PERSONAL DATA PROCESSING POLICY

  1. INTRODUCTION OF THE POLICY
  2. LEGAL FRAMEWORK
  3. MAIN OBJECTIVE
  4. SPECIFIC OBJECTIVES
  5. SCOPE
  6. DEFINITIONS
  7. DEVELOPMENT OF THE POLICY
  • DESCRIPTION OF THE DATA
  • REFERRING TO THE PERSONAL INFORMATION OF THE DATA SUBJECTS
  • SPECIAL PURPOSES FOR THE TREATMENT OF PERSONAL DATA OF PATIENTS AND/OR RESPONDENTS:
  • AUTHORIZATION OF THE HOLDER LA CLINICA DEL OCCIDENTE S.A.
  • USE OF IMAGES AND VIDEO SURVEILLANCE
  • RIGHTS OF THE OWNERS
  • RIGHTS OF CHILDREN AND ADOLESCENTS
  • DUTIES OF THOSE RESPONSIBLE AND THOSE IN CHARGE OF THE PROCESSING OF PERSONAL DATA
  • DUTIES OF THOSE RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA
  • REVOCATION OR DELETION REQUESTS
  • PROVISION OF INFORMATION
  • PERSONS TO WHOM THE INFORMATION
  • MAY BE PROVIDED ∙ QUERIES
  • CLAIMS
  • TEMPORALITY OF THE PROCESSING OF PERSONAL DATA
  • INTERNATIONAL TRANSFER AND TRANSMISSION OF PERSONAL DATA
  • INFORMATION SECURITY
  • VALIDITY OF THE INFORMATION
  • PROCESSING POLICY
  • MODIFICATIONS
  • PRIVACY NOTICE
  • DATA CONTROLLER
  • RIGHTS OF THE HOLDER OF PERSONAL DATA
  • RIGHTS OF THE HOLDER OF PERSONAL DATA
  • MECHANISMS TO KNOW THE PERSONAL
  • DATA PROCESSING POLICY

INTRODUCTION
According to Law 1581 of 2012 and Decree 1377 of 2013, through which provisions are issued for the protection of personal data and in the development of the constitutional right that all persons have to know, update and rectify the information that has been collected about them in databases or files, CLINICA DEL OCCIDENTE S.A. as IPS as responsible for the processing of personal data of stakeholders consisting of users, families, employees, contractors, students, entities responsible for payment and inspection, monitoring and control entities, information that has been obtained in the development of its mission activity of providing health services, so it is committed to compliance with the aforementioned regulations and the protection of the rights of individuals and informs its stakeholders that adopts the following policies on the collection, processing and use of personal data.

CLINICA DEL OCCIDENTE S.A., identified with the NIT. 860.090.566-41, domiciled in the city of Bogotá, at Avenida de las Américas No. 71C-29, Telephone (1) 4254620, makes available THE PERSONAL DATA PROCESSING POLICY as responsible and in charge of the handling of such information; which succinctly states the scope and purpose of the use of personal data by THE CLINICA, if the Holder grants express, prior and informed authorization.

LEGAL FRAMEWORK
POLITICAL CONSTITUTION OF COLOMBIA
Law 1581 of 2012 Decree 1377 of 2013

MAIN OBJECTIVE
The purpose of the creation of this policy is to fully comply with the provisions of paragraph k) of Article 17 of Law 1581 of 2012, which refers to the adoption of an internal manual of policies and procedures to ensure the proper handling of claims or queries and the proper treatment of information under the purposes established for it. a) The adequate rendering of the services offered by LA CLINICA DEL OCCIDENTE S.A. b) To be contacted for renewals, offering of products and services, to be informed and invited to participate in different benefits or events. c) To send commercial and promotional information, invitations, or attentions of LA CLINICA DEL OCCIDENTE S. A. d) Conduct surveys and/or opinion polls about products and contents. e) Perform market segmentation, consumption analysis, and preferences. f) Evaluate the quality of products and services. g) Answer, manage and follow up improvement requests, petitions, and suggestions. If you wish your data to be deleted from our databases, we ask you to expressly state so within thirty (30) working days from the publication of this communication to atencionalusuario@clinicadeloccidente.com, direccion@clinicadeloccidente.com otherwise, it will be considered that you authorize us to use them for the purposes previously described. In advance, you may consult the substantial changes in our Personal Data Treatment Policy, as well as the changes in our privacy notice on the website of LA CLINICA DEL OCCIDENTE S.A.

Law 1581 of 2012 establishes the general regime for the protection of Personal Data, which aims to develop the constitutional right that all individuals must know, update and rectify the information that has been collected about them in databases or files, and the other constitutional rights, freedoms, and guarantees related to the right to privacy.

Decree 1377 of 2013 regulates Law 1581 of 2012 and regulates the authorization, revocation, policies, and procedures for the protection of personal data.

SPECIFIC OBJECTIVE
LA CLINICA DEL OCCIDENTE S.A. as specific objective aims to ensure the preservation and confidentiality of the information collected and stored and when using personal data of patients, donors, users, among others; which is collected to provide health services under the provisions of Article 15 of the National Constitution, Law 23 of 1981, Decree 1377 of 2013 and Resolution1995 of 1999, and following the guidelines of Law 23 of 1981 and Resolution 2546 of July 2, 1998.

When collecting personal data, to send information to the different entities that have interference and competence to do so, it requires obtaining authorization and/or legalizing the procedures so that in a free, prior, express, voluntary, and duly informed manner, it allows THE CLINIC to collect, collect, store, use, circulate, suppress, process, compile, exchange, update and dispose of the data that have been provided and that have been incorporated in different databases or databanks.

Based on article 10 of Decree 1377 of 2013, CLINICA DEL OCCIDENTE S.A. is expressly and unequivocally authorized to maintain and handle all information as provided herein, unless there is an express manifestation in writing, directly and unequivocally within thirty (30) working days from the receipt of this communication at the premises of THE CLINICA in the reception of correspondence.

Additionally, at any time you have the right to object to the sending of information and you can rectify or update the data if they are erroneous or have changed. In future communications that we send you by e-mail, we will remind you of your rights to know, rectify or delete your data or to request the revocation of your authorization for the processing of the same.

This Policy refers exclusively to the above and does not relate to the information contained in the medical records, because the data and information contained therein remain reserved, confidential, and totally private (Resolution 1995 of 1999).

SCOPE
This DATA PROCESSING POLICY is made known by LA CLINICA DEL OCCIDENTE S.A.A. to its employees, users, patients, family members, contractors, contractors, suppliers, donors, and other persons who provide personal information to LA CLINICA, in order to effectively comply with legal and regulatory obligations related to the protection and proper processing of personal information that the company manages from third parties.

DEFINITIONS:
ADAPT: To modify or make the personal data obtained, perform functions other than those for which it was constructed.
STORAGE: To gather, save or register the personal data necessary for the provision of health services. CONSERVATION: To maintain and take care of the personal data so that it does not lose its characteristics and properties with the passage of time.
AUTHORIZATION: Prior and informed consent of the holder to carry out the processing of personal data.
PRIVACY NOTICE: Verbal or written communication generated by the Controller, addressed to the Data Subject for the processing of his personal data, by means of which he is informed about the existence of the information processing policies that will be applicable to him, the way to access them and the purposes of the processing that is intended to be given to the personal data.
DATABASE: Organized set of personal data that is subject to processing. CONSOLIDATE: To gather, integrate or assemble the personal data obtained.
PUBLIC DATA: Data that is not semi-private, private, or sensitive. Public data are considered, among others, the data related to the marital status of individuals, their profession or trade, and their status as a merchant or public servant. By their nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins, and duly executed court rulings that are not subject to confidentiality.
SENSITIVE DATA: Sensitive data are understood as those that affect the privacy of the Data Subject or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.
SEMI-PRIVATE DATA: Data that is not of an intimate, reserved, or public nature and whose knowledge is of interest to the owner and to a certain sector or group of persons or to society in general. PRIVATE DATA: Data that, due to its intimate or reserved nature, is only relevant to the owner of the information.
EXTRACT: To separate or filter the personal data obtained, in order to obtain and create useful information for LA CLINICA DEL OCCIDENTE S.A. based on the personal data of the owner.
FILTER: Select from the personal data obtained the necessary aspects to configuring the information required by the Data Controller.
PROCESS: To submit the personal data to a series of programmed operations, with a specific purpose for the provision of the Health service. FILING: Keeping personal data in a certain order.
COLLECT: To gather the personal data that the Data Controller acquires in the development of its object.
REPRODUCE: To obtain a copy, in one or many copies, of the personal data that are obtained in the provision of the Health service.
PROCESSING: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.
TRANSFER: The transfer of data takes place when the Controller and/or Processor of personal data, located in Colombia, send the information or personal data to a recipient, which in turn is the Controller of the Processing and is located inside or outside the country.
TRANSMISSION: Processing of personal data that involves the communication of the same within or outside the territory of the Republic of Colombia when the purpose of the Processing is carried out by the Processor on behalf of the Controller.
CONTROLLER: Natural person whose personal data is the object of processing. Transmit: To transmit or disseminate personal data when the purpose of the Processing is carried out by the Processor on behalf of the Controller.

DEVELOPMENT OF THE PERSONAL DATA PROCESSING POLICY
The guidelines contained in this document are applicable to personal data that have been recorded in the databases and are susceptible to the treatment required by THE CLINIC in compliance with the provisions of Law 1581 of 2012 by which general provisions for the protection of personal data are issued.
This policy is mandatory for LA CLINICA, as responsible for data processing, as well as for those in charge of processing personal data on behalf of the institution. Both the person in charge and the persons in charge must safeguard the security of the databases containing personal data and keep confidentiality with respect to the processing of such data.

GENERAL
The National Government through Law 1581 of 2012, issued the General Regime for the Protection of Personal Data determining that every institution shall guarantee the full exercise of the right of habeas data. As responsible for the processing of personal data, LA CLINICA DEL OCCIDENTE S.A. guarantees to the holders of personal data, that the processing will be carried out in accordance with the data protection policy in harmony with the regulations provided for such purpose, it will also manage the personal data of the holders in accordance with the guiding principles of the regulatory framework. In order to facilitate the implementation of the rules, LA CLINICA DEL OCCIDENTE, issues this policy, which will be mandatory for all employees of the institution.

DESCRIPTION OF THE DATA THAT REFER TO THE PERSONAL INFORMATION OF THE OWNERS
The personal data of the holders that are collected in the different services may include, but are not limited to:
1) Full names and surnames.
2) Class and number of the identity document (civil registry, identity card, citizenship card, passport, foreigner’s card, or diplomatic card).
3) Place and date of birth, nationality.
4) Age, sex, marital status, spoken languages, and religious beliefs.
5) Schooling, profession, and occupation.
6) Usual physical address, e-mail address, fixed telephone number, cell phone number, and fax number. g) Employer, its location, and contact information.
7) Patient’s clinical information including personal, family, and epidemiological history, results of diagnostic support tests, consultations performed, medications received diagnoses, medical and health team assessments, surgical procedures, etc.
8) Contact information of family members, caregivers, or legal representatives. 9) Personal habits.
10) Your Benefits Plan Administration Entity (EPS, EPS-S, ARL, Complementary Care Plan -PAC-, Prepaid Medicine, Health Policy, etc.).
11) Use of our services.
12) Personal information obtained during the review of your requests or complaints. 13) Personal information provided through surveys or other institutional instruments.

TREATMENT OF PERSONAL DATA
The Information provided by the holder to LA CLINICA DEL OCCIDENTE S.A. is required to collect, collect, store, use, circulate, suppress, process, compile, exchange, update and dispose of, with or without the aid of information technology, without restriction or limitation and in general for:
1) The adequate provision of the services offered by LA CLINICA DEL OCCIDENTE S.A. 2) Be contacted for renewals, offering of products and services, be informed, and invited to participate in different benefits or events.
3) Send commercial and promotional information, invitations, or services from LA CLINICA DEL OCCIDENTE S.A. d) Carry out surveys and/or opinion polls about products and contents. 4) To carry out market segmentation, consumption, and preference analysis.
5) Evaluate the quality of products and services.
6) Answer, manage and follow up improvement requests, petitions, and suggestions. In addition to the general purposes, there are particular purposes, according to the relationship that the individuals have with LA CLINICA DEL OCCIDENTE S.A., as described below:

SPECIAL PURPOSES FOR THE PROCESSING OF PERSONAL DATA OF PATIENTS AND/OR RESPONDENTS:

a) Achieve efficient communication related to our services and alliances, by different means. b) Inform and invite to marketing campaigns, promotion of services, and patient education. c) Conduct a satisfaction survey of services and care provided. d) Send to physical mail, electronic, cellular or mobile device, via text messages (SMS and/or MMS) or through any other analog and/or digital means of communication created or to be created, information about the services it provides, the events it schedules, in order to promote, invite, direct, execute and inform. e) Obtain fundamental data for clinical and epidemiological research. f) Identification of clinical, scientific, and technological advances. g) Comply with the laws applicable to private and public health in Colombia, including but not limited to, any requirement of the Ministry of National Health, District Secretary of Health, judicial or administrative authorities. Special purposes for the processing of employees’ personal data: a) Internal and external publications. b) Opening access to the organization’s own technological platforms. c) Providing information to companies that request to verify employees’ labor data for authorization of money or commercial credits. (Subject to verification of source and authorization of the owner – use of data, it should focus on the verification but not on the provision of information). d) Be contacted directly if required, because of their functions. e) Inform the calls and invitations to events. f) Inform and shape processes of election and internal promotion. g) Support internal or external auditing processes. h) Detect training needs and implement actions that allow an excellent provision of the institution’s services. Special purposes for the processing of student data a) Carry out internal and external publications. b) Inform and conform internal election and promotion processes. c) To carry out marketing of educational programs both undergraduate and graduate and surveys related to education to those who voluntarily wish to participate. a) To comply with the laws applicable to private education in Colombia, including but not limited to, any requirement of the Ministry of National Education or judicial or administrative authorities. Special purposes for the processing of the personal data of applicants. a) Carrying out the selection and internal promotion processes. b) Special purposes for the processing of the personal data of applicants. Special purposes for the processing of personal data of suppliers and contractors, agreements, and alliances: a) Evaluation of goods and services provided by the parties. b) Monitoring and management of the contractual relationship.

AUTHORIZATION OF THE OWNER LA CLINICA DEL OCCIDENTE S.A.

In accordance with the provisions of Law 1581 of 2012 and Regulatory Decree 1377 of 2013, the use, collection, and storage of personal data by LA CLINICA DEL OCCIDENTE S.A. must have the authorization of the holder in which their prior, express, and informed consent for LA CLINICA to carry out the processing of their personal data is expressed.
However, THE CLINICA will make use of the provisions of Article 10 of Regulatory Decree 1377 of 2013 which refers to data collected before June 27, 2013. LA CLINICA, at the time of requesting the authorization to the Holder, clearly and expressly informs the following:

a) The processing to which the personal data are subject and the purpose thereof. b) The optional nature of the response to the questions that are asked, when they deal with sensitive data or data of children and adolescents. c) The rights to which you are entitled as Data Subject. d) The identification, email address, and telephone number of the Data Controller. e) How to revoke the authorization and/or deletion of the data. Cases in which the authorization of the owner of the personal data is not required: In the following cases the authorization of the owner of the personal data will not be required: a) Information required by a public or administrative entity in the exercise of its legal functions or by court order. b) Data of a public nature. LA CLINICA DEL OCCIDENTE S.A. e) data related to the Civil Registry of Persons. Authorization for the treatment of sensitive personal data: In the treatment of sensitive personal data, when such treatment is possible according to the provisions of article 6 of Law 1581 of 2012, LA CLINICA DEL OCCIDENTE S.A., shall comply with the following obligations: a) Inform the holder that since it is sensitive data, he/she is not obliged to authorize its processing. b) Inform the holder explicitly and previously, in addition to the general requirements of authorization for the collection of any kind of personal data, which of the data to be processed are sensitive and the purpose of the processing, as well as obtain his/her express consent. No activity may be conditioned to the holder providing sensitive personal data. In compliance with the regulations in force on Personal Data Protection, within the Institution the processing of sensitive data is prohibited, except when: a) The Data Subject has given his/her explicit authorization to such Processing, except in cases where, by law, the granting of such authorization is not required; b) The Processing is necessary to safeguard the vital interest of the Data Subject and he/she is physically or legally incapacitated. In these events, the legal representatives must grant their authorization; c) The Processing is carried out in the course of legitimate activities and with due guarantees by a foundation, NGO, association, or any other non-profit organization, whose purpose is political, philosophical, religious or trade union, provided that it refers exclusively to its members or to persons who maintain regular contacts due to its purpose. In these events, the data may not be provided to third parties without the authorization of the Data Controller; d) The Processing refers to data that is necessary for the recognition, exercise, or defense of a right in a judicial process; e) The Processing has a historical, statistical or scientific purpose. In this event, the measures leading to the suppression of the identity of the Data Controllers must be adopted.

USE OF IMAGES AND VIDEO SURVEILLANCE
CLINICA DEL OCCIDENTE S.A. informs about the existence of security mechanisms adopted through the diffusion of video surveillance advertisements in visible places. THE CLINICA has a video surveillance system installed in different places inside and outside its facilities, which is used for security purposes as rights of each of the patients, companions, employees, and any other natural person.

The information collected will be used for security purposes of the patients, accompanying employees, and any other natural person, as well as the property and facilities. This information may be used as evidence before any authority or organization; and will be stored by THE CLINIC, for a period of 30 days, according to the technical specifications of each video camera. As the images are of a general nature, only a competent authority may request them.

RIGHTS OF THE HOLDERS
The holder of the personal data will have the following rights:
1) To know, update and rectify their personal data before LA CLINICA DEL OCCIDENTE S.A. or before the designated Data Processor. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or data whose processing is expressly prohibited or unauthorized in writing.
2) Request proof of the authorization granted to LA CLINICA DEL OCCIDENTE S.A., except when expressly excepted. except when expressly exempted as a requirement for data processing.
3) Be informed by LA CLINICA DEL OCCIDENTE S.A. or by the designated data processor, upon written request, regarding the use given to their personal data.
4) File complaints before the Superintendence of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and other rules that modify, add, or supplement it.
5) To revoke the authorization and/or request the deletion of the data when the processing does not respect the principles, rights, and constitutional and legal guarantees. The revocation and/or suppression will proceed when the Superintendence of Industry and Commerce has determined that in the Processing of personal data, LA CLINICA DEL OCCIDENTE S.A. or the designated manager, have incurred in conduct contrary to Law 1581 of 2012 and the Constitution.
6) Access free of charge under the conditions defined in this document, to their personal data that have been subject to processing.

RIGHTS OF CHILDREN AND ADOLESCENTS

In the treatment of personal data in charge of LA CLINICA DEL OCCIDENTE S.A., respect for the prevailing rights of children and adolescents, who are admitted for emergencies shall be ensured; therefore, the treatment of personal data of children and adolescents is forbidden, except for those data that are of public nature, authorized by legal regulations in force and when such treatment complies with the following parameters and requirements: a) That it responds and respects the best interest of children and adolescents. b) That it ensures respect for their fundamental rights. c) That the opinion of the minor is taken into account in accordance with their maturity, which is not directly related to their age, but to their degree of discernment. d) That it complies with the requirements of the law for the processing of personal data, such as authorization, purpose, explanation of the duties and rights of the owners. Once the above requirements are fulfilled, the legal representative of the child or adolescent will grant the authorization to LA CLINICA DEL OCCIDENTE S.A.

DUTIES OF THOSE RESPONSIBLE AND THOSE IN CHARGE OF THE TREATMENT OF PERSONAL DATA.

The data collection carried out by LA CLINICA DEL OCCIDENTE S.A. will be limited to those personal data that are relevant and adequate for the purpose for which they are collected or required according to the current regulations. shall comply with the duties foreseen for those responsible for the Personal Data Processing, such as a) Guarantee the Data Subject, at all times, the full and effective exercise of the right of habeas data; b) Request and keep, under the conditions foreseen by the law, a copy of the respective authorization granted by the Data Subject. c) Duly inform the Data Subject about the purpose of the collection and the rights he/she is entitled to by virtue of the authorization granted. d) Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, unauthorized or fraudulent use, or access. e) Ensure that the information provided to the Data Processor is truthful, complete, accurate, current, verifiable, and understandable. f) Update the information, communicate in a timely manner to the Data Processor, all developments regarding the data previously provided, and take other necessary measures to ensure that the information provided to this is kept up to date. g) Rectify the information when it is incorrect and communicate the pertinent to the Data Processor. h) Provide the Data Processor, as the case may be, only data whose Processing is previously authorized in accordance with the provisions of the law. i) Require the Data Processor at all times, to respect the security and privacy conditions of the Data Subject’s information. j) To process the queries and claims formulated in the terms set forth in the law; k) To inform the Data Processor when certain information is under discussion by the Data Subject, once the claim has been filed and the respective process has not been completed. l) Inform at the request of the Data Subject about the use given to his/her data. m) Inform the data protection authority when there are violations to the security codes and there are risks in the administration of the data subject’s information. n) Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

o) Adopt the necessary procedures to request, at the latest at the time of data collection, the authorization of the Data Subject for the Processing thereof, and inform the personal data to be collected as well as all the specific purposes of the processing for which consent is obtained. It is clarified that personal data that are in publicly accessible sources, regardless of the means by which they are accessed, meaning those data or databases that are available to the public, may be processed by LA CLINICA DEL OCCIDENTE S.A. as long as, by their nature, they are public data. p) Communicate substantial changes in the content of the Processing Policies, referring to the identification of the Controller and the purpose of the processing of personal data, which may affect the content of the authorization. This communication must be made before or at the latest at the time of implementing the new policies, and a new authorization shall be obtained from the Data Controller when the change refers to the purpose of the Processing. For the communication of changes and authorization, technical means may be used to facilitate this activity. q) Guarantee the integrity, confidentiality, and quality of the proper form in which the collection of sensitive data that are necessary for the timely care of each patient is carried out.

DUTIES OF THE PERSONS IN CHARGE OF THE PROCESSING OF PERSONAL DATA

Data Processors shall comply with the following duties: a) Guarantee the Data Subject, at all times, the full and effective exercise of the right of habeas data; b) Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access; c) Timely update, rectify or delete the data under the terms of this law; d) Update the information reported by the Data Controllers within five (5) working days from its receipt; e) Process the queries and claims made by the Data Controllers in the terms set forth in the present law; f) Adopt and comply with the policies, manuals, and procedures that in compliance with the rules on data protection have been provided by the national government and have been implemented by LA CLINICA DEL OCCIDENTE S. A. g) to give the corresponding processing to the queries and claims made by the owners for the attention of queries and claims. h) Register in the database the legend “claim in process” in the way regulated by the present law; i) Insert in the database the legend “information in judicial discussion” once notified by the competent authority about judicial processes related to the quality of the personal data; j) Refrain from circulating information that is being disputed by the Holder and whose blocking has been ordered by the Superintendence of Industry and Commerce; k) Allow access to the information only to the persons who may have access to it; l) Inform the Superintendence of Industry and Commerce when there are violations to the security codes and there are risks in the administration of the information of the Data Holders; m) Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce. Note: If the qualities of the Data Controller and Data Processor concur in the same person, the fulfillment of the duties foreseen for each of them shall be enforceable.

REQUESTS FOR REVOCATION OR DELETION

The holders may at any time request LA CLINICA DEL OCCIDENTE S.A. to delete their personal data and/or revoke the authorization granted for the Processing thereof, by submitting a written request, in accordance with the provisions of Article 15 of Law 1581 of 2012by means of one of the following options: ∙ By physical means, request filed in Correspondence at Avenida de las Americas No. 71c-29 office hours 07:00 AM to 05:00 PM Monday to Friday. ∙ By electronic means to atencionalusuario@clinicadeloccidente.com, direccion@clinicadeloccidente.com LA CLINICA DEL OCCIDENTE S.A. will answer the request by the same means it was formulated. The request for suppression of the information and the revocation of the authorization will not proceed when the holder has a legal or contractual duty to remain in the database of LA CLINICA DEL OCCIDENTE S.A.

PROVISION OF INFORMATION

In the event that the holder requests information regarding the treatment of his/her personal data, it will be provided by LA CLINICA DEL OCCIDENTE S.A. by the same means by which the request was made, and it will correspond entirely to the information contained in the managed database.

PERSONS TO WHOM THE INFORMATION MAY BE SUPPLIED

The information about the personal data that have been processed by LA CLINICA DEL OCCIDENTE S.A. may be provided to the following persons:

To the Holders, their successors in title or their legal representatives, upon presentation of the document granting the right.
To public or administrative entities in the exercise of their legal functions or by court order, upon presentation of the respective official document.
To third parties authorized by the Data Subject or by law, upon presentation of the document granting the right.

CONSULTATIONS

The Data Controllers or their assignees may consult the personal information contained in the databases of LA CLINICA DEL OCCIDENTE S.A., who will provide the applicant with all the information contained in the individual record or that is linked to the identification of the Data Controller. The holder will be able to consult his/her personal data free of charge every time there are substantial modifications to the Information Processing Policies, which motivate new consultations. For the purpose of answering the queries, LA CLINICA DEL OCCIDENTE S.A. has a maximum term of ten (10) working days from the date of receipt thereof. When it is not possible to answer the consultation within such term, the interested party will be informed, stating the reasons for the delay and indicating the date on which the consultation will be answered, which in no case may exceed five (5) working days after the expiration of the first term

CLAIMS
The Holder who considers that the information contained in the database of LA CLINICA DEL OCCIDENTE S.A. should be subject to correction, updating, deletion or when they notice the alleged breach of any of the duties contained in Law 1581 of 2012, may submit a request to LA CLINICA DEL OCCIDENTE S.A. which will be processed under the following conditions:

a). The claim shall be formulated using a written request addressed to LA CLINICA DEL OCCIDENTE S.A. with at least the following information:

  • Name of the petitioner or applicant
  • Identification number of the petitioner or applicant
  • Facts on which the request is based.
  • Object of the request
  • Correspondence delivery address
  • Provide the documents required to validate or support the request.

If the request is incomplete, within five (5) working days after receipt, the area where it was filed shall request the interested party to correct the faults and complete the information; if after two (2) months from the date of the request made by LA CLINICA DEL OCCIDENTE S.A. without the applicant submitting the required information, it shall be understood that the claim has been withdrawn. Once LA CLINICA DEL OCCIDENTE S.A. confirms the receipt of the request, it will be verified that the information is complete and will proceed to start the process of attending the request, for which the receiving areas rely on the legal office before issuing the answer. The maximum term to attend the request will be fifteen (15) working days from the day following the date of its receipt. When it is not possible to attend the request within such term, the interested party shall be informed of the reasons for the delay and the date on which the request will be attended, which in no case may exceed eight (8) working days following the expiration of the first term. If the person receiving the claim is not competent to resolve it, he/she will transfer it to the corresponding person within a maximum term of two (2) business days and will inform the interested party of the situation.

b). Once the complete claim has been received, a legend will be included in the database stating, “claim in process” and the reason for the claim, within a term no longer than two (2) business days. Said legend shall be maintained until the claim is decided.

c). The maximum term to attend the claim shall be fifteen (15) working days from the day following the date of its receipt. When it is not possible to address the claim within such term, the interested party shall be informed of the reasons for the delay and the date on which the claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term. 10. PROCEDURAL REQUIREMENT. The Data Subject may file a complaint before the Superintendency of Industry and Commerce once he/she has exhausted the consultation or complaint process before the Controller or the Person in Charge of the Processing of Personal Data.

TEMPORALITY OF PERSONAL DATA PROCESSING

The permanence of the personal data collected by LA CLINICA DEL OCCIDENTE S.A. will be determined by the purpose of the processing for which they have been collected. Once the purpose of the processing has been fulfilled, LA CLINICA DEL OCCIDENTE S.A. will proceed to delete the personal data collected. Notwithstanding the above, personal data shall be kept when required to comply with a legal or contractual obligation.

INTERNATIONAL TRANSFER AND TRANSMISSION OF PERSONAL DATA

For the transmission and transfer of personal data, the following rules shall apply a) International transfers of personal data shall observe the provisions of Article 26 of Law 1581 of 2012; that is, the prohibition of transfer of personal data to countries that do not provide adequate levels of data protection and the exceptional cases in which such prohibition does not apply. b) The international transfers of personal data that are made between a controller and a processor to allow the processor to carry out the processing on behalf of the controller, will not require to be informed to the holder or have his consent when there is a contract under the terms of Article 25 of Law 1581 of 2012. On an exceptional basis, LA CLINICA DEL OCCIDENTE S.A. may transfer personal data in the following cases: (a) Information in respect of which the Data Subject has granted his/her express and unequivocal authorization for the transfer; (b) Exchange of medical data, when so required by the Treatment of the Data Subject for health or public hygiene reasons; (c) Banking or stock exchange transfers, in accordance with the applicable legislation; d) Transfers agreed within the framework of international treaties to which the Republic of Colombia is a party, based on the principle of reciprocity; e) Transfers necessary for the execution of a contract between the Data Subject and LA CLINICA DEL OCCIDENTE S. A. or for the execution of pre-contractual measures as long as the authorization of the Data Subject is obtained; f) Transfers legally required for the safeguarding of the public interest, or for the recognition, exercise or defense of a right in a judicial proceeding; g) Transfers required by law to protect the public interest, or for the recognition, exercise or defense of a right in a judicial proceeding.

INFORMATION SECURITY

LA CLINICA DEL OCCIDENTE S.A. guarantees the use of technical, human, and administrative measures necessary to provide security to personal data and other information subject to processing, avoiding its adulteration, loss, consultation, use, or unauthorized or fraudulent access. According to the guidelines established in the information security policy.

MODIFICATIONS

CLINICA DEL OCCIDENTE SA. reserves the right to modify these Information Treatment Policies, in whole or in part. In case of substantial changes in the Processing Policies referring to the identification of CLINICA DEL OCCIDENTE and the purpose of the personal data processing, which may affect the content of the authorization, CLINICA DEL OCCIDENTE S.A. will communicate these changes to the holder at the latest at the moment of implementing the new policies.

VALIDITY OF THE INFORMATION TREATMENT POLICY

This Personal Data Treatment Policy is in force from the date of publication and shall be mandatory for LA CLINICA DEL OCCIDENTE S.A., its employees, and collaborators. All databases will be kept for an indefinite period of time to ensure compliance with Law 1581 of 2012 and Decree 1377 of 2013 and the provisions of other regulations that amend and/or repeal the present.

 

Version

Date: 05/03/2015

Prepared by:

Gloria Inés Aguillón

Legal Office

Reviewed by:

Maria Claudia Fuentes

Systems Engineer

Approved by:

Dr. Edgar Alirio Ruiz Luengas

Director