Política de Tratamiento de Información
POLÍTICA DE TRATAMIENTO DE DATOS PERSONALES
INTRODUCCIÓN
En Stay S.A.S. (en adelante “Stay”) es muy importante la conservación, protección, integridad y confidencialidad de los Datos Personales de sus huéspedes, visitantes, clientes en general, proveedores, contratistas, accionistas, inversionistas, empleados y demás. Para esto hemos diseñado una política de almacenamiento y tratamiento de los Datos Personales que se nos suministren a través de cualquier medio, y estamos comprometidos con la protección y manejo adecuado de los mismos, conforme el régimen legal de protección de Datos Personales aplicable en cada territorio en donde operamos.
OBJETIVO
Describir las directrices para el tratamiento de Datos Personales teniendo en cuenta lo dispuesto por la Ley 1581 de 2012, Decreto 1377 de 2013, Decreto 886 de 2014, incorporados en el Decreto Único 1074 de 2015, y las demás normas que amplíen, modifiquen o sustituyan la regulación sobre la materia.
DEFINICIONES
Para efectos de la aplicación de las reglas contenidas en la presente política, y, de acuerdo con lo establecido en el artículo 3 de la Ley 1581 de 2012, se entiende por:
Autorización: Consentimiento previo, expreso e informado del Titular para llevar a cabo el Tratamiento de datos personales. Se entenderá que la Autorización cumple con estos requisitos cuando se manifieste (i) por escrito, (ii) de forma oral o (iii) mediante conductas inequívocas del Titular que permitan concluir de forma razonable que otorgó la autorización. En ningún caso el silencio podrá asimilarse a una conducta inequívoca.
Aviso de Privacidad: Comunicación verbal o escrita generada por el Responsable dirigida al Titular para el tratamiento de sus datos personales, mediante la cual se le informa acerca de la existencia de las políticas de Tratamiento de información que le serán aplicables, la forma de acceder a las mismas y las finalidades del Tratamiento que se pretende dar a los datos personales.
Base de datos: Conjunto organizado de Datos Personales que sea objeto de Tratamiento
Personal Data: Cualquier información vinculada o que pueda asociarse a una o varias personas naturales determinadas o determinables.
Private Data: Conjunto organizado de Datos Personales que sea objeto de Tratamiento.
Semi-private Data: Datos que no sean de naturaleza íntima, reservada o pública y cuyo conocimiento y difusión pueda interesar no sólo a su titular sino también a un determinado sector o grupo de personas, o a la sociedad en general, como los datos financieros y crediticios.
Sensitive Data: Datos que afecten a la intimidad del Titular o cuyo uso indebido pueda generar discriminación, como aquellos que revelen el origen racial o étnico, la orientación política, las creencias religiosas o filosóficas, la pertenencia a sindicatos,
organizaciones sociales, organizaciones de derechos humanos u organizaciones que promuevan intereses de cualquier partido político o garanticen los derechos y garantías de partidos políticos de oposición, así como datos relativos a la salud, a la vida sexual y datos biométricos.
Procesador de datos Cualquier persona física o jurídica, pública o privada, que, sola o en asocio con otros, trate Datos Personales por cuenta del Responsable del Tratamiento.
Responsable del tratamiento de datos (o simplemente “Responsable”): Cualquier persona física o jurídica, pública o privada, que, sola o en asocio con otros, trate Datos Personales por cuenta del Responsable del Tratamiento.
Transferecia La transferencia de datos ocurre cuando el Responsable del Tratamiento y/o Encargado del Tratamiento, ubicado en Colombia, envía la información o Datos Personales a un destinatario, quien a su vez es Responsable del Tratamiento y se encuentra dentro o fuera del país.
Transmisión: El Tratamiento de Datos Personales que implica la comunicación de dichos datos dentro o fuera del territorio de la República de Colombia con el fin de que sean tratados por el Encargado del Tratamiento por cuenta del Responsable del Tratamiento.
Sujeto de datos: Una persona física cuyos Datos Personales sean objeto de tratamiento.
Procesando Cualquier operación o conjunto de operaciones sobre datos personales, como la recolección, almacenamiento, uso, circulación o supresión de dichos datos.
Principios
Los principios que se describen a continuación constituyen los parámetros generales que serán adoptados por Stay en los procesos de tratamiento de datos personales:
Principio de Propósito: El tratamiento de los Datos Personales recogidos por Stay deberá cumplir con una finalidad legítima, la cual deberá ser informada al Titular de los Datos.
Principio de Libertad: El tratamiento solo podrá realizarse con el consentimiento previo, expreso e informado del titular de los datos. Los datos personales no podrán obtenerse ni divulgarse sin autorización previa o en ausencia de un mandato legal o judicial que exima de la necesidad del consentimiento.
Principio de Veracidad o Calidad: La información objeto de tratamiento debe ser veraz, completa, precisa, actualizada, verificable y comprensible. Se prohíbe el tratamiento de datos parciales, incompletos, fragmentados o engañosos.
Principio de Transparencia: En el tratamiento se deberá garantizar el derecho del Titular de los Datos a obtener de Stay o del Encargado del Tratamiento, en cualquier momento y sin restricciones, información acerca de la existencia de datos que le conciernan.
Principio de Acceso y Circulación Restringida: Los datos personales, salvo la información pública, no pueden estar disponibles en Internet u otros medios de comunicación o divulgación masiva, a menos que el acceso sea técnicamente controlable para brindar un conocimiento restringido sólo a los Titulares de los Datos o a terceros autorizados.
Principio de Seguridad: La información sujeta a tratamiento por parte de Stay S.A.S. deberá ser protegida mediante las medidas técnicas, humanas y administrativas necesarias para garantizar la seguridad de los registros, impidiendo su adulteración, pérdida, consulta, uso o acceso no autorizado o fraudulento.
Principio de confidencialidad: Todas las personas que intervengan en el tratamiento de Datos Personales están obligadas a garantizar la confidencialidad de la información, incluso una vez finalizada su relación con alguna de las tareas que comprenden el tratamiento.
Principio de Colaboración con Autoridades Nacionales o Extranjeras: Además de lo establecido en la ley, la Autorización del Titular de los Datos incluirá la posibilidad de proporcionar información a autoridades nacionales o extranjeras, con el objetivo de colaborar en la prevención, detección y mitigación de riesgos relacionados con la evasión fiscal, corrupción nacional o extranjera, lavado de activos, financiamiento del terrorismo y/o actividades similares, así como realizar las acciones necesarias para mitigar los efectos de dichas situaciones en caso de presentarse.
Principio de Legalidad: La recolección, uso y tratamiento de los datos personales se basará en las disposiciones establecidas en la ley y demás normas que la desarrollen.
Principio de necesidad y proporcionalidad: Los datos personales registrados en una base de datos deben ser estrictamente necesarios para cumplir con las finalidades del tratamiento, según lo informado al titular de los datos. En este sentido, deben ser adecuados, pertinentes y acordes con las finalidades para las que fueron recopilados.
Principio de Propósito: El tratamiento de los Datos Personales recogidos por Stay deberá cumplir con una finalidad legítima, la cual deberá ser informada al Titular de los Datos.
Principio de Temporalidad o Caducidad: El período de conservación de los datos personales será el necesario para la consecución de la finalidad para la que han sido recogidos.
ÁMBITO DE APLICACIÓN
This policy will be applicable to the Personal Data registered and to be registered in the different databases managed by Stay. This includes databases of guests, visitors, members, general clients, suppliers, contractors, shareholders, investors, employees, former employees, and others who provide their data through different communication channels (digital or printed media) for commercial, legal, contractual, labor, or security purposes, as applicable. The information collected by Stay may include, in whole or in part depending on the needs of each product and/or service, among others, the following data:
– Nombre y apellidos
– Tipo y número de identificación
– Nacionalidad y país de residencia
– Fecha de nacimiento y género
– Estado civil y/o relación con menores o personas con discapacidad que solicitan nuestros servicios
– Números de contacto fijos y móviles (personales y/o laborales)
– Direcciones postales y electrónicas (personales y/o laborales)
– Profesión u ocupación
– Empresa donde trabajas y puesto
– Origen y destino
– Propósito de su viaje
– Información de la tarjeta de crédito (número, banco, fecha de vencimiento)
– Datos personales del titular de la tarjeta (nombre y apellidos, tipo y número de identificación)
– Home address where the cardholder receives bank statements
– Datos biométricos, específicamente registros de cámaras de seguridad para vigilancia.
– Imágenes fotográficas o vídeos
Estos datos podrán ser almacenados y/o tratados en servidores ubicados en centros de datos propios o contratados con terceros proveedores y/o contratistas, quienes a su vez están obligados a cumplir con esta política como Encargados del Tratamiento bajo cláusulas de confidencialidad.
Veracidad de la información
Nuestros huéspedes, visitantes, miembros, clientes, proveedores, contratistas, accionistas, inversionistas, empleados y demás personas deben proporcionar información veraz sobre sus Datos Personales para establecer una relación adecuada con Stay, ya sea para la prestación de servicios o para el cumplimiento de obligaciones legales o contractuales. Stay presume la veracidad de la información proporcionada y no verifica, ni está obligado a verificar, la identidad de los huéspedes, visitantes, clientes, proveedores, contratistas, accionistas, inversionistas, empleados y demás personas, ni la veracidad, validez, suficiencia y autenticidad de los datos que cada uno de ellos proporciona. Por lo tanto, Stay no asume ninguna responsabilidad por daños y perjuicios de cualquier naturaleza que puedan derivarse de la falta de veracidad, validez, suficiencia o autenticidad de la información, incluyendo los daños y perjuicios que puedan deberse a homonimia o suplantación de identidad.
INFORMACIÓN DE NIÑOS Y ADOLESCENTES
De acuerdo con la ley, Stay no tratará Datos Personales de niños, niñas y adolescentes, salvo cuando se trate de datos públicos, de conformidad con el artículo 7 de la Ley 1581 de 2012, y cuando dicho tratamiento cumpla con los siguientes parámetros y requisitos:
a) Responda y respete los intereses superiores de los niños, niñas y adolescentes.
b) Garantiza el respeto de sus derechos fundamentales.
La recopilación de datos personales de menores de edad es opcional y debe realizarse con la autorización previa y expresa del tutor o de la persona que ejerza la patria potestad. En el caso de los niños y otros familiares de los interesados, el tratamiento de esta información se realizará para fines relacionados con el departamento de recursos humanos (afiliación a la seguridad social, cajas de compensación familiar, prestaciones y otras obligaciones legales) y garantizará el respeto de los derechos prevalentes de los niños, niñas y adolescentes. Stay garantizará el uso adecuado de los datos de los niños, niñas y adolescentes, garantizando el respeto de su interés superior y sus derechos fundamentales en el tratamiento de sus datos.
FINALIDADES DEL TRATAMIENTO DE DATOS PERSONALES
Los Datos Personales de los huéspedes, visitantes y clientes en general son recabados para procesar, confirmar, cumplir y prestar los servicios y/o productos adquiridos, directamente y/o con la participación de terceros contratistas y/o proveedores de productos o servicios, así como para promover y publicitar, directamente y a través de terceros proveedores, nuestras actividades, productos y servicios, realizar transacciones, realizar reportes a diversas autoridades administrativas de control y vigilancia nacionales o internacionales, autoridades policiales o judiciales, bancos y/o compañías de seguros, para fines administrativos internos y/o comerciales tales como estudios de mercado, auditorías, informes contables, análisis estadísticos, facturación y ofrecimiento y/o reconocimiento de beneficios de nuestros programas de lealtad.
Los Datos Personales de los huéspedes, visitantes y clientes en general son recabados para procesar, confirmar, cumplir y prestar los servicios y/o productos adquiridos, directamente y/o con la participación de terceros contratistas y/o proveedores de productos o servicios, así como para promover y publicitar, directamente y a través de terceros proveedores, nuestras actividades, productos y servicios, realizar transacciones, realizar reportes a diversas autoridades administrativas de control y vigilancia nacionales o internacionales, autoridades policiales o judiciales, bancos y/o compañías de seguros, para fines administrativos internos y/o comerciales tales como estudios de mercado, auditorías, informes contables, análisis estadísticos, facturación y ofrecimiento y/o reconocimiento de beneficios de nuestros programas de lealtad.
En el caso de datos biométricos (específicamente, grabaciones de cámaras de seguridad para vigilancia), la información recolectada será utilizada para la seguridad de los empleados, visitantes, así como de la propiedad e instalaciones; y la información recolectada como imágenes fotográficas o videos capturados en eventos, cursos, talleres, seminarios y demás actividades de Stay para el desarrollo de nuestro bienestar social, será utilizada o podrá ser procesada para seguridad, convivencia, apoyo o evidencia del trabajo y actividades realizadas.
En el caso de información de contacto (número de teléfono, correo electrónico para envío de mensajes SMS o a través de WhatsApp, Telegram, o cualquier otro medio tecnológico o de mensajería instantánea) de ubicación y geolocalización, los datos serán tratados por Stay S.A.S., por su proveedor de CRM o Customer Relationship Management – Progress (Experience Hôtel ©) y cualquier tercero que lo sustituya o tenga acceso a estos datos para cumplir las finalidades descritas a continuación:
– Make event invitations and offer products and services;
– Manage procedures (requests, complaints, claims);
– Conduct satisfaction surveys regarding the goods and services offered by Stay S.A.S. or its business partners;
– Provide contact information to the sales force and/or distribution network, telemarketing, market research, and any third party with which Stay S.A.S. has a contractual relationship for the development of such activities (market research and telemarketing, etc.) for their execution;
– Contact the Data Subject through telephone, email, chat, WhatsApp, or Telegram to conduct surveys, studies, and/or confirmation of personal data necessary for the execution of a contractual relationship;
– Contact the Data Subject through electronic means – SMS or chat to send news related to loyalty campaigns or service improvement;
– Provide the services offered by Stay S.A.S. and accepted in the signed contract (where applicable);
– Learn about clients’ tastes, preferences, and hobbies; and the most used or preferred social networks.
By accepting the processing of personal data, our guests, members, visitors, general clients, suppliers, contractors, shareholders, investors, employees, and others, as data subjects, authorize Stay to apply this policy and process their personal data, in whole or in part, including the collection, storage, recording, use, circulation, processing, deletion, for the execution of activities related to the services and products acquired, such as making reservations, modifications, cancellations, and changes thereof, refunds, handling inquiries, complaints and claims, payment of compensations and indemnifications, accounting records, correspondence, processing and verification of credit, debit cards, and other identification instruments, fraud detection and prevention of money laundering and other criminal activities, and/or for the operation of loyalty programs, sending of advertisements and commercial material, requesting the completion of satisfaction surveys, and other purposes indicated in this document. This is without prejudice to other purposes that have been informed in this document and in the terms and conditions of each of the products and services specific to each of our business units.
Third-party providers and/or contractors may be involved in these activities and are compelled to comply with this policy as Data Processors under confidentiality clauses, such as reservation system providers, travel agencies, reservation centers, banks, insurers, security personnel or security agencies, and others. Additionally, our travelers, clients, and users, as Data Subjects of the collected data, by accepting this policy, authorize us to:
– Use, directly or through contracted third parties, the information received from them for marketing purposes of our products and services, and the products and services of third parties with whom Stay maintains a business relationship.
– Provide Personal Data to police or judicial control and surveillance authorities, by legal or regulatory requirement and/or use or disclose this information and Personal Data in defense of its rights and/or property as far as such defense is related to the products and/or services contracted by its travelers, clients, and users.
– Allow access to information and Personal Data to auditors or third parties contracted to carry out internal or external audit processes related to the commercial activity we develop.
– Consult and update personal data, at any time, to keep such information up to date.
– Contract with third parties for the storage and/or processing of information and Personal Data for the proper execution of the contracts entered into with us, under the security and confidentiality standards to which we are obliged.
AUTHORIZATION
The collection, storage, use, circulation, or deletion of Personal Data by Stay requires the free, prior, express, and informed consent of the Data Subject. The authorization will be considered compliant with these requirements when expressed (i) in writing, (ii) orally, or (iii) through unequivocal actions of the data subject that reasonably allow concluding that the authorization was granted. In no case shall silence be understood as an unequivocal conduct.
Stay, in its capacity as the data controller, has implemented the necessary mechanisms to obtain the Data Subject’s Authorization, ensuring that it is always possible to verify the granting of such authorization. With the aforementioned Authorization, the Data Subject accepts the policies and conditions established in this document. The Data Subject’s Authorization will not be necessary in the following events:
– Personal Data is required by a public or administrative entity in the exercise of its legal functions or by court order.
– The data is of a public nature.
– In cases of medical or sanitary emergency.
– The processing of Personal Data is authorized by law for historical, statistical, or scientific purposes.
– The data is related to civil registry records.
FORM AND MECHANISMS FOR GRANTING AUTHORIZATION
The Data Subject’s Authorization will be included in each of the data collection channels and mechanisms of Stay. It may be in a physical document, electronic format, or any other format that guarantees its subsequent consultation. The Authorization will be issued by the Data Subject prior to the processing of their personal data, in accordance with Law 1581 of 2012, Decree 1377 of 2013, Decree 886 of 2014, incorporated in the Sole Decree 1074 of 2015, and other regulations that expand, modify, or replace the rules on the matter.
With the consented Authorization procedure, it is ensured that the Data Subject of the personal data is informed that their personal information will be collected and used for specific and known purposes and that they have the option to know any alteration to them and the specific use that has been made of them. This allows the Data Subject to make informed decisions regarding their Personal Data and control the use of their personal information. The Authorization may also be consented to by the Data Subject through unequivocal actions that reasonably allow concluding that the Authorization was granted, such as entering and remaining in buildings with video surveillance systems, and with entry and exit records.
RIGHTS OF THE DATA SUBJECTS
In accordance with Article 8 of Law 1581 of 2012, the Data Subject of Personal Data has the following rights:
– To know, update, and rectify their Personal Data with Stay, in its capacity as data controller.
– To authorize Stay, as the data controller, to handle the information contained in the databases in accordance with Law 1581 of 2012.
– To request proof of the Authorization granted to Stay, in its capacity as data controller, except when expressly exempted as a requirement for processing, in accordance with Article 10 of Law 1581 of 2012.
– To be informed by Stay, upon request, about the use that has been made of their personal data.
– To file complaints with the Superintendence of Industry and Commerce for violations of the provisions of Law 1581 of 2012, once they have exhausted the consultation or claim process with the data controller.
– Except for legal exceptions, to revoke the Authorization and/or request the deletion of the data when the processing does not respect constitutional and legal principles, rights, and guarantees. The revocation and/or deletion will proceed when the Superintendence of Industry and Commerce has determined that the data controller has engaged in conduct contrary to the law and the Constitution during processing.
– To access their Personal Data that has been subject to Processing free of charge.
– To refrain from answering questions about sensitive data or about the data of children and adolescents.
– To be informed about this data protection policy.
DUTIES OF STAY IN RELATION TO THE PROCESSING OF PERSONAL DATA
Stay will always keep in mind that Personal Data belongs to the individuals they refer to and that only they can decide on it. Accordingly, it will use them only for the purposes for which it is duly authorized and will always respect Law 1581 of 2012 on personal data protection. In accordance with Article 17 of Law 1581 of 2012, Stay commits to permanently comply with the following duties:
– Guarantee the Data Subject, at all times, the full and effective exercise of their rights.
– In accordance with the law, request and retain the respective authorization granted by the data subject.
– Clearly inform the data subject about the purpose of the collection of personal data and their rights.
– Keep the information under the necessary security conditions to prevent its alteration, loss, consultation, use, or unauthorized or fraudulent access.
– Request and retain, under the conditions provided by law, a copy of the respective Authorization granted by the data subject.
– Timely perform the updating, rectification, or deletion of data within the terms provided in Articles 14 and 15 of Law 1581 of 2012.
– Process consultations and claims made by the Data Subjects within the terms indicated in Article 14 of Law 1581 of 2012.
– Record the legend “Claim in Process” in the database in the manner regulated by Law 1581 of 2012.
– Insert the legend “Information under Judicial Discussion” in the database once notified by the competent authority about judicial processes related to the quality or details of the Personal Data.
– Refrain from circulating information that is being disputed by the Data Subject and whose blocking has been ordered by the Superintendence of Industry and Commerce.
– Allow access to information only to those who may have access to it.
– Inform the Superintendence of Industry and Commerce when security codes are violated, and there are risks in the administration of the Data Subjects’ information.
– Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
– Strictly comply with Law 1581 of 2012 as well as the decrees that regulate it and all requirements made by the Superintendence of Industry and Commerce.
– Use information responsibly, including security, administrative, physical, and technological controls.
PROCEDURES FOR ACCESS, CONSULTATION, AND CLAIMS
RIGHT OF ACCESS
The power of disposition or decision that the Data Subject has over their information necessarily entails the right to access and know if their personal information is being processed, as well as the scope, conditions, and generalities of such processing. Likewise, the Data Subject has the right to request the rectification of their data if it is inaccurate or incomplete and to cancel it when it is not being used in accordance with legal or contractual purposes or the purposes and terms contemplated in this Policy. Stay will guarantee the right of access when, upon verification of the identity of the Data Subject or their representative or attorney, it is requested as provided in Law 1581 of 2012, including the following data:
a) Names and surnames.
b) Type of document.
c) Document number.
d) Phone number.
e) Personal email.
f) Country.
g) Subject.
Clients and users can exercise their rights to know, update, rectify, and delete their Personal Data by sending their request to the email: protecciondatos@staygroup.co, or through the website https://seissta.com in the legal terms section, in accordance with this Policy.
RESPONSE TO CONSULTATIONS
In any case, regardless of the mechanism implemented for handling consultation requests, they will be attended to within a maximum term of ten (10) business days from the date of receipt. When it is not possible to attend to the consultation within this term, the interested party will be informed before the expiration of the 10 days, explaining the reasons for the delay and indicating the date on which the consultation will be attended to, which in no case may exceed five (5) business days following the expiration of the first term.
CLAIMS
In accordance with Article 14 of Law 1581 of 2012, the Data Subject or their successors who consider that the information contained in a database should be corrected, updated, or deleted, or when they notice an alleged breach of any of the duties contained in Law 1581 of 2012, may file a claim with the Data Controller, which will be processed under the following rules:
The claim can be submitted by the Data Subject using the forms provided by Stay in its Hotel registry. If the received claim lacks complete information that allows it to be processed, such as the identification of the Data Subject, description of the facts giving rise to the claim, address, and accompanying documents that are intended to be enforced, the interested party will be required within five (5) days following its receipt to remedy the deficiencies. If two (2) months elapse from the date of the request without the applicant providing the required information, it will be understood that they have withdrawn the claim. If for any reason the Company receives a claim that should not be directed to it, it will transfer it to the appropriate party within a maximum term of two (2) business days and inform the interested party of the situation.
Once the complete claim is received, a legend will be included in the database maintained by Stay that says “claim in process” and the reason for it, within a term not exceeding two (2) business days. This legend must be maintained until the claim is decided.
The maximum term to address the claim will be fifteen (15) business days from the day following the date of receipt. When it is not possible to address it within this term, the interested party will be informed before the expiration of the referred term of the reasons for the delay and the date on which the claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.
In cases where the Data Subject claims identity theft, Stay S.A.S. must inform the Data Processor to include the respective legend regarding the Data Subject and the obligation or obligations affecting them with the impersonation. In any case, the Data Controller must carry out the corresponding process to establish if there are indications that lead to the elimination of the information report, both positive and negative. If as a result of the process it is determined that the elimination of the information does not proceed, the Data Subject may turn to the Superintendence of Industry and Commerce for it to rule on the matter.
IMPLEMENTATION OF PROCEDURES TO GUARANTEE THE RIGHT TO FILE CLAIMS
At any time and free of charge, the Data Subject or their representative may request Stay to rectify, update, or delete their personal data, upon verification of their identity. The rights of rectification, updating, or deletion may only be exercised by:
– The Data Subject or their successors, upon verification of their identity, or through electronic means that allow them to be identified.
– Their representative, upon verification of the representation.
When the request is made by a person other than the Data Subject and it is not proven that they are acting on behalf of the Data Subject, it will be considered not submitted.
The request for rectification, updating, or deletion must be submitted through the means enabled by Stay indicated in this policy and contain, at a minimum, the following information:
– The name and address of the Data Subject or any other means to receive the response.
– The documents that prove the identity or representation of the Data Subject.
– A clear and precise description of the Personal Data regarding which the Data Subject seeks to exercise any of their rights.
– Any other elements or documents that facilitate the location of the personal data.
– Indicate the corrections to be made and provide the documentation that supports the request.
DATA DELETION AND/OR REVOCATION OF AUTHORIZATION
The Data Subject has the right, at any time, to request Stay to delete their Personal Data when:
– They consider that the data is not being processed in accordance with the principles, duties, and obligations set out in Law 1581 of 2012.
– The data is no longer necessary or relevant for the purpose for which it was collected.
– The period necessary for fulfilling the purposes for which the data was collected has expired.
The request for data deletion or the revocation of the Authorization will not proceed when:
– The Data Subject has a legal or contractual obligation to remain in the database.
– The deletion of the data would hinder judicial or administrative proceedings related to tax obligations, the investigation and prosecution of crimes, or the updating of administrative sanctions.
– The data is necessary to protect the legally protected interests of the Data Subject, to carry out an action in the public interest, or to comply with a legally acquired obligation by the Data Subject.
INFORMATION SECURITY
In accordance with the principle of security established in Law 1581 of 2012, Stay has adopted the necessary technical, human, and administrative measures to ensure the security of the records, preventing their alteration, loss, unauthorized consultation, use, or fraudulent access. Nonetheless, the client assumes the risks arising from providing this information through a medium such as the internet, which is subject to various variables—third-party attacks, technical or technological failures, among others. Stay will make its best technological effort to guarantee the security of the personal information of all its clients and/or users, employing reasonable and current security methods to prevent unauthorized access, maintain data accuracy, and ensure the correct use of the information.
MODIFICATIONS TO THE POLICY
Stay reserves the right to make modifications or updates to this Policy at any time, to address legislative changes, internal policies, or new requirements for the provision or offering of its services or products.
VALIDITY
This Policy begins to take effect according to the terms of Law 1581 of 2012. The validity of the databases mentioned herein and the corresponding Personal Data will be maintained in accordance with contractual terms or the legal terms on document retention.
ANNEXES
– Authorization for Personal Data Processing (in contract and/or any document provided by Stay)
– Authorization for Image and Photography Use
– Hotel Registration