1. Introduction and General Guidelines
This Policy for the Treatment and Protection of Personal Data (the “Policy”) of the companies that make up the BIZ LATIN HUB -BLH- Group (“BLH Group” / “Company”) establishes the criteria that must be applied for the treatment and protection of Personal Data, such as the collection, storage, use, circulation, elimination and, in general, of all those activities that imply the Treatment of Personal Data.
Likewise, the purpose of this policy is to provide a common understanding of the Company’s data as a critical resource for the business line and to establish the responsibilities that accompany the use of this data and the management by all employees of the BLH Group.
Company data is defined as any information that is created, collected and stored by the Company or any of its offices in support of its functions. Such data may relate to current and former employees, customers, customers of our customers or other members of the Company, and may consist of personal, financial, medical or job performance information.
Our customers’ data is one of BLH Group’s most valuable resources and represents a significant investment. Sound data management policies, procedures and practices effectively support informed decision making based on real data, which can contribute significantly to furthering the Company’s strategic directions. Our data management policies, procedures and practices are designed to safeguard three vital aspects of data: Integrity, Security and Access.
Data integrity includes the qualities of accuracy, consistency and timeliness. Such data is a company resource that can be used by many users and is trustworthy. Data integrity begins with the person or office that creates the data, and it is the responsibility of the IT department and every office in the Group to ensure that it is preserved. Data security encompasses more than electronic security. While some aspects of security may be assured by technology, security also encompasses a measure of trust. As a business-critical company resource, data must be safeguarded at all levels against damage, loss, corruption and security breaches, and all users share this responsibility.
Access to institutional data is granted internally when there is a demonstrated legitimate business or research need for the data and externally when disclosure of such data would not violate obligations, privacy legislation or legal contracts. Whenever possible, data should be collected at the source and made available to all members of the Company who have a legitimate business need for the data for commercial purposes.
These terms correspond to generalities and guidelines regarding the protection of personal data, which should be interpreted in accordance with the regulations governing each country belonging to Group Biz Latin Hub.
- Personal data: This is any information linked or that can be associated to a specific person, such as name or identification number, or that can make it determinable, such as physical features.
- Public data: This is one of the existing types of personal data. Public data includes, among others, data relating to the marital status of individuals, their profession or trade, and their status as a merchant or public servant. By their nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins and duly executed court rulings that are not subject to reserve.
- Semi-private data: Data that are not of an intimate, reserved or public nature and whose knowledge or disclosure may be of interest not only to the owner but also to a certain sector or society in general. Financial and credit data from commercial or service activities are some examples.
- Private data: It is the data that due to its intimate or reserved nature is only relevant to the holder. The tastes or preferences of individuals, for example, correspond to private data.
- Sensitive data: Information of a personal nature that reveals, for example but not limited to: racial or ethnic origin, political preferences, religious convictions or beliefs, sexual orientation, self-determination in its different spheres, exercise of the right to privacy, exercise of the right to freedom of expression, unionization, political affiliations, membership in social groups, information on the person’s health status, biometric data, among others.
- Authorization: The consent given by a person so that the companies or persons responsible for the processing of information may use their personal data.
- Database: Organized set of personal data that are subject to processing and use.
- Data processor: The natural or legal person who carries out the processing of personal data, based on a delegation made by the data controller, receiving instructions about the way in which the data should be managed.
- Data controller: The natural or legal person, public or private, who decides on the purpose of the databases and/or the use of the data.
- Data subject: The natural person whose personal data is the object of processing.
- Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or suppression.
- Privacy notice: It is one of the verbal or written communication options granted by law to inform the owners of the information, the existence and ways to access the information processing policies and the purpose of its collection and use.
- Data protection officer: Person responsible for supervising and controlling that the measures on the treatment of personal data implemented by the company are fully complied with, and who, in turn, becomes responsible for the treatment of such data.
- Data transmission: Processing of personal data that involves the communication of such data within or outside the territory of each country when the purpose of the processing is to be carried out by the Data Processor on behalf of the Controller.
- Transfer of data: The transfer, by the Data Controller or the Data Processor, of personal data to another person or public or private entity, which in turn becomes responsible for the processing of the data and which may be located within or outside of each country.
2. General Principles
– Principle of legality in matters of data processing.
The processing referred to in the law is a regulated activity that must be subject to the provisions of the law and other provisions that develop it.
– Principle of purpose
The processing must obey a legitimate purpose in accordance with the laws that regulate it, which must be informed to the Data Subject.
– Principle of freedom
Processing may only be carried out with the prior, express and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal mandate that relieves the consent.
– Principle of truthfulness or quality
The information subject to processing must be truthful, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fractioned or misleading data is prohibited.
– Principle of transparency
The right of the Data Subject to obtain from the Data Controller or the Data Processor, at any time and without restrictions, information about the existence of data concerning him/her, must be guaranteed in the Processing.
– Principle of restricted access and circulation
Processing is subject to the limits that derive from the nature of the personal data, from the provisions of the laws that regulate it. Processing may only be carried out by persons authorized by the Data Controller and/or by the persons provided for in the laws that regulate it.
– Principle of security
The information subject to Processing by the Data Controller or Data Processor referred to in the laws that regulate it shall be handled with the technical, human and administrative measures necessary to secure the records, preventing their adulteration, loss, consultation, use or unauthorized or fraudulent access.
– Principle of confidentiality
All persons involved in the processing of personal data that are not of a public nature are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks involved in the processing, and may only provide or communicate personal data when it corresponds to the development of the activities authorized by law and under the terms of this.
3. Party responsible for data processing
Any request, complaint or claim related to the handling of personal data, in application of the provisions of the law of each country, should be sent to:
- Name: Biz Latin Hub Group
- Telephone numbers: +57 (1) 4673388 – +57 (1) 4672296
- Principal Data Protection Officer: BIT Manager
- Alternate Data Protection Officer: Business Improvement Director
- Email: firstname.lastname@example.org
- Website: www.bizlatinhub.com
4. General provisions set forth in the GDPR (General Data Protection Regulation) for the protection of personal data
The GDPR (General Data Protection Regulation) develops the right to know, update and rectify the information collected in databases and the other rights, freedoms and guarantees (the right to privacy and the right to information, respectively). Considering the way a database is stored, a distinction can be made between automated databases and manual databases or archives. Automated databases are those that are stored and managed with the help of computer tools. Manual databases or archives are those whose information is organized and stored in a physical form, such as supplier order forms containing personal information relating to the supplier (name, identification, telephone numbers, e-mail addresses, etc.).
The guidelines exempt the following from the protection regime:
- (i) files and databases belonging to the personal or domestic sphere;
- (ii) those whose purpose is national security and defense, or the prevention, detection, monitoring and control of money laundering and financing of terrorism;
- (iii) those that contain intelligence and counterintelligence information;
- (iv) journalistic information and other editorial content;
- (v) financial, credit, commercial and services information, and information from third countries; and
- (vi) information on population and housing censuses.
5. Confidentiality Guarantee
At Group Biz Latin Hub, all employee and customer information of a personal nature is handled with the utmost confidentiality. Internally, different controls and processes are managed to ensure that all information is handled confidentially.
The Human Resources and Recruitment team maintains confidential databases to which only the department has access. Additionally, everything is handled by Google Drive, an encrypted storage system that meets the highest standards of confidentiality.
As far as possible, the BLH Group refrains from storing physical documents concerning employees. When a document is received, the team in charge scans it and stores it within the private shared drive where the relevant client information is stored.
Virtual Storage Units (“Drives”)
Each BLH Group office has established protocols for the storage and handling of client information. In general, the BLH Group uses computer programs that comply with the following standards. The main storage resource is the Google Drive “cloud”, a protected service for the exclusive use of the members of the Biz Latin Hub companies.
The other IT security and privacy protocols are described in more detail in the document attached to this policy, called: HR_Annexo_Security measures for data protection by: TI_SPA_GRP.
Physical storage units
Additionally, for the handling of customer data, BLH Group companies have physical storage units for the storage of physical customer documents. These units are usually secured or padlocked cabinets, with restricted access granted only to employees working directly with the client or to country managers.
As in previous points, BLH takes care not to store physical information in any of its locations as much as possible. Most of the time BLH stores information virtually with the highest security standards.
6. Comprehensive Data Protection Program
1. Classification of personal data.
The data that the company processes is defined and classified as follows:
- General identification data such as: first name, last name, type of identification, identification number, date and place of issue, name, marital status, sex, etc.
- Specific identification data such as: signature, nationality, electronic signature, other identification documents, place and date of birth, age, etc.
- Biometric data such as: fingerprints, photographs, videos, etc.
- Location data related to the private activity of individuals such as: address, telephone, e-mail, etc.
- Data related to the person’s health in terms of orders and list of complementary tests such as laboratory, imaging, endoscopies, pathological, studies, etc.
- Data on persons with disabilities.
- Data related to the person’s work history, work experience, position, dates of entry and retirement, annotations, calls for attention, etc.
- Data related to the person’s educational level, training and/or academic history, etc.
- General data related to affiliation and contributions to the social security systems of each country.
- Personal data of access to information systems such as: users, IP, passwords, profiles, etc.
2. Personal Data Protection Committee
The Personal Data Protection Committee will be made up of:
- The Group Operations Manager of the company.
- The Chief Data Protection Officer.
- The deputy Data Protection Officer.
Duties of the members of the Personal Data Committee:
The committee shall meet in January of each year. The following topics will be discussed at this meeting:
- Current status of data protection compliance in all Biz Latin Hub companies.
- Review of particular cases where action needs to be taken.
- Review of the “checklists” of all offices detailing compliance with the provisions of this policy.
From the member of each department that manages databases within the company:
- Annual data report addressed to the Data Protection Officer of the group by each of the departments of Biz Latin Hub, including the updating of all databases, if applicable.
- That within the report submitted to the Data Protection Officer, an assessment is made of the relevance and necessity of the data held in the databases for which they are responsible, in order to determine whether they are still being used or whether, on the contrary, they should be deleted.
From the Data Protection Officer:
- Semi-annual data report addressed to the Senior Management of the company regarding the reports submitted by each of the departments of Biz Latin Hub, in which all databases are included.
- Follow up on the controls, evaluation and review of the Integral Personal Data Protection Management Program and present a report on the progress of its management at least once a year within the framework of the Personal Data Protection Committee.
- Supervise, coordinate efforts among the group’s departments and provide effective response to requests from holders for the exercise of rights.
- Ensure that the databases reported to the SIC (Superintendence of Industry and Commerce) are kept intact and unaltered.
- Evaluate that the data processed within Biz Latin Hub continue to comply with the purpose for which they were collected, in accordance with the principles of necessity and relevance of personal data. If this is not the case, he/she shall instruct the team responsible for their elimination from the databases.
- Liaise and coordinate with the other areas of Biz Latin Hub that manage databases to ensure a cross-cutting implementation of the Integral Personal Data Management Program.
- Report, update, supervise and approve the databases in the Database Registry in accordance with the regulations of each country.
- Accompany and assist Biz Latin Hub in the inspection visits and requirements made by the designated authorities to verify compliance with the laws on personal data protection in each country.
- Submit reports or progress reports on the status of the comprehensive data protection management program that the control bodies require on personal data protection.
- Any other functions established by the regulations related to personal data protection.
- Conduct training around the Biz Latin Hub data policy to new employees of the group.
- Conduct refresher trainings around current legislation, as well as Biz Latin Hub’s data policy.
- Promote a culture of personal data protection through awareness-raising activities for employees and senior management of Biz Latin Hub, which should respond to the organization’s internal data management cycles.
From the company’s Senior Management:
- Lead decision making around the personal data protection policy, based on the reports received by the Data Protection Officer.
- Coordinate efforts, resources, methodologies and strategies to ensure the implementation, sustainability and improvement of the Integrated Personal Data Protection Management Program.
7. Duties of the Data Controller
BIZ LATIN HUB, in addition to being the authority for the protection of personal data, has the status of Data Controller for the databases created by the entity. Consequently, the Data Controllers must comply with the following duties, without prejudice to the other provisions of the laws governing their activities:
- Guarantee the Data Subject, at all times, the full and effective exercise of the right to protection of personal data.
- Request and keep, under the conditions provided for in the laws governing the matter, a copy of the respective authorization granted by the Data Subject.
- Duly inform the Data Subject about the purpose of the collection and the rights he/she is entitled to by virtue of the authorization granted.
- Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
- Ensure that the information provided to the Data Processor is truthful, complete, accurate, current, verifiable and understandable.
- Update the information, communicating in a timely manner to the Data Processor, all developments with respect to the data previously provided and take other necessary measures to ensure that the information provided to this is kept up to date.
- Rectify the information when it is incorrect and communicate the relevant information to the Data Processor.
- Provide the Data Processor, as the case may be, only data whose processing is previously authorized in accordance with the provisions of this law.
- Require the Data Processor at all times to respect the security and privacy conditions of the Data Subject’s information.
- Inform at the request of the Data Subject about the use given to his or her data.
The Data Processors shall comply with the following duties, without prejudice to the other provisions set forth in the laws governing their activity:
- Guarantee the Data Subject, at all times, the full and effective exercise of the right to protection of personal data.
- Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
- Update, rectify or delete data in a timely manner, in accordance with the terms of the laws in force in each country.
8. Rights of the holders
The holders of the personal data shall have the following rights:
a) To know, update and rectify their personal data before the Data Controllers or Data Processors. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned or misleading data, or data whose processing is expressly prohibited or has not been authorized.
b) To request proof of the authorization granted to the Data Controller, except when expressly exempted as a requirement for the Processing, in accordance with the provisions of the GDPR.
c) To be informed by the Data Controller or the Data Processor, upon request, regarding the use given to their personal data.
d) To revoke the authorization and/or request the deletion of the data when the Processing does not respect the principles, rights and constitutional and legal guarantees. The revocation and/or deletion will proceed when the competent entity of each country has determined that BIZ LATIN HUB or the Data Processor has engaged in conduct contrary to the law of that country.
e) To access, free of charge, their personal data that have been subject to Processing.
9. Purposes of Processing
The information provided to Group Biz Latin Hub by customers, suppliers, employees and shareholders is processed for the following purposes, without being limited to those listed:
- The proper provision of the services contracted with Biz Latin Hub.
- To be contacted for product offerings and contract renewals.
- To send you commercial and promotional information or invitations from Biz Latin Hub.
- To manage and operate, directly or through third parties, the processes of selection and recruitment of personnel, including the evaluation and qualification of participants, as well as the verification of employment and personal references, and the performance of security studies.
- For the attention of judicial or administrative requirements and compliance with legal mandates, as well as the provision of information to the competent authorities if required.
- To contact, from time to time, by email or any other means, natural persons with whom Biz Latin Hub has or has had a relationship (employees, shareholders, customers, suppliers) for invitations or meetings with Biz Latin Hub.
- For the development of administrative processes that have to do with employees, customers, suppliers and/or shareholders in accordance with the corporate purpose of Biz Latin Hub.
- In the case of suppliers, we seek to know the national services they offer and their commercial behavior.
- Attention to Petitions, Complaints, Claims and suggestions from customers, suppliers and employees of Biz Latin Hub, as well as other interested parties.
- Updating of data provided by the owner.
- To respond to requirements from oversight bodies.
- To send information, through corporate mail or any other means of communication about the status of the service, as well as administrative and commercial activities that support the provision and management of the service.
- To carry out the contractual and/or commercial linkage.
- To remunerate the provision of the service.
- Linkage, identification and validation of acquired products.
- Recognizing, protecting and exercising shareholder rights and payment of dividends.
- Compliance and recording of wellness activities, trainings and other events conducted by Biz Latin Hub for employees, contractors, suppliers, shareholders and other interested parties.
- To monitor the security of persons entering the facilities, as well as the organization’s assets.
- In general for any other purpose arising from the legal nature of Biz Latin Hub.
10. Guidelines on the use of data and information.
The Company’s data should be used only by those persons duly authorized to access and use specific data by virtue of their position in the Company, and only for the purpose for which they have been authorized. Authorization to access data is not transferable.
Company data may not be accessed or manipulated for personal gain or for a particular interest. Data users must perform all tasks related to the creation, storage, maintenance, use, distribution and disposal of Company data responsibly, promptly and with the greatest possible care.
Data users must not knowingly falsify data, delete data that should not be deleted or reproduce data that should not be reproduced.
Data users must respect the privacy of individuals to whose records they may have access.
Personal information contained in database files may not be disclosed. Disclosure is understood to include, but is not limited to, verbal references or inferences, correspondence, memoranda, and electronic file sharing.
The Company and all its employees will ensure that users are aware of the application of privacy legislation and compliance with it. The appropriate Department Head will grant access to Company data. Its use is subject to the Company’s policies on intellectual property and ethics, as well as applicable privacy legislation.
If there is reasonable evidence that laws or Company policies are being or have been violated, or that continued access threatens the normal operations or reputation of the Company, the Company may withdraw or restrict access privileges to any employee. Any violation of this policy may be grounds for disciplinary action, up to and including termination of employment and criminal prosecution.
11. Technology and Information Management Guidelines
Keep the anti-virus system up to date. One of the fundamental axes of security is to have good antivirus and antispyware software to help protect us from viruses, Trojans, spyware and other malicious software that can damage our computers. The antivirus that comes with Windows must be kept updated on all computers.
Do not download suspicious files. It is important not to download unidentified attachments that arrive via e-mail, especially from unidentified senders. Likewise, downloading programs directly from the Internet can bring with it a malicious executable. If you need to download or install a program, consult the IT team first.
Protection against phishing. Banks do not usually request personal information via e-mail or instant messaging. Therefore, when receiving such emails, it is essential to verify the origin and authenticity of the sender before sharing any information.
Changing passwords. A recommended practice is not to use the same password for our email and computer accounts. If one password is stolen, the thief could easily access all of our accounts. Therefore, it is advisable to use a different password for each platform.
Information management. BLH Group’s business files must only be handled through our company’s G Suite (Drive), especially in shared drives, where all the information of your department is centralized.
Do not access links from unknown sources. A very common information-theft strategy is to hide malware behind links sent in chain messages or promotions that at first glance seem harmless. For this reason, no Biz Latin Hub employee is authorized to share sensitive information about their team and/or clients.
Information about suppliers. Before accessing or purchasing any type of software, the technology department (BIT) must be informed, and it is only possible to proceed with their approval.
Secure computer information. When leaving the workspace, all employees must block access to their computers in order to protect the information.
12. Database Inventories
Biz Latin Hub will keep a record of all databases of the organization in order to know which data is processed in its processes, the purposes of processing, the positions responsible for the databases, updates, database managers, the creation of new databases, among other aspects.
The Inventory of Personal Data Bases is built with the support of each process leader, who must report the number of databases in their charge at the time of identification and any changes to them as they occur, for example the inactivation of databases, the creation of new databases, the updating of the information contained in the databases, among others. These changes must be notified to the personal data protection officer by e-mail.
Keeping the database inventory form updated is of great importance since it is a tool that provides the necessary information to report to the National Registry of Databases RNBD of the Superintendence of Industry and Commerce.
The fields of the Database Inventory format are described below:
- No. This is the consecutive number to keep track of the number of databases, it must start at 01.
- Name of the database. Corresponds to the name given to the database.
- Responsible and in charge of the database. Position responsible for the custody and administration of the database.
- Way of Obtaining Personal Data. Collection channel. Manner in which the information is received, it can be through email, physical, phone call, certified mail, web page, among others.
- Type of Personal Data Contained. Brief list of the information contained in the database. Define whether it contains private, sensitive or public data.
- Number of Data Holders. This is the number of data subjects registered in the database.
- Data Storage. The place where the database is located. For example, an office, in the cloud, computer, own or external server.
- Purpose of Processing. Process for which the information is required internally in the organization.
- Need for the Data. Description of the purpose for which the database is created.
Additionally, an annex is defined to keep the record of the persons in charge of the databases of Biz Latin Hub, if any.
The purpose of the registry of the database managers is to have clarity on the number of managers the company has, their security measures regarding the information transmitted to them, existing confidentiality agreements to protect the data and their contacts for personal data protection issues.
13. Additional Security Considerations
Biz Latin Hub companies, committed to the security of their employees’ and clients’ information, adhere to the following parameters to ensure that personal information is safeguarded in a secure manner.
- Normal office hours of operation will be Monday through Friday between 8 am and 6 pm, and those will be the hours during which employees are allowed to be present in the office(s).
- No employee shall enter any BLH office outside of the established hours. Only by exception, employees may request written permission from managers or country coordinators to enter or stay longer than permitted in the office, outside of working hours.
- For security reasons, BLH offices are located in buildings with private security and controlled access by building personnel.
- No visitor should be granted access to any BLH company office unless accompanied by a member of the Biz Latin Hub team and with formal authorization.
- All visitors must be registered at the reception desk of the building where the Biz Latin Hub office is located.
BIZ LATIN HUB’s Personal Information Processing Policies will be effective as of January 1, 2022. BIZ LATIN HUB reserves the right to modify them, under the terms and limitations set forth in the recommendations made by the GDPR. The databases managed by BIZ LATIN HUB will be maintained indefinitely, as long as it develops its purpose and as long as necessary to ensure compliance with legal obligations, particularly labor and accounting obligations, but the data may be deleted at any time at the request of the holder, as long as this request does not contravene a legal obligation of BIZ LATIN HUB or an obligation contained in a contract between BIZ LATIN HUB and the Holder.