Privacy Policy

GENERAL CONSIDERATIONS
Aware of the importance of protecting and properly managing the personal information provided by its owners, EXECUTIVE TRAVEL – AGENCIA COLOMBIA VIAJES and its brand Medellín Group (hereinafter Medellín Group), which acts as the party responsible for the information received, has designed this policy and procedures, which together allow appropriate use of your personal data.

Article 15 of the Political Constitution of Colombia develops the fundamental right to habeas data, that is, the right that all citizens have to know, update, and rectify the personal data that exists about them in databases and in files of both public and private databases, which is inevitably related to the management and processing of information that recipients of personal information must take into account. Said right has been developed through the issuance of Statutory Law 1581 of 2012 and Regulatory Decree 1377 of 2013, based on which Medellín Group, as RESPONSIBLE for the personal data, receives, manages and processes the information and thus proceeds to issue this personal data processing policy, which is made known to the public so that they know how Medellín Group treats their information. The provisions of this personal data processing policy are mandatory for Medellín Group, its administrators, workers, contractors and third parties with whom Medellín Group establishes relationships of any kind.

AIM
With the implementation of this policy, it is intended to guarantee the confidentiality of information and the security of the treatment that will be given to it for all clients, suppliers, employees and third parties from whom Medellín Group has legally obtained information and personal data, in accordance with the guidelines established by the law regulating the right to Habeas Data. Likewise, through the issuance of this policy, the provisions of literal K of article 17 of the aforementioned law are complied with.

DEFINITIONS

  • Authorization: Prior, express and informed consent of the data owner to carry out the treatment. This can be written, verbal or through unequivocal conduct that allows it to be reasonably concluded that the owner granted authorization.
  • Database: It is the organized set of Personal Data that is subject to processing, electronic or not, regardless of the method of its formation, storage, organization and access.
  • Consultation: Request from the data owner or from persons authorized by the data owner or by law to know the information that rests on him in databases or files.
  • Personal data: Any information linked or that can be associated with one or several specific or determinable natural persons. These data are classified as sensitive, public, private and semi-private.
  • Sensitive personal data: Information that affects the privacy of the person or whose improper use can generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social organizations, of human rights or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life and biometric data (fingerprints, among others).
    For the purposes of this policy, Medellin Group notes the optional nature of the owner of the personal data to provide this type of information in cases in which it may eventually be requested.
  • Public personal data: It is the data classified as such according to the mandates of the law or the Political Constitution and all those that are not semi-private or private. Public are, among others, the data contained in public documents, public registries, official gazettes and bulletins and duly executed judicial rulings that are not subject to confidentiality, those relating to the marital status of persons, their profession or trade and their capacity as merchant or public servant. The personal data existing in the commercial registry of the Chambers of Commerce are public (Article 26 of the C.Co.).

    Likewise, public data are those that, by virtue of a decision of the owner or a legal mandate, are found in files with free access and consultation. These data can be obtained and offered without reservation and regardless of whether they refer to general, private or personal information.

  • Private personal data. It is the data that, due to its intimate or reserved nature, is only relevant to the person who owns the data. Examples: merchants’ books, private documents, information extracted from home inspection.
  • Semi-private personal data. Semi-private data is data that is neither intimate, reserved, nor public and whose knowledge or disclosure may be of interest not only to its owner but also to a certain sector or group of people or society in general, such as, among others, data relating to compliance and failure to comply with financial obligations or data relating to relationships with social security entities.
  • Responsible for the Treatment: Person who, by themselves or in association with others, decides on the database and/or the processing of the data.
  • Data Processor: Person who processes data on behalf of the data controller.
  • Being “Authorized” means Medellin Group and all the people under its responsibility, who by virtue of the authorization and the Policy have legitimacy to process the owner’s personal data. The Authorized includes the genus of the Authorized.
  • “Authorization” or being “Enabled” is the legitimation that Medellin Group expressly and in writing, through a contract or document that acts in its place, grants to third parties, in compliance with the applicable law, for the processing of personal data, converting such third parties into those responsible for the processing of personal data delivered or made available.
  • Claim: Request from the data owner or persons authorized by the data owner or by law to correct, update or delete their personal data or when they notice that there is an alleged breach of the data protection regime, according to Article 15 of Law 1581 of 2012.
  • Owner of the data: It is the natural person to whom the information refers.
  • Processing: Any operation or set of operations on personal data such as, among others, the collection, storage, use, circulation or deletion of that type of information.
  • Transmission: Processing of personal data that involves the communication of the same within (national transmission) or outside of Colombia (international transmission) and whose purpose is to carry out processing by the person in charge on behalf of the person responsible.
  • Transfer: The transfer of data takes place when the person responsible and/or in charge of the processing of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is responsible for the treatment and is located inside or outside the country.
  • Procedural requirement: The owner or successor in title may only file a complaint with the Superintendence of Industry and Commerce once the consultation or claim process has been exhausted before the person responsible for the treatment or person in charge of the treatment, the above according to Article 16 of Law 1581 of 2012.

PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA
The processing of personal data must be carried out in compliance with the general and special regulations on the matter and for activities permitted by law. Consequently, the following principles apply for the purposes of this policy:

  • Principle of legality: Data processing is a regulated activity that must be subject to the provisions of the law and the other provisions that develop it.
  • Principle of purpose: The treatment must obey a legitimate purpose in accordance with the Constitution and the Law.
  • Principle of freedom: Treatment can only be carried out with the prior, express and informed consent of the owner. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that requires consent.
  • Principle of truthfulness or quality: The information subject to processing must be truthful, complete, exact, updated, verifiable and understandable. The processing of partial, incomplete, fragmented or misleading data is prohibited.
  • Principle of transparency: In the treatment, the right of the owner to obtain from the person responsible for the treatment, at any time and without restrictions, information about the existence of data that concerns him or her must be guaranteed.
  • Principle of restricted access and circulation: The processing is subject to the limits that derive from the nature of the personal data, the provisions of the law and the Constitution. In this sense, the treatment can only be carried out by people authorized by the owner and/or by the people provided for by law.
  • Security principle: The information subject to Treatment by the Data Controller or Data Processor referred to in this law must be handled with the technical, human and administrative measures that are necessary to provide security to the records, avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.
  • Principle of confidentiality: All persons involved in the processing of personal data that are not public in nature are obliged to guarantee the confidentiality of the information, even after their relationship with any of the tasks included in the processing has ended, and may only supply or communicate personal data when this corresponds to the development of the activities authorized in this law and in the terms thereof.

Any new project within the Organization that involves the Processing of Personal Data must be consulted with the Information Security Management, which is the person and agency in charge of the data protection function, to ensure compliance with the policy and with the measures necessary to maintain the confidentiality of personal data.

RIGHTS OF DATA OWNERS
In accordance with current legal provisions, the following are the rights of the owners of personal information:

  • Right to know, update, rectify, consult your personal data at any time against Medellin Group regarding data that you consider partial, inaccurate, incomplete, fractioned and those that are misleading.
  • Right to request at any time proof of the authorization granted to Medellin Group except in those cases in which the Controller is legally released from having authorization to process the owner’s data.
  • Right to be informed by Medellin Group upon request of the owner of the data, regarding the use that has been given to them.
  • Right to present to the Superintendency of Industry and Commerce the complaints that you consider pertinent to assert your right to Habeas Data.
  • Right to revoke the authorization and/or request the deletion of any data when you consider that Medellin Group has not respected your constitutional rights and guarantees.
  • Right to access free of charge the personal data that you voluntarily decide to share with Medellin Group.

The information and/or personal data that we collect from you are the following:

Kind of person:
Natural: names and surnames, type of identification, identification number, gender, marital status and date of birth, email, financial data (bank accounts).

Legal: company name, NIT, address, telephone, cell phone, email, country, city, financial data (bank accounts).

Information necessary to facilitate travel or other services, including preferences such as travel class, first and last names of passengers (type of document, document number, date of birth, first name, last name, gender, email, nationality, passport expiration date), contacts in case of accident or any other anomaly (names and surnames, telephone number).

Quote request: names, surnames, telephone numbers, city and email.

Trip information: type of request, destination, departure date, duration, number of adults, number of children, hotel category, food, additional services, transportation service, budget per person.

These data may be stored and/or processed on servers located in data processing centers, whether owned or contracted with suppliers, located in different countries, which is authorized by our clients/users upon accepting this personal data treatment and protection policy.

For more information about the companies that are part of the Executive Travel business group, their identity, addresses and contact information, you can consult them at the following web address: http://www.ariktravel.com.

Medellin Group reserves the right to improve, update, modify or delete any type of information, content, domain or subdomain that may appear on the website, without any obligation to provide prior notice, with publication on the websites of Medellin Group being understood as sufficient, for the solution of legal or internal requests and for the provision or offering of new services or products.

TREATMENT, SCOPE AND PURPOSES

  1. Medellin Group informs the owners that the data collected from our clients, contractors and suppliers may be used for the following purposes. The processing may be carried out by Medellin Group directly or through its contractors, consultants, advisors and/or third parties in charge of the processing of personal data, to carry out any operation or set of operations such as collection, storage, use, circulation, deletion, classification, transfer and transmission (the “Processing”) of all or part of your personal data:
    * The maintenance of the contractual relationship established with Medellin Group.
    * The provision of services related to the products and services offered.
    * Carrying out all activities related to the service or product will be included in an email list for sending the newsletter.
    * Send information about changes in the conditions of the services and products purchased, and notify you about new services or products.
    * Manage your requests, clarifications, and investigations.
    * Prepare studies and programs that are necessary to determine consumption habits.
    * The refinement of security filters and business rules in commercial transactions; confirm, process such transactions, with your financial institution, with our service providers and with yourself.
    * Carry out periodic evaluations of our products and services in order to improve their quality.
    * The sending, by traditional and electronic means, of technical, operational and commercial information on products and services offered by Medellin Group, its associates or suppliers, currently and in the future.
    * The request for satisfaction surveys, which you are not obliged to answer.
    * Carry out the transmission and/or transfer of data to other companies, commercial alliances or third parties in order to fulfill the acquired obligations. The transmission and transfer may be carried out even to third countries that may have a different level of protection compared to the Colombian one, when necessary for the fulfillment of our obligations.
    * Comply with obligations contracted by Medellin Group with its clients when purchasing our services and products.
    * Respond to queries, requests, complaints and claims made by control organizations and other authorities that, by virtue of the applicable law, must receive personal data.
    * Any other activity of a similar nature to those previously described that is necessary to develop the corporate purpose of Medellin Group.
    * Carry out queries in different databases and authorized sources (such as OFAC, UN lists, among others) necessary for the control and prevention of fraud or crimes related to money laundering, in accordance with our risk prevention and management policies – SARLAFT.

  • The data collected from our workers:

    * Comply with the obligations contracted by Medellin Group with the workers who hold the information, in relation to the payment of salaries, social benefits, and others enshrined in the employment contract and current labor regulations.
    * Inform the worker of the news that arises during the development of the employment contract and even after its completion.
    * Evaluate the quality of the services we provide.
    * Carry out internal studies on the habits of the worker who owns the information or request personal information for the development of programs or management systems.
    * Carry out payroll deductions authorized by the worker.
    * Manage your requests, administration of activities, clarifications and investigations.
    * Marketing and sale of our products and services.
    * The sending, by traditional and electronic means, of technical, operational and commercial information on products and services offered by associates or suppliers, currently and in the future.
    * Prepare studies and programs that are necessary to determine consumption habits.
    * Carry out the transmission and/or transfer of data to other companies, commercial alliances or third parties in order to fulfill the acquired obligations. The transmission and transfer may be carried out even to third countries that may have a different level of protection compared to the Colombian one, when necessary for the fulfillment of our obligations.
    * The request for surveys, which the worker is not obliged to answer.
    * Transfer, either by way of transmission or transfer, the information received to all judicial and/or administrative entities when this is necessary for the fulfillment of duties as an employer to fulfill the obligations of labor, social security, pensions, professional risks, family compensation funds (Comprehensive Social Security System) and taxes.
    * Transfer the employer’s personal information to third parties that legitimately have the power to access said information, which includes, but is not restricted to, the companies of the Grupo Empresarial Medellin Group Ltda.
    * Deliver, either by way of transmission or transfer, the worker’s personal information to all entities that are related to the compliance of the person responsible in his capacity as employer.
    * Any other activity of a similar nature to those previously described that is necessary to develop the corporate purpose of Medellin Group and its labor obligations acquired by virtue of the execution of the employment contract or by operation of law.
    * Carry out queries in different databases and authorized sources (such as OFAC, UN lists, among others) necessary for the control and prevention of fraud or crimes related to money laundering, in accordance with our risk prevention and management policies – SARLAFT.

The processing of personal data will be carried out with prior authorization from the data owner, except in events in which the data is public in nature. For this, an authorization form has been implemented for data processing, which must be completed by the owner of the information at the same time that he or she provides his or her personal information. This authorization explains the scope and purposes of the processing of personal data, refers to the authorization by another, the data of minors and sensitive data, as well as defines the service channel of the owners who wish to exercise the rights contemplated within habeas data and the place where this policy is hosted is indicated. For the purposes of advancing data processing, Medellin Group uses all activities aimed at preserving the confidentiality of the information.

Authorization will be obtained through any means that may be subject to subsequent consultation, such as the website, forms, formats, in-person activities or through social networks, etc. Authorization may also be obtained from unequivocal conduct of the data owner that allows it to be reasonably concluded that he or she granted authorization for the processing of his or her information.
If you provide us with personal information about a person other than yourself, such as your spouse or co-worker, we understand that you have that person’s authorization to provide us with their information; and we do not verify, nor do we assume the obligation to verify, the identity of the user/client, nor the veracity, validity, sufficiency and authenticity of the data provided by each of them. By virtue of the foregoing, we do not assume responsibility for damages or prejudices of any nature that may arise from the lack of veracity, homonymy or the theft of identity information.
Since Medellin Group belongs to the Medellin Group Business Group, your personal information may be shared by way of transfer or transmission with group companies, business partners and/or third-party suppliers involved (flight, hotel and car reservation systems, transactional security validators, banks, financial networks, tourist services). These processes can be carried out in places different from the one in which the acquired tourist service or product is contracted, with the same purposes that have been indicated for the collection of personal data. These entities are required to comply with the corresponding confidentiality, transmission or transfer agreements.

Certain services or products provided on the page www.medellingroup.com, and on any of the portals of the companies of the Medellin Group Business Group and its equivalents, may contain particular conditions with specific provisions regarding the protection of Personal Data.
The Personal Data collected will be subject to manual or automated processing and incorporated into the corresponding files or databases (hereinafter, the «File») of Medellin Group, either in its capacity as data processor and responsible for data protection. To determine the term of treatment, the rules applicable to each purpose and the administrative, accounting, fiscal, legal and historical aspects of the information will be considered.
When at the time of providing the service the owner is accompanied by minors or people considered with disabilities, and in which the collection of their personal data occurs, Medellin Group will always request the authorization of whoever has the legal representation of the minor. Now, if personal information of the population mentioned here is provided without being the legal representative, you declare that you have the authorization of the respective legal representative, directly assuming the responsibility that this entails. Medellin Group will strive to ensure that their rights and their superior and prevailing interest are respected at all times. The representative must guarantee them the right to be heard and value their opinion of the treatment, taking into account the maturity, autonomy and capacity of the minors. Representatives are informed of the optional nature of answering questions about minors’ data. The data of minors, included in a special protection category, will be processed in accordance with the applicable legislation on the matter and in accordance with the provisions of our personal data policy.
The companies of the Medellin Group Business Group have adopted the security levels of protection of personal data legally required, and have installed all the means and technical measures at their disposal to prevent loss, misuse, alteration, unauthorized access and illegitimate theft of the personal data provided to Medellin Group; however, the owner must be aware that security measures on the Internet are not unbreakable.
If you choose to delete your information, to the extent permitted by law, we will retain certain personal information in our files for the purposes of identifying accounting and tax data on transactions carried out, preventing fraud, resolving disputes, investigating conflicts or incidents, enforcing our terms and conditions of use and complying with legal requirements.

However, at the time you decide to revoke your authorization, the hosted information will not be used for the purposes provided herein, only in the terms strictly necessary and defined in the previous paragraph.
Security Risks You Should Consider When Transacting Online:
It is possible that a user is deceived, through emails or some DNS server deception, into visiting a fake site that has the same design, but where the card data is loaded into the fake system, stealing cardholder information. Therefore, it is important to generate the culture that users must enter directly through known domains to carry out transactions to reduce risks.
It may be that the computer where the user is carrying out the transaction has installed, without prior knowledge, some spyware or malicious software that captures everything typed on the keyboard or captures information from input devices and sends it to some network or host on the Internet. Therefore, it is recommended that the transaction be carried out on the home or office computer if possible.
Impersonation of the owner could occur if the owner denies having sent and/or received the transaction and it is used by a third party.
It is recommended that the computer where you carry out electronic transactions have an updated and active antivirus to mitigate the risks of fraud.
If personal information was collected or provided prior to July 30, 2013 and you did not express your opposition to your personal data being transferred, it will be understood that you have given your consent. In the event that you wish to ratify your consent or express your refusal, you can indicate it through the following email privacy@Medellin Group.com.
Like other websites, Medellin Group uses certain technologies, such as cookies and device fingerprinting, that allow us to make your visit to our site easier and more efficient, providing you with personalized service and recognizing you when you return to our site. For the purposes of this Privacy Notice, «cookies» will be identified as the information text files that a website transfers to the hard drive of the users’ computer in order to store certain records and preferences.
Websites may allow advertising or third-party features that send «cookies» to the owners’ computers.

Cookies are only associated with an anonymous user and their computer, and do not provide their first and last name. In many cases, you will be able to browse any of the Medellin Group websites anonymously. When you access any Medellin Group website, your IP address (the Internet address of your computer) is recorded to give us an idea of which parts of the website you visit and how much time you spend in each section. We do not link your IP address to any of your personal information unless you have registered with us and logged in using your profile.
Therefore, it is possible that in certain applications Medellin Group recognizes users after they have registered for the first time, without them having to register each visit to access the areas and services or products reserved exclusively for them.
In other services, the use of certain access codes will be necessary, and even the use of a digital certificate, in the characteristics that are determined.
The cookies used cannot read cookie files created by other providers. Medellin Group encrypts the user’s identification data for greater security.
To use the Medellin Group website, it is not necessary for the user to allow the installation of cookies sent by Medellin Group, without prejudice to the fact that in such case it will be necessary for the user to register for each of the services whose provision requires the prior registration.

NATIONAL OR INTERNATIONAL TRANSFER OF PERSONAL DATA
Medellin Group may transfer data to other Data Controllers when authorized by the owner of the information or by law or by an administrative or judicial order.

INTERNATIONAL AND NATIONAL TRANSMISSION OF DATA TO PROCESSORS
Medellin Group may send or transmit data to one or more managers located inside or outside the Republic of Colombia in the following cases: a) When it has authorization from the owner and b) when, without having the authorization, there exists between the Controller and the manager a data transmission contract.

DUTIES OF THE DATA CONTROLLER
Guarantee the holder, at all times, the full and effective exercise of the right of habeas data.
Request and keep, under the conditions provided for in this law, a copy of the respective authorization granted by the owner.
Duly inform the owner about the purpose of the collection and the rights granted to him by virtue of the authorization granted.
Maintain the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
Process queries and claims formulated in the terms indicated in this law.
Adopt an internal manual of policies and procedures to guarantee adequate compliance with this law and, especially, to respond to queries and complaints.
Inform at the request of the owner about the use given to his data.
Inform the data protection authority when violations of security codes occur and there are risks in the administration of the owners’ information.
Comply with the instructions and requirements issued by the superintendence of industry and commerce.

DUTIES OF THE TREATMENT PROCESSORS
Guarantee the holder, at all times, the full and effective exercise of the right of habeas data.
Maintain the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
Timely update, rectify or delete data under the terms of this law.
Update the information reported by those responsible for the treatment within five (5) business days from receipt.
Process queries and claims made by the owners in the terms indicated in this law.
Adopt an internal manual of policies and procedures to guarantee adequate compliance with this law and, especially, to respond to queries and complaints from the owners.
Refrain from circulating information that is being disputed by the owner and whose blocking has been ordered by the superintendence of industry and commerce.
Allow access to information only to people who can have access to it.
Inform the superintendence of industry and commerce when violations of security codes occur and there are risks in the administration of the owners’ information.
Comply with the instructions and requirements issued by the superintendence of industry and commerce.

PETITIONS, COMPLAINTS AND CLAIMS
For the purposes of receiving requests, complaints and queries related to the handling and processing of personal data, Medellin Group has designated the email privacy@Medellin Group.com to channel, study and respond to them. Therefore, you may send your requests to this address, which will be processed in accordance with Law 1581:

Queries: The owners or their successors may consult the personal information of the owner that resides in our database. Medellin Group will provide them with all the information contained in the individual registration or that is linked to the identification of the owner. The query will be answered within a maximum period of ten (10) business days from the date of receipt. When it is not possible to attend to the query within said term, the interested party will be informed, and the date on which their query will be attended to will be indicated, which in no case may exceed five (5) business days following the expiration of the first term.

Claims: The owner or his successors who consider that the information contained in a database must be corrected, updated or deleted, or when they notice the alleged breach of any of the duties contained in the law, may file a claim with Medellin Group, which will be processed under the following rules:

The claim will be made through a request addressed to Medellin Group with the identification of the owner, the description of the facts that give rise to the claim, the address, and accompanying the documents that you want to assert. If the claim is incomplete, Medellin Group will require the interested party within five (5) days following receipt of the claim to correct the deficiencies. After two (2) months from the date of the request, without the applicant presenting the required information, it will be understood that he has withdrawn the claim.
Once the complete claim is received, a legend that says “claim in process” and the reason for it will be included in the database within a period of no more than two (2) business days. Said legend must be maintained until the claim is decided.
The maximum term to address the claim will be fifteen (15) business days counted from the day following the date of receipt. When it is not possible to address the claim within said term, the interested party will be informed and the date on which their claim will be addressed will be indicated, which in no case may exceed eight (8) business days following the expiration of the first term.
In any case, the owner or successor in title may only file a complaint with the Superintendence of Industry and Commerce once the consultation or claim process with Medellin Group has been exhausted.
The area responsible for receiving and processing claims is the Information Security Management.
The request for deletion of information and revocation of authorization will not proceed when the owner has a legal or contractual duty to remain in the database.

QUESTIONS OR SUGGESTIONS
If you have any questions or queries about the process of collecting, processing or transferring your personal information, or consider that the information contained in a database should be corrected, updated or deleted, please send us a message to the following email account: privacy@Medellin Group.com.

For more information about Medellin Group, identity, address and contact information, you can consult it at the following address www.MedellinGroup.com. This website has the terms and conditions applicable to the published services and products, which can be consulted at any time for more information.

VALIDITY
Medellin Group reserves the right to modify this policy to adapt it to legislative or jurisprudential developments, as well as good practices in the tourism sector and other sectors of the economy that are part of the business group. In such cases, Medellin Group will announce on this page the changes introduced with reasonable advance notice of their implementation.

This policy was modified and published on the Medellin Group websites on March 29, 2024 and is effective as of the date of publication.
