
Policy and treatment of data


DATA PROCESSING POLICY BATX SAS


1. OBJECT


BATx S.A.S., a company based in Colombia (hereinafter referred to as "BATx" or "The Company"), acknowledges the importance of the security, privacy, and confidentiality of the Personal Data of our clients and potential clients, employees, candidates, shareholders, suppliers, and contractors (hereinafter referred to as "Data Subjects"), and issues this Personal Data Protection policy (hereinafter referred to as "Personal Data Protection Policy" or "the Policy").

The aim of this Data Protection Policy is to communicate and inform you how we handle your Personal Data, what types of data we collect, the principles that govern our data processing activities, your rights, and the purposes of our data processing activities.

This Data Protection Policy applies to all our activities.



2. REACH


This Personal Data Protection Policy applies to all Personal Data that we collect and process to provide our services and fulfil our obligations to you and the authorities.



3. DEFINITIONS


Authorisation: any specific, informed and unequivocal expression of free will by which the Data Subject accepts and authorises the processing of their Personal Data, whether through a written statement or a clear affirmative action.

Database: an organised set of Personal Data, whether automated or not, whether physical, magnetic, digital, optical, among others, regardless of the form of its creation, storage, organisation, and access.

Biometric Data: personal data obtained from a specific technical process, relating to the physical, physiological or behavioural characteristics of an individual that allow or confirm the unique identification of that person, such as facial images or fingerprint data.

Personal Data: all information about an identified or identifiable individual; an identifiable individual is considered to be any person whose identity can be determined, directly or indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an online identifier, or one or more elements specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

Sensitive Personal Data: data that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, membership in a trade union, information concerning health, or the sexual life or orientation of a natural person, genetic or biometric information for the purpose of uniquely identifying a natural person, and information related to criminal convictions.

Data Processor: the natural or legal person, whether private or public, public authority, service or other body that processes Personal Data on behalf of the Data Controller.

Security Incident: any breach of security that results in the destruction, loss, or accidental or unlawful alteration of Personal Data transmitted, stored, or otherwise processed, or the unauthorised communication or access to such data.

Data Controller: the natural or legal person of a private or public nature, authority, service or other body that, alone or together with others, determines the purposes and means of processing Personal Data.

Holder: Any natural person whose personal data is subject to data processing activities.

Data Processing: any operation or set of operations performed on Personal Data or sets of Personal Data, whether by automated means or not, such as collection, recording, organisation, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of enabling access, comparison or interconnection, restriction, erasure or destruction.



4. DESCRIPTION


We process your Personal Data based on the following principles and in accordance with all those principles defined by the applicable legislation:

a) Principle of legality in data processing: Processing is a regulated activity that must adhere to the principles established in the Law and in other provisions that develop it.

b) Principle of purpose: The Processing must comply with a legitimate purpose in accordance with the Constitution and the Law, which must be communicated to the Data Subject.

c) Principle of freedom: Processing may only be carried out with the prior, explicit, and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorisation, or in the absence of a legal or judicial mandate that relieves the consent.

d) Principle of truthfulness or quality: The information subject to Processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. Partial, incomplete, fragmented data or data that may lead to error will not be processed.

e) Principle of transparency: In the Processing, the right of the Data Subject to obtain from the Data Controller or the Data Processor, at any time and without restrictions, information about the existence of data concerning them must be guaranteed.

f) Principle of restricted access and circulation: The Processing is subject to the limits arising from the nature of personal data, the provisions of the law, and the Constitution. In this regard, the Processing may only be carried out by persons authorised by the Data Subject and/or by the persons provided for in the Law.

Personal data, except for public information, shall not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to the Data Subjects or authorised third parties in accordance with the Law.

g) Principle of security: The information subject to Processing by the Data Controller or Data Processor must be handled with the necessary technical, human, and administrative measures to ensure the security of the records, preventing their alteration, loss, consultation, use, or unauthorised or fraudulent access.

h) Principle of confidentiality: All individuals involved in the processing of personal data that is not of a public nature are obliged to ensure the confidentiality of the information, even after their relationship with any of the tasks involved in the processing has ended, being able to supply or communicate personal data only when it corresponds to the development of the activities authorised in this law and under its terms.

4.1. WHAT ARE THE RIGHTS OF THE HOLDERS?

  • Access the provided data free of charge
  • To know, update and rectify your information in the case of partial, inaccurate, incomplete, fragmented data, that may lead to error, or those whose processing is prohibited or has not been authorised.
  • Request proof of the granted authorisation.
  • Submit complaints to the Superintendency of Industry and Commerce (hereinafter referred to as 'SIC') for violations of the provisions of the current regulations.
  • Revoke the authorisation and request the deletion of the data, provided that there is no legal or contractual obligation preventing its deletion.
  • Refrain from granting authorisation for the processing of sensitive data or that of children and adolescents.
  • To be informed by the data controller or the data processor, upon request, regarding the use that has been made of your personal data.

4.2. WHAT TYPE OF DATA DO WE HANDLE?

We may collect Personal Data about you directly or automatically through your use of our website and/or from third-party sources (which we may combine with other information we have collected about you). These third-party sources may include, but are not limited to, service providers, marketing partners, advertising networks, data analytics providers, public and third-party databases, social media platforms, operating system and platform providers, government entities, commercial clients, payment processors, and healthcare service providers.

If you are one of our customers, potential customers, users of our website, suppliers, employees, candidates, or shareholders, we may collect and process the following Personal Data, if this is necessary and in compliance with the applicable regulations:

Data related to your personal information:

  • Name
  • Age
  • Occupation
  • Date and place of birth.
  • Type and Identification Number
  • Marital status, citizenship, country and city of residence.
  • Contact information.
  • The necessary data to develop the scope of the relationship

Data related to your employment references, performance, and benefits

  • Depending on your job application, we may process sensitive data, such as your criminal record or your health status.
  • We process Personal Data related to your profession, occupation, references, and background checks.
  • Portfolio of projects in which they have been involved.

4.3 SENSITIVE DATA

BATx will process Sensitive Data when:

  • It has explicit authorisation for its processing, for the purposes for which it was authorised, except in cases where Law 1581 of 2012 establishes that authorisation is not required.
  • The processing is necessary to safeguard the vital interests of the data subject, and they are physically or legally unable to give consent.
  • The processing refers to data necessary for the recognition, exercise, or defence of a right in judicial proceedings.
  • The processing has a historical, statistical or scientific purpose, adopting the necessary measures to suppress the identity of the Data Subject.
  • In no case will the authorisation for the processing of sensitive data be mandatory.
  • The authorisations and questions concerning sensitive data or data about children and adolescents will be optional.

BATx may process the following Sensitive Data:

  • Biometric data: image (videos or photographs).
  • Health Data: Information relating to the health status of the holder, for employment, security, and welfare purposes within BATx, or when necessary for the exercise or defence of a right in legal proceedings.
  • Data related to political, religious or philosophical beliefs: Only when it is strictly necessary for the development of a legal matter in which legal advice or representation is provided, and always with the express consent of the data subject.
  • Data on ethnic or racial origin: in cases where it is necessary for the defence of rights before judicial or administrative authorities, or for the provision of specialised legal services that require the inclusion of this information.
  • Data on sexual life or sexual orientation: Only when it is essential for the handling of specific legal cases, always respecting confidentiality and with the express consent of the individual concerned.

In any case, the processing of sensitive data will be carried out in accordance with the current regulations on personal data protection, ensuring the adoption of appropriate security measures to protect the privacy and integrity of the data.

The processing and the purpose to which the sensitive data will be subjected will be:

  • To ensure safety at the BATx facilities.
  • To represent the holder in a legal process.
  • This processing would be for the same purposes expressed subsequently, safeguarding the rights and interests of the holder.
  • For the fulfilment of legal obligations.
  • For the management of labour relations
  • For the Development of wellbeing and occupational health programmes

 

4.4 HOW DO WE USE YOUR DATA?

It will be understood that the personal data to be processed will depend on whether you are a customer, potential customer, employee, candidate, supplier, or contractor.

4.4.1 PURPOSES FOR ALL HOLDERS

  • For all tax, commercial, contractual, negotiation, corporate matters and any other type of obligation of
  • Issue the contractual certifications requested by contractors, suppliers, etc.
  • Take the necessary actions to develop the company's social purpose. Manage procedures: requests, complaints, claims.
  • Take the necessary actions to develop and fulfil the scope of the proposal or contract.
  • Contact the Holder by any means.
  • Provide information to third parties with whom BATx has a contractual relationship and that is necessary for the execution of the contractual relationship with the supplier, contractor, or client.
  • For the collection of invoices, securities, and, in general, outstanding balances.
  • To consult or manage any matters related to the social security system and tax and accounting issues.
  • To consult judicial, administrative and financial records and to carry out due diligence.
  • Consult the commercial, business, accounting, and financial activities of the Holder, provided that such information is not protected by confidentiality clauses or commercial or industrial secrets.
  • Transfer or transmit the information when necessary to fulfil any of the purposes set out in this policy.
  • Establish communication channels with all data subjects and send institutional and commercial information.
  • Carry out advertising activities related to the social purpose of BATx
  • Comply with all legal or contractual obligations related to the development of the activities specific to BATx
  • Store information in files when there is a legal obligation to retain the information after the execution of the activities or relationships that give rise to that data processing.
  • Adopt control and security measures regarding the processing.
  • Verify, consult and report information related to the credit behaviour of the holders, public or private entities, and anyone who manages or handles databases related to the fulfilment of financial, commercial, credit and service obligations.
  • Verify and consult information related to the holders in lists and databases of a private or public nature, related to judicial records, disqualifications, incompatibilities, LA/FT/PADM/C/ST.

4.4.2 PURPOSES FOR EMPLOYEES, CANDIDATES, CONTRACTORS AND FORMER EMPLOYEES

  • Execute selection processes, promotion, employee wellbeing, payroll, performance evaluations, competencies, induction, training, development, occupational health and safety, and all those related to the work environment.
  • Carry out tasks of investigation, analysis and reporting of incidents and situations presented within the facilities of BATx
  • To understand the family environment of each employee, ensuring and respecting the labour rights that may arise from the composition of that environment, with purposes solely aimed at promoting workplace well-being.
  • Access, consult and obtain medical records and their annexes for the recovery of incapacities and follow-up on recommendations, restrictions, and potential assessments of loss of work capacity.
  • Implement training and development programmes.
  • Control access to the BATx facilities.
  • Collect, store, consult, circulate, transmit, verify, use, reproduce, disclose, communicate, adapt, extract and defer the image of the information holders, in order to make institutional, marketing and advertising publications related to the social purpose of BATx, to be disseminated on the BATx website and social media.

 

4.4.3 PURPOSES FOR CLIENTS AND POTENTIAL CLIENTS

  • Monitor the compliance of obligations by clients.
  • Analyse the establishment and/or maintenance of contractual relationships.
  • Evaluate the risks arising from existing contractual relationships.

 

4.4.4 PURPOSES FOR SUPPLIERS AND POTENTIAL SUPPLIERS

  • Monitor compliance with obligations by the suppliers.
  • Evaluate the quality of the services and products received.
  • Analyse the establishment and/or maintenance of contractual relationships.
  • Evaluate the risks arising from existing contractual relationships.

 

4.4.5 PURPOSES FOR SHAREHOLDERS

  • Make any notes or transactions related to you as a shareholder.
  • Process claims and provide services for shareholders
  • To fulfil any of the obligations we have to our shareholders.
  • To inform you about any relevant situation regarding our products and services.
  • Detect, prevent and mitigate any activity that may be considered illegal or harmful
  • Advertising, marketing and profiling activities, as secondary activities, as described in the section on customers and passengers of the Policy.

 

4.5 DATA OF MINORS

BATx, as a general rule, will refrain from processing data belonging to minors, as dictated by Article 7 of Law 1581 of 2012. Exceptionally, BATx will need to carry out processing activities on personal data of minors, therefore, in cases where this occurs, BATx will subject the data processing to the following rules:

  • Respect for the best interests of children and adolescents, minors who are the data subjects.
  • Respect for the fundamental rights of children and adolescents, minors who are data subjects.
  • Obtain authorisation issued by the legal representative of the child, minor or adolescent, who is the holder of the data, when required, taking into account the provisions of Article 12 of Decree 1377 of 2013, which states “prior to the exercise of the minor's right to be heard, their opinion shall be valued considering their maturity, autonomy and ability to understand the matter.”




5. CONTACT CHANNELS AND PROCEDURE FOR EXERCISING YOUR LEGAL RIGHTS


If you have any requests or complaints regarding this Policy, you can contact:

  • Contact: Pablo Castellanos Ramelli

Compliance Officer

  • Email: pcastellanos@BATx.co

 

You, as the Data Subject or your legal representative, have the right to request information from BATx regarding how we process your Personal Data, the purpose of the processing, the transfers or transmissions and their recipients, the type of Personal Data we collect, among others.

You can also submit complaints or grievances regarding the processing of your Personal Data or related to your rights.

This right must not affect the rights and freedoms of other interested parties, and you can exercise your rights using the channels mentioned above.

All applications must contain the following information:

  • Full name and surname.
  • Contact details (physical address and email address or contact phone numbers).
  • Means to receive a response to your request.
  • Reason(s)/fact(s) that give rise to the claim with a brief description of the right you wish to exercise (to know, update, rectify, request proof of the granted authorisation, revoke, delete, access the information).
  • Company
  • Identification number.

 

5.1 INQUIRIES 

  • The holders, their representatives or their successors may consult the personal information of the holder, contained in the databases of BATx.
  • Consultation requests will be forwarded to the designated staff and will be received from Monday to Friday between 8:00 a.m. and 5:00 p.m. Requests received outside of these hours will be considered submitted on the next working day.
  • The query will be responded to within a maximum period of ten (10) working days from the date of receipt of the same.
  • When it is not possible to address the query within the specified timeframe, the interested party will be informed, stating the reasons for the delay and indicating the date on which the query will be addressed, which in no case shall exceed five (5) working days following the expiry of the initial term.

 

5.2 CLAIMS

  • The Data Subject, their representative, or their successors who believe that the information contained in a database should be corrected, updated, or deleted, or when they notice the alleged breach of any of the duties contained in this policy or in the law, may file a complaint with BATx.
  • Claims will be sent to the designated staff and will be received from Monday to Friday from 8:00 a.m. to 5:00 p.m. Requests received outside of these hours will be considered submitted on the next working day.
  • The inquiry will be addressed within a maximum period of ten (15) working days from the date of receipt of this.
  • When it is not possible to address the complaint within the specified period, the interested party will be informed, stating the reasons for the delay and indicating the date on which the query will be addressed, which in no case may exceed eight (8) working days following the expiry of the initial period.
  • If the claim is incomplete, the interested party will be required to rectify the deficiencies within five (5) working days following the receipt of the claim. If two (2) months pass from the date of the request without the applicant providing the required information, it will be understood that the claim has been withdrawn.
  • The request for the deletion of information or the revocation of authorisation will not proceed when the holder has a legal or contractual obligation to remain in the database, unless it concerns sensitive data.
  • If a prompt resolution has not been given within the period or extension indicated in numbers 8.2.3 and 8.2.4, it shall be understood, for all legal purposes, that the respective request has been accepted.

 

5.3 REVOKING

You can revoke the authorisation that, in your case, you have granted us for the processing of your Personal Data. However, it is important to bear in mind that we may not be able to comply with your request or cease use immediately in all cases, as it is possible that due to a legal obligation, we must continue processing your Personal Data in compliance with applicable legislation.

Likewise, you should consider that, for certain purposes, the revocation of your authorisation will imply the termination of your relationship with us.

In any case, the process for the revocation of authorisation will be carried out in accordance with the applicable law.




6. SUPPLY OF INFORMATION


The requested information may be provided by any means, including electronic ones, as required by the holder. The information will be easy to read, without technical barriers that hinder access, and must correspond to that which is held in the Database.

The information regarding personal data may be provided to the following individuals:

  • To the holder, to the duly authorised attorney, to their duly identified heirs or to their legal representatives;
  • To public or administrative entities in the exercise of their legal functions or by court order;
  • To third parties authorised by the holder or by law.

7. OBLIGATIONS OF BATX


BATx, in line with the provisions of Articles 17 and 18 of Law 1581 of 2012, and by virtue of its role as the "data controller", adopts the following commitments to the holders of personal information:

  • To guarantee the holder, at all times, the full and effective exercise of the right of habeas data.
  • Request the authorisation granted by the Holder.
  • Properly inform the Holder about the purpose of the collection and the rights that they have by virtue of the granted authorisation.
  • Preserve the information under the necessary security conditions to prevent its alteration, loss, consultation, use, or unauthorised or fraudulent access.
  • Ensure that the information provided to the data controller is truthful, complete, accurate, up-to-date, verifiable, and understandable.
  • Update the information, promptly communicating to the data controller all the updates regarding the data that you have previously provided, and take any other necessary measures to ensure that the information supplied to them remains up to date.
  • Rectify the information when it is incorrect and communicate the relevant details to the person in charge of the Processing.
  • Provide the Data Controller, as applicable, only with data whose processing has been previously authorised in accordance with the provisions of this law.
  • To require the data controller at all times to respect the security and privacy conditions of the data subject's information.
  • Process the inquiries and complaints made in the terms specified in this law.
  • To adopt an internal manual of policies and procedures to ensure proper compliance with this law and, in particular, for the handling of inquiries and complaints.
  • Inform the data controller when certain information is under dispute by the data subject, once the complaint has been submitted and the respective process has not been completed.
  • Inform the data subject upon request about the use made of their data.
  • Inform the data protection authority when violations of security codes occur and there are risks in the management of the information of the Data Subjects.
  • Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.


8. CHANGES TO THIS PERSONAL DATA PROTECTION POLICY


This Personal Data Protection Policy may be modified to comply with applicable laws or to align with our current business practices. We will publish any changes on our website and, in the event of substantial modifications to the policy, regarding aspects such as the identity of the data controller and/or the means and purposes of data processing required by applicable legislation, we will seek the authorisation of the data subject or will make efforts to notify them in advance of such changes by highlighting the modification on our website, in accordance with applicable legislation. We encourage you to revisit our website from time to time to check for updates.

9. TEMPORARY LIMITATIONS


BATx may only collect, store, use or disseminate personal data for as long as is reasonable and necessary, in accordance with the purposes that justified the processing, and in accordance with the consent granted. 

10. ENTRY INTO FORCE


This policy is effective from the date of its publication and will remain in force for as long as BATx carries out the activities described in this policy and these correspond to the processing purposes that inspired this policy.