Nextstop Group

Data Privacy Policy

  • Home
  • -
  • Data Privacy Policy
SCOPE

Given the importance of implementing controls and preventive measures that guarantee transparency and avoid situations that may involve NEXTSTOP in illicit activities that would affect its value chain, the trust of business partners, the integrity and reputation of the company, a complementary policy is adopted to the existing national and international regulations, aimed at the proper management of personal data collected in the database and sensitive documents.
In accordance with the above and taking into account current regulations, NEXTSTOP has decided to implement this policy to prevent risks in the treatment and protection of personal data, which must be complied with and observed by management bodies, collaborators, clients, suppliers and other interested parties, regardless of their position, functions, operations or place where they are carried out.

AIM

This policy aims to define and apply the guidelines, controls and actions necessary to protect NEXTSTOP and its stakeholders from the risk of processing and protecting personal data.

DEFINITIONS
  • Authorization: Prior, express and informed consent of the owner of the personal data to carry out the processing of personal data.
  • Privacy notice: Verbal or written communication generated by the controller, addressed to the Owner for the processing of his/her personal data, through which he/she is informed about the existence of the information processing policies that will be applicable to him/her, the way to access them and the purposes of the processing that is intended to be given to the personal data.
  • Database: Organized set of personal data that is subject to processing.
  • Personal data: Any information linked to or capable of being associated with one or more specific or identifiable natural persons. “Personal data” should therefore be understood as information related to a natural person (an individual considered individually).
  • Public data: Data that is not semi-private, private or sensitive. Public data includes, among others, data relating to the civil status of individuals, their profession or occupation, and their status as a merchant or public servant. By its nature, public data may be contained in, among others, public records, public documents, official gazettes and bulletins, and duly enforced court decisions that are not subject to confidentiality.
  • Public personal data: All personal information that is freely and openly known to the general public.
  • Private personal data: All personal information that has restricted knowledge, and is in principle private to the general public.
  • Semi-private data: Semi-private data is data that is not of an intimate, reserved, or public nature and whose knowledge or disclosure may be of interest not only to its owner but also to a certain sector or group of people or to society in general.
  • Sensitive data: Data that affects the privacy of the Owner or whose improper use may lead to discrimination, such as data that reveals racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data relating to health, sexual life and biometric data, including, but not limited to, the capture of still or moving images, fingerprints, photographs, iris, voice, facial or palm recognition, etc.
  • Data processor: Natural or legal person, public or private, who by itself or in association with others, processes personal data on behalf of the data controller.
  • Data controller: Natural or legal person, public or private, who by itself or in association with others, decides on the database and/or the processing of the data.
  • Owner: Natural person whose personal data is subject to processing.
  • Transfer: Data transfer occurs when the person responsible for and/or in charge of processing personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is responsible for the processing and is located within or outside the country.
  • Transmission: Processing of personal data that involves the communication of these within or outside the territory of the Republic of Colombia when its purpose is to carry out processing by the person in charge on behalf of the person responsible.
  • Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.

RESPONSIBILITY

The General Management is responsible for approving, promoting the application of the guidelines and providing the appropriate resources to ensure compliance with this policy.

TREATMENT TO WHICH YOU ARE UNDERGOING

Collection: NEXTSTOP collects personal information through various means in the development of different activities related to its corporate purpose and the obligations it has as an employer. Personal information will be obtained in three different ways:
  • Straight from the headline.
  • From a third party, provided that they have authorization.
  • From public sources of information.
Likewise, the collection of personal information may be carried out through physical, digital or electronic means, and each of them will include a privacy notice and authorization, thus complying with the requirements established in art. 2.2.2.25.3.2 and 2.2.2.25.3.3 of Decree 1074 and obeying the principles of freedom and purpose of art. 4 of Law 1581.
Storage: The storage of personal information contained in databases or information systems is located on our own servers within the country and on third-party external servers, which have physical, technical and administrative security measures. There are access controls to the information, guaranteeing the principle of restricted access and circulation. Personal information that is subject to legal requirements will remain stored in our databases in accordance with what the Law has established for this purpose. In those cases where the Law has not ruled, the information will remain as long as the purpose for which it was collected is in force.

Circulation: As a general rule, NEXTSTOP does not share the personal data it collects with third parties in general. However, in order to effectively fulfill its obligations, it may provide the data to other entities, protected by articles 2.2.2.25.5.1 and 2.2.2.25.5.2 of Decree 1074, which establishes that the transmission of personal data is permitted when necessary for the execution of a contract between the owner and the data controller, or for the execution of measures.
Deletion: Deletion of personal information that has been collected will be carried out when:
  • It is not necessary for compliance with legal, contractual, tax, financial or auditing aspects or is covered by provisions or requirements of the Law.
  • It does not affect or imply the loss of traceability or integrity of the databases or information systems where the information is stored.
  • The purpose for which they were collected has been fulfilled or eliminated.
  • It is requested by the data owner or by anyone who demonstrates that he or she is authorized and does not go against the previous definitions.
However, some information may be retained for statistical or audit purposes only.

PURPOSE OF PROCESSING PERSONAL DATA

The information collected by NEXTSTOP on a voluntary basis about clients, suppliers, strategic partners and employees, current or former, is stored in order to facilitate, promote, allow or maintain labor, civil and commercial relationships. The information about actors in the international transit operation is stored in order to comply with the activities inherent to its purpose. Personal Data will be processed solely and exclusively for the purposes authorized by the Owner and for those provided for in this Policy and for the time necessary to comply with said purposes. The obtaining of the Personal Data of the Owners may be carried out by any means provided for such purpose.
Personal Data is processed by NEXTSTOP for the following purposes:
  • Provide the owner of this information of interest such as services, financial reports of the company, shareholder information, settlement of dividends, billing and collection of services provided by NEXTSTOP.
  • For the recognition, protection and exercise of the rights of NEXTSTOP shareholders.
  • Actions, activities and processes related, linked or referred to the company's shareholders and investors.
  • To manage and operate, directly or through third parties, the personnel selection and recruitment processes, including the evaluation and qualification of participants and the verification of work and personal references, and the performance of security studies.
  • Develop activities related to human resources management, such as payroll, membership in entities of the general social security system, prepaid medical entities or insurance companies, wellness and occupational health activities, among others.
  • Actions, activities and processes related to, linked to or referred to employees and retirees of the company, including their family members.
  • To strengthen relationships with its customers by sending relevant information, responding to Requests, Complaints and Claims ( PQR's ) by customer service, evaluating the quality of its customer service and inviting customers to events organized or sponsored by NEXTSTOP.
  • To consolidate a timely and quality supply with its Suppliers, through the invitation to participate in selection processes, the evaluation of compliance with their obligations and the invitation to events organized or sponsored by NEXTSTOP.
  • To verify your creditors' balances.
  • Control access to NEXTSTOP offices as security measures.
  • Comply with fraud and money laundering control and prevention and obtain the information required for SARLAFT/SAGRILAFT or any other risk management system that the organization implements.
  • To determine outstanding obligations, consult financial information and credit history, and report unfulfilled obligations to information centers regarding debtors.
  • For marketing activities, statistics, surveys, research and other commercial purposes that do not contravene current legislation in Colombia.
  • To attend to judicial or administrative requirements and to comply with judicial or legal mandates.
  • Actions, activities and processes related, linked or referred to contractors or suppliers of the company.
  • To eventually contact, via email, telephone or any other means, natural persons with whom you have or have had a relationship, such as, without limitation, employees and their families, shareholders, consumers, the community in general, clients, distributors, suppliers, creditors and debtors, for the aforementioned purposes.

CUSTOMER DATA PROCESSING

The data collected by NEXTSTOP may, eventually, be shared with authorities that exercise Supervision and Control over NEXTSTOP in order to develop quality reviews, understand its financial, commercial and credit behavior and compliance with its legal obligations, carry out all necessary procedures aimed at confirming and updating customer information, validating and verifying the identity of the customer for the offer and administration of products and services, as well as to share information with various market players, establish a contractual relationship, as well as maintain and terminate a contractual relationship, receive messages related to the management of collection and portfolio recovery, either directly or through a third party contracted for such function, carry out an adequate provision and administration of financial services, including collection management, provide commercial, legal, product, security, service or any other information, know the location and contact information of the customer for the purposes of notifications for security purposes and offering benefits and commercial offers, prevent money laundering, the financing of terrorism, as well as detect fraud, corruption, and other illegal activities. Conduct satisfaction surveys regarding the services provided by NEXTSTOP, carry out audits, monitoring activities or in order to comply with quality standards regarding the services contracted by the Client.

Likewise, NEXTSTOP may process the personal information of its current or future Clients and of those Clients with whom it has terminated its commercial relationship, in order to send them commercial information that, in NEXTSTOP's opinion, may be of interest to them. Likewise, NEXTSTOP, on the occasion of events, training sessions or other activities carried out by them, may record and take audios, videos or photos of Clients as they develop these. These audios, videos or photos may be used in publications, and in general in any activity.

PROCESSING DATA OF SUPPLIERS OR THOSE WITH WHOM THEY HAVE A COMMERCIAL RELATIONSHIP

NEXTSTOP will process the personal information of its Suppliers or of the persons with whom it has a business relationship in order to comply with the obligations acquired by virtue of the respective relationship. In relation to Suppliers and agents, such obligations include establishing, managing or terminating business relationships or verifying references; the information requested from the supplier or partner may include information on the natural or legal person as appropriate.

Likewise, information may be requested from the employees of the supplier or ally who are dedicated to fulfilling a function or relationship with NEXTSTOP that, due to the work performed, require access to the facilities, applications and/or systems or others of the organization, carry out the process of linking the supplier or ally with the Organization, generating the development of internal procedures, which are relationship, accounting, financial, commercial, logistical, among others, manage and verify commercial and reputational background and the risks of money laundering and financing of terrorism, as well as to detect and/or prevent fraud, corruption and other illegal activities, by the supplier or its employees in relation to the operation of NEXTSTOP, manage and strengthen contractual relationships with the supplier or ally, allowing greater control in the obligations assumed by the parties, review and evaluate the results of the supplier or ally, in order to strengthen the contracting processes within NEXTSTOP, offer and provide products or services through any means or channel according to the profile of the supplier or ally, and in accordance with the progress made. technological, to carry out commercial, statistical, risk, market, interbank and financial analyses and research based on the results of the supplier or ally. The processing of the data collected pursuant to the provisions of this document will be carried out and will be in effect as long as the purpose for which the respective data was collected is maintained.

AUTHORIZATIONS

The processing of personal information contained in NEXTSTOP databases will be preceded, except for legal exceptions, by the informed authorization of its Owner, which will be requested at the latest at the time of collection, detailing the treatment to which they will be subjected and the specific purposes for which their consent is obtained.

In order to guarantee the rights of the information Holders, NEXTSTOP will determine the appropriate mechanisms to obtain the authorization of the Holder, Clients, Contractors, Suppliers, Agents, Employees, Former Employees, Visitors, among others, or those who are legitimized by virtue of what is established by Article 20 of Decree 1377 of 2013. It will also request in a free, prior, express and duly informed manner, the authorization from the holders of the personal data and for this purpose it will generate appropriate mechanisms guaranteeing in each case that it is possible to verify the granting of said authorization. The authorization may be recorded in any medium, whether a physical, digital, electronic document or in any format that guarantees its subsequent consultation through technical tools, complying with the requirements established by law. In any case, it will be understood that the authorization complies with the legal requirements when it is expressed in writing, orally or through unequivocal conduct that allows a reasonable conclusion that it was granted; within the latter, silence cannot be considered unequivocal conduct.

Furthermore, as provided by Decree 1377 of 2013, authorization will not be required for the processing of information contained in databases that are available to the general public, provided that by their nature they are public data.

RIGHTS OF PERSONAL DATA OWNERS

The Fundamental Right to Habeas Data, empowers the data owner to request access, update, rectification and deletion of their personal data that is in the possession of a third party, in turn, they can revoke the authorization they have granted for the treatment. If a personal data owner considers that NEXTSTOP has access to their personal data, this person can at any time request the consultation of their data, or if they consider that NEXTSTOP is misusing their data, they can make the respective claim. In accordance with the provisions of article 8 of law 1581 of 2012, the owners may:
  • Know, update and rectify your personal data before NEXTSTOP. This right may be exercised, among others, against partial, inaccurate, incomplete, fractional data that may lead to error, or those whose processing is expressly prohibited or has not been authorized.
  • Request proof of the authorization granted to NEXTSTOP, except when it is expressly excepted as a requirement for Treatment, in accordance with the provisions of article 10 of this law.
  • Be informed by NEXTSTOP or the Controller, upon request, regarding the use that has been given to your personal data.
  • Submit complaints to the Superintendency of Industry and Commerce for violations of the provisions of this law and other regulations that modify, add to or complement it.
  • Revoke the authorization and/or request the deletion of the data when the processing does not respect the constitutional and legal principles, rights and guarantees. The revocation and/or deletion will proceed when the Superintendency of Industry and Commerce has determined that NEXTSTOP has engaged in conduct contrary to this law and the Constitution.
  • Access free of charge to your personal data that has been subject to processing.
  • Refrain from answering questions about sensitive data. Answers regarding sensitive data or data about children and adolescents will be optional.

OBLIGATIONS OF THE PERSON RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA

NEXTSTOP shall:
  • Guarantee the Holder, at all times, the full and effective exercise of the right to habeas data.
  • Request and retain, under the conditions provided for in this law, a copy of the respective authorization granted by the Owner.
  • Properly inform the Owner about the purpose of the collection and the rights granted to him/her by virtue of the authorization granted.
  • Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access.
  • Ensure that the information provided to the Controller is true, complete, accurate, up-to-date, verifiable and understandable.
  • Update the information, communicating in a timely manner to the Data Processor all new developments regarding the data that you have previously provided and adopt the other measures necessary to ensure that the information provided to it remains up to date.
  • Correct information when it is incorrect and report the relevant information to the Manager.
  • Provide the Controller, as the case may be, only with data whose processing has been previously authorized in accordance with the provisions of this law.
  • Demand from the Manager at all times, respect for the security and privacy conditions of the Owner's information.
  • Process queries and complaints made under the terms set out in this law.
  • Adopt an internal manual of policies and procedures to ensure proper compliance with this law and, in particular, to address queries and complaints.
  • Inform the Controller when certain information is being discussed by the Owner, once the claim has been submitted and the respective process has not been completed.
  • Inform the Data Subject upon request about the use given to his/her data;
  • Inform the data protection authority when security code violations occur and there are risks in the management of the information of the Holders.
  • Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

PERSONAL DATA CONTROL AND SECURITY POLICIES

In accordance with the provisions of Article 19 of Decree 1377 of 2013, NEXTSTOP undertakes to adopt the instructions issued for such purpose by the Superintendency of Industry and Commerce. However, NEXTSTOP declares that it has information security policies and a technological infrastructure that reasonably protects the personal information collected, limiting access to third parties to the extent possible. However, NEXTSTOP will continually work to improve the security standards that protect the personal information collected.

Likewise, NEXTSTOP has adopted the technical, legal, human and administrative measures necessary to ensure the security of personal data, protecting confidentiality, integrity, use, unauthorized and/or fraudulent access. Likewise, internal security protocols and guidelines have been implemented that are mandatory for all personnel with access to personal data and information systems.

In accordance with the provisions of Article 26 of Law 158 of 2012, NEXTSTOP undertakes not to transfer data to third countries that do not comply with the personal data protection standards required by the Superintendency of Industry and Commerce, except for the exceptions indicated below:
  • Information for which the Owner has given his/her express and unequivocal authorization for the transfer.
  • Exchange of medical data, when required for the Treatment of the Owner for reasons of public health or hygiene.
  • Bank or stock transfers, in accordance with the applicable legislation.
  • Transfers agreed upon within the framework of international treaties to which the Republic of Colombia is a party, based on the principle of reciprocity.
  • Transfers necessary for the execution of a contract between the Owner or commercial transaction in the development of the corporate purpose and the Data Controller, or for the execution of pre-contractual measures provided that the Owner's authorization is obtained.
  • Transfers legally required to safeguard the public interest, or for the recognition, exercise or defence of a right in a judicial process.
In cases not contemplated as an exception, the Superintendency of Industry and Commerce shall be responsible for issuing the declaration of conformity regarding the international transfer of personal data. The Superintendent is empowered to request information and to carry out the procedures tending to establish compliance with the requirements required for the viability of the operation. International transfers of personal data carried out between a controller and a processor to allow the processor to carry out the processing on behalf of the controller shall not require the Holder to be informed or have his consent, provided that there is a contract for the transfer of personal data."

COMPLAINT MECHANISM

NEXTSTOP is responsible for the application of this policy, protecting its collaborators, contractors, interested parties and, above all, the good name and image of the company and its ethical principles.

Anyone who has information or knows of cases in which one or more collaborators or contractors or interested parties of NEXTSTOP are involved in acts against the personal data processing policy, can report it to the email: contacto@nextstop.com.co, call the phone number (+57) 6044797618, or leave the physical complaint at the address: Carrera 43A #1-85 Banco Caja Social Building Office 803 addressed to the Security Supervisor.

icono whatsapp