(Institutional Guide o15 January 2019)

Personal data treatment policy

Policies and procedures to ensure proper compliance with Law 1581 of 2012, its complementary rules and especially for the attention of queries and claims associated with the protection of personal data.<


Adopt the internal manual of policies and procedures to ensure proper compliance with Law 1581 of 2012, its complementary rules and especially for the attention of queries and claims associated with the protection of personal data.



To establish guidelines to guarantee the constitutional right of all persons in Colombia to know, update and rectify the information that has been collected about them in databases or files, and the other rights, freedoms and constitutional guarantees referred to in the Constitution, especially the right to privacy of citizens.


  1.  Political Constitution of Colombia.
  2.  Law 1581 of 2012, which establishes general provisions for the protection of personal data.
  3. Decree 1377 of 2013, which partially regulates Law 1581 of 2012.
  4. Circulars of the Superintendence of Industry and Commerce.
  5. Information and Knowledge Policy of ISA and its companies.1.


* Responsible for the Processing of Personal Data.

Name:     INTERNEXA S.A.


Address: Medellín

Address: Calle 12 sur 18 168

Phone: 57 (4) 3171111

Web Page: www.internexa.com 

E-mail: contactenos@internexa.com

The Responsible for the Processing of Personal Data is a mixed economy company, governed by Law 1341 of 2009, and in all matters not provided therein by the rules of private law.

* Statement. As evidence of the commitment of the management to an organizational culture of respect for the protection of personal data, the guidelines applicable to all personal information recorded in the databases of the person responsible for the Processing of Personal Data are adopted. Therefore, these guidelines are of mandatory and strict compliance for the Responsible for the Processing of Personal Data, which includes managers and employees, who must observe them.

"* For the purposes of these guidelines, the definitions contained in Law 1581 of 2012 and its regulatory decrees or those rules that modify, add, replace or repeal them are accepted.
However, in order to facilitate the understanding of these guidelines, the following concepts are detailed below:"

Personal data: Any information linked or that can be associated to one or several determined or determinable natural persons.
Database: Organized set of personal data.


Figure 1. Basic Concepts. Personal Data

Owner: Natural person to whom the personal data belongs.

Responsible for the Processing of Personal Data: It is the company established in these guidelines.

Data Processor: Natural or legal person, public or private, that by itself or in association with others, carries out the processing of personal data on behalf of the Data Controller (for example: suppliers, customers, among others).


Figure 2. Basic Concepts. Actors: Data Controller, Responsible and Responsible Party

  • Processing: Any operation or set of operations on personal data or databases, such as collection, storage, use, circulation or deletion, carried out by the Controller or Processor.
  • On the protection of Personal Data. When the law makes reference to the personal data processing policies, it shall be understood as a reference to this Guide; and in particular, when in the authorizations, registrations, notices, commercial proposals, contracts, messages or any other document reference is made to the incorporation of the data processing policies, it shall be understood as made to the following terms:
  • Purpose of the Processing. The Processing carried out by the Controller with the personal information, will be treated for the fulfillment of the specific purposes for which the Data Subject provided the Personal Data, at the time of authorization.

Figure 3. Basic Concepts. Treatment of Personal Data

Notwithstanding the foregoing, in any case, personal data may be collected and processed for the particular purposes of each database, in accordance with the provisions of the National Registry of Databases (RNBD) administered by the Superintendence of Industry and Commerce.

However, it is understood that, with the authorization of the Data Subject, the Data Controller may process the data for the following purposes:

  • Comply with the regulations in force in Colombia for Public Utility Companies.
  • Recognize the legitimate interest of the Data Controller on the occasion of the public services it provides in accordance with the law.
  • Fulfill or maintain legal or contractual obligations acquired with shareholders, employees, customers, suppliers and other stakeholders, including attention to requests, complaints and claims.
  • Perform commercial management and stakeholder relations.
  • Provide information related to campaigns, projects, warnings, programs or operations.
  • Provide commercial, advertising or promotional information, contests, and events, regarding any product and/or service.
  • Contact the Data Controller to request information or opinion about the products or services of the Data Controller.
  • Perform market and/or statistical analysis and/or segmentation.
  • To present value-added services in relation to the information it manages for its stakeholders.
  • Transfer and transmit, inside or outside Colombia, personal data to companies economically linked to the Data Controller or with which it reaches legally permitted commercial agreements.
  • Transfer and transmit, inside or outside Colombia, personal data to companies economically linked to the Data Controller or with which it reaches legally permitted commercial agreements.
  • Allow access to information and personal data to auditors or third parties to carry out internal or external auditing processes.
  • Determine the habits of use, the IP address of the device used, geographic location, cookie information of the Data Subject, among others, derived from the entry and/or registration of personal data in the digital or mobile platforms of the Data Controller, when applicable.
  • Provide features and services related to tastes, location and preferences.
  • Linking third parties to the activities it performs, such as sharing a news item, event or situation, commenting on it, emailing it to a third party, noting that it is liked or of interest for its contacts/friends to see it on the social networks where the Data Subject is located; in internal operations, including troubleshooting, data analysis, research, development and service improvement.
  • Transfer the information of the Data Controllers as part of the assets, in the event of a disposal of the same by the Data Controller.


The Holder understands that the authorization may be recorded in a physical or electronic document, or in any other format that allows to guarantee its subsequent consultation, or by means of any other technical or technological mechanism.
Likewise, the authorization may be made by means of unequivocal conduct of the Holder that allows to reasonably conclude that he/she granted the authorization.

Finally, the Data Controller accepts and declares to know that the Data Controller may provide this information to related companies or companies of the same business group, inside and outside the Colombian territory.

Delivery of personal data to authorities.

The Data Controller may provide personal information to the authorities, by virtue of the request made by them.
In this event, the legality of the request will be verified, the relevance of the data requested in relation to the purpose expressed by the authority and the delivery of the personal information will be documented, noting that the delivery is made under a requirement of authority and the duty of protection on the part of the person receiving the information.

Treatment of sensitive data.

The Data Controller will only collect sensitive personal data when it is necessary and relevant to its business activity and will adopt the security measures that are proportional to the protection of this type of data. Among the sensitive data are biometric data, including images, photographs, videos, voices and/or sounds, fingerprints, among others.

Taking into account the condition of critical infrastructure that must support the permanent and continuous provision of public services and that the same is subject to national security, the Holders are warned that the authenticity for the use of certain platforms, networks or physical or virtual accesses, and the verification of the identity of the Holders, requires some sensitive data. Additionally, among the sensitive data are those that are collected during the participation in events organized or promoted by the Data Controller, inside or outside the facilities or in any of the activities developed on the occasion of the relationship of the Data Subject with the Data Controller. Therefore, by participating in the event, the Data Subject authorizes the processing of his/her data to comply with the purposes set forth herein.

In addition, this authorization includes the use of the rights related to the image or images of the Data Controller, to be incorporated in any type of work, physical or digital, electronic, optical, magnetic media, networks (Intranet and Extranet), data messages or similar, communication platforms and social networks and in general for any medium or support known or to be known in the future, and in particular, with the purpose of being used for internal or external publications of the Data Controller or its subsidiaries.

In addition to the above, in relation to sensitive data, everything contained in this Guide applies, including the purpose of the processing of such data, the rights and procedure for handling queries and complaints.

* Processing of personal data of children and adolescents.
The processing of personal data of children and adolescents is prohibited, except in the case of data of a public nature, in accordance with the provisions of the law and when such processing complies with the following parameters and requirements:

1. that it responds to and respects the best interests of children and adolescents.
2. That it ensures respect for their rights

"Once the above requirements have been met, the legal representative of the child or adolescent will grant the authorization after the minor has exercised his or her right to be heard, an opinion that will be assessed taking into account the maturity, autonomy and capacity to understand the matter.

The Data Controller and the person in charge of the processing of personal data of children and adolescents shall ensure the proper use of such data. For this purpose, the principles and obligations set forth in Law 1581 of 2012 and Regulatory Decree 1377 of 2013 and the rules that modify or add to them shall be applied."

Rights of the Data Subject.

The Holder of Personal Data has the rights enshrined in Article 8 of Law 1581 of 2012, which in general are described below:

  1. Access free of charge to the personal data subject to Processing.
  2. To know, update and rectify their personal data before the Data Controller or Data Processors.
  3. Request proof of the authorization granted, except when expressly exempted as a requirement for the Treatment, in accordance with the provisions of Article 10 of Law 1581.
  4. To be informed by the Data Controller or the Data Processor, upon request, regarding the use given to their personal data.
  5. To file before the Superintendence of Industry and Commerce (SIC) complaints for violations of the provisions of the regulations in force.
  6. To revoke the authorization and/or request the deletion of the data, provided that there is no legal or contractual obligation that prevents their deletion.
  7. Refrain from answering questions about sensitive data. The answers that deal with sensitive data or data of children and adolescents will be optional.

Attention to requests, complaints and claims for the Protection of Personal Data.

The Compliance Officer is responsible for the attention of requests, queries and complaints, before which the Data Subject may exercise his/her rights to know, update, rectify and delete the data and revoke the authorization. The Compliance Officer can be contacted through written communication sent to "Contact Us" available on the website www.internexa.com, or by sending written correspondence addressed to:

Comité de Ética (Ethics Committee)
Address Calle 12 Sur No. 18-168 (Bloque 5, piso 2)
Medellín – Antioquia
Phone: 57(4) 317 1111

Procedure for the exercise of right.

In compliance with the rules on personal data protection, the Data Controller presents the procedure and minimum requirements for the exercise of the rights of the Data Controllers.
For the filing and attention of your request we ask you to provide the following information:

Full name and surname; contact details (physical and/or electronic address and contact telephone numbers); means to receive a response to your request; reason(s)/fact(s) that give rise to the claim with a brief description of the right you wish to exercise (know, update, rectify, request proof of the authorization granted, revoke it, delete, access the information); signature (in the event that applies) and identification number.

The following is the procedure for queries and claims:

The Data Subject may consult his/her personal data free of charge: (i) at least once every calendar month and (ii) every time there are substantial modifications to the policies for the Processing of the information that motivate new consultations.

For consultations whose frequency is greater than one per calendar month, the Data Controller may charge the Data Subject for the costs of sending, reproduction and, if applicable, certification of documents. Reproduction costs shall not exceed the costs of retrieval of the corresponding material.

The Data Controller shall respond to the queries made by the Data Subject or his/her assignees, within a maximum term of ten (10) business days from the date of receipt thereof. When it is not possible to answer the query within such term, the interested party shall be informed, stating the reason for the delay and indicating the date on which the query will be answered, which in no case may exceed five (05) business days following the expiration of the first term.

The Data Subject or its assignees who consider that the information contained in a database should be corrected, updated or deleted, or when they notice the alleged breach of any of the duties contained in Law 1581 of 2012 or in the rules that regulate or modify it, may file a complaint with the Data Controller or the Data Processor, which will be processed under the following rules:

  1.   The claim shall be formulated by means of a request addressed to the Data Controller or the Data Processor, with the identification of the Data Subject, the description of the facts that give rise to the claim, his address, and accompanied by the documents to be asserted. If the claim is incomplete, the interested party will be required within five (05) days of receipt of the claim to correct the faults. After two (02) months from the date of the requirement, without the applicant submitting the required information, it will be understood that the claim has been withdrawn. In the event that the Data Controller is not competent to resolve the claim, it will transfer it to the appropriate person within a maximum period of two (02) working days and inform the interested party of the situation.
  2. Once the complete claim has been received, a legend stating "claim in process" and the reason for the claim will be included in the database containing the information in the claim, within a term no longer than two (02) business days. Said legend shall be maintained until the claim.
  3. The maximum term to address the claim will be fifteen (15) working days from the day following the date of receipt. When it is not possible to address the claim within such term, the interested party will be informed of the reasons for the delay and the date on which the claim will be addressed, which in no case may exceed eight (08) business days following the expiration of the first term.
  4. The request for deletion of the information and the revocation of the authorization shall not proceed when the Data Subject has a legal or contractual duty to remain in the database. If upon expiration of the respective legal term, the Data Controller and/or the Data Processor, as the case may be, have not deleted the personal data, the Data Subject shall have the right to request the Superintendence of Industry and Commerce to order the revocation of the authorization and/or the deletion of the personal data.
  5. Complaint procedure before the Superintendence of Industry and Commerce. The Data Subject or assignee may only file a complaint with the Superintendence of Industry and Commerce once the consultation or complaint process has been exhausted before the Data Controller, according to the aforementioned procedure.
  6. Truthfulness of the information. The holders of personal data have the duty to provide the Data Controller with truthful personal information in order to fulfill the purpose for which the collection of information from the data holder is made. The Data Controller presumes the truthfulness of the information provided by the Data Subjects and shall not assume the obligation to verify the identity of the Data Subjects, nor the truthfulness, validity, sufficiency and authenticity of the data provided by each of them. Therefore, they shall not be liable for damages and/or losses of any nature that may arise from the lack of truthfulness, validity, sufficiency or authenticity of the information and personal data, including damages that may be due to homonymy or impersonation.
  7. Validity The Data Controller accepts and acknowledges that the authorization for the processing of data will be valid during the time in which the Data Controller carries out the activities of its corporate purpose and/or when the data owner decides to revoke the authorization on them.

Therefore, the databases in which the personal data will be recorded will be valid for as long as the information is kept and used for the purposes described in this Guide. In any case it is necessary to have the data for compliance with the legal and/or contractual obligations of the Data Controller, especially in accounting, fiscal and tax matters or for all the time necessary to comply with the provisions applicable to the matter in question, the administrative, accounting, fiscal, legal and historical aspects of the information, or in any event provided by law.

The Data Controller may unilaterally change the terms of this Guide, and therefore undertakes to publish any modification, without affecting the rights of the Data Subjects.

  •  Compliance Officer.
    The Compliance Officer is the person appointed by the Data Controller to ensure the effective implementation of this Guide and to comply with the rules of personal data protection, as well as the implementation of good practices of personal data management by the Data Controller and in particular, shall be responsible for processing the requests of the Data Controllers, for the exercise of the rights referred to in law 1581 of 2012 and other concordant rules.
  •  Security of information.
    Considering that personal data are information and intangible assets, it is understood that the policies and procedures of the Data Controller in these matters apply to them.
  • Validity.
    This Institutional Guide is effective as of its issuance and signature.


Gerente General