Personal data processing policy

The registration processes for field trips, camps and events require us to collect a wide variety of personal data from the participants in order to provide a better service in case of emergencies. For this purpose we have an electronic database that stores the information in a main server. In this document we will call it hereinafter BBDDE. It is Kajuyalí's policy to be consistent with the rules stipulated in the Statutory Law 1581 of 2012 on Data Protection (LEPD) and the Statutory Law 1377 of 2013 of the Congress of the Republic of Colombia, so we have established a procedure to communicate our commercial promotions based on the following premises:

 

1.  Actors involved in the BBDDE.


Level   Position
A       General Manager of Kajuyalí
A       External technology provider
A       Kajuyalí Technology Coordinator
B       Commercial Director of Kajuyalí
B       Chief Operating Officer of Kajuyalí
B       Administrative Director of Kajuyalí
B       Staff Director
B       Kajuyalí Customer Service Coordinator
B       Camp Director / Pedagogical Outing
B       Camp / Pedagogical Outing Medic
C       Kajuyalí's Reservations and Marketing Advisor
C       Human Resources Advisor
C       Accounting Coordinator
C       Camp Logistics
C       Regional Marketing and Sales Districts

 

 

2. Access levels to the BBDDE
We have defined three different levels of access to the BBDDE information. Each level has access to certain parts of the information and has the authority to manage the access of its sub-levels to improve security:

LEVEL A: Has full access to the information for design - access - administration and deletion of data. Leads the restoration and data protection processes.
• General Manager of Kajuyali.
• External technology provider (ARKEDATA SAS).
• Technology Coordinator.

LEVEL B: Has partial access to the system to manage clients, invoices, reservations and content. Can create campaigns and communicate openly with the entire DB.
• Level A.
• Customer Service Coordinator.
• Commercial, Operative, Administrative and Staff Managers. 

LEVEL C: Has access to view - edit - complete customer information. Has restricted access to delete information. Does not have access to program scripts.
• Level B.
• Advisors and authorized users with password.

 

3. Storage server - physical access:

3.1 The physical server that keeps the digital information of the Database shall remain in a locked rack in the main office of Kajuyalí. Such access shall be exclusive for LEVEL A and LEVEL B. In order to avoid the loss of information from the server due to damage or theft, this server makes automatic digital copies through an external hard disk that must also remain under lock and key in the rack. The keys must remain in the company's safe. This access will be exclusive for LEVEL A AND LEVEL B.

3.2 Additionally, this server performs digital backups in the cloud with the ONEDRIVE system. Only LEVEL A has access to this information.

 

4. Storage Server - Electronic Access:

4.1 Access to the BBDDE is through an encrypted user key/personal key (non-transferable) that is created from a user creation procedure authorized by LEVEL A only.

4.2 This key commits users at all levels to the responsible use of the information. To that end, the CONTRACT OF SERVICE PROVISION document, which commits them to comply with the company's personal data protection policies, must be in place. This document governs as an internal work rule.

4.3 The system allows access from a computer, tablet or cell phone terminal and only requires web access. Therefore, every time a user enters the system, the entry is recorded in a log that registers the access IP with its date/time. This gives us the control needed to know who has had access to information from the BBDDE, when, and from where.

4.4 The BBDDE allows the selection of particular searches specially designed for marketing and promotion of Kajuyalí's programs. This selection leads to the extraction of information in .csv or .txt files or other formats. The extraction of these bulk lists is provided by the system only under LEVEL A and LEVEL B supervision.

 

5. Information Storage:
The user accesses an enrollment or registration through the online system that leads him/her to complete medical, behavioral and contact data. In order to enroll a user in a Kajuyali program, he/she must accept the Terms and Conditions of the Service Contract, which is attached to this document.

5.1 Entering the BBDDE enrollment system: A user of our BBDDE is created automatically when a person enters the system seeking to create an enrollment and/or acquire one of the programs. This process is carried out online through the web page. When registering, the system may request personal information that is covered by the Data Protection laws. In doing so, the user must create a user password to access his or her account. This access is permanent and free for the user. Some fields are required for registration. The information will adhere to the corresponding Terms and Conditions form, which must be accepted by the user in order to access the registration.

5.2 Entering information into the system from a corporate or business event: Whenever we collect data from people interested in the service through a booth or event (TGMP) we will seek the approval of the interested party in writing using the KCTGMPDATAFORM22 (Acceptance of Terms and Conditions).

This data is manually entered into the database so that the information can be sent. Eventually the user will have to accept the sending of information through the electronic enrollment process on the web.

5.3 Acceptance of enrollment in the BBDDE: When the client accesses our enrollment process, he/she accepts that his/her information will be stored in our BBDDE for the following 5 years after his/her last enrollment in a Kajuyalí program. We do this in order to have historical information of the user for eventual situations or needs during or after an operation, for example a disease or ailment that appears 2 years later.

5.4 Acceptance to receive information: As part of Kajuyalí's commercial strategy, we will only send promotional emails about our programs to users who are registered in the BBDDE and who have authorized the sending of commercial information. That is why the online registration process asks registrants whether they agree to receive such promotions by any means. As of November 23, 2016, Kajuyalí always asks whoever processes a registration whether or not they want to be part of the list of people to whom promotions are sent by different means, through the following text present at the end of the registration form:

 

 

5.5 Storage of users who did not authorize the sending of promotional emails: It is Kajuyalí's policy that our users remain in the database for 10 years. During this period of time the user will not receive promotional emails. At the end of the tenth year we will ask the user if he/she wants to continue in our database. If the answer is "no", we will delete it.

We keep the information for 10 years in order to make use of the information when required for issues related to the operation of a program, for a re-purchase or whenever there is a possible claim or medical information is required from the family.

5.6 Storage of authorized users: As with users who did not authorize the sending of promotional emails, they remain in the BBDDE for 10 years. However, because these users have agreed to have information sent to them, they will be included in promotions and communications unless:

5.6.1 12 months pass since their last enrollment.

5.6.2 The user enters the system with his/her personal password and removes his/her name or family from the list of users who authorize us to send them promotional mailings by requesting to be "unsubscribed".

 

6. Cases of loss of information:
In case there is any situation external to Kajuyalí by which a partial or total listing of the BBDDE is lost or stolen, an Emergency Protocol will be activated that identifies the last person associated with that information at any of the three levels (A, B or C), who will be held responsible while a solution is found.

Emergency procedure in case of loss of information: This process seeks to reestablish the information service and limit access to the information physically or electronically to anyone who would like to make improper use of it.

6.1.1 The BBDDE represented by the physical server shall be temporarily deactivated and the hardware archiving elements shall be temporarily removed. For this purpose, it shall be disconnected from the network for 6 hours from the time the failure is detected.

6.1.2 The BBDDE represented by the electronic information will be limited to LEVEL B AND LEVEL C accesses to the users for 6 hours.

6.1.3 An investigation shall be carried out with the Technology Coordinator, who shall investigate the electronic failures and losses associated with the attack, submit a detailed report and an action plan to correct the failures and prevent a recurrence of the attack.

 

This document was prepared in Bogota, approved and published by the General Director of Grupo Kajuyali on September 1, 2022 and is valid for 24 months from that date.