Privacy Policy

Privacy policy and treatment of personal data

GENERAL CONSIDERATIONS

Aware of the importance of the protection and proper handling of personal information provided by the owners of the information, AVIA HOTEL SOLUTIONS (hereinafter AVIANET), which acts as the party responsible for the information received, has designed this policy and procedures that together allow us to make proper use of your personal data.
Article 15 of the Political Constitution of Colombia develops the fundamental right to habeas data, referring to the right of all citizens to know, update and rectify the personal data that exist about them in databases and files, both public and private, which is inevitably related to the handling and treatment of information that the recipients of personal information must take into account. This right has been developed through the issuance of the Statutory Law 1581 of 2012 and the Regulatory Decree 1377 of 2013, based on which AVIANET, as RESPONSIBLE for the personal data it receives, handles and treats the information and thus proceeds to issue this policy of treatment of personal data, which is made known to the public so that they know how AVIA treats their information. The provisions of this personal data treatment policy must be complied with by AVIANET, its administrators, employees, contractors and third parties with whom AVIANET enters into relations of any kind.

OBJECTIVE

With the implementation of this policy, it is intended to ensure the confidentiality of information and security on the treatment that will be given to all customers, suppliers, employees and third parties from whom AVIANET has legally obtained information and personal data in accordance with the guidelines established by the law regulating the right to Habeas Data. Likewise, through the issuance of this policy, the provisions of article 17, paragraph K of the aforementioned law are complied with.

DEFINITIONS

– Authorization: Prior, express and informed consent of the data subject to carry out the processing. This can be written, verbal or by means of unequivocal conduct that allows the reasonable conclusion that the holder granted authorization.
– Data Base: It is the organized set of Personal Data that are subject to processing, electronic or not, whatever the modality of its formation, storage, organization and access.
– Consultation: Request from the owner of the data or from the persons authorized by the owner or by law to know the information about him/her in databases or files.
– Personal data: Any information linked or that can be associated to one or several determined or determinable natural persons. These data are classified as sensitive, public, private and semi-private.
– Sensitive personal data: Information that affects the privacy of the person or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data relating to health, sex life and biometric data (fingerprints, among others). For the purposes of this policy, AVIANET advises that providing this type of information is optional for the holder of the personal data in the cases in which it may be requested.
– Public personal data: It is the data qualified as such according to the mandates of the law or the Political Constitution and all those that are not semi-private or private. Data contained in public documents, public records, official gazettes and bulletins and duly executed court rulings that are not subject to confidentiality, data relating to the civil status of persons, their profession or trade and their status as merchants or public servants, among others, are public. The personal data in the commercial registry of the Chambers of Commerce are public (Article 26 of the Commercial Code). Likewise, public data are those which, by virtue of a decision of the owner or a legal mandate, are in files that are freely accessible and available for consultation. This data may be obtained and provided without reservation and regardless of whether it relates to general, private or personal information.
– Private personal data. It is data that, due to its intimate or reserved nature, is only relevant to the data subject. Examples: merchants’ books, private documents, information extracted from the inspection of the domicile.
– Semi-private personal data. Semi-private data is data that is not of an intimate, reserved or public nature and whose knowledge or disclosure may be of interest not only to its owner but also to a certain sector or group of persons or to society in general, such as, among others, data concerning the fulfillment or non-fulfillment of financial obligations or data relating to relations with social security entities.
– Data Controller: Person who by himself or in association with others, decides on the database and/or the processing of data.
– Data processor: Person who processes data on behalf of the data controller.
– To be “Authorized” is AVIANET and all persons under the responsibility of the same, who by virtue of the authorization and the Policy have legitimacy to submit to processing the personal data of the holder. The Authorized includes the gender of the Entitlees.
– “Enabling” or being “Enabled”, is the legitimization expressly and in writing by contract or document that takes its place, granted by AVIANET to third parties, in compliance with applicable law, for the processing of personal data, making such third parties in charge of the processing of personal data delivered or made available.
– Claim: Request of the data owner or the persons authorized by the data owner or by law to correct, update or delete their personal data or when they notice that there is an alleged breach of the data protection regime, according to Article 15 of Law 1581 of 2012.
– Data subject: The natural person to whom the information refers.
– Processing: Any operation or set of operations on personal data such as, among others, the collection, storage, use, circulation or deletion of such information.
– Transmission: Processing of personal data that involves the communication of such data within (national transmission) or outside Colombia (international transmission) and that has as its purpose the performance of a processing operation by the processor on behalf of the controller.
– Transfer: The transfer of data takes place when the person responsible and/or in charge of the processing of personal data, located in Colombia, sends the information or personal data to a recipient, which in turn is responsible for the processing and is located inside or outside the country.
– Procedural requirement: The holder or assignee may only file a complaint before the Superintendence of Industry and Commerce once the consultation or complaint process has been exhausted before the data controller or data processor, according to Article 16 of Law 1581 of 2012.

PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA

The processing of personal data must be carried out in compliance with the general and special rules on the subject and for activities permitted by law. Consequently, for the purposes of this policy, the following principles apply:
– Principle of legality: Data processing is a regulated activity that must be subject to the provisions of the law and other provisions that develop it.
– Principle of purpose: The processing must obey a legitimate purpose in accordance with the Constitution and the Law.
– Principle of freedom: Processing may only be carried out with the prior, express and informed consent of the owner. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves consent.
– Principle of truthfulness or quality: The information subject to processing must be truthful, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fragmented or misleading data is prohibited.
– Principle of transparency: The right of the owner to obtain from the controller, at any time and without restriction, information about the existence of data concerning him/her, must be guaranteed in the processing.
– Principle of restricted access and circulation: The processing is subject to the limits derived from the nature of the personal data, the provisions of the law and the Constitution. In this sense, the processing may only be carried out by persons authorized by the owner and/or by the persons provided for by law.
– Security Principle: The information subject to Processing by the Data Controller or Data Processor referred to in this law must be handled with the technical, human and financial measures required by law and the administrative measures that are necessary to provide security to the records, avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.
– Principle of confidentiality: All persons involved in the processing of personal data that are not of a public nature are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks involved in the processing, and may only supply or communicate personal data when this corresponds to the development of the activities authorized in this law and under the terms of the same.
Any new project within the Organization that involves the Processing of Personal Data must be consulted with the Information Security Management, which is the person and unit in charge of the data protection function to ensure compliance with the policy and the necessary measures to maintain the confidentiality of personal data.

RIGHTS OF DATA SUBJECTS

In accordance with the legal provisions in force, the rights of the holders of personal information are the following:
– The right to know, update, rectify, consult your personal data at any time before AVIANET with respect to the data that you consider partial, inaccurate, incomplete, fractioned and those that induce to error.
– The right to request at any time a proof of the authorization granted to AVIANET except in those cases in which the responsible is legally released from having authorization to process the holder’s data.
– The right to be informed by AVIANET upon request of the owner of the data, regarding the use that has been given to them.
– The right to file before the Superintendence of Industry and Commerce the complaints that he/she considers pertinent to enforce his/her right to Habeas Data.
– The right to revoke the authorization and/or request the deletion of any data when you consider that AVIANET has not respected your constitutional rights and guarantees.
– Right to access free of charge to the personal data that you voluntarily choose to share with AVIANET.
The information and/or personal data we collect from you are as follows:
Type of person:
Natural: first and last names, type of identification, identification number, gender, marital status and date of birth, e-mail, financial data (bank accounts).
Legal: company name, NIT, address, telephone, cell phone, e-mail, country, city, financial data (bank accounts).
Information necessary to facilitate travel or other services, including preferences such as class of travel, names and surnames of passengers (type of document, document number, date of birth, name, surname, gender, email, nationality, passport expiration date), contacts in case of accident or any other anomaly (names and surnames, telephone).
Cardholder data: type of document, document number, telephone, address, email, names, card number, expiration date and bank.
Request for quotation: names, surnames, telephone numbers, city and email.
Travel information: type of request, destination, departure date, duration, number of adults, number of children, hotel category, meals, additional services, transportation service, budget per person.
Write to Jean Claude Bessudo: first name, last name, ID number, address, telephone (landline or cellular), city and e-mail address.
Chat “online help”: name, email, what is your question?
Rate our site: your opinion is very important for us to continuously improve our customer service channels: names, surnames, email, phone numbers and city.
Claim request: name, surname, ID number, address, telephone numbers, city, email and comments.
Report technical problems: names, surnames, address, telephone numbers, city, email and comments.
Biometric data: images, video, audio, fingerprints that identify or make identifiable our customers, users or any person who enters or is or transits in any place where AVIANET has implemented devices to capture such information.
This data may be stored and/or processed in servers located in data processing centers, either our own or contracted with suppliers, located in different countries, which is authorized by our customers/users, by accepting this policy of treatment and protection of personal data.
AVIANET reserves the right to improve, update, modify, delete any type of information, content, domain or subdomain that may appear on the website, without any obligation of prior notice, being understood as sufficient with the publication on Aviatur’s websites. For the solution of legal or internal requests and for the provision or offering of new services or products.

TREATMENT, SCOPE AND PURPOSES

– AVIANET informs the owners that the data collected from our customers, contractors and suppliers may be used for the following purposes. The processing may be carried out by AVIANET directly or through its contractors, consultants, advisors and/or third parties in charge of the processing of personal data, to carry out any operation or set of operations such as the collection, storage, use, circulation, deletion, classification, transfer and transmission (the “Processing”) of all or part of your personal data:
– Substantiation of the contractual relationship established with AVIANET.
– The provision of services related to the products and services offered.
– The performance of all activities related to the service or product will be included in a mailing list for the sending of the newsletter.
– Send information about changes in the conditions of the services and products purchased, and notify you about new services or products.
– Manage your requests, clarifications, and inquiries.
– Elaborate studies and programs that are necessary to determine consumption habits.
– The fine-tuning of security filters and business rules in commercial transactions; confirming, processing such transactions, with your financial institution, with our service providers and with yourself.
– Conduct periodic evaluations of our products and services in order to improve their quality.
– The sending, by traditional and electronic means, of technical, operational and commercial information on products and services offered by AVIANET, its partners or suppliers, currently and in the future.
– The request for satisfaction surveys, which you are not obliged to answer.
– Perform the transmission and/or transfer of data to other companies, business alliances or third parties in order to fulfill the obligations acquired. The transmission and transfer may be made even to third countries that may have a different level of protection with respect to Colombia, when necessary for the fulfillment of our obligations.
– To comply with obligations contracted by AVIANET with its customers at the time of acquiring our services and products.
– To respond to inquiries, petitions, complaints and claims made by control bodies and other authorities that by virtue of the applicable law must receive personal data.
– Any other activity of a similar nature to those described above that are necessary to develop the corporate purpose of AVIATUR.
– Perform consultations in different databases and authorized sources (such as OFAC lists, UN, among others) necessary for the control and prevention of fraud or crimes related to money laundering, in accordance with our risk prevention and management policies – SARLAFT.
– Data collected from our employees:
– To comply with the obligations contracted by AVIANET with the workers holding the information, in relation to the payment of salaries, social benefits, and others established in the employment contract and labor regulations in force.
– Inform the employee of any new developments that may occur during the development of the employment contract and until after its termination.
– Evaluate the quality of the services we provide.
– Conduct internal studies on the habits of the worker who owns the information or request personal information for the development of programs or management systems.
– To make the payroll deductions authorized by the employee.
– Manage your requests, administration of activities, clarifications and investigations.
– Marketing and sales of our products and services.
– The sending, by traditional and electronic means, of technical, operational and commercial information on products and services offered by partners or suppliers, now and in the future.
– Elaborate studies and programs that are necessary to determine consumption habits.
– Perform the transmission and/or transfer of data to other companies, business alliances or third parties in order to fulfill the obligations acquired. The transmission and transfer may be made even to third countries that may have a different level of protection with respect to Colombia, when necessary for the fulfillment of our obligations.
– The request for surveys, which the employee is not obliged to answer.
– To transfer, either by way of transmission or transfer, the information received to all judicial and/or administrative entities when this is necessary for the fulfillment of its duties as an employer in order to comply with its own labor, social security, pension, professional risk, family compensation funds (Integral Social Security System) and tax obligations.
– To transfer the employer’s personal information to third parties that legitimately have the power to access such information, which includes, but is not restricted to the companies of Grupo Empresarial Aviatur Ltda.
– Deliver either by way of transmission or transfer of the employee’s personal information to all entities that are related to the fulfillment of the responsible party in its capacity as employer.
– Any other activity of a similar nature to those described above that are necessary to develop AVIATUR’s corporate purpose and its labor obligations acquired by virtue of the conclusion of the employment contract or by operation of law.
– Perform consultations in different databases and authorized sources (such as OFAC lists, UN, among others) necessary for the control and prevention of fraud or crimes related to money laundering, in accordance with our risk prevention and management policies – SARLAFT.
– The processing of personal data will be carried out with the prior authorization of the owner of the data, except in events in which the data is of a public nature. For this purpose, an authorization form for data processing has been implemented, which must be filled out by the owner of the information at the very moment he/she submits his/her personal information. This authorization explains the scope and purposes of the processing of personal data, alludes to the authorization by another, the data of minors and sensitive data, as well as defines the channel of attention for holders who wish to exercise their rights under the habeas data and indicates the place in which this policy is hosted. For the purposes of data processing, AVIANET employs all activities aimed at preserving the confidentiality of the information. Authorization shall be obtained through any means that may be subject to subsequent consultation, such as the website, forms, formats, face-to-face activities or through social networks, etc. Authorization may also be obtained from unequivocal conduct of the data owner that allows to reasonably conclude that he/she has granted authorization for the processing of his/her information.
– If you provide us with personal information about a person other than yourself, such as your spouse or a co-worker, we understand that you have the authorization of such person to provide us with their data; and we do not verify, nor do we assume the obligation to verify the identity of the user/customer, nor the veracity, validity, sufficiency and authenticity of the data provided by each of them. By virtue of the above, we do not assume responsibility for damages or prejudices of any nature that could have origin in the lack of veracity, homonymity or the impersonation of identity information.
– Since AVIANET belongs to Grupo Empresarial Aviatur, your personal information may be shared by way of transfer or transmission with group companies, business partners and/or third-party suppliers involved (flight reservation systems, hotels, cars, transactional security validators, banks, financial networks, tourist services). Such processes may be carried out in different locations from the one where the purchased tourist service or product is contracted, with the same purposes as indicated for the collection of personal data. These entities are required to comply with the corresponding confidentiality, transmission or transfer agreements.
– The Personal Data collected will be processed manually or automatically and incorporated into the corresponding files or databases (hereinafter, the “File”), either in the capacity of data processor and data protection officer. In order to determine the end of the processing, the rules applicable to each purpose and the administrative, accounting, fiscal, legal and historical aspects of the information will be considered.
– When at the time of providing the service the holder is accompanied by minors or persons considered with disabilities, and in which the collection of their personal data takes place, AVIANET will always request the authorization of whoever has the legal representation of the minor. However, if you provide personal information of the population mentioned here without being the legal representative, you declare that you have the authorization of the respective legal representative, assuming directly the responsibility that this entails. AVIANET will strive to ensure that their rights and their best and prevailing interests are respected at all times. The representative must guarantee them the right to be heard and assess their opinion of the treatment, taking into account the maturity, autonomy and capacity of minors. Representatives are informed of the optional nature of answering questions about data of minors. The data of minors, included in a special category of protection, will be treated in accordance with the provisions of the applicable legislation on the subject and in accordance with the provisions of our personal data policy.
– The companies of Grupo Empresarial Aviatur have adopted the legally required personal data protection security levels and have installed all the technical means and measures within their reach to prevent the loss, misuse, alteration, unauthorized access and illegitimate theft of the personal data provided to AVIANET.
The holder should be aware that security measures on the Internet are not unbreakable.
– If you choose to delete your information, to the extent permitted by law, we will retain certain personal information in our files for the purposes of accounting and tax identification of transaction data, fraud prevention, dispute resolution, investigating disputes or incidents, enforcing our terms and conditions of use, and complying with legal requirements. However, at the moment you decide to revoke your authorization, the hosted information will not be used for the purposes foreseen herein, only in the terms strictly necessary and defined in the previous paragraph.
– Security Risks you should be aware of when conducting transactions on the Internet:
– It is possible that a user may be tricked by means of e-mails or DNS server trickery to visit a fake site with the same design, but where the card data is loaded into the fake system, stealing information from the cardholder. Therefore, it is important to generate the culture that users should enter directly through known domains to reduce risks.
– It is possible that the computer where the user is performing the transaction, has installed without prior knowledge, some spyware or malicious software that captures everything typed on the keyboard or captures information from input devices and sent to a network or host on the Internet. Therefore, it is recommended that the transaction be carried out on a home or office computer if possible.
– There is a risk of owner impersonation if the owner denies having sent and/or received the transaction and it is used by a third party.
– It is recommended that the computer where electronic transactions are carried out has an updated and active antivirus to mitigate fraud risks.
– If the personal information was collected or provided prior to July 30, 2013 and you did not express your opposition for your personal data to be transferred, it will be understood that you have given your consent. In the event that you wish to ratify your consent or express your refusal, you may do so by sending an e-mail to the following address: privacidad@aviasolucioneshoteleras.com.
– Like other Web sites, AVIANET uses certain technologies, such as cookies and device fingerprinting, that allow us to make your visit to our site easier and more efficient by providing you with a personalized service and recognizing you when you return to our site. For the purposes of this Privacy Notice “cookies” shall be identified as text files of information that a website transfers to the hard drive of the users’ computer in order to store certain records and preferences.
– Websites may allow advertising or third-party functions that send “cookies” to the computers of the owners.
– Cookies are only associated with an anonymous user and your computer, and do not provide the name and surname of the same. In many cases, you can browse any of the AVIANET websites anonymously. When you access any AVIANET website, your IP address (the Internet address of your computer) is recorded to give us an idea of which parts of the website you visit and how much time you spend in each section. We do not link your IP address to any of your personal information unless you have registered with us and logged in using your profile.
– Therefore, it is possible that in certain applications AVIANET recognizes users after they have registered for the first time, without them having to register on each visit to access the areas and services or products reserved exclusively for them.
– For other services, the use of certain access keys will be required, and even the use of a digital certificate, in the characteristics to be determined.
– The cookies used cannot read cookie files created by other providers. AVIANET encrypts the user’s identification data for greater security.
– To use AVIANET’s web site, it is not necessary that the user allows the installation of cookies sent by AVIANET, notwithstanding that in such case it will be necessary that the user registers in each of the services whose provision requires prior registration.

NATIONAL OR INTERNATIONAL TRANSFER OF PERSONAL DATA

AVIANET may transfer data to other data controllers when authorized by the owner of the information or by law or by an administrative or judicial mandate.

INTERNATIONAL AND NATIONAL TRANSMISSION OF DATA TO DATA PROCESSORS

AVIANET may send or transmit data to one or more persons in charge located inside or outside the Republic of Colombia in the following cases: a) When it has the authorization of the holder and b) when, without authorization, a data transmission contract exists between the data controller and the data processor.

DUTIES OF THE DATA CONTROLLER

– Guarantee the holder, at all times, the full and effective exercise of the right of habeas data.
– Request and keep, under the conditions provided for in this law, a copy of the respective authorization granted by the holder.
– Duly inform the owner about the purpose of the collection and the rights he/she has by virtue of the authorization granted.
– Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access.
– To process the consultations and claims formulated under the terms set forth in this law.
– Adopt an internal manual of policies and procedures to ensure adequate compliance with this law and, in particular, for the handling of inquiries and complaints.
– Inform upon request of the owner about the use given to their data.
– Inform the data protection authority when there are violations to the security codes and there are risks in the administration of the information of the owners.
– Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

DUTIES OF DATA PROCESSORS

– Guarantee the holder, at all times, the full and effective exercise of the right of habeas data.
– Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access.
– Timely updating, rectification or deletion of data under the terms of this law.
– Update the information reported by the data controllers within five (5) business days of receipt.
– To process the consultations and claims formulated by the owners under the terms set forth in this law.
– Adopt an internal manual of policies and procedures to ensure proper compliance with this law and, in particular, for the attention of inquiries and complaints by the owners.
– Refrain from circulating information that is being disputed by the owner and whose blocking has been ordered by the superintendence of industry and commerce.
– Allow access to information only to those who can access it.
– Inform the superintendence of industry and commerce when there are violations to the security codes and there are risks in the administration of the information of the owners.
– Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

PETITIONS, COMPLAINTS AND CLAIMS


For the purpose of receiving requests, complaints and queries related to the handling and processing of personal data, AVIANET has assigned the e-mail privacidad@aviasolucioneshoteleras.com, to channel, study and answer them. Therefore, you may send your requests to this address, which will be treated in accordance with the provisions of Law 1581:
Consultations: The holders or their successors in title may consult the personal information of the holder that is in our database. AVIANET will provide them with all the information contained in the individual record or that is linked to the identification of the holder. The consultation will be answered within a maximum term of ten (10) business days from the date of receipt of the same. When it is not possible to attend the consultation within said term, the interested party shall be informed and the date on which the consultation will be attended shall be indicated, which in no case may exceed five (5) business days following the expiration of the first term.
Claims: The holder or his assignees who consider that the information contained in a database should be subject to correction, updating or deletion, or when they notice the alleged breach of any of the duties contained in the law, may file a claim with AVIANET, which will be processed under the following rules:
– The claim shall be formulated by means of a request addressed to AVIANET with the identification of the holder, the description of the facts that give rise to the claim, the address, and accompanying the documents to be asserted. If the claim is incomplete, AVIANET will require the interested party within five (5) days of receipt of the claim to correct the faults. After two (2) months from the date of the request, if the applicant does not submit the required information, it will be understood that the claim has been abandoned.
– Once the completed claim has been received, a legend will be included in the database stating “claim in process” and the reason for the claim, within a term not exceeding two (2) business days. Such legend shall be maintained until the claim is decided.
– The maximum term to address the claim will be fifteen (15) business days from the day following the date of receipt. When it is not possible to attend the claim within said term, the interested party will be informed and the date on which the claim will be attended will be indicated, which in no case may exceed eight (8) working days following the expiration of the first term.
– In any case, the holder or the assignee may only file a complaint before the Superintendence of Industry and Commerce once the consultation or complaint process has been exhausted before AVIANET.
– The area responsible for receiving and processing complaints is the Information Security Management.
– The request for deletion of information and revocation of authorization will not proceed when the holder has a legal or contractual duty to remain in the database.

DATA OF THE PERSON IN CHARGE OF THE TREATMENT

Name of the Company: Operadora de Hoteles Avia SAS
Address: Centro de Negocios Andino, Carrera 11 # 82-01 Piso 4, Bogotá DC – Colombia
E-mail: privacidad@aviasolucioneshoteleras.com
Phone number: (+57 1) 3817111
Website: www.aviasolucioneshoteleras.com

QUESTIONS OR SUGGESTIONS

If you have any questions or queries about the process of collection, processing or transfer of your personal information, or consider that the information contained in a database should be subject to correction, updating or deletion please send us a message to the following email account: privacidad@aviasolucioneshoteleras.com.
For more information about AVIATUR, its identity, address and contact information, please visit www.aviasolucioneshoteleras.com. This website contains the terms and conditions applicable to the services and products published, which can be consulted at any time for more information.

CURRENT

AVIANET reserves the right to modify this policy to adapt it to new legislation or jurisprudence, as well as to good practices in the tourism sector and other sectors of the economy that are part of the business group. In such cases, AVIANET will announce on this page the changes introduced with reasonable notice before their implementation.