PERSONAL DATA PROCESSING POLICY
In effect from: December, 2023
Thank you for visiting web page www.brahma.co (the "Site") operated by Stanton SAS (hereinafter “Stanton” or “Brahma”). We respect your privacy and personal information. Stanton informs you that the contents of the Privacy Policy below are applicable to the processing of your personal data collected from the access, use and/or navigation of the Site. For your interaction, use and/or navigation, as well as voluntary delivery of personal data in those cases where this aspect is authorized in the Site (“User”), we understand that you consent and accept the contents of this Policy, for this reason, we invite you then to read carefully the contents hereof.
IDENTIFICATION OF THE RESPONSIBLE FOR THE PROCESSING OF THE INFORMATION:
- Legal Entity
- Stanton S.A.S
- Nit
- 860009034
- Address
- Carrera 42b # 12-64
- protecciondatos@stanton.co
OBJECTIVE
For STANTON S.A.S, protecting the personal data provided by any natural person is fundamental. For this reason, the following privacy policy has been defined to communicate and inform data subjects about how personal data is processed.
This personal data processing policy ("Privacy Policy") establishes how we collect, store, safeguard, manage, transfer, transmit, and/or share information, whether personal or not, provided by the data subject in any form, including but not limited to when contacting us through any of our communication channels, when directly contacted, when purchasing products from any of the company's brands, when accessing our websites, or any other digital platform, medium, or channel developed in the future by STANTON S.A.S.
SCOPE
We hereby inform you that STANTON S.A.S holds the position of data controller for personal data of its employees, contractors, applicants, clients, potential clients, suppliers, users, partners, and/or third parties in general. This policy applies to all personal information recorded in any of STANTON S.A.S’s databases and is mandatory and strictly enforced.
DEFINITIONS
For the purposes of this policy, the following terms have the meanings assigned in this chapter, whether written in uppercase or lowercase, and whether in the singular or plural.
- Authorization
- Prior, express, and informed consent of the data subject to carry out the Processing of Personal Data.
- Privacy Notice
- Physical, electronic, or any other format document generated by the Data Controller, made available to the Data Subject for the Processing of their Personal Data, which informs the Data Subject about the existence of the information processing policies applicable to them, how to access them, and the characteristics of the Processing intended for the personal data.
- Personal Data
- Any information linked or that can be associated with one or more specific or identifiable natural persons.
- Sensitive Data
- Sensitive data refers to data that affects the privacy of the Data Subject or whose misuse may lead to discrimination, such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations, or promoting the interests of any political party or guaranteeing the rights and guarantees of opposition political parties, as well as data relating to health, sexual life, and biometric data, among others.
- Data Processor
- Natural or legal person, public or private, who, by themselves or in association with others, processes Personal Data on behalf of the Data Controller.
- Data Controller
- Natural or legal person, public or private, who, by themselves or in association with others, decides on the databases and/or the Processing of data.
- Data Subject
- Natural person whose personal data is subject to Processing.
- Business Partners
- Strategic alliance between two or more companies aimed at providing benefits of interest to all parties.
- Processing of Personal Data
- Any operation or set of operations on Personal Data, such as collection, storage, use, circulation, or deletion.
PURPOSES AND PROCESSING TO WHICH PERSONAL DATA WILL BE SUBJECTED
The personal data collected, stored, used, circulated, and deleted by STANTON S.A.S will be used for one or more of the following purposes:
Related to the nature and functions of STANTON S.A.S
Data processing will be carried out to ensure the manufacturing and commercial operations of our products.
Related to the operation of STANTON S.A.S
Human Resources
Data processing for our employees, contractors, or active and inactive collaborators, judicial officers, interns, and job applicants will be carried out for the following purposes:
- To receive the resume of a job applicant.
- To execute the selection process, as well as conducting interviews, tests, evaluations, inductions, contracts, and information validation.
- To store information in physical or digital databases.
- In case of employment, to affiliate to the social security system, accounting, and information archiving.
- To send internal communications related or unrelated to their employment or contractual relationship.
- To manage the employee's personal data and that of their family nucleus for affiliation procedures to health promoting entities (EPS), family compensation funds, occupational risk administrators (ARL), and others necessary to fulfill obligations.
- To fulfill obligations arising from the contractual relationship, such as payment of fees or salary, and other remunerations established in the contract or as required by law.
- To respond to employee or contractor requests for certificates, statements, and other documents requested, as a result of the existing or past contractual relationship.
- To promote their participation in activities aimed at well-being and a good working environment.
- To monitor and use images captured through video surveillance systems to maintain the physical security of people and material objects.
- To transmit personal data outside the country to third parties with whom a data transmission contract has been signed and it is necessary to deliver it for the fulfillment of the contractual purpose.
- To comply with legal and regulatory obligations applicable to our company.
- To fulfill contracted obligations or services.
- To comply with internal policies applied for regulatory compliance and organization, such as occupational health and safety, environmental, and other applicable to the company.
- To manage procedures, requests, consultations, complaints, and/or congratulations.
- To conduct analysis for fraud control and prevention and money laundering, including consultation on restrictive lists, and all necessary information required for SAGRILAFT.
Clients, Suppliers, and Contractors of STANTON S.A.S
Data processing will be carried out for the following purposes related to the contractual management process of products or services that STANTON S.A.S requires for its operation in accordance with current regulations.
- To provide information of interest about products and/or services offered by STANTON S.A.S.
- For advice, support, and acquisition of products and/or services.
- Comprehensive management and execution of the contracted service with STANTON S.A.S.
- To store information in physical or digital databases.
- To send commercial, advertising, or promotional information about products and/or services, events, and/or commercial or non-commercial promotions via physical mail, email, mobile phone, or device, through text messages (SMS and/or MMS), to encourage, invite, direct, execute, inform, and in general, carry out commercial or advertising campaigns or contests.
- To contact the Data Subject via email for the sending of extracts, account statements, or invoices.
- To transmit personal data outside the country to third parties with whom a data processing contract has been signed and it is necessary to deliver it for the fulfillment of the contractual purpose.
- Those indicated in the authorization granted by the data subject or described in the respective privacy notice, as applicable.
- To comply with legal and regulatory obligations applicable to our company.
- To manage procedures, requests, consultations, complaints, and/or congratulations by internal or external customers, suppliers, and contractors, and direct them to the responsible areas for issuing the corresponding responses.
- To conduct the study, linkage, and due registration in the databases of STANTON S.A.S in accordance with the procedures already established in the company.
- To comply with internal processes regarding the administration of internal and external customers, suppliers, and contractors.
- To manage all the information necessary to comply with tax obligations and commercial, corporate, financial, and accounting records of the parties.
- To control access to the company's premises and establish security measures, including the establishment of video-monitored areas.
- Notification of compliance with payment obligations to suppliers or third parties.
- To conduct analysis for fraud control and prevention and money laundering, including consultation on restrictive lists, and all necessary information required for SAGRILAFT and the Business Transparency and Ethics Program.
- To consult financial information and credit history and make the respective reports to credit bureaus when the requirements for it are met, according to the payment obligations contracted with the company and their breach.
- To inform about new products or services related or unrelated to those contracted or acquired by the Data Subject.
- To conduct internal studies on compliance with commercial relationships and market studies at all levels.
- To respond to legal requirements from administrative and judicial entities.
- To share the personal data collected with third parties who are business and/or commercial partners to offer products and/or services that improve Stanton's value proposition for customers, all in accordance with the provisions of Law 1581 of 2012 and its Regulatory Decree 1377 of 2013.
- To verify, control, and monitor the development of processes, activities, and products in accordance with environmental guidelines and quality management.
Visitors of STANTON S.A.S:
- To address requests from judicial or administrative authorities.
- To manage relationships, rights, and obligations with data subjects.
- To ensure security management in our facilities.
- To manage risks or accidents within the facilities.
- To control the access and exit of individuals in the facilities.
- To carry out administrative management activities.
- To receive and manage requests regarding products or services, attending to data subjects (PQR Management).
- To conduct investigations in case of risk situations or security breaches.
Public Entities
When STANTON S.A.S is in processes of affiliation with Public Entities, the information collected will be obtained from public sources, therefore, it will not be necessary to request authorization for the processing of the information. It should be mentioned that the information will be used solely and exclusively for the development of the contractual relationship.
Data Processing on our websites
Cookies
Acceptance of cookies is not a requirement to visit the Site. However, we would like to point out that using the "my cart" functionality on the Site and accepting an order is only possible with the activation of cookies. Cookies are small text files that identify your computer on our server as a unique user. Cookies can be used to recognize your Internet Protocol address, saving you time while on the Site or if you want to return to it in the future. We only use cookies for your convenience in using the site (for example, to remember who you are when you want to modify your shopping cart without having to re-enter your email address) and not to obtain or use any other information about you (for example, targeted or hidden advertising). Your browser can be configured not to accept cookies, but this could restrict your use of the Site and limit your experience on it. The use of cookies does not contain or affect personal or private data and does not pose a virus threat.
Security
We have technical and security measures in place to prevent unauthorized or illegal access or accidental loss, destruction, or damage to your information. All data we collect through the Site is stored on a secure server as these servers have protection programs. When we collect electronic payment card information, Secure Socket Layer (SSL) encryption systems are used to encode it, preventing fraudulent use. While it is not possible to guarantee a result, these systems have proven to be effective in handling confidential information since they have mechanisms that prevent access from external threats (i.e., hackers). It is recommended not to send all credit or debit card details without encrypting electronic communications with us. Additionally, we maintain physical, electronic, and procedural safeguards regarding the collection, storage, and disclosure of your information. Our security procedures require that sometimes we may ask you for proof of identity before disclosing personal information. Please note that you are solely responsible for protecting against unauthorized access to your password and computer.
SENSITIVE DATA
In cases where it is necessary, sensitive personal data will be collected, respecting the guarantees and rights of the data subjects; processing will always be carried out if there is the prior and express authorization of the data subject, and will obey the higher interest or the guarantees of other rights necessary to safeguard the higher interest of the data subject.
The Data Subject has the right to choose not to grant authorization for the processing of sensitive data requested by STANTON S.A.S, related, among others, to data regarding their racial or ethnic origin, membership in unions, social organizations or human rights, political, religious, sexual life, biometric data, or health data.
PROCESSING OF VIDEO RECORDING IMAGES AND BIOMETRIC DATA
STANTON S.A.S captures photographic images and/or video recordings, fingerprinting for
- Recognition of employees in different media such as bulletin boards, bulletins, internal and external newspapers.
- Access to the company's facilities.
- Protection oriented to the security and surveillance of people and physical facilities.
- To fulfill the purpose of legal and contractual requirements.
Such recordings may be collected from: customers, suppliers, employees, and/or visitors.
These images are collected with prior express or unequivocal authorization from the data subject, or their legal representative if the data subject is a minor, in order to have control of the activities carried out.
This information will be stored in the database(s) generated for the purposes that its collection requires, and its processing will be maintained as long as the purposes of its collection and/or the legal obligation to maintain the storage of such data are maintained, or in which case your data will be kept until you express your opposition.
PROCESSING OF DATA FOR CHILDREN AND ADOLESCENTS
STANTON S.A.S in the exercise of some of its obligations captures and processes data of minors. However, it has all the guarantees so that minors can exercise their rights. This processing is intended to safeguard an essential public interest, which is assessed in accordance with international human rights standards, and at a minimum, must satisfy the criteria of legality, proportionality, and necessity, safeguarding the fundamental rights of the interested parties.
Thus, their information is processed or provided expressly by the data subject and their legal representative. Providing treatment that responds to and respects the best interests of children and adolescents and their fundamental rights. Once the above requirements are met, the legal representative of the child or adolescent will grant authorization after the exercise of the minor's right to be heard, an opinion that will be valued taking into account maturity, autonomy, and understanding of the matter.
This information will be stored in the database(s) generated for the purposes that its collection requires, and its processing will be maintained as long as the purposes of its collection and knowledge are maintained.
DATABASES
STANTON SAS stores the personal data it collects for the purposes mentioned in this Policy and in the respective authorizations, in physical and/or digital databases, which are identified within an internal inventory generated in compliance with the Principle of Demonstrated Responsibility.
In compliance with the provisions of the Superintendence of Industry and Commerce, STANTON SAS will register the databases on which it acts as Data Controller before the National Database Registry, as well as the monthly, semi-annual, and/or annual reports that may be required. The databases, as well as the information contained in them, will be available according to the execution of the activities for which they were collected, and in accordance with the treatment and storage parameters informed in the previous section and the execution of the rights of the data subjects as mentioned below.
Those responsible for the information and the different contractors have limited access to the information contained in the databases of STANTON SAS for the development of the corporate purpose, without the need to be shared or transmitted.
DATA SUBJECTS' RIGHTS
Law 1581 of 2012 establishes that Data Subjects of personal data will have the following rights:
- To know, update, and rectify their personal data in front of STANTON S.A.S as Data Controller and Data Processor. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned data, which mislead, or those whose treatment is expressly prohibited or has not been authorized.
- To request proof of the authorization granted to STANTON S.A.S as Data Controller and Data Processor, unless expressly exempted as a requirement for processing, in accordance with the provisions of Article 10 of Law 1581 of 2012.
- To be informed by STANTON S.A.S as Data Controller and Data Processor, upon request, regarding the use that has been given to the personal data of the Data Subject.
- To file complaints before the Superintendence of Industry and Commerce for infractions of Law 1581 of 2012 and other regulations that modify, add or complement it.
- To revoke the authorization and/or request the deletion of personal data when the principles, rights, and constitutional and legal guarantees are not respected in the Treatment. Revocation and/or deletion will proceed when the Superintendence of Industry and Commerce has determined that in the Treatment, the Controller or Processor have engaged in conduct contrary to Law 1581 of 2012 and the Constitution.
- To access their personal data that have been subject to Treatment free of charge.
DATA SUBJECT'S AUTHORIZATION
Without prejudice to the exceptions provided by law, prior, express, and informed authorization of the Data Subject is required for the Treatment, which must be obtained by any means that may be subject to subsequent consultation and verification, indicating the purpose for which the data is requested, using for these purposes automated technical means, written or oral, physical, electronic, data messages, voice recordings, or through technical or technological mechanisms, which allow preserving evidence of the authorization and/or of the unequivocal conduct described in Article 7 of Decree 1377 of 2013 that allows its subsequent consultation. Such authorization will be requested for as long as it is reasonable and necessary to satisfy the needs that gave rise to the request for the data, and, in any case, observing the legal provisions governing the matter. When the authorization is not granted directly by the Data Subject, the following additional information must be requested:
- Data of Children and Adolescents: The condition of Legal Representative of the minor must be accredited.
- Attorney: The power of attorney granted by the Data Subject will be requested.
TEMPORARY LIMITATIONS ON THE PROCESSING OF PERSONAL DATA BY STANTON S.A.S
STANTON S.A.S may only collect, store, use, or circulate personal data for as long as is reasonable and necessary, according to the purposes that justified the processing, in accordance with the applicable provisions of the relevant matter and the administrative, accounting, fiscal, legal, and historical aspects of the information. Once the purpose(s) of the processing has been fulfilled and without prejudice to legal provisions to the contrary, the personal data in its possession will be deleted. However, personal data must be retained when required to fulfill a legal or contractual obligation.
CASES WHERE AUTHORIZATION IS NOT REQUIRED
Authorization from the Data Subject will not be necessary when it comes to:
- Information required by a public or administrative entity in the exercise of its legal functions or by court order.
- Public nature and/or consulted data in the Transparency and Access to Information section of public entities.
- Cases of medical or health emergency.
- Information processing authorized by law for historical, statistical, or scientific purposes.
- Data related to the Civil Registry of Persons.
AREA/POSITION RESPONSIBLE FOR HANDLING REQUESTS, QUERIES, AND COMPLAINTS REGARDING THE PROCESSING OF PERSONAL DATA
The Data Protection Officer is the person responsible for receiving requests, queries, and complaints from Data Subjects regarding their rights to: know, update, rectify, and delete, as well as revoke authorization. Likewise, the Officer will ensure timely and appropriate responses from each of STANTON SAS's departments to requests, queries, and complaints from Data Subjects.
Rights to query and complain may be exercised as follows:
- On One's Own Behalf: Data Subjects can directly exercise their rights, provided they prove their identity, by making inquiries or complaints regarding the data stored in our databases and/or files. They have the right to know, update, access, rectify, delete, request proof of authorization, be informed about the use of their data, and revoke the granted authorization.
- Through a Proxy: Data Subjects may exercise their rights through a proxy, who must prove their status. For these purposes, an authenticated power of attorney must be attached to the request. If a request is made by a person other than the data subject, without the submission of the appropriate document substantiating representation, it will be considered not submitted, and no response will be provided to such request.
- Exercise of Minors' Rights: Minors must exercise their Habeas Data rights through their legal representative.
CHANNELS FOR RECEIVING REQUESTS, QUERIES, AND COMPLAINTS
The channels provided by STANTON SAS for receiving, addressing, and responding to requests, queries, or complaints are as follows:
- Email: protecciondatos@stanton.co
- Address: Carrera 42b # 12 – 64, Bogotá.
- Through the "contact us" button on the websites:
PROCEDURE FOR EXERCISING RIGHTS
Queries
- Will be resolved within a maximum period of ten (10) business days from the date of receipt.
- If it is not possible to respond within this period, the interested party will be informed before the expiration of the 10 days, stating the reasons for the delay and indicating the date by which the request will be addressed, which in no case may exceed five (5) business days following the expiration of the initial period.
Complaints
- Must be submitted through the aforementioned communication channels.
- Must contain detailed information such as the name and identification of the data subject, a precise description of the facts, the address to receive the response, and supporting documents.
- If STANTON SAS is not competent to resolve the complaint, it will be forwarded to the appropriate authority within a maximum period of two (2) business days.
- If the complaint is incomplete, the interested party will be requested to complete it within five (5) days following its receipt.
- The maximum period for addressing the complaint will be fifteen (15) business days.
DATA COLLECTED BEFORE THE ISSUANCE OF DECREE 1377 OF 2013
STANTON SAS will proceed to send an email to its customers and employees to inform them about this information processing policy and how to exercise their rights as data subjects whose personal data is stored in the company's databases.
STANTON AS DATA PROCESSOR
When STANTON SAS acts as a data processor, the data controllers must request and retain the data subject's authorization for the processing of personal data by STANTON SAS. The company also undertakes to enter into contracts for the transmission of personal data and to comply with the corresponding obligations.
UPDATING AND VALIDITY
This policy has an indefinite term from the date of signing this document and is subject to modifications to comply with Colombian legislation on data processing. It comes into effect from December 27, 2023.