This document sets forth the Personal Data Processing Policies of the Colombian Coffee Growers Federation, acting as a private union entity and as Administrator of the National Coffee Fund (hereinafter, the ENTITY), in compliance with provisions of Law 1581 of 2012 and Decree 1377 of 2013. It describes the mechanisms through which the ENTITY guarantees an adequate handling of the personal data collected in its databases, in order to enable data subjects to exercise the habeas data right.
The ENTITY is a private, non-profit legal entity, domiciled in Bogotá, with legal status recognized by the national Government through executive resolution No. 33 of September 2, 1927, published in the Official Gazette No. 20,894 of 1928, with taxpayer ID number (NIT) 860.007.538-2, whose contact details are the following:
Address: Calle 73 No. 8-13, Bogotá DC, Colombia
Phone number: 3136600
Authorization: Prior, express and informed consent by the data subject for personal data processing;
Database: Organized set of personal data that is the object of processing;
Personal data: Any information related or that can be associated with one or several identified or identifiable natural persons;
Processor: Natural or legal person, public or private, that on its own or jointly with others processes personal data on behalf of the Controller;
Controller: Natural or legal person, public or private, that on its own or jointly with others decides on the database and/or data processing;
Data Subject: Natural person whose personal data is subject to processing;
Processing: Any operation or set of operations on personal data, such as the collection, storage, use, circulation or deletion.
Principle of legality: Personal data processing is a regulated activity that must conform to provisions of the law and the other ones developing it;
Principle of purpose: Processing must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the data subject;
Principle of freedom: Processing can only be performed with the prior, express and informed consent of the data subject. Personal data shall not be collected or disclosed without prior authorization or in the absence of any legal or judicial mandate excusing the consent;
Principle of veracity or quality: The information subject to processing must be true, complete, accurate, up to date, verifiable and understandable. The processing of partial, incomplete, fractional or error-inducing data is prohibited;
Principle of transparency: In processing, the data subject’s right to obtain from the Controller or the Processor, at any time and without restrictions, information about the existence of data concerning him/her, must be guaranteed;
Principle of restricted access and circulation: Processing is subject to the limits derived from the nature of personal data, provisions of law and the Constitution. In this sense, the processing shall only be carried out by persons authorized by the data subject and/or by the persons provided by law.
Personal data, except public information, shall not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to the data subjects or third parties authorized under the law;
Principle of Security: The information subject to processing by the Controller or Processor must be handled with the technical, human and administrative measures that are necessary to ensure security of the records, preventing their adulteration, loss or authorized or fraudulent consultation, use or access;
Principle of confidentiality: All persons involved in non-public personal data processing are obliged to guarantee confidentiality of the information, even after the end of their relationship with any of the tasks related to processing, being able only to provide or communicate personal data when it corresponds to the development of activities authorized by the law and in its terms.
Content of databases
The ENTITY’s databases store general information such as full name, ID number and type, gender and contact details (email, physical address, landline and mobile phone). In addition, and depending on the nature of the database, the ENTITY may have specific data required for processing. In the databases of employees and contractors, additional information on labor and academic history, sensitive data required by the nature of the employment relationship (photography, family group, biometric data) is included.
Sensitive information may be stored in the databases with prior authorization of its data subject, in compliance with articles 5 and 7 of Law 1581 of 2012.
The information in the ENTITY’s databases is subject to different forms of processing, such as collection, exchange, update, processing, reproduction, compilation, storage, use, systematization and organization, all of them partially or totally in compliance with the purposes set forth herein. The information may be delivered, transmitted or transferred to public entities, business partners, contractors, affiliates, or subsidiaries, solely in order to meet the purposes of the corresponding database. In any case, the delivery, transmission or transfer shall take place prior subscription of the necessary commitments to safeguard confidentiality of the information. Personal information, including sensitive information, may be transferred, transmitted or delivered to third countries, regardless of the level of security of the regulations governing the handling of personal information. In compliance with legal duties, the ENTITY may provide personal information to judicial or administrative entities. The ENTITY will guarantee the correct use of personal data of minors, ensuring that the applicable legal requirements are complied with and that all processing is previously authorized and is justified in the best interests of minors.
The information collected by the ENTITY is intended to allow the proper development of its object as a union entity, as well as the mandates as administrator of the National Coffee Fund, including the national coffee policy. In addition, the ENTITY keeps the information necessary to comply with legal duties, mainly in accounting, corporate, and labor matters.
Information about customers, suppliers, partners and employees, current or past, is stored in order to facilitate, promote, enable or maintain labor, civil and commercial relationships.
Information on coffee market actors is stored in order to perform the activities of its object, particularly those related to the development, planning and implementation of programs, projects, plans, policies, contracts, or agreements necessary to promote coffee growing in Colombia.
Rights of data subjects
In accordance with the provisions of article 8 of Law 1581 of 2012, data subjects may:
- Know, update and rectify their personal data to the ENTITY or the Processors. This right may be exercised, inter alia, regarding partial, inaccurate, incomplete, fractional, or misleading data, or data whose processing is expressly prohibited or has not been authorized.
- Request proof of the authorization granted to the ENTITY, except when expressly excepted as a requirement for processing, in accordance with the provisions of article 10 of this law.
- Be informed by the ENTITY or the Processor, upon request, about the use given to their personal data.
- File complaints before the Superintendence of Industry and Commerce for violations of the provisions in this law and the other regulations that modify, add or complement it.
- Revoke the authorization and/or request deletion of the data when the constitutional and legal principles, rights and guarantees are not respected in processing. The revocation and/or deletion shall proceed when the Superintendence of Industry and Commerce has determined that the ENTITY or the Processor has incurred in a conduct contrary to this law and the Constitution.
- Access free of charge their personal data that have been subject to processing.
Obligations of the entity
The ENTITY shall:
– Guarantee the data subject, at all times, the full and effective exercise of the habeas data right.
– Request and keep, under the conditions provided for in this law, a copy of the respective authorization granted by the data subject.
– Duly inform the data subject about the purpose of collection and their rights by virtue of the authorization granted.
– Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
– Ensure that the information provided to the Processor is true, complete, accurate, up to date, verifiable and understandable.
– Update the information, communicating in a timely manner to the Processor all the news regarding the data previously provided and take the other necessary measures so that the information provided is updated.
– Rectify the information when it is inaccurate and communicate what is relevant to the Processor.
– Provide the Processor, as the case may be, only with data whose processing is previously authorized in accordance with the provisions of this law.
– Require of the Processor at all times respect for the conditions of security and privacy of the data subject’s information.
– Process the inquiries and claims made in the terms provided by this law.
– Adopt an internal manual of policies and procedures to ensure proper compliance with this law and especially for responding to inquiries and complaints.
– Inform the Processor when certain information is under discussion by the data subject, once the claim has been made and the respective handling has not been completed.
– Inform, at the request of the data subject, about the use given to their data;
– Inform the data protection authority about violations of security codes and risks in management of information of the data subjects.
– Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
Person or area responsible (Controller)
Any request, complaint or claim related to personal data processing, pursuant to the provisions of Law 1581 of 2012 and Decree 1377 of 2013, shall be submitted to:
Entity: Colombian Coffee Growers Federation
Area: Legal Directorate
Address: Calle 73 No. 8-13, Bogotá DC, Colombia
Phone number: 3136600
Procedures for submission of and response to inquiries
The subjects of personal data contained in the databases of the ENTITY, or their successors, may consult the data and the ENTITY shall provide the requested information in the terms provided by the applicable legislation. Any request for consultation, correction, update or deletion must be made in writing or by email, according to the information herein. Inquiries will be answered within 10 business days from the date of receipt of the respective request. If it is not possible to respond to the inquiry within said term, the interested party will be informed, explaining the reasons for the delay and indicating the date on which their inquiry shall be answered, which in no case shall exceed five (5) business days following the expiration of the first term.
Procedures for making and responding to inquiries, complaints and claims
Claims shall be made in writing or by email, according to the information described herein, and shall contain at least the following information:
- Data subject’s ID.
- Description of the facts that give rise to the claim.
- Data subject’s address.
- Documentation that may serve as evidence.
If the claim is incomplete, the interested party shall be required within five (5) days after receipt of the claim to correct the faults. After two (2) months from the date of the request, if the applicant does not submit the required information, it will be understood that the claim has been given up.
In the event that the person receiving the claim is not competent to resolve it, the claim shall be forwarded to the competent party within a maximum period of two (2) business days, informing the interested party of the situation.
Once the complete claim is received, a legend saying “claim in process” and its motivation will be included in the database, no later than two (2) business days. This legend shall be kept until the claim is decided.
The maximum term to handle the claim shall be fifteen (15) business days from the day following the date of receipt. When it is not possible to address the claim within said term, the interested party shall be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days after the expiration of the first term.
Validity of the database
The ENTITY’s Personal Data Processing Policies will be in force as of July 27, 2013. The ENTITY reserves the right to modify them in the terms and with the limitations provided by law.
The databases managed by the ENTITY shall be maintained indefinitely, while developing its object, and as long as necessary to ensure compliance with legal obligations, particularly labor and accounting ones, but the data may be deleted at any time at the request of the data subject, as long as this request does not contravene any legal obligation of the ENTITY or an obligation contained in a contract between the ENTITY and the data subject.