Back to Home

Data Processing Agreement

legal

PERSONAL DATA PROTECTION POLICY - BACKOFFICE S.A.S.

The purpose of this policy is to comply with the provisions of Law 1581 of 2012, its implementing decree 1377 of 2013, and other relevant regulations governing citizens’ constitutional right to authorize the processing of their personal data, as well as to access, update, and correct information collected about them in the databases or files of public and private entities.

This applies to all personal data recorded in person or online, directly or through third parties, in the databases of Backoffice S.A.S. and the companies or entities that are part of its organization (the Company), with the exceptions established by law, for its processing (collection, storage, use, circulation, or deletion), so that the data subject may access any product, service, offer, promotion, benefit, and/or relationship supported by a legal relationship with the Company.

DEFINITIONS

  • PRIVACY NOTICE: A verbal or written communication issued by the Data Controller and addressed to the Data Subject regarding the processing of their personal data, informing them of the existence of the applicable data processing policies, how to access them, and the purposes for which the personal data will be processed.
  • DATABASE: An organized set of personal data that is subject to processing;
  • PERSONAL DATA: Any information linked to or that can be associated with one or more identified or identifiable natural persons.
  • PUBLIC DATA: Public data includes, among other things, data regarding a person’s marital status, profession or trade, and status as a merchant or public servant. By its nature, public data may be contained, among other sources, in public records, public documents, official gazettes and bulletins, and final court judgments that are not subject to confidentiality.
  • PUBLIC PERSONAL DATA: Any personal information that is freely and openly available to the general public.
  • PRIVATE PERSONAL DATA: Any personal information that is restricted in access and, in principle, private to the general public, for the purpose of identifying customers, prospects, suppliers, employees, partners, and other related individuals with any of our products and/or services, and/or with our organization, for the purpose of ensuring the safety of people and property, or for the security of processes and the information itself.
  • SENSITIVE DATA. This refers to data that affects the Data Subject’s privacy or whose misuse may lead to discrimination against the Data Subject, as defined by law. The Company does not process much sensitive data; however, in matters related to labor, social security, or human resources, it may have access to information regarding the health of the employee or their immediate family. It may also establish biometric identification systems, capture still or moving images, voice recordings, fingerprints, photographs, and other existing data.
  • DATA PROCESSOR: A natural or legal person, public or private, who, either alone or in association with others, processes personal data on behalf of the Data Controller.
  • THE COMPANY: Backoffice S.A.S. and the companies or entities that are part of its organization.
  • DATA PROTECTION OFFICER: The person responsible for overseeing and monitoring the implementation of the Personal Data Protection Policy.
  • DATA CONTROLLER: A natural or legal person, public or private, who, either alone or in association with others, determines the purposes and means of the processing of personal data (for the purposes of this policy, the Company shall, in principle, act as the Data Controller).
  • THE COMPANY: Backoffice S.A.S. and the companies or entities that are part of its organization.
  • DATA PROTECTION OFFICER: The person responsible for overseeing and ensuring compliance with the Personal Data Protection Policy.
  • DATA CONTROLLER: A natural or legal person, public or private, who, alone or in association with others, determines the purposes and means of the processing of personal data (for the purposes of this policy, the Company shall, in principle, act as the Data Controller).
  • DATA SUBJECT: A natural person whose personal data is subject to processing, whether a customer, supplier, employee, or any third party who, by virtue of a commercial or legal relationship, provides personal data to the Company.
  • PROCESSING: Any operation or set of operations performed on personal data, such as collection, storage, use, dissemination, or deletion.

This document establishes the purposes, measures, and procedures that will govern the processing of personal data within the company Backoffice S.A.S.

1. GUIDING PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA

The Company will apply the following principles in a consistent and comprehensive manner to the collection, handling, use, processing, storage, and sharing of personal data:

  • PRINCIPLE OF LEGALITY: The processing referred to in this document is a regulated activity that must comply with the provisions of the law and other regulations implementing it.
  • PRINCIPLE OF PURPOSE: Processing must serve a legitimate purpose in accordance with the Constitution and the Law, which is determined in this document and communicated to the Data Subject for the purpose of obtaining their authorization;
  • PRINCIPLE OF FREEDOM: Processing may only be carried out with the prior, express, and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that waives the requirement for consent;
  • PRINCIPLE OF TRUTHFULNESS OR QUALITY: The information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. The Company will not process data that is partial, incomplete, fragmented, or misleading.
  • PRINCIPLE OF TRANSPARENCY: In the processing of data, the Company guarantees the Data Subject’s right to obtain from the Data Controller or the Data Processor, at any time and without restrictions, information regarding the existence of data concerning them.
  • PRINCIPLE OF RESTRICTED ACCESS AND CIRCULATION: The processing of personal data is subject to the limitations arising from the nature of the data, as well as the provisions of the Constitution and the law. Accordingly, such processing may only be carried out by persons authorized by the data subject and/or by those persons specified by law. Personal data, except for public information, may not be made available on the Internet or other means of mass dissemination or communication, unless access is technically controllable to provide restricted access only to Data Subjects or third parties authorized in accordance with this law.
  • PRINCIPLE OF SECURITY: Information subject to processing by the Data Controller or Data Processor referred to in the law shall be handled using the technical, human, and administrative measures necessary to ensure the security of the records, preventing their alteration, loss, unauthorized or fraudulent consultation, use, or access.
  • PRINCIPLE OF CONFIDENTIALITY: All persons within the Company who are involved in the processing of personal data that is not of a public nature are obligated to ensure the confidentiality of such information, even after their involvement in any of the tasks related to such processing has ended. They may only disclose or communicate personal data if they remain affiliated with the Company and when such disclosure is necessary for the performance of activities authorized by this law and in accordance with its terms.

2. DATA CONTROLLER AND DATA PROCESSOR.

The data controller for personal data is Backoffice S.A.S., whose principal address is: Calle 94 No. 21 - 76 Bogotá - Colombia. Email: info@boffice.cloud

3. TYPE OF INFORMATION SUBJECT TO OUR PROCESSING.

The information processed by Backoffice S.A.S. consists solely of personal data provided by data subjects such as customers, prospects, suppliers, employees, partners, and other individuals associated with any of our products and/or services, and/or with our organization.

4. PURPOSE OF PROCESSING THE COLLECTED PERSONAL DATA.

The purpose of the collected personal data is to use it for informational, commercial, and statistical purposes; to ensure and improve the usability or operation of our products and/or services; for administrative purposes (quotes, billing, collections, orders, purchases, payment management, labor and/or human resources management matters, job offers, references, certifications, etc.); and, in general, for other activities related to our policies, events, campaigns, and news.


The Company will treat the personal data provided by data subjects as confidential and will not disclose it to third parties for commercial purposes without the data subject’s prior authorization and notification.

The Company reserves the right to use the information collected for the purposes indicated, in accordance with the provisions of this policy, including, but not limited to:

A. Processing and managing your transactions as a customer, user, prospect, partner, or employee of Backoffice S.A.S.

B. Providing, through our own channels or in conjunction with third parties, information regarding new product launches, services, plans, promotions, events, and/or benefits.

C. Additional information that benefits the operation, support, maintenance, updates, and warranty of our products or services in the event of incidents, inconveniences, requests, or failures.

D. To provide you with information of interest when you have requested it, including responses to your complaints and, in general, requests, doubts, or inquiries.

E. To review and store information related to requests for any of our products that, as a customer or prospective customer, we need to know for the business relationship.

F. Sending communications related to the commercial activities of Backoffice S.A.S., news and useful information about our company, products, offers, updates, invitations to events, job openings, promotional materials, advertising, and/or surveys regarding our products or services and/or the products and services of our business partners.

G. Processing of data regarding the use of our products and/or services for statistical, marketing, or relational data analysis purposes.

H. Processing of data for research, innovation, and development of new products and/or services.

I. Other activities related to the company’s corporate purpose that necessarily require the use of personal information or data from customers, prospects, suppliers, employees, partners, and other individuals associated with any of our products and/or services, and/or with our organization.

J. Exporting this information abroad, in the event that the hosting service used is not located in Colombia, in accordance with legal guidelines and those determined by the regulatory authority.


The Company may process this data through physical, electronic, cellular, or mobile means, via text messages (SMS), or through any analog and/or digital means of communication, whether currently known or yet to be developed.

Data subjects whose personal data is stored in any of the Company’s databases may at any time exercise their rights of access, update, correction, and deletion with the Company’s data controller.

5. RIGHTS AND LEGAL REQUIREMENTS FOR DATA PROCESSING.

5.1. RIGHTS OF DATA SUBJECTS. The data subject shall have the following rights:

  • To access, update, and correct their personal data by contacting the Data Controllers or Data Processors. This right may be exercised, among other things, with respect to data that is partial, inaccurate, incomplete, fragmented, misleading, or data whose processing is expressly prohibited or has not been authorized;
  • To request proof of the authorization granted to the Data Controller, except when expressly exempted as a requirement for processing, in accordance with the provisions of the law;
  • To be informed by the Data Controller or the Data Processor, upon request, regarding the use that has been made of their personal data;
  • To file complaints with the Superintendency of Industry and Commerce regarding violations of the provisions of this law and any other regulations that amend, add to, or supplement it;
  • Revoke authorization and/or request the deletion of data when the processing does not respect constitutional and legal principles, rights, and guarantees, in accordance with the law and the case law interpreting it;
  • Access, free of charge, your personal data that has been subject to processing.

The right to erasure is not an absolute right. The Company may deny or limit the exercise of this right when:

  • The data subject has a legal or contractual obligation to remain in the database.
  • The deletion of data would hinder judicial or administrative proceedings related to tax obligations, the investigation and prosecution of crimes, or the updating of administrative sanctions.
  • The data is necessary to protect the legally protected interests of the data subject; to take action in the public interest; or to comply with a legal obligation incurred by the data subject.
  • The data is of a public nature and is contained in public records, the purpose of which is to make such information publicly available.
  • The data constitutes a basis for the Company’s normal operations and must be retained by the Company pursuant to the Law or its internal processes.

Likewise, the data subject may revoke, at any time, consent to the processing of such data, provided that no legal or contractual provision prevents it. In this case, the revocation may be partial or total.

5.2. AUTORIZACIÓN DEL TITULAR.

Without prejudice to the exceptions provided for by law, the processing of personal data requires the prior and informed consent of the data subject, which must be obtained by any means that allows for subsequent verification.

By providing express consent through physical or electronic means, including but not limited to telephone, email, the methods provided on the website https://Backoffice.co/, and other channels (landing page), etc., by registering or indicating that they authorize the processing of their personal data and accept the policy included in the privacy notice, the data subject permits Backoffice S.A.S. to collect, record, process, disseminate, and market all data and information voluntarily provided at the time of registration, limited in each case to the type of relationship or database, which determines the type of personal information requested.

By giving their consent, the data subject agrees that the personal data provided at the time of registration, or any other data provided to the Company at any time, in accordance with the type of relationship or database, for access to certain services, events, promotions, information, etc., be used for the purpose of facilitating the relationship that is established or intended to be established, providing the requested services, correctly identifying users who request personalized services, conducting statistical studies of users to design improvements to the services provided, managing basic administrative tasks, as well as keeping you informed, either by email or by any other means of communication.

5.3. CASES WHERE CONSENT IS NOT REQUIRED.

The data subject’s consent is not required in the following cases:

  • Information requested by a public or administrative entity in the exercise of its legal functions or pursuant to a court order;
  • Data of a public nature;
  • Cases of medical or health emergencies;
  • Processing of information authorized by law for historical, statistical, or scientific purposes;
  • Data related to the Civil Registry of Persons.

Any person who accesses personal data without prior authorization must, in all cases, comply with the provisions contained in this law.

5.4. PROVISION OF INFORMATION.

The requested information may be provided by any means, including electronic means, as requested by the Data Subject. The information must be easy to read, free of technical barriers that prevent access, and must fully correspond to the information stored in the database.

5.5. DUTY TO INFORM THE DATA SUBJECT.

When requesting authorization from the Data Subject, the Data Controller must clearly and expressly inform them of the following:

  • The processing to which their personal data will be subjected and the purpose thereof;
  • The optional nature of answering the questions asked, when these concern sensitive data or the data of children and adolescents;
  • The rights to which the Data Subject is entitled;
  • The identification, physical or electronic address, and telephone number of the Data Controller.

PARAGRAPH. The Data Controller must retain proof of compliance with the provisions of this article and, upon request by the Data Subject, provide a copy thereof.

5.6. PERSONS TO WHOM THE INFORMATION MAY BE DISCLOSED.

Information that meets the conditions established in this law may be provided to the following persons:

  • To the Data Subjects, their successors, or their legal representatives;
  • To public or administrative entities in the exercise of their legal functions or by court order;
  • To third parties authorized by the Data Subject or by law.

5.7. PROCESSING OF PERSONAL DATA.

Once authorization has been obtained from the respective data subject(s), Backoffice S.A.S. will collect all personal data pertaining to the data subject(s) in the corresponding electronic database, which it will be responsible for managing and maintaining.

Backoffice S.A.S. will prevent unauthorized access by third parties to the collected personal data and will implement all measures necessary for its protection.

Backoffice S.A.S. undertakes to fulfill its obligation to keep private data confidential, as well as its duty to treat it with confidentiality, and will implement the necessary technical, organizational, and security measures to prevent its alteration, loss, unauthorized processing, or access, in accordance with the provisions of the law and the international treaties signed by Colombia governing this matter.

The Data Subject shall, in any case, be responsible for the accuracy of the data provided.

Backoffice S.A.S. may exclude any Data Subject who has provided false data from any relationship established based on such false information, without prejudice to any other applicable actions.

5.8. PROCESSING OF SENSITIVE DATA. The Company will not process sensitive data, except when:

  • The Data Subject has given explicit consent to such processing, except in cases where such consent is not required by law;
  • The processing is necessary to safeguard the Data Subject’s vital interests and the Data Subject is physically or legally incapacitated. In such cases, the legal representatives must grant their authorization;
  • The processing is carried out in the course of legitimate activities and with due safeguards by a foundation, NGO, association, or any other nonprofit organization whose purpose is political, philosophical, religious, or union-related, provided that it relates exclusively to its members or to persons who maintain regular contact with it by reason of its purpose. In such cases, the data may not be disclosed to third parties without the Data Subject’s authorization;
  • The processing concerns data necessary for the recognition, exercise, or defense of a right in a judicial proceeding;
  • The processing serves a historical, statistical, or scientific purpose. In such cases, measures must be taken to ensure the anonymization of the Data Subjects.

5.9. RIGHTS OF CHILDREN AND ADOLESCENTS.

The Processing shall ensure respect for the prevailing rights of children and adolescents, in accordance with legal guidelines.

6. PROCEDURE FOR HANDLING INQUIRIES FROM DATA SUBJECTS.

In order to facilitate the protection of the rights of data subjects, Backoffice S.A.S. has established the following procedure for them:

6.1. Person or department responsible for handling requests: All requests, inquiries, and complaints arising from the processing of personal data must be directed to the main offices of Backoffice S.A.S. as follows: in person at Calle 94 No. 21-76 in Bogotá or via email at info@boffice.cloud.

6.2. Means of protection: Should the data subject(s) wish to exercise any of their rights, they must submit their request, clearly, in detail, and precisely explaining the reason for their request, the facts supporting it, their contact information, the documents they wish to submit, and their claim(s).

7. DUTIES OF DATA CONTROLLERS

In accordance with the Law, data controllers have the following duties, without prejudice to the other provisions set forth in the Law:

  • To ensure that the Data Subject may, at all times, fully and effectively exercise the right of habeas data;
  • Request and retain, under the conditions provided by law, a copy of the respective authorization granted by the Data Subject;
  • Duly inform the Data Subject of the purpose of the collection and the rights to which they are entitled by virtue of the authorization granted;
  • Maintain the information under the necessary security conditions to prevent its alteration, loss, unauthorized or fraudulent consultation, use, or access;
  • Ensure that the information provided to the Data Processor is truthful, complete, accurate, up-to-date, verifiable, and understandable;
  • Update the information, promptly notifying the Data Processor of any changes regarding the data previously provided, and take all other necessary measures to ensure that the information provided to the Data Processor remains up to date;
  • Correct the information when it is incorrect and notify the Data Processor accordingly;
  • Provide the Data Processor, as applicable, only with data whose processing has been previously authorized in accordance with the provisions of this law;
  • Require the Data Processor at all times to comply with the security and privacy conditions regarding the Data Subject’s information;
  • Handle inquiries and complaints in accordance with the terms set forth in the law;
  • Adopt an internal manual of policies and procedures to ensure proper compliance with the law and, in particular, to address inquiries and complaints;
  • Inform the Data Processor when certain information is under dispute by the Data Subject, once the complaint has been filed and the respective proceedings have not been concluded;
  • Inform the Data Subject, upon request, regarding the use of their data;
  • Notify the data protection authority when security breaches occur and there are risks in the management of Data Subjects’ information;
  • Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

8. DUTIES OF DATA PROCESSORS.

Data Processors must comply with the following duties, without prejudice to the other provisions set forth in this law and in other laws governing their activities:

  • Guarantee to the Data Subject, at all times, the full and effective exercise of the right of habeas data;
  • Store the information under the necessary security conditions to prevent its alteration, loss, unauthorized or fraudulent consultation, use, or access;
  • Timely update, rectify, or delete data in accordance with the law;
  • Update the information reported by Data Controllers within five (5) business days from receipt;
  • Process inquiries and complaints submitted by Data Subjects in accordance with the terms set forth in the law;
  • Adopt an internal manual of policies and procedures to ensure proper compliance with the law and, in particular, to address inquiries and complaints from Data Subjects;
  • Record the notation “complaint pending” in the database as regulated by law;
  • Enter the notation “information under judicial review” into the database once notified by the competent authority of legal proceedings related to the quality of personal data;
  • Refrain from disseminating information that is being contested by the Data Subject and for which the Superintendency of Industry and Commerce has ordered a block;
  • Allow access to the information only to those persons authorized to access it;
  • Notify the Superintendency of Industry and Commerce in the event of security breaches and when there are risks in the management of Data Subjects’ information;
  • Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

PARAGRAPH. In the event that the roles of Data Controller and Data Processor are held by the same person, that person shall be required to fulfill the duties established for each role

To guarantee the rights of Data Subjects, the Company has agreed with its employees who are involved in any phase of data processing that they are obligated to safeguard confidentiality and limit the use of such information to the specific purposes for which it was collected.

9. PRIVACY NOTICE

The Company, through verbal or written communication generated by the Data Controller and addressed to the Data Subject regarding the processing of their personal data, informs them of the existence of the data processing policies that will apply to them, how to access them, the purposes for which the personal data will be processed, the privacy of this information, and, in general, will provide access to this document so that the Data Subject may review it prior to giving consent.

The Data Subject can easily find these notices in advertising materials, on landing pages, on the website, in emails, when accessing products or services, on invoices, and on registration forms for the collection of data necessary for contracting, billing, payment, etc.

Made with Emergent