DATA PROTECTION POLICY
Personal Data Protection Policy
1. Object:
The Company has adopted this Policy in order to comply with Law 1581 of 2012 and other rules governing the protection of personal data and to guarantee the rights to privacy and good name of Owners. This Policy shall be binding on all employees of the Company, who shall be responsible, in turn, for ensuring that it is known to third parties who in the development of different contractual, commercial, labor activities, whether permanent or occasional, act as Processors. This Policy is applicable to those databases which the Company is Responsible, such as the databases of: (i) applicants, (ii) employees, (iii) minor and adolescent children of employees, (iv) lessors, (v) suppliers and (vi) customers. The foregoing, without prejudice to those policies which each Supplier and/or Customer, as Responsible, communicates to the Company by virtue of the execution of each contract and which shall be applicable in the development of the commercial relationship between them.
2. Definitions:
For the purposes of this Policy and in accordance with the regulations in force regarding the protection of personal data, the following definitions shall be taken into account:
a) Lessor: Refers to the individual or legal person, whether the owner, holder, or usufructuary of a property, with which the Company enters into a lease agreement.
b) Applicant: Refers to the individual involved in a selection process to hold a position in the Company.
c) Authorization: Owner's prior, express, and informed consent to conduct Treatment.
d) Privacy Notice: Oral or written communication generated by the Responsible, addressed to the Owner, informing him or her of the application of this Policy, how to access it, and the purposes of treatment.
e) Database: An organized set of personal data subject to Treatment.
f) Client: The individual or legal person to whom the Company provides its services.
g) Personal Data: Any information linked to or that may be associated with one or more specific or determinable individuals.
h) Public Data: Data that is not semi-private, private, or sensitive. Public Data is considered, among others, data relating to the marital status, their profession or careers and their status as a merchant or public servant. By their nature, Public Data may be contained, among others, in public records, public documents, gazettes and official bulletins, and duly executed judicial judgments that are not subject to confidentiality.
i) Semi-Private Data: Semi-Private Data is data that is not intimate, reserved, or public in nature and whose knowledge or disclosure may be of interest not only to the Owners but to a certain sector or group of people or to society in general.
j) Sensitive Data: Sensitive Data means data that affects the privacy of the Owner or whose misuse may result in discrimination, such as revealing racial or ethnic origin, political orientation, religious or philosophical convictions, labor union membership, social organizations, human rights organizations or organizations that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data relating to health, sexual life, and biometric data.
k) Employee: For the purposes of this Policy, it refers to individuals who have a working relation with the Company, either by contract of employment or service agreement, on a fixed or indefinite basis.
l) Company: Collectively, the subsidiaries of American Tower Corporation operating in Colombia. As of the date of this Policy, these subsidiaries are ATC Sitios de Colombia S.A.S., ATC Sitios Infraco S.A.S. and ATC Fibra de Colombia S.A.S., without prejudice to the inclusion of other subsidiaries of American Tower Corporation in the future.
m) Processor: An individual or legal person, public or private, who by itself or in association with others, performs the treatment by on account of the Responsible.
n) Supplier: Refers to individuals or legal persons who provide their goods or services to the Company.
o) Responsible for the Treatment or Responsible: Individual or legal person, public or private, who by itself or in association with others, decides on the Database and/or the Treatment.
p) Owner: An individual whose Personal Data is being processed.
q) Treatment: Any operation or set of operations on Personal Data, such as collection, storage, use, circulation or suppression.
r) Transfer Data transfer takes place when the Responsible and/or the Processor, located in Colombia, sends Personal Data to a recipient, who is a Responsible, for the Treatment and is located whether within or outside the Republic of Colombia.
s) Transmission: Treatment of personal data that involves the communication of Personal Data within or outside the Republic of Colombia with the intention to carry out a Treatment on behalf of the Responsible.
3. Identification of the Responsible:
NAME: ATC SITIOS OF COLOMBIA S.A.S.
NIT: 900.377.163-5
Address and Address: Carrera 11 A No. 93-35, 2nd Floor, Bogota, D.C.
E-mail: habeasdata@americantower.com
Phone: (57) 6015147690
4. Scope:
The Policy shall apply to personal data of individuals, registered in any Database, whether established before or after the entry into force of Decree 1377 of 2013 and that is subject of Treatment for being in the possession of the Company.
The Policy shall not apply to data that by its generality becomes anonymous by not allowing the identification or individualization of a specific Owner.
5. Principles governing treatment:
In order to ensure the protection of Personal Data, the Company will harmoniously and comprehensively apply the following principles, in the light of which the Treatment, Transfer and Transmission of Personal Data must be carried out:
a) Principle of Legality in Treatment: The Treatment is a regulated activity, which must be subject to the applicable and current legal provisions governing the subject.
b) Principle of Purpose: The Treatment performed by the Company shall be due to a legitimate purpose in accordance with the Political Constitution of Colombia, which shall be informed to the Owner.
c) Principle of Freedom: Treatment by the Company may only be carried out with the prior, express and informed consent of the Owner. Personal Data may not be obtained or disclosed without prior authorization, except by legal, statutory, or judicial mandate that relegates consent.
d) Principle of truthfulness or quality: Information subject to Treatment must be truthful, complete, accurate, up-to-date, verifiable and understandable. Partial, incomplete, fractionated, or error-inducing Treatment is prohibited.
e) Principle of Transparency: In the Treatment, the Company shall guarantee to the Owner its right to obtain at any time and without restriction information about the existence of any kind of information or Personal Data that is of interest to such Owner.
f) Principle of access and restricted circulation: Treatment is subject to limits derived from the nature of these, the provisions of the law and the Constitution. Accordingly, Treatment may only take place by individuals authorized by the Owner and/or by persons provided for by law. Personal Data, except Public Data, may not be available on the Internet or other mass media, unless access is technically controllable to provide restricted knowledge only to Owners or third parties authorized by law. For these purposes, the obligation of the Company shall one of means (“obligación de medio”).
g) Safety Principle: Information subject to Treatment by the Company shall be handled with the technical, human and administrative measures necessary to provide security to records, preventing their adulteration, loss, unauthorized consultation or use or fraudulent access.
h) Principle of Confidentiality: All individuals within the Company who administer, manage, update or have access to information of any kind found in Databases are obliged to guarantee the confidentiality of the information, and therefore they undertake to keep it strictly confidential and not disclose to third parties, all information that they may become to know in the performance and exercise of their functions, except in the case of activities expressly authorized by the data protection law. This obligation persists and will be maintained even after the end of the tasks that constitute Treatment.
6. Duties of the Company:
Under this Policy, it is the duty of the Company to:
a) Guarantee the Owner, at all times, the full and effective exercise of its privacy rights.
b) Request and retain a copy of the respective authorization granted by the Owner.
c) Inform the Owner properly about the purpose of the collection and the rights that assist them under the authorization granted.
d) Retain information under the necessary security conditions to prevent its adulteration, loss, unauthorized consultation or use, or fraudulent access.
e) Ensure that the information is truthful, complete, accurate, up-to-date, verifiable and understandable.
f) Update the information in a timely manner, taking into account any update regarding the Personal Data of the Owner. In addition, all necessary measures must be implemented to keep the information up to date.
g) Rectify the information when it is incorrect and communicate the relevant information.
h) Respect the security and privacy conditions of Owners’ information.
i) Process the consultations and claims formulated by Owners, in the terms indicated for in the law.
j) Identify when certain information is under discussion or being disputed by the Owner.
k) Inform the Owners, at their request, about the use of their personal data.
i) To inform the Colombian Superintendency of Industry and Commerce (“Superintendencia de Industria y Comercio”) or any other authority for the protection of personal data when there are violations of the security protocols and there are risks in the Treatment of information of Owners.
l) To inform the Colombian Superintendency of Industry and Commerce (“Superintendencia de Industria y Comercio”) or any other authority for the protection of personal data when there are violations of the security protocols and there are risks in the Treatment of information of Owners.
m) Comply with the requirements and instructions given by the Superintendency of Industry and Commerce (“Superintendencia de Industria y Comercio”) or the relevant authority for the protection of personal data.
n) The other provisions of the law.
7. Rights of Owners:
The rights of Owners are as follows:
a) Right to know, update and rectify Personal Data: The Owners may exercise this right against erroneous, inaccurate or incomplete Personal Data, which is misleading, or those that are expressly prohibited or not authorized, and may update and rectify Personal Data.
b) Right to request proof of authorization: Owners may request proof of authorization granted for treatment, by any valid means, except in cases where they do not require it.
c) Right to be informed of the use given to your personal data: Owners have the right to know at any time the use given to their Personal Data, upon request addressed to the Company.
d) Right to revoke authorization and/or request the deletion of Personal Data: Owners may revoke the authorization granted to the Company and/or request the deletion of the Personal Data. Revocation and/or suppression shall take place when the Superintendency of Industry and Commerce has determined that in the Treatment, the Responsible has incurred in a conduct contrary to the law and the Constitution.
e) Right to file complaints: To file with the Superintendency of Industry and Commerce claims for infractions of Law 1581 of 2012 and the other rules that modify, add or complement it, after consultation or request before the Company.
f) Right to access Personal Data: Owners, upon a request by them or their representatives, may have free access to their Personal Data which has been Treated and whenever there are substantial changes to this Policy that will motivate further consultations.
g) Other rights contained in the regulations in force with respect to the matter.
8. Procedure for the exercise of rights by Owners:
Owners may exercise the rights to know, update, rectify and delete information, revoke the authorization initially granted, consult information, file complaints and, in general, the other rights established in Article 8 of Law 1581 of 2012, through the following means:
By sending an e-mail: habeasdata@americantower.com or sending a written communication to Carrera 7 No 99-53 Piso 15 de Bogota, addressed to the legal area.
The Company, within the legal opportunity, will attend to the rights exercised by the Owners, their requests, inquiries and/or claims through the responsible areas set forth in Section 11 of this document.
The Owners must understand that in accordance with Article 9 of Decree 1377 of 2013, “the request for information and the revocation of the authorization shall not proceed when the Owner has a legal or contractual obligation to remain in the Database”.
9. Sensitive and minor data:
The Company undertakes to comply fully with Title III of Law 1581 of 2012, which establishes the Sensitive Data and data of children and adolescents.
10. Company Databases and Purposes:
10.1 As Responsible: The Company will treat in the terms and scope of the authorization given by the Owners the following databases:
a) Company’s Employee Databases: Collection, storage, copy, delivery, update, sorting, transferring, correcting, verifying, use for statistical purposes and in general the use of all Personal Data provided for the purpose of executing and developing the employment contract, as well as to give effect to labor law, jurisprudence and regulations, social security, occupational risks, to grant benefits to the Employee and any other purpose that is necessary for the proper realization of the employment relationship. The Company collects personal information and Personal Data from active employees, retired employees, and others who have had or currently have an employment contract with the Company. The Company may share the Personal Data of its Employees with its current or potential customers in order to fulfill its commercial and/or contractual obligations.
b) Lessor Databases: Collection, storage, copy, delivery, upgrade, sorting, transferring, correcting, verifying, use for statistical purposes and in general use of all Personal Data provided for the purpose of developing the social purpose of the Company, before, during and after the contractual and according to the provisions in the respective contracts and/or business documents signed between the parties and to properly manage the business relationship between the Company and its Lessors.
c) Company’s Customer Databases: Collection, storage, copy, delivery, update, sorting, sorting, transferring, correcting, verifying, use for statistical purposes and in general use of all Personal Data provided for the purpose of developing the social purpose of the Company, before, during and after the contractual relationship and as stipulated in the respective contracts and/or business documents signed between the parties and in order to properly manage the business relationship between the Company and its Customers.
d) Company’s Supplier Databases: Collection, storage, copy, delivery, update, sorting, transferring, correcting, verifying, use for statistical purposes and in general employment and use of all Personal Data provided for the purpose of developing the social purpose of the Company before, during and after the contractual relationship and as stipulated in the respective contracts and/or business documents signed between the parties and in order to properly manage the business relationship of the Company with the suppliers of the Company.
e) Applicant databases: Collection, storage, copy, delivery, update, sorting, sorting, transferring, correcting, verifying, using to advance personnel selection processes.
10.2. As a Processor: The Company he will manage the Personal Data under the terms and scope of the authorization given by the Owner:
a) Company Customer and Supplier Owned Databases: Collection, storage, copy, delivery, upgrade, use, sort, transfer, correct, verification and use for statistical purposes of databases owned by corporate customers and suppliers of the Company, which shall at all times be subject to the policies and instructions agreed upon between the parties. As far as possible, in contracts with the Customers and Suppliers of the Company, the status of the Processor and of the Responsible of its customers and suppliers shall be expressed, with the obligations that such quality imposes on them.
11. Areas responsible for the attention of Owners' petitions, inquiries and claims in the exercise of their rights:
11.1 Employee and Applicant Databases: Human Resources Area
11.2 Customer Databases: Commercial Area
11.3 Supplier Databases: Purchasing Area
11.4 Lessor Databases: Finance Area
12. Safety measures for Database treatment:
The Company will apply the best practices, the greatest effort and diligence to ensure the security and confidentiality of the Company's Databases in the Treatment of such, either as a Processor or as Responsible, and in accordance with Company's personal information security policies and regulations.
13. Use and transfer of personal data by the Company:
In compliance with the corporate purpose of the Company, and in accordance with the nature of the permanent or occasional relationships that any Owner may have with the Company, the Company may make the transfer and transmission, even international, of all Personal Data, Provided that the applicable legal requirements are met; and in consequence of the acceptance of this Policy, the Owners expressly authorize the transfer and transmission, even internationally, of Personal Data. For the international transfer of Personal Data from Owners, the Company shall take the necessary steps to make the third parties aware of and commit to observe this Policy, on the understanding that the Personal Information they receive may only be used for matters directly related to the Company. For the international transfer of Personal Data, the provisions of article 26 of Law 1581 of 2012 shall be observed. Personal Data transfers by the Company shall not require the Owners to be informed or to have their consent when conducting a contract for the transmission of personal data in accordance with Article 25 of Decree 1377 of 2013.
14. Prevalence of substantive norms on data privacy:
Bearing in mind that this Policy seeks to comply with the rules governing the protection of the privacy right enshrined in the Constitution, the statutory laws on this matter and the regulations issued by the Colombian national government for that purpose, the interpretation of the Policy shall at any time be subject to the content of such higher provisions, so in the event of incompatibility or contradiction between this Policy and the higher regulations the latter shall apply.
15. Privacy Notice:
In accordance with Article 14 of Decree 1377 of 2013, if it is not possible to make this Policy available to the Owner, the persons responsible shall inform the Owner through a Notice of Privacy of the existence of the Policy and how to access it, in a timely manner and in any event no later than the time of collection of Personal Data. Attachment 1 herein contains the Privacy Notices that may be used by the Company in these situations. However, the Company may adjust such notices for application in the different types of authorizations, but not in breach of the regulations in force.
16. Policy Effective Date:
This Information Processing Policy becomes effective as of its publication on the Company Intranet.
17. Attachments:
1. Extended Privacy Notice
Annex 1
Privacy Notice
The Company is committed to the protection of personal data. This notice informs you of our Personal Data Protection Policy, describes the treatment to which the personal data will be submitted and its purpose, the rights of Owners, the security measures and the means of making inquiries, requests and complaints.
1. Databases
We allow you to report that the Company manages the following databases:
1.1 As Responsible: The Company will treat in the terms and scope of the authorization given by the Owners, on the following basis:
a) Company’s Employees Database: Collection, storage, copy, delivery, update, sorting, transferring, correcting, verifying, use for statistical purposes and in general the use of all personal data provided for the purpose of executing and developing the employment contract, as well as to give effect to labor law, jurisprudence and regulations, social security, occupational risks, to grant benefits to the employee and any other purpose that is necessary for the proper realization of the employment relationship. The Company collects personal information and data from active employees, retired employees, and others who have had or currently have a contract with the Company. The Company may share the personal data of its employees with its current or potential customers, in the development of its business relationship and in order to fulfill its commercial and/or contractual obligations.
b) Lessor Databases Collection, storage, copy, delivery, upgrade, sorting, transferring, correcting, verifying, use for statistical purposes and in general employment and use of all personal data provided for the purpose of developing the social purpose of the Company, before, during and after the contractual and as provided for in the respective contracts and/or business documents signed between the parties and to properly manage the business relationship between the Company and its lessors.
c) Customer Databases: Collection, storage, copy, delivery, update, sorting, transferring, correcting, verification, use for statistical purposes and in general employment and use of all personal data provided for the purpose of developing the social purpose of the Company, before, during and after the contractual relationship and as stipulated in the respective contracts and/or business documents signed between the parties, and to properly manage the business relationship between the Company and its customers.
d) Company’s Suppliers Databases: Collection, storage, copy, delivery, update, sorting, transferring, correcting, verifying, use for statistical purposes and in general employment and use of all personal data provided for the purpose of developing the social purpose of the Company before, during and after the contractual relationship and as stipulated in the respective contracts and/or business documents signed between the parties and in order to properly manage the business relationship of the Company with the suppliers of the Company.
1.2 As a Processor: The Company will conduct Treatment on the terms and scope of the authorization given by the Owner:
a) Databases owned by the Company’s Customers and Suppliers Collection, storage, copy, delivery, upgrade, use, sort, sort, transfer, correct, verification and use for statistical purposes of databases owned by corporate customers and suppliers of the Company, which shall at all times be subject to the policies and instructions agreed upon between the parties. To the extent possible, contracts with the clients of the Company will express the status of the Company as Processor and of its clients and suppliers as Responsible, with the obligations imposed on them by such quality.
2. Rights of Owners and Exercising Rights Mechanisms:
The Owners have the rights provided for in the current Data Protection Regulation and may at any time contact the Company by writing to us at: habeasdata@americantower.com, attaching a photocopy of the Owners' identity document. At this email they may also request the submission of our Data Protection Policy.
The Company will respond to the claim as soon as possible; not to exceed the maximum term set by law.
Call: (57) 601-5147690 | Legal | Privacy | Cookie Settings | Media Relations | Site Map | Data Protection Policy
© 2004 - 2023 by ATC TRS V LLC. All rights reserved.