DATA PROTECTION POLICY 

DATA PROTECTION POLICY 

INDEX

  • GENERAL PROVISIONS

Pg. 1

  • PERSONAL DATA PROCESSING

Pg. 2

  • THIRD PARTIES AND PERSONAL INFORMATION

Pg. 6 

  • PURPOSES OF PROCESSING PERSONAL INFORMATION

Pg. 7 

  • RIGHTS OF DATA SUBJECTS

Pg. 9 

  • REQUESTS FROM JUDICIAL OR ADMINISTRATIVE AUTHORITIES

Pg. 11 

  • OBLIGATIONS OF BLUEWAY AS DATA CONTROLLER

Pg. 11 

  • FINAL PROVISIONS

Pg. 12 















FIRST CHAPTER – GENERAL PROVISIONS


  • Objective of the Policy: 

The Personal Data Protection Policy aims to provide the parameters, rules, and conditions for the processing of personal data carried out by BLUEWAY CONSULTING S.A.S. (hereinafter “BLUEWAY”).

  • Scope of the Policy: 

The Personal Data Protection Policy establishes the handling, general provisions, and specification of the personal data that BLUEWAY collects within the framework of its ordinary activities. Likewise, it establishes the rights that data subjects have and the mechanisms that have been implemented to effectively exercise the right to habeas data.

  • Policy Recipients: 

The Personal Data Protection Policy is addressed to employees, customers, contractors, suppliers, and, in general, any data subject whose personal information we may need in the course of our activities to maintain ongoing relationships.

  • Compliance with Data Protection Regulations: 

This Personal Data Protection Policy complies with the Data Protection Regulations in Colombia, especially Articles 15 and 20 of the National Constitution, Law 1581 of 2012, the regulatory decrees, and the regulations issued by the Superintendence of Industry and Commerce.

  • Identification of the Data Controller: 

For the purpose of identifying BLUEWAY CONSULTING S.A.S as the Data Controller, the contact details are as follows:

 

ADDRESS

Carrera 3 D # 59 – 60

EMAIL

contacto@bluewayconsulting.com 

TELEPHONE

+57 312 481 2007

 

CHAPTER TWO – PERSONAL DATA PROCESSING

This policy applies to the personal data provided to BLUEWAY by data subjects or third parties authorized for this purpose, through any means (verbal, website, data messages, or in physical form). It also applies to data collected by BLUEWAY through any lawful means without requiring prior authorization for processing.

  • Types of Personal Data Held: 

BLUEWAY collects personal data of a public and semi-private nature, which may include:

  • General identification data.
  • Specific identification data.
  • Location data related to business activities.
  • Financial and credit data.
  • Socioeconomic data.
  • Data related to educational level and/or academic history of individuals.
  • General data related to affiliation and contributions to the comprehensive social security system: EPS, IPS, ARL, entry/exit dates for EPS, AFP, etc.
  • Personal data for access to information systems: usernames, IPs, passwords, profiles, etc.
  • General Data Processing of Personal Data Held by BLUEWAY: 

The personal data held by BLUEWAY is subject to the following processing:

  • Collection: 

The processing of personal information carried out by BLUEWAY is obtained through various activities related to its business activities and obligations as an employer. The information is directly requested from the data subject. 

The instruments used by BLUEWAY to collect information comply with all the requirements established in the regulations on the protection of personal data, and adhere to the principles of freedom and purpose. Each of these instruments includes the data subject’s consent for the processing of personal data.

  • Storage: 

In some cases, personal information is stored directly on the equipment of those responsible for BLUEWAY’s processes or in physical files. For these cases, access controls to the information are established, with physical, technical, and administrative security measures, ensuring the principle of restricted access and circulation. The information may also be stored on servers managed by third parties, either within or outside the country.

  • Use: 

The information stored in our database serves various purposes, including:

  1. Keeping records and control of BLUEWAY’s payroll and external collaborators.
  2. Maintaining records and control of customers and suppliers for respective payments.
  3. Controls in the hiring of personnel.
  4. Generating reports from different areas of BLUEWAY related to accounting, inventory, payroll, sales, financial aspects, and similar matters.
  5. Keeping records and control of information aimed at the administration of BLUEWAY and all daily company management procedures.
  6. Sending information to our subscribers about the services and content offered by BLUEWAY.
  7. Sending information about organized events.
  8. Sending information about future events that BLUEWAY may organize.
  9. Sending information about our services, being recorded in our live broadcasts and through other streaming platforms.
  • Sharing: 

BLUEWAY does not share the data it collects with third parties. The data circulates internally in a restricted manner according to the uses and purposes for which it is required. However, it may include your information on the platforms used for service provision, such as streaming platforms, email lists, and newsletters, or sending information to mobile devices. 

This information is communicated by transmitting personal data; that is, these platforms will be considered data processors rather than data controllers.

  • Deletion: 

The deletion of personal information is carried out once it has completed the intended cycle for which the data was requested, or in cases where the data subject requests the removal of the information, provided that the law authorizes it. In any case, BLUEWAY’s internal procedures manual establishes the criteria for proceeding with such deletion.

  • Authorization for the Processing of Personal Data: 

BLUEWAY freely, priorly, expressly, and duly informed, requests the authorization from data subjects. To this end, it has established suitable mechanisms to ensure verification of the granting of such authorization in each case. 

The authorization may be documented in any medium, whether physical, electronic, or in any format that ensures its subsequent consultation through technical tools, in compliance with the requirements established by law.

  • Protection Measures: 

BLUEWAY has the technical, legal, human, and administrative measures necessary to ensure the security of personal data, protecting the confidentiality, integrity, unauthorized access, and/or fraudulent use of information. 

Internally, BLUEWAY has implemented mandatory security protocols for all personnel with access to personal data and information systems.

The internal security policies used to preserve the data subject’s information to prevent its alteration, loss, consultation, use, or unauthorized or fraudulent access are as follows:

  1. Personal Data Processing Policies.
  2. Internal procedure manuals for personal data processing.
  3. Confidentiality clauses in employment contracts.
  4. Authorization for personal data processing in formats and spaces where personal information is captured.
  • Treatment according to specific data types:
  • Public Data: 

BLUEWAY may process personal data of a public nature without prior authorization from the Data Subjects. These data can be collected from public records, public documents, gazettes, official bulletins, and duly executed court judgments. 

In this situation, BLUEWAY takes the necessary measures to ensure compliance with the principles and obligations established in Law 1581 of 2012 and its Regulatory Decrees.

  • Personal Information of Employees: 

Through different communication channels or documents provided for this purpose, personal data of BLUEWAY employees are collected and stored. 

This information is provided directly by the data subjects or collected from public or private sources, with the latter being consulted with the prior authorization of the data subjects. 

In any case, employee personal information is processed in accordance with this Policy, within the framework of Law 1581 of 2012 and its Regulatory Decrees, and for the purposes established in the authorizations granted for this purpose.

  • Personal Information of Suppliers and Contractors: 

Through different communication channels or documents provided for this purpose, personal data of suppliers who provide services to BLUEWAY are collected and stored. 

This information is provided directly by the legal representative of the supplier if it is a legal entity, or directly by the data subjects. It is processed in accordance with this Policy, within the framework of Law 1581 of 2012 and its Regulatory Decrees, and for the purposes established in the authorizations granted for this purpose.

  • Personal Information of Customers: 

Through different communication channels, contracts, or documents provided for this purpose, BLUEWAY may collect, store, and generally process the personal data of those who request and contract BLUEWAY’s services. This data is provided directly by the data subjects. 

In any case, the personal information of service applicants or customers is processed for the provision of services by BLUEWAY, in accordance with this Policy, within the framework of Law 1581 of 2012 and its Regulatory Decrees, and for the purposes established in the authorizations granted for this purpose.

  • Sensitive Personal Information: 

In the course of its activities, BLUEWAY does not collect, store, or process data that may be considered sensitive and not suitable for its business operations. 

However, if such information is required for the proper development of its activities or the provision of its services, BLUEWAY requests express, prior, and informed authorization from data subjects, which is obtained freely and voluntarily. 

Responses to questions asked to data subjects about sensitive information will be optional, and in this case, the data subject will be informed in advance about the sensitive information being collected and the purpose of its processing by BLUEWAY.

  • Personal Information of Children and Adolescents: 

BLUEWAY does not collect or process data of minors. However, in the event that it does so, in compliance with the current regulations on the protection of personal data in Colombia, guarantees will be provided to allow minors to exercise their right to freedom of expression, the free development of personality, and access to information. 

In this sense, if information regarding children, minors, or minors is to be obtained, it will be optional for their legal representative or guardian to provide this information, and BLUEWAY reserves the possibility of reporting to the authorities situations that, in its opinion, may endanger the integrity of a minor.

  • Personal Information of Website Users: 

It is possible that through its website, BLUEWAY may collect, store, and generally process the personal data of those who access this digital tool and provide their personal information through the “Contact Us” tool on the website. 

This information is processed in accordance with this Policy, within the framework of Law 1581 of 2012 and its Regulatory Decrees, and for the purposes established in the authorizations granted for this purpose.

CHAPTER THREE – THIRD PARTIES AND PERSONAL INFORMATION

  • Data Processors: 

As established within the purposes for which personal information is collected and processed, BLUEWAY, for the proper provision of its services, occasionally relies on individuals or legal entities so that, through their collaboration or services, all their tasks can be optimally carried out. 

This occasionally implies the need for these third parties to have access to certain personal information stored in BLUEWAY’s databases, in which case it ensures that:

  • All information provided to a third party is preceded by an agreement that outlines their obligations of confidentiality and security in the processing of the information, which will be, at a minimum, similar to those established by BLUEWAY in its internal processes.
  • The information is only used for the fulfillment of the purposes established in the authorizations granted by the Data Subjects and in this Policy.
  • Only the information strictly necessary for the performance of the third party’s functions entrusted by BLUEWAY is shared.
  • The information shared with a third party is returned to BLUEWAY or securely destroyed in case of return being impossible, once the third party has carried out the assigned tasks.
  • Personal Information from Third Parties: 

In the course of business alliances and/or during the provision of its services, BLUEWAY may receive personal information independently collected by its partners, customers, or suppliers, who act as Data Controllers. 

In these cases, BLUEWAY’s actions are based on the belief that these third parties have the necessary authorizations to use the information for the purposes for which it is provided to BLUEWAY.

  • Personal Information of References: 

The receipt of personal information from third parties provided by customers, service applicants, suppliers, or employees of BLUEWAY must be preceded by the necessary authorizations from the Data Subjects. 

Thus, BLUEWAY understands that anyone providing personal information about third parties, such as providing information about individuals who serve as personal, employment, or commercial references, has all the relevant authorizations for their processing by BLUEWAY.

CHAPTER FOUR – PURPOSES OF PROCESSING PERSONAL INFORMATION

BLUEWAY processes personal information in the course of activities that are part of its corporate purpose, always acting in accordance with this Policy and the express authorizations granted by the Data Subjects.

Personal information will be processed by BLUEWAY for the following purposes:

  • Personal Information of Employees:
  • Conducting selection processes;
  • Verifying educational background, work experience, job and personal references through public and/or private sources;
  • Conducting psychometric tests, knowledge tests, security studies, and medical examinations;
  • Carrying out all activities related to hiring and managing employment relationships;
  • Conducting administrative and/or disciplinary investigations when necessary;
  • Compliance with legal obligations related to social security affiliations and information archiving.
  • Personal Information of Suppliers:
  • Carrying out all activities related to the selection, hiring, and evaluation of suppliers;
  • Verifying the financial, legal, and commercial viability of a potential business relationship;
  • Verifying the information provided by suppliers, potential or contracted, with credit bureaus, public and/or private sources, and other lists that may be relevant to verify their suitability;
  • Executing and/or complying with contractual obligations.
  • Compliance with legal obligations related to accounting and information archiving.
  • Personal Information of Customers and Service Applicants:
  • Sending communications with information considered of interest regarding current legal topics and BLUEWAY’s services or products, through email, text messages (SMS/MMS), instant messaging tools, telephone communication, and/or any other known or future means of contact;
  • Processing service requests;
  • Executing and/or complying with contractual obligations;
  • Processing information to conduct prospecting, segmentation, and market research activities.
  • Sharing information with partners and/or suppliers to fulfill their legal and/or contractual obligations.
  • Sharing information with partners and/or suppliers to manage the communications informed in this same section.
  • Compliance with legal obligations related to accounting and information archiving.
  • Personal Information of Website Users:
  • Recording and processing what is requested through the website’s contact tools.
  • Conducting knowledge management and data updates.
  • Sending communications with information considered of interest regarding current legal topics and BLUEWAY’s services or products, through email, text messages (SMS/MMS), instant messaging tools, telephone communication, and/or any other known or future means of contact.
  • Purposes Common to All Data Subjects:
  • Complying with legal obligations to provide information to the authorities and entities that require it in the exercise of their functions;
  • Addressing and processing requests, complaints, and claims made by Data Subjects;
  • Maintaining information for control, statistical, and historical purposes, and/or to comply with legal obligations related to information and archive retention.

Personal information will not be used or processed for purposes other than those indicated here. In any case, BLUEWAY will inform the specific purposes to the Data Subject, prior to the treatment of personal information by the entity, and will obtain the respective authorization from the Data Subject.

CHAPTER FIVE – RIGHTS OF DATA SUBJECTS

  • Rights granted to you as the data subject:
  • Know, update, and rectify your personal data. This right may be exercised, among others, in relation to partial, inaccurate, incomplete, fragmented, misleading data, or data whose processing is expressly prohibited or has not been authorized;
  • Request proof of authorization, except when expressly exempted as a requirement for processing.
  • Be informed, upon request, regarding the use that has been made of your personal data;
  • File complaints with the Superintendence of Industry and Commerce for violations of the regulations on the protection of personal data.
  • Revoke the authorization and/or request the deletion of the data when the principles, constitutional and legal rights and guarantees are not respected during processing.
  • Access your personal data that have been processed for free.
  • Procedure for data subjects to exercise their rights:
  • Query: 

Through the query mechanism, the data subject may request access to their personal information held in our databases.

The query will be addressed within a maximum period of ten (10) business days from the date of receipt. If it is not possible to respond to the query within the mentioned term, the reasons for the delay will be communicated, and a response will be provided within a maximum of five (5) business days following the expiration of the initial term.

  • Claim:

Through the claim mechanism, the data subject may file a complaint with BLUEWAY regarding any dissatisfaction with how their data is being used.

The claim will be addressed within a maximum period of (15) fifteen business days from the day following the date of receipt. If it is not possible to address the claim within this term, the reasons for the delay will be communicated, and a response will be provided within a maximum of (8) eight business days following the expiration of the initial term.

If the claim is incomplete, the data subject will be required, within five (5) days following the receipt of the claim, to remedy the deficiencies. If two (2) months pass from the date of the request without the required information being provided, it will be assumed that the data subject has withdrawn the claim.

If BLUEWAY is not competent to resolve the claim, it will transfer it to the appropriate authority within a maximum period of two (2) business days and will inform the data subject about the situation.

  • Authorized persons to make a query or claim:

The persons authorized to request a query with BLUEWAY are as follows:

  • Employees, contractors, suppliers, and collaborators who have had any relationship with BLUEWAY.
  • Customers and suppliers who have had or have a commercial relationship with BLUEWAY.
  • Public or administrative entities in the exercise of their legal functions or by court order.
  • Third parties authorized by the Data Subject or by Law.
  • In general, any data subject with personal information stored in our databases.
  • These cases are merely illustrative and not exclusive or excluding.
  • Information that the data subject must prove:

For the purpose of a query or claim, the data subject must prove their identification data such as:

  • Full names and surnames.
  • Type and identification number.
  • Home address.
  • Contact telephone number.
  • Email.
  • Provide the necessary information to process your request.

In case of a claim, the documents to support or prove the request must be attached. In the case of a minor, this request must be made by the adult responsible party, with BLUEWAY never denying the exercise of their rights.

  • Channels enabled for exercising the Right to Habeas Data:

BLUEWAY has enabled the following channel for data subjects to exercise their Right to Habeas Data:

CHAPTER SIX – REQUESTS FROM JUDICIAL OR ADMINISTRATIVE AUTHORITIES

  • To provide information to judicial or administrative authorities, the following must be considered as indicated by the Constitutional Court in Judgment C-748 of 2011:
  • The public or administrative entity must justify its request by indicating the connection between the need to obtain the data and the fulfillment of its constitutional or legal functions.
  • Secondly, when delivering the information, the public or administrative entity will be informed that it is responsible for complying with the obligations and requirements imposed by Law 1581 of 2012, as the data controller or processor in certain cases.
  • The receiving administrative entity must comply with all legal mandates that exist for the date of receiving the information, especially the principles of purpose, legitimate use, restricted circulation, confidentiality, and security.

CHAPTER SEVEN – OBLIGATIONS OF BLUEWAY AS THE DATA CONTROLLER

  • BLUEWAY, as the Data Controller, fulfills the following obligations, without prejudice to other provisions established in Law 1581 of 2012 and/or other regulations governing its activity:
  • Ensure that the Data Subject can fully and effectively exercise the right to habeas data at all times;
  • Request and keep, under the conditions provided by law, a copy of the respective authorization granted by the Data Subject when necessary;
  • Properly inform the Data Subject about the purpose of the data collection and the rights they have due to the authorization granted when necessary;
  • Maintain the information under the necessary security conditions to prevent its alteration, loss, consultation, use, or unauthorized or fraudulent access by third parties;
  • Ensure that the information provided to the Data Processor is truthful, complete, accurate, up-to-date, verifiable, and comprehensible;
  • Update the information, timely informing the Data Processor of any developments regarding the data previously provided and take the necessary measures to keep the information provided to it updated;
  • Rectify the information when it is incorrect and communicate the relevant information to the Data Processor;
  • Demand that the Data Processor, at all times, respects the conditions of security and privacy of the Data Subject’s information;
  • Process the inquiries and claims made by the Data Subject in accordance with the law;
  • Adopt an internal manual of policies and procedures to ensure compliance with the law and, in particular, the handling of inquiries and claims;
  • Inform the data protection authority when there are breaches of security codes and risks in the management of Data Subject information;
  • Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce regarding the protection and processing of personal data.

CHAPTER EIGHT – FINAL PROVISIONS

  • Permanent Measures:

In the processing of personal data, BLUEWAY will permanently verify, in its processes, protocols, procedures, and policies, that the right to habeas data of the Data Subjects is guaranteed.

  • Binding Nature of the Policy:

Employees, clients, suppliers, contractors, and any Data Subject who has a commercial relationship with BLUEWAY must comply with this policy and internal manuals for effective compliance.

  • Compliance with Principles for the Processing of Personal Data:

BLUEWAY ensures compliance with the principles of legality, purpose, freedom, truth or quality, transparency, access, restricted circulation, security, and confidentiality regarding the data in our possession.

  • Modifications to the Personal Data Processing Policy:

BLUEWAY reserves the right to modify this Policy at any time and unilaterally. To do so, it will publish a notice on its website ten (10) business days before it takes effect.

If, for valid reasons constituting just cause, you disagree with the new policies for the handling of personal information, Data Subjects or their representatives may request BLUEWAY to withdraw their information through the means indicated in this Policy. However, data cannot be requested for withdrawal as long as any form of relationship with BLUEWAY is maintained.

  • Law and Jurisdiction:

Any interpretation, judicial or administrative action arising from the processing of personal data that make up the databases of BLUEWAY or related to this Policy will be subject to the data protection regulations established in the Republic of Colombia. The competent administrative or jurisdictional authorities for the resolution of any request, complaint, claim, or lawsuit will be those of the Republic of Colombia.

  • Date of Policy Approval and Effective Date: 7/11/2023.

***

BLUEWAY CONSULTING S.A.S.