PROTECTION POLICY
OF PERSONAL DATA

Identity of the responsible party:

  • DUQUE ARANGO GALLERY
  • Address: Carrera 37 # 10 A – 34
  • E-mail: [email protected]
  • Telephone: (04) 266 87 63
  • Web Site: www.galeriaduquearango.com

Scope:

Applies to all companies, areas and persons who perform the processing of personal data of users, in compliance with their functions within the company.

Object:

To guarantee that the personal data provided and authorized by our consumers and other subjects that interact with the company, hereinafter referred to as Users, are stored with security standards that guarantee their adequate treatment and custody.

Principles:

The company carries out the processing of personal data based on the principles of:

  • Purpose
  • Freedom
  • Truthfulness or quality
  • Transparency
  • Security
  • Restricted access and circulation
  • Confidentiality

Authorization, use and privacy notice

To guarantee that the personal data provided and authorized by our consumers and other subjects that interact with the company, hereinafter referred to as Users, are stored with security standards that guarantee their adequate treatment and custody.

The information of the users can only be used by the company; and it will be with its commercial and strategic partners, as long as there is the previous authorization of the person in charge of the information.

In Colombia there is a privacy notice, containing the information required by decree 1377 of 2013, which will be communicated to the holder of personal data. To facilitate disclosure, its content may be included in the authorization.

Information processing

Personal data will be included in databases and its treatment will be according to the type of user, as follows:

a) Consumers: The data and personal information will be used for the purposes derived from the existing relationship, such as the shipment of products purchased by the consumer, the resolution of PQR, conducting studies or surveys on products and services, the development of promotional campaigns through the channels intended for this purpose, the inclusion of new products and services through the management and analysis of preferences, tastes, needs and profiling of consumers in demographic aspects and consumption habits, sending commercial information or invitations from the company or third parties to participate in different contests or events and conducting evaluations of the quality of our products, among other purposes that are specified in each of the authorizations.

b) Suppliers: The personal data and information will be used for the purposes derived from the existing relationship, such as selecting, evaluating and executing contracts; sending information based on the current business relationship; and making inquiries for the necessary verifications on the origin of funds and risk management of money laundering and terrorist financing; among other purposes that are specified in each of the authorizations. When the company is required to disclose personal data of any supplier, as a result of a contracting process, this shall be done with the provisions that comply with the provisions of this policy and that warn third parties about the purpose of the information disclosed. The company will collect from its suppliers the personal data of their employees, which are necessary and relevant, that for security or regulatory compliance reasons must be analyzed and evaluated; make inquiries through any means to carry out the necessary verifications on the origin of funds and risk management of money laundering and terrorist financing, among other purposes that are specified in each of the authorizations.

c) Data of minors: The collection of data of minors will be done only with prior authorization of their legal representative through the electronic or physical mechanisms provided for such purpose. The representatives of the minor will be informed of the purpose of the processing of their personal data, as well as the terms, conditions and this policy so that they can be read and accepted by the person who is presumed to be the holder of parental authority. The contents of the company are suitable and designed for minors, guaranteeing the rights of minors.

d) Community in general: The collection of data from minors will only be done with prior authorization from their legal representative through the electronic or physical mechanisms provided for such purpose. The representatives of the minor will be informed of the purpose of the processing of their personal data, as well as the terms, conditions and this policy so that they can be read and accepted by the person who is presumed to be the holder of parental authority. The contents of the company are suitable and designed for minors, guaranteeing the rights of minors.

User rights

  • Contact the company through the established channels (indicated in this policy), to know, update, rectify or delete your personal data free of charge, or revoke the authorization for the treatment of these.

  • Request proof of the authorization granted to the company except when, according to the law, the treatment being carried out does not require it.

  • Be informed upon request made through the channels provided, regarding the use that this has been given to their personal data.

  • Submit queries or claims, through the established channels, attaching a copy of the identity document that certifies them as owners of the data and informing through which means they wish to receive the answer to their request.

Processing of user requests for personal data

  1. Send the request to any of the means of contact established in this policy indicating your request, full name, contact email, contact number and copy of identity document.

  2. In the event that any of the requirements necessary to exercise your rights to consult or claim are missing, you will be informed within three (3) business days following the receipt of the request to complete them, if you do not correct them, your request will not be processed.

    After two (2) months from the date of the request without them being corrected, it will be understood that you have abandoned the request.

  3. In the case of queries, these must be resolved within five (10) working days. If it is not possible to answer a query within the aforementioned term, the user will be informed of the reasons for the delay and will be given a date on which the request will be answered, which will never be more than five (5) business days after the date of the initial term.

    In the case of updating, rectification and deletion of data, the maximum term to address a claim will be five (15) business days from the day following the date of receipt. When it is not possible to address the claim within such term, the user will be informed of the reasons for the delay and the date on which the claim will be addressed, which in no case may exceed five (8) business days following the expiration of the first term.

  4. Once the complete claim has been received, a legend will be included in the database stating “claim in process” and the reason for the claim, within a term no longer than two (2) business days. Said legend will be maintained until the claim is decided.

Location and contact for claims and requests

The channels established by the company to exercise the rights of users will be as follows:

Revocation of authorization

The holders of personal data may revoke their consent to the processing of their personal data at any time, as long as it is not prevented by a legal provision.

The holder of the information must clarify whether the revocation of their authorization is for all the purposes initially consented to, that is, that the company will stop processing the holder’s data completely, or if the request is for any particular processing.

Information storage

Personal information will be stored and guarded under security measures, with the use of appropriate tools and access control procedures to prevent unauthorized access by third parties to personal data stored in the databases.

User rights

  • Guarantee the holder the full and effective exercise of the right of habeas data.

  • Request and keep a copy of the respective authorization and consent granted by the holder, as provided by law.

  • Duly inform the owner about the purpose of the collection and the rights he/she has by virtue of the authorization granted.

  • Keep the information under security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.

  • Ensure that the information provided to the data processor is truthful, complete, accurate, up-to-date, verifiable and understandable.

  • To update the information, communicating in a timely manner to the data processor, all the news regarding the data previously provided and to adopt the other necessary measures so that the information provided to the data processor is kept up to date.

  • Rectify the information when it is incorrect and communicate the pertinent to the person in charge of the treatment.

  • To provide to the data processor, as the case may be, only data whose processing is previously authorized in accordance with the law.

  • To require the data processor at all times to respect the security and privacy conditions of the owner’s information.

  • To process queries and claims formulated in the terms indicated in this policy and in the law.

  • Inform upon request of the owner about the use given to their data.

  • Inform the data processor when information is under discussion by the owner, once the claim has been filed and the respective process has not been completed.

  • Inform the data protection authority when there are violations to the security codes and there are risks in the administration of the information of the owners.

  • Comply with the instructions and requirements issued by the data protection authority in this regard.

Validity of the databases

  • The databases will have a validity equal to the period in which the purpose or purposes of the processing are maintained in each database, or the established legal validity.

Validity and updating of the policy

  • This Company’s Personal Data Protection Policy will be updated if any of the following events occur:
  1. A regulatory change that implies the modification of the same.
  2. A change in one of the purposes of the processing of personal data or the inclusion of a new stakeholder.