Privacy Policy

Personal Data Processing Policies

LEGAL BASIS AND SCOPE OF APPLICATION    
The information processing policy is developed in compliance with articles 15 and 20 of the Political Constitution, as well as, based on articles 17 literal k) and 18 literal f) of the Statutory Law 1581 of 2012, by which general provisions are issued for the Protection of Personal Data (LEPD). Additionally, in compliance with article 2.2.2.2.25.1.1 section 1 chapter 25 of Decree 1074 of 2015, by which Law 1581 of 2012 is partially regulated.
This policy shall be applicable to all personal data recorded in databases that are subject to processing by the Data Controller.    
1.1. Scope
This document shall apply to all personal data or any other type of information that is used or stored in the databases and files of HOTEL DANN CARLTON BARRANQUILLA S.A.S, respecting the criteria for the collection, collection, use, treatment, processing, exchange, transfer and transmission of personal data, and set the obligations and guidelines of HOTEL DANN CARLTON BARRANQUILLA S.A.S for the management and processing of personal data contained in its databases and files. This Manual is applicable to the processes of HOTEL DANN CARLTON BARRANQUILLA S.A.S. that must carry out the processing of data (public data, semi-private data, private data, sensitive data, data of children and adolescents), as Responsible and Responsible.
1.2. Applicable Regulations
- Political Constitution of Colombia
- Law 1581 of 2012    
- Decree 1074 of 2015 Chapter 25 and Chapter 26 compiling the decrees:
- Decree 1377 of 2013
- Decree 886 of 2014
- Law 1266 of 2008 “Whereby the general provisions of Habeas Data are issued”.
- Administrative acts issued by the Superintendencia de Industria y Comercio .


2.    DEFINITIONS 
The following definitions are set forth in Article 3 of the LEPD and Article 2.2.2.25.1.3 Section 1 Chapter 25 of Decree 1074 of 2015 (Article 3 of Decree 1377 of 2013).
2.1. Authorization: 
Prior, express and informed consent of the Data Subject to carry out the processing of personal data.    
2.2. Database:
Organized set of personal data that is subject to processing, belonging to the same context and systematically stored for subsequent use.
2.3. Personal data:
Any information linked or that can be associated to one or several determined or determinable natural persons. These data are classified as public, semi-private, private and sensitive:    
2.3.1. Public data:
Data that is not semi-private, private or sensitive. Public data includes, among others, data relating to the marital status of individuals, their profession or trade, and their status as merchants or public servants.
By their nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins, duly executed court rulings that are not subject to confidentiality.
2.3.2. Semi-private data:
It is that which is not of an intimate, reserved or public nature and whose knowledge or disclosure may be of interest not only to its Holder but also to a certain sector or group of persons or to society in general, such as: Databases containing financial, credit, commercial, commercial, service information and that coming from third countries.
2.3.3. Private data:
It is personal data that, due to its intimate or reserved nature, is only of interest to its owner and requires prior, informed and express authorization for its processing. Databases containing data such as telephone numbers and personal e-mails; labor data, data on administrative or criminal offenses, administered by tax administrations, financial entities and Social Security management entities and common services, databases on asset or credit solvency, databases with sufficient information to assess the holder's personality, databases of those responsible for operators providing electronic communication services.
2.3.4. Sensitive data:
Sensitive data are understood as those that affect the privacy of the Holder or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data relating to health, sex life, and biometric data.
2.4. Data Processor:
Natural or legal person, public or private, who by itself or in association with others, carries out the processing of personal data on behalf of the Data Controller.    
2.5. Data Controller:
Natural or legal person, public or private, that by itself or in association with others, decides on the database and/or the processing of the data.
2.6. Database administrator:
Employee in charge of controlling and coordinating the proper application of the data processing policies once stored in a specific database; as well as implementing the guidelines issued by the Data Controller and the Data Protection Officer.
2.6. Responsible for administering the databases:
Collaborator in charge of controlling and coordinating the proper application of the data processing policies once stored in a specific database; as well as implementing the guidelines issued by the Data Controller and the Data Protection Officer.
2.7. Data Protection Officer: 
Is the natural person who assumes the function of coordinating the implementation of the legal framework on personal data protection, who will process the requests of the Data Owners, for the exercise of the rights referred to in Law 1581 of 2012.
2.8. Data Subject:
Natural person whose personal data is subject to processing.
2.9. Processing:
Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.    
2.10. Privacy Notice:
Verbal or written communication generated by the Controller, addressed to the Data Subject for the processing of his personal data, through which he is informed about the existence of the information processing policies that will be applicable to him, the way to access them and the purposes of the processing that is intended to be given to the personal data.
2.11. Transfer:
The transfer of data takes place when the Controller and/or Processor of the processing of personal data, located in Colombia, sends the information or personal data to a recipient, which in turn is Controller of the processing and is located inside or outside the country.
2.12. Transmission:
Processing of personal data that involves the communication of the same within or outside the territory of the Republic of Colombia when its purpose is to carry out a specific processing by the processor on behalf of the Controller.

3.    PRINCIPLES OF DATA PROTECTION
Article 4 of the LEPD establishes principles for the processing of personal data that must be applied, in a harmonious and integral manner, in the development, interpretation and application of the Law. The legal principles of data protection are as follows:
3.1. Principle of Legality: 
The processing of data is a regulated activity that must be subject to the provisions of the LEPD, Decree 1377 of 2013 Compiled in Chapter 25 of Decree 1074 of 2015 and other provisions that develop it.
3.2. Principle of Purpose: 
The processing must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Data Subject.
3.3. Principle of Freedom: 
Processing may only be exercised with the prior, express and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of legal or judicial mandate that reveals consent. The processing of data requires the prior and informed consent of the Data Subject by any means that allows for subsequent consultation. 
3.4. Principle of Truthfulness or Quality: 
The information subject to processing must be truthful, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fractioned or misleading data is prohibited.
3.5. Principle of transparency:
In the processing, the right of the Data Subject to obtain from the Data Controller or Data Processor, at any time and without restrictions, information about the existence of data concerning him/her, must be guaranteed. At the time of requesting the authorization to the data subject, the data controller shall clearly and expressly inform him/her of the following, keeping proof of compliance with this duty:
- The treatment to which their data will be subjected and the purpose thereof.
- The optional nature of the answer of the Data Subject to the questions asked when they deal with sensitive data or data of children or adolescents.
- The rights of the Data Subject.
- The identification, physical address, e-mail and telephone number of the data controller.
3.6. Principle of Access and Restricted Circulation: 
The treatment is subject to the limits derived from the nature of the personal data, the provisions of the LEPD and the Constitution. In this sense, the processing may only be carried out by persons authorized by the Data Controller and/or by the persons provided for in the Law. Personal data, except for public information, may not be available on the Internet and other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to the Data Controller or authorized third parties in accordance with the Law.
3.7. Security Principle: 
The information subject to processing by the Data Controller or Data Processor shall be handled with the technical, human and administrative measures that are necessary to provide security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access. The Data Controller is responsible for implementing the corresponding security measures and for informing all personnel who have direct or indirect access to the data. Users accessing the Controller's information systems must be aware of and comply with the security rules and measures corresponding to their functions. These security rules and measures are included in the PL-02 Internal Security Policies, which must be complied with by all users and company personnel. Any modification to the rules and measures regarding personal data security by the data controller must be made known to the users.
3.8. Principle of Confidentiality:
All persons involved in the processing of personal data that are not of a public nature are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks that comprise the processing, and may only supply or communicate personal data when this corresponds to the development of the activities authorized in the LEPD and under the terms of the same.


4.    AUTHORIZATION FOR THE USE OF PERSONAL DATA
In accordance with Article 9 of the LEPD, the processing of personal data requires the authorization of the Data Subject, except in the cases expressly indicated in the rules that regulate the protection of personal data. In advance and/or at the time of making the collection of personal data, HOTEL DANN CARLTON BARRANQUILLA S.A.S shall request the Data Subject's authorization to carry out its collection and processing, indicating the purpose for which the data is requested, using for such purposes automated technical means, written or oral, that allow preserving proof of the authorization and/or unequivocal conduct described in article 2.2.2.2.25.2.2. section 2 of chapter 25 of Decree 1074 of 2015.
The authorization of the Holder shall not be necessary when it concerns:    

- Information required by a public or administrative entity in exercise of its legal functions or by court order.
- Data of a public nature.    
- Cases of medical or health emergency.    
- Processing of information authorized by law for historical, statistical or scientific purposes.
- Data related to the Civil Registry of persons.


5.    REQUEST FOR AUTHORIZATION TO THE OWNER OF THE PERSONAL DATA
The authorization for the use and/or treatment of the data will be managed by HOTEL DANN CARLTON BARRANQUILLA S.A.S, through mechanisms that guarantee its subsequent consultation and the manifestation of the Holder's will through the following means:
- In writing.
- Orally.
- Through automated channels.
- Through unequivocal conduct of the holder that allows the reasonable conclusion that he/she granted the authorization.
HOTEL DANN CARLTON BARRANQUILLA S.A.S., in advance and/or at the time of collecting the personal data, shall clearly and expressly inform the Data Subject of the following:
a) The treatment to which their personal data will be subjected and the purpose thereof;
b) The optional nature of the answer to the questions asked, when they deal with sensitive data or data of children and adolescents;
c) The rights to which the Data Subject is entitled;
d) The identification, physical or electronic address and telephone number of HOTEL DANN CARLTON BARRANQUILLA S.A.S.
6.    PERSON IN CHARGE OF THE TREATMENT    
The person responsible for the processing of the databases covered by this policy is HOTEL DANN CARLTON BARRANQUILLA S.A.S., whose contact details are as follows:
- Address: CL 98 52 B 10, BARRANQUILLA - ATLANTICO- E-mail: informacion@danncarltonbaq.co- Phone: 3677777 - 3135051880

7.    TREATMENT AND PURPOSES OF THE DATA BASES
HOTEL DANN CARLTON BARRANQUILLA S.A.S, in the development of its business activity, carries out the processing of personal data relating to natural persons that are contained and treated in databases for legitimate purposes, in compliance with the Constitution and the Law. The treatment to which the personal data will be subjected includes collection, storage, use, circulation or suppression. The treatment of the data will be subject to the purposes authorized by the Holder, to the contractual obligations between the parties, as well as, to the cases in which there are legal obligations to be fulfilled.Annex 1 PL-01 called Data Bases Organization, contains the information related to the different data bases under the responsibility of the company and the purposes assigned to each one of them for their treatment.


8.    VALIDITY OF THE DATABASE
The personal data included in the databases will be valid for the period necessary to fulfill the purposes for which their processing was authorized and the special rules governing the matter, also taking into account the current rules related to the period of conservation.

9.RIGHTS OF THE OWNER

SIn accordance with Article 8 of the LEPD, Article 2.2.2.25.4.1 Section 4 Chapter 25 of Decree 1074 of 2015 (Articles 21 and 22 of Decree 1377 of 2013), Data Owners may exercise a number of rights in relation to the processing of their personal data. The Data Subject shall have the following rights:
a)To know, update and rectify their personal data vis-à-vis the Data Controllers or Data Processors. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or data whose Processing is expressly prohibited or has not been authorized;
b) Request proof of the authorization granted to the Data Controller, except when expressly exempted as a requirement for the processing, in accordance with the provisions of article 10 of this law;
c) Be informed by the Data Controller or the Data Processor, upon request, regarding the use made of their personal data;
d) File complaints before the Superintendencia de Industria y Comercio for violations of the provisions of this law and other rules that modify, add or complement it;
e) To revoke the authorization and/or request the deletion of the data when the processing does not respect the constitutional and legal principles, rights and guarantees. The revocation and/or suppression shall proceed when the Superintendencia de Industria y Comercio has determined that the Controller or Processor has incurred in conduct contrary to the law and the Constitution; 
f) Access free of charge to their personal data that have been subject to Processing.
These rights may be exercised by the following persons.
1. By the Data Subject, who must prove his identity sufficiently by the different means made available by the Controller.
2.By their successors in title, who must prove such capacity.
3.By the representative and/or attorney-in-fact of the Data Subject, upon proof of representation or power of attorney.
4.By stipulation in favor of another and for another.
The rights of children or adolescents shall be exercised by the persons empowered to represent them.
9.1. Right of access or consultation
This is the right of the Data Subject to be informed by the data controller, upon request, regarding the origin, use and purpose of his or her personal data.
9.2. Complaints and claims rights
The Law distinguishes four types of claims:
- Claim for correction: the right of the Data Subject to have partial, inaccurate, incomplete, fractioned, misleading, or misleading data updated, rectified or modified, or data whose processing is expressly prohibited or has not been authorized.    
- Claim for deletion: the right of the Data Subject to have data that is inadequate, excessive or that does not respect the principles, rights and constitutional and legal guarantees deleted.    
- Claim of revocation: the right of the Data Subject to cancel the authorization previously given for the processing of his/her personal data.    
- Infringement claim: the right of the Data Subject to request that the breach of the Data Protection regulations be remedied.
9.3. Right to request proof of the authorization granted to the Data Controller.
Except when expressly exempted as a requirement for processing in accordance with the provisions of article 10 of the LEPD.
9.4. Right to file complaints before the Superintendency of Industry and Commerce regarding infringements.
The Data Subject or assignee may only submit a petition (complaint) to the SIC - Superintendencia de Industria y Comercio , once the consultation or complaint process has been exhausted before the Data Controller or Data Processor.

10.    TREATMENT OF DATA OF MINORS
HOTEL DANN CARLTON BARRANQUILLA S.A.S in accordance with Article 7° of Law 1581 of 2012, performs Processing of personal data of children and adolescents within the framework of the criteria indicated in Article 2.2.2.2.25.2.9 section 2 of Chapter 25 of Decree 1074 of 2015 (Article 12 of Decree 1377 of 2013), with observance of the following parameters and requirements:
1. That the use of the data responds to and respects the best interests of children and adolescents. 
2. That the use of the data ensures respect for the fundamental rights of the minor.
Once the above requirements have been met, HOTEL DANN CARLTON BARRANQUILLA S.A.S. will request the legal representative of the child or adolescent the authorization after the minor has exercised his/her right to be heard, an opinion that will be assessed taking into account the maturity, autonomy and ability to understand the matter. As Responsible and/or Responsible Party, it shall ensure the proper use of the data of children and adolescents by applying the principles and obligations set forth in Law 1581 of 2012 and regulatory standards. Likewise, it shall identify the sensitive data collected or stored in order to increase the security and treatment of the information.

11.    DUTIES AS DATA CONTROLLER
HOTEL DANN CARLTON BARRANQUILLA S.A.S., as Data Controller, shall comply with the following duties, without prejudice to the other provisions set forth in this law and others that govern its activity:
11.1. Towards the Data Subject:
a) Guarantee the Data Subject, at all times, the full and effective exercise of the right of habeas data;
b) Request and keep, under the conditions provided for in this law, a copy of the respective authorization granted by the Data Subject;
c) Duly inform the Data Subject about the purpose of the collection and the rights he/she is entitled to by virtue of the authorization granted;
d) To process the queries and claims formulated in the terms set forth in this law;
e) To inform, at the Holder's request, about the use given to his/her data;
11.2. With respect to the Data Processor:
a) Ensure that the information provided to the Data Processor is truthful, complete, accurate, updated, verifiable and understandable;
b) Update the information, communicating in a timely manner to the Data Processor, all developments regarding the data previously provided and take other necessary measures to ensure that the information provided to the Data Processor is kept updated;
c) Rectify the information when it is incorrect and communicate the pertinent to the Data Processor;
d) Inform the Data Processor when certain information is under discussion by the Data Subject, once the claim has been filed and the respective process has not been completed;
e) To provide to the Data Processor, as the case may be, only data whose Processing has been previously authorized in accordance with the provisions of this law;
f) Demand from the Data Processor, at all times, respect for the security and privacy conditions of the Data Subject's information;
11.3. With regard to the principles and other obligations:
a) Observe the principles of legality, purpose, freedom, quality, truthfulness, transparency, restricted access and circulation, security and confidentiality.
b) Adopt an internal manual of policies and procedures to ensure proper compliance with this law and, in particular, for the handling of queries and complaints;
c) Inform the data protection authority when there are violations to the security codes and there are risks in the administration of the data subjects' information.
d) Comply with the instructions and requirements issued by the Superintendencia de Industria y Comercio .
e) Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access;

12.    DUTIES AS DATA PROCESSOR
HOTEL DANN CARLTON BARRANQUILLA S.A.S in its capacity as Data Processor shall comply with the following duties, without prejudice to the other provisions set forth in this law and others that govern its activity:
a) Guarantee the Data Subject, at all times, the full and effective exercise of the right of habeas data;
b) To keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access;
c) Update, rectify or delete data in a timely manner under the terms of this law;
d) Update the information reported by the Data Controllers within five (5) business days from its receipt;
e) To process the queries and claims made by the Data Controllers under the terms set forth in this law;
f) Adopt an internal manual of policies and procedures to ensure proper compliance with this law and, in particular, for the handling of queries and claims by the Data Holders;
g) Register in the database the legend “claim in process” in the manner regulated by this law;
h) Insert in the database the legend “information under judicial discussion” once notified by the competent authority about judicial proceedings related to the quality of the personal data;
i) Refrain from circulating information that is being disputed by the Data Subject and whose blocking has been ordered by the Superintendencia de Industria y Comercio ;
j) Allow access to the information only to the persons who may have access to it;
k) Inform the Superintendencia de Industria y Comercio when there are violations to the security codes and there are risks in the administration of the information of the Holders;
l) Comply with the instructions and requirements issued by the Superintendencia de Industria y Comercio .

13.    ATTENTION TO DATA OWNERS
HOTEL DANN CARLTON BARRANQUILLA S.A.S. has designated a Data Protection Officer to deal with requests, queries and claims regarding personal data protection. Data owners may send their requests or queries through the following channels:
E-mail: informacion@danncarltonbaq.co
Address: CL 98 52 B 10, BARRANQUILLA - ATLANTICO.
Telephones: 3677777 - 3135051880

14.    PROCEDURES TO EXERCISE THE HOLDER'S RIGHTS    
14.1. Right of access or consultation    
HOTEL DANN CARLTON BARRANQUILLA S.A.S will guarantee the Holder free consultation of their personal data in the following cases (Article 2.2.2.2.25.4.2. section 4 chapter 25 of Decree 1074 of 2015):
1. at least once every calendar month.    
2. Whenever there are substantial modifications to the information processing policies that motivate new consultations.    
For consultations whose periodicity is greater than one per calendar month, HOTEL DANN CARLTON BARRANQUILLA S.A.S may charge the Holder shipping costs, reproduction and, where appropriate, certification of documents. Reproduction costs may not be higher than the costs of recovery of the corresponding material. To this effect, HOTEL DANN CARLTON BARRANQUILLA S.A.S. will demonstrate to the Superintendencia de Industria y Comercio , when required, the support of such expenses.
The Data Subject may exercise the right of access or consultation of their data by writing to HOTEL DANN CARLTON BARRANQUILLA S.A.S sent by email to: informacion@danncarltonbaq.co, indicating in the Subject “Exercise of the right of access or consultation”, or by mail sent to CL 98 52 B 10, BARRANQUILLA - ATLANTICO. The request must contain the following information:
- Name and surname of the Holder.    
- Photocopy of the Card of Citizenship of the Holder and, if applicable, of the person who represents him/her, as well as the document proving such representation.    
- Request in which the request for access or consultation is specified.    
- Address for notifications, date and signature of the applicant.    
- Supporting documents of the request made, when applicable. 
The Holder may choose one of the following ways of consulting the database to receive the requested information:    
- On-screen display.    
- In writing, with copy or photocopy sent by certified mail or not.    
- E-mail or other electronic means.    
- Other system appropriate to the configuration of the database or the nature of the treatment, offered by HOTEL DANN CARLTON BARRANQUILLA S.A.S.    
Once the request is received, HOTEL DANN CARLTON BARRANQUILLA S.A.S. will resolve the consultation request within a maximum period of ten (10) working days from the date of receipt thereof.
When it is not possible to answer the consultation within such term, the interested party shall be informed, stating the reasons for the delay and indicating the date on which the consultation will be answered, which in no case may exceed five (5) business days following the expiration of the first term. These deadlines are set forth in article 14 of the LEPD.    
Once the consultation process has been exhausted, the Data Subject or assignee may file a complaint before the Superintendencia de Industria y Comercio .
14.2. Complaints and claims rights    
The Data Holder may exercise the rights of complaint about his/her data by means of a written request addressed to HOTEL DANN CARLTON BARRANQUILLA S.A.S sent by e-mail to informacion@danncarltonbaq.co, indicating in the Subject “Exercise of the right of access or consultation”, or through postal mail sent to CL 98 52 B 10, BARRANQUILLA - ATLANTICO. The request must contain the following information:
- Name and surname of the Holder.    
- Photocopy of the Card of Citizenship of the Holder and, if applicable, of the person representing him/her, as well as the document proving such representation.
- Description of the facts and request in which the request for correction, deletion, revocation or inflation is made.
- Address for notifications, date and signature of the applicant.    
- Documents supporting the request to be asserted, when applicable.     
If the claim is incomplete, the interested party will be required within five (5) days after receipt of the claim to correct the faults.After two (2) months from the date of the request, without the applicant submitting the required information, it will be understood that the claim has been withdrawn.    
Once the complete claim has been received, a legend will be included in the database stating “claim in process” and the reason for the claim, within a term no longer than two (2) business days. This legend must be maintained until the claim is decided.    
HOTEL DANN CARLTON BARRANQUILLA S.A.S. will resolve the claim request within a maximum period of fifteen (15) business days from the date of receipt thereof. When it is not possible to attend to the claim within such term, the interested party will be informed of the reasons for the delay and the date on which the claim will be attended to, which in no case may exceed eight (8) working days following the expiration of the first term.Once the complaint process has been exhausted, the Holder or assignee may file a complaint before the Superintendencia de Industria y Comercio .
14.3. Empowered to receive information
HOTEL DANN CARLTON BARRANQUILLA S.A.S. will provide the information of the Holders of its databases to the following persons authorized or empowered to receive it, in accordance with Article 13 of Law 1581 of 2012:
- To the Data Holders, their assignees or their legal representatives;
- To public or administrative entities in the exercise of their legal functions or by court order;
- To third parties authorized by the Data Subject or by law.
14.3.1. Verification of the authority to request or receive information
For the management of the request for consultation or claim, the applicant shall provide the following documents to prove its ownership or the power to receive the required information, according to the following cases:
- Holder: Copy of the identity document. 
- Beneficiary: Identity document, civil registry of death of the Holder, document proving the capacity in which he/she acts and copy of the identity document of the Holder.  
- Legal representative and/or attorney-in-fact: Valid identity document, document proving the capacity in which he/she acts (Power of Attorney) and copy of the identity document of the Holder.

15.    TREATMENT OF DATA IN VIDEO SURVEILLANCE SYSTEMS
HOTEL DANN CARLTON BARRANQUILLA S.A.S will inform people about the existence of video surveillance mechanisms, by means of visible notices within the reach of all the owners and installed in the video surveillance areas, mainly in the entrance areas to the places that are being watched and monitored and inside them.

These notices shall inform who is the Data Controller, the purposes of the processing, the rights of the Data Subject, the channels enabled to exercise the rights of the Data Subject, as well as where the Information Processing Policy is published.
On the other hand, it will keep the images only for the time strictly necessary to fulfill the purpose of the and will register the database that stores the images in the National Registry of Databases, unless the Treatment consists only in the reproduction or broadcasting of images in real time. 
Access and disclosure of the images shall be restricted to persons authorized by the Data Subject and/or by request of an authority in the exercise of its functions. Consequently, the disclosure of the information collected shall be controlled and consistent with the purpose established by the Data Controller.

16.    SECURITY MEASURES    
HOTEL DANN CARLTON BARRANQUILLA S.A.S, in order to comply with the principle of security enshrined in Article 4 paragraph g) of the LEPD, has implemented technical, human and administrative measures necessary to ensure the security of records to prevent tampering, loss, consultation, use or unauthorized or fraudulent access.    
On the other hand, HOTEL DANN CARLTON BARRANQUILLA S.A.S, through the subscription of the corresponding transmission contracts, has required to the data processors with whom it works the implementation of the necessary security measures to guarantee the security and confidentiality of the information in the processing of personal data.
The following are the security measures implemented by HOTEL DANN CARLTON BARRANQUILLA S.A.S., which are included and developed in its PL-02 Internal Security Policies (Tables I, II, III and IV).
TABLE I: Common security measures for all types of data (public, private, confidential, reserved) and databases (automated, non-automated)
Document and media management 
1. Measures that prevent improper access to or recovery of data that has been discarded, erased or destroyed.
2.    Restricted access to the place where data is stored.
3.    Authorization from the person responsible for managing the databases for the output of documents or media by physical or electronic means.
4.    Labeling system or identification of the type of information.
5.    Inventory of media.
Access control 
1. Access of users limited to the data necessary for the development of their functions.
2.    Updated list of users and authorized access.
3. Mechanisms to prevent access to data with rights other than those authorized.
4.    Granting, alteration or cancellation of permissions by authorized personnel.
Incident
1. Record: type of incident, time of occurrence, sender of the notification, recipient of the notification, effects and corrective measures.
2.    Incident notification and management procedure.
Personal
1. Definition of the functions and obligations of the users with access to the data.
2.    Definition of the control functions and authorizations delegated by the data controller.
3.    Dissemination among the personnel of the rules and the consequences of non-compliance.
Internal Security Manual 
1.    Elaboration and implementation of the Manual of obligatory compliance for the personnel.
2.    Minimum content: scope of application, security measures and procedures, functions and obligations of the personnel, description of the databases, procedure in case of incidents, identification of the persons in charge of the treatment.
TABLE II: Common security measures for all types of data (public, private, confidential, reserved) according to the type of database. 
Non-automated databases
Archiving 
1. Archiving of documentation following procedures that ensure proper preservation, location and consultation, allowing the exercise of the rights of the Data Controllers.
Storage of documents 
1. Storage devices with mechanisms that prevent access by unauthorized persons.
Custody of documents 
1. Duty of care and custody of the person in charge of documents during the review or processing of these.
Automated databases
Identification and authentication 1. Personalized identification of users to access information systems and verification of their authorization.
Identification and authentication mechanisms; Passwords: assignment and expiration. 
Telecommunications 1. Access to data through secure networks.
TABLE III: Security measures for private data according to the type of database.
Non-automated databases
1. Regular audit (internal or external) every two months.
2.    Extraordinary audit for substantial modifications in the information systems.
3.    Report of detection of deficiencies and proposal of corrections.
4.    Analysis and conclusions of the security manager and the person in charge of the treatment.
Security manager 
1.    Designation of one or more Database Administrators.
2.    Designation of one or several persons in charge of the control and the coordination of the measures of the Internal Security Manual.
3.    Prohibition of delegation of the responsibility of the Data Controller to the Database Administrators.
Internal Security Manual 
1.    Periodic compliance controls.
Automated databases
Management of documents and media 
1. Registration of incoming and outgoing documents and media: date, sender and receiver, number, type of information, form of dispatch, person responsible for receipt or delivery.
Access control 
1. Access control to the place(s) where the information systems are located.
Identification and authentication 
1. Mechanism that limits the number of repeated attempts at unauthorized access.
2. Data encryption mechanisms for data transmission. 
Incidents
1. Recording of data recovery procedures, person performing the procedures, data restored, and data manually recorded.
2.    Authorization of the data controller for the execution of the recovery procedures.
TABLE IV: Security measures for sensitive data according to the type of databases
Non-automated databases
Access control 
1. Access only for authorized personnel.
2. Access identification mechanism.
3.    Logging of unauthorized user access.
4.    Destruction to prevent access or retrieval of data.
Storage of documents 
1. File cabinets, cabinets or other cabinets located in access areas protected by keys or other measures.
2. Measures that prevent access to or manipulation of physically stored documents.
Automated databases
Access control 
1. Confidential labeling system.
Identification and authentication 
1. Data encryption mechanisms for transmission and storage. 
Document storage 
1. Access log: user, time, database accessed, type of access, record accessed.
2.    Control of the access log by the security manager. Monthly report.
Telecommunications 
1. Access and transmission of data through secure electronic networks.
2. Data transmission through encrypted networks (VPN).


17.    COOKIES OR WEB BUGS
HOTEL DANN CARLTON BARRANQUILLA S.A.S. may collect personal information from its Users while using the Website, the Application or the Linked Pages (Landing Page). Users may choose to store this personal information on the Website, the Application or the Linked Portal (Landing Page), in order to facilitate transactions and services to be provided by HOTEL DANN CARLTON BARRANQUILLA S.A.S and/or its Linked Portals (Landing Page). So, HOTEL DANN CARLTON BARRANQUILLA S.A.S uses different tracking and data collection technologies such as, own and third party Cookies, this is the analysis tool that helps website and application owners to understand how visitors interact with their properties. This tool may use a set of cookies to collect information and provide website usage statistics without personally identifying Google visitors.
This information allows us to learn about your browsing patterns and offer you personalized services. HOTEL DANN CARLTON BARRANQUILLA S.A.S may use these technologies to authenticate you, to remember your preferences for using the website, application and linked pages (Landing Page), to present offers that may be of interest to you and to facilitate transactions, to analyze the use of the website, application or linked pages and their services, to use it in the aggregate or combine it with personal information we have and share it with authorized entities. 
If a user does not want their personal information to be collected through Cookies, they can change the preferences in their own web browser. However, it is important to note that if a web browser does not accept Cookies, some of the functionality of the website, application and/or linked pages (Landing Page) may not be available or may not function properly. You can allow, block or delete cookies installed on your device by configuring the options of the browser installed on your device, thus:
- Chrome: https://support.google.com/accounts/answer/61416?co=GENIE.Platform%3DDesktop&hl=es 
- Microsoft Edge: https://support.microsoft.com/es-es/microsoft-edge/permitir-temporalmente-las-cookies-y-los-datos-del-sitio-en-microsoft-edge-597f04f2-c0ce-f08c-7c2b-541086362bd2
- Firefox: https://support.mozilla.org/es/kb/habilitar-y-deshabilitar-cookies-sitios-web-rastrear-preferencias 
- Safari: https://support.apple.com/es-es/HT201265

18.    PROTOCOL FOR NOTIFICATION, MANAGEMENT AND RESPONSE TO SECURITY INCIDENTS
HOTEL DANN CARLTON BARRANQUILLA S.A.S. has an incident reporting procedure for communication and notification among employees, personal data protection officer, data processors, data owners, surveillance and control entities, as well as judicial bodies: for the management and response to security incidents from the moment they are detected in order to be evaluated and manage the vulnerabilities identified, ensuring that systems, networks, and applications are sufficiently secure.

All users and those responsible for managing databases, as well as any person involved in the collection, storage, use, circulation or any processing or consultation of databases, must know the procedure to act in case of security incidents to ensure the confidentiality, availability and integrity of the information contained in the databases under their responsibility.
Some examples of security incidents are: failure of security systems that allow access to personal data to unauthorized persons, unauthorized attempt to exit a document or medium, loss of data or total or partial destruction of media, change of physical location of databases, knowledge of passwords by third parties, modification of data by unauthorized personnel, among others.
In the event of a security incident, the response team or committee shall take into account the following criteria:
Strategy to identify, contain and mitigate security incidents.
- Implement measures to contain and reverse the impact of the security incident.
- Adequately assess the security incident and its impact on the data subjects.
- Verify the legal or contractual requirements with service providers associated with the security incident. 
- Determine the level of risk to Information Holders and report the occurrence.
- Verify the roles and responsibilities of the personnel responsible for the operation of the affected information or data. 
Timeline for security incident management.
Apply the procedure for dealing with security incidents, according to parameters that allow an adequate management and mitigation of impact.  Verify, according to the evaluation of the security incident, the need to notify entities such as: the Attorney General's Office, the Attorney General's Office, Gaula, National Police, Financial Superintendence of Colombia, Police Cybernetic Center, colCERT; Police CSIRT, Asobancaria CSIRT, Sector CSIRT, among others.
Progress of the security incident report
Monitor the management by establishing deadlines, evaluate its progress and identify possible conflicting points that may arise in the handling of the security incident.
Security incident response evaluation
Once the security incident has been managed and controlled, the response team should review the actions taken to contain it and make the appropriate adjustments to implement the improvement plan.
Actions implemented and improvement plans
Establish the necessary actions to mitigate the impact of the security incident and prevent its recurrence, through corrective and preventive actions, as well as improvement plans to be adopted by the response team.
Documentation and reporting to the oversight and control entity.
Document in an internal record the information related to the security incident, as well as prepare a report with support of the actions taken, which must be filed with the Superintendencia de Industria y Comercio , through the RNBD within 15 working days after the incident has been detected. 
Review
Evaluation of the causes that led to the security incident and the success of its management to assess the effectiveness of the controls and actions implemented. Document lessons learned for future reference.

19.    MANAGEMENT OF RISKS ASSOCIATED WITH DATA PROCESSING
HOTEL DANN CARLTON BARRANQUILLA S.A.S has identified risks related to the processing of personal data and established controls in order to mitigate their causes, through the implementation of PL-02 Internal Security Policies. Therefore, it will establish a risk management system together with the tools, indicators and resources necessary for its administration, when the organizational structure, internal processes and procedures, the amount of database and types of personal data processed by the organization are considered to be exposed to frequent or high impact events or situations that affect the proper provision of the service or threaten the information of the owners.
The risk management system will determine the sources such as: technology, human resources, infrastructure and processes that require protection, their vulnerabilities and threats, in order to assess their risk level. Therefore, in order to guarantee the protection of personal data, the type or group of internal and external persons and the different levels of access authorization shall be taken into account. Likewise, the possibility of occurrence of any type of event or action that may cause damage (material or immaterial) will be observed, such as: 
- Criminality: Understood as actions, caused by human intervention, that violate the law and are penalized by it.
- Events of physical origin: Understood as natural and technical events, as well as events indirectly caused by human intervention.
- Negligence and institutional decisions: Understood as actions, decisions or omissions on the part of people who have power and influence over the system. At the same time they are the least predictable threats because they are directly related to human behavior.
HOTEL DANN CARLTON BARRANQUILLA S.A.S in the risk management program will implement protective measures to prevent or minimize damage in case a threat materializes. 

20.    DELIVERY OF PERSONAL DATA TO THE AUTHORITIES 
When HOTEL DANN CARLTON BARRANQUILLA S.A.S. is requested by a public or administrative entity in the exercise of its legal functions or by court order to access and/or deliver personal data contained in any of its databases, the legality of the request will be verified, the relevance of the data requested in relation to the purpose expressed by the authority. For the delivery, a record will be signed indicating the data of the requesting entity and the characteristics of the personal information requested, specifying the obligation to guarantee the rights of the Holder, both to the official who makes the request, to the one who receives it, as well as to the requesting entity.

21. INTERNATIONAL TRANSFER AND TRANSMISSION OF PERSONAL DATA
HOTEL DANN CARLTON BARRANQUILLA S.A.S. will transfer personal data to countries that provide adequate levels of data protection. It is understood that a country offers an adequate level of data protection when it complies with the standards set by the Superintendencia de Industria y Comercio on the matter, which in no case may be lower than those required by Law 1581 of 2012 to its recipients. This prohibition shall not apply in the case of:
- Information with respect to which the Holder has granted its express and unequivocal authorization for the transfer.
- Exchange of medical data, when so required by the treatment of the Data Subject for reasons of health or public hygiene.
- Banking or stock exchange transfers, in accordance with the applicable legislation.
- Transfers agreed within the framework of international treaties to which the Republic of Colombia is a party, based on the principle of reciprocity.
- Transfers necessary for the execution of a contract between the Data Subject and the data controller, or for the execution of pre-contractual measures, as long as the Data Subject's authorization is obtained.
- Transfers legally required to safeguard the public interest, or for the recognition, exercise or defense of a right in a judicial process.      
In cases in which the transfer of data is necessary and the destination country is not on the list of countries considered as safe harbors indicated by the Superintendencia de Industria y Comercio , a declaration of conformity regarding the approval for the international transfer of personal data must be managed before the same entity.
The international transmissions of personal data carried out between HOTEL DANN CARLTON BARRANQUILLA S.A.S. and a processor to allow the processor to carry out the processing on behalf of the controller, will not require to be informed to the Data Subject or have his consent, provided that there is a contract for the transmission of personal data. This contract for the transmission of personal data must be signed between the Controller and the Processor to define the scope of the processing of personal data under its control and responsibility, as well as the activities that the Processor will carry out on behalf of the Controller and the obligations of the Processor towards the Data Subject. Additionally, the person in charge shall comply with the following obligations and apply the regulations in force in Colombia regarding data protection.
1. To treat, on behalf of the Controller, the personal data in accordance with the principles that protect them.
2. To safeguard the security of the databases containing personal data.
3. To keep confidentiality with respect to the processing of personal data.
The above conditions established for international data transmissions shall also be applicable to national data transmissions.

22. PROCESSING OF BIOMETRIC DATA
The biometric data stored in the databases are collected and processed for strictly security reasons, to verify personal identity and perform access control to employees, customers and visitors. Biometric identification mechanisms capture, process and store information related to, among others, the physical traits of individuals (fingerprints, voice recognition and facial features), in order to establish or “authenticate” the identity of each subject.
The administration of the biometric databases is carried out with technical security measures that guarantee due compliance with the principles and obligations derived from the Statutory Law on Data Protection, also ensuring the confidentiality and confidentiality of the information of the owners. 

23. NATIONAL REGISTRY OF DATABASES - RNBDD
The term for registering databases in the RNBD shall be as legally established. Likewise, in accordance with Article 12 of Decree 886 of 2014, the Data Controllers shall register their databases in the National Database Registry on the date on which the Superintendencia de Industria y Comercio enables such registration, in accordance with the instructions issued for that purpose by that entity. Databases created after this term must be registered within the following two (2) months, counted as of their creation.


24. SECURITY OF INFORMATION AND PERSONAL DATA
Compliance with the regulatory framework on Personal Data Protection, security, confidentiality and / or confidentiality of information stored in the databases is of vital importance to HOTEL DANN CARLTON BARRANQUILLA S.A.S. Therefore, we have established policies, guidelines and procedures and standards of information security, which may change at any time adjusting to new rules and needs of HOTEL DANN CARLTON BARRANQUILLA S.A.S whose objective is to protect and preserve the integrity, confidentiality and availability of information and personal data.

Likewise, we guarantee that in the collection, storage, use and/or treatment, destruction or elimination of the information provided, we rely on technological security tools and implement security practices that include: transmission and storage of sensitive information through secure mechanisms, use of secure protocols, securing technological components, restricting access to information only to authorized personnel, information backup, secure software development practices, among others.
In case it is necessary to provide information to a third party due to the existence of a contractual link, we subscribe a transmission contract to guarantee the reserve and confidentiality of the information, as well as, the compliance with the present Policy of data treatment, the policies and manuals of information security and the protocols of attention to the owners established in HOTEL DANN CARLTON BARRANQUILLA S.A.S. In any case, we adopt commitments for the protection, care, security and preservation of the confidentiality, integrity and privacy of the stored data.

25. DOCUMENT MANAGEMENT
Documents containing personal data should be easily retrievable, that is why the place where each of the physical and digital documents are stored should be documented, these storage routes should be inspected frequently, their conservation should be guaranteed, leaving defined in what support and under what conditions this conservation will be carried out, The retention time of the documents is determined according to the legal requirements if applicable, otherwise each organization defines it according to its needs, as well as the final disposition of the documents, identifying if they are recycled, reused, preserved, digitalized, among others.
The documents that have to do with the protection of personal data must be elaborated by personnel or a competent entity for it, likewise the organization must be the one who reviews and approves all the documents and leave it registered in the approval box of the documents.
In order to be easily traceable, the documents must be coded, updated and modified by the responsible personnel, this modification will be made whenever necessary, for the elimination of a document must have the justification for it described in the history which is at the bottom of all documents. 
Both physical and digital documents containing personal data must be protected from external or internal agents that may alter their content, following the guidelines described in the PL-02 Internal Security Policy Manual.
The distribution of documents containing personal data shall be carried out by the data controller, who shall document the evidence of such distribution, specifying, among other things, the type of document and the identification of the person to whom the information was delivered.
A person responsible for guaranteeing the confidentiality of the personal data of the owners must be appointed, who will be the one to safeguard documents, guarantee their physical and digital protection, avoid alterations of the information, and guarantee that the documents that come out of his custody are identified and easily traceable.  

26. VALIDITY
The present update of the Policy will be in force from 2024-01-27, the databases under the responsibility of HOTEL DANN CARLTON BARRANQUILLA S.A.S. will be subject to treatment during the time that is reasonable and necessary for the purpose for which the data is collected and in accordance with the authorization granted by the Owners of the personal data.