The purpose of this Privacy Policy is to comply with Statutory Law 1581 of 2012, its Regulatory Decree 1074 of 2015 (Chapter 25), and other applicable regulations governing the Protection of Personal Data, including any that may complement, replace, amend, or repeal them. In particular, it seeks to guarantee the right of Habeas Data of the Holders of Personal Data.
This Privacy Policy applies to Arrubla Devis Asociados S.A.S. (hereinafter “Arrubla Devis”) in its capacity as Data Controller and to its employees, as well as to all third-party individuals or legal entities to whom it transfers Personal Data of the Data Subjects comprising the Stakeholder Groups of the Data Controller when such parties carry out any Processing of said data.
Company Name: Arrubla Devis Asociados SAS
Address: Medellín, Antioquia
Address: Carrera 37 No. 2 sur - 34
Email: info@arrubladevis.com
Telephone: (604) 3229884
For this Privacy Policy, the following definitions shall apply:
Adolescent: individuals between 12 and 18 years of age.
Authorization: prior, express, and informed consent of the Data Subject to carry out the Processing of their Personal Data, which may be obtained (i) in writing, (ii) orally, or (iii) through unequivocal conduct that reasonably allows the conclusion that the authorization was granted.
Privacy Notice: a physical, electronic, or any other format document generated by the Data Controller, made available to the Data Subject for the Processing of their Personal Data. The Privacy Notice informs the Data Subject about the existence of applicable data processing policies, how to access them, and the characteristics of the intended Processing.
Database: an organized set of Personal Data subject to Processing.
Personal Data: any information linked or that may be associated with one or more identified or identifiable natural persons. Personal Data may be public, semi-private, private, or sensitive.
Private Data: data that, due to its intimate or reserved nature, is only relevant to the Data Subject.
Public Data: data classified as such by law or the Political Constitution, and any data that is not semi-private, private, or sensitive. Public data includes, among others, information related to a person’s marital status, profession or occupation, status as a merchant or public servant, and any data that can be obtained without restriction. By nature, public data can be found in public records, official documents, gazettes, and bulletins, which are subject to confidentiality.
Sensitive Data: data that affect the privacy of the Data Subject or whose misuse may lead to discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social or human rights organizations, or political parties, as well as data related to health, sexual life, and biometric data (fingerprints, iris, voice, gait, palm print, facial features, photographs, videos, among others).
Personal Data of Children and Adolescents shall be subject to the same rules and procedures as Sensitive Data. They shall not be processed in any way that may endanger or threaten their physical, mental, or emotional development.
Semi-private Data: data that is not intimate, reserved, or public and whose knowledge or disclosure may be of interest not only to the Data Subject but also to a group of people or society in general. Examples include information related to social security and financial or credit behavior.
Habeas Data Right: According to Article 15 of the Colombian Constitution and Statutory Laws 1266 of 2008 and 1581 of 2012 and their regulatory decrees, this is the right of all individuals to know, update, and rectify the information collected about them in databases and files held by public or private entities, and to request the inclusion, deletion, or revocation of authorization for the Processing of their Personal Data.
Data Processor: a natural or legal person, public or private, who, alone or in association with others, processes Personal Data on behalf of the Data Controller.
Stakeholder Groups: groups of natural persons whose Personal Data is processed by the Data Controller and/or its Data Processors.
Law 1266 of 2008: Statutory Law regulating the management of commercial, financial, credit, service-related, and foreign-sourced information contained in Databases.
Law 1581 of 2012: Statutory Law establishing general provisions for the Protection of Personal Data, distinct from those regulated by Law 1266 of 2008.
Child: a person between 0 and 12 years of age.
Personal Data Protection Officer: the person or area responsible for ensuring that inquiries and complaints related to Personal Data Protection are properly addressed, as designated in the Privacy Policy, and for ensuring that the Data Controller, its Operators, and/or Data Processors comply with applicable data protection regulations.
PQR: petitions, inquiries, and complaints submitted by Data Subjects or authorized individuals regarding Personal Data Protection.
Data Protection: all technical, human, and administrative measures necessary to ensure the security of records and prevent their alteration, loss, consultation, unauthorized or fraudulent use or access.
Data Controller: a natural or legal person, public or private, who, alone or in association with others, decides on the Database and/or the Processing of the data. For this Privacy Policy, Arrubla Devis is understood to be the Data Controller.
Data Subject: for the purposes of Law 1266 of 2008, the natural or legal person to whom the information in a database refers and who is the subject of the Habeas Data Right and other rights and guarantees established in said Law and its complementary, modifying, substituting, or repealing regulations. For the purposes of Law 1581 of 2012, the natural person whose Personal Data is subject to Processing.
Transfer: The Transfer of Personal Data occurs when the Data Controller and/or its Data Processor, located in Colombia, sends the information or Personal Data to a recipient who is also a Data Controller and is located within or outside the country.
Transmission: the Processing of Personal Data that involves the communication of such data within or outside the territory of the Republic of Colombia, when carried out by the Data Processor on behalf of the Data Controller.
Processing: any operation or set of operations on Personal Data, such as collection, storage, updating, use, circulation, Transfer, Transmission, or deletion.
The following are the Guiding Principles on Personal Data Protection, which apply to the Processing carried out by the Data Controller, its employees, and all third parties, natural or legal persons, to whom it transmits or transfers Personal Data of the Data Subjects that comprise its Stakeholder Groups, when they carry out any Processing of such data:
Principle of legality: The processing of personal data will be carried out in accordance with the legal requirements established in Statutory Law 1581 of 2012 and its regulatory decrees.
Principle of purpose: The processing of personal data must comply with a legitimate purpose in accordance with the constitution and the law, which must be communicated to the data subject.
Principle of freedom: Processing may only be carried out with the prior, express, and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial order that waives consent. Public Data is exempt from this principle and may be processed without requiring authorization from the Data Subject, in accordance with Law 1581 of 2012 and its Regulatory Decree 1074 of 2015.
Principle of truthfulness or quality: The information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. The processing of partial, incomplete, fragmented, or misleading data is prohibited.
Transparency Principle: Data Processing must guarantee the Data Subject's right to obtain, at any time and without restrictions, information about the existence of data concerning him or her.
Principle of restricted access and circulation: Personal data, except for public information, may not be made available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to Data Subjects or authorized third parties.
Security Principle: Information subject to Processing must be protected through the use of technical, human, and administrative measures necessary to ensure the security of records, preventing their adulteration, loss, unauthorized or fraudulent access, use, or consultation.
Confidentiality Principle: All persons involved in the processing of personal data are required to ensure the confidentiality of the information, even after their relationship with any of the tasks involved in the processing has ended.
Principle of necessity: Only data that is strictly necessary for the fulfillment of the purposes established in this Privacy Policy and/or those that are communicated to the Data Subjects through Privacy Notices will be collected.
The personal data held by Arrubla Devis, in its capacity as Data Controller and/or Data Processor, as applicable, shall be processed in compliance with current national legislation and best practices related to the personal data protection regime.
For this Privacy Policy, the Data Controller, either directly or through Data Processors, may collect, store, use, circulate, update, delete, or carry out any other type of Processing of the Personal Data of its Stakeholder Groups, for the purposes described below.
6.1. General Purposes for the Processing of Personal Data Applicable to All Stakeholder Groups
6.1.1. National and international transmission and transfer, storage, and safekeeping of information and/or Personal Data in physical files or on proprietary and/or third-party servers, located within or outside the country, in jurisdictions deemed secure or otherwise by the Superintendence of Industry and Commerce, whenever required for the company’s operations and its relationships with various Stakeholder Groups.
6.1.2. Registration and control of incoming and outgoing documents.
6.1.3. Organization and execution of programs, meetings, drills, training sessions, and events, as well as the preservation of documentary records such as attendance lists, photographs, voice recordings, and/or videos, which may be used for internal and/or external publications by the company and/or its strategic partners, including but not limited to: bulletin boards, website, social media, reports, and emails.
6.1.4. Design and implementation of surveys and interviews.
6.1.5. Sending communications related to the purposes outlined in this Privacy Policy, the activities of the Data Controller or its strategic partners, advertising, marketing, promotions, events, commercialization and promotion of products and/or services, website content updates, partnerships, and benefits, through professional, business, and/or personal contact details of the Data Subjects, including but not limited to landline and/or mobile phone, physical and/or email address, SMS and/or MMS text messages, social media, electronic media, and/or any other communication channel.
6.1.6. Controls, statistics, and historical records of relationships with Data Subjects from various Stakeholder Groups.
6.1.7. Internal performance indicators.
6.1.8. Decision-making support.
6.1.9. Registration and control of access to the Data Controller’s facilities.
6.1.10. Monitoring through video surveillance.
6.1.11. Security of facilities and individuals entering them.
6.1.12. Emergency response.
6.1.13. Support for internal and/or external audits, statutory audits, consulting, and implementation of improvement plans.
6.1.14. Implementation and compliance with the Self-Control and Comprehensive Risk Management System for Money Laundering and Terrorism Financing (SAGRILAFT) and other applicable regulations for the prevention of money laundering, terrorism financing, corruption, and proliferation of weapons of mass destruction, among other crimes.
6.1.15. Reporting to competent administrative and judicial authorities.
6.1.16. Response to requests from competent administrative and judicial authorities.
6.1.17. Preparation and filing of lawsuits and complaints before competent authorities, as well as exercising the right of defense in any administrative and/or judicial proceeding.
6.1.18. Fulfillment of obligations arising from contracts signed between the Data Controller and the Data Subjects, or with their contractors or employers.
6.1.19. Internal or external communications.
6.1.20. Financial and accounting management, creation of third-party records, and registration in the Data Controller’s databases.
6.1.21. Handling of PQRs (petitions, inquiries, and complaints).
6.1.22. Issuance of insurance policies and/or bank guarantees.
6.1.23. Purposes indicated in the authorization granted by the Data Subject and/or in the Privacy Notices, as well as those established by applicable regulations.
6.2. Purposes for the Processing of Personal Data of Shareholders
6.2.1. Convening and holding of ordinary and/or extraordinary shareholders’ meetings.
6.2.2. Preparation of meeting minutes.
6.2.3. Registration and preservation of minute books and shareholder registries.
6.2.4. Issuance and/or cancellation of share certificates.
6.2.5. Disclosure of shareholder status, including but not limited to onboarding forms for clients, insurers, financial institutions, contractors, and/or suppliers.
6.2.6. Declaration and payment of dividends.
6.2.7. Use of information for advertising and media purposes.
6.3. Purposes for the Processing of Personal Data of Applicants, Employees, Interns, and/or Active and Inactive Trainees and Their Families
6.3.1. Collection of résumés directly from the Data Subject or from third-party individuals or legal entities, either independently or on behalf of the Data Controller.
6.3.2. Execution of the recruitment process, including analysis and processing of résumés, validation of employment and/or personal references, verification of judicial and/or disciplinary records, interviews, and required occupational, psychotechnical, and/or competency assessments.
6.3.3. Retention of résumés and selection process results for future hiring processes and/or to comply with applicable legal requirements.
6.3.4. Employment or apprenticeship onboarding and contract execution.
6.3.5. ID badge issuance process.
6.3.6. Monitoring of contract renewal and/or termination.
6.3.7. Work scheduling and assignment of duties, roles, and profiles associated with the position held.
6.3.8. Registration of information for active and inactive employees, retirees, and their families and/or beneficiaries for social security and parafiscal contributions, payroll, bonuses, vacation, pension entitlements, and applicable settlements.
6.3.9. Activities related to organizational climate, culture, psychosocial risk management, and employee well-being for both direct and indirect employees and their families and/or beneficiaries.
6.3.10. Management of permits, leaves, and authorizations.
6.3.11. Execution of disciplinary proceedings.
6.3.12. Management of sanctions, warnings, reprimands, hearings, and dismissals with or without just cause.
6.3.13. Recording of disciplinary history.
6.3.14. Training and development.
6.3.15. Competency and performance evaluations.
6.3.16. Salary deductions permitted by current regulations and registration of garnishments ordered by competent authorities.
6.3.17. Issuance of employment certificates and/or references.
6.3.18. Delivery of uniforms and personal protective equipment.
6.3.19. Contracting of third-party services that benefit direct and indirect employees and their families and/or beneficiaries.
6.3.20. Compliance with current occupational health and safety regulations (SG-SST), including but not limited to: collection and analysis of health and sociodemographic data of direct and indirect, active and inactive employees; investigation and indicators of absenteeism, incidents, and accidents; occupational medical evaluations; road safety; reporting and investigation of workplace incidents and accidents; inspections and workstation assessments; verification of protective equipment use; hazard identification and unsafe behavior assessment; observation of safe behaviors and follow-up on commitments; formation and management of the Workplace Coexistence Committee, among others.
6.3.21. Activation of communication with the contact person designated by the Data Subject in case of accident, illness, and/or any other eventuality.
6.3.22. Hotel bookings, air or ground transportation tickets, provision of fuel and toll vouchers, per diems, travel allowances, and vehicle requests, among others.
6.3.23. Provision of information to clients, contractors, suppliers, and/or strategic partners for the execution of contracts signed with the Data Controller.
6.3.24. Time tracking and verification of hours worked.
6.3.25. Creation and management of usernames and passwords for access to various applications, software, technological and computing equipment, email accounts, and websites as required.
6.3.26. Creation and control of access and modification permissions for documents stored in work tools.
6.3.27. Transfer of proof of payment of social security and parafiscal contributions and training certificates to the Data Controller’s clients, when required for contract execution and/or payment for goods and/or services provided by the Data Controller as contractor and/or supplier.
6.4. Purposes for the Processing of Personal Data of Prospective, Current, and Former Clients, and Individuals Who Have Provided Their Contact Information via the Website and/or Social Media, and Their Collaborators
6.4.1. Behavioral analysis and market segmentation.
6.4.2. Offering of goods and/or services by the Data Controller and/or its strategic partners.
6.4.3. Inquiries and positive or negative reports of commercial, financial, and credit information to Database Operators or Administrators, Financial and Credit Institutions, Commercial Information Agencies, and legally established Credit Bureaus.
6.4.4. Sending of service proposals.
6.4.5. Execution of contracted legal advisory and judicial representation services, where applicable.
6.4.6. Response to received communications.
6.4.7. Billing processes.
6.4.8. Sending of advertisements, commercial and marketing information, legal updates, newsletters, and other relevant content.
6.4.9. Debt recovery management through persuasive, extrajudicial, and/or judicial collection.
6.4.10. Identification of debtors and co-debtors.
6.4.11. Client loyalty programs.
6.4.12. Transmission and transfer of contact data to data processors, contractors, suppliers, and/or strategic partners, so they may process the Data Subject’s Personal Data for the purposes outlined in this Privacy Policy.
6.5. Purposes for the Processing of Personal Data of Suppliers, Contractors, and Their Collaborators
6.5.1. Request, collection, and analysis of quotations and/or offers.
6.5.2. Invitations to participate in procurement processes.
6.5.3. Execution of procurement processes.
6.5.4. Request for references and third-party certificates.
6.5.5. Issuance of experience and contractual relationship certificates and references.
6.5.6. Execution of contracts and/or issuance of purchase and/or service orders for the acquisition of goods and/or services.
6.5.7. Contract administration.
6.5.8. Compliance with legal and contractual obligations.
6.5.9. Payment management.
6.5.10. Evaluation of contractors and suppliers.
6.5.11. Communication with suppliers, contractors, or their collaborators for the execution of signed contracts or issued service and/or purchase orders.
6.5.12. Verification of compliance with legal, technical, and/or financial requirements.
6.5.13. Verification of payment of salaries and social benefits of contractors, suppliers, and their collaborators, and their affiliation with the Occupational Risk Administrator (ARL).
6.5.14. Verification of compliance with occupational health and safety regulations (SG-SST) and/or any that complement, amend, replace, or repeal them.
6.5.15. Verification of compliance with regulations governing Personal Data Protection, and/or any that complement, amend, replace, or repeal them.
6.5.16. Scheduling of technical activities and confirmation of their execution.
6.5.17. Management of product quality claims.
6.5.18. Hotel bookings, air or ground tickets, provision of fuel and toll vouchers, per diems, and vehicle requests, among others, in the event of travel by contractors, suppliers, and/or their collaborators, when such obligations are stipulated in contracts under the responsibility of the Data Controller.
6.5.19. Loyalty programs for contractors and suppliers.
6.5.20. Transfer of proof of payment of social security and parafiscal contributions and training certificates to the Data Controller’s clients, when required for contract execution and/or payment processing for services rendered.
Medellín
Phone: (+57) 604 322 9884
Address: Carrera 37 #2 Sur – 34, El Poblado, Medellín, Antioquia, Colombia
Postal Code: 050022
Bogotá
Phone: (+57) 601 482 4084
Address: Calle 70bis #4 – 54, Bogotá, Colombia
Postal Code: 110231
Manage the information necessary for the proper development of Arrubla Devis’s corporate purpose and to fulfill its corporate, tax, accounting, and other obligations.
To achieve the aforementioned purposes, Arrubla Devis may collect, retain, and store, either directly or through a third party, one or more databases, whether physical or electronic. By granting authorization for the processing of personal data, it is understood that Arrubla Devis is granted the broadest powers to carry out such processing by the law and the provisions of this policy, without prejudice to the rights of the Data Subjects.
The following are the rights of Personal Data Holders:
8.1. To know, update, and rectify your personal data with the Data Controllers or Data Processors. This right may be exercised, among other things, with respect to data that is partial, inaccurate, incomplete, fragmented, misleading, or whose processing is expressly prohibited or unauthorized.
8.2. Request proof of the authorization granted to the Data Controller, except when expressly exempted as a requirement for processing, in accordance with the provisions of Article 10 of Law 1581 of 2012.
8.3. Be informed by the Data Controller or the Data Processor, upon request, regarding the use of your personal data.
8.4. Submit complaints to the Superintendency of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and any other regulations that modify, supplement, or complement it.
8.5. Revoke authorization and/or request data deletion when the processing does not respect constitutional and legal principles, rights, and guarantees. Revocation and/or deletion will be appropriate when the Superintendency of Industry and Commerce has determined that, in the processing, the Controller or Processor has engaged in conduct contrary to Law 1581 of 2012 and the Constitution. However, the request for deletion of information and the revocation of authorization will not be appropriate when the Data Subject has a legal or contractual obligation to remain in the database.
8.6. Access free of charge to the personal data that has been subject to Processing: (i) at least once every calendar month, and (ii) every time there are substantial modifications to the Information Processing Policies that motivate new consultations.
When inquiries and complaints are required, the following procedure must be kept in mind:
9.1. Queries
Inquiries regarding personal data must be submitted in writing by the data subject or by legally authorized persons (demonstrating a legitimate interest) to the email or correspondence address indicated at the end of this Policy. These will be resolved within a maximum of ten (10) business days from the date of receipt.
However, when it is not possible to respond to the query within this period, the interested party will be informed before the expiration of ten (10) days, stating the reasons for the delay and indicating the date on which his/her request will be attended to, which in no case may exceed five (5) business days after the expiration of the first period.
9.2. Claims
Data subjects or legally authorized individuals (demonstrating a legitimate interest) who consider that the information contained in an Arrubla Devis database should be corrected, updated, or deleted, or who notice a presumed breach of any of the obligations contained in Law 1581 of 2012 or any other law that replaces or regulates it, may submit a written complaint through any of the channels provided for this purpose. The complaint must contain the following information:
Name and identification of the owner.
The precise and complete description of the facts giving rise to the claim.
The physical or electronic address to send the response and report on the status of the procedure.
The documents and other evidence that you intend to present.
If the claim is incomplete, Arrubla Devis will require the interested party within five (5) business days following its receipt to correct the requirements. After two (2) months from the date of the request, if the petitioner does not submit the requested information, it will be understood that he or she has withdrawn the claim. Once the complete claim has been received, Arrubla Devis will include in the respective database a legend that accompanies the personal data indicating "claim in process" and the reason for it, within a period of no more than two (2) business days. This legend will remain in effect until the claim is decided.
The maximum term to address the claim will be fifteen (15) business days counted from the day following the date of its receipt, and if it is not possible to respond within said term, Arrubla Devis will inform the interested party of the reasons for the delay and the date on which it will be addressed, without exceeding, in any case, eight (8) business days following the expiration of the first term.
To make requests, inquiries and complaints, or to exercise your rights, you can contact the administrative management of the company at the email address info@arrubladevis.com or by physical mail to our offices located in the city of Medellín at Carrera 37 No. 2 Sur - 34 and in the city of Bogotá at Calle 70 Bis No. 4 - 54. The personal data collected will remain in our databases for as long as necessary for the purposes established herein, without prejudice to the rights that assist the owners.
It is the duty of the Data Controller:
10.1. Guarantee the Holder, at all times, the full and effective exercise of the Right to Habeas Data.
10.2. Request and retain, by any means and under the conditions provided for in Law 1581 of 2012, a copy of the respective authorization granted by the Owner.
10.3. Properly inform the Data Subject about the purpose of the collection and the rights to which he or she is entitled by virtue of the authorization granted.
10.4. Keep information under the security conditions necessary to prevent its alteration, loss, unauthorized or fraudulent consultation, use, or access.
10.5. Ensure that the information provided to the Data Processor is truthful, complete, accurate, up-to-date, verifiable, and understandable.
10.6. Update the information, promptly communicating to the Data Processor any new developments regarding the data previously provided and adopting any other measures necessary to ensure that the information provided to the Data Processor remains up-to-date.
10.7. Rectify information when it is incorrect and notify the Data Processor accordingly.
10.8. Provide the Data Processor, as applicable, only with data whose processing has been previously authorized in accordance with the provisions of Law 1581 of 2012.
10.9. Demand that the Data Processor respect the security and privacy conditions of the Data Subject's information at all times.
10.10. Process inquiries and complaints submitted in accordance with the terms set forth in Law 1581 of 2012.
10.11. Adopt an internal policies and procedures manual to ensure proper compliance with Law 1581 of 2012, especially for handling inquiries and complaints.
10.12. Inform the Data Processor when certain information is being disputed by the Data Subject, once the claim has been submitted and the respective process has not been completed.
10.13. Inform the Data Subject, upon request, about the use given to their data.
10.14. Inform the data protection authority when security code violations occur and when there are risks in the management of Data Subjects' information.
10.15. Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.