1. OBJECTIVES

Regulate the processing of personal data carried out by Corporación Parque Explora.
Provide a prompt and lawful response to requests and claims made by Data Subjects, their successors, or any other person with proper authorization.
Comply with the requirements of current regulations on the Protection of Personal Data, as well as any requirements arising from the principle of accountability.
Provide due protection to the interests and needs of the data subjects whose personal information is processed by Corporación Parque Explora.

2. SCOPE

These provisions apply to all types of information that allow linking or associating one or more identified or identifiable natural persons, and that are processed by Corporación Parque Explora, as Data Controller and/or as Data Processor, in accordance with Law 1581 of 2012 and related regulations.

All processes at Corporación Parque Explora that involve the processing of personal data must adhere to this Policy and Procedure.

Corporación Parque Explora prohibits access, use, management, transfer, disclosure, storage, and any other processing of personal data without the authorization of the data subject.

3. GLOSSARY

3.1 Authorization

The Data Subject’s prior, express, and informed consent to carry out the processing of personal data.

3.2 Privacy Notice

Verbal or written communication from the Controller and/or Processor, addressed to the Data Subject, informing them about the existence of the information processing policies applicable to them, how to access such policies, the purposes of the processing, their rights, among others.

3.3 Personal Data Base

Any organized set of personal data subject to processing.

3.4 Database Custodian

The natural person who has custody of the personal data base within Corporación Parque Explora.

3.5 Sensitive Personal Data

A special category of personal data that affects the privacy of the Data Subject or whose misuse may cause discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social or human rights organizations, or that promotes interests of any political party or guarantees the rights of opposition parties, as well as data related to health, sex life, and biometric data.

3.6 Semi-private Personal Data

Data that are not intimate, reserved, or public, whose knowledge may interest not only the data subject but also a certain sector or group of people or society in general, such as financial and credit data on commercial or service activity.

3.7 Private Personal Data

Data that, due to their intimate or reserved nature, are only relevant to the Data Subject.

3.8 Personal Data

Any data and/or information that identifies a natural person or makes them identifiable. It may be numeric, alphabetic, graphic, visual, biometric, audio, profile data, or of any other type.

3.9 Public Data

Data that are neither private nor semi-private, or those classified as such by law, such as the civil status of individuals.

3.10 Data Processor

The natural or legal person, public or private, who, by itself or in association with others, processes personal data on behalf of the Data Controller.

3.11 Habeas Data

The fundamental right of every person to know, update, rectify, and/or delete the information and personal data collected about them and/or processed in public or private databases, in accordance with the law and applicable regulations.

3.12 Data Controller

The natural or legal person, public or private, who, by itself or in association with others, decides on the database and/or the Processing of data.

3.13 Personal Data Subject (“Data Subject”)

The natural person whose data are subject to processing.

3.14 Data Processing

Any operation or set of operations on personal data, such as collection, storage, use, circulation, and deletion.

4. Policy Description

In compliance with Article 15 of the Political Constitution of Colombia, which establishes the constitutional right of all persons to know, update, and rectify information collected about them in databases or files of public and private entities, as well as Law 1581 of 2012 and its regulatory decrees, Corporación Parque Explora adopts this Personal Data Processing Policy and Procedure.

4.1 Audience

This Policy and Procedure applies and is binding on the following persons:

Data Subjects of personal data.
Those who acquire the status of Data Controllers and Data Processors.
Employees of Corporación Parque Explora, regardless of position.
Natural or legal persons, public, private, or mixed, with whom there is or has been a legal relationship of a commercial, contractual, conventional, or similar nature.
Any other persons established by law.
Employees, contractors, and partners of Corporación Parque Explora, in the course of their activities, must comply with the data protection regime, which is included in individual employment or similar, civil, commercial, conventional, and other contracts.

Corporación Parque Explora will carry out educational and/or training campaigns it deems pertinent so that the areas that process personal data understand the law and the measures adopted to ensure compliance.

4.2 Data Controller

The Data Controller is:

Corporación Parque Explora, NIT 900145472, located at Carrera 52 # 73-75, Medellín, Antioquia.

Such processing may be manual and/or automated.

4.3 Roles and Responsibilities for Personal Data Protection Compliance

The Executive Directorate is primarily responsible for ensuring proper personal data processing within Corporación Parque Explora and must implement all necessary actions to comply with the regulatory framework for personal data protection.

4.4 Principles Applicable to Personal Data Processing

Corporación Parque Explora must guarantee compliance with and observance of the principles described below in the processing of personal data.

These principles are those set out in international standards, Colombian laws, and the case law of the Constitutional Court regarding fundamental rights linked to personal data, including:

4.4.1 Purpose Principle

Data Processing must serve a legitimate purpose in accordance with the Constitution and the Law, which must be specifically and precisely communicated to the Data Subject in advance so that they can give consent.

4.4.2 Accuracy/Quality Principle

Corporación Parque Explora will endeavor to ensure that the information collected is truthful, complete, accurate, up-to-date, verifiable, and understandable.

4.4.3 Transparency Principle

The Data Subject’s right to obtain from the Data Controller or Data Processor, at any time and without restrictions, information regarding the existence of data concerning them must be guaranteed.

4.4.4 Relevance Principle

The personal data obtained by Corporación Parque Explora must be adequate, relevant, and not excessive, taking into account the purpose of processing.

4.4.5 Restricted Access and Circulation Principle

Processing is subject to the limits derived from the nature of personal data and the provisions of Law 1581 of 2012, the Political Constitution of Colombia, and other rules that modify, add to, or complement them.

Personal data may only be used for the purposes that have been informed to the data subject. Processing may only be carried out by persons authorized by the Data Subject and/or by persons provided for by said Law and its regulatory decrees.

Personal data accessed or obtained by Corporación Parque Explora, except public information, may not be available on the Internet or other mass disclosure or communication media, unless access is technically controllable to provide restricted knowledge only to Data Subjects or authorized third parties.

4.4.6 Security Principle

Information subject to Processing by the Data Controller or Data Processor must be handled with the technical, human, and administrative measures necessary to provide security to the data and prevent its accidental or unlawful destruction, alteration, loss, consultation, use, disclosure, or unauthorized or fraudulent access, in accordance with Law 1581 of 2012, its regulatory decrees, and other applicable rules.

4.4.7 Storage Limitation (Temporality) Principle

Corporación Parque Explora may only process personal data for as long as is reasonable and necessary, according to the purposes that justified the processing, taking into account applicable provisions and the administrative, accounting, tax, legal, and historical aspects of the information.

Once the purpose for which the personal data were collected and/or processed has been fulfilled, Corporación Parque Explora must cease its use and adopt the pertinent security measures and archival instruments.

4.4.8 Confidentiality Principle

Corporación Parque Explora and all persons involved in the Processing of personal data that are not public are obliged to guarantee the confidentiality of the information, even after their relationship with any of the tasks comprising the processing has ended. Disclosure or communication of personal data may only be made when it corresponds to the development of activities authorized by law.

4.5 Data Subject Rights

Corporación Parque Explora recognizes that personal data subjects enjoy the fundamental right to Habeas Data and that the exercise of this right is free of charge, which materializes in the following:

Know, update, and rectify their personal data with the Data Controllers or Data Processors. This right may be exercised, among others, with respect to partial, inaccurate, incomplete, fragmented data, data that lead to error, or those whose Processing is expressly prohibited or has not been authorized.
Request proof of the authorization granted to the Data Controller, except when authorization is expressly exempted as a requirement for Processing, in accordance with Article 10 of Law 1581 of 2012, its regulatory decrees, and other applicable rules.
Be informed by the Data Controller or the Data Processor, upon request, regarding the use given to their personal data.
File complaints with the Superintendence of Industry and Commerce for violations of Law 1581 of 2012 and other applicable rules.
Revoke authorization and/or request deletion of the data when the Processing does not respect constitutional and legal principles, rights, and guarantees.
Access free of charge the personal data that have been subject to Processing.
Request proof of authorization from the Controller. In keeping with the principle of informed consent, the Data Subject has the right to grant or withhold authorization by any means that can be subject to subsequent consultation.

By way of exception, and in accordance with Law 1581 of 2012 and Decree 1377 of 2013, the Data Subject’s authorization is not required in the following cases:

Information required by a public or administrative entity in the exercise of its legal functions or by court order.
Data of a public nature.
Cases of medical or sanitary emergency.
Processing of information authorized by law for historical, statistical, or scientific purposes.
Data related to the Civil Registry of Persons.

Nevertheless, Corporación Parque Explora will comply with the principles and other legal provisions on personal data protection.

4.6 Duties for Personal Data Protection

4.6.1 Duties of the Data Controller

Guarantee the Data Subject, at all times, the full and effective exercise of the right to Habeas Data.
Request and keep, under the conditions provided by law, a copy of the respective authorization granted by the Data Subject, where applicable.
Properly inform the Data Subject about the purpose of the collection and the rights conferred by the authorization granted or by the corresponding privacy notice.
Keep information under the security conditions necessary to prevent its alteration, loss, consultation, use, or unauthorized or fraudulent access.
Ensure that the information supplied to the Data Processor is truthful, complete, accurate, up-to-date, verifiable, and understandable.
Update the information, promptly communicating to the Data Processor all changes to the data previously supplied and adopt any other measures necessary to keep the information up to date.
Rectify the information when it is incorrect and inform the Data Processor accordingly.
Supply the Data Processor, as applicable, only with data whose Processing has been previously authorized in accordance with the law.
Require the Data Processor at all times to respect the Data Subject’s information security and privacy conditions.
Handle queries and claims within the timeframes set by law.
Adopt an internal manual of policies and procedures to ensure proper compliance with the law and, in particular, for addressing queries and claims.
Inform the Data Processor when certain information is under dispute by the Data Subject, once a claim has been filed and the respective procedure has not yet concluded.
Inform the Data Subject, upon request, about the use made of their data.
Inform the Superintendence of Industry and Commerce of security breaches and any risks in the administration of Data Subjects’ information.
Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

4.6.2 Duties of the Data Processor

Guarantee the Data Subject, at all times, the full and effective exercise of the right to Habeas Data.
Keep information under the security conditions necessary to prevent its alteration, loss, consultation, use, or unauthorized or fraudulent access.
Timely update, rectify, or delete data under the terms provided by law.
Update information reported by Data Controllers within five (5) business days from receipt.
Handle queries and claims filed by Data Subjects within the timeframes set by law.
Adopt an internal manual of policies and procedures to ensure proper compliance with the law and, in particular, to address queries and claims by Data Subjects.
Refrain from circulating information under dispute by the Data Subject and whose blocking has been ordered by the Superintendence of Industry and Commerce.
Allow access to the information only to persons who may access it.
Inform the Superintendence of Industry and Commerce of security breaches and any risks in the administration of Data Subjects’ information.
Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

If a single person concurrently acts as both Controller and Processor, they must comply with the duties established for each role.

4.6.3 Common Duties of Controllers and Processors

Apply security measures consistent with the classification of personal data processed by Corporación Parque Explora.
Adopt backup procedures for databases containing personal data.
Manage databases containing personal data securely.
Regulate third-party access to databases containing personal data in contracts.

4.7 Processing of Personal Data

4.7.1 Collection and Use

In compliance with the Political Constitution of Colombia, Statutory Law 1581 of 2012, and related regulations, Corporación Parque Explora comprehensively guarantees the protection and exercise of the fundamental right of Habeas Data of all Data Subjects.

To this end, it collects data as described in this document and will request personal data for purposes related to its corporate purpose, such as:

Participation in events, workshops, courses, admission to and/or use of facilities.
Sending communications, calls for participation, promotions, event invitations, or other advertising purposes related to the Corporation’s purpose.
Managing petitions, requests, complaints, inquiries, commendations, reports, or claims from data subjects.
Acquiring products or services required for the Corporation’s corporate purpose.
Negotiation and/or execution of contracts, agreements, alliances, proposals, statements of execution, suspension, resumption, liquidation, or similar legal relationships.
Applying for and/or carrying out employment contracts, apprenticeship contracts, service contracts, or similar.
Applying for and/or carrying out activities of the Corporation’s Governance Bodies.
Participating in community, social, territorial, business, and other projects promoted and/or executed by the Corporation, in which data are collected for population sampling, evaluation of results, impact measurements, among others.

If data are to be processed for a purpose different from those stated above, such purpose must be clearly and precisely included in the corresponding authorization for personal data processing and must be consistent with the Corporation’s purpose.

In line with these purposes, Corporación Parque Explora collects personal data from different areas, as follows:

Data Collection by Directorate/Area

Directorate/Area	Purposes	Types of Data	Collection Method
Talent and Organizational Culture	Hiring, affiliations, socio-demographic profile surveys, surveys and follow-ups for remote work or telework, payroll and/or social benefits payments, workplace wellness programs, among others. Also includes management of employees’ beneficiaries (dependents, minors, others). Training and competency assessment of employees. Carrying out the selection process for vacancies.	Public, private, semi-private, sensitive, financial, minors’ data	Physical and electronic
Purchasing and Contracting	Contracting goods and services to carry out the Corporation’s purpose.	Public, private, semi-private, financial	Electronic
Projects	Execution of projects with partners.	Public, private, semi-private, sensitive, financial, minors’ data	Physical and electronic
Operations	Handling of petitions, complaints, inquiries, claims, requests, commendations, reports, and similar. Visitor management through the ticket office.	Public, private, semi-private	Physical and electronic (chatbot)
Marketing	Management of prospects, customers and beneficiaries, sponsors, and donors.	Public, private, semi-private	Physical and electronic
Occupational Health and Safety	Contractor program.	Public, semi-private	Electronic
Corporate Governance and Executive Directorate	Conducting meetings of Governance Bodies: Board of Directors and General Assembly.	Public, private, semi-private	Electronic
Communications; Education and School Transformation; and Content and Public Engagement with Science	Development and promotion of events, courses, projects, programs, workshops, among others.	Public, private, semi-private, and sensitive	Physical and electronic

The areas mentioned are responsible for complying with data processing as set forth in this policy.

4.7.2 Storage

In order to prevent alteration, loss, consultation, use, or unauthorized or fraudulent access to Data Subjects’ information, digital and physical information is stored in media or environments with appropriate controls for data protection.

This includes physical and IT security controls, technological and environmental controls in restricted areas, generally at own facilities.

In accordance with the General Policies of the Information Security Management System, Corporación Parque Explora has implemented the following internal security measures for personal data processing:

Confidentiality agreements with persons who have access to personal information.
Security controls when outsourcing services for personal information processing.
Risk management tools for personal data processing.
Access control to personal information, both at physical facilities and at the technological level.
User management for access to personal information, including sensitive data.
Implemented backup platform policy.
Controls for remote access to personal information.
Information security controls during maintenance (change control) of personal information systems.
Information Security Incident Management for personal data breaches.

4.7.3 Deletion

For the personal data processing carried out by Corporación Parque Explora, the retention of data will be determined by the purpose of said processing.

Consequently, once the purpose for which the data were collected has been fulfilled, Corporación Parque Explora will proceed to delete or retain them, depending on claims received from data subjects and the provisions of the document retention schedules and complementary archival instruments.

When, for legal compliance, documents must be retained and such documents contain personal data that are the subject of a claim by the data subject, the personal data must be anonymized.

The destruction of physical and electronic media will be carried out using mechanisms that do not allow reconstruction and will only be performed when it does not violate any legal rule, always leaving traceability of the action.

4.8 Processing of Special Categories of Data

4.8.1 Sensitive Data

Corporación Parque Explora will only collect sensitive personal data when necessary and pertinent to its activity and in accordance with Article 6 of Law 1581 of 2012.

In each case, express authorization from the data subject must be obtained, fully complying with the requirements established in Law 1581 of 2012 and related regulations.

Sensitive personal information will be protected through high-level security measures.

4.8.2 Data of Minors

Processing personal data of children and adolescents is prohibited, except when the data are of a public nature, in accordance with Article 7 of Law 1581 of 2012, and when such processing meets the following parameters and requirements:

Responds to and respects the best interests of children and adolescents.
Ensures respect for their fundamental rights.
Every controller and processor involved in processing the personal data of children and adolescents must ensure appropriate use.

Corporación Parque Explora recognizes that children and adolescents require special protection regarding their personal data.

To this end, it will ensure that processing respects their fundamental and prevailing rights and that such information is only used in response to their best interests.

It will apply the principles and obligations set out in Law 1581 of 2012 and Chapter 25, Title 2, Part 2, Book 2 of Decree 1074 of 2015.

For children and adolescents, authorization for processing must be given by their legal representative, after the minor has exercised their right to be heard; the opinion of the minor will be assessed taking into account their maturity, autonomy, and capacity to understand the matter.

4.9 Identification of Databases

In compliance with the principle of necessity, Corporación Parque Explora manages the personal databases reported each year through the National Registry of Databases, which can be consulted at:

👉 https://rnbd.sic.gov.co/sisi/consultaTitulares/consultas/

4.10 Procedure for Handling Habeas Data Inquiries or Claims

In compliance with the constitutional right to Habeas Data, Corporación Parque Explora establishes the procedure for handling Habeas Data inquiries or claims made by the Data Subject or their successors.

4.10.1 Response Times

Ten (10) business days to answer inquiries, counted from the date of receipt.
- When it is not possible to respond within this term, the interested party will be informed of the reasons for the delay and given a date on which their request will be addressed, which will not exceed five (5) business days following the end of the first term.
Fifteen (15) business days to answer claims, counted from the day following the date of receipt.
- If it is not possible to address the claim within the stipulated term, the applicant will be informed of the reasons for the delay and the date on which the claim will be addressed, which may not exceed eight (8) business days following the first term.

These timeframes may vary depending on the nature of the personal data and the provisions of special laws or regulations issued by the National Government.

The claim must be submitted by means of a request, including:

Identification of the Data Subject.
Description of the facts giving rise to the claim.
Address and supporting documents to be asserted.

If the claim is incomplete, the applicant will be asked within five (5) business days following receipt to correct the deficiencies.

If the missing information is not provided within two (2) months from the request, it will be understood that the claim has been withdrawn.

When Corporación Parque Explora is neither the Controller nor the Processor of the personal data and a request is received, it will have two (2) business days to forward the inquiry or claim to the competent entity and send a communication to the data subject informing them of the referral.

4.10.2 Internal Procedure

The channels available to receive inquiries or claims are:

Email: servicioalcliente@parqueexplora.org
Phone: 6045168300
Physical service point: Carrera 52 # 73-75 Medellín, Antioquia.

Once the inquiry or claim is received, it will be analyzed by the Operations area and, if necessary, forwarded to the corresponding internal area for a substantive response.

4.11 Disclosure of Personal Data to Authorities

When State authorities request that Corporación Parque Explora grant access to and/or deliver personal data contained in any of its databases, the following will be verified:

The legality of the request.
The relevance of the requested data in relation to the purpose expressed by the authority.
Documentation of the delivery of the requested personal information, ensuring that it meets all its attributes (authenticity, reliability, and integrity).

The duty of protection regarding these data will be communicated both to the official making the request and to the recipient, as well as to the entity for which they work.

Likewise, the authority requesting personal information will be advised of the security measures applicable to the personal data delivered and of the risks entailed by improper use and inadequate processing.

4.12 International Transfer of Personal Data

The transfer of personal data to countries that do not provide adequate levels of protection is prohibited.
Safe countries are understood to be those that meet the standards set by the Superintendence of Industry and Commerce.

As an exception, Corporación Parque Explora may carry out international transfers of data when:

The data subject has given their prior, express, and unequivocal authorization for the transfer.
The exchange of medical data is required when the Data Subject’s Processing demands it for health or public hygiene reasons.
The transfer is necessary for the execution of a contract between the data subject and Corporación Parque Explora as Controller and/or Processor.
Banking and stock market transfers, in accordance with the legislation applicable to such transactions.
Transfers of data within the framework of international treaties that are part of the Colombian legal system.
Transfers legally required to safeguard the public interest or for the recognition, exercise, or defense of a right in a judicial process.
In cases not contemplated as exceptions, the Superintendence of Industry and Commerce will issue the conformity declaration concerning the international transfer of personal data.

When an international transfer or transmission of personal data occurs, prior to sending or receiving such data, Corporación Parque Explora will execute agreements that detail the obligations, burdens, and duties arising for the parties involved.

Any agreements or contracts must comply with this policy and with applicable legislation and case law on personal data protection.

4.13 International Transmission of Personal Data

A transmission of personal data occurs when processing involves communicating such data within or outside the territory of the Republic of Colombia for the purpose of Processing by the Processor on behalf of the Controller.

International transmissions of personal data carried out between a Controller and a Processor to allow the Processor to process data on behalf of the Controller do not require informing the Data Subject or obtaining their consent when there is a personal data transmission agreement, which must comply with Article 25 of Decree 1377 of 2013 and related rules.

📌 Last review: The most recent review of the Personal Data Processing Policy of Corporación Parque Explora was carried out on May 10, 2024, and applies from that date.