Demo Reset’s Privacy and Personal Data Policy

Demo.Reset is a project of the Open Policy Institute (Extituto de Política Abierta), a Colombian multi-party think tank working towards more innovative and accessible politics. Extituto de Política Abierta manages the information related to this project. Project employees are committed to complying with this privacy and data protection policy. For Extituto de Política Abierta, the protection, integrity, and confidentiality of the personal data of Demo.Reset project participants is paramount. Therefore, we have designed this policy for the storage and processing of data entered into the Demo.Reset project and are committed to the protection and proper handling of this data, in accordance with the legal framework for the protection of personal data applicable in Colombia.

DemoReset’s Privacy and Personal Data Processing Policy specifically establishes how such data will be protected and processed in accordance with the provisions of Law 1581 of 2012 and Decree 1377 of 2013 on data protection, as well as with other regulations that modify, regulate or expand said regulation.

CHAPTER I – GENERAL PROVISIONS

ARTICLE 1. DEFINITIONS. For the application of the provisions of this policy, in accordance with the provisions of Article 3 of Law 1581 of 2012 and Article 3 of Decree 1377 of 2013, the following definitions shall apply:

1. Authorization: Prior, express and informed consent of the data subject to carry out the processing of personal data.
2. Privacy Notice: Verbal or written communication generated by the Controller, addressed to the Data Subject for the Processing of their personal data, through which they are informed about the existence of the information processing policies that will be applicable to them, how to access them and the purposes for which the personal data will be processed.
3. Database: An organized set of personal data that is subject to processing.
4. Personal data: Any information linked to or that can be associated with one or more specific or identifiable natural persons.
5. Sensitive personal data: Information that affects a person’s privacy or whose misuse could lead to discrimination, such as data revealing racial or ethnic origin, political affiliation, religious or philosophical beliefs, trade union membership, membership in social or human rights organizations, or data that promotes the interests of any political party or guarantees the rights and protections of opposition political parties, as well as data related to health, sex life, and biometric data (fingerprints, among others). For the purposes of this policy, the Open Policy Institute advises that the data subject has the right to provide their personal data when requested.
6. Public data: Data that is neither semi-private, private, nor sensitive. Public data includes, among other things, data related to a person’s marital status, profession or occupation, and their status as a merchant or public servant. By their nature, public data may be contained in, among other sources, public registries, public documents, official bulletins, and duly executed court judgments that are not subject to confidentiality.
7. Data Processor: A natural or legal person, public or private, who, alone or jointly with others, processes personal data on behalf of the Data Controller. For the purposes of this DemoReset Privacy and Personal Data Processing Policy, the data processors will be Extituto de Política Abierta. In particular, individuals under the responsibility of this organization who, by virtue of the authorization and the Data Policy, are legitimately entitled to process the data subject’s personal data. Individuals expressly authorized by Extituto de Política Abierta to process data will be so authorized under a confidentiality agreement, which also entails the obligation to use such data in accordance with this Policy.
8. Authorized Parties: These are individuals within the Open Policy Institute who, by virtue of their authorization and the Policy, are legitimately authorized to transfer the data subject’s personal data. The term “Authorized Party” includes the data subject’s gender.
9. Authorization or being Authorized: This is the legitimization that the Open Policy Institute expressly grants to third parties, in compliance with applicable legislation, for the processing of personal data, making said third parties responsible for the processing of the personal data provided or made available.
10. Complaint : Request from the data subject or persons authorized by the data subject or by law to correct, update or delete their personal data or when they notice that there is an alleged violation of the data protection regime, in accordance with article 15 of Law 1581 of 2012.
11. Data Controller: A natural or legal person, public or private, who, alone or jointly with others, determines the purposes and means of the processing of personal data. Extituto de Política Abierta is responsible for managing the DemoReset platform database.
12. Data Subject: Natural person whose personal data is being processed.
13. Processing: Any operation or set of operations performed on personal data, such as collection, storage, use, circulation or deletion.
14. Transfer: Data transfer occurs when the Data Controller or Data Processor, located in Colombia, sends the information or personal data to a recipient, who in turn is the Data Controller and is located inside or outside the country.
15. Transmission : Processing of personal data that involves the communication of said data within or outside the territory of the Republic of Colombia when its purpose is to carry out a Processing on behalf of the Controller.
16. DemoReset: DemoReset is a Global South Deliberation Network that seeks to strengthen the capacities of organizations, communities, and democracy professionals to improve citizen participation in governance through deliberative practices.

The data collected will be used to enable the project to be carried out in accordance with regulations.

ARTICLE 2. PURPOSE. The purpose of this document is to regulate the methods of collection, processing and handling of personal data collected within the framework of the implementation of DemoReset activities, as well as the use of information from organizations, participants and projects on social media and the project website.

ARTICLE 3. SCOPE OF APPLICATION. This manual shall apply to personal, organizational and project data registered in project calls, in the development of activities and in the analysis of Demo.Reset information.

ARTICLE 4. APPLICABLE LAW. This manual was prepared taking into account the provisions of Law 1581 of 2012, “By which general provisions are issued for the protection of personal data,” and Decree 1377 of 2013, “By which Law 1581 of 2012 is partially regulated.” The Demo.Reset Privacy and Personal Data Protection Policy specifically establishes how such data will be protected and processed in accordance with these provisions, as well as with other regulations that modify, regulate, or expand upon them. Matters not expressly established in this Policy are understood to be regulated and governed by the aforementioned regulations.

ARTICLE 5. PURPOSES OF THE PROCESSING OF PERSONAL DATA.

The information collected will be used within the framework of the Demo.Reset project, which seeks to strengthen the capacities of organizations, communities and democracy professionals to enhance citizen participation in governance through deliberative practices.

By accepting Demo.Reset’s Privacy and Personal Data Protection Policy , users authorize the processing of their data. Demo.Reset, in turn, undertakes to guarantee the anonymity of the data in the information generated during processing, in order to protect its owners. Demo.Reset is committed to providing appropriate credit and the necessary information about the processes carried out by collaborating organizations.

CHAPTER II

ARTICLE 6. AUTHORIZATION.

The collection, storage, use, circulation or deletion of personal data by Extituto de Política Abierta will require the free, prior, express and informed consent of the owner of said data from the Demo.Reset project databases, the project’s information repository, its website and social networks.

Exstituto de Política Abierta, as the data controller, has implemented the necessary mechanisms to obtain authorization from data subjects, ensuring in all cases that it is possible to verify its granting. By granting this authorization, the data subject accepts the policies and conditions established herein.

ARTICLE 7. FORM AND MECHANISMS FOR GRANTING THE AUTHORIZATION.

The authorization of the data subject must be included in each of the data collection channels and mechanisms of Demo.Reset

Therefore, it may be recorded in a physical or electronic document, or in any other format that allows for its subsequent verification. The authorization will be issued by the data subject before the processing of their personal data, in accordance with the provisions of Law 1581 of 2012. This consent-based authorization procedure ensures that the data subject has been informed that their personal information will be collected and used for specific and known purposes, and that they have the option to be informed of any modifications to it and the specific use made of it. This is so that the data subject can make informed decisions about their personal data and control the use of their personal information.

CHAPTER III RIGHTS AND DUTIES

ARTICLE 8. RIGHTS OF DATA SUBJECTS.

In accordance with the provisions of Article 8 of Law 1581 of 2012, the owner of the personal data has the following rights:

(a) To know, update and rectify your personal data before EXTITUTO DE POLICTICA ABIERTA, in its capacity as data controller.

1. b) Request proof of the authorization granted to EXTITUTO DE POLICÍTICA ABIERTA, in its capacity as Data Controller.

1. c) To be informed by EXTITUTO DE POLICÍTICA ABIERTA upon request, regarding the use given to your personal data.

1. d) To file complaints with the Superintendency of Industry and Commerce in Colombia for violations of the provisions of Law 1581 of 2012, once the consultation or claim process before the Data Controller has been exhausted.

1. e) Revoke the authorization and/or request the deletion of the data when the Processing does not respect the constitutional and legal principles, rights and guarantees.

1. f) Access your personal data that has been processed, free of charge.

ARTICLE 9. DUTIES IN RELATION TO THE PROCESSING OF PERSONAL DATA.

The Open Policy Institute will always bear in mind that personal data belongs to the individuals to whom it refers and that only they can decide how it is used. Therefore, it will only use it for the purposes for which it is duly authorized, always respecting Law 1581 of 2012 on the protection of personal data.

In accordance with the provisions of Article 17 of Law 1581 of 2012, the OPEN POLICY INSTITUTE undertakes to permanently comply with the following duties:

(a) Guarantee to the Data Subject, at all times, the full and effective exercise of the right of habeas data.

1. b) Maintain the information under the necessary security conditions to prevent its alteration, loss, consultation, use or unauthorized or fraudulent access.

1. c) Update, rectify or delete the data in a timely manner, that is, within the terms provided in articles 14 and 15 of Law 1581 of 2012.

1. d) Process the queries and claims made by the Data Subjects in accordance with the terms provided in article 14 of Law 1581 of 2012.

1. e) Insert the legend “information under judicial discussion” into the database once notified by the competent authority about legal proceedings related to the quality or details of personal data.

1. f) Refrain from circulating information that is being disputed by the Data Subject and whose blocking has been ordered by the Superintendency of Industry and Commerce in Colombia.

1. g) Allow access to the information only to those people who may have access to it.

1. h) Inform the affected parties and the Superintendency of Industry and Commerce in Colombia when violations of security codes occur and there are risks in the management of the information of the Holders.

1. i) Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce in Colombia.
2. j) In accordance with the ethical recommendations on privacy and security of the principles of digital development, Demo.Reset will avoid disclosing, in the results shared with the public, content that may constitute fake news, disinformation, sexual content, or hate speech. It may make general reference to the receipt of such content, but without propagating it.

CHAPTER IV ACCESS, CONSULTATION AND COMPLAINT PROCEDURES

ARTICLE 10. RIGHT OF ACCESS.

The power of disposition or decision that the owner has over the information that concerns him necessarily entails the right to access and know if his personal information is being processed, as well as the scope, conditions and generalities of said processing.

Likewise, the holder has the right to request its rectification if it is inaccurate or incomplete and to cancel it when it is not being used in accordance with the legal or contractual purposes and terms or in accordance with the purposes and terms contemplated in this Privacy Policy.

The Open Policy Institute will guarantee the right of access when, after accreditation of the identity of the holder or their representative or agent, they request it in accordance with the provisions of Law 1581 of 2012. Holders and users may exercise their rights to know, update, rectify and delete their personal data by sending their request to the email addresses: contacto@extituto.org and demoreset@extituto.org in accordance with this Privacy Policy.

The following information must be included in the application:

– First and last names.

– Document type.

– Document number.

– Telephone number.

– Email address.

– Country.

– Subject.

ARTICLE 11. RESPONSE TO INQUIRIES. In any case, regardless of the mechanism implemented for handling inquiries, these must be answered within a maximum period of ten (10) business days from the date of receipt. When it is not possible to respond to the inquiry within this period, the interested party will be informed before the expiration of the 10 days, indicating the reasons for the delay and the date on which the inquiry will be answered, which in no case may exceed five (5) business days following the expiration of the first period.

ARTICLE 12. COMPLAINTS. In accordance with the provisions of Article 14 of Law 1581 of 2012, the Owner of the Personal Data or their successors who consider that the information contained in a database should be corrected, updated or deleted, or when they notice the alleged breach of any of the duties provided for in Law 1581 of 2012, may file a complaint with the Data Controller, which will be processed in accordance with the following rules:

1. The data subject may submit a complaint via the email address provided by EXTITUTO DE POLICÍTICA ABIERTA. If the complaint received does not contain all the necessary information for processing, specifically the data subject’s identification, a description of the facts giving rise to the complaint, the address, and any supporting documents, the interested party will be notified within five (5) days of receipt to correct the deficiencies. If two (2) months elapse from the date of the request without the applicant submitting the required information, the complaint will be considered withdrawn. If, for any reason, the Corporation receives a complaint that should not be directed against it, it will forward it to the appropriate person within a maximum of four (4) business days and inform the interested party of the situation.

1. The maximum period for addressing the claim will be fifteen (15) business days, counted from the day following the date of receipt. If it is not possible to address it within this period, the interested party will be informed before the expiration of said period about the reasons for the delay and the date on which the claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first period.

ARTICLE 13: QUESTIONS OR SUGGESTIONS

If you have any questions or concerns about the collection, processing, or transfer of your personal information, or if you believe that the information in our database should be corrected, updated, or deleted, please send us a message to the following email addresses: contacto@extituto.org and demoreset@extituto.org

For more information about Demo.Reset and contact forms, please see the following address www.demoreset.org/es/ This website has applicable terms and conditions, which can be consulted for further information.