Personal Data Processing and Protection Policy for El Placer Trading:
A Compliance Model for Agricultural and E-Commerce Operations in Colombia
I. Introduction and Regulatory Framework
1.1. Purpose and Scope of the Policy
The purpose of this policy is to establish the framework governing the processing and protection of personal data belonging to customers, suppliers, employees, and any other natural persons interacting with the “Finca El Placer” project. This document ensures that the collection, storage, use, circulation, and deletion of information is carried out in strict compliance with current Colombian legislation, serving as a fundamental pillar to foster trust and transparency in a business that, while agricultural in nature¹, operates digitally through e-commerce and communication channels.¹
The scope of this policy extends to all databases, whether manual or automated, containing personal data processed by the company. Its application is mandatory for all employees, contractors, and any other natural or legal persons involved in the processing of personal data for the business.
1.2. Applicable Legal Framework
Personal data protection in Colombia is grounded in statutory and regulatory norms that grant citizens the fundamental right to habeas data.³ The “Finca El Placer” project adheres to this legal framework, which includes but is not limited to:
- Law 1581 of 2012: The central statutory law governing personal data protection. Its purpose is to develop the constitutional right all individuals have to know, update, and rectify information collected about them in databases or files.⁴ The law is generally applicable and covers personal data recorded in any database subject to processing by public or private entities.⁶
- Decree 1377 of 2013: This decree partially regulates Law 1581 of 2012 and establishes key provisions regarding data collection, the data subject’s authorization, the dissemination of privacy notices, and administrative structures for data protection.⁷
- Decree 1074 of 2015: As the Unified Regulatory Decree for the Commerce, Industry, and Tourism sector, this instrument consolidates various provisions applicable to the sector and is essential for e-commerce business operations.¹⁰ The Superintendence of Industry and Commerce (SIC) safeguards fundamental rights related to the proper administration of personal data.¹¹
1.3. Role of the Company: Data Controller
For the purposes of this policy, the company acts as the **“Data Controller.”**¹² This role entails the fundamental duty to **“guarantee the Data Subject, at all times, the full and effective exercise of the right to habeas data.”**¹⁴ “Finca El Placer” commits to acting as the guardian of the information, using the data exclusively for the purposes for which proper authorization has been granted.¹⁵
II. Definitions and Fundamental Principles
2.1. Glossary of Terms
To ensure clarity, the following definitions are provided in accordance with Law 1581 of 2012⁶ and its regulatory decree:
- Authorization: Prior, express, and informed consent from the Data Subject for the processing of their personal data.⁴
- Database: An organized set of personal data subject to processing.⁶
- Data Subject (Titular): The natural person whose personal data is being processed.¹⁹
- Processing (Tratamiento): Any operation or set of operations performed on personal data, including but not limited to collection, storage, use, circulation, or deletion.¹⁹
- Data Controller (Responsable): The natural or legal person who decides on the database and/or the processing.¹²
- Data Processor (Encargado): The natural or legal person who performs data processing on behalf of the Controller.¹⁴
2.2. Governing Principles
The processing of personal data shall be governed by the principles established under Law 1581 of 2012⁷, applicable to all company databases:
- Principle of Purpose: Processing must serve a legitimate purpose, and that purpose must be communicated to the Data Subject.¹² In an online coffee store, purposes include order management, billing, shipping⁵, and promotional communication.¹
- Principle of Freedom: Processing may only occur with the Data Subject’s prior, express, and informed consent.⁶ Data may not be collected using deceptive or fraudulent practices.⁷
- Principle of Truthfulness or Quality: Information must be truthful, complete, accurate, up-to-date, and understandable.⁶ Processing partial or misleading data is prohibited.¹²
- Principle of Transparency: The Data Subject has the right to obtain information from the Controller at any time regarding the existence of data concerning them.⁶
- Principle of Security: Adequate technical, human, and administrative measures must be employed to protect data from adulteration, loss, unauthorized consultation, misuse, or fraudulent access.⁶
- Principle of Confidentiality: Those involved in data processing must maintain confidentiality even after their relationship with the platform has ended.⁶
III. Types of Personal Data Collected and Processing Purposes
3.1. Categories of Personal Data Collected
The “Finca El Placer” project will collect and process the following categories of personal data, limited to what is relevant and necessary for the intended purposes⁷:
- Identification and Contact Information: Name, physical address, email address, and telephone number.⁵
- Transactional Data: Payment information (if applicable, through certified payment gateways) and purchase history.
The collection of this information is justified by the following purposes:
| Processing Purpose | Type of Personal Data Required | Legal Basis for Processing |
|---|---|---|
| Order and delivery management: Processing and fulfilling specialty coffee purchases.¹⁷ | Identification, contact, and transactional data. | Express authorization from the Data Subject.⁴ |
| Billing and legal compliance: Issuing invoices and meeting tax obligations.⁵ | Identification and contact information. | Legal and contractual obligation.¹⁶ |
| Marketing communications: Sharing information on new products, offers, and newsletters.¹ | Email and name. | Express authorization.¹² |
| Customer service and technical support: Responding to inquiries, complaints, and claims.²⁵ | Identification and contact information. | Express authorization.¹⁴ |
3.2. Processing of Sensitive Data
Processing sensitive data is prohibited unless an exception provided by law applies.¹⁹ If such processing is required, the company must inform the Data Subject that they are not obligated to authorize its processing and must clearly explain the purpose for collection.⁷
Given the nature of the agricultural business, collecting sensitive data such as biometric or health-related information is unlikely.
3.3. Processing of Data of Children and Adolescents
Processing personal data of minors is prohibited except when the data is of a public nature.¹⁴ If a service potentially involves use by minors, the company will ensure that authorization is obtained from their legal representative.⁷
IV. Rights of Data Subjects and Mechanisms for Exercising Them
4.1. Rights of the Data Subject
Data Subjects have the following rights, which they may exercise free of charge through the channels provided by the company¹⁴:
- Right to know, update, and rectify data: The core habeas data right allowing individuals to know, update, and correct their information stored by the company.⁵
- Right to request proof of authorization: The right to obtain a copy of the granted authorization.¹⁶
- Right to be informed: The right to request information about how their personal data has been used.¹⁵
- Right to file complaints before the SIC: Once internal procedures have been exhausted, Data Subjects may file complaints with the Superintendence of Industry and Commerce.⁸
- Right to revoke authorization and/or request deletion: Unless a legal or contractual obligation requires otherwise.¹⁹
4.2. Procedure for Inquiries and Claims
Data Subjects may inquire about their personal information at any time.⁴ Inquiries will be answered within ten (10) business days. If an extension is needed, the requester will be notified, and the response period may be extended by up to five (5) additional business days.¹⁵
If a Data Subject believes information should be corrected, updated, or deleted, they may submit a claim.¹⁴ Claims must include the Data Subject’s identification, a description of the facts, a contact address, and supporting documents.¹⁵ The company will address claims within fifteen (15) business days, with a possible eight (8)-day extension if necessary.¹⁵
A complaint before the SIC may only be filed after the internal process has been completed.⁸
V. Duties and Obligations of the Data Controller
5.1. General Duties of the Company
As Data Controller, “Finca El Placer” commits to fulfilling the following duties¹⁴:
- Guarantee the Data Subject full and effective exercise of habeas data rights.¹⁴
- Request and retain a copy of the Data Subject’s authorization.¹⁴
- Inform Data Subjects about the purpose of data collection and the rights available to them.¹⁴
- Maintain information under appropriate security measures to prevent adulteration, loss, unauthorized access, or fraudulent use.⁶
- Handle inquiries and claims submitted by Data Subjects.¹⁴
- Designate a person or department responsible for personal data protection.⁷
- Inform the SIC of any security breaches or risks related to data administration.¹⁵
VI. International Transfer and Transmission of Personal Data
Given that “Finca El Placer” markets its coffee internationally through e-commerce and distributors¹⁷, the company must observe the following:
6.1. Requirements for Transfer and Transmission
Colombian law distinguishes between:
- Transfer: When the Data Controller sends data to a recipient outside the country who acts as a Controller.²⁰
- Transmission: When the Data Controller sends data to a Processor outside the country for processing on its behalf.³⁵
Transfers to countries lacking an “adequate level of protection” are prohibited.¹⁴ The SIC determines which countries meet this requirement.¹⁴
6.2. Procedure for “Declaration of Conformity”
If a transfer does not fall under a legal exception and the destination country lacks adequate protection, the Controller must request a “Declaration of Conformity” from the SIC’s Data Protection Delegation.³⁴ The SIC will review and approve or deny the request.³⁴
VII. Final Provisions
7.1. Validity and Updates
This personal data processing policy is effective as of its publication date. The company reserves the right to modify the policy at any time, and any substantial changes affecting the authorization will be communicated to Data Subjects prior to or at the time of implementing the new policies.⁷
7.2. Contact Information for Inquiries, Complaints, and Claims (PQR)
To ensure the full exercise of Data Subject rights, “Finca El Placer” provides the following channels for inquiries, complaints, and claims (PQR)²⁵:
- Email address: [business email]
- Physical address: [farm address]
- Telephone number: [business contact number]
7.3. Sanctions for Non-Compliance
Failure to comply with the obligations established in this policy and in Law 1581 of 2012 and its regulations will result in sanctions imposed by the SIC.⁷ Such sanctions may include fines, suspension of processing activities, and, in severe cases, shutdown of operations.¹⁴