JT TECH INC and its team, in compliance with the current regulations regarding the protection of personal data in Colombia, especially Law 1581 of 2012, hereby establish the policies for the processing and protection of personal data. These policies apply to any act of collection, processing, transfer, transmission, updating, rectification, or any other action related to the processing of data for CLIENTS, SUPPLIERS, HUMAN RESOURCES, and any other individuals associated with JT TECH INC.
JT TECH INC, identified with Tax ID No. XXXXXXXXX in Medellín, is located in the municipality of Medellín.
Address: XXXXX in the Municipality of Medellín – Antioquia Department.
I. Purpose of the Data Processing Policy
II. Definitions for the Purposes of the Data Processing Policy
III. Principles for the Processing of Personal Data
IV. Scope of Application
V. Recipients and/or Data Controllers
VII. Data Processing
VIII. Purposes of Processing
IX. Rights of Data Subjects
X. Duties of Data Controllers
XI. Procedure for Queries, Updates, and Rectifications
XII. Duration of Validity
XIII. Effective Date
1. OBJECTIVE OF THE DATA PROCESSING POLICY
JT TECH INC, with the aim of ensuring that its CLIENTS, SUPPLIERS, HUMAN RESOURCES, and any other individuals associated with it and its workforce are properly informed and treated in compliance with current regulations on the protection of Personal Data (Law 1266 of 2008, Law 1581 of 2012, and Decree 1377 of 2013), hereby presents the Data Processing Policies (hereinafter the “Policy”) regarding the collection, use, transfer, and processing of such data, pursuant to the authorization granted by the data subjects.
Through this policy, JT TECH INC outlines the general guidelines adopted for the proper use and protection of personal data of data subjects, as well as the purpose of collecting the information, the rights of data subjects, the department responsible for handling complaints and claims, and the procedures to be followed to access, update, rectify, and delete the information.
In compliance with the constitutional right to Habeas Data, JT TECH INC only collects Personal Data and sensitive data when previously authorized by the data subject, implementing clear measures regarding the confidentiality and privacy of Personal Data.
2. DEFINITIONS FOR THE PURPOSES OF THE DATA PROCESSING POLICY
In accordance with Article 15 of the National Constitution, Law 1581 of 2012, and Decree 1377 of 2013, the following definitions will be considered:
Data Subject: Natural or legal person whose Personal Data are subject to Processing.
Data Controller: Natural or legal person, public or private, who, alone or in association with others, decides on the database and/or the Processing of the data.
Data Processor: Natural or legal person, public or private, who, alone or in association with others, carries out the Processing of personal data on behalf of the Data Controller.
Authorization: Prior, express, and informed consent of the data subject to carry out the Processing of Personal Data.
Personal Data: Any information linked or that can be associated with one or more specific or identifiable natural persons.
Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.
Sensitive Data: Those that can affect the privacy of the Data Subject or whose misuse can lead to discrimination, such as data related to health, sex, political affiliation, among others.
Semiprivate Data: Data that is not intimate, reserved, or public and whose knowledge or disclosure may be of interest not only to its owner but also to a certain sector of people or society in general.
Public Data: Data qualified as such according to the mandates of the law or the Political Constitution of Colombia and data that is not semiprivate, private, or sensitive.
Database: Organized set of personal data that is subject to processing.
Transmission: Processing of personal data that involves the communication of these data within or outside the territory of Colombia when its purpose is the realization of processing by the processor on behalf of the controller.
Privacy Notice: Verbal or written communication generated by the Data Controller, addressed to the data subject for the Processing of their personal data, through which they are informed about the existence of the information processing policies that will apply to them, how to access them, and the purposes of the Processing intended for the personal data.
Data Transfer: Processing of data that involves its disclosure, either for free or for consideration, to a person other than the data subject or different from the controller authorized by the data subject.
Habeas Data: Fundamental right of every person to know, update, rectify, and/or delete the information and personal data that have been collected and/or are being processed in public or private databases, in accordance with the provisions of the law and other applicable regulations.
Disassociation Procedure: Refers to any processing of personal data in such a way that the information obtained cannot be associated with an identified or identifiable person.
Principles for Data Processing: Fundamental rules, of a legal and/or jurisprudential nature, that inspire and guide the Processing of personal data, from which actions and criteria are determined to resolve the possible collision between the right to privacy, habeas data, and protection of personal data with the right to information.
3. PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA
In accordance with Article 4 of Law 1581 of 2013, Law 1266 of 2008, and the Jurisprudence of the Constitutional Court, the principles governing the Processing of Personal Data are as follows:
a) Principle of legality in data processing: The Processing referred to in Law 1581 is a regulated activity that must comply with what is established in the law and in other provisions that develop it.
b) Principle of purpose: The processing of data carried out by JT TECH INC is implemented with a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Data Subject prior to the collection of personal or sensitive data.
c) Principle of freedom or informed consent: Processing can only be carried out with the prior, express, and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves consent.
d) Principle of truthfulness or quality: Data subject to Processing must correspond to real, truthful situations; they must be understandable, accurate, and complete, as per the information provided by the data owner.
e) Principle of incorporation: When the collection of personal information in databases implies advantageous situations for the owner, the database operator must incorporate them.
f) Principle of restricted access and circulation: The Processing of personal and/or sensitive data is subject to specific limits determined by the purpose of each database, the authorization of the owner, and the principle of purpose.
g) Principle of security: Information subject to Processing by the Data Controller or Data Processor under this law must be handled with the technical, human, and administrative measures necessary to provide security to the records, avoiding their adulteration, loss, consultation, use, or unauthorized or fraudulent access.
i) Principle of expiration or temporality: Adverse information about the owner must be permanently removed from the databases, based on criteria of reasonableness and opportunity; likewise, once the reasons that justified the collection and management of the owner’s information disappear, its use must cease.
j) Principle of utility: The collection, compilation, processing, and information of personal data must serve a specific function, in line with the legitimate exercise of their administration.
k) Principle of necessity: The personal information concerned must be strictly necessary for the fulfillment of the purposes of the database.
l) Principle of Individuality: Databases collected independently must be kept that way.
m) Principle of Transparency: The right of the Data Subject to obtain and know, from the Data Controller and/or Data Processor, at any time and without restrictions, information about the existence of data concerning them will be guaranteed.
n) Confidentiality: JT TECH INC and all individuals involved in the processing of personal and/or sensitive data have a professional obligation to keep and maintain the confidentiality of this data, an obligation that persists even after the contractual relationship or commercial or any other kind of bond has ended.
Special Protection of Sensitive Data: Sensitive personal data will only be collected by JT TECH INC when necessary for the development of its professional activity.
4. SCOPE OF APPLICATION
The policies outlined in this document will apply to the processing of personal data, whether carried out within Colombian territory or abroad, pursuant to international treaties, contractual relationships, alliances, or any other form of affiliation.
5. RECIPIENTS AND/OR RESPONSIBLE PARTIES
The policies outlined will apply and obligate the following individuals:
a. Legal representative
b. Auditor and/or accountant
c. Internal personnel of JT TECH INC, whether directors or not, who oversee, process, have access, or engage in any other form of interaction with the company’s databases.
d. Contractors, natural persons, legal entities, consortia, temporary unions, or any others who provide services to JT TECH INC under any form of affiliation or commercial relationship, in the context of which any processing of personal or sensitive data occurs.
e. Any person with whom there exists a legal relationship of statutory, contractual, service, or any other kind.
f. Third parties from whom JT TECH INC has legally obtained information.
g. Company users.
h. Other individuals stipulated by law.
6. AUTHORIZATION FOR THE USE OF INFORMATION
JT TECH INC requires, in order to carry out the appropriate processing of the data of the RECIPIENTS described in the previous section, the free and express authorization from the data subject or their representative to use the data.
This authorization may be documented through any means, such as physical documents, electronic forms, or any format allowing subsequent consultation.
Authorization will be understood as the informed consent given freely and consciously by the data subject or their representative, in which JT TECH INC provides the following information:
- The processing to which their personal data will be subjected and its specific purpose.
- The duration for which their personal data will be processed.
- The rights they have as data subjects.
- The different channels of communication through which they can make inquiries and/or complaints to the data controller or data processor.
JT TECH INC or the party responsible for the data collected and processed by JT TECH INC must retain proof of the authorization issued by the DATA SUBJECT and/or their representative, which must be available at all times for their consultation.
7. PROCESSING OF PERSONAL DATA WHEN THERE ARE NO PRIVACY NOTICES
The operations constituting the processing of personal data by JT TECH INC, as the controller or processor, will be governed by the following parameters.
a. PERSONAL DATA RELATED TO HUMAN RESOURCE MANAGEMENT
JT TECH INC will process the personal data of its employees, contractors, suppliers, interns, apprentices, and individuals applying for vacancies in the following manner:
i. Processing before the employment relationship:
JT TECH INC will inform individuals interested in participating in a selection process in advance about the rules applicable to the processing of the personal data provided by the interested party, as well as those obtained during the selection process. The company will obtain the required authorization to disclose this information to third parties and for any other purpose other than participating in this process.
Upon completion of the selection process, JT TECH INC will inform unsuccessful candidates of the negative outcome and will return the personal data provided by them. If returning the data is not possible, it will be destroyed, and the individuals will be informed in advance.
Information obtained by JT TECH INC regarding non-selected candidates, specifically the results of psychometric tests and interviews, if applicable, will be deleted from its information systems, thereby complying with the principle of purpose.
7.1.2. Processing of Data During Employment Relationships, Service Provision, or Commissioned Work
JT TECH INC will store personal data and information obtained from the selection process of employees, contractors, agents, or any other form of engagement with the company in a virtual and/or physical folder identified with the name of each individual. Relevant documentation for each person will be stored in these folders.
7.1.3. Processing of Data After Termination of Contractual Relationship
After the employment relationship ends, regardless of the cause, JT TECH INC will proceed to store the personal data obtained from the selection process and documentation generated during the employment relationship in a secure physical or virtual file.
7.1.4. Processing of Personal Data of Suppliers
JT TECH INC will protect and ensure appropriate processing of data obtained from its suppliers. The data will only be used for necessary and specified purposes in each specific case.
7.1.5. Processing of Personal Data in Contracting Processes
Third parties involved in contracting processes, alliances, cooperation agreements, or any other form of engagement with JT TECH INC, who access, use, process, and/or store personal data of employees, users, customers, potential customers, or any other third party related to JT TECH INC, must adhere to the guidelines outlined in this Policy. They are also required to implement appropriate security measures to ensure data security.
7.1.6. Processing of Personal Data of Users
Personal data of users and potential users of JT TECH INC will be collected and processed for the purposes outlined in this document.
8. Purposes of Processing When There Are No Privacy Notices
Personal data of the data subjects is collected by JT TECH INC S.A.S in the course of its corporate activities, for the following purposes, without limitation:
8.1. Conduct advertising and marketing campaigns to promote its services, seminars, products, or any other offerings, whether owned by JT TECH INC or third parties.
8.2. Implement loyalty programs.
8.3. Conduct market research.
8.4. Establish commercial agreements, events, or institutional programs directly or in collaboration with third parties.
8.5. Verify data through consultation with public databases or credit bureaus.
8.6. Perform georeferencing activities and statistical studies.
8.7. Send information about activities and/or consultations conducted by the Company or send information deemed of interest through various means.
8.8. Fulfill legal obligations to provide information to administrative entities, as well as competent authorities that require such information.
8.9. Share information with third parties collaborating with the Company who, to fulfill their functions, may need to access the information to some extent, such as –without limitation– messaging service providers, advertising agencies, debt collection agencies, pension and severance funds, banks, among others.
8.10. Ensure the security and proper provision of services and products of JT TECH INC or any other third party directly or indirectly linked to JT TECH INC.
8.11. Execute contracts entered into by the company.
8.12. Establish, approach, and/or create future business relationships.
8.13. Support and conduct audit processes and monitoring of the Company.
8.14. Any other purpose that may arise in the course of the contract or business relationship or any other nature between JT TECH INC and the Data Subject.
8.15. Issue certifications, diplomas, or similar documents.
8.16. Issue invoices, vouchers, credit notes, or any equivalent, similar, or related documents.
8.17. Verify the legal status of SUPPLIERS, CONTRACTORS, and HUMAN RESOURCES.
First Paragraph: The information provided by the Data Subject will be used for the purposes stated herein, without limitation. Once the need for the processing of Personal Data ceases, JT TECH INC may delete or archive the data according to its capabilities.
9. DATA SUBJECT RIGHTS
Data subjects whose personal data are stored in the databases within JT TECH INC’s information systems have the rights described in this section, in compliance with the fundamental guarantees established in the Political Constitution and the law.
The exercise of these rights will be free of charge and unlimited for the data subject, without prejudice to legal provisions regulating their exercise.
The exercise of Habeas Data, expressed in the following rights, constitutes a highly personal power and shall primarily belong to the data subject, except for legal exceptions. Accordingly, data subjects shall have the right to:
9.1. Right to obtain all information, update, rectify, modify, and consult their personal data held by JT TECH INC at any time, which they consider partial, inaccurate, incomplete, fragmented, or misleading.
9.2. Right to obtain information about the processing applied to their personal data, the purpose of the processing, the location of the databases, and the transfers and general uses made of them.
9.3. Right to delete their personal data or suppress it when they consider it excessive, not relevant, or when the processing is contrary to regulations, except in cases contemplated as exceptions by law or contractually agreed otherwise.
9.4. Right to request proof of the authorization granted to JT TECH INC at any time.
9.5. Right to revoke the consent or authorization that enables the processing of their data, except in cases contemplated as exceptions by law or contractually agreed otherwise.
9.6. Right to access, free of charge, their personal data that have been subject to processing.
9.7. Right to lodge complaints and claims with the Superintendence of Industry and Commerce, or with the competent authority, prior to exhausting their rights against JT TECH INC.
9.8. Right to be represented by any person with absolute capacity for it, which must be proven in writing.
10. RESPONSIBILITIES OF DATA CONTROLLERS AND PROCESSORS
JT TECH INC or any of the recipients of these policies, when assuming the role of data controllers and/or processors, must fulfill the following duties:
a) Ensure the Data Subject’s full and effective exercise of the right to habeas data at all times.
b) Request and retain, under the conditions established in this law, a copy of the respective authorization granted by the Data Subject.
c) Properly inform the Data Subject about the purpose of the collection and the rights conferred by virtue of the granted authorization.
d) Maintain the information under necessary security conditions to prevent its alteration, loss, consultation, use, or unauthorized or fraudulent access.
e) Ensure that the information provided to the Data Processor is truthful, complete, accurate, current, verifiable, and understandable, in accordance with the data provided by the DATA SUBJECT.
f) Update the information, timely informing the Data Processor of any changes regarding the data previously provided and take other necessary measures to keep the information provided by the DATA SUBJECT up-to-date.
g) Rectify the information when it is incorrect and communicate the relevant changes to the Data Processor.
h) Provide the Data Processor, as appropriate, only with data whose processing has been previously authorized in accordance with the provisions of this law.
i) Demand from the Data Processor at all times respect for the security and privacy conditions of the Data Subject’s information.
j) Process inquiries and complaints submitted in the terms indicated in this law.
k) Adopt an internal manual of policies and procedures to ensure compliance with this law, especially for handling inquiries and complaints.
l) Inform the Data Processor when certain information is under discussion by the Data Subject, once a complaint has been filed and the respective process has not yet concluded.
m) Inform, upon the Data Subject’s request, about the use of their data.
n) Report to the data protection authority when violations of security codes occur and there are risks in the administration of Data Subject information.
o) Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
p) Keep a record of modified data and the respective modifications, data transfers, and transmissions.
q) Refrain from using data that is being contested by the DATA SUBJECT or their representative or that the competent judicial or administrative entity has ordered not to use.
r) Allow access to the information only to designated individuals.
s) Maintain a central record of databases containing personal data, including the history from their creation, information processing, and database cancellation.
t) Create a log of inactive data, which must also be safeguarded.
u) Maintain an organized record of requests made by DATA SUBJECTS or their representatives and the responses provided to them.
11. PROCEDURES FOR INQUIRIES, UPDATES, CORRECTIONS, AND DELETIONS
Data Subjects or their representatives can, at any time, inquire, update, correct, or request the deletion of the data held by JT TECH INC, following the procedure outlined below:
a) The data subject and/or their representative interested in exercising their rights must prove such a status by providing a copy of the relevant document. For data subjects, this must be verified through a national ID card, passport, foreign ID card, or birth certificate. Representatives must prove their status through a special power of attorney and/or a general power of attorney duly recognized by a notary, a certificate of existence and representation (for partners), a birth certificate, or a court order confirming their representation.
These documents can be submitted to JT TECH INC physically or digitally.
The data subject or their representative must submit a request for inquiry, update, correction, or deletion of their data through a physical or digital document sent to the email address firstname.lastname@example.org
b) CLAIMS PROCEDURE: The request to exercise any of the aforementioned rights must contain at least the following:
- Name and identification of the data subject and their representatives if applicable, supported by the documents indicated in section a of this document.
- Clear and specific request specifying the reason and content of the request, whether it is an inquiry, information update, correction, or request for deletion of personal data. The request should include the reasoning or justifications for the petition.
- Physical and/or email address for receiving notifications.
- Documents supporting the request.
c) Once JT TECH INC receives the request and determines that it constitutes a claim, it will be marked as “claim in process,” which will be maintained until a decision is made.
d) If any of the requirements mentioned in section c or any other necessary information required to respond to the request is missing, JT TECH INC will notify the interested party within ten (10) business days after receiving the request, allowing the DATA SUBJECT or their representative to rectify the omission.
e) If, after a period of two (02) months from the date of the request made by JT TECH INC, the DATA SUBJECT or their representative does not provide the required information or rectify the deficiencies, it will be deemed that they withdrew their initial request.
f) JT TECH INC will have a period of ten (10) business days to respond to the request made by the DATA SUBJECT or their representatives if it is an inquiry or fifteen (15) business days if it is a claim. These periods will be counted from the request made by JT TECH INC for the DATA SUBJECT or their representative to rectify the requirements or provide the information requested by JT TECH INC.
If the aforementioned deadlines cannot be met, this situation will be communicated to the applicant before the deadline expires.
FIRST PARAGRAPH: JT TECH INC informs the DATA SUBJECTS that the request for deletion of information and revocation of authorization will not be processed when the DATA SUBJECT has an existing contractual or non-contractual obligation with JT TECH INC and when there is a judicial or administrative requirement related to the DATA SUBJECT’s personal data.
SECOND PARAGRAPH: It is pertinent to clarify that DATA SUBJECTS, their representatives, or successors can only file a complaint with the Superintendence of Industry and Commerce once they have gone through the consultation or complaint process outlined in these policies with JT TECH INC and the response has not been satisfactory.
12. Period of Validity of Databases
The databases mentioned in this document will have a duration of twenty (20) years, starting from the acquisition of the respective personal data, except in cases where the data subject has a legal or contractual obligation that justifies their presence in the database for a later term.
13. Effective Date of the Personal Data Processing Policy
These policies for the processing of personal data come into effect on November 1, 2023.