To comply with the laws and the respective regulatory decrees on the protection of personal data. Among the obligations contained within current regulations is the adoption of an internal manual of policies and procedures to ensure adequate compliance with the law and, in particular, to respond to questions and complaints from data owners. In this way, the organization protects the right of habeas data.
This policy applies to Argentina, Chile, Brazil, Ecuador and Colombia, and is based on Colombian standards for its development and fulfillment. Although the necessary and specific requirements of each country will be met, this policy was based on Colombian mechanisms since the website, through which personal data will be received, is managed from computers located in Colombia.
This Commitment is applicable to GeoPark Colombia and its subsidiaries, affiliates and/or controlled companies (GeoPark Colombia S.A.S, GeoPark Colombia E&P S.A. Sucursal Colombia, Amerisur Exploración Colombia Limitada, Petrodorado South America S.A. Sucursal Colombia, Fenix Oil & Gas Limited Sucursal Colombia); GeoPark Chile S.p.A. and its subsidiaries GeoPark TdF S.p.A., GeoPark Fell S.p.A., and GeoPark Magallanes Ltda.; GeoPark Argentina SAU; GeoPark Brasil Exploracao y Producao de Petóleo e Gas Ltda., GeoPark Perú S.A.C, Sucursal Ecuador, and El Consorcio GeoPark-Frontera Bloque Espejo, hereinafter “the organization,” and its employees and third parties hired by such companies.
The member companies of the organization, through the adoption of this document, comply with the requirements established in Law 1581 of 2012, Decree 1377 of 2013 Law 25,326/2000 of Protection of Personal Data (PDPA) of Argentina, law of protection of personal data (law 19,628) of Chile, the Organic Law of Protection of Personal Data of Ecuador, Law 13,709 of 2018 Federal Data Protection of Brazil and other applicable regulations that modify, add or complement the Protection of Personal Data in each of the countries in which the organization has a presence. The Commitment has certain special requirements, in line with the countries in which the organization has a presence. This Privacy Commitment regulates everything pertinent to the collection, storage, use, circulation and deletion of personal data.
Scope. This Privacy Commitment applies to the handling of personal data that the organization collects by any means depending on the development of its corporate purpose and to databases containing personal data, as defined by law. Likewise, this Privacy Commitment is extended, as appropriate, to the companies of the group and/or third parties linked or to be linked, located inside and outside the national territory, as applicable.
Authority: Refers to the corresponding personal data authority, depending on the country where the information is collected.
Authorization: Prior, expressed and informed consent of the owner to handle personal data.
Database: Organized set of personal data that is subject to handling.
Confidentiality: Handling of information in a way that ensures access only by authorized personnel or, in the case of personal data, by the data owner.
Personal data: Any data connected with or that can be associated with one or more specific or determinable individuals.
Public data: Data that is not semi-private, private, or sensitive. Public data is considered to include, among others, data related to the marital status of persons, their profession or trade and their status as a trader or public servant. By its nature, public data may be found, among other places, in public registers, public documents, gazettes and official bulletins, and duly enforceable court judgments that are not reserved.
Public Personal Data: Any personal data that is freely known and open to the general public.
Private personal data: Any personal data that is of restricted knowledge, and in principle private to the general public.
Semi-private data: Data that is not personal, reserved, or public and whose knowledge or disclosure may interest not only its owner but a certain sector or group of people or society in general.
Sensitive information: Information that affects the privacy of the Owner or whose improper use may generate discrimination, such as that revealing racial or ethnic origin, political orientation, religious or philosophical convictions, membership of trade unions, social or human rights organizations, or which promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sex life and biometric data, among others, the capture of still or moving images, fingerprints, photographs, iris, voice, facial or palm recognition, etc.
Person in charge of data handling: An individual or organization, public or private, who alone or in association with others handles personal data on behalf of the person responsible for the handling.
Data Protection Officer: Person or area that is designated to assume the function of personal data protection.
Person responsible for data handling: An individual or organization, public or private, who alone or in association with others, makes decisions on the database and/or the handling of data.
Risk: Possibility of occurrence of potential harm or harm to persons, units or organizations, with respect to which preventive or control actions are taken, at their own initiative or on instructions or measures from authorities.
Information Security: Set of preventive and reactive measures that allow the organization to safeguard and protect information to maintain the confidentiality, availability, and integrity of data.
Owner: Individual whose personal data is handled.
Transfer: Data transfer takes place when the person responsible and/or in charge of the processing of personal data, sends the information or personal data to a recipient, who in turn is responsible for its handling and is located within or outside the country from which the information was sent.
Transmission: Handling of personal data that involves it being sent within or outside the country it originates from to be processed by the person in charge of the handling on behalf of the person responsible.
Handling: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.
Access and Restricted Circulation. Handling is subject to limits deriving from the nature of personal data and from the provisions in the current regulations. In this sense, data can only be handled by persons authorized by the owner and/or by persons accounted for in law. Personal data, except for public information, may not be made available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to the owners or third parties authorized by law.
Confidentiality. All persons involved in the handling of personal data that is not public are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks involved in the handling, able to make provision or communication of personal data only when this corresponds to the development of the activities authorized by law and its terms.
Purpose. Handling must obey a legitimate purpose in accordance with the Constitution and the Law, about which the owner must be informed.
Legality. Data handling is a regulated activity that must be executed in accordance with the provisions of the law and other applicable provisions.
Freedom. Handling requires the prior, expressed, and informed consent of the owner. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that replaces consent.
Security. Information must be handled with the technical, human, and administrative measures that are necessary to provide security to the records avoiding their adulteration, loss, consultation, use, or unauthorized or fraudulent access.
Transparency. In the handling, the right of the owner to obtain from the person responsible for handling or the person in charge, at any time and without restrictions, information about the existence of data that concerns him/her is preserved.
Veracity or Quality. Truthful, complete, accurate, up-to-date, verifiable, and understandable information.
Prior to or at the same time as the information is requested by the organization from the owners, they will be informed of the specific purposes for which their data will be treated in accordance with what a reasonable person would consider appropriate within the given circumstances.
If in the normal course of business carried out by the organization, sensitive data, data for security studies and data concerning minors is collected and processed, the organization will explicitly reiterate to the owners of such sensitive data or their representatives that the information they provide is absolutely optional and that in no way are they obliged to provide it.
Therefore, the holders or their representatives understand that by granting authorization they are explicitly and unequivocally allowing data to be processed. Notwithstanding, when data concerning minors is processed, it will always be done within the parameters and requirements required by law, which are listed below:
a) That it responds to and respects the best interests of children and adolescents.
b) That it ensures respect for their fundamental rights.
c) In line with the maturity of the child or adolescent, that their opinion is considered.
Once these requirements are met, the legal representative of the child or adolescent shall grant the minor’s prior authorization to exercise his or her right to be heard, an opinion that will be assessed considering their maturity, autonomy, and capacity to understand the matter.
3.1. To know, update and rectify their personal data. This right may be exercised for reasons including partial, inaccurate, incomplete, fractional, or misleading data, or data whose handling is expressly prohibited or has not been authorized.
3.2. To request proof of the authorization of handling, except when it is expressly excepted as a requirement for handling.
3.3. To be informed of the handling, upon request, regarding the use given to their personal data.
3.4. To submit complaints to the Industry and Commerce Regulator for violations of the provisions of current regulations and other regulations that modify, add to or complement them.
3.5. To revoke the authorization and/or request the deletion of data when the handling does not respect principles, rights and constitutional and legal guarantees. The revocation and/or deletion will proceed when the Industry and Commerce Regulator has determined that in the handling the person responsible or in charge has acted contrary to the law and the Constitution.
3.6. To access, at no financial cost, their personal data.
5.1. To guarantee the owner, at all times, the full and effective exercise of the right of habeas data.
5.2. To request and keep, under the conditions provided for by law, a copy of the respective authorization granted by the owner.
5.3. To duly inform the owner about the purpose of the data collection and the rights that by virtue of the authorization granted correspond to the owner.
5.4. To keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use, or unauthorized or fraudulent access.
5.5. To ensure that the information provided to the person in charge, if any, is truthful, complete, accurate, up-to-date, verifiable and understandable.
5.6. To update the information, communicating in a timely manner to the person in charge of data handling, if any, all information regarding previously provided data and adopting other necessary measures so that the information provided to the person in charge is updated.
5.7. To rectify information when incorrect and appropriately inform the person in charge of data handing, if any.
5.8. To provide to the person in charge of data handling, if any and as appropriate, only data whose handling is previously authorized in accordance with the provisions of the law.
5.9. To require the person in charge of data handling, if any, to respect the security and privacy of owners’ information at all times.
5.10. To process the questions and complaints formulated in the terms indicated by law.
5.11. To adopt an internal policy and procedure manual to ensure compliance with the law, and in particular to respond to questions and complaints.
5.12. To inform the person in charge of data handling, if any, when certain information is under discussion by the owner, from the complaint being submitted to the respective procedure being completed.
5.13. To inform the owner on request about the use given to their data.
5.14. To inform the data protection authority when there are violations of the security codes and there are risks in the administration of owners’ information.
5.15. To comply with instructions and requirements issued by Authorities.
6.1. To guarantee the owner the full and effective exercise of the right of habeas data at all times.
6.2. To keep information under the security conditions necessary to prevent its adulteration, loss, consultation, use, or unauthorized or fraudulent access.
6.3. To update, rectify or delete data in a timely manner and according to the terms of the law.
6.4. To update the information reported by the person responsible for data handling within five (5) working days of its receipt.
6.6. To adopt an internal policy and procedure manual to ensure compliance with the law, and in particular to respond to questions and complaints from the owners.
6.7. To register “complaint in process” in the database in the way it is regulated by law.
6.8. To insert in the database “information under judicial discussion” once notified by the relevant authority about judicial processes related to the quality of personal data.
6.9. To refrain from circulating information that is being disputed by the owner and has been ordered by Authorities to be blocked.
6.10. To allow only authorized people to access information.
6.11. To inform Authorities when there are violations of the security codes and there are risks in the administration of owners’ information.
6.12. To comply with instructions and requirements issued by Authorities.
When the responsibilities of the person responsible of handling data and person in charge of handling coincide, the duties foreseen for each one will be fulfilled, without generating duplication of actions.
Questions about information and complaints must contain the following:
Questions about information and complaints must observe the following procedures:
7.1. Questions. Queries about Personal Data will be dealt with within a maximum period of ten (10) business days from their filing. When it is not possible to respond to the query within said term the interested party will be informed, expressing the reasons for the delay and indicating the date on which their query will be answered, which in no case may exceed five (5) business days following the expiration of the first term.
7.2. Complaints. Complaints shall be made by means of a request that includes a description of the facts, the address and annexes with evidence. If the complaint is incomplete, the interested party will be required within five (5) days of receipt of the complaint to provide what is missing. If after two (2) months from the date of the request for further information the party has not submitted the information, it will be understood that the complaint has been withdrawn.
If the person that receives a complaint is not competent to resolve it, (s)he will transfer it to the corresponding person within a maximum period of two (2) working days and will inform the interested party of the situation.
Once the complete complaint has been received, a note will be included in the database stating “complaint in process” and the reason for it, within no more than two (2) working days. This note must be maintained until the complaint is resolved within no more than fifteen (15) working days, which may be extended for up to eight (8) working days from the expiration of the first term.
13.1. Name or business name and contact details of the controller.
13.2. The treatment to which the data will be subjected and the purpose of this.
13.3. The rights of the information owner.
When sensitive personal data is collected, the privacy notice must expressly indicate the optional nature of the answer to the questions that deal with this type of data.
The organization will keep the model of the privacy notice addressed to information owners.
Applicable only to Argentina
Sending Personal Data to Third Parties: Third parties with whom we may share information may be located inside or outside Argentine territory, including countries with lower levels of data protection than those required in the Argentine Republic. Notwithstanding, the organization guarantees that it has adopted the necessary measures to ensure the security and confidentiality of its personal data. Consequently, the organization guarantees that it has adopted the necessary technical and organizational measures to ensure the security and confidentiality of its personal data, in compliance that stipulated by Provision 60/2016.
The Personal Data subject to processing may only be transferred (i) for the fulfillment of the purposes directly related to the legitimate interest of the assignor and the assignee and (ii) with the prior consent of the Owner. Such consent may be revoked. The Owner must be informed about the purpose of the assignment and identify the assignee or the elements that allow it to be done.
Access to data by the Owner: The owner of the personal data can exercise the right of access to data free of charge at intervals of not less than six months, unless a legitimate interest is demonstrated for this purpose in accordance with the provisions of article 14, paragraph 3 of Law No. 25,326 (Provision 14/2018, Article 2, B.O. 06/03/2018). To this end, the owner of the personal data may send a letter by email to firstname.lastname@example.org, requesting access to their data and, where appropriate, require the update, modification or deletion of the data that they consider to be erroneous. The Agency for Access to Public Information, the Control Body of Law No. 25,326, has the power to deal with complaints and cases that are filed in relation to non-compliance with the rules on the protection of personal data.
Use of Personal Data for Advertising Purposes: (Law 25,326, Article 27 Paragraph 3.) In any communication for advertising purposes that is made by mail, telephone, email, internet or other remote means, the possibility of the data owner to request the total or partial withdrawal or blocking of his/her name from the database must be expressly and prominently indicated.
Filing of Petitions, Queries, Complaints or Cases: If they are personal data of an Argentine national, they should be addressed to email@example.com.
Applicable only to Brazil
Scope of Application: i) Data processing in the territories of Brazil; ii) Processing of data of individuals who are located within the territories of Brazil; (iii) regardless of where in the world the data processor is located; iv) Processing of data collected in Brazil.
Filing of Petitions, Queries, Complaints or Cases: If they are personal data of a Brazilian national, they should be addressed to firstname.lastname@example.org.
Applicable only to Chile
Withdrawal of authorization for marketing purposes: Once the aforementioned request has been made, sending new communications is prohibited. Additionally, the organization undertakes that communication sent by electronic means for marketing purposes indicate (i) the subject or subject matter to which it relates; (ii) the identity of the sender; and (iii) a valid address or means for the recipient to request the suspension of the sending of such communications.
Filing of Petitions, Queries, Complaints or Cases: If they are personal data of a Chilean national, they should be addressed to email@example.com.
Applicable only to Ecuador
Filing of Petitions, Queries, Complaints or Cases: If they are personal data of an Ecuadorian national, they should be addressed to firstname.lastname@example.org.
The present commitment is the responsibility of the People and Legal areas of the organization.