Responsible for the processing of personal data
GRUPO ODONTOS SAS is a health care institution whose main corporate purpose is the provision of dental services under the trade name GRUPO ODONTICS, located at Calle 18 # 77 – 67 office 303 – 304 Mall empresarial y comercial Meridiano 13 del este barrio la felicidad in the city of Bogotá DC, cell phone: 3014520171, main email: grupodontos@gmail.com.
Regulatory provisions
Article 15 of the Constitution of the Republic of Colombia establishes that any person has the right to know, update and rectify the personal data that exists about him/her in data banks or files of public or private entities and orders those who have personal data of third parties to respect the rights and guarantees provided in the Constitution when collecting, processing and circulating this kind of information.
Subsequently, Law 1266 of 2008 regulated the right to financial habeas data and in 2009 Law 1273 established the “violation of personal data” as a crime.
Likewise, the Statutory Law 1581 of 2012, Decree 1377 of 2013 and Decree 1074 of 2015, established the minimum conditions to carry out the legitimate and appropriate processing of personal data and obliges those responsible for the processing of such data to adopt internal policies to ensure proper compliance with the regulations in force in this area.
Definitions.
a) Authorization: Prior, express and informed consent of the Data Subject to carry out the Processing of personal data;
b) Database: Organized set of personal data that is the object of Processing;
c) Personal data: Any information linked or that may be associated to one or several determined or determinable natural persons;
d) Data Processor: Natural or legal person, public or private, that by itself or in association with others, carries out the Processing of personal data on behalf of the Data Controller;
e) Data Controller: Natural or legal person, public or private, who by himself or in association with others, decides on the database and/or the processing of the data;
f) Data Subject: Natural person whose personal data is the object of Processing;
g) Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.
Principles for the processing of personal data.
In the development, interpretation and application of this law, the following principles shall be applied in a harmonious and integral manner:
a) Principle of legality in data processing: The Processing referred to in this law is a regulated activity that must be subject to the provisions set forth therein and in the other provisions that develop it;
b) Principle of purpose: The Processing must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Data Subject;
c) Principle of freedom: Processing may only be carried out with the prior, express and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of legal or judicial mandate that relieves the consent;
d) Principle of truthfulness or quality: The information subject to processing must be truthful, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fractioned or misleading data is prohibited;
e) Principle of transparency: The right of the Data Subject to obtain from the Data Controller or the Data Processor, at any time and without restrictions, information about the existence of data concerning him/her, must be guaranteed;
f) Principle of restricted access and circulation: Processing is subject to the limits derived from the nature of the personal data, the provisions of this law and the Constitution. In this sense, the Processing may only be carried out by persons authorized by the Holder and/or by the persons provided for in this law;
Personal data, except for public information, may not be made available on the Internet or other means of mass dissemination or communication, unless access is technically controllable in order to provide restricted knowledge only to Data Holders or third parties authorized in accordance with this law;
g) Principle of security: The information subject to Processing by the Data Controller or Data Processor referred to in this law, shall be handled with the technical, human and administrative measures necessary to provide security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access;
h) Principle of confidentiality: All persons involved in the processing of personal data that are not of a public nature are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks involved in the processing, and may only provide or communicate personal data when this corresponds to the development of the activities authorized in this law and under the terms of the same.
Personal data collected
Personal data provided voluntarily to Grupo Odontos SAS may belong to the following categories:
- Identification Data: Name, address, telephone, e-mail, citizenship card, date of birth, age, nationality, image, photograph, country of residence, affiliations to the General System of Social Security in Health, signature.
- Third Party Data: Names and surnames of family members, references and/or emergency contacts, age, telephone, email, relationship.
- Labor Data: Salary, type of salary, affiliations to the SGSS, position, work address, telephone, work history, labor certifications.
- Education Data: Professional registration, school career, professional degree, certificates of studies, universities and dates of graduation.
- Banking and Billing Data: Bank account number, billing data, financial statements, identification number (NIT), unique tax registration number (RUT).
- Health Data: Health status, medical history, fingerprints, blood type, results of laboratory and radiographic tests, and other data required for your care.
Sensitive data.
For the purposes of this law, sensitive data are understood as those that affect the privacy of the Data Subject or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties as well as data related to health, sex life and biometric data.
Processing of sensitive data.The processing of sensitive data is prohibited, except when:
a) The Data Subject has given his/her explicit authorization to such Processing, except in those cases in which by law the granting of such authorization is not required;
b) The Processing is necessary to safeguard the vital interest of the Data Subject and he/she is physically or legally incapacitated. In these events, the legal representatives must grant their authorization;
c) The Processing is carried out in the course of legitimate activities and with due guarantees by a foundation, NGO, association or any other non-profit organization, whose purpose is political, philosophical, religious or trade union, provided that it refers exclusively to its members or to persons who maintain regular contacts by reason of its purpose. In these events, the data may not be provided to third parties without the authorization of the Data Controller;
d) The Processing refers to data that are necessary for the recognition, exercise or defense of a right in a judicial proceeding;
e) The Processing has a historical, statistical or scientific purpose. In this event, the measures leading to the suppression of the identity of the Data Controllers must be adopted.
Rights of children and adolescents.
Treatment shall ensure respect for the prevailing rights of children and adolescents.
The processing of personal data of children and adolescents is prohibited, except for data of a public nature.
It is the task of the State and educational entities of all kinds to provide information and train legal representatives and guardians on the possible risks faced by children and adolescents regarding the improper processing of their personal data, and to provide knowledge about the responsible and safe use by children and adolescents of their personal data, their right to privacy and protection of their personal information and that of others. The National Government shall regulate the matter within six (6) months following the enactment of this law.
Rights of Owners.
The Data Subject shall have the following rights:
a) To know, update and rectify their personal data with respect to the Data Controllers or Data Processors. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or data whose processing is expressly prohibited or has not been authorized;
b) Request proof of the authorization granted to the Data Controller, except when expressly exempted as a requirement for the Processing, in accordance with the provisions of Article 10 of this law;
c) Be informed by the Data Controller or the Data Processor, upon request, regarding the use that has been made of their personal data;
d) File before the Superintendence of Industry and Commerce complaints for violations to the provisions of this law and other regulations that modify, add or complement it;
e) To revoke the authorization and/or request the deletion of the data when the principles, rights and constitutional and legal guarantees are not respected in the Processing. The revocation and/or deletion will proceed when the Superintendence of Industry and Commerce has determined that in the processing the responsible or processor has incurred in conduct contrary to this law and the Constitution;
f) Access free of charge to your personal data that have been subject to Processing.
Holder’s Authorization.Notwithstanding the exceptions provided by law, the processing requires the prior and informed authorization of the Data Subject, which must be obtained by any means that may be subject to subsequent consultation.
Cases in which authorization is not required.The authorization of the Holder shall not be necessary in the case of:
a) Information required by a public or administrative entity in the exercise of its legal functions or by court order;
b) Data of a public nature;
c) Cases of medical or sanitary emergency;
d) Processing of information authorized by law for historical, statistical or scientific purposes;
e) Data related to the Civil Registry of Persons.
Whoever accesses personal data without prior authorization must in any case comply with the provisions contained in this law.
Provision of information. The requested information may be provided by any means, including electronic means, as required by the Holder. The information shall be easy to read, without technical barriers that prevent its access and shall correspond in its entirety to the information contained in the database.
The National Government shall establish the manner in which the data controllers and data processors shall provide the data subject’s information, according to the nature of the personal data. This regulation shall be issued no later than one year after the enactment of this law.
Duty to inform the Holder.The Data Controller, at the time of requesting the authorization to the Data Subject, shall clearly and expressly inform him/her of the following:
a) The processing to which your personal data will be submitted and its purpose;
b) The optional nature of the answer to the questions asked, when they deal with sensitive data or with the data of children and adolescents;
c) The rights you have as Holder;
d) The identification, physical or electronic address and telephone number of the person responsible for the processing.
The Data Controller shall keep proof of compliance with the provisions of this Article and, upon request of the Data Subject, provide him/her with a copy thereof.
Persons to whom the information may be disclosed. Information that meets the conditions set forth in this law may be provided to the following persons:
a) To the Holders, their successors in title or their legal representatives;
b) To public or administrative entities in the exercise of their legal functions or by court order;
c) To third parties authorized by the Holder or by law.
Processing of personal data of minors
The processing of data of minors will be done strictly under the prior consent of their parents or legal representatives. The processing of this personal data will be carried out in accordance with Colombian data protection regulations, guaranteeing their fundamental rights at all times.
Use of information
Sensitive data collected by GRUPO ODONTOS SAS commercially GRUPO ODONTICS will be used for the following purposes:
- Communication related to services and alliances through different media.
- Verify the veracity of the data provided.
- Provide information on campaigns, research and/or special programs.
- Inform and invite to marketing campaigns, promotion of services and user education.
- Conducting service satisfaction surveys.
- Response, management and follow-up to requests for improvement, petitions and suggestions.
Purposes for which the information is used
- Purposes for the treatment of patient data: To obtain fundamental data for clinical and epidemiological research, identification of clinical and technological advances, achieve efficient communication related to our services and alliances, provide information on campaigns and special programs, user education campaigns, know the state of satisfaction of services and care provided.
- Purposes for the processing of personal data of employees: To inform of calls and invitations to health events, internal and external publications, opening and management of access to the organization’s own technological platforms, provide information to companies that request to verify labor data of employees for authorizations of money or commercial credits. Detecting training needs, informing and shaping election and internal promotion processes.
- Purposes for the processing of suppliers’ personal data: Verification of the information provided by suppliers in order to guarantee the development of the corporate purpose, execution of the commercial relationship, compliance with legal obligations, compilation of accounting, historical and/or statistical records, reports to control and surveillance authorities, adoption of measures aimed at the prevention of illicit activities.
In accordance with the purposes described above, the scope of the treatment to which GRUPO ODONTOS SAS , commercially known as GRUPO ODONTICS, is subject to is:
- To know, store and process all the information provided by the owners in one or several databases, in the format deemed convenient.
- Verify, corroborate, check, validate, investigate or compare the information provided by the holders, with any information legitimately available to them.
- Access, consult, compare and evaluate all the information of the owners that is stored in the databases of any credit, financial, judicial or security risk center, legitimately constituted, of state or private, national or foreign nature.
Transfer and transmission of personal data
GRUPO ODONTOS SAS commercially GRUPO ODONTICS may transfer data to other data controllers to fulfill the purposes described in this policy, but refrains from transferring personal data of data subjects to other countries that do not have equal or higher standards of protection. Additionally, it is possible that, from time to time, data may be transferred to data processors
such as auditors, lawyers, external consultants and our customers and / or suppliers of products or services.
Validity and modifications of the policy
This policy will be effective from the date of its publication GRUPO ODONTOS SAS commercially GRUPO ODONTICS will collect, use or circulate personal data for the time necessary to fulfill the purposes described in this policy. This policy may be modified unilaterally to comply with legal requirements or to comply with the internal provisions of GRUPO ODONTOS SAS commercially GRUPO ODONTOS or in accordance with Colombian law. GRUPO ODONTOS SAS commercially GRUPO ODONTICS undertakes to communicate in a timely manner about modifications to this policy.
