Personal Data Handling Policy

C & M Consultants is dedicated to safeguarding your personal information in accordance with this policy.
Objective

C & M Consultants S.A.S. is dedicated to strict compliance with the law and to the protection of individuals' rights, such as habeas data, privacy, intimacy, good name, and image. In line with our policy of total responsibility, the preservation, protection, and integrity of the personal data you have entrusted to us are of utmost importance.

With this purpose in mind, this policy outlines the terms, conditions, and purposes under which C & M Consultants S.A.S. will process the personal data provided freely and voluntarily, whether in-person or virtually, collected directly from national and international branches or through the consortia or temporary alliances of which we are a part.

Scope

This Personal Data Protection Policy applies to all databases and/or files containing personal data that are subject to processing by C & M Consultants S.A.S., whether it acts as the data controller and/or processor of this information.

IDENTIFICATION OF THE PERSONAL DATA CONTROLLER

C & M Consultants S.A.S.
IDENTIFICATION
NIT. 830061474-1

Contractual Address:

Carrera 13 No. 96-67. Office 309
Bogotá D.C.

Phone:

+57 601 919 5290

E-mails:

hprotecciondedatos@cmconsultores.com.co
administracion@cmconsultores.com.co

DEFINITIONS
Authorization
The consent given by any individual to allow companies or individuals responsible for information processing to use their personal data.
Privacy Notice
One of the communication options, either verbal or written, provided by the law to inform data subjects about the existence, ways to access information processing policies, and the purpose of data collection and use.
Database
An organized set of personal data subject to processing.
Personal Data

Any information linked to or associated with a specific person, such as their name or identification number, or information that can make them identifiable, such as their physical traits.

Private Data
This refers to information that, due to its intimate or confidential nature, is relevant only to the data subject.
Public Data
Public data include, among other things, information regarding individuals' marital status, profession or occupation, and status as a merchant or public servant.
Semiprivate Data

These are data that do not have an intimate, confidential, or public nature, and whose knowledge or disclosure may be of interest not only to the data subject but also to a certain sector or society in general.

Sensitive Data
These are types of information that impact the privacy of the data subject or could lead to discrimination. Examples include data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights groups, as well as information related to health, sexual life, and biometric data, among others.
Data Processor
This refers to the natural or legal person who processes personal data on behalf of and delegated by the data controller. They receive instructions on how the data should be managed.
Data Controller
This is the natural or legal person, whether public or private, who decides on the purpose of databases and/or the processing of this data.
Data Subject
This is the natural person whose personal data is subject to processing.
Transfer
This refers to the operation where the data controller or data processor, located in Colombia, sends information or personal data to a recipient, who is also responsible for the processing and may be located inside or outside the country.
Transmission
The processing of personal data that involves the communication of such data within or outside the territory of the Republic of Colombia when the purpose is to carry out processing by the processor on behalf of the controller.
Processing
Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.
GUIDING PRINCIPLES
1. Principle of Legality in Data Processing
The processing described in this policy is a regulated activity that must comply with the provisions and regulations that govern it.
2. Principle of Purpose
Processing must align with a legitimate purpose in accordance with the Constitution and the law, and this purpose must be communicated to the data subject.
3. Principle of Freedom
Processing can only be carried out with the prior, express, and informed consent of the data subject. Personal data cannot be obtained or disclosed without prior authorization, except in the absence of legal or judicial mandate that exempts the need for consent.
4. Principle of Truth or Quality
Information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. The processing of partial, incomplete, fragmented, or misleading data is prohibited.
5. Principle of Transparency
The processing must ensure the data subject's right to obtain, from the data controller or data processor, at any time and without restrictions, information about the existence of data concerning them.
6. Principle of Access and Restricted Circulation
Processing is subject to limits derived from the nature of personal data, the provisions of this law, and the Constitution. In this regard, processing can only be carried out by individuals authorized by the data subject and/or as outlined in this policy. Personal data, except for public information, should not be available on the internet or other means of mass disclosure or communication unless access is technically controllable to provide restricted knowledge only to the data subjects or authorized third parties.
7. Principle of Security
The information subject to processing by the data controller or data processor as outlined in this policy must be handled with the technical, human, and administrative measures necessary to secure the records, preventing their tampering, loss, consultation, use, or unauthorized or fraudulent access.
8. Principle of Confidentiality
All individuals involved in the processing of personal data that is not of a public nature are obligated to ensure the confidentiality of the information, even after their relationship with any of the tasks encompassed by the processing has concluded. They may only disclose or communicate personal data when it corresponds to the development of activities authorized in this policy and within the terms outlined herein.
TREATMENT AND PURPOSE
The collection, storage, use, and circulation of the personal data provided by the information subjects, which C & M Consultants S.A.S. will carry out as the data controller, will take place in the course of the company's functions and in accordance with the legal relationship held with each of them:
Visitors

Personal data will be used to maintain a secure record and control of entries and exits from our offices. Likewise, they may be used to address internal emergency plans in situations of risk that may arise during their stay on the premises of C & M Consultants S.A.S.

Customers and Suppliers
Personal data included in contracts and/or documents that support services and/or commercial relationships, provided to all areas of the company, will be used with the purpose of receiving or providing services related to the contractual relationship. This includes informing about changes or new services, fulfilling obligations with our customers and suppliers, assessing service quality, conducting internal studies, and their transmission.
Employees
Personal data will be used during the personnel recruitment process and will serve the purpose of identification, location, communication, contact, and sending information related to the potential hiring process and/or, in the case of an employment, civil, or commercial relationship, regarding the payment of salaries, social benefits, and other compensations stipulated in the employment contract. Additionally, the data may be transmitted to branches within and outside the country for the same purposes.
PROCESSING OF SENSITIVE DATA
The processing of personal data of a sensitive nature is prohibited by law unless explicit, prior, and informed consent is obtained from the data subject, among other exceptions outlined in Article 6 of Law 1581 of 2012. In this case, in addition to meeting the requirements for authorization, C & M Consultants S.A.S. must: (I) Inform the data subject that, due to the sensitive nature of the data, they are not obligated to authorize its processing. (II) Inform the data subject which of the data to be processed are sensitive and the purpose of the processing.
DUTIES OF THE PERSONAL DATA CONTROLLER
  1. Ensure that the data subject, at all times, fully and effectively exercises the right to habeas data.
  2. Request and retain, under the conditions provided in the aforementioned law, a copy of the respective authorization granted by the data subject.
  3. Properly inform the data subject about the purpose of the collection and the rights they are entitled to by virtue of the granted authorization.
  4. Safeguard the information under the necessary security conditions to prevent its tampering, loss, consultation, use, or unauthorized or fraudulent access.
  5. Ensure that the information provided to the data processor is truthful, complete, accurate, up-to-date, verifiable, and understandable.
  6. Update the information by promptly informing the data processor of any changes regarding the data previously provided and take other necessary measures to keep the information supplied to them current.
  7. Rectify the information when it is incorrect and communicate the relevant details to the data processor.
  8. Provide the data processor, as applicable, only with data whose processing has been previously authorized in accordance with the provisions of Statutory Law 1581 of 2012.
  9. Insist that the data processor at all times respects the security and privacy conditions of the data subject's information.
  10. Handle inquiries and complaints in accordance with the terms outlined in Statutory Law 1581 of 2012.
  11. Implement an internal manual of policies and procedures to ensure proper compliance in accordance with Statutory Law 1581 of 2012, especially for addressing inquiries and complaints.
  12. Notify the data processor when certain information is under dispute by the data subject, once a complaint has been filed, and the respective process has not yet concluded.
  13. Provide information to the data subject upon their request regarding the use of their data.
  14. Report to the data protection authority when security breaches occur and there are risks in the management of the data subjects' information.
  15. Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
DUTIES OF DATA PROCESSORS
  1. Ensure that the data subject, at all times, fully and effectively exercises the right to habeas data.
  2. Safeguard the information under the necessary security conditions to prevent its tampering, loss, consultation, use, or unauthorized or fraudulent access.
  3. Promptly carry out the update, correction, or deletion of data in accordance with the provisions of this Personal Data Processing Policy.
  4. Update the information reported by the data controllers within five (5) business days from its receipt.
  5. Handle inquiries and complaints made by data subjects in accordance with the terms outlined in this Personal Data Processing Policy.
  6. Implement an internal manual of policies and procedures to ensure proper compliance in accordance with the provisions of this Personal Data Processing Policy, particularly for addressing inquiries and complaints from data subjects.
  7. Record in the database the label "complaint in progress" as stipulated in Statutory Law 1581 of 2012.
  8. Insert into the database the label "information under judicial discussion" once notified by the competent authority regarding judicial processes related to the quality of personal data.
  9. Refrain from circulating information that is being disputed by the data subject and has been ordered to be blocked by the Superintendence of Industry and Commerce.
  10. Allow access to the information only to individuals who are authorized to access it.
  11. Report to the Superintendence of Industry and Commerce in case of security code violations and risks in the management of data subjects' information.
  12. Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

C & M Consultants S.A.S., as the data controller, may hire or delegate to a legal or natural person as the data processor. Such delegation or hiring must be documented through a written agreement specifying the instructions and responsibilities to be undertaken by the data processor.

In cases where C & M Consultants S.A.S. acts as the data processor in the collection of personal data to fulfill contractual obligations with public or private entities, it will proceed in accordance with the guidelines stipulated in the contracts entered into. Additionally, with a reasonable lead time before the contract's completion, the company will initiate the process of migrating and delivering the collected digital and physical information. This will be done in accordance with the procedures and criteria set by the contracting entity for receiving the information. At no time will C & M Consultants S.A.S. store, archive, or process in its systems any personal data collected during the execution of contractual relationships.

RIGHTS OF DATA SUBJECTS

Know, update, and rectify their personal data before data controllers or data processors. This right can be exercised, among others, in relation to partial, inaccurate, incomplete, or fragmented data, data that leads to error, or data whose processing is expressly prohibited or has not been authorized.

Request proof of the authorization granted to the data controller, except when expressly exempted as a requirement for processing.

Be informed by the data controller or data processor, upon request, about how their personal data has been used.

Lodge complaints with the Superintendence of Industry and Commerce for violations of the provisions of Statutory Law 1581 of 2012 and other regulations that modify, add to, or complement it.

Revoke the authorization and/or request the deletion of data when the processing does not respect constitutional and legal principles, rights, and guarantees. Revocation and/or deletion will be applicable when the Superintendence of Industry and Commerce has determined that, in the processing, the data controller or processor has engaged in conduct contrary to the law and the Constitution.

Access their personal data that has been subject to processing free of charge.

CUSTOMER SERVICE FOR REQUESTS, COMPLAINTS, INQUIRIES, AND CLAIMS

The Administrative Human Talent Management of C & M Consultants S.A.S. is responsible for handling the requests, complaints, inquiries, and claims submitted by the data subject in the exercise of the rights outlined in Section 10 of this Policy.

For this purpose, the data subject or their representative may submit their request, complaint, inquiry, or claim from Monday to Friday, from 8:00 a.m. to 5:00 p.m., to the email address protecciondedatos@cmconsultores.com.co or by calling +57 601 919 5290. Alternatively, they can submit it in physical form at Carrera 13 No. 96 – 67, Office 309 in Bogotá D.C.

PROCEDURE FOR THE EXERCISE OF HABEAS DATA

In compliance with the regulations on the protection of personal data, C & M Consultants S.A.S., as the data controller, outlines the procedure and minimum requirements for the exercise of your rights.

For the submission and handling of your request, we kindly ask you to provide the following information:

  1. Full name.
  2. Contact information (Physical and/or email address and contact phone numbers).
  3. Preferred means of receiving a response to your request.
  4. Reason(s)/fact(s) giving rise to the claim with a brief description of the right you wish to exercise (know, update, rectify, request proof of authorization granted, revoke, delete, access information).
  5. Signature (if applicable) and identification number.

The maximum period stipulated by law to address your claim is fifteen (15) business days, counted from the day following the date of receipt. If it is not possible to address the claim within this period, C & M Consultants S.A.S., as the data controller, will inform the interested party of the reasons for the delay and the date on which the claim will be addressed. This date shall not exceed eight (8) business days following the expiration of the initial term.

Once the deadlines established by Law 1581 of 2012 and other regulations governing or complementing it have been met, the data subject who is denied, in whole or in part, the exercise of the rights of access, update, rectification, deletion, and revocation may bring their case to the attention of the Superintendence of Industry and Commerce - Delegation for the Protection of Personal Data.

EFFECTIVENESS
The present Policy takes effect from May 26, 2020.