Personal Data Processing and Privacy Policy – KLYM
KLYM S.A.S., domiciled at Carrera 11 No. 98-07, Office 501 A, Edificio Green Pijao in the city of Bogotá D.C., identified with Tax ID No. 900.296.536-0, telephone +57 601 357 11 62 and email latam-datospersonales@klym.com (“KLYM” or “we”), is an entity committed to protecting your privacy and that of the representatives and agents of your company.
We receive, collect, use, manage, analyze, segment, index, convey, transfer, store and, in general, process all information that may be associated or related to natural persons and legal entities, determined or determinable (the “Personal Data”), to which we may have access in the performance of our activities and duties. Personal Data includes data such as identification, contact, financial information, occupation and profession data, among others, which may be obtained in the course and for the performance of our activities and duties.
Scope of Application
This Klym Information Processing Policy (the “Policy”) is directed to: users and potential users who use the website klym.com and who are in any way related to or involved in a transaction with Klym either in person, by telephone or in writing, to its workers, candidates and retirees, suppliers and in general, to any person whose Personal Data are being or will be processed by us, including through tools such as web scrapers, web hooks, cookies, web spiders, web crawler and web beacons (the “Holders”).
The Personal Data of Holders are very important to us and will be processed based on the principles established under Law 1581/2012 and will be used only for the purposes indicated below.
We process our databases on an automated basis. The purpose of this Policy is to describe the mechanisms and procedures to protect the rights of Holders; to identify the area that will deal with queries, questions, claims and complaints, and, finally, to describe the purposes and types of Processing (as defined below) to which the Personal Data will be subject.
This Policy will apply to all Processing carried out on our platform, which is why the regulations established in the Republic of Colombia will apply, as allowed by the mandatory regulations of the Holder’s country of residence.
This Policy, or equally or more stringent legal standards, will apply to third parties with whom Klym eventually enter into Conveyance agreements, for such third parties to know the obligations that will apply to them, the purposes to which they must be subject and the security and confidentiality standards they must implement when carrying out the Processing on behalf of Klym.
Below, we include an explanatory text, detailing our obligations and your rights regarding our Processing of the Personal Data of Holders:
Personal Data we use
To carry out the purposes described in this Policy, we will use the following Personal Data, among others, which are held by users and/or visitors and workers and suppliers:
Confirming Debtors/Anchors
- Contact information
- Identification data
- Data of the legal representative
- Financial and tax data
Workers
- Contact information
- Identification data
- Demographic data
- Financial data
- Biometric data
- Medical data
- Data necessary for compliance with legal obligations
- Sensitive data
- Socioeconomic data
Suppliers/users of the website
- Contact information
- Identification data
- Financial and tax information
- Data relating to their profession or trade
- Webpage access credentials
Rights of Holders
Holders have the following rights:
Right |
Descripción |
Update |
To update the Personal Data residing in Klym’s Databases to maintain its integrity and truthfulness. |
Knowledge and Access |
To know and access their Personal Data stored by Klym or Processors. This access will be provided free of charge upon request at least once a month. |
Proof |
To request proof of the Authorization granted to Klym, unless the Law indicates that said Authorization is not necessary or that it has been validated in accordance with article 10 of Decree 1377 (article 2.2.2.25.2.7 of Decree 1074/2015). |
Complaint |
To file complaints to the Superintendence of Industry and Commerce for violations of the Law when the procedural requirement has been exhausted and to go to Klym in the first instance. |
Correction |
To correct the information and Personal Data under the control of KLYM. |
Revocation |
To request the revocation of the Authorization, provided the Holder has no legal duty or contractual obligation to Klym, according to which the Holder is not entitled to request the deletion of their Personal Data. |
Request |
To submit requests to Klym or the Processor regarding the use given to their Personal Data. |
Deletion |
To request the deletion of their Personal Data from Klym’s Databases, provided the Holder has no legal duty or contractual obligation to Klym, according to which the Holder is not entitled to request the deletion of their Personal Data. |
Authorizations
We require an Authorization for the processing of the Personal Data of Holders, which will be part of the onboarding process of each company.
The Authorization may consist of a paper-based document, electronic document, voice recording or any other format that ensures its subsequent consultation, or through a suitable technical or technological mechanism through which it can be unequivocally concluded that, if not so authorized by the Holder, the Personal Data would never have been captured and stored in the Database.
The Authorization of the Holder will not be necessary in the case of:
- information requested by a public or administrative entity in the exercise of its legal duties or by a court order;
- data of a public nature;
- cases of medical or health emergency;
- 4. processing of information authorized by law for historical, statistical, or scientific purposes; or
- data related to the Office of Vital Statistics.
We can obtain this Authorization through different means, including electronically, data messages, internet, websites, or in any other format that allows in any case obtaining consent through unequivocal conducts, by the Holder or the person entitled to do so.
Purposes
We, in the course of our commercial activities, will process Personal Data only for the purposes indicated below or those that are accepted by Holders at the time of collection of Personal Data:
Confirming Debtors/Anchors
- To deliver to the Holder thereof or to its representative in the case of legal entities, information that is of interest, which includes: products, services, financial reports, statements, settlements of used products, invoices, among others.
- To interface with state information platforms that contain their information and allow Klym, on your behalf, to carry out transactions in accordance with your instructions.
- To provide services in Klym’s portfolio.
- To offer and provide products or services through any means or channel according to the customer’s profile.
- 5. To send commercial information, invitations or gifts from Klym, the promotion of both own and third-party products and services, and other communications necessary to keep the customer informed and appraised by: telephone calls, text messages, emails, Facebook, Twitter, Instagram or any integration social network or instant messaging, among others; receive messages related to portfolio collection and recovery management, either directly or through a third party contracted for such purpose.
- To conduct surveys of any kind.
- To send invitations to corporate events of Klym, its partners and investors.
- To know your financial, commercial and credit behavior and compliance with your legal obligations.
- To carry out all necessary steps to confirm and update customer information.
- To establish a contractual relationship, as well as to maintain and terminate a contractual relationship.
- To carry out collection management tasks directly or through a third party.
- To know the location and contact information of the customer for the purposes of security notices and the offering of benefits and commercial offers.
- To prevent money laundering, terrorist financing, as well as to detect fraud, corruption, and other illegal activities.
- To carry out, validate, authorize or verify transactions, including, when so required, the consultation and reproduction of sensitive data such as fingerprints, images or voices, among others.
- To consult fines and sanctions with various administrative and judicial authorities or public databases which function is the administration of data of this nature.
- To make consultations and reports to restrictive lists and information bureaus, for the prevention and mitigation of financial risks and impersonation, among others, at their time of onboarding and to periodically receive information on their financial behavior.
- To take all the necessary steps to confirm and update the identity of the customer, and the identity and capacity of their legal representative.
- To share information with their parent company, affiliates, related companies, employees, consultants, and funders.
- To fill out the necessary documents to maintain and terminate a contractual relationship.
- To interface with state information platforms that contain customer information and allow Klym, on behalf of the customer, to carry out transactions in accordance with the customer’s instructions.
- To execute legal documents on behalf of the customer, in compliance with the instructions provided by the customer.
- To validate credentials, store credential and carry out document backup processes.
Workers and Candidates
- To deliver to Holders any information that is of interest, including: payment stubs, statements, settlements, among others.
- To conduct surveys of any kind.
- To send invitations to corporate events of Klym, its partners and investors.
- To send invitations to selection processes carried out by Klym.
- To assess the entry and onboarding process of applicants, which include: private investigations of people, in order to complete the security process of candidates and medical information about the entry exam.
- To manage existing labor relations with them, as well as to carry out various activities established by KLYM.
- In the case of retirees, Klym will store, even after the employment agreement has been terminated, the information necessary to comply with the obligations that may arise as a result of the employment relationship that existed under the Colombian law.
- To provide any work certifications that may requested by the former worker or by third parties with which they are carrying out a selection process.
- To maintain the security of Klym’s buildings and facilities.
- To carry out internal disciplinary processes and investigations.
- To monitor the use of the work tools provided by Klym.
- To process their Personal Data for the performance of legal and contractual obligations, and for carrying out cultural activities.
- To conduct sociological surveys and opinion polls.
- To grant and manage permits, licenses, and authorizations.
- To reserve and issue transport tickets.
- To carry out judicial proceedings
- To carry out activities of the human resources department, which include: personal training activities; payroll management; personnel management; compliance with social benefits; prevention of occupational hazards; promotion and management of employment and; promotion and selection of personnel.
- To carry out epidemiological research work and similar activities.
- To know about the mental health of workers.
Users of the webpage or platform
- To confirm and update your information and identity and that of your legal representative, as applicable.
- To establish and manage a contractual relationship.
- To contact you for commercial, marketing and management purposes in respect of the contractual relationship, through any means.
- To conduct satisfaction and quality surveys.
- To verify and manage compliance with legal and contractual obligations, including the control and prevention of fraud and money laundering.
- To conduct analyses of suppliers/users of the website and process information to analyze the feasibility of carrying out financing operations.
- To develop predictive models for risk analysis.
- To make consultations and reports to risk and information bureaus.
- To examine financial, commercial and credit behavior and compliance with legal and financial obligations.
- To interface with state information platforms that contain their information and allow Klym, on behalf of the supplier/user of the website, to carry out transactions in accordance with the instructions given.
- To execute legal documents on behalf of the supplier/user of the website, in accordance with the instructions given by the supplier/user of the website.
- To offer and provide products or services through any means or channel in accordance with the profile of the supplier/user of the website. To validate credentials, store credentials and carry out document backup processes.
Likewise, the information may be delivered to the authorities or public entities, when required to do so under the applicable legal, contractual or consensual provisions.
Sharing of Information with Third Parties
We may share the Personal Data of Holders with:
- the authorities that may require it in accordance with the applicable legislation;
- the authorities that may request it as part of a judicial or administrative proceeding where the disclosure of such information is required;
- investors or funders;
- affiliates, employees and agents of Klym;
- suppliers of tools procured by Klym for communication and marketing with its consumers and for outsourcing services; and
- in the other cases provided by the law.
Confidentiality and Security Measures
The confidentiality and protection of Personal Data is a priority for us, for which we have established and maintained administrative, technical and physical security measures to prevent any damage, loss, tampering, destruction, as well as any improper use, access or disclosure.
Furthermore, and in compliance with the security principle established by the law, Klym has and will implement the appropriate technical, technological, human and administrative measures to provide security to records, safeguarding their confidentiality, integrity and availability.
We are committed to fighting the risks of fraud and impersonation and therefore carry out thorough customer identity checkups in accordance with the principle of Security and Demonstrated Responsibility.
Additionally, all our products have been carefully designed to safeguard the privacy of Holders. However, it is impossible to ensure that our information security measures will be 100% effective, which, however, follow very high standards.
Claims Policies and Procedures
- 1. Queries:
We will receive and answer to queries from Holders, their Registered Persons or the representatives of underage persons, regarding:
- the Personal Data of the Holder residing in Klym’s Databases;
- the Processing to which the Personal Data are subject; and
- the use we give to such Personal Data.
Such queries must be sent in writing to the following email address: latam-datospersonales@klym.com. We will keep proof of the query and its reply.
Queries will be answered within a maximum term of ten (10) business days from the date of receipt thereof.
When it is not possible to answer to the query within said term, the interested party will be informed of the reasons for the delay and the date on which the query will be answered, which in any case may not exceed ten (10) business days following the expiration of the first term.
2. Claims:
We will receive and answer to claims filed by Holders, their Authorized Persons or the representatives of underage persons, regarding:
- the Personal Data Processed by Klym that must be corrected, updated or deleted; and
- any alleged breaches of any of Klym’s obligations under the law.
Such claims must be sent in writing to the following email address: latam-datospersonales@klym.com. We will keep proof of the claim and its reply.
3. Receipt of Requests:
The legal team will be responsible for receiving your complaints and requests. It will be in charge of receiving requests from Holders for the exercise of the rights of access, consultation, correction, updating, deletion and revocation referred to in Law 1581/2012. Internally, procedures have been established for the timely and effective dealing with queries and claims, taking into account those responsible for the different databases.
Publicity and Amendments to the Policy
This Policy may be amended by us from time to time and will be part of the terms and conditions of use of our platform. Any material amendment to this Policy will be previously communicated to Holders through efficient mechanisms, such as Klym’s website privacy policy and/or by email.
A material amendment means, among others, the following:
- any modification to the identification of the area, office or person in charge of dealing with queries and claims; and
- any obvious modification of the purposes that may affect the Authorization. In this case, Klym will obtain a new Authorization.
Amendments will be informed on Klym’s website and/or by email sent to Holders, as long as Klym has such information in its possession.
Validity of the Policy and Databases
This Policy shall be effective as of its date of publication. The Personal Data that is may be stored, used or conveyed will remain in Klym’s Database, based on the criteria of temporality, for as long as necessary to fulfill the purposes mentioned in this Policy, for which they were collected. Thus, the validity of the Database is closely related to the purposes for which the Personal Data were collected.
Below we include a chapter on definitions, in which we explain in detail the meaning of the capitalized words included in this Policy:
Definitions
Expressions in parentheses, underlined, and capitalized in this Policy shall have the meaning given to them before the parentheses. Any undefined terms will have the meaning given to them in the law or in the applicable jurisprudence of Colombia. Notwithstanding the foregoing, the most relevant terms of this Policy are defined below:
- Authorization: Prior, express and informed consent of the Holder for the Processing of Personal Data.
- Authorized Person: KLYM and all the people under the responsibility of Klym who, in accordance with the Authorization and this Policy, are authorized to carry out the Processing.
- Database: Organized set of Personal Data that is subject to Processing, electronic or otherwise, however it may be formed, stored, organized and accessed. KLYM will maintain the Databases in which it holds the status of Processor separately from those in which it holds the status of Controller.
- Personal Data: Information of any kind, related to or that can be associated with one or several determined or determinable natural persons, such as identification data (name, identification document, age, gender), contact (telephone, email, address), financial information, information about their profession or trade, among others.
- Public Data: Personal Data qualified as such according to the mandates of the law or the Political Constitution and which is not semi-private, private or sensitive. Public data are considered, among others, as data related to the marital status of people, their profession or trade and their status as a merchant or public servant and those that can be obtained without being subject to any confidentiality obligation. Due to their nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins, and duly executed judicial rulings that are not subject to confidentiality.
- Sensitive Data: Personal Data that could affect the intimacy of the Holder or which misuse may give rise to discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social, human rights or other organizations that promote the interests of any political party or that ensures the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.
- Processor: Natural person or legal entity, public or private, that by itself or in association with others performs the Processing of Personal Data on behalf of the Controller.
- Authorized Person: The persons who can exercise the rights of the Holder, such as the Holder himself, his successors in title, representatives, attorneys-in-fact and those who, as stipulated in favor of one or another, are accredited, provided they can prove their status as such.
- Law: Law 1581/2012, Decree 1074/2015, Ruling C-748/2011, the applicable jurisprudence of the Constitutional Court and the regulations issued by the Government in the matter.
- Manual: The document that establishes the policies and procedures to ensure compliance with the Law.
- Controller: Natural person or legal entity, public or private, that by itself or in association with others, takes decisions on the Database and/or the Processing of Personal Data. For the purposes of this document, the Data Controller will be KLYM.
- Holder: The natural person to whom the Personal Data concern, whose information may reside on a Database and who is the subject of the right of habeas data.
- Transfer: The Processing that implies the sending of information or Personal Data to a receiver, who is a Controller and can be located inside or outside the territory of the Republic of Colombia. In Transfers, the recipient will act as Controller and will not be subject to the terms and conditions of this Policy.
- Conveyance: The Processing that implies the communication of Personal Data inside or outside the territory of the Republic of Colombia, for the Processor to Process such Personal Data on behalf of the Controller. In Conveyances, the receiver will act as Processor and will be subject to the Policy or to the terms established in the corresponding Conveyance agreement.
- Processing: Any systematic operation or procedure, electronic or otherwise, including through tools such as web scrapers, web hooks, cookies, web spiders, web crawlers and web beacons, for the collection, retention, ordering, storage, modification, indexing, profiling, listing, use, circulation, analysis, segmentation, anonymization, summarization, evaluation, blocking, destruction and, in general, the processing of Personal Data, as well as the delivery thereof to third parties through communications, consultations, interconnections, assignments, data messages and other means for such purpose.
Principles
In all Processing activities carried out by us, the Processors and/or third parties to whom Personal Data is Conveyed, shall comply with the principles set forth below:
- 1. Principle of legality in Data Processing: The Processing referred to in this manual is a regulated activity that must be subject to the provisions of Law 1581/2012 and other related regulations.
- Principle of purpose: All Processing activities must be consistent with the legitimate purposes mentioned in this Policy, which purposes must be informed to Holders when obtaining their authorization.
- Principle of freedom: Processing activities can only be carried out with prior, express and informed Authorization from the Holder. Personal Data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves such consent.
- Principle of truthfulness or quality: The Personal Data subject to Processing must correspond to the information provided by Holders and be complete, accurate, up-to-date, verifiable and understandable. KLYM will use reasonable efforts to avoid Processing partial, incomplete, fragmented or misleading Personal Data and to maintain the integrity and truthfulness of the Personal Data contained on its Databases.
- Principle of transparency: When so requested by Holders, KLYM will prove them with access to the Personal Data requested. The reply to the request will be sent by email within the deadline established by law.
- Principle of access and restricted circulation: KLYM may not make Personal Data available for access over the Internet or through other means of communication, unless technical and security measures are established for such access to be controlled and restricted only to Authorized persons. Personal Data may only be Processed by KLYM personnel who have authorization to do so in accordance with the provisions of this document, or those who, according to their duties, are responsible for carrying out such activities. Personal Data may not be delivered to third parties, inside or outside the territory of the Republic of Colombia, without Authorization or without executing an agreement, in the event of any Conveyance.
- Principle of security: For any Processing, KLYM must have the necessary technical, human and security measures in place to maintain the reasonable confidentiality and security of Personal Data. The foregoing, in order to prevent Personal Data from being tampered, modified, consulted, used, accessed, deleted or known by unauthorized third parties. KLYM will adjust the Processing of Personal Data to the security standards that may be regulated in the future by the competent authorities.
- Principle of confidentiality: Any Processing must be subject to confidentiality requirements and, therefore, the people involved therein must keep the information confidential, even after the link that gave rise to such Processing has been terminated.
- Processing of Sensitive Data and Diligence: Any Sensitive Data that may be collected in the activities of KLYM must be Processed with diligence to preserve its integrity, including restricted access and security.
- Temporality: KLYM will not use the Personal Data beyond the reasonable time period required for the purpose for which they were disclosed to the respective Holder. KLYM will also apply measures to ensure the deletion of Personal Data if they cease to fulfill the purpose for which they were collected.