Regulatory Framework
This policy is governed by the legal and regulatory provisions in force in the Republic of Colombia regarding the protection of personal data and the management of information in the health sector, among which the following stand out:
- Law 1581 of 2012, which establishes the General Regime for the Protection of Personal Data.
- Regulatory Decree 1377 of 2013, which partially regulates Law 1581 of 2012.
- Constitutional Court Ruling C-748 of 2011, which declared the Statutory Bill on the Protection of Personal Data constitutional.
- Resolution 1995 of 1999 of the Ministry of Social Protection, which establishes the rules for the management of the Medical Record.
- Resolution 3374 of 2000, which regulates the basic data that must be reported by health service providers and the entities that manage benefit plans regarding the health services provided.
- Single Regulatory Decree 1074 of 2015, which establishes general provisions for the protection of personal data.
The above provisions, as well as the rules that modify, add or complement them, will be applied by the ORTOCONEXIÓN IPS Dental Clinic in relation to the collection, storage, use, circulation, deletion and, in general, all those activities that constitute the processing of personal data.
Definitions
For the purposes of this policy, the following definitions are adopted:
- Authorization: Prior, express and informed consent of the data subject to carry out the processing of personal data.
- Database: An organized set of personal data that is subject to processing.
- Personal data: Any information linked to or that can be associated with one or more specific or identifiable natural persons.
- Public data: This refers to data classified as such according to the mandates of the law or the Political Constitution, and any data that is not semi-private, private, or sensitive. Public data includes, among others, information relating to a person's marital status, profession or occupation, status as a merchant or public servant, and any data that can be obtained without restriction. By their nature, public data may be contained in public registries, public documents, official gazettes, and bulletins.
- Private data: This is data that, due to its intimate or confidential nature, is only relevant to the owner.
- Sensitive data: These are data that affect the privacy of the data subject or whose misuse may lead to discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in trade unions, social or human rights organizations, or that promote the interests of political parties, as well as data relating to health, sex life and biometric data.
- Data Subject: Natural person whose personal data is being processed.
- Data controller: Natural or legal person, public or private, who alone or jointly with others decides on the database and/or the processing of personal data.
- Data processor: Natural or legal person, public or private, who, alone or in association with others, carries out the processing of personal data on behalf of the data controller.
- User: Natural or legal person who has an interest in the use of personal information.
- Processing: Any operation or set of operations performed on personal data, such as collection, storage, use, circulation or deletion.
- Medical record: A private, mandatory and confidential document in which the patient's health conditions, medical acts and other procedures performed by the health team involved in their care are recorded chronologically.
- Health status: A set of data and reports related to the patient's somatic, mental, social, cultural, economic, and environmental condition, which may affect their health status.
- Health team: A group of professionals, technicians and assistants in the health field who provide direct clinical care to the user, as well as the medical auditors from insurers and providers responsible for evaluating the quality of the service provided.
- Management file: File where the medical records of active users and those who have not used the service for five (5) years following the last care are kept.
- Historical archive of medical records: Archive to which medical records are transferred that, due to their scientific, historical or cultural value, must be preserved permanently.
Purpose
The ORTOCONEXIÓN IPS Dental Clinic, as the entity responsible for the treatment, collects and processes personal data for the following purposes:
- To provide health care services to its patients and to provide care to their families, in accordance with its corporate purpose.
- To comply with legal, contractual and regulatory obligations involving the processing of personal data of its stakeholders.
- To execute and maintain the existing contractual relationship with clients, suppliers and workers, including the payment of contractual and labor obligations.
- To inform about new products or services, as well as changes or updates to them.
- To evaluate the quality of services provided and continuously improve the care offered.
- To conduct internal studies related to consumption habits and market analysis.
- To send information via physical mail, email, cell phone or mobile device, through text messages (SMS and/or MMS), related to commercial, advertising or promotional information about products and/or services, scheduling and cancellation of appointments, events and promotions, in order to inform, invite or advance commercial or advertising campaigns of the institution and/or authorized third parties.
Principles
Principles applicable to the processing of personal data
The processing of personal data carried out by ORTOCONEXIÓN IPS will be governed by the following principles:
a) Principle of purpose:
The processing of personal data must be for a legitimate purpose, which must be communicated to the data subject beforehand.
b) Principle of freedom:
The processing of personal data may only be carried out with the prior, express, and informed consent of the data subject. Personal data may not be obtained or disclosed without prior authorization, unless there is a legal or judicial mandate that waives such consent.
c) Principle of data quality or veracity:
The information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. Partial, incomplete, fragmented, or misleading data will not be processed.
d) Principle of transparency:
The processing must guarantee the right of the data subject to obtain from ORTOCONEXIÓN IPS, at any time and without restrictions, information about the existence of personal data concerning him or her.
e) Principle of restricted access and circulation:
The processing of personal data is subject to the limitations arising from the nature of the data, current legal provisions, and the Political Constitution. Personal data, except for public information or as provided in the authorization granted by the data subject, may not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to ensure that it is restricted solely to the data subjects or authorized third parties.
f) Principle of security:
The information subject to processing by ORTOCONEXIÓN IPS will be protected through the adoption of technical, human and administrative measures necessary to ensure the security of the records, preventing their alteration, loss, consultation, use or unauthorized or fraudulent access.
g) Principle of confidentiality:
All individuals involved in the processing of personal data are obligated to guarantee the confidentiality of the information, even after their involvement in any of the processing activities has ended. In cases where sensitive personal data is collected, the data subject may refuse to authorize its processing.
Rights
Rights of Personal Data Holders
Data subjects, either directly or through their duly accredited representative and/or attorney, may exercise the following rights with respect to the personal data that is processed by the ORTOCONEXIÓN IPS Dental Clinic, in accordance with current regulations:
a) Right of access:
To know, update and consult, free of charge, the personal data under the control of ORTOCONEXIÓN IPS, at least once (1) every calendar month, and whenever there are substantial modifications to the Information Processing Policies that give rise to new consultations.
b) Right to update and rectify:
Request the updating, correction or rectification of personal data when it is partial, inaccurate, incomplete, fragmented, misleading or does not correspond to reality.
c) Right to request proof of authorization:
Request proof of the authorization granted for the processing of personal data, except in cases where, in accordance with the law, such authorization is not required.
d) Right to be informed about the use of personal data:
To be informed by ORTOCONEXIÓN IPS, upon request, regarding the use that has been made of your personal data.
e) Right to file complaints with the Superintendency of Industry and Commerce:
To file complaints with the Superintendency of Industry and Commerce for violations of the provisions of the current regulations on the protection of personal data, once the consultation or claim process before ORTOCONEXIÓN IPS has been exhausted.
f) Right to require compliance with orders issued by the Superintendency of Industry and Commerce:
Request compliance with the orders and requirements issued by the competent authority regarding the protection of personal data.
g) Right of erasure or cancellation:
Request the deletion or cancellation of personal data when it is excessive, irrelevant or when the processing is contrary to current regulations, except in cases where there is a legal or contractual obligation that prevents its deletion.
To exercise the rights described above, both the holder and the person representing him must prove their identity and, where applicable, the capacity in which they act.
The rights of children and adolescents will be exercised by the persons who are legally authorized to represent them, in accordance with the provisions of current regulations.
Duties
Duties of the ORTOCONEXIÓN IPS Dental Clinic
All persons required to comply with this policy must bear in mind that ORTOCONEXIÓN IPS, as the controller and/or processor of personal data, is required to comply with the duties imposed on it by current regulations.
Duties when acting as Data Controller
As the data controller responsible for processing personal data, ORTOCONEXIÓN IPS undertakes to comply with the following obligations:
a) Request and keep, under the conditions provided in this policy, a copy of the authorization granted by the holder.
b) Guarantee to the holder, at all times, the full and effective exercise of the right of Habeas Data.
c) Inform the data subject clearly, sufficiently and promptly about the purpose of the data collection and the rights they have under the authorization granted.
d) To inform, at the request of the data subject, about the use given to their personal data.
e) Process inquiries and complaints made by the holders in accordance with the terms set out in this policy.
f) Ensure compliance with the principles of truthfulness, quality, security and confidentiality established in current regulations.
g) Keep the information under the necessary security conditions to prevent its alteration, loss, consultation, use or unauthorized or fraudulent access.
h) Update the information when necessary.
i) Rectify personal data when appropriate.
Duties when acting as Data Processor
When ORTOCONEXIÓN IPS processes personal data on behalf of another entity or organization acting as the data controller, it must also comply with the following obligations:
a) Verify that the data controller is legally authorized to provide the personal data that will be processed.
b) Guarantee to the holder, at all times, the full and effective exercise of the right of Habeas Data.
c) Keep the information under security conditions that prevent its alteration, loss, consultation, use or unauthorized or fraudulent access.
d) To promptly update, rectify or delete personal data.
e) Update the information reported by the data controllers within ten (10) business days from receipt.
f) Process inquiries and complaints made by the holders in accordance with the terms set out in this policy.
g) Refrain from circulating information that is being disputed by the owner and whose blocking has been ordered by the Superintendency of Industry and Commerce.
h) Allow access to the information only to persons authorized by the owner or empowered by law.
i) Inform the Superintendency of Industry and Commerce when violations of security codes occur and there are risks in the management of the information of the holders.
j) Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.
k) Securely manage access to personal databases contained in information systems in which it acts as controller or processor.
Duties towards the Superintendency of Industry and Commerce
ORTOCONEXIÓN IPS must:
a) Inform the Superintendency of Industry and Commerce of any violations of security codes and the existence of risks in the management of the information of the holders.
b) Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce in the exercise of its legal functions.
Privacy
Privacy Notice
When it is not possible to make the Information Processing Policies available to the data subject, the ORTOCONEXIÓN IPS Dental Clinic, as the data controller, will promptly inform the data subject, through a privacy notice, about the existence of said policies and how to access them.
This privacy notice will be made known to the data subject no later than the time of collection of personal data, guaranteeing compliance with the principles of information and transparency established in current regulations.
Limitations
Temporary limitations on the processing of personal data
The ORTOCONEXIÓN IPS Dental Clinic will only collect, store, use or circulate personal data for as long as is reasonable and necessary, in accordance with the purposes that justified its processing, taking into account the applicable legal provisions and the administrative, accounting, tax, legal and historical aspects of the information.
Once the purpose or purposes of the processing have been fulfilled, and without prejudice to any legal regulations that provide otherwise, ORTOCONEXIÓN IPS will proceed to delete the personal data in its possession.
Notwithstanding the foregoing, personal data may be retained when required for compliance with a legal or contractual obligation.
Procedure
Procedure for exercising the rights of personal data subjects
The data subject or their duly accredited representative may submit requests, complaints or claims related to the processing of their personal data, from Monday to Friday, from 8:00 a.m. to 5:00 p.m., through the website of the ORTOCONEXIÓN IPS Dental Clinic, in the Contact Us menu, or in person at the following address:
CRA 14 #18N-40
Contents of the application
The request, complaint or claim must contain at least:
- Identification of the owner of the personal data.
- Clear description of the facts that give rise to the request.
- Physical or electronic address for receiving notifications.
- Documents that you wish to use, when applicable.
Claim process
If the claim is incomplete, ORTOCONEXIÓN IPS will require the interested party within ten (10) business days following its receipt to correct the identified faults.
If one (1) month has passed since the date of the request without the applicant submitting the required information, it will be understood that he has withdrawn the claim.
The maximum term to address the claim will be ten (10) business days, counted from the day after the date of its receipt.
When it is not possible to address the claim within that period, the interested party will be informed of the reasons for the delay and the date on which it will be addressed, which in no case may exceed eight (8) business days following the expiration of the first period.
Delivery
Delivery of personal data to authorities
When state authorities request access to and/or delivery of personal data contained in any of the databases of the ORTOCONEXIÓN IPS Dental Clinic, the legality of the request and the relevance of the data required in relation to the purpose expressed by the competent authority will be verified beforehand.
The delivery of the requested personal information will be duly documented and will be carried out guaranteeing that the data complies with the principles of authenticity, reliability, and integrity. Furthermore, the duty to protect personal data will be expressly communicated to both the official making the request and the person receiving the information, as well as to the entity for which they provide their services.
Additionally, the requesting authority will be informed about the security measures applicable to the personal data provided and the risks associated with its misuse or inadequate processing, in accordance with current regulations.
Security
Security measures
In accordance with the security principle established in Law 1581 of 2012, ORTOCONEXIÓN IPS will adopt physical, logical and administrative security measures aimed at protecting personal data against alteration, loss, consultation, use or unauthorized or fraudulent access.
These security measures will be classified into high, medium and low levels, according to the level of risk that may arise from the nature, criticality and sensitivity of the personal data processed.
In compliance with the security principle, ORTOCONEXIÓN IPS will establish general guidelines on the implementation and application of these measures, which will be mandatory for all collaborators, contractors and third parties involved in the processing of personal data.
Validity
This Personal Data Processing Policy is effective from June 1, 2017.
Any modification or update made to this policy will be promptly communicated through the website of the ORTOCONEXIÓN IPS Dental Clinic: