POLICY MANUAL HANDLING DATA
Legal basis and scope of application
The information treatment policy is developed in compliance with articles 15 and 20 of the Political Constitution; of articles 17 literal k) and 18 literal f) of Statutory Law 1581 of 2012, which dictates general provisions for the Protection of Personal Data (LEPD); and Article 13 of Decree 1377 of 2013, which regulates the previous Law.
This policy will be applicable to all personal data registered in databases that are subject to treatment by the person responsible for the treatment.
Definitions established in article 3 of the LEPD and article 3 of Decree 1377 of 2013.
Authorization: Prior, express and informed consent of the Holder to carry out the processing of personal data.
Database: Organized set of personal data that is the object of treatment.
Personal data: Any information linked or that may be associated with one or more specific or determinable natural persons.
Public data: It is the data that is not semi-private, private or sensitive. Public data, among others, are data related to the marital status of individuals, their profession or trade and their status as a merchant or public servant. By its nature, public data may be contained, among others, in public registers, public documents, gazettes and official gazettes and duly executed judicial decisions that are not subject to reservation.
Sensitive data: Sensitive data is understood to be those that affect the privacy of the Holder or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, union membership, social, human rights organizations or organizations that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.
We receive, collect and store any information that you enter on our website or otherwise provide to us. In addition, we collect the Internet Protocol (IP) address used to connect your computer to the Internet; login details, email address, password, computer and connection information and purchase history. We may use software tools to measure and collect session information, including page response times, duration of visits to certain pages, page interaction information, and methods used to navigate off page. We also collect personally identifiable information (including names, email, password, communications), payment details (including credit card information), comments, suggestions, product reviews, recommendations, and personal profile.
Responsible for the treatment: Natural or legal person, public or private, that by itself or in association with others, carries out the processing of personal data on behalf of the person responsible for the treatment.
Responsible for the treatment: Natural or legal person, public or private, that by itself or in association with others, decides on the database and / or the treatment of the data.
Owner: Natural person whose personal data is subject to treatment.
Treatment: Any operation or set of operations on personal data, such as the collection, storage, use, circulation or deletion.
Privacy notice: Verbal or written communication generated by the person in charge, addressed to the Owner for the processing of their personal data, through which they are informed about the existence of the information processing policies that will be applicable, the way to access to the same and the purposes of the treatment that is intended to give personal data.
Transfer: The data transfer takes place when the person in charge and / or person in charge of the processing of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is responsible for the treatment and is inside or outside from the country.
Transmission: Processing of personal data that implies the communication of the same within or outside the territory of the Republic of Colombia when it is intended to carry out a treatment by the person in charge on behalf of the person in charge.
​
2. Authorization of the treatment policy
​
According to article 9 of the LEPD, the prior and informed authorization of the Holder is required for the processing of personal data. By accepting this policy, any Holder who provides information regarding their personal data is consenting to the processing of their data by MERCAVICOLA INSTITUCIONAL SAS in the terms and conditions contained therein.
The authorization of the Holder will not be necessary when it comes to:
Information required by a public or administrative entity in the exercise of its legal functions or by court order.
Data of a public nature.
Cases of medical or health emergency.
Treatment of information authorized by law for historical, statistical or scientific purposes.
Data related to the Civil Registry of people.
​
​
3. Responsible for the treatment
​
​
The person responsible for the treatment of the databases object of this policy is MERCAVICOLA INSTITUCIONAL SAS, whose contact information is the following:
Address: AC 19 # 25-40. LOCAL 80154. CC PALOQUEMAO, Bogotá Colombia.
Email: gestion@mercavicola.com
Phone: (57) 1 3686259
4. Treatment and purposes of the databases
​
MERCAVICOLA INSTITUCIONAL SAS, in the development of its business activity, carries out the processing of personal data related to natural persons that are contained and are processed in databases destined for legitimate purposes, complying with the Constitution and the Law.
The following table (Table I) presents the different databases managed by the company and the purposes assigned to each of them.
Table I. Databases and purposes
Database
Purpose
Databases Employees
Resumes and everything related to work well-being.
Customer databases
Operational and administrative management and sales and after-sales services.
Databases Suppliers
Operational and administrative management.
​
5. Navigation data
​
When you carry out a transaction on our website, as part of the process, we collect personal information that you provide us, such as your name, physical address and email address. Your personal information will be used only for the specific reasons stated above.
The navigation system and the software necessary for the operation of this website collect some personal data, the transmission of which has been implicit in the use of Internet communication protocols.
By its very nature, the information collected could allow the identification of users through its association with third-party data, even if it is not obtained for that purpose. In this category of data are the IP address or domain name of the computer used by the user to access the website, the URL, the date and time and other parameters related to the user's operating system.
These data are used for the sole purpose of obtaining anonymous statistical information on the use of the website or to control its correct technical operation, and are canceled immediately after being verified.
​
6. Cookies or web bugs
​
This website uses cookies or web bugs to collect personal data from the user, their use is limited to providing the user with access to the website.
​
​
​
​
​
​
​
​
​
​
​
​
​
If you do not want us to process your data, contact us at [management@mercavicola.com] or send us an email to: [AC 19 # 25-40. LOCAL 80154].
​
7. Rights of the Holders
​
In accordance with article 8 of the LEPD and articles 21 and 22 of Decree 1377 of 2013, Data Holders may exercise a series of rights in relation to the processing of their personal data. These rights may be exercised by the following persons.
By the Holder, who must sufficiently prove his identity by the different means made available to him by the person in charge.
By their successors, who must prove such quality.
By the representative and / or attorney-in-fact of the Holder, prior accreditation of the representation or power of attorney.
By stipulation in favor of another and for another.
​
The rights of children or adolescents shall be exercised by the persons who are empowered to represent them.
The rights of the Holder are the following:
​
Right of access or consultation: This is the right of the Holder to be informed by the person responsible for the treatment, upon request, regarding the origin, use and purpose that they have given to their personal data.
Rights of complaints and claims. The Law distinguishes four types of claims:
Correction claim: the right of the Holder to update, rectify or modify partial, inaccurate, incomplete, fractioned, misleading data, or those whose treatment is expressly prohibited or has not been authorized.
Claim of deletion: the right of the Holder to have data that is inappropriate, excessive or that does not respect constitutional and legal principles, rights and guarantees be deleted.
Revocation claim: the right of the Holder to revoke the authorization previously given for the processing of their personal data.
Claim of infringement: the right of the Holder to request that the breach of the regulations on Data Protection be remedied.
Right to request proof of the authorization granted to the person responsible for the treatment: except when expressly excepted as a requirement for the treatment in accordance with the provisions of article 10 of the LEPD.
Right to present before the Superintendence of Industry and Commerce complaints for infractions: the Holder or successor in title may only file this complaint once the consultation or claim process has been exhausted before the person responsible for the treatment or person in charge of the treatment.
​
8. Attention to Data Holders
​
MERCAVICOLA INSTITUCIONAL SAS, will be in charge of the attention of requests, queries and claims before which the Owner of the data can exercise their rights. Telephone: (057) 1 3686259, Email: gestion@mercavicola.com
​
9. Procedures to exercise the rights of the Holder
​
9.1. Right of access or consultation
According to article 21 of Decree 1377 of 2013, the Holder may consult his personal data for free in two cases:
​
At least once every calendar month.
Every time there are substantial modifications to the information treatment policies that motivate new consultations.
​
For inquiries whose periodicity is greater than one for each calendar month, MERCAVICOLA INSTITUCIONAL SAS, may only charge the Holder the costs of shipping, reproduction and, where appropriate, document certification. Reproduction costs may not be greater than the costs of recovery of the corresponding material. For this purpose, the person in charge must demonstrate to the Superintendency of Industry and Commerce, when it so requires, the support of said expenses.
The Data Owner may exercise the right of access or consultation of their data by means of a letter addressed to MERCAVICOLA INSTITUCIONAL SAS, sent, by email to gestion@mercavicola.com, indicating in the Subject "Exercise of the right of access or consultation" , or through postal mail sent to AC 19 # 25-40. LOCAL 80154. CC PALOQUEMAO, Bogotá Colombia. The request must contain the following information:
​
Name and surname of the principal.
Photocopy of the Certificate of Citizenship of the Holder and, where appropriate, of the person who represents him, as well as the document accrediting such representation.
Request in which the request for access or consultation is specified.
Address for notifications, date and signature of the applicant.
Documents accrediting the request made, when applicable.
The Holder may choose one of the following forms of querying the database to receive the requested information:
On screen display.
In writing, with a copy or photocopy sent by certified mail or not.
Email or other electronic means.
Another system appropriate to the configuration of the database or the nature of the treatment, offered by MERCAVICOLA INSTITUCIONAL SAS
Once the request is received, MERCAVICOLA INSTITUCIONAL SAS, will resolve the query request within a maximum period of ten (10) business days from the date of receipt. When it is not possible to attend the query within said term, the interested party will be informed, stating the reasons for the delay and indicating the date on which the query will be attended, which in no case may exceed five (5) business days following the expiration of the first term. These deadlines are set in article 14 of the LEPD.
Once the consultation process has been exhausted, the Holder or successor in title may file a complaint with the Superintendency of Industry and Commerce.
9.2. Complaints and claims rights
The Data Owner may exercise the rights to claim their data by writing to MERCAVICOLA INSTITUCIONAL SAS, sent by email to management@mercavicola.com, indicating in the Subject "Exercise of the right of access or consultation", or via postal mail sent to AC 19 # 25-40. LOCAL 80154. CC PALOQUEMAO, Bogotá Colombia., The request must contain the following information:
Name and surname of the principal.
Photocopy of the Certificate of Citizenship of the Holder and, where appropriate, of the person who represents him, as well as the document accrediting such representation.
Description of the facts and request in which the request for correction, deletion, revocation or inflation is specified.
Address for notifications, date and signature of the applicant.
Supporting documents of the petition formulated that they want to enforce, when appropriate.
If the claim is incomplete, the interested party will be required within five (5) days after receiving the claim to correct the faults. After two (2) months from the date of the request, without the applicant submitting the required information, it will be understood that the claim has been withdrawn.
Once the complete claim is received, a legend that says "claim in process" and the reason for it will be included in the database, within a term of no more than two (2) business days. Said legend must be kept until the claim is decided.
MERCAVICOLA INSTITUCIONAL SAS, will resolve the request for consultation within a maximum period of fifteen (15) business days from the date of receipt. When it is not possible to attend to the claim within said term, the interested party will be informed of the reasons for the delay and the date on which their claim will be attended, which in no case may exceed eight (8) business days following the expiration of the first finished.
Once the claim process has been exhausted, the Holder or successor in title may file a complaint with the Superintendency of Industry and Commerce.
10. Validity
The databases that are the responsibility of MERCAVICOLA INSTITUCIONAL SAS, will be processed for as long as is reasonable and necessary for the purpose for which the data is collected. Once the purpose or purposes of the treatment have been fulfilled, and without prejudice to legal regulations that provide otherwise. MERCAVICOLA INSTITUCIONAL SAS, will proceed to delete the personal data in its possession unless there is a legal or contractual obligation that requires its conservation. We reserve the right to change this privacy policy at any time, so please review it frequently. Changes and clarifications will take effect immediately after their publication on the website. If we make material changes to this policy, we will notify you that it has been updated so that you are aware of what information we collect, how we use it, and under what circumstances, if any, we use or disclose the information.
If you wish to: access, correct, modify or delete any personal information we have about you, you are invited to contact us at [management@mercavicola.com] or send us an email to: [AC 19 # 25-40. LOCAL 80154. CC PALOQUEMAO
​
11. Security measures
​
Our company is hosted on the Wix.com platform. Wix.com provides us with the online platform that allows us to sell our products and services to you. Your data may be stored through the Wix.com data storage, the general Wix.com databases and applications. They store your data on secure servers behind a firewall.
All direct payment gateways offered by Wix.com and used by our company adhere to the standards set by PCI-DSS administered by the PCI Security Standards Council, which is a joint effort of brands such as Visa, MasterCard, American Express, and Discover. . PCI-DSS requirements help ensure the secure handling of credit card information by our store and its service providers.
​
MERCAVICOLA INSTITUCIONAL SAS, in order to comply with the security principle enshrined in article 4 literal g) of the LEPD, has implemented technical, human and administrative measures necessary to guarantee the security of the records avoiding their adulteration, loss, consultation, unauthorized or fraudulent use or access.
On the other hand, MERCAVICOLA INSTITUCIONAL SAS, by signing the corresponding transmission contracts, has required those in charge of the treatment with whom it works to implement the necessary security measures to guarantee the security and confidentiality of the information in the treatment of Personal information.
​
The following are the security measures implemented by MERCAVICOLA INSTITUCIONAL SAS, which are collected and developed in its Internal Security Manual (Tables II, III, IV and V).
​
Table II. Common security measures for all types of data (public, semi-private, private, sensitive) and databases (automated, non-automated)
Document and media management
Access control
Incidents
Personal
​
Internal Safety Manual
​
1. Measures that prevent improper access or recovery of data that has been discarded, deleted, or destroyed.
2. Restricted access to the place where the data is stored.
3. Authorization of the person responsible for the output of documents or supports by physical or electronic means.
4. Labeling or identification system of the type of information.
5. Inventory of supports.
6. User access limited to the data necessary for the development of their functions.
7. Updated list of users and authorized accesses.
8. Mechanisms to prevent access to data with rights other than those authorized.
9. Granting, alteration or cancellation of permits by authorized personnel.
10. Record of incidents: type of incident, time when it occurred, issuer of the notification, recipient of the notification, effects and corrective measures.
11. Procedure for notification and management of incidents.
12. Definition of the functions and obligations of the users with access to the data
13. Definition of the control functions and authorizations delegated by the data controller.
14. Disclosure among staff of the rules and the consequences of non-compliance with them.
15. Preparation and implementation of the Manual that is mandatory for staff.
16. Minimum content: scope of application, security measures and procedures, functions and obligations of personnel, description of databases, procedure for incidents, procedure for data copies and recovery, security measures for transport, destruction and reuse of documents, identification of those in charge of the treatment.
​
Table III. Common security measures for all types of data (public, semi-private, private, sensitive) according to the type of databases
Non-automated databases
Automated databases
Archive
Document storage
Custody of documents
Identification and authentication
Telecommunications
​
1. File of documentation following procedures that guarantee a correct conservation, location and consultation and exercise of the rights of the Holders.
2. Storage devices with mechanisms that prevent access to unauthorized persons.
3. Duty of care and custody of the person in charge of documents during their review or processing.
4. Personalized identification of users to access information systems and verification of their authorization.
5. Identification and authentication mechanisms; Passwords: allocation, expiration and encrypted storage.
6. Access to data through secure networks.
Table IV. Security measures for private data according to the type of databases
Automated and non-automated databases
Automated databases
Audit
Security manager
Internal Safety Manual
Document and media management
Access control
Identification and authentication
Incidents
​
1. Ordinary audit (internal or external) every two months.
2. Extraordinary audit for substantial modifications in the information systems.
3. Report of detection of deficiencies and proposal of corrections.
4. Analysis and conclusions of the person in charge of security and of the person in charge of the treatment.
5. Preservation of the report at the disposal of the authority.
6. Appointment of one or more security officers.
7. Appointment of one or more people in charge of the control and coordination of the measures of the Internal Safety Manual.
8. Prohibition of delegation of responsibility from the data controller to the security manager.
9. Periodic compliance checks
10. Record of entry and exit of documents and supports: date, sender and receiver, number, type of information, shipping method, person responsible for the reception or delivery.
11. Access control to the place or places where the information systems are located.
12. Mechanism that limits the number of repeated unauthorized access attempts.
13. Record of data recovery procedures, person who executes them, restored data and manually recorded data.
14. Authorization of the person responsible for the treatment to carry out the recovery procedures?
​
We may contact you to notify you about your account, to solve problems with your account, resolve a dispute, collect fees or money owed, to probe your opinions through surveys or questionnaires, to send updates about our company, or when necessary to contact you. to enforce our User Agreement, applicable national laws, and any agreements we may have with you. For these purposes, we may communicate with you by email, telephone, text messages, and postal mail.
​
DAVID RIVEROS PALACIOS
Legal representative
Updated March 2021