top of page

Privacy Policy

Privacy and Personal Data Processing Policy – THE LOMDON GROUP

Preliminary Aspects

​

1. Identification

  • Institution Name: THE LOMDON GROUP (hereinafter referred to as "THE COMPANY")

  • Address: Calle 73 No 80 i30

  • Email: cc@lomdongroup.com

  • Responsible Contact Number: 3209208359

  • ​

2. Glossary

This glossary provides definitions for key terms under Law 1581 of 2012, Decree 1377 of 2013, and these policies:

​

  • Authorization: The prior, express, and informed consent of the Data Subject for the processing of personal data.

  • Database: A structured collection of personal data subject to processing.

  • Personal Data: Any information associated with an identified or identifiable natural person.

  • Data Processor: A natural or legal person, public or private, who processes personal data on behalf of the Data Controller.

  • Data Controller: The entity responsible for deciding how personal data is managed. In this case, THE COMPANY is the Data Controller.

  • Data Subject: The natural person whose personal data is processed.

  • Processing: Any operation performed on personal data, including collection, storage, use, circulation, or deletion.

  • Privacy Notice: A verbal or written communication informing the Data Subject of the existence of these policies.

  • Public Data: Data that is neither private nor sensitive, such as civil status, profession, or public service positions. Public data can be found in official records, documents, gazettes, and judicial rulings.

  • Semi-private Data: Information that is neither intimate nor public, with disclosure potentially affecting a specific group or society.

  • Private Data: Information of an intimate or reserved nature, relevant only to the Data Subject.

  • Sensitive Data: Information that affects a person’s privacy or may lead to discrimination, including health, sexual life, and biometric data.

 

3. Purpose of Personal Data Processing Policy

This policy outlines the legal framework governing THE COMPANY's processing of personal data. It details the objectives, rights, and procedures for Clients, Suppliers, Shareholders, Creditors, Debtors, Employees, Contractors, and Third Parties.

 

4. Scope of Application

This policy applies to all personal data, information, and records stored in THE COMPANY’s databases related to service, commercial, and labor relationships, ensuring proper management of contractual and business activities.

Compliance with this policy is mandatory for THE COMPANY.

4.1. Cases Where Authorization Is Not Required

Personal data may be processed without prior authorization in the following circumstances:

  • When required by a public or administrative entity in the exercise of legal functions or by court order.

  • When processing public data.

  • In cases of medical or public health emergencies.

  • When processing information for historical, statistical, or scientific purposes, as permitted by law.

  • When handling data related to Civil Registry records.

  • In other cases defined by Law 1581 of 2012 and its regulatory decrees.

4.2. Revocation of Authorization or Data Deletion

Clients, Suppliers, Shareholders, Creditors, Debtors, Employees, Contractors, and Third Parties may revoke consent for data processing at any time. Requests should be sent to cc@lomdongroup.com.

If THE COMPANY does not delete personal data within the legal timeframe, affected individuals may file a claim with the Superintendence of Industry and Commerce, requesting enforcement of data deletion or revocation, as outlined in Article 22 of Law 1581 of 2012.

​

Retention of Personal Data

Despite the revocation rights outlined, Clients, Suppliers, Shareholders, Creditors, Debtors, Employees, Contractors, and Third Parties acknowledge that while they maintain a service, contractual, or labor relationship with THE COMPANY, their personal data will not be deleted or revoked from the company's database.

4.3. Authorization for Processing Sensitive Data

The processing of sensitive personal data for Clients, Suppliers, Shareholders, Creditors, Debtors, Employees, Contractors, and Third Parties is strictly prohibited, except in explicitly stated cases.

When sensitive data processing is permitted under Law 1581 of 2012, the following obligations must be met:

  1. Inform Clients, Suppliers, Shareholders, Creditors, Debtors, Employees, Contractors, and Third Parties that they are not required to authorize the processing of sensitive data.

  2. Provide explicit prior notification of the types of sensitive data that will be processed, their purpose, and obtain express consent.

THE COMPANY cannot condition any activity on the provision of sensitive personal data.

 

5. Rights of Data Subjects

5.1. Who Can Exercise These Rights?

The rights of Data Subjects may be exercised by:

  • The Data Subject, who must verify their identity using available authentication methods.

  • Successors, who must provide proof of legal succession.

  • A legal representative or proxy, with validated proof of authorization.

  • A third party designated by stipulation in favor of another.

  • In the case of minors, their legal guardians or representatives.

5.2. Rights of Clients, Suppliers, Shareholders, Creditors, Debtors, Employees, Contractors, and Third Parties

According to Law 1581 of 2012, individuals have the following rights:

  • Access or retrieve their personal data under THE COMPANY’s control.

  • Request updates or corrections to personal data in THE COMPANY’s databases to ensure accuracy.

  • Request proof of authorization for data collection, where applicable.

  • Receive prior notification regarding THE COMPANY’s use of personal data.

  • File complaints with regulatory authorities regarding violations of data processing laws.

    • Complaints may be submitted to the Superintendence of Industry and Commerce, but only after exhausting consultation or complaints processes directly with THE COMPANY.

  • Submit legal claims against violations of Law 1581 of 2012.

  • Request revocation of authorization or data deletion if THE COMPANY fails to uphold constitutional and legal rights.

  • Access personal data free of charge through THE COMPANY’s designated data protection office.

 

5.3. Consultations, Complaints, and Requests

Consultations

Clients, Suppliers, Shareholders, Creditors, Debtors, Employees, Contractors, and Third Parties may request access to personal data via phone or in person.

THE COMPANY must respond within 10 business days. If additional time is required, notification must be sent, and a full response must be provided within five (5) additional business days.

Complaints

Individuals can request data corrections, updates, or deletions, or report non-compliance with Law 1581 of 2012.

Complaints follow these rules:

  1. Submission

    • Requests must be emailed to cc@lomdongroup.com, including supporting documents.

    • Incomplete complaints require correction within five (5) business days.

    • If the requester fails to correct deficiencies within two (2) months, the complaint is dismissed.

    • If THE COMPANY lacks jurisdiction, it must forward the complaint and notify the requester within two (2) business days.

  2. Processing

  • Complaints will be addressed within two (2) business days of submission.

  • Final response deadline: 15 business days from receipt.

  • If a delay occurs, THE COMPANY must explain the reason and provide the response within eight (8) additional business days.

Let me know if you need refinements!

​

REQUESTS: The COMPANY will rectify and update, upon request from CLIENTS, SUPPLIERS, SHAREHOLDERS, CREDITORS, DEBTORS, EMPLOYEES, CONTRACTORS, AND THIRD PARTIES of the COMPANY, any incomplete or inaccurate information in accordance with the procedure and terms previously established. The interested party must send their request via email to [cc@lomdongroup.com] and provide the documentation supporting their petition.

If the request involves the deletion of Personal Data, it will be processed as long as there is no legal or contractual mandate allowing the COMPANY to continue handling the data directly.

​

5.4 DESIGNATED AREAS FOR HANDLING REQUESTS, INQUIRIES, OR CLAIMS:

CLIENTS, SUPPLIERS, SHAREHOLDERS, CREDITORS, DEBTORS, EMPLOYEES, CONTRACTORS, AND THIRD PARTIES of the COMPANY, their successors, or other authorized individuals, who consider that the information in the database should be corrected, updated, or deleted, or who identify a possible non-compliance with the obligations contained in Law 1581 of 2012, may exercise their rights and file a claim with the COMPANY through the Administration department via email [cc@lomdongroup.com] or submit a formal request at the address specified in this privacy policy.

​

6. DUTIES

6.1. DUTIES OF THE COMPANY WHEN ACTING AS DATA CONTROLLER:

When acting as the Data Controller, the COMPANY must comply with the following obligations, without prejudice to other provisions stipulated in Law 1581 of 2012 or any other applicable regulations:

​

a) Guarantee CLIENTS, SUPPLIERS, SHAREHOLDERS, CREDITORS, DEBTORS, EMPLOYEES, CONTRACTORS, AND THIRD PARTIES the full and effective exercise of their habeas data rights at all times. b) Request and store a virtual copy of the relevant authorization granted by CLIENTS, SUPPLIERS, SHAREHOLDERS, CREDITORS, DEBTORS, EMPLOYEES, CONTRACTORS, AND THIRD PARTIES. c) Properly inform CLIENTS, SUPPLIERS, SHAREHOLDERS, CREDITORS, DEBTORS, EMPLOYEES, CONTRACTORS, AND THIRD PARTIES about the purpose of data collection and their rights under the authorization provided. d) Keep the information secure to prevent its alteration, loss, unauthorized consultation, use, or fraudulent access. e) Ensure that any data provided to the Data Processor (if applicable) is truthful, complete, accurate, updated, verifiable, and understandable. f) Update the information accordingly with any changes regarding CLIENTS, SUPPLIERS, SHAREHOLDERS, CREDITORS, DEBTORS, EMPLOYEES, CONTRACTORS, AND THIRD PARTIES, implementing all necessary measures to maintain data accuracy. g) Rectify incorrect information and communicate the relevant updates to the Data Processor, if applicable. h) Require the Data Processor (if applicable) to uphold security and privacy standards for CLIENTS, SUPPLIERS, SHAREHOLDERS, CREDITORS, DEBTORS, EMPLOYEES, CONTRACTORS, AND THIRD PARTIES' data. i) Process inquiries and claims in accordance with the terms outlined in Law 1581 of 2012. j) Inform CLIENTS, SUPPLIERS, SHAREHOLDERS, CREDITORS, DEBTORS, EMPLOYEES, CONTRACTORS, AND THIRD PARTIES, upon request, about the use of their data. k) Report security breaches and any risks in data management to the relevant data protection authority. l) Comply with instructions and requirements issued by the Superintendency of Industry and Commerce.

​

7. DATA PROCESSING AND COLLECTION

7.1 PROCESSING AND DATA COLLECTION:

Personal data processing for all CLIENTS, SUPPLIERS, SHAREHOLDERS, CREDITORS, DEBTORS, EMPLOYEES, CONTRACTORS, AND THIRD PARTIES will adhere to the guidelines established in Law 1581 of 2012 and its regulatory decrees, considering the COMPANY’s mission and vision as a business dedicated to [lawful commercial activities, including furniture manufacturing and decorative items sales]. The following data categories are listed as examples and are not exhaustive:

For CLIENTS, SUPPLIERS, SHAREHOLDERS, CREDITORS, DEBTORS, CONTRACTORS, AND THIRD PARTIES, the COMPANY may request information such as full name, surname or business name, identification number, domicile, position, proof of social security contributions, bank certificates, address, phone numbers, email, bank account number, tax registration (RUT), account type, and bank name.

​

For EMPLOYEES, the COMPANY may request information such as full name, résumé, age, birth date, citizenship ID number, domicile, address, phone numbers, emails, education level, bank account number, names of affiliated social security entities, employment certificates, social security affiliation certificates, and occupational risk insurer (ARL) certification.

Internet Browsing Data: On our websites, we use both first-party and third-party cookies to generate statistical data and improve the services provided to users by offering tailored information based on their preferences. Through an analysis of browsing habits, user interest groups are determined, allowing for personalized content and an enhanced customer experience in relation to the company. Data collected via cookies will be processed following current regulations and this Privacy Policy.

​

7.2 COLLECTION OF SENSITIVE DATA – BIOMETRIC DATA

The COMPANY's premises have security cameras for video surveillance to ensure safety for employees, clients, suppliers, contractors, debtors, creditors, and third parties. Individuals present in the COMPANY's facilities may be recorded continuously, though cameras will not be installed in locations that compromise privacy or human dignity.

​

Additionally, biometric data, such as fingerprints, may be collected for access control to COMPANY premises, used for statistical purposes, security tracking, and quality assurance. In relation to employees, biometric data may also be used for monitoring overtime hours worked and processing salary adjustments.

Recorded footage and fingerprint data will only be accessed by authorized personnel designated by [[COMMERCIAL]]. The COMPANY will process requests from data subjects regarding how their biometric data is handled.

​

It is clarified that providing consent for sensitive data processing, such as biometric information, is voluntary, in accordance with Colombian legislation.

The COMPANY will apply legal limitations on Sensitive Data Processing, except in cases where: a) The Data Subject explicitly authorizes processing, except where legal exemptions apply. b) Processing is required to safeguard the vital interests of the Data Subject, who is physically or legally unable to provide consent. In such cases, legal representatives must provide authorization. c) Processing occurs as part of legitimate activities by a foundation, NGO, association, or other non-profit organization with political, philosophical, religious, or trade union purposes, provided it relates solely to members or regular contacts. In these cases, Personal Data may not be disclosed to third parties without the Data Subject’s consent. d) Processing is necessary for legal claims, defense, or recognition of rights in judicial proceedings. e) Processing is conducted for historical, statistical, or scientific purposes, with measures ensuring anonymity of Data Subjects.

​

8. PERSONAL DATA OF CHILDREN AND ADOLESCENTS

8.1 SPECIAL REQUIREMENTS FOR THE PROCESSING OF PERSONAL DATA OF CHILDREN AND ADOLESCENTS:

The processing of personal data of children and adolescents is prohibited, except when dealing with public data and when such processing complies with the following parameters and/or requirements: a) That it responds to and respects the best interests of children and adolescents. b) That it ensures respect for their fundamental rights. c) That the minor's opinion is considered when they have the maturity, autonomy, and ability to understand the matter.

Once these requirements are met, the representative of the children or adolescents may grant authorization, provided that the minor exercises their right to be heard, with their opinion being evaluated based on their maturity, autonomy, and ability to understand the matter.

​

9. PURPOSE OF THE PERSONAL INFORMATION COLLECTED AND PROCESSED BY THE COMPANY

i. Facilitate the execution of purchase, sale, and/or contracted services. ii. Registration, use, and storage in the COMPANY's databases. iii. Sending information related to purchases, sales, and/or contracted services. iv. Any type of communication aimed at strengthening relationships with customers. v. Customer service evaluation and invitations to events organized or sponsored. vi. Execution of customer service and marketing activities. vii. Execution of contractual relationships with suppliers. viii. Verification of balances with creditors. ix. Verification of outstanding obligations of debtors. x. Registration of customer, supplier, and contractor information. xi. Execution of past, current, or future employment contracts. xii. Registration of information on employees and contractors providing services to the COMPANY or their families. xiii. Conducting personnel selection processes. xiv. Providing information related to the rights of the COMPANY's shareholders. xv. Responding to judicial or administrative requirements and complying with legal and/or judicial orders. xvi. Contacting individuals with whom the COMPANY has or has had a relationship, such as workers and their families, shareholders, customers, suppliers, creditors, and debtors, in accordance with the purposes established in this document. xvii. In general, carrying out COMPANY activities in pursuit of its corporate objectives. xviii. When the COMPANY acts as an employer, it may provide personal data to social security entities to obtain coverage or benefits. xix. Ensuring the security of individuals and the COMPANY regarding the collection of biometric data, such as security camera recordings within the facilities. xx. Verifying entry and exit of individuals within the COMPANY's facilities through biometric data collection, such as fingerprints. xxi. Occasionally using biometric information contained in fingerprint records for payment of overtime and labor surcharges for workers. xxii. Carrying out relevant actions for the development of pre-contractual, contractual, and post-contractual stages concerning any product or service offered by the COMPANY, whether acquired or not, or any business or commercial relationship the COMPANY has, as well as compliance with Colombian and/or foreign laws and orders from judicial or administrative authorities. xxiii. Maintaining the database of customers who have received services offered by the COMPANY, in accordance with their particular needs, in order to provide relevant services and products. xxiv. Complementing information and, in general, undertaking necessary activities to manage requests, complaints, and claims made by COMPANY customers and/or third parties, directing them to the responsible areas to provide the corresponding responses. xxv. Sending commercial, advertising, or promotional information regarding products and/or services, events, and/or commercial or non-commercial promotions via physical mail, email, mobile phone, text messages, or any other analog and/or digital means of communication, to promote, invite, direct, execute, inform, and, in general, carry out marketing campaigns or commercial or advertising contests led by the COMPANY and/or third parties. xxvi. Sending invitations to events related to COMPANY products and services. xxvii. Conducting studies, statistics, surveys, and market trend analyses regarding COMPANY products and services. xxviii. Transmitting data to third parties with whom contracts have been signed for commercial, administrative, and/or operational purposes, as well as certifications to customers and/or third parties in compliance with applicable legal provisions. xxix. Verifying legal, financial, and technical information in contractual processes carried out by the COMPANY. xxx. Internal COMPANY processes for operational development and/or systems administration. xxxi. Conducting analysis for fraud and money laundering prevention, including but not limited to checking and reporting to restrictive lists and financial risk information centers. xxxii. Carrying out data update campaigns. xxxiii. Sending modifications to policies and requesting new authorizations for personal data processing. xxxiv. Studying digital behavior (social media, websites, applications) to provide comprehensive advisory on products and services and profile consumer interests and habits. xxxv. Any other purposes determined by the COMPANY in the process of obtaining personal data for its processing, in order to comply with legal and regulatory obligations and COMPANY policies.

​

10. TOOLS AND SECURITY MEASURES FOR PROTECTING PERSONAL DATA OF CUSTOMERS, SUPPLIERS, SHAREHOLDERS, CREDITORS, DEBTORS, EMPLOYEES, CONTRACTORS, AND THIRD PARTIES

10.1 TECHNOLOGICAL TOOLS AND MEASURES TO ENSURE SECURITY CONDITIONS AND PROTECT PERSONAL AND SENSITIVE DATA:

The COMPANY establishes the following tools for the protection of personal and sensitive data:

  • The COMPANY will guarantee the authenticity, confidentiality, and integrity of information.

  • The COMPANY will take all necessary technical measures to ensure the protection of existing databases. In cases where a third party needs to access personal data, the COMPANY will ensure that both the availability of information and the safeguarding of personal and sensitive data remain a fundamental objective.

  • The COMPANY will periodically conduct controls to ensure the correct implementation of Law 1581 of 2012 and its regulatory decrees.

  • The COMPANY will store the data of CUSTOMERS, SUPPLIERS, SHAREHOLDERS, CREDITORS, DEBTORS, EMPLOYEES, CONTRACTORS, AND THIRD PARTIES. Access will only be granted to those in charge and responsible for data processing.

Responsibility of Employees, Suppliers, and Contractors

  • It is the responsibility of EMPLOYEES, SUPPLIERS, and CONTRACTORS providing services to THE COMPANY to report any incidents of information leakage, personal data breaches, data commercialization, use of personal data of children and adolescents, identity theft, or any conduct that may violate the privacy of CLIENTS, SUPPLIERS, SHAREHOLDERS, CREDITORS, DEBTORS, EMPLOYEES, CONTRACTORS, and THIRD PARTIES who are currently or have previously provided services to THE COMPANY.

  • To ensure the protection of personal data of CLIENTS, SUPPLIERS, SHAREHOLDERS, CREDITORS, DEBTORS, EMPLOYEES, CONTRACTORS, and THIRD PARTIES, THE COMPANY will adopt all mechanisms necessary to maintain confidentiality, implementing security models for the storage of collected data and the formats established for CLIENTS, SUPPLIERS, SHAREHOLDERS, CREDITORS, DEBTORS, EMPLOYEES, CONTRACTORS, and THIRD PARTIES to provide their personal information. Measures will be taken to restrict access to these databases by unauthorized third parties, including technological security measures.

  • THE COMPANY will train and educate EMPLOYEES, CONTRACTORS, SPONSORS, PARTNERS, and SUPPLIERS providing services to THE COMPANY to ensure proper implementation of these policies.

  • EMPLOYEES, CONTRACTORS, SPONSORS, PARTNERS, and SUPPLIERS providing services to THE COMPANY must identify and promote authorization from data subjects, as well as execute privacy notices, website notices (www.lomdongroup.com), awareness campaigns, claim legends, and other procedures to comply with Law 1581 of 2012 and its complementary, modifying, or repealing regulations.

10.2 Internal Manual of Policies and Procedures for Compliance with Data Protection Law

  • Responsible Party: In compliance with the legal duty established in Article 17 of Law 1581 of 2012, regarding the need to assign direct responsibilities within THE COMPANY, the [[commercial department]] is designated to coordinate all actions necessary for the effective implementation of the Personal Data Protection Policy.

  • Data Processors: Within THE COMPANY's structure, SUPPLIERS, EMPLOYEES, and CONTRACTORS providing services to THE COMPANY will be responsible for processing personal data, acting under the instructions of the designated responsible party.

  • It is mandatory to understand this policy and take all necessary actions for its compliance, implementation, and maintenance, which will be periodically verified by THE COMPANY.

THE COMPANY will self-regulate the principles and rules established in Law 1581 of 2012 and its regulatory decrees, specifically aimed at protecting the right to habeas data. This applies to individuals who complete and sign the informed consent form and whose information—whether physical or electronic—is managed by THE COMPANY, including both basic personal data and sensitive data.

The [[commercial department]] of THE COMPANY, as the entity responsible for compliance with the Data Protection Law and its regulatory decrees, will act in accordance with the duties outlined in this policy.

​

11. Modifications to the Personal Data Processing and Protection Policies

If substantial changes occur in the content of this Personal Data Processing Policy regarding (i) THE COMPANY's identification or (ii) the purpose of personal data processing, affecting the authorization content, these changes will be communicated to data subjects before or at the time of implementing the new policies.

12. Validity of THE COMPANY's Personal Data Processing and Protection Policies

12.1 Effective Date of the Personal Data Processing and Protection Policies:

This updated version of THE COMPANY's Personal Data Processing and Protection Policies for CLIENTS, SUPPLIERS, SHAREHOLDERS, CREDITORS, DEBTORS, EMPLOYEES, CONTRACTORS, and THIRD PARTIES is effective as of May 22, 2021.

THE LOMDON GROUP ensures the proper management and confidentiality of personal data provided for the development of its corporate purpose. In compliance with Law 1581 of 2012, Regulatory Decree 1377 of 2013, and its Personal Data Protection Policy, we inform you that any personal data you provide in connection with requested or executed operations with THE LOMDON GROUP will be processed using technical, physical, and administrative security measures to prevent unauthorized third-party access, in accordance with legal provisions.

You may exercise your rights under the law by following the procedures provided by THE LOMDON GROUP, which are detailed in the Personal Data Protection Policy available atwww.lomdongroup.com. For any questions or concerns related to this topic, you may contact us at cc@lomdongroup.com. It is important to note that exercising your rights is not a prerequisite nor does it prevent the exercise of other rights. Any modifications to this notice will be communicated through the channels provided by THE LOMDON GROUP.

Consent

​

By signing this document, I voluntarily and expressly authorize THE LOMDON GROUP to collect, store, confirm, refine, analyze, circulate, update, and generally process my personal information in accordance with the Personal Data Processing Policy. I also authorize THE LOMDON GROUP to modify or update its content to comply with legislative reforms, internal policies, or new requirements for service or product offerings, with prior notice via the company's website or email.

I declare that I have been informed by THE LOMDON GROUP that:

  1. THE LOMDON GROUP will act directly as the Data Controller and has provided me with the customer service line (3209208359) and email cc@lomdongroup.com, as well as the customer service office located at Calle 73 N 80 - 30, available from 8 AM to 4 PM, for inquiries related to personal data processing and the exercise of rights mentioned in this authorization.

  2. My data will be processed for pre-contractual, contractual, post-contractual, commercial, operational, registration, customer service, marketing, product and service information, processing, research, training, accreditation, consolidation, organization, updating, reporting, surveys, statistics, invitations, attention, processing, and payments, as well as compliance with Colombian or foreign laws and judicial or administrative orders.

  3. My rights as a data subject are those established in the Constitution and the law, including the right to access, update, rectify, delete my personal information, and revoke consent for personal data processing.

  4. It is voluntary to respond to questions regarding sensitive data or data of minors, and such data will be processed respecting their fundamental rights and best interests.

  5. As the data subject, I am responsible for informing in writing any changes to my personal information and periodically updating my data with THE LOMDON GROUP.

  6. THE COMPANY guarantees the security, accuracy, transparency, restricted access, and circulation of my data and reserves the right to modify its Personal Data Processing Policy at any time, with timely notification and publication.

  7. THE COMPANY may analyze digital behavior (social media, websites, applications) to provide comprehensive product and service advisory and profile consumer interests and habits.

Considering the above, and in accordance with Law 1581 of 2012 and Regulatory Decree 1377 of 2013, I voluntarily, explicitly, and unequivocally authorize THE LOMDON GROUP and any assignees of its rights to process my personal data in accordance with its Personal Data Processing Policy, for purposes related to its corporate purpose, including legal, contractual, and commercial purposes, as well as contact via telephone, electronic means (SMS, chat, email, and other electronic channels), physical, and/or personal interactions.

​

​

​

​

​

bottom of page