The ASOCIACIÓN COALICIÓN COSTARRICENSE DE INICIATIVAS DE DESARROLLO (“CINDE”) is a private, non-profit, non-political organization that provides consulting services free of charge in the investment process. CINDE is a company domiciled in the Republic of Costa Rica, Mata Redonda, Sabana Sur, Torre Universal, 22nd Floor, that has corporate identification number 3-002-056152. If you would like to contact us to obtain additional information, you may call the following telephone number: +506 2201-2800 or send us an email to the following email address: email@example.com
In conformity with the Costa Rican regulations on personal data protection, this Policy is meant to define the general CINDE guidelines related to protecting personal data as well as to regulate the control procedures and mechanisms that should be followed to properly manage, treat, and protect information. By issuing this Policy, CINDE integrates personal data privacy and protection into all its organization’s processes. Compliance with this policy is vitally important for the organization to function normally and to match the current regulations.
This Policy is applicable to the databases and/or files that contain personal data that are subject to treatment by CINDE.
The provisions in this document should always be applied when CINDE, its representatives, agents, and/or employees of any rank proceed to handle personal data. This includes, among other things, collection, storage, use, circulation, suppression, transmission, and/or transfers except in those cases that are not included in the law.
Any actions that begin, process, or end personal data treatment are subject to the contents of this document. In addition, the provisions in this policy should be applied whenever CINDE performs as the party responsible for and/or in charge of that treatment.
The following are the definitions set forth in the Personal Data Handling Protection Law, number 8968 and its bylaws, Executive Decree No. 37554-JP:
- Database: Any file, roster, record, or any other structured set of personal public or private data that are subject to treatment, whether automated or manual, on-site or on the cloud, under the control or direction of a responsible party, no matter what the mode is for preparing, organizing, or accessing it.
- Personal data owner consent: Any statement of express, free, unequivocal, informed, or specific will that is set forth in writing or digitally for a determined purpose that is used by the personal data owner or his or her representative to consent to treating his or her personal data. If the consent is expressed within the framework of a contract for other purposes, that contract must have a specific, independent clause about consent for personal data treatment.
- Personal data: any information relative to a person who may or may not be identified or identifiable.
- Sensitive data: information related to a person’s intimate realm, e.g., data that reveal racial origin, political opinions, religious or spiritual convictions, socio-economic condition, bio-medical or genetic information, sexual life and orientation, etc.
- Confidentiality duty: obligation of the parties responsible for personal databases in their charge to keep information confidential when exercising the powers provided by the regulations, primarily to access information about personal, sensitive data. This obligation will remain in place even after the relationship with the database has ended.
- Party in charge: This is any individual or company, whether a private or public entity, or any other personal data treatment body that is responsible for the database.
- Guarantee of confidentiality: Obligation of any individual or company, whether public or private, who has a share in treating or storing personal data to comply with the confidentiality duty that is required by the regulations.
- Technological or Service Provider Broker: Any individual or company, whether public or private, that provides infrastructure, platform, software, or other types of service.
- Disassociation procedure: The action or effect of disassociating personal data so the information that may be obtained cannot be associated or linked to a determined or determinable person.
- Responsible Party: Any individual or company, whether public or private, that administers or manages, is in charge of, or is the owner of one or more public or private databases that is competent for, based on the regulations, deciding what the purpose of the database is, in which personal data categories the data should be registered, and what type of treatment is to be applied.
- Suppression or deletion: Procedure used by the party who is responsible or in charge of the database for erasing or totally or partially finally destroying the owner’s personal data in his or her database.
- Owner or Interested Party: The individual who owns the personal data or his or her representative.
- Personal Data Transfer: Action used to transfer the personal data belonging to the responsible party from a personal database to any third party other than the party that is responsible, from his or her economic interest group, of the party in charge, the service provider, or technological broker in those cases provided that the recipient does not use the data for distribution, broadcasting, or merchandising.
- Data treatment: Any operation or set of operations that are carried out using automated or manual procedures and applied to personal data, such as collection, registration, organization, conservation, modification, extraction, consultation, usage, communication via transmission, broadcasting, distributing, or any other way that provides access thereto, to the comparison or interconnection, as well as any blockage, suppression, or destruction, etc.
- Automated data treatment: Any operation, set of operations or procedures applied to personal data by using hardware, software, networks, services, applications, whether on-site or on the cloud, or any other information technology that makes it possible to collect, register, organize, preserve, modify, extract, consult, use, communicate by transmission, broadcasting, distribution or by any other means that makes it possible to access them, compare them, or to interconnect them as well as any block, suppression or destruction, exchange or digitalization of personal data, etc.
- Economic interest group: a group of companies that make statements in the form of a single decision, i.e., a meeting of all of the business command or direction elements through an operation center that is exteriorized by two basic movements: the criterion of unity of direction, i.e. through subordination or collaboration by companies, or the criterion of economic dependence of the companies that are grouped together, regardless of the legal status of the companies that are affected or whose assets are subject to transfer, regardless of the domicile and business name.
In all the actions that imply any sort of personal data treatment as well as interpreting the provisions in this Policy by CINDE, its representatives, agents, and/or employees no matter what the rank, the principles that guide them should be observed as they pertain to:
1. Informative self-determination. Everybody has the right to informative self-determination, which includes a set of principles and guarantees related to legitimate personal data treatment. Informative self-determination is also recognized as a fundamental right to control the flow of information concerning each person as derived from the right to privacy by keeping any discriminatory actions from being encouraged.
2. Principle of informed consent.
2.1 Obligation to inform. When personal data is requested, first the owners or their representatives must be informed expressly, precisely, and without any mistake:
- Of the existence of a personal database.
- For the purposes that are sought when collecting this data.
- Of the people who receive the information as well as who may consult it.
- Of the mandatory or optional nature of their answers to the questions that are provided while collecting the data.
- Of how the requested data will be treated.
- Of the consequences of refusing to supply the data.
- Of the possibility of exercising any rights that are applicable.
- Of the address and identity of the party responsible for the database.
- When questionnaires or other media are used to collect personal data, these warnings must be clearly legible.
2.2 Provision of consent.
The party who compiles the personal data must obtain the express consent of the person who owns the data or of that person’s representative. This consent must be provided in writing, either in a physical or electronic document, which may be revoked the same way, without any retroactive effect.
Express consent will not be necessary when: a) A well-founded order exists issued by the competent judicial authority or by means of an agreement adopted by a special research commission of the Legislative Assembly in exercising its position; b) It has to do with personal data with unrestricted access that are obtained from sources with general public access; c) The data must be provided by a constitutional or legal provision.
3. The principle of information quality. Personal information may only be collected, stored, or used for automated or manual treatment when this information is current, truthful, exact, and appropriate for the purpose for which that information was collected.
- Timeliness: The personal data must be up to date. The party responsible for the database will delete information that is no longer pertinent or necessary based on the purpose for which that information was received and registered. In no case will any personal data be kept that may affect, in any fashion, any owner, once ten (10) years have passed since the date that the registered events have occurred except due to a special regulatory provision that states otherwise. Should it be necessary to keep it beyond the stipulated deadline, the data must be disassociated from the owner.
- Truthfulness: The personal data must be truthful. The party responsible for the database must modify or suppress any information that is not truthful. Likewise, the party responsible will be sure that the information is treated faithfully and legally.
- Accuracy: The personal data must be accurate. The party responsible for the database will take any measures needed for any inaccurate or incomplete data, in relation to the purposes for which the information was collected or that were treated afterwards, to be suppressed or corrected. If any personal data that has been recorded turns out to be inaccurate in full or in part, or incomplete, it will be removed or replaced officially by the party responsible for the database with the rectified data that has been updated or complemented. Likewise, this data will be removed if there is no informed consent available or if collection of this data is prohibited.
- Adjustment for purpose. Any personal data will be compiled for the determined, explicit and legitimate purposes and will not be treated afterwards in a fashion that is incompatible with said purposes. Later treatment of the data will be considered to be incompatible with historic, statistical, or scientific purposes provided that the proper guarantees are established to safeguard the rights included in the regulations. Databases may not have any purposes other than legal or public moral purposes.
6. DUTIES AS THE RESPONSIBLE PARTY
Provided that CINDE engages in operations that imply treatment of personal data as the responsible party, it will understand that the data is the property of the individuals to which the data refers. As a consequence, CINDE pledges to observe and comply with the following obligations:
- Request and keep a copy of the pertinent consignment that was issued by the Owner.
- Properly inform the Owner about the purpose for collecting the data and the associated rights.
- Keep the information under the necessary security conditions to avoid any adulteration, loss, inquiry, use, or access that is not authorized or that is fraudulent.
- Report it as pertinent to the Party in Charge, the Technological Broker, or the Service Provider for the treatment.
- Require the Technological Broker in Charge or the Service Provider for the treatment to respect the Owner’s information security and privacy conditions.
- Process any inquiries and claims formulated under the terms set forth in the regulations.
- Adopt this Policy to ensure that the applicable law is properly met.
- Implement the specific Privacy Policies for each database and/or file when needed to report the personal information to the Owner in an effective fashion.
- Limit access to the information solely to people who should have access to it to fulfill the agreed-upon purposes.
7. INFORMED CONSENT.
Any capture, collection, use, and storage or processing of personal data performed by CINDE while carrying out its activities, requires the owners to provide free, prior, express, unequivocal, and informed consent unless any of the exceptions included in the regulations may be applicable.
CINDE may keep the consent obtained for treating the personal data in custody, whether as a physical file or web forms where any treatment acceptance traceability is possible.
8. RIGHTS OF INFORMATION OWNERS.
CINDE guarantees everybody’s right to access their personal data, and to correct or delete the information and to consent to assign the data.
- Information access. The right to access personal information guarantees the following powers for the interested party:
- At reasonable intervals, obtain confirmation or not of the existence of their data in files or databases without delay and free of charge. Should their data exist, the data must be reported to the interested party accurately and in an understandable fashion.
- Receive the information related to the Owner as well as the purposes for which the information was compiled and how their personal data has been used. The report must be complete, clear, and free of any coding. It must be accompanied by an explanation of the technical terms that are used.
- Be fully informed in writing by physical or electronic media about all of the information belonging to the Owner even when the requirement only includes one aspect of the personal data. In no case will this report reveal data pertaining to third parties even when the information is associated with the interested party, except when said data is meant to back up a criminal process.
- Have knowledge of the system, program, method, or process used in treating their personal data.
- Right to correction. If applicable, the right is guaranteed to be able to correct the personal data and to update or delete that personal information when dealing with an infraction of the provisions in the regulations, in particular due to the data being incomplete or inaccurate or when the data has been compiled without authorization from the owner.
- All owners may request that the party responsible for the database correct, update, cancel, or delete the data in compliance with the guarantee of confidentiality in relation to their personal data and have that request fulfilled.
- For data belonging to deceased individuals, their successors or assigns will have the right to exercise these rights.
9. PROCEDURE TO EXERCISE THE OWNERS’ RIGHTS.
The procedures to exercise the owners’ rights will be the following:
- Inquiries: The owner of the data or their representatives may consult their information and personal data from the database in which case we will provide them with the requested information, after verifying that they have the right to file such a request. The inquiry will be fulfilled within a maximum period of five (5) business days after the date that it is received. When it is impossible to fulfill the inquiry by said deadline due to the need for additional information, CINDE may require the owner, for a single time and within the five (5) business days after receipt of the request, to provide any information or documents needed to be able to process the request. The owner will have a period of five (5) business days after the date after it has been received to fulfill the requirement. If no response is provided by that deadline, the pertinent request will be held to have not been submitted. Should the Participant fulfill the requirement for information, the deadline for CINDE to respond to the request will be five (5) business days that will begin on the day after the Participant has fulfilled the requirement.
- Complaints: If the Data Owner or its representatives consider that the information and personal data contained in the database must be corrected, updated, or deleted, or when there is apparent breach of any of the rights contained in the Costa Rican legal system, a complaint may be filed with CINDE to be processed following these rules:
- The complaint must be formulated by means of an application sent to CINDE with the identification, description of the underlying rights to the complaint, the address, and by attaching any documents that need to be enforced. If the complaint is not complete, we will require the information within five (5) days after receiving the complaint to rectify the situation. Once five (5) business days have passed since the date of the requirement, without you providing the required information, we will understand that the complaint is no longer in effect.
- Should CINDE not be competent to settle your claim, it will be transferred to the responsible party within a maximum period of five (5) business days and it will be reported in a timely fashion.
- The maximum period to settle the complaint will be five (5) business days after the day after the date when receipt of the complaint was properly documented.
- Any request to delete the information and cancellation of the authorization or request for limited use and release of the personal data will not be applicable when the Data Owner has the legal or contractual duty to remain in the database under the terms that the applicable laws set forth.
10. SECURITY MEASURES.
CINDE must adopt the technical and organizational measures needed to guarantee the security of the personal data and to keep that data from being altered, accidentally or illicitly destroyed, lost, or treated or accessed without authorization, as well as from any action that may go against the regulations.
These measures must include, at least, the most appropriate physical and logical security mechanisms based on the current technological development to guarantee that the stored information is protected.
No personal information will be recorded in databases that do not meet the conditions that fully guarantee that it is secure and integral. This includes any treatment centers, teams, systems, and programs.
CINDE will maintain the mandatory security protocols to be followed by the staff members who have access to personal data and information systems.
CINDE and anybody who is involved in the personal data treatment phase must maintain the professional or functional secrecy even after their relationship with the database has ended. The party with the obligation may be relieved of the duty of secrecy due to a legal decision or as strictly necessary within the lawsuit being heard.
12. FORCE AND EFFECT:
This manual will go into full force and effect as of December 2020.