POLICY OF PROCESSING PERSONAL DATA
THE COCKTAIL AMERICA S.A.S.
General considerations
The purpose of this policy is to establish the criteria for the collection, storage, use, circulation, and deletion of personal data processed by The Cocktail America S.A.S. This policy applies to all personal information recorded in the databases of The Cocktail America S.A.S., which acts as the responsible entity for the processing of personal data.
The Cocktail America S.A.S., identified with NIT: 900.552.000-3 (hereinafter "TCK" or "The Cocktail"), located at Cra 9 No. 101-67, 2ND Floor, Building Naos in Bogota, D.C. – Colombia, is a member of The Cocktail business group and provides consulting services in the field of creativity, marketing, processes, strategy, and technology through its different lines of service involving the processing of personal data. TCK counts on the global data protection Security Policies of The Cocktail Group.
The data collected by The Cocktail in Colombia may be shared with the other members of the business group in Spain to fulfill the company's aims. In such cases, It will comply with The Cocktail Group's data protection Security Policies. If such information is to be shared by third parties other than other members of the Business Group, with third parties who are not customers or have no direct interest in the information provided, a contract for the transmission or transfer of personal data must be in place. In accordance with the provisions of Article 26 of Law 1581 of 2012, TCK undertakes not to transfer data to third countries that do not comply with the standards of protection of personal data required by the Superintendence of Industry and Commerce, except as provided by law.
Compliance with these policies is mandatory for all employees of The Cocktail in Colombia, contractors, and third parties acting on behalf of The Cocktail.
The TCK Code of Ethics forms part of this policy. All the employees of The Cocktail must observe these policies in the performance of their duties. In cases with no employment link, a contractual clause must be included to oblige those acting on behalf of The Cocktail to comply with these policies.
Definitions:
- Notice of Privacy: Verbal or written communication generated by the responsible person, addressed to the owner regarding the processing of his personal data, by means of which the existence of policies, the channels of access of said policies, and the purposes of the processing of the personal data is informed.
- Authorisation: Prior, express, and informed consent of the Owner to process his personal data.
- Database: An organised set of personal data that is the subject of the processing.
- Personal Data: Any information related to or that may be associated with one or more specific or determinable persons. (Personal data can be public, semi-private, or private).
- Private data: It is the data that, by its intimate or reserved nature, is only relevant to the Owner.
- Public data: It is that so qualified by law or the National Constitution and that is neither semi-private nor private.
- Semi-private data: It is semi-private data that has no intimate nature, reserved or public, and whose knowledge or disclosure may interest not only its owner but also a particular sector or group of people or the society in general, such as the financial and credit data of commercial activity or services.
- Sensitive Data: It is that which affects the privacy of the Owner, a natural person whose misuse may result in discrimination.
- Responsible for the Processing: It is the natural or legal person of a public or private nature who, acting by itself or in conjunction with others, decides on the database and/or the processing of the data. For the purposes of this document, The Cocktail is understood to be the responsible person for the processing.
- Processing manager: A natural or legal person, public or private, who, by itself or in association with others, carries out the processing of personal data on behalf of the person responsible for the processing.
- Owner of the information: A natural person whose personal data is being processed.
- Process: Any operation or set of operations on personal data such as collection, storage, use, circulation, or deletion of such data.
- Transmission: Processing personal data that involves the communication of these inside and outside the Republic of Colombia and whose purpose is the performance of a process by the person in charge on behalf of the person responsible.
- Transfer: The transfer of data takes place when the responsible person or person in charge of processing personal data, located in Colombia, sends the information or personal data to a recipient, who is in turn responsible for the processing and is located inside or outside the country.
Principles for the processing of personal data
In all processing of personal data carried out by TCK, the managers and/or third parties to whom personal data is given must comply with the principles established in the law and this policy.
- Principle of purpose: The processing must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Owner.
- Principle of liberty: The processing may only be performed with the Owner's prior, express, and informed consent. Personal data may not be obtained or disclosed without prior authorisation, or in the absence of a legal or judicial mandate that relieves consent.
- Principle of veracity or quality: The information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. Processing partial, incomplete, fractional, or misleading data is prohibited.
- Principle of transparency: In the processing, the right of the Owner must be guaranteed to obtain from the responsible person or the person in charge of the processing, at any time and without restriction, information about the existence of data concerning them.
- Principle of access and restricted circulation: The processing may only be performed by persons authorised by the Owner.
- Personal data, other than public information, may not be available on the Internet or other means of mass disclosure or communication unless the access is technically controllable to provide restricted knowledge only to the authorised owners or third parties;
- Principle of security: The information subject to processing by the person responsible for the processing or the person in charge of the processing shall be handled with the technical, human, and administrative measures necessary to provide security to the records preventing their adulteration, loss, consultation, use, or unauthorised or fraudulent access;
- Principle of confidentiality: All persons involved in the processing of personal data that are not public persons are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks involved in the processing, and may only provide or communicate personal data when it corresponds to the development of activities authorised by law.
- Principle of temporality: Personal data shall be retained only for a reasonable and necessary time to comply with the purpose of processing and with the legal requirements or instructions of the supervisory, control, or other competent authorities. Once the purpose(s) have been fulfilled, the data will be deleted. The data will be retained when necessary to comply with a legal or contractual obligation. The rules applicable to each purpose and the administrative, accounting, fiscal, legal, and historical aspects of the information shall be considered in determining the term of the processing.
- Principle of non-discrimination: It is prohibited to carry out any act of discrimination based on information collected in the databases or archives.
- Principle of minimisation of the data: Personal data will always be processed that is suitable, relevant, and limited to what is necessary in relation to the purposes for which they are processed
- Principle of proactive responsibility: All the companies of the Group will be responsible for compliance with these principles and for maintaining a privacy compliance system that allows evidence of compliance with them.
- Principle of integral interpretation of constitutional rights: The rights shall be interpreted in harmony with and in balance with the right to information provided for in Article 20 of the Constitution and with the applicable constitutional rights.
- Principle of necessity: The personal data processed must be strictly necessary to fulfil the purposes pursued with the database.
Process to which personal data will be subjected and its purpose
The Cocktail America S.A.S, in compliance with Law 1581 of 2012 and other related regulations, will carry out processing operations that include data collection, storage, use, circulation, and/or deletion, either as the responsible person for the processing or as the person in charge of the processing on behalf of third parties, when the provision of their services so requires.
These processes will always be carried out with the purposes specified at the time of the data collection and taking into account the specific authorisations granted by the owner of the personal data as well as the existence of a legal or contractual obligation for this purpose.
Within the scope of the social object of The Cocktail America S.A.S and the services it provides in the exercise of its business activity, it performs the processing of personal data with the purposes indicated below, organised by groups of data owners:
In relation to its employees:
The processes carried out are the proper ones to manage the aspects of the working relationship between the worker and The Cocktail America S.A.S. and to comply with the legal obligations of both parties, including company payments to the workers; management of the accounting process; compliance with the requirements related to the Integral Social Security System; control of physical access to the company's headquarters; training of personnel; and compliance with current legislation.
In relation to its customers:
The processes carried out are those necessary to manage the provision of the service to the customers of The Cocktail America S.A.S. provided in any case to legal persons, so the contact data of the persons who dealt with the client companies are processed.
In relation to market research participants:
The processes carried out are those necessary to prepare market studies. The Cocktail America S.A.S performs said processing as the processing manager when the entity that defines and contracts the study is its clients. And as the responsible person for the processing, when the study is for the purposes and conclusions of The Cocktail America S.A.S.
In relation to the suppliers:
The processes carried out are those necessary for the provision of the service as well as the fulfillment of accounting obligations, information on the contracts, and contact details of the legal representatives of the suppliers.
In relation to the candidates:
The processes performed are necessary to manage the curriculum database that the candidates themselves facilitate when they want to be part of the employment exchange of The Cocktail America S.A.S for the recruitment processes.
In relation to the processes of Video surveillance:
For the processes carried out to control access to the different TCK sites, video surveillance mechanisms may be used to broadcast it on visible sites with video surveillance advertisements. This information can be used as evidence in any process before any authority and organisation.
TCK, in general, may also process personal data for the following purposes:
- To comply with Colombian or foreign law and the orders of judicial or administrative authorities.
- Manage applications, complaints, and grievance procedures, and conduct satisfaction surveys.
- Disclose, transfer and/or transmit personal data within and outside the country to companies linked to The Cocktail Group of Companies or third parties as a result of a contract, law, or legal link that so requires or implements cloud computing services, archiving, or managing information.
- To know the information of the data owner that is found in credit information centres or operators of financial, credit, and commercial data banks.
- Within the framework of TCK staff selection processes: a study of curriculum, verification of data provided by the candidate, examination of admission health conditions, affiliations to the Integral Social Security System, and, in general, the process related to internal selection procedures.
- Perform statistical, historical, and marketing analyses based on personal data.
International transfer of personal data
When data is transferred to a responsible person in another country, it will be necessary to have the authorisation of the owner of the information being transferred unless the country offers an adequate level of data protection in accordance with the standards set by the Superintendence of Industry and Commerce.
In this sense, before sending personal data to responsible persons of the process located in another country, those obliged to comply with this policy must verify that it has the prior, express, and unequivocal authorisation of the owner that permits transmission of his personal data or that the country has an adequate level of data protection in accordance with the list developed by the Superintendence of Industry and Commerce.
The Cocktail America S.A.S is part of the group of companies that may be consulted on this link:
https://tcksites-pre.the-cocktail.com/en/contact
In this sense, data communications can be produced between the group's companies to Spain, where the group's head office is located.
In the case of TCK and The Cocktail Business Group, there is a global regulation level of Security Policies in the area of Data Protection, which is fully applicable to the following companies: THE COCKTAIL Global S.L, THE COCKTAIL Experience S.L., THE COCKTAIL America S.L.U, THE COCKTAIL AMÉRICA S.A DE C.V (México) THE COCKTAIL AMÉRICA S.A.S (Colombia). All companies belonging to the Group are located in countries considered safe by the Superintendence of Industry and Commerce.
International and national data transmissions to managers
Also, The Cocktail America S.A.S may transfer and transmit personal data to third-party service providers necessary for the company's own functions. To contract such third parties, measures are taken to ensure that when such third parties have access to the personal data for which The Cocktail America S.A.S or its customers are responsible, they comply with this Policy and the principles of protection of personal data and obligations established in the Law. Among other measures, The Cocktail America S.A.S establishes contractual measures through contracts for the transmission of personal data indicating the scope of the process; the activities that the person in charge of the process will carry out on behalf of The Cocktail America S.A.S; as well as the obligations of the person responsible for the process, which include the processing of the data in accordance with the principles indicated by The Cocktail America S.A.S; and to guarantee the confidentiality and security of the databases to which they access on behalf of The Cocktail America S.A.S or its customers.
Information and authorisation of the owner for the processing of his data
The processing of personal data requires the authorisation of the owner of the same in an informed manner and prior to the collection. This authorisation must also be subject to consultation at a later date.
Authorisation of the owner will not be necessary in cases where there are exceptions provided for by law.
In addition to the present policy of data processing, The Cocktail America S.A.S has provided different mechanisms to always inform the owners of personal data, in advance, of the purposes of processing before collecting the data.
Prior authorisation of the data owner is not required in the following cases:
a) Information required by a public or administrative entity in the exercise of its legal functions or by court order.
b) Data of a public nature.
c) Cases of medical or health emergencies.
d) Processing of information authorised by law for historical, statistical, or scientific purposes.
e) Data related to the Civil Registry of Persons.
The information requested by the data owners will preferably be supplied by electronic means as far as possible, its content being easy to read and access.
Processing of sensitive data and children’s data
If the processing of sensitive data is necessary based on the authorisation of the owner, The Cocktail America S.A.S shall inform the owner of the data, through the means of data collection, that it is not obliged to grant authorisation for the processing of sensitive data.
In any case, the processing of data of minors is prohibited in the provision of services carried out by The Cocktail America S.A.S.
Duties of The Cocktail America S.A.S when acting as the responsible person for the process
The main duties of The Cocktail America S.A.S as the responsible person for the process are, among others, the following:
- Inform the data owner of the purpose of collecting his personal data.
- Inform the data owner of his rights to guarantee the habeas data.
- Ensure the security of the personal data it processes.
- Ensure the security of the personal data processed by the processing managers.
- Comply with ISO 27001 information security policies implemented by The Cocktail Group.
- Duties of The Cocktail America S.A.S when
Duties of The Cocktail America S.A.S when acting as the process manager
The main duties of The Cocktail America S.A.S as the responsible person for the process are, among others, the following:
a) Guarantee the owner, at all times, the full and effective exercise of the right to habeas data.
b) Maintain the information under the necessary security conditions to prevent its adulteration, loss, consultation, use, or unauthorised or fraudulent access.
c) Carry out the timely updating, rectification, or deletion of the data in terms of this law.
d) Update the information reported by the persons responsible for the treatment within five (5) business days of receipt.
e) Process the consultations and the claims formulated by the owners in the terms indicated in the present law.
f) Adopt an internal manual of policies and procedures to ensure adequate compliance with this law and, in particular, for the attention of inquiries and claims by the owners.
g) Record in the database the legend "Claim in Process" in the form in which it is regulated in the present law.
h) Insert in the database the legend "Information Under Judicial Discussion" once notified by the competent authority about judicial proceedings related to the quality of personal data.
i) Abstain from circulating information disputed by the owner whose blockage has been ordered by the Superintendence of Industry and Trade.
j) Allow access to information only to those who are permitted to access it.
k) Inform the Superintendence of Industry and Commerce when violations of security codes occur, and risks exist in the administration of the owners' information.
l) Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
Rights of the data owners
All interest groups in respect of which The Cocktail America S.A.S processes personal data have the right to expect respect in the exercise of their data protection rights. In this sense, all the personnel who work at The Cocktail America S.A.S are obliged to know the procedures for attending the exercise of these rights. In addition, the specific department for handling petitions, inquiries, or complaints is the Legal Department.
The Cocktail America S.A.S has implemented the following mechanisms for the exercise of rights by owners:
- Contact via the following e-mails; opd@the-cocktail.com ; lopd@the-cocktail.com
- Contact at the address listed at the beginning of this policy
TCK and those persons required to comply with this policy must guarantee the following rights to the data owners:
A. Free access at least once a month to the data provided that has been processed.
B. To know, update, and rectify their information in the face of partial, inaccurate, incomplete, fractional, misleading data, or those whose processing is prohibited or has not been authorised.
C. To request proof of the authorisation granted when it is necessary for the specific processing of the owner's personal data.
D. To present to the Superintendence of Industry and Commerce (SIC) complaints for violations of the provisions of the current regulations.
E. Revoke the authorisation and/or request the deletion of the data, provided that there is no legal or contractual obligation that prevents their deletion.
F. Refrain from answering questions regarding sensitive data. Responses on sensitive data or data on girls, boys, and adolescents shall be optional.
The requested information may be provided to the data owner, their successors, or legal representatives.
In addition, the data owners must exercise their rights as follows:
A. Provide personal data in a truthful, accurate, complete, and timely manner.
B. Exercise the rights conferred by law in a correct manner and without abuse.
C. Consult the information published by TCK regarding the protection of personal data.
D. Update the personal data provided.
Procedure for the exercise of owners' rights
The rights of the owners may be exercised by the following persons legitimised in accordance with Article 20 of Decree 1377 of 2013:
A. By the owner who must prove his identity in sufficient form by the different means that TCK makes available to him.
B. For their successors, who must attest to such quality.
C. By the representative and/or agent of the owner, prior accreditation of the representation or agent.
The rights of the children and adolescents shall be exercised by the persons entitled to represent them.
All consultations and claims will be channelled through the means authorised by TCK, which will adopt mechanisms to prove the filing and processing of the same.
The Legal Area will assume the function of protecting personal data and will handle the owners' requests for the exercise of the rights referred to in Law 1581 of 2012, Decree 1377 of 2013, and the present policy. It can be contacted through the following means:
Email: lopd@the-cocktail.com
Website: https://the-cocktail.com
Physical Address: Cra 9 No. 101-67, 2ND Floor, Building Naos in Bogota, D.C. – Colombia
Consultations
The owner of the information, its successors, or any other person with a legitimate interest, shall make inquiries by written communication or by e-mail, which:
A. Determine their identity, including their name and identification number.
B. Clearly and explicitly specify the reason for the query.
C. Attest the legitimate interest with which it acts, attaching in any case the appropriate supports.
D. Indicate the physical or e-mail address to which the request response can be sent.
In accordance with Article 14 of Law 1581 of 2012, it is stated that:
"The consultation will be attended within a maximum period of ten (10) business days counted from the date of receipt of the same. When it is not possible to attend it within said term, the interested party shall be informed, stating the reasons for the delay and indicating the date on which its consultation will be resolved, which in no case may exceed five (5) working days following the expiration of the first term".
Claims
The owner, his successors, or anyone with a legitimate interest who believes that the information contained in a database should be corrected, updated, deleted, or revoked from the authorisation granted for processing or when they notice the alleged failure to comply with any of the duties contained in Law 1581 of 2012, they may, in a timely manner, present a claim to the responsible area. In accordance with Article Fifteen (15) of Law 1581 of 2012, such claim shall be appropriate once compliance with the following requirements is verified:
A. Name and identification of the owner of the data or the legitimate person.
B. Accurate and complete description of the facts that give rise to the complaint.
C. Physical or electronic address to submit the response and report on the status of the transaction.
D. Documents and other relevant evidence you wish to assert.
If the claim is incomplete, the person concerned will be required to correct the failures within five (5) days of receipt of the claim. After two (2) months from the date of the request, without the applicant presenting the required information, it will be understood that the claim has been dismissed.
If the claim is complete, a legend stating "Claim in Process" and the reason for the claim shall be included in the database or information system within two (2) business days. This must be maintained until the claim is decided. The maximum term for handling the claim shall be fifteen (15) business days counted from the day following the date of receipt. When it is not possible to attend to the claim within said term, the interested party shall be informed of the reasons for the delay and the date on which his claim will be considered, which in no case may exceed eight (8) working days following the expiration of the first term.
Once the terms indicated by Law 1581 of 2012 and the other rules that regulate or supplement it have been fulfilled, the Owner who is denied, in whole or in part, the exercise of the rights of access, updating, rectification, deletion, and revocation may bring his case to the attention of the Superintendence of Industry and Commerce – Delegate for the Protection of Personal Data.
Delegate for the Protection of Data
Without prejudice to the need for all staff working in and with The Cocktail America S.A.S to know their data protection obligations, the Cocktail Group has appointed a Data Protection Delegate who has, among other functions, the responsibility to review the compliance system for data protection of the Cocktail group, to verify the proper compliance with the security measures on personal data; and to serve as a link between the different areas of The Cocktail America S.A.S and The Cocktail group to ensure the coordination of data protection aspects.
Security measures
The Cocktail America S.A.S applies to all personal data covered by the defined security policies in order to ensure the appropriate level of security for all personal data in accordance with the risks to which it is exposed.
Validity
This version of the Personal Data Processing Policy is effective from July 12, 2022
The databases in which personal data is recorded shall be valid for the time the information is maintained and used for the purposes described in this policy. Once these purposes are fulfilled and provided there is no legal or contractual duty to retain your information, the data will be deleted from our databases.
TCK reserves the right to review and/or modify this policy if it deems necessary. If changes are made to the policy, please note that it may take up to 30 business days before the new privacy practices are implemented. TCK will publish on its website any changes to this policy, and in the event of substantial changes regarding the purposes for the use of your information and the way to exercise your rights to the data processed by TCK, they will be announced through our site and notified by e-mail, if possible, to allow the manifestation of the acceptance of these changes by the owners of the data.