ARD Colombia Data Protection Policy
General Index
- Introduction
- Definitions
- Guiding Principles for Processing Personal Data
- Personal Data Collected by ARD
- Data Processing Purposes
- Rights of Data Owners
- Channels and Mechanisms for Addressing Inquiries, Requests, and Complaints from Data Owners
- Processing of Sensitive Personal Data
- Processing of Personal Data of Boys, Girls and/or Adolescents
- National or International Transmission and/or Transfer of Data
- Security and Confidentiality of Personal Data
- Validity
1. Introduction
ARD, INC. SUCURSAL COLOMBIA (hereinafter “ARD”) is a branch of a foreign company. It is identified with Tax I.D. (NIT) 830.084.362-2, located at Carrera 7 # 72-13, in the city of Bogotá, with telephone number 3907730 and e-mail [email protected]. It is responsible for implementing social assistance programs in Colombia in cooperation with the United States Agency for International Development (hereinafter “USAID”).
At ARD, we acknowledge the importance of security, privacy and confidentiality of personal information. To ensure strict compliance with the current regulations regarding the protection of Personal Data, in accordance with the provisions of Law 1581 of 2012, Decree 1377 of 2013 (compiled in Decree 1074 of 2015) and other provisions that may amend, supplement, or complement them, ARD presents the following PERSONAL DATA PROTECTION AND PROCESSING POLICY (hereinafter “Processing Policy”) This policy is designed to protect the personal information provided by Data Owners who have a relationship with ARD, such as our suppliers, employees, business partners, grantees, and beneficiaries of programs developed by ARD, as outlined in this Data Processing Policy.
2. Definitions
For the purposes of this Processing Policy, the following definitions shall apply:
- Authorization: Prior, express and informed consent from the Data Owner to process Personal Data.
- Personal Database: An organized set of Personal Data subject to processing by a natural or legal person.
- Personal Data: Any information linked or that can be associated with specific or determinable natural persons.
- Private Data: Personal data that, due to its intimate or confidential nature, is relevant to the Data Owner.
- Public Data: Personal data classified as such according to the Constitution and the law, and not categorized as private or semi-private Personal Data.
- Semi-Private Data: Personal data known and of interest to both the Data Owner and a particular group of individuals or society in general. It is not of an intimate, confidential, or public nature.
- Sensitive Data: Personal data that impacts the privacy of the Data Owner and whose improper use could lead to discrimination. It includes biometric data (such as fingerprints or facial images), as well as information that reveals racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights advocacy, or involvement in activities promoting the interests of any political party, as well as data concerning the rights and guarantees of opposition political parties. This category also extends to health-related and sexual life-related data.
- Data Processor: A natural or legal person, whether public or private, who, on its own or in association with others, processes Personal Data on behalf of the Data Controller.
- Habeas Data: The right of the Data Owner to know, update and rectify the information collected by the Data Controller about him/her.
- Applicable Law: Law 1581 of 2012, Decree 1377 of 2013 (compiled in Decree 1074 of 2015), Title V of the Official Publication of the Superintendence of Industry and Commerce and the other applicable regulations concerning Personal Data in Colombia.
- Data Controller: Natural or legal person, whether public or private, who, on his/her own behalf or in association with others, decides on the Processing of Personal Data.
- Personal Data Owner: Natural person whose data is subject to processing by the Data Controller.
- Transfer: The Transfer of Personal Data occurs when the Data Controller and/or Data Processor of Personal Data sends the information or Personal Data to a recipient, who is also a Data Controller and is located inside or outside the country.
- Transmission: The Processing of Personal Data that involves sharing the data with a third party, whether within or outside the territory of the Republic of Colombia, in order that the Data Processor processes the data in the name and on behalf of the Data Controller, to fulfill the latter’s purposes.
- Processing: Any operation, physical or automated procedure, or set of operations on Personal Data, such as collection, storage, use, circulation or deletion.
3. Guiding Principles for Processing Personal Data
In accordance with the provisions of Title II of Law 1581 of 2012, the Processing of Personal Data carried out by ARD shall be governed by the harmonious and comprehensive application of the following principles:
- Principle of Legality in the Processing of Personal Data: The processing of Personal Data referred to in Law 1581 of 2012 is a regulated activity that must comply with the provisions stipulated in this Law and wany other provisions that develop, regulate, add, amend or replace it.
- Principle of Purpose: The Processing of Personal Data must serve a legitimate purpose in accordance with the Constitution and the applicable Law, which must be informed to the Data Owner through the means provided by law.
- Principle of Freedom: The Processing of Personal Data can only be exercised with the prior, express and informed consent of the Data Owner. Personal Data may not be obtained or disclosed without prior authorization or in the absence of a legal or judicial mandate that that releases the requirement for consent.
- Principle of Veracity or Quality: The information subject to processing must be truthful, complete, accurate, up-to-date, verifiable and understandable. The processing of partial, incomplete, fragmented or misleading data is prohibited.
- Principle of Transparency: In the Processing of Personal Data, the Data Owner must be guaranteed his/her right to obtain information from the Data Controller or Data Processor, at any time and without restrictions, regarding the existence of data concerning him/her in accordance with the rules governing this access.
- Principle of Restricted Access and Circulation: The Processing is subject to the limits derived from the nature of the Personal Data, the provisions of Law 1581 of 2012 and the Constitution. In this regard, the Processing may only be carried out by individuals authorized by the Data Owner and/or by the persons provided for in the aforementioned law.
- Principle of Security: The information subject to Processing by the Data Controller or Data Processor referred to in Law 1581 of 2012, shall be managed with the technical, human and administrative measures that may be necessary to provide security to the records, preventing their tampering and loss, as well as their unauthorized or fraudulent access, use, or disclosure.
- Principle of Confidentiality: All individuals involved in the Processing of Personal Data that is not of a public nature, are obliged to guarantee the confidentiality of the information, even after their relationship with any of the tasks related to the Processing has ended. They may only provide or disclose Personal Data when it is necessary for the development of the activities authorized in Law 1581 of 2012 and in accordance with its terms.
- Principle of Demonstrated Responsibility: When collecting and Processing Personal Data, ARD will implement appropriate and effective measures to comply with the obligations set forth by the applicable law.
- Principle of Necessity: The Processing of Personal Data must be limited to those data that are strictly necessary for the fulfilment of the objectives pursued with the respective database.
4. Personal Data Collected by ARD
In the course of conducting its business activities, ARD will collect the following Personal Data, depending on the relevant Data Owner category:
4.1. Data Owners
ARD Employees:
- Personal Data contained in the Curriculum Vitae.
- Identification data (ID card or passport).
- Contact information (telephone number, e-mail address, address, home address).
- Gender.
- Salary and financial information.
- Bank details.
- Data related to social security affiliation.
- Information related to academic background and training.
- Tax information and Tax Payer Identification Number (RUT).
Contractors or Service Providers:
- Personal Data included in the Curriculum Vitae.
- Identification data (ID card or passport).
- Contact information (telephone number, e-mail address, address, home address).
- Gender.
- Financial information.
- Bank details.
- Data related to social security affiliation.
- Tax information and Tax Payer Identification Number (RUT).
Suppliers:
- Bank details.
- Information on the Tax Payer Identification Number (RUT).
- Identification data (ID card or passport).
- Financial information.
- Contact information (telephone number, e-mail address, address, home address).
ARD Subscribers of Agreements or Donors:
- Tax information and Tax Payer Identification Number (RUT).
- Bank details.
- Identification data (ID card or passport).
- Contact information (telephone number, e-mail address, address, home address).
- Identification data (ID card or passport).
- Contact information (telephone number, e-mail address, address, home address).
- Specification of whether the person belongs to a minority group.
Beneficiaries of ARD Programs:
- Identification data (ID card or passport).
- Contact information (telephone number, e-mail address, address, home address).
- Gender.
- Specification of whether the person belongs to a minority group.
5. Data Processing Purposes
The Personal Data listed in the previous section will be processed by ARD for the following purposes, as applicable:
Purposes applicable to ARD employees:
- Transferring or transmitting Personal Data, whether domestically or internationally, to suppliers with whom ARD develops its programs, to its parent company or to third parties necessary for the development of ARD.
- Managing accounting, economic, tax and administrative aspects related to employees.
- Formulating internal compliance programs, policies and procedures, including, but not limited to, initiatives aimed at the prevention of money laundering and terrorist financing, and programs for the prevention of bribery and corruption.
- Carrying out maintenance, development and/or control of the employment relationship between the Data Owner and
- Maintaining records of economic, accounting, tax, and administrative activities for the purpose of managing collections, payments, invoicing, and ensuring compliance with financial obligations.
- Preparing the income tax return or managing information related to the payment and collection of taxes.
- Contacting emergency responders when necessary.
- Overseeing and managing the employment relationship and labor-related procedures.
- Enrolling in the general social security system.
- Disbursing salaries, employment benefits, and other legally mandated benefits.
- Categorizing, storing, and archiving candidates’ Personal Data obtained during selection processes.
- Verifying, comparing, and assessing candidates’ professional and personal competencies against the selection criteria.
- Addressing inquiries made by regulatory authorities.
- Performing entry and exit control for ARD facilities.
- Disseminating employment offers.
Purposes Applicable to Contractors or Service Providers:
- Transferring or transmitting Personal Data, either nationally or internationally, to suppliers with whom ARD develops its programs, to its headquarters, or to third parties as may be necessary for the development of ARD.
- Managing accounting, economic, tax and administrative aspects related to contractors or service providers.
- Formulating internal compliance programs, policies and procedures, including, but not limited to, initiatives aimed at the prevention of money laundering and terrorist financing, and programs for the prevention of bribery and corruption.
- Managing contractual processes.
- Requesting or performing consulting, audits, advisory or services related to contractors or service providers.
- Paying financial obligations and remunerations.
- Addressing inquiries made by regulatory authorities.
- Complying with ARD’s internal processes regarding the administration of contractors or service providers.
- Validating information provided by contractors or service providers to control and prevent fraud.
- Performing the management of contractors and service providers, including their billing and payment of their invoices.
- Performing entry and exit control for ARD facilities
Purposes Applicable to Suppliers:
- Transferring or transmitting Personal Data, either nationally or internationally, to suppliers with whom ARD develops its programs, to its headquarters, or to third parties as may be necessary for the development of ARD.
- Managing accounting, economic, tax and administrative aspects related to suppliers.
- Formulating internal compliance programs, policies and procedures, including, but not limited to, initiatives aimed at the prevention of money laundering and terrorist financing, and programs for the prevention of bribery and corruption.
- Paying financial obligations and remunerations.
- Requesting or performing consulting, audits, advisory or services related to suppliers.
- Addressing inquiries made by regulatory authorities.
- Implementation of programs developed by ARD.
- Complying with ARD’s internal processes regarding supplier management.
- Validating information provided by suppliers to control and prevent fraud.
- Performing the management of suppliers, including their billing and payment of their invoices.
- Performing entry and exit control for ARD facilities
Purposes Applicable to ARD Subscribers of Agreements or Donors:
- Transferring or transmitting Personal Data, either nationally or internationally, to suppliers with whom ARD develops its programs, to its headquarters, or to third parties as may be necessary for the development of ARD.
- Managing accounting, economic, tax and administrative aspects related to grantees.
- Formulating internal compliance programs, policies and procedures, including, but not limited to, initiatives aimed at the prevention of money laundering and terrorist financing, and programs for the prevention of bribery and corruption.
- Investing and managing resources received by ARD.
- Implementing programs developed by ARD.
- Addressing inquiries made by regulatory authorities.
- Preparing the income tax return or managing information related to the payment and collection of taxes.
Purposes Applicable to Beneficiaries of ARD Programs:
- Transferring or transmitting Personal Data, either nationally or internationally, to suppliers with whom ARD develops its programs, to its headquarters, or to third parties as may be necessary for the development of ARD.
- Managing accounting, economic, tax and administrative aspects related to beneficiaries of ARD.
- Formulating internal compliance programs, policies and procedures, including, but not limited to, initiatives aimed at the prevention of money laundering and terrorist financing, and programs for the prevention of bribery and corruption.
- Management and implementation of programs developed by ARD.
- Assessing the progress indicators and the implementation of programs.
- Assessing program goals.
6. Rights of Data Owners
In compliance with the fundamental guarantees established in the Constitution and the applicable Law, the Personal Data Owners may exercise the following rights, in accordance with the procedure outlined below:
- Right to Update and Rectification: The Data Owner has the right to be informed, update and rectify his/her Personal data in the possession of the Data Controller or Data Processor. This right may be exercised, among others, in instances of partial, inaccurate, incomplete, fragmented data that is misleading, or data whose Processing is expressly prohibited or has not been authorized.
- Right to request Proof: The Data Owner has the right to request the Data Controller proof of the authorization granted, except when expressly excepted as a requirement for the Processing. Authorization from the Data Owner is not required in cases such as (i) information required by a public or administrative entity in the course of its legal duties or by court order; (ii) publicly available data; (iii) instances of medical or health emergencies; (iv) processing of information authorized by law for historical, statistical or scientific purposes; and (v) data related to the Civil Registry of Persons. Unauthorized access to this Personal Data will be subject to the provisions outlined in Law 1581 of 2012.
- Right to be Informed: The Data Owner has the right to be informed by the Data Controller or the Data Processor, upon request, regarding the use that has been given to his/her Personal Data, as well as the revisions and updates of the Processing Policies, security measures and purposes.
- Right to file complaints and claims: The Data Owner has the right to file complaints with the Superintendence of Industry and Commerce in cases of violations of the provisions of the Applicable Law and any other regulations that amend or supplement it.
- Right to object, revoke consent and request deletion: The Data Owner has the right to revoke the authorization and/or request the deletion of Personal Data when the Processing fails to adhere to constitutional and legal principles, rights, and guarantees. The revocation and/or deletion will proceed when the Superintendence of Industry and Commerce determines that the Data Controller or the Data Processor has infringed the constitutional and legal principles, rights and guarantees or when the Data Owner requests the revocation of his/her authorization and/or the deletion of his/her Personal Data. However, requests for deletion of Personal Data and authorization revocation will not proceed when the Data Owner has a legal or contractual duty to remain in the database.
- Right to access: The Data Owner has the right to access his/her Personal Data that has undergone Processing, free of charge.
To exercise any of these rights, the Data Owner must send a communication to ARD, as outlined in the following section.
7. Channels and Mechanisms for Addressing Inquiries, Requests, and Complaints from Data Owners
In line with the constitutional guarantee of Habeas Data concerning the rights of access, updating, rectification, and deletion of Personal Data by the Data Owner, his/her successors, legal representatives, and/or attorneys-in-fact, ARD has established the following communication channels for Data Owners:
- Electronic Contact: The Data Owner can submit a request to exercise his/her rights by sending an email to the following e-mail address: [email protected].
- Written Contact: The Data Owner shall make his/her formal request at Carrera 7# 72-13, Piso 10, Bogotá D.C. Colombia, providing prior and sufficient proof of his/her identity.
a. Legal procedure for submitting queries, complaints and claims:
Queries, complaints, or claims must be submitted through a document that meets the following requirements, in accordance with Articles 14 and 15 of Law 1581 of 2012:
Queries
In the case of the right to request information and/or make queries, ARD will provide a response within a maximum period of ten (10) business days counted from the day following the date of receipt of the request or query.
If it is not possible to respond to the query within this timeframe, the interested party will be notified, indicating the reasons for the delay and specifying the date on which it will be addressed, which in no case may exceed five (5) business days, counted after the expiration of the initial period.
When the Data Owner submits a query, it must contain the following:
- The name and identification number of the Data Owner.
- Copy of the Data Owner’s identification document.
- A brief explanation of the reason for the query.
In the event that the query is submitted by the Data Owner´s successor, the following must be attached to the application:
- The name and identification number of the Data Owner.
- Copy of the identification document of the Successor.
- Copy of the Data Owner’s Death Certificate.
- Document confirming the capacity in which the Successor is acting.
- Copy of the Data Owner’s identification document.
- Full description of the query.
- Address and contact details of the inquirer.
In the case of the legal representative and/or attorney-in-fact of the Data Owner, the following must be submitted:
- The name and identification number of the Data Owner.
- Copy of the identification document of the legal representative.
- Document confirming the capacity in which the representative and/or attorney-in-fact is acting (power of attorney, certification).
- Copy of the Data Owner’s identification document.
- In the event that the representative is a minor, he/she must present the identity card and/or the civil registry and the document that proves his/her capacity as representative or guardian of the minor.
- Full description of the query.
- Address and contact details of the inquirer.
Complaints and/or claims
When the Data Owner considers that his/her information should be corrected, updated or deleted, or when he/she notices an alleged violation of any of his/her rights, the maximum period allowed to address the complaint or claim will be fifteen (15) business days, counted from the day following the date of receipt of the document.
If it is not possible to address to the claim within this timeframe, the interested party will be notified. The notification will include the reasons for the delay and specify the date by which it will be addressed, which in no case may exceed eight (8) business days from the expiration of the initial period. In the event that the complaint is found to be incomplete, the concerned party will be requested to correct the deficiencies within five (5) days of receipt of the complaint and/or claim. If two (2) months have passed from the date of the request without the requestor submitting the necessary information, the complaint or claim will be considered withdrawn.
The complaint or claim document should include:
- The name and identification number of the Data Owner.
- Copy of the Data Owner’s identification document.
- A brief account of the events that lead to the complaint and/or claim.
In the event that the Data Owner’s Successor submits the complaint and/or claim, the following must be attached:
- The name and identification number of the Data Owner.
- Copy of the Data Owner’s identification document.
- Copy of the Identification document of the Successor.
- Copy of the Data Owner’s Death Certificate.
- Full description of the query.
- Address and contact details of the inquirer.
- Document confirming the capacity in which the Successor is acting.
If the requestor it is a legal representative and/or attorney-in-fact, the following must be attached:
- The name and identification number of the Data Owner.
- Copy of the Data Owner’s identification document.
- Copy of the identification document of the legal representative.
- Document confirming the capacity in which the legal representative and/or attorney-in-fact is acting (power of attorney, certification).
- In the event that the attorney-in-fact is a minor, he/she must present the identity card and/or the civil registry and the document that proves his/her capacity as legal representative or guardian of the minor.
- Description of the facts giving rise to the claim and/or complaint.
- What is intended by the complaint and/or claim.
- Address and contact details of the claimant.
8. Processing of Sensitive Personal Data
ARD will refrain from collecting, storing, or processing sensitive data unless it is strictly essential for the fulfillment of the purposes outlined in this Processing Policy.
In situations where sensitive data processing is necessary, it will only be undertaken with the explicit prior, informed and express consent of the Data Owner, except when such consent is not mandated by law, and one of the following exceptions applies:
- When the Processing is required to safeguard the vital interests of the Data Owner, and the Data Owner is physically or legally incapacitated.
- When the Processing is carried out in the course of legitimate activities and with due guarantees by a foundation, NGO, association, or any other non-profit entity, whose purpose is political, philosophical, religious or trade union-related, provided that it pertains exclusively to its members or individuals who maintain regular contact due to their shared objectives. In these cases, data may not be disclosed to third parties without the Data Owner’s authorization.
- When the Processing pertains to data that is necessary for the recognition, exercise or defense of a right in a legal proceeding.
- When the Processing serves a historical, statistical or scientific purpose. In this scenario, measures should be implemented to anonymize the identity of the Data Owners.
- When it is performed in compliance with a public or administrative order, in fulfilment of legal duties or by court order.
Responses to inquiries about sensitive data are optional and therefore not mandatory. Nevertheless, ARD is committed to strictly adhering to the legal restrictions governing the Processing of Sensitive Data. ARD shall strictly observe the legal limitations on the Processing of Sensitive Data. ARD will never, under any circumstances, make participation in any activity contingent upon the provision of Sensitive Data. Sensitive Data will be Processed with the greatest possible diligence and with the highest security standards. Limiting access to Sensitive Data will be a foundational principle in protecting the privacy of such information, ensuring that only authorized personnel can access this type of data.
Sensitive data may not be Processed for purposes other than those explicitly authorized by the Data Owner.
9. Processing of Personal Data of Boys, Girls, and/or Adolescents
ARD will make every effort to avoid Processing the data of children and adolescents under 18 years of age, unless such processing is essential for the implementation of the Company’s social assistance programs.
In all cases, the Processing of Personal Data of minors under 18 years of age will always require the explicit authorization of their legal representative.
In the event of Processing data of minors, ARD, as the Data Controller, will ensure that such Personal Data is handled appropriately, adhering to the obligations outlined in Law 1581 of 2012 and other regulations related to the protection of Personal Databases that are currently in force.
The Processing of Personal Data of children and adolescents will be subject to special handling and stringent measures to safeguard their privacy. Data that is not of a public nature shall conform to the following parameters and requirements:
- It will prioritize and uphold the best interests of boys, girls, and adolescents.
- The fundamental rights of boys, girls, and adolescents will be duly respected.
- When the minor possesses the capacity and autonomy to comprehend the issue, their opinion will be taken into consideration.
In every instance, the legal representatives of the boys, girls, and adolescents will be responsible for authorizing the Processing of the Personal Data of minors. Without the representative’s authorization, the Processing will not take place, and the minor will not be eligible to participate in any ARD program, if applicable.
10. National or International Transmission and/or Transfer of Data
ARD may share the Personal Data information with third parties when it is necessary for the execution of its activities and corporate objectives, always with respect for the rights and information of the Data Owner.
The Transmission or Transfer of Personal Data will comply with the regulations established for this purpose by the relevant authorities, especially the following:
- For domestic transmissions or transfers of Personal Data, ARD will guarantee compliance with the requirements of Applicable Law and the protection measures provided by the Data Processor or the new Data Controller, as applicable.
- For international transfers, it will be ensured that the country receiving the Personal Data offers sufficient levels of data protection.
11. Security and Confidentiality of Personal Data
In accordance with the security principle outlined in Law 1581 of 2012, ARD has adopted and integrated the essential technical, human, and administrative measures into its various processes signed to guarantee the security of records containing personal information, thus preventing their alteration, loss, unauthorized access, or fraudulent use. ARD has established security measures that regulate access to Personal Data based on the level of responsibility of the personnel responsible for processing Personal Data. Any official seeking to access Personal Data must possess their respective access code.
12. Validity
This Policy is effective as of December 19th, 2023.
Personal Data undergoing Processing will be retained in ARD’s databases for as long as required to accomplish the purposes stipulated in this Policy or to fulfill ARD’s legal obligations.
Authorization Forms
- Authorization to Process Beneficiaries’ Personal Data in ARD Colombia Programs
- Authorization to Process Agreements and Donations Data in ARD Colombia Programs
- Authorization to Process Personal Data of Candidates Involved in Selection Processes in ARD Colombia Programs
- Authorization to Process Personal Data of Contractors and Service Providers for ARD Colombia Programs
- Authorization to Process Personal Data of Employees in ARD Colombia Programs
- Authorization Clause on the Processing of Personal Data for Employees in ARD Colombia Programs
- Authorization to Process Personal Data of Suppliers in ARD Colombia Programs
- GEP-MOU-XXX Form V.23
- Informed Consent for Children’s Data
- Personal Data Transmission Agreement Between ARD, Inc. Colombia Branch and Others