Data Protection
Personal data protection
1. Purpose
Establish the institutional guidelines for the correct management of the processing of personal data collected from users, clients and third parties to comply with current regulations and establish the rights to know, update and rectify the personal data that has been collected.
• Political Constitution, article 15
• Law 1266 of 2008
• Law 1581 of 2012
• Regulatory Decrees 1727 of 2009 and 2952 of 2010, and partial Regulatory Decree No. 1377 of 2013
• Decree 1074 of 2015
• External circular 003 of 2018
ANDThis policy applies to the person in charge of data processing, the administrator of personal data processing, the care and administrative processes, and those in charge of data processing at all locations.
• Treatment administrator: institutional process or position with the responsibility of leading, carrying out or managing all the procedures that the data protection activities give rise to.
• Authorization: prior, express and informed consent of the owner to carry out the processing of personal data.
• Privacy Notice: verbal or written communication generated by the person in charge, addressed to the owner for the processing of their personal data, through which they are informed about the existence of the information processing policies that will be applicable to them, the form of access them and the purposes of the treatment that is intended to be given to personal data.
• Database: organized set of personal data that is subject to treatment.
• Essential data: these are understood as those personal data of the holders that are essential to carry out the queries, procedures and interventions, as well as those that are required in the field of labor contracting and the commercial management of suppliers and contractors. The data of an essential nature must be provided by the owners thereof or those authorized to exercise these rights.
• Optional data: are those data that CLOFAN S.A. required to offer additional services in research and/or job offers, etc.
• Personal data: any piece of information linked to one or several determined or determinable persons or that can be associated with a natural or legal person.
• Public data: it is the data that is not semi-private, private or sensitive. Public data is considered, among others, data related to the marital status of people, their profession or trade and their quality as a user, businessman or public servant. Due to its nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins, and duly executed court rulings that are not subject to confidentiality.
• Sensitive data: sensitive data is understood to be those that affect the privacy of the owner or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, union membership. , social, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life and biometric data.
• Processor: natural or legal person, public or private that by itself or in association with others, performs the processing of personal data on behalf of the controller. It is clarified that the person in charge of the treatment is a third party, outside the company, so it should not be confused with the collaborator who, within the organization, is the one who manages the database.
• Habeas data: the right of any person to know, update and rectify the information that has been collected about them in the data bank and in the files of public and private entities.
• Data Protection Law: Law 1581 of 2012 and its regulatory decrees or the regulations that modify, complement or replace them.
• Responsible for the treatment: natural or legal person, public or private that by itself or in association with others, decides on the database and/or treatment of the data.
• SIC: Superintendency of Industry and Commerce.
• Owner: natural person whose personal data is processed.
• Transfer: data transfer takes place when the person in charge and/or in charge of the processing of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is responsible for the treatment and is located within or out of the country.
• Processing: any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.
• Transmission: treatment of personal data that implies the communication of the same inside or outside the territory of the Republic of Colombia when its purpose is to carry out a treatment by the person in charge on behalf of the person in charge.
5. Description of the policy
The right to personal and family privacy and habeas data are fundamental rights established in article 15 of the National Constitution. At present, these rights are increasingly threatened by what is necessary and imperative to set limits to the information that those responsible for and those in charge of disseminating it can provide about a person. The national Government, aware that information is the most precious asset in this globalized world and that the right of habeas data requires autonomous treatment for its effective protection that guarantees it, issued Statutory Law 1581 of October 17, 2012, through which General provisions are issued for the protection of personal data, it regulates the fundamental right of Habeas Data.
The Constitutional Court through judgment C-748 of 2011 established the constitutional control of this Statutory Law, which is a Law of special hierarchy whose essential purpose is to safeguard fundamental rights and duties, as well as the procedures and resources for their protection.
For this reason, this proposal seeks to comply with the provisions set forth in literal k) of article 17 of Law 1581 of 2012, which regulates the duties of those Responsible for the Processing of personal data, among which are The adoption of an internal manual of policies and procedures to guarantee adequate compliance with the law and, especially, for the attention of queries and claims, as well as article 13 of Decree 1377 of 2013, which establishes the obligation on the part of the Responsible Parties, stands out. of the Treatment to develop its policies for the treatment of personal data and ensure that the Treatment Managers fully comply with them.
In compliance with the above provisions, LA CLÍNICA OFLTAMOLÓGICA DE ANTIOQUIA S.A "CLOFAN S.A.S" informs the policy applicable to the entity for the processing and protection of personal data.
In accordance with what is stated in Law 1581 of 2012, the objective of this policy is: "Develop the constitutional right that all people have to know, update and rectify the information that has been collected about them in databases or files, and the other rights, freedoms and constitutional guarantees referred to in article 15 of the Political Constitution; as well as the right to information enshrined in article 20 of the same”.
In the same way, according to what is stated in regulatory decree 1377 of 2013 through it, it seeks to facilitate the implementation and compliance with the aforementioned law, regulating aspects such as the authorization of the Information Holder for the Treatment of their data. personal information, the Treatment policies of the Responsible and Processed Persons, the exercise of the rights of the Information Holders, the transfers of personal data and the demonstrated responsibility for the Treatment of personal data, this last issue referring to accountability.
6. Actions for compliance with the policy
For the due protection of personal data and the due application of the regulations that complement, modify or add to it, the following precepts will be applied in a harmonious and comprehensive manner:
RIGHTS OF THE HOLDER OF THE INFORMATION
The owner of the personal data will have the following rights:
to) Know, update and rectify your personal data against CLOFAN S.A.S. in its capacity as data controller. This right may be exercised, among others, against data that is partial, inaccurate, incomplete, divided, misleading, or whose processing is expressly prohibited or has not been authorized.
b) Request proof of the authorization granted to CLOFAN S.A.S. except when expressly excepted as a requirement for treatment (cases in which authorization is not necessary).
c) To be informed by CLOFAN S.A.S., upon request, regarding the use that has been given to your personal data.
d)Submit complaints to the Superintendence of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and other regulations that modify, add or complement it.
and) Revoke the authorization and/or request the deletion of the data when the Treatment does not respect the constitutional and legal principles, rights and guarantees.
F)Free access to your personal data that has been processed.
RIGHTS OF CHILDREN AND ADOLESCENTS
In the Treatment, respect for the prevailing rights of children and adolescents will be ensured.
The Processing of personal data of children and adolescents is prohibited, except for those data that are of a public nature, in accordance with the provisions of article 7 of Law 1581 of 2012 and when said treatment complies with the following parameters and requirements:
to) That responds and respects the best interest of children, children and adolescents.
b) That the respect of their fundamental rights be ensured.
DUTIES OF CLOFAN S.A.S.
By virtue of this personal data treatment and protection policy, CLOFAN S.A.S. the following, without prejudice to the provisions provided by law:
to) Guarantee the owner, at all times, the full and effective exercise of the right of habeas data.
b) Request and keep a copy of the respective authorization granted by the owner.
c) Duly inform the owner about the purpose of the collection and the rights that assist him by virtue of the authorization granted.
d) Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
and)Guarantee that the information is true, complete, exact, updated, verifiable and understandable.
F) Update the information, thus attending to all the news regarding the owner's data. Additionally, all necessary measures must be implemented so that the information is kept up to date.
g)Rectify the information when it is incorrect and communicate what is pertinent.
h) Respect the security and privacy conditions of the owner's information.
Yo)Process inquiries and claims formulated in the terms indicated by law.
j)Identify when certain information is under discussion by the owner
k)Inform at the request of the owner about the use given to their data.
l) Inform the data protection authority when there are violations of the security codes and there are risks in the administration of the information of the holders.
m) Comply with the requirements and instructions issued by the Superintendency of Industry and Commerce on the particular subject.
n)Use only data whose treatment is previously authorized in accordance with the provisions of Law 1581 of 2012.
either)CLOFAN SAS will make use of the owner's personal data only for those purposes for which it is duly empowered and in all cases respecting the current regulations on personal data protection.
AUTHORIZATIONS AND CONSENT OF THE HOLDER
Without prejudice to the exceptions provided for in the Law, in the processing of personal data of the owner, the prior and informed authorization of the latter is required, which must be obtained by any means that can be subject to subsequent consultation.
MEANS AND STATEMENT TO GRANT THE HOLDER'S AUTHORIZATION
CLOFAN SAS in the terms provided in the Law, it generated a notice in which the holders are informed that they can exercise their right to the processing of personal data through the page www.clofan.com and the email cad@clofan.com
EVENTS IN WHICH THE AUTHORIZATION OF THE HOLDER OF THE PERSONAL DATA IS NOT NECESSARY
The authorization of the owner of the information will not be necessary in the following cases:
to) Information required by a public or administrative entity in the exercise of its legal functions or by court order.
b)Data of a public nature.
c)Cases of medical or health urgency.
d) Treatment of information authorized by law for historical, statistical or scientific purposes. Data related to the Civil Registry of people.
LEGITIMATION FOR THE EXERCISE OF THE RIGHT OF THE HOLDER
The rights of the holders established in the Law may be exercised by the following persons:
to) By the owner, who must sufficiently prove their identity by the different means made available by CLOFAN S.A.S.
b) By the successors in title of the owner, who must prove such quality.
c)By the representative and/or attorney of the owner, prior accreditation of the representation or empowerment.
d)By stipulation in favor of another or for another.
and) The rights of children and adolescents will be exercised by the people who are empowered to represent them.
PROCEDURES SO THAT THE HOLDERS OF THE INFORMATION CAN EXERCISE THEIR RIGHTS
to) Queries:
The Holders or their successors in title may consult the personal information of the Holder that rests in CLOFAN S.A.S. who will provide all the information contained in the individual record or that is linked to the identification of the Owner. The consultation will be formulated through the email cad@clofan.com. The query will be answered within a maximum term of ten (10) business days from the date of receipt of the same, or according to times defined by current regulations. When it is not possible to answer the query within of said term, the interested party will be informed, stating the reasons for the delay and indicating the date on which their query will be addressed, which in no case may exceed five (5) business days following the expiration of the first term.
b) Claims:
The Owner or his successors in title who consider that the information contained in a database should be corrected, updated or deleted, or when they notice the alleged breach of any of the duties contained in the law, may file a claim with CLOFAN S.A.S. which will be processed under the following rules:
1.The Holder's claim will be made by means of a request addressed to CLOFAN S.A.S. by email cad@clofan.com with the identification of the Holder, the description of the facts that give rise to the claim, the address, and accompanying the documents that you want to assert. If the claim is incomplete, the interested party will be required within five (5) days following receipt of the claim to correct the failures. After two (2) months from the date of the request, without the applicant submitting the required information, it will be understood that the claim has been withdrawn.
2. In the event that the person receiving the claim is not competent to resolve it, they will transfer it to the appropriate person within a maximum term of two (2) business days and inform the interested party of the situation.
3. Once the email cad@clofan.com is received with the complete claim, it will be cataloged with the label "claim in process" and the reason for it within a term of no more than two (2) business days. Said label will be maintained until the claim is decided.
4.The maximum term to address the claim will be fifteen (15) business days from the day following the date of receipt. When it is not possible to address the claim within said term, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.
c) Request for updating, rectification and deletion of data
CLOFAN SAS will rectify and update, at the request of the owner, the information of the latter that turns out to be incomplete or inaccurate, in accordance with the procedure and the terms indicated above, for which the owner will submit the request to the email cad@clofan.com indicating the update , rectification and deletion of the data and will provide the documentation that supports your request.
d) Revocation of the authorization and/or deletion of the data
The holders of personal data can revoke the consent to the processing of their personal data partially or completely according to authorized items, at any time, as long as it is not prevented by a legal or contractual provision, for this CLOFAN S.A.S. will make the email cad@clofan.com available to the Holder.
If the respective legal term has expired, CLOFAN S.A.S., as the case may be, has not eliminated the personal data, the Owner will have the right to request the Superintendence of Industry and Commerce to order the revocation of the authorization and/or the deletion of the data. personal. For these purposes, the procedure described in article 22 of Law 1581 of 2012 will be applied.
TREATMENT TO WHICH THE DATA WILL BE SUBJECTED AND PURPOSE OF THE SAME
The treatment for the essential personal data of users, collaborators and suppliers will be framed in the legal order and by virtue of the condition of CLOFAN S.A.S. as a Health Provider Institution and will be all those necessary for the fulfillment of the institutional mission.
In the case of sensitive personal data, they may be used and processed when:
to) The Holder has given his explicit authorization to said Treatment, except in cases where the granting of said authorization is not required by law;
b) The Treatment is necessary to safeguard the vital interest of the Holder and he is physically or legally incapacitated. In these events, the legal representatives must grant their authorization;
c) The Treatment is carried out in the course of legitimate activities and with due guarantees by a foundation, NGO, association or any other non-profit organization, whose purpose is political, philosophical, religious or union, provided that they refer exclusively to to its members or to people who maintain regular contact by reason of its purpose. In these events, the data may not be provided to third parties without the authorization of the Owner;
d)The Treatment refers to data that is necessary for the recognition, exercise or defense of a right in a judicial process;
and)The Treatment has a historical, statistical or scientific purpose. In this event, the measures leading to the suppression of the identity of the Holders must be adopted.
The processing of personal data of children and adolescents is prohibited, except in the case of data of a public nature, and when such processing complies with the following parameters and/or requirements:
to) That they respond to and respect the best interest of children and adolescents.
b) That the respect of their fundamental rights be ensured.
Once the above requirements have been met, the legal representative of the children or adolescents will grant authorization, prior to the minor's exercise of his or her right to be heard, an opinion that will be assessed taking into account maturity, autonomy and ability to understand the matter.
CLOFAN SAS will ensure the appropriate use of the processing of personal data of children or adolescents.
The data processing is carried out, in addition to the other reported purposes, for video surveillance, security or traceability activities of the goods, facilities and people found in them, through cameras and recording devices established in the headquarters facilities. of the CLOFAN S.A.S. clinic, clarifying that no video surveillance device is located in places that may affect the privacy of the Holders. The images or videos will only be processed when they are pertinent in relation to the stated purposes and that have justified the installation of video surveillance devices.
PEOPLE TO WHOM THE INFORMATION MAY BE PROVIDED
The information that meets the conditions established by law may be provided to the following persons:
to)To the owners, their successors in title (when those are absent) or their legal representatives.
b) To public or administrative entities in the exercise of their legal functions or by court order
c)To third parties authorized by the owner or by law.
PERSON OR AREA RESPONSIBLE FOR HANDLING REQUESTS, QUERIES AND CLAIMS
CLOFAN SAS has designated the Document Management Center with the support of the legal adviser, Functional areas that handle the Personal Data of the Holders and professionals in Information Security as the administrative process and guarantor of ensuring compliance with this policy within the institution.
This unit will be attentive to resolve requests, queries and claims by the owners and to carry out any update, rectification and deletion of personal data, through the email cad@clofan.com
INTERNATIONAL TRANSFER AND TRANSMISSION OF PERSONAL DATA
CLOFAN SAS In compliance with the institutional mission of teaching, research and extension and in consideration of its permanent or occasional links of an academic and administrative nature with international institutions, international government entities, international cooperation agencies, it may transfer and transmit the personal data of the holders.
For the international transfer of personal data of the holders, CLOFAN S.A.S. will take the necessary measures so that third parties are aware of and agree to observe this Policy, under the understanding that the personal information they receive may only be used for matters directly related to CLOFAN S.A.S. and only while it lasts and may not be used or destined for a different purpose or purpose. For the international transfer of personal data, the provisions of article 26 of Law 1581 of 2012 will be observed.
The international transmissions of personal data carried out by CLOFAN S.A.S., will not require the Owner to be informed or have his consent when there is a contract for the transmission of personal data in accordance with article 25 of Decree 1377 of 2013.
With the acceptance of this policy, the Owner expressly authorizes the transfer and transmission of Personal Information. The information will be transferred and transmitted, for all relationships that may be established with CLOFAN S.A.S.
CHANGE MANAGEMENT
In the event that substantial changes are made in the content, person in charge, person in charge or purpose of the data processing referred to in this policy, CLOFAN S.A.S. will notify the owners through the use of electronic means of the changes that have occurred. A new authorization by the owner is only necessary when the change refers to the purpose of data processing.
7. Exclusions
N/A
8. Measurable elements
• Claims index (analysis focused on personal data protection)