Personal Data Processing Policy

GONZALEZ CAMACHO ASOCIADOS S.A.S. (hereinafter the “Firm”) issues its Personal Data Processing Policy (hereinafter the “Processing Policy”) in development of the right of Habeas Data, and in compliance with the provisions of Article 15 of the Political Constitution of Colombia, Law 1581/2012, Decree 1377/2013, Decree 886/2014, and other complementary regulations related to the protection of personal data.


GONZALEZ CAMACHO ASOCIADOS S.A.S., a commercial company identified with the NIT. 900.504.063-2, contact email; phone +57 (601) 781 0357, is the Person in Charge of Processing Personal Data.

I. Purpose

The scope and purpose of the Processing Policy is to delimit any operation on personal data, such as the collection, storage, use, circulation or deletion of information linked or that may be linked to one or more specific or determinable natural persons (hereinafter "Personal Information") that the Firm shall execute in its daily operations, as well as the procedures and mechanisms through which any data subject can enforce their rights over the personal data with respect to which they have authorized their handling.

II. Definitions
  • Authorization: Prior, express and informed consent of the Data Subject to carry out the Personal Data Processing.

  • Database: Organized set of Personal Data, subjected to Processing.

  • Personal Data: Any information linked to or associated with one or more specific or determinable natural persons.

  • Private Data: It is the data that due to its intimate or reserved nature, is only relevant for the Data Subject.

  • Public Data: Data that is not semi-private, private or sensitive. Public data include, among others, data pertaining to the marital status of people, their profession or craft, and their capacity of trader or public servant. Given their nature, public data may be contained, among others, in public records, public documents, gazettes and official bulletins, and judicial rulings duly executed, not subjected to confidentiality.

  • Sensitive Personal Data: Sensitive Personal Data includes the data that affect the intimacy of the Data Subject or which undue use may give rise to their discrimination, such as those that disclose their race or ethnic background, political preference, religious or philosophical convictions, affiliation to unions, social, human rights organizations, or entities that guarantee the rights and guarantees of opposition political parties, as well as the data pertaining to health, sexual life and biometric data. 

  • Data Processor: Natural or legal person, whether public or private, which by itself or together with others, conducts the Personal Data Processing on behalf of the Data Controller.

  • Data Controller: Natural or legal person, whether public or private, which by itself or together with others decides on the Database and/or Data Processing.

  • Data Subject: Natural person whose Personal Data is subject to Processing.

  • Transfer: The data transfer takes place when the Data Controller and / or processor located in Colombia, sends the information or Personal Data to a recipient, who in turn is the Data Controller and is inside or outside the country.

  • Transmission: Processing of Personal Data that implies the communication thereof within or outside the territory of the Republic of Colombia, when aimed at the Processing by the Processor on behalf of the Controller.

  • Processing: Any operation, or set of operations with Personal Data, such as collection, storage, use, circulation or deletion.

For terms that are not included in the previous list, reference should be made to the current legislation, especially Law 1581/2012, the decrees that regulate it and the Processing Policy. Likewise, terms in the plural include the singular, the singular the plural, and the masculine the feminine, and vice versa.

III. Principles

The handling of personal data by the Firm is governed by the principles of Legality, Purpose, Freedom, Veracity or Truthfulness, Transparency, Access and Restricted Circulation, Security and Confidentiality, as established by current legislation.

  • Legality: The Processing given to Personal Data derived from the Processing Policy is a regulated activity and is limited to the provisions of Law 1581/2012 and regulations that develop, modify or replace it.

  • Purpose: The Processing of Personal Data and Sensitive Personal Data collected by the Firm must obey a legitimate purpose according to the Political Constitution and Laws of Colombia, which must be informed to the Data Subject. 

  • Freedom: The Processing can only be carried out with the prior, express and informed consent of the Data Subject. Personal Data and Sensitive Personal Data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves consent.

  • Veracity or Truthfulness: The information subject to Processing must be truthful, complete, accurate, updated, verifiable and understandable. Processing of partial, incomplete, fractional or error-inducing data is prohibited.

  • Transparency: The Processing must guarantee the right of the Data Subject to obtain from the Firm, at any time and without restrictions, information about the existence of data pertaining thereto.

  • Access and Restricted Circulation: Personal Data and Sensitive Personal Data, except for public information, may not be available on the internet or other means of mass communication or disclosure, unless access is technically controllable to provide restricted knowledge only to the Data Subjects or authorized third parties.

  • Security: The information subject to Processing by the Firm, must be protected through the use of the technical, human and administrative measures needed to provide security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.

  • Confidentiality: All persons who intervene in the Personal Data Processing are obliged to guarantee the reservation of the information, even after the end of their relationship with any of the tasks included in the Processing.

IV. Collection of Personal Information and Purpose of Processing

The Firm may collect Personal Information from employees, natural person suppliers or clients or their natural person representative, that includes but is not limited to name (including any former names); contact information (address, phone number and email); citizenship card number; unique tax record; tax identification number; social security contribution form; bank account number and other banking and financial details; court records; and commercial and labor references.


The Firm may collect, store, use, circulate, transmit and transfer personal data of its employees, suppliers, or clients or their natural person representative for purposes of control, security, establishment of commercial or legal relationships, judicial processes, and requirements of administrative authorities and for future references.


The Firm may use the aforementioned Personal Information for the following purposes (hereinafter "Purpose of the Processing"):

  • Execute the corporate purpose of the Firm.

  • Comply with legal obligations of the Firm, due to the development of its commercial activity.

  • Contact in emergency situations or related to the execution of the employment contract or during the personnel selection process, obtain references and verify them, indicated in resumes, forms or documents presented in the selection process and/or during the execution of the employment contract.

  • Manage internal affairs of the Firm, including but not limited to accounting, financial and management reports, calculation, presentation and payment of taxes, tax obligations, commercial and corporate records, and compliance reports.

  • Provide services to clients, including but not limited to contact for activities related to the billing of professional services offered or performed by the Firm, verification of documents and affiliations, among others.

  • Marketing within the existing network of clients and candidates, including invitations to events, referral of promotions, product offerings, and sending of communications, among others.

  • Manage relationships with third parties with whom they have business relationships, including subcontractors who perform services to customers.

  • Process, manage and send necessary information for processing of payroll, payments, income, records, news and other requirements of the social security system in accordance with Colombian legislation. 

  • Pay contractual and non-contractual obligations. 

  • Send information to government or judicial entities, at their express request, in accordance with legal provisions. 

  • Register supplier information in the company database. 

  • Validate, verify and contrast the information collected that is related to academic, labor, banking, commercial and professional references.

  • Contact clients, employees, candidates and/or suppliers to send information related to contractual, commercial and legal relationships that may apply. 

  • Comply with internal or external precautionary procedures, programs and systems related to safety, care, prevention and protection of the worker's health and biosafety. 

  • Identify and control the people who have access to the Firm's own, leased, shared, or horizontally owned facilities. 

  • Carry out the "Know Your Client" or "Client Due Diligence" process, which consists of the set of procedures for the identification and acceptance of clients.

  • Perform security analysis, prevention, investigation and prosecution of fraud, money laundering and financing of terrorism, reviewing OFAC, CFSP, BOE lists, among others, as well as all the information necessary to comply with SARLAFT, SAGRILAFT and other risk management systems as appropriate.

  • Validate, verify and contrast the information collected with criminal record databases, public databases, financial, commercial, credit databases, risk centers, among others. 

  • Verify, request and/or search the Personal Information of the Data Subjects in risk lists - restrictive and non-restrictive - and binding and non-binding for Colombia, through any search engine such as, but not limited to, the platforms of the Administrative Entities of the Comprehensive Social Security System, the Judicial Authorities and the National Police, the Procuraduria General de la Republica, the Comptroller General's Office or any other legally constituted source of information or through other search engines designed to verify their current employment status, academic qualifications, and other pertinent information for the aforementioned purposes to establish whether its employees, partners, family members or close people qualify as Politically Exposed Persons (hereinafter "PEP"). 

The Firm may carry out these processes directly, or through its strategic allies with whom it agrees to carry out these activities. Additionally, in accordance with the law, the Data Subject is informed that in the event that a family member or close person holds the capacity of PEP or acquires it, the Data Subject must notify the Firm of this situation, indicating the identification data of said relative or close person, including their full name and the relationship they have and the position they hold or performed within the previous two (2) years.


In the cases in which the Firm must carry out the processing of Personal Data of third parties provided by the Data Subject, the latter must have the authorization of those persons for their Personal Information to be delivered to the Firm and to be processed in accordance with the Processing Policy.

  • Store, file and update the data that the Firm has collected by any means and with due authorization in its own Databases or those of third parties. 

  • Any other purpose that results in the development of the Firm, negotiation and/or execution of the contract or any type of relationship between the Data Subject of the information and the Firm.

  • The other purposes specified in the respective authorizations granted by each of the Data Subjects.

V. Authorization

All procedures related to Personal Data, such as their collection, circulation and deletion, will have the prior, free, express and informed consent of the Data Subjects. The Firm will keep a record of all authorizations granted until the data is removed from its database. The authorization may be granted through physical documents, emails, recorded telephone calls and, in general, by any suitable and verifiable means. The document will present the purpose established in the Processing Policy, as well as the mechanisms that assist the Data Subject to access, consult, request the correction, rectification or deletion of their Personal Data. Collection of Sensitive Data or Data from minors will require that the privacy notice expressly indicate the optional nature of the answer to the questions that deal with this type of data.

VI. Security and Storage

The Firm as Person in Charge of Processing Personal Data will store the information in private physical or digital files. Additionally, the Firm will adopt the technical, human and administrative measures that are necessary and reasonable to provide security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access. The Firm will ensure the proper processing of the information of the Data Subjects, complying with the appropriate security measures and custody of the information as described below:

  • Comply with and implement the personal data protection regulations and the Processing Policy.

  • Inform the client that from the beginning of the commercial relationship, information susceptible to protection will be collected and processed.

  • Request prior and express authorization for the processing of information from any person who, due to any contractual or non-contractual relationship, must provide sensitive data.

  • Inform the employees, clients and/or suppliers of the Processing Policy and train the staff that enters the Firm about the Processing Policy and the security mechanisms and protocols for the Processing of Personal Data.

  • Adopt measures, norms, procedures, rules and standards aimed at guaranteeing the level of security required by Law 1581/2012 and Decree 1377/2013.

VII. Rights of the Data Subjects

In accordance with article 8 of Law 1581/2012, the rights of the Data Subjects of Personal Data and Sensitive Personal Data are:

  • To know, to update and to rectify Personal Data and Sensitive Personal Data for the Data Controllers or the Data Processors. This right may be enforced, among others, with respect to partial, inaccurate, incomplete, split data inducing to error, or those whose Processing is expressly prohibited, or was not authorized.

  • To request proof of the authorization granted to the Data Controller except when expressly excepted as a requirement for the Processing.

  • To be informed by the Data Controller or the Data Processor, upon request, regarding the use given to Personal Data and Sensitive Personal Data.

  • To submit before the Superintendence of Industry and Commerce complaints for infractions to the provisions of the Law regarding the information processing.

  • To repeal the authorization and/or request suppression of data, when the Processing does not respect the constitutional and legal principles, rights and guarantees. The repeal and/or deletion shall proceed when the Superintendence of Industry and Commerce has determined that, in the Processing, the Controller or Processor has engaged in conduct contrary to the Law and the Constitution.

  • To freely access the Personal Data and Personal Sensitive Data subject to Processing.

VIII. Procedure to Exercise the Rights

The Firm will process any inquiry or complaint in relation to Personal Information collected and processed in accordance with the law. To do this, Data Subjects must send a written description of their inquiries or complaints to, considering the following procedures:

i. Inquiries

In accordance with the provisions of article 14 of Law 1581/2012, the Data Subjects can inquire about their personal information found in any Firm database. Therefore, the Firm will guarantee the right of inquiry, providing the Data Subject or his/her successors with all the information contained in the individual record or that is linked to the identification of the Data Subject as a subject of Personal Data.


When it comes to inquiries, the Firm will guarantee that they are attended within a maximum period of ten (10) business days from the day following the date of receipt. When it is not possible to answer the inquiry within said period, the interested party will be informed before the expiration of ten (10) business days, indicating the reasons for the delay and indicating the date on which the inquiry will be attended, which in no case may exceed five (5) business days after the expiration of the first term.

ii. Complaints

In accordance with the provisions of article 15 of Law 1581/2012, the Data Subjects, when they consider that the information contained in a database must be subject to correction, updating or elimination, or when they evidence the alleged breach of any of the duties contained in Law 1581/2012, can file a claim with the Firm. The maximum term to attend the claim will be fifteen (15) business days from the day following the date of receipt. When it is not possible to deal with it within that term, you will be informed, prior to the expiry of the mentioned term, of the reasons for the delay and the date on which the claim will be addressed, which in no case may exceed eight (8) business days following the expiry of the first term.

IX. Last Revision

The Processing Policy constitutes the comprehensive document of instructions for handling personal data and binds all employees of the Firm.

The Processing Policy will take effect as of September 1, 2022 and will be in force as long as the Firm collects and processes Personal Information.
