DATA PROCESSING AND PROTECTION POLICY FOR SYNERGY ADVISORS' DATA SUBJECTS

In compliance with the provisions of Statutory Law 1581 of 2012 and its Regulatory Decree 1377 of 2013, SYNERGY ADVISORS LLC sets out the policy applicable to the entity for the treatment and protection of personal data.

I. IDENTIFICATION

COMPANY NAME: SYNERGY ADVISORS LLC (hereinafter THE COMPANY)

ADDRESS: 704 228th Ave NE #311 Sammamish WA

EMAIL: [email protected]

PHONE: +1 425-689-3310

II. LEGAL FRAMEWORK

  • Political Constitution, article 15,
  • Law 1266 of 2008,
  • Regulatory Decree 1727 of 2009,
  • Regulatory Decree 2952 of 2010,
  • Law 1581 of 2012,
  • Partial Regulatory Decree 1377 of 2013,
  • Decree 1074 of 2015, and other regulations that modify, repeal or replace them.
  • Regulatory Decree 090

III. DEFINITIONS

AUTHORIZATION: prior, express, and informed consent of the data subject to carry out the processing of personal data.

PRIVACY NOTICE: verbal or written communication generated by the data controller, addressed to the data subject for the processing of their personal data, through which they are informed about the existence of the information processing policies that will be applicable to them, the way to access them, and the purposes of the processing that is intended to be given to the personal data.

DATABASE: organized set of personal data that is subject to processing.

SUCCESSOR: a person who has succeeded another due to the death of the latter (heir).

PERSONAL DATA: any piece of information linked to one or more determined or determinable persons or that can be associated with a natural or legal person.

PUBLIC DATA: data that is not semi-private, private, or sensitive. Public data includes, among others, data related to the civil status of persons, their profession or occupation, and their status as a merchant or public servant. By their nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins, and duly executed judicial decisions that are not subject to confidentiality.

SENSITIVE DATA: sensitive data is understood as those that affect the privacy of the data subject or whose misuse can lead to discrimination, such as those revealing racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social organizations, human rights organizations, or that promote the interests of any political party or guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.

INDISPENSABLE DATA: indispensable personal data of the data subjects necessary to carry out the commercial activity that is the company’s business purpose. Indispensable data must be provided by the data subjects themselves or those authorized to exercise these rights.

OPTIONAL DATA: data that THE COMPANY requires to offer additional services to stakeholders in the development of its corporate purpose.

DATA PROCESSOR: a natural or legal person, public or private, who alone or in association with others, processes personal data on behalf of the Data Controller.

DATA PROTECTION LAW: Law 1581 of 2012 and its regulatory decrees or the regulations that modify, complement, or replace them.

HABEAS DATA: the right of any person to know, update, and rectify the information that has been collected about them in databases and archives of public and private entities.

DATA CONTROLLER: a natural or legal person, public or private, who alone or in association with others, decides on the database and/or the processing of the data.

DATA SUBJECT: a natural person whose personal data is subject to processing.

PROCESSING: any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.

TRANSFER: the transfer of data occurs when the data controller and/or data processor, located in Colombia, sends the information or personal data to a recipient, who in turn is responsible for the processing, and is located inside or outside the country.

TRANSMISSION: the processing of personal data that involves the communication of the same within or outside the territory of the Republic of Colombia, when it is intended to be carried out by the processor on behalf of the controller.

IV. PRINCIPLES

In the development, interpretation, and application of Law 1581 of 2012, which establishes general provisions for the protection of personal data and the rules that complement, modify, or add to it, the following guiding principles shall be applied harmoniously and integrally:

a) LEGALITY PRINCIPLE: the Processing of Data is a regulated activity that must comply with the provisions established in the law and other regulations that develop it.

b) PURPOSE PRINCIPLE: the processing must have a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the data subject. Regarding the collection of personal data, THE COMPANY will limit itself to those data that are pertinent and adequate for the purpose for which they were collected or required.

c) FREEDOM PRINCIPLE: the processing can only be carried out with the prior, express, and informed consent of the data subject. Personal data cannot be obtained or disclosed without prior authorization or in the absence of a legal or judicial mandate that releases it from consent.

d) TRUTHFULNESS OR QUALITY PRINCIPLE: the information subject to processing must be truthful, complete, accurate, updated, verifiable, and understandable. The processing of partial, incomplete, fragmented, or misleading data is prohibited.

e) TRANSPARENCY PRINCIPLE: the processing must guarantee the data subject’s right to obtain information from the data controller or data processor, at any time and without restrictions, about the existence of data concerning them.

f) ACCESS AND RESTRICTED CIRCULATION PRINCIPLE: the processing is subject to the limits derived from the nature of personal data, the provisions of the law, and the Constitution. In this sense, processing can only be carried out by persons authorized by the data subject and/or by the persons provided for in the law. Personal data, except for public information, cannot be available on the internet or other mass dissemination or communication media, unless access is technically controllable to provide restricted knowledge only to data subjects or third parties authorized under the law.

g) SECURITY PRINCIPLE: the information subject to processing by THE COMPANY must be handled with the necessary technical, human, and administrative measures to provide security to the records, preventing their alteration, loss, consultation, use, or unauthorized or fraudulent access.

h) CONFIDENTIALITY PRINCIPLE: THE COMPANY is obliged to guarantee the confidentiality of the information, even after the end of its relationship with any of the tasks included in the processing, being able to supply or communicate personal data only when it corresponds to the development of authorized activities under the law.

V. RIGHTS OF THE DATA SUBJECT

The data subject will have the following rights:

a) Know, update, and rectify their personal data with THE COMPANY in its capacity as the data controller. This right can be exercised, among others, against partial, inaccurate, incomplete, fragmented data that induces error, or data whose processing is expressly prohibited or has not been authorized.

b) Request proof of the authorization granted to THE COMPANY except when expressly exempted as a requirement for processing (cases in which authorization is not necessary).

c) Be informed by THE COMPANY, upon request, about the use given to their personal data.

d) File complaints with the Superintendence of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and other regulations that modify, add, or complement it.

e) Revoke the authorization and/or request the deletion of the data when the processing does not respect the constitutional and legal principles, rights, and guarantees.

f) Access their personal data that have been subject to processing free of charge.

VI. RIGHTS OF CHILDREN AND ADOLESCENTS

In the Processing, respect for the prevailing rights of children and adolescents will be ensured.

The Processing of personal data of children and adolescents is prohibited, except for data of a public nature.

It is the responsibility of the State and educational entities of all kinds to provide information and train legal representatives and guardians about the potential risks faced by children and adolescents regarding the improper Processing of their personal data, and to provide knowledge about the responsible and secure use of personal data by children and adolescents, their right to privacy, and the protection of their personal information and that of others.

VII. DUTIES OF THE COMPANY

In light of this policy for the treatment and protection of personal data, THE COMPANY has the following duties, without prejudice to the provisions of the law:

a) Guarantee the data subject, at all times, the full and effective exercise of the right of habeas data.

b) Request and keep a copy of the respective authorization granted by the data subject.

c) Properly inform the data subject about the purpose of the collection and the rights they have under the authorization granted.

d) Keep the information under the necessary security conditions to prevent its alteration, loss, consultation, use, or unauthorized or fraudulent access.

e) Guarantee that the information is truthful, complete, accurate, updated, verifiable, and understandable.

f) Update the information, thus attending to all updates regarding the data of the data subject. Additionally, all necessary measures must be implemented to keep the information updated.

g) Rectify the information when it is incorrect and report accordingly.

h) Respect the security and privacy conditions of the data subject’s information.

i) Handle queries and claims submitted within the terms indicated by law.

j) Identify when certain information is under discussion by the data subject.

k) Inform the data subject, upon request, about the use given to their data.

l) Inform the data protection authority when security codes are violated and there are risks in the administration of the data subjects’ information.

m) Comply with the requirements and instructions issued by the Superintendence of Industry and Commerce on the particular subject.

n) Use only data whose processing is previously authorized in accordance with the provisions of Law 1581 of 2012.

o) THE COMPANY will use the data subjects’ personal data only for those purposes for which it is duly authorized and respecting in all cases the current regulations on personal data protection.

VIII. THE NATIONAL DATABASE REGISTRY

The National Database Registry (RNBD) is the public directory of databases subject to Processing operating in the country and will be managed by the Superintendence of Industry and Commerce and will be freely accessible to citizens.

THE COMPANY, in accordance with the provisions of Decree 090 of 2018, is not obliged to submit databases subject to processing to the Superintendence of Industry and Commerce within the indicated time.

IX. AUTHORIZATIONS AND CONSENT OF THE DATA SUBJECT

Notwithstanding the exceptions provided by law, the processing of personal data of the data subject requires their prior and informed authorization, which must be obtained by any means that may be subject to subsequent consultation.

X. MEANS AND MANIFESTATION TO GRANT THE AUTHORIZATION OF THE DATA SUBJECT

THE COMPANY, under the terms provided by law, has defined two mechanisms for capturing Authorizations. The first applies when information is requested from THE COMPANY through the Contact Us option of the website ([URL]): the interested party must select the option provided to grant the Authorization for sending the interested party’s personal information.

The other established mechanism is given through the use of a computer tool, accessible through a computer with web access, or a mobile device, through which the Authorization of the Data Subject’s Personal Data can be captured.

XI. EVENTS IN WHICH THE AUTHORIZATION OF THE DATA SUBJECT IS NOT NECESSARY

The authorization of the data subject is not necessary in the following cases:

a) Information required by a public or administrative entity in the exercise of its legal functions or by court order.

b) Data of a public nature.

c) Cases of medical or sanitary emergency.

d) Processing of information authorized by law for historical, statistical, or scientific purposes.

e) Data related to the Civil Registry of persons.

XII. LEGITIMIZATION TO EXERCISE THE RIGHTS OF THE DATA SUBJECT

The rights of the data subjects established in the law may be exercised by the following persons:

a) By the data subject, who must sufficiently prove their identity by the different means made available by THE COMPANY.

b) By the data subject’s successors, who must prove such status.

c) By the data subject’s representative and/or attorney, upon proving the representation or power of attorney.

d) By stipulation in favor of another or for another.

The rights of children and adolescents will be exercised by the persons authorized to represent them.

XIII. PROCESSING TO WHICH THE DATA WILL BE SUBJECTED AND PURPOSE OF THE SAME

The processing of indispensable personal data of employees, partners, clients, suppliers, allies, and former employees will be framed in the legal order and by virtue of the Company’s condition as a private company with a corporate purpose, as stipulated in its statutes.

In the case of sensitive personal data, use and processing may be made of them when:

a) The Data Subject has given their explicit authorization for such Processing, except in cases where by law the granting of such authorization is not required;

b) Processing is necessary to safeguard the Data Subject’s vital interest and the Data Subject is physically or legally incapacitated. In these events, legal representatives must grant their authorization;

c) Processing is carried out in the legitimate course of activities and with the proper guarantees by a foundation, NGO, association, or any other non-profit organization, whose purpose is political, philosophical, religious, or union-related, provided that they refer exclusively to their members or persons who have regular contact with them due to their purpose. In these events, data cannot be provided to third parties without the Data Subject’s authorization;

d) Processing refers to data that is necessary for the recognition, exercise, or defense of a right in a judicial process;

e) Processing has a historical, statistical, or scientific purpose. In this event, measures must be adopted to suppress the identity of the Data Subjects.

The processing of personal data of children and adolescents is prohibited, except when it is data of a public nature, and when such processing complies with the following parameters and/or requirements:

  • That they respond to and respect the best interests of children and adolescents.
  • That respect for their rights is ensured.

Once these requirements are met, the legal representative of the children or adolescents will grant the authorization after the minor has exercised their right to be heard; the minor’s opinion will be assessed considering the minor’s maturity, autonomy, and capacity to understand the matter.

THE COMPANY will ensure the proper use of the processing of children’s and adolescents’ personal data.

XIV. PERSONS TO WHOM INFORMATION MAY BE PROVIDED

The information that meets the conditions established by law may be provided to the following persons:

a) To the data subjects, their successors (when they are absent), or their legal representatives.

b) To public or administrative entities in the exercise of their legal functions or by court order.

c) To third parties authorized by the data subject or by law.

XV. PERSON OR AREA RESPONSIBLE FOR HANDLING REQUESTS, INQUIRIES, AND CLAIMS

THE COMPANY has designated the General Management, with the support of the Personal Data Officer, as the area responsible for ensuring compliance with this policy within the Company and, in collaboration with the functional areas, the responsible handling of the Data Subjects’ Personal Data.

This department will be attentive to resolve requests, inquiries, and claims by data subjects and to carry out any updates, rectifications, and deletions of personal data through the email: [email protected].

XVI. PROCEDURE FOR HANDLING INQUIRIES, CLAIMS, AND REQUESTS

a) Inquiries:

The Data Subjects or their successors may inquire about the Data Subject’s personal information held by THE COMPANY, which will provide all the information contained in the individual record or linked to the Data Subject’s identification.

The inquiry will be submitted via email: [email protected].

The inquiry will be addressed within a maximum of ten (10) business days from the date of receipt. When it is not possible to address the inquiry within this term, the interested party will be informed, expressing the reasons for the delay and indicating the date on which the inquiry will be addressed, which in no case may exceed five (5) business days following the expiration of the first term.

b) Claims:

The Data Subject or their successors who consider that the information contained in a database should be corrected, updated, or deleted, or when they notice the alleged non-compliance with any of the duties contained in the law, may file a claim with THE COMPANY, which will be processed under the following rules:

1. The Data Subject’s claim will be submitted via email to THE COMPANY at [email protected] with the Data Subject’s identification, the description of the facts giving rise to the claim, the address, and the documents to be asserted. If the claim is incomplete, the interested party will be required within five (5) days of receiving the claim to correct the deficiencies. Two (2) months after the date of the requirement, without the applicant providing the required information, it will be understood that they have withdrawn the claim.

Upon receipt of the claim, THE COMPANY will assign the case to the responsible person for resolution within a maximum term of two (2) business days and will inform the interested party of the situation.

2. Once the email with the complete claim is received, it will be categorized within no more than two (2) business days with the label “claim in process” and the reason for it. This label will be maintained until the claim is resolved.

3. The maximum term to address the claim will be fifteen (15) business days from the day following the date of receipt. When it is not possible to address the claim within this term, the interested party will be informed of the reasons for the delay and the date on which the claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.

c) Request for updating, rectification, and deletion of data

THE COMPANY will rectify and update, at the request of the data subject, the information that is incomplete or inaccurate, in accordance with the procedure and terms indicated above. The data subject will submit the request via email: [email protected] indicating the update, rectification, and deletion of the data and providing the documentation supporting their request.

d) Revocation of authorization and/or deletion of data

The holders of personal data can revoke consent to the processing of their personal data at any time, provided this is not prevented by a legal or contractual provision. To do so, THE COMPANY will provide the data subject with the email: [email protected].

If, after the legal term, THE COMPANY has not deleted the personal data, the Data Subject will have the right to request the Superintendence of Industry and Commerce to order the revocation of the authorization and/or the deletion of the personal data. The procedure described in article 22 of Law 1581 of 2012 will apply for these purposes.

XVII. INTERNATIONAL TRANSFER AND TRANSMISSION OF PERSONAL DATA

THE COMPANY, in compliance with its corporate purpose and the portfolio of services and products offered to the market, may carry out international transfers and transmissions of personal data of the data subjects.

For the international transfer of personal data of the data subjects, THE COMPANY will take the necessary measures to ensure that third parties know and commit to observing this Policy,