Personal Data Protection Policy

PERSONAL DATA PROTECTION POLICY DRAGONJAR S.A.S

In compliance with the provisions of Statutory Law 1581 of 2012 and its Regulatory Decree 1377 of 2013, DRAGONJAR S.A.S adopts this policy for the processing of personal data, which will be informed to all owners of the data collected or that may be obtained in the future in the course of academic, cultural, commercial, or labor activities.

In this way, DRAGONJAR S.A.S states that it guarantees the rights to privacy, intimacy, and a good name in the processing of personal data, and consequently, all its actions will be governed by the principles of legality, purpose, freedom, veracity or quality, transparency, restricted access and circulation, security, and confidentiality.

All persons who, in the development of different cultural, academic, contractual, commercial, labor, among other activities, whether permanent or occasional, come to supply DRAGONJAR S.A.S with any type of information or personal data, may know, update, and rectify it.

 
1. IDENTIFICATION OF THE DATA CONTROLLER

DRAGONJAR S.A.S
DOMICILE AND ADDRESS: DRAGONJAR S.A.S has its domicile in the city of Manizales, Caldas, located at the address Carrera 23 C # 62-72 Office 705
EMAIL: datospersonales@dragonjar.org
PHONE: (0 57) 304 676 8721

 
1. LEGAL FRAMEWORK

Political Constitution, Article 15.
Law 1266 of 2008
Law 1581 of 2012
Regulatory Decrees 1727 of 2009 and 2952 of 2010,
Partial Regulatory Decree 1377 of 2013
Judgments C – 1011 of 2008, and C - 748 of 2011, of the Constitutional Court

III. SCOPE OF APPLICATION

This policy will be applicable to the personal data registered in any database of DRAGONJAR S.A.S whose owner is a natural person.

IV. DEFINITIONS

For the purposes of this policy and in accordance with current regulations on personal data protection, the following definitions will be taken into account:

Authorization: Prior, express, and informed consent of the Data Subject to carry out the Processing of personal data.

Privacy Notice: Verbal or written communication generated by the Controller, addressed to the Data Subject for the processing of their personal data, through which they are informed about the existence of the information processing policies that will be applicable to them, the way to access them, and the purposes of the processing that is intended for the personal data.

Database: Organized set of personal data that is subject to processing.

Successor: a person who has succeeded another due to the death of the latter (heir).

Personal data: Any information linked or that can be associated with one or more specific or determinable natural persons.

Public data: Data that is not semi-private, private, or sensitive. Public data includes, among others, data related to the civil status of people, their profession or trade, and their quality as a merchant or public servant. By their nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins, and duly executed judicial sentences that are not subject to confidentiality.

Sensitive data: Sensitive data is understood as that which affects the privacy of the Data Subject or whose improper use can generate discrimination, such as that which reveals racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social organizations, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of the definitions included in this document are taken from the current regulations in Colombia that regulate the protection of personal data.

Data Processor: Natural or legal person, public or private, who by themselves or in association with others, carries out the Processing of personal data on behalf of the Data Controller.

Data Controller: Natural or legal person, public or private, who by themselves or in association with others, decides on the database and/or the Processing of the data.

Data Subject: Natural person whose personal data is subject to Processing.

Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.

Transfer: the transfer of data takes place when the controller and/or processor of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is a data controller and is inside or outside the country.

Transmission: processing of personal data that implies the communication of the same inside or outside the territory of the Republic of Colombia when its purpose is the performance of processing by the processor on behalf of the controller.

 
1. PRINCIPLES

For the purpose of guaranteeing the protection of personal data, DRAGONJAR S.A.S will apply the following principles in a harmonious and integral manner, in light of which the processing, transfer, and transmission of personal data must be carried out:

Principle of legality in data processing: Data processing is a regulated activity, which must be subject to the current and applicable legal provisions that govern the matter.

Principle of purpose: the personal data processing activity carried out by DRAGONJAR S.A.S or to which it has access, will obey a legitimate purpose in line with the Political Constitution of Colombia, which must be informed to the respective owner of the personal data.

Principle of freedom: the processing of personal data can only be carried out with the prior, express, and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal, statutory, or judicial mandate that exempts consent.

Principle of truthfulness or quality: the information subject to personal data processing must be truthful, complete, accurate, updated, verifiable, and understandable. The processing of partial, incomplete, fragmented data or data that misleads is prohibited.

Principle of transparency: In the processing of personal data, DRAGONJAR S.A.S will guarantee the Data Subject their right to obtain at any time and without restrictions, information about the existence of any type of information or personal data that is of their interest or ownership.

Principle of restricted access and circulation: The processing of personal data is subject to the limits derived from their nature, the provisions of the law, and the Constitution. Consequently, processing can only be done by persons authorized by the data subject and/or by the persons provided for by law. Personal data, except for public information, may not be available on the internet or other means of mass disclosure or communication, unless access is technically controllable to provide restricted knowledge only to the data subjects or third parties authorized by law. For these purposes, the obligation of DRAGONJAR S.A.S will be of means.

Principle of security: the information subject to processing by DRAGONJAR S.A.S must be handled with the necessary technical, human, and administrative measures to grant security to the records, avoiding their adulteration, loss, consultation, use, or unauthorized or fraudulent access.

Principle of confidentiality: All persons who in DRAGONJAR S.A.S, administer, manage, update, or have access to information of any kind found in Databases, are obliged to guarantee the reservation of the information, for which they commit to preserve and maintain in a strictly confidential manner and not to reveal to third parties, all the information they come to know in the execution and exercise of their functions; except when it comes to activities expressly authorized by the data protection law. This obligation persists and will be maintained even after their relationship with any of the tasks that comprise the Processing has ended.

The principles included in this document are taken from the current regulations in Colombia that regulate the protection of personal data.

VI. RIGHTS OF THE DATA SUBJECT

In accordance with the provisions of the current applicable regulations on data protection, the following are the rights of the owners of personal data:

 
1. Access, know, update, and rectify your personal data before DRAGONJAR S.A.S in its capacity as data controller. This right may be exercised, among others, against partial, inaccurate, incomplete, fragmented data, data that leads to error, or those whose processing is expressly prohibited or has not been authorized.

 

2. Request proof of the authorization granted to DRAGONJAR S.A.S for data processing, by any valid means, except in cases where authorization is not necessary.

 

3. Be informed by DRAGONJAR S.A.S, upon request, regarding the use that has been given to your personal data.

 

4. File complaints with the Superintendence of Industry and Commerce, or the entity that takes its place, for violations of the provisions of Law 1581 of 2012 and other regulations that modify, add to, or complement it, after a consultation or request process before DRAGONJAR S.A.S.

 

5. Revoke the authorization and/or request the deletion of the data when the principles, rights, and constitutional and legal guarantees are not respected in the Processing.

 

6. Access your personal data that has been subject to processing free of charge, at least once every calendar month, and every time there are substantial modifications to this policy that motivate new consultations.

These rights may be exercised by:

 
• The data subject, who must sufficiently accredit their identity by the different means made available by DRAGONJAR S.A.S

 

• The successors of the data subject, who must accredit such quality.

 

• The representative and/or attorney of the data subject, after accreditation of the representation or power of attorney.

 

• Another in favor of or for which the data subject has stipulated.

VII. DUTIES OF DRAGONJAR S.A.S AS CONTROLLER AND PROCESSOR OF PERSONAL DATA

DRAGONJAR S.A.S recognizes the ownership of personal data held by individuals and consequently, they can exclusively decide on them. Therefore, DRAGONJAR S.A.S will use personal data to fulfill the purposes expressly authorized by the owner or by current regulations.

In the processing and protection of personal data, DRAGONJAR S.A.S will have the following duties, without prejudice to others provided for in the provisions that regulate or may regulate this matter:

 
1. Guarantee the data subject, at all times, the full and effective exercise of the right of habeas data.

 

2. Request and keep a copy of the respective authorization granted by the data subject for the processing of personal data.

 

3. Duly inform the data subject about the purpose of the collection and the rights that assist them by virtue of the authorization granted.

 

4. Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use, or unauthorized or fraudulent access.

 

5. Guarantee that the information is truthful, complete, accurate, updated, verifiable, and understandable.

 

6. Timely update the information, thus attending to all the news regarding the data subject's data. Additionally, all necessary measures must be implemented so that the information is kept up-to-date.

 

7. Rectify the information when it is incorrect and communicate what is pertinent.

 

8. Respect the security and privacy conditions of the data subject's information.

 

9. Process the queries and claims made in the terms indicated by law.

 

10. Identify when certain information is under discussion by the data subject.

 

11. Inform the data subject, upon request, about the use given to their data.

 

12. Inform the data protection authority when there are violations of the security codes and there are risks in the administration of the data subjects' information.

 

13. Comply with the requirements and instructions issued by the Superintendence of Industry and Commerce on the particular subject.

 

14. Use only data whose processing is previously authorized in accordance with the provisions of Law 1581 of 2012.

 

15. Ensure the proper use of the personal data of children and adolescents, in those cases in which the processing of their data is authorized.

 

16. Register in the database the legend "claim in process" in the manner regulated by law.

 

17. Insert in the database the legend "information in judicial discussion" once notified by the competent authority about judicial processes related to the quality of the personal data.

 

18. Refrain from circulating information that is being disputed by the data subject and whose blocking has been ordered by the Superintendence of Industry and Commerce.

 

19. Allow access to information only to people who can have access to it.

 

20. Use the personal data of the data subject only for those purposes for which it is duly authorized and always respecting the current regulations on personal data protection.

VIII. AUTHORIZATION AND CONSENT OF THE DATA SUBJECT

DRAGONJAR S.A.S requires the free, prior, express, and informed consent of the owner of the personal data for its processing, except in cases expressly authorized by law, namely:

 
1. Information required by a public or administrative entity in the exercise of its legal functions or by judicial order.

 

2. Data of a public nature.

 

3. Cases of medical or health emergency.

 

4. Processing of information authorized by law for historical, statistical, or scientific purposes.

 

5. Data related to the Civil Registry of Persons Manifestation of authorization

The authorization to DRAGONJAR S.A.S for the processing of personal data will be granted by:

 
• The data subject, who must sufficiently prove their identity through the different means made available by DRAGONJAR S.A.S.

 

• The successors of the data subject, who must prove such quality.

 

• The representative and/or attorney of the data subject, after accreditation of the representation or power of attorney.

 

• Another in favor of or for which the data subject has stipulated.

Means to grant authorization

DRAGONJAR S.A.S will obtain the authorization through different means, including physical documents, electronic documents, data messages, Internet, Websites, or in any other format that in any case allows obtaining consent through unequivocal conduct through which it is concluded that if it had not been provided by the data subject or the person legitimized for it, the data would not have been stored or captured in the database.

The authorization will be requested by DRAGONJAR S.A.S prior to the processing of personal data.

Proof of authorization

DRAGONJAR S.A.S will keep the proof of the authorization granted by the owners of the personal data for its processing, for which it will use the mechanisms available to it at present, as well as adopt the necessary actions to maintain the record of the form and date in which it was obtained. Consequently, DRAGONJAR S.A.S may establish physical files or electronic repositories made directly or through third parties hired for this purpose.

Revocation of authorization.

The owners of the personal data may at any time revoke the authorization granted to DRAGONJAR S.A.S for the processing of their personal data or request their deletion, as long as a legal or contractual provision does not prevent it. DRAGONJAR S.A.S will establish simple and free mechanisms that allow the owner to revoke their authorization or request the deletion of their personal data, at least by the same means by which it was granted.

For the above, it should be taken into account that the revocation of consent can be expressed, on the one hand, totally in relation to the authorized purposes, and therefore DRAGONJAR S.A.S must cease any data processing activity; and on the other hand, partially in relation to certain types of processing, in which case it will be these on which the processing activities will cease, such as for advertising purposes, among others. In the latter case, DRAGONJAR S.A.S may continue to process the personal data for those purposes in relation to which the owner has not revoked their consent.

 
1. TREATMENT TO WHICH THE DATA WILL BE SUBJECTED AND ITS PURPOSE

The processing of personal data of students, applicants, graduates, alumni, professors, employees, former employees, retirees, suppliers, contractors, or any person with whom DRAGONJAR S.A.S has established or establishes a relationship, permanent or occasional, will be carried out within the legal framework that regulates the matter.

In any case, personal data may be collected and processed to:

 
1. Send information related to programs, activities, news, content by area of interest, products, and other goods or services offered by DRAGONJAR S.A.S.

 

2. Develop the mission of DRAGONJAR S.A.S in accordance with its statutes.

 

3. Comply with current regulations in Colombia.

 

4. Comply with the provisions of the Colombian legal system in labor and social security matters, among others, applicable to former employees, current employees, and future job candidates.

 

5. Conduct surveys related to the services or goods of DRAGONJAR S.A.S.

 

6. Develop programs in accordance with its statutes.

 

7. Keep alumni with similar professions or interests in contact.

 

8. Inform about job opportunities, fairs, seminars, or other studies at a local and international level.

 

9. Fulfill all its contractual commitments.

Sensitive data

In the case of sensitive personal data, DRAGONJAR S.A.S may make use and process it when:

 
1. The data subject has given their explicit authorization, except in cases where by law the granting of said authorization is not required.

 

2. The processing is necessary to safeguard the vital interest of the Data Subject and they are physically or legally incapacitated. In these events, the legal representatives must grant their authorization.

 

3. The Processing refers to data that is necessary for the recognition, exercise, or defense of a right in a judicial process.

 

4. The Processing has a historical, statistical, or scientific purpose. In this event, measures must be adopted leading to the suppression of the identity of the data subjects.

Without prejudice to the exceptions provided by law, in the processing of sensitive data, the prior, express, and informed authorization of the data subject is required, which must be obtained by any means that can be subject to subsequent consultation and verification.

 
1. PRIVACY NOTICE

The Privacy Notice is the physical, electronic, or any other format document, made available to the data subject to inform them about the processing of their personal data. Through this document, the data subject is informed about the existence of the information processing policies of DRAGONJAR S.A.S and that they will be applicable, how to access them, and the characteristics of the processing that is intended for the personal data.

The privacy notice must contain, as a minimum, the following information:

 
1. The identity, domicile, and contact details of the data controller.

 

2. The type of processing to which the data will be subjected and its purpose.

 

3. The rights of the data subject.

 

4. The general mechanisms provided by the controller for the data subject to know the information processing policy and the substantial changes that occur in it. In all cases, you must inform the data subject how to access or consult the information processing policy.

 

5. The optional nature of the answer to questions about sensitive data.

 
1. GUARANTEES OF THE RIGHT OF ACCESS

To guarantee the right of access of the data subject, DRAGONJAR S.A.S will make available to them, after accreditation of their identity, legitimacy, or the personality of their representative, without any cost or expense, in a detailed and itemized manner, the respective personal data through all types of media, including electronic media that allow direct access by the data subject to them. Said access must be offered without any limit and must allow the data subject the possibility of knowing and updating them online.

XII. PROCEDURE FOR HANDLING INQUIRIES, COMPLAINTS, PETITIONS FOR RECTIFICATION, UPDATING AND DELETION OF DATA

 
1. Inquiries:

The data subjects or their successors may consult the personal information of the data subject that rests with DRAGONJAR S.A.S, who will provide all the information contained in the individual record or that is linked to the identification of the Data Subject.

With respect to the attention of requests for consultation of personal data, DRAGONJAR S.A.S guarantees:

 
• Enable electronic communication means or others that it deems pertinent.

 

• Establish forms, systems, and other simplified methods, which must be informed in the privacy notice.

 

• Use the customer service or claims services that it has in operation.

 

• In any case, regardless of the mechanism implemented for handling consultation requests, they will be attended to within a maximum term of ten (10) business days from the date of receipt. When it is not possible to attend to the consultation within said term, the interested party will be informed before the expiration of the 10 days, expressing the reasons for the delay and indicating the date on which their consultation will be attended, which in no case may exceed five (5) business days following the expiration of the first term.

 

• Inquiries may be made to the email datospersonales@dragonjarsas.org

 
1. Complaints

The Data Subject or their successors who consider that the information contained in a database should be corrected, updated, or deleted, or when they notice the alleged breach of any of the duties contained in the law, may file a complaint with DRAGONJAR S.A.S, which will be processed under the following rules:

 
1. The complaint of the Data Subject will be formulated by means of a request addressed to DRAGONJAR S.A.S at the email address datospersonales@dragonjarsas.org, with the identification of the data subject, the description of the facts that give rise to the complaint, the address, and accompanying the documents that you want to assert. If the claim is incomplete, the interested party will be required within five (5) days of receipt of the claim to correct the faults. After two (2) months from the date of the requirement, without the applicant submitting the required information, it will be understood that they have withdrawn the claim.

In the event that the person who receives the claim is not competent to resolve it, they will transfer it to the corresponding person within a maximum term of two (2) business days and will inform the interested party of the situation.

 
2. Once the complete claim is received, it will be cataloged with the label "claim in process" and the reason for it, within a term not exceeding two (2) business days. This label will be maintained until the claim is decided.

 
3. The maximum term to address the claim will be fifteen (15) business days from the day following the date of its receipt. When it is not possible to address the claim within said term, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.

 
1. Petition for updating and/or rectification

DRAGONJAR S.A.S will rectify and update, at the request of the data subject, their information that proves to be incomplete or inaccurate, in accordance with the procedure and terms indicated above, for which the following will be taken into account:

 
1. The data subject must send the request to the email datospersonales@dragonjarsas.org or in physical form addressed to the personal data area indicating the update and/or rectification to be made and provide the documentation that supports their request.

 

2. DRAGONJAR S.A.S may enable mechanisms that facilitate the exercise of this right to the data subject, as long as they benefit them. Consequently, electronic means or others that it deems pertinent may be enabled, which will be informed in the privacy notice and will be made available to interested parties on the website.

 
1. Petition for deletion of data

The owner of the personal data has the right to request DRAGONJAR S.A.S its suppression (elimination) in any of the following events:

 
1. Considers that they are not being treated in accordance with the principles, duties, and obligations provided in the current regulations.

 

2. They have ceased to be necessary or relevant for the purpose for which they were collected.

 

3. The period necessary for the fulfillment of the purposes for which they were collected has been exceeded.

This suppression implies the total or partial elimination of the personal information in accordance with what is requested by the data subject in the records, files, databases, or treatments carried out by DRAGONJAR S.A.S. However, this right of the data subject is not absolute and consequently DRAGONJAR S.A.S may deny the exercise of the same when:

 
1. The data subject has a legal or contractual duty to remain in the database.

 

2. The elimination of data hinders judicial or administrative actions related to fiscal obligations, the investigation and prosecution of crimes, or the updating of administrative sanctions.

 

3. The data are necessary to protect the legally protected interests of the data subject; to carry out an action in the public interest, or to comply with a legally acquired obligation by the data subject.

XIII. INFORMATION SECURITY AND SECURITY MEASURES

In compliance with the principle of security established in the current regulations, DRAGONJAR S.A.S will adopt the necessary technical, human, and administrative measures to provide security to the records, preventing their adulteration, loss, consultation, use, or unauthorized or fraudulent access.

XIV. USE AND INTERNATIONAL TRANSFER OF PERSONAL DATA AND PERSONAL INFORMATION BY DRAGONJAR S.A.S

In compliance with and attending to the nature of the permanent or occasional relationships that any person who is a data subject may have with DRAGONJAR S.A.S, the latter may carry out the transfer and transmission, including international, of all personal data, provided that the applicable legal requirements are met; and consequently the data subjects, with the acceptance of this policy, expressly authorize the transfer and transmission, including internationally, of personal data. The data will be transferred for all relationships that may be established with DRAGONJAR S.A.S.

For the international transfer of personal data of the data subjects, DRAGONJAR S.A.S will take the necessary measures so that third parties know and undertake to observe this policy, under the understanding that the personal information they receive can only be used for matters directly related to DRAGONJAR S.A.S and only for as long as it lasts and may not be used or intended for a different purpose or end. For the international transfer of personal data, the provisions of Article 26 of Law 1581 of 2012 will be observed.

International transmissions of personal data carried out by DRAGONJAR S.A.S will not require to be informed to the data subject nor have their consent when there is a contract for the transmission of personal data in accordance with Article 25 of Decree 1377 of 2013.

DRAGONJAR S.A.S may also exchange personal information with governmental or other public authorities (including, but not limited to, judicial or administrative authorities, tax authorities, and criminal, civil, administrative, disciplinary, and fiscal investigation agencies), and third parties participating in civil legal proceedings and their accountants, auditors, lawyers, and other advisors and representatives, because it is necessary or appropriate: (a) to comply with applicable laws, including laws other than those of your country of residence; (b) to comply with legal processes; (c) to respond to requests from public authorities and the government, and to respond to requests from public authorities and the government other than those of your country of residence; (d) to enforce our terms and conditions; (e) to protect our operations; (f) to protect our rights, privacy, security, or property, yours, or those of third parties; and (g) to obtain applicable remedies or limit the damages that may affect us.

XVI. RESPONSIBLE AND IN CHARGE OF THE PROCESSING OF PERSONAL DATA

DRAGONJAR S.A.S will be responsible for the processing of personal data.

XVII. VALIDITY

This policy is effective as of September 29, 2017.