Regresar

TITLE I: Responsible for the treatment

Para todos los efectos, será responsables de los datos, la siguiente empresa: Corporación García S.A., identificada con RUC 20493387163, ubicada en la Calle Riomar C-12 en Maynas, Perú, ubicada en Jirón Belisario Flores 951 Piso 2, Lima, Perú.

TITLE II: Objective

THE CONTROLLER is a company dedicated to online education, consulting and execution of construction works and other activities that constitute engineering services as the controller of the data, and recognizes the importance of the security, privacy and confidentiality of the personal data of its employees, clients, suppliers and, in general, of all its stakeholders with respect to whom it processes personal information. For this purpose, it has created this policy for the processing of personal data (hereinafter the "Processing Policy") which will regulate the information and data that is collected, stored and/or managed by THE CONTROLLER.

TITLE III: Definitions

The concepts presented below are the result of what is set forth in the Peruvian Personal Data Protection Law and the corresponding legal provisions. In the event that the law is modified or replaced in these aspects, its meaning will be that indicated in the current legal regulations:

  • Authorization: Prior, express and informed consent of the Owner to carry out the Processing of personal data.
  • Database: Organized set of personal data that is subject to processing.
  • Personal information: Any information linked to or that can be associated with one or more specific or identifiable natural persons.
  • Data Controller: Natural or legal person, public or private, who by itself or in association with others, carries out the processing of personal data on behalf of the Data Controller.
  • Data Controller: Natural or legal person, public or private, who by itself or in association with others, decides on the database and/or the processing of data.
  • Titular: Natural person whose personal data is subject to processing.
  • Treatment: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.
  • Area in charge of Personal Data Protection/Privacy Officer: Designated person in charge within the Company, responsible for supervising, controlling and promoting the application of the Personal Data Protection Policy.

TITLE IV: Principles to which the treatment is subject

The processing of personal data carried out in connection with this Data Processing Policy must be strictly governed by the following principles:

  • Legality: Treatment must be subject to the provisions of the Law.
  • Purpose: The purpose of the Treatment must be legitimate, temporary and informed to the owner.
  • Reasonable limit: The storage and processing of personal data will be limited to what is essentially necessary to fulfill the previously specified purposes of the business relationship, as well as the fulfillment of the purposes authorized by the Owner.
  • Freedom: The data may only be processed with the prior, express, informed and self-determined consent of the owner or by legal or judicial order.
  • Truthfulness or quality: The information must be true, complete, accurate, up-to-date, verifiable and understandable.
  • Transparency: The right of the data subject to obtain information about his or her data at any time and without restrictions must be guaranteed.
  • Restricted access and circulation: The Treatment may only be carried out by persons authorized by the Owner or by the persons provided for by Law.
  • Security: Information must be handled with the necessary measures to ensure the security of records and prevent their alteration, loss, unauthorized or fraudulent consultation, use or access.
  • Confidentiality: Personal data that is not public in nature is confidential and can only be provided under the terms of the Law. Any person involved in the processing of information must guarantee its confidential nature.

TITLE V: Purposes of the Treatment

As the party responsible for the processing of the data collected, THE CONTROLLER has various databases, in respect of which it declares that they will be processed for one or more of the following purposes.

Administrative and Accounting Management:

  • Data administration for managing supplier and customer account statements.
  • Obtaining authorization to consult credit history in risky entities.
  • Formalization and management of commercial agreements, support for external and internal audits.
  • Annual report to the National Tax and Customs Directorate (DIAN) in compliance with legal obligations.
  • Recording and supporting financial and accounting information for transaction tracking.
  • Administration of contracts with third-party service providers.
  • Management of billing and collection processes to support internal and external audits.

Commercial Management, Suppliers and Contractors:

  • Management of relationships with customers and suppliers to facilitate internal processes.
  • Maintaining business relationships with suppliers and contractors.
  • Management of training programs for workers according to the requirements of commercial areas.
  • Control and monitoring of distribution and logistics with suppliers.
  • Advertising commercial promotions and commercial prospecting through text messages to clients.

Human Resources and Occupational Health:

  • Verification and evaluation of candidates in selection processes.
  • Conducting and verifying comprehensive security studies for candidates.
  • Control and monitoring of formalization of employment contracts.
  • Monitoring and delivery of equipment to workers according to requirements and labor legislation.
  • Statistical control of active and inactive personnel.
  • Tracking temporary workers.
  • Verification and management of payroll payments and reporting of employment developments.
  • Management of the occupational health and safety system to mitigate risks and respond to incidents.
  • Promotion of well-being activities and comprehensive development of workers in the work environment.
  • Risk control and monitoring and development of action plans for their mitigation.
  • Monitoring absenteeism and administering entry and exit medical examinations.

Technology and Security:

  • Control of computer and technological systems for the administration of keys, users and licenses.
  • Guaranteed security of personal, financial and educational information.
  • Development and updating of computational tools.
  • Management of security controls for entry and exit of the Company's facilities.

TITLE VI: Processing of Personal Data of a Sensitive Nature

According to data protection legislation in Peru, sensitive personal data is considered to be data that affects the privacy of the Data Subject or whose misuse may lead to discrimination. This data includes information on racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions or social organizations, health data, sexual life and biometric data, as well as data on minors.

THE CONTROLLER, in the development of its employment relationships with employees and candidates in selection processes, processes data of a sensitive nature, especially those related to health and, occasionally, biometric data to implement security measures in the access control to its facilities.

Processing of data of minors:

THE CONTROLLER seeks in the development of its economic activity not to collect information from minors. If you are under 18 years of age, your data may only be entered into our databases with the express consent of the minor's legal representative.

The processing of personal data of minors is subject to certain restrictions and legal requirements. In particular, we try not to collect information from minors under 18 years of age without the express consent of their legal representative. The processing of data of children and adolescents is prohibited, unless they meet the following criteria:

  • Respect the best interests of minors.
  • Ensure respect for your fundamental rights.
  • Obtain authorization from the minor's legal representative, considering the opinion of the minor himself or herself according to his or her maturity, autonomy and ability to understand the matter.
Once the above requirements have been met, the legal representative of the child or adolescent will grant authorization after the minor has exercised his or her right to be heard, an opinion that will be assessed taking into account maturity, autonomy and ability to understand the matter.

The processing of data of minors requires express authorization from the legal representative, in addition to facilitating the exercise of their rights of access, rectification, cancellation and opposition of the data. Those responsible for and in charge of processing data of minors must guarantee the appropriate use of the information and comply with the principles established in the data protection regulations in Peru.

By virtue of the above, THE CONTROLLER will only process data of minors, subject to the respect of the principles already indicated in the collection of the authorization and as long as the best interests of the minors are respected in the processing of the same.

Rights of the owner of the information:

  • Know, update and rectify your personal data that is being processed by THE CONTROLLER or those in charge of the processing.
  • Request proof of the authorization granted to THE CONTROLLER, except when it is expressly excepted as a requirement for processing.
  • Be informed by THE CONTROLLER upon request, regarding the use that has been given to your personal data.
  • Revoke authorization and/or request deletion of data when the processing does not respect constitutional and legal principles, rights and guarantees.
  • Be familiar with our Policy on the processing of Personal Data and any substantial changes that may occur in it.
  • Access and know free of charge the personal data that is subject to processing in accordance with the provisions of the law, in the processing of personal data.
  • Please refrain from answering questions about sensitive data. Answers regarding sensitive data or data about children and adolescents will be optional.
  • Others granted by current legal regulations.

TITLE VII: Rights of the Information Holder

  • Know, update and rectify your personal data that is being processed by THE CONTROLLER or those in charge of the processing.
  • Request proof of the authorization granted to THE CONTROLLER, except when it is expressly excepted as a requirement for processing.
  • Be informed by THE CONTROLLER upon request, regarding the use that has been given to your personal data.
  • Revoke authorization and/or request deletion of data when the processing does not respect constitutional and legal principles, rights and guarantees.
  • Submit complaints to the Superintendency of Industry and Commerce for violations of the provisions of Law 1581 of 2012.
  • Be familiar with our Policy on the processing of Personal Data and any substantial changes that may occur in it.
  • Access and know free of charge the personal data that is subject to processing in accordance with the provisions of the law, in the processing of personal data.
  • Please refrain from answering questions about sensitive data. Answers regarding sensitive data or data about children and adolescents will be optional.
  • Others granted by current legal regulations.

TITLE VIII: Obligations of the Company as Data Controller

THE CONTROLLER hereby wishes to inform you of the duties that he/she assumes in his/her capacity as controller of the processing:

  • Guarantee the Owner, at all times, the full and effective exercise of his or her rights.
  • The data controller must seek the means through which to obtain express authorization from the data owner to carry out any type of processing and keep a copy of said authorization.
  • The Data Controller must clearly and expressly inform its users, employees, suppliers and third parties in general from whom it obtains data, the treatment to which they will be subjected, the purpose of said treatment and the rights that assist it by virtue of the authorization granted. To do so, THE CONTROLLER must design the strategy through which for each event, mechanism or request for data that is made, it will inform them of the respective treatment in question.
  • Inform the data owners in each case of the optional nature of responding and providing the respective information requested.
  • In all cases where data is collected, all data subjects must be informed of their rights with respect to their data.
  • Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access.
  • Provide the identification, physical or electronic address and telephone number of the person or area that will be responsible for the treatment.
  • Guarantee at all times to the owner of the information the full and effective exercise of the right to habeas data and petition, that is, the possibility of knowing the information that exists or is stored in the database about him, requesting the updating or correction of data and processing queries, all of which will be carried out through the consultation or claim mechanisms provided for in this manual.
  • Maintain the records of stored personal data with the appropriate security measures to prevent their deterioration, loss, alteration, unauthorized or fraudulent use and periodically and promptly update and rectify the data, whenever the data owners report new developments or requests.
  • Ensure that the information provided to the Data Processor is true, complete, accurate, up-to-date, verifiable and understandable.
  • Update the information, communicating in a timely manner to the Data Processor all new developments regarding the data that you have previously provided and adopt the other measures necessary to ensure that the information provided remains up to date.
  • Rectify information when it is incorrect and communicate the relevant information to the Data Processor.
  • Provide the Data Processor, as appropriate, only with data whose processing has been previously authorized in accordance with the provisions of this Manual.
  • Demand that the Data Processor respect the security and privacy conditions of the Owner's information at all times.
  • Process queries, complaints and requests made under the terms set out in the Law or in this Manual.
  • Adopt an internal manual of policies and procedures to ensure proper compliance with the Personal Data Protection Law and, in particular, to address queries, complaints and requests.
  • Inform the Data Processor when certain information is being discussed by the Owner, once the request has been submitted and the respective process has not been completed.
  • Inform, at the request of the Owner, about the use given to their data.
  • Inform the data protection authority when security code violations occur and there are risks in the management of the information of the Holders.

TITLE IX: Transmission and International Transfer of Data

On the occasion of the activities carried out by THE CONTROLLER, its parent company, subsidiaries, affiliates, branches and business group, it may use the transfer and/or transmission of information to be processed by responsible third parties within and outside the national territory. This transfer of personal data must be carried out in strict compliance with the provisions of this Processing Policy and the security standards implemented by THE CONTROLLER. THE CONTROLLER is authorized to carry out international transmission and transfer of data between its parent company, subsidiaries, affiliates, branches and business group.

TITLE X: Data Security

Our platform has all the required licensing in all aspects of software development, infrastructure and third-party tools. With the required licensing levels that adapt to the needs of each situation and with support from manufacturers and experts.

This also applies to access to the data of our clients, suppliers and collaborators, since these accesses are protected by auditing concepts and are only granted through controlled access tools such as VPNs or proprietary tools that control and audit access.

Likewise, access to information by our collaborators is protected by filters and security levels that guarantee the restriction of the information based on roles and responsibilities. A detailed record is kept of any query or modification of the information with audit data responding to who, when and what was done.

TITLE XI: Authorization for Treatment

For the processing of personal information, THE CONTROLLER will request prior and informed authorization from the owners of the information, which may be in writing, verbally or through unequivocal conduct such as that granted through digital media such as web pages, social networks or WhatsApp. THE CONTROLLER will retain proof of the authorizations obtained for the processing of the data.

TITLE XII: Procedure for the presentation of Claims, Queries and Complaints

THE CONTROLLER will have the following procedures for handling questions, complaints, queries, claims and suggestions submitted by the Information Holders:

Questions:

The owner of the information, his/her successors in title or any other person with a legitimate interest, will make inquiries through written communication or by email, in which:

  • Determine your identity, including your name and identification number.
  • The reason for the consultation must be clearly and expressly specified.
  • The legitimate interest with which the action is taken must be accredited, attaching in all cases the appropriate supporting documents.
  • The physical or electronic correspondence address to which the response to the request can be sent is indicated.
De conformidad con el artículo catorce (14) de la Ley 1581 de 2012, se establece que: “La consulta será atendida en un término máximo de diez (10) días hábiles contados a partir de la fecha de recibo de la misma. Cuando no fuere posible atenderla dentro de dicho término, se informará al interesado, expresando los motivos de la demora y señalando la fecha en que se resolverá su consulta, la cual en ningún caso podrá superar los cinco (5) días hábiles siguientes al vencimiento del primer término».

Claims:

The owner, his successors or any other person with a legitimate interest who considers that the information contained in a database should be subject to correction, updating, deletion, or revocation of the authorization granted for the treatment, or when they notice the alleged non-compliance of any of the duties contained in Law 1581 of 2012, may, by physical or electronic means, submit a timely claim to the responsible area. In accordance with article fifteen (15) of Law 1581 of 2012, said claim will be admissible once compliance with the requirements presented below is verified:

The claim must: i) include the identity of the person making the claim, stating his or her name and identification number; ii) clearly and expressly specify the reason for the query; iii) prove the legitimate interest with which the claimant is acting, attaching in all cases the appropriate supporting documents; and iv) indicate the physical or electronic address for correspondence to which the response to the request should be sent. If the claim is found to be incomplete, "the interested party will be required within five (5) days following receipt of the same to correct the deficiencies. After two (2) months from the date of the request, without the applicant submitting the required information, it will be understood that he or she has withdrawn the claim."

In the event that THE CONTROLLER is not competent to resolve the claim, it will forward it to the appropriate party within a maximum period of two (2) business days and will inform the interested party of the situation.

«Una vez recibido el reclamo completo, se incluirá en la base de datos una leyenda que diga “reclamo en trámite” y el motivo del mismo, en un término no mayor a dos (2) días hábiles. Dicha leyenda deberá mantenerse hasta que el reclamo sea decidido”.

“The maximum term to address the claim will be fifteen (15) business days counted from the day following the date of receipt. When it is not possible to address it within said term, the interested party will be informed of the reasons for the delay and the date on which the claim will be resolved, which in no case may exceed eight (8) business days following the expiration of the first term.”

The request for deletion of information and revocation of authorization will not proceed when the Owner has a legal or contractual obligation to remain in the database with THE CONTROLLER.

TITLE XIII: Handling of Queries and Complaints

THE CONTROLLER has an area responsible for handling and resolving queries and complaints from personal data holders or persons authorized to do so. Holders may submit their queries and complaints through the following channels:

  • Email: comercial@corgasa.pe.
  • Physical address: Riomar Street C-12, Belén, Maynas, Loreto, Peru.

TITLE XIII: Modifications to the Policy

THE CONTROLLER reserves the right to modify the privacy policy for personal information at any time. To this end, a notice will be published on the website or in the mechanism enabled by THE CONTROLLER 15 business days prior to its implementation and during the validity of the policy. In the event of disagreement with the new policies for handling personal information, the owners of the information or their representatives may request the removal of their information through the means indicated above. However, the removal of data may not be requested as long as a link of any kind with THE CONTROLLER is maintained.

TITLE XIII: Validity of Databases

The Personal Data provided will be kept as long as its deletion is not requested by the interested party (unless it is requested and there is a legal obligation to keep them). THE CONTROLLER's databases will have an indefinite period of validity since the processing of the same will be necessary while THE CONTROLLER exists and the development of its corporate purpose, in any case this term will not be less than (50) years. This version of this policy is effective from the date of its publication, which completely replaces any previous data processing provision or policy, and will be valid indefinitely and for as long as THE CONTROLLER carries out the activities described therein and they correspond to the processing purposes that inspired this policy.

en_USEnglish