Personal Data Policy

Personal Data Processing Policy

PAPELERÍA LA COMUNA (PATIÑO Y CIA SAS), identified with NIT 900.241.288-2, domiciled at Carrera 5 No 13-18, Ibagué, Tolima, in compliance with Law 1581 of 2012, Decree 1074 of 2015 (chapters 25 and 26), Circular Externa 005 of 2017 and other applicable regulations, adopts this Policy for the processing of personal data.

1. Objective

Establish the general guidelines for the processing of personal information collected and managed by PAPELERÍA LA COMUNA, ensuring the rights of data subjects and promoting transparency in all commercial operations, including online purchases, newsletter subscriptions, and loyalty programs.

2. Scope

Applicable to all databases containing personal data under the Company’s responsibility, whether automated or not, including the website https://papelerialacomuna.com, physical stores, and customer service channels.

3. Definitions

  • Authorization: Prior, express, and informed consent of the Data Subject.
  • Database: Organized set of personal data subject to processing.
  • Personal Data: Information linked to an identified or identifiable natural person.
  • Public Data: Non-private or sensitive information (e.g., marital status, profession).
  • Private Data: Intimate information of interest only to the Data Subject.
  • Semi-private Data: Financial, credit, or commercial information.
  • Sensitive Data: Racial origin, political orientation, health, biometric data, etc.
  • Data Processor: Third party that processes data on behalf of the Data Controller (only if required by law).
  • Data Controller: PATIÑO Y CIA SAS.
  • Data Subject: Natural person whose data is being processed.
  • Processing: Any operation on data (collection, use, deletion, etc.).
  • Transfer: Sending data to a recipient who is a Data Controller (only if required by law).
  • Transmission: Communication of data for processing on behalf of the Data Controller (only if required by law).
  • Privacy Notice: Communication to the Data Subject about the existence and access to this policy.

4. General Provisions

4.1. Introduction

In compliance with the Colombian Constitution (Articles 15 and 20), the Company guarantees proper processing of personal data, aligning its practices with trusted standards such as those implemented by Almacenes Éxito and Falabella in Colombia.

4.2. Applicable Regulations

  • Law 1581 of 2012
  • Decree 1074 of 2015 (chap. 25 and 26)
  • Circular Externa 005 of 2017
  • Decree 1115 of 2017
  • Law 1266 of 2008 (financial data)

4.3. Guiding Principles

  • Legality · Purpose · Freedom · Accuracy
  • Transparency · Restricted Access · Security · Confidentiality

4.4. Data Protection Officer

Appointed to oversee compliance. Functions:

  • Maintain inventory and RNBD registration.
  • Report incidents to SIC within 15 business days.
  • Train staff annually.
  • Handle inquiries and claims.
  • Coordinate internal audits.

Contact: planeacion@papelerialacomuna.com

5. Personal Data Processing

5.1. Data Controller

5.2. Purposes

  • Process orders, invoicing, shipping, and warranties.
  • Manage user accounts and loyalty programs.
  • Send commercial communications (only with consent, with opt-out option).
  • Comply with legal obligations (DIAN, fraud prevention).
  • Conduct anonymous statistical analysis to improve services.
  • Handle customer inquiries, complaints, and claims.

5.3. Authorization

Obtained prior, express, and informed through web checkboxes (with link to this policy), physical signatures, or verbal recordings. Proof is retained for at least 5 years. The Data Subject may revoke it at any time.

5.4. Minors’ Data

Processed only with the legal representative’s authorization, prioritizing the best interests of the child. No marketing is directed to minors.

5.5. Biometric Data

(Currently not applicable). If implemented, it will require special authorization and enhanced security measures.

5.6. Security

  • SSL/TLS protocols for online transactions.
  • Restricted access with multi-factor authentication.
  • Encryption of data at rest and in transit.
  • Periodic risk assessments and internal audits.

Full credit card numbers are not stored (tokenization is used).

5.7. Data Transmission

No data is transmitted to third parties, except when required by law. In such cases, it is strictly documented and limited.

5.8. International Transfer

No international data transfers are made, except under legal mandate.

5.9. Delivery to Authorities

Data is provided only in response to valid judicial or administrative requests, with verification of authority and documented record.

5.10. RNBD

All databases are registered in the National Database Registry (RNBD) of the SIC.

5.11. Incidents

Procedure: Detection → Record → Containment Plan → Report to SIC (15 business days) → Notification to data subjects if high risk (within 72 hours).

5.12. Data Retention Period

Data is retained only as long as necessary for the purpose or until authorization is revoked, except for legal obligations (e.g., 5 years for tax purposes). Afterward, it is deleted or anonymized.

6. Rights of Data Subjects (ARCO)

  • Access your data (free monthly access).
  • Update and rectify inaccurate information.
  • Delete data (unless legally required to retain).
  • Revoke authorization for specific processing.
  • Obtain proof of authorization.
  • File complaints with the SIC.

6.1. Inquiries

Channels: email, web form, or in-person. Response within 10 business days.

6.2. Claims

Include ID, description, and supporting documents. Response within 15 business days, with notice “Claim in Progress”. If unresolved, you may escalate to the SIC (www.sic.gov.co).

7. Closed-Circuit Television (CCTV)

All our locations operate closed-circuit surveillance for security, monitoring, and control. Recordings:

  • Are stored for a maximum of 30 days (unless legally required longer).
  • Access is restricted to authorized personnel only.
  • Are not used for commercial purposes or shared without a court order.
  • Surveillance areas are clearly signposted.

Entering our facilities implies acceptance of this security measure.

8. Cookies and Similar Technologies

We use essential cookies (cart, login), analytics (anonymized), and marketing cookies (only with consent via banner). You can manage preferences in your browser or at Privacy Center. See Cookie Policy.

9. Validity

This policy is effective as of November 13, 2025. Significant changes will be notified via email or website banner with 15 days’ notice. Current version: https://papelerialacomuna.com/en/content/2-personal-data-policy.

Contact Channels

Papelería La Comuna: Your privacy is our priority since 1982.