Privacy Policy
ISLA CORONA PRIVACY POLICY
1. OBJECTIVE
In order to comply with the provisions of the Constitution, Law 1581 of 2012, the Regulatory
Decree 1377 of 2013 and other complementary provisions, this policy is prepared to report on
the collection, storage, use, circulation, deletion and all activities that constitute processing of
personal data carried out by ISLA VERDE CARTAGENA S.A.S. (hereinafter “ISLA VERDE”),
identified with TIN 901.682.824-6 and located at Carrera 11 A No. 93 - 52 Office 701 Bogotá
D.C., Colombia.
2. SCOPE
This policy regulates all organizational processes of ISLA VERDE that involve the treatment of
personal data and seeks to inform all persons, who have provided or will provide their personal
data to ISLA VERDE, about the policy that applies to all databases and personal data contained
therein.
This Policy was developed based on the provisions contained in Articles 15 and 20 of the
Political Constitution, Law 1581 of 2012 “Whereby general provisions are issued for the
protection of personal data” and its regulatory decrees compiled in Decree 1074 of 2015 Sole
Regulatory Decree of the Industry, Commerce and Tourism sector.
This policy only applies to ISLA VERDE for the processing of information, and in no way covers
personal information processing activities carried out by or at the instruction of third parties, such
as airlines, car rental companies, tour operators, physical or online travel agencies, or partners in
marketing or advertising activities and other service providers.
3. LEGAL FRAMEWORK
This policy was developed taking into account the current legislation on Personal Data Protection:
Statutory Law 1581 of 17 October 2012, Decree 1377 of 2013 ‘By which Law 1581 of 2012 is
partially regulated’ and Article 2.2.2.2.25.1.1 section 1 chapter 25 of Decree 1074 of 2015.
4. DATABASES
ISLA VERDE stores the personal data it collects for the purposes mentioned in this Policy and in
the respective authorizations, in physical and/or digital databases, which are identified within an
internal inventory generated in compliance with the Principle of Demonstrated Responsibility.
Being a subject bound by the provisions of the Superintendence of Industry and Commerce,
ISLA VERDE will register the databases on which it acts as the party responsible for the
processing before the National Registry of Databases, as well as the monthly, semi-annual
and/or annual reports that are required.
The databases, as well as the information contained therein, will be available in accordance with
the execution of the activities for which they were collected, and in accordance with the
processing and storage parameters set out in this privacy policy.
5. DEFINITIONS
For the purposes of this Policy, the following terms shall have the following meanings:
● Authorization: Prior, express and informed consent of the data subject to carry out the
processing of personal data.
● Privacy Notice: Verbal or written communication generated by ISLA VERDE addressed
to the data subject for the processing of personal data, by which they are informed about
the existence of this policy for the handling and processing of personal data of ISLA
VERDE, how to access it and the purposes of the processing that the company intends
to give to the personal data.
The privacy notice is used only in the event that ISLA VERDE is not able to make this
Policy available to the public.
● Database: An organized set of personal data which is the subject of processing.
● Query: Request made by the data subject, persons authorized by the data subject or by
law, to access the information contained in any database of ISLA VERDE, whether it is
contained in an individual record or is linked to the identification of the data subject.
● Personal Data: Any data related or that can be associated to one or several determined
individuals.
● Publicly Available Personal Data: Data that is neither semi-private, nor private, nor
sensitive, and which by its nature may be found in public records, public documents,
official gazettes, official bulletins and/or duly executed court rulings that are not subject
to confidentiality.
● Publicly available data includes, among others, data related to the civil registry of
individuals, their profession or trade and/or their status as merchants or public
employees.
● Confidential Personal Data: It is the data that is only relevant to its subject.
● Non-sensitive Personal Data: Data whose knowledge or disclosure may be of interest
to the data subject and to a certain sector or group of people.
● Sensitive Personal Data: Data that might affect the privacy of the data subject or
whose misuse may result in discrimination, such as those that reveal racial or ethnic
origin, political orientation, religious or philosophical convictions, membership in trade
unions, social organizations, human rights organizations or those that promote the
interests of any political party or that guarantee the rights and guarantees of opposition
political parties, as well as data related to health, sex life and biometric data.
● Party in Charge of Processing: Individual or legal entity, public or private, that by itself
or in association with others, carries out the Processing of personal data on behalf of the
Party Responsible.
● Personal Data Protection Officer: Area or person in the organization in charge of the
personal data protection function.
● Claim: Request by the data subject or persons authorized by the data subject or by law
to correct, update or delete their personal data or to revoke authorization in the cases
established by law.
● Party Responsible for the Data: Individual or legal entity, public or private, that by
itself or in association with others, decides on the database and/or the processing of
the data.
● Data Subject: Individual whose personal data is the subject of processing.
● Processing: Any action or set of actions taken over personal data, such as collection,
storage, use, distribution or deletion.
● Transfer: It occurs when the Party Responsible, located in Colombia, sends personal
data to a third party recipient, located within or outside the country, and which in turn
becomes the Party Responsible for the Data.
● Transmission: It occurs when the Party Responsible for the Data that is located within
or outside the country, shares personal data for its processing by the Party in Charge of
the Processing located within or outside the country.
6. PRINCIPLES
Principle of Legality in Data Processing: Data processing is a regulated activity that must be
subject to the provisions of the law and other provisions that implement it.
Principle of Purpose: Processing must be carried out for a legitimate purpose in accordance
with the Constitution and the law, which the Data Subject must be informed of.
The purpose of the ISLA VERDE databases is established by current regulations and/or the
operational needs of the company.
The data collected will not be used for purposes other than those established in the authorization
granted by the data subject and/or for those legally and contractually authorized.
Principle of Freedom: Processing may only be carried out with the prior explicit and informed
consent of the data subject. Personal data may not be obtained or disclosed without prior
authorization, or in the absence of legal or judicial mandate that relieves the consent.
In the event that data are collected, the data subject must be informed clearly, sufficiently and in
advance of the purpose of the processing of the information provided and, therefore, data may
not be collected without the clear specification of the purpose of the processing thereof.
Principle of Veracity or Quality: The data subject to processing must be truthful, complete,
accurate, updated, verifiable and understandable. The processing of partial, incomplete,
fragmented or misleading data is prohibited.
Principle of Transparency: The data subject has the right to obtain information about their data
at any time, without restriction, from the party responsible for it or the one in charge of its
processing, in accordance with the applicable regulations.
Principle of Restricted Access and Distribution: Personal data, except for public information,
shall not be available on the Internet or other means of distribution or mass communication,
unless access is technically controllable to provide restricted knowledge only to data subjects or
authorized third parties
Principle of Security: The data subject to processing by the party responsible for it or in charge
of its processing shall be handled with the technical, human and administrative measures
necessary to ensure the security of the records, avoiding their adulteration, loss, unauthorized or
fraudulent consultation, use or access.
Principle of Confidentiality: All persons involved in the processing of personal data that are not
of a public nature are obliged to guarantee the confidentiality of the data, even after the end of
their participation in any of the tasks involved in the processing.
7. DATOS DEL RESPONSABLE DEL TRATAMIENTO.
Legal Name: ISLA VERDE CARTAGENA S.A.S.
Address: Carrera 11 A No. 93 – 52 Oficina 701, Bogotá D.C., Colombia
E-mail: protecciondedatosislaverde@oxohotel.com
Phone: (57) (1) 7451400
Website: www.oxohotel.com
The Responsible Party may appoint a third party to manage the hotel unit or the hotel and its
business in its capacity as operator. The third party may enter into and execute all necessary and
inherent acts related to the commercial activities of the ordinary course of business of the hotel.
8. PROCESSING AND PURPOSE OF PERSONAL DATA COLLECTION
ISLA VERDE will process your personal data, that is to say, it will carry out activities such as
collection, storage, use, circulation, transmission or deletion, in order to comply with the normal
development of the corporate purpose of our company and our relationship with the data
subjects. Within this purpose, we will process your personal data in order to:
● Processing of Guests’ Personal Data
ISLA VERDE may carry out the processing of the personal data of its customers for the
purposes of engaging and providing professional services contracted by them. In this
sense, they will be processed within the framework of the object of the services
contracted by the guest, in order to comply with the business relationship entered into
with this, consisting of the collection, storage, use, distribution, transmission or deletion of
these data from our databases for the following purposes: Administrative management,
administrative procedures, customer loyalty, booking management, internal statistics
management, opinion surveys, collection and payment management, billing management,
economic and accounting management, tax management, marketing, commercial
prospecting, data update campaigns, data transmission and/or transfer, information
queries, processing that in any case falls within the following activities:
Establish a smooth, current and constant communication in relation to services, products,
promotions, programming and everything related to the corporate purpose. To carry out
marketing, promotion and/or advertising activities of its own or of third parties repeatedly
in accordance with the provisions of Law 2300 of 2023, sales, billing, collection,
schedules, market intelligence, service improvement, verifications and consultations,
control, behavior, habit, and enabling of means of payment, fraud prevention, as well as
any other related to the products and services, current and future, for the fulfillment of the
contractual obligations and the corporate purpose, which users and/or clients expressly
authorize to be sent through any means of communication, virtual, social networks, mail,
voice, SMS, instant messaging applications and any other that is developed for the
massive or personal sending of information in accordance with the provisions of Law 2300
of 2023 and Law 1581 of 2012, that is, unless they indicate that they do not authorize any
of the indicated channels.
Evaluate the quality of products and services, and conduct studies on consumption
habits, preference, purchase interest, product testing, concept, service evaluation,
satisfaction and others related to services and products. Carry out everything that is
necessary to comply with the obligations inherent to the contracted services and products.
Comply with the obligations contracted with customers, users, suppliers, partners,
subsidiaries, distributors, subcontractors, outsourcing and other public and/or private third
parties, directly or indirectly related to the corporate purpose of the company.
Inform about changes in products and services related to the ordinary course of business
of the company. The data provided by the booking holder may be processed, collected,
stored, used, circulated, deleted, shared, updated, transmitted, in accordance with the
terms and conditions of the above Privacy Policies as applicable, mainly to enable the
provision of its services, for reports to control and surveillance authorities, and also use
for administrative, commercial and advertising purposes and contact with the data
subjects.
ISLA VERDE may transfer or share the personal contact data of the data subjects with
allied companies, for the purpose of sending them commercial information of all types of
products and services through e-mails, text messages and phone calls in accordance with
the provisions of Law 2300 of 2023.
The data related to the payment method is used to request the collection authorization
from the respective entities. Therefore, the data provided in the portal by users and/or
customers such as personal data, card number, expiration dates, at no time is stored or
recorded. Confidentiality agreements are subscribed in any remission of this type of data
to a third party and authorized entity, and the users and/or clients authorize this
processing.
Due to the security applicable to the gateway, no data related to credit and/or debit cards,
or any other electronic means of payment will ever be stored or saved, for which reason
the guest and/or user is obliged to enter all the data related to the card or means of
payment he/she will use, each time he/she makes a transaction on the gateway.
● Processing of Personal Data of Candidates, Current And Former Employees
The processing of the essential personal data of candidates, current and former
employees will be framed in the legal order and by virtue of the status of ISLA VERDE
and will be all that is necessary for the fulfillment of the obligations it has as an employer.
The information subject to processing will be used, among others, to: i) Enter into the
employment contract and proceed with the affiliations to the comprehensive social
security and parafiscal systems, as well as to the unemployment fund; ii) Comply with the
legal and extra-legal labour obligations, in the event that they exist, derived from the
employment contract; iii) Make reports to administrative, police and judicial authorities,
when they so require; iv) Benefits administration; payroll payment; recognition of legal
obligations, audits; accounting reports; statistical analysis; interaction with the entities that
manage or will manage the general social security system, parafiscal collection entities,
Ministry of Labour, Pension and Parafiscal Management Unit, Superintendence of Health,
operator of the Comprehensive Contribution Settlement System, Superintendence of
Industry and Commerce, Regional and National Disability Rating Board; training and
education; access to agreements with third parties; among other processes inherent to
personnel administration; v) Conduct socio-demographic surveys in order to design
activities and strategies that benefit the staff; vi) Development of training; vii) Monitor and
use the images captured through the video surveillance systems installed in the facilities
of ISLA VERDE in order to control and verify the development and performance of work
activities, as well as to carry out administrative and disciplinary investigations when
necessary; viii) Others related to the events in which the information may be susceptible
to be shared.
The information provided by active workers, including that of their family group and
beneficiaries, shall be stored physically, electronically or by other means available for the
term indicated by labor and accounting regulations.
The information provided by applicants or candidates to be employees of ISLA VERDE
and that is collected in the development of the selection process, is intended to proceed
with the i) verification, comparison, evaluation of work and personal skills of prospects
with respect to the selection criteria of ISLA VERDE; ii) schedule interviews and
application of tests to applicants; evaluate directly or through third parties the selection
tests of applicants; iii) report the overall results of the selection process; iv) consult and
evaluate all the information about the applicant for the position that is stored in the
databases of judicial or security records legitimately constituted, of state or private,
national or foreign nature and in any case, the information will be removed from the
information systems of ISLA VERDE when such applicants or candidates are not selected
by ISLA VERDE and/or when for any reason a contract of employment is not concluded
with it.
The information provided by former employees of ISLA VERDE as part of an employment
relationship will be retained by ISLA VERDE under the terms of the applicable regulations
on commercial, labor and occupational hazards, and occupational health and safety
management, and will remain stored physically, in electronic media or other means
available.
● Processing of Personal Data of Minors
ISLA VERDE will guarantee that minors can exercise their rights to freedom of
expression, free development of personality and data.
Thus, in the event that data must be obtained about minors, its provision by the legal
representative or guardian of the minor will be optional.
ISLA VERDE reserves the possibility of bringing to the attention of the authorities
situations that, in its opinion, may endanger the integrity of a minor.
This data will be stored in the database(s) generated for the purposes that its collection
requires, and its processing will be maintained as long as the purposes of its collection
and knowledge are maintained.
● Processing of Personal Data of Suppliers
Data from our suppliers is collected, recorded, stored, managed, used, transmitted,
updated and deleted for the following purposes:
(i) Administrative management, (ii) invoicing management, (iii) economic and accounting
management, (iv) internal statistics management, (v) opinion surveys, (vi) data update
campaigns and information on changes in the processing of personal data, (vii) consult,
compare and evaluate all information about the supplier stored in lawfully constituted
judicial or security background databases, of a state or private, national or foreign nature,
or any commercial or service database that allows for the comprehensive establishment
of behaviour as a supplier, including consultations in the lists for the prevention and
control of money laundering and financing of terrorism, viii) attention of information
queries, ix) sending correspondence, emails, social networks, messages through instant
messaging applications, SMS, or telephone contact as an activity of the execution and / or
performance of the contractual relationship and / or in the development of promotional
and marketing activities, x) manage the process of archiving, updating systems, protection
and custody of information and databases of ISLA VERDE, xi) issuance of certifications
relating to the business relationship between the data subject and ISLA VERDE, xii)
delivery of information to inspection, monitoring, control, regulatory bodies or internal or
external auditors, xiii) to make payments for services rendered or products sold by the
supplier, xiv) for the preparation of invitations for quotations, xv) to keep it for statistical
and historical purposes and/or to comply with legal obligations regarding the conservation
of information and documents and, xvi) to transmit data to any country within the
framework of the commercial relationship between the PARTIES.
● Processing of Personal Information in the Commercial and Marketing Operations
ISLA VERDE may use the personal information of the data subject to provide information
to guests, offer promotions and special offers, as well as to share other marketing
messages such as surveys, sweepstakes and contests. Communications may be made
through email, physical mail, online ads, phone calls, text messages (including SMS and
MMS), and other means, unless expressly stated that any of the above channels are not
authorized in accordance with the provisions of Law 2300 of 2023.
● Processing of Personal Information in its Investor Relations Activities
As part of its administrative and communication duties with investors, ISLA VERDE
collects and stores personal information of the co-owners, in order to send them
information of interest about their activities and financial data and to respond to their
concerns. Such information is treated in accordance with this policy and within the
contextual framework of Law 1581 of 2012 and its regulations.
● Processing of Sensitive Data
ISLA VERDE, in the normal development of its operations, does not process sensitive
data; however, in case it is imperative to do so (as is the treatment of medical disabilities
of its employees and contractors), it will have the corresponding authorizations, prior to
having informed the data subject: i) That it is not obliged to authorize the processing of
sensitive data. ii) That it is optional to answer questions that deal with sensitive data. iii)
The sensitive data to be processed. iv) The processing and the purposes thereof.
This data will be stored in the database(s) created for the purposes that its collection
requires, and its processing will be maintained as long as the purposes of its collection
and/or the legal obligation to maintain the storage of such data is maintained, with the
understanding that ISLA VERDE may not condition any activity to the provision of
sensitive personal data unless it is absolutely necessary for the corresponding activity.
● Processing of Data in Video Surveillance Systems
ISLA VERDE also has security cameras in its facilities, through which your personal
image will be recorded every time you visit the facilities. These images will only be
accessible to the Security Department of ISLA VERDE in case of violation or suspected
violation of the security measures implemented.
The personal images of people who visit our facilities will be recorded in our DVR for a
period of thirty (30) days and then automatically deleted. ISLA VERDE will only use the
personal data in order to ensure the security of entry to the facilities, make the registration
of visitors and advance administrative or criminal investigations in those cases where the
above is necessary for security issues. If a crime is detected, the images may be
extracted and kept for a longer period of time and will only be shared by order of a
competent authority or for the security purposes of the company.
● Processing of Personal Data of Website Users
ISLA VERDE collects through the contact channels provided on its website personal data
of those who are interested in establishing contact with ISLA VERDE. These channels are
composed of a registration form and collection of personal data, as well as an
authorization checkbox through which the data subjects give ISLA VERDE their consent
for their personal data to be processed.
This data will be disclosed to the data subject, to third parties with the express
authorization of the data subject, or when requested by a Competent Authority.
The purposes for which these personal data are used are:
a) To process the request, complaint or claim included in the message of the web contact
form;
b) Send information from ISLA VERDE , from allied companies, or that which is
considered of interest, for commercial and marketing purposes, via email, text
messages (SMS), instant messaging tools or by phone to the contact phone number
provided.
c) To meet the requirements of authorities in the exercise of their functions.
d) Keep it for statistical and historical purposes and/or to comply with legal obligations
regarding the conservation of data and documents.
e) Conduct surveys of knowledge and satisfaction of the service provided.
This data will be stored digitally in the database(s) generated for the purposes required
for its collection, which are within the inventory of internal databases of ISLA VERDE.
DATA STORAGE TERM: ISLA VERDE processes and stores personal data in strict compliance
with applicable laws, in accordance with the purposes for which such data is collected.
Therefore, the data will be stored and retained only for the period appropriate and strictly
necessary for the purposes for which they were collected, except if (i) there is a specific legal
requirement to store the data for a specific period, (ii) the data must be stored for a longer period
to defend any rights and interests in a judicial or administrative proceeding, up to one (1) year
after the final disposition of the relevant judgment, or (iii) the right of deletion or revocation of the
authorization is exercised within the legal limits. It should be noted that, apart from the
exceptions listed above, the personal data processed for the aforementioned purposes will be
kept for a maximum of twenty (20) years, a period that will be automatically renewed unless there
is a request from the owner of the information to proceed to its deletion or revocation of the
authorization.
9. RIGHTS OF DATA SUBJECTS
In accordance with the provisions of Article 8 of Law 1581 of 2012, the data subject shall have
the following rights:
● Know, update and rectify their personal data, which are contained in the company's
databases.
● Know upon request the treatment that will be given to their personal data.
● Request the respective proof of authorization for the use of their personal data.
● To revoke all or part of the authorization for the use of their personal data.
● Raise their complaints before the Superintendence of Industry and Commerce, for
non-compliance with the provisions of Law 1581 of 2012, once you have exhausted
the respective process before the party responsible for the processing.
● Access free of charge to your personal data that has been subject to processing.
The rights of the data subjects may be exercised by the following persons:
● By the data subject, who must prove their identity sufficiently by the various means made
available by ISLA VERDE, which, for this purpose may maintain mechanisms to validate
the information.
● By their assignees, who must prove such status.
● By the representative and/or attorney-in-fact of the data subject, upon accreditation of the
representation or power of attorney.
10. OBLIGATIONS OF THE PARTY RESPONSIBLE FOR PROCESSING
ISLA VERDE as the party responsible for the processing must comply with the following
obligations, without prejudice to the other provisions of Law 1581 of 2012 and others governing
its activity:
a. Guarantee the data subject, at all times, the full and effective exercise of the right of
Habeas Data.
b. Request and keep, under the conditions provided by law, a copy of the respective
authorization granted by the data subject.
c. Duly inform the data subject about the purpose of the collection and the rights they are
entitled to by virtue of the authorization granted.
d. Keep the information under the security conditions necessary to prevent its adulteration,
loss, consultation, unauthorized or fraudulent use or access.
e. Guarantee that the information provided to the party in charge of the processing is truthful,
complete, accurate, updated, verifiable and understandable.
f. Update the data, communicating in a timely manner to the party in charge of the
processing, all changes regarding the data previously provided and take other necessary
measures to ensure that the information provided to them is kept up to date.
g. Rectify the data when it is incorrect and communicate the pertinent to the party in
charge of the processing.
h. Provide to the party in charge of the processing, as the case may be, only data whose
processing is previously authorized in accordance with the provisions of the law.
i. Require the party in charge of the processing at all times to respect the conditions of
security and privacy of the data subject's data.
j. Process queries and claims submitted in accordance with the terms set forth in the law.
k. Adopt an internal manual of policies and procedures to ensure proper compliance with
the law and, in particular, for the handling of queries and claims.
l. Inform the party in charge of the processing when certain information is under
discussion by the data subject, once the claim has been filed and the respective process
has not been completed.
m. Inform at the request of the data subject about the use given to their data.
n. Inform the data protection authority when there are violations to the security codes and
there are risks in the management of the data subjects' data.
o. Register in the database the label “claim in process” in the manner established in this
policy;
p. Insert in the database the label “information under judicial discussion” once notified by the
competent authority about judicial proceedings related to the quality of the personal data:
q. Refrain from circulating information that is being disputed by the data subject and whose
blocking has been ordered by the Superintendence of Industry and Commerce;
r. Allow access to the information only to persons authorized by the data subject or entitled
by law to that effect.
11. QUERIES PROCESSING
The company will guarantee the right to inquire, informing the data subjects of any information
contained in their records and that is directly related to their personal data, upon proof of identity
or that of their representative.
For the attention of queries, ISLA VERDE has the following channels:
a. Customer service line: (57) (1) 7451400
b. E-mail: protecciondedatosislaverde@oxohotel.com
c. Address: Carrera 11 A No. 93 - 52 Office 701, Bogotá D.C., Colombia
Queries, regardless of the means used, will be dealt with within a maximum of ten (10) working
days from the date of receipt. When it is not possible to deal with the query within the
aforementioned period, the data subject shall be informed before the expiry of the established
time, stating the reasons for the delay and indicating the date on which the query will be dealt
with, which may not be more than five (5) working days following the expiry of the first deadline.
12. CLAIMS AND COMPLAINTS PROCESSING
Data subjects who consider that the information contained in the databases of ISLA VERDE
should be corrected, updated or deleted, or when non-compliance with the duties defined in Law
1581 of 2012 is identified, may submit the respective complaint to the company, through the
previously informed channels.
The following procedure shall be followed for the processing of complaints:
- The claim shall be made by request addressed to ISLA VERDE, with the identification of
the data subject, the description of the facts giving rise to the claim, the address, and
accompanying supporting documents.
- If the claim is incomplete, the interested party will be required within five (5) days of
receipt of the claim to rectify it. After two (2) months from the date of the request, if the
applicant has not submitted the required information, it will be understood that the claim
has been withdrawn.
- In the event that the person who receives the complaint is not competent to resolve it,
they shall transfer it to the appropriate person within a maximum of two (2) working days
and inform the interested party of the situation.
- Once the completed complaint has been received, a label stating ‘complaint in process’
and the reason for the complaint will be included in the database within a period not
exceeding two (2) working days. This label must be maintained until the complaint is
decided.
- The maximum term to deal with the claim will be fifteen (15) working days from the day
following the date of receipt. When it is not possible to deal with the claim within this
period, the interested party will be informed of the reasons for the delay and the date on
which the claim will be dealt with, which in no case may exceed eight (8) working days
following the expiry of the first period.
13. AUTHORIZATIONS AND CONSENT
The collection, storage, use, circulation or deletion of personal data by ISLA VERDE requires the
free, prior, express and informed consent of the data subject.
● METHODS FOR GRANTING AUTHORIZATION
The authorization may be stated in a physical or electronic document, text message, voice
recordings, internet, web sites, or by means of a suitable technical or technological mechanism
that allows to express or obtain the consent via click or double click, or in any other format that
allows to guarantee its subsequent consultation.
The authorization shall be issued by the company and made available to the data subject and
shall inform the data subject of the following:
- The processing to which your personal data will be subjected and the purpose of
such processing.
- The optional nature of the response to the questions asked, when they deal with
sensitive data or with the data of minors.
- Their rights as data subjects under Article 8 of Law 1581 of 2012.
- The identification, physical or electronic address of ISLA VERDE.
● PROOF OF AUTHORIZATION
ISLA VERDE will use the necessary mechanisms to maintain records or suitable technical or
technological mechanisms that preserve the authorisations given by the data subjects for the
processing of their personal data. To comply with the above, physical files or electronic
repositories may be established directly or through third parties contracted for this purpose.
● AUTHORIZATION FOR THE PROCESSING OF SENSITIVE DATA
In the case of the collection of sensitive data, the following requirements must be met:
- Authorization must be explicit.
- The data subject must be informed that they are not obliged to authorize the
processing of such information unless it is absolutely necessary for the provision of
the services of ISLA VERDE.
- The data subject must be informed explicitly and in advance which of the data to
be processed is sensitive and the purposes of the processing.
● INSTANCES IN WHICH AUTHORIZATION IS NOT REQUIRED
The authorization of the data subject will not be necessary when it concerns:
a. Information required by a public or administrative entity in the exercise of its legal
functions or by court order
b. Data of a public nature
c. Cases of medical or health emergency
d. Processing of data authorized by law for historical, statistical or scientific purposes
e. Data related to the Civil Registry of Persons
In any case, the processing of personal data that do not require prior authorization will be
carried out in compliance with all the provisions included in the law.
● REVOCATION OF AUTHORIZATION
Data subjects may revoke their consent to the use and processing of their personal data at any
time, as long as it is not prevented by a legal or contractual provision. The revocation may be
partial or total, which is why the scope of the revocation must be clarified by the data subject at
the time of requesting the revocation.
● AUTHORIZATION FOR THE PROCESSING OF DATA OF MINORS
When it comes to the collection and processing of data of minors, the following requirements
must be met:
- Authorization must be granted by individuals who are authorized to represent the
minor. The minor's representative must guarantee the right to be heard and
assess their opinion of the process, taking into account their maturity, autonomy
and capacity to understand the matter.
- Notice should be given that this data is an optional response.
- The processing must respect the best interests of the minor and ensure respect
for their fundamental rights.
14. REQUEST OF JUDICIAL OR ADMINISTRATIVE AUTHORITIES
For the provision of data to judicial or administrative authorities, the Constitutional Court's
ruling C-748 of 2011 must be followed:
● The public or administrative entity must justify its request indicating the link between the
need to obtain the data and the fulfillment of its constitutional or legal functions.
● Secondly, with the delivery of the data, the public or administrative entity will be informed
that it has the duty to comply with the obligations and requirements imposed by Law
1581 of 2012, as the party responsible for the data, or in charge of its processing in
certain cases.
● The receiving administrative entity must comply with all legal mandates that exist for the
date of receipt of the data, especially the principles of purpose, legitimate use, restricted
distribution, confidentiality and security.
15. DATABASES
ISLA VERDE stores the personal data it collects for the purposes mentioned in this Policy and in
the respective authorizations, in physical and/or digital databases, which are identified within an
internal inventory generated in compliance with the Principle of Demonstrated Responsibility.
Being a subject bound by the provisions of the Superintendence of Industry and Commerce,
ISLA VERDE will register the databases on which it acts as the party responsible for the
processing before the National Registry of Databases, as well as the monthly, semi-annual
and/or annual reports that are required.
The databases, as well as the information contained therein, will be available in accordance with
the execution of the activities for which they were collected, and in accordance with the
processing and storage parameters set out in this privacy policy.
16. SECURITY MEASURES
Pursuant to the principle of security established in the current regulations on privacy and
protection of personal data, ISLA VERDE will adopt the technical, human and administrative
measures necessary to provide security to the records avoiding their adulteration, loss,
consultation, use or unauthorized or fraudulent access.
In particular, all ISLA VERDE employees, contractors and those in charge of the use of personal
data that are not of a public nature, are obliged at all times to guarantee the confidentiality of the
data.
17. INTERNATIONAL TRANSFER OF PERSONAL DATA
De acuerdo con el Título VIII de la Ley 1581 de 2012, se prohíbe la transferencia de datos
personales a países que no proporcionen niveles adecuados de protección de datos. Se
entiende que un país ofrece un nivel adecuado de protección de datos cuando cumpla con los
estándares fijados por la Superintendencia de Industria y Comercio sobre la materia, los cuales
en ningún caso podrán ser inferiores a los que la ley exige a sus destinatarios. Esta prohibición
no regirá cuando se trate de:
- Información respecto de la cual el Titular haya otorgado su autorización expresa e
inequívoca para la transferencia.
- Intercambio de datos de carácter médico, cuando así lo exija el tratamiento del Titular por
razones de salud o higiene pública.
- Transferencias bancarias o bursátiles, conforme a la legislación que les resulte aplicable.
- Transferencias acordadas en el marco de tratados internacionales en los cuales la
República de Colombia sea parte, con fundamento en el principio de reciprocidad.
- Transferencias necesarias para la ejecución de un contrato entre el Titular y el
responsable del tratamiento, o para la ejecución de medidas precontractuales siempre y
cuando se cuente con la autorización del Titular.
- Transferencias legalmente exigidas para la salvaguardia del interés público, o para el
reconocimiento, ejercicio o defensa de un derecho en un proceso judicial.
Se debe tener en cuenta que, en los casos no contemplados como excepción, corresponderá a
la Superintendencia de Industria y Comercio proferir la declaración de conformidad relativa a la
transferencia internacional de datos personales.
18. COOKIES OR WEB BUGS.
The ISLA VERDE website does not use cookies or web bugs to collect personal data of the user,
but its use is limited to facilitate the user's access to the website. The use of session cookies,
which are not permanently stored on the user's computer and disappear when the browser is
closed, are only limited to collecting technical information to identify the session to facilitate safe
and efficient access to the website, in order to provide better service on the page.
If you do not wish to allow the use of cookies, you can reject them or delete existing ones by
configuring your browser (Internet Explorer, Firefox, Safari, Chrome, among others), and
disabling the Javascript code of the browser in the security settings.
Most web browsers allow you to manage your cookie preferences, however, it should be noted
that if you choose to block them may affect or prevent the operation of the page. Also, one of the
third party services that may be used to track activity related to the service, e.g. Google Analytics,
so if you do not want information to be obtained and used, you can install an opt-out system in
your web browser, such as: tools.google.com/dlpage/gaoptout?hl=None.
19. RESTRICTIONS ON THE USE OF THIS POLICY
This Policy is for the exclusive use of ISLA VERDE, therefore, it is forbidden to copy, reproduce,
distribute, transfer, publish and/or translate it, for security reasons and in order to respect
intellectual property, as a creation protected by national and international legislation.
20. EFFECTIVE DATE OF THE POLICY
This policy comes into effect from March 2023 and in any case ISLA VERDE may collect, store,
use or circulate personal data during the time that is reasonable and necessary, according to the
purposes that justified the processing, taking into account the provisions applicable to the matter
in question and the administrative, accounting, fiscal, legal and historical aspects of the
information.
Once the purpose or purposes of the processing have been fulfilled, and without prejudice to
legal provisions to the contrary, the personal data in its possession shall be deleted. However,
personal data must be retained when so required for compliance with a legal obligation or
contractual obligation.
21. AMENDMENTS
This Policy may be modified by ISLA VERDE in accordance with Decree 1377 of 2013.
Any substantial change will be communicated in a timely manner to the data subjects in an
efficient manner, at no later than the time the new policy is implemented