Data Processing Policy

In compliance with current personal data protection legislation, specifically Law 1581 of 2012 (including any subsequent amendments, additions, or supplemental regulations) and Decree 1377 of 2013, we hereby inform you of the relevant aspects regarding the collection, use, and transfer of Personal Data carried out by INNMETEC S.A.S. (hereinafter, the “Company” or “Innmetec”) pursuant to the authorization granted by you to perform such processing.
“Compañía” o “Innmetec”) realiza de sus Datos Personales, en virtud de la autorización otorgada por usted para adelantar dicho ratamiento.

In this Personal Data Processing Policy (hereinafter, the “Policy”), you will find the guidelines and terms under which the Company processes your data, the purposes of such processing, your rights as a data subject, and the internal and external procedures for exercising those rights. This policy applies to all personal data or any other type of information used or stored within the Company’s databases and files. Likewise, this Policy is also applicable to Data Processors and is of mandatory and strict compliance for the Company, its associates and employees, and in general, for any third party who maintains a contractual or legal relationship with the Company or who has access to information processed by it.

I. Definitions

For the interpretation of this Policy, we ask you to take into account the following definitions:

  • Authorization: The prior, express, and informed consent of the data subject to carry out the Processing of Personal Data;
  • Database: An organized set of Personal Data subject to processing, belonging to the same context and systematically stored for subsequent use;
  • Customer: Any person to whom the Company provides a service or with whom it maintains a contractual/obligatory relationship;
  • Personal Data: Any information linked to or that can be associated with one or more identified or identifiable natural persons;
  • Private Data: Personal Data that, due to its intimate or reserved nature, is only of interest to the data subject and requires their prior, informed, and express authorization for processing. This includes databases containing data such as personal telephone numbers and email addresses; labor data; information on administrative or criminal offenses managed by tax authorities, financial institutions, and Social Security management entities and common services; databases on financial solvency or creditworthiness; databases with sufficient information to evaluate the data subject's personality; and databases belonging to operators providing electronic communication services;
  • Public Data: Data that is not semi-private, private, or sensitive. Public Data includes, among others, data relating to the civil status of individuals, their profession or trade, and their status as a merchant or public servant. By its nature, Public Data may be contained in, among others, public records, public documents, official gazettes and bulletins, and duly executed judicial rulings that are not subject to confidentiality.
  • Semi-private Data: Data that is not of an intimate, reserved, or public nature, and whose knowledge or disclosure may be of interest not only to the Data Subject but also to a certain sector or group of persons, or to society in general. This includes: Databases containing financial, credit, commercial, and service information, as well as information originating from third countries.
  • Sensitive Data: Those data that affect the privacy of the Data Subject or whose misuse may lead to discrimination;
  • Data Processor: A natural or legal person, public or private, who by themselves or in association with others, performs the processing of personal data on behalf of the Company as the Data Controller;
  • Processing Policy: Refers to this document as the personal data processing policy applied by the Company, in accordance with the guidelines of current legislation on the matter;
  • Proveedor: Toda persona natural o jurídica que preste algún servicio a la Compañía en virtud de una relación contractual/obligacional;
  • Data Processor: A natural or legal person, public or private, who by themselves or in association with others, performs the processing of personal data on behalf of the Company as the Data Controller;
  • Data Subject: The natural person whose personal data is subject to Processing, whether as a customer, supplier, employee, or any third party who, by reason of a commercial or legal relationship, provides personal data to the Company;
  • Transfer: Refers to the sending of personal data by the Company as the Data Controller or a Data Processor to a third party or a natural/legal person (recipient), within or outside the national territory, for the effective processing of personal data;
  • Data Transfer (Transmission): Refers to the communication of personal data by the Data Controller to the Data Processor, located within or outside the national territory, so that the Data Processor, on behalf of the Data Controller, may process personal data;
  • Processing: Any operation or set of operations performed on personal data, such as collection, storage, use, circulation, or deletion.

For the understanding of any terms not included in the list above, you must refer to current legislation, specifically Law 1581 of 2012 and Decree 1377 of 2013, applying the meaning provided in said regulations to any terms whose definition may be in doubt.

II. Use and Purpose of Processing

The Company recognizes that the Personal Data Subject has the right to a reasonable expectation of privacy, while taking into account their responsibilities, rights, and obligations to the Company. The processing of personal data may be carried out through physical, automated, or digital means, depending on the type and method used to collect the personal information.

By virtue of the relationship established between you and the Company, the latter collects, stores, uses, and transfers Personal Data to companies located both within and outside of Colombia. Personal Data is used for the following purposes:

  • Execution of contracts entered into with the Company.
  • Payment of contractual obligations.
  • Sending information to governmental or judicial entities upon their express request.
  • Support in external/internal audit processes.
  • Sending/Receiving messages for commercial, advertising, and/or customer service purposes.
  • Resolution of PQR (Petitions, Queries, and Requests) or petitions for the protection of rights.
  • Registration of Customer information in the Company's database.
  • Registration of employee information in the Company's database.
  • Registration of Supplier information in the Company's database.
  • Contact with customers, employees, or suppliers to send information related to the contractual, commercial, and obligatory relationship that takes place.
  • Collection of data for the fulfillment of the duties that correspond to the Company as the Controller of information and personal data;
  • For security purposes or fraud prevention.
  • Carry out research, including secondary and follow-up research, as well as market studies or commercial or statistical research;
  • To issue invitations to academic and/or research events organized and promoted by the Company or third parties;
  • Any other purpose resulting from the performance of the contract or the relationship between you and the Company.

If you provide us with Personal Data, this information will be used only for the purposes stated herein, and we will not sell, license, transmit, or disclose it outside of the Company unless: (i) you expressly authorize us to do so; (ii) it is necessary to allow our contractors or agents to provide the services we have entrusted to them; (iii) it is related to a merger, consolidation, acquisition, divestiture, or other restructuring process; or (iv) as required or permitted by law.

In order to implement the purposes described above, your Personal Data may be disclosed for the aforementioned ends to human resources personnel, processors, consultants, advisors, and other persons and offices as appropriate.

The Company may outsource certain functions or information processing to third parties. When we engage third parties to process your personal information or provide your personal information to third-party service providers, we notify such third parties of the need to protect said personal information with appropriate security measures; we prohibit them from using your personal information for their own purposes and prevent them from disclosing your personal information to others.

Additionally, please be advised that once the necessity for processing your data ceases, said data may be deleted from Innmetec's databases or archived under secure terms, ensuring they are only disclosed when applicable in accordance with the law.

III. Processing of Sensitive Data

In the event of the collection of sensitive information or data relating to minors, the Data Subject has the right to withhold authorization, to choose whether or not to answer any questions asked, and to choose whether or not to provide the requested data. Sensitive Data are those that affect the privacy of the subject or whose misuse may lead to discrimination, such as political, philosophical, religious, or sexual orientation; membership in labor unions, social organizations, or human rights groups; health data; biometric data; and data of minors for whom the subject holds legal representation. No activity may be conditioned upon the provision of Sensitive Data. Data belonging to minors may only be provided by the minor's legal representative following the minor's prior exercise of their right to be heard; in such cases, the processing shall respond to and respect the best interests of children and adolescents, ensuring respect for their fundamental rights.

The Company will only process Sensitive Data when:

  • The Data Subject has given their explicit authorization for said Processing to the Data Controller or the Data Processor, except in cases where the granting of such authorization is not required by law;
  • The Processing is necessary to safeguard the vital interest of the Data Subject and the latter is physically or legally incapacitated. In these events, legal representatives must grant their authorization;
  • The Processing is carried out in the course of legitimate activities and with due guarantees by a foundation, NGO, association, or any other non-profit organization whose purpose is political, philosophical, religious, or trade union-related, provided that they refer exclusively to its members or individuals who maintain regular contact by reason of its purpose. In these events, the data may not be provided to third parties without the authorization of the Data Subject;
  • The Processing has a historical, statistical, or scientific purpose. In this event, measures leading to the suppression of the Data Subjects' identity shall be adopted.

IV. Rights of the Data Subject

In accordance with Article 8 of Law 1581 of 2012, the rights you are entitled to as a Data Subject regarding your personal data are:

  • Know, update, and rectify your Personal Data with Innmetec as the Data Controller or Data Processor. This right may be exercised, among others, regarding partial, inaccurate, incomplete, or fragmented data, data that leads to error, or data whose Processing is expressly prohibited or has not been authorized;
  • Request proof of the authorization granted to the Company as the Data Controller, except when expressly exempted as a requirement for Processing;
  • Be informed by the Company, as the Data Controller or by the Data Processor, upon request, regarding the use given to your Personal Data;
  • File complaints before the Superintendency of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and any other regulations that modify, add to, or complement it;
  • Revocar la autorización y/o solicitar la supresión del dato cuando en el Tratamiento no se respeten los principios, derechos y garantías constitucionales y legales;
  • Access, free of charge, your Personal Data that has been subject to Processing.
  • Refrain from answering questions regarding Sensitive Data or data concerning children and adolescents.

The Company reserves the right to verify your identity in connection with any request related to personal information to guarantee and ensure the protection of the collected information for the individuals to whom it belongs, and to allow only those individuals or their authorized representatives to exercise rights regarding it. If you are an authorized agent making a request on behalf of a consumer, the Company may request additional information to verify that you are authorized to make such a request.

The Company reserves the right to reject your request if your identity cannot be verified. The Company will make its best effort to provide information regarding the denial and will offer an explanation of the grounds, facts, and reasons for the rejection of your request.

V. Digital Tools Management

Depending on how you access the Company's online services, we may use "cookies" or similar technologies to record log data. The collection of this data is carried out in accordance with the terms and conditions contained in the "Cookies Policy" available at the following link: Cookies Policy.

VI. Procedure for the Exercise of Your Rights as a Data Subject

For the handling of petitions, inquiries, and claims regarding Personal Data protection, Data Subjects may submit their requests or inquiries to the following email address: gerenciatecnica@innmetec.com.

Please note that once you notify the responsible department, your request or petition regarding your Personal Data will be addressed within a maximum term of fifteen (15) business days from the receipt of said request or petition. For the correct and complete consideration of your petition, request, or claim, we ask that you provide the applicant's identity, identification number, an address for notifications/responses, and any documents you wish to present as evidence.

If your request or petition does not contain sufficient data and facts to allow Innmetec to address it correctly and completely, you will be required within five (5) days following the receipt of the request, petition, or claim to remedy the deficiencies. After fifteen (15) days have elapsed from the date of the requirement, if you as the applicant have not remedied the request as required, the Company shall understand that you have withdrawn your request.

VII. Amendments to the Policy

In order to maintain the validity of this Policy, the Company may adjust and modify it, indicating the update date on the website. Notwithstanding, any substantial change in its content—particularly those referring to the identity of the Data Controller and the purpose of the personal data processing, which may affect the scope of the authorization—will be promptly and efficiently communicated to the data subjects before the implementation of the new policies, via the website or other means. Effective Date: May 2024.

Instagram Linkedin
@Innmetec

Dirección: Carrera  48A #10, El Poblado, Medellín, Antioquia, Colombia.
Contacto:  +57 318 265 6050 – +57 314 632 0993

Personal Data Policy

Logo Innmetec letra blanca
en_US
en_US es_CO