Personal data processing policy
Through this document, Boral SAS, hereinafter the "Company", in compliance with the normative assumptions indicated in Law 1581 of 2012, Regulatory Decree 1377 of 2013 and the other concordant regulations on the matter, is allowed to implement its Policy for the Treatment and Protection of Personal Data (hereinafter the "Policy").
For these purposes, it is important to take into account that the Company is characterized by being a commercial company domiciled in the municipality of Medellín - Antioquia dedicated, as provided in its corporate purpose, to: "retail trade of clothing dress through the internet."
Due to the foregoing, in accordance with what is determined by the Company's corporate purpose and in the development of its powers, it is possible to determine that there are personal data that make up Databases owned by the Company, which are treated according to the guidelines established in the current legal framework applicable in Colombia.
For all of the above, the Policy will be applied both to protect personal data and transactional information currently processed by the Company, as well as to protect those that may be processed by it in the future, in the course of carrying out its economic activity.
GENERAL DISPOSITION
1. Identification of the Responsible.
Boral SAS, commercial company identified with Nit 901.221.192-2, with main office at Carrera 38 No 10a - 35, Office 403, telephone 57(4) 583-13-53, email info@boral.com.co and website www.boral.com.co.
2. Objective.
For the purposes of the Policy, the Company acts as Responsible for the Processing of personal data by virtue of the collection that it carries out directly from the data of the holders, for this reason, the Policy has as its main objective the definition and subsequent determination of all issues regarding the procedures, principles and security policies according to which the Company will guarantee the proper treatment of personal data that is collected in the development of its corporate purpose.
3. Legal framework.
The Policy was prepared in strict compliance with all the provisions of the current regulations on the matter. In this way, this document complies with the provisions of Articles 15 and 20 of the Political Constitution of Colombia, of Law 1581 of 2012, by which "general provisions are issued for the protection of personal data", of Regulatory Decree 1377 of 2013 and of the other regulations that in the future may modify, regulate or add to the applicable regulations on the Protection of Personal Data.
4. Definitions.
As provided in Article 3 of Decree 1337 of 2013 and Article 3 of Law 1581 of 2012, the following terms will be defined throughout the Policy:
Archive: Set of data recorded as a single storage unit, containing personal data.
Authorization: Prior, express and informed consent of the owner to carry out the processing of personal data, which is obtained at the time of data collection.
Notice of Privacy: Verbal or written communication generated by the Responsible, addressed to the owner, for the processing of their personal data, through which they are informed about the existence of the Information Processing Policy that will be applicable to them, the way to access it and the purposes of the treatment that is intended to be given to personal data.
Database: Organized set of personal data that is subject to treatment.
Assignee: Person who has succeeded another due to the death of the latter (heir).
Personal data: Any information linked or that can be associated with one or several determined or determinable natural persons.
Public data: It is the data that is not semi-private, private or sensitive. Public data is considered, among others, the data related to the marital status of people, their profession or trade and their quality as merchant or public servant. Due to its nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins, and duly executed court rulings that are not subject to confidentiality.
Sensitive data: Sensitive Data is understood to be those that affect the privacy of the owner or whose improper use may generate discrimination, such as revealing racial or ethnic origin, political orientation, religious or philosophical convictions, membership of unions, social organizations, human rights or that promotes the interests of any political party or that guarantees the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.
Treatment Manager: Natural or legal person, public or private, that by itself or in association with others, performs the processing of personal data on behalf of the Data Controller.
Responsible for the Treatment: Natural or legal person, public or private, that by itself or in association with others, decides on the database and/or the treatment of the data contained in it.
Holder: Natural person whose personal data is processed.
Treatment: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.
Transfer: The transfer of data takes place when the person in charge and/or in charge of the treatment of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is the person in charge of the treatment and is located inside or outside the country.
Transmission: Treatment of personal data that implies the communication of the same inside or outside the territory of the Republic of Colombia when its purpose is to carry out a treatment by the Manager, on behalf of the Responsible.
Suppression: This is the name given to the action that the owner of the personal data requests from the person in charge and/or in charge of the data, in exercise of his right of freedom and purpose in relation to his information.
It is noted that the definitions included in this Policy were taken from the regulations in force to date, which regulate the due protection of personal data of natural persons against the circulation and treatment of the same.
5. Principles.
Pursuant to the provisions of current regulations, the Company has incorporated into the Policy the general principles relating to the processing of personal data. In this way, these principles have a general application that crosses all the content of the Policy. These fundamental principles are taken from Article 4 of Law 1581 of 2012.
6. Validity and application.
The Databases and the Policy will have an indeterminate period of validity, in accordance with the duration of the Company's corporate purpose.
The Policy will apply to the treatment of the Databases in which the Company has the quality of Responsible and/or Manager, from the date of its publication, leaving without effect the other institutional provisions that are contrary to it.
Given the foregoing, any situation that is not reviewed in the Policy will be regulated in accordance with the General Regime for the Protection of Personal Data in force in Colombia and the other applicable regulations on the matter.
DUTIES OF THE RESPONSIBLE AND/OR PROCESSOR OF THE TREATMENT - RIGHTS OF THE HOLDERS OF THE INFORMATION
7. Duties of the Company as Data Controller.
The Company will have the following duties in its capacity as Data Controller, which arise from the applicable legislation on the matter, without prejudice to all other duties provided for in the provisions that regulate or regulate it.
- Guarantee the Owner, at all times, the full and effective exercise of their rights in relation to their personal data.
- Allow access to the information of the Holders only to the people authorized to have access to it.
- Rectify the information when it is incorrect and communicate what is pertinent.
- Request and keep a copy of the Authorization granted by the Owner for the Processing of your personal data.
- Duly inform the Holder about the purpose of the collection and the rights linked to it, from the Authorization granted.
- Guarantee that the information is true, complete, exact, updated, verifiable and understandable. In addition, prove at all times that the information must correspond to the personal data initially granted for the Treatment.
- Keep the information under the physical and digital security conditions that prevent adulteration, loss, consultation, use or unauthorized or fraudulent access, in addition to any conduct regulated and sanctioned in the law of computer crimes.
- Update the information in a timely manner, thus addressing all news regarding the Holder's data, within a term of no less than five (5) business days from receipt of the request.
- Implement all the necessary measures so that the information is kept up to date.
- Implement a data processing procedure in terms of queries and claims that the Owners can make of it.
- Identify when certain information is under discussion by the Owner.
- Respect the security and privacy conditions of the Owner's information.
- Process inquiries and claims formulated in the terms indicated by law.
- Inform, at the request of the Owner, about the use given to their data.
- Comply with the requirements and instructions issued by the Superintendency of Industry and Commerce on the particular subject.
- Inform the data protection authority when there are violations of the security codes and there are risks in the administration of the information of the Holders.
- Ensure the proper use of the personal data of children and adolescents, in those cases in which it is obtained with the express authorization of their legal representative, of the Processing of their data.
- Use only data whose Treatment is previously authorized in accordance with the provisions of Law 1581 of 2012, Decree 1377 of 2013 and other regulations that develop and complement the matter.
- Refrain from circulating information that is being controversial by the Holder and whose blocking has been ordered by the Superintendence of Industry and Commerce or any other competent public entity in this decision-making.
- Use the Owner's personal data only for those purposes for which it is duly empowered and in all cases respecting the current regulations on personal data protection.
8. Assignment of personal data of the Company to a third party.
For the fulfillment of its corporate purpose, the Company may entrust the Treatment of personal data that it possesses to a third party, in order for the latter to carry out the communication, promotion, marketing, notification, data update, loyalty plan efforts, programs and special projects that allow, among others, the fulfillment of the following purposes both by physical and digital means:
- Celebration, subscription or maintenance of contractual relations with the Holders.
- Treatment of information required in labor and corporate matters of the Company.
- Confidential, privacy and non-disclosable information.
- Fulfillment of the purpose of the service as a provider.
All of the above, always respecting the purposes that the Owner of the information has authorized the Company or authorized by Ministry of Law.
The person in charge of the Treatment on any of the Databases delivered or shared by the Company, must comply with the following duties:
- Guarantee the Owner, at all times, the full and effective exercise of the right of habeas data.
- Update the information reported by the Company within five (5) business days from its receipt.
- Timely update, rectify or delete the data in the terms established by law.
- Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
- Process the queries and claims made by the Holders in the terms indicated in the Law.
- Register in the Databases the legends "claim in process" in the manner in which it is regulated in the regulations regarding the Processing of personal data.
- Insert in the Database the legend "information in judicial discussion" once notified by the competent authority about judicial processes related to the quality of personal data.
- Adopt an internal policy of procedures to guarantee adequate compliance with the regulations regarding the Processing of personal data and, especially, for the attention of queries and claims by the Holders.
- Allow access to information only to people who may have access to it.
- Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
- Refrain from circulating information that is being controversial by the Holder and whose blocking has been ordered by the Superintendence of Industry and Commerce.
- Inform the Superintendence of Industry and Commerce when there are violations of the security codes and there are risks in the administration of the information of the Holders.
9. Rights of the Holders of personal data.
In accordance with the Law applicable to the protection of personal data, the following are the rights of the Holders who have authorized the Treatment of their data to the Company:
- Access, know, update, rectify and delete your personal data before the Company in its capacity as Responsible.
- Submit to the Superintendence of Industry and Commerce, complaints for violations of the provisions of Law 1581 of 2012, prior consultation or request process before the Company.
- Request proof of the Authorization granted by the Data Owner or by the Data Controller to the Company, by any valid means.
- To be informed by the Company, upon request, regarding the use that it has given to your Personal Data.
- Revoke the Authorization or request the Deletion of the data when the Treatment does not respect the principles, rights and constitutional and legal guarantees.
- Free access to your Personal Data that has been subject to Treatment by the Company as responsible for them.
The Company acknowledges that the personal data found in its Databases belongs to the Owner who authorized their Treatment.
INFORMATION PROCESSING
10. Capture Channels.
The Owner may authorize the Company to execute the Processing of their personal data through different means, including the following:
- Physical documents;
- Electronic documents;
- data message;
- Internet;
- Websites;
- Any other format that in any case allows the Owner's consent through unequivocal conduct through which it is possible to conclude that if it had not been supplied by the Owner, or the person entitled to do so, the data would not have been stored or captured in the Database.
The Authorization will be requested by the Company prior to the Processing of personal data.
11. Mechanisms for capturing personal data.
The Company collects Personal Data through the mechanisms listed and defined below:
- Virtual: Mechanism through which the Company, using previously enabled remote technological means (Web Page and Official Accounts in Social Networks), collects personal data, in accordance with the established formats.
- Written: It is the means through which, physically and in person, the Company in the development of its corporate purpose, will collect personal data, through the information provided in documents of incorporation or modification of the shareholding composition of the company, in contracts with Suppliers, in contracts with employees, in resumes of candidates and in recruitment forms in own establishments or those operated by third parties.
12. Information capture fields.
In development of the principles of protection of habeas data, the collection of personal data will be limited to those that are pertinent and adequate for the purpose for which they are collected or required by the Company.
13. Authorization for the use of personal data.
The Company, acting as Responsible for the Processing of personal data and Transactional Information, obtains from the Data Holders their clear, express, prior, informed and defect-free Authorization, through electronic forms, data collection formats and/or through the other means that it has or can have for that purpose.
For the above, the Company will request the Owners of the personal data and the Transactional Information, their Authorization, informing them of the purpose for which the Processing of their personal data will be provided. The foregoing, except in the expressly authorized cases determined by Law, which are regulated in article 10 of Law 1581 of 2012.
14. Revocation of Authorization
All Holders of personal data may at any time revoke their Authorization granted to the Company for the Processing of their personal data and even request the Company to delete or eliminate their personal data contained in its Databases. The foregoing, as long as said conduct does not contravene a current legal or contractual provision.
The Company will guarantee the Owner easy access to these requests, establishing simple mechanisms that allow the Owner to revoke their Authorization or request the deletion of their personal data, at least by the same means by which they were initially granted.
For the previous procedure, the Holder must take into account that the revocation of consent can be expressed in whole or in part in relation to the authorized purposes. (i) If it is totally revoked, the Company must cease any activity of Treatment of the data provided by the Holder; on the contrary (ii) if it is partially revoked only for certain types of Treatment, the Company will cease the treatment for the purposes that were expressly revoked by the Holder. In the latter case, the Company may continue processing personal data for those purposes that were not revoked.
15. Treatment to which the data will be submitted and its purpose.
All Treatment of the data of the Holders with whom the Company has established a relationship as Responsible for the Treatment and Transactional Information for the offer of value-added services, will be carried out by the Company based on the prescriptions of Law 1581 of 2012 and Law 1266 of 2008 as applicable, and in general for the fulfillment of its corporate purpose.
In any case, the Company will collect and process the personal data of the Holders, with the purpose of executing certain purposes, which vary according to the Database, as described below:
- Payroll:
- Advance selection processes.
- Develop and execute the employment relationship if it is concluded.
- Send information by any known or unknown means (email, physical, SMS, telephone calls, data messages, among others) about selection processes, execution of labor contracts, disabilities, payments, campaigns, product and service information, notifications of activities, promotions, offers and releases.
- Carry out training programs and activities.
- Conduct evaluations and performance assessments.
- Issue labor and/or commercial references when the Holder requires it.
- Validate the labor and/or commercial references that the Holder has provided.
- Provide personal information of a commercial nature, for the execution of contractual relationships acquired by the Company with third parties.
- Update personal data.
- Consult, report, process and disclose all the information that refers to your financial, commercial and service behavior, to any Information Operator (Risk Center) or to any entity or source of public or private, national, foreign or multilateral information that administers or manages databases, for commercial purposes and credit services.
- Carry out procedures for linking to the social security system.
- Perform biometric data processing for the implementation and use of entry and security systems that require biometric authentication.
- Purchases, payments and accounting:
- Establishment of communication channels with the Holder, through email, telephone calls, sending SMS or any known or future communication channel, provided that it is authorized by the Holder.
- Create and track purchase orders.
- Manage the payment to suppliers.
- Analyze information for statistical purposes.
- Provide personal information of a commercial nature, for the execution of contractual relationships acquired by the Company with third parties.
- Request proposals and quotes.
- Address claims.
- Contact potential supplier or current suppliers for purchases and contracting.
- Send and request information on product performance.
- Update personal data.
- Evaluate quality of contracted products and services.
- Carry out marketing and advertising activities related to the Company's corporate purpose.
- Consult, report, process and disclose all the information that refers to your financial, commercial and service behavior, to any Information Operator (Risk Center) or to any entity or source of public or private, national, foreign or multilateral information that administers or manages databases, for commercial purposes and credit services.
- Analyze, evaluate and consult the information provided by the Holder in lists for the control of money laundering and financing of terrorism administered by any national or foreign authority.
- Commercial:
- Establishment of communication channels with the Holder, through email, telephone calls, sending SMS or any known or future communication channel, provided that it is authorized by the Holder.
- Grant incentives to customers, with the aim of boosting sales, through discounts, gifts, bonuses, or any activity associated with customer loyalty.
- Carry out studies of transactional behaviors, consumption habits and hobbies, for the offer of own services and those of third parties, or of future allies, for the execution of segmented strategies.
- Carry out customer service procedures and their claims of all kinds.
- Execute Campaigns to update personal data and commercial campaigns.
- Coordinate, execute and promote strategic campaigns of the Company and the offer of services.
- Execute surveys for customer knowledge.
- Sending of Commercial Campaigns.
- Prepare sales invoices.
- Share with allied companies, associates, branches, franchises, affiliates and subsidiaries, and third parties with which agreements have been signed for the Processing of personal data for the offer of value-added services.
- Provide personal information of a commercial nature, for the execution of contractual relationships acquired by the Company with third parties.
- Consult, report, process and disclose all the information that refers to your financial, commercial and service behavior, to any Information Operator (Risk Center) or to any entity or source of public or private, national, foreign or multilateral information that administers or manages databases, for commercial purposes and credit services.
- Analyze, evaluate and consult the information provided by the Holder in lists for the control of money laundering and financing of terrorism administered by any national or foreign authority.
- Invite the Holders to participate and/or assist in training programs, logistics coordination, sales or any other issue developed or related to the Company's corporate purpose.
- Shareholders:
- Establishment of communication channels with the Holder, through email, telephone calls, sending SMS or any known or future communication channel, provided that it is authorized by the Holder.
- Control of the Company's shareholder registry and the exercise of their rights.
- Control of the Shareholder Registry Book of the company.
- Provision and delivery of information on the payment of dividends or profits.
- Analyze, evaluate and consult the information provided by the Holder in lists for the control of money laundering and financing of terrorism administered by any national or foreign authority.
16. Treatment of data of children and adolescents.
In the Processing of personal data, the Company will ensure respect for the prevailing rights of minors (boys, girls, and adolescents). For this reason, in the event of any collection of personal data corresponding to this type of person, the provisions of article 7 of Law 1581 of 2012 and the other concordant provisions on the matter will be complied with.
17. Processing of sensitive personal data
The Company knows that it carries out Processing of personal data that is sensitive, so it will ensure that at the time of collecting personal data corresponding to this type, it will comply with what is indicated in Article 6 of Decree 1377 of 2013 and the other concordant provisions on the matter.
SECURITY MEASURES
The Company, in compliance with its purpose of guaranteeing the care of the personal data of third parties, obtained through the Channels authorized by this Policy, has arranged a set of security measures which will be used and implemented seeking adequate protection of all the information that is subject to Treatment.
With the foregoing, it is reasonably considered that the Company has adequate and sufficient document management and information protection models to adequately comply with its legal obligations in relation to the care and custody of information provided by third parties.
18. Security procedures.
The Company, seeking to achieve adequate protection of the information subject to the Policy, has deployed various security mechanisms to guard and prevent any deterioration, loss or leakage that may occur in the information contained in its Databases.
One of them is related to the location of the Database, which is in the cloud (Dropbox), with the appropriate access controls, among which are:
- A logical security model that allows you to restrict the users who have access to the data.
PROCEDURES FOR THE ATTENTION OF INQUIRIES AND CLAIMS.
19. Service channels.
For the attention of queries and claims related to the Processing of Personal Data, they may be made through the following URL:
20. Procedure to file a query.
When the Owner of the personal data intends to know, access the information, or request a copy of the Authorization, the area will resolve your query within ten (10) business days following the date of receipt thereof.
When it is not possible to attend to the query within the term indicated in the previous paragraph, the applicant will be informed of this situation, the reasons for the delay and the date on which the request will be resolved, a date that in no case will exceed five (5) business days following the expiration of the first term.
21. Procedure to file a claim.
When the Owner of the personal data intends to rectify, update, delete any of their data or revoke their Authorization, the Customer Service area will resolve their claim within fifteen (15) business days following the date of receipt thereof.
When it is not possible to attend to the query within the term indicated in the previous paragraph, the applicant will be informed of this situation, the reasons for the delay and the date on which the request will be resolved, a date that in no case will exceed eight (8) business days following the expiration of the first term.
22. Means of response.
The Company will respond to the queries and claims of the Holders, within the terms established in numerals 22 and 23 of this Policy, in writing to the physical or electronic address provided by the applicant for this purpose.
When the applicant provides a physical address and an electronic address, or more than one of those addresses, it will be at the Company's discretion to decide which address to send the response to.
23. Persons entitled to file a query or claim.
In accordance with the regulations applicable to the matter, the following persons are entitled to file a query or claim with the Company:
- The Holders of personal data.
- The successors in title of the Holders.
- The legal representatives.
- Public or administrative entities in the exercise of their legal functions or by court order.
- Third parties authorized by the Holder or by law.
24. Updating of databases.
The Company will update its Databases permanently, in accordance with the provisions of Law 1581 of 2012.
25. Transfers of data for treatment by third parties, national and international.
The Company may partially or totally transmit or transfer Personal Data and transactional information to third parties in the country or abroad, in development of its corporate purpose, for which it requests Authorization from its Holder and implements the necessary actions to compliance with the normative precepts enshrined in Colombian National legislation, through the signing of Transfer Agreements and Treatment of Personal Data.
26. Information security.
The Company has an Information Security Policy, which is an integral part of this Policy.
27. Procedure for modifications to this Policy.
Of each decision that determines the need to make any modification to this Policy, a written record will be left signed by the members.
Any modification that complies with the previously determined procedure will become part of this Policy and therefore will be mandatory and immediate compliance.
29. Term.
This Policy will be in force from the date of its publication and will leave without effect the other institutional provisions that are contrary to it. Any element on the subject matter of this Policy that is not contained therein will be regulated in accordance with the General Regime for the Protection of Personal Data in force in the Republic of Colombia.