Personal Data Protection Policy Peña Mancero Abogados S.A.S.


This Data Protection Policy (hereinafter the “Policy”) reflects the parameters under which PEÑA MANCERO ABOGADOS S.A.S. (hereinafter “THE COMPANY”) performs the processing of personal data in compliance with the provisions of Law 1581 of 2012 and Decree 1377 of 2013 and other rules applicable to the subject.

The Policy is applicable to all Databases and / or Files that contain Personal Data that are subject to treatment by THE COMPANY considered to be Responsible for the Processing of Personal Data.


Prior, express and informed consent of the Data Subject to carry out the Processing of Personal Data.


Organized set of Personal Data that is subject to Processing.

Personal Data

Any information that may be related to one or several individuals determined or determinable, such as name, citizenship card, address, email, telephone number, marital status, fingerprint, etc.
Individual or legal entity, public or private with whom THE COMPANY has a business relationship.

Sensitive data.

Information that affects the privacy of the owner whose undue use may generate discrimination. Among them are those that reveal political, religious or philosophical convictions, membership in trade unions, social organizations, as well as data related to health, among others, fingerprints, photographs, etc.

In charge of the Processing.

Individual or legal entity, public or private, that by itself or in association with others, performs the Processing of Personal Data on behalf of the Party Responsible for the Processing . For the specific case, it will be any third party designated by THE COMPANY that performs the processing of data on its behalf and on behalf of the COMPANY. In the events in which the Responsible Party does not act as the Data Base Manager , the person in charge will be explicitly identified.

Responsible for the Processing

Individual or legal entity, public or private, that by itself or in association with others, decides on the Database and / or the processing thereof. For the purposes of this Policy, the Party Responsible for the Processing of Personal Data is Peña Mancero Abogados S.A.S. with address in Bogotá. Email: info@pmabogados.co. Phone +(57) 1 3000 222.

Request by the Data Subject of the information, whoever authorizes or by law, to correct, update or delete their Personal Data or to revoke the Authorization in the cases established in law.

Individuals whose Personal Data is subject to Processing.

The data transfer is carried out when the Party Responsible for and / or Manager of the Processing of Personal Data, located in Colombia, sends the information or Personal Data to a receiver, who is the Party Responsible for the Processing and is located inside or outside the country.


Processing of Personal Data that implies the communication of the same within or outside the territory of the Republic of Colombia when it is intended to carry out Processing by the Manager on behalf of the Responsible Party. Any operation or set of operations on personal data, such as the collection, storage, use, circulation or deletion of the same.

Principles Applicable to the Processing of Personal Data

In the Processing of Personal Data, THE COMPANY will apply the principles defined below, which make up the rules to follow regarding the handling, use, processing, storage and exchange of personal data:

The Processing of Personal Data will be carried out in accordance with the applicable legal provisions (Statutory Law 1581 of 2012, as well as its regulatory decrees).

The Personal Data will be used for a specific purpose which must be informed to the Data Subject or permitted by Law. The Data Subject must be sufficiently informed in advance and in a clear manner about the purpose of the information provided.

The collection of Personal Data may only be exercised with the prior, express and informed Authorization of the Data Subject.

Truthfulness or Quality.

The information subject to the Processing of Personal Data must be truthful, complete, accurate, updated, verifiable and understandable.
In the Processing of Personal Data, the right of the Data Subject to obtain at any time and without restrictions, information about the existence of data that concerns him, is guaranteed.

Access and restricted circulation.

The Processing of Personal Data may only be carried out by the authorized persons on behalf of the Data Subject and / or by the persons provided for in law.

The Personal Data subject to processing will be carried out adopting all the security measures that are necessary to avoid its loss, adulteration, consultation, use or unauthorized or fraudulent access.

All officers working in THE COMPANY are required to keep the personal information they have access to during their work confidential.
Processing and Purposes to which the Personal Data used by THE COMPANY will be submitted.

THE COMPANY, acting as responsible for the Processing of Personal Data, for the proper development of its commercial activities, as well as for the strengthening of its relations with third parties, stores, uses, circulates and suppresses Personal Data corresponding to individuals with whom it has or has had a relationship, such as customers, suppliers, creditors and debtors, for the following purposes.
General purposes for the processing of Personal Data.

The COMPANY performs the Processing of Personal Data with the following purposes:

  • Deliver or send advertising or marketing information about the services provided by THE COMPANY.
    Transfer the information collected to different areas of THE COMPANY and abroad when it is necessary for the development of its operations.
  • Comply with the obligations contracted between THE COMPANY and the Data Subjects of the Personal Data, as well as comply with the tax obligations and corporate and accounting records of the firm.
  • Carry out the management and administration of the Human Resources of THE COMPANY.
  • For the attention of judicial or administrative requirements and compliance with judicial or legal mandates and comply with the orders made by virtue of the services provided by THE COMPANY;
  • Register your personal data in the information systems of THE COMPANY and its commercial and operational databases.
  • Any other activity of a nature similar to those previously described that are necessary to develop the corporate purpose of THE COMPANY.

Rights of Data Subjects

Individuals whose Personal Data are subject to Processing by THE COMPANY, enjoy the following rights, which may be exercised at any time, communicating with the area responsible for the Processing of Personal Data, the exercise of rights must be performed in accordance with the requirements established in the Applicable Rules:

  • To know the Personal Data on which THE COMPANY is performing the Processing. Likewise, you may request at any time, that your data be updated or rectified, if you find that your data are partial, inaccurate, incomplete, fractioned, that may lead to error or those whose processing is expressly prohibited or has not been authorized.
  • Request proof of the authorization granted to THE COMPANY for the Processing of Personal Data, except when THE COMPANY, is exempt from obtaining such authorization, under the provisions of Law 1581 of 2012.
  • Be informed by THE COMPANY, upon request, regarding the use that it has made with your Personal Data.
  • Submit to the Superintendency of Industry and Commerce complaints about breaches of the provisions of the regulations that regulate the subject.
  • Access free of charge to your Personal Data that have been subject to Processing.
  • Revoke the authorization for the Processing of Personal Data and / or request the deletion of the data when, in the processing, the principles of the Processing, the Rights of the Data Subject and other guarantees established in law are not respected.

Refusal of THE COMPANY to access, rectify or cancel Personal Data.

THE COMPANY may deny full or partial access to Personal Data or the performance of rectification, cancellation or opposition to the Processing of Personal Data, in the event that the applicant is not the Data Subject or its duly accredited representative; when the rights of a third party are breached; when the rectification has been previously made, when Personal Data of the applicant is not found in the COMPANY Databases; when there is a legal impediment or resolution of an authority.

In accordance with the provisions of article 9 of Decree 1377 of 2013, THE COMPANY will not be obliged to delete the Personal Data or to access the request for revocation of the Authorization when the established budgets are met.

Duties of THE COMPANY as Responsible Party for the Processing of Personal Data.

THE COMPANY is aware that Personal Data is the property of the people to whom it refers and only they can decide on it. Therefore,

THE COMPANY will use the Personal Data only for the purposes for which it is duly empowered, respecting the current regulations on the Protection of personal data, for which it will comply with the duties set forth in article 17 of Law 1581 of 2012 and the other regulations that regulate, modify or replace it.


THE COMPANY will request prior, express and informed authorization to the data subjects of the personal data on which it requires to carry out the Processing.

The expression of the Data Subject’s consent can occur through different mechanisms made available by THE COMPANY, such as:
In writing, filling out an authorization form for the Processing of Personal Data determined by THE COMPANY.
Orally, through a telephone conversation or videoconference.

Special Provisions for the Treatment of Personal Data.

THE COMPANY at all times will comply with this policy, which was made in accordance with the rules applicable to the Protection of Personal Data. It will be available to the data subjects or third parties who wish to consult it.

THE COMPANY does not perform data processing of children and adolescents. However, in the event that personal information is collected regarding a child or adolescent, this information will be used to contact the child’s parent or guardian to obtain the respective Authorization for this. If it is not possible to contact you within a reasonable time or authorization is not obtained from the parent or guardian, the minor’s information will be removed from the COMPANY’s Databases.

The Treatment of Personal Data of a sensitive nature as a rule is prohibited by Law, however THE COMPANY may carry out Personal Data Processing, provided that it has prior and informed Authorization of the Data Subject. In the Authorization, the Data Subject must be informed of the optional nature of responding to Sensitive Data, which of the data provided are considered Sensitive Data and the purposes of the Processing.

Personal Data may be stored outside the Republic of Colombia, even in countries that do not provide adequate levels of protection, so that the Data Subjects authorize that their Personal Data be processed in those countries, taking into account that THE COMPANY will take all necessary measures to guarantee the security and confidentiality of Personal Data.
Security of Personal Data.

THE COMPANY, in application of the Principle of Security in the processing of personal data, will provide the administrative measures that are necessary to provide security to the records, avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access. THE COMPANY does not guarantee the total security of your information nor is it responsible for any consequence of technical failures or improper entry by third parties to the Database or to the files on which the Personal Data subject to Processing rests.

Transfer and Transmission of Personal Data.

THE COMPANY may deliver the Personal Data to third parties not linked to THE COMPANY when:

-They are contractors executing contracts for the development of the activities of THE COMPANY; By transfer to any title of any line of business with which the information is related.

-In any case, when THE COMPANY wishes to send or transmit data to one or more Managers located inside or outside the territory of the Republic of Colombia, it will establish contractual clauses or execute a contract for the transmission of Personal Data in which, among others, the following is agreed:

  • The scope and purposes of the Processing.The activities that the Manager will perform on behalf of THE COMPANY.
  • The obligations that the Manager must fulfill with respect to the Data Subject and THE COMPANY.
  • The duty of the person in charge of processing the data in accordance with the purpose authorized for it and observing the principles established in Colombian Law and this policy.
  • The obligation of the person in charge of adequately protecting Personal Data and databases as well as keeping confidentiality regarding the processing of transmitted data.
  • A description of the specific security measures that will be adopted both by THE COMPANY and by the person in charge of the data at its destination.
  • THE COMPANY will not request the Authorization when the International transfer of data is covered by any of the exceptions provided by the Law and its Regulatory decrees.

Procedure for attention to inquiries and complaints.

In exercising their rights as Data Subjects, they may submit requests to THE COMPANY in order to consult or make a claim.
Queries and claims can be made at the following email: info@pmabogados.co, telephoning the helpline 3002222 or sending correspondence to the following address: Carrera 11 # 86 – 32 office 301.

The procedure that will be followed in the attention of the consultations and claims is the following:

  • When the Data Subject, his representative or successor requires to consult the Personal Data contained in the Databases of THE COMPANY, the Company will have a period of ten (10) working days, starting from the date of receipt of the query.
  • If it is not possible to respond within the aforementioned period, THE COMPANY will inform the applicant, stating the reasons for the delay and the date on which his inquiry will be handled. The additional period for any reason may not exceed five (5) working days following the expiration of the first term.


If the Data Subject, his representative or successor wishes to request the correction, update or deletion by means of a claim, they must submit the request in writing indicating:

a. Identification of the Data Subject;

b. Description of the facts that give rise to the claim

c. Address of correspondence of the Data Subject.

d. Documents supporting the application.

In the event that THE COMPANY considers that the request is incomplete, it will require the applicant to provide additional documents within five (5) calendar days following receipt of the claim. The applicant will have up to sixty (60) calendar days to respond to the request, a period that will not be taken into account in order to calculate the response period of the COMPANY. If after this period, THE COMPANY has not received a response from the applicant, it will be understood that the claim has been abandoned.

Within two (2) working days following the receipt of the claim, THE COMPANY will enter a note in the Database that identifies that there is a claim in progress on the particular data.

THE COMPANY has a period of fifteen (15) working days following the receipt of the claim, to address it. If it requires more time, THE COMPANY must inform the applicant the reasons for the delay and will have an additional maximum term of eight (8) working days.

Applicable legislation.

This policy of protection of personal data and the annex of the authorization form that is part of it, are governed by the provisions of current legislation on protection of personal data referred to in Article 15 of the Constitution, the Law 1266 of 2008, Law 1581 of 2012, Decree 1377 of 2013, Decree 1727 of 2009 and other regulations that modify, repeal or replace them.

Validity and modification.

This policy shall take effect from its publication date on the website of THE COMPANY, against which the processing is carried out in any of our databases, remain in them as long as necessary for the purposes mentioned in this policy and for which they were collected.

THE COMPANY reserves the right to make modifications to this policy.  In the event that the changes made are substantial or relate to the identification of the Responsible Party  and the purpose of the processing, which affects the content of the authorization, in accordance with the established in article 5 of Decree 1377, THE COMPANY will communicate these changes to the Data Subject and obtain a new authorization.