asesorias@legalaw.co

POLICIES

Personal data processing policy

PERSONAL DATA PROCESSING POLICY

1. Introduction:

In accordance with Article 15 of the Political Constitution of Colombia, which establishes the right of all individuals to know, update, and rectify information collected in databases and files of public and private entities, and Article 20 of the same Constitution, which establishes the right to information, including the right to access, consult, rectify, or delete their information, it is necessary for LEGALAW to implement this policy, which outlines its responsibilities in this matter.

2. Objective:

The objective of our policy is to ensure the protection and respect of the personal data of our clients, suppliers, employees, and partners. We are committed to processing personal data in accordance with the law, establishing criteria for the collection, storage, use, circulation, deletion, and general disposal of personal data processed by LEGALAW.

3. Recipients:

This policy is aimed at LEGALAW‘s clients, providing them with the necessary and sufficient information regarding the processing and applicable purposes of the information contained in the databases, as well as the rights they have as data holders, which they may exercise at any time with LEGALAW when it is responsible for the processing of such data.

4. Responsible for Personal Data Processing:

5. Obligations of the Responsible Party:

LEGALAW is responsible for the processing of personal data contained in the company’s information databases. It is obligated to ensure that this information is processed lawfully, fairly, and transparently, in accordance with the purposes and specifications that must be previously informed to the data holder.

6. Validity of Databases:

LEGALAW will apply the contents of this document to the databases for as long as necessary to fulfill the purposes mentioned in the respective authorizations granted by the data holders and as long as it is necessary to comply with legal and/or contractual obligations.

7. Definitions:

For the purposes of this policy and in accordance with current regulations on personal data protection, the following definitions shall apply:

  • Authorization: Prior, express, and informed consent of the data holder to carry out the processing of personal data.

  • Privacy Notice: Verbal or written communication generated by the responsible party, addressed to the data holder, informing them about the existence of the information processing policies applicable to them, how to access them, and the purposes of the processing intended for the personal data.

  • Database: An organized set of personal data that is subject to processing.

  • Successor: A person who has succeeded another due to the latter’s death (heir).

  • Processor: A natural or legal person, public or private, who, alone or in association with others, processes personal data on behalf of the data controller.

  • Controller: A natural or legal person, public or private, who, alone or in association with others, decides on the database and/or the processing of the data.

  • Data Holder: A natural person whose personal data is subject to processing.

  • Source of Information: The person, entity, or organization that receives or becomes aware of personal data from the data holders, by virtue of a commercial or service relationship or any other type of relationship, and that, by legal authorization or authorization from the data holder, provides such data to an information operator, who in turn delivers it to the end user.

  • Information Operator: The person, entity, or organization that receives personal data from the source about several data holders, manages it, and makes it known to users.

  • User: A natural or legal person who can access personal information of one or more data holders provided by the operator or the source, or directly by the data holder.

  • Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.

  • Transfer: The transfer of data occurs when the controller and/or processor of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is responsible for the processing and is located inside or outside the country.

  • Transmission: The processing of personal data that involves the communication of such data within or outside the territory of the Republic of Colombia when it is intended for processing by the processor on behalf of the controller.

8. Processing and Purpose:

The processing that LEGALAW will carry out, or whoever represents its rights or holds the status of creditor in the future, with the personal information contained in its databases, will be for the collection, storage, use, and circulation in applicable cases, and will have the following purposes:

  • Use personal data to offer, manage, and execute the legal services requested by the user, such as consultations, advice, and legal representation.

  • Carry out administrative management related to the services offered, including billing, collection, and payment tracking, as well as contract management.

  • Contact the user by electronic or physical means for informational purposes regarding the progress of the requested services, legal notifications, or any aspect related to their request.

  • Send information related to additional services or products related to the legal field, newsletters, legal updates, or promotions, provided that the user has given explicit consent.

  • Use personal data to comply with any applicable legal or regulatory obligations, including those related to fraud prevention, taxation, and auditing.

  • Conduct statistical analyses and studies on the use of the website and the services offered to improve their quality and personalization.

  • Use the data to protect the rights and interests of the website, the user, and third parties, in cases of disputes or to defend potential legal claims.

  • Collect and analyze personal data to prevent fraud or illicit activities in the use of the services offered.

  • Collect data for analysis and improvement of the user experience on the website, including the personalization of content and functionalities.

  • If necessary, share the data with other legal professionals or entities related to the services, always within the framework of the established purposes and in accordance with applicable regulations.

9. Rights of Data Holders:

  • Access free of charge to the data provided that has been processed.

  • Know, update, and rectify their information in the case of partial, inaccurate, incomplete, fragmented, or misleading data, or data whose processing is prohibited or unauthorized.

  • Request proof of the authorization granted for the processing of data, through any valid means, except in cases where authorization is not required.

  • Be informed by the Controller and Processor of the personal data, upon request, about the use that has been given to their data.

  • File complaints with the Superintendence of Industry and Commerce, or the entity that replaces it, for violations of the current regulations and other norms that modify, add, or complement them, after a consultation or request process.

  • Revoke the authorization and/or request the deletion of the data, provided that there is no legal or contractual obligation that makes it imperative to retain the information.

  • Access free of charge to their personal data that has been processed, at least once every calendar month, and whenever there are substantial modifications to this policy that motivate new consultations.

The aforementioned rights may be exercised by:

  • The data holder, who must sufficiently prove their identity through the various means made available to them.

  • The successors of the data holder, who must prove such status.

  • The representative and/or attorney of the data holder, upon proof of representation or power of attorney.

  • Another person in favor of or for whom the data holder has stipulated.

10. Duties of Controllers and Processors:

  • Guarantee the data holder, at all times, the full and effective exercise of the right to habeas data.

  • Request and retain a copy of the respective authorization granted by the data holder for the processing of personal data.

  • Properly inform the data holder about the purpose of the collection and the rights they have by virtue of the authorization granted.

  • Retain the information under the necessary security conditions to prevent its alteration, loss, consultation, use, or unauthorized or fraudulent access.

  • Ensure that the information is truthful, complete, accurate, up-to-date, verifiable, and understandable.

  • Update the information in a timely manner, thus addressing all new developments regarding the data holder’s information. Additionally, all necessary measures must be implemented to ensure that the information remains up-to-date.

  • Rectify the information when it is incorrect and communicate the relevant changes.

  • Respect the security and privacy conditions of the data holder’s information.

  • Process queries and complaints filed in the terms indicated by the law.

  • Identify when certain information is under dispute by the data holder.

  • Inform the data holder, upon request, about the use given to their data.

  • Inform the data protection authority when there are violations of security codes and risks in the management of the data holders’ information.

  • Comply with the requirements and instructions issued by the Superintendence of Industry and Commerce on the subject.

  • Use only data whose processing has been previously authorized in accordance with the provisions of Law 1581 of 2012.

  • Ensure the proper use of personal data of children and adolescents, in cases where the processing of their data is authorized.

  • Record in the database the legend “claim in process” in the manner regulated by law.

  • Insert in the database the legend “information under judicial dispute” once notified by the competent authority about judicial processes related to the quality of the personal data.

  • Refrain from circulating information that is being contested by the data holder and whose blocking has been ordered by the Superintendence of Industry and Commerce.

  • Allow access to the information only to persons who are authorized to access it.

  • Use the data holder’s personal data only for the purposes for which they are duly authorized and always respecting current regulations on personal data protection.

11. Procedure for Handling Queries, Complaints, Requests for Rectification, Updating, and Deletion of Data:

The channels for handling queries, complaints, requests for rectification, updating, and deletion of data are the email asesorias@legalaw.co or the cell phone number 3102504296. The requests of the data holders to exercise their rights will be processed as follows:

i) Queries: Data holders or their successors may query the personal information of the data holder. With respect to the handling of personal data query requests, the following is guaranteed:

  • Enable electronic communication channels or others deemed appropriate.

  • Use the customer service or claims services that are in operation.

  • In any case, regardless of the mechanism implemented for handling query requests, they will be addressed within a maximum term of 10 business days from the date of receipt. When it is not possible to address the query within this term, the interested party will be informed before the expiration of the 10 days, stating the reasons for the delay and indicating the date on which the query will be addressed, which in no case may exceed 5 business days following the expiration of the first term.

  • Queries may be submitted to the email asesorias@legalaw.co.

ii) Complaints: The data holder or their successors who consider that the information contained in a database should be corrected, updated, or deleted, or who notice the alleged non-compliance with any of the duties contained in the law, may file a complaint with LEGALAW at the email asesorias@legalaw.co, identifying the data holder, describing the facts that give rise to the complaint, providing the address, and attaching the documents they wish to assert. If the complaint is incomplete, the interested party will be required within 5 days following receipt of the complaint to correct the deficiencies.

After 2 months from the date of the requirement, without the applicant submitting the required information, it will be understood that they have withdrawn the complaint. If the recipient of the complaint is not competent to resolve it, they will refer it to the competent party within a maximum term of 2 business days and will inform the interested party of the situation. Once the complete complaint is received, it will be labeled as “claim in process” and the reason for it, within a term not exceeding 2 business days. This label will remain until the complaint is resolved.

The maximum term for addressing the complaint will be 15 business days from the day following the date of receipt. When it is not possible to address the complaint within this term, the interested party will be informed of the reasons for the delay and the date on which the complaint will be addressed, which in no case may exceed 8 business days following the expiration of the first term.

iii) Requests for Updating and/or Rectification:

LEGALAW will rectify and update, at the request of the data holder, the information that is incomplete or inaccurate, in accordance with the procedure and terms indicated above, for which it will be considered that the data holder must submit the request to the email asesorias@legalaw.co or in physical form, indicating the updating and/or rectification to be made and providing the documentation that supports their request.

iv) Request for Deletion of Data:

The data holder has the right to request LEGALAW to delete their personal data from the databases in any of the following events:

  • When they consider that the data is not being processed in accordance with the principles, duties, and obligations established in the current regulations.

  • The data is no longer necessary or relevant for the purpose for which it was collected.

  • The period necessary for the fulfillment of the purposes for which it was collected has been exceeded.

12. Minimum Requirements for Exercising the Right to Habeas Data:

In compliance with the regulations on personal data protection, the minimum requirements that must be informed for the filing and handling of requests are the following:

  • Full name and surname

  • Contact details

  • Means to receive a response to the request

  • Reason(s) or fact(s) that give rise to the complaint with a brief description of the right to be exercised (know, update, rectify, request proof of the authorization granted, revoke it, delete, access the information)

  • Signature and identification number

It is important to mention that the data holder who is totally or partially denied the exercise of the rights of access, updating, rectification, deletion, and revocation may bring their case to the attention of the Superintendence of Industry and Commerce.

13. Modification and/or Updating of the Data Protection and Information Management Policy:

Any substantial change in this policy will be communicated in a timely manner to the data holders through the usual contact channels and/or through posters, QR codes, or the LEGALAW website.

Contact us

Language