Contact us
Contact us contacto@malunga.org

Article 1. Person Responsible for Personal Data Processing. __________________________, identified with NIT./C.C. ____________, is responsible for the processing of personal data that it collects, uses, or incorporates into the databases under its control. For all relevant purposes, the person responsible is domiciled in the city of _________, Colombia, at the address _____________ and communications related to the matters regulated by this resolution should be sent to the email address ___________________.

Article 2. Object. The purpose of this Policy is to establish the criteria for obtaining, collecting, using, processing, exchanging, transferring, transmitting, and deleting personal data; it aims to establish the responsibilities of the person responsible in the management and processing of personal data contained in its databases and files, and the rights of the owners of personal data contained in its files and databases.

Article 3. Definitions. For the purposes of this Policy, the following definitions shall apply:

  1. Authorization: Prior, express, and informed consent of the owner to carry out the processing of their personal data.
  1. Privacy notice: Verbal or written communication, generated by the person responsible, addressed to the owner for the processing of their personal data, through which they are informed about the existence of the information processing policies that will be applicable to them, how to access them, and the purposes of the processing that is intended to be given to the personal data.
  1. Database: Organized set of personal data that is subject to processing and that is in the possession of the person responsible.
  1. Personal data: Any information linked to or that may be associated with one or more determined or determinable natural persons.
  1. Public data: Data that is not semi-private, private, or sensitive. Public data includes, among others, data relating to the civil status of persons, their profession or occupation, and their status as a merchant or public servant. By their nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins, and duly executed judicial rulings that are not subject to reservation.
  1. Private data: Data that, due to its intimate or reserved nature, is only relevant to the owner.
  1. Semi-private data: Data that does not have an intimate, reserved, public, or sensitive nature and whose knowledge or disclosure may be of interest not only to its owner, but to a certain sector or group of people or to society in general.
  1. Sensitive data: Sensitive data is understood to be that which affects the privacy of the owner or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social or human rights organizations, or that promote the interests of any political party, or that guarantee the rights and guarantees of opposition political parties, as well as data relating to health, sexual life, and biometric data.
  1. Person in charge of processing: Natural or legal person, public or private, who by itself or in association with others, carries out the processing of personal data on behalf of the person responsible. Those natural or legal persons with whom the person responsible has a conventional or contractual relationship, within whose obligations is to process personal data on behalf of the person responsible, will be in charge of processing.
  1. Person responsible for processing: Natural or legal person, public or private, who by itself or in association with others, decides on the database and/or the processing of the data.
  1. Owner: Natural person whose personal data is subject to processing.
  1. Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.
  1. Transfer: The transfer of data takes place when the person responsible, and/or the persons in charge of processing personal data, located in Colombia, send the information or personal data to a recipient who, in turn, is responsible for the processing, whether inside or outside the country.
  1. Transmission: Processing of personal data that implies the communication of the same within or outside the territory of the Republic of Colombia when its purpose is the realization of a processing by the Person in Charge on behalf of the person responsible.

Article 4. Principles. The person responsible shall apply the following principles in the processing of personal data that it collects, stores, uses, or circulates:

  1. Principle of legality in the matter of data processing: The processing of personal data carried out by the person responsible will be subject to the provisions of Law 1581 of 2012, its regulatory decrees, and other provisions that add to or modify it.
  1. Principle of purpose: The processing must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Owner.
  1. Principle of freedom: The processing can only be exercised with the prior, express, and informed consent of the Owner. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves consent.
  1. Principle of veracity or quality: The information subject to processing must be truthful, complete, accurate, updated, verifiable, and understandable. The processing of partial, incomplete, fragmented data or that induces error is prohibited.
  1. Principle of transparency: In the processing, the right of the Owner to obtain from the person responsible for the processing or the Person in Charge of the Processing, at any time and without restrictions, information about the existence of data that concerns him must be guaranteed.
  1. Principle of restricted access and circulation: The processing is subject to the limits that derive from the nature of personal data, the provisions of the law and the Constitution. In this sense, the processing may only be done by persons authorized by the Owner and/or by the persons authorized in accordance with the law. Personal data, except for public information, may not be available on the Internet or other means of mass dissemination or communication, unless access is technically controllable to provide restricted knowledge only to the Owners or authorized third parties in accordance with the law and this policy.
  1. Principle of security: The information subject to processing will be handled with the technical, human, and administrative measures that are necessary to grant security to the records, avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.
  1. Principle of confidentiality: All persons who intervene in the processing of personal data that does not have the nature of public are obliged to guarantee the reservation of the information, even after the termination of their relationship with any of the tasks that comprise the Processing, being able to only carry out the supply or communication of personal data when it corresponds to the development of the activities authorized in the law and in the terms of the authorization granted by the owner.
  1. Principle of Necessity: The personal data processed must be strictly necessary for the fulfillment of the purposes pursued with the database.
  1. Principle of temporality: Personal data will be kept only for the reasonable and necessary time to fulfill the purposes that justified the processing, according to the provisions applicable to the matter in question and the administrative, accounting, tax, legal and historical aspects of the information. The data will be kept when this is necessary for compliance with a legal or contractual obligation. Once the purpose of the processing and the terms established above have been fulfilled, the data will be deleted.

Article 5. Processing of Sensitive Data. The Processing of sensitive data is prohibited, except when:

  1. The Holder has given their explicit authorization to said Processing, except in cases where the granting of said authorization is not required by law.
  1. The Processing is necessary to safeguard the vital interest of the Holder and the Holder is physically or legally incapacitated. In these events, legal representatives must grant their authorization.
  1. The Processing refers to data that is necessary for the recognition, exercise or defense of a right in a judicial process.
  1. The Processing has a historical, statistical or scientific purpose. In this event, measures must be taken to suppress the identity of the Holders.

The controller may process biometric data through photographic or video recording within the framework of virtual, in-person events and for the publication of photographs and memories on social networks. In these cases, measures will be taken to ensure that in the places where the collection of biometric data is intended, there are notices informing the data subjects of the collection of the data or that the corresponding written authorization is available.

Article 6. Processing of personal data of children and adolescents. The processing of personal data of minors is prohibited, except when it comes to data of a public nature. However, when processing is required, respect for the prevailing rights of children and adolescents will be guaranteed. In these cases, authorization will be obtained from the legal representative of the minor, after exercising the minor’s right to be heard.

Article 7. Processing and Purposes. The controller of personal data may collect, store, circulate, delete, update, transmit and/or transfer within or outside the country, and dispose of the data that has been supplied and that is supplied, and that has been incorporated or is incorporated in different files, databases or electronic repositories of all kinds that the controller has.

Personal data will be processed for the following purposes:

  1. Send newsletters, journalistic information, news, calls and other communications related to the mission and activities of the Malunga Network.
  2. Send invitations to events, talks, campaigns and other activities developed within the framework of the Network’s objectives.
  3. Manage the registration and participation process in events, activities and spaces organized or co-organized by the Malunga Network.
  4. In the case of biometric data captured in video, photographs and/or audio during events and activities, use them for publication on the Network’s website, streaming platforms and social networks, for the purposes of recording, memory and dissemination of its actions.
  5. Conduct surveys, consultations and statistical studies to strengthen the actions and scope of the Network.
  6. Respond to queries, requests or exercises of rights of the data subjects.
  7. Share personal data, when necessary and pertinent, with allies, organizations and actors linked to the work of the Network, inside and outside Colombia, for the fulfillment of its mission purposes, guaranteeing at all times the adequate processing of information.

Article 8. Transfer and transmission of personal data. The controller may transfer and/or transmit personal data to third parties located inside and outside Colombia, with whom it has relationships of any contractual and/or conventional modality.

The transfer and/or transmission will be carried out in accordance with the law and the purposes established in this policy. Without prejudice to the obligation to observe and maintain the confidentiality of the information, the controller will take the necessary measures to ensure that these third parties know and commit to observe this Policy, under the understanding that the personal information they receive may only be used for matters directly related to the activities of the relationship with the controller, and only while it lasts, and may not be used or intended for a different purpose or end.

Agreements that involve the transfer and/or transmission of personal data must include obligations to guarantee: (i) that the processing will be carried out in accordance with this policy and the authorized purposes; (ii) Commitments to adopt the necessary security measures for the protection of the databases where personal data is stored; and, (iii) Commitments of confidentiality of the information regarding personal data.

Article 9. Authorization and consent. Without prejudice to the exceptions provided for in law, the Processing requires the prior and informed authorization of the Holder, which must be obtained by any means that may be subject to subsequent consultation.

Authorization may be obtained in writing, orally or through unequivocal conduct of the holder that allows to reasonably conclude that the holder granted authorization to the controller for the processing of their data.

Paragraph One. When the authorization is written, it may be contained in a physical document, data message, Web sites, in any other format that allows to guarantee its subsequent consultation or through a suitable technical or technological mechanism, that allows to express or obtain consent via click or double click, through which it can be unequivocally concluded that if a conduct of the holder had not been carried out, the data would never have been captured and stored in the database.

Paragraph Two. For the purposes of this policy, the following will be understood as unequivocal conduct of authorization, without being limited to those listed below:

  1. The completion of forms and attendance lists of events organized or in which the controller participates.
  1. The participation of online events that are being recorded.
  1. The entry to events organized by the controller, in which there is a video surveillance system for security reasons.

In any of the cases, the controller will take the necessary actions to inform the data subjects of the collection of personal data and, in accordance with the technical capacities and the space in which the data is collected, information will be given for access to this policy.

Article 10. Mechanisms for obtaining authorization. The authorization for the use and processing of personal data of the data subjects may be obtained using the following mechanisms:

  1. Completion of an electronic form, for participation in events, surveys, among others.
  1. Completion of an authorization format in physical form or attendance lists to events that are developed in person.
  1. Subscription to newsletters and/or newsletters through the controller’s website.
  1. Through a privacy notice when it comes to events developed without prior registration, on streaming platforms and/or social networks.

Article 11. Duty to inform the data subjects. The controller, at the time of obtaining the authorization of the data subject, must inform in a clear and express manner:

  1. The Processing to which their personal data will be subjected and its purposes.
  1. The optional nature of the response to the questions that are made to them, when these relate to sensitive data or data of children and adolescents.
  1. The rights that assist them as a Holder.
  1. The identification, physical or electronic address, and telephone number of the controller.

Article 12. Cases in which authorization is not necessary. In accordance with the Law, it will not be necessary to obtain authorization from the data subject when it comes to:

  1. Information required by a public or administrative entity in the exercise of its legal functions or by judicial order.
  1. Data of a public nature,
  1. Cases of medical or sanitary emergency.
  1. Processing of information authorized by law for historical, statistical, or scientific purposes.
  1. Data related to the Civil Registry of Persons.

In any case, the processing of personal data carried out under the exceptions listed in this article will be carried out in accordance with the provisions in force regarding the processing of personal data and for the purposes contemplated in this policy.

Article 13. Rights of data subjects. The rights of the holders of personal data are:

  1. Know, update, and rectify their personal data. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned data, that induce error, or those whose processing is expressly prohibited or has not been authorized.
  1. Request proof of the authorization granted to the controller unless it is expressly and legally excepted as a requirement for processing.
  1. Be informed by the controller, upon request, regarding the use that has been given to their personal data.
  1. File complaints with the competent authority for infractions of the provisions of Law 1581 of 2012, which dictates general provisions for the protection of personal data and other regulations that modify, add to, or complement it.
  1. Revoke the authorization and/or request the deletion of the data when the principles, rights, and constitutional and legal guarantees are not respected in the processing.
  1. Access their personal data that has been subject to processing free of charge.

Article 14. Persons to whom information may be supplied. The controller may provide information related to the personal data being processed to the following persons:

  1. To the Data Subjects, their successors or their legal representatives.
  1. To public or administrative entities in the exercise of their legal functions or by judicial order.
  1. To third parties authorized by the Data Subject or by law.

Article 15. Procedure for consultations, claims, and revocation of authorizations.

Consultations:

The data subjects, or the third parties legitimized in the terms established by law, may request through the email _________________ the personal information of the data subject that rests in any database and files of the controller.

In any case, the consultations will be attended to within a maximum term of ten (10) business days counted from the date of receipt. When it is not possible to attend to the consultation within said term, the interested party will be informed before the expiration of the ten (10) days, expressing the reasons for the delay and indicating the date on which the consultation will be attended to, which in no case may exceed five (5) business days following the expiration of the first term.

Claims and revocations of authorization: The data subjects, or those legitimized in the terms established by law, may submit requests for rectification, updating, and deletion of data, as well as the revocation of authorization, through the email: __________________

The study of a claim will proceed when the data subject considers that their information contained in a database of the controller should be subject to correction, updating, or deletion, or when they believe that there is a presumed breach of any of the duties as controller of the processing.

Any claim or revocation must contain the identification of the Data Subject, the description of the facts that give rise to the claim, the address, and must be accompanied by the documents that you want to assert. If the claim is incomplete, the interested party will be required within five (5) days following the receipt of the claim to correct the errors. After two (2) months from the date of the requirement, without the applicant submitting the required information, it will be understood that they have withdrawn the claim.

In the event that the controller is not competent to resolve the claim or the revocation, it will transfer it to the corresponding party within a maximum term of two (2) business days and inform the interested party of the situation.

Once the claim or the revocation request has been received completely, a legend will be included in the database to which it belongs that says “claim in process” and the reason for this, within a term no greater than two (2) business days. Said legend must be maintained until the claim is decided.

The maximum term to attend to the claim or a revocation of authorization will be fifteen (15) business days counted from the day following the date of receipt. When it is not possible to attend to the claim within said term, the interested party will be informed of the reasons for the delay and the date on which their claim will be attended to, which in no case may exceed eight (8) business days following the expiration of the first term.

Paragraph One. The controller must rectify and update the inaccurate, incomplete, or outdated information at the request of the data subject, in accordance with the procedure and terms indicated. In the requests for rectification and updating of personal data, the data subject must indicate the corrections to be made and provide the documentation that supports their request.

Article 16. Deletion of personal data. The data subject has the right to request the controller at all times to delete (eliminate) their personal data or revoke the authorization when:

  1. Consider that they are not being treated in accordance with the principles, duties, and obligations provided in the current regulations and this policy.
  1. They are no longer necessary or relevant for the purpose for which they were collected.
  1. The period necessary for the fulfillment of the purposes for which they were collected has been exceeded.

When a request for deletion of personal data is appropriate, the controller must take actions to eliminate the data in such a way that it does not allow the recovery of the information.

Due to the fulfillment of legal duties, the controller may deny the request for deletion of personal data presented by the data subject, informing the reasons that oblige the Center to keep the information and limiting the active processing of personal data to what is required by the law that orders its conservation.

Article 17. Duties of the controller of the processing: The duties of the controller of the processing are:

  1. Guarantee the Data Subject, at all times, the full and effective exercise of the right of habeas data.
  1. Request and keep, under the conditions provided in the law and this policy, a copy of the respective authorization granted by the Data Subject.
  1. Duly inform the Data Subject about the purpose of the collection and the rights that assist them by virtue of the authorization granted.
  1. Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use, or unauthorized or fraudulent access.
  1. Guarantee that the information provided to the Data Processor is truthful, complete, accurate, updated, verifiable, and understandable.
  1. Update the information, communicating in a timely manner to the Data Processor, all the news regarding the data that has previously been provided and adopt the other necessary measures so that the information provided to it is kept updated.
  1. Rectify the information when it is incorrect and communicate the pertinent to the Data Processor.
  1. Supply the Data Processor, as the case may be, only with data whose processing is previously authorized in accordance with the provisions of this policy.
  1. Require the Data Processor at all times to respect the security and privacy conditions of the Holder’s information.
  1. Process the queries and claims made in the terms indicated in this policy.
  1. Inform the Data Processor when certain information is under discussion by the Holder, once the claim has been filed and the respective procedure has not been completed.
  1. Report at the request of the Holder on the use given to their data.
  1. Inform the data protection authority when violations of the security codes occur and there are risks in the administration of the information of the Holders.
  1. Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.