Personal Data Policy

Personal Data Processing Policy of the Commercial Establishment HOTEL PRADOS DE LA SERRANÍA

I. PURPOSE

To guarantee the protection of the fundamental rights to privacy, intimacy, and good name of our employees, suppliers, and clients in general, who in the exercise of any activity or relationship, including commercial, administrative, and labor relations—whether permanent or occasional—and with respect to whom HOTEL PRADOS DE LA SERRANÍA, a commercial establishment dedicated to providing accommodation, lodging, and other complementary services related to tourism and hotel activities, domiciled in the municipality of Lebrija, Santander, and supervised by the Superintendence of Industry and Commerce of Colombia, acts as Data Controller and/or Data Processor of personal information or personal data.

II. LEGAL FRAMEWORK

The processing of information and personal data for which HOTEL PRADOS DE LA SERRANÍA is responsible shall be governed by the rules set forth in this document in accordance with the corporate policies established by the owner and, in matters not provided herein, by the following regulations:

  • Political Constitution of Colombia, Article 15

  • Law 1581 of 2012

  • Law 1266 of 2008

  • Law 1273 of 2009

  • Regulatory Decree 1377 of 2013

  • Regulatory Decrees 1727 of 2009 and 2952 of 2010

  • Single Regulatory Decree 1074 of 2015

  • Regulatory Decree 888 of 2014

  • Title V of the Single Circular of the Superintendence of Industry and Commerce

III. PROCESSING OF INFORMATION AND DATABASES OF HOTEL PRADOS DE LA SERRANÍA

Processing shall be understood as any operation or set of operations performed on information and databases, such as collection, storage, use, circulation, deletion, transfer, transmission, or any others deemed appropriate in the normal course of activities carried out by HOTEL PRADOS DE LA SERRANÍA in connection with its ordinary course of business, economic activity, and corporate purpose.

IV. APPLICABLE PRINCIPLES

All actions undertaken in the execution of administrative, commercial, and labor processes of HOTEL PRADOS DE LA SERRANÍA shall be governed by the following principles:

Principle of Legality

The use, collection, and processing of personal data shall comply with applicable legal provisions governing personal data protection and related fundamental rights.

Principle of Freedom

Personal data may only be processed with the prior, express, and informed consent of the Data Subject.

Principle of Purpose

Personal data processing shall be subject to a legitimate purpose, which must be informed to the Data Subject.

Principle of Accuracy or Quality

Personal data must be truthful, complete, accurate, updated, verifiable, and understandable.

Principle of Transparency

The Data Subject has the right to obtain information at any time and without restriction regarding the existence of personal data concerning them.

Principle of Security

Personal data shall be protected through technical, human, and administrative measures to prevent unauthorized access, alteration, loss, or misuse.

Principle of Confidentiality

All persons involved in processing personal data must maintain strict confidentiality regarding such information.

Principle of Restricted Access and Circulation

Processing is subject to legal and constitutional limits and may only be carried out by authorized persons.

V. DEFINITIONS

  • Authorization: Prior, express, and informed consent of the Data Subject.

  • Privacy Notice: Verbal or written communication informing the Data Subject about data processing policies and purposes.

  • Database: Organized set of personal data subject to processing.

  • Personal Data: Any information linked or associated with an identified or identifiable natural person.

  • Sensitive Data: Data affecting privacy or that may lead to discrimination (e.g., racial origin, political views, religious beliefs, health data, biometric data, images, fingerprints, facial recognition, etc.).

  • Semi-Private Data: Data not intimate, reserved, or public but of interest to a specific sector.

  • Private Data: Data of an intimate or reserved nature.

  • Public Data: Data not classified as private or sensitive.

  • Data Processor: Natural or legal person who processes data on behalf of the Data Controller.

  • Data Protection Law: Law 1581 of 2012 and related regulations.

  • Habeas Data: The right to know, update, and rectify personal information.

  • Data Controller: Person or entity deciding on the database and processing.

  • Data Subject: Natural person whose data is processed.

  • Transfer: Sending data to another controller inside or outside Colombia.

  • Transmission: Communication of data to a processor for processing on behalf of the controller.

  • Processing: Any operation performed on personal data.

VI. DUTIES OF HOTEL PRADOS DE LA SERRANÍA AS DATA CONTROLLER

HOTEL PRADOS DE LA SERRANÍA shall:

  • Guarantee the full exercise of the right to personal data protection.

  • Request and retain authorization from the Data Subject.

  • Inform the Data Subject of the purpose of data collection.

  • Protect information against unauthorized access or fraud.

  • Ensure data provided to processors is accurate and updated.

  • Process queries and claims from Data Subjects.

  • Inform authorities in case of security breaches.

  • Comply with instructions from the Superintendence of Industry and Commerce.

  • Update, rectify, or delete data in accordance with the law.

VII. RIGHTS OF DATA SUBJECTS

Data Subjects have the right to:

  • Know, update, and rectify their personal data.

  • Be informed about the use of their data.

  • Request deletion of data when applicable.

  • Access their data free of charge.

  • Exercise all other rights provided by law.

VIII. EXERCISE OF RIGHTS

1. Prior, Express and Informed Authorization

HOTEL PRADOS DE LA SERRANÍA requires prior consent for data processing. Authorization may be obtained through physical, electronic, digital, or technological means.

Data deletion or revocation may be requested when:

  • Data is not processed in accordance with legal principles.

  • Data is no longer necessary.

  • The retention period has expired.

Deletion may be denied when:

  • There is a legal or contractual obligation to retain the data.

  • Deletion would hinder legal proceedings.

  • Data is required to protect legitimate interests.

2. Previously Collected Data

The hotel shall inform Data Subjects of this Policy and request authorization to continue processing.

3. Right of Access and Consultation

Requests shall be answered within ten (10) business days.

4. Right of Correction, Update, Deletion and Claim

Claims must include identification and supporting documents and will be resolved within fifteen (15) business days.

5. Processing of Sensitive Data

Sensitive data will only be processed when legally permitted and with explicit authorization, or when necessary to protect vital interests or comply with judicial processes.

IX. VIDEO SURVEILLANCE

HOTEL PRADOS DE LA SERRANÍA operates a video surveillance system for security purposes. Recorded data may be used as evidence in administrative or judicial proceedings.

X. NATIONAL AND INTERNATIONAL DATA TRANSFER

The hotel may share data with national or foreign entities, authorities, or legal representatives when required by law, always ensuring confidentiality and lawful processing.

XI. PERSON RESPONSIBLE FOR DATA PROCESSING

HOTEL PRADOS DE LA SERRANÍA is responsible for data processing. The Reception Area is designated to receive and manage requests related to Data Subject rights.

XII. COMMUNICATION CHANNELS

Data Subjects may exercise their rights through the electronic channels provided by HOTEL PRADOS DE LA SERRANÍA.

For assistance, contact: +57 3009108842

XIII. VALIDITY OF THE POLICY

This Policy is available at:
https://hotelpradosdelaserrania.mydirectstay.com/

HOTEL PRADOS DE LA SERRANÍA may update this Policy at any time to adapt to legal or regulatory changes. Any modification will be published on the website with its effective date.