Data protection policy

Introduction

The purpose of this manual is compliance with the legal, constitutional and jurisprudential provisions concerning the development of the constitutional right that all people have to know, update and rectify the information that has been collected about them in databases or files related to article 15 of the Political Constitution, as well as the right to information enshrined in article 20 of the same.


Law 1581 of 2012 developed “the constitutional right that all people have to know, update and rectify the information that has been collected about them in databases or files, and the other rights, freedoms and constitutional guarantees referred to in article 15 of the Political Constitution; as well as the right to information enshrined in article 20 of the same.” This constitutional right, known as habeas data, gives citizens the possibility of deciding and controlling the information that others have about them and, in that order of ideas, Law 1581 of 2012 establishes mechanisms and guarantees that allow the full exercise of the aforementioned right.


In compliance with the provisions of Law 1581 of 2012, CALIENTE TOURS S.A.S., as responsible for the processing of personal data and sensitive personal data of its affiliates, providers, suppliers and collaborators, has adopted the following Information Processing Policies, to guarantee that the processing of personal data and sensitive personal data complies with current legal provisions.


In summary, this manual establishes the policies and procedures through which the owner of personal data can exercise their rights related to the processing of their data and, in turn, the treatment that the controller must give to third-party data, as well as the mechanisms to enforce compliance with the duties of the controller. Likewise, some definitions are given regarding terms necessary for the correct application of the aforementioned policies, along with the principles on which the collection and processing of personal data is based


Purpose

To regulate the policies and procedures applicable to the handling of personal data information by CALIENTE TOURS S.A.S., in accordance with the provisions contained in Law 1581 of 2012 and Decree 1377 of 2013.


Data Processing Controllers – CALIENTE TOURS S.A.S.

CALIENTE TOURS S.A.S. is responsible for the processing of personal data and sensitive personal data of its affiliates, service providers, suppliers, and collaborators, over which it decides directly and autonomously.


Scope

This manual applies to the personal data of natural persons registered in databases related to Employees, Potential Employees, Former Employees, Shareholders, Suppliers, Potential Suppliers, Clients, and Users (where applicable) of CALIENTE TOURS S.A.S., which may be subject to processing. It shall apply to personal data collected and managed by CALIENTE TOURS S.A.S. If, in the future, other legal entities become part of CALIENTE TOURS S.A.S., this manual shall also apply to them.


This manual shall not apply to:

  • a. Data for exclusively personal or domestic use.
  • b. Data intended for national security and defense purposes, as well as for the prevention, detection, monitoring, and control of money laundering and terrorism financing.
  • c. Data containing intelligence and counterintelligence information of the State.
  • d. Databases and files regulated by Statutory Law 1266 of 2008.
  • e. Databases and files regulated by Law 79 of 1993.

Definitions

For the application of the rules and procedures established in this manual, and in accordance with the provisions of Article 3 of Statutory Law 1581 of 2012, the following definitions shall apply:

  • a. Authorization: Prior, express, and informed consent granted by the Data Subject for the processing of personal data.
  • b. Database: An organized set of personal data subject to processing.
  • c. Privacy Notice: A physical, electronic, or any other format document generated by the Data Controller and made available to the Data Subject for the processing of their personal data. Through this notice, the Data Subject is informed about the existence of the policies applicable to the processing of their personal data, how to access them, and the characteristics of such processing.
  • d. Personal Data: Any information linked to or that may be associated with one or more identified or identifiable natural persons, such as first and last name, identification document, age, address, region, country, city, postal code, landline number, mobile phone number, address, email address, advertising preferences, consumption preferences, channel preferences, complaints and claims, service updates, basic and personal data, contact data, demographic data, tastes, preferences, and habits.
  • e. Sensitive Data: Sensitive data refers to data that affects the privacy of the Data Subject or whose improper use may lead to discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in trade unions, social organizations, human rights organizations, or organizations promoting the interests of any political party or guaranteeing the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.
  • f. Data Processor: A natural or legal person, public or private, who by itself or in association with others processes personal data on behalf of the Data Controller.
  • g. Data Controller: A natural or legal person, public or private, who by itself or in association with others decides on the database and/or the processing of the data.
  • h. Data Subject: A natural person whose personal data is subject to processing.
  • i. Processing: Any operation or set of operations performed on personal data, such as collection, storage, use, circulation, or deletion of data, using any known or future technology.

Principles

The principles set forth below constitute the general parameters through which the provisions established in this manual regarding the personal data of individuals subject to data processing shall be applied:

  • a. Purpose Principle: The processing of personal data by CALIENTE TOURS S.A.S. must comply with a legitimate purpose, which must be informed to the Data Subject.
  • b. Freedom Principle: The processing of personal data may only be carried out with the prior, express, and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that waives consent.
  • c. Truthfulness or Quality Principle: The information subject to processing must be truthful, complete, accurate, updated, verifiable, and understandable. The processing of partial, incomplete, fragmented, or misleading data is prohibited.
  • d. Transparency Principle: In data processing, the right of the Data Subject to obtain from CALIENTE TOURS S.A.S., at any time and without restrictions, information regarding the existence of data concerning them must be guaranteed.
  • e. Restricted Access and Circulation Principle: Personal data, except for public information, may not be made available on the Internet or other mass communication or disclosure media, unless access is technically controllable to provide restricted knowledge only to Data Subjects or authorized third parties.
  • f. Security Principle: The information subject to processing by CALIENTE TOURS S.A.S. must be handled with the technical, human, and administrative measures necessary to ensure the security of records, preventing their alteration, loss, consultation, unauthorized or fraudulent use, or access.
  • g. Confidentiality Principle: All persons involved in the processing of personal data that is not public in nature are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the activities comprising the processing.

Processing to Which Data Will Be Subject and Purpose of the Processing

Processing refers to any operation or set of operations performed on personal data, such as collection, storage, use, circulation, or deletion. The information collected by CALIENTE TOURS S.A.S. in the provision of its services and, in general, in the development of its corporate purpose, is mainly used to identify, maintain records, and control Employees, Potential Employees, Former Employees, Shareholders, Suppliers, Potential Suppliers, Clients, and Users of CALIENTE TOURS S.A.S.

General Information Processing Activities:

  • • Process
  • • Confirm
  • • Fulfill
  • • Provide services and/or products acquired directly or with the participation of third parties
  • • Promote and advertise our activities, products, and services
  • • Carry out transactions
  • • Submit reports to various national administrative control and surveillance authorities, police or judicial authorities, financial institutions, and/or insurance companies
  • • Internal administrative and/or commercial purposes such as: market research, audits, accounting reports, statistical analysis, or billing
  • • Collection
  • • Storage
  • • Recording
  • • Use
  • • Circulation
  • • Processing
  • • Deletion
  • • Transmission and/or transfer of the provided data to foreign countries for the execution of activities related to the acquired services and products
  • • Accounting records
  • • Correspondence
  • • Carry out transactions
  • • Fraud identification and prevention of money laundering and other criminal activities

General Processing of Shareholders' Information:

  • • Dividend payments.
  • • Compliance with judicial decisions and administrative and legal provisions.
  • • Contacts.
  • • Compliance with judicial decisions and administrative, legal, tax, and regulatory provisions.

General Processing of Suppliers' Information:

  • • For commercial purposes.
  • • Accounting purposes.
  • • Compliance with judicial decisions and administrative, legal, tax, and regulatory provisions.
  • • Compliance with contractual obligations, for which the information may be transferred to third parties such as financial institutions, notary offices, OFAC and terrorism watchlists, lawyers, etc.
  • • To carry out the processes in which suppliers are involved.
  • • Any other use authorized in writing by the supplier for the use of their information.
  • • Transmission of information and personal data during audit processes.

General Processing of Clients' Information:

  • • For commercial purposes.
  • • Offering goods and services.
  • • Advertising and marketing.
  • • Commercial partnerships.
  • • Accounting purposes.
  • • Compliance with contractual obligations, for which the information may be transferred to third parties such as financial institutions, notary offices, OFAC and terrorism watchlists, lawyers, etc.
  • • Compliance with judicial decisions and administrative, legal, tax, and regulatory provisions.
  • • Transmission of information and personal data during audit processes.
  • • Billing.

General Processing of Information for employees, retired workers, pensioners, and job candidates:

  • • For purposes relevant to the employment relationship (Health Insurance, Occupational Risk Insurance, pension and severance funds, family compensation funds, etc.)
  • • In the case of employees, the signing of the employment contract constitutes express authorization for the Processing of information.
  • • In the case of judicial and legal requirements.
  • • Payroll accounting and payment.
  • • Recruitment and selection of personnel to fill vacancies.
  • • Process, confirm, and comply with legal and extra-legal labor obligations derived from the employment contract.
  • • Carry out transactions.
  • • Payment of extra-legal benefits.
  • • Audits.
  • • Statistical analysis.
  • • Maintain a database of candidates.
  • • Training and education.
  • • Share personal data with banking entities, companies that offer benefits to our active workers, among others.

Authorization.

The collection, storage, consultation, use, exchange, transmission, transfer, and processing of personal data requires the free, express, and informed consent of the Data Subject. Based on the above and through this manual, mechanisms are implemented to allow subsequent consultation by the data subject.

Mechanisms for Granting Authorization.

The authorization by the data subject may be contained in a physical or electronic document, or any other format that allows for a reasonable conclusion that the Data Subject granted authorization.

In view of the above, CALIENTE TOURS S.A.S. states that authorization will, in all cases, be provided through a physical and/or digital document, which must include the signature of the Data Subject. This does not preclude the later establishment of different mechanisms for granting authorization.

CALIENTE TOURS S.A.S. will ensure respect for and compliance with the fundamental rights of children and adolescents, observing the special requirements established for the processing of their personal data and sensitive personal data.

Through the authorization, the Data Subject or their representative (in the case of infants, children, and adolescents) will be informed that the information will be collected, including the purpose, modifications, storage, and the specific use that will be given to it, as well as:

  • • The person collecting the information (specifying whether they are the Controller or the Processor).
  • • The data that will be collected, including whether Sensitive Data is being collected.
  • • The purpose of the data processing.
  • • The mechanisms through which they can exercise their rights as Data Subjects (access, correction, updating, or deletion of data).

Proof of Authorization.

CALIENTE TOURS S.A.S., in its capacity as Controller and Processor, will have the necessary means to maintain technical and technological records of when and how authorization was obtained from the Data Subject for the processing of their information.

Privacy Notice.

The privacy notice is a physical, electronic, or any other format document, through which the data subject is informed about the existence of the policies that will apply to them, as well as how they can access them and the characteristics of the processing that will be given to the personal data.

Privacy Notice.

The privacy notice is a physical, electronic, or any other format document, through which the data subject is informed about the existence of the policies that will apply to them, as well as how they can access them and the characteristics of the processing that will be given to the personal data.

Content of the Privacy Notice.

  • a. The identity, address, and contact details of the Controller or Processor.
  • b. The Processing to which the data will be subjected and its purpose.
  • c. The mechanisms provided by CALIENTE TOURS S.A.S. so that the Subject can know the information processing policy and any substantial changes that occur in it or in the corresponding privacy notice. In all cases, the Subject must be informed how to access or consult the information processing policy.

The model of the privacy notice transmitted to the Data Subjects will be kept as long as the processing of personal data is carried out and the obligations derived from it persist. For the storage of the model, computer, electronic, or any other technology at the choice of CALIENTE TOURS S.A.S. may be used.

Depending on the group of people whose personal data is collected, there will be a single privacy notice model, which will specify in detail the points described above for each of them.

Rights of the Data Subjects.

In accordance with Article 8 of Statutory Law 1581 of 2012, the Data Subject has the following rights:

  • a. To know, update, and rectify their personal data with CALIENTE TOURS S.A.S. in its capacity as Controller and Processor.
  • b. To request proof of the authorization granted to CALIENTE TOURS S.A.S.
  • c. To be informed by CALIENTE TOURS S.A.S. regarding the use that has been given to their personal data.
  • d. To file complaints with the Superintendency of Industry and Commerce for violations of the provisions of Statutory Law 1581 of 2012, once the consultation or claim process indicated in said Law has been exhausted.
  • e. To revoke the authorization and/or request the deletion of data when the Processing does not respect constitutional and legal principles, rights, and guarantees.
  • f. To access their processed personal data free of charge.

Duties of CALIENTE TOURS S.A.S. regarding the processing of personal data in its capacity as Controller and Processor.

It is hereby stated that the personal data subject to processing is the property of the persons to whom it refers, and they are the ones authorized to dispose of it. Based on the above, personal data will only be used according to the purposes established by Law and respecting the provisions of Statutory Law 1581 of 2012:

In accordance with Article 17 of Statutory Law 1581 of 2012, the company commits to fulfilling the following duties:

  • a. To guarantee the Subject, at all times, the full and effective exercise of the right to habeas data.
  • b. To request and keep a copy of the respective authorization granted by the Subject.
  • c. To perform the updating, rectification, or deletion of data under the terms provided in Articles 14 and 15 of Statutory Law 1581 of 2012.
  • d. To process inquiries and claims made by the subjects under the terms set forth in Article 14 of Statutory Law 1581 of 2012.
  • e. To store information under the necessary security conditions to prevent its alteration, loss, consultation, use, or unauthorized or fraudulent access.
  • f. To insert the legend "information under judicial discussion" into the databases once notified by the competent authority regarding judicial processes related to the quality or details of the personal data.
  • g. To inform the Superintendency of Industry and Commerce when violations of security codes occur and there are risks in the administration of the subjects' information.
  • h. To process inquiries and claims formulated by the data subjects.
  • i. To comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.
  • j. To apply the regulations governing Statutory Law 1581 of 2012.

Duties regarding the Processing of Data of Infants and Adolescents.

CALIENTE TOURS S.A.S., in its capacity as Controller and Processor of personal data for the aforementioned groups, must take special care to ensure compliance with the Law regarding these groups and respect for their rights, especially concerning personal data that does not fall under the category of public data (name, gender, date of birth, etc.).

The Processing of personal data of children and/or adolescents that is of a public nature shall comply with the following parameters and requirements:

  • a) That it responds to and respects the best interests of children and adolescents.
  • b) That respect for their fundamental rights is ensured.
  • c) Assessment of the minor's opinion when they possess the maturity, autonomy, and capacity to understand the matter.

Once the above requirements are met, the legal representative of the child or adolescent may grant authorization for the Processing, following the minor's exercise of their right to be heard—an opinion that must be assessed taking into account maturity, autonomy, and capacity to understand the matter.

Procedures for access, consultation, and claims.

Points applicable to all Procedures:

(l) For the exercise of the rights indicated in this point by successors, and also to prevent access to information by persons not legally authorized, documentation must be previously verified in accordance with the Law to conclude that the person requesting the information is indeed a successor of the Data Subject.

(ll) In case of any doubt regarding the application of the procedures indicated herein, it shall be reported by the area responsible for the database subject to the procedure and resolved by the Legal Department, which will resolve the issue taking into account the Law, Decrees, and other regulatory or instructive norms, as well as the jurisprudence issued on the matter.

Access.

Considering that the authority to dispose of or decide on personal data rests with the Data Subject, this authority necessarily implies the subject's right to access and know the personal information being processed, including the scope, conditions, and generalities of the processing.

In view of the above, this right is guaranteed to the Subject, which includes:

  • • Knowledge of the existence of the processing of their personal data.
  • • Access to their personal data.
  • • The circumstances of the processing of the personal data.

Consultation.

In accordance with Article 14 of Statutory Law 1581 of 2012, Data Subjects or their successors may consult the Subject's personal information stored in any database. Based on this, this right is guaranteed by providing them with all the information contained in the individual record or linked to the identification of the Subject.

Depending on the nature of the personal database, the consultation will be managed by the area responsible for its handling within CALIENTE TOURS S.A.S.

Consultations will be addressed within a maximum term of ten (10) business days from the date of receipt. When it is not possible to address the consultation within said term, the interested party will be informed within the first term granted, stating the reasons for the delay and indicating the date on which the consultation will be addressed, which in no case may exceed five (5) business days following the expiration of the first term.

Claims.

In accordance with Article 15 of Statutory Law 1581 of 2012, the Data Subject or their successors who consider that the information contained in a database should be subject to correction, updating, or deletion, or when they notice an alleged breach of any of the duties contained in Statutory Law 1581 of 2012, may file a claim which will be processed under the following rules:

  • 1. The claim shall be made through a communication by the subject or their successors addressed to CALIENTE TOURS S.A.S. as controller or processor, which must include the information indicated in Article 15 of Statutory Law 1581 of 2012. If the claim is incomplete, the interested party will be required within five (5) days following receipt of the claim to remedy the faults. After two (2) months from the date of the request, without the applicant providing the required information, it will be understood that the claim has been abandoned. In any case, if the communication is addressed to CALIENTE TOURS S.A.S. and it does not have the standing to respond, CALIENTE TOURS S.A.S., without needing to notify the person making the claim, will inform the company that must provide the response.
  • In the event that CALIENTE TOURS S.A.S. receives a claim that it is not competent to resolve, it will transfer it to the appropriate party within a maximum term of two (2) business days and inform the interested party of the situation.
  • 2. Once the complete claim is received, a legend saying "claim in progress" and the reason for it will be included in the database within a term not exceeding two (2) business days. This legend must be maintained until the claim is decided.
  • 3. The maximum term to address the claim will be fifteen (15) business days counted from the day following the date of its receipt. When it is not possible to address the claim within said term, the interested party will be informed of the reasons for the delay and the date on which the claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.

At any time and free of charge, the natural person who is the Data Subject or their representative may request the rectification, updating, or deletion of their personal data after proving their identity.

The request for rectification, updating, or deletion of personal data must be submitted through the means provided in the privacy notice and must contain at least the following information:

  • 1. The name and address of the Subject or representative or any other means to receive the response to their request.
  • 2. Documents proving the identity or representation of the Personal Data Subject.
  • 3. A clear and precise description of the personal data and the facts giving rise to the claim.
  • 3. A clear and precise description of the personal data and the facts giving rise to the claim.
  • 4. The documents intended to be asserted in the claim.

Deletion implies the total or partial removal of personal information as requested by the Subject from the records, archives, databases, or processing activities carried out by CALIENTE TOURS S.A.S.

Depending on the nature of the personal database, the claim will be managed by the area responsible for its handling within CALIENTE TOURS S.A.S.

Requirement of Procedurability.

The Subject or successor may only file a complaint with the Superintendency of Industry and Commerce once they have exhausted the consultation or claim process before CALIENTE TOURS S.A.S.

Revocation of Authorization.

In accordance with the Law, in the event that the Processing does not respect constitutional and legal principles, rights, and guarantees, the Subjects or their representatives (such as parents exercising parental authority over an infant or adolescent) may request the revocation of the authorization granted for the Processing of their data, unless a legal or contractual provision prevents such revocation, indicating in that case the specific reasons why they consider that the situation of non-compliance with the aforementioned scope is occurring.

CALIENTE TOURS S.A.S., as controller or processor, as the case may be, must confirm receipt of the revocation request, including its date of receipt. The request may be objected to if, in the judgment of CALIENTE TOURS S.A.S., the grounds indicated by the Subject are not present or if such revocation implies an impact on the tracking or fulfillment of rights or obligations by the entity regarding the Subject, in which case it must inform the Subject in writing so they may take appropriate measures before the relevant authorities.

The request for revocation of authorization may be total or partial. It will be total when the revocation of all the purposes consented to through the authorization is requested; it will be partial when the revocation of some purposes is requested depending on the revocation request. This classification must be clearly expressed in the authorization revocation request.

Information Security.

Information Security Measures.

In compliance with the principle of security established in Statutory Law 1581 of 2012, CALIENTE TOURS S.A.S. will implement additional technical, human, and administrative measures if required, which are necessary to provide security to the records, thereby preventing their alteration, loss, consultation, use, or unauthorized or fraudulent access. The development of this online store carried out by the web design agency Distecnoweb was tested in different scenarios and CALIENTE TOURS S.A.S. performs the necessary technical updates over time to maintain information security.

Registration of Databases.

CALIENTE TOURS S.A.S., in its capacity as Controller and Processor, must proceed with the registration of databases under the terms indicated by Colombian regulations.

Acceptance.

Information Subjects accept the processing of their personal data according to the terms of this Manual at the time of providing their data.

Validity.

This General Privacy Policy is effective from the date of its publication, and its validity will be subject to the purpose of the processing of personal data inherent to the legal nature of CALIENTE TOURS S.A.S.

Chat with Us

Hotel Isla del Sol
4.5
Based on 1182 reviews
x