DATA PROTECTION AND CONFIDENTIAL INFORMATION POLICY BY PHOENIX TRAVEL GROUP SAS

Effective Date: June 15th, 2017

Last Updated: July 23, 2025

In compliance with Colombian Law: Act 1581 of 2012, “by which general dispositions are dictated for the protection of personal data”; Decree 1377 from 2013, “by which Act 1581 from 2012 is partially regulated”; and any other related legal provisions concerning personal data processing, PHOENIX TRAVEL GROUP SAS, identified with NIT 901506264-9, currently located at CALLE 137 # 55-42 in Bogotá, acts as the Data Controller (Responsable del Tratamiento) and Data Processor (Encargado del Tratamiento) of personal information.

This policy outlines the scope and purpose of our use of your personal information, which will only be processed with your explicit prior authorization.

1. Definitions

For a comprehensive understanding of this Data Protection Policy (DPP), the following definitions, consistent with Article 3 of Act 1581 of 2012 and Regulatory Decree 1377 of 2013, are provided:

  • Authorization: Your explicit consent for PHOENIX TRAVEL GROUP SAS to process your personal information in accordance with the principles and purposes established in this DPP.

  • Data Controller (Responsable del Tratamiento): The natural or legal person, public or private, who decides on the database and/or the processing of data. PHOENIX TRAVEL GROUP SAS is the Data Controller for the information in its databases, particularly concerning its clients, employees, suppliers, and any other third party who has provided information.

  • Data Processor (Encargado del Tratamiento): The natural or legal person, public or private, who performs the processing of personal data on behalf of the Data Controller.

  • Database: Any organized set of personal data that is subject to Processing, whether physical or digital.

  • Personal Data: Any information that identifies you or that could, alone or in conjunction with other information, identify you. Personal data is classified into:

    • Public Personal Data: Information concerning general interest, found in public documents, public registries, and legally executed sentences that are not classified as private. This may include, but is not limited to, your name, ID number, marital status, profession, or work.

    • Private Personal Data: Information that is intimate and reserved for the Data Subject. This includes, but is not limited to, your home address, phone number, and health issues.

    • Semiprivate Personal Data: Private information that, at some point, may be of interest to a specific group of people. This includes, among others, information concerning compliance or non-compliance with financial obligations.

    • Sensitive Personal Data: Intimate information whose use could lead to discrimination. This includes, but is not limited to, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life, or biometric data (e.g., fingerprints, photographs, DNA). The processing of sensitive personal data requires explicit consent from the Data Subject.

  • Data Subject (Titular de la Información): The natural person whose personal data is subject to Processing. This includes our clients, employees, suppliers, and any other third party who provides PHOENIX TRAVEL GROUP SAS with their information.

  • Processing: Any operation or set of operations that PHOENIX TRAVEL GROUP SAS conducts with data, including, but not limited to, collection, storage, use, circulation, transfer, or suppression of said data, according to the defined purposes for the database.

2. Privacy Notice and Personal Data Processing

Whenever you register information on the PHOENIX TRAVEL GROUP SAS website, submit personal data for booking processes, or engage in any other interaction requiring personal data, you will receive a link to this DPP. This allows you to grant PHOENIX TRAVEL GROUP SAS authorization to use your information for the following specific purposes:

  • a. To establish and maintain the contractual relationship between the Data Subject and PHOENIX TRAVEL GROUP SAS.

  • b. To notify you of any changes to services purchased (for clients) or services requested (for suppliers).

  • c. To process the Data Subject’s requests, including activities related to management, clarifications, research, and market statistics.

  • d. To conduct marketing activities to promote PHOENIX TRAVEL GROUP SAS products or services.

  • e. To send notifications about new products or services similar to those previously purchased.

  • f. To perform any additional activity necessary to provide the contracted service.

  • g. To conduct research to determine consumption habits.

  • h. To perform periodic evaluations of our products and services to ensure and improve quality.

  • i. To assess the quality of our service and, in general, to fulfill the obligations for which the Data Subject contracted PHOENIX TRAVEL GROUP SAS.

  • j. To send newsletters or physical information containing technical, operational, and commercial details about our products and services.

  • k. To send customer satisfaction surveys (participation is optional for customers) and other types of surveys or requests for information (for suppliers, employees, or third parties) that may sometimes be mandatory for service operations or legal/regulatory compliance.

3. Rights of the Data Subjects

In accordance with this DPP and the regulatory guidelines it is based upon, Data Subjects whose information is held by PHOENIX TRAVEL GROUP SAS have the following rights:

  • a. The right to know whether their information will be processed.

  • b. The right to know, update, and rectify their personal data when it is incorrect, inaccurate, incomplete, fragmented, misleading, or when its processing is expressly prohibited or unauthorized.

  • c. The right to request the deletion of their information if they no longer wish their data to be kept in PHOENIX TRAVEL GROUP SAS’s database, thereby ceasing its processing, provided there is no legal or contractual obligation to retain it.

  • d. The right to grant or revoke authorization for PHOENIX TRAVEL GROUP SAS to process their information.

  • e. The right to be informed of any modifications made to their information.

  • f. The right to revoke authorization if the Superintendence of Industry and Commerce of Colombia declares that PHOENIX TRAVEL GROUP SAS is not fit to process the information.

  • g. The right to file complaints with the Superintendence of Industry and Commerce for possible infringements by PHOENIX TRAVEL GROUP SAS of the legal provisions protecting the use of personal information.

  • h. The right to be granted access to PHOENIX TRAVEL GROUP SAS’s database to exercise their right to information.

  • i. The right to know the data processing policies.

  • j. The right to know who is responsible for the processing of their data.

  • k. The right to free access to their personal data that has been processed.

4. Responsibilities of PHOENIX TRAVEL GROUP SAS

In accordance with Article 17 of Law 1581 of 2012, PHOENIX TRAVEL GROUP SAS must fulfill the following duties as the Data Controller:

  • a. Ensure the Data Subject has, at all times, the full and effective exercise of the right of habeas data.

  • b. Store and maintain a copy of the authorization granted by the Data Subject, as provided in this Act.

  • c. Duly inform the Data Subject about the purpose of data collection and the rights granted by virtue of the authorization.

  • d. Maintain the information under necessary security conditions to prevent tampering, loss, unauthorized viewing or use, or fraudulent access.

  • e. Update information by communicating in a timely manner to the Data Processor all additional notes to the data previously supplied by the Data Subject, and take other necessary steps to ensure that the information provided is kept updated.

  • f. Rectify incorrect information when relevant and communicate this to the Data Processor.

  • g. Address inquiries and complaints made under the terms stated in the Law.

  • h. Inform the Data Processor about the application and use of the given data.

  • i. Inform the data protection authority (Superintendence of Industry and Commerce) when security code violations are present and when there are risks to the management of Data Subjects’ information.

  • j. Comply with the instructions and requirements provided by the Superintendence of Industry and Commerce.

  • k. Fulfill any other duties of the Data Controller according to Law 1581 of 2012.

5. Person or Area Responsible for Data Protection

Personal information processing will be managed solely by PHOENIX TRAVEL GROUP SAS.

For any information, to update, rectify, delete data, revoke authorization of personal data, or for any request or claim, please contact:

Email: info@phoenixdmc.co

6. Policy Effective Date and Duration

This Data Protection Policy (DPP) is effective from June 15th, 2017, and will remain in force for the entire duration that PHOENIX TRAVEL GROUP SAS carries out its mission.

Scroll to Top