Personal Data

Treatment Policy

OBJECT:

This document is established as the Personal Data Processing Policy of GRUPO MAKRO S.A.S., in compliance with the provisions of Law 1581 of 2012 and Decree 1377 of 2013, provisions that establish and describe the mechanisms through which must ensure the proper handling and in accordance with law, of personal data processed by GRUPO MAKRO S.A.S., which are in their databases, this, in order to guarantee the holders of the same an adequate exercise of their right to Habeas Data.

RESPONSIBLE:

GRUPO MAKRO S.A.S. is a Sociedad por Acciones Simplificadas, is responsible for the processing of personal data contained in their databases and physical or digital files, is domiciled in the city of Valledupar and identified with the NIT: 901.125.641-7, whose contact details are:

Address: Manzana 44 Casa 16. Bellavista Neighborhood.
Telephone: (5) 5623081
Cellular: 3016724532
E-mail: tratamientodedatos@grupomakro.org

It is important to keep in mind that any area, collaborator, employee, supplier and/or contractor of GRUPO MAKRO S.A.S., who by its functions is in charge of the processing of databases containing personal information, must comply with the provisions of this Processing Policy.

DEFINITIONS:

For the purposes of the following Processing Policy and as established in the regulations governing the matter, the following shall be understood as:

  1. Authorization: Prior, express and informed consent of the Data Subject to carry out the processing of personal data.
    2. Database: Organized set of personal data that is subject to processing.
    3. Personal data: Any information linked or that may be associated to one or several determined or determinable natural persons.
    4. Data Processor: Natural or legal person, public or private, who by himself or in association with others, performs the processing of personal data on behalf of the data controller.
    5. Data Controller: Natural or legal person, public or private, who by himself or in association with others, decides on the database and/or the processing of data.
    6. Data Subject: Natural person whose personal data is the object of processing.
    7. Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.
    8. Principle of legality in data processing: Processing is a regulated activity that must be subject to the provisions of the law and other provisions that develop it.
    9. Principle of purpose: The processing must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Data Subject.
    10. Principle of freedom: Processing may only be carried out with the prior, express and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of legal or judicial mandate that relieves the consent.
    11. Principle of truthfulness or quality: The information subject to processing must be truthful, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fractioned or misleading data is prohibited.
    12. Principle of transparency: The right of the Data Subject to obtain from the data controller or data processor, at any time and without restrictions, information about the existence of data concerning him/her, must be guaranteed in the processing.
    13. Principle of restricted access and circulation: The processing is subject to the limits derived from the nature of the personal data, the provisions of the law and the Constitution. In this sense, the processing may only be carried out by persons authorized by the Holder and/or by the persons provided for by law.
    14. Security Principle: The information subject to processing by the data controller or data processor shall be handled with the necessary technical, human and administrative measures to ensure the security of the records, avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.
    15. Principle of confidentiality: All persons involved in the processing of personal data that are not of a public nature are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks involved in the processing, and may only provide or communicate personal data when this corresponds to the development of the activities authorized by law.

CONTENT OF THE DATABASES:

As a general rule, the databases of GRUPO MAKRO S.A.S., which are subject to processing, store personal information of the owners, such as name, number and type of identification, gender and contact information:

physical and electronic address, landline and cell phone, etc.

Depending on the purpose and nature of the databases, other specific data are also subject to processing, i.e., for example, in the database of employees and contractors, information on work and academic history, as well as family, personal and possibly banking information.

In turn, taking into account the nature and services provided by GRUPO MAKRO S.A.S., sensitive and private data may be stored in its databases with prior authorization of the holder.

TREATMENT:

The information contained in the databases of GRUPO MAKRO S.A.S., is subject to different forms of treatment, such as: collection, exchange, updating, processing, reproduction, correction, use, organization, storage, circulation or suppression, among others, all of the above in compliance with the purposes and objectives set forth in this Policy for the treatment of personal data.

The referenced information may be delivered, transmitted or transferred to public entities, business partners, contractors, employees, affiliates, and/or affiliated, subsidiary or related companies, solely and exclusively for the purpose of complying with the purposes of the corresponding database.

It may also be transmitted or transferred to the owners, their successors in title and legal representatives. In any case, the delivery, transmission or transfer will be made after signing the necessary commitments to safeguard the confidentiality and privacy of the information authorized to be processed. In turn, in compliance with legal duties, GRUPO MAKRO S.A.S. may provide personal information to judicial or administrative entities.

GRUPO MAKRO S.A.S., will ensure the correct use of personal data of minors, ensuring compliance with applicable legal requirements and that all treatment is previously authorized and is justified in the best interests of minors.

PURPOSE:

The information that rests in the databases of GRUPO MAKRO S.A.S., is intended to allow the proper development of its corporate purpose, and allow the proper fulfillment of the duties imposed by law, mainly in accounting, tax, administrative, operational, corporate, training, labor, contractual, commercial and marketing matters, etc.

Information about customers, suppliers, partners and employees, current or past, is kept in order to facilitate, promote, enable or maintain labor, civil and commercial relationships.

GRUPO MAKRO S.A.S., deletes the personal data collected when they are no longer necessary, relevant and adequate for the purpose and purpose for which they were collected.

With regard to the recording of videos and photographic taking these are exclusively for educational, safety and/or advertising purposes for promotion of other events.

AUTHORIZATION:

GRUPO MAKRO S.A.S. requests written authorization from any supplier, customer, partner, employee or collaborator of which it carries out the processing of personal data, so that their data can be processed in accordance with the purpose established for each case, and in compliance with the rules that regulate the matter, but, mainly, seeking the protection and guarantee of the constitutional right to Habeas Data.

RIGHTS OF THE OWNERS:

As set forth in art. 8 of Law 1581 of 2012 the holder of personal data shall have the following rights:

  1. To know, update and rectify their personal data against the data controllers or data processors. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or data whose processing is expressly prohibited or has not been authorized.
    2. Request proof of the authorization granted to the data controller, except when expressly exempted as a requirement for the processing.
    3. To be informed by the data controller or the person in charge of the processing, upon request, regarding the use given to their personal data.
    4. File complaints before the Superintendence of Industry and Commerce for violations of the provisions of this law and other rules that modify, add or complement it.
    5. To revoke the authorization and/or request the deletion of the data when the processing does not respect the principles, rights and constitutional and legal guarantees. The revocation and/or suppression will proceed when the Superintendence of Industry and Commerce has determined that in the treatment the responsible or in charge have incurred in conduct contrary to this law and the Constitution.
    6. Access free of charge to your personal data that have been subject to processing.

DUTIES OF THE DATA CONTROLLER:

According to Article 17 of Law 1567 of 2012, the data controller must comply with the following duties:

1- Guarantee the Data Subject, at all times, the full and effective exercise of the right of habeas data.
2. Request and keep, under the conditions provided for in this law, a copy of the respective authorization granted by the Data Subject.
3. Duly inform the Data Subject about the purpose of the collection and the rights he/she has by virtue of the authorization granted.
4. Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
5. Guarantee that the information provided to the data processor is truthful, complete, accurate, updated, verifiable and understandable.
6. Update the information, communicating in a timely manner to the data processor, all developments with respect to the data previously provided and take other necessary measures to ensure that the information provided to it is kept up to date.
7. Rectify the information when it is incorrect and communicate the pertinent to the data processor.
8. To provide the data processor, as the case may be, only data whose processing is previously authorized in accordance with the provisions of this law.
9. To require the data processor at all times to respect the security and privacy conditions of the data subject’s information.
10. To process the queries and claims formulated in the terms set forth in this law.
11. Adopt an internal manual of policies and procedures to ensure proper compliance with this law and, in particular, for the handling of queries and claims.
12. Inform the Data Processor when certain information is under discussion by the Data Subject, once the claim has been filed and the respective process has not been completed.
13. Inform at the request of the Data Subject about the use given to his/her data.
14.  Inform the data protection authority when there are violations to the security codes and there are risks in the administration of the information of the Data Subject.
15. Comply with the instructions and requirements given by the Superintendence of Industry and Commerce.

DUTIES OF THE DATA PROCESSOR:

According to Article 18 of Law 1567 of 2012, the data processor must comply with the following duties:

  1. Guarantee the Data Subject, at all times, the full and effective exercise of the right of habeas data.
  2. Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
  3. Timely update, rectify or delete data in accordance with the terms of this law.
  4. Update the information reported by the data controllers within five (5) working days from its receipt.
  5. To process the queries and claims formulated by the Data Controllers under the terms set forth in this law.
  6. Adopt an internal manual of policies and procedures to ensure proper compliance with this law and, in particular, for the handling of queries and claims by the Holders.
  7. Register in the database the legend “claim in process” in the manner regulated by this law.
  8. Insert in the database the legend “information under judicial discussion” once notified by the competent authority about judicial proceedings related to the quality of the personal data.

9- Refrain from circulating information that is being disputed by the Data Subject and whose blocking has been ordered by the Superintendence of Industry and Commerce.

  1. Allow access to the information only to the persons who may have access to it.
  2. Inform the Superintendence of Industry and Commerce when there are violations to the security codes and there are risks in the administration of the information of the Holders.
  3. Comply with the instructions and requirements given by the Superintendence of Industry and Commerce.

PROCEDURE FOR SUBMITTING AND RESPONDING TO INQUIRIES AND COMPLAINTS:

Consultations:

The holders of the personal data that make up the databases of GRUPO MAKRO S.A.S., or their assignees and representatives, may consult them. Any request for consultation, correction, updating or deletion must be submitted in writing or by e-mail. Consultations will be answered within ten (10) working days from the date of receipt of the respective request.

When it is not possible to attend to the consultation within said term, the interested party shall be informed, expressing the reasons for the delay and indicating the date on which their consultation will be attended to, which in no case may exceed five (5) business days following the expiration of the first term.

Claims:

When it comes to claims these must be formulated in writing physically or by email, which must contain at least the following: identification of the holder, description of the facts that give rise to the claim, address of the holder and documents that serve as evidence.

If the claim is incomplete, the interested party will be required within five (5) days after receipt of the claim to correct the faults. After two (2) months from the date of the requirement, without the applicant submitting the required information, it will be understood that the claim has been abandoned.

In the event that the person receiving the claim is not competent to resolve it, he/she will transfer it to the appropriate person within a maximum term of two (2) business days and will inform the interested party of the situation. Once the complete claim has been received, a legend will be included in the database stating “claim in process” and the reason for the claim, within a term not exceeding two (2) business days. Said legend shall be maintained until the claim is decided.

The maximum term to address the claim shall be fifteen (15) business days from the day following the date of receipt. When it is not possible to address the claim within such term, the interested party shall be informed of the reasons for the delay and the date on which the claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.

VALIDITY OF THE TREATMENT POLICY AND THE DATABASE:

The Personal Data Treatment Policy of GRUPO MAKRO S.A.S. will be in force as of May 22, 2019. GRUPO MAKRO S.A.S. reserves the right to modify it, under the terms and with the limitations provided in the Constitution and the law.

The databases managed and treated by GRUPO MAKRO S.A.S. will be kept indefinitely, while they serve to develop its purpose, and while they are necessary to ensure compliance with legal obligations, but as mentioned above, the data may be deleted when they are no longer necessary or relevant to fulfill the purpose and purpose in force at the time of collection, they will also be deleted at the request of the owner, as long as this request does not contravene a legal obligation of GRUPO MAKRO S. A.S. or an obligation contained in a contract between GRUPO MAKRO S.A.S. and the holder.

PERSON OR AREA RESPONSIBLE:

Any request, complaint or claim related to the handling of personal data, in application of the provisions of Law 1581 of 2012 and Decree 1377 of 2013, should be sent to:

Entity: GRUPO MAKRO S.A.S.

Unit: Administrative and Financial Management

Address: Manzana 44 Casa 16 Barrio Bellavista

E-mail: tratamientodedatos@grupomakro.org

Telephone: (5) 5623081

Cellular: 3017624532

LIDUVINA DEL CARMEN LOPEZ CASTELLANO

Legal Representative Makro Group Colombia

 

Grupo Makro® 2019 Derechos Reservados