- OBJECT AND SCOPE
This policy establishes the parameters for compliance with Statutory Law 1581 of 2012, which seeks to protect personal data registered in any database that is subject to processing, as well as Decree 1074 of 2015, which partially regulates the aforementioned law, and any other provision that modifies, regulates, replaces, or repeals the aforementioned rules.
This policy applies to the data subjects whose personal data are processed by Mateus Carlier S.A.S. or by third parties acting on behalf of the former, as appropriate.
- DEFINITIONS
For the purposes of this Policy and in accordance with legal standards, the following definitions will apply for the protection of personal data:
- Authorization: The prior, express, and informed consent of the Data Subject to carry out the Processing of personal data.
- Database: An organized set of personal data that is subject to Processing.
- Personal Data: Any information linked to or that can be associated with one or more specific or determinable natural persons.
- Private Data: Data that, due to its intimate or confidential nature, is only relevant to the Data Subject.
- Public Data: Data that is not semi-private, private, or sensitive. Public data includes, among others, information about a person’s marital status, profession or occupation, and their status as a merchant or public servant. By its nature, public data may be found in public records, public documents, gazettes and official bulletins, and legally enforceable court judgments that are not subject to confidentiality.
- Semi-Private Data: Semi-private data is data that is not of an intimate, reserved, or public nature and whose knowledge or disclosure may be of interest not only to the Data Subject but also to a certain sector or group of people or to society in general, such as financial and credit data related to commercial or service activity as referred to in Title IV of Law 1266 of 2008.
- Sensitive Data: Sensitive data is understood to be data that affects the privacy of the Data Subject or whose improper use may lead to discrimination, such as data revealing racial or ethnic origin, political orientation, philosophical or religious beliefs, membership in unions, social organizations, human rights organizations, or which promotes the interests of any political party, or guarantees the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.
- Processor: A natural or legal person, whether public or private, who, either by themselves or in association with others, processes personal data on behalf of the Data Controller.
- Data Controller: A natural or legal person, whether public or private, who, either by themselves or in association with others, decides on the database and/or the Processing of data.
- Data Subject: A natural person whose personal data is subject to Processing.
- Transfer: Data transfer occurs when the Data Controller and/or Processor of personal data, located in Colombia, sends the information or personal data to a recipient, who is also the Data Controller of the Processing, whether located within or outside the country.
- Transmission: The Processing of personal data that involves the communication of such data within or outside the territory of the Republic of Colombia, with the aim of Processing by the Processor on behalf of the Data Controller.
- Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.
- PRINCIPLES
The guiding principles for the Processing of personal data are as follows:
- Principles of Purpose, Freedom, and Prior Authorization: The Processing of data is based on legitimate purposes in accordance with the Constitution and the Law, as established in this policy, which is communicated to the Data Subject. All Processing is carried out with the prior, express, and informed authorization of the Data Subject, except as provided by law.
- Principle of Truth or Quality: The information subject to Processing must be truthful, complete, accurate, up-to-date, verifiable, and comprehensible. The Data Controller shall not process partial, incomplete, fragmented, or misleading data, unless the Data Subject is asked to complete the data.
- Principle of Transparency: The right of the Data Subject to obtain information about the existence of data concerning them from the Data Controller or the Data Processor must be guaranteed at all times and without restrictions.
- Principle of Access and Restricted Circulation: The Processing is subject to the limitations arising from the nature of personal data, the provisions of Law 1581 of 2012 and the Constitution. Processing can only be carried out by individuals authorized by the Data Subject and/or those provided for in the aforementioned law. Personal data, except public information, may not be available on the Internet or other mass communication or disclosure media unless access can be technically controlled to provide restricted knowledge to Data Subjects or third parties authorized by Law 1581 of 2012.
- Principle of Security: Information subject to Processing by the Data Controller or Data Processor must be handled with the technical, human, and administrative measures necessary to provide security to the records and prevent their alteration, loss, consultation, use, or unauthorized or fraudulent access.
- Principle of Confidentiality: All persons involved in the Processing of personal data that does not have a public nature are obliged to ensure the confidentiality of the information, even after their relationship with the tasks involving the Processing has ended. They may only provide or communicate personal data when this corresponds to the development of activities authorized by law.
- AUTHORIZATION, PROCESSING, AND STORAGE OF PERSONAL DATA
Mateus Carlier S.A.S., as the Data Controller, will process the data provided, requesting prior authorization from the Data Subjects and informing them of the purpose of such Processing. The Data Controller will collect, use, store, transmit, circulate, and transfer the personal data subject to Processing, which may be used by the Data Controller, its employees or contractors, consultants or collaborators, and business partners expressly authorized by the Data Controller who need access to this information.
- PURPOSE OF PERSONAL DATA PROCESSING
The Data Controller and the Processors or third parties with access to personal data under the law or a contractual relationship will process data for the following purposes, or for the purposes communicated at the time of collection. Therefore, as a Data Subject, I understand and accept that, by granting this authorization, I authorize the Data Controller to:
- Provide the services offered by the Data Controller in accordance with customer needs and carry out monitoring and follow-up activities.
- Fulfill contractual and legal obligations with customers, employees, contractors, suppliers, or collaborators.
- Understand, store, and process the information collected in one or more databases.
- Carry out activities for the offer, marketing, promotion, and commercialization of new services or products.
- Develop the Data Controller’s corporate purpose. This includes maintaining and processing information related to the customer’s business.
- Carry out actions related to the control and prevention of illegal activities such as fraud, money laundering, terrorism financing, and the financing of the proliferation of weapons of mass destruction. These actions include, among others, checking lists, providing data to national or international supervisory and control authorities, administrative or judicial authorities under legal or regulatory orders, as well as access to internal or external audits related to the commercial activities of the Data Controller.
- Perform operational, financial, accounting, administrative, and logistical processes of the Data Controller, including the archiving, protection, custody, and updating of the information and databases of the Data Controller.
- Transfer and transmit data to third parties based on a contractual relationship for administrative, operational, accounting, marketing, or commercial purposes.
- Comply with contractual and legal obligations such as tax obligations and perform accounting activities.
- Comply with information requirements made by administrative and judicial authorities.
- Evaluate risks arising from legal provisions or contractual relationships, verify commercial and reputational backgrounds, and consult databases or risk centers regarding compliance or non-compliance with credit obligations, legal duties, or other financial or administrative obligations related to the data subject.
- Promote services provided by the Data Controller or by a third party with whom there is a contractual relationship and make cross-selling offers of the Data Controller’s or third party’s services, as well as sending newsletters.
- Compile and disclose general statistical information (not specific data) for marketing campaigns, promotion of services, compliance with legal provisions, and conducting surveys of all kinds, including knowledge and satisfaction surveys.
- Carry out all those actions aimed at developing commercial activities between the Data Controller and its customers, employees, contractors, suppliers, and collaborators, which are typical of this type of activity.
- RIGHTS OF PERSONAL DATA SUBJECTS
In accordance with current regulations, data subjects have the following rights:
- Know, update, and rectify their personal data against the Data Controllers or Processors. This right may be exercised, among others, against partial, inaccurate, incomplete, fragmented, misleading data, or data whose Processing is expressly prohibited or has not been authorized.
- Request proof of the authorization granted to the Data Controller for the Processing, except when expressly exempted as a requirement for Processing, in accordance with the provisions of Article 10 of Law 1581 of 2012 or in the situation presented in paragraph 4 of Article 10 of Decree 1377 of 2013.
- Be informed by the Data Controller or Data Processor, upon request, regarding the use made of their personal data.
- File complaints with the Superintendency of Industry and Commerce for breaches of the provisions of Law 1581 of 2012 and other regulations that modify, add to, or complement it.
- Revoke the authorization and/or request the deletion of the data when the Processing does not respect the constitutional and legal principles, rights, and guarantees. Revocation and/or deletion will proceed when the Superintendency of Industry and Commerce has determined that the Data Controller or Processor has engaged in conduct contrary to this law and the Constitution.
- Access their personal data that has been subject to Processing free of charge.
- Request the deletion of their personal data from databases, provided there is no contractual obligation or legal duty that prevents access to the requested deletion.
- DATA CONTROLLER AND REQUESTS
Mateus Carlier S.A.S., identified with TIN 901.316.968-1, is a commercial company established under the laws of the Republic of Colombia and headquartered in Bogotá D.C., Colombia.
Address: Calle 138 57 76 AP 504 TO B, Bogotá D.C.
Website: www.mateuscarlier.com
Contact phone numbers: (+57) 315 294 44 48 and (+57) 300 486 39 73.
E-mail: contacto@mateuscarlier.com
Any inquiries or complaints related to the Processing of personal data must be made in writing to the Data Controller’s email address, and a final response will be provided no later than fifteen (15) business days after receiving the inquiry or complaint. The inquiry or complaint should contain the minimum information that allows the applicant to be identified, such as name and surnames, identification, contact information, as well as information regarding how they prefer to receive a response to the request and the reasons and facts that support the request.
- DUTIES OF THE DATA CONTROLLER
Mateus Carlier S.A.S., as the Data Controller for the Processing of personal data, must comply with the duties established in Article 17 of Law 1581 of 2012:
- Guarantee the Data Subject, at all times, the full and effective exercise of the right to habeas data.
- Request and keep, under the conditions provided in this law, a copy of the respective authorization granted by the Data Subject.
- Properly inform the Data Subject about the purpose of the collection and the rights conferred by virtue of the granted authorization.
- Keep the information under the necessary security conditions to prevent its alteration, loss, consultation, unauthorized or fraudulent use, or access.
- Ensure that the information provided to the Data Processor is truthful, complete, accurate, up-to-date, verifiable, and comprehensible.
- Update the information by promptly communicating to the Data Processor any news regarding the data that was previously provided and taking other necessary measures to keep the information supplied to the latter up-to-date.
- Rectify the information when it is incorrect and communicate the pertinent information to the Data Processor.
- Provide the Data Processor, as appropriate, only with data whose Processing has been previously authorized in accordance with the provisions of this law.
- Demand that the Data Processor at all times respect the conditions of security and privacy of the Data Subject’s information.
- Process queries and complaints made in the terms set out in this law.
- Adopt an internal manual of policies and procedures to ensure compliance with this law and, in particular, to handle queries and complaints.
- Inform the Data Processor when certain information is under discussion by the Data Subject, once the claim has been submitted and the respective process has not yet been concluded.
- Inform the data protection authority when security codes are violated and there are risks in the administration of Data Subjects’ information.
- Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.
- VALIDITY
This policy takes effect as of August 1, 2023.
This policy may be modified by Mateus Carlier S.A.S. when required, without the obligation of notification, as long as the modifications are not substantial.