PERSONAL DATA PROTECTION POLICY DECAMERON ORGANIZATION.
The Decameron Organization and its integrated companies, hereinafter the Organization, in their capacity as Data Controller, recognize the importance of the security, privacy and confidentiality of the personal data of their collaborators, shareholders, potential clients, customers, suppliers and, in general, of all their interest groups whose personal information they process.
The Organization shall promote the adequate treatment and protection of personal data in all activities that involve the processing of personal information at the national and international level, in accordance with the applicable legislation of the countries where the Organization operates, and, in particular, shall take into account the guidelines issued by the General Data Protection Regulation (GDPR) of the European Union.
Define the guidelines for the treatment and protection of personal data in all activities carried out by the Organization.
The provisions of this policy apply to the Decameron Organization and are mandatory for its shareholders, board members, legal representatives, collaborators, proxies, representatives and contractually linked third parties, acting on their own behalf or on behalf of the Organization.
- 4.1 Authorization: Prior, express and informed consent of the owner of the personal data to carry out the processing of personal data. The consent can be granted in writing, orally or through unequivocal behavior of the Data Subject that allows the conclusion that the authorization was granted.
- 4.2 Privacy Notice: It is the verbal or written communication whose purpose is to inform the owner of the data about the existence of a personal data treatment policy, which will apply to the processing of their information.
- 4.3 Database / Data Bank: It is the organized set of personal data that will be processed by the Organization and that has the characteristics required to be registered with the competent control entity, in accordance with current regulations. Databases are considered information assets that contain information organized in magnetic or physical media of potential customers, customers, suppliers and collaborators, among others.
- 4.4 Personal Data: Any information linked or that may be associated with one or more specific or determinable natural persons. The personal data is classified as:
- 4.4.1 Public Data: It is the data that is not private or sensitive. The following data are considered public data: name, identity document, people's marital status, gender, among others.
- 4.4.2 Private Data: It is the data that due to its intimate or reserved nature is only relevant for the person holding the data, such as salary information and financial information.
- 4.4.3 Sensitive Data: Information that affects the privacy of the owner or whose improper use can generate discrimination, such as data that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, or membership in unions or in social or human rights organizations, or in organizations that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life and biometric data, including, among others, the capture of still or moving images, fingerprints, photographs, iris, and voice, facial or palm recognition. Personal data of minors are considered sensitive data, regardless of the type of data.
- 4.5 Data processor: Natural or legal person, public or private, that by itself or in association with others, performs the processing of personal data on behalf of the Data Controller.
- 4.6 Data Protection Officer: Person in charge of implementing, monitoring, controlling and promoting the application of the Personal Data Protection Policy within the Organization.
- 4.7 Data Controller: Natural or legal person, public or private, that by itself or in association with others, decides on the database and / or the data treatment.
- 4.8 Information Repository: Organized set of data in physical or magnetic media, in which there may or may not be personal information of owners, and which is not subject to reporting to the control entities.
- 4.9 Data Holder/ Data Subject: Natural person whose personal data is subject to processing.
- 4.10 Transfer: The transfer of data takes place when the Data Controller or the Data Processor, located in any of the countries in which the operation is established, sends the information or personal data to a recipient, who in turn is responsible for the treatment and is located inside or outside the country from which it was sent.
- 4.11 Transmission: Treatment of personal data that implies the transmission of these inside or outside the country, when its objective is to carry out treatment by the Data Processor on behalf of the Data Controller.
- 4.12 Treatment: Any operation or set of operations on personal data, such as the collection, storage, use, circulation or deletion.
5. APPLICABLE PRINCIPLES TO THE PERSONAL DATA PROCESSING
The Organization will apply the principles mentioned below, which constitute the rules to follow in the collection, handling, use, treatment, storage and exchange of personal data:
- 5.2.1 Legality: The personal data processing must be carried out in accordance with the applicable legal provisions.
- 5.2.2 Purpose: The personal data collected must be used for a specific and explicit purpose allowed by the applicable regulations in the country, as appropriate, of which the Data Holder must be informed. The Data Holder must be informed in a clear, sufficient and prior manner about the purpose of the treatment of the information he provides.
- 5.2.3 Freedom: The collection of Personal Data may only be exercised with the prior, express and informed authorization of the owner.
- 5.2.4 Truthfulness or Quality: The information subject to the processing of personal data must be truthful, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fractional or error-inducing data is prohibited.
- 5.2.5 Transparency: In the processing of personal data, the right of the Holder to obtain from the Organization, at any time and without any restriction, information about the existence of any type of personal information that is of his interest or ownership must be guaranteed.
- 5.2.6 Access and restricted circulation: Personal data, except those that are categorized as public data, may not be available on the Internet or in mass communication media, and in all cases the treatment must be carried out in accordance with the applicable legal provisions.
- 5.2.7 Security: The personal data subject to treatment must be handled by adopting all the necessary security measures to prevent their loss, adulteration, or unauthorized or fraudulent consultation, use or access.
- 5.2.8 Confidentiality: All the people who manage, update or have access to personal information undertake to keep confidential, and not to disclose to third parties, any personal, commercial, accounting, financial, credit or other type of information that they came to know in the exercise of their functions. This duty extends to allied or collaborating third parties that relate to the Organization by any conventional or contractual link.
6. PURPOSES TO WHICH THE PERSONAL DATA PROCESSED BY THE ORGANIZATION WILL BE SUBMITTED
The following are the purposes for which the Organization will carry out the processing of personal data:
6.1. Human Talent Management
- Manage and operate, directly or through third parties, the processes of selection and linking of personnel, including the evaluation and qualification of the participants and the verification of labor and personal references, and the conduct of safety or risk studies;
- Develop the activities of human resources management within the Organization, such as payroll, affiliations with entities responsible for the provision of health and pension services, occupational health and welfare activities, exercise of the employer's sanctioning power, among others;
- Register the collaborator in the Organization's computer systems, so that the accounting, administrative and financial activities of the contractual link can be carried out;
- Make the necessary payments derived from the execution of the employment contract and / or its termination, and other social benefits that may take place in accordance with the applicable law;
- Contract labor benefits with third parties, such as life insurance, medical expenses, among others;
- Report incidents or accidents that occur during working hours to authorized emergency contacts.
- Coordinate professional development, and employee training programs and access to computer resources for this purpose;
- Plan business activities that may require information on the minor children of employees
- Carry out internal investigations for disciplinary purposes.
6.2. Customers and Users
- Generate reservations in the hotels of the Organization, as well as their respective modifications, cancellations, changes and refunds;
- Generate air and land transportation reservations, as well as modifications, cancellations, changes and refunds;
- Manage reservations and general information about products and services from internet portals, contact centers and social networks;
- Send information about changes in the conditions of services and products offered by the Organization;
- Send promotional or commercial information of the services provided by the Organization.
- Manage all activities related to hotel registration for room allocation, payment processing, accounting and billing;
- Manage recreational activities, tourism (tours), towel service, laundry service, and restaurant reservation;
- Manage activities related to the provision of nursing, spa and gym services.
6.3 Suppliers and Contractors
- Register contractors and suppliers in the Organization's systems and process their payments;
- Formalize the contractual, conventional or legal link in order to manage the administrative, accounting, financial, operational and logistical aspects associated with the fulfillment of the contractual object;
- Train contractors, vendors and agents in basic aspects of commercial management of the products offered by the Organization;
- Perform the verification of commercial, reputational and eventual relationship risks associated with money laundering, terrorism financing, corruption, fraud, etc;
- Evaluate the performance and results of the supplier or contractor in order to strengthen the supply processes.
- Send information on services and procedures of the Organization.
6.4 Commercial Strategy, Alliances and Business Collaborations
- Share information nationally and internationally with third-party allies of the Organization that support or contribute to the adequate provision of the services offered;
- Establish a regular and permanent communication channel to send information about offers related to the services and products of the Organization.
- Manage marketing and promotional activities (including participation in contests, raffles and draws), through various channels, including social networks;
- Manage communication and loyalty activities;
- Transfer the information collected to different areas of the Organization when necessary, for the development of operations (portfolio collection, tax matters, administrative collections, treasury, accounting, among others);
- Manage goods and services provided by third parties for the proper development of the commercial activity of the Organization, for example: air and land transportation; accommodation services of international allies associated with the Multivacations Program, among others;
- Transfer or transmission of data to third companies with which the Organization has contracts for the adequate provision of its services. To ensure proper data management, contractual provisions must be included to transfer or transmit personal data to third parties.
6.5 Administrative and Compliance Management
- Register the entrance to the offices, agencies and hotels of the Organization;
- Administratively process the obligations contracted by the Organization with its clients when they acquire its services and products;
- Control access to the Organization's offices and establish security measures, including the establishment of video-monitored areas;
- Evaluate the quality of the service, carry out market studies on consumption habits and statistical analysis for internal uses;
- Carry out internal or external audit processes of the commercial activity that the Organization develops;
- Respond to inquiries, requests, complaints and claims that are made by the owners, control bodies and other authorities that under the applicable law make requirements;
- Transfer the information collected to different areas of the Organization, when necessary for the development of its operations (portfolio collection, tax matters, administrative collections, treasury, accounting, among others);
- Make the requested reports to government and control entities, when required.
- Manage the acquisition of tickets for air or multimodal transport required by the Organization's personnel to carry out their duties.
- Perform verification against restrictive lists and in the media to carry out due diligence processes for the knowledge of third parties.
- Carry out all activities aimed at the prevention of risks of fraud, corruption, money laundering and financing of terrorism.
- Carry out investigations into complaints of violations of corporate policies.
7. RIGHTS FOR THE PROCESSING OF PERSONAL DATA
7.1. Rights of the Data Holders
In accordance with the provisions of the national and international regulations for the processing of personal data, the Data Holders have the following rights:
- Know, update and rectify their personal data before the Organization;
- Request proof of authorization granted to the Organization;
- Be informed by the Organization, upon request, regarding the use given to their personal data;
- Submit complaints to the competent entity for violations of the provisions of the rules on personal data, once the consultation or claim process has been exhausted before the Organization;
- Revoke the authorization and / or request the deletion of the data when the constitutional and legal principles, rights and guarantees are not respected in the treatment carried out by the Organization;
- Access, free of charge, their personal data that have been processed.
The rights of the owners may be exercised by the following persons:
- By the Data Holder;
- By their successors, who must prove that status;
- By the representative and / or proxy of the holder, upon prior accreditation of the representation or power duly granted.
- By stipulation in favor of another or for another.
7.2. Children and Teenagers Rights
All personal information associated with children and adolescents will be subject to special protection by the Organization and will be treated under appropriate security measures and with strict respect for their prevailing rights.
The information will be treated in the development of social activities, internal or external communication strategies, as well as in the execution of programs or campaigns associated with the management of traditional or digital media whose purpose is the promotion or development of the missionary purpose of the Organization.
Additionally, in each type of treatment, the compilation of specific terms and conditions for each of the activities will be promoted, defining their requirements and restrictions for the treatment of the information of children and adolescents, taking into account the best interests and the prevalent respect for their rights. It is important to keep in mind that in the event that the particular terms and conditions are not available, the provisions contemplated in this policy and relevant special rules that apply in the matter will apply.
Likewise, in cases where it is necessary to collect personal data of minors, for example, to make hotel or air reservations, the accommodation of minors not accompanied by their parents or the affiliation of beneficiaries to the social security system of employees of the Organization, the Organization will request that the corresponding treatment authorization be signed by the legal representatives of the minors; and whenever necessary, the minor's opinion will be taken into account in accordance with the reasonable determination of his level of maturity and understanding of the specific case.
8. DUTIES OF THE COMPANY WHEN IT WORKS AS DATA CONTROLLER
The Organization is aware that personal data are the property of the owners and only they can decide on them. In that sense, the Organization will make use of the personal data collected only for the purposes for which it is duly authorized and respecting, in any case, the regulations in force in this regard. In this regard, the Organization will fulfill the following duties:
- Guarantee to the data holder, at all times, the full and effective exercise of his rights;
- Request and keep a copy of the respective authorization granted by the holder;
- Duly inform the data holder about the purpose of the collection and the rights to which he is entitled by virtue of the authorization granted;
- Keep the information under the necessary security conditions to prevent its adulteration, loss, or unauthorized or fraudulent consultation, use or access;
- Ensure that the information provided to the Data Processor is complete, accurate, updated, verifiable and understandable;
- Update the information, communicating in a timely manner to the Data Processor all changes regarding the data previously provided to it, and take the other necessary measures so that the information provided to it is kept updated;
- Rectify the information when it is incorrect and communicate what is pertinent to the Data Processor;
- Provide to the Data Processor, as the case may be, only data whose Treatment is previously authorized;
- Require the person in charge of the treatment to respect, at all times, the security and privacy conditions of the owner's information;
- Process inquiries and complaints made.
9. APPLICATION FOR AUTHORIZATION AND CONSENT OF THE DATA HOLDER
9.1. Means and Manifestations to Grant Authorization
In all cases, the consent that is granted by the owner for the data holder must be expressly granted, and it can be manifested under the various modalities established in the rules that regulate the protection of personal data, whether in writing, verbally or through unequivocal behaviors.
The purposes for the use of personal data will be disclosed through privacy notices that will be communicated through different physical or virtual channels.
9.2. Proof of Authorization
The authorization for the adequate treatment of personal data depends on the channel or point of information collection, so the proof will be focused on the mechanism used to obtain it. Examples include written formats, acceptance records through audiovisual media or audio recordings, and acceptance through check boxes implemented in web forms, among others.
10. PROCEDURES TO ACCESS, CONSULT, RECTIFY AND UPDATE YOUR INFORMATION
The holders of personal data processed by the Organization have the right to access them, to know the details of their treatment, as well as to rectify and update them if they are inaccurate, or to request their deletion when they consider them to be excessive or unnecessary to the purposes that justified their obtaining, or oppose their treatment for specific purposes.
The holders may make inquiries about the personal information held in any database of the Organization, so the right to consultation will be guaranteed and the procedures will be carried out in a timely manner for the following requests:
- Access to information
- Proof of authorization granted by the data holder
- Consultation on the use of personal information
Inquiries must be submitted through the enabled channels and following the procedure described below:
- At any time and for free, the holder or his representative may make inquiries regarding the personal data that are subject to processing by the Organization. In all cases, the identity and the power to carry out the consultation must be accredited.
- When the query is made by a person other than the holder of the personal information, the request must be supported with the following information: name of the holder and physical or email address in which the response can be received and the documents that accredit the identification and link with the holder.
- Description of the data on which the right of consultation is exercised.
- Clear and detailed description of the query
The consultation will be attended to by the Organization within the terms provided by each local regulation according to the country of origin.
The holders may request the correction and updating of personal information, the deletion of the data and the partial or total revocation of the authorization given to the Organization through the presentation of a claim that will follow the following procedure:
- A claim may be submitted at any time, free of charge, by the holder or his representative, upon accreditation of his identity or mandate to act.
- The claim must contain at least the name and identification document, together with the documents proving the suitability of the representation, and must include a clear and precise description of the facts that give rise to it.
- If necessary, documentation supporting the claim must be provided.
- The complaint will be addressed by the Organization within the terms provided by each local regulation according to the country of origin.
These channels may be used by the holders of personal data, or third parties authorized by law to act on their behalf, in order to exercise their rights.
The area in charge of ensuring compliance with this policy is the Vice President of Compliance and Internal Control, through the Corporate Risk and Compliance Management and the Personal Data Protection Officer.
11. PERSONAL DATA PROCESSING PROGRAM AND ACCREDITATION OF THE ACCOUNTABILITY PRINCIPLE
In order to fully comply with the personal data processing regime, the Organization will identify the information assets by keeping the data life cycle up to date, thus:
- Identification of the activities or processes that initiate or capture personal data to which a certain treatment will be carried out.
- Identification of channels and sources of personal data capture, identifying the type of information that is collected, its means of collection and the purpose.
- Identification of databases and information repository where personal information is stored, specifying their treatment through physical or automated means.
- Identification of users or areas of the Organization that have access to databases with personal information, identifying the relationship they have with third-party allies.
- Mechanisms for disposition or deletion of personal data.
These elements are the essential basis that gives rise to the data cycle and will be the starting point for determining any type of legal, technical and organizational coverage that allows the Organization to promote an adequate treatment of personal data.
Each area of the Organization will be the owner of the information assets they manage, and must comply fully with the legal provisions that regulate the matter.
12. VALIDITY PERIOD OF DATABASES
The Personal Data under the control of the Organization will be kept for the time required according to the purpose of the Treatment and / or for the corresponding legal term, where so determined.