Privacy Policy and Treatment of Personal Data

PRIVACY POLICY AND TREATMENT OF PERSONAL DATA

LATIN AMERICAN FEDERATION OF BANKS - FELABAN

The Latin American Federation of Banks - FELABAN, incorporated and existing under the laws of the Republic of Colombia, domiciled in the city of Bogotá, Colombia at Carrera 7 No. 71-21 Oficina 402-2 Torre A, and contact telephone 7451187, hereinafter referred to as "FELABAN" or the "Entity", is an organization that is sincerely committed to your privacy. We take the privacy of your information very seriously, and are committed to protecting the integrity, security and confidentiality of all information that may be associated with or related to you and to which we have access by virtue of our relationship.

The purpose of this Policy regarding the Processing of Information as required by Decree 1377 of 2013 (the "Policy"), and other regulations concerning this matter or which supplement, modify or repeal it, is to guarantee the rights of personal data Owners [Title Holders]; disclose the mechanisms and procedures used to effectively implement these rights; report who within the organization is in charge of addressing consultations, questions, claims and complaints, and, finally, disclose the purposes and types of treatment the personal data will be subject to in pursuit of the organization’s activities.

I. Scope of Application of the Policy

Our Policy applies to any and all collection, storage, use, transfer, transmission, and deletion (generally the "Processing") of information that may be associated with or related to specific or discernible individuals (the "Personal Data"), as well as the Processing carried out by the third parties with which FELABAN agrees to undertake any activity pertaining to or related to the Processing of Personal Data for which FELABAN is responsible.

This Policy shall apply to all Owners who have a relationship with the Entity and/or whose Personal Data have been collected and processed in any way as a consequence or on the occasion of a relationship established with the Entity, whether such Processing is carried out by the Entity or by third parties who do so on behalf of the Entity.

This Policy shall apply to all Processing performed by the Entity and its employees and, where applicable, by those third parties with whom all or part of the performance of any activity related to the Processing of Personal Data is agreed to.

The Policy shall apply to third parties with which the Entity may eventually sign Transmission agreements (as defined below) so that those third parties may be aware of the obligations that apply to them, the goals to which they must submit and the security and confidentiality standards they must adopt when carrying out the Processing on behalf of the Entity.

II. Principal definitions

Expressions in parentheses and in capital letters in this Policy shall have the meaning assigned to them before the parentheses. Non-defined terms shall have the meaning assigned to them by law or case law in Colombia. Notwithstanding the foregoing, the most relevant terms of this Policy are defined below:

Term: Definition
Authorization: The prior, express and informed consent of the Holder/Owner to carry out the Processing.
Authorized: The Entity and all individuals under its responsibility who, by virtue of the Authorization and this Policy, can legitimately undertake Processing.
Privacy Notice: The verbal or written communication produced by the Responsible Party, addressed to the Holder/Owner, informing the Holder/Owner about the existence of the Policy (as defined below), the way to access it and the purpose of the Processing.
Database: Means the organized set of Personal Data subject to Processing, electronic or otherwise, regardless of how they are created, stored, organized and accessed.
Personal Data: Any piece of information of any kind, linked to or capable of being associated with one or more specific or discernible individuals.
Public Data: Means Personal Data characterized as such in accordance with legal mandates or with the Political Constitution and which are not semi-private, private or sensitive. Among others, data about the civil status of individuals, their profession or occupation, their capacity as businessmen/women or public servants, and data that can be obtained without restrictions, are public. Owing to their nature, public data may be contained, among others, in public records, public documents, gazettes and official bulletins, and in unrestricted final and enforceable court rulings.
Sensitive Data: Personal Data capable of affecting the privacy of Holders/Owners or which, if used improperly, could cause discrimination [against the Holder/Owner], such as data that reveal trade union affiliations, racial or ethnic origin, political orientation, religious, moral or philosophical convictions, membership in trade unions, social organizations, human rights organizations or those that promote the interests of political parties or which guarantee the rights and protections of opposition political parties, as well as information about the health and sexual life of Holders/Owners and their biometric data.
Party in Charge: The individual or public or private legal entity which, either on its own or in association with others, undertakes the Processing on behalf of the Responsible Party.
Enabled: This is the legitimacy that is expressly granted by the Entity to a third party, by way of a written contract or similar document and in compliance with applicable law, in order to undertake the Processing, and which converts said third party or parties into a Party in Charge.
Legitimate: Those individuals who can exercise rights as Holders/Owners, such as a Holder/Owner, and who certify their identity using the means at their disposal; successors who certify their capacity as such; the representative and/or attorney-in-fact certified by means of a power of attorney or legal representation; and those who, by means of a stipulation in favor of another or for another, are accredited.
Law: Law 1581 of 2012, Decree 1377, Decree 886 of 2014, Ruling C-748 of 2011 and the case law of the Constitutional Court regarding personal data that sets precedent, and any regulation issued by the government regulating legal precepts in force at the time the Entity initiates Processing, including any modifications to this Law made from time to time and which apply to the Processing performed by the Entity.
Manual: The document that contains the policies and procedures that guarantee proper compliance with the Law.
Policy: Means this document, which contains the information processing policy required by Decree 1377. This decree sets out guidelines and directives regarding the protection of personal data and includes, among others, (i) full identification of the Responsible Party (name, company name, domicile, address, e-mail and telephone); (ii) the ways in which the Data are Processed; (iii) the purposes the data are submitted to; (iv) the Rights of the Holders/Owners; (v) the procedures followed for consultations, claims and complaints and used to exercise the rights of Holders/Owners; and (vi) the individual or unit in charge of servicing all the queries made by Holders/Owners.
Responsible Party: All the individuals to whom this Policy is addressed, and who must comply with the Policy because they perform Processing activities on behalf or in representation of the Entity.
Holder/Owner: The individuals whom the Personal Data located in the Database may refer to and who are subjects of the right to habeas data.
Transfer: The Processing that implies delivery of the information or Personal Data to a receiver, who is a Responsible Party located within or outside the country. In a Transfer the recipient acts as a Responsible Party and is not subject to the terms and conditions of this Policy.
Transmission: Processing that implies delivery of Personal Data inside or outside the territory of the Republic of Colombia with the goal of having the Party in Charge perform Processing for the Responsible Party. In a Transmission the receiver acts as the Party in Charge and is subject to the Policy and the terms set forth in the Transmission agreement.
Treatment: Any systematic operation and procedure, whether electronic or not, that permits the collection, conservation, organization, storage, modification, listing, use, circulation, evaluation, blocking, destruction and, in general, the processing of Personal Data, as well as its delivery to third parties by means of communications, consultations, interconnections, assignments, or data messages.

III. Principles

All Processing undertaken by FELABAN, the Responsible Party, the Party in Charge and/or the third parties to whom Personal Data is Transferred and/or Transmitted shall comply with the principles set forth in the Law and in this Policy, in order to guarantee the right to habeas data of the Holders/Owners. These principles are:

Principle: Description
Restricted access: The Entity may not make access to Personal Data available over the Internet or via other means of communication, unless technical and security measures are in place that control access and restrict it only to Authorized individuals.
Personal Data may not be made available over the Internet or via other means of mass dissemination or communication, unless access can be technically controlled and provides knowledge restricted only to Authorized Holders/Owners or authorized third parties or if the information is public.
Restricted circulation: Personal Data may only be processed by Entity personnel who need to perform such actions in order to comply with their duties. No Personal Data may be provided to third parties within or outside the Republic of Colombia, without Authorization or without signing an agreement in the event of a Transmission.
Confidentiality: The confidentiality of the Personal Data must be preserved and therefore the individuals involved in Processing must maintain this information confidential, even after the ties originating the Processing have been terminated.
Consent: Processing requires Authorization by way of any means amenable to subsequent consultation, including unequivocal conduct in accordance with what is established in Decree 1377.
Purpose: All Processing activities must comply with the legitimate purposes stated in this Policy, and must be reported to the Holder/Owner when his/her authorization is obtained.
Integrity: The Personal Data submitted for Processing must be true, complete, accurate, updated, verifiable and comprehensible. Whenever the Entity holds Personal Data that are partial, incomplete, fractioned or misleading, it must abstain from processing it or request the Holder/Owner to complete or correct that information. The Entity agrees to make its best efforts to maintain the integrity of the Personal Data contained in its Databases and the veracity of same, implementing measures to verify and update the Personal Data.
Security: The Entity must always carry out the Processing by arranging the technical, human and administrative security measures required to maintain the confidentiality and security of the Personal Data. This is in order to prevent any alteration, modification, consultation, use, access, deletion or disclosure of Personal Data by/to unauthorized third parties. The Entity agrees to adjust Processing to any safety standards that may in the future be regulated by the competent authorities.
Separability of Databases: The Entity agrees to keep the Databases in which it acts in the capacity of Party in Charge separate from those in which it has the status of Responsible Party.
Temporality: The Entity shall not use the Personal Data beyond the reasonable term required by the purpose reported to the corresponding Holder/Owner and agrees to implement measures to ensure deletion of the Personal Data when the latter no longer meets the purposes for which it was collected.
Transparency: Upon request by the Holder/Owner, the Entity agrees to provide information about the existence of Personal Data concerning the Holder/Owner or which the latter may Legitimately be entitled to request. The answer provided to the request must be made via the same means or at least via similar means as those used by the Holder/Owner to request information and within the terms established by Law.
Postprocessing: All Personal Data that is not Public Data must be treated by the Responsible Party and the Party in Charge as confidential and subject to the security parameters established by the Superintendence of Industry and Commerce. Upon termination of such ties, said Personal Data must continue to be treated in accordance with the Policy, the Manual and the Law.

IV. Authorization

All Processing must be preceded by obtaining Authorization. To this end, the Entity, its employees and those Authorized agree to obtain, prior to collecting Personal Data, an Authorization signed by the Holder/Owner and shall keep a copy of this document for future reference.

No authorization from the Holder/Owner is required when:

  1. The information is required by a public or administrative entity in the exercise of its legal functions or by court order;
  2. The data are public in nature;
  3. In the event of a medical or sanitary emergency;
  4. The processing of information has been authorized by law for historical, statistical or scientific purposes (as long as the information is rendered anonymous);
  5. The data concern the Civil Registry of Individuals.

V. Treatment and Purposes

In the pursuit of its activities, the Entity shall collect, use, manage, store, transmit, transfer and perform various operations with the Personal Data, for the purposes set forth below or those accepted by the Holder/Owner at the time Personal Data are collected. Likewise, the Party in Charge or the third parties who may access the Personal Data by Law, by contract or by any other binding document, shall undertake Processing for the following purposes:

General

  • Registration of the Holder/Owner in the FELABAN database in order to send Newsletters.
  • For filing purposes or system updates and to protect and undertake custody of the information and databases.
  • When performing campaigns to update Personal Data to ensure their integrity.
  • When sending out modifications made to this Policy, as well as to request new authorizations to Process Personal Data.
  • To supplement information and in general to perform activities required to manage the requests, complaints and claims filed by the Entity’s clients and third parties, and to direct these to the areas responsible for issuing the corresponding responses.
  • To transmit or transfer personal data subject to current regulations, for trade, contractual, commercial, administrative and/or operational purposes. For example, when transmitting or transferring personal information to FELABAN member banking associations for the purposes of organizing congresses and events.
  • Conducting customer satisfaction and service quality surveys and in order to strengthen our customer service channels.
  • For the other purposes determined by the Responsible Party in the process of obtaining Personal Data for Processing, in order to comply with the legal and regulatory obligations of the Entity.
  • In relation to the organization and logistics of all FELABAN events, meetings, congresses and other academic activities.
  • In order to carry out activities that are part of the purpose of FELABAN or to provide information about them.
  • When analyzing and verifying counterparty information in order to control and prevent fraud, money laundering and terrorist financing, including but not limited to consulting publicly accessible lists and credit risk information agencies.
  • In order to produce reports to authorities as required by law.

From the FELABAN Website

  • Registration of the holder/owner of the information contained in the FELABAN marketing database in order to access or send out holder/owner and third party information and notifications about events, publications, studies of interest to the Latin American financial sector, news, novelties, general information, congresses, training programs, business rounds, contests, awards and other academic, social and trade association activities and promotions, among others.
  • Performing marketing activities and sending information about events, publications, studies of interest to the Latin American financial sector, news, general information, conferences, training programs, business rounds, contests, awards and other holder/owner and third party academic, social and trade association activities and promotions, among others.

For the FELABAN Central Registration platform for Congresses and Meetings ("Registration")

  • Creation and feeding of the Registration database.
  • Enrollment of holder/owner information in the Registry.
  • Holding events, seminars, congresses, Annual Meetings and other academic activities.
  • Sending information, invitations and advertising for participation in events, seminars, congresses, annual meetings, business rounds and other academic activities, as attendee, sponsor, lecturer or in a different capacity.
  • For registration as a participant in events, seminars, congresses, annual meetings, business rounds and other academic activities, as attendee, sponsor, lecturer or in a different capacity.
  • In relation to the organization and logistics of all FELABAN events, meetings, congresses and other academic activities.
  • In order to complete transactions, obtain billing data and issue invoices.

For Employees

  • In order to obtain prior judicial, fiscal and disciplinary information and to carry out security studies and home visits.
  • In order to perform performance evaluations.
  • To perform annual general medical exams.
  • To carry out campaigns to update Personal Data.
  • When reporting information to third parties for social welfare and occupational health programs.
  • In order to provide certificates and job references.
  • When managing and updating resumes.
  • In order to manage and make payroll payments and pay payroll taxes as well as social security and all other payments required by law, as well as to prepare reports for authorities as required by the relevant regulations.
  • In order to draft the respective employment agreement.
  • To manage and administer the information contained in files.
  • To conduct video surveillance activities inside and outside the facilities.
  • In order to become acquainted with information about the family and the household.
  • Perform user activations and provide personal passwords.
  • Verify, access and monitor computer equipment and the technology tools to which access is provided.

For attendees and sponsors of events and trainings

  • When making contacts via any means for participation in events, seminars, congresses, annual meetings, forums, talks, seminars, business rounds and other academic activities, as attendee, sponsor, lecturer or in a different capacity (for oneself or for a third party).
  • When sending information and publicity about events, seminars, congresses, annual meetings, forums, talks, seminars, business rounds, contests, prizes and other types of FELABAN social and academic activities (for oneself or for a third party).
  • In order to collect payments owed.
  • To perform attendance studies, statistics and surveys within the context of the purposes of FELABAN.
  • In order to forward publications and studies of interest to the Latin American financial sector, including news, novelties and general information.

For Members of the Board of Governors, Board of Directors and Technical Committees

  • When issuing calls to the respective meetings of the Board of Governors, Board of Directors and Technical Committees.
  • When undertaking various trade association activities as part of the corporate purpose of FELABAN undertaken in coordination with or via said instances according to their competencies, as well as in order to inform about them.
  • In order to coordinate management and activities which according to the bylaws correspond to said instances.
  • In order to forward publications and studies of interest to the Latin American financial sector, including regulations, news, novelties and in general, information, documents and publications of interest to the Latin American financial sector.
  • In order to coordinate and send information about events, congresses, training programs, seminars, annual meetings, forums, talks, seminars, business rounds, contests, awards and other FELABAN academic, social and trade association activities or those in which it participates.

For officials of regional Financial Institutions, multilateral organizations and other individuals, entities or authorities with which FELABAN has a relationship as part of its trade association activities

  • In order to deliver information relevant to the Latin American financial sector such as economic, legal and technical studies, among others, including regulations, news, novelties and general documents and publications of interest to the regional financial sector.
  • When establishing contact via any means in order to report about events, congresses, training programs, seminars, annual meetings, forums, talks, seminars, business rounds, contests, awards and other FELABAN academic, social and trade association activities or those in which FELABAN participates.
  • To carry out activities as part of the purpose of FELABAN or to provide information about them.
  • To conduct surveys about matters of importance to the Latin American financial sector.

For Suppliers

  • To contact potential suppliers of goods and services.
  • To register the information of FELABAN goods and services providers.
  • When contacting and carrying out formalities regarding the fulfillment of obligations.
  • In order to create the accounting records of transactions performed with suppliers.

VI. The Rights of Holders/Owners of Personal Data

In accordance with the provisions of Law 1581 of 2012, FELABAN informs you that as a Holder/Owner of Personal Data, you have the following rights:

  1. [The right to] know, update and correct your Personal Data;
  2. Request proof of the authorization granted for the processing of your personal data;
  3. Enjoy free access to the Personal Data that are subject to Processing;
  4. [The right to] be informed about the Processing that your Personal Data are subject to;
  5. [The right to] fully or partially revoke the Authorization, provided the Holder/Owner is under no legal or contractual obligation to the Entity whereby said Personal Data must remain in Entity Databases and/or be Processed by the Entity.
  6. Request deletion of Personal Data from the Entity Databases, provided the Holder/Owner is under no legal or contractual obligation to the Entity whereby said Personal Data must remain in Entity Databases.
  7. Submit complaints to the Superintendence of Industry and Commerce regarding violations of the Law when the admissibility requirement has been exhausted and you have already gone before the Entity in the first instance.

Holders/Owners may exercise their rights under the Law and carry out the procedures set forth in this Policy by presenting their citizenship card or any other ID. Minors may exercise their rights in person or by way of their parents or adults with parental authority, who must demonstrate this capacity by means of the relevant documentation. Likewise, all Holder/Owner rights may be exercised by whoever is deemed Legitimate by presenting the respective document.

VII. Personal Data Protection Officer

The Entity has appointed someone to be in charge of receiving and servicing Consultations and Claims regarding Personal Data, and that is Mr. Deiby Ramírez, the FELABAN Communications Advisor. Mr. Ramírez will process queries and claims regarding Personal Data in accordance with the Law, the Manual and this Policy. His contact details are as follows:

Contact details of the person and/or area in charge
Unit, individual and/or area responsible for data protection matters: Deiby Ramírez
Physical address: Cra 7 No. 71-21 Oficina 401-2 Torre A
E-mail address: [email protected]
Telephone: 7451187
Position of the contact person: Press and Communications Advisor

VIII. Procedure for exercising your rights

Any query or complaint regarding Personal Data will be handled by the area in charge, which may be contacted at the following email address: [email protected].

A. Queries/Consultations

Holders/Owners, those who are Legitimate, and the representatives of minors may submit queries/consultations regarding:

  • Holder/Owner Personal Data contained in FELABAN Databases
  • The Processing these are subject to
  • The purposes they are intended to fulfill

The person responsible for servicing the consultation shall answer the individual making the request provided the latter is entitled to that owing to his/her capacity as Holder/Owner, as someone who is Legitimate or as legal representative of a minor. This response shall be sent within ten (10) business days from the date the request is received by FELABAN.

If the request is not answered within ten (10) business days, you will be contacted by FELABAN to inform you of the reasons why your query cannot be serviced and the date by which it will be answered, a date which in no case may exceed five (05) business days following the expiration of the first term. To this effect the same means used to submit the consultation, or a similar one, shall be used.

The final response to all requests must be provided at the latest within fifteen (15) business days from the date on which the initial request was received by FELABAN. For this reason, FELABAN will follow up on the consultations presented.

B. Claims

Claims may be filed by Holders/Owners, parties who are deemed Legitimate or by the representatives of minors, regarding the following:

  • Personal data processed by FELABAN that need to be corrected, updated or deleted;
  • Alleged breach of the duties and obligations of FELABAN.

Claims must be filed by the Holder/Owner, a party recognized as Legitimate or by a representative if the Holder/Owner is a minor, as follows:

  • Deiby Ramírez should be contacted by email at [email protected]
  • The claim must include the name and ID document of the Holder.
  • The claim must contain a description of the facts giving rise to the claim and the objective pursued (an update, correction or deletion, or compliance with duties).
  • It should include the address, contact information and identification of the claimant.
  • It must be accompanied by all the documentation that the claimant wishes to assert. Complaints must contain the following information:

If the claim or additional documentation is incomplete, FELABAN will require you to remedy deficiencies within five (5) business days after receipt of the communication. If you do not submit the required documentation and information within two (2) months of the date of the initial claim, you will be deemed to have waived the initial claim.

The maximum term allowed to address the claim is fifteen (15) business days counted from the day following the date of its receipt. When it is not possible to service the claim within said term, the interested party shall be informed of the reasons for the delay and the date by which the claim will be serviced, and in no case may this exceed eight (8) working days following the expiration of the first term.

Once the claim with complete documentation has been received, it will be included in the FELABAN Database containing the Personal Data of the Holder/Owner that are subject to the claim, together with a caption reading "claim in process" and the reason for same, within a period of not more than two (2) business days. This caption must be held until the claim is decided.

You may revoke your consent at any time by means of a written notice sent to Mr. Deiby Ramírez, FELABAN Communications Advisor, at the above address.

If the claim specifically consists of a request to delete Personal Data, this shall proceed if the deletion does not hinder judicial or administrative actions related to fiscal obligations, the investigation and prosecution of crimes or updates regarding administrative sanctions, and when there is no legal or contractual obligation for them to remain in the Database.

IX. Transfers and Transmissions

FELABAN will only use Personal Data in the manner in which you authorize their use, and will Transmit them to third parties for the purposes described herein, and to the competent judicial and administrative authorities, when required by them.

For the transfer or transmission of Personal Data to Responsible third parties located abroad or in Colombia, FELABAN shall obtain an express and unequivocal authorization from the Holder/Owner to that effect, or will do so based on any other of the hypotheses that may be contemplated in applicable legislation for this, including those set forth in Law 1581 of 2013 and Decree 1377 of 2013.

FELABAN shall apply the remaining regulations regarding the Transfer and Transmission of Personal Data.

X. Sensitive Data

Within the framework of its activities, the Entity may collect and Process Sensitive Data, such as medical information and images, photographs and/or voice recordings. In such cases the Data Holders/Owners will be informed so they may freely provide their independent consent to the Processing of such Sensitive Data.

Sensitive Data shall be processed with the greatest possible diligence and the highest security standards. For this purpose, the Entity area in charge shall internally develop procedures to maintain at all times the confidentiality and integrity required by said Sensitive Data. Limiting access to Sensitive Data will be a guiding principle in safeguarding the privacy of Sensitive Data, so that only authorized personnel may access such information.

The Authorization for the Processing of Sensitive Data is optional and entirely dependent on the discretion of the Holder/Owner, and therefore a Holder/Owner may choose to not Authorize the Processing of his/her Sensitive Data, and this decision shall be respected by the Entity, except if there is a legal duty to provide them.

XI. Security Policy

FELABAN agreed to take effective, appropriate and reasonable measures to protect your Personal Data and the information obtained from you from loss, undue and unauthorized use or alteration.

XII. Links to Other Websites

The portal http://www.felaban.net/ may contain links to other websites owned by third parties (such as, for example, the websites of FELABAN banking association members). If you decide to visit any of these websites, you should be aware that each portal has a different privacy policy, and for this reason we accept no responsibility for the information or Personal Data you may provide outside our site.

XIII. Validity of the Personal Data Processing Policy

This Policy shall be in force as long as FELABAN performs the same functions it currently performs, in accordance with its corporate purpose.

XIV. Policy Modifications

Any changes to this Policy shall be posted on this same website.