Data Protection
POLICIES FOR THE TREATMENT OF PERSONAL INFORMATION: GUESTS, CLIENTS, AND USERS:
FIRST: GENERALITIES
We have a special interest in protecting and respecting your information and personal data. Therefore, we have designed these policies for the treatment of information within the framework of Law 1581 of 2012 and Regulatory Decree 1377 of 2013.
1.1. Introduction.
Logística GHL SAS and affiliated companies, operators of the "una experiencia GHL" hotels and responsible for the treatment of information, may collect personal data from their users, guests, or visitors through various means provided for accessing services offered by them. In any case, the collection will be done with explicit authorization from the data subject, and the treatment of this data will be subject to what is established by law.
The personal information subject to the considerations set forth here may be collected directly from the information provided and contained in the hotel registration card, through the website www.ghlhoteles.com, by visiting or acquiring services offered on the platform, or directly at hotels linked or associated with GHL.
The considerations set forth here will be considered accepted by the Data Subject when they sign the Hotel Registration Card regarding the information contained therein, when they visit or use the website www.ghlhoteles.com, and/or when they enter personal data or information through the established functions, regardless of the purpose.
1.2. General Principles.
The collection and gathering of personal data, as well as the use, treatment, processing, exchange, transfer, and transmission of such data, will always be guided by principles of legality, freedom, truthfulness, transparency, security, confidentiality, access principle, and restricted circulation.
1.3. Legal Definitions.
In accordance with Law 1581 of 2012 and Decree 1377 of 2013, the following definitions shall govern the policies for the treatment of personal information.
1.3.1. Authorization: The prior, express, and informed consent of the Data Subject to carry out the Treatment of personal data.
1.3.2. Database: An organized set of personal data subject to Treatment.
1.3.3. Personal data: Any information linked to or that can be associated with one or more identified or identifiable natural persons.
1.3.4. Data Processor: The natural or legal person, public or private, who, by themselves or in association with others, carries out the Treatment of personal data on behalf of the Data Controller.
1.3.5. Data Controller: The natural or legal person, public or private, who, by themselves or in association with others, decides on the database and/or the Treatment of the data.
1.3.6. Sensitive data: Sensitive data refers to information that affects the privacy of the Data Subject or whose misuse could lead to their discrimination. This includes data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations, or data promoting the interests of any political party or ensuring the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.
1.3.7. Public data: Data that is not semi-private, private, or sensitive. Public data includes, among others, data related to the marital status of individuals, their profession or occupation, and their status as a merchant or public servant. Due to their nature, public data can be contained, among other places, in public records, official documents, gazettes, and official bulletins, and legally binding court judgments that are not subject to confidentiality.
1.3.8. Data Subject: The natural person whose personal data is subject to Treatment.
1.3.9. Transfer: Data transfer occurs when the Data Controller and/or Data Processor of personal data, located in Colombia, send the information or personal data to a recipient who is also a Data Controller and is located inside or outside the country.
1.3.10. Transmission: The Treatment of personal data involving the communication of such data within or outside the territory of the Republic of Colombia when the purpose is to carry out Treatment by the Processor on behalf of the Controller.
1.3.11. Treatment: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.
SECOND: DATA SUBJECT'S AUTHORIZATION:
The provided data will be subject to authorized treatment, granted in advance, expressly, and informed by the Data Subject. By providing your data upon checking into the hotel to complete the Hotel Registration Card, you are authorizing the treatment in the terms and conditions set forth in this policy.
Visiting, accessing, or using the website www.ghlhoteles.com constitutes prior, express, and informed authorization for the storage, collection, and treatment of information in accordance with the data treatment policy contained herein.
In any case, data collection will be limited to those personal data that are relevant and suitable for the intended purpose.
THIRD: INFORMATION TREATMENT:
3.1. Collected Data. The collection of data for the development of Treatment and purposes pursued by it will focus on personal data received and stored as a result of completing the Hotel Registration Card, information provided by our guests, clients, visitors, and will include all information provided or provided during visits to the website www.ghlhoteles.com, as well as all information related to services or bookings made, and accommodation and lodging data provided physically or virtually.
Without prejudice to the fact that in some cases these may be public data, the information collected and subject to treatment will correspond to the name, identification document number such as citizenship card, passport, or any other valid form, profession, nationality, date of birth, email address, personal preferences and interests, occupation or activity, consumption habits, or travel habits. If a reservation is made through the website www.ghlhoteles.com, the information related to the credit card provided for reservation and stay purposes will be collected.
3.2. Treatment to Which Data Will Be Subjected and Purpose Thereof.
The data and information obtained will be used in the normal course of their commercial activities only for the purpose established in these information treatment policies, in a way that allows direct and effective communication with the guest, client, or user, leading to establishing a closer relationship and consolidating a business relationship.
The treatment consists of sending digital information through various communication channels, with the intention of contacting the Data Subject to send service surveys after each stay to allow the assessment of the service provided and communicating invitations, offers, promotions, service portfolios, or information about the Hotel or the "una experiencia GHL" hotels. At no time will the data be provided, transferred, or delivered to individuals other than those responsible or in charge of information treatment. Additionally, through data collection, the aim is to: carry out, process, handle, and/or complete hotel night reservations or other services; conduct internal studies on tourism habits; evaluate the quality of our services; send surveys and questionnaires regarding the services provided; promptly address requests, petitions, or needs; communicate invitations, offers, promotions, and general information about the portfolio of services offered by natural or legal persons directly linked to hotel operations and specifically with the services provided.
Authorization for the use of the provided information or data
that are collected, gathered, or stored in accordance with these policies expressly includes authorization for the data and information to be shared, processed, transmitted, transferred, updated, and/or deleted for the purpose defined in these policies, to be used as established.
By accessing the website www.ghlhoteles.com, you authorize your information and data to be shared with the tourism providers referred to and in front of whom your reservations and/or requests are processed.
It is assumed that all information or data provided or entered on the Hotel Registration Card or through the website www.ghlhoteles.com is true, accurate, and complete, and it can be withdrawn at any time if it is considered harmful or detrimental to your interests or the interests of a third party.
The data and generally the information received when accessing the website www.ghlhoteles.com can belong to you or to the device from which you are accessing. In order to optimize and make your experience visiting the website www.ghlhoteles.com more efficient, cookies and/or web beacons may be used, and information about visited internet pages, your IP address, and the operating system of the device from which you are accessing may be obtained and stored. This will be done through a recognition and tracking process that allows identifying your preferences and identifying you when you visit the website again, and storing certain records based on your IP address. The IP address is not associated or linked to your name or personal data.
3.3. Sensitive Data and Data of Children and Adolescents.
Under no circumstances and in no event will sensitive data be treated, nor is data collection intended to gather sensitive information.
The collection of data corresponding to children and adolescents under legal age and the respective authorization must always be given through their legal representative, following the minor's exercise of their right to be heard. The treatment of data corresponding to children and adolescents must respect the best interests and fundamental rights of children and adolescents.
In the event that for any reason a question may lead to a response containing sensitive data or data from girls, boys, or adolescents, the response to such a question will be optional.
3.4.- Responsibilities of the Data Controller.
Data controllers, as well as responsible parties and processors of personal data, commit to: a) Guarantee the Data Subject's full and effective exercise of the right to habeas data at all times; b) Request and retain, under the conditions provided by law, a copy of the respective authorization granted by the Data Subject; c) Properly inform the Data Subject about the purpose of data collection and the rights they have due to the granted authorization; d) Maintain the information under the necessary security conditions to prevent its alteration, loss, consultation, unauthorized or fraudulent use or access; e) Ensure that the information provided to the Processor is truthful, complete, accurate, up-to-date, verifiable, and understandable; f) Update the information by timely informing the Processor of any updates regarding the data previously provided and taking the necessary measures to keep the information supplied to them updated; g) Rectify the information when it is incorrect and communicate the relevant details to the Processor; h) Provide the Processor with only data whose Processing has been previously authorized in accordance with the provisions of this law, when applicable; i) Demand from the Processor at all times respect for the security and privacy conditions of the Data Subject's information; j) Process inquiries and complaints according to the terms indicated in the law; k) Inform the Processor when certain information is under discussion by the Data Subject, once a claim has been filed, and the respective process has not concluded; l) Provide, upon request from the Data Subject, information about the use of their data; m) Report to the data protection authority when security breaches occur and there are risks in the administration of the Data Subject's information; n) Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
FOURTH: RIGHTS AND POWERS OF THE DATA SUBJECT:
4.1.- Rights of the Data Subject. Once the authorization has been granted by the Data Subject for the corresponding processing, they have the right to: a) Know, update, and rectify their personal data. This right can be exercised in relation to partial, inaccurate, incomplete, misleading, or prohibited data or data whose processing has not been authorized; b) Request proof of the granted authorization, except when expressly exempted as a requirement for processing, in accordance with Article 10 of Law 1581 of 2012; c) Be informed by the responsible party and/or processor of personal data, upon request, about the use that has been given to their personal data; d) File complaints with the Superintendence of Industry and Commerce for breaches of the law; e) Revoke the authorization and/or request the deletion of data when the processing does not comply with constitutional and legal principles, rights, and guarantees. Revocation and/or deletion will proceed when the Superintendence of Industry and Commerce determines that the processing has involved behaviors contrary to this law and the Constitution; f) Request, at any time from the responsible party or processor, the deletion of their personal data and/or the revocation of the granted authorization for their processing, by submitting a claim. These actions will not proceed when the Data Subject has a legal or contractual duty to remain in the database; g) Access their personal data that have been subject to processing for free: (i) at least once every calendar month, and (ii) whenever substantial modifications to the information processing policies that motivate new inquiries occur. In the case of requests whose frequency exceeds once per calendar month, the responsible party and/or processor may charge the Data Subject for shipping, reproduction, and, if applicable, certification expenses for documents.
4.2.- Legitimation for the exercise of the Data Subject's rights.
The following individuals are also authorized to exercise the rights of the information holder: a) The Data Subject themselves, who must prove their identity sufficiently through the means made available by the responsible party; b) Their successors, who must prove such capacity; c) The representative and/or attorney of the Data Subject, following the accreditation of representation or power of attorney; d) By stipulation in favor of another or for another; e) The rights of children or adolescents will be exercised by individuals authorized to represent them, following the accreditation of the power of representation.
4.3.- Procedure for exercising the rights to know, update, rectify, or delete information and revoke authorization.
The procedures for access, updating, deletion, and rectification of personal data, as well as the revocation of authorization, can be carried out through queries or complaints, directed to the email address contactus@ghlhotels.com or to the address Calle 72 No. 6 - 30 Bogotá, Colombia, depending on the intended purpose, providing at a minimum the legitimacy to make the request and clearly and specifically stating the purpose.
All requests, suggestions, and recommendations related to information processing should be sent to the email address contactus@ghlhotels.com, and a response will be provided no later than ten (10) business days after their receipt.
The information holder or authorized person must accompany their written request with proof of their acting capacity and must provide the necessary data and documents to verify their identity and capacity.
The email should specify the reason or purpose of the communication, and it will suffice if the text indicates that the right to know, update, rectify, delete, or revoke the granted authorization is being exercised.
4.4.- Procedure for correction, updating, or deletion of data and for filing complaints and claims.
Individuals authorized by law, who believe that the contained information must be corrected, updated, or deleted, or who believe that the processing of personal data violates legal norms, may file complaints via email to contactus@ghlhotels.com, in accordance with Article 15 of Law 1581 of 2012.
Complaints and claims will be processed according to the following rules:
4.4.1.- The complaint will be formulated by submitting a request to the Responsible Party or the Processor, including the identification of the Data Subject, a description of the facts that give rise to the complaint, and the address, accompanied by the documents that are intended to be used. If the complaint is incomplete, the interested party will be required to correct the deficiencies within five (5) business days following the receipt of the complaint. If, after two (2) months from the date of the request, the requested information is not provided, it will be understood that the claim has been withdrawn.
If the recipient of the complaint is not competent to resolve it, it will be forwarded to the appropriate party within a maximum of two (2) business days, and the interested party will be informed of the situation.
4.4.2.- Once the complete complaint is received, a note saying "complaint being processed" and the reason for it will be included in the database within a period of no more than two (2) business days. This note must be maintained until the complaint is resolved.
4.4.3.- The maximum term for addressing the complaint will be fifteen (15) business days from the day following the date of its receipt. When it is not possible to address the complaint within this term, the interested party will be informed of the reasons for the delay and the date on which the complaint will be addressed. This date will not exceed eight (8) business days from the expiration of the first term.
4.5.- Consultation and access to information.
Queries regarding personal data will be addressed through a written request sent to the email
address contactus@ghlhotels.com.
Queries will be addressed within a maximum period of ten (10) business days from the date of their receipt. When it is not possible to address the query within this term, the interested party will be informed before the expiration of ten (10) business days, stating the reasons for the delay and indicating the date on which the query will be addressed. This date will not exceed five (5) business days from the expiration of the first term.
FIFTH: SECURITY.
5.1.- Information Handling Security.
The collected data will always be treated within a framework of confidentiality, and therefore will not be provided, transferred, or delivered to persons other than those responsible or processors of the data.
5.2.- Transfer and Transmission of Data.
In the event that a contract is signed with a third party that is a professional and experienced in handling and using databases, the responsible party will sign the personal data transmission contract referred to in Article 25 of Decree 1377 of 2013.
SIXTH: DISCLOSURE AND VALIDITY.
6.1.- Means of Disseminating Information Processing Policies and Privacy Notice.
This document, which establishes the policies for processing information about collected personal data, will be permanently published on the link www.ghlhoteles.com for consultation by interested parties.
When requesting explicit authorization from the Data Subject for data processing, the specific purposes for which consent is obtained will be indicated, and the Processing Policy and the rights they have as the Data Subject will be disclosed.
6.2.- Effective Date of Information Processing Policies.
The collection, storage, use, and circulation of personal data, in line with the considerations established here, will take place and be maintained as long as the needs and purposes established and proposed by the Processing remain valid. If the purpose cannot be achieved through the Processing of personal data, the data will be permanently deleted from the database.
This document comes into effect on February 22, 2016.
6.3.- Procedure for Policy Modifications.
In the event of modifications to the established personal data processing policies, they will be notified and communicated through this same website prior to their effective date.
6.4.- Incorporation of the Terms of Use of the Website www.ghlhoteles.com.
In accordance with applicable regulations, the information processing policy is an integral part of the terms and conditions of use of the website www.ghlhoteles.com.
6.5. - Information Responsible.
The company LOGÍSTICA GHL SOCIEDAD POR ACCIONES SIMPLIFICADA, with tax ID 90076001-06, is the responsible party and processor of personal data. The companies will be responsible for the information and personal data collected. When the information has been received or collected by any of the mentioned companies, with express authorization to be transferred, LOGÍSTICA GHL SOCIEDAD POR ACCIONES SIMPLIFICADA will be responsible for the processing.
Any communication can be directed to Calle 72 # 6-30 floor 13 in Bogotá, or to the email address contactus@ghlhoteles.com.
INFORMATION PROCESSING POLICIES FOR SUPPLIERS PERSONAL DATA
FIRST: GENERALITIES
In the course of our business relationships, we have a special interest in protecting and respecting your information and personal data, and therefore, we have designed these information processing policies within the framework of Law 1581 of 2012 and Regulatory Decree 1377 of 2013.
1.1.- Introduction.
The company Logística GHL SAS and the affiliated companies, hotel operators of "una experiencia GHL," and responsible for data processing, may collect personal data from their suppliers and from anyone who sells them goods or services, in the course of a business relationship to facilitate its execution and ensure the highest possible efficiency. Collection will be done under the explicit authorization of the data owner, and the processing of this data will be subject to what is established by law and this policy.
Personal information may be collected directly from suppliers or from the information contained in the certificate of existence and legal representation issued by the Chamber of Commerce, in the tax identification number (RUT), in contracts, quotes, proposals, invoices, purchase orders, and generally in any document related to the business relationship.
It will be understood that the Data Subject has accepted the terms and conditions of these policies when they submit the proposal or quote and/or when they sign the corresponding contract or equivalent document.
1.2- General Principles.
The collection and gathering of personal data, as well as the use, processing, exchange, transfer, and transmission of this data, will always be guided by principles of legality, freedom, truthfulness, transparency, security, confidentiality, access principle, and restricted circulation principle.
1.3- Legal Definitions.
In accordance with Law 1581 of 2012 and Decree 1377 of 2013, the following definitions will govern the policies for processing personal information.
1.3.1.- Authorization: The prior, express, and informed consent of the Data Subject to carry out the processing of personal data.
1.3.2.- Database: An organized set of personal data subject to processing.
1.3.3.- Personal Data: Any information related to one or more identified or identifiable natural persons.
1.3.4.- Processor: A natural or legal person, public or private, who, on their own or in association with others, carries out the processing of personal data on behalf of the Responsible Party.
1.3.5.- Responsible Party: A natural or legal person, public or private, who, on their own or in association with others, decides on the database and/or the processing of data.
1.3.6.- Sensitive Data: Data that affects the privacy of the Data Subject or whose misuse could result in discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in trade unions, social organizations, human rights organizations, or data promoting the interests of any political party or guaranteeing the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.
1.3.7.- Public Data: Data that is not semiprivate, private, or sensitive. Data related to an individual's marital status, profession or occupation, and their status as a trader or public servant are considered public data, among others. Due to their nature, public data can be contained in public records, official documents, official gazettes, and duly executed court judgments that are not subject to confidentiality.
1.3.8.- Data Subject: A natural person whose personal data is subject to processing.
1.3.9.- Transfer: Data transfer occurs when the Responsible and/or Processor of personal data, located in Colombia, sends information or personal data to a recipient who is also a Responsible Party for the processing, located within or outside the country.
1.3.10- Transmission: Processing of personal data involving the communication of such data within or outside the territory of the Republic of Colombia, when the purpose is processing by the Processor on behalf of the Responsible Party.
1.3.11.- Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.
SECOND: HOLDER'S AUTHORIZATION:
The provided data will be subject to authorized processing, granted in advance, expressly and informed by the Holder of the same. By providing your data for the execution of the legal transaction corresponding to the purchase of goods or services, you are authorizing the processing under the terms and conditions established in this policy.
In any case, the collection of data will be limited to those personal data that are relevant and appropriate for the intended purpose.
THIRD: INFORMATION PROCESSING:
3.1- Collected Data. The collection of data for the development of the Processing and the purposes pursued by it will fall on personal data received in the development or execution of the commercial relationship between the parties and specifically those received regarding the purchase of goods or services.
Without prejudice to the fact that in some cases they are public data, the collected information and the subject of processing will correspond to the name, identification number (Tax ID, citizenship ID, passport), contact information such as phone number, physical address, email address, information contained in the Tax Registry (RUT), type of goods or services offered, category in which it is located, economic activity, commercial and personal references, banking references, bank account numbers for payments, and all the information necessary to fulfill the contractually assumed obligations, legal obligations, and the proper execution and development of the commercial relationship between the parties.
3.2- Processing of Data and Purpose.
The data and information obtained will be used in the normal course of business activities only for the purpose established in these information processing policies, so that the commercial relationship and as such the acquisition of goods and services and the provision of contracted services are executed and developed properly.
The treatment that will be given to the data consists of the handling and disposition of the data to have the information that allows for the administrative and accounting management of the suppliers; control over payment status, balances, discounts; management of the inventory of acquired goods; compliance with fiscal, tax, legal, and any other requirements with national, district, or municipal government entities; categorization and classification of the supplier according to the goods or services offered, price, quality; support internal or external audit processes.
The authorization for the use of the information or data provided that are collected, gathered, or stored in accordance with these policies expressly includes authorization for the data and information to be shared, processed, transmitted, transferred, updated, and/or deleted for the purpose defined in these policies, to be used in the manner established.
3.3.- Sensitive Data and Data of Children and Adolescents.
Under no circumstances will sensitive data or data corresponding to children or adolescents be processed. The collection of supplier data is not intended to collect sensitive information or information from children or adolescents.
3.4.- Responsibilities of the Data Controller.
Those responsible for the information, and/or responsible and processors of personal data, undertake to: a) Guarantee the Holder, at all times, the full and effective exercise of the right to habeas data; b) Request and retain, under the conditions provided by law, a copy of the respective authorization granted by the Holder; c) Properly inform the Holder about the purpose of the collection and the rights that arise from the granted authorization; d) Preserve the information under the necessary security conditions to prevent its alteration, loss, consultation, use, or unauthorized or fraudulent access; e) Ensure that the information provided to the Data Processor is truthful, complete, accurate, up-to-date, verifiable, and understandable; f) Update the information, promptly communicating to the Data Processor all the news regarding the data previously provided and take the necessary measures for the information provided to remain updated; g) Rectify the information when it is incorrect and communicate the relevant to the Data Processor; h) Provide the Data Processor, as the case may be, only with data whose processing is previously authorized in accordance with the provisions of this law; i) Demand from the Data Processor at all times, respect for the security and privacy conditions of the Holder's information; j) Process the consultations and claims submitted in the terms indicated in the law; k) Inform the Data Processor when certain information is under discussion by the Holder, once the claim has been filed and the respective process has not been completed; l) Inform at the request of the Holder about the use given to their data; m) Inform the data protection authority when security breaches occur and there are risks in the administration of the Holder's information; n) Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
FOURTH: RIGHTS AND POWERS OF THE HOLDER:
4.1.- Holder's Rights. Once the authorization by the Holder for the corresponding processing has been granted, they have the right to: a) Know, update, and rectify their personal data. This right can be exercised in relation to partial, inaccurate, incomplete, fractioned data, which lead to errors, or those whose processing is expressly prohibited or has not been authorized; b) Request proof of the granted authorization, except when expressly exempted as a requirement for processing, in accordance with the provisions of Article 10 of Law 1581 of 2012; c) Be informed by the Data Controller and/or Processor, upon request, of the use that has been given to their personal data; d) File complaints with the Superintendence of Industry and Commerce for breaches of the law; e) Revoke the authorization and/or request the deletion of the data when the processing does not comply with constitutional and legal principles, rights, and guarantees. Revocation and/or deletion will proceed when the Superintendence of Industry and Commerce has determined that the processing has engaged in conduct contrary to this law and the Constitution; f) Request, at any time from the Data Controller or Processor, the deletion of their personal data and/or revoke the authorization granted for their processing, through the submission of a claim, it will not proceed when the Holder has a legal or contractual duty to remain in the database. g) Access their personal data that have been subject to processing free of charge: (i) at least once every calendar month, and (ii) every time there are substantial modifications to the Information Processing Policies that prompt new queries. In the case of requests whose frequency is greater than once every calendar month, the Data Controller and/or Processor may charge the Holder for the expenses of shipping, reproduction, and, if applicable, certification of documents.
4.2.- Legitimacy for the exercise of the holder's rights.
The following individuals are also legitimate to exercise the rights that belong to the information Holder: a). The Holder themselves, who must prove their identity sufficiently through the means made available by the Data Controller; b). Their successors, who must prove such quality; c). The representative and/or attorney-in-fact of the Holder, after accrediting the representation or power of attorney; d). By stipulation on behalf of another or for another.
4.3.- Procedure for exercising the rights to know, update, rectify, or delete information and revoke authorization.
The procedures for accessing, updating, deleting, and rectifying personal data, and for revoking authorization, can be carried out through inquiries or complaints, directed to the email address contactenos@ghlhoteles.com or to the address Calle 72 No. 6 - 30 Bogotá, Colombia, depending on the object they pursue, establishing at least the legitimacy to make the request and explaining clearly and concisely what is intended.
All requests, suggestions, and recommendations related to the processing of information must be
sent to the email address contactenos@ghlhoteles.com and will be responded to no later than ten (10) business days after their receipt.
The information Holder or the legitimate person must accompany their writing with proof of their acting capacity and must provide the necessary data and documents to account for their identity and their status.
The email should specify the reason or purpose of the communication, and for this, it will suffice for the text to indicate that the right to know, update, rectify, delete, or revoke the granted authorization is being exercised.
4.4.- Procedure for the correction, update, or deletion of data and for the submission of complaints and claims.
Anyone legitimized by law, and who considers that the contained information must be corrected, updated, or deleted; or when they consider that the treatment given to personal data violates legal norms, may submit complaints, in accordance with Article 15 of Law 1581 of 2012, to the email address contactenos@ghlhoteles.com.
Complaints and claims will be processed under the following rules:
4.4.1.- The complaint will be made by means of a request addressed to the Data Controller or the Data Processor, with the identification of the Holder, the description of the facts that give rise to the complaint, and the address, attaching the documents to be asserted. If the complaint is incomplete, the interested party will be required within five (5) business days following the receipt of the complaint to correct the deficiencies. After two (2) months from the date of the request, without the applicant providing the requested information, it will be understood that they have withdrawn the complaint.
If the recipient of the complaint is not competent to resolve it, it will be forwarded to the appropriate person within a maximum period of two (2) business days, and the situation will be informed to the interested party.
4.4.2.- Once the complete complaint is received, a legend will be included in the database that says "complaint in process" and the reason for it, within a period not exceeding two (2) business days. This legend must be maintained until the complaint is decided.
4.4.3.- The maximum term to address the complaint will be fifteen (15) business days from the day following the date of its receipt. When it is not possible to address the complaint within that period, the interested party will be informed of the reasons for the delay and the date on which their complaint will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.
4.5.- Consultation and access to information.
Requests for personal data contained in the database will be addressed through written requests through the email address contactenos@ghlhoteles.com.
Queries will be answered within a maximum period of ten (10) business days from the date of receipt. When it is not possible to address the query within that period, the interested party will be informed before the expiration of ten (10) business days, expressing the reasons for the delay and indicating the date on which the query will be addressed, which in no case may exceed five (5) business days following the expiration of the first period.
FIFTH: SECURITY.
5.1.- Information handling security.
The collected data will always be treated within a framework of confidentiality, so they will not be provided, transferred, or delivered to people other than those responsible or in charge of processing.
5.2.- Transfer and transmission of data.
In the event that a contract is signed with a third person who is a professional and experienced in the handling and use of databases, the responsible party will sign the personal data transmission contract referred to in Article 25 of Decree 1377 of 2013.
SIXTH: DISCLOSURE AND VALIDITY.
6.1.- Means of disseminating information processing policies and privacy notice.
This document, through which the information processing policies on collected personal data are established, will be permanently published at the link www.ghlhoteles.com so that it can be consulted by anyone interested.
When requesting the express authorization of the Holder for data processing, the specific purposes for which consent is obtained will be indicated, and the Processing Policy and the rights they have as Holder will be disclosed.
6.2.- Effectiveness of the information processing policies.
The collection, storage, use, and circulation of personal data, in development of the considerations established here, will be carried out and maintained while the needs and purposes established and proposed by the Processing remain in force. In case the purpose cannot be achieved through the processing given to personal data, they will be permanently deleted from the database.
This document becomes effective on February 22, 2016.
6.3.- Procedure for policy modification events.
In the event that modifications are made to the personal data processing policies established here, they will be notified and communicated through this same website before they come into effect.
6.4.- Incorporation of the terms of use of the website www.ghlhoteles.com.
In accordance with applicable regulations, the information processing policy is an integral part of the terms and conditions of use of the website www.ghlhoteles.com.
6.5. - Information Responsible.
The company LOGÍSTICA GHL SOCIEDAD POR ACCIONES SIMPLIFICADA, with Tax ID 90076001-06 has the quality of responsible and processor of personal data. The companies will be responsible for the information and personal data collected. When the information has been received or collected by one of the aforementioned companies, with express authorization to be transferred, LOGÍSTICA GHL SOCIEDAD POR ACCIONES SIMPLIFICADA will be responsible for the processing.
Any communication can be directed to Calle 72 # 6-30 13th floor in Bogotá, or to the email address contactenos@ghlhoteles.com.
POLICIES FOR THE PROCESSING OF PERSONAL INFORMATION OF EMPLOYEES, OFFICIALS, AND COLLABORATORS
FIRST: GENERALITIES
In the development of our business relationships, we have a special interest in protecting and respecting your information and personal data. That is why we have designed these policies for the processing of information, within the framework of Law 1581 of 2012 and Regulatory Decree 1377 of 2013.
1.1 Introduction
The company Logística GHL SAS and the affiliated companies operating the "una experiencia GHL" hotels and responsible for the processing of information may collect personal data from their employees, officials, and/or collaborators, regardless of the employment or contractual nature of the relationship. The collection will be done with the explicit authorization of the data subject, and the processing of this data will be subject to what is established by the law and this policy.
Personal information will be collected directly from employees, officials, and/or collaborators and will be related to the activities they perform.
1.2 General principles
The collection and gathering of personal data, as well as the use, processing, exchange, transfer, and transmission of such data, will always be guided by principles of legality, freedom, truthfulness, transparency, security, confidentiality, the principle of access, and restricted circulation.
1.3 Legal definitions
In accordance with Law 1581 of 2012 and Decree 1377 of 2013, the following definitions will govern the policies for the processing of personal information.
1.3.1 Authorization: Prior, express, and informed consent of the Data Subject for the processing of personal data.
1.3.2 Database: An organized set of personal data that is subject to processing.
1.3.3 Personal data: Any information linked or that can be associated with one or more specific or determinable natural persons.
1.3.4 Data Processor: The natural or legal person, public or private, who, alone or in association with others, processes personal data on behalf of the Data Controller.
1.3.5 Data Controller: The natural or legal person, public or private, who, alone or in association with others, decides on the database and/or the processing of data.
1.3.6 Sensitive data: Data that affect the privacy of the Data Subject or whose misuse could lead to discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations, or data promoting the interests of any political party or ensuring the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.
1.3.7 Public data: Data that is not semi-private, private, or sensitive. Data related to the marital status of individuals, their profession or occupation, and their status as a trader or public servant are considered public data, among others. By their nature, public data can be found in public records, official documents, gazettes, and official bulletins, as well as legally enforceable judicial decisions not subject to confidentiality.
1.3.8 Data Subject: The natural person whose personal data is subject to processing.
1.3.9 Transfer: Data transfer occurs when the Data Controller and/or Data Processor of personal data, located in Colombia, sends information or personal data to a recipient, who is also a Data Controller, located inside or outside the country.
1.3.10 Transmission: Processing of personal data involving the communication of such data within or outside the territory of the Republic of Colombia, when the purpose is to carry out processing by the Data Processor on behalf of the Data Controller.
1.3.11 Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.
SECOND: CONSENT OF THE DATA SUBJECT
The provided data will be subject to authorized processing, granted in advance, expressly and informedly by the Data Subject.
In any case, the collection of data will be limited to personal data that is relevant and appropriate for the intended purpose.
THIRD: INFORMATION PROCESSING
3.1 Collected data. The collection of data for the development of processing and its intended purposes will be related to personal data received in the course of or in execution of the relationship between the parties.
Without prejudice to cases where data are considered public, the collected and processed information will correspond to that provided in the curriculum vitae, name, identification number (citizen ID or passport), academic experience, professional experience, information related to the execution of the contractual relationship, information related to salary payments, remuneration, fees, social security information as appropriate, and basic health information such as blood type or allergies in cases where such information is provided.
3.2 Processing of data and purpose.
The data and information obtained will be used solely for the purpose established in these policies for information processing.
The processing of data will involve the management and disposition of data to have the information necessary to carry out human resources activities, processes, and procedures; to establish payroll payment status; fees or any other compensation, as applicable; to manage information related to social security and family compensation funds; to respond to information requests from government entities and comply with legal obligations for fiscal, tax, and other reporting; to support internal or external audit processes; maintain effective communication with employees, officials, or collaborators; manage and inform changes that may occur during the course of the contractual relationship; conduct internal studies on habits; allow employees access to computer resources.
The authorization for the use of provided information or data collected in accordance with these policies expressly includes authorization for data and information to be shared, processed, transmitted, transferred, updated, and/or deleted for the purposes defined in these policies, to be used as established.
3.3 Sensitive data and data related to children and adolescents.
Under no circumstances will sensitive data or data related to children or adolescents be processed. The collection of data from employees, officials, or collaborators is not intended to collect sensitive information or information about children or adolescents.
3.4 Duties of the information controller.
Those responsible for information and/or responsible and processors of personal data are obligated to: a) Guarantee the Data Subject's full and effective exercise of the right to habeas data at all times; b) Request and retain, under the conditions provided by law, a copy of the respective authorization granted by the Data Subject; c) Properly inform the Data Subject about the purpose of the collection and the rights they have by virtue of the authorization granted; d) Maintain the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access; e) Ensure that the information provided to the Data Processor is truthful, complete, accurate, updated, verifiable, and understandable; f) Update the information, communicating any changes in a timely manner to the Data Processor for all previously provided data and take any necessary steps to keep the information provided to them up-to-date; g) Rectify incorrect information and communicate relevant information to the Data Processor; h) Provide the Data Processor with, when applicable, only data whose processing is previously authorized in accordance with the law; i) Demand that the Data Processor at all times respect the security and privacy conditions of the Data Subject's information; j) Process inquiries and complaints in accordance with the terms established by law; k) Inform the Data Processor when certain information is under dispute by the Data Subject, once a complaint has been filed and the respective process has not yet been completed; l)
Provide the Data Subject, upon request, with information about the use of their data; m) Inform the data protection authority when violations of security codes occur and risks arise in the administration of Data Subjects' information; n) Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
FOURTH: RIGHTS AND POWERS OF THE DATA SUBJECT
4.1 Rights of the Data Subject. Once authorization has been granted by the Data Subject for the corresponding processing, they have the right to: a) Know, update, and rectify their personal data. This right can be exercised for partial, inaccurate, incomplete, misleading, or prohibited processing, or processing that has not been authorized; b) Request evidence of the granted authorization, unless expressly exempted as a requirement for processing, in accordance with Article 10 of Law 1581 of 2012; c) Be informed by the responsible party and/or data processor, upon request, of the use that has been made of their personal data; d) Lodge complaints with the Superintendence of Industry and Commerce for violations of the provisions of the law; e) Revoke the authorization and/or request the deletion of data when the processing does not respect constitutional and legal principles, rights, and guarantees. The revocation and/or deletion will proceed when the Superintendence of Industry and Commerce has determined that the processing has involved conduct contrary to this law and the Constitution; f) Request, at any time from the responsible party or data processor, the deletion of their personal data and/or the revocation of the authorization granted for their processing, through the submission of a complaint. These actions will not proceed when the Data Subject has a legal or contractual obligation to remain in the database; g) Access their personal data that has been subject to processing: (i) at least once every calendar month, and (ii) each time there are substantial modifications to the information processing policies that necessitate new consultations. In the case of requests with a frequency greater than once per calendar month, the responsible party and/or data processor may charge the Data Subject for shipping, reproduction, and, if necessary, certification costs of documents.
4.2 Legitimacy to exercise the Data Subject's rights.
The following individuals are also legitimized to exercise the rights of the information holder: a) The Data Subject themselves, who must prove their identity sufficiently using the means made available by the responsible party; b) Their heirs, who must prove their status as such; c) The representative and/or attorney-in-fact of the Data Subject, upon verification of representation or power of attorney; d) By stipulation in favor of another or for another.
4.3 Procedure for exercising the right to know, update, rectify, or delete information and revoke authorization.
Procedures for accessing, updating, deleting, and rectifying personal data, and for revoking authorization, may be carried out through inquiries or complaints sent to the email address contactenos@ghlhoteles.com or to the address Calle 72 No. 6 - 30, Bogotá, Colombia, depending on the purpose, establishing at least the legitimacy to make the request and clearly and specifically stating the purpose.
All requests, suggestions, and recommendations related to information processing should be sent to the email address contactenos@ghlhoteles.com, and a response will be provided no later than ten (10) business days after receipt.
The information holder or authorized person must include proof of their acting capacity with their written communication and provide the necessary data and documents to confirm their identity and capacity.
The email should specify the reason or purpose of the communication, and it will suffice to indicate in the text that the right to know, update, rectify, delete, or revoke the granted authorization is being exercised.
4.4 Procedure for correcting, updating, or deleting data and for submitting complaints and claims.
Those authorized by law, and who believe that the contained information must be corrected, updated, or deleted; or that the processing of personal data infringes legal norms, may submit complaints, in accordance with Article 15 of Law 1581 of 2012, to the email address contactenos@ghlhoteles.com.
Complaints and claims will be processed under the following rules:
4.4.1 The claim will be made through a request addressed to the Data Controller or Data Processor, with the identification of the Data Subject, a description of the facts giving rise to the claim, and the address, attaching the documents that they wish to present. If the claim is incomplete, the interested party will be requested to correct the deficiencies within five (5) business days of receiving the claim. If two (2) months have passed since the date of the request without the applicant providing the requested information, it will be understood that they have withdrawn the claim.
In the event that the recipient of the claim is not competent to resolve it, the claim will be forwarded to the appropriate recipient within a maximum of two (2) business days, and the interested party will be informed of the situation.
4.4.2 Once the complete claim is received, a note will be added to the database that says "claim in process" and the reason for it, within a maximum of two (2) business days. This note must be maintained until the claim is resolved.
4.4.3 The maximum period for addressing the claim will be fifteen (15) business days from the day following the receipt of the claim. When it is not possible to address the claim within this term, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which will not exceed eight (8) business days following the expiration of the initial term.
4.5 Consultation and access to information.
Inquiries about personal data contained in the database will be addressed through a written request via the email address contactenos@ghlhoteles.com.
Inquiries will be addressed within a maximum period of ten (10) business days from the date of receipt. When it is not possible to address the inquiry within this term, the interested party will be informed before the ten (10) business days have passed, stating the reasons for the delay and indicating the date on which the inquiry will be addressed, which in no case will exceed five (5) business days following the expiration of the initial period.
FIFTH: SECURITY.
5.1 Security in information management.
The collected data will always be treated with confidentiality, and they will not be provided, transferred, or delivered to individuals other than those responsible for or processors of the processing.
5.2 Transfer and transmission of data.
In the event that a contract is signed with a third party professional with experience in the management and use of databases, the responsible party will sign the contract for the transmission of personal data referred to in Article 25 of Decree 1377 of 2013.
SIXTH: DISSEMINATION AND VALIDITY.
6.1 Means of disseminating information processing policies and the privacy notice.
This document, which establishes policies for the processing of personal data collected, will be permanently published on the link www.ghlhoteles.com so that it can be consulted by interested parties.
At the time of requesting the Data Subject's explicit authorization for data processing, they will be informed of the specific purposes for which consent is obtained and will be made aware of the processing policy and their rights as a Data Subject.
6.2 Effective date of information processing policies.
The collection, storage,
use, and circulation of personal data, as set forth in the considerations established here, will be carried out and maintained as long as the established needs and purposes of the processing remain in effect. If the purpose cannot be achieved through the processing of personal data, they will be permanently deleted from the database.
This document comes into effect on February 22, 2014.
6.3 Procedure for modifying policies.
In the event that modifications are made to the personal data processing policies established here, they will be notified and communicated through this same website, prior to their entry into force.
6.4 Incorporation into the terms of use of the website www.ghlhoteles.com.
In accordance with applicable regulations, the information processing policy is an integral part of the terms and conditions of use of the website www.ghlhoteles.com.
6.5 Responsible for the information.
The company LOGÍSTICA GHL SOCIEDAD POR ACCIONES SIMPLIFICADA, with tax identification number (NIT) 90076001-06, is responsible for and the processor of personal data. The companies will be responsible for the information and personal data collected. When the information has been received or collected by any of the companies mentioned, with explicit authorization for transfer, LOGÍSTICA GHL SOCIEDAD POR ACCIONES SIMPLIFICADA will be responsible for the processing.
Any communication can be directed to Calle 72 # 6-30, 13th floor, Bogotá, or to the email address contactenos@ghlhoteles.com.