top of page

​​POLÍTICA DE TRATAMIENTO DE DATOS PERSONALES

PERSONAL DATA PROCESSING POLICY

​

This Personal Data Processing Policy (hereinafter "The Policy") applies to the processing of personal data carried out by Sanchez Monroy Legal Partners (hereinafter "Sanchez Monroy"). For all purposes, the following contact details for Sanchez Monroy Legal Partners are provided:

Address: Bogotá D.C.
Email: info@sanchezmonroy.com

​

Sanchez Monroy will act as the Data Controller as defined in the applicable regulations. The Data Controller will act in this capacity based on the data processing authorizations duly granted by the Data Subject.

​

SCOPE

​

This Policy applies to the processing of personal data carried out in all databases and/or files containing personal data that are subject to processing by Sanchez Monroy as the Data Controller. Similarly, if Sanchez Monroy is the data processor for third-party data, the provisions of this Policy will apply.

 

This Policy establishes the rights and responsibilities of the Data Subjects, as well as the duties and commitments of Sanchez Monroy in the use of such information. Additionally, this Policy contains the principles and general parameters to be observed in the processing of personal data and sensitive personal data, if applicable, by Sanchez Monroy or any of its officers and/or employees, or third parties designated as processors.

 

DEFINITIONS

​

For the purposes of this Policy and in accordance with the applicable regulations, the following definitions will be considered:

  • Authorization: Prior, express, and informed consent from the Data Subject to carry out the processing of personal data.

  • Privacy Notice: Verbal or written communication addressed to the Data Subject for the processing of their personal data, informing them about the existence of the Policy, how to access it, and the purposes for which the personal data will be processed.

  • Databases: An organized set of personal data that is subject to processing. Databases may be physical or electronic.

  • Successor: A person who has succeeded another due to the latter's death (heir).

  • Transmission Agreement: A contract that the Data Controller signs with potential Processors for the processing of personal data under their control and responsibility, specifying the scope of processing, the activities the Processor will carry out on behalf of the Controller, and the obligations of the Processor toward the Data Subject and the Controller.

  • Personal Data: Any information related to or that can be associated with one or more identified or identifiable natural persons.

  • Public Data: Data that is not semi-private, private, or sensitive. Public data includes, among others, information about a person's civil status, profession, trade, or their status as a merchant or public servant.

  • Sensitive Data: Data that affects the privacy of the Data Subject or whose misuse could lead to discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, union membership, social organizations, human rights organizations, political party affiliations, or guarantees of opposition political parties' rights and protections, as well as health-related data, sexual life data, and biometric data.

  • Processor: A person, either natural or legal, who, either independently or in association with others, processes personal data on behalf of the Data Controller.

  • Authorized Persons: Individuals who may exercise the rights of the Data Subject, as listed in Section 4.2 of this Policy.

  • SIC: The Superintendence of Industry and Commerce.

  • Data Subject: The natural person whose personal data is being processed.

  • Transfer: The situation in which the Data Controller and/or the potential Processor, located in Colombia, sends information or personal data to a recipient who, in turn, is responsible for the processing and is located either inside or outside the country.

  • Transmission: The processing of personal data that involves communicating the data within or outside Colombian territory, with the objective of performing the processing by the Processor on behalf of the Data Controller.

  • Processing: Any operation or set of operations carried out on personal data, including but not limited to collection, storage, use, circulation, or deletion of personal data.

 

PURPOSES AND PROCESSING TO WHICH PERSONAL DATA WILL BE SUBJECT

​

The processing carried out by Sanchez Monroy will consist of the collection, storage, use, exchange, reproduction or compilation, processing, analysis, reporting, circulation, updating, systematization and organization, conservation, rectification, and deletion of personal data, either partially or fully, in accordance with the purposes described in detail in each privacy notice and/or the corresponding authorizations. Personal data will not be collected without the prior, express, and informed consent of the Data Subject, except in cases provided by law where such consent is not required. Generally, the purposes for processing the information may be framed in the following:

​

Clients

​

The processing will be carried out for:


(i) executing the existing contractual relationship with clients, controlling, invoicing, and collecting payment for services provided by the Data Controller;
(ii) providing the services required by clients, informing them about new services and/or changes to existing ones, or evaluating the quality of services;
(iii) making calls, sending communications via physical mail, email, cell phone or mobile device, text messages (SMS and/or MMS), or any other similar or digital communication means created or to be created, to promote, invite, direct, execute, inform, and, in general, conduct commercial or advertising campaigns, promotions, or contests carried out by the Data Controller and/or third parties;
(iv) responding to any complaint or claim made by the client regarding the services provided. Additionally, for the specific purposes described in the registration form and/or authorization and data processing consent forms signed by the clients.

​

Suppliers and Contractors

 

The processing of data will be carried out for:


(i) executing the existing contractual relationship with suppliers and contractors, including the payment of contractual obligations;
(ii) purposes related to the development of the contractual management process of products or services required by the Data Controller for its operation in accordance with applicable regulations. Additionally, for the specific purposes described in the registration form and/or authorization and data processing consent forms signed by the suppliers.

​

Marketing Activities

​

In cases where the Data Controller contracts marketing activities by third parties, where such activities involve the collection and processing of personal data, the personal data collected in these activities must never be sensitive data, and the purposes for processing will be defined in the corresponding privacy notice.

 

RIGHTS OF THE DATA SUBJECT

​

In accordance with this Policy and applicable regulations, the Data Subject may exercise the following rights regarding the personal data being processed:

  • Know, update, and rectify their personal data before the Data Controller or the Data Processor, or exercise this right with any party who has received the data as a result of their transmission. This right can be exercised, among other cases, for partial, inaccurate, incomplete, fragmented, erroneous data, or data whose processing is explicitly prohibited or has not been authorized.

  • Request proof of the authorization granted to the Data Controller, unless expressly exempted as a requirement for processing.

  • Be informed by the Data Controller or the Data Processor, upon request, about the use made of the Data Subject's personal data.

  • File complaints with the SIC for violations of this Policy and the applicable personal data protection regulations. The Data Subject or Authorized Persons may only file complaints with the SIC after exhausting the consultation or complaint procedure established in this Policy.

  • Revoke the authorization and/or request the deletion of personal data when the processing does not respect the principles, rights, and constitutional and legal guarantees, following the procedure set out in this Policy. The revocation of authorization and/or request for deletion: (i) will proceed when the Superintendence of Industry and Commerce has determined that the Data Controller or Processor has violated Law 1581 of 2012 and the Constitution; (ii) will not proceed when the Data Subject has a legal or contractual obligation to remain in the database.

  • Access their personal data that has been processed free of charge by submitting a written request to the Data Controller or the Processor.

 

The rights of the Data Subject may be exercised by the following persons:


(i) the Data Subject, who must sufficiently verify their identity;
(ii) the heirs of the Data Subject, who must prove their status;
(iii) the representative and/or attorney of the Data Subject, upon proving the representation or power of attorney;
(iv) by stipulation in favor of another or for another; and

(v) in the case of minors, by the persons authorized to represent them.

 

The personal data of the Data Subject may be provided to the following persons:


(i) the Data Subject, their heirs, or their legal representatives;
(ii) public or administrative entities in the exercise of their legal functions or by judicial order; and
(iii) third parties authorized by the Data Subject or by law.

 

The truthfulness, authenticity, validity, and accuracy of the information provided by the Data Subject or Authorized Persons is the responsibility of the Data Subject, who agrees to notify the Data Controller of any changes to this information.

​

SENSITIVE DATA

​

The processing of sensitive data is prohibited except in cases expressly indicated in the applicable regulations or when clear authorization is obtained from the Data Subject, stating the specific purposes for the processing of such sensitive data. When such processing is allowed under the applicable regulations, the following obligations must be met:
(i) Inform the Data Subject that, due to the sensitive nature of the data, they are not obligated to authorize its processing;
(ii) Explicitly and priorly inform the Data Subject, in addition to the general requirements for authorization for the collection of any type of personal data, which data will be processed as sensitive and the purpose of such processing, and obtain their express consent; and
(iii) No activity may be conditioned on the provision of sensitive data by the Data Subject.

The Data Subject has the right to choose not to provide any sensitive information requested by the Data Controller, related, among others, to data on racial or ethnic origin, political orientation, religious or philosophical beliefs, union membership, social organizations, human rights organizations, or data that promote the interests of any political party or ensure the rights and guarantees of opposition political parties, as well as health data, sexual life, and biometric data.

Notwithstanding the above, for sensitive personal data provided by employees of the Data Controller, which is necessary for the execution of the contractual relationship due to the nature of the data, processing will proceed in accordance with the stipulated terms.

​

DATA OF MINORS

​

The processing of information of children and adolescents is prohibited except for public data and when such processing meets the following parameters and requirements:


(i) it responds to and respects the best interests of the child;
(ii) it ensures the respect of their fundamental rights; and
(iii) data will be collected for the purpose of affiliating minors with compensation funds and social security as beneficiaries.

Providing personal data of minors is optional and must be done with the authorization of the minor's parents or legal representatives.

​

AUTHORIZATION OF THE DATA SUBJECT

​

Notwithstanding the exceptions provided in the applicable regulations, processing requires the authorization of the Data Subject, which must be obtained by any means that can be consulted and verified later. Therefore, the processing of data by the Data Controller will have corresponding authorization support through the forms provided for that purpose.

​

Authorization from the Data Subject is not required in cases established by the applicable regulations, including cases involving public data, information required by a public or administrative entity in the exercise of its legal functions, or by court order.

In the event that personal data provided by the Data Subject belongs to third parties, it will be understood that the Data Subject is authorized to provide such data. The Data Subject is responsible to these third parties for providing the information, as long as the Data Subject holds the Data Controller harmless from any claim.

​

When the Data Subjects access the Sanchez Monroy website, they must read and understand the provisions of this Policy, so by providing personal data on the website, they are considered to give consent for the processing of the data.

 

CASES WHERE AUTHORIZATION IS NOT REQUIRED

​

The authorization of the Data Subject is not required in cases involving:

  • Information requested by a public or administrative entity in the exercise of its legal functions or by court order;

  • Public data;

  • Medical or health emergencies;

  • Processing of information authorized by law for historical, statistical, or scientific purposes;

  • Data related to the Civil Registry of Persons.

 

CONSULTATION PROCEDURE

​

The Data Subject or Authorized Persons may consult the Data Subject’s personal data by written communication containing at least the following information:
(i) Name of the Data Subject and a copy of the documents proving their identity;
(ii) Contact details of the Data Subject (phone, email, address);
(iii) Clear and precise description of the personal data for which the consultation is requested;
(iv) Clear and precise description of the consultation request;
(v) In cases where the consultation is requested by an Authorized Person, the communication must also include the name of the Authorized Person and a copy of the documents proving their authority.

The Data Controller will respond to the Data Subject's request within a maximum of ten (10) business days from the date of receipt. If it is not possible to respond within this period, the Data Controller will inform the Data Subject before the expiration of the ten (10) business days, stating the reasons for the delay and specifying the date by which the request will be addressed, which may not exceed five (5) business days after the expiration of the initial term.

In all cases, the response will be provided by the same means through which the request was made or, if applicable, by another agreed-upon means with the Data Subject or Authorized Persons.

The Data Subject has the right to consult their personal data free of charge:
(i) At least once per calendar month; and
(ii) Whenever there are significant changes to the Policy that require new consultations.

For consultations exceeding the monthly frequency, the Data Controller may charge the Data Subject for shipping, reproduction, and, if applicable, certification of documents. In all cases, reproduction costs cannot exceed the costs of retrieving the corresponding material.

​

CLAIM PROCEDURE

​

The Data Subject or Authorized Persons, who believe that the information contained in a Database of the Data Controller should be corrected, updated, or deleted, or who detect a potential non-compliance with any of the duties outlined in the applicable regulations, may file a claim through written communication containing at least the following information:


(i) Name of the Data Subject and a copy of the documents proving their identity;
(ii) Contact information of the Data Subject (phone, email, address);
(iii) Clear and precise description of the personal data concerning which the rights are being exercised;
(iv) Clear and precise description of the claim, the facts that give rise to the claim, and the documents that should be considered;
(v) Any other element or document that facilitates the location of the Data Subject's personal data;
(vi) In the case of requests for correction and/or updating of personal data, also indicate the modifications to be made and provide documentation supporting the request;
(vii) In the case where the claim procedure is requested by an Authorized Person, the communication must also contain the name of the Authorized Person and a copy of the documents proving their authority.

​

These documents must be submitted to the addresses identified in the header of this Policy according to the party responsible for the processing. In all cases, the subject should indicate "Personal Data Claim" as the subject of the communication.

If the recipient of the communication is not competent to resolve the claim presented, and they are aware of this, they will transfer it to the competent party within a maximum of two (2) business days and inform the interested party of the situation.

 

If the information in the claim is incomplete, erroneous, or insufficient, the Data Controller will request the interested party, within five (5) business days of receiving the claim, to provide the necessary information, elements, or documents to proceed with the claim. If two (2) months pass from the date of the request without the required information being provided, the claim will be considered abandoned.

 

The maximum period for addressing the claim will be fifteen (15) business days from the day following its receipt. If it is not possible to respond within that period, the Data Controller will inform the interested party of the reasons for the delay and specify the date when it will be addressed, which may not exceed eight (8) business days after the expiration of the original term.

 

In all cases, the response will be provided by the same means through which the request was made or, if applicable, by another agreed-upon method with the Data Subject or Authorized Persons.

​

SECURITY MEASURES

​

The Data Controller has adopted reasonable security measures to protect the information of the Data Subjects in order to minimize the risks of damage, destruction, or loss—including accidental—alteration, destruction, unauthorized or fraudulent use, access, or processing, or processing that does not align with the purposes outlined in the Policy.

 

Access to Personal Data is restricted to employees, contractors, representatives, and agents of the Data Controller involved in data processing and who need to know the data to carry out their functions and develop the Data Controller's corporate purpose. The Data Controller does not allow third parties access to this information except in the cases specified in this policy, unless there is an explicit request from the Data Subject or authorized persons in accordance with national regulations, or if a data transfer agreement has been signed, or explicit authorization from the Data Subject is obtained.

 

However, the Data Controller will not be held responsible for cyberattacks and any other actions aimed at violating the security measures established to protect Personal Data and other information contained in their IT systems or those contracted with third parties.

 

TRANSFER AND TRANSMISSION OF DATA

​

The Data Controller may transfer Personal Data of the Data Subject to fulfill their legal and/or regulatory obligations.

 

The recipients of the Personal Data are required to maintain the confidentiality of the Personal Data and comply with the Policy and other applicable procedures and instructions.

 

International Transmission and Transfer of Personal Data will be carried out in accordance with applicable data protection laws.

 

In accordance with the authorizations and/or Privacy Notices granted, Personal Data may be shared with third parties that the Data Controller contracts to execute any of the processing purposes mentioned, third parties that may be located in countries with different levels of data protection than those of the local legislation.

 

ACCEPTANCE OF THE POLICY

​

Acceptance of this Policy by the Data Subjects will occur when any of the following events take place:

  • Providing data in physical or electronic forms.

  • Using the acceptance mechanisms, security, and access to the information systems established by the Data Controller.

  • Providing Personal Data and Sensitive Personal Data to the Data Controller physically or by any other means.

The consent of the Data Subjects for the processing of their data is a relevant and necessary element to comply with the regulations. Therefore, within this Policy, the manifestation of such consent will be regulated as follows:

​

For the processing of information, prior, express, and informed authorization from the Data Subject is required, which must be obtained by any means that can be consulted later.

​

Such authorization will allow the Data Controller to collect and process the information provided by the Data Subjects by any means.

​

CHANGES TO THE POLICY

​

The Data Controller reserves the right to modify and/or update, either partially or entirely, the Policy to include legislative changes, internal policies, technological advances, or market practices.

​

The Policy and its corresponding modifications will be published on the Sanchez Monroy website.

​

In the event of substantial modifications to the Policy, as defined by the applicable legislation, a new authorization from the Data Subject will be obtained.

​

Notwithstanding the above, it is the responsibility of the Data Subject to review the contents of the Policy before submitting any data considered as Personal Data.

​

APPLICABLE LAW

​

All matters related to the delivery, receipt, handling, and protection of Personal Data between the Data Subject and Sanchez Monroy and/or the eventual Data Processor are governed by the Colombian laws in effect regarding the protection of Personal Data.

​

DATA BASES VALIDITY

​

The Data Bases will remain valid for the period necessary to fulfill the purposes outlined in this Policy or the corresponding Privacy Notices or authorizations.

bottom of page