Last Updated: January 14, 2025
This policy should be read in conjunction with Evertec Inc.’s modified and amended privacy policy, which applies to all of its subsidiaries. These policies represent a commitment by Evertec PlacetoPay S.A.S. and Evertec Colombia S.A.S. to comply with all laws and regulations applicable to its operations, as well as to being a secure and robust organization, with the fundamental goal of protecting its clients, suppliers, collaborators, partners, allies, and other counterparties, as well as the integrity of the institution, its people, and its reputation.
1. GENERAL CONSIDERATIONS
1.1. INTRODUCTION
Evertec Colombia SAS and Evertec PlacetoPay SAS (hereinafter, “EVERTEC”) are companies incorporated under Colombian laws and domiciled in Colombia, with more than 20 years of experience managing payment methods, electronic channels and financial products under the outsourcing modality, as well as providing transaction processing services, with a focus on simplifying trade for businesses, financial institutions, government agencies and consumers. Within the framework of the business purpose of each company, EVERTEC maintains safe practices by implementing international security standards, based on the requirements of the PCI DSS standard (Evertec PlacetoPay SAS) and on compliance with ISO 27001 (Evertec Colombia SAS), which ensure transparency and proper use of the personal data collected and managed from clients, suppliers, shareholders, collaborators, allies and other counterparties, including those with which commercial or contractual relationships have not yet been established.
EVERTEC acknowledges that the processing of personal information of its counterparts will take place in accordance with the principles and provisions contained in Law 1581 of 2012, known as the General Personal Data Protection Law, Law 1266 of 2008 “which dictates the general provisions of habeas data and regulates the handling of information contained in personal databases, especially in financial, credit, commercial, services, and coming from third countries and dictates other provisions,” and the applicable laws in the jurisdictions where we operate, such as Ecuador, Puerto Rico, Costa Rica, Panama, Mexico, among others, and that the principles contained therein will govern the processing of personal information collected or managed.
Accordingly, EVERTEC’s Boards of Directors established and approved policies and procedures for the protection of personal data, which are detailed in this document.
1.2. OUR IDENTIFICATION
EVERTEC may act as the party RESPONSIBLE for or IN CHARGE of the personal data; for such cases, the identification data of each company are listed below.
Corporate Name: EVERTEC PLACETOPAY S.A.S.
TIN: 900299228-0
Address: Street 16 #55-129. Guayabal, Medellín, Piso 3 Riwi coworking
Email: protecciondedatos@evertecinc.com
Position: Personal Data Protection Officer
Corporate Name: EVERTEC COLOMBIA S.A.S.
TIN: 830136065-4
Address: Avenue street 26 96 J 90 Office 601 and 602 Optimus Project Building Business and Hotel Complex P.H., Bogotá, CO
Email: protecciondatoscolombia@evertecinc.com
Position: Personal Data Protection Officer
Phone: +57 (601) 3278000
1.3. SCOPE
This policy is a rule of conduct that steers the actions of employees, collaborators, shareholders, Boards of Directors, Country Managers, Legal Representatives, administrators, suppliers, contractors, strategic allies, investors and other related parties or interested parties that collect, use, exchange, administer or process databases containing personal data that are under the administration of EVERTEC, or that may be known, by virtue of the contractual and commercial relationships developed with the other companies that are part of the Business Group to which it belongs, of commercial alliances, agreements or advertising events. In the first case, EVERTEC acts as the party RESPONSIBLE, in the other cases it may have the status of IN CHARGE or RESPONSIBLE. Likewise, it is applicable when the data processing is carried out in Colombian territory, as well as when the party RESPONSIBLE or IN CHARGE does not reside in Colombia, but Colombian legislation and/or the jurisdiction of the OWNER of the data is applicable under international standards or treaties.
If any of the above third parties fail to comply with this Policy or applicable Law, EVERTEC will take appropriate disciplinary action to enforce the privacy responsibilities set forth in the Evertec Code of Ethics and the Rules of Conduct in the Collaborator Handbook.
Under the personal data protection regime, the guidelines described herein do not apply:
Colombia
- To databases or files maintained in an exclusively personal or domestic environment.
- To databases and files aimed at national security and defense, as well as the prevention, detection, monitoring and control of money laundering and the financing of terrorism.
- To databases intended for and containing intelligence and counterintelligence information.
- To databases and files of journalistic information and other editorial content.
- To databases and files regulated by Law 1266 of 2008.
- To databases and files regulated by Law 79 of 1993.
Ecuador
- To natural persons who use the data for family or domestic activities.
- To deceased persons, notwithstanding the provisions of article 28 of the Organic Law of Personal Data Protection.
- To anonymized data, as long as it is not possible to identify its OWNER.
- To journalistic activities and other editorial content.
- To personal data whose processing is regulated in specialized regulation of equal or greater hierarchy in matters of natural disaster risk management; and, security and defense of the State, in any of these cases, compliance with international standards in the field of human rights and the principles of this law must be observed, and the criteria of legality, proportionality and necessity, at the very least.
- To data or databases established for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal sanctions, carried out by the competent State agencies in the performance of their legal functions. In any of these cases, compliance with international standards in the field of human rights and the principles of this law must be observed, and the criteria of legality, proportionality and necessity, at the very least.
- To data that identifies or makes identifiable legal entities.
Costa Rica
- To databases maintained by natural persons or legal entities, public or private, for exclusively internal, personal or domestic purposes provided that they are not marketed in any way.
- To databases of financial institutions that are subject to control and regulation by the General Superintendence of Financial Institutions (SUGEF), which will not require registration with the PRODHAB (Agencia de Protección de Datos de los Habitantes – Data Protection Agency of Inhabitants). Notwithstanding the foregoing, the Agency shall have full competence to regulate and monitor the protection of the rights and guarantees covered under Law No. 8968, and to exercise all actions granted for this purpose on such databases.
- To data concerning natural persons in their capacity as professionals, provided that this is done for purposes specific to the profession or in compliance with legal provisions.
México
- To data contained in publicly available sources.
- To personal data subject to a prior dissociation procedure.
- To data that have the purpose of fulfilling obligations arising from a legal relationship between the OWNER and the party RESPONSIBLE.
- When there is an emergency that could potentially harm an individual in their person or property.
- To data that are indispensable for medical care, prevention, diagnosis, the provision of health care, medical treatments or the management of health services, as long as the OWNER is not in a position to grant consent, under the terms established by the General Health Law and other applicable legal provisions and that such data processing is carried out by a person subject to professional secrecy or equivalent obligation.
- To decisions of competent authorities.
- To data concerning legal entities.
- To data of natural persons as traders and professionals.
- To data of natural persons who provide their services for any legal entity or natural person with business activities and/or provision of services, consisting only of their first and last name, the functions or positions performed, as well as some of the following labor data: physical address, e-mail address, telephone and fax number, provided that this information is processed for the purposes of representing the employer or contractor.
Panamá
- To personal data for personal or domestic activities.
- To personal data processed by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or enforcement of criminal sanctions.
- To data processed for financial intelligence analysis and relating to national security in accordance with international legislation, treaties or conventions governing these matters.
- To processing of data related to international organizations, in compliance with the provisions of existing treaties and conventions ratified by the Republic of Panama.
- To information obtained through a previous procedure of dissociation or anonymization, so that the result cannot be associated with the OWNER of personal data.
Chile
- To data collected from sources accessible to the public, with economic, financial, banking or commercial nature, contained in lists relating to a category of persons that merely indicate background such as the individual’s membership of that group, profession or activity, degrees, address or date of birth.
- To data that is necessary for direct response commercial communications or direct marketing or sale of goods or services.
- To processing of personal data by private legal entities for the exclusive use of themselves, their associates, and the entities with which they are affiliated, for statistical, charging or other purposes of general benefit to them.
Uruguay
- To databases maintained by natural persons in the exercise of exclusively personal or domestic activities.
- To databases covering public security, defense, State security and its activities in criminal matters, investigation, and suppression of crime.
- To databases created and regulated by special laws.
2. POLICIES
2.1. GUIDING PRINCIPLES
EVERTEC is committed to understanding and developing, harmoniously, the principles established in the applicable laws, depending on the role it fulfills as party RESPONSIBLE or IN CHARGE of the processing, which are listed below:
- Principle of legality or loyalty.
- Principle of purpose or informed consent.
- Principle of freedom or informed consent or lawfulness.
- Principle of truthfulness or quality and accuracy.
- Principle of transparency.
- Principle of access and restricted movement.
- Principle of security.
- Principle of confidentiality or reservation.
- Principle of necessity and proportionality or relevance and minimization of personal data.
- Principle of temporality or expiration or preservation.
- Portability principle.
2.2. OWNERS’ RIGHTS
The rights of data OWNERS are:
- To give or deny prior, express, and informed consent so that EVERTEC, as the party RESPONSIBLE, can process personal data.
- To request at any time proof of the authorization granted to EVERTEC as the party RESPONSIBLE, unless it is expressly excluded as a requirement for the processing, in accordance with applicable laws.
- To be informed about the use that EVERTEC, as the party RESPONSIBLE or IN CHARGE, has given to personal data.
- To know the purposes for which EVERTEC, as the party RESPONSIBLE or IN CHARGE, captures or manages personal data.
- To file complaints with the regulator or authority he or she deems relevant in order to assert his or her right to habeas data or data protection.
- To revoke the authorization and/or request the deletion of any data when he or she deems it necessary or prudent.
- To access for free the personal data voluntarily shared with EVERTEC.
- To know, update and rectify personal data with the party RESPONSIBLE or IN CHARGE of the processing. This right may be exercised, inter alia, against partial, inaccurate, incomplete, divided, misleading data, or data whose processing is expressly prohibited or not authorized.
2.3. AUTHORIZATION
Notwithstanding the exceptions provided in the law for the processing of personal data and its regulatory decrees, EVERTEC requires prior and informed authorization of the OWNER, which must be obtained by any means that may be the subject of subsequent consultation.
Authorization for the processing of personal data is not necessary when it is:
- Information required by a public or administrative entity in the exercise of its legal functions or by court order; under this criterion, the data of users who make payments using EVERTEC’s services will be processed to respond to legal requirements in judicial or administrative investigations and to comply with the contracts.
- Data of a public nature.
- Data collected within the framework of specific functions of the public administration.
- Medical or health emergencies.
- Processing of information authorized by law for historical, statistical or scientific purposes; in most cases these data must be anonymized or dissociated.
- Cases of epidemiological studies of public interest, complying with international human rights standards, and criteria of legality, proportionality and necessity. Processing should preferably be anonymized.
- Data related to the civil registry of people.
- Data derived from contractual, scientific, or professional relationships that are necessary to fulfill the object of these relationships.
EVERTEC obtains authorizations for the collection of personal data as follows:
- Users. Through the website, transactional channels or payment and consultation tools enabled.
- Clients and their beneficial owners. Through the website, email, signed contracts and/or REG-CMP-004 Client/Supplier Registration-Update.
- Suppliers and their beneficial owners. Through email, signed contracts, and/or REG-CMP-004 Client/Supplier Registration-Update.
- Employees and their families. Through employment contracts, annexes and/or REG-CMP-003 Employment Registration and Update of Personnel Information.
- Partners and Board Members. Through the authorization format for the processing of personal data of shareholders and/or REG-CMP-005 Partner and Board of Directors’ Declarations.
- Pertaining to the use of personal data specifically unrelated to the development of the legal or contractual relationship between EVERTEC and the OWNER, but that relates to the delivery of commercial or advertising information, the OWNER of the data can simply and expeditiously deliver their data (for example, names and surnames, emails, cell numbers, telephone numbers, etc.) to EVERTEC as well as to opt out, at any time, from being contacted for such purposes.
2.4. PURPOSES AND DATA SUBJECT TO PROCESSING
EVERTEC processes personal data as detailed below.
- Users: Information received from users directly or through any third party for the processing of transactions and/or authentications, and to evaluate their behavior, is used for the following purposes:
  - To process transactions by forwarding the information to payment processors and/or financial institutions legitimately constituted under applicable law.
  - To perform security analysis of transactions, directly or through specialized third parties as parties IN CHARGE. In no case may such third parties use the information for purposes other than those mentioned herein or those defined in the contracts entered into with EVERTEC.
  - To perform security analysis to authenticate users, directly or through specialized third parties as parties IN CHARGE. In no case may such third parties use the information for purposes other than those mentioned herein or those defined in the contracts entered into with EVERTEC.
  - To update data for security purposes and to comply with regulations on countering money laundering, the financing of terrorism, the financing of the proliferation of weapons of mass destruction, corruption, and bribery.
  - To make contact in cases of fraud alerts.
  - To make contact in response to third-party requests in exceptional cases.
  - To authenticate users in order to manage personal data protection requests.
  - To perform statistical analysis to identify global behaviors, consumption trends, payments or user behavior.
  - To respond to administrative, judicial or any other requirements that we are required to comply with.
- Suppliers: Information received from EVERTEC’s suppliers is considered confidential and is only disclosed with the express authorization of the OWNER, or when requested by a competent authority. The purposes of this data are:
  - To guarantee the commercial relationship; this includes sending out invitations to contract and arrangements for the pre-contractual, contractual, and post-contractual stages.
  - To issue invoices.
  - To update relevant information regarding administrative procedures.
  - To send invitations to events scheduled by EVERTEC or its affiliates.
  - To update data for security purposes and to comply with regulations on countering money laundering, the financing of terrorism, the financing of the proliferation of weapons of mass destruction, corruption, and bribery.
  - To respond to audits carried out by internal or external entities.
  - To allow suitable work environments for the safe development of activities within the company.
  - Others specifically set out in the authorizations granted by the suppliers themselves.
  - To verify the suitability and competence of the Supplier’s employees who will provide services to EVERTEC; once this requirement has been verified, EVERTEC will return such information to the Supplier, unless expressly authorized to retain it.
  - To report compliance with the OWNER’s financial obligations to credit bureaus and information operators.
  - In any case, the information is not processed for a period longer than the duration of the Supplier’s relationship with EVERTEC, plus the additional time required in accordance with the legal or contractual circumstances that make the handling of the information necessary.
- Prospective clients: Information received from potential clients of EVERTEC is used for the following purposes:
  - Through the Contact Us form, day-to-day exchange of information, business cards delivered at meetings or events, and other communication channels: to manage the presentation of our services (directly or through our partners) to the person who completed or delivered the data or to their delegate.
  - To update the general database, from which information can be shared for educational purposes on digital processes.
- Current clients: Information received from EVERTEC’s clients is considered confidential and is only disclosed with the express authorization of the OWNER or when requested by a competent authority. The purposes of this information are:
  - To perform management (directly or through our partners) of the pre-contractual, contractual, and post-contractual stages, which includes commercial monitoring and customer maintenance.
  - To update relevant information regarding the contracted service.
  - To send information of general interest for the development of electronic commerce or digital transactions.
  - To notify in case of any interruption in services or products.
  - To request information on how to improve or develop services or products, and on other effective ways to communicate.
  - To provide help desk and troubleshooting services.
  - To communicate or send notifications relating specifically to the services or products we offer.
  - To collect information about customer satisfaction with the service provided.
  - To send invitations to events scheduled by EVERTEC.
  - To corroborate any requirements arising in the development of the contract concluded.
  - To comply with the object of the contract concluded, including shipping activities, fulfillment, and processing of guarantees, among others.
  - To verify cases of non-compliance by any party.
  - To onboard each client.
  - To undertake customer loyalty activities and marketing operations.
  - To update data for security purposes and to comply with regulations on countering money laundering, the financing of terrorism, the financing of the proliferation of weapons of mass destruction, corruption, and bribery.
  - To respond to audits carried out by internal or external entities.
  - To report compliance with the OWNER’s financial obligations to credit bureaus and information operators.
  - In any case, the information is not processed for a period longer than the duration of the customer’s relationship with the company, plus the additional time required according to the legal or contractual circumstances that make the handling of the information necessary.
- Subscribers to content of interest: Information received from subscribers is used for the following purposes:
  - To send alerts about failures through the StatusPage service, so that subscribers receive information about the status of EVERTEC PLACETOPAY connections and services. To opt out of these notifications, use the Unsubscribe link at the end of the email, or send a request to servicepostventa@placetopay.com.
  - To send commercial information about services. To opt out of these notifications, use the Unsubscribe link at the end of the email.
  - To position the EVERTEC brand through social networks. To opt out of these notifications, unfollow the social network account you wish to disable.
  - To send newsletters with general information about trends and products that may be of interest to audiences. To opt out of these notifications, use the Unsubscribe link at the end of the email.
  - To send invitations to virtual or face-to-face events led by EVERTEC and intended to offer valuable content to users. To opt out of these notifications, use the Unsubscribe link at the end of the email.
- Evertec job applicants: Their information is considered confidential and is only disclosed by EVERTEC with the express authorization of the OWNER. These data have the following purposes:
  - To participate in the selection process for which you registered.
  - To contact you during the selection process.
  - To store your data in our databases for a period of three (03) years in order to contact you regarding future job opportunities or vacancies.
  - To manage and assess any type of risk associated with initiating or continuing a contractual relationship. This includes the prevention and detection of risks related to money laundering, terrorist financing, the financing of the proliferation of weapons of mass destruction, corruption, and bribery.
  - To conduct background checks on the individuals listed in the onboarding form.
  - To verify identity by any means. This includes the use of any legitimate external source, such as third parties, public or private databases, public registries, and financial, commercial or other information providers.
  - To conduct a psychological interview, security assessment, home visit and polygraph test. Telephone calls, emails, surveys, photographs, videos, audio recordings, photocopies, and other documents will be submitted upon request.
  - To determine whether the candidate meets the previously established requirements, objectives, and specific conditions for the position for which they are applying.
- Collaborators, employees, officials: The information received is considered confidential and is only disclosed by EVERTEC with the express authorization of the OWNER or when requested by a competent authority. The data are used for the following purposes:
  - To share corporate information relevant to the performance of functions.
  - To keep the internal public informed about processes, progress, performance, events, and internal information.
  - To ensure the relationship between employees and EVERTEC.
  - To comply with the human resources processes established by EVERTEC, such as: (i) responding to any request from a competent national or foreign judicial or administrative authority, (ii) carrying out judicial or extrajudicial collection of any obligation owed by the OWNER, (iii) complying with any request, complaint or demand, (iv) carrying out social security affiliations, (v) carrying out welfare activities, (vi) paying the payroll, (vii) recording payroll deductions authorized by law or by the employee, (viii) including information according to the performance of the employee, (ix) reporting in a timely manner modifications that occur in the development of the employment contract, and (x) evaluating the quality of the services offered by the employee who is the OWNER of the information.
  - To comply with the obligations imposed by Colombian Labor Law on employers or with orders issued by competent Colombian authorities.
  - To issue certifications regarding the relationship of the data OWNER with EVERTEC.
  - To comply with the obligations imposed on the company as an employer in relation to Occupational Safety and Health standards and the Occupational Safety and Health Management System (OSHS).
  - To manage the functions performed by employees.
  - To manage memos, warnings, or disciplinary processes.
  - To contact family members in emergencies.
  - To update data for security purposes and to comply with regulations on countering money laundering, the financing of terrorism, the financing of the proliferation of weapons of mass destruction, corruption, and bribery.
  - To carry out epidemiological surveillance activities under the occupational safety and health program.
  - To keep a register of entry dates and ages of collaborators for the AFP (Pension Fund Administrator), to support the pension request process.
  - To offer support to collaborators in proceedings before healthcare insurers, due to inconsistencies in personal and beneficiary care or affiliation.
  - To provide support to employees in proceedings before the Family Compensation Fund, due to inconsistencies in personal and beneficiary care or membership.
  - For decision-making in labor matters regarding the execution and termination of the employment contract, either by the legal area of the company or by its external adviser.
  - To conduct psychological interviews, security studies, home visits, polygraph tests, phone calls, emails, surveys, photographs, videos, audio recordings, photocopies and other documents delivered as requested.
  - For audits carried out by internal or external entities.
  - The folder of each collaborator can only be accessed and processed by Human Resources, to manage the contractual relationship between EVERTEC and the employee.
  - Upon termination of the employment relationship, EVERTEC will store all personal data obtained from the selection process and the documentation generated during the employment relationship in a central archive with restricted access, subjecting the information at all times to appropriate security measures and levels, since employment information may contain sensitive data.
  - In any case, the information is not processed for a period longer than twenty (20) years from the end of the employment relationship, or according to the legal or contractual circumstances that make the handling of the information necessary.
- Partners and Shareholders, and members of the Board of Directors: Personal data of shareholders, their representatives and members of the Board of Directors are stored in a database considered confidential, which is only disclosed by the company with the express authorization of the OWNER or when requested by a competent authority. The purposes for which the data are used are:
  - To allow the exercise of the duties and rights deriving from the status of Shareholder.
  - To send invitations to events scheduled by EVERTEC and to contact the Shareholder or Board member.
  - To issue certifications regarding the relationship of the OWNER with the Company.
  - To update data for security purposes and to comply with regulations on countering money laundering, the financing of terrorism, the financing of the proliferation of weapons of mass destruction, corruption, and bribery.
  - To respond to audits carried out by internal or external entities.
  - For others specifically set forth in the authorizations granted by the Shareholders or members of the Board of Directors.
  - In any case, the information is not processed for a period longer than the time the person is a Shareholder or member of the Board of Directors of EVERTEC, plus the additional time required in accordance with the legal or contractual circumstances that make the handling of the information necessary.
  - Finally, access to such personal information is granted in accordance with the provisions of the Commercial Code and other rules that regulate the matter.
- Visitors: Personal data of visitors are stored in a database considered confidential and are only disclosed by the company with the express authorization of the OWNER or when requested by a competent authority. The purposes for which these personal data are used are:
  - To ensure access to company facilities for people with free transit authorization and to restrict passage to those without authorization.
  - To guarantee security in the monitored environments.
  - For audits carried out by internal or external entities.
  - In any case, the information is not processed for a period of more than one (1) year, counted from its collection, according to the legal or contractual circumstances that make the handling of the information necessary.
- Registration of Video Surveillance: Biometric data (classified as sensitive) of employees, collaborators, officials and visitors are collected through surveillance cameras and stored in a database considered confidential, and are only disclosed with the express authorization of the OWNER or when requested by a competent authority. The purposes for which they are used are:
  - To ensure safety in working environments.
  - To allow suitable work environments for the safe development of company work activities.
  - To control the entry, stay and exit of employees and contractors at company facilities.
  - To respond to audits carried out by internal or external entities.
  - To comply with the duty to inform that corresponds to EVERTEC as party RESPONSIBLE, privacy signs are placed in the areas where images involving the processing of personal data are captured.
  - In any case, the information is not processed for a period longer than ninety (90) days from its collection, according to the legal or contractual circumstances that make the handling of the information necessary.
- Accounting records: Personal data from accounting records and documents are collected and stored in a database which, although composed mostly of public data, is classified as confidential, and are only disclosed with the express authorization of the OWNER or when requested by a competent authority. The purposes for which the personal data are used are:
  - To manage accounting, tax and administrative issues.
  - To manage collections and payments.
  - To manage billing.
  - To manage economic and accounting issues.
- Legal proceedings: Personal data in supporting documents related to legal actions owned by the business are considered confidential and will only be disclosed with the express authorization of the OWNER or when requested by a competent authority. The purposes are:
  - For legal proceedings: labor, commercial.
- Users to whom the GDPR applies: Data collected by EVERTEC for the processing of a transaction and compliance with legal obligations arising from to whom the GDPR applies are:
- Full name of the person making the transaction.
- Identification document of the buyer and/or payer.
- Financial information of the cardholder: PAN (primary account number), CVV (never stored) and card expiration date.
- IP address from which the transaction is made, used only as a control to validate that a transaction may be made for a specific merchant.
- Email used to send proof of payment for the transaction.
- Landline or mobile phone numbers.
- These data are necessary for the recognition, exercise or defense of a right in judicial proceedings; under this criterion, the data of users who make payments using EVERTEC’s services are processed for the following purposes:
- To respond to legal requirements in judicial or administrative investigations.
- To comply with the contracts or agreements of affiliation of the credit card systems signed between the merchants and the entities representing each of the franchises.
- To properly process transactions.
- To perform transactional security validations to prevent cardholder fraud.
- To share the OWNER’s information with the financial networks for the processing of the transaction, with regulatory bodies in response to requests made under the law, and with the respective merchants providing the product and/or service purchased, so that the purchase is completed through delivery of the product.
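The field list above states one concrete handling rule: the CVV is never stored. The following added example (written for this page, not EVERTEC’s or PlacetoPay’s code) shows how a transaction record built from those fields can be sanitized before it is persisted: the CVV is dropped, the PAN is validated and replaced by a truncated form plus a keyed hash that still allows matching, and the remaining fields pass through unchanged. The sample transaction, the field names and the hash key are constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample of the fields listed in the policy; not real cardholder data.
SAMPLE_TRANSACTION = {
    "full_name": "Ana Pérez",
    "document_id": "CC 1234567890",
    "pan": "4111 1111 1111 1111",   # well-known test PAN, passes Luhn
    "cvv": "123",                    # must never reach storage
    "expiry": "12/27",
    "ip": "203.0.113.10",
    "email": "ana@example.com",
    "phone": "+57 300 000 0000",
}

# Hypothetical per-deployment secret; in a real system it lives in a key vault or HSM.
HASH_KEY = b"hypothetical-pan-hash-key"


def luhn_ok(pan: str) -> bool:
    """Luhn check over an all-digit PAN; rejects obviously malformed input."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep only the first 6 and last 4 digits, the PCI DSS v3.2.1 truncation limit."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_reference(pan: str) -> str:
    """Keyed hash (HMAC-SHA256) so stored records can be matched without the PAN."""
    return hmac.new(HASH_KEY, pan.encode(), hashlib.sha256).hexdigest()


def sanitize_for_storage(tx: dict) -> dict:
    """Return a copy of the transaction safe to persist: no CVV, no full PAN."""
    pan = re.sub(r"\D", "", tx["pan"])           # strip spaces/dashes
    if not (13 <= len(pan) <= 19) or not luhn_ok(pan):
        raise ValueError("malformed PAN")
    # Everything except the two forbidden fields is copied through.
    record = {k: v for k, v in tx.items() if k not in ("pan", "cvv")}
    record["pan_truncated"] = truncate_pan(pan)
    record["pan_ref"] = pan_reference(pan)
    return record


if __name__ == "__main__":
    print(sanitize_for_storage(SAMPLE_TRANSACTION))
```

The Luhn and length checks catch malformed input before it is hashed; the truncated PAN is what may be shown on receipts or in support tools, while the HMAC lets the record be linked to later transactions on the same card without the full PAN ever being written.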
- Processing of sensitive data: Sensitive data are those that affect the privacy of the OWNER or whose misuse could lead to discrimination. Sensitive data are those that reveal racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in trade unions or in social or human rights organizations, or in organizations that promote the interests of a political party or guarantee the rights of opposition political parties, as well as data relating to health, sex life and biometrics. To process these data for the purposes detailed below, EVERTEC undertakes to request the respective authorization from the OWNER, to inform the OWNER of the optional nature of the requested authorization, and to establish controls for the security of the information.
- To safeguard the vital interest of the OWNER, if the latter is physically or legally incapacitated. In these events legal representatives must grant their authorization.
- To be processed by a foundation, NGO, association or any other non-profit organization, whose purpose is political, philosophical, religious or trade union, provided that they relate exclusively to its members or to persons who maintain regular contacts for their purpose. In these events, the data cannot be provided to third parties without the authorization of the OWNER.
- To recognize, exercise or defend a right in judicial proceedings; under this criterion, the data of users who make payments and/or authentications using EVERTEC’s services will be processed with the following aims:
- To respond to legal requirements in judicial or administrative investigations.
- To comply with the contracts or agreements of affiliation of the credit card systems signed between the merchants and the entities that represent each of the franchises that EVERTEC processes.
- To enable biometric authentication.
- For historical, statistical or scientific purposes. In this event, measures to remove the identity of the OWNERS from the data must be implemented.
- Data of children and adolescents: EVERTEC collects and processes personal data of the minor children of its employees for the sole purpose of:
- To comply with the obligations imposed by the law on employers in relation to affiliation to social security and parafiscal systems, and to enable children to enjoy their fundamental rights to health and recreation.
- In any case, EVERTEC obtains, where appropriate, the respective authorization for such processing, always considering the best interests of the minor and respect for the prevailing rights of children and adolescents, and applies the security measures required for this information.
- Data collected prior to the issuance of Colombian Decree 1377 of June 23, 2013: in compliance with Article 10 of Decree 1377 of 2013, which regulates Statutory Law 1581 of 2012, EVERTEC undertakes to observe the legal provisions and to safeguard users’ rights regarding the protection of the information contained in the PlacetoPay payment gateway. Accordingly, under Article 10 of Decree 1377 of 2013, EVERTEC notified users who have used and use the PlacetoPay payment gateway of the protection and processing of their data and of the way this personal data processing policy will be enforced, stating the following:
- “Article 10. Data collected prior to the issuance of this decree. For data collected prior to the issuance of this decree, the following shall be considered: 1. The parties RESPONSIBLE must request the authorization of the OWNERS to continue with the processing of their personal data in the way provided in article 7 above, through efficient communication mechanisms, as well as inform them of their policies of processing of the information and the way of exercising their rights. 2. For the purposes of the provisions of numeral 1, efficient communication mechanisms will be considered those that the party RESPONSIBLE or IN CHARGE uses in the ordinary course of their interaction with the OWNERS registered in their databases. 3. If the mechanisms mentioned in numeral 1 impose a disproportionate burden on the party RESPONSIBLE or it is impossible to ask each OWNER for consent to the processing of their personal data and to inform them of the policies of processing of the information and the way of exercising their rights, the party RESPONSIBLE may implement alternate mechanisms for the effects provided in numeral one (1), such as newspapers with wide national circulation, local newspapers or magazines, website of the party RESPONSIBLE, information posters, among others, and inform the Superintendence of Industry and Commerce within five (5) days of its implementation. 4. If within thirty (30) working days from the implementation of any of the communication mechanisms described in numerals 1, 2 and 3, the OWNER has not contacted the party RESPONSIBLE or IN CHARGE to request the deletion of their personal data in the terms of this decree, the party RESPONSIBLE or IN CHARGE may continue to process the data contained in its databases for the purpose or purposes indicated in the data processing policy brought to the attention of the OWNERS through such mechanisms, notwithstanding the right of the OWNER at any time to exercise their rights and request the deletion of the data. 5. In any case, the party RESPONSIBLE and IN CHARGE must comply with all applicable provisions of Law 1581 of 2012 and this Decree. Likewise, it will be necessary that the purpose or purposes in force are the same as, analogous to, or compatible with the one or those for which the personal data were initially collected.”
- In any case, EVERTEC is subject to the applicable laws and to industry changes, and will keep users informed about data protection.
2.5. INFORMATION SECURITY
- Information provided as part of processes that require personal data must be delivered through the means and under the criteria set forth in the Information Security Policy, preferably encrypted and password-protected.
- The owner of the process that delivers data to another party must maintain the chain of custody until the personal data are finally delivered to the owner of the receiving process.
- Transfer of personal data to parties IN CHARGE (third parties outside the company) must comply with the security measures set forth in the Information Security Policy.
- Storage of information containing personal data is carried out in accordance with the Information Security Policies, to prevent falsification, loss, consultation, use, or unauthorized or fraudulent access. Personal data may be stored in any of the following forms:
- Electronic media.
- Physical media, such as folders kept under lock and key or password protection, as defined in the Information Security Policy.
- Storage of information containing personal data in personal emails, USB drives, CD or any other means other than those set out in the Information Security Policies for storing information is prohibited.
- Storage with third parties: processes may store personal data with third parties outside the Company, which then act as parties IN CHARGE of the information for storage purposes. Such parties must meet the highest security standards and comply with the Security Policies defined by EVERTEC.
2.6. EVERTEC’s DUTIES
- To register personal databases (either in physical medium or magnetic storage) in its possession as party RESPONSIBLE with the competent authority, such as the SIC, PRODHAB, INAI, ANTAI or others applicable to our operation.
- To report known security incidents to the competent authority, such as the SIC, PRODHAB, INAI, ANTAI or others applicable to our operation, and in the times defined by regulations.
- To report complaints received to a competent authority, such as the SIC, PRODHAB, INAI, ANTAI or others applicable to our operation, in the times established by regulations (for example, semi-annually).
- To keep the personal data processed up to date; for this purpose, the Company establishes updating procedures which must be communicated to all processes of the Company. Any new developments identified regarding outdated data should be reported to the Personal Data Protection Officer, as appropriate.
- As party RESPONSIBLE:
- To guarantee the OWNER, at all times, the full and effective exercise of the right of habeas data.
- To request and retain a copy of the respective authorization granted by the OWNER.
- To duly inform the OWNER about the purpose of the collection and the rights to which he/she is entitled under the authorization granted.
- To keep the information under the security conditions necessary to prevent its falsification, loss, consultation, use or unauthorized or fraudulent access.
- To ensure that the information provided to the party IN CHARGE of the processing is true, complete, accurate, up-to-date, verifiable, and understandable.
- To update the information when new developments have been reported with respect to the data previously provided by the OWNER, and to take the other necessary measures to keep the information provided to the OWNER updated.
- To correct the information when it is incorrect.
- To provide the party IN CHARGE only with data for which processing has been previously authorized.
- To demand from the party IN CHARGE respect for the conditions of security and privacy of the information of the OWNER, at all times.
- To process consultations and complaints made.
- To inform the OWNER, at his/her request, of the use made of his/her data.
- To report to the data protection authority any breach of security codes and any risks in the administration of the OWNERS’ information.
- As party IN CHARGE:
- To update the information in accordance with commitments agreed with the party RESPONSIBLE.
- To comply with the Company’s security policies and principles and with those that bind it to the party RESPONSIBLE, in compliance with the protection of personal data.
- To correct the information when it is incorrect, and to communicate relevant matters to the party RESPONSIBLE of the processing.
- To use the data for the purpose it was delivered by the party RESPONSIBLE of the processing.
- To process consultations and complaints made that apply to it.
- To report to the party RESPONSIBLE for data protection and/or the SIC any breach of security codes and any risks in the administration of the OWNERS’ information.
2.7. TRANSFER OF PERSONAL DATA
- EVERTEC transfers Personal Data by virtue of its status as a subsidiary of Evertec Group, LLC. Likewise, it processes, transmits and stores user data in Level 1 data centers, with which it has confidentiality agreements and legal and technical restrictions in place to prevent misuse of the information. EVERTEC PLACETOPAY SAS hosts user data in data centers located in the United States, in compliance with the international PCI standard; these suppliers have updated their data protection and processing policies to comply with European Union regulations under the GDPR legal framework. EVERTEC COLOMBIA SAS hosts its counterparts’ data in a data center located in Costa Rica.
- To conduct the international transfer of Personal Data, aside from having express and unequivocal authorization by the OWNER, EVERTEC makes sure that the action provides appropriate levels of data protection and meets the requirements set in applicable regulations and its regulatory decrees.
- Transferring personal data of any kind to countries that do not provide adequate levels of data protection is prohibited. A country is understood to offer an adequate level of data protection when it meets the standards on the matter set by the competent authority, such as the SIC, PRODHAB, INAI, ANTAI or others applicable to our operation. This prohibition shall not apply to:
- Information for which the OWNER granted its express and unequivocal authorization for the transfer.
- Exchange of medical data, when required by the processing of the OWNER based on health or public hygiene reasons.
- Bank or stock transfers, in accordance with applicable legislation.
- Transfers agreed within the framework of international treaties to which the Republic of Colombia is a party, based on the principle of reciprocity.
- Transfers necessary for the execution of a contract between the OWNER and the party RESPONSIBLE, or for the execution of pre-contractual measures provided that the OWNER has given authorization.
- Transfers legally required for the protection of the public interest, or for the recognition, exercise or defense of a right in judicial proceedings.
2.8. TRANSMISSION OF PERSONAL DATA
- EVERTEC transmits Personal Data to third parties as parties IN CHARGE to fulfill some of the purposes established in this policy and/or in the contracts signed with each counterparty.
- To conduct the transmission of Personal Data, aside from informing and having authorization by the OWNER, EVERTEC makes sure that the action provides the appropriate levels of data protection and meets the requirements set in the applicable regulations and its regulatory decrees.
- Transmission of personal data of any kind to countries that do not provide adequate levels of data protection is prohibited. A country is understood to offer an adequate level of data protection when it meets the standards on the matter set by the competent authority, such as the SIC, PRODHAB, INAI, ANTAI or others applicable to our operation.
2.9. RETENTION OF INFORMATION
Data collected by EVERTEC will be stored only for as long as is reasonable and necessary for the purposes that justified the processing, in accordance with the regulations applicable to transaction processing and to administrative, accounting, tax and legal matters. In any case, the provisions of the Information Security Policy Manual and of the Documentary Retention policy and schedule must be followed.
3. POLICIES FOR THE PARTIES IN CHARGE
This section presents the guidelines of EVERTEC for third parties in charge of processing of personal data, in accordance with the guidelines of the competent authority, such as the SIC, PRODHAB, INAI, ANTAI or others applicable to our operation, and under the commercial and contractual relationship with EVERTEC.
For EVERTEC, it is essential that parties IN CHARGE are aware of their obligations and rights, as well as the overall guidelines that should govern their actions as parties IN CHARGE.
3.1. WHO IS IN CHARGE OF PERSONAL DATA?
The party IN CHARGE performs the processing of personal data on behalf of EVERTEC, in accordance with the guidelines related to the processing (use, collection, storage, circulation or deletion) of personal data specified by EVERTEC at the time of contracting.
3.2. RESPONSIBILITY OF THE PARTY IN CHARGE
- According to the regulations applicable to the protection of personal data and the related case law, the party RESPONSIBLE for the processing of the personal data, i.e. EVERTEC, and the party IN CHARGE of the processing are jointly and severally liable to the OWNER of the personal data. This applies to the veracity, integrity, purpose and incorporation of the personal data, as well as to its processing (use, collection, storage, circulation and deletion), on the understanding that any use must be made with the authorization of the OWNER.
- The party IN CHARGE commits with EVERTEC to verify the delivery status of personal data, as well as to offer the necessary security measures to guarantee the security of the data, as per its contractual agreements with EVERTEC.
- The party IN CHARGE of the processing must have all the necessary physical and technological measures in place to ensure the security of personal data. As well as give due diligence in the execution of its work regarding the protection and security of personal data, both in digital and physical databases.
The party IN CHARGE is liable for any conduct contrary to the policies set forth herein, and for any omission of them.
3.3. AUTHORIZATION
It is the duty of both EVERTEC and the party IN CHARGE to have the authorizations required by law to process (use, collect, circulate, store, and delete) personal data.
3.4. OBLIGATIONS OF THE PARTY IN CHARGE
- To immediately inform EVERTEC of any communication received regarding the personal data entrusted to it.
- To inform EVERTEC of any complaint or consultation made by the OWNER of the personal data.
- To implement an internal manual of policies and procedures, as well as appropriate controls to safeguard the security of personal data provided.
- To use the utmost diligence in the processing of personal data provided by EVERTEC.
- To ensure that adequate security measures (whether physical or digital) for the processing of personal data are in place.
- To timely perform updates, rectification, or deletion of data, as instructed by EVERTEC.
- To update information reported by EVERTEC within 5 working days of its reception, whether updating data, revoking authorization, provisions regarding complaints or requests, etc.
- To ensure that the processing of personal data is in accordance with the purpose established by EVERTEC.
- To comply at all times with the instructions given by EVERTEC regarding the processing of personal data.
- To safeguard the privacy, good name, and other similar rights of the data OWNER at all times.
- To sign non-disclosure agreements with contractors or employees who, due to or in connection with their work with the party IN CHARGE, process personal data.
- To report to EVERTEC immediately upon detecting any incident or breach affecting the personal data provided by EVERTEC.
- Not to deliver the personal data sent by EVERTEC to third parties, unless stipulated by EVERTEC.
- To destroy the information once the contract with EVERTEC comes to an end. Under no circumstances can the party IN CHARGE keep copies of personal data.
- To return information containing personal data as stipulated by EVERTEC.
- To comply with the provisions of this policy.
4. POLICIES FOR DEALING WITH CONSULTATIONS AND COMPLAINTS
At any time and free of charge, the OWNER, his/her successors-in-interest or legal representatives, may request EVERTEC to rectify, update or delete their personal data, subject to verification of the identity of the OWNER.
4.1. WHO MAY RECEIVE THE INFORMATION?
Information meeting the conditions laid down may be provided to the following people:
- To the OWNERS, their successors-in-interest or their legal representatives, after due authentication.
- To public or administrative entities in the exercise of their legal functions or by court order.
- To third parties authorized by the OWNER or by law.
4.2. WHO TO SUBMIT YOUR REQUESTS TO
Corporate Name: EVERTEC PLACETOPAY S.A.S.
TIN: 900299228-0
Address: Calle 16 # 55-129, Floor 3, Riwi coworking, Guayabal, Medellín, CO
Email: protecciondedatos@evertecinc.com
Position: Personal Data Protection Officer
Corporate Name: EVERTEC COLOMBIA S.A.S.
TIN: 830136065-4
Address: Avenida Calle 26 # 96 J 90, Offices 601 and 602, Optimus Project Building, Business and Hotel Complex P.H., Bogotá, CO
Email: protecciondatoscolombia@evertecinc.com
Position: Personal Data Protection Officer
Phone: +57 (601) 3278000
4.3. CONSULTATIONS
The OWNERS, their successors-in-interest or legal representatives may consult the information held by EVERTEC, which will provide the information contained in the individual record or linked to the identification of the OWNER.
The consultation, once received by EVERTEC, will be dealt with within ten (10) working days from the date of reception. When it is not possible to answer the consultation within that period, the interested party will be informed of the reasons why and a new date will be provided to answer the consultation, which in no case may exceed five (5) working days following the expiration of the first term.
EVERTEC may carry out identity verification activities, such as security questions or CONFRONTA validation with risk centers (credit bureaus), in order to protect the information of the OWNERS and avoid the risk of information leakage through social engineering or other forms of illegal information collection.
4.4. COMPLAINTS
The OWNER, his/her successors-in-interest or legal representatives who consider that the information contained in a database should be subject to correction, update or deletion, or when they notice the alleged breach of any of the duties contained in the law, can submit a complaint through the channels enabled by EVERTEC, attaching the following information:
- Full name.
- Type and number of identification document.
- Type of relationship with EVERTEC.
- Description of the facts giving rise to the request.
- Address (physical and/or electronic – email) to which a reply may be sent.
- Documents deemed necessary.
- When the request is made by a person other than the OWNER, that person (or attorney-in-fact) must be duly authorized; otherwise, the request will be considered not submitted.
For the procedure, the following rules are considered:
- If the complaint is incomplete, the interested party will be asked, within five (5) business days of reception, to correct it. If two (2) months pass from the date of that request without the required information being submitted, the complaint is understood to have been withdrawn.
- If EVERTEC receives a complaint that does not fall under its competence, it will forward it to the appropriate party within a maximum of two (2) working days and will inform the OWNER accordingly.
- Once the complete complaint has been received, EVERTEC will add to the respective database, within no more than two (2) business days, a note reading “complaint in process” together with its reason. EVERTEC will keep this note on the data under discussion until the complaint is decided.
- The maximum period for dealing with the complaint is fifteen (15) business days from the day following the date of reception. When it is not possible to deal with the complaint within this period, EVERTEC will inform the OWNER of the reasons for the delay and of the new date on which the complaint will be dealt with, which in no case may exceed eight (8) working days following the expiration of the first term.
- In case of requests for rectification, update or deletion: in accordance with the request of the OWNER, EVERTEC will rectify and update information that proves to be incomplete or inaccurate, following the rules set out above. In this regard, the following are considered:
- In case of requests for rectification and update of personal data, the OWNER must indicate the corrections to be made and provide the documentation to support it.
- Accordingly, electronic or other means deemed relevant to the correction of the data may be enabled.
- In case of requests for data deletion: The OWNER of the personal data has the right, at any time, to request EVERTEC to delete (erase) his/her personal data when:
- He/she considers that data are not being treated in accordance with the principles, duties and obligations provided in current regulations.
- Data are no longer necessary or relevant for the purpose for which they were collected.
- The period necessary to fulfill the purposes for which they were collected has passed.
- The deletion implies total or partial erasing of personal information as requested by the OWNER from the records, files, databases or processing performed. It is important to note that data may not be deleted when:
- The OWNER has a legal or contractual duty to remain in the database.
- The deletion of data hinders judicial or administrative proceedings linked to tax obligations, the investigation and prosecution of crimes or the updating of administrative sanctions.
- The data are necessary to protect the OWNER’S legally protected interests; to undertake an action based on public interest, or to fulfill an obligation legally acquired by the OWNER.
4.5. COMPLAINTS TO THE COMPETENT AUTHORITY
The OWNER, successor-in-interest or legal representative must first exhaust the procedure of “consultation” or “complaint” with the party RESPONSIBLE of the processing, before filing a complaint to the competent authority.
4.6. CONSULTATIONS AND COMPLAINTS WITH PARTIES IN CHARGE
- Consultation: OWNERS of personal data, their successors-in-interest or legal representatives may request the “consultation” of their personal data through the channels indicated in the authorizations and privacy policies of EVERTEC. Therefore, a party IN CHARGE of the processing that, in the course of executing its contract, receives a “consultation” from an OWNER of personal data must refer it within two (2) days to the Personal Data Protection Officer designated by EVERTEC. The referral must contain all the data attached by the OWNER and the current status of the personal data of the OWNER making the consultation.
- Complaints: When the OWNER, his/her successors-in-interest or legal representatives consider that the information contained in the database should be subject to correction, authorization, deletion or revocation of authorization, they may submit a complaint through the channels provided by EVERTEC. Once the party IN CHARGE has received a “complaint”, it must forward it to the Personal Data Protection Officer designated by EVERTEC within two (2) days. The referral must contain all the data attached by the OWNER, the current status of the personal data of the OWNER submitting the complaint, and the mechanism by which that personal data was collected, i.e. whether it was initially delivered by EVERTEC or collected by the party IN CHARGE of the processing.
5. COOKIE POLICY
5.1. USE OF OWN COOKIES IN EVERTEC PLACETOPAY SAS APPLICATIONS
- EVERTEC PLACETOPAY SAS applications use session cookies to ensure that the applications are used by humans and not by automated clients, and to prevent brute-force attacks against application logins.
- Session cookies are used to generate personalized content for authenticated users, in compliance with the segregation and session policies stipulated in PCI DSS v3.2.1.
- EVERTEC PLACETOPAY SAS’s own cookies do not collect personal information from users without their consent.
5.2. USE OF THIRD-PARTY COOKIES
- Google Analytics: Stores cookies to compile statistics on the traffic and volume of visits to this website. By using this website, you consent to the processing of your data by Google; therefore, the exercise of any right in this regard must be communicated directly to Google.
- Facebook: Information on Likes.
- Explanatory note on the use of third-party cookies: EVERTEC PLACETOPAY SAS is not liable for the content or the veracity of the privacy policies associated with third-party cookies; the relevant links are provided below.
- Google’s cookie policy and technical information on cookies in Google Analytics
- Facebook’s cookie policy.
5.3. DELETION OF OWN AND THIRD-PARTY COOKIES
Users who access an EVERTEC PLACETOPAY SAS platform may delete the cookie information on their device at any time by following each browser’s guidelines. Links to some of them are as follows:
- Google Chrome.
- Microsoft Edge.
- Microsoft Internet Explorer.
- Mozilla Firefox.
- Safari
6. VALIDITY OF THE POLICY ON THE PROTECTION OF PERSONAL DATA
This policy applies from the date of its publication and supersedes any provisions contrary to it.
Any substantial changes to it will be reported through the website and subsequently, in any other means deemed relevant.
EVERTEC may modify the terms and conditions of this document at any time.
All changes are reported by publishing a new version on the website (www.evertecinc.com).
Natural persons that are subject to this policy should make sure to frequently check the website (www.evertecinc.com) to verify the changes.