CHAPTER I GENERAL PROVISIONS

 

ARTICLE 1. DEFINITIONS.

 

For the purposes of applying the rules contained in this manual and in accordance with the provisions of Article 3 of Law 1581 of 2012, it is understood as:

 

a) Authorization: Prior, express and informed consent of the Holder to carry out the Processing of personal data.

 

b) Privacy notice: Verbal or written communication generated by the Responsible Party addressed to the Owner for the processing of their personal data, by means of which they are informed about the existence of the information processing policies that will be applicable to them, the form of access them and the purposes of the Treatment that is intended to give personal data.

 

c) Database: Organized set of personal data that is subject to Treatment.

 

d) Personal data: Any information linked to or that may be associated with one or more specific or determinable natural persons.

 

e) Private data: It is the data that due to its intimate or reserved nature is only relevant for the owner.

 

f) Sensitive data: Sensitive data is understood to be those that affect the privacy of the Holder or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership of trade unions, social organizations, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life and biometric data.

 

g) Responsible for the Treatment: Natural or legal person, public or private, that by itself or in association with others, carries out the Treatment of personal data on behalf of the Responsible for the Treatment.

 

h) Responsible for the Treatment: Natural or legal person, public or private, that by itself or in association with others, decides on the database and / or the Treatment of the data.

 

i) Owner: Natural person whose personal data is subject to Treatment.

 

j) Treatment: Any operation or set of operations on personal data, such as the collection, storage, use, circulation or deletion of the same.

 

ARTICLE 2. OBJECT.

 

The purpose of this document is to regulate the procedures for collecting, handling and processing personal data carried out by GRUPO EL VIRREY SAS, in order to guarantee and protect the fundamental right to habeas data of its guests, visitors, clients, users. and suppliers within the framework of what is established by law. All of the above in compliance with the provisions of paragraph (k) of Article 17 of Law 1581 of 2012, which regulates the duties of those responsible for the processing of personal data, among which is to adopt a manual internal policies and procedures to ensure proper compliance with the law and especially for the attention of queries and complaints.

 

ARTICLE 3. SCOPE OF APPLICATION.

 

This manual will be applicable to the personal data registered and to be registered in the different databases managed by GRUPO EL VIRREY SAS, that is, to the databases of our guests, visitors, customers and suppliers, who provide us with their data to commercial purposes.

 

The information that GRUPO EL VIRREY SAS collects may include, in whole or in part, depending on the needs of each product and / or service, among others the following data:

 

• Names and surnames.

• Type and identification number.

• Nationality and country of residence.

• Date of birth and gender.

• Civil status and / or kinship in relation to minors or disabled persons requesting our services.

• Contact landlines and cell phones (personal and / or work).

• Postal and electronic addresses (personal and / or work).

• Profession or occupation

• Company where you work and position.

• Origin and destination

• Reason for your trip

• Information on credit card (s) (number, bank entity, expiration date).

• Personal data of the cardholder (names and surnames, type and identification number).

• Information on the address where the cardholder receives their bank statements.

 

This data may be stored and / or processed on servers located in computer centers, whether owned or contracted with third-party providers, which is authorized by our guests, visitors, customers, users and suppliers by accepting this Privacy Policy.

 

ARTICLE 4. VERACITY OF THE INFORMATION.

 

Our guests, visitors, clients, users and suppliers must provide truthful information about their personal data in order to make possible the provision of services by GRUPO EL VIRREY SAS and under whose condition they agree to deliver the required information.

 

GRUPO EL VIRREY SAS presumes the veracity of the information provided and does not verify, nor does it assume the obligation to verify, the identity of guests, visitors, customers, users and suppliers, nor the veracity, validity, sufficiency and authenticity of the data that each one of them provide. Therefore, it does not assume responsibility for damages and / or damages of any nature that could originate in the lack of veracity, validity, sufficiency or authenticity of the information, including damages that may be due to homonymy or identity theft. .

 

ARTICLE 5. APPLICABLE LEGISLATION.

 

This manual was prepared taking into account the ordinances of Law 1581 of 2012 “By which general provisions are issued for the protection of personal data” and Decree number 1377 of 2013 “By which Law 1581 of 2012 is partially regulated” .

 

ARTICLE 6. INFORMATION ON CHILDREN AND MINOR ADOLESCENTS.

 

GRUPO EL VIRREY SAS will ensure the proper use of the personal data of underage boys, girls and adolescents, guaranteeing that the processing of their data respects their best interests, and their fundamental rights and, as far as possible, having take into account your opinion, as holders of your personal data.

 

ARTICLE 7. PURPOSES OF THE PROCESSING OF PERSONAL DATA

 

The information collected is used to process, confirm, fulfill and provide the services and / or products purchased, directly and / or with the participation of third party providers of products or services, as well as to promote and advertise our activities, products and services, perform transactions, make reports to the different national or international administrative control and surveillance authorities, police authorities or judicial authorities, banking entities and / or insurance companies, for internal administrative and / or commercial purposes such as market research, audits, reports accounting, statistical analysis, billing, and offering and / or recognition of benefits from our loyalty programs.

 

By accepting this Privacy and Treatment Policy, our guests, visitors, clients, users and suppliers, in their capacity as owners of the collected data, authorize GRUPO EL VIRREY SAS to carry out the treatment thereof, partially or totally, including the collection, storage, recording, use, circulation, processing, deletion, for the execution of activities related to the services and products purchased, such as making reservations, modifications, cancellations and changes to the same, refunds, attention to queries, complaints and claims, payment of compensation and compensation, accounting records, correspondence, processing and verification of credit cards, debit cards and other payment instruments, fraud identification and prevention of money laundering and other criminal activities and / or for the operation of the loyalty programs and other purposes indicated in this document.

 

The foregoing, without prejudice to other purposes that have been informed in this document and in the terms and conditions of each of the products and services of each of our business units.

We warn that third party providers (such as reservation system providers, travel agencies, call centers, banks, insurance companies may be involved in these activities.

Additionally, our travelers, clients and users, in their capacity as owners of the data collected, by accepting this privacy policy, authorize us to:

 

• Use the information received from them, for the purposes of marketing their products and services, and the products and services of third parties with whom GRUPO EL VIRREY SAS maintain a business relationship.

 

• Provide personal data to the police or judicial control and surveillance authorities, by virtue of a legal or regulatory requirement and / or use or disclose this information and personal data in defense of their rights and / or their assets as such defense is related to the products and / or services contracted by its travelers, customers and users.

 

• Allow access to information and personal data to auditors or third parties hired to carry out internal or external audit processes specific to the commercial activity we carry out.

 

• Consult and update personal data, at any time, in order to keep said information updated.

 

• Contract with third parties the storage and / or processing of information and personal data for the correct execution of the contracts entered into with us, under the security and confidentiality standards to which we are bound.

 

CHAPTER II AUTHORIZATION

 

ARTICLE 8. AUTHORIZATION.

 

The collection, storage, use, circulation or deletion of personal data by GRUPO EL VIRREY SAS requires the free, prior, express and informed consent of the owner of the same. GRUPO EL VIRREY SAS, in its capacity as the person responsible for the processing of personal data, has provided the necessary mechanisms to obtain the authorization of the holders, guaranteeing in any case that it is possible to verify the granting of said authorization.

 

With the aforementioned authorization, the client accepts the policies and conditions established in this document.

 

ARTICLE 9. FORM AND MECHANISMS TO GRANT THE AUTHORIZATION.

 

The authorization of the owner of the information will appear in each of the data collection channels and mechanisms of GRUPO EL VIRREY SAS

 

Thus, it may be recorded in a physical, electronic document or in any other format that guarantees its subsequent consultation. The authorization will be issued by the owner prior to the processing of their personal data, in accordance with the provisions of Law 1581 of 2102.

 

With the consent authorization procedure, it is guaranteed that the owner of the personal data has been made known, both the fact that their personal information will be collected and used for specific and known purposes, as well as that they have the option of knowing any alternative to them. and the specific use that has been made of them. The foregoing in order for the owner to make informed decisions regarding their personal data and control the use of their personal information.

 

CHAPTER III RIGHTS AND DUTIES

 

ARTICLE 10. RIGHTS OF THE INFORMATION HOLDERS.

 

In accordance with the provisions of article 8 of Law 1581 of 2012, the owner of personal data has the following rights:

 

a) Know, update and rectify your personal data in front of GRUPO EL VIRREY SAS, in its capacity as data controller.

 

b) Request proof of the authorization granted to GRUPO EL VIRREY SAS, in its capacity as Data Controller.

 

c) Be informed by GRUPO EL VIRREY SAS upon request, regarding the use that has been given to your personal data.

 

d) Present before the Superintendency of Industry and Commerce complaints for infractions of the provisions of Law 1581 of 2012, once the consultation or claim process has been exhausted before the Data Controller.

 

e) Revoke the authorization and / or request the deletion of the data when in the Treatment the principles, rights and constitutional and legal guarantees are not respected.

 

f) Free access to your personal data that have been subject to Treatment.

 

ARTICLE 11. DUTIES OF GRUPO EL VIRREY SAS IN RELATION TO THE TREATMENT OF PERSONAL DATA.

 

GRUPO EL VIRREY SAS. will keep in mind, at all times, that personal data are the property of the people to whom they refer and that only they can decide on them. In this sense, it will use them only for those purposes for which it is duly empowered, and in any case respecting Law 1581 of 2012 on the protection of personal data.

 

In accordance with the provisions of article 17 of Law 1581 of 2012, GRUPO EL VIRREY SAS undertakes to permanently comply with the following duties:

 

a) Guarantee the Holder, at all times, the full and effective exercise of the right to habeas data.

 

b) Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.

 

c) Carry out in a timely manner, this is in the terms provided in articles 14 and 15 of Law 1581 of 2012, the updating, rectification or deletion of the data.

 

d) Process the queries and claims made by the Holders in the terms indicated in article 14 of Law 1581 of 2012.

 

e) Insert in the database the legend "information in judicial discussion" once notified by the competent authority about judicial processes related to the quality or details of personal data.

 

f) Refrain from circulating information that is being controversial by the Holder and whose blocking has been ordered by the Superintendency of Industry and Commerce.

 

g) Allow access to information only to people who can have access to it.

 

h) Inform the Superintendence of Industry and Commerce when there are violations of the security codes and there are risks in the administration of the information of the Holders.

 

i) Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

 

CHAPTER IV PROCEDURES FOR ACCESS, CONSULTATION AND CLAIM

 

ARTICLE 13. RIGHT OF ACCESS:

 

The power of disposition or decision that the owner has about the information that concerns him, necessarily entails the right to access and know if his personal information is being processed, as well as the scope, conditions and generalities of said treatment.

 

Likewise, the owner has the right to request their rectification if they are inaccurate or incomplete and to cancel them when they are not being used in accordance with the purposes and legal or contractual terms or according to the purposes and terms contemplated in this Privacy Policy.

 

GRUPO EL VIRREY SAS will guarantee the right of access when, upon prior accreditation of the identity of the owner or his representative or attorney-in-fact, he requests it as provided in Law 1581 of 2012.

 

Customers and users can exercise their rights to know, update, rectify and delete their personal data by sending their request to the email: reservas@hotelelvirrey.com and by phone 3341150, in accordance with this Privacy Policy.

 

You must include the following information in the request:

 

• Names and surnames.

• Document type.

• Document number.

• Phone.

• Email.

• Country.

• Affair.

 

ARTICLE 13. RESPONSE TO CONSULTATIONS.

 

In any case, regardless of the mechanism implemented to attend to consultation requests, they will be attended to within a maximum term of ten (10) business days from the date of receipt. When it is not possible to attend the query within said term, the interested party will be informed before the expiration of 10 days, stating the reasons for the delay and indicating the date on which the query will be attended, which in no case may exceed five (5) business days following the expiration of the first term.

 

ARTICLE 14. CLAIMS.

 

In accordance with the provisions of article 14 of Law 1581 of 2012, the Holder or his successors in title who consider that the information contained in a database should be subject to correction, updating or deletion, or when they notice the alleged breach of any of the duties contained in Law 1581 of 2012, they may file a claim with the Data Controller, which will be processed under the following rules:

 

1. The claim may be submitted by the Holder in the formats that GRUPO EL VIRREY SAS has for this purpose in its Hotel registry. If the claim received does not have complete information that allows it to be processed, that is, with the identification of the Holder, the description of the facts that give rise to the claim, the address, and accompanying the documents that you want to enforce, the interested party within five (5) days after receipt to correct the faults. After two (2) months from the date of the request without the applicant submitting the required information, it will be understood that the claim has been withdrawn. If for any circumstance the Company receives a claim that should not actually be directed against it, it will transfer it to the corresponding person within a maximum term of two (2) business days and will inform the interested party of the situation.

 

2. Once the complete claim has been received, a legend that says “claim in process” and the reason for it will be included in the database maintained by GRUPO EL VIRREY SAS, within a period of no more than two (2) business days. Said legend must be maintained until the claim is decided.

 

3. The maximum term to attend the claim will be fifteen (15) business days from the day following the date of receipt. When it is not possible to attend to it within said term, the interested party will be informed before the expiration of the aforementioned period of the reasons for the delay and the date on which their claim will be attended, which in no case may exceed eight (8) business days following the expiration of the first term.

 

ARTICLE 15. IMPLEMENTATION OF PROCEDURES TO GUARANTEE THE RIGHT TO SUBMIT CLAIMS.

 

At any time and free of charge, the owner or his representative may request GRUPO EL VIRREY SAS to rectify, update or delete their personal data, after proof of identity. The rights of rectification, updating or deletion can only be exercised by:

 

• The owner or his successors in title, after proof of their identity, or through electronic instruments that allow them to identify themselves.

 

• Your representative, after accreditation of the representation.

 

When the request is made by a person other than the owner and it is not proven that the same is acting on his behalf, it will be deemed not submitted.

 

The request for rectification, update or deletion must be submitted through the means enabled by GRUPO EL VIRREY SAS indicated in the privacy notice and contain, at least, the following information:

 

1. The name and address of the owner or any other means to receive the answer

 

2. The documents that prove the identity or personality of its representative.

 

3. The clear and precise description of the personal data with respect to which the owner seeks to exercise any of the rights.

 

4. Where appropriate, other elements or documents that facilitate the location of personal data.

 

PARAGRAPH 1. RECTIFICATION AND UPDATING OF DATA.

 

GRUPO EL VIRREY SAS has the obligation to rectify and update at the request of the owner, the information of the latter that turns out to be incomplete or inaccurate, in accordance with the procedure and the terms indicated above. In this regard, the following will be taken into account: In requests for rectification and updating of personal data, the owner must indicate the corrections to be made and provide the documentation that supports their request.

 

GRUPO EL VIRREY SAS has full freedom to enable mechanisms that facilitate the exercise of this right, as long as they benefit the owner. Consequently, electronic or other means that it deems pertinent may be enabled.

 

GRUPO EL VIRREY SAS may establish forms, systems and other simplified methods, which must be informed in the privacy notice and which will be made available to interested parties on the website.

 

GRUPO EL VIRREY SAS will use the customer service or attention services that it has in operation, as long as the response times are not greater than those indicated by article 15 of Law 1581 of 2012.

 

Each time GRUPO EL VIRREY SAS makes a new tool available to facilitate the exercise of their rights by the holders of information or modifies existing ones, it will inform you through its website.

 

PARAGRAPH 2. DATA SUPPRESSION.

 

The owner has the right, at all times, to request GRUPO EL VIRREY SAS the deletion (elimination) of their personal data when:

 

a.) Consider that they are not being treated in accordance with the principles, duties and obligations set forth in Law 1581 of 2012.

 

b.) They are no longer necessary or relevant for the purpose for which they were collected.

 

c.) The period necessary for the fulfillment of the purposes for which they were collected has been exceeded

 

This deletion implies the total or partial elimination of personal information in accordance with what is requested by the owner in the records, files, databases or treatments carried out by GRUPO EL VIRREY SAS It is important to bear in mind that the right of cancellation is not absolute and the person in charge can deny the exercise of the same when:

 

• The request to delete the information will not proceed when the owner has a legal or contractual duty to remain in the database.

 

• The elimination of data obstructs judicial or administrative actions linked to tax obligations, the investigation and prosecution of crimes or the updating of administrative sanctions.

 

• The data is necessary to protect the legally protected interests of the owner; to carry out an action based on the public interest, or to comply with an obligation legally acquired by the owner.

 

If the cancellation of personal data is appropriate, GRUPO EL VIRREY SAS must carry out the deletion in such a way that the deletion does not allow the recovery of the information.

 

ARTICLE 16. REVOCATION OF THE AUTHORIZATION.

 

The owners of personal data can revoke their consent to the processing of their personal data at any time, as long as a legal provision does not prevent it. To do this, they should contact GRUPO EL VIRREY SAS, by email: info@hotelelvirrey.com or by phone 3341150

 

It should be taken into account that there are two ways in which the revocation of consent can be given. The first may be about all the consented purposes, that is, that GRUPO EL VIRREY SAS must completely stop processing the data of the owner; the second can occur on specific types of treatment, such as for advertising or market research purposes. With the second modality, that is, the partial revocation of consent, other purposes of the processing that the person responsible, in accordance with the authorization granted, can carry out and with which the owner agrees are kept safe.

 

Therefore, it will be necessary for the owner at the time to raise the request for revocation of consent to GRUPO EL VIRREY SAS, indicate in it if the revocation he intends to carry out is total or partial. In the second hypothesis, it must be indicated with which treatment the owner is not satisfied. There will be cases in which the consent, due to its necessary nature in the relationship between the owner and the person responsible for the fulfillment of a contract, by legal provision cannot be revoked. The mechanisms or procedures that GRUPO EL VIRREY SAS establishes to respond to requests for revocation of consent may not exceed the deadlines set to address claims as indicated in article 15 of Law 1581 of 2012.

 

CHAPTER V INFORMATION SECURITY

 

ARTICLE 17. SECURITY MEASURES.

 

In development of the security principle established in Law 1581 of 2012, GRUPO EL VIRREY SAS has adopted the technical, human and administrative measures that are necessary to grant security to the records avoiding their adulteration, loss, consultation, use or unauthorized access or fraudulent.

 

Notwithstanding the foregoing, the client assumes the risks derived from delivering this information in a medium such as the internet, which is subject to various variables - third-party attacks, technical or technological failures, among others. GRUPO EL VIRREY SAS will make its best technological effort to guarantee the security of the personal information of all its clients and / or users, using reasonable and current security methods to prevent unauthorized access, to maintain the accuracy of the data and guarantee the correct use of information.

 

ARTICLE 18. IMPLEMENTATION OF SECURITY MEASURES.

 

GRUPO EL VIRREY SAS will maintain mandatory security protocols for personnel with access to personal data and information systems. The procedure must consider, as a minimum, the following aspects:

 

a) Third parties hired by GRUPO EL VIRREY SAS, will be obliged to adhere to and comply with the information security policies and manuals, as well as the security protocols that we apply to all our processes.

 

b) Every contract of GRUPO EL VIRREY SAS with third parties (contractors, external consultants, temporary collaborators, etc.) that involves the processing of information and personal data, will include a confidentiality agreement that details its commitments for protection, care, security and preservation of the confidentiality, integrity and privacy of the same.

 

c) Scope of the procedure with detailed specification of the protected resources.

 

d) Measures, norms, procedures, rules and standards aimed at guaranteeing the level of security required in Law 1581 of 2012.

 

e) Functions and obligations of the staff.

 

f) Structure of personal databases and description of the information systems that process them.

 

g) Procedure for notification, management and response to incidents.

 

h) Procedures for making backup copies and data recovery.

 

i) Periodic controls that must be carried out to verify compliance with the provisions of the security procedure that is implemented

 

j) Measures to be taken when a support or document is to be transported, discarded or reused.

 

k) The procedure must be kept up to date at all times and must be reviewed whenever there are relevant changes in the information system or in its organization.

 

l) The content of the procedure must be adapted at all times to the current provisions on the security of personal data

 

CHAPTER VI FINAL PROVISIONS

 

ARTICLE 19. MODIFICATIONS TO THE PRIVACY POLICY.

 

GRUPO EL VIRREY SAS reserves the right to make modifications or updates to this Privacy Policy at any time, in order to attend to new legislation, internal policies or new requirements for the provision or offering of its services or products.

 

ARTICLE 20. EFFECTIVENESS OF THE PROCESSING OF THE INFORMATION AND PERSONAL DATA.

 

The information provided by customers and users will remain stored for a period of fifteen (15) years from the date of the last treatment, to allow us to comply with the legal and / or contractual obligations under your charge, especially in accounting matters, fiscal and tributary.