WEB POLICY MANUAL (WEB PROCESSING POLICIES)
Content
1. Legal basis and scope of application
2. Definitions
3. Authorization of the treatment policy
4. Data controller
5. Treatment and purposes of databases
6. Browsing data
7. Cookies or Web bugs
8. Rights of the Holders
9. Attention to Data Subjects
10. Procedures for exercising the rights of the Owner 10.1. Right of access or consultation
10.2. Rights to complaints and claims
11. Security measures
12. Transfer of data to third countries
13. Validity
1. Legal basis and scope of application
The information processing policy is developed in compliance with Articles 15 and 20 of the Political Constitution; Articles 17 (k) and 18 (f) of Statutory Law 1581 of 2012, which establishes general provisions for the Protection of Personal Data (LEPD); and Article 13 of Decree 1377 of 2013, which partially regulates the previous Law.
This policy will apply to all personal data recorded in databases that are processed by the data controller.
2. Definitions
Established in Article 3 of Statutory Law 1581 of 2012 and Article 3 of Decree 1377 of 2013.
Authorization: Prior, express and informed consent of the Data Subject to carry out the processing of personal data.
Privacy Notice: Verbal or written communication generated by the data controller, addressed to the Data Subject for the processing of their personal data, through which they are informed of the existence of the information processing policies that will be applicable to them, how to access them, and the purposes of the processing intended to be given to their personal data.
Database: Organized set of personal data that is the object of processing.
Personal data: Any information linked to or that can be associated with one or more specific or identifiable natural persons.
Public data: Data that is not semi-private, private, or sensitive. Public data includes, among others, data relating to a person's marital status, their profession or occupation, and their status as a merchant or public servant. By its nature, public data may be contained in, among other things, public registries, public documents, official gazettes and bulletins, and duly enforceable court rulings that are not subject to confidentiality.
Sensitive data: Sensitive data is understood to be that which affects the privacy of the Owner or whose improper use may lead to discrimination, such as data that reveals racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations or that promotes the interests of any political party or that guarantees the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.
Data processor: A natural or legal person, public or private, who, either alone or in association with others, processes personal data on behalf of the data controller.
Data controller: A natural or legal person, public or private, who, either alone or in association with others, decides on the database and/or the processing of data.
Data subject: Natural person whose personal data is being processed.
Transfer: Data transfer occurs when the controller and/or processor of personal data, located in Colombia, sends the information or personal data to a recipient, who is in turn the controller and is located within or outside the country.
Transmission: Processing of personal data that involves communicating it within or outside the territory of the Republic of Colombia when the purpose is to carry out processing by the data processor on behalf of the controller.
Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.
3. Authorization of the treatment policy
Pursuant to Article 9 of the Personal Data Protection Act (LEPD), the processing of personal data requires the prior and informed consent of the Data Subject. By accepting this policy, any Data Subject who provides information relating to their personal data consents to the processing of their data by MUNDIAL DE REPUESTOS DE MOTOS SAS under the terms and conditions set forth herein.
The authorization of the Holder will not be necessary when it comes to:
Information required by a public or administrative entity in the exercise of its legal functions or by court order.
Data of a public nature.
Cases of medical or health emergencies.
Processing of information authorized by law for historical, statistical or scientific purposes.
Data related to the Civil Registry of persons.
4. Data controller
The person responsible for processing the databases covered by this policy is MUNDIAL DE REPUESTOS DE MOTOS SAS, whose contact details are as follows:
Address: CALLE 38 # 52- 30 MEDELLÍN, ANTIOQUIA.
Email: PROTECCIONDATOS@MUNDIMOTOS.COM.CO
Telephone: 2324513
5. Treatment and purposes of databases
MUNDIAL DE REPUESTOS DE MOTOS SAS, in the course of its business activities, processes personal data relating to natural persons contained and processed in databases intended for legitimate purposes, in compliance with the Constitution and the Law.
“Annex 1. Database Information” presents the different databases managed by the company, along with the information and characteristics of each of them.
6. Browsing data
The navigation system and the software required for the operation of this website collect some personal data, the transmission of which is implicit in the use of Internet communication protocols.
By its very nature, the information collected could allow users to be identified through association with third-party data, even if it is not collected for that purpose. This category of data includes the IP address or domain name of the device used by the user to access the website, the URL, the date and time, and other parameters related to the user's operating system.
This data is used solely to obtain anonymous statistical information about website usage or to monitor its proper technical functioning. It is deleted immediately after verification.
7. Cookies or Web bugs
This website does not use cookies or web beacons to collect personal data from the user; instead, their use is limited to facilitating user access to the website. The use of session cookies, which are not permanently stored on the user's device and disappear when the browser is closed, is limited to collecting technical information to identify the session and facilitate secure and efficient access to the website. If you do not wish to allow the use of cookies, you can reject them or delete existing ones by configuring your browser and disabling JavaScript in your browser's security settings.
8. Rights of the Holders
Pursuant to Article 8 of the Personal Data Protection Act (LEPD) and Articles 21 and 22 of Decree 1377 of 2013, data subjects may exercise a series of rights regarding the processing of their personal data. These rights may be exercised by the following persons:
1. By the Holder, who must sufficiently prove his identity by the different means made available to him by the person responsible.
2. By their successors in title, who must prove such status.
3. By the representative and/or attorney of the Owner, upon prior accreditation of the representation or power of attorney.
4. By stipulation in favor of another and for another.
The rights of children and adolescents shall be exercised by persons empowered to represent them.
The rights of the Holder are the following:
Right of access or consultation: This is the Data Subject's right to be informed by the data controller, upon request, about the origin, use, and purpose of their personal data. Rights to complain and file claims: The Law distinguishes four types of claims:
• Correction request: This is the right of the Data Subject to have partial, inaccurate, incomplete, fragmented, misleading data updated, rectified, or modified, or whose processing is expressly prohibited or unauthorized.
• Request for deletion: This is the Data Subject's right to have data that is inadequate, excessive, or does not respect constitutional and legal principles, rights, and guarantees deleted.
• Revocation request: This is the Data Subject's right to revoke the authorization previously granted for the processing of their personal data.
• Claim of infringement: This is the Data Subject's right to request that the breach of data protection regulations be remedied.
Right to request proof of the authorization granted to the data controller: Except when expressly exempted as a requirement for processing in accordance with the provisions of Article 10 of the LEPD.
Right to file complaints for violations with the Superintendency of Industry and Commerce: The Data Subject or legal successor may only file this complaint once they have exhausted the consultation or claim process with the data controller or data processor.
9. Attention to Data Subjects
The TRAINING FACILITATOR of MUNDIAL DE REPUESTOS DE MOTOS SAS will be responsible for handling requests, queries and complaints before which the Data Owner may exercise their rights, in accordance with "Annex 3. Roles and Responsibilities".
Telephone: 2324513
Email: PROTECCIONDATOS@MUNDIMOTOS.COM.CO
10. Procedures for exercising the rights of the Owner
10.1. Right of access or consultation
According to Article 21 of Decree 1377 of 2013, the Data Subject may consult his or her personal data free of charge in two cases:
1. At least once every calendar month.
2. Whenever there are substantial modifications to the information processing policies that motivate new consultations.
For inquiries with a frequency greater than once per calendar month, MUNDIAL DE REPUESTOS DE MOTOS SAS may only charge the Holder for the costs of shipping, reproduction, and, where applicable, certification of documents. Reproduction costs may not exceed the costs of recovering the corresponding material. To this end, the responsible party must provide proof of such expenses to the Superintendency of Industry and Commerce, upon request.
Data subjects may exercise their right to access or consult their data by writing to MUNDIAL DE REPUESTOS DE MOTOS SAS, sending an email to: PROTECCIONDATOS@MUNDIMOTOS.COM.CO, indicating "Exercise of the right of access or consultation" in the subject line, or by post to CALLE 38 # 52-30 MEDELLÍN, ANTIOQUIA. The request must contain the following information:
Name and surname of the Holder.
Photocopy of the Citizenship Card of the Holder and, where applicable, of the person representing him/her, as well as the document proving such representation.
Petition in which the request for access or consultation is specified.
Address for notifications, date and signature of the applicant.
Supporting documents for the request made, where applicable.
The Data Subject may choose one of the following methods of querying the database to receive the requested information:
On-screen display.
In writing, with a copy or photocopy sent by certified mail or not.
Telecopy.
Email or other electronic means.
Another system suitable for the configuration of the database or the nature of the treatment, offered by MUNDIAL DE REPUESTOS DE MOTOS SAS
Once the request has been received, MUNDIAL DE REPUESTOS DE MOTOS SAS will resolve the consultation request within a maximum period of ten (10) business days from the date of receipt. When it is not possible to respond to the consultation within this period, the interested party will be informed, stating the reasons for the delay and indicating the date on which their consultation will be attended to, which in no case may exceed five (5) business days following the expiration of the first term. These deadlines are established in article 14 of the LEPD.
Once the consultation process has been completed, the Owner or beneficiary may file a complaint with the Superintendency of Industry and Commerce.
10.2. Rights to complaints and claims
Data subjects may exercise their right to file a claim regarding their data by writing to MUNDIAL DE REPUESTOS DE MOTOS SAS, sent by email to PROTECCIONDATOS@MUNDIMOTOS.COM.CO with the subject line "Exercise of the right of access or consultation," or by post to CALLE 38 # 52-30 MEDELLÍN, ANTIOQUIA. The request must contain the following information:
Name and surname of the Holder.
Photocopy of the Citizenship Card of the Holder and, where applicable, of the person representing him/her, as well as the document proving such representation.
Description of the facts and request specifying the application for correction, deletion, revocation or inflation.
Address for notifications, date and signature of the applicant.
Documents supporting the request made that you wish to assert, where applicable.
If the claim is incomplete, the interested party will be required within five (5) days of receipt to correct the deficiencies. After two (2) months from the date of the request, if the applicant does not submit the required information, it will be understood that the claim has been withdrawn.
Once the complete claim has been received, a legend stating "claim in process" and the reason for the claim will be added to the database within a period of no more than two (2) business days. This legend must remain in effect until the claim is decided.
MUNDIAL DE REPUESTOS DE MOTOS SAS will resolve the consultation request within a maximum period of fifteen days.
(15) business days counted from the date of receipt thereof. When it is not possible to address the claim within this period, the interested party will be informed of the reasons for the delay and the date on which his/her claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.
Once the claim process has been exhausted, the Holder or beneficiary may file a complaint with the Superintendency of Industry and Commerce.
11. Security measures
In order to comply with the security principle enshrined in Article 4, letter g) of the LEPD, MUNDIAL DE REPUESTOS DE MOTOS SAS has implemented the necessary technical, human, and administrative measures to guarantee the security of the records, preventing their adulteration, loss, consultation, use, or unauthorized or fraudulent access.
Furthermore, MUNDIAL DE REPUESTOS DE MOTOS SAS, by signing the corresponding transfer agreements, has required the data processors with whom it works to implement the necessary security measures to guarantee the security and confidentiality of the information when processing personal data.
Below are the security measures implemented by MUNDIAL DE REPUESTOS DE MOTOS SAS, which are collected and developed in its Internal Security Manual (I, II, III, IV).
TABLE I: Common security measures for all types of data (public, semi-private, private, sensitive) and databases (automated, non-automated)
| Document and media management | Access control | Incidents | Staff | Internal Security Manual |
|
1. Measures to prevent unauthorized access to or recovery of data that has been discarded, deleted, or destroyed. 2. Restricted access to the location where the data is stored. |
1. Unlimited user access to the data necessary for the performance of their functions. 2. Updated list of authorized users and accesses. |
1. Incident log: type of incident, time of occurrence, notification issuer, effects and corrective measures. 2. Procedure for reporting and managing incidents. |
1. Definition of the functions and obligations of users with access to the data. 2. Definition of the control functions and authorizations delegated by the data controller. |
1. Preparation and implementation of the mandatory manual for staff. 2. Minimum content: scope of application, security measures and procedures, functions and obligations of staff, description of databases, incident response procedures, data backup and recovery procedures, security measures for the transportation, destruction, and reuse of documents, identification of data processors. |
|
3. Authorization of the person responsible for the release of documents or media by physical or electronic means. 4. Labeling or identification system of the type of information. 5. Inventory of supports. |
3. Mechanisms to prevent access to all rights other than those authorized. 4. Granting, alteration or cancellation of permits by authorized personnel. |
3. Dissemination among staff of the rules and the consequences of non-compliance. |
TABLE II: Common security measures for all types of data (public, semi-private, private, sensitive) according to the type of databases
| Non-automated databases | ||
| Archive | Document storage | Custody of documents |
| 1. Documentation archive following procedures that guarantee correct conservation, location and consultation and allow the exercise of the rights of the Holders | 1. Storage devices with mechanisms that prevent access by unauthorized persons. | 1. Duty of diligence and custody of the person in charge of documents during their review or processing. |
| Automated databases | |
| Identification and authentication | Telecommunications |
| 1. Personalized user identification to access the information systems and verification of their authorization. 2. Identification and authentication mechanisms; Passwords: allocation, expiration and encrypted storage. |
1. Access to data through secure networks. |
TABLE III: Security measures for private data according to the type of databases
| Automated and non-automated databases | ||
| Audit | Security Officer | Internal Security Manual |
|
1. Ordinary audit (internal or external) every two months. 2. Extraordinary audit due to substantial modifications in 3. Report on the detection of deficiencies and proposal for corrections. 4. Analysis and conclusions of the security officer and the 5. Keeping the Report available to the authority. |
1. Designation of one or more security officers. 2. Designation of one or more persons in charge of controlling and coordinating the measures in the Internal Security Manual. 3. Prohibition of delegation of responsibility of the person responsible for the |
1. Periodic compliance controls. |
| Automated databases | |||
| Document Management and Access Control Identification and Incidents Supports |
Access control | Identification and authentication | Incidents |
| 1. Record of incoming and outgoing documents and media: date, sender and receiver, number, type of information, method of delivery, person responsible for reception or delivery. | 1. Access control to the place or places where the information systems are located. | 1. Mechanism that limits the number of repeated unauthorized access attempts. |
1. Record of data recovery procedures, person performing them, data restored and data manually recorded. 2. Authorization of the data controller for the execution of recovery procedures. |
TABLE IV: Security measures for sensitive data according to the type of databases
| Non-automated databases | |||
| Access control | Document storage | Copy or reproduction | Transfer of documentation |
|
1. Access for authorized personnel only. 2. Access identification mechanism. 3. Log of access by unauthorized users. |
1. Filing cabinets, cupboards and other items located in access areas protected with keys or other measures. |
1. Only for authorized users. 2. Destruction that prevents access to or recovery of the data. |
1. Measures that prevent access to or manipulation of documents. |
| Automated databases | ||
| Document and media management | Access control | Telecommunications |
|
1. Confidential labeling system. 2. Data encryption. 3. Encryption of portable devices when they are away. |
1. Access log: user, time, database accessed, access type, record accessed. 2. Access log control by the security officer. Monthly report. 3. Data retention: 2 years. |
1. Data transmission through encrypted electronic networks. |
12. Transfer of data to third countries
Pursuant to Title VIII of the Data Protection Act (LEPD), the transfer of personal data to countries that do not provide adequate levels of data protection is prohibited. A country is deemed to offer an adequate level of data protection when it meets the standards set by the Superintendency of Industry and Commerce on the matter, which in no case may be lower than those required by this law for recipients. This prohibition shall not apply in the case of:
Information for which the Owner has given his express and unequivocal authorization for the transfer.
Exchange of medical data when required by the Data Subject's processing for reasons of public health or hygiene.
Bank or stock transfers, in accordance with applicable legislation.
Transfers agreed upon within the framework of international treaties to which the Republic of Colombia is a party, based on the principle of reciprocity.
Transfers necessary for the execution of a contract between the Data Controller and the Data Controller, or for the execution of pre-contractual measures, provided that the Data Controller's authorization is obtained.
Transfers legally required to safeguard the public interest, or for the recognition, exercise or defense of a right in a judicial process.
In cases not contemplated as an exception, the Superintendency of Industry and Commerce will be responsible for issuing the declaration of compliance regarding the international transfer of personal data. The Superintendent is empowered to request information and carry out the necessary procedures to establish compliance with the requirements for the viability of the transaction.
International transfers of personal data between a controller and a processor to enable the processor to process the data on behalf of the controller do not require the data subject's notification or consent, provided that a personal data transfer agreement exists.
13. Validity
The databases under the responsibility of MUNDIAL DE REPUESTOS DE MOTOS SAS will be processed for as long as is reasonable and necessary for the purpose for which the data was collected. Once the purpose or purposes of the processing have been fulfilled, and without prejudice to any legal provisions that provide otherwise, MUNDIAL DE REPUESTOS DE MOTOS SAS will delete the personal data in its possession unless there is a legal or contractual obligation requiring its retention. For all these reasons, this database has been created without a defined validity period.
This processing policy remains in effect since 2016-10-03




