


Privacy Policy & Habeas Data


Chapter I. Of the parties involved and the object of the processing of the information or personal data

Responsible or in charge of the processing of information or personal data

Controls Empresariales S.A.S., a legal entity constituted in conformity with the Colombian mercantile laws, with principal domicile in the city of Bogotá, at the physical address Carrera 16a N° 75 – 50 Bogotá Colombia Tel: 057-546 2727, and electronic address, hereinafter Controls.

Clients, suppliers, subcontractors and collaborators or employees of business controls S.A.S. who have supplied the information or personal data by virtue of the service provided by it, hereinafter user.


The purpose of this document is to comply with the provisions of article 17 (k) of law 1581 of 2012, which consists in the elaboration and adoption of an internal handbook of policies and procedures to ensure adequate compliance with law 1581 of 2012, which regulates the obtaining, recording, handling and processing of personal data that Controls carries out in the ordinary exercise of its social object, in order to guarantee and protect the fundamental right of habeas data of its users.


Chapter II. Definitions and principles


In accordance with the provisions of article 3 of law 1581 of 2012, the following terms are defined and understood:

Authorization: Prior, express and informed consent of the user to carry out the processing of personal data;

Privacy Notice: Physical, electronic document or any other format generated by controls that is made available to the user for the processing of his personal data. The privacy notice communicates to the user the information regarding the existence of the information processing policies that will be applicable to them, how to access them and the characteristics of the treatment that is intended to be given to the personal data.

Database: Organized set of personal data to be treated.

Personal data: Any related information or that may be associated with one or more specific or determined natural persons.

Private data: Data that, by its intimate or reserved nature, is only relevant to the user.

Sensitive data: Sensitive data means those that affect the privacy of the user or whose misuse may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership of trade unions, social organizations, human rights organizations or organizations that promote the interests of any political party or guarantee the rights and guarantees of opposition political parties, as well as data relating to health, sexual life and biometric data.

Treatment Manager: Natural or legal person, public or private, who by itself or in association with others, carries out the treatment of personal data on behalf of the responsible of the treatment.

Responsible for the treatment: Natural or legal person, public or private, that by itself or in association with others, decide on the data base and/or the treatment of the data.

User: A natural person whose personal data is the subject of treatment.

Treatment: Any operation or set of operations on personal data, such as collection, storage, use, circulation or suppression thereof.



The principles set out below constitute the general parameters which Controls applies and safeguards in the exercise of the processes of capture, registration, handling, use and processing of personal data.

Principle of legality in the matter of data processing: The treatment referred to in law 1581 of 2012, is a regulated activity that must be subject to what is established in it and the other provisions that develop it.

Principle of Purpose: The treatment must be due to a legitimate purpose in accordance with the Constitution and the law, which must be informed to the user.

Principle of freedom: The treatment can only be exercised with the prior, express and informed consent of the user. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that waives the consent.

Principle of veracity or quality: The information subject to treatment must be truthful, complete, accurate, up-to-date, verifiable and comprehensible. The treatment of partial, incomplete, fractionated or error-inducing data is prohibited.

Principle of transparency: In the treatment, the right of the user to obtain from the responsible for the treatment or the person in charge of the treatment, at any time and without restrictions, information about the existence of data that concerns him must be guaranteed.

Principle of access and restricted circulation: The treatment is subject to the limits derived from the nature of the personal data, the provisions of law 1581 of 2012 and the Constitution. In this sense, the treatment can only be done by persons authorized by the user and/or by the persons provided for in law 1581 of 2012.

Personal data, except for public information, may not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to authorized users pursuant to law 1581 of 2012.

Safety principle: The information subject to treatment by the person responsible for the treatment or in charge of the treatment referred to in law 1581 of 2012 must be handled with the technical, human and administrative measures necessary to give security to the records, avoiding tampering, loss, consultation, use or unauthorized or fraudulent access.

Principle of confidentiality: All persons involved in the processing of personal data which do not have the nature of the public are obliged to guarantee the reservation of the information, even after the end of their relationship with any of the tasks covered by the treatment, being able to only supply or communicate personal data when this corresponds to the development of the activities authorized in law 1581 of 2012 and in the terms of the same.


Chapter III. Purpose and processing of the data.


Those who access the services of Controls must voluntarily provide their particular physical or personal identification data, such as: name, surname, identification, age, gender, telephone, physical and electronic address, country, city and other information required to be requested in the registration process as a collaborator, supplier or client of Controls.
The personal data provided by the user to Controls are captured in order to:
• adequately provide the services and/or products contracted with controls
• Manage Paperwork (PQR)
• Inform about the status of the services and/or products.
• Perform risk analysis and background checks.
• Carry out satisfaction surveys with regard to the products and/or services of controls
• To inform about our products, services, offers, promotions, alliances, market studies, competitions, contents and others.
• Store technical information for the profiling of each user of the services and/or products contracted with controls.
• Share, transfer and transmit personal data to third parties in other countries for the purposes related to the operation.
• Consolidate the necessary data for the execution of the process of hiring of new applicants of required charges within the organization.
• Store and treat biometric and video surveillance data to safeguard the organization's physical facilities.
• Use videos or images captured in the events where the organization participates for commercial campaigns and support of activities before third parties.
• Collect the data required to carry out social welfare activities.
Data processing

Controls manifests to be responsible for the personal data of its users provided that this information has been supplied by them, as well as that of the database or storage medium where they are located the same and is of their property or management.
Protecting the information provided

Controls protects users from unauthorized access, modification, disclosure or destruction of the information recorded in its existing databases. To that end the organization uses ISO/IEC 27000 as its handbook of good practices; this standard establishes the implementation of directives and technical controls whose main objective is the management of technological risk and the minimization of its harmful impact on the mission and vision of Controls, and thus to provide peace of mind throughout the relationship between Controls and its users.
In order to comply with its data protection obligation, Controls strictly and rigorously follows the following data protection protocols:
• Control over information systems to maintain their quality and optimal performance.
• Encryption of services using security protocols, and restriction of access to information according to the type of user.
• Confidentiality agreements with all our personnel, subcontractors or suppliers. In the case of the collaborators or employees of Controls, the infringement of these agreements constitutes serious misconduct and grounds for dismissal with just cause; in the case of the suppliers or subcontractors, it implies the anticipated termination of contracts or agreements, without prejudice to the indemnity actions provided for in law 1581 of 2012 and international standards.
• Implementation and improvement of controls in the physical installations, to protect the data that is held in physical form, in order to mitigate the harmful effect that could arise from the materialization of any risk faced by the sensitive data managed by Controls.
The disclosure of personal information from users to third parties is expressly restricted without their express consent.
There may be circumstances in which it is possible to disclose personal information about a user. The reasons for this are: the use of other companies to perform functions on our behalf, such as fulfillment of orders, providing customer service, email and correspondence, processing credit card payments, currency conversion processing, hiring of servers located in or out of the country (Colombia), or other functions necessary for our business. Personal information may also be disclosed when required by a public or administrative entity exercising its legal functions or by court order; in this case Controls will notify users eight (8) business days prior to delivery to the competent authority. The duty Controls assumes when informing the other party of any requirement is the notification, but it does not give the power to disclose personal information.
In the event that Controls is not notified of the revocation of the authorisation, it shall take for granted the approval for the disclosure of personal information at the time required by a public or administrative entity exercising its legal functions or by court order.
In the case of a sale of the majority of the company's assets, the information of the clients and/or users can be transferred to the buyer as part of the establishment of commerce.
Receiving user information and use

The private information of the users is destined to the provision of the service to develop the social object of controls.
Controls can automatically record the user's information in logs of our server from your browser, including your IP address, your Web browser version, reference addresses among others.
We can also record the visits that the user makes to any of the websites or applications that they enter that are owned by controls.
The obligations included in these practices on the care or management that Controls must give to the personal information of its users do not apply when the information is required by a public or administrative entity in exercise of its legal functions or by warrant.
Use of electronic tracing

Controls can use electronic tracing methods (cookies) to customize and make easier the user's browsing of its website. These methods are only associated with an anonymous user and his/her computer and do not provide references that allow personal data of the user to be deduced; however, the user can configure his/her browser to notify and reject the installation of cookies sent by Controls, without impairing the user's ability to access the contents.

Management of electronic links or hyperlinks:

In the event that the website contains links or hyperlinks to other Internet sites, Controls will not exert any control over such sites and contents. In no case shall Controls assume any responsibility for the contents of any link belonging to an external website, nor will it guarantee the technical availability, quality, reliability, accuracy, breadth, veracity, validity and constitutionality of any material or information contained in any of these hyperlinks or other Internet sites. Likewise, the inclusion of these external connections will not imply any type of association, merger or participation with the connected entities.


Chapter IV. Rights of the Users


The rights of the users are:

        To know, update and rectify your personal data before Controls. This right may be exercised, inter alia, against data that are partial, inaccurate, incomplete, fractionated or error-inducing, or those whose treatment is expressly prohibited or not authorized.

        Request proof of the authorization granted to Controls, except where it is expressly exempted as a requirement for treatment, in accordance with the provisions of article 10 of law 1581 of 2012.

        Be informed by controls, on request, regarding the use you have given or give to your personal data.

        Submit to the Superintendency of industry and commerce complaints for infringements of the provisions of law 1581 of 2012 and the other rules amending, adding or supplementing it.

        Revoke the authorization and/or request the deletion of the data when in the treatment the principles, rights and constitutional and legal guarantees are not respected. The revocation and/or suppression will proceed when the Superintendency of industry and commerce has determined that controls have incurred in conduct contrary to law 1581 of 2012 and the Constitution.

        Free access to your personal data that has been the subject of treatment.


Chapter V. Duties of controls

Controls undertakes to fulfil the following duties, without prejudice to the other provisions laid down in law 1581 of 2012 and in others that govern its activity:

        Guarantee to the users, at all times, the full and effective exercise of the right of habeas data.

        Keep the information under the necessary security conditions to prevent tampering, loss, consultation, use or unauthorized or fraudulent access.

        Perform timely updating, rectification or deletion of the data under the terms of law 1581 of 2012.

        Update the information reported within ten (10) business days counted from its receipt.

        To process the queries and the claims made by the users in the terms indicated in the law 1581 of 2012.

        Adopt an internal policy and procedures manual to ensure adequate compliance with law 1581 of 2012 and, in particular, for the attention of queries and complaints by users.

        Register in the database the legend "claim pending" in the way it is regulated in law 1581 of 2012.

        Insert in the database the legend "information in judicial discussion" once notified by the competent authority on judicial processes related to the quality of personal data.

        Refrain from circulating information that is being disputed by the users and whose blockade has been ordered by the Superintendency of industry and commerce.

        Allow access to information only to people who can access it.

        Inform the Superintendency of industry and commerce when there are violations of security codes and there are risks in the administration of the information of the users.

        Comply with the instructions and requirements of the Superintendency of industry and commerce.


Chapter VI. Attention Channel

Business controls appoints the Information Security Coordinator, in addition to its other functions, to fulfil the function of protection of personal data and to process the requests of the users for the exercise of the rights of access, consultation, rectification, update, deletion and revocation referred to in law 1581 of 2012.

If any requests, requests, complaints, claims or queries regarding the exercise of your rights of user or client are presented, you can contact the e-mail, in the link of contact us of the Web page or to the following Physical Address: Carrera 16 N ° 75 – 50 Bogotá Colombia Tel: 057-546 2727, in office hours from 8.00 am to 5.00 pm.


Chapter VII. Attention of requests, queries and claims of the users

The user has the right to access his personal data and the details of their treatment, as well as to rectify or update them if they are inaccurate. He will also be able to request their deletion when he considers that they prove to be excessive or unnecessary for the purposes that justified their obtaining, or to oppose their treatment for a specific purpose. The user will be able to access for free his personal data that have been the subject of treatment by Controls.


In accordance with the provisions of article 14 of law 1581 of 2012, users will be able to consult the personal information that they have in any database. Accordingly, Controls shall ensure the right of consultation, supplying to users all information contained in the individual registry or linked to the user's identification.
For the attention of requests for consultation of personal data, Controls guarantees:
• Habilitation of electronic means of communication or others that it considers pertinent to attend the consultations.
• Implementation of forms, systems and other simplified methods to address queries, which should be reported in the privacy notice.
• Use the customer service or claims you have in operation.
In any case, regardless of the mechanism implemented for the handling of requests for consultation, they will be served in a maximum term of ten (10) business days counted from the date of receipt. Where it is not possible to attend the consultation within that term, the person concerned shall be informed before the expiration of the ten (10) days, expressing the reasons for the delay and stating the date on which his query will be attended, which in no case may exceed five (5) business days following the expiration of the first term.


In accordance with the provisions of article 14 of law 1581 of 2012, users who consider that the information contained in a database must be subject to correction, updating or deletion, or when they warn of the alleged breach of any of the duties contained in law 1581 of 2012, may file a complaint with the person responsible for the treatment, which will be processed under the following rules:
• The complaint may be presented by the user in the formats that Controls provides for that purpose on its website. If the claim received does not have complete information to allow it to be processed, that is, the identification of the user, the description of the facts that give rise to the claim, the address, and the accompanying documents that the user wants to enforce, the interested party will be required within five (5) days of receipt to remedy the failures. After two (2) months from the date of the request without the applicant submitting the required information, it shall be understood that he has withdrawn the claim. If for any reason Controls receives a claim which should not in fact be directed against it, it shall transfer it to the person concerned in a maximum term of five (5) business days and inform the person or user of the situation.
• Once the full claim is received, a legend that says "claim pending" and the reason for it will be included in the database that Controls maintains, in a term of not more than two (2) business days. Such a legend must be maintained until the claim is decided.
• The maximum term to address the claim shall be fifteen (15) business days counted from the day following the date of receipt. Where it is not possible to address it within this term, the applicant shall be informed before the expiration of the term of the reasons for the delay and the date on which the claim will be dealt with, which in no case may exceed eight (8) business days following the expiration of the first term.
• At any time and for free the user or his representative may request from Controls the rectification, updating or deletion of his personal data, upon prior proof of his identity.

Rectification and updating of data

Controls has the obligation to rectify and update at the request of the users, the information of the latter that proves to be incomplete or inaccurate, in accordance with the procedure and the above mentioned terms. The following shall be taken into account:
• In the applications for rectification and updating of personal data the users must indicate the corrections to make and provide the documentation that supports their request.
• Controls is fully free to enable mechanisms to facilitate the exercise of this right, as long as they benefit the user. As a result, electronic media or others that it considers relevant may be enabled.
• Controls may establish forms, systems and other simplified methods, which must be informed in the privacy notice and made available to those interested on the website.
Deleting data

Users have the right at all times to request controls to delete (remove) their personal data when:
• Consider that they are not being treated in accordance with the principles, duties and obligations laid down in law 1581 of 2012.
• are no longer necessary or relevant to the purpose for which they were collected.
• The period necessary for the fulfillment of the purposes for which they were captured has been exceeded.
• This deletion implies the total or partial elimination of personal information as requested by users in records, files, databases or treatments performed by controls.
Controls may deny the exercise of the right of suppression when:
• Users have a legal or contractual duty to remain in the controls database.
• The elimination of data obstructs judicial or administrative actions linked to tax obligations, investigation and prosecution of offences or the updating of administrative penalties.
• The data are necessary to protect the legally protected interests of the user, to carry out an action according to the public interest, or to comply with an obligation legally acquired by the users.
• In case of cancellation of the personal data, controls must carry out the operation of the deletion in such a way that the elimination does not allow the retrieval of the information.
Repeal of consent Authorization

Users of personal data may revoke their consent to the processing of their personal data at any time, provided that a legal provision does not prevent it. To do this, the user must notify Controls of his decision in writing, and Controls will proceed in the following manner:
• If it is the total revocation of the authorization: it covers the totality of the consented purposes, that is, Controls must completely stop treating the data of the user and delete all its records; however, it must retain the authorization and the request for its revocation.
• If it is partial revocation of the authorization: it concerns a specific purpose, for example publicity or market studies, while the data are kept for other purposes; Controls must delete and not use the data of the user for the restricted purposes, in accordance with the authorisation granted.
Therefore, users must request in writing the revocation of the consent from Controls, indicating whether the revocation is total or partial and, in the latter case, which treatment the user does not agree to.
The mechanisms or procedures that Controls establishes to meet requests for revocation of consent may not exceed 15 business days counted from the day following their receipt or from the time the information is completed to proceed with the required procedure.


Chapter VIII. Validity, modification and versioning and prohibition of use

This policy document and procedure for the protection of personal data is based on the provisions contained in articles 15 and 20 of the Political Constitution and on law 1581 of 2012 "for which general provisions are issued for the protection of personal data". Therefore, this document applies to the processing of personal data that business controls S.A.S. registers and manages. Users accept and acknowledge that this authorization will be effective from the moment they accepted it, and during the time when Controls develops the activities of its social object.

Controls may unilaterally change its privacy and personal data use policy when required without the express consent of the user, but is obliged to retain the previous versions of this privacy and personal data use policy, if any, and to guarantee the rights of the users that emanate from the Constitution and the Colombian law.

Note of validity. This information and personal data Processing policy document – version 2, is in force and applies from eighteen (18) January of two thousand seventeen (2017).