Treatment Policies

1. Legal basis and scope

The information treatment policy is developed in compliance with articles 15 and 20 of the Political Constitution; with articles 17 letter k) and 18 letter f) of Statutory Law 1581 of 2012, by which general provisions for the Protection of Personal Data (LEPD) are issued; and with article 13 of Decree 1377 of 2013, by which the previous Law is partially regulated. This policy applies to all personal data registered in databases that are subject to treatment by the data controller.

2. Definitions

Established in article 3 of Law 1581 of 2012 and in article 3 of Decree 1377 of 2013.

  • Authorization: Prior, express and informed consent of the Owner to carry out the processing of personal data.
  • Privacy notice: Verbal or written communication generated by the person in charge, directed to the Owner for the processing of their personal data, by means of which they are informed about the existence of the information treatment policies that will be applicable to them, the way to access them and the purposes of the treatment intended for the personal data.
  • Database: Organized set of personal data that is subject to treatment.
  • Personal data: Any information linked to or associated with one or several natural persons determined or determinable.
  • Public data: It is the data that is not semi-private, private or sensitive. Public data are considered, among others, the data related to the civil status of the persons, to their profession or trade and to their status as merchants or public servants. By its nature, public data may be contained, among others, in public records, public documents, gazettes and official bulletins and judicial sentences duly executed that are not subject to reservation.
  • Sensitive data: Sensitive data are those that affect the privacy of the Holder or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions or in social or human rights organizations, or in organizations that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as the data related to health, sexual life, and biometric data.
  • Person in charge of the treatment: Natural or legal person, public or private, that by itself or in association with others, performs the processing of personal data on behalf of the controller.
  • Responsible for the treatment: Natural or legal person, public or private, that by itself or in association with others, decides on the database and / or the treatment of the data.
  • Owner: Natural person whose personal data are subject to treatment.
  • Transfer: The transfer of data takes place when the person responsible for and / or in charge of the processing of personal data, located in Colombia, sends the information or personal data to a receiver, who in turn is responsible for the treatment and is inside or outside the country.
  • Transmission: Treatment of personal data that involves the communication of the same within or outside the territory of the Republic of Colombia when its object is the performance of a treatment by the person in charge on behalf of the person responsible.
  • Treatment: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.

3. Authorization of the treatment policy

According to article 9 of the LEPD, the prior and informed authorization of the Holder is required for the processing of personal data. By accepting this policy, any Owner who provides information regarding their personal data is consenting to the treatment of their data by BLUE PACIFIC ASSETS in the terms and conditions set out therein. The Holder’s authorization will not be necessary in the case of:

  • Information required by a public or administrative entity in the exercise of its legal functions or by court order.
  • Data of public nature.
  • Cases of medical or sanitary emergency.
  • Processing of information authorized by law for historical, statistical or scientific purposes.
  • Data related to the Civil Registry of persons.

4. Responsible for the treatment

The responsible for the treatment of the databases object of this policy is BLUE PACIFIC ASSETS, whose contact data are the following:

5. Treatment and purposes of the databases

BLUE PACIFIC ASSETS, in the development of its business activity, carries out the processing of personal data relating to natural persons that are contained and treated in databases destined for legitimate purposes, complying with the Constitution and the Law.

“Annex 1. Data Bases Information” presents the different databases that the company manages, together with the information and characteristics of each of them.

6. Rights of the Holders

In accordance with article 8 of the LEPD and articles 21 and 22 of Decree 1377 of 2013, the Holders of the data may exercise a series of rights in relation to the processing of their personal data. These rights may be exercised by the following persons:

  • By the Holder, who must prove his identity sufficiently by the different means put at his disposal by the responsible party.
  • By their successors, who must prove such quality.
  • By the representative and / or agent of the Holder, prior accreditation of representation or empowerment.
  • By stipulation in favor of another and for another.

The rights of children or adolescents will be exercised by the persons who are authorized to represent them.

The rights of the Holder are the following:

  • Right of access or consultation: This is the right of the Owner to be informed by the data controller, upon request, regarding the origin, use and purpose that they have given to their personal data.
  • Rights of complaints and claims: The Law distinguishes four types of claims:
    • Claim of correction: It is the right of the Owner to update, rectify or modify data that are partial, inaccurate, incomplete, fractioned or misleading, or whose treatment is expressly prohibited or has not been authorized.
    • Claim of suppression: It is the right of the Holder to delete the data that are inappropriate, excessive or that do not respect the principles, rights and constitutional and legal guarantees.
    • Revocation claim: It is the right of the Owner to revoke the authorization previously provided for the processing of their personal data.
    • Claim of infringement: It is the right of the Owner to request that the breach of the regulations on Data Protection be remedied.
  • Right to request proof of the authorization granted to the data controller: Except when expressly exempted as a requirement for processing in accordance with the provisions of article 10 of the LEPD.
  • Right to submit complaints to the Superintendency of Industry and Commerce for infringements: The Holder or successor can only raise this complaint once the process of consultation or claim has been exhausted before the person responsible for the treatment or in charge of the treatment.

7. Attention to Data Holders

The Data Protection Officer of BLUE PACIFIC ASSETS will be in charge of the attention of requests, queries and claims before which the Holder of the data can exercise their rights.

8. Procedures to exercise the rights of the Holder

8.1. Right of access or consultation

According to article 21 of Decree 1377 of 2013, the Holder may consult his personal data free of charge in two cases:

  • At least once each calendar month.
  • Every time there are substantial modifications of the information treatment policies that motivate new consultations.

For consultations whose periodicity is greater than one for each calendar month, BLUE PACIFIC ASSETS may only charge the Holder for shipping, reproduction and, where appropriate, certification of documents. The costs of reproduction may not be greater than the costs of recovering the corresponding material. For this purpose, the responsible party must demonstrate to the Superintendence of Industry and Commerce, when it so requires, the support of said expenses.

The owner of the data can exercise the right of access or consultation of their data in writing to BLUE PACIFIC ASSETS, sent by email to protecciondedatos@hotel-lm.com, indicating in the subject “Exercise of the right of access or consult”, or through postal mail sent to Centro, Calle de la Mantilla # 3-56, Cartagena, Bolívar. The request must contain the following information:

  • Name and surname of the principal.
  • Photocopy of the Certificate of Citizenship of the Holder and, where appropriate, of the person who represents it, as well as of the document accrediting such representation.
  • Request in which the request for access or consultation is specified.
  • Address for notifications, date and signature of the applicant.
  • Documents accrediting the request made, when appropriate.

The Holder may choose one of the following ways to consult the database to receive the requested information:

  • On screen display.
  • In writing, with a copy or photocopy sent by certified mail or not.
  • Fax.
  • Email or other electronic means.
  • Another system suitable for the configuration of the database or the nature of the treatment, offered by BLUE PACIFIC ASSETS.

Once the request is received, BLUE PACIFIC ASSETS will resolve the request for consultation within a maximum period of ten (10) business days from the date of receipt of the request. When it is not possible to attend the consultation within said term, the interested party will be informed, stating the reasons for the delay and indicating the date on which the consultation will be attended, which in no case may exceed five (5) business days following the expiration of the first term. These deadlines are set in Article 14 of the LEPD.

Once the consultation procedure has been exhausted, the Holder or successor may file a complaint with the Superintendence of Industry and Commerce.

8.2. Rights of complaints and claims

The owner of the data can exercise the rights of claim on their data in writing to BLUE PACIFIC ASSETS, sent by email to protecciondedatos@hotel-lm.com, indicating in the subject “Exercise of the right of access or consultation”, or through postal mail sent to Centro, Calle de la Mantilla # 3-56, Cartagena, Bolívar. The request must contain the following information:

  • Name and surname of the principal.
  • Photocopy of the Certificate of Citizenship of the Holder and, where appropriate, of the person who represents it, as well as of the document accrediting such representation.
  • Description of the facts and request that specifies the request for correction, deletion, revocation or violation.
  • Address for notifications, date and signature of the applicant.
  • Documents accrediting the petition made that they want to assert, when appropriate.

If the claim is incomplete, the interested party will be required within five (5) days after receipt of the claim to correct the faults. After two (2) months from the date of the request, without the applicant submitting the required information, it shall be understood that the claim has been abandoned.

Once the complete claim has been received, a legend that says “claim in process” and the reason for it will be included in the database, in a term not exceeding two (2) business days. This legend must be maintained until the claim is decided.

BLUE PACIFIC ASSETS will resolve the request for consultation within a maximum period of fifteen (15) business days from the date of receipt thereof. When it is not possible to attend the claim within said term, the interested party will be informed of the reasons for the delay and the date on which his claim will be handled, which in no case may exceed eight (8) business days following the expiration of the first term.

Once the claim process has been exhausted, the Holder or successor may file a complaint with the Superintendence of Industry and Commerce.

9. Security measures

BLUE PACIFIC ASSETS, in order to comply with the principle of security enshrined in Article 4 paragraph g) of the LEPD, has implemented technical, human and administrative measures necessary to ensure the security of records avoiding their adulteration, loss, consultation, unauthorized or fraudulent use or access.

In addition, BLUE PACIFIC ASSETS, through the signing of the corresponding transmission contracts, has required the treatment managers with whom it works to implement the necessary security measures to guarantee the security and confidentiality of the information in the treatment of personal data.

Below are the security measures implemented by BLUE PACIFIC ASSETS that are collected and developed in its Internal Security Manual (Tables I, II, III and IV).

TABLE I: Common security measures for all types of data (public, semi-private, private, sensitive) and databases (automated, not automated)

  • Document and support management
    1. Measures that prevent undue access or recovery of data that has been discarded, deleted or destroyed.
    2. Restricted access to the place where the data is stored.
    3. Authorization of the responsible for the exit of documents or media by physical or electronic means.
    4. Labeling system or identification of the type of information.
    5. Inventory of supports.
  • Access control
    1. Limited user access to the data necessary for the development of its functions.
    2. Updated list of authorized users and accesses.
    3. Mechanisms to prevent access to data with rights other than those authorized.
    4. Granting, alteration or cancellation of permits by authorized personnel.
  • Incidents
    1. Incident registration: type of incident, moment in which it occurred, issuer of the notification, recipient of the notification, effects and corrective measures.
    2. Incident notification and management procedure.
  • Personnel
    1. Definition of the functions and obligations of users with access to data.
    2. Definition of the control functions and authorizations delegated by the controller.
    3. Disclosure among the staff of the rules and the consequences of non-compliance with them.
  • Internal Security Manual
    1. Preparation and implementation of the Manual of mandatory compliance for the personnel.
    2. Minimum content: scope of application, security measures and procedures, functions and obligations of the staff, description of the databases, procedure before incidents, procedure of copies and recovery of data, security measures for transport, destruction and reuse of documents, identification of those in charge of the treatment.

TABLE II: Common security measures for all types of data (public, semi-private, private, sensitive) according to the type of databases

Non-automated databases

  • Archive
    1. File of documentation following procedures that guarantee a correct conservation, location and consultation and allow the exercise of the Rights of the Owners.
  • Document storage
    1. Storage devices with mechanisms that prevent access to unauthorized persons.
  • Custody of documents
    1. Duty of diligence and custody of the person in charge of documents during the review or processing of them.

Automated databases

  • Identification and authentication
    1. Personal identification of users to access the information systems and verification of their authorization.
    2. Identification and authentication mechanisms; Passwords: assignment, expiration and encrypted storage.
  • Access to data through secure networks
    1. Access to data through secure networks.

TABLE III: Security measures for private data according to the type of databases

Automated and non-automated databases

  • Audit
    1. Ordinary audit (internal or external) every two months.
    2. Extraordinary audit due to substantial modifications in the information systems.
    3. Report of detection of deficiencies and proposal of corrections.
    4. Analysis and conclusions of the safety officer and the person responsible for the treatment.
    5. Conservation of the Report.
  • Security manager
    1. Designation of one or more security officers.
    2. Designation of one or more persons in charge of the control and coordination of the measures of the Internal Security Manual.
    3. Prohibition of delegation of the responsibility of the data controller to the person responsible for security.
  • Internal Security Manual
    1. Periodic compliance checks.

Automated databases

  • Document and support management
    1. Registration of entry and exit of documents and media: date, issuer and receiver, number, type of information, shipping form, responsible for the receipt or delivery.
  • Access control
    1. Control of access to the place or places where the information systems are located.
  • Identification and authentication
    1. Mechanism that limits the number of repeated attempts of unauthorized access.
  • Incidents
    1. Record of data recovery procedures, person who executes them, restored data and manually recorded data.
    2. Authorization of the controller for the execution of recovery procedures.

TABLE IV: Security measures for sensitive data according to the type of databases

Non-automated databases

  • Access control
    1. Access only for authorized personnel.
    2. Access identification mechanism.
    3. Access registry of unauthorized users.
  • Document storage
    1. Filing cabinets, cupboards or others located in access areas protected with keys or other measures.
  • Copy or reproduction
    1. Only by authorized users.
    2. Destruction that prevents access or recovery of data.
  • Transfer of documentation
    1. Measures that prevent access or manipulation of documents.

Automated databases

  • Document and support management
    1. Confidential labeling system.
    2. Data encryption.
    3. Encryption of portable devices when they are outside.
  • Access control
    1. Access record: user, time, database accessed, type of access, register access.
    2. Control of the access record by the security officer. Monthly report.
    3. Data conservation: 2 years.
  • Telecommunications
    1. Transmission of data through encrypted electronic networks.

10. Data transfer to third countries

In accordance with Title VIII of the LEPD, the transfer of personal data to countries that do not provide adequate levels of data protection is prohibited. It is understood that a country offers an adequate level of data protection when it complies with the standards set by the Superintendency of Industry and Commerce on the subject, which in no case may be lower than those required by this law to its recipients. This prohibition will not apply when dealing with:

  • Information regarding which the Holder has granted his express and unequivocal authorization for the transfer.
  • Exchange of medical data, when required by the Holder’s treatment for health reasons or public hygiene.
  • Bank or stock transfers, according to the legislation that is applicable to them.
  • Transfers agreed upon in the framework of international treaties in which the Republic of Colombia is a party, based on the principle of reciprocity.
  • Transfers necessary for the execution of a contract between the Holder and the controller, or for the execution of pre-contractual measures, provided that the Holder has authorization.
  • Transfers legally required for the safeguarding of the public interest, or for the recognition, exercise or defense of a right in a judicial process.

In cases not contemplated as an exception, the Superintendence of Industry and Commerce shall issue the declaration of conformity regarding the international transfer of personal data. The Superintendent is authorized to request information and carry out the proceedings aimed at establishing compliance with the prerequisites required for the viability of the operation.

The international transmissions of personal data that are made between a responsible party and a manager, to allow the manager to perform the treatment on behalf of the responsible party, will not need to be reported to the Owner or have their consent, provided that there is a contract of transmission of personal data.

11. Validity

The databases under BLUE PACIFIC ASSETS will be processed for as long as is reasonable and necessary for the purpose for which the data is collected. Once the purpose or purposes of the treatment have been fulfilled, and without prejudice to legal regulations that stipulate otherwise, BLUE PACIFIC ASSETS will proceed to the suppression of the personal data in its possession unless there is a legal or contractual obligation that requires its conservation. For all these reasons, said database has been created without a defined period of validity.

This treatment policy remains effective as of 2017-04-11.