The purpose of this Privacy Policy is to comply with Statutory Law 1581 of 2012, its Regulatory Decree 1074 of 2015 (Chapter 25), and other applicable regulations governing the Protection of Personal Data, including any that may complement, replace, amend, or repeal them. In particular, it seeks to guarantee the right of Habeas Data of the Holders of Personal Data.
This Privacy Policy applies to Arrubla Devis Asociados S.A.S. (hereinafter “Arrubla Devis”) in its capacity as Data Controller and to its employees, as well as to all third-party individuals or legal entities to whom it transfers Personal Data of the Data Subjects comprising the Stakeholder Groups of the Data Controller when such parties carry out any Processing of said data.
Company Name : Arrubla Devis Asociados SAS
Address: Medellín, Antioquia
Address: Carrera 37 No. 2 sur - 34
Email: info@arrubladevis.com [AD1]
Telephone: (604) 3229884
For this Privacy Policy, the following definitions shall apply:
Adolescent: individuals between 12 and 18 years of age.
Authorization: prior, express, and informed consent of the Data Subject to carry out the Processing of their Personal Data, which may be obtained (i) in writing, (ii) orally, or (iii) through unequivocal conduct that reasonably allows the conclusion that the authorization was granted.
Privacy Notice: a physical, electronic, or any other format document generated by the Data Controller, made available to the Data Subject for the Processing of their Personal Data. The Privacy Notice informs the Data Subject about the existence of applicable data processing policies, how to access them, and the characteristics of the intended Processing.
Database: an organized set of Personal Data subject to Processing.
Personal Data: any information linked or that may be associated with one or more identified or identifiable natural persons. Personal Data may be public, semi-private, private, or sensitive.
Private Data: data that, due to its intimate or reserved nature, is only relevant to the Data Subject.
Public Data: data classified as such by law or the Political Constitution, and any data that is not semi-private, private, or sensitive. Public data includes, among others, information related to a person’s marital status, profession or occupation, status as a merchant or public servant, and any data that can be obtained without restriction. By nature, public data can be found in public records, official documents, gazettes, and bulletins, which are subject to confidentiality.
Sensitive Data: data that affect the privacy of the Data Subject or whose misuse may lead to discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social or human rights organizations, or political parties, as well as data related to health, sexual life, and biometric data (fingerprints, iris, voice, gait, palm print, facial features, photographs, videos, among others).
Personal Data of Children and Adolescents shall be subject to the same rules and procedures as Sensitive Data. They shall not be processed in any way that may endanger or threaten their physical, mental, or emotional development.
Semi-private Data: data that is not intimate, reserved, or public and whose knowledge or disclosure may be of interest not only to the Data Subject but also to a group of people or society in general. Examples include information related to social security and financial or credit behavior.
Habeas Data Right: According to Article 15 of the Colombian Constitution and Statutory Laws 1266 of 2008 and 1581 of 2012 and their regulatory decrees, this is the right of all individuals to know, update, and rectify the information collected about them in databases and files held by public or private entities, and to request the inclusion, deletion, or revocation of authorization for the Processing of their Personal Data.
Data Processor: a natural or legal person, public or private, who, alone or in association with others, processes Personal Data on behalf of the Data Controller.
Stakeholder Groups: groups of natural persons whose Personal Data is processed by the Data Controller and/or its Data Processors.
Law 1266 of 2008: Statutory Law regulating the management of commercial, financial, credit, service-related, and foreign-sourced information contained in Databases.
Law 1581 of 2012: Statutory Law establishing general provisions for the Protection of Personal Data, distinct from those regulated by Law 1266 of 2008.
Child: a person between 0 and 12 years of age.
Personal Data Protection Officer: the person or area responsible for ensuring that inquiries and complaints related to Personal Data Protection are properly addressed, as designated in the Privacy Policy, and for ensuring that the Data Controller, its Operators, and/or Data Processors comply with applicable data protection regulations.
PQR: petitions, inquiries, and complaints submitted by Data Subjects or authorized individuals regarding Personal Data Protection.
Data Protection: all technical, human, and administrative measures necessary to ensure the security of records and prevent their alteration, loss, consultation, unauthorized or fraudulent use or access.
Data Controller: a natural or legal person, public or private, who, alone or in association with others, decides on the Database and/or the Processing of the data. For this Privacy Policy, Arrubla Devis is understood to be the Data Controller.
Data Subject: for the purposes of Law 1266 of 2008, the natural or legal person to whom the information in a database refers and who is the subject of the Habeas Data Right and other rights and guarantees established in said Law and its complementary, modifying, substituting, or repealing regulations. For the purposes of Law 1581 of 2012, the natural person whose Personal Data is subject to Processing.
Transfer: The Transfer of Personal Data occurs when the Data Controller and/or its Data Processor, located in Colombia, sends the information or Personal Data to a recipient who is also a Data Controller and is located within or outside the country.
Transmission: the Processing of Personal Data that involves the communication of such data within or outside the territory of the Republic of Colombia, when carried out by the Data Processor on behalf of the Data Controller.
Processing: any operation or set of operations on Personal Data, such as collection, storage, updating, use, circulation, Transfer, Transmission, or deletion.
The following are the Guiding Principles on Personal Data Protection, and will apply to the Processing carried out by the Data Controller, its employees and all third parties, natural or legal persons, to whom it transmits or transfers Personal Data of the Data Subjects that comprise its Interest Groups, when they carry out any Processing on them:
Principle of legality: The processing of personal data will be carried out in accordance with the legal requirements established in Statutory Law 1581 of 2012 and its regulatory decrees.
Principle of purpose: The processing of personal data must comply with a legitimate purpose in accordance with the constitution and the law, which must be communicated to the data subject.
Principle of freedom: Processing may only be carried out with the prior, express, and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial order that waives consent. Public Data is exempt from this principle and may be processed without requiring authorization from the Data Subject, in accordance with Law 1581 of 2012 and its Regulatory Decree 1074 of 2015.
Principle of truthfulness or quality: The information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. The processing of partial, incomplete, fragmented, or misleading data is prohibited.
Transparency Principle: Data Processing must guarantee the Data Subject's right to obtain, at any time and without restrictions, information about the existence of data concerning him or her.
Principle of restricted access and circulation: Personal data, except for public information, may not be made available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to Data Subjects or authorized third parties.
Security Principle: Information subject to Processing must be protected through the use of technical, human, and administrative measures necessary to ensure the security of records, preventing their adulteration, loss, unauthorized or fraudulent access, use, or consultation.
Confidentiality Principle: All persons involved in the processing of personal data are required to ensure the confidentiality of the information, even after their relationship with any of the tasks involved in the processing has ended.
Principle of necessity: Only data that is strictly necessary for the fulfillment of the purposes established in this Privacy Policy and/or those that are communicated to the Data Subjects through Privacy Notices will be collected.
The personal data held by Arrubla Devis, in its capacity as Data Controller and/or Data Processor, as applicable, shall be processed in compliance with current national legislation and best practices related to the personal data protection regime.
For this Privacy Policy, the Data Controller, either directly or through Data Processors, may collect, store, use, circulate, update, delete, or carry out any other type of Processing of the Personal Data of its Stakeholder Groups, for the purposes described below.
6.1. General Purposes for the Processing of Personal Data Applicable to All Stakeholder Groups
6.1.1. National and international transmission and transfer, storage, and safekeeping of information and/or Personal Data in physical files or on proprietary and/or third-party servers, located within or outside the country, in jurisdictions deemed secure or otherwise by the Superintendence of Industry and Commerce, whenever required for the company’s operations and its relationships with various Stakeholder Groups.
6.1.2. Registration and control of incoming and outgoing documents.
6.1.3. Organization and execution of programs, meetings, drills, training sessions, and events, as well as the preservation of documentary records such as attendance lists, photographs, voice recordings, and/or videos, which may be used for internal and/or external publications by the company and/or its strategic partners, including but not limited to: bulletin boards, website, social media, reports, and emails.
6.1.4. Design and implementation of surveys and interviews.
6.1.5. Sending communications related to the purposes outlined in this Privacy Policy, the activities of the Data Controller or its strategic partners, advertising, marketing, promotions, events, commercialization and promotion of products and/or services, website content updates, partnerships, and benefits, through professional, business, and/or personal contact details of the Data Subjects, including but not limited to landline and/or mobile phone, physical and/or email address, SMS and/or MMS text messages, social media, electronic media, and/or any other communication channel.
6.1.6. Controls, statistics, and historical records of relationships with Data Subjects from various Stakeholder Groups.
6.1.7. Internal performance indicators.
6.1.8. Decision-making support.
6.1.9. Registration and control of access to the Data Controller’s facilities.
6.1.10. Monitoring through video surveillance.
6.1.11. Security of facilities and individuals entering them.
6.1.12. Emergency response.
6.1.13. Support for internal and/or external audits, statutory audits, consulting, and implementation of improvement plans.
6.1.14. Implementation and compliance with the Self-Control and Comprehensive Risk Management System for Money Laundering and Terrorism Financing (SAGRILAFT) and other applicable regulations for the prevention of money laundering, terrorism financing, corruption, and proliferation of weapons of mass destruction, among other crimes.
6.1.15. Reporting to competent administrative and judicial authorities.
6.1.16. Response to requests from competent administrative and judicial authorities.
6.1.17. Preparation and filing of lawsuits and complaints before competent authorities, as well as exercising the right of defense in any administrative and/or judicial proceeding.
6.1.18. Fulfillment of obligations arising from contracts signed between the Data Controller and the Data Subjects, or with their contractors or employers.
6.1.19. Internal or external communications.
6.1.20. Financial and accounting management, creation of third-party records, and registration in the Data Controller’s databases.
6.1.21. Handling of PQRs (petitions, inquiries, and complaints).
6.1.22. Issuance of insurance policies and/or bank guarantees.
6.1.23. Purposes indicated in the authorization granted by the Data Subject and/or in the Privacy Notices, as well as those established by applicable regulations.
6.2. Purposes for the Processing of Personal Data of Shareholders
6.2.1. Convening and holding of ordinary and/or extraordinary shareholders’ meetings.
6.2.2. Preparation of meeting minutes.
6.2.3. Registration and preservation of minute books and shareholder registries.
6.2.4. Issuance and/or cancellation of share certificates.
6.2.5. Disclosure of shareholder status, including but not limited to onboarding forms for clients, insurers, financial institutions, contractors, and/or suppliers.
6.2.6. Declaration and payment of dividends.
6.2.7. Use of information for advertising and media purposes.
6.3. Purposes for the Processing of Personal Data of Applicants, Employees, Interns, and/or Active and Inactive Trainees and Their Families
6.3.1. Collection of résumés directly from the Data Subject or from third-party individuals or legal entities, either independently or on behalf of the Data Controller.
6.3.2. Execution of the recruitment process, including analysis and processing of résumés, validation of employment and/or personal references, verification of judicial and/or disciplinary records, interviews, and required occupational, psychotechnical, and/or competency assessments.
6.3.3. Retention of résumés and selection process results for future hiring processes and/or to comply with applicable legal requirements.
6.3.4. Employment or apprenticeship onboarding and contract execution.
6.3.5. ID badge issuance process.
6.3.6. Monitoring of contract renewal and/or termination.
6.3.7. Work scheduling and assignment of duties, roles, and profiles associated with the position held.
6.3.8. Registration of information for active and inactive employees, retirees, and their families and/or beneficiaries for social security and parafiscal contributions, payroll, bonuses, vacation, pension entitlements, and applicable settlements.
6.3.9. Activities related to organizational climate, culture, psychosocial risk management, and employee well-being for both direct and indirect employees and their families and/or beneficiaries.
6.3.10. Management of permits, leaves, and authorizations.
6.3.11. Execution of disciplinary proceedings.
6.3.12. Management of sanctions, warnings, reprimands, hearings, and dismissals with or without just cause.
6.3.13. Recording of disciplinary history.
6.3.14. Training and development.
6.3.15. Competency and performance evaluations.
6.3.16. Salary deductions permitted by current regulations and registration of garnishments ordered by competent authorities.
6.3.17. Issuance of employment certificates and/or references.
6.3.18. Delivery of uniforms and personal protective equipment.
6.3.19. Contracting of third-party services that benefit direct and indirect employees and their families and/or beneficiaries.
6.3.20. Compliance with current occupational health and safety regulations (SG-SST), including but not limited to: collection and analysis of health and sociodemographic data of direct and indirect, active and inactive employees; investigation and indicators of absenteeism, incidents, and accidents; occupational medical evaluations; road safety; reporting and investigation of workplace incidents and accidents; inspections and workstation assessments; verification of protective equipment use; hazard identification and unsafe behavior assessment; observation of safe behaviors and follow-up on commitments; formation and management of the Workplace Coexistence Committee, among others.
6.3.21. Activation of communication with the contact person designated by the Data Subject in case of accident, illness, and/or any other eventuality.
6.3.22. Hotel bookings, air or ground transportation tickets, provision of fuel and toll vouchers, per diems, travel allowances, and vehicle requests, among others.
6.3.23. Provision of information to clients, contractors, suppliers, and/or strategic partners for the execution of contracts signed with the Data Controller.
6.3.24. Time tracking and verification of hours worked.
6.3.25. Creation and management of usernames and passwords for access to various applications, software, technological and computing equipment, email accounts, and websites as required.
6.3.26. Creation and control of access and modification permissions for documents stored in work tools.
6.3.27. Transfer of proof of payment of social security and parafiscal contributions and training certificates to the Data Controller’s clients, when required for contract execution and/or payment for goods and/or services provided by the Data Controller as contractor and/or supplier.
6.4. Purposes for the Processing of Personal Data of Prospective, Current, and Former Clients, and Individuals Who Have Provided Their Contact Information via the Website and/or Social Media, and Their Collaborators
6.4.1. Behavioral analysis and market segmentation.
6.4.2. Offering of goods and/or services by the Data Controller and/or its strategic partners.
6.4.3. Inquiries and positive or negative reports of commercial, financial, and credit information to Database Operators or Administrators, Financial and Credit Institutions, Commercial Information Agencies, and legally established Credit Bureaus.
6.4.4. Sending of service proposals.
6.4.5. Execution of contracted legal advisory and judicial representation services, where applicable.
6.4.6. Response to received communications.
6.4.7. Billing processes.
6.4.8. Sending of advertisements, commercial and marketing information, legal updates, newsletters, and other relevant content.
6.4.9. Debt recovery management through persuasive, extrajudicial, and/or judicial collection.
6.4.10. Identification of debtors and co-debtors.
6.4.11. Client loyalty programs.
6.4.12. Transmission and transfer of contact data to data processors, contractors, suppliers, and/or strategic partners, so they may process the Data Subject’s Personal Data for the purposes outlined in this Privacy Policy.
6.5. Purposes for the Processing of Personal Data of Suppliers, Contractors, and Their Collaborators
6.5.1. Request, collection, and analysis of quotations and/or offers.
6.5.2. Invitations to participate in procurement processes.
6.5.3. Execution of procurement processes.
6.5.4. Request for references and third-party certificates.
6.5.5. Issuance of experience and contractual relationship certificates and references.
6.5.6. Execution of contracts and/or issuance of purchase and/or service orders for the acquisition of goods and/or services.
6.5.7. Contract administration.
6.5.8. Compliance with legal and contractual obligations.
6.5.9. Payment management.
6.5.10. Evaluation of contractors and suppliers.
6.5.11. Communication with suppliers, contractors, or their collaborators for the execution of signed contracts or issued service and/or purchase orders.
6.5.12. Verification of compliance with legal, technical, and/or financial requirements.
6.5.13. Verification of payment of salaries and social benefits of contractors, suppliers, and their collaborators, and their affiliation with the Occupational Risk Administrator (ARL).
6.5.14. Verification of compliance with occupational health and safety regulations (SG-SST) and/or any that complements, amend, replace, or repeal them.
6.5.15. Verification of compliance with regulations governing Personal Data Protection, and/or any that complement, amend, replace, or repeal them.
6.5.16. Scheduling of technical activities and confirmation of their execution.
6.5.17. Management of product quality claims.
6.5.18. Hotel bookings, air or ground tickets, provision of fuel and toll vouchers, per diems, and vehicle requests, among others, in the event of travel by contractors, suppliers, and/or their collaborators, when such obligations are stipulated in contracts under the responsibility of the Data Controller.
6.5.19. Loyalty programs for contractors and suppliers.
6.5.20. Transfer of proof of payment of social security and parafiscal contributions and training certificates to the Data Controller’s clients, when required for contract execution and/or payment processing for services rendered.
Manage the information necessary for the proper development of Arrubla Devis’s corporate purpose and to fulfill its corporate, tax, accounting, and other obligations.
To achieve the aforementioned purposes, Arrubla Devis may collect, retain, and store, either directly or through a third party, one or more databases, whether physical or electronic. By granting authorization for the processing of personal data, it is understood that Arrubla Devis is granted the broadest powers to carry out such processing by the law and the provisions of this policy, without prejudice to the rights of the Data Subjects.
The following are the rights of Personal Data Holders:
8.1. To know, update, and rectify your personal data with the Data Controllers or Data Processors. This right may be exercised, among other things, with respect to data that is partial, inaccurate, incomplete, fragmented, misleading, or whose processing is expressly prohibited or unauthorized.
8.2. Request proof of the authorization granted to the Data Controller, except when expressly exempted as a requirement for processing, in accordance with the provisions of Article 10 of Law 1581 of 2012.
8.3. Be informed by the Data Controller or the Data Processor, upon request, regarding the use of your personal data.
8.4. Submit complaints to the Superintendency of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and any other regulations that modify, supplement, or complement it.
8.5. Revoke authorization and/or request data deletion when the processing does not respect constitutional and legal principles, rights, and guarantees. Revocation and/or deletion will be appropriate when the Superintendency of Industry and Commerce has determined that, in the processing, the Controller or Processor has engaged in conduct contrary to Law 1581 of 2012 and the Constitution. However, the request for deletion of information and the revocation of authorization will not be appropriate when the Data Subject has a legal or contractual obligation to remain in the database.
8.6. Access free of charge to the personal data that has been subject to Processing: (i) at least once every calendar month, and (ii) every time there are substantial modifications to the Information Processing Policies that motivate new consultations.
When inquiries and complaints are required, the following procedure must be kept in mind:
9.1. Queries
Inquiries regarding personal data must be submitted in writing by the data subject or by legally authorized persons (demonstrating a legitimate interest) to the email or correspondence address indicated at the end of this Policy. These will be resolved within a maximum of ten (10) business days from the date of receipt.
However, when it is not possible to respond to the query within this period, the interested party will be informed before the expiration of ten (10) days, stating the reasons for the delay and indicating the date on which his/her request will be attended to, which in no case may exceed five (5) business days after the expiration of the first period.
9.2. Claims
Data subjects or legally authorized individuals (demonstrating a legitimate interest) who consider that the information contained in an Arrubla Devis database should be corrected, updated, or deleted, or who notice a presumed breach of any of the obligations contained in Law 1581 of 2012 or any other law that replaces or regulates it, may submit a written complaint through any of the channels provided for this purpose. The complaint must contain the following information:
-
Name and identification of the owner.
-
The precise and complete description of the facts giving rise to the claim.
-
The physical or electronic address to send the response and report on the status of the procedure.
-
The documents and other evidence that you intend to present.
If the claim is incomplete, Arrubla Devis will require the interested party within five (5) business days following its receipt to correct the requirements. After two (2) months from the date of the request, if the petitioner does not submit the requested information, it will be understood that he or she has withdrawn the claim. Once the complete claim has been received, Arrubla Devis will include in the respective database a legend that accompanies the personal data indicating "claim in process" and the reason for it, within a period of no more than two (2) business days. This legend will remain in effect until the claim is decided.
The maximum term to address the claim will be fifteen (15) business days counted from the day following the date of its receipt, and if it is not possible to respond within said term, Arrubla Devis will inform the interested party of the reasons for the delay and the date on which it will be addressed, without exceeding, in any case, eight (8) business days following the expiration of the first term.
To make requests, inquiries and complaints, or to exercise your rights, you can contact the administrative management of the company at the email address info@arrubladevis.com or by physical mail to our offices located in the city of Medellín at Carrera 37 No. 2 Sur - 34 and in the city of Bogotá at Calle 70 Bis No. 4 - 54. The personal data collected will remain in our databases for as long as necessary for the purposes established herein, without prejudice to the rights that assist the owners.
When inquiries and complaints are required, the following procedure must be kept in mind:
9.1. Queries
Inquiries regarding personal data must be submitted in writing by the data subject or by legally authorized persons (demonstrating a legitimate interest) to the email or correspondence address indicated at the end of this Policy. These will be resolved within a maximum of ten (10) business days from the date of receipt.
However, when it is not possible to respond to the query within this period, the interested party will be informed before the expiration of ten (10) days, stating the reasons for the delay and indicating the date on which his/her request will be attended to, which in no case may exceed five (5) business days after the expiration of the first period.
9.2. Claims
Data subjects or legally authorized individuals (demonstrating a legitimate interest) who consider that the information contained in an Arrubla Devis database should be corrected, updated, or deleted, or who notice a presumed breach of any of the obligations contained in Law 1581 of 2012 or any other law that replaces or regulates it, may submit a written complaint through any of the channels provided for this purpose. The complaint must contain the following information:
-
Name and identification of the owner.
-
The precise and complete description of the facts giving rise to the claim.
-
The physical or electronic address to send the response and report on the status of the procedure.
-
The documents and other evidence that you intend to present.
If the claim is incomplete, Arrubla Devis will require the interested party within five (5) business days following its receipt to correct the requirements. After two (2) months from the date of the request, if the petitioner does not submit the requested information, it will be understood that he or she has withdrawn the claim. Once the complete claim has been received, Arrubla Devis will include in the respective database a legend that accompanies the personal data indicating "claim in process" and the reason for it, within a period of no more than two (2) business days. This legend will remain in effect until the claim is decided.
The maximum term to address the claim will be fifteen (15) business days counted from the day following the date of its receipt, and if it is not possible to respond within said term, Arrubla Devis will inform the interested party of the reasons for the delay and the date on which it will be addressed, without exceeding, in any case, eight (8) business days following the expiration of the first term.
To make requests, inquiries and complaints, or to exercise your rights, you can contact the administrative management of the company at the email address info@arrubladevis.com or by physical mail to our offices located in the city of Medellín at Carrera 37 No. 2 Sur - 34 and in the city of Bogotá at Calle 70 Bis No. 4 - 54. The personal data collected will remain in our databases for as long as necessary for the purposes established herein, without prejudice to the rights that assist the owners.
-
It is the duty of the Data Controller:
10.1. Guarantee the Holder, at all times, the full and effective exercise of the Right to Habeas Data.
10.2. Request and retain, by any means and under the conditions provided for in Law 1581 of 2012, a copy of the respective authorization granted by the Owner.
10.3. Properly inform the Data Subject about the purpose of the collection and the rights to which he or she is entitled by virtue of the authorization granted.
10.4. Keep information under the security conditions necessary to prevent its alteration, loss, unauthorized or fraudulent consultation, use, or access.
10.5. Ensure that the information provided to the Data Processor is truthful, complete, accurate, up-to-date, verifiable, and understandable.
10.6. Update the information, promptly communicating to the Data Processor any new developments regarding the data previously provided and adopting any other measures necessary to ensure that the information provided to the Data Processor remains up-to-date.
10.7. Rectify information when it is incorrect and notify the Data Processor accordingly.
10.8. Provide the Data Processor, as applicable, only with data whose processing has been previously authorized in accordance with the provisions of Law 1581 of 2012.
10.9. Demand that the Data Processor respect the security and privacy conditions of the Data Subject's information at all times.
10.10. Process inquiries and complaints submitted in accordance with the terms set forth in Law 1581 of 2012.
10.11. Adopt an internal policies and procedures manual to ensure proper compliance with Law 1581 of 2012, especially for handling inquiries and complaints.
10.12. Inform the Data Processor when certain information is being disputed by the Data Subject, once the claim has been submitted and the respective process has not been completed.
10.13. Inform the Data Subject, upon request, about the use given to their data.
10.14. Inform the data protection authority when security code violations occur and when there are risks in the management of Data Subjects' information.
10.15. Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.
It is the duty of the Data Processor:
11.1. Comply with the Privacy Policy, as well as all procedures, guides, and/or directives issued by the Data Controller regarding Personal Data Protection, in the performance of contracted activities.
11.2. Adopt, in accordance with the Data Controller's instructions, all necessary technical, human, and administrative measures to ensure the security of the records, preventing their alteration, loss, unauthorized or fraudulent access, or access.
11.3. Implement a Personal Data Protection Policy that complies with the regulations governing the subject matter.
11.4. Process Personal Data in accordance with the instructions expressly received from the Data Controller, refraining from using them for purposes other than those contracted.
11.5. Refrain from providing, transferring, or marketing Personal Data to third parties, whether natural or legal, public or private, unless the data is of a public nature without reservation, or is required by a competent authority in the exercise of its legal functions.
11.6. Maintain strict confidentiality regarding personal data to which they have access in the performance of the contracted activities, as well as diligently fulfill the duty of protection and custody of said data throughout the term of the contract and even after its termination.
11.7. Access or consult the information or Personal Data held in the Data Controller's Databases only when strictly necessary for the performance of the contracted activities.
11.8. Report to the Data Controller immediately upon its occurrence or upon becoming aware of it, through the channels and means established by the Data Controller, any incident or threat of incident that directly or indirectly affects or may affect the protection of personal data.
11.9. Ensure at all times the full and effective exercise of the right to habeas data by data subjects, as well as due process in the event of complaints filed regarding personal data protection.
11.10. Promptly update, rectify, or delete data in accordance with Law 1581 of 2012.
11.11. Update the information reported by the Data Controller within five (5) business days from receipt.
11.12. Adopt an internal manual of policies and procedures to ensure proper compliance with Law 1581 of 2012 and, in particular, to address inquiries and complaints from Owners.
11.13. Refrain from circulating information that is being disputed by the Owner and whose blocking has been ordered by the Superintendency of Industry and Commerce.
11.14. Allow access to information only to those who are authorized to do so.
11.15. Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.
11.16. In the event of collecting data on behalf of the Data Controller, request authorization from the Data Subjects, where required, in accordance with the provisions of Law 1581 of 2012 and other regulations that complement, replace, modify, or repeal it.
Through this Privacy Policy, the person holding the position of Managing Associate is designated as the Personal Data Protection Officer.
This Privacy Policy is effective as of March 31, 2025.
The Databases subject to Processing by the Data Controller will be valid as long as the purposes for which the data were collected and/or the term established by Law persist.
The Data Controller reserves the right to modify this Privacy Policy at any time. In the event of substantial changes to its content, in relation to the identification of the Data Controller and/or the purposes of the processing of personal data, which may affect the content of the Authorization, the Data Controller will communicate these changes to the Data Subject before or at the latest at the time of implementing the new policies and will require a new authorization when the change relates to the purpose of the processing.
14.1. Autorización general. La Firma puede utilizar herramientas tecnológicas, incluyendo sistemas de inteligencia artificial, para apoyar la prestación de los servicios. Estas herramientas pueden emplearse en actividades como investigación jurídica, revisión de documentos, análisis de información y redacción de borradores.
14.2. Responsabilidad de la Firma. El uso de estas herramientas no exime a la Firma de su responsabilidad profesional. Todo producto generado con apoyo tecnológico es revisado y validado por los profesionales de la Firma antes de ser entregado al Cliente.
14.3. Medidas de protección. La Firma adopta medidas razonables para proteger la confidencialidad de la información del Cliente al utilizar herramientas tecnológicas, incluyendo la anonimización de la información y la selección de proveedores que ofrezcan garantías adecuadas de seguridad y privacidad de la información.
14.4. Consentimiento específico. Antes de introducir información confidencial del Cliente en herramientas de inteligencia artificial que operen bajo modelos de aprendizaje continuo o cuyos servidores estén ubicados fuera de Colombia, la Firma obtiene el consentimiento previo del Cliente, salvo que la herramienta ofrezca garantías verificables de que la información no será utilizada para entrenar modelos ni accesible por terceros.
14.5. Prohibición de entrenamiento. La Firma no autoriza a ningún proveedor de herramientas tecnológicas a utilizar la información del Cliente para entrenar, mejorar o desarrollar modelos de inteligencia artificial, bases de datos u otros productos, salvo autorización expresa del Cliente.
14.6. Eficiencia tecnológica y honorarios. Cuando el uso de herramientas tecnológicas genere eficiencias significativas en la prestación de los servicios, la Firma traslada al Cliente el beneficio de dichas eficiencias en la determinación de los honorarios, conforme al principio de razonabilidad.
1.1. Productos propiedad del Cliente. Los productos del trabajo específicos elaborados por la Firma para el Cliente en ejecución de los servicios contratados —contratos, demandas, conceptos, estrategias, memorandos y demás entregables— son propiedad del Cliente una vez pagados los honorarios correspondientes.
1.2. Propiedad de la Firma. Las metodologías, plantillas, modelos, bases de datos, herramientas y demás materiales preexistentes de la Firma que se utilicen en la prestación de los servicios continúan siendo propiedad exclusiva de la Firma. El Cliente recibe el beneficio de su uso, pero no adquiere derechos sobre ellos.
1.3. Experiencia adquirida. La Firma conserva el derecho de utilizar el conocimiento general, la experiencia y la experticia adquirida durante la prestación de los servicios, siempre que dicho uso no implique la divulgación de información confidencial.
1.4. Autorización para fines comerciales. El Cliente autoriza a la Firma a incluir su nombre en la lista de clientes y a hacer referencia general al tipo de servicio prestado, con fines comerciales y de portafolio. Esta autorización no incluye la divulgación de información confidencial ni de los detalles del encargo. El Cliente puede revocar esta autorización en cualquier momento mediante comunicación escrita.
yles.1.1. Responsabilidad por actos de terceros. Las opiniones y actuaciones de la Firma se basan en el conocimiento y la experiencia de sus profesionales y en la información disponible al momento de emitirlas. La Firma no es responsable por interpretaciones u opiniones distintas que adopten autoridades o terceros.
1.2. Responsabilidad por daños directos. La Firma responde por los daños causados al Cliente como consecuencia directa de su negligencia profesional o del incumplimiento de sus obligaciones contractuales. La responsabilidad de la Firma se limita al monto de los honorarios efectivamente pagados por el Cliente durante los doce (12) meses anteriores al hecho generador de la reclamación. Esta limitación no aplica en caso de dolo o culpa grave.
1.3. Eventos excluidos de responsabilidad. La Firma no es responsable por:
-
Daños indirectos, consecuenciales o lucro cesante.
-
Resultados adversos en procesos judiciales o administrativos, siempre que haya actuado con la diligencia debida.
-
Consecuencias derivadas de instrucciones del Cliente contrarias a la recomendación documentada de la Firma.
-
Perjuicios causados por información incompleta, inexacta o tardía suministrada por el Cliente.
1.4. Indemnidad. El Cliente indemniza y mantiene indemne a la Firma frente a reclamaciones de terceros que se deriven de: (i) información falsa, incompleta o inexacta proporcionada por el Cliente; (ii) instrucciones del Cliente contrarias a la recomendación documentada de la Firma; o (iii) el uso por parte del Cliente de los productos del trabajo en contextos distintos a los previstos en el encargo.
1.5. Exoneración personal. Las reclamaciones del Cliente derivadas de la prestación de los servicios solo pueden dirigirse contra la Firma como persona jurídica. El Cliente renuncia irrevocablemente a ejercer acciones contractuales o extracontractuales contra los socios, asociados, empleados o colaboradores de la Firma a título individual, salvo en caso de dolo.
1.6. Notificación de reclamaciones. El Cliente debe informar a la Firma por escrito sobre cualquier reclamación o circunstancia que pueda dar lugar a una reclamación, tan pronto como tenga conocimiento de ella. La notificación oportuna permite a la Firma investigar los hechos, adoptar medidas correctivas y activar la cobertura de cualquier seguro aplicable.
-
17.1. Verificación de conflictos de interés. La Firma verifica la existencia de conflictos de interés antes de aceptar cada encargo y de manera continua durante la prestación de los servicios, conforme al Decreto 196 de 1971 y a la Ley 1123 de 2007.
17.2. Conflicto sobreviniente. Si durante la ejecución de los servicios surge un conflicto de interés, la Firma informa al Cliente de inmediato. Si el conflicto no puede resolverse mediante mecanismos como la constitución de barreras éticas, la Firma puede renunciar al encargo conforme a la cláusula de terminación.
17.3. Deber de información. El Cliente se compromete a informar a la Firma sobre cualquier circunstancia que conozca y que pueda dar lugar a un conflicto de interés.
17.4. Consentimiento anticipado. Con la aceptación de la Propuesta, el Cliente autoriza a la Firma a representar a otros clientes en asuntos no relacionados con el encargo, incluso si dichos clientes tienen intereses adversos al Cliente en esos otros asuntos, siempre que la Firma cumpla con sus obligaciones de confidencialidad y no utilice información privilegiada del Cliente en beneficio de terceros. Esta autorización no se extiende a asuntos sustancialmente relacionados con el encargo del Cliente.
18.1. Revisión por circunstancias extraordinarias. Si se presentan circunstancias extraordinarias o imprevistas que incrementen sustancialmente el alcance de los servicios o su contraprestación, las partes revisan de buena fe las condiciones del encargo.
18.2. Terminación unilateral. Si no llegan a un acuerdo dentro de los treinta días calendario siguientes a la comunicación de la circunstancia, cualquiera de las partes puede dar por terminado el encargo sin que ello genere responsabilidad, quedando a salvo la obligación del Cliente de pagar los honorarios causados y los gastos incurridos hasta la fecha de terminación.
19.1. Aceptación de la Política SAGRILAFT. Con la aceptación de la Propuesta, el Cliente acepta la política SAGRILAFT de la Firma y se obliga a diligenciar el formulario de vinculación de clientes, en cumplimiento del Régimen de Medidas Mínimas para el Autocontrol y la Gestión del Riesgo Integral LA/FT/FPADM.
19.2. Declaración de recursos. El Cliente declara que los recursos destinados al pago de los honorarios provienen de actividades lícitas y que ni él ni sus beneficiarios reales se encuentran en listas restrictivas nacionales o internacionales.
19.3. Terminación por no diligenciar el formulario. La Firma se reserva el derecho de terminar el encargo si el Cliente no diligencia el formulario de vinculación, si la información suministrada resulta inconsistente, o si se identifica una operación sospechosa que deba ser reportada a la UIAF.
20.1. Cumplimiento de sanciones. El Cliente declara que ni él, ni sus beneficiarios reales, ni sus administradores se encuentran incluidos en listas de sanciones emitidas por la Oficina de Control de Activos Extranjeros de los Estados Unidos (OFAC), el Consejo de Seguridad de las Naciones Unidas, la Unión Europea o cualquier otra autoridad competente. Si durante la ejecución del encargo surge una circunstancia que vincule al Cliente con una persona o entidad sancionada, la Firma puede suspender o terminar los servicios de conformidad con la cláusula de terminación.
20.2. Anticorrupción. Las partes se comprometen a actuar de conformidad con todas las leyes anticorrupción aplicables, en la medida en que resulten aplicables al encargo. Ninguna de las partes ofrece, promete, autoriza o realiza pagos o entregas de valor a funcionarios públicos o a terceros con el propósito de obtener o retener una ventaja indebida.
21.1. Terminación por el Cliente. El Cliente puede terminar el encargo en cualquier momento por comunicación escrita a la Firma. La terminación no exime al Cliente del pago de los honorarios causados y los gastos incurridos hasta la terminación.
21.2. Terminación por la Firma. La Firma puede renunciar al encargo mediante comunicación escrita al Cliente con treinta días calendario de antelación, en los siguientes casos:
1. Incumplimiento del Cliente de sus obligaciones de pago o de colaboración.
2. Surgimiento de un conflicto de interés que no pueda resolverse.
3. Instrucción del Cliente de actuar en contra de la ley o de la ética profesional.
4. Pérdida sobreviniente de la confianza que debe existir entre abogado y cliente.
21.3. Terminación en procesos judiciales. En procesos judiciales en curso, la renuncia se somete a las formalidades y plazos de la ley procesal aplicable.
21.4. Efectos de la terminación. A la terminación del encargo, la Firma entrega al Cliente toda la documentación original y las copias que le pertenezcan, así como un informe del estado del asunto. Las obligaciones de confidencialidad, protección de datos e indemnidad sobreviven a la terminación.
21.5. Cesión. Ninguna de las partes puede ceder su posición contractual sin el consentimiento previo y escrito de la otra parte.
1.1. Conservación del expediente. Terminado el encargo, la Firma conserva copia del expediente del Cliente por un plazo de cinco años, salvo que la ley exija un plazo mayor. La conservación se realiza en condiciones que garanticen la seguridad y la confidencialidad de la información.
1.2. Solicitud de documentos. El Cliente puede solicitar la entrega de sus documentos originales en cualquier momento durante el plazo de conservación. Vencido el plazo, la Firma puede destruir la documentación previa notificación escrita al Cliente con treinta días de antelación.
1.3. Derecho de retención. Mientras el Cliente tenga obligaciones de pago pendientes con la Firma, esta puede retener los documentos y productos del trabajo elaborados en ejecución del encargo, hasta el pago completo de los honorarios y gastos adeudados. Esta facultad no se extiende a los documentos originales del Cliente ni a aquellos cuya retención pueda causarle un perjuicio grave e inminente.
1.1. Ley aplicable. Estas Condiciones Generales se rigen por las leyes de Colombia.
1.2. Solución de controversias. Las controversias entre las partes se resuelven de la siguiente manera:
-
Las partes intentan resolver la controversia de manera directa, mediante negociación de buena fe dentro de los treinta días calendario siguientes a la comunicación escrita de la controversia.
-
Si la negociación directa no produce un acuerdo, la controversia debe someterse a la decisión de un tribunal arbitral compuesto por un único árbitro, que decidirá en derecho. El tribunal sesionará en el Centro de Arbitraje y Conciliación de la Cámara de Comercio de Medellín, de acuerdo con su reglamento vigente. El árbitro será designado de común acuerdo entre las partes y, a falta de acuerdo dentro de los quince días siguientes a la solicitud de arbitraje, será designado por el Centro.
-
El tribunal arbitral también será competente para conocer procesos ejecutivos derivados de la relación contractual, incluyendo el cobro de facturas y cualquier otro título ejecutivo, de conformidad con el artículo 2 de la Ley 1563 de 2012, modificado por el artículo 68 de la Ley 2220 de 2022.
-
Los costos del arbitraje serán asumidos por la parte vencida, salvo decisión en contrario del árbitro.
-
1.1. Derecho de reclamación. El Cliente que considere que la Firma ha prestado los servicios de manera deficiente o que ha incumplido sus obligaciones contractuales tiene derecho a presentar una reclamación formal.
1.2. Trámite. La reclamación debe presentarse por escrito al socio responsable del servicio o, si la reclamación involucra a ese socio, al socio director de la Firma. La Firma debe acusar recibo de la reclamación dentro de los cinco días hábiles siguientes, investigar los hechos y comunica al Cliente su respuesta dentro de los treinta días calendario siguientes al acuse de recibo. El procedimiento de reclamación es gratuito y no impide al Cliente ejercer las acciones legales que considere pertinentes.
25.1. Modificaciones. La Firma puede modificar estas Condiciones Generales. Las modificaciones aplican a las Propuestas aceptadas con posterioridad a la fecha de la modificación. Las Propuestas vigentes se rigen por la versión de las Condiciones Generales en vigor al momento de su aceptación, salvo acuerdo en contrario.
25.2. Independencia de las cláusulas. Si alguna disposición de estas Condiciones Generales resulta inválida o inaplicable, las demás disposiciones conservan validez.
25.3. Integridad del acuerdo. La Propuesta aceptada por el Cliente, junto con estas Condiciones Generales y cualquier anexo que las partes acuerden, constituyen la totalidad del acuerdo entre las partes respecto de los servicios contratados y reemplazan cualquier negociación, comunicación o acuerdo previo, oral o escrito, sobre el mismo objeto.
25.4. Protección al consumidor. Si el Cliente es una persona natural que contrata los servicios de la Firma para fines ajenos a su actividad profesional o empresarial, las limitaciones de responsabilidad, las cláusulas de exoneración y las disposiciones sobre jurisdicción contenidas en estas Condiciones Generales se interpretan y aplican de conformidad con el Estatuto del Consumidor (Ley 1480 de 2011) y las normas que lo complementen o modifiquen. En caso de conflicto, prevalecen las normas de protección al consumidor.
25.5. Información regulatoria. Arrubla Devis Asociados S.A.S. es una sociedad colombiana constituida conforme a las leyes de la República de Colombia, identificada con NIT 901.059.985-2, con domicilio principal en Medellín. Los abogados de la Firma están inscritos en el Registro Nacional de Abogados y sujetos al régimen disciplinario de la Ley 1123 de 2007 y demás normas aplicables al ejercicio de la abogacía en Colombia.
25.6. Vigencia. Estas Condiciones Generales, versión 2026.1, rigen a partir del primero (1) de marzo de 2026 y permanecen vigentes hasta su modificación o reemplazo por la Firma. Cada versión se identifica por su número y fecha de expedición.