OFFICE ADDRESS: Cra. 43 A # 16 A sur – 38, Edificio Danzas, Office 1508.
The request, complaint, or claim must include the identification of the data subject, a description of the facts giving rise to the claim, the address, and any supporting documents intended to be used. If the claim is incomplete, the interested party will be requested within five (5) days of receipt of the claim to rectify the deficiencies. If the requested information is not provided within two (2) months from the date of the request, it will be deemed that the claimant has withdrawn the claim. If the recipient of the claim is not competent to resolve it, the claim will be forwarded to the appropriate party within a maximum of two (2) business days, and the interested party will be informed of the situation. Once the complete claim is received, a note stating “claim in process” and the reason for the claim will be added to the database within no more than two (2) business days. This note must remain until the claim is resolved. The maximum term to address the claim will be fifteen (15) business days from the day following the date of receipt. If it is not possible to address the claim within this term, the interested party will be informed of the reasons for the delay and the date by which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the initial term.
11. DATA COLLECTED PRIOR TO THE ENACTMENT OF DECREE 1377 OF 2013: In accordance with the provisions of Section 3 of Article 10 of Regulatory Decree 1377 of 2013, A FONDO VIAJES Y TURISMO S.A.S. will proceed to send an email to its clients and employees, and publish a notice on its intranet directed to data subjects, to inform them of this data processing policy and the manner in which they may exercise their rights as data subjects whose personal data is held in the databases of A FONDO VIAJES Y TURISMO S.A.S.
ADDRESS: Cra. 43 A # 16 A sur – 38, Edificio Danzas, Office 1508.
MUNICIPALITY – DEPARTMENT: Medellín – Antioquia
12. SECURITY MEASURES: In accordance with the principle of security established by Law 1581 of 2012, A FONDO VIAJES Y TURISMO S.A.S. will implement the technical, human, and administrative measures necessary to ensure the security of records, preventing their alteration, loss, consultation, use, or unauthorized or fraudulent access. Personnel involved in the processing of personal data will follow established protocols to ensure the security of the information.
13. EFFECTIVE DATE: This Personal Data Policy shall become effective as of March 7, 2024. Any changes to this policy will be communicated through the following electronic address: https://viajarafondo.com/
