Privacy Policy

Chapter: General Provisions

Article 1. Purpose. This manual is intended to comply with the provisions set forth in item K) of Article 17 of Law 1581 of 2012, which regulates the duties of those responsible for personal data processing. These duties include the adoption of an internal manual of policies and procedures to ensure proper compliance with the law, particularly regarding the handling of inquiries and complaints.

Additionally, this manual aims to regulate the procedures for the collection, handling, and processing of personal data carried out by HOTEL BARLOVENTO S.A., in order to guarantee and protect the fundamental right to habeas data in accordance with the same law.

Article 2. Applicable Legislation. This manual has been developed considering the provisions contained in Law 1581 of 2012 "By which general provisions for the protection of personal data are issued" and Decree 1377 of 2013 "By which Law 1581 of 2012 is regulated."

Article 3. Scope of Application. This manual applies to the processing of personal data collected and handled by HOTEL BARLOVENTO S.A.

Article 4. Databases. The policies and procedures contained in this manual apply to the databases managed by the company, which will be registered in accordance with the provisions of the Law and the Decree "which regulates Article 25 of Law 1581 of 2012." The validity period of the database will be counted from the date of authorization until (indefinite).

Article 5. Definitions. For the purposes of applying the rules contained in this manual and in accordance with Article 3 of Law 1581 of 2012, the following terms are defined as:

  • Privacy Notice: A document, whether physical, electronic, or in any other format, generated by the data controller and made available to the data subject regarding the processing of their personal data. The Privacy Notice informs the data subject about the existence of applicable data processing policies, how to access them, and the characteristics of the intended data processing.

  • Database: An organized set of personal data subject to processing.

  • Personal Data: Any information linked or that can be associated with a specific or determinable natural person.

  • Private Data: Data that, by its nature, is intimate or reserved and is only relevant to the data subject.

  • Sensitive Data: Data that affects the privacy of the data subject or whose misuse may lead to discrimination. This includes data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in trade unions, social organizations, human rights groups, or political parties, as well as data related to health, sexual life, and biometric data.

  • Public Data: Data that is not semi-private, private, or sensitive. Public data includes information such as civil status, profession, or occupation, and whether the individual is a merchant or public servant. Public data can typically be found in public records, official gazettes, and court rulings that are not subject to confidentiality.

  • Data Processor: A natural or legal person, whether public or private, that processes personal data on behalf of the data controller.

  • Data Controller: A natural or legal person, whether public or private, who determines the purposes and means of processing personal data, either alone or in association with others.

  • Data Subject: A natural person whose personal data is being processed.

  • Processing: Any operation or set of operations carried out on personal data, such as collection, storage, use, circulation, or deletion.

  • Transfer: The transfer of data occurs when the Data Controller and/or Data Processor, located in Colombia, sends personal data to a recipient, who is also responsible for processing the data, whether within or outside the country.

  • Transmission: Processing of personal data involving communication within or outside the territory of Colombia when the purpose is to legalize the processing by the processor on behalf of the Data Controller.

Article 6. Principles. The principles outlined below constitute the general guidelines that will be respected by HOTEL BARLOVENTO S.A. in the processes of collecting, using, and processing personal data.


Chapter II: Authorization

Article 7. Collection of Personal Data and Authorization.
In line with the principles of purpose and freedom, the collection of data should be limited to those personal data that are relevant and adequate for the purpose for which they are collected or required according to current regulations. Unless expressly provided by law, personal data may not be collected without the authorization of the data subject.

Upon request by the Superintendence of Industry and Commerce, the data controllers must provide a description of the procedures used for the collection, storage, use, circulation, and deletion of information, as well as an explanation of the purposes for which the information is collected and the justification for the need to collect the data in each case.

Deceptive or fraudulent means may not be used to collect or process personal data.

Authorization may be documented in physical, electronic, or any other format that ensures subsequent consultation, or through a suitable technical or technological mechanism that allows for an unequivocal conclusion that, had the data subject not been consulted, the data would never have been captured and stored in the database. The authorization will be issued by HOTEL BARLOVENTO S.A. and made available to the data subject prior to the processing of their personal data, in accordance with the provisions of Law 1581 of 2012.

The consent-based authorization procedure guarantees that the data subject is informed both that their personal information will be collected and used for specific, clearly stated purposes, and that they have the option to review any modifications and the specific uses given to their data. The goal is to enable the data subject to make informed decisions regarding their personal data and to control the use of their personal information. The authorization is a declaration that informs the data subject about:

  • Who is collecting the data.
  • What data is being collected.
  • The purpose of collecting the data.
  • How to exercise their rights to access, correct, update, or delete the personal data provided.
  • Whether sensitive data is being collected.

Article 8. Proof of Authorization.
HOTEL BARLOVENTO S.A. will adopt the necessary measures to maintain records or use suitable technical or technological mechanisms to document when and how authorization was obtained from data subjects for the processing of their personal data.

Article 9. Privacy Notice.
The Privacy Notice is a physical, electronic, or any other format document that is made available to the data subject for the processing of their personal data. This document informs the data subject about the existence of the applicable data processing policies, how to access them, and the characteristics of the intended processing of their personal data.

Article 10. Content of the Privacy Notice.
The Privacy Notice must, at a minimum, contain the following information:

  • The identity, address, and contact details of the data controller.
  • The type of processing to which the data will be subjected and its purpose.
  • The general mechanisms provided by the data controller for the data subject to know the data processing policies and any substantial changes to them. In all cases, it must inform the data subject how to access or consult the data processing policy.

Article 11. Privacy Notice and Data Processing Policies.
HOTEL BARLOVENTO S.A. will retain the model of the privacy notice that was transmitted to the data subjects as long as the personal data processing takes place and while the obligations arising from it persist. For the storage of the model, HOTEL BARLOVENTO S.A. may use computer, electronic, or any other technology.


Chapter III: Rights and Duties

Article 12. Rights of the Data Subjects.
Data subjects have the following rights:

  1. To know, update, and rectify their personal data held by HOTEL BARLOVENTO S.A. as the data controller.
  2. To request proof of the authorization granted to HOTEL BARLOVENTO S.A. as the data controller.
  3. To be informed by HOTEL BARLOVENTO S.A., upon request, about how their personal data has been used.
  4. To file complaints with the Superintendence of Industry and Commerce for violations of the provisions of Law 1581 of 2012, once the consultation or complaint process with the data controller has been exhausted.
  5. To revoke the authorization and/or request the deletion of data when the processing does not respect the principles, rights, and constitutional and legal guarantees.
  6. To access their personal data that has been processed, free of charge.

Article 13. Duties of HOTEL BARLOVENTO S.A. Regarding the Processing of Personal Data.
HOTEL BARLOVENTO S.A. acknowledges that personal data belongs to the individuals to whom it refers, and only they can decide on its use. Accordingly, HOTEL BARLOVENTO S.A. will only process personal data for the purposes for which it is duly authorized, in full compliance with Law 1581 of 2012 on personal data protection.

In accordance with Article 17 of Law 1581 of 2012, HOTEL BARLOVENTO S.A. is committed to permanently fulfilling the following duties in relation to the processing of personal data:

  1. To ensure that data subjects can fully and effectively exercise their right to habeas data at all times.
  2. To store information under conditions that guarantee its security and prevent its alteration, loss, unauthorized access, or fraudulent use.
  3. To update, rectify, or delete data in a timely manner, as stipulated in Articles 14 and 15 of Law 1581 of 2012.
  4. To process requests for consultations and complaints made by data subjects as outlined in Article 14 of Law 1581 of 2012.
  5. To include the legend "information under judicial dispute" in the database once notified by the competent authority about legal proceedings related to the quality or details of personal data.
  6. To refrain from circulating data that is being disputed by the data subject and has been ordered to be blocked by the Superintendence of Industry and Commerce.
  7. To restrict access to the data only to those who are authorized.
  8. To inform the Superintendence of Industry and Commerce of any breaches in security codes and risks in managing the personal data of data subjects.
  9. To comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

Chapter IV: Procedures for Access, Consultation, and Complaints

Article 14. Right of Access.
The data subject has the right to access and know if their personal data is being processed, as well as the scope, conditions, and generalities of such processing. HOTEL BARLOVENTO S.A. must guarantee the data subject's right to access in three ways:

  1. The data subject should be able to confirm the existence of processing of their personal data.
  2. The data subject should be able to access their personal data held by the data controller.
  3. The data subject should be informed of the essential details of the processing, which includes knowing the types of personal data processed and the purposes justifying the processing.

Paragraph: HOTEL BARLOVENTO S.A. will guarantee the right of access when, after verifying the identity of the data subject or their representative, the data is made available to them free of charge through electronic means that allow direct access to the data. This access should be provided without time limitation and should allow the data subject to view and update their data online.

Article 15. Consultations.
In accordance with Article 14 of Law 1581 of 2012, data subjects or their heirs may consult their personal information stored in any database. Accordingly, HOTEL BARLOVENTO S.A. will guarantee the right of consultation, providing data subjects with all the information contained in the individual record or associated with their identification.

To facilitate personal data consultation, HOTEL BARLOVENTO S.A. will:

  • Enable electronic communication channels or other appropriate means.
  • Establish forms, systems, and simplified methods, which must be outlined in the privacy notice.
  • Utilize customer service or complaint management systems in operation.

In all cases, regardless of the mechanism used for consultation, requests will be responded to within a maximum of ten (10) business days from the date of receipt. If it is not possible to attend to the consultation within this period, the data subject will be informed before the end of the ten-day term, explaining the reason for the delay and specifying the new response date, which may not exceed five (5) business days after the expiration of the original term.

Article 16. Complaints.
In accordance with Article 15 of Law 1581 of 2012, data subjects or their heirs who consider that the information in a database should be corrected, updated, or deleted, or who believe there has been a violation of any duty under Law 1581 of 2012, may file a complaint with the data controller, which will be processed under the following rules:

  • The complaint may be submitted by the data subject using the formats provided by the data controller. If the complaint is incomplete (e.g., missing identification of the data subject, description of the complaint, address, or supporting documents), the data controller will request the necessary information within five (5) days of receipt. If the requested information is not provided within two (2) months, the complaint will be considered withdrawn.
  • If the complaint is directed to the wrong entity, HOTEL BARLOVENTO S.A. will forward it, to the extent possible, to the correct party within two (2) business days and inform the data subject of the situation.
  • Once a complete complaint is received, the data controller will add a note to the database stating "complaint in process" along with the reason for the complaint within a maximum of two (2) business days. This note must remain until the complaint is resolved.
  • The maximum term to address a complaint is fifteen (15) business days from the date of receipt. If the complaint cannot be resolved within this term, the data subject will be informed before the expiration of the term, explaining the reason for the delay and the new date of response, which cannot exceed eight (8) business days after the expiration of the original term.

Article 17. Implementation of Procedures to Guarantee the Right to Submit Complaints.
At any time and free of charge, the data subject or their representative may request HOTEL BARLOVENTO S.A. to rectify, update, or delete their personal data, provided that their identity is verified.

Rectification, update, or deletion rights may only be exercised by:

  1. The data subject or their heirs, upon proof of identity or through electronic means that allow for identification.
  2. Their representative, upon proof of representation.

When the request is made by someone other than the data subject and they do not prove they are acting on behalf of the data subject, the request will not be considered.

The request for rectification, update, or deletion must be made through the means provided by HOTEL BARLOVENTO S.A. as outlined in the privacy notice, and should include at least the following information:

  1. The name and address of the data subject or any other means of communication for the response.
  2. Documents verifying the identity or representation of the data subject.
  3. A clear and precise description of the personal data the data subject seeks to rectify, update, or delete.
  4. Any additional elements or documents that may assist in locating the personal data.

Paragraph 1. Rectification and Update of Data.
HOTEL BARLOVENTO S.A. is obligated to rectify and update, upon request from the data subject, any information that is incomplete or inaccurate, in accordance with the procedure and timelines set out. The following should be considered:

  • When requesting rectification or updating, the data subject must indicate what corrections need to be made and provide supporting documentation for the request.
  • HOTEL BARLOVENTO S.A. may implement mechanisms that facilitate the exercise of this right, such as electronic means or other methods.

Paragraph 2. Data Deletion.
The data subject has the right to request the deletion of their personal data at any time, if:

  1. They believe the data is not being processed according to the principles, duties, and obligations set out in Law 1581 of 2012.
  2. The data is no longer necessary or relevant for the purpose for which it was collected.
  3. The period for which the data was necessary for processing has expired.

However, the right to deletion is not absolute. It can be denied if:

  • The data subject has a legal or contractual obligation to remain in the database.
  • The deletion of data interferes with judicial or administrative proceedings, tax obligations, criminal investigations, or updates of administrative sanctions.
  • The data is necessary to protect the legal interests of the data subject, to perform a public interest action, or to comply with a legal obligation of the data subject.

If data deletion is appropriate, HOTEL BARLOVENTO S.A. must ensure that the data is deleted in such a way that it cannot be recovered.

Article 18. Revocation of Authorization.

The data subjects may revoke their consent for the processing of their personal data at any time, as long as this is not prevented by any legal or contractual provision. To facilitate this, HOTEL BARLOVENTO S.A. must establish simple and free mechanisms that allow the data subject to revoke their consent, at least through the same means by which it was initially granted.

There are two types of revocation:

  1. Complete Revocation: The data subject may revoke consent for all the purposes initially agreed upon. In this case, HOTEL BARLOVENTO S.A. must stop processing the data entirely.

  2. Partial Revocation: The data subject may revoke consent for specific types of processing, such as for advertising purposes or market studies. In this case, other processing purposes that were originally consented to by the data subject remain valid.

Because of this distinction, it is necessary for the data subject, when submitting a revocation request, to indicate whether the revocation is total or partial. In cases of partial revocation, the data subject must specify which particular type(s) of processing they no longer agree with.

There will be cases where consent cannot be revoked due to its essential role in the relationship between the data subject and the data controller, particularly when required for contract fulfillment or by legal provisions. In such cases, the data subject may not revoke consent for those specific purposes.

The mechanisms or procedures established by HOTEL BARLOVENTO S.A. to handle revocation requests must comply with the timelines set forth for handling complaints as stated in Article 15 of Law 1581 of 2012. This ensures that the data subject's revocation request is processed within the same time limits set for addressing data subject complaints.


CHAPTER V: INFORMATION SECURITY

ARTICLE 19. SECURITY MEASURES
In accordance with the security principle established in Law 1581 of 2012, HOTEL BARLOVENTO S.A. will adopt the necessary technical, human, and administrative measures to ensure the security of the records, preventing their alteration, loss, consultation, unauthorized or fraudulent use, or access.

ARTICLE 20. IMPLEMENTATION OF SECURITY MEASURES
HOTEL BARLOVENTO S.A. will maintain mandatory security protocols for personnel with access to personal data and information systems.

The procedure must address, at a minimum, the following aspects:

  1. Scope of the procedure: A detailed specification of the protected resources.
  2. Measures, rules, procedures, and standards: These must guarantee the level of security required by Law 1581 of 2012.
  3. Roles and responsibilities of personnel: Clear definition of duties.
  4. Structure of personal data databases and system descriptions: An overview of the systems that process personal data.
  5. Notification, management, and response procedure for incidents: Methods to manage and respond to security incidents.
  6. Backup and data recovery procedures: Strategies to ensure data availability.
  7. Periodic controls: Regular checks to verify compliance with the security procedure.
  8. Measures for the transport, disposal, or reuse of data-bearing media or documents: Procedures for handling data-bearing media.

The procedure must be kept up-to-date at all times and reviewed whenever significant changes occur in the information system or the organization. The content of the procedure must always comply with current data protection security regulations.


CHAPTER VI: FINAL PROVISIONS

ARTICLE 21. RESPONSIBLE FOR DATA PROTECTION
HOTEL BARLOVENTO S.A. designates the ACCOUNTING DEPARTMENT OF HOTEL BARLOVENTO or its equivalent, to fulfill the data protection function. This department will handle requests from data subjects regarding the exercise of their rights of access, consultation, rectification, update, deletion, and revocation as set forth in Law 1581 of 2012.

PARAGRAPH:
HOTEL BARLOVENTO S.A. designates the ACCOUNTING DEPARTMENT OF HOTEL BARLOVENTO as responsible for adopting and implementing the obligations set forth in Law 1581 of 2012.

ARTICLE 22. EFFECTIVE DATE
This manual is effective as of July 27, 2013.


ANNEX 1

RECTIFICATION AND UPDATE OF PERSONAL DATA

How to access, rectify, and update your personal data or request its deletion?

You have the right to access your personal data and the details of how it is processed, as well as to rectify or update it if it is inaccurate or to request its deletion when you believe it is excessive or unnecessary for the purposes for which it was collected, or to object to its processing for specific purposes.

To exercise this right, please keep in mind the following:

  • The department responsible for matters related to data protection is the one indicated in Article 22 of this manual, located at the address provided in the Privacy Notice.
  • Our service establishments or customer service centers are located at the physical and electronic addresses stated in our Privacy Notice.
  • For more information, please contact the phone numbers and physical and electronic addresses provided in our Privacy Notice and on our website.

ANNEX 2

AUTHORIZATION FOR THE PROCESSING OF PERSONAL DATA
COMPANY NAME: HOTEL BARLOVENTO S.A. – HOTEL BARLOVENTO
ADDRESS: Cra. 3 No. 6-23, Bocagrande neighborhood, Cartagena, Colombia

DESCRIPTION OF THE PURPOSE FOR WHICH THE COLLECTED DATA WILL BE USED:
The personal data we request is intended to facilitate smooth communication related to our services, including conducting studies and analyses on consumption habits, promoting services, processing bookings, notifying about offers and promotions; organizing events, fairs, conventions, seminars, meetings; conducting surveys for commercial, historical, and administrative purposes, and generally informing you about the development of all activities related to our service portfolio and corporate purpose.

We inform you that, in accordance with the provisions of Law 1581 of 2012, the personal data obtained from your request or provision of services or products will be collected in a database for the above-mentioned purpose and for a period starting from July 27, 2013, and continuing indefinitely. This database is maintained and managed under the responsibility of HOTEL BARLOVENTO S.A. The database has the necessary security measures for the proper conservation of the data for the duration of the company's existence.

By accepting this, you authorize the processing of your data for the mentioned purpose and acknowledge that the information provided in the request is true, with no omission or alteration of any data. You are also informed that any falsehood or omission of data will result in the impossibility of providing the service properly.

We remind you of the possibility to access the data you have provided at any time, as well as to request its correction, update, or deletion, under the terms established by Law 1581 of 2012. You can send a written request to the data controller at the address above, including the following information: name, address for notification purposes, request specifying your request, date, and signature of the interested person. For your convenience, you can also exercise these rights via email at gerencia@hotelbarlovento.com.

I consent and authorize that my personal data be processed in accordance with the provisions of this authorization.


PRIVACY NOTICE

AUTHORIZATION FOR THE PROCESSING OF PERSONAL DATA

HOTEL BARLOVENTO S.A., a commercial company, owner of the business establishment "HOTEL BARLOVENTO," hereby issues this notice to its clients, suppliers, employees, temporary staff, survey participants, contractors, and other data subjects whose personal data is recorded in our database, requesting your authorization to continue processing the personal data collected in relation to our commercial and/or contractual services. The data will be used to conduct studies and analyses on consumption habits, promote services, process reservations, provide information on offers and promotions, organize events, fairs, conventions, seminars, and meetings, as well as to conduct surveys for commercial, historical, and administrative purposes, and generally to inform you about the development of all activities related to our service portfolio and corporate purpose.

The data within the company’s databases are protected by our information handling policies, which can be consulted at our facilities, located at Bocagrande neighborhood, Cra. 3 No. 6-23, Cartagena. Additionally, information on how to exercise your rights as the data subject of the data stored in our databases can also be consulted at the aforementioned address.

To exercise your rights in accordance with Law 1581 of 2012 and Decree 1377 of 2013, you can contact us by calling the phone number +57 605 6511276, sending an email to gerencia@hotelbarlovento.com, or visiting us personally at the address mentioned.