At BETR MEDIA S.A.S., the COMPANY's information has been recognized as a valuable asset, and as information systems increasingly support mission-critical processes, high-level strategies are required that allow control and effective administration of the data. This document also includes the indications in accordance with Law 1581 of 2012, Decree 1377 of 2013 and the constitutional right that all people have to know, update and rectify the information that has been collected about them in databases or files, referred to in articles 15 and 20 of the Political Constitution and the other norms that clarify, modify or complement them.
2. ABOUT INFORMATION SECURITY
Information security is understood as the preservation, assurance, and fulfillment of the following characteristics of the information:
Confidentiality: information assets can only be accessed and guarded by users who have permission to do so.
Integrity: The content of the information assets must remain unaltered and complete. The modifications made must be recorded, ensuring their reliability.
Availability: Information assets can only be obtained in the short term by users who have the appropriate permissions.
For this, it is necessary to consider aspects such as:
Authenticity: Information assets are created, edited, and guarded by recognized users who validate their content.
Possibility of Audit: Evidence is kept of all activities and actions that affect information assets.
Protection against duplication: Information assets are classified, and records are kept of the copies generated of those classified as confidential.
Non-repudiation: The authors, owners, and custodians of the information assets can be fully identified.
Legality: The information assets comply with the legal, regulatory, and statutory parameters of the COMPANY.
Information Reliability: The content of the information assets that maintain confidentiality, integrity, availability, authenticity, and legality is reliable.
This Manual applies to the information and data that the company BETR MEDIA S.A.S. collects and manages.
3. ORGANIZATION FOR INFORMATION SECURITY
BETR MEDIA S.A.S. guarantees support for the process of establishment, implementation, operation, monitoring, review, maintenance, and improvement of the information security policy, the review of which is entrusted to a commission that works through a working group made up of:
General Manager
Assistant manager
External Security Consultants
In any case, said commission or work table must review and update this policy annually, presenting the proposals to the institution's directors for their approval. Likewise, the members of this work table are part of the group responsible for Information Security and therefore must follow the management guidelines framed in this policy and in the standards, norms, guides, and procedures recommended by the law in force in Colombia.
4. DEFINITIONS
For the purposes of applying the rules contained in this Manual, and in accordance with the provisions of Colombian law, the following definitions apply for all legal purposes:
Authorization: Prior, express, and informed consent of the Holder to carry out the processing of personal data.
Privacy notice: Verbal or written communication generated by the person in charge, addressed to the Owner for the Treatment of their personal data, through which they are informed about the existence of the information Treatment policies that will be applicable, the way to access the same and the purposes of the Treatment that is intended to give the personal data.
Database: Organized set of personal data that is subject to Treatment.
Personal data: Any information linked or that may be associated with one or more specific or determinable natural persons.
Location data: such as those related to the commercial or private activity of people such as an address, telephone, email, etc.
Socio-Economic Content Data: such as stratum, homeownership, financial, credit, and/or economic data of the people, patrimonial data such as movable and immovable property, income, expenses, investments, work history, work experience, position, dates of entry, and withdrawal, annotations, calls for attention, educational level, training and/or academic history of the person, etc.
Identification Data: Name, surname, type of identification, identification number, date and place of issue, name, marital status, sex, signature, nationalities, family data, electronic signature, other identification documents, place and date of birth or death, age, fingerprint, DNA, iris, facial or body geometry, photographs, videos, fingerprint formula, voice, etc.
CONTROLLED DOCUMENT BETR MEDIA S.A.S. INFORMATION SECURITY POLICY Version: 01 Code: BM-PO-SI-001 Date: 01/10/2020 - Page 2 of 20
Public data: It is data that is not semi-private, private, or sensitive. Public data, among others, are data related to people’s marital status, their profession or trade, and their status as a merchant or public servant. By its nature, public data may be contained, among others, in public registers, public documents, gazettes, and official gazettes and duly executed judicial decisions that are not subject to reservation.
Sensitive data: Sensitive data is understood to be those that affect the privacy of the Holder or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, union membership, social or human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.
Person in Charge of the Treatment: Natural or legal person, public or private, that by itself or in association with others, carries out the Treatment of personal data on behalf of the person responsible for the Treatment.
Responsible for the Treatment: Natural or legal person, public or private, that by itself or in association with others, decides on the database and/or the Treatment of the data.
Owner: Natural person whose personal data are subject to Treatment.
Transfer: The data transfer takes place when the person responsible and/or the Person in Charge of the Treatment of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is Responsible for the Treatment and is inside or outside the country.
Transmission: Processing of personal data that implies the communication of the same within or outside the territory of the Republic of Colombia when it is intended to carry out a Treatment by the Person in Charge on behalf of the person responsible.
Treatment: Any operation or set of operations on personal data, such as the collection, storage, use, circulation, or deletion.
Assets: Refers to any information or element related to its treatment (systems, supports, buildings, people) that has value for the entity.
Critical asset: Facilities, systems, and equipment which, if they are destroyed, or their operation is degraded or for any other reason are not available, will affect the fulfillment of the strategic objectives of the Ministry.
Risk Management: Risk management is understood as the process of identification, control, minimization, or elimination, at an acceptable cost, of the security risks that could affect the information or considerably impact the operation. This process is cyclical and should be carried out periodically.
Threat: Potential cause of an unwanted incident, which can cause damage to a system or the entity.
Business Impact Analysis: It is a methodology that allows identifying the critical processes that support key products and services, the interdependencies between processes, the resources required to operate at a minimum acceptable level, and the effect that a business interruption could have on them.
Authenticity: Seeks to ensure the validity of the information in time, form, and distribution. Likewise, the origin of the information is guaranteed, validating the issuer to avoid identity theft.
Cabling center: The cabling center is the place where the information technology communication resources are located, such as switches, patch panels, UPS, routers, and voice and data cabling.
Critical cyber asset: Cyber asset that is critical to the operation of a critical asset.
Cyber asset: Digital assets such as data, devices, and systems that allow the organization to meet its business objectives; they are identified as the focus of cybersecurity.
Cybersecurity: It is the process of protecting information assets by treating threats to information that is processed, stored, and/or transported through interconnected information systems.
Information Security Committee: The Information Security Committee is a body made up of representatives from all substantive areas of the Ministry, intended to support compliance with the information security standards, processes, and procedures.
Information Reliability: That is, the information generated is adequate to support decision-making and the execution of missions and functions.
Confidentiality: The information is guaranteed to be accessible only to those persons authorized to have access to it.
Datacenter: Also called a Data Processing Center (DPC), it is the location or space where the IT resources necessary for the information processing of an organization are concentrated.
Availability: It is guaranteed that authorized users have access to the information and the resources related to it, whenever they require it.
Mobile devices: Cellular smartphone equipment, laptops, tablets, or any device whose main concept is mobility, which allows limited storage and internet access and has processing capacity.
DMZ: English acronym for Demilitarized Zone; it refers to a segment of the network that is located between the internal network of an organization and the external network or Internet of VPN.
Active network equipment: These are all the devices that distribute communications through the data network.
Risk Assessment: Risk assessment is understood to be the assessment of threats and vulnerabilities related to information and its processing facilities, the probability of their occurrence, and their potential impact on the entity’s operation.
Security Incident: Unwanted or unexpected information security events or series of events that have a significant probability of compromising business operations and threatening information security.
Information: Refers to any communication or representation of knowledge as data, in any form, including textual, numerical, graphic, cartographic, narrative, or audiovisual forms, and in any medium, whether magnetic, on paper, on computer screens, audiovisual or other.
Integrity: The accuracy and completeness of the information and processing methods are safeguarded.
Legality: Refers to compliance with the laws, rules, regulations, or provisions to which the entity is subject.
Removable media: Removable storage devices are storage devices independent of the computer and can be transported freely. The most common mobile devices are USB sticks, removable hard drives, DVDs, and CDs.
Service Desk: It is the only point of contact with the end-users to register, communicate, attend and analyze all calls, reported incidents, service requirements, and requests for information. It is through the proactive management of the Service Desk that the Information Technology Office collects the needs that dependencies have regarding technological resources.
Non-repudiation: The sender cannot deny that he sent it because the recipient has proof of the shipment. The receiver receives unforgeable proof of the origin of the shipment, which prevents the sender from denying the shipment.
5. LEGAL FRAMEWORK
Political Constitution of Colombia. Article 15.
Law 44 of 1993. By which Law 23 of 1982 is modified and added and Law 29 of 1944 and Andean Decision 351 of 2015 (Copyright) are modified.
Law 527 of 1999. By which the access and use of data messages, electronic commerce, and digital signatures are defined and regulated and certification entities are established and other provisions are issued.
Law 1266 of 2008. By which the general provisions of Habeas data are dictated and the handling of the information contained in personal databases is regulated, especially financial, credit, commercial, services and that from third countries and is dictating other provisions.
Law 1221 of 2008. By which rules are established to promote and regulate Telework and other provisions are issued.
Law 1273 of 2009. By means of which the Penal Code is modified, a new protected legal asset is created – called “of the protection of information and data” – and the systems that use the technologies of the information and communications, among other provisions.
Law 1341 of 2009. By which principles and concepts on the information society and the organization of information and communication technologies are defined – ICT- The National Spectrum Agency is created and other provisions are issued.
Law 1581 of 2012. By which general provisions are issued for the protection of personal data.
Law 1915 of 2018. By which Law 23 of 1982 is modified and other provisions on copyright and related rights are established.
Decree 1377 of 2013. By which Law 1581 of 2012 is partially regulated.
Decree 886 of 2014. By which the National Registry of Databases is regulated.
Decree 1074 of 2015. Through which the Regulatory Decree of the Commerce, Industry, and Tourism Sector is issued. It partially regulates Law 1581 of 2012 and provides instructions on the National Registry of Databases. Articles 25 and 26.
6. RESPONSIBLE FOR THE TREATMENT
The company BETR MEDIA S.A.S. is dedicated to:
1. The integral management of digital media, from the generation of strategies to the monitoring and reporting of content.
2. The creation of audiovisual content for distribution in digital media.
3. The design and administration of web pages.
4. Administration and management of social networks for companies and individuals.
5. Other activities that are included in digital marketing.
6. The company may carry out, in general, all operations, of whatever nature they may be, related to the aforementioned object, as well as any similar, related or complementary activities or that allow to facilitate or develop the commerce or industry of the company.
7. Likewise, it may carry out any other legal economic activity both in Colombia and abroad.
For the development of the corporate purpose, the company may:
a) Acquire, organize, administer or dispose of the various commercial establishments that are required to carry out the purposes of the company.
b) Carry out banking, credit, insurance, financial operations and, in general, execute all financial, commercial, credit acts and enter into the necessary or consequential contracts for the development and fulfillment of the corporate purpose, which allow it to obtain funds or other necessary assets for the development of the company or facilitate the fulfillment of its social purposes, without this implying the development of financial intermediation activities.
c) Participate in public or private tenders, direct contracts with public, private, or mixed entities.
d) Enter into business collaboration contracts (consortia, temporary unions, outsourcing) with national or foreign firms.
e) Split, merge with other companies, or acquit them.
f) Acquire movable or immovable property, dispose of it in any way, mortgage it, encumber it, lease it, exploit it and, finally, manage the movable and immovable property.
g) Celebrate all kinds of acts, operations, and contracts that are directly related to the activities that make up the corporate purpose or whose purpose will be to exercise the rights or fulfill the legal or conventional obligations derived from the existence or activities of the company.
The company BETR MEDIA S.A.S. identified with the NIT. 901124752-1 is responsible and in charge of the processing of the personal data of its clients, suppliers, workers, contractors, shareholders, advisors, of the same company, and other natural or legal persons from whom it is required to collect information due to our activity.
7. FUNCTIONS
The following will be functions of the Administration in terms of protection of personal data of BETR MEDIA S.A.S.:
Follow up on the activities related to information management within their areas of responsibility.
Strive to ensure that, in the mission and support processes under their responsibility, all the necessary mechanisms for the protection of personal data are implemented.
Guarantee that in the event of changes in processes and/or new products or services that are developed within the scenario or area of their responsibility, these have the necessary requirements for the protection of personal data before their start-up or operation.
Guarantee in the processes of dismissal of the officials who belong to the scenario of their responsibility, that the assigned profiles where personal information is accessed are disabled, no later than the day on which the official leaves BETR MEDIA S.A.S.
8. PRINCIPLES
In the development, interpretation, and application of this Manual, the following principles established in article 4 of Law 1581 of 2012 will be applied, harmoniously and comprehensively:
Principle of legality regarding data processing: The processing referred to in this law is a regulated activity that must be subject to what is established in it and in the other provisions that develop it;
Principle of purpose: The Treatment must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Holder;
Principle of freedom: Treatment can only be exercised with the prior, express, and informed consent of the Holder. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves consent;
Principle of truthfulness or quality: The information subject to Treatment must be truthful, complete, exact, updated, verifiable, and understandable. Processing of partial, incomplete, fractional, or misleading data is prohibited;
Principle of transparency: In the treatment, the right of the Holder to obtain from the person responsible for the treatment or the Person in Charge of the Treatment, at any time and without restrictions, information about the existence of data concerning him must be guaranteed;
Principle of access and restricted circulation: The Treatment is subject to the limits that derive from the nature of the personal data, the provisions of this law, and the Constitution. In this sense, the Treatment can only be done by persons authorized by the Holder and/or by the persons provided for in this law. Personal data, except public information, may not be available on the Internet or other means of dissemination or mass communication unless the access is technically controllable to provide restricted knowledge only to the Holders or authorized third parties in accordance with this law;
Security principle: The information subject to Treatment by the person responsible for the Treatment or Person in Charge of the Treatment referred to in this law, must be handled with the technical, human, and administrative measures that are necessary to provide security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.
Principle of confidentiality: All persons who intervene in the processing of personal data that are not public in nature are obliged to guarantee the reservation of the information, even after the end of their relationship with any of the tasks that the Treatment comprises, being able only to carry out supply or communication of personal data when this corresponds to the development of authorized activities.
BETR MEDIA S.A.S. clarifies that all workers of the organization have the obligation to comply with the CONFIDENTIALITY clause established in the Internal Work Regulations, which reads: “Confidentiality. The worker accepts that all types of information related to the employer that he receives or knows in relation to the execution of his work, has as its sole and exclusive purpose, to allow the full and correct performance of his work, therefore, he is obliged not to disseminate, comment, copy, deliver or communicate to third parties or make use different from this, so it must be handled with absolute secrecy. Similarly, the worker may only obtain and use the information required for their work with prior authorization from the Management. The parties agree to classify as a serious offense for the purposes of the contract that the employee, even for the first time, violates the confidentiality clause”
9. SCENARIOS OF PROCESSING OF PERSONAL INFORMATION.
In order to know, control, and materialize the postulates, principles, and obligations enshrined in this manual, BETR MEDIA S.A.S. has identified the following personal information processing scenarios, from which it collects, stores, uses, transfers, shares and deletes information of public, private, semi-private, sensitive nature and special information of CUSTOMERS, SUPPLIERS, EMPLOYEES of its holders. The scenarios identified by BETR MEDIA S.A.S. are as follows:
SCENARIO: PURPOSE
WORKERS: Administer and manage the payroll information and other data required to control the execution of the labor relations signed by BETR MEDIA S.A.S.
CLIENTS / USERS: Administer and manage information related to third parties that have a contractual or commercial relationship with BETR MEDIA S.A.S.
SUPPLIERS: Administer and manage the information of third-party providers of goods and services linked to BETR MEDIA S.A.S. in order to meet the needs of this and ensure the development of its mission purpose.
INTERNET AND MASS MEDIA: Channel relevant information about the operation and dissemination of the mission purpose of BETR MEDIA S.A.S.
CORPORATE TOOLS: Use of computer equipment, information management systems, computer infrastructure elements, corporate emails, among other tools that are intended to support the development and management of the mission objective of BETR MEDIA S.A.S. under conditions of security, confidentiality, privacy, integrity, and availability.
10. PURPOSE OF THE DATA
The processing of the personal data of the Holders will be carried out by BETR MEDIA S.A.S., with the following purpose:
Comply with the obligations contracted by virtue of the legal, contractual, labor, and/or regulatory relationship contracted with BETR MEDIA S.A.S.
Evaluate the quality of our services and the service of our suppliers.
Report on service and/or loyalty campaigns.
Make invitations to events, communicate news related to our social work.
Generate the corresponding reports to the Judicial, Commercial, Environmental Authorities, the Ministry of Labor, DIAN, and other government agencies that so provide.
Baseline and monitoring of the Integrated Management System programs.
Develop, register, control, and monitor the activities and administrative, operational, and commercial procedures of the operation, development, and consolidation of BETR MEDIA S.A.S.
Share or supply to third parties valid before the law such as control and surveillance bodies, information expressly required or authorized by the owner of the information.
Meet the legal requirements and information requirements of the administrative and judicial authorities that regulate, supervise, and/or monitor the activities and operations of BETR MEDIA S.A.S.
Register, document and feed the general and statistical information of BETR MEDIA S.A.S. for the development of business intelligence and analytics activities, aiming for the continuous improvement and sustainability of BETR MEDIA S.A.S.
Issue certifications requested by the holders of information, legal representatives, administrative or judicial authorities, and authorized third parties, regarding the information that resides in the files of BETR MEDIA S.A.S.
Carry out marketing efforts exclusively related to the promotion of the services of BETR MEDIA S.A.S. Personal information will not be provided to third parties other than BETR MEDIA S.A.S. for marketing or commercial promotion purposes.
Allow the creation of cases or users in the information system (s) of BETR MEDIA S.A.S. associated with the process of linking suppliers or contractors, as well as the development of the strategic, administrative, commercial, and accounting function of BETR MEDIA S.A.S.
Enter the information into the internal registry of suppliers and contractors of BETR MEDIA S.A.S., in compliance with the administrative, commercial, accounting, and tax procedures, as well as for the analysis and studies of prices, conditions, antecedents, and market trends associated with future supplier or contractor selection processes in which BETR MEDIA S.A.S. has an interest.
Control, monitor, evaluate, record, and update the activities, procedures, and other obligations of the eventual subscription and execution of contracts, as well as the preparation, monitoring, and reporting of management indicators and results of the work of the supplier or contractor.
Endorse the personal information of the applicant through its corroboration before the direct sources of the certifications, certificates, or references provided.
File and preserve under adequate security conditions, the information required to feed the historical archive of BETR MEDIA S.A.S. during the term of validity legally applicable to each type of information asset.
11. RIGHTS OF THE HOLDER
In accordance with Law 1581 of 2012 and Decree 1377 of 2013, the holders of personal data processed by the company BETR MEDIA S.A.S. have the following rights:
Know, update and rectify your personal data before BETR MEDIA S.A.S., in its capacity as responsible for the treatment. This right may be exercised, among others, with respect to partial, inaccurate, incomplete, fractioned, or misleading data, or data whose treatment is expressly prohibited or has not been authorized.
Request proof of the authorization granted to BETR MEDIA S.A.S. for the treatment, except when it is expressly excepted as a requirement for the treatment, in accordance with the provisions of article 10 of Law 1581 of 2012.
Be informed by BETR MEDIA S.A.S., upon request, regarding the use it has given to your personal data.
Present before the Superintendency of Industry and Commerce complaints about infractions to the provisions of Law 1581 of 2012 and the other regulations that modify, add, or complement it, once the consultation or claim process has been exhausted before BETR MEDIA S.A.S.
Revoke the authorization and/or request the deletion of the data when the principles, rights, and constitutional and legal guarantees are not respected in the Treatment. The revocation and/or deletion will proceed when the Superintendency of Industry and Commerce has determined that in the Treatment BETR MEDIA S.A.S. has engaged in conduct contrary to Law 1581 of 2012 and the Constitution.
Free access to your personal data that have been subject to Treatment.
Request the Superintendency of Industry and Commerce to order the revocation of the authorization and/or the deletion of personal data, in the terms of the third paragraph of article 9 of Decree 1377 of 2012. For these purposes, the procedure is described in Article 22 of Law 1581 of 2012.
Access personal data that are under their control and exercise their rights over them, as regulated by article 22 of Decree 1377 of 2013.
12. DUTIES OF BETR MEDIA S.A.S. IN RELATION TO THE PROCESSING OF PERSONAL DATA
BETR MEDIA S.A.S. will keep in mind, at all times, that personal data are the property of the natural or legal persons to whom they refer and that only they can decide on them. In this sense, it will use them only for those purposes for which it is duly empowered, and in any case respecting Law 1581 of 2012 on the protection of personal data.
In accordance with the provisions of article 17 of Law 1581 of 2012, BETR MEDIA S.A.S. undertakes to permanently comply with the following duties in relation to the processing of personal data:
Guarantee the Holder, at all times, the full and effective exercise of the right to Habeas data¹.
Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use, or unauthorized or fraudulent access.
Carry out in a timely manner, that is, in the terms provided in articles 14 and 15 of Law 1581 of 2012, the updating, rectification, or deletion of the data.
Process the queries and claims made by the Holders in the terms indicated in article 14 of Law 1581 of 2012.
Insert in the database the legend “information in judicial discussion” once notified by the competent authority about judicial processes related to the quality or details of personal data.
Refrain from circulating information that is being disputed by the Holder and whose blocking has been ordered by the Superintendency of Industry and Commerce.
Allow access to information only to people who can have access to it.
Inform the Superintendency of Industry and Commerce when there are violations of the security codes and there are risks in the administration of the information of the Holders.
Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.
¹ Habeas data is a jurisdictional action proper to law, normally constitutional, that confirms the right of any natural or legal person to request and obtain existing information about their person, and to request its elimination or correction if it is false or out of date. This right applies to information stored in records or databases of all kinds, whether in public or private institutions and in computer records or not. The habeas data right can also cover the concept of the right to be forgotten, that is, the right to eliminate information that is considered obsolete over time and has lost its usefulness. In more specific terms, habeas data is an action that any citizen can take when his data is not valid, a debt that is not real, etc.
13. PROCEDURE SO THAT THE HOLDERS OF THE INFORMATION CAN EXERCISE THE RIGHTS TO KNOW, UPDATE, RECTIFY AND DELETE INFORMATION AND REVOKE THE AUTHORIZATION
13.1 Quality of Personal Data
specific, explicit, and legitimate activities necessary for the development of the corporate purpose of the company BETR MEDIA S.A.S.
In the same way, the data collected for its treatment may not be used for purposes that are incompatible with those that motivated its collection in each case, unless there is the consent of the affected person for this new treatment.
In general, the data provided by the affected party is considered accurate.
Without prejudice to the exercise of the rights of rectification and cancellation by those affected, the personal data will be kept accurate and updated in such a way that at all times they respond to the current situation of the Holder.
13.2 Area Responsible for the Attention of Petitions, Queries, and Claims of the Holders
The administrative, commercial, and marketing departments of the company BETR MEDIA S.A.S. will have the responsibility to protect the personal data of the Holders, as appropriate, and will process the requests that they present for the exercise of the rights referred to in Law 1581 of 2012, Decree 1377 of 2013, and this Manual.
For all matters determined in the current regulations and, with the essential purpose of determining the person responsible for the Treatment of the Information that appears in its database, in order to allow the proper exercise of rights by the Owner of the information, you can submit all your doubts, clarifications and additional information to said office, which is located at the COMMERCIAL ADDRESS: CALLE 30 24 38 MUNICIPALITY: FLORIDABLANCA – SANTANDER TELEPHONE1: 6836797; PHONE2: 3005525228; EMAIL: [email protected]
13.3 Queries
In accordance with the provisions of article 14 of Law 1581 of 2012, the owners or their successors in title may consult the personal information of the owner that resides in any database. Consequently, BETR MEDIA S.A.S. will guarantee the right of consultation, providing the holders with all the information contained in the individual record or that is linked to the identification of the Holder.
Consultation requests will be answered within a maximum term of fifteen (15) business days from the date of receipt. When it is not possible to attend the consultation within said term, the interested party will be informed before the expiration of the fifteen days, stating the reasons for the delay and indicating the date on which the consultation will be attended.
13.4 Claims
In compliance with the provisions of article 15 of Law 1581 of 2012, the Holder or his successors in title who consider that the information contained in a database should be subject to correction, updating, or deletion, or who notice the alleged breach of any of the duties contained in Law 1581 of 2012, may file a claim with BETR MEDIA SAS, which will be processed within a maximum term of fifteen (15) business days from the date of receipt.
13.5 Rectification and Updating of Data
BETR MEDIA S.A.S. has the obligation to rectify and update at the request of the Holder, the information of the latter that turns out to be incomplete or inaccurate.
In requests for rectification and updating of personal data, the Holder must indicate the corrections to be made and provide the documentation that supports his request.
BETR MEDIA S.A.S. may establish forms, systems, or other simplified means for updating data.
13.6 Data Deletion
The Holder has the full right, at all times, to request from the company BETR MEDIA S.A.S. the deletion of his personal data and/or to revoke the authorization granted for the Treatment of these, by filing a claim, in compliance with the provisions of article 15 of Law 1581 of 2012.
The request for deletion of data and the revocation of the authorization will not proceed when the Holder has a legal, contractual, labor, and/or regulatory duty to remain in the database.
The deletion of personal data can be requested when:
The Holder considers that they are not being treated in accordance with the principles, duties, and obligations provided in Law 1581 of 2012.
They are no longer necessary or relevant for the purpose for which they were collected.
The period necessary for the fulfillment of the purposes for which they were collected has been exceeded.
14. PHYSICAL AND ENVIRONMENTAL SECURITY
14.1 Access
BETR MEDIA S.A.S. has developed procedures to have controlled and restricted access to the telecommunications room. The BETR MEDIA S.A.S Data Network, from the general management, prepares and maintains the rules, controls, and access records to these areas.
14.2 Equipment safety
The equipment and/or devices that contain information and institutional services are kept in a safe and protected environment with at least:
Access controls and physical security.
Fire detection and conflagration extinguishing systems.
Humidity and temperature controls.
Low risk of flooding.
Regulated electrical systems backed by uninterruptible power supplies (UPS).
General. Hosting institutional information on external servers is not allowed without written approval from the General Management. Key communications equipment is powered by regulated electrical power systems and protected by UPS. The Data Network is secured, and the IT services infrastructure is covered by adequate hardware and software maintenance and support. Workstations must be properly secured and operated by personnel of the institution, who must be trained on the content of this policy and on their personal responsibilities in the use and administration of business information. The media that host backup copies must be conserved correctly in accordance with the policies and standards that the general management of BETER SAS prepares and maintains for this purpose. Departments are responsible for adopting and complying with defined standards for creating and managing backups.
15. ADMINISTRATION OF COMMUNICATIONS AND OPERATIONS
15.1 Reporting and Investigation of Security Incidents
The personnel of BETR MEDIA S.A.S. must report suspected security violations diligently, promptly, and responsibly through their immediate supervisor or directly to the General Management, which must guarantee the computer tools so that such reports can be formally made. The General Management must prepare, maintain, and disseminate the rules, processes, and guides for the reporting and investigation of security incidents. In accordance with the law, the General Management of BETR MEDIA S.A.S. may intercept or monitor communications through different mechanisms, in all cases notifying those affected by this decision in advance.
15.2 Protection against Malicious Software and Hacking
All computer systems must be protected using a multi-level approach that involves human, physical, technical, and administrative controls. The General Management of BETR MEDIA S.A.S. will prepare and maintain a set of policies, rules, standards, procedures, and guides that guarantee the mitigation of risks associated with threats from malicious software and hacking techniques, or will contract a third party to carry out this type of review in a staggered manner and at consistent intervals in accordance with customary IT practice. In any case, and as a minimum control, workstations must be protected by antivirus software with automatic update capability. Workstation users are not authorized to disable this control. The General Management of BETR MEDIA S.A.S. may monitor network traffic when there is evidence of unusual activity or degraded performance. The General Management must keep up to date a database of security alerts reported by competent bodies and act accordingly when an alert may have a considerable impact on the performance of the computer systems.
15.3 Backup Copies
All information that belongs to the institutional information asset matrix or that is of interest to an operational or mission-critical process must be backed up by copies taken in accordance with the procedures stipulated by the General Management of BETR MEDIA S.A.S. This procedure must include the activities for storing the copies in secure sites. Backup copies of critical information must be maintained in accordance with the backup policies of the provider contracted for this purpose. The creation of backup copies of files used, held, or produced by individual users is strictly prohibited.
15.4 Network Configuration Management
The configuration of routers, switches, firewalls, intrusion detection systems, and other network security devices must be documented, backed up, and maintained by the company contracted for this purpose. All IT equipment must be reviewed, registered, and approved by the General Management of BETR MEDIA S.A.S. before being connected to the institutional communications and data network. The General Management must disconnect any devices that are not approved and report such a connection as a security incident to be investigated.
15.5 Exchange of Information with External Organizations
Requests for information from external oversight bodies must be approved by the General Management of BETR MEDIA S.A.S.
15.6 Internet and Email
The rules for the use of the Internet and email services will be prepared, maintained, and updated by the General Management of BETR MEDIA S.A.S., and in all cases the responsible handling of information technology resources must be ensured.
15.7 Software Installation
All software installations carried out on BETR MEDIA S.A.S. systems must be approved by the General Management, in accordance with the procedures prepared for this purpose. The installation of software that violates intellectual property and copyright laws is not permitted, in particular Law 23 of 1982 and related laws, Article 61 of the Political Constitution of Colombia, Articles 270 and 271 of the Colombian Penal Code, Law 1273 of January 5, 2009, and related laws.
16. SUPPLY AND USE OF CORPORATE TOOLS INVOLVING THE PROCESSING OF PERSONAL INFORMATION
BETR MEDIA S.A.S. may provide its workers and/or suppliers with the different tools, media, or corporate equipment such as telephone lines, laptops or desktop computers, mobile communication equipment, corporate email accounts, data storage services, users, and access profiles to its information systems, among other corporate elements that include software, applications and other developments that BETR MEDIA SAS installs or licenses for the development of the activities, functions, and obligations of its activity. Therefore, the recipient of this type of tool agrees at the time of receipt and subsequent use to comply with the following commitments:
The supports, equipment, tools, and other corporate elements are the property of BETR MEDIA SAS, so any recipient of these is obliged to safeguard, preserve, maintain, protect, and use them properly in accordance with the instructions and protocols applicable to each of the elements made available to them.
You can only access and/or use the means, equipment, tools, and other corporate elements that have been expressly delivered or supplied by BETR MEDIA S.A.S. prior to the completion and subscription of the respective inventory. Therefore, it is prohibited to share or give access to unauthorized third parties or provide confidential and/or personal data on which BETR MEDIA S.A.S. has the condition of being responsible or in charge of the treatment in the terms of the law.
It is forbidden to use the corporate media, equipment, or tools delivered or made available by BETR MEDIA S.A.S. for topics that are not directly related to the tasks, functions, or purposes for which it is provided. Likewise, the installation or use of any software is prohibited without the prior written authorization of BETR MEDIA S.A.S.
The telephone line, as well as the corporate email account, are work tools that must be used for the specific purposes for which they have been assigned. For this reason, the information that circulates through these means will be considered classified material that is the property of BETR MEDIA SAS, allowing its access, registration, as well as the performance of any other traceability and information control activity in accordance with its internal security and personal data protection policies.
17. PRIVACY NOTICE AND INFORMATION PROCESSING POLICIES
BETR MEDIA S.A.S. will keep the privacy notice model that was transmitted to the Holders while the processing of personal data is carried out and the obligations derived from it remain. For the storage of the model, BETR MEDIA S.A.S. may use physical, computer, electronic, or any other technology.
18. DIVULGATION
This Manual is part of the Integrated Management system and will be published on the billboard of the administrative office of the company BETR MEDIA S.A.S. and on the website.
19. NATIONAL REGISTRY OF DATABASES
BETR MEDIA S.A.S. reserves, in the events contemplated in the law and in its statutes and internal regulations, the power to maintain and catalog certain information that resides in its databases, as confidential in accordance with the rules in force, its statutes, and regulations.
20. VALIDITY
This Manual of the company BETR MEDIA S.A.S. is effective as of January 10, 2020.
21. RELATED DOCUMENTS:
Confidentiality agreement.
Clients Confidentiality Agreement.
Informed consent document and express authorization for the processing of personal data of workers, applicants.
Informed consent document and express authorization for the processing of personal data for clients and suppliers.
Update, modification, or revocation documents for the processing of personal data for clients and suppliers.