NEW STETIC SA adopts this Data Protection policy in order to comply with the provisions of Statutory Law 1581 of 2012, its Regulatory Decree 1377 of 2013 and other concordant regulations, in order to guarantee the right to intimacy, privacy and the good name of individuals in the processing of their personal data, which will be carried out taking into account the principles of legality, purpose, freedom, veracity or quality, transparency, restricted access and circulation, security and confidentiality.
The company is committed to safeguarding information and complying with data protection regulations and the obligations arising therefrom, processing data responsibly and in accordance with the consent of the owner, to act with prudence and confidentiality.
This policy applies to all databases and/or files of NEW STETIC that contain Personal Data and that are processed by the controller and/or processor.
The company processes personal data under the terms, conditions and scope authorized by the owner of the information, except for special regulations when a legal exception is applicable to doing so.
Personal information: This is any information that is linked to or can be associated with a specific person, such as their name or identification number, or that can make them identifiable, such as their physical characteristics.
Public data: Public data includes, among others, data relating to the civil status of persons, their profession or occupation, and their status as merchants or public servants. By their nature, public data may be contained in, among others, public registers, public documents, official gazettes, and bulletins, and duly executed court decisions that are not subject to confidentiality.
Semi-private data: These are data that are not of an intimate, reserved, or public nature and whose knowledge or disclosure may be of interest not only to the owner but also to a certain sector or to society in general. Financial and credit data from commercial or service activities are some examples.
Private data: This is data that, due to its intimate or reserved nature, is only relevant to the data subject. The tastes or preferences of individuals, for example, correspond to classified data.
Sensitive data: These are those that affect the privacy of the holder or may lead to discrimination, that is, those that reveal his or her racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations, as well as data relating to health, sexual life, and biometric data, among others.
Authorization: It is the consent given by any person so that companies or persons responsible for processing information can use their personal data.
Database: Organized set of personal data that are subject to processing.
Treatment: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.
Data processor: It is the natural or legal person who carries out the processing of personal data, based on a delegation made by the person responsible, receiving instructions about the way in which the data should be managed.
Data controller: The natural or legal person, public or private, who decides on the purpose of the databases and/or their processing.
Owner: The natural person whose personal data is being processed.
Privacy Notice: It is one of the verbal or written communication options provided by law to inform the holders of the information of the existence and the ways to access the information processing policies and the purpose of its collection and use.
Transfer: This is the operation carried out by the person responsible for or in charge of processing personal data, when he sends the information to another recipient, who, in turn, becomes responsible for the processing of said data and is located within or outside the country.
Transmission: processing of personal data that involves the communication of the same within or outside the territory of the Republic of Colombia when its purpose is to carry out processing by the person in charge on behalf of the person responsible.
NEW STETIC carries out the processing of your personal and sensitive data, which includes the collection, storage, use, circulation, transmission, updating, rectification, and deletion, for the following purposes:
The company will collect, store, and use the personal data of its customers for the following purposes:
through electronic means, including email, SMS, and WhatsApp, or by telephone to carry out campaigns, promotions or contests of a commercial or advertising nature, as well as to inform you about events organized by the company, about the products, manage procedures (requests, complaints and claims) and to ask you to evaluate the quality of our products and/or services.
NEW STETIC SA will be responsible for the collection, storage, and use of the personal data of its suppliers for the following purposes:
Comply with the obligations arising from the legal relationship established with the supplier.
Within the personnel selection processes, personal data is processed in the collection, storage, use, circulation, transmission, updating, rectification, and deletion.
When visitors access the company, we seek to maintain a record and control of entries where personal data may be collected, stored, and used.
For an appropriate application of the law, compliance with the following principles will be fundamental:
Principle of purpose: The purpose of the Treatment must obey a legitimate purpose in accordance with the Constitution and the Law, which must be communicated to the Owner of the information.
Principle of legality in data processing: The Treatment referred to in this law is a regulated activity that must be subject to the provisions established therein and in other provisions that develop it.
Principle of Freedom: Data processing may only be carried out with the prior, express, and informed consent of the Data Subject. Furthermore, the collection and disclosure of personal data may not be carried out without prior authorization and will only be permitted through a legal or judicial order that waives consent.
Principle of truthfulness or quality: Data that are subject to processing must be true, complete, accurate, up-to-date, verifiable, and understandable. Partial, incomplete, fragmented, or misleading data may not be processed.
Transparency principle: The controller or processor must guarantee without restrictions the right to obtain information about the existence of data that concerns him/her.
appropriate, reporting clearly and expressly and keeping proof of compliance with this duty:
Principle of restricted access and circulation: The processing of personal data may only be carried out by persons authorized by the owner and/or by persons provided for in Law 1581 of 2012. The processing is subject to the limits arising from the nature of the personal data, the provisions of this law and the Constitution. Personal data, except for public information, may not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to the Owners or authorized third parties in accordance with this law.
Security principle: The information subject to processing by NEW STETIC SA or the Data Processor is processed under the technical, human, and administrative measures necessary to ensure the security of the records, avoiding their alteration, loss, or unauthorized or fraudulent consultation, use or access. The company will ensure that it has all the corresponding security measures and that they are made known to all persons who have direct or indirect access to the data. Users who access the NEW STETIC SA information systems must be aware of and comply with the security rules and measures that correspond to their functions. These security rules and measures are included in the Internal Security Manual, which is mandatory for all users and company personnel. Any modification of the rules and measures regarding the security of personal data by the data controller must be made known to users.
Confidentiality principle: All persons involved in the processing of personal data that are not public in nature are obliged to guarantee the confidentiality of the information, even after their relationship with any of the tasks that comprise the processing has ended, and may only provide or communicate personal data when this corresponds to the development of the activities authorized in this law and under the terms thereof.
The following are the rights of the holders of personal data, which can be exercised at any time as stipulated in Law 1581 of 2012:
The processing of personal data of children and adolescents is not permitted, except when it involves data of a public nature, and when such processing complies with the following parameters and/or requirements:
The legal representative of the children or adolescents will grant the authorization, after the minor has exercised his or her right to be heard, an opinion that will be assessed considering the maturity, autonomy, and ability to understand the matter, after having fulfilled the previous requirements.
To properly process personal data, NEW STETIC will require the prior and informed authorization of the Owner, which must be obtained by any means that can be subject to subsequent consultation, without prejudice to the exceptions provided for in the law. These mechanisms may be predetermined through technical means that facilitate the Owner’s automated manifestation.
A record will be kept of the delivery of the requested personal information, indicating the obligation to guarantee the rights of the Holder, both to the official who makes the request, to the person who receives it, as well as to the requesting entity.
Anyone who accesses personal data without prior authorization must in all cases comply with the provisions contained in this law.
When requesting authorization to process data, NEW STETIC, as the party responsible for said processing, will be responsible for clearly and expressly indicating the following:
In all cases it will be essential to keep proof of compliance with the provisions of the paragraph above, and in cases where the owner so requests, provide a copy of this.
NEW STETIC may provide information to others when the conditions established in Law 1581 of 2012 are met:
When it is considered that the information contained in a database should be corrected, updated, or deleted, or when they notice the alleged non-compliance, the Owner or his successors may file a claim with NEW STETIC, which will be processed under the following rules:
(2) months from the date of the request, if the applicant does not submit the required information, it will be understood that he has withdrawn the claim.
Only the Owner or successor in title may file a complaint with the Superintendency of Industry and Commerce once he or she has exhausted the consultation or claim process with the Data Controller or Data Processor.
NEW STETIC will maintain mechanisms that are always available and that are simple and agile when accessing your personal data information so that you can exercise your rights over it. In addition, you may consult your personal data free of charge in two cases:
For queries that are more frequent than once per calendar month, NEW STETIC SA may only charge the holder the costs of shipping, reproduction and, where applicable, certification of documents. Reproduction costs may not be greater than the costs of recovering the corresponding material. For this purpose, the person responsible must demonstrate to the Superintendence of Industry and Commerce, when required, the support for said expenses.
The requested information may be provided by any means, including electronic means, as required by the Owner. The information must be easy to read, without technical barriers that impede access and must correspond in all respects to that which is stored in the database.
NEW STETIC and/or the Managers, guarantee the holders of personal data contained in their databases, their successors in title or authorized persons, the right to consult all the information contained in their individual record or all that is linked to their identification as established in this Personal Data Processing Policy.
11.2. RESPONSIBLE FOR HANDLING INQUIRIES:
The company’s Personal Data Protection Officer will be responsible for receiving and processing the requests submitted, under the terms, deadlines and conditions established in Law 1581 of 2012 and in this policy.
Minimum information that must be contained in queries addressed to the company:
Once the request for INFORMATION CONSULTATION is received from the Data Owner or his/her representative or duly authorized third party, through the channels established by NEW STETIC, the Personal Data Protection Officer will verify that the request contains all the specifications required in order to assess whether the right is exercised by an interested party or by a representative thereof, thereby proving that there is legal legitimacy to do so.
Requests received through the above means will be attended to within a maximum period of ten (10) business days from the date of receipt.
In the event of impossibility to respond to the query within said term, NEW STETIC will inform the interested party before the expiration of ten (10) days, stating the reasons for the delay and indicating the date on which the query will be responded to, which in no case may exceed five (5) business days following the expiration of the first term.
Correction or Update: NEW STETIC and/or the Data Processors will guarantee the owners of personal data contained in their databases or their successors in title the right to correct or update the personal data contained in their databases, by submitting a claim, when they consider that the parameters established by law or those indicated in this Personal Data Processing Policy are met so that the request for Correction or Update is admissible.
Revocation of authorization or Deletion of Personal Data: NEW STETIC and/or the Data Processors shall guarantee the owners of personal data contained in their databases or their successors in title the right to request the revocation of the authorization or to request the deletion of the information contained in their individual record or any information linked to their identification when they consider that the parameters established by law or those indicated in this Personal Data Processing Policy have been met. Likewise, the right to file complaints is guaranteed when they notice the alleged non-compliance with Law 1581 of 2012 or this Personal Data Processing Policy.
Claims Attention: The company’s Personal Data Protection Officer will be responsible for receiving and processing the requests submitted, under the terms, deadlines and conditions established in Law 1581 of 2012 and in these policies.
Once the request for information CLAIM is received from the Data Owner or his/her representative or duly authorized third party, through the channels established by NEW STETIC, the Personal Data Protection Officer will verify that the request contains all the required specifications in order to assess whether the right is exercised by an interested party or by a representative thereof, thereby proving that there is legal legitimacy to do so.
Claims without compliance with legal requirements: If the claim is submitted without compliance with the above legal requirements, the company will request the claimant within the following five (5) days from receipt of the claim, to correct the deficiencies and present the missing information or documents.
Withdrawal of Claim: After two (2) months from the date of the request without the applicant submitting the required information, it will be understood that he has withdrawn the claim.
Reception of claims that do not correspond to the Entity: If the company receives a claim addressed to another organization, it will forward it to the appropriate party within a maximum period of two (2) business days and will inform the claimant of the situation.
Inclusion of legend in the database: Within a maximum of two (2) business days from receipt, the company will include in the database where the personal data of the Holder is located, a legend that says “claim in process” and the reason for it. This legend must be maintained until the claim is decided.
Response Deadlines for Claims: The maximum term to address the claim will be fifteen (15) business days counted from the day following the date of receipt.
Extension of the Response Deadline: When for any reason it is not possible to address the claim within said term, the interested party will be informed of the reasons for the delay and the date on which his claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.
Procedure for Deletion of Personal Data: When the Deletion of the personal data of the owner of the database is appropriate according to the claim presented, the company must operationally carry out the deletion in such a way that the elimination does not allow the recovery of the information; however, the Owner must take into account that in some cases certain information must remain in historical records due to compliance with the legal duties of the organization, so its deletion will be in response to the active processing of the same and in accordance with the request of the owner.
In compliance with the principle of truthfulness or quality, in the processing of personal data, reasonable measures must be adopted to ensure that the personal data contained in the databases are accurate and sufficient and, when requested by the Owner or when the controller has been able to notice it, they are updated, rectified or deleted, in such a way that they satisfy the purposes of the processing.
Sensitive data is data that affects the privacy of the data subject or whose misuse may lead to discrimination, such as data that reveals racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data relating to health, sexual life and biometric data.
Cases in which NEW STETIC may process sensitive data:
In any case, NEW STETIC SA will adhere to the provisions of current data protection regulations in accordance with the guidelines established in the cases provided for as exceptions to the processing of data.
Sensitive biometric data related to videos and photographic images, fingerprints or data that may be collected will be used for company events, communications and for identification, security, internal and external monitoring and to be published in print media, cards, audiovisual media, social networks or websites of our own or of third parties, including family members and minors.
Sensitive data concerning the health status will be used for employee monitoring and/or procedures with competent occupational medical personnel and/or ARL physicians and to safeguard medical concepts, laboratory test results, medical studies, general or specialized medical, psychological, or psychiatric diagnoses.
Sensitive biometric data related to videos and photographic images that may be collected will be used for advertising purposes, internal and external company events, communications, and social networks of NEW STETIC SA.
The company has video surveillance cameras where it processes biometric data, and therefore collects, stores, uses, distributes, and deletes sensitive information.
Biometric data stored in the company’s databases are collected and processed strictly for identification, security, internal and external control and monitoring of assets and people, and to control access to employees, customers, visitors, and others. Biometric identification mechanisms capture, process and store information related to the physical features of people (fingerprints and facial features) to establish or “authenticate” the identity of each subject.
The management of databases containing biometric data is carried out with technical security measures that guarantee due compliance with the principles and obligations derived from the Statutory Law on Data Protection, also ensuring the confidentiality of the information of the owners.
NEW STETIC SA has designated a Data Protection Officer who will be responsible for handling requests, queries, and complaints before which the Data Owner can exercise his/her rights, through the following channels:
Digital channel: The holders of the information may exercise their rights via email at the address [email protected].
Physical channel: Holders may go to the address Carrera 53 # 50 – 09 in Guarne, Antioquia, to submit requests, queries, and complaints by means of a letter addressed to the company, in accordance with the terms of section 10.1 of this policy.
The company, as the Data Controller, must comply with the following duties, without prejudice to other provisions provided for in the law and in others that govern its activity:
Data Processors must comply with the following duties, without prejudice to other provisions provided for in the law and in others that govern their activity:
Law 1581 of 2012 and other concordant and current regulations.
NEW STETIC manages the information stored in its databases with the technical, human, and administrative measures necessary to ensure the security of the records, avoiding their adulteration, loss, or unauthorized or fraudulent consultation, use or access.
In addition, the company, when signing the transmission contracts, has requested that those in charge of the treatment implement security measures that guarantee the security and confidentiality of the information in the processing of personal data. All security measures are contemplated in the Data Protection System Manual.
NEW STETIC will ensure compliance with due process in the event of security incidents that may occur in the organization and that may put at risk the confidentiality, availability and integrity of the information contained in the databases. Therefore, there is a security incident protocol included in the Data Protection System Manual, to mitigate the impact that may be generated by the materialization of a risk with personal data.
NEW STETIC has implemented within this policy the processes and procedures to manage risks and mitigate their causes through internal security policies contained within the manual.
The company considers the tools, indicators and resources necessary for its administration, taking into account its organizational structure, its internal processes and procedures, and the number of databases and types of personal data processed by the organization that could be exposed to frequent or high-impact events or situations that affect the proper provision of the service or threaten the information of the owners.
The policy considers sources such as technology, human resources, infrastructure, and processes that require protection, together with their vulnerabilities and threats, to assess their level of risk. Therefore, to ensure the protection of personal data, the type or group of internal and external persons and the different levels of access authorization will be taken into account. Likewise, the possibility of occurrence of any type of event or action that may cause damage (material or immaterial) will be observed, such as:
Criminality: Understood as actions, caused by human intervention, which violate the law and are penalized by it.
Events of physical origin: Understood as natural and technical events, as well as events indirectly caused by human intervention.
Negligence and institutional decisions: Understood as actions, decisions or omissions by people who have power and influence over the system. At the same time, they are the least predictable threats because they are directly related to human behavior.
Within its policy, the company establishes protective measures to avoid or minimize damage if a threat materializes.
According to article 26 of Law 1581 of 2012, the transfer of personal data of any kind to countries that do not provide adequate levels of data protection is prohibited. A country is deemed to offer an adequate level of data protection when it complies with the standards set by the Superintendency of Industry and Commerce on the subject, which in no case may be lower than those required by this law for its recipients.
NEW STETIC SA registers its databases together with this Personal Data Processing Policy in the National Registry of databases administered by the Superintendency of Industry and Commerce, as established in the regulations and makes updates to the changes that may occur in it, as contemplated in article 25 of Law 1581 and its regulatory decrees.
The company has established policies, guidelines, procedures, and processes focused on data protection, which may vary if there are changes in regulations or if any changes are required as determined by the company to safeguard the information, always focusing on security, confidentiality and privacy.
Furthermore, NEW STETIC guarantees that the collection, storage, use, processing, destruction, or elimination of the information provided is carried out using technological tools focused on secure mechanisms in transmission and storage, as well as on the restriction of access to information and backup.
In cases where it is necessary to transfer the information to a Data Processor due to a contractual relationship, NEW STETIC signs data transmission contracts, with the aim of always guaranteeing the security, confidentiality and reserve of the information, thus complying with the regulatory guidelines, policies, information security manuals and protocols for attention to the owners.
The data processing policy will be applicable to all interested parties of the organization, this includes employees, clients, suppliers, and others.
The databases held by NEW STETIC SA are processed for as long as is reasonable and necessary for the defined purpose. Once the purposes of the processing have been fulfilled, and without prejudice to legal regulations that provide otherwise, the personal information is deleted, unless there is a legal or contractual obligation that requires its conservation. These databases have been created without a defined period of validity.
When substantial changes occur in the personal data processing policies, the owners will be informed so that they can consult them through the different means enabled by the company for this purpose, or through open notices at the NEW STETIC headquarters.
This processing policy has been in effect since November 2, 2016, and was updated on August 15, 2024.