Personal data protection policy



This document contains the Personal Data Protection Policy (hereinafter the “Policy”) under which the processing of personal data by OFICOMCO S.A.S. (hereinafter THE COMPANY) is carried out in compliance with the provisions of Law 1581 of 2012, Decree 1377 of 2013, GDPR and other regulatory rules that modify, add or complement them (the “Applicable Rules”).


It shall apply to the personal data of natural persons that are included in the COMPANY’s databases.


Authorization: prior, express and informed consent of the Data Subject to carry out the Processing of personal data;

Database: organized set of personal data that is subject to processing.

Confidentiality: The pillar that guarantees that the information is accessible only by personnel authorized to know such information.

Availability: This principle seeks to guarantee access to information and systems by authorized persons when required.

Personal data: any information linked or that can be associated to one or more natural persons;

Data processor: natural or legal person, public or private, who by himself or in association with others, carries out the processing of personal data on behalf of the controller.

GDRP: European standard for data processing.

Integrity: Seeks to keep the data free from unauthorized modifications, that is, to keep the information exactly as it was generated, without being manipulated or altered.

Data controller: natural or legal person, public or private, who by itself or in association with others, decides on the database and/or the processing of data.

Data subject: natural person: customers, consumers, employees, former employees, suppliers, among others, whose personal data are subject to processing.

Transfer: activity in which the person responsible and/or in charge of the processing of personal data, located in Colombia, sends the information or personal data to a recipient, which in turn is responsible for the processing and is located inside or outside the country.

Transmission: processing of Personal Data that involves the communication of such data within or outside the territory of the Republic of Colombia when its purpose is the performance of a Processing by the Processor on behalf of the Controller.

Processing: any operation or set of operations on personal data, such as collection, storage, use, circulation, transfer or deletion.

 Personal data processing policy

In performing the Processing of Personal Data, the controller shall comply with the requirements of the applicable rules, and shall take into account the following guidelines:

    • This Policy shall at all times comply with the provisions of the Applicable Rules, and shall be available to owners and third parties who wish to consult it.
    • Currently, THE COMPANY is responsible for the processing of personal data collected by its personnel, by third parties to whom it has entrusted such work, or by any electronic means that it makes available to the owners for this purpose.
    • The personal data contained in the databases of the data controller will be handled exclusively for the mission purposes of THE COMPANY, under strict information security policies.

The data controller collects Personal Data with the purpose of processing them for the following purposes:

    • To carry out marketing, promotion and/or advertising activities, market research, own or third party, through various suitable means such as invoices, e-mails or electronic messages, text messages (SMS) and telephone communications.
    • To carry out tasks required for the offering and/or provision of services, such as sales, billing, collection, payment collection, enabling payment methods, technical support, service improvement, programming, control, fraud prevention or any other activity related to current or future products of the data controller, which are relevant or necessary for the fulfillment of its corporate purpose or its contractual obligations.
    • To have contact with customers of the services in relation to the data controller’s current or future products or services and about promotions, packages, releases or additional services.
    • To comply with the obligations contracted with the Personal Data Holders, among which are suppliers, customers, employees, former employees, future employees.
    • Conduct studies on consumption habits.
    • Share, Transfer and Transmit data to business partners, subsidiaries, parent company in order to carry out commercial activities and promotion of products or services owned by such companies or to persons with whom the Data Controller has or may have a business relationship that is related to the contracts for the provision of services to the owners.
    • Transfer, transmit and share personal data to third parties that have or may have commercial ties with the Company that are related to the contracts for the provision of services of the Data Subjects.
    • When the Transfer or Transmission of Personal Data is carried out, they will remain as confidential information and may not be processed for purposes other than those established in these policies or those indicated in the document containing the contractual relationship to be executed. In case of Transfer, whoever receives the information shall be considered the Data Controller and shall apply its privacy policies.
    • Respond to and manage requests and suggestions made by customers, suppliers and third parties in general.
    • o Under any circumstances, the processing of sensitive data is prohibited, i.e. data that affect the privacy of the Data Subject or whose improper use may generate discrimination (i.e. data that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sex life, and biometric data). Likewise, the Processing of Personal Data of children and adolescents without the authorization of the parents or representatives of the minors is prohibited.
    • When this Policy undergoes any change, it will be necessary to notify the Personal Data Subjects of such change. Such modification may be made through the means of communication normally used between the Parties.
    • The area responsible within THE COMPANY for the Processing of Personal Data, and for dealing with queries or claims related to Personal Data is called PERSONAL DATA PROCESSING.
    • It will be necessary to request and keep proof of the authorizations granted.

Rights of owners

The Personal Data Subject shall have the following rights:

    • To know, update and rectify their personal data. Being able to exercise this right, among others against partial, inaccurate, incomplete, fractioned, misleading data, or those whose treatment is expressly prohibited or has not been authorized;
    • Request proof of the authorization granted except when expressly exempted as a requirement for the processing, in accordance with the provisions of Law 1581 of 2012;
    • Be informed, upon request, regarding the use that has been made of your personal data;
    • File before the Superintendence of Industry and Commerce complaints for violations of the provisions of this law and other rules that modify, add or complement it;
    • To revoke the authorization and/or request the deletion of the data when the principles, rights and constitutional and legal guarantees are not respected in the Processing. The revocation and/or deletion will proceed when the Superintendence of Industry and Commerce has determined that the Processing has incurred in conduct contrary to this law and the Constitution.
    • The revocation of the authorization or deletion of the data does not proceed when the Data Subject has a legal or contractual duty to remain in the database;
    • Access free of charge, as established in Article 21 of Decree 1377 of 2013, to their personal data that have been subject to Processing.

For the exercise of the aforementioned rights by the Personal Data Holders, they may communicate with the area responsible for the Processing of Personal Data, and attention to queries and claims about them. The exercise of the rights shall be exercised in accordance with the provisions set forth in the following paragraph, and in accordance with the requirements of the Applicable Rules.

Procedure for handling inquiries and complaints

For the exercise of the rights as Personal Data Holder, the Data Controller shall make available to the Data Holders adequate means of communication for such purpose. In this sense, the area in charge of Personal Data Processing and attention to queries and claims may be contacted at the following e-mail addresses: or or through the website:

The procedure to be followed for the exercise of the rights of the Holders shall be as follows:


    • When the Personal Data Subject, his representative or assignee requires to consult his Personal Data contained in the databases of the Data Controller, the latter shall answer the consultation within ten (10) working days from the date of receipt of the consultation made.
    • If it is not possible to attend the consultation within said term, the interested party will be informed, stating the reasons for the delay and indicating the date on which the consultation will be attended, which in no case may exceed five (5) working days following the expiration of the first term.


    • The Holder, its representative or assignee may request the correction, update or deletion, by filing a claim which must be processed through a written request containing the following information: i) Identification of the Holder, ii) Description of the facts that give rise to the claim, iii) Correspondence address of the Holder, iv) Supporting documents of the request.
    • If the request is incomplete, the data controller, or its responsible area, will require the interested party to provide additional documents within five (5) days following the receipt of the claim. The interested party will have up to sixty (60) days to respond to the requested information, in case of no response it will be understood that the claim has been withdrawn.
    • Once the claim is received, a note stating that a claim is in process must be included in the respective database within two (2) days of receipt of the claim.
    • The claim must be addressed within fifteen (15) business days following receipt of the claim. In case it is not possible to attend it within that term, the interested party will be informed, and the reasons for the delay will be informed, and a response will be given within a maximum term of eight (8) days.

The exercise of the rights of the Holders may be made at any time. For the purposes of consultation of their Personal Data, they will be provided free of charge, under the terms of Decree 1377 of 2013.

Access to policy

    1. Enter the website
    2. There you can read, consult and authorize it.
    3. Select the option “Data processing policy”.
× How can we help?