
PERSONAL DATA PROCESSING POLICY

TABLE OF CONTENTS

1. LEGAL BASIS AND SCOPE OF APPLICATION
1.1. Scope
1.2. Applicable Regulations
2. DEFINITIONS
2.1. Authorization:
2.2. Database:
2.3. Personal Data:
2.3.1. Public Data:
2.3.2. Semi Private Data:
2.3.3. Private data:
2.3.4. Sensitive Data:
2.4. Data processor:
2.6. Database Administrator:
2.7. Data Protection Officer:
2.8. Registrant:
2.9. Data Management:
2.10. Privacy Notice:
2.11. Transfer:
3. PRINCIPLES OF DATA PROTECTION
3.1. Principle of Legality:
3.2. Principle of Finality:
3.3. Principle of Freedom:
3.4. Principle of Truthfulness or Quality:
3.5. Principle of transparency:
3.6. Principle of Access and Restricted Circulation:
3.7. Principle of Security:
3.8. Principle of Confidentiality:
4. AUTHORIZATION FOR USE OF PERSONAL DATA
5. REQUEST FOR AUTHORIZATION TO THE PERSONAL DATA BELONGING TO REGISTRANT
6. DATA CONTROLLER
7. MANAGEMENT AND PURPOSES OF DATABASES
8. VALIDITY OF DATABASE
9. RIGHTS OF THE REGISTRANTS
9.1. Right of access or consultation
9.2. Rights to Complaints and Claims
9.3. The right to request proof of authorization granted to the Data Controller.
9.4. Right to file complaints before the Superintendence of Industry and Commerce for infringements.
10. MANAGEMENT OF CHILDREN’S DATA
11. DUTIES AS THE DATA CONTROLLER
12. DUTIES AS A MANAGER OF DATA
13. ATTENTION TO REGISTRANTS
14. PROCEDURES FOR EXERCISING THE REGISTRANT’S RIGHTS
14.1. Right of access or consultation
14.2. Rights of Complaints and Claims
14.3. Authorized personnel to receive information
14.3.1. Confirmation of authority to request or receive information
15. DATA PROCESSING IN VIDEO SURVEILLANCE SYSTEMS
16. SECURITY MEASURES
17. COOKIES OR WEB BUGS
18. PROCEDURE FOR NOTIFICATION, MANAGEMENT AND RESPONSE TO INCIDENTS
19. MANAGEMENT OF RISKS ASSOCIATED WITH DATA MANAGEMENT
20. RELEASE OF PERSONAL DATA TO THE AUTHORITIES
21. INTERNATIONAL TRANSFER AND TRANSMISSION OF PERSONAL DATA
22. MANAGEMENT OF BIOMETRIC DATA
23. NATIONAL DATABASE REGISTRY – RNBD
24. INFORMATION AND PERSONAL DATA SECURITY
25. DOCUMENT MANAGEMENT
26. VALIDITY
27. Appendix
28. PREPARATION AND APPROVAL OF THE DOCUMENT
29. DOCUMENT HISTORY

1. LEGAL BASIS AND SCOPE OF APPLICATION
The management of personal information is generated in compliance with articles 15 and 20 of the Constitution of Colombia. It is also based on articles 17 literal k) and 18 literal f) of Statutory Law 1581 of 2012, by which general provisions for the Protection of Personal Data (LEPD) are issued. Additionally, this policy is also in compliance with article 2.2.2.25.1.1 section 1 chapter 25 of Decree 1074 of 2015, by which Law 1581 of 2012 is partially regulated.

This policy will be applicable to all personal data registered in databases that are processed by the Data Controller.

1.1. Scope
This document shall apply to all personal data or any other type of information that is used or stored in the databases and files of HOTEL DANN CARLTON BARRANQUILLA S.A, all the while respecting the criteria for the collection, gathering, use, treatment, processing, exchange, transfer and transmission of personal data, and to establish the obligations and guidelines of HOTEL DANN CARLTON BARRANQUILLA S.A for the administration and management of personal data stored in its databases and files. This manual is applicable to the processes carried out by HOTEL DANN CARLTON BARRANQUILLA S.A. who must process data (public data, semi-private data, private data, sensitive data, data of children and adolescents) in its capacity as Data Controller and Data Processor.

1.2. Applicable Regulations

-Constitution of Colombia
-Law 1581 of 2012
-Decree 1074 of 2015 Chapter 25 and Chapter 26 compiling the decrees:
●Decree 1377 of 2013
●Decree 886 of 2014
-Law 1266 of 2008 “Whereby the general provisions of Habeas Data are issued”.
-Administrative measures issued by the Superintendence of Industry and Commerce.
2. DEFINITIONS

The following definitions are set forth in Article 3 of the LEPD and Article 2.2.2.25.1.3 Section 1 Chapter 25 of Decree 1074 of 2015 (Article 3 of Decree 1377 of 2013).
2.1. Authorization:
Prior expressed and informed consent on the part of the Registrant in order to carry out the processing of personal data.
2.2. Database:
An organized set of personal data that is the object of processing, pertinent to the same context and systematically stored for later use.
2.3. Personal Data:
Any information connected to, or that can be associated to, one or several specific or determinable natural persons. This data is classified as public, semi-private, private and sensitive:
2.3.1. Public Data:
Data that is not semi-private, private or sensitive. Public data are considered, among others, as data relating to the civil status of persons, their profession or trade and their status as a businessperson or public servant.
By their nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins, duly executed judicial decisions that are not subject to confidentiality.
2.3.2. Semi Private Data:
It is that which is not of an intimate, reserved or public nature and whose knowledge or disclosure may be of interest not only to the Registrant but also to a certain sector or group of persons or to society in general. These include Databases containing financial, credit, commercial, service and third country information.

2.3.3. Private data:
It is personal data that, due to its intimate or reserved nature, is only of interest to its owner and requires prior, informed and expressed authorization for its processing. This includes databases containing data such as telephone numbers and personal emails; labor data, data related to administrative or criminal offenses, administered by tax administrations, financial institutions and management entities and joint services of the Social Security, databases regarding asset or credit solvency, databases with sufficient information to assess the identity of the Registrant, databases of those responsible for operators that provide electronic communication services.

2.3.4. Sensitive Data:
Sensitive data are understood as those that affect the privacy of the Registrant or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, human rights social organizations or organizations that promote the interests of any political party or that guarantee the rights and safeguards of opposing political parties, as well as data related to health, sex life, and biometric data.

2.4. Data processor:
Natural or legal person, public or private, who by himself or in association with others, carries out the processing of personal data on behalf of the Data Controller.
2.5. Data Controller:
Natural or legal person, public or private, who alone or in association with others, decides on the database and/or the processing of data.
2.6. Database Administrator:
Collaborator in charge of controlling and coordinating the proper implementation of data processing policies once they are stored in a specific database; as well as implementing the guidelines issued by the Data Controller and the Data Protection Officer.
2.7. Data Protection Officer:
Refers to the natural person who undertakes the task of coordinating the implementation of the legal framework for the protection of personal data, who will process the requests of the Registrants, for the implementation of the rights referred to in Law 1581 of 2012.
2.8. Registrant:
Natural person whose personal data is subject to processing.
2.9. Data Management:
Any process or set of processes with regards to personal data, such as the collection, storage, use, circulation or deletion thereof.
2.10. Privacy Notice:
Verbal or written communication generated by the Data Controller, addressed to the Registrant for the processing of his personal data, through which he is informed regarding the existence of the data management policies that will be applicable to him, how to access the aforementioned data and the end result of the processing that the data will undergo.
2.11. Transfer:
The transfer of data takes place when the Data Controller and/or the Data Processor, located in Colombia, sends the information or personal data to a recipient, who in turn is the Data Controller who is located within or outside of the country.
2.12. Transmission:
Management of personal data that involves the dissemination thereof within or outside of the territory of the Republic of Colombia when the purpose is to carry out a specific processing of data will be determined by the Data Processor on behalf of the Data Controller.

3. PRINCIPLES OF DATA PROTECTION

Article 4 of the LEPD (Statutory Law for the Protection of Personal Data) establishes principles for the management of personal data that must be applied harmoniously and integrally in the development, interpretation and application of the Law. The legal principles of data protection are as follows:

3.1. Principle of Legality:
The management of data is a regulated activity that must be subject to the provisions set forth in the above-mentioned LEPD, Decree 1377 of 2013 compiled in Chapter 25 of Decree 1074 of 2015 and other provisions that execute it.
3.2. Principle of Finality:
The management of data must adhere to a legitimate purpose in accordance with the Constitution of Colombia and the Law, which must be communicated to the Registrant.
3.3. Principle of Freedom:
The management of data may only be carried out with the prior, expressed and informed consent of the Registrant. Personal data may not be obtained or disclosed without prior authorization, or in the absence of legal or judicial mandate revealing consent. The management of data requires the prior and informed consent of the Registrant by any means that allows him to be consulted at a later date.
3.4. Principle of Truthfulness or Quality:
The information subject to processing must be truthful, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fragmented or misleading data is prohibited.
3.5. Principle of transparency:
During the processing of data, the Registrant’s right to obtain from the Data Controller or the Data Processor, at any time and without restrictions, information regarding the existence of data concerning him or herself must be guaranteed. At the time of requesting the Registrant’s authorization, the Data Controller must clearly and expressly inform him or her of the following, keeping proof of the fulfillment of this duty:
-The processing to which their data will be subjected and the purpose thereof.
-The optional nature of the response of the Registrant to the questions asked of him when they make reference to sensitive data or data related to children or adolescents.
-The rights of the Registrant.
-The identification, physical address, e-mail and telephone number of the Data Controller.
3.6. Principle of Access and Restricted Circulation:
The management of data is subject to the limits deriving from the nature of the personal data, the provisions of the LEPD and the Constitution of Colombia. In this regard, the management of data may only be carried out by persons authorized by the Registrant and by persons authorized by law. Except for public information, personal data may not be available on the Internet and other means of mass communication or dissemination, unless access is technically controllable so as to provide restricted knowledge only to the Registrant or authorized third parties in accordance with the Law.
3.7. Principle of Security:
The information subject to management by the Data Controller or Data Processor shall be handled with the technical, human and administrative measures necessary to provide security to the records while avoiding their adulteration, loss, or unauthorized or fraudulent consultation, use or access. The Data Controller is responsible for implementing the corresponding security measures and for informing all personnel who have direct or indirect access to the data. Users accessing the Controller’s information systems must be aware of and comply with the security rules and measures corresponding to their functions. These rules and security measures are compiled in the PL-02 Internal Security Policies, which must be complied with by all users and company personnel. Any modification of the rules and measures regarding the security of personal data by the Data Controller must be made known to the users.
3.8. Principle of Confidentiality:
All persons involved in the processing of personal data that are not of a public nature are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks involved in the processing, and may only provide or communicate personal data when it corresponds to the development of the activities authorized in the LEPD and under the terms of the same.
4. AUTHORIZATION FOR USE OF PERSONAL DATA

In accordance with article 9 of the LEPD, the Registrant’s authorization is required for the processing of personal data, except in cases expressly indicated in the guidelines that regulate the protection of personal data. Prior to and/or at the time of collecting personal data, HOTEL DANN CARLTON BARRANQUILLA S.A shall request the Registrant’s authorization to collect and process personal data, indicating the purpose for which it is requested, using for such purposes automated technical measures, written or oral, that allow the retention of proof of the authorization and/or the unequivocal conduct described in article 2.2.2.2.25.2.2. section 2 of chapter 25 of Decree 1074 of 2015.

The authorization of the Registrant shall not be required in the case of:

-Information required by a public or administrative entity in the exercise of its legal functions or by court order.
-Data of a public nature.
-Cases of medical or sanitary emergencies.
-Processing of information authorized by law for historical, statistical or scientific purposes.
-Data related to the Civil Registry of persons.
5. REQUEST FOR AUTHORIZATION TO THE PERSONAL DATA BELONGING TO REGISTRANT

The authorization for the use and/or processing of the data will be carried out by HOTEL DANN CARLTON BARRANQUILLA S.A., by means of mechanisms that guarantee its subsequent consultation and the manifestation of the Registrant’s consent through the following means:
-In writing.
-Spoken.
-Through automated channels.
-Through unequivocal conduct on the part of the Registrant that allows the reasonable conclusion that he/she granted the authorization.
HOTEL DANN CARLTON BARRANQUILLA S.A., prior to and/or at the time of collecting the personal data, shall clearly and expressly inform the Registrant of the following:
a)The processing to which his or her personal data will be submitted and the purpose of such processing;
b)The optional nature of the response to the questions asked of him, when they are related to sensitive data or to the information regarding children and adolescents;
c)The rights a person has as a Registrant;
d)HOTEL DANN CARLTON BARRANQUILLA S.A.’s identification, physical or electronic address and telephone number.
6. DATA CONTROLLER

The person responsible for the processing of the databases covered by this policy is HOTEL DANN CARLTON BARRANQUILLA S.A., whose contact details are as follows:

-Address: CL 98 52 B 10, BARRANQUILLA – ATLÁNTICO.
-Email: informacion@danncarltonbaq.co
-Telephone number: 3677777 –

7. MANAGEMENT AND PURPOSES OF DATABASES

HOTEL DANN CARLTON BARRANQUILLA S.A, in carrying out its business activity, exercises the management of personal data related to natural persons that are contained and processed in databases intended for legitimate purposes, in compliance with the Constitution of Colombia and the Law. The management of the data will be subject to the objectives authorized by the Registrant, to the contractual obligations between the parties, as well as to the cases in which there are legal obligations that must be fulfilled.
Annex 1 PL-01, titled Databases Organization, contains the information related to the different databases under the company’s responsibility and the purposes assigned to each one of them for their management.
8. VALIDITY OF DATABASE

The personal data incorporated in the databases will be valid for the period of time necessary to carry out the purposes for which its management was authorized and of the special rules that regulate the matter. The current norms related to the period of storage will also be taken into account.

9. RIGHTS OF THE REGISTRANTS
In accordance with Article 8 of the LEPD, Article 2.2.2.25.4.1 Section 4 Chapter 25 of Decree 1074 of 2015 (Articles 21 and 22 of Decree 1377 of 2013), the Registrants may exercise a number of rights in relation to the management of their personal data. The Owner of the personal data (The Registrant) shall have the following rights:

a) To know, update and rectify personal data with respect to the Data Controller or Data Processor. This right may be exercised, among others, in reference to partial, inaccurate, incomplete, fragmented or misleading data, or data whose management is expressly prohibited or has not been authorized;
b) Request proof of the authorization granted to the Data Controller, except when expressly exempted as a requirement for the management of data, in accordance with the provisions set forth in Article 10 of this law;
c) Be informed by the Data Controller or Data Processor, upon request, regarding the use that has been given to their personal data;
d) To file complaints for violations of the provisions of this law and other regulations that modify, add or complement it before the Superintendence of Industry and Commerce;
e) To revoke the authorization and/or request the deletion of the data when the management of data does not respect the principles, rights and constitutional and legal guarantees. The revocation and/or deletion of authorization will proceed when the Superintendence of Industry and Commerce has determined that, in processing data, the Data Controller or Data Processor has engaged in conduct contrary to the law and the Constitution of Colombia;
f) Access free of charge to personal data that have been subject to data management.

These rights may be exercised by the following individuals.

1. By the Registrant, who must prove his identity adequately through the various means made available to him by the Controller.
2. By their successors or assignee, who must prove their status as such.
3. By the representative and/or attorney-in-fact of the Registrant, prior to certification of the representation or power of attorney.
4. By stipulation in favor of another and for another.

To know, update and rectify their personal data with respect to Data Controllers or Data Processors.

9.1. Right of access or consultation

This is the right of the Registrant to be informed by the Data Controller, upon request, regarding the origin, use and purpose for which his personal data is used.

9.2. Rights to Complaints and Claims

The Law distinguishes four types of claims:

-Correction claim: the right of the Registrant to update, rectify or modify partial, inaccurate, incomplete, fragmented, misleading data, or data whose management is expressly prohibited or has not been authorized.
-Claim for deletion: the right of the Registrant to have data deleted that is inadequate, excessive or that does not respect constitutional and legal principles, rights and guarantees.
-Revocation claim: the right of the Registrant to cancel the authorization previously given with regards to the management of his or her personal data.
-Infringement claim: the right of the Registrant to request that a breach of Data Protection regulations be remedied.

9.3. The right to request proof of authorization granted to the Data Controller.

This right applies except when authorization is expressly exempted as a requirement for the management of data in accordance with the provisions of Article 10 of the LEPD.

9.4. Right to file complaints before the Superintendence of Industry and Commerce for infringements.

The Registrant or successor may only file a petition (complaint) before the SIC – Superintendence of Industry and Commerce, once the consultation or complaint process has been exhausted before the Data Controller or Data Processor.

10. MANAGEMENT OF CHILDREN’S DATA

HOTEL DANN CARLTON BARRANQUILLA S.A in accordance with Article 7° of Law 1581 of 2012, undertakes the management of personal data of children and adolescents within the framework of the criteria outlined in Article 2.2.2.2.25.2.9 section 2 of Chapter 25 of Decree 1074 of 2015 (Article 12 of Decree 1377 of 2013), in compliance with the following parameters and requirements:

1. That the use of the data responds to and respects the best interests of children and adolescents.
2. That in the use of data, respect for the fundamental rights of the minor is ensured.

Once the above requirements have been met, HOTEL DANN CARLTON BARRANQUILLA S.A. shall request the legal representative of the child or adolescent for authorization of management of personal data prior to the minor having exercised his or her right to be heard, an opinion that shall be assessed taking into account the maturity, autonomy and ability to understand the matter. In exercising their duty as Data Controller and Data Processor, they shall ensure the proper use of the data of children and adolescents by applying the principles and obligations set forth in Law 1581 of 2012 and regulatory standards. Likewise, it will identify the sensitive data collected or stored in order to increase the security and management of the information.

11. DUTIES AS THE DATA CONTROLLER

HOTEL DANN CARLTON BARRANQUILLA S.A in its capacity as Data Controller shall comply with the following duties, without prejudice to the other provisions set forth in this law and others that govern its activity:
11.1. TO THE REGISTRANT:
a)Guarantee to the Registrant, at all times, the full and effective exercise of the right of habeas data;
b)Request and keep, under the conditions provided for in this law, a copy of the respective authorization granted by the Registrant;
c)Duly inform the Registrant about the purpose of the data collection and the rights he/she has by virtue of the authorization granted;
d)To process questions and claims formulated in accordance with the terms set forth in this law;
e)At the Registrant’s request, inform him or her regarding the use given to his/her data;
11.2. TO THE DATA PROCESSOR
a)Guarantee that the information provided to the Data Processor is truthful, complete, accurate, updated, verifiable and understandable;
b)Update the information, communicating, in a timely manner, to the Data Processor, all developments regarding the data previously provided and take other necessary measures to ensure that the information provided is kept up to date;
c)Rectify the information when it is incorrect and communicate the pertinent information to the Data Processor;
d)Inform the Data Processor when certain information is under discussion by the Registrant, once the claim has been filed and the respective process has not been completed;
e)To provide to the Data Processor, as the case may be, only data whose management is previously authorized in accordance with the provisions of this law;
f)To demand from the Data Processor, at all times, to respect the security and privacy conditions of the registrant’s information;
11.3. To the principles and other obligations:
a)Adhere to the principles of legality, purpose, freedom, quality, truthfulness, transparency, restricted access and circulation, security and confidentiality.
b)Adopt an internal policies and procedures manual to ensure proper adherence to this law and especially for answering questions and complaints;
c)Inform the data protection authority when there are violations to the security codes and when there are risks in the administration of the Registrants’ information.
d)Comply with the instructions and requirements given by the Superintendence of Industry and Commerce.
e)Maintain information under necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access;
12. DUTIES AS A MANAGER OF DATA

HOTEL DANN CARLTON BARRANQUILLA S.A in its capacity as Data Processor shall comply with the following duties, without prejudice to the other provisions set forth in this law and others that govern its activity:
a)Guarantee the Registrant, at all times, the full and effective exercise of the right of habeas data;
b)Maintain information under the secure conditions necessary to prevent its adulteration, loss, or unauthorized or fraudulent consultation, use or access;
c)Timely updating, correction or deletion of data under the terms of this law;
d)Update the information reported by the Data Controller within five (5) business days upon receipt;
e)Process the questions and claims made by the Registrants under the terms set forth in this law;
f)Adopt an internal Policies and Procedures Manual to ensure proper adherence to this law and, in particular, to give attention to questions and claims made by the Registrants;
g)Register the legend “claim in process” in the database in the manner regulated by this law;
h)Insert the legend “information under judicial discussion” in the database once notified by the competent authority regarding any judicial proceedings related to the quality of the personal data;
i)Abstain from disseminating information that is under question by the Registrant, information whose restriction has been ordered by the Superintendence of Industry and Commerce;
j)Allow access to the information only to the persons who may have access to it;
k)Inform the Superintendence of Industry and Commerce when there are violations to the security codes and there are risks in the administration of the registrants’ information;
l)Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
13. ATTENTION TO REGISTRANTS

HOTEL DANN CARLTON BARRANQUILLA S.A. has appointed a Data Protection Officer to deal with requests, queries and claims regarding personal data protection. The registrants may send their requests or queries through the following channels:
Email: informacion@danncarltonbaq.co
Address: CL 98 52 B 10, BARRANQUILLA – ATLÁNTICO.
Telephone number: 3677777 –

14. PROCEDURES FOR EXERCISING THE REGISTRANT’S RIGHTS

14.1. Right of access or consultation

HOTEL DANN CARLTON BARRANQUILLA S.A will guarantee the Registrant free consultation of his/her personal data in the following cases (Article 2.2.2.2.25.4.2. section 4 chapter 25 of Decree 1074 of 2015):

1. At least once every calendar month.
2. Whenever there are substantial modifications to the management of information policies that lead to new queries.

For inquiries whose frequency is greater than one per calendar month, HOTEL DANN CARLTON BARRANQUILLA S.A. may charge the Registrant for shipping costs, reproduction and, if applicable, certification of documents. Reproduction costs may not be higher than the recovery costs of the corresponding material. For such purpose, HOTEL DANN CARLTON BARRANQUILLA S.A. shall demonstrate to the Superintendence of Industry and Commerce, when so required, the support of such expenses.

The Registrant whose data is in question may exercise the right of access or consultation of their data by writing to HOTEL DANN CARLTON BARRANQUILLA S.A. by e-mail to: informacion@danncarltonbaq.co, indicating in the Subject “Exercise of the right of access or consultation”, or by mail sent to CL 98 52 B 10, BARRANQUILLA – ATLANTICO. The request must contain the following information:

-First Name and Last Name of the Registrant.
-Photocopy of the registrant’s Citizenship Card and, if applicable, of the person representing him/her, as well as the document proving such representation.
-Petition in which the request for access or consultation is specified.
-Address for notifications, date and signature of the applicant.
-Documents in support of the request made, when applicable.

The Registrant may choose one of the following ways to consult the database in order to receive the requested information:
-On-screen display.
-In writing, with copy or photocopy sent by certified mail or not.
-E-mail or other electronic means.
-Other systems appropriate to the configuration of the database or to the nature of the management of data offered by HOTEL DANN CARLTON BARRANQUILLA S.A.

Once the request is received, HOTEL DANN CARLTON BARRANQUILLA S.A. will resolve the consultation request within a maximum period of ten (10) working days from the date of receipt thereof. When it is not possible to give response to the consultation within such a term, the interested party shall be informed, stating the reasons for the delay and indicating the date on which the consultation will be answered, which in no case may exceed five (5) business days following the expiration of the first term. These deadlines are set forth in Article 14 of the LEPD.

Once the inquiry process has been exhausted, the Registrant or successor or assignee may file a complaint before the Superintendence of Industry and Commerce.

14.2. Rights of Complaints and Claims

The Registrant may exercise his/her right of claim regarding his/her data by writing to HOTEL DANN CARLTON BARRANQUILLA S.A. by e-mail to informacion@danncarltonbaq.co, indicating in the Subject “Exercise of the right of access or consultation”, or by mail sent to CL 98 52 B 10, BARRANQUILLA – ATLANTICO. The request must contain the following information:

-First Name and Last Name of the Registrant.
-Photocopy of the Registrant’s Citizenship Card and, if applicable, of the person representing him/her, as well as the document proving such representation.
-Description of the facts and petition in which the request for correction, deletion, withdrawal, or infringement is made.
-Address for notifications, date and signature of the applicant.
-Documents supporting the request to be asserted, when applicable.

If the claim is incomplete, the interested party will be required to correct the errors within five (5) days of receipt of the claim. After two (2) months from the date of the request, without the applicant submitting the required information, it will be understood that the claim has been withdrawn.

Upon receipt of the completed claim, a legend stating “claim in process” and the motive for the claim will be included in the database within a term no longer than two (2) business days. Said legend shall be maintained until the claim is decided.

HOTEL DANN CARLTON BARRANQUILLA S.A. will resolve the claim request within a maximum period of fifteen (15) business days from the date of receipt thereof. When it is not possible to process the claim within the time specified, the interested party will be informed of the reasons for the delay and the date on which the claim will be processed, which under no circumstances may exceed eight (8) business days following the expiration of the first date.
Once the complaint process has been exhausted, the Registrant or successor or assignee may file a complaint before the Superintendence of Industry and Commerce.

14.3. Authorized personnel to receive information

HOTEL DANN CARLTON BARRANQUILLA S.A. will provide the Registrant’s data found on databases to the following persons authorized to receive it, in accordance with Article 13 of Law 1581 of 2012:
●To the Registrants, their successors or their legal representatives;
●To public or administrative entities in the exercise of their legal functions or by court order;
●To third parties authorized by the Registrant or by law.

14.3.1. Confirmation of authority to request or receive information

For the processing of the request for consultation or claim, the applicant must provide the following documents to prove his status as Registrant or to prove that he has been given authority to receive the required information, according to the following cases:
●Registrant: Copy of identity document.
●Successor or assignee: Proof of identity document, Registrant’s death certificate, document certifying the capacity in which he/she is acting, and the Registrant’s identity document number.
●Legal representative and/or proxy: Valid identity document, document certifying the legal capacity in which he/she is acting (Power of Attorney), and the Registrant’s identity document number.

15. DATA PROCESSING IN VIDEO SURVEILLANCE SYSTEMS

HOTEL DANN CARLTON BARRANQUILLA S.A. will inform the public about the existence of video surveillance systems. This will be done by posting signs within sight of all Registrants. These signs will be installed in the video surveillance areas, mainly in the spaces that lead to the entrance areas that are being monitored by video surveillance and inside the same. These signs shall inform who the Data Controller is, the purposes for monitoring, the rights of the Registrant, the available channels so that the Registrant can exercise his rights, as well as where the Data Management Policy is published.

Moreover, it will retain the images only for the time strictly necessary to comply with the purpose of the management of data and will register the database that stores the images in the National Registry of Databases, unless the management of data consists only in the reproduction or broadcasting of images in real time.

Access to and disclosure of the images will be restricted to persons authorized by Registrant and/or by request of an authority figure in exercise of his duly appointed functions. Consequently, the disclosure of the information collected will be controlled and be consistent with the purpose established by the Data Controller.

16. SECURITY MEASURES

HOTEL DANN CARLTON BARRANQUILLA S.A., in order to comply with the principle of security established in Article 4 paragraph g) of the LEPD, has implemented technical, human and administrative measures necessary to ensure the security of the records to avoid their adulteration, loss, consultation, use or unauthorized or fraudulent access.

Moreover, HOTEL DANN CARLTON BARRANQUILLA S.A., by signing the corresponding transfer contracts, has required the data processors with whom it works to implement the necessary security measures to guarantee the security and confidentiality of the information in the management of personal data.

The following are the security measures implemented by HOTEL DANN CARLTON BARRANQUILLA S.A., which are included and elaborated upon in its PL-02 Internal Security Policies (Tables I, II, III and IV).

TABLE I: Common security measures for all types of data (public, private, confidential, reserved) and databases (automated, non-automated)

Document and media management
1. Measures to prevent improper access to or recovery of data that has been discarded, erased or destroyed.
2. Restricted access to the location where the data is stored.
3. Authorization of the Database Administrator for the physical or electronic release of documents or media.
4. Labeling system or identification of the type of information.
5. Support inventory.

Access control
1. User access is limited to the data necessary for carrying out their functions.
2. Updated list of authorized users and accesses.
3. Mechanisms to prevent access to data with access rights other than those authorized.
4. Granting, alteration or cancellation of permissions by authorized personnel.

Incidents
1. Incident record: type of incident, time of occurrence, reporting party, receiving party, effects and corrective measures.
2. Incident notification and management procedure.

Personnel
1. Definition of the duties and obligations of the users with access to the data.
2. Definition of the control functions and authorizations delegated by the Data Controller.
3. Dissemination of the rules and the consequences of non-compliance among personnel.

Internal Security Manual
1. Preparation and implementation of the mandatory manual for personnel.
2. Minimum content: scope of application, security measures and procedures, functions and obligations of the personnel, description of the databases, procedure in case of incidents, identification of the individuals in charge of the treatment.

TABLE II: Common security measures for all types of data (public, private, confidential, reserved) by type of database

Non-automated databases:

Filing
1. Filing of documentation adhering to procedures that guarantee correct safekeeping, tracking and access, which allows for the exercise of the Registrants’ rights.

Storage of documents
1. Storage devices with mechanisms to prevent access by unauthorized persons.

Custody of documents
1. Duty of management and custody on the part of the person in charge of documents during their review or processing.

Automated databases:

Identification and authentication
1. Personalized identification of users so they can access information systems and verification of their authorization.
2. Identification and authentication mechanisms; Passwords: issuing and expiration dates.

Telecommunications
1. Data access through secure networks.

TABLE III: Security measures for private data according to the type of databases

Non-automated databases:

Audit
1. Ordinary audit (internal or external) every two months.
2. Extraordinary audit for substantial modifications in the information systems.
3. Report of detection of weaknesses and proposed corrections.
4. Analysis and conclusions made by the Security Manager and the Data Manager.

Security Manager
1. Designation of one or more Database Administrators.
2. Designation of one or more persons in charge of the control and coordination of the measures of the Internal Security Manual.
3. Prohibition against the delegation of responsibility belonging to the Data Controller to the Database Administrators.

Internal Security Manual
1. Periodic compliance controls.

Automated databases:

Management of documents and media
1. Record of incoming and outgoing documents and support documents: date, sender and receiver, number, type of information, method of delivery, person responsible for receipt or delivery.

Control of access
1. Control of access to the site or sites where the information systems are located.

Identification and authentication
1. Mechanism to limit the number of repeated unauthorized access attempts.
2. Data encryption mechanisms for transmission.

Incidents
1. Record of data recovery procedures, person performing the procedures, restored data and manually recorded data.
2. Authorization on the part of the Data Controller for the execution of recovery procedures.

TABLE IV: Security measures for sensitive data according to the type of databases

Non-automated databases:

Access control
1. Access only to authorized personnel.
2. Access identification mechanism.
3. Logging of access by unauthorized users.
4. Destruction to prevent access or recovery of data.

Document storage
1. File cabinets, cabinets or other types of cabinets located in access areas protected by keys or other measures.
2. Measures to prevent access to or manipulation of physically stored documents.

Automated databases:

Control of access
1. Confidential labeling system.

Identification and authentication
1. Data encryption mechanisms for transmission and storage.

Document storage
1. Access log: user, time, database accessed, type of access, log of what is accessed.
2. Control of the access log by the security manager. Monthly report.

Telecommunications
1. Access and transmission of data through secure electronic networks.
2. Data transmission through encrypted networks (VPN).

17. COOKIES OR WEB BUGS

HOTEL DANN CARLTON BARRANQUILLA S.A. may collect personal information from its Users while they use the Website, the Application or the Linked Pages (Landing Page). Users may opt to store this personal information on the Website, the Application or the Linked Portal (Landing Page), in order to facilitate transactions and services to be provided by HOTEL DANN CARLTON BARRANQUILLA S.A and/or its Linked Portals (Landing Page). Therefore, HOTEL DANN CARLTON BARRANQUILLA S.A uses different tracking and data collection technologies, such as its own and third-party cookies. This is the analysis tool that helps website and application owners to understand how visitors interact with their properties. This tool may use a set of cookies to collect information and provide statistics on website usage without personally identifying Google visitors.

This information allows us to know your browsing patterns and offer you personalized services. HOTEL DANN CARLTON BARRANQUILLA S.A may use these technologies to authenticate your identity, to remember your preferences for the use of the website, application and linked pages (Landing Page), to inform you of offers that may be of interest to you and to facilitate transactions, to analyze the use of the website, application or linked pages and their services, to use it in the aggregate or combine it with the personal information we have and share it with authorized entities.

If a user does not wish for their personal information to be collected through cookies, they can adjust the preferences in their own web browser. However, it is important to note that, if a web browser does not accept Cookies, some of the functions of the website, the application and/or the linked pages (Landing Page) may not be available or may not work properly. You can allow, block or delete cookies installed on your device by configuring the options of the browser installed on your device, as follows:
-Chrome: https://support.google.com/accounts/answer/61416?co=GENIE.Platform%3DDesktop&hl=es
-Microsoft Edge: https://support.microsoft.com/es-es/microsoft-edge/permitir-temporalmente-las-cookies-y-los-datos-del-sitio-en-microsoft-edge-597f04f2-c0ce-f08c-7c2b-541086362bd2
-Firefox: https://support.mozilla.org/es/kb/habilitar-y-deshabilitar-cookies-sitios-web-rastrear-preferencias
-Safari: https://support.apple.com/es-es/HT201265

18. PROCEDURE FOR NOTIFICATION, MANAGEMENT AND RESPONSE TO INCIDENTS

HOTEL DANN CARLTON BARRANQUILLA S.A. establishes a procedure for notification, management and response to incidents in order to guarantee the confidentiality, availability and integrity of the information contained in the databases under its responsibility.

Users and those responsible for procedures, as well as any person who has contact with the storage, management of data or consultation of the databases included in this document, must know the procedure to take in the event of an incident.

The procedure for notification, management and response to incidents is as follows:

-When a person becomes aware of an incident (loss, theft and/or unauthorized access) that affects or may affect the confidentiality, availability and integrity of the protected information of the company or any of the Data Processors, he/she must immediately notify the Data Protection Officer, describing in detail the type of incident that has occurred, and indicating the persons who may have been involved in the incident, the date and time it occurred, the person notifying the incident, the person to whom it is communicated and the effects it has produced.
-Once the incident has been reported, you must request an Acknowledgement Receipt from the Data Protection Officer stating that you have been notified of the incident with all the requirements listed above.
-HOTEL DANN CARLTON BARRANQUILLA S.A. creates a record of incidents that must contain the following: the type of incident (internal or external fraud, damage to physical assets, technological failures, execution and administration of processes), date and time of the incident, person who notifies, person to whom it is communicated, effects of the incident and corrective measures when applicable. This record is processed by the Data Protection Officer. Refer to FR-08 Security Incident Log.
-Likewise, HOTEL DANN CARLTON BARRANQUILLA S.A must also put in place the procedures for data recovery when applicable, indicating who executes the procedure, the data restored and, if applicable, the data that has been manually recorded in the recovery process.
-Additionally, the Data Protection Officer must inform the Superintendence of Industry and Commerce, through the RNBD within 15 working days of detection.
-Finally, HOTEL DANN CARLTON BARRANQUILLA S.A. will notify the Registrants of the incident when it is determined that they may be significantly affected.

19. MANAGEMENT OF RISKS ASSOCIATED WITH DATA MANAGEMENT

HOTEL DANN CARLTON BARRANQUILLA S.A. has identified risks related to the management of personal data and established controls in order to mitigate their causes, through the implementation of the PL-02 Internal Security Policies. Therefore, it will establish a risk management system along with the tools, indicators and resources necessary for its administration, when the organizational structure, internal processes and procedures, the number of databases and types of personal data processed by the organization are considered to be exposed to frequent or high impact events or situations that affect the proper provision of the service or threaten the registrants’ information.

The risk management system will determine, in order to assess their level of risk, potential weaknesses in the following areas: technology, human resources, infrastructure and processes that require protection, their vulnerabilities and threats. Therefore, in order to guarantee the protection of personal data, the type or group of internal and external persons and the different levels of access authorization they possess shall be taken into account. Likewise, the possibility of occurrence of any type of event or action that may produce damage (material or immaterial) will be observed. These are as follows:
-Criminality: Understood as actions, caused by human intervention, that violate the law and are punishable by law.
-Physical Events: Understood as natural and technical events, as well as events indirectly caused by human intervention.
-Negligence and institutional decisions: Understood as actions, decisions or omissions by individuals who have power and influence over the system. At the same time, they are the least predictable threats because they are directly related to human behavior.

Using the risk management system, HOTEL DANN CARLTON BARRANQUILLA S.A. will implement protective measures to avoid or minimize damages in case a threat becomes real.

20. RELEASE OF PERSONAL DATA TO THE AUTHORITIES

When a public or administrative entity, in the exercise of its legal functions or by court order, requests from HOTEL DANN CARLTON BARRANQUILLA S.A. access to and/or release of personal data contained in any of its databases, the legality of the request will be verified, as well as the relevance of the data requested in relation to the purpose expressed by the authority. For the release of information to be executed, a written record will be signed indicating the identity of the requesting entity and the characteristics of the personal information requested, specifying the obligation to guarantee the rights of the Registrant, both to the official who makes the request, to the person who receives it, as well as to the requesting entity.

21. INTERNATIONAL TRANSFER AND TRANSMISSION OF PERSONAL DATA

HOTEL DANN CARLTON BARRANQUILLA S.A. will transfer personal data to countries that provide adequate levels of data protection. It is understood that a country offers an adequate level of data protection when it complies with the standards set by the Superintendence of Industry and Commerce on the matter, which in no case may be inferior to those required by Law 1581 of 2012 to its recipients. This prohibition shall not apply in the case of the following:

-Information with respect to that which the Registrant has given his or her expressed and unequivocal authorization for the transfer.
-Exchange of medical information, when required by the Registrant’s management of data for health or public hygiene reasons.
-Bank or stock exchange transfers, in accordance with the applicable legislation.
-Transfers agreed upon within the framework of international treaties to which the Republic of Colombia is a party, based on the principle of reciprocity.
-Transfers necessary for the execution of a contract between the Registrant and the Data Manager for the execution of pre-contractual measures, subject to the authorization of the Registrant.
-Transfers legally required to safeguard the public interest, or for the recognition, exercise or defense of a right in a judicial proceeding.

In situations in which the transfer of data is necessary and the destination country is not on the list of countries considered safe harbors indicated by the Superintendence of Industry and Commerce, a declaration of conformity regarding the approval for the international transfer of personal data must be processed before the same entity.

The international transfers of personal data carried out between HOTEL DANN CARLTON BARRANQUILLA S.A and a Data Processor in order to allow the Data Processor to carry out the management of data on behalf of the Registrant shall not require the Registrant to be informed or to give consent, provided that there is a contract for the transfer of personal data. This personal data transfer contract must be signed between the Data Controller and the Data Processor to define the scope of the personal data management under its control and responsibility, as well as the activities that the Data Processor will carry out on behalf of the Data Controller and the obligations of the Data Processor towards the Registrant. Additionally, the Data Processor shall comply with the following obligations and apply the regulations in force in Colombia regarding data protection.

1. To manage, on behalf of the Data Controller, personal data in accordance with the principles that protect them.
2. To safeguard the security of databases containing personal data.
3. To keep confidentiality regarding the management of personal data.

The above conditions set forth for international data transfers shall also apply to domestic data transfers.

22. MANAGEMENT OF BIOMETRIC DATA

The biometric data stored in the databases are collected and processed strictly for security reasons, to verify personal identity and to carry out access control of employees, customers and visitors. Biometric identification mechanisms capture, process and store information related to, among others, the physical traits of individuals (fingerprints, voice recognition and facial features), in order to establish or “authenticate” the identity of each subject.

The administration of biometric databases is carried out with technical security measures that guarantee due compliance with the principles and obligations derived from the Statutory Law on Data Protection, also ensuring the confidentiality and protection of the registrants’ information.

23. NATIONAL DATABASE REGISTRY – RNBD

The deadline for registering databases in the RNBD will be legally established. Likewise, in accordance with Article 12 of Decree 886 of 2014, the Data Controllers shall register their databases in the National Registry of Databases on the date on which the Superintendence of Industry and Commerce enables such registration, in accordance with the instructions issued for that purpose by that entity. The databases created after this date must be registered within the following two (2) months, starting from the date of their creation.

24. INFORMATION AND PERSONAL DATA SECURITY

Compliance with the regulatory framework for the Protection of Personal Data, the safety, reserve and/or confidentiality of the information stored in the databases is of vital importance for HOTEL DANN CARLTON BARRANQUILLA S.A. Therefore, we have established policies, guidelines and procedures and standards of information security, which are liable to change at any time in order to adjust to new rules and needs of HOTEL DANN CARLTON BARRANQUILLA S.A. whose objective it is to protect and preserve the integrity, confidentiality and availability of the information and personal data.

Likewise, we guarantee that in the collection, storage, use and/or management of data, destruction or elimination of the information provided, we rely on cyber security tools and implement security practices that include the following: secure transfer and storage of sensitive information through secure mechanisms, use of secure protocols, securing of technological components, restriction of access to information to authorized personnel only, information backup, secure software development practices, among others.

In case it is necessary to provide information to a third party due to the existence of a contractual relationship, we will sign a transfer contract to guarantee the privacy and confidentiality of the information, as well as compliance with the present data management policy, the information security policies and manuals and the protocols of attention to the registrants established in HOTEL DANN CARLTON BARRANQUILLA S.A. In any case, we adopt commitments for the protection, care, security and preservation of the confidentiality, integrity and privacy of the stored data.

25. DOCUMENT MANAGEMENT

The documents containing personal data must be easily retrievable. For this reason, the location where each document, physical or digital, is stored must be documented; these storage routes must be inspected frequently; and the preservation of the documents must be guaranteed, defining on what support and under what conditions they will be preserved, taking into account environmental conditions, storage places and the risks to which they are exposed, among others. The retention time of the documents is determined according to the legal requirements if applicable. Otherwise, each organization defines it according to its needs. Likewise, the final disposition of the documents must be clear, identifying whether they are recycled, reused, preserved, digitized, among others.

The documents related to the protection of personal data must be prepared by personnel or a competent entity, and the entity must be the one that reviews and approves all documents and records this in the document approval checkbox.

In order to be easily traceable, documents must be coded, updated and modified by the responsible personnel. Modifications will be made if and when necessary; for the elimination of a document, the justification must be described in the history found at the bottom of all documents.

Both physical and digital documents containing personal data must be protected from external or internal agents that may alter their content, following the guidelines described in the PL-02 Internal Security Policy Manual.

The distribution of documents containing personal data shall be carried out by the Data Controller. He shall leave documented evidence of such distribution, specifying, among other things, the type of document and the identification of the person to whom the information was delivered.

A person responsible for guaranteeing the confidentiality of the registrants’ personal data must be appointed. He will be in charge of safeguarding documents, guaranteeing their physical and digital protection, avoiding alterations to the information, as well as guaranteeing that the documents leaving their custody are identified and easily traceable.

26. VALIDITY

This update of the Policy will be effective as of 2022-04-18. The databases under the responsibility of HOTEL DANN CARLTON BARRANQUILLA S.A. will be subject to management of personal data during the time that it is reasonable and necessary for the purpose for which the data is collected and in accordance with the authorization granted by the Registrants, owners of personal data.

27. APPENDIX

Not applicable.

28. PREPARATION AND APPROVAL OF THE DOCUMENT

REVIEW AND APPROVAL OF THE DOCUMENT
Created by:
PROTECDATA COLOMBIA S.A.S Approved by:
Position
Date: 2022-04-25 Date:

29. DOCUMENT HISTORY

DATE VERSION DESCRIPTION OF ALTERATION
