Politics of
Data treatment
1. DEFINITIONS
For the purposes of applying the rules contained in this policy and in accordance with the provisions of article 3 of Law 1581 of 2012, the following concepts are disclosed:
to. Privacy Notice: Verbal or written communication generated by the person in charge, addressed to the Owner for the Treatment of their personal data, through which they are informed about the existence of the information Treatment policies that will be applicable, the way to access to them and the purposes of the treatment that is intended to give personal data.
b. Public data: It is the data that is not semi-private, private or sensitive. Data relating to the marital status of individuals, their profession or trade and their quality as a merchant or public servant are considered public data. By its nature, public data may be
contained, among others, in public records, public documents, official gazettes and bulletins and duly executed judicial decisions that are not subject to reservation.
c. Sensitive data: Sensitive data is understood to be that which affects the privacy of the Holder or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership of
trade unions, social or human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.
d. Transfer: The transfer of data takes place when the person in charge and/or in charge of the processing of personal data, located in Colombia, sends the information or personal data to a receiver, who in turn is Responsible for the Treatment and is inside or outside from the country.
and. Transmission: Treatment of personal data that implies the communication of the same inside or outside the territory of the Republic of Colombia when its purpose is to carry out a treatment by the person in charge on behalf of the person in charge.
F. Authorization: Prior, express and informed consent of the Owner to carry out the Processing of personal data.
g. Database: Organized set of personal data that is subject to Treatment.
h. Personal data: Any information linked or that can be associated with one or more specific or determinable natural persons.
i. Semi-private data: It is data that is not of an intimate, reserved, or public nature and whose knowledge or disclosure may be of interest not only to its owner but also to a certain sector or group of people or to society in general, such as financial and credit activity data. business or services.
J. Person in charge of the Treatment: Natural or legal person, public or private, that by itself or in association with others, carries out the Treatment of personal data on behalf of the person in charge of the Treatment. The Person in Charge of the Treatment must be naturally and legally independent of the person in charge of the Treatment.
k. Responsible for the Treatment: Natural or legal person, public or private, that by itself or in association with others, decides on the database and/or the Treatment of the data.
l. Owner of the information: Natural person whose personal data is subject to Treatment; for THE NEXT SHOT SAS, the holder of the information will be understood as the associates and/or clients, workers and suppliers.
m. Treatment: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.
1.1. Acronyms and Abbreviations
The following acronyms and abbreviations will apply in this Personal Data Protection Policy:
SIC: Superintendence of Industry and Commerce
THE NEXT SHOT SAS: “G Lounge” or the “Company”
Policy: THE NEXT SHOT SAS Personal Data Protection Policy
Law 1581 of October 17, 2012: “Data Protection Statute” or “Law 1581 of 2012.
2 PURPOSE AND SCOPE OF THE POLICY
This Personal Data Protection Policy (hereinafter the "Policy") will apply to all Databases that contain Personal Data that are subject to Treatment by THE NEXT SHOT SAS, a legally constituted and existing company in accordance with the Laws of the Republic of Colombia, and identified with NIT 901.400.632-1 (hereinafter the "Company") and/or its agents or branches. The purpose of this Policy is: (i) to inform the Holders of the scope and purpose of the Treatment to which the Personal Data will be subjected, in the event that the Holder grants his express, prior and informed Authorization; and (ii) inform the Holders of the Personal Data of the rights that assist them and the procedures designed by the Company to make those rights effective.
In this sense, the scope of the Policy is, in compliance with the current Data Protection Statute, as well as the regulations on the matter, it applies to all administrators, legal representatives, employees, contractors, or persons who, on the occasion of their functions, have a relationship, contact, know, treat or handle, regardless of its form, the personal data collected by G Lounge, in the exercise of its commercial, corporate, economic, advertising activities, entry to the venues, among others. In this sense, this Policy is an integral part of the contractual relationship that the person maintains with G Lounge, and its breach or non-compliance may generate the applicable sanctions, the termination of the contractual relationship, this, without prejudice to the processes and measures applicable by part of the competent judicial or administrative authorities.
3 PRINCIPLES
In all the Processing of Personal Data carried out by the Company, the Managers and/or third parties to whom the Personal Data is transferred must strictly comply with the principles and rules established by Law and in this Policy, in order to guarantee the right fundamental to the habeas data of the Holders and to comply with the obligations established by the Law. These principles are:
to. Access: The Company, unless expressly Authorized by the Owner, may not make Personal Data available for access through the Internet or other means of mass communication, unless technical and security measures are established to control access and
restrict it to Authorized people only.
b. Prior Authorization: All Processing of Personal Data will only be carried out once the prior, express and informed Authorization of the Owner has been obtained, unless the Law establishes an exception to this rule.
c. Data Quality: The Personal Data subject to Treatment by the Company must be truthful, complete, exact, updated, verifiable and understandable. When the Company realizes that it has partial, incomplete, fragmented Personal Data or that leads to
error, the Company will refrain from Processing them and will request the Owner to correct said Data.
d. Confidentiality: The Company must carry out the Treatment having all the necessary measures to maintain the confidentiality of the Personal Data and prevent it from being consulted, modified or used by unauthorized persons or by Authorized and Non-Authorized persons in a fraudulent manner. Similarly, all Personal Data must be treated as confidential, even when the contractual relationship or the link between the Owner of the Personal Data and the Company has ended.
and. Purpose: All activities and operations of Personal Data Processing carried out by the Company must obey and correspond to the purposes established in this Policy or in the Authorization granted by the Owner of the Personal Data. The Company must inform the Owner of the Personal Data of the purpose of the Treatment at the time of obtaining their Authorization.
F. Legality: The Company must carry out the Processing of Personal Data in accordance with the provisions of Statutory Law 1581 of 2012, Decree 1074 of 2015 ("Single Regulatory Decree of the Commerce, Industry and Commerce Sector"), and other regulations that complement them. , modify or repeal.
g. Necessity and Temporality: Personal Data can only be Processed by the during the time and to the extent that the purpose of its Treatment justifies it.
h. Transparency: The Company guarantees the Holders of Personal Data, the right of access and knowledge of the personal information that is being Processed.
4 APPLICABLE LEGISLATION AND REGULATIONS
Within the framework of this Policy, its interpretation and scope must be interpreted in light of the current applicable regulations regarding personal data, among which, it is highlighted:
● Statutory Law No. 1581 of 2012 "By which general provisions are issued for the protection of personal data"
● Regulatory Decree No. 1377 of 2013 "By which Law 1581 of 2012 is partially regulated"
● Sole Regulatory Decree No. 1074 of 2015 of the Trade, Industry and Tourism Sector.
● Title V of the Single Circular of the Superintendency of Industry and Commerce.
5 IDENTIFICATION OF THE RESPONSIBLE AND IN CHARGE OF THE PROCESSING OF PERSONAL DATA
5.1. Responsible for the treatment
THE NEXT SHOT SAS, a company legally constituted and existing in accordance with the Laws of the Republic of Colombia, and identified with NIT 901.400.632-1, with physical address at Calle 140 no 11-45 Piso M de Bogotá DC
Website: www.glounge.co
Email:
jorge.ortiz@glounge.co
contacto@glounge.co
5.2. Data Processor/ Compliance Officer
Marketing Manager – Jorge Alejandro Ortiz
6 TREATMENT AND PURPOSES
The Company, as the person responsible for the Treatment of Personal Data, informs that it will collect, use, store, transmit and carry out various operations on the Personal Data of the Holders corresponding to natural persons with whom it has or has had a relationship, such as workers and relatives of these, shareholders, consumers, customers, distributors, suppliers, creditors and debtors.
The Personal Data Processed by the Company will be submitted only to the purposes indicated below. Likewise, Managers or third parties who have access to Personal Data must maintain the Treatment within the following purposes:
to. To manage all the information necessary to comply with the Company's tax obligations and commercial, corporate and accounting records.
b. For the provision of services and/or the sending of information to its workers and relatives.
c. For the provision of its services in accordance with the particular needs of the Company's clients, in order to fulfill the contracts entered into.
d. To strengthen relationships with its customers, by sending relevant information, taking orders and handling Requests, Complaints and Claims (PQR).
and. To consolidate a timely and quality supply with its Suppliers, through the invitation to participate in selection processes, the evaluation of compliance with their obligations and the invitation to events organized or sponsored by the Company, among others.
F. To comply with the internal processes of the Company regarding the administration of suppliers and contractors.
g. To improve, promote and develop new services or products.
h. For marketing, statistical, research and other commercial purposes.
i. For the attention of judicial or administrative requirements and the fulfillment of judicial or legal mandates.
J. To eventually contact, by any appropriate means, the natural persons with whom you have or have had a commercial or contractual relationship.
k. The other purposes determined by the Company, in order to comply with its contractual, legal or regulatory obligations.
l. The other purposes determined by the Company in the process of obtaining Personal Data for its Treatment and that are communicated to the Holders at the time of the collection of personal data.
7 RIGHTS OF PERSONAL DATA HOLDERS
In accordance with the Law, the Holders of the Personal Data that are subject to Treatment by the Company, have the following rights, which they can exercise at any time:
to. Request access and free, easy and simple access to the Personal Data that have been subject to Treatment by the Company and/or by the Person in Charge of the Treatment.
b. Submit requests to the Company and/or the Person in Charge of the Treatment regarding the use that has been given to your Personal Data, and that they deliver such information.
c. Request proof of the Authorization granted to the Company for the Treatment of your Personal Data, unless the Law indicates that said Authorization is not necessary.
d. Revoke your Authorization and/or request the deletion of your Personal Data from the Company's databases, when the Superintendence of Industry and Commerce has determined by
executed administrative act that the Company or the Person in Charge of the Treatment incurred in conduct contrary to the Law or when there is no legal, regulatory or contractual obligation to maintain the Personal Data in the Company's Database.
and. Update and rectify your Personal Data before the Company and/or those in charge of their Treatment. This right may be exercised, among others, against partial, inaccurate, incomplete, fragmented, misleading data, or those whose Treatment is expressly
prohibited or has not been authorized.
F. Know the dependency or person empowered by the Company and/or by the Person in Charge of the Treatment to whom you can submit queries, complaints, claims and any other request about your Personal Data.
g. Have easy access to this Policy and to know the modifications to the terms of this Policy prior to the implementation of said modifications.
h. Go before the Superintendence of Industry and Commerce to file complaints for violations of the Law, after consulting or requesting the Company.
The Holders may exercise these Rights and carry out any other procedure established in this Policy, by presenting their citizenship card or any other suitable means of identification. Minors may exercise their rights personally, or through their parents or adults who have parental authority, who must prove it through the relevant documentation. Likewise, the rights of the Holder may be exercised by successors in title who prove said quality, the representative and/or proxy of the holder with the corresponding accreditation and those who have made a stipulation in favor of another or for another.
8 RESPONSIBILITY IN THE IMPLEMENTATION AND COMPLIANCE WITH THIS POLICY
The Company has designated the Compliance Officer as responsible for developing, implementing and ensuring compliance with this Policy. In the same way, it will be responsible for the attention of requests, queries, complaints and claims before which the Owner of the information may exercise their rights to know, update, rectify and delete the data and revoke the authorization. The Compliance Officer will process queries and claims regarding Personal Data in accordance with the Law and this policy.
The contact details are:
Email:
jorge.ortiz@glounge.co
contacto@glounge.co
9 SPECIAL PROVISIONS
9.1 Processing of personal data of a sensitive nature
The Company, in accordance with the prohibition established in the Law, does not carry out any activity or operation of Sensitive Data Processing, unless one of the following exceptions is configured:
to. Existence of the express Authorization of the Owner of the Sensitive Data.
b. The Treatment is necessary to protect a vital interest of the Holder. In this case, the Company must verify that: (i) the Holder is incapacitated, physically or legally, and (ii) there is express Authorization from the legal representative of the Holder.
c. The Treatment is carried out for the recognition, exercise or defense of a right in a judicial process.
d. The Treatment is carried out with a historical, statistical or scientific purpose. In this case, the Company will ensure that sufficient measures are taken to suppress the identities of the Holders.
In the cases in which the Company carries out activities or operations of Sensitive Data Processing, it must: (i) inform the owner that, since it is sensitive data, it is not obliged to authorize its Treatment; and (ii) inform the owner explicitly and in advance which of the data that will be subject to Treatment are sensitive and the purpose of the Treatment.
The Company will not condition any activity to the Holder providing Sensitive Data.
9.2 Treatment of personal data of children and adolescents
The Company will only carry out the Processing of Personal Data of children and adolescents when the Processing is about Public Data and/or the following requirements are met:
to. Respond to and respect the best interests of children and adolescents.
b. Ensure respect for their fundamental rights.
c. Have the authorization of the legal representative of the child or adolescent prior to the exercise of the minor's right to be heard, an opinion that will be valued taking into account the maturity, autonomy and ability to understand the matter.
10 PROCEDURES FOR THE EXERCISE OF THE RIGHTS BY THE
HOLDERS OF PERSONAL DATA
10.1. Query
The Company has mechanisms so that the Holder, their successors in title, their representatives and/or attorneys-in-fact, those who have been stipulated in favor of another or for another, and/or the representatives of minor Holders, formulate queries regarding: (i) what are the Personal Data of the Holder that rest in the Company's Databases; (ii) what is the use that has been given to your Personal Data; and (iii) what Authorization was granted to the Company for the Processing of Personal Data.
These procedures may be through email: jorge.ortiz@glounge.co
contacto@glounge.co
Whatever the means used by the Holder, the Company will keep proof of the query and its respective response. The procedure to answer the query is:
to. The Company will verify that the applicant has the capacity to formulate the query in accordance with this Policy and in accordance with the provisions of the Law.
b. In the event that the applicant has the capacity to formulate the query, the Company will collect, in accordance with the request: (i) all the information about the Holder that is contained in the individual record of that person or that is linked to the identification of the Holder within the Company's databases; (ii) the use that has been given to the Personal Data of the Holder; and/or (iii) the Authorization granted by the Owner to the Company for the Processing of their personal data or the cause for exemption from the Authorization requirement.
c. The Company will respond to the request within ten (10) business days from the date it was received by the Company.
d. In the event that the request cannot be answered within ten (10) business days, the applicant will be contacted, through a suitable means, to inform them of the reasons why no response has been given to their request and the date on which which the answer will be given. In any case, the final response to requests may not, for any reason, take more than fifteen (15) business days from the date on which the request was initially received by the Company.
10.2. claims
The Company has mechanisms so that the Holder, his successors in title, his representatives and/or attorneys-in-fact, those who have been stipulated in favor of another or for another, and/or the presenters of minor Holders, make claims in order to: (i) correct or update the information; (ii) delete your Personal Data or revoke the authorization granted for the Treatment of the same; and (iii) rectify or correct the alleged breach of any of the duties contained in the Law.
These procedures may be through email:
jorge.ortiz@glounge.co
contacto@glounge.co
Whatever the means used by the Holder, the Company will keep proof of the claim and its respective response.
The claim must be presented by the Holder, his successors in title or representatives or accredited and must contain:
to. The name and identification document of the Holder.
b. A description of the facts that give rise to the claim and the objective pursued (update, correction, deletion or fulfillment of duties).
c. Indicate the applicant's address and contact information.
d. The documentation that the claimant wants to assert.
The Company, before attending to the claim, will verify the identity of the Owner of the Personal Data, his representative and/or proxy, or the accreditation that there was a stipulation by another or for another.
In the event that the complaint or claim is incomplete, the Company will require the Holder, his successors in title or representatives or accredited, within five (5) days following receipt of the request to correct the failures. If the claimant does not submit the required documentation and information within two (2) months following the initial claim, it will be understood that the applicant has withdrawn the complaint or claim.
If the person within the Company that receives the complaint or claim is not competent to resolve it, it will be transferred to the administrative area within two (2) business days after receiving the claim, and the applicant will be informed of said referral.
Once the Company receives the complaint or claim with the complete documentation, an annotation will be included in the Database where the Personal Data of the Holder resides, the legend "Claim in Process" and the reason for this, within two (2) business days after receiving the request. This entry must be kept until the complaint or claim is resolved.
The Company will resolve the complaint or claim within a maximum term of fifteen (15) business days from the day following the date of receipt. When it is impossible to resolve the complaint or claim within said term, the applicant will be informed of the reasons for the delay and the date on which their claim will be addressed, which may not exceed eight (8) business days following the expiration of the first term.
11 VALIDITY AND REVISIONS
The Policy is in force from July 15, 2021 with the respective approval by the competent corporate bodies and must be reviewed by the legal representation and the Compliance Officer within a period
no more than two (2) years from its promulgation, or in the event that a substantial modification to the applicable regulations is proposed.