Privacy Policy

HomePrivacy Policy

POLICY ON THE PROCESSING OF PERSONAL INFORMATION

In compliance with the provisions set forth in Article 15 of the Colombian Constitution, Law 1581 of 2012, Regulatory Decree 1377 of 2013, and other applicable regulations that amend, add to, or complement it, Medellin Legal Partners, hereinafter referred to as MLP, committed to respecting and safeguarding the rights of its clients and third parties in general, hereby discloses the policies and procedures for the processing of personal data stored and protected in our database, which are mandatory in all activities that involve, wholly or partially, the collection, storage, use, circulation, and/or transfer of such information.
This Personal Information Processing Policy is binding upon MLP as the entity responsible for data processing.

 

1. LEGAL FRAMEWORK 

This Personal Information Processing Policy is legally grounded in Article 15 of the Colombian Constitution, Law 1581 of 2012, and Regulatory Decree 1377 of 2013.

 

2. PURPOSE OF THE PERSONAL DATA PROCESSING POLICY

The purpose of this Personal Data Processing Policy is to establish and disclose to the general public the corporate and legal guidelines under which MLP processes personal data, the purpose of the processing, the rights of data subjects, as well as the internal and external procedures available for exercising those rights with MLP, among other aspects.

 

3. LEGAL DEFINITIONS

For the execution of this policy, and in accordance with the applicable regulations, the following definitions apply:

  • Authorization: The prior, express, and informed consent of the Data Subject for the processing of personal data;
  • Database: An organized collection of personal data subject to processing;
  • Data Subject: A natural person whose personal data is subject to processing, whether they are a client, supplier, employee, or any third party who, by virtue of a commercial or legal relationship, provides personal data to MLP.
  • Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.
  • Personal Data: Any information linked or that can be associated with one or more identified or identifiable natural persons;
  • Public Data: Data that is not semi-private, private, or sensitive. Public data includes, among others, data related to the civil status of individuals, their profession or trade, and their status as a merchant or public servant. Due to their nature, public data may be found in public records, public documents, official gazettes and bulletins, and duly executed court rulings that are not subject to confidentiality.
  • Sensitive Data: Sensitive data refers to information that affects the privacy of the Data Subject or whose improper use could lead to discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social or human rights organizations, or political parties, as well as data related to health, sexual life, and biometric data.
  • Transfer: The transfer of data occurs when the entity responsible for or in charge of data processing, located in Colombia, sends the information or personal data to a recipient who, in turn, is responsible for the processing and is located either inside or outside the country.
  •  Transmission: The processing of personal data that involves the communication of such data within or outside the territory of the Republic of Colombia, for the purpose of enabling processing by the data processor on behalf of the data controller.
    When a term used in this Personal Information Processing Policy is defined herein, it shall be interpreted according to that definition. Likewise, if a term used is not expressly defined in this document or in the applicable law, its literal meaning shall apply, provided such interpretation is consistent with the purpose of this Personal Information Processing Policy.

 

4. PRINCIPLES GOVERNING MLP’S ACTIONS IN THE PROCESSING OF PERSONAL DATA

The principles governing MLP’s Processing of Personal Data are as follows: 

Principle of Legality: The Processing of personal data is a regulated activity that must comply with the provisions set forth in Law 1581 of 2012, Decree 1377 of 2013, and any other related regulations. 

Principle of Purpose: The purpose of the Processing must be legitimate and communicated to the data subject. 

Principle of Reasonable Limitation: The storage and processing of personal data will be limited to what is strictly necessary to fulfill the specified purposes of the business relationship, as well as the authorized purposes by the Data Subject. 

Principle of Freedom: Personal data may only be processed with the prior, express, and informed consent of the Data Subject or by legal or judicial mandate.

Principle of Accuracy: The information must be truthful, complete, accurate, updated, verifiable, and understandable. 

Principle of Transparency: The Data Subject’s right to obtain information regarding their personal data being processed by MLP must be guaranteed. 

Principle of Restricted Access and Circulation: Processing may only be carried out by persons authorized by the Data Subject or by those authorized by law. 

Principle of Security: Information must be managed with the necessary measures to ensure the security of the records and to prevent their alteration, loss, unauthorized consultation, use, or fraudulent access. 

Principle of Confidentiality: Personal data that is not public in nature is confidential and can only be disclosed under the terms of the law. 

Principle of Systematic Incorporation: The principles of Personal Data Protection will be incorporated into all processes and procedures of MLP’s commercial activities. 

 

5. RIGHTS OF DATA SUBJECTS

 

The rights of Data Subjects regarding their personal data include: 

  •  To know, update, and rectify their personal data with the Data Controllers or Data Processors. This right can be exercised with respect to partial, inaccurate, incomplete, misleading data, or data whose processing is expressly prohibited or has not been authorized; 
  • To request proof of the authorization granted to the Data Controller, except when it is explicitly exempted as a requirement for Processing in accordance with Article 10 of the law; 
  • To be informed by the Data Controller or Data Processor, upon request, about the use of their personal data; 
  • To file complaints with the Superintendence of Industry and Commerce for violations of this law and other regulations that amend, add to, or complement it; 
  • To revoke the authorization and/or request the deletion of data when the Processing does not comply with constitutional and legal principles, rights, and guarantees. Revocation and/or deletion will proceed when the Superintendence of Industry and Commerce has determined that the Data Controller or Processor has engaged in conduct contrary to this law and the Constitution; 
  • To access their personal data free of charge that has been subject to Processing.

 

6.AUTHORIZATION FOR THE PROCESSING OF PERSONAL DATA 

MLP, acting as the Data Controller, has adopted procedures to request your authorization for the Processing of your personal data at the latest at the time of collection. MLP will inform you of the personal data being collected, as well as the specific purposes for which your consent is sought. 

It is understood that the Data Subject has granted MLP authorization for the Processing of their personal data when this is manifested: (i) in writing; (ii) orally; or (iii) through unequivocal conduct by the Data Subject that reasonably indicates they have granted MLP the necessary authorization. In no case will silence be construed as an unequivocal action. 

However, authorization from the Data Subject will not be required in the following cases: (i) Information requested by a public or administrative entity in the exercise of its legal duties or by court order; (ii) Public data; (iii) Medical or health emergencies; (iv) Processing of information authorized by law for historical, statistical, or scientific purposes; and (v) Data related to Civil Registry records.

7. REVOCATION OF AUTHORIZATION AND/OR DELETION OF DATA 

The Data Subject may at any time request MLP to revoke the authorization granted for the Processing of their data by submitting a claim, in accordance with Article 15 of Law 1581 of 2012. 

However, the request for deletion of information and/or revocation of authorization will not proceed when the Data Subject has a legal or contractual obligation to remain in MLP’s database. 

 

8. PURPOSE OF THE PROCESSING OF PERSONAL DATA 

MLP will process personal data for the following purposes: 

  1. To carry out, either directly or through third parties, marketing, promotion, and/or advertising activities for its own or third-party services, sales, billing, collections, technical support, market intelligence, service improvement, verifications, payment method enablement, fraud prevention, and any other activities related to its products and services, both current and future, in fulfillment of contractual obligations and MLP’s corporate purpose. 
  2. To ensure optimal communication regarding its legal services and other activities. 

iii. To perform the necessary actions to comply with the obligations inherent to MLP’s legal services.

  1. To fulfill contractual obligations with clients and other individuals directly or indirectly connected to MLP’s corporate purpose. 
  2. To control and prevent fraud in all forms. 
  3. To consult and report information to credit bureaus and national and international watchlists for the prevention of money laundering and terrorism financing. 

 

9. PROCEDURE FOR HANDLING REQUESTS AND INQUIRIES RELATED TO PERSONAL INFORMATION 

The Data Subject or their authorized representative may: 

  1. Submit requests and inquiries to access the personal information held by MLP. 
  2. Request the update, modification, rectification, or deletion of the Data Subject’s data when applicable, in accordance with this Policy and applicable law. 
  3. Request a copy of the authorization granted by the Data Subject to MLP for the Processing of their personal data. 

These inquiries may be made free of charge at least once a month or whenever there are substantial changes to the Information Processing Policy that warrant new inquiries. 

Inquiries may be submitted to MLP regarding the Data Subject’s personal information through the following channel: 

– Email: info@medellinlegal.com 

The inquiry will be addressed within a maximum of ten (10) business days from the date of receipt. If the inquiry cannot be addressed within this period, MLP will inform the interested party, stating the reasons for the delay and indicating a new response date, which will not exceed five (5) business days after the initial deadline. 

 

 

10. PROCEDURE FOR HANDLING CLAIMS AND REVOCATION OF AUTHORIZATION FOR THE PROCESSING OF PERSONAL DATA 

Through this procedure, the Data Subject or their authorized representative may: 

  1. Revoke the Authorization for the Processing of Data. 
  2. File claims when they believe there has been a breach of MLP’s obligations regarding the Processing of Personal Data, as provided in this Policy or the Personal Data Protection Law.

Revocation of the Data Subject’s Authorization for the Processing of Personal Data 

The Data Subject may revoke their authorization and request the deletion of their data in the following situations: 

– By unilateral, free, and voluntary decision of the Data Subject, when no legal or contractual obligation exists that requires the Data Subject to remain in the database; and – When the principles, rights, and constitutional and legal guarantees are not respected, provided that the Superintendence of Industry and Commerce has determined that the Data Controller or Processor has acted contrary to the law. 

This is without prejudice to the document retention rules MLP must observe to comply with formal obligations. Consequently, MLP will delete or suspend the use of the data when applicable, respecting the document retention regulations. 

The procedure for handling claims related to the Data Subject’s personal data is as follows: 

The Data Subject or their duly authorized representative may file claims with MLP concerning the Processing of their Personal Data in the following situations: 

– When they believe that the Data Subject’s information in a database should be corrected, updated, or deleted; or – When they suspect a breach of any obligations contained in the Data Protection Law. 

Claims must be submitted through the following channels: 

– Email: info@medellinlegal.com 

The claim submitted by the Data Subject or their representative must contain at least the following information: (i) Identification of the Data Subject; (ii) Description of the facts leading to the claim; (iii) Contact information for the Data Subject (address, phone, email, etc.); and (iv) Supporting documents or evidence for the claim. If this information is incomplete, MLP will request the claimant to provide the necessary details within five (5) business days of receiving the claim. After two (2) months without the claimant providing the required information, the claim will be considered withdrawn and filed. 

MLP has fifteen (15) business days to address the claim, starting from the next business day after receiving it. 

If the claim cannot be addressed within this period, MLP will inform the claimant of the reasons for the delay and the new response date, which will not exceed eight (8) business days after the initial deadline.

 

11. EFFECTIVE DATE OF THE PERSONAL DATA PROCESSING POLICY 

This Personal Data Processing Policy is effective as of October 3, 2024, and will remain in effect until it is expressly revoked or modified.