Personal data processing policy

For the purposes of this Policy, it is understood:

Authorization: Prior, express and informed consent of the Holder to carry out the processing of personal data. The authorization must be obtained through a physical or electronic document, text message, Internet, website, or also in a verbal or telephone format or any other format that allows its subsequent consultation in order to unequivocally verify that without consent, the data would never have been obtained. captured and stored on electronic or physical media. Likewise, it may be obtained through a clear and unequivocal conduct of the Holder that allows it to reasonably conclude that he gave his consent for the handling of his Personal Data.

Database: Organized set of personal data, either in physical or electronic form, that are subject to Treatment.

Personal data: Any information linked or associated with one or more specific or determinable natural persons.

Public Data: Data that is not semi-private, private or sensitive, which can be processed by anyone, without authorization. They are public, among others, the data on the civil status of the people and the contents in public documents, public records, bulletins and official gazettes and executed judicial decisions that are not subject to reservation.

Semi-private personal data: These are data that are not intimate, reserved or public and whose knowledge or disclosure may be of interest not only to the owner, but to a group of people or society in general. For its treatment, the express authorization of the owner of the information is required, for example, financial and credit data.

Sensitive Data: Are those that affect the privacy of the owner or whose improper use may

generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical beliefs, membership of unions, social organizations, human rights or that promote the interests of any political party or that guarantee the rights and guarantees of opposition parties political data, as well as data related to health, sex life and biometrics.

Responsible for the Treatment: Natural or legal person, public or private, that by itself or in association with others, carries out the processing of personal data on behalf of the Responsible for Treatment.

Responsible for the Treatment: Natural or legal person, public or private, that by itself or in association with others, decides on the database and / or the treatment of the data.

Habeas Data: Right of everyone to know, update and rectify the information that has been collected about them in data banks and in files of public and private entities.

Owner: Natural person whose personal data are subject to Treatment.

Treatment: Any operation or set of operations on personal data, such as the collection, storage, use, circulation or deletion.

Transfer: The transfer of data occurs when the person in charge and / or person in charge of the processing of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is responsible for the treatment and is inside or outside the country.

Transmission: Treatment of personal data that implies the communication of the same within or outside the territory of the Republic of Colombia when it is intended to carry out a treatment by the person in charge on behalf of the person in charge.

Legality: Treatment is a regulated activity that must be subject to the provisions of the Law.

Purpose: The Treatment must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Holder.

Reasonable limit: The storage and processing of personal data will be limited to what is essentially necessary to fulfill the purposes of the previously specified business relationship, as well as the fulfillment of the purposes authorized by the Holder.

Freedom: Treatment can only be exercised with the prior, express and informed consent of the Holder. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that exempts consent.

Truthfulness or quality: The information subject to Treatment must be truthful, complete, exact, updated, verifiable and understandable. The processing of partial, incomplete, fractioned or misleading data is prohibited.

Transparency: The right of the Holder to obtain information from the Treatment Manager or Treatment Manager, at any time and without restrictions, on the existence of their staff.

Access and restricted circulation: The Treatment may only be carried out by persons authorized by the Holder or by persons provided for in the Law. Personal data, except for public information, may not be available on the Internet or other mass communication media, unless access is technically Controllable to provide restricted knowledge only to Holders or authorized third parties in accordance with this law.

Security: The information must be handled with the human and administrative technical measures necessary to provide security to the records and prevent their adulteration, loss, consultation, use or unauthorized or fraudulent access.

Confidentiality: Personal data that is not public is reserved, even once its relationship with any of the tasks included in the Treatment has ended, and the provision or communication of personal data can only be carried out when it corresponds to development. of the activities authorized in this law and in the terms of the same.

Systematic incorporation: The principles of Personal Data Protection will be implemented in all business processes and procedures.

Holders of personal data have the right to:

• Know, update and rectify your personal data with the Treatment Managers or those in charge of the Treatment. This right may be applied to all those partial, inaccurate, incomplete, fractioned, misleading data or whose Treatment is expressly prohibited or has not been authorized.
• Request proof of the authorization granted to the Person Responsible for the Treatment, unless it is expressly excepted as a requirement for the Treatment or as established by the applicable regulations.
• Be informed by the Person in Charge of Treatment or Responsible, upon request, about the use that has been given to your personal data.
• Present before the Superintendency of Industry and Commerce complaints for infractions to the Data Protection Law or those that modify, add or complement it.
• Revoke the authorization and / or request the deletion of the data when: (i) In the Treatment the constitutional and legal principles, rights and guarantees are not respected, provided that the Superintendency of Industry and Commerce has determined that in the Treatment, the Responsible has incurred in conduct contrary to the ordinance; Me (ii) voluntarily request it, unless there is a legal or contractual obligation that imposes the obligation to remain in the database.
• Free access to your personal data that has been processed.

When DR. JAIME ALBERTO ZAPATA Y ZAPATA JIMÉNEZ SAS is responsible for the treatment of the owner’s data, it must comply with the following obligations:

• Guarantee the holder at all times, the full and effective exercise of the right to habeas data;
  Request Authorization to the Holder informing:
  – The Treatment to which your personal data will be submitted and the purpose thereof.
  – The optional nature of the answer to the questions that are posed, in the case of sensitive data or data of children and adolescents.
  – The rights that assist as Holder.
  – The identification, physical or electronic address and telephone number of the Data Controller.

• Keep a copy of the Authorization granted by the Holder.
• Deliver a copy of the Authorization when the Holder or whoever is authorized requests it.
• Inform the Holder about the purpose of the collection and the rights that assist him on the occasion of his Authorization.
• Maintain the information in the security conditions necessary to avoid its adulteration, loss, consultation, use or unauthorized or fraudulent access.
• Ensure that the information provided to the Treatment Agent is true, complete, accurate, updated, verifiable and understandable.
• Update the information, communicating in a timely manner to the Person in Charge of Treatment, all the updates of the Data that you have previously provided and take the necessary measures to ensure that the information provided is kept up-to-date.
• Correct the information when it is incorrect and communicate the pertinent information to the Data Controller.
• Supply to the Person in Charge of Treatment, only Data whose Treatment is previously authorized.
• Require the Treatment Manager to respect the security and privacy conditions of the Owner’s information.
• Process the queries and claims made by the owners of the data in the terms established in this Policy.
• Inform the Data Controller when the Holder is discussing certain information, once the complaint has been submitted and the respective procedure has not been completed.
• Inform at the request of the Owner the use that is given to their data.
• Inform the Superintendency of Industry and Commerce, or whoever is the data protection authority, when there are violations of the security codes and there are risks in the handling of the Holder’s information.
• Comply with the instructions and requirements of the Superintendency of Industry and Commerce.

When DR. JAIME ALBERTO ZAPATA Y ZAPATA JIMÉNEZ SAS acts as Treatment Manager, that is, it performs the treatment on behalf of a third party, it will fulfill the following functions:

• Guarantee the Holder, at all times, the full and effective exercise of the right to habeas data.
• Maintain the information in the security conditions necessary to avoid its adulteration, loss, consultation, use or unauthorized or fraudulent access.
• Timely update, rectify or delete the data in the terms established in this policy.
• Update the information reported by the Treatment Managers within five (5) business days of receipt.
• Address the queries and claims made by the Holders.
• Register in the database the legend “complaint in process”, when appropriate.
• Insert in the database the legend “information in judicial discussion” once it is notified by the competent authority about the judicial processes related to the quality of personal data.
• Refrain from circulating information that is being controversial by the Holder and whose blocking has been ordered by the Superintendency of Industry and Commerce.
• Allow access to information only to those who can access it.
• Inform the Superintendency of Industry and Commerce when there are violations of the security codes and there are risks in the administration of the information of the Holders.
• Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

Dr. JAIME ALBERTO ZAPATA Y ZAPATA JIMÉNEZ SAS will deliver the information on the Owner’s Data to the following people:

• Holders, their assignees, their legal representatives or proxies.
• Public or administrative entities in the exercise of their legal functions or by court order.
• Third parties authorized by the Holder or by Law.

The owners may exercise their rights to consult, know, update, rectify and delete their personal data by sending their request to the email drjaime4zapata@hotmail.com or at jaimezapatamd.com, said request must contain at least:

• Application date.
• Photocopy of DNI (citizenship card, institutional card, etc.).
• Address for notification purposes.
• Signature of the person requesting the information.

7.1 Procedure to Respond to Requests and Queries related to the Processing of Personal Data.

Once the holder submits the request by the means indicated in this Policy, it will be attended within ten (10) business days from the date of receipt. When it is not possible to attend the consultation within the aforementioned period, DR. JAIME ALBERTO ZAPATA Y ZAPATA JIMÉNEZ SAS will inform the interested party, stating the reasons and indicating the date of the consultation, no later than five (5) business days after the expiration of the first.

7.2 Procedure for answering complaints related to the processing of personal data

Through this procedure, the Holder or whoever is authorized may make claims for:

• Update, modify, rectify or delete the Owner’s data.
• Revoke the Authorization of the Data Processing Owner, without prejudice to the rules that DR must comply with. JAIME ALBERTO ZAPATA Y ZAPATA JIMÉNEZ SAS regarding the preservation of documents. Consequently, DR. JAIME ALBERTO ZAPATA Y ZAPATA JIMÉNEZ SAS will delete the data or suspend its use when it is done, respecting the applicable document conservation regulations.
• File a complaint when you consider that there is an alleged breach of DR’s duties. JAIME ALBERTO ZAPATA Y ZAPATA JIMÉNEZ SAS related to the Processing of Personal Data, in accordance with the provisions of these Policies or the Personal Data Protection Law and the regulations that complement or modify it.

The claim must be submitted in writing and must contain at least the following points:

• Complete identification (name, notification address, identification document).
• Description of the facts that give rise to the query / complaint.
• Documents that support the facts.
• Through which you want to receive the answer to your query / claim.
• In the absence of the above information, it will be understood that the claim is not complete, in which case DR. JAIME ALBERTO ZAPATA Y ZAPATA JIMÉNEZ SAS will request the interested party to correct the faults or send the information or documentation that is required.

Dr. JAIME ALBERTO ZAPATA Y ZAPATA JIMÉNEZ SAS will respond to the claim within fifteen (15) business days from the day following the date of receipt. When it is not possible to attend to the claim within that term, the interested party will be informed of the reasons for the delay and the date on which the claim will be addressed, which will not exceed eight (8) business days after expiration. of the first trimester.

8.1 Purpose of the processing of personal data of which DR. JAIME ALBERTO ZAPATA Y ZAPATA JIMÉNEZ SAS is responsible

a) Patients and clients:

The information will be used to develop DR’s corporate purpose. JAIME ALBERTO ZAPATA Y ZAPATA JIMÉNEZ SAS, including the provision of medical care, the sending of diagnostic test results, the provision of corporate, commercial and / or promotional information on DR. JAIME ALBERTO ZAPATA Y ZAPATA JIMÉNEZ SAS, always related to its corporate purpose in the health sector. . As well as surveys to carry out satisfaction studies, news or corporate announcements that DR. JAIME ALBERTO ZAPATA AND ZAPATA JIMÉNEZ SAS consider interesting.

In particular, the main purposes of the Personal Data Processing that DR. JAIME ALBERTO ZAPATA Y ZAPATA JIMÉNEZ SAS will carry out in order to develop its corporate purpose are:

• Schedule appointments
• Processing of medical authorizations
• Delivery of medicines and medical equipment
• Responses to requests for improvements, requests and complaints.
• Generation of certifications in general
• Verification of the affiliation status and services related to social security
• Educational campaigns for users
• Marketing and / or promotion activities of DR services. JAIME ALBERTO ZAPATA Y ZAPATA JIMÉNEZ SAS or its business partners for the provision of health services.
• Information about new products and services
• Information on campaigns and special programs
• Analysis of the general and individual population risk of the data subjects
• Analysis of healthcare spending
• Definition of demand and analysis of services provided by DR. JAIME ALBERTO ZAPATA AND ZAPATA JIMÉNEZ SAS
• Audits
• Updating of data and identification documents

Data related to the health of patients will be strictly protected by DR staff. JAIME ALBERTO ZAPATA Y ZAPATA JIMÉNEZ SAS due to its sensitive nature, so the following will be taken into account when processing data of this nature:

The health personnel will access the sensitive data because the owner previously and voluntarily expressed this information, likewise, through his professional practice, he will have knowledge of the patient’s medical history. Taking into account the protection required for this type of data, this information will be used for the exclusive purposes of providing the health service and any other use must be expressly authorized. DR employees are informed. JAIME ALBERTO ZAPATA Y ZAPATA JIMÉNEZ SAS on the sensitivity of health data, the obligations and sanctions associated with its inappropriate use and the procedure to follow in its treatment, the right of access by third parties outside the Owner, and how they are classified, communicated and delivered. They also know the importance of not exposing medical results that may affect the privacy of the person and not using the personal data of the owner and its affiliates outside of the established medical or administrative purpose. Therefore, in DR. JAIME ALBERTO ZAPATA Y ZAPATA JIMÉNEZ SAS, the protection of information will not only be the responsibility of the medical-assistance staff, but also of all the people who have access to it in the exercise of their functions. DR. JAIME ALBERTO ZAPATA Y ZAPATA JIMÉNEZ SAS has a mechanism to prevent the leakage of sensitive information such as restriction on the use of removable media (CD, DVD), email monitoring with attached files, real-time analysis of documents with malicious code (virus ) via antivirus, DR. JAIME ALBERTO ZAPATA Y ZAPATA JIMÉNEZ SAS has a high-level CRM, called ZOHO, which meets all global security requirements; Which offers a hierarchical system that allows the management of roles controlling access to different sources of information for our employees. We also have a server with a local connection, which prevents access to information outside our facilities.

In order to deliver the medical results safely, it is essential that, when the holder cannot appear in person to obtain his results, he sends a written authorization indicating the name of the authorized person, accompanied by a photocopy of the holder’s ID as authorized. person or present it personally for future occasions. The owner may also authorize its sending by email or certified mail.

b) Contractors and Suppliers:

Your personal data will be used to carry out the development of the corresponding contracts for the provision of services or other types of contracts, supervising their compliance and execution. They will also be used to exchange information and publish the DR portfolio. JAIME ALBERTO ZAPATA AND ZAPATA JIMÉNEZ SAS. In addition, the data will be used to comply with the laws applicable to commercial relations between DR. JAIME ALBERTO ZAPATA Y ZAPATA JIMÉNEZ SAS and its contractors and suppliers.

The main purposes for which the personal data of the providers and providers will be processed are:

• Reports and requirements of control entities
• Generation of certifications in general
• Updating of data and identification documents

c) Collaborators and workers:

The personal data of former workers, current workers and candidates of DR. JAIME ALBERTO ZAPATA AND ZAPATA JIMÉNEZ SAS will be used to have a perception, both objective and subjective, about the staff. Said information will be transferred and / or transmitted to other entities only when necessary to comply with the applicable legal provisions, if required by public, administrative and / or supervisory bodies in labor matters in the exercise of their legal functions or by court order.

The processing of personal data of Collaborators and Workers will be carried out for verification of personal, commercial and labor information; Labor and Social Security aspects and those related to the contract that they enter into or intend to enter into with DR. JAIME ALBERTO ZAPATA AND ZAPATA JIMÉNEZ SAS, as well as will be used to control and prevent fraud.

8.2 Sensitive data DR. JAIME ALBERTO ZAPATA Y ZAPATA JIMÉNEZ SAS is responsible for

Law 1581 of 2012 prohibits the processing of sensitive data except in the following cases:

• When the Holder gives his consent expressly and in advance. In this case, in addition to the general authorization requirements for the collection of any type of personal data, it must be established which of the data that will be processed are sensitive and the purpose that will be given to them. The health data of the holder will be considered part of his medical history and will have the reserve established by law for this.
• The Treatment is necessary to safeguard the vital interest of the Holder and he is physically or legally incapacitated. In these events the representatives must grant their authorization.
• The treatment is carried out in the course of legitimate activities and with due guarantees by a foundation, NGO, association or any other non-profit entity whose object is political, philosophical, religious or union, provided that they refer exclusively to their members or people who maintain regular contact by reason of their purpose.
• The treatment refers to data that are necessary for the recognition, exercise or defense of a right in a judicial process.
• The Treatment has a historical, statistical or scientific purpose, in the latter case the measures that lead to the suppression of the identity of the Holders must be adopted.

8.3 Treatment of personal data of children and adolescents

Law 1581 of 2012 prohibits the processing of personal data of children and adolescents, except those that by their nature are public. However, the Constitutional Court pointed out that regardless of the nature of the data, it can be processed as long as:

• The objective pursued with such treatment is the best interest of children and adolescents.
• Guarantee, without exception, respect for their fundamental rights in force.

This Policy is available to data subjects as of June 2017.

Any substantial modification of the same related to the identification of the Responsible and with the purpose of the Treatment must be communicated before implementing said change to the Holders through the website www.jaimezapatamd.com or any other effective mechanism.