Data Processing Policy – Asteri S.A.S.

ASTERI S.A.S., a company duly incorporated under the laws of the Republic of Colombia, identified with Tax ID No. 901035851-0, with its principal place of business at Calle 64A No. 02-32, Bogotá D.C., email address info@asterilaw.com and telephone +57 601 721 6785 (“Asteri”), hereby adopts this Data Processing Policy (the “Policy”) in order to ensure compliance with Article 15 of the Political Constitution of Colombia, Law 1581 of 2012, Decree 1377 of 2013, and any other regulations that amend, supplement, or replace them. Any data processing carried out by Asteri in its capacity as Data Controller shall be governed by this Policy and applicable law.

1. Definitions

In accordance with the provisions of Article 3 of Law 1581 of 2012 and Article 3 of Decree 1377 of 2013, the following terms shall apply to this Policy:
  1. Authorization: The prior, express, and informed consent granted by the Data Subject for the Processing of their Personal Data.
  2. Database: The organized set of Personal Data that is subject to Processing.
  3. Personal Data: Any information that may be associated with or linked to an identified or identifiable natural person.
  4. Public Data: Information that (i) by its nature is contained in public records, public documents, final and enforceable judicial decisions not subject to confidentiality, among others, and (ii) does not qualify as semi-private, private, or sensitive data.
  5. Sensitive Data: Information that (i) affects the privacy of the Data Subject, (ii) may lead to discrimination if misused, (iii) reveals political party affiliations or interests, (iv) relates to the rights and guarantees of opposition political parties, or (v) is related to health, sexual life, or biometric data.
  6. Data Processor: A natural or legal person who, individually or jointly with others, carries out the Processing of Personal Data on behalf of the Data Controller.
  7. Data Controller: A natural or legal person who, individually or jointly with others, determines the purposes and means of the Processing and/or the Database.
  8. Data Subject: A natural person whose Personal Data is subject to Processing.
  9. Data Transfer: The transfer of Personal Data by the Data Controller or the Data Processor, located in the Republic of Colombia, to a recipient located within or outside the country, who also has the status of Data Controller.
  10. Data Transmission: The Processing by which Personal Data is communicated to the Data Processor so that such processor may carry out an operation on Personal Data on behalf of the Data Controller.
  11. Processing: Any operation or set of operations performed on Personal Data, such as collection, storage, use, circulation, deletion, or any other form of processing.

2. Processing and Purpose

2.1. Personal Data Collected by Asteri Through Its Website

Asteri states that the Processing consists of operations performed on the Personal Data of Data Subjects who voluntarily provide their information. Such Processing may include the collection, storage, use, circulation, or deletion of Personal Data obtained through Asteri’s website.
The Personal Data collected by Asteri through its website includes the following: (i) the name of the natural or legal person, (ii) a contact email address, and (iii) any information or comments that the Data Subject chooses to include in the section entitled “Message.”
The purposes of the Processing are as follows:
  1. To contact the Data Subject via email in order to offer the legal and multidisciplinary services provided by Asteri to its clients.
  2. To provide Data Subjects with information regarding Asteri, its services, and the activities related to its ordinary and extraordinary course of business.
  3. To send information related to areas of law and other services provided by Asteri.
  4. To conduct analyses aimed at identifying: (i) the frequency with which Data Subjects provide their Personal Data through the website to obtain potential legal advice from Asteri; (ii) the effectiveness of Asteri’s marketing efforts through the website; (iii) the matters referred to in Data Subjects’ messages; and (iv) market analyses related to Asteri’s clients and potential clients.

2.2. Personal Data Collected by Asteri to Evaluate the Submission of Fee Proposals to Potential Clients

Asteri states that the Processing consists of operations performed on the Personal Data of Data Subjects who voluntarily provide information related to the matters for which they seek legal or multidisciplinary advice that may potentially be provided by Asteri and/or its affiliates. Such Processing may include the collection, storage, use, circulation, or deletion of Personal Data for the fulfillment of the purposes described below.
The Personal Data and other information provided may include, among others, contracts, policies, processes, communications, business plans, corporate and corporate governance documents, business structures, wills, and information of a family, corporate, and investment nature.
The purposes of the Processing are as follows:
  1. To conduct due diligence on the potential client, in compliance with Asteri’s Anti-Money Laundering and Counter-Terrorism Financing Risk Management System (SAGRLAFT).
  2. To conduct research in restrictive lists and official databases regarding potential clients, their beneficial owners, directors, and/or counterparties.
  3. To carry out conflict-of-interest verification processes, in compliance with Law 1123 of 2007.
  4. To review the feasibility and suitability of a potential business relationship with the prospective client
  5. Drafting and design of fee proposals.
  6. Structuring work teams that may potentially provide services.
  7. Preliminary analysis to request additional information from the Data Subject in order to carry out the purposes described above.
  8. Implementation of the purposes set forth in Section 2.1 above.
Asteri states that the collection and analysis of Personal Data for the purpose of evaluating the submission of fee proposals does not obligate Asteri to effectively submit a proposal for services to potential clients. This is due to the fact that, in order to do so, (i) the results derived from the purposes set forth in items (a), (b), and (c) of this Section must be satisfactory to Asteri, and (ii) the matters and practice areas related to the specific case must comply with the services and suitability standards required by Asteri to enter into service agreements with potential clients.
Asteri carries out the reviews and analyses described above on a discretionary basis.

2.3. Personal Data Collected by Asteri for the Provision of Its Services

If Asteri decides to submit a fee proposal to a potential client and the service agreement is perfected through the express acceptance of the offer, the Personal Data and other information provided to or otherwise known by Asteri may be processed for the purpose of executing operations exclusively related to the provision of services by Asteri and/or its affiliates.
The purposes of the Processing are as follows:
  1. To provide the professional services of Asteri and/or its affiliates to its clients.
  2. To carry out the administrative, tax, accounting, and internal activities required by Asteri.
  3. To manage, administer, control, monitor, and supervise Asteri’s SAGRLAFT policies or manuals.
  4. To archive client information and case files, unless Asteri is expressly required by the client to return such information.
  5. To transmit and transfer Personal Data to Asteri’s affiliates or third parties for the purpose of executing services, carrying out internal Asteri activities, marketing, and/or operational activities.
  6. To implement the purposes set forth in Sections 2.1 and 2.2 above.

2.4. Legal Assumptions

  1. Asteri assumes that the information provided by natural and legal peoplefor the purposes described in Sections 2.1, 2.2, and 2.3 of this Policy is truthful, complete, sufficient, and lawfully obtained.
  2. Asteri assumes that the signatures contained in the documents delivered by its potential clients and clients are authentic and reliable.
  3. Asteri presumes the legality of the documents provided by potential clients and clients.
  4. Asteri assumes that any photocopies delivered by potential clients or clients are true copies of the originals.
  5. Asteri assumes that the information provided by potential clients and clients is sufficient to: (i) understand the actual status of the matters for which Asteri and/or its affiliates may potentially provide services; (ii) carry out due diligence on the potential client, in accordance with Asteri’s SAGRLAFT system; and (iii) perform conflict-of-interest verification processes.

2.5. Confidentiality

The information received by Asteri in connection with service agreements shall be treated as confidential information, unless the Data Subject expressly instructs otherwise. Asteri shall not disclose, reproduce, or disseminate confidential information to third parties, unless required by a formal request from a competent authority or a legal obligation.
All documents, Personal Data, and information supplied, transmitted, or delivered by Asteri to its clients by any means shall be protected by attorney-client privilege. Any person who becomes aware of the contents of such documents shall refrain from reproducing, copying, or disclosing them without prior authorization.

2.6. Optional Nature of Responses

In accordance with Article 12(b) of Law 1581 of 2012, Asteri has the duty to inform Data Subjects of the optional nature of their responses to questions related to Sensitive Data or to the Personal Data of children and adolescents.

2.7. Processing of Personal Data of Children and Adolescents

As established in Article 7 of Law 1581 of 2012 and Article 12 of Decree 1377 of 2013, the Processing of Personal Data of children and adolescents is prohibited, except where (i) Personal Data is of a public nature and (ii) the Processing complies with the following requirements:
  1. Respect for the best interests of children and adolescents.
  2. Guarantees of fundamental rights.
Accordingly, Asteri assumes that when it receives Personal Data of children or adolescents, the provider of such Personal Data (i) is the legal representative of the child or adolescent, (ii) has verified compliance with the requirements set forth above to enable Asteri to carry out the relevant Processing, and (iii) has granted the Authorization, following the exercise of the minor’s right to be heard.
The Data Controller, the Data Processor, and the family must ensure that (i) the use of the Personal Data is appropriate and (ii) the obligations and principles set forth in the applicable law are complied with.

2.8. Processing of Sensitive Data

Pursuant to Article 6 of Law 1581 of 2012, Asteri shall not process Sensitive Data, except in the following cases:
  1. Where the Data Subject has been granted express Authorization for such Processing.
  2. Where the applicable law does not require Authorization for Processing.
  3. Where the Processing is necessary to protect a vital interest of the Data Subject and the Data Subject is physically or legally incapable. In such cases, Authorization must be granted by an authorized representative.
  4. Where the Processing is carried out during legitimate activities and with appropriate safeguards by a foundation, non-governmental organization, association, or any other non-profit entity with political, philosophical, religious, or trade union purposes, provided that Personal Data relates exclusively to its members or people with whom it has regular contact. In such cases, the data may not be transferred to third parties without the Data Subject’s Authorization.Que el Tratamiento sea realizado dentro del trámite de actividades legítimas y con garantías por parte de una fundación, organización no gubernamental, asociación o cualquier otro organismo sin ánimo de lucro, cuya finalidad sea política, filosófica, religiosa o sindical.
  5. Where the Processing is necessary for the recognition, exercise, or defense of a right in judicial proceedings.
  6. Where the Processing has a historical, statistical, or scientific purpose.

3. Data Subject Rights

Within the framework of applicable law, the rights of Data Subjects are as follows:
  1. To know, update, and rectify their Personal Data held by the Data Controller or Data Processor. This right may be exercised with respect to data that is (i) partial, (ii) inaccurate, (iii) incomplete, (iv) fragmented, (v) misleading, or (vi) processed without authorization or in violation of the law.
  2. To request proof of the Authorization granted for Processing, except where such Authorization is not required pursuant to Article 10 of Law 1581 of 2012.
  3. Upon request, to receive information regarding the use given to Personal Data by the Data Controller or Data Processor.
  4. To file complaints with the Superintendence of Industry and Commerce for violations of applicable data protection laws.
  5. To revoke the Authorization and/or request the deletion of Personal Data when constitutional and legal principles, rights, and guarantees applicable to Processing are violated, provided that the Superintendence of Industry and Commerce has determined that the Data Controller or Data Processor has failed to comply with the law and the Political Constitution of Colombia.
  6. To access Personal Data subject to Processing free of charge.

3.1. Standing to Exercise Data Subject Rights

The rights described above may be exercised by:
  1. The Data Subject, upon proof of identity to the Data Controller.
  2. The Data Subject’s heirs, upon proof of such status.
  3. The Data Subject’s representative or attorney-in-fact, upon proof of representation or power of attorney.
  4. By stipulation in favor of or on behalf of another.
The rights of children and adolescents shall be exercised by the legally authorized people to represent them.

4. Persons to Whom Asteri May Provide Personal Data 

In accordance with Article 13 of Law 1581 of 2012, Asteri may provide Personal Data to:
  1. The Data Subjects, their heirs, or legal representatives.
  2. Public or administrative authorities in the exercise of their legal functions or by court order.
  3. Third parties are authorized by the Data Subject or by law.

5. Inquiries, Claims, and Complaints

The rights to (i) know, update, rectify, and delete Personal Data and (ii) revoke Authorization may be exercised by duly authorized persons through the inquiry and claim procedures set forth in this Section.

5.1. Inquiries

Data Subjects or their heirs may submit inquiries regarding Personal Data contained in Asteri’s Databases. Asteri or the Data Processor shall provide all information contained in the individual record or associated with the Data Subject’s identification.
The department responsible for handling inquiries will be Asteri’s Management, composed of its General Manager and Deputy Manager. Inquiries must be submitted by email to info@asterilaw.com and include at least the following information:
  1. Full name of the Data Subject or heir.
  2. Copy of the Data Subject’s identification document.
  3. Copy of documents evidencing their status, if applicable.
  4. Specific inquiry.
Inquiries shall be addressed within ten (10) business days following receipt of the complete request. If it is not possible to respond within such period, Asteri shall inform the Data Subject or heir of the reasons for the delay and the date on which the inquiry will be addressed.
Asteri shall not be required to respond to inquiries where the identity of the Data Subject or the status of the heir is not duly proven.

5.2. Claims

Data Subjects or their heirs may file claims when they consider that (i) Personal Data contained in Databases should be corrected, updated, or deleted, or (ii) the Data Controller or Data Processor has failed to comply with its Processing obligations.
Claims shall be subject to the following rules:
  1. Claims must be submitted by the Data Subject or heir through a request addressed to the Data Controller or Data Processor, including (i) identification of the Data Subject, (ii) a description of the facts, (iii) address, and (iv) any other relevant information. Claims must be submitted by email to info@asterilaw.com.

    If a claim is incomplete, Asteri shall request the claimant to remedy the deficiencies within five (5) business days following receipt. If more than two (2) months elapse without correction, the claim shall be deemed withdrawn.
  2. Once a complete claim is received, Asteri shall include a note in the Database stating “claim under review” and the relevant reason, within no more than two (2) business days. Such note shall remain until the claim is resolved.
  3. The maximum term to address a claim shall be fifteen (15) business days from the day following its receipt. If it is not possible to respond within such period, Asteri shall inform the claimant of the reasons for the delay and the date on which the claim will be addressed.

5.3. Complaints

Data Subjects or their heirs may file a complaint with the Superintendence of Industry and Commerce once the inquiry or claim procedures before the Data Controller or Data Processor have been exhausted.

5.4. Competent Area and Mechanisms

Inquiries and claims shall be submitted to Asteri’s Management, composed of its General Manager and Deputy Manager, in writing via email to info@asterilaw.com, in accordance with Sections 5.1 and 5.2 above.

6. Term and Amendments to the Policy 

This Policy shall enter into force on September 1, 2020, and shall remain in effect for an indefinite term, as shall the Databases containing Personal Data.
Asteri reserves the right to amend this Policy at its discretion and shall timely notify Data Subjects of any amendments prior to their implementation.
Last updated: January 9, 2026.

Asteri S.A.S.

Contact us

Engagement process

Fee structures

We offer flexible fee arrangements tailored to matter type and client needs: hourly, fixed fee, hybrid, or contingency (for qualifying matters).

Contact information

Address:

Calle 64 A # 2-32
Bogotá 110231, Colombia

Phone:

+57 601 721 6785

Email:

info@asterilaw.com

Whatsapp:

+57 310 688 4615

Let's talk, contact us:

Form succesfully sent!

Our team will get in touch with you.
⚠️

Something went wrong!

Please check all fields and try again.
Asteri Law - Logo

Asteri Law Firm

Independent arbitration and asset recovery counsel. Boutique expertise. Global reach. Partner attention.
Information is general in nature and does not constitute legal advice. Prior results do not guarantee similar outcomes.

Index

Home
Our Team
International Arbitration
Complex Litigation
Asset Recovery
Insolvency
Recognitions

Languages

English
Español

Contact

Calle 64 A # 2-32
Bogotá 110231, Colombia
+57 601 721 6785
info@asterilaw.com
+57 310 688 4615
Data Processing Policy
Data Processing Policy
© 2025 Asteri Law. All rights reserved.
© 2025 Asteri Law. All rights reserved.