0

Terms and conditions

Through Law 1581 of the year 2012, the general regime for the treatment of personal data was enacted. This law, in its purpose, upholds the constitutional right that all individuals have to know, update, and rectify the information collected about them in databases or records, along with other rights established in Articles 15 and 20 of the Political Constitution.
Decree 1377 of July 27, 2013, regulated Law 1581 of the year 2012 for its implementation and application.
In compliance with the aforementioned law and the respective regulatory decree, it becomes necessary to adopt an internal manual of policies and procedures for the protection of information and personal data of individuals who have had or currently have a relationship with Harry Pastelería Artesanal. The purpose of this manual is to fulfill the guarantees and instruments established in the aforementioned law.

Shipping policy

By accepting our terms and conditions, you also agree to adhere to our detailed shipping policy outlined in shipping information. This includes compliance with delivery schedules, coverage areas, and handling additional charges in case of changes to delivery addresses. We strongly recommend reading our shipping policy carefully before completing your purchase.

CHAPTER I GENERAL PROVISIONS

ARTICLE 1 - APPLICABLE LEGISLATION: This manual has been prepared based on the provisions contained in Law 1581 of 2012, in development of Articles 15 and 20 of the Political Constitution.

ARTICLE 2 - SCOPE OF APPLICATION: This manual applies to the processing of personal data collected, stored, managed, and used by Harry Pastelería as part of its business activities.

ARTICLE 3 - DATABASES: The policies and procedures contained in this manual apply to the databases managed by the Company, and their validity extends throughout the time in which Harry Pastelería conducts its business activities.

ARTICLE 4 - PURPOSE: This manual aims to ensure compliance with what is provided in paragraph k) of Article 17 of Law 1581 of 2012, which lists the duties of those responsible for processing personal data. This includes the obligation to adopt an internal manual of policies and procedures to ensure the proper compliance with the law, especially the procedure for addressing inquiries and claims related to the data and images collected, as well as the handling and processing of personal data obtained by Harry Pastelería as part of its operations.

ARTICLE 5 - DEFINITIONS: For the application of the rules contained in this manual and in accordance with Article 3 of Law 1581 of 2012, the definitions provided in the law will be used. These definitions are as follows:

  • Authorization: Prior, express, and informed consent of the Data Subject to carry out the Processing of personal data.
  • Privacy Notice: A physical, electronic, or any other format document generated by the Data Controller and made available to the Data Subject for the processing of their personal data. The Privacy Notice communicates to the Data Subject the information related to the existence of information processing policies applicable to them, the way to access such policies, and the characteristics of the data processing that is intended for personal data.
  • Database: An organized set of personal data or images that are subject to Processing.
  • Personal Data: Any information linked or that can be associated with one or more specific or identifiable natural persons.
  • Public Data: Data qualified as such according to the mandates of the law or the Political Constitution, and data that is not semi-private, private, or sensitive. Public data includes, among others, information related to the marital status of individuals, their profession or occupation, their status as a merchant or public servant, and any data that can be obtained without any reservation. By its nature, public data may be contained, among other places, in public records, public documents, official gazettes, and bulletins.
  • Private Data: Data that, due to its intimate or confidential nature, is only relevant to the Data Subject.
  • Sensitive Data: Sensitive data refers to data that affects the Data Subject's privacy or whose misuse could lead to discrimination. Such data includes those that reveal racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations, or promotion of interests of any political party, as well as data related to health, sexual life, and biometric data.
  • Data Processor: A natural or legal person, whether public or private, who, on their own or in association with others, processes personal data on behalf of the Data Controller.
  • Data Controller: A natural or legal person, whether public or private, who decides on the basis of data and/or the Processing of data.
  • Data Subject: A natural person whose personal data is subject to Processing.
  • Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion of such data.

ARTICLE 6 - PRINCIPLES. Harry Pastelería: The company embraces, respects, and applies each and every one of the principles established in Article 4 of Law 1581 of 2013. These principles serve as the general guidelines for the collection, use, and processing of personal data.

CHAPTER II AUTHORIZATION

ARTICLE 7 - AUTHORIZATION: The collection, storage, use, circulation, or deletion of personal data by Harry Pastelería requires the free, prior, express, and informed consent of the data subject. Harry Pastelería, as the data controller, has established the necessary mechanisms to obtain authorization from data subjects, ensuring that the granting of such authorization can be verified in all cases.

PARAGRAPH: EXCEPTIONS: The authorization of the Data Subject is not required in the following cases:

  • a) Information required by a public or administrative entity in the exercise of its legal functions or by a court order.
  • b) Data of a public nature.
  • c) Information processing authorized by law for historical, statistical, or scientific purposes.
  • d) Images recorded by the company's security cameras.

Anyone who accesses personal data without prior authorization must, in any case, comply with the provisions of the law.

ARTICLE 8 - FORM AND MECHANISMS TO GRANT AUTHORIZATION: Authorization can be documented in a physical, electronic, or any other format that allows for subsequent consultation. Authorization will be issued by Harry Pastelería and will be made available to the data subject before the processing of their personal data, in accordance with what is established in Law 1581 of 2012. With the consented authorization procedure, it is ensured that the data subject has been informed that their personal information will be collected and used for specific and known purposes, and that they have the option to learn about any alterations to the data and the specific use that has been made of it. This is done so that the data subject can make informed decisions regarding their personal data and control the use of their personal information. Authorization is a statement that informs the data subject of the following:

  • Who collects (data controller or data processor).
  • What is collected (the data that is gathered).
  • Why the data is collected (the purposes of processing).
  • How to exercise rights of access, correction, update, or deletion of the provided personal data.
  • If sensitive data is being collected.

ARTICLE 9 - PROOF OF AUTHORIZATION: Harry Pastelería will take the necessary measures to keep records of when and how they obtained authorization from data subjects for the processing of their data.

ARTICLE 10 - PRIVACY NOTICE: The Privacy Notice is the physical, electronic, or any other format document made available to the Data Subject for the processing of their personal data. Through this document, the Data Subject is informed about the existence of the information processing policies that will apply to them, how to access them, and the characteristics of the processing that will be applied to the personal data.

ARTICLE 11 - MINIMUM CONTENT OF THE PRIVACY NOTICE: The Privacy Notice, at a minimum, must contain the following information:

  • The identity, address, and contact information of the Data Controller.
  • The type of processing to which the data will be subject and its purpose.
  • The general mechanisms provided by the Data Controller for the Data Subject to access the information processing policy and any substantial changes to it. In all cases, it must inform the Data Subject how to access or consult the information processing policy.

ARTICLE 12 - PRIVACY NOTICE AND INFORMATION PROCESSING POLICIES: Harry Pastelería will retain the model of the privacy notice sent to Data Subjects while the processing of personal data is ongoing and the obligations derived from it persist. For the storage of the model, Harry Pastelería may use computer, electronic, or any other technology.

CHAPTER III RIGHTS AND DUTIES

ARTICLE 13 - RIGHTS OF DATA SUBJECTS: In accordance with Article 8 of Law 1581 of 2012, data subjects have the following rights:

  • Know, update, and rectify their personal data in relation to Harry Pastelería, as the data controller.
  • Request proof of the authorization granted to Harry Pastelería, as the Data Controller.
  • Be informed by Harry Pastelería upon request regarding the use that has been made of their personal data.
  • Submit complaints to the Superintendency of Industry and Commerce for violations of the provisions of Law 1581 of 2012, once they have completed the consultation or complaint process with the Data Controller.
  • Revoke the authorization and/or request the deletion of the data when the processing does not respect constitutional and legal principles, rights, and guarantees.
  • Access their personal data that has been subject to processing free of charge.

ARTICLE 14 - DUTIES OF Harry Pastelería REGARDING THE PROCESSING OF PERSONAL DATA: Harry Pastelería will bear in mind at all times that personal data is the property of the individuals to whom it refers, and that only they can decide on the data. In this sense, it will use the data only for the purposes for which it is duly authorized, and always respecting Law 1581 of 2012 on data protection.
In accordance with the provisions of Article 17 of Law 1581 of 2012, Harry Pastelería undertakes to comply permanently with the following duties in relation to the processing of personal data:

  • Guarantee the Data Subject, at all times, the full and effective exercise of the right to habeas data.
  • Keep the information under the necessary security conditions to prevent its alteration, loss, unauthorized or fraudulent access, consultation, or use.
  • Perform the updating, rectification, or deletion of data in a timely manner, as provided in Articles 14 and 15 of Law 1581 of 2012.
  • Process the queries and claims submitted by the Data Subjects in the terms indicated in Article 14 of Law 1581 of 2012.
  • Include the legend "information under judicial discussion" in the database once notified by the competent authority about judicial processes related to the quality or details of personal data.
  • Refrain from circulating information that is being disputed by the Data Subject and whose blocking has been ordered by the Superintendency of Industry and Commerce.
  • Allow access to information only to those individuals who are authorized to access it.
  • Inform the Superintendency of Industry and Commerce when security codes are violated and there are risks in the administration of Data Subject information.
  • Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

Paragraph: In the processing of information and personal data, the prevailing rights of children and adolescents will be respected.
The processing of personal data of children and adolescents is prohibited, except for data that is of public nature or is strictly necessary for the provision of the service.

CHAPTER IV ACCESS, CONSULTATION, AND COMPLAINT PROCEDURES

ARTICLE 15 - RIGHT OF ACCESS: The power of control or decision that the data subject has over the information concerning them necessarily entails the right to access and find out if their personal information is being processed, as well as the scope, conditions, and generalities of such processing. In this way, Harry Pastelería must ensure the data subject's right of access through three means:

  • The first means that the data subject can determine the actual existence of the processing to which their personal data is subjected.
  • The second means that the data subject can access their personal data held by the data controller.
  • The third means implies the right to know the essential circumstances of the processing, which translates into the duty of Harry Pastelería to inform the data subject about the type of personal data being processed and each of the purposes justifying the processing.

Paragraph: Harry Pastelería will ensure the right of access when, upon verification of the identity of the data subject or their representative, the details of personal data are made available to them, free of charge, through electronic means that allow the data subject direct access to them. This access must be provided without a time limit and must allow the data subject the possibility to view and update their data.

ARTICLE 16 - CONSULTATION: In accordance with Article 14 of Law 1581 of 2012, data subjects or their successors may inquire about the personal information of the data subject that is stored in any database. Therefore, Harry Pastelería will guarantee the right of consultation, providing data subjects with all the information contained in the individual record or related to the identification of the data subject. To address requests for personal data consultation, Harry Pastelería ensures:

  • Enabling electronic communication methods or others deemed relevant.
  • Establishing forms, systems, and other simplified methods, which must be communicated in the privacy notice.
  • Using customer service or claims services currently in operation. In any case, regardless of the mechanism implemented for handling consultation requests, they will be addressed within a maximum of ten (10) business days from the date of receipt. When it is not possible to respond to the consultation within this term, the interested party will be informed before the expiration of the 10 days, stating the reasons for the delay and indicating the date on which their consultation will be addressed, which in no case may exceed five (5) business days from the expiration of the initial deadline.

ARTICLE 17 - COMPLAINTS: In accordance with Article 14 of Law 1581 of 2012, the data subject or their successors who believe that the information contained in a database should be corrected, updated, or deleted, or who observe the alleged non-compliance with any of the duties contained in Law 1581 of 2012, may file a complaint with the Data Controller, which will be processed according to the following rules:

  • If the received complaint does not contain complete information that allows it to be processed, that is, with the identification of the data subject, a description of the facts that give rise to the complaint, the address, and the accompanying documents to be invoked, the interested party will be required to rectify the deficiencies within five (5) days of receipt. If two (2) months have elapsed since the date of the requirement, and the applicant has not submitted the requested information, it will be understood that they have withdrawn the complaint. If, due to any circumstances, Harry Pastelería receives a complaint that should not actually be directed to them, they will forward it to the appropriate entity within a maximum of three (3) business days and inform the interested party of the situation.
  • Once the complete complaint is received, a legend will be included in the database maintained by Harry Pastelería indicating "complaint in process" and the reason for it within a period not exceeding two (2) business days. This legend must be maintained until the complaint is resolved. The maximum term for handling the complaint will be fifteen (15) business days from the day following the date of receipt. If it is not possible to handle it within this period, the interested party will be informed before the expiration of the aforementioned period of the reasons for the delay and the date on which their complaint will be addressed, which may not, in any case, exceed eight (8) business days from the expiration of the initial term.

ARTICLE 18 - IMPLEMENTATION OF PROCEDURES TO GUARANTEE THE RIGHT TO FILE COMPLAINTS: At any time and free of charge, the data subject or their representative may request Harry Pastelería to rectify, update, or delete their personal data, upon verification of their identity. The rights of rectification, updating, or deletion can only be exercised by:

  • The data subject or their successors, upon verification of their identity, or through electronic tools that allow them to identify themselves.
  • The data subject's representative, upon verification of the representation.
  • When the request is made by a person other than the data subject and it is not proven that they are acting on behalf of the data subject, it will be considered as not presented. The request for rectification, updating, or deletion must be submitted through the means provided by Harry Pastelería indicated in the privacy notice and must contain, at a minimum, the following information:
    • The name and address of the data subject or any other means to receive a response.
    • Documents proving the identity or the representative's capacity.
    • A clear and precise description of the personal data regarding which the data subject seeks to exercise one of the rights.
    • In certain cases, other elements or documents that facilitate the location of the personal data.

Paragraph 1. RECTIFICATION AND UPDATING OF DATA: There is an obligation to rectify and update, at the request of the data subject, their information that is incomplete or inaccurate, in accordance with the procedure and terms outlined above. In this regard, it should be noted:

  • In requests for rectification and updating of personal data, the data subject must indicate the corrections to be made and provide the documentation supporting their request. Harry Pastelería has complete freedom to enable mechanisms that facilitate the exercise of this right, as long as they benefit the data subject. Consequently, electronic means or others that are deemed relevant may be enabled.
  • Harry Pastelería may establish forms, systems, and other simplified methods, which must be communicated in the privacy notice and made available to interested parties on the website.
  • Harry Pastelería will use the customer service or claims services it has in operation, as long as the response times are not greater than those indicated by Article 15 of Law 1581 of 2012. Each time Harry Pastelería makes a new tool available to facilitate the exercise of data subject rights or modifies existing ones, it will inform this through its website.

Paragraph 2 - DELETION OF DATA: The data subject has the right, at any time, to request the deletion (elimination) of their personal data from Harry Pastelería when:

  • They believe that it is not being processed in accordance with the principles, duties, and obligations established in Law 1581 of 2012.
  • It is no longer necessary or relevant for the purpose for which it was collected.
  • The period necessary for the fulfillment of the purposes for which it was collected has elapsed. This deletion implies the total or partial elimination of personal information as requested by the data subject in records, files, databases, images, or processing carried out by Harry Pastelería. It is important to note that the right to deletion is not absolute, and the data controller may deny the exercise of it when:
    • Requests for deletion of information will not proceed when the data subject has a legal or contractual duty to remain in the database.
    • Deletion of data obstructs judicial or administrative actions related to tax obligations, the investigation and prosecution of crimes, or the enforcement of sanctions.
    • The data is necessary to protect the legally protected interests of the data subject, to take action in the public interest, or to fulfill an obligation legally acquired by the data subject.

If the deletion of personal data is appropriate, Harry Pastelería must carry out the deletion in a way that prevents the recovery of the information.

ARTICLE 19 - REVOCATION OF AUTHORIZATION: Data subjects may revoke their consent to the processing of their personal data at any time, provided that it is not prevented by a legal provision. To do this, Harry Pastelería must establish simple and free mechanisms that allow the data subject to revoke their consent, at least through the same means by which it was granted. It should be noted that there are two ways in which the revocation of consent can occur. The first may be for all the consented purposes, that is, Harry Pastelería must stop processing the data subject's data completely. The second may occur for specific types of processing, such as for advertising or market research purposes. In the second scenario, the partial revocation of consent, other processing purposes with which the data subject agrees, in accordance with the granted authorization, will be unaffected. Therefore, when the data subject submits a request to revoke consent to Harry Pastelería, they must indicate whether the revocation they intend to make is total or partial. In the second scenario, it must be indicated which processing the data subject does not agree with. There will be cases in which consent, due to its necessary nature in the relationship between the data subject and the controller for the fulfillment of a contract, by legal provision, cannot be revoked. The mechanisms or procedures that Harry Pastelería establishes to address requests for revocation of consent may not exceed the deadlines for addressing claims as set out in Article 15 of Law 1581 of 2012.

CHAPTER V INFORMATION SECURITY

ARTICLE 20 - SECURITY MEASURES: In accordance with the security principle established in Law 1581 of 2012, Harry Pastelería will adopt the technical, human, and administrative measures that are necessary to ensure the security of records, preventing their alteration, loss, unauthorized or fraudulent access or use.

ARTICLE 21 - IMPLEMENTATION OF SECURITY MEASURES: Harry Pastelería will maintain security protocols that are mandatory for personnel with access to personal data and information systems.

CHAPTER VI PURPOSES IN THE COLLECTION, USE, AND PROCESSING OF PERSONAL DATA

ARTICLE 22 - PURPOSE OF INFORMATION COLLECTION: Harry Pastelería, in the pursuit of its corporate objectives and its relationships with third parties, including customers, employees, suppliers, creditors, and economic associates, continuously collects Personal Data to carry out various purposes and uses, including:

  • Administrative, commercial, promotional, informational, marketing, and sales purposes.
  • Offering commercial services, conducting promotional campaigns, marketing, and advertising.
  • Building closer relationships with all its customers, suppliers, employees, and associated third parties.
  • Providing protection and security at points of sale in case of criminal incidents, for which video, audio, or photographic means may be used as evidence in legal proceedings.

In the contractual relationship between Harry Pastelería and its employees and their families regarding the obligations, responsibilities, and duties inherent to the relationship, Personal Data will be processed for the following purposes:

  • Assessing and analyzing employees' competencies to contribute to their personal and professional growth within the organization.
  • Developing strategies and activities for personal and family well-being and improving living conditions.
  • Conducting health campaigns for employees and their families, as needed.
  • Managing employee information in connection with their relationships with banks, employee funds, and other third parties as authorized by the employee.
  • Using the image and voice of the employee and/or their family through illustrations, photographs, recordings, or videos for advertising purposes related to Harry Pastelería's sales promotions or internal company activities, through media and methods chosen by the company, for an indefinite period and without any compensation.
  • Providing the personal information required by third parties that provide services to Harry Pastelería, such as those related to academic activities, legal services, sports, celebrations, insurance, international cooperation, and other activities necessary for productivity, competitiveness, and the fulfillment of Harry Pastelería's obligations.
  • Communicating to the public, through traditional and/or virtual media, activities related to corporate social responsibility involving stakeholders.
  • Using the information as evidence in cases of minor or serious violations of internal labor regulations.

PARAGRAPH: The Personal Data collected and processed may exist in physical, video, audio, photographic, biometric, or electronic formats, and it will be securely protected according to the nature of the information being processed. In this regard, Harry Pastelería may take the following actions:

  • Obtaining, storing, compiling, exchanging, updating, collecting, processing, reproducing, and/or disposing of the data or information, whether in part or in whole, with the appropriate authorization as required by law and in formats deemed appropriate for each case.
  • Classifying, organizing, and separating the information provided by the data subjects.
  • Conducting investigations, comparisons, verifications, and validations of Personal Data obtained in the proper manner with credit risk central agencies with which commercial relationships exist.
  • Sharing information obtained in accordance with the Habeas Data law with companies that provide data capture, storage, and management services, provided they have obtained the necessary authorizations for this purpose.
  • Transferring data or information, whether in part or in whole, to affiliated entities.
  • Harry Pastelería may transfer such data or information, whether in part or in whole, to its businesses and companies to enable Harry Pastelería to offer its products and/or services to its customers in a more personalized and direct manner, as well as to send out advertising information about its own brands through mailing, SMS, direct mail, and to market all voluntarily provided data and information.
  • Using all information obtained in physical, video, audio, photographic, or electronic format in legal and judicial procedures as required.