INTRODUCTION

Prolíficos SAS, a private institution known as Carlos Acevedo Dentistry, is dedicated to providing specialized dental services, offering a warm, timely, and effective service, reflected in excellent results and confidence in the oral health of its patients.

In compliance with the provisions of Statutory Law 1581 of 2012 and its Regulatory Decree 1377 of 2013, Prolíficos SAS adopts this policy for the processing of personal data, which will be informed to all owners of the data collected or that may be obtained in the future in the exercise of commercial or labor activities. In this way, Prolíficos SAS declares that it guarantees the rights to privacy, intimacy and good name of patients, employees, clients and suppliers, in the processing of personal data, and consequently all its actions will be governed by the principles of legality, purpose, freedom, veracity, quality, transparency, restricted access and circulation, security and confidentiality. 

All persons who, in the course of various contractual, commercial, or employment activities, whether permanent or occasional, provide Prolíficos SAS with any type of personal information or data, may access, update, and rectify it.

I. IDENTIFICATION OF THE DATA CONTROLLER 

NAME OF THE INSTITUTION: Prolíficos SAS, hereinafter referred to as THE ORGANIZATION, a private company with Tax Identification Number 900086150-

ADDRESS AND HOME: THE ORGANIZATION is domiciled in the city of Barranquilla and its main office is located at Calle 106 No. 50-67 Local 405. 

EMAIL: administracion@35.227.29.149 PHONE: (57-5) 3775809

II. LEGAL FRAMEWORK 

Political Constitution, article 15. 

Law 1266 of 2008 Law 1581 of 2012 

Regulatory Decrees 1727 of 2009 and 2952 of 2010

Partial Regulatory Decree 1377 of 201

Judgments C – 1011 of 2008, and C – 748 of 2011, of the Constitutional Court.

III. OBJECT: This document describes the parameters for regulating, processing, and managing the personal data of patients, clients, employees, and suppliers. It establishes the responsibilities of those responsible for processing this information and adopts policies and procedures to ensure proper compliance with the law, while respecting the integrity of the human person at all times.

IV. SCOPE OF APPLICATION 

These regulations will be immediately applicable to each and every personal and sensitive data that THE ORGANIZATION may know and collect in the proper exercise of its corporate purpose.

The policies, procedures and contents of this policy apply to THE ORGANIZATION's databases, registered in accordance with the provisions of Law 1581 of 2012 and Decree 1377 of 2013, without prejudice to the need that assists it as an Institution Providing Health Services, in the compilation, processing, disclosure and transfer of personal data that it is obliged to execute to safeguard the physical integrity of patients.

1. DEFINITIONS^[1]:
2. Authorization: Authorization previously issued by the owner of the information, expressly allowing THE ORGANIZATION to carry out the processing of personal data.
3. Privacy Notice: A physical, electronic, or other format document generated by THE ORGANIZATION and made available to the data subject for the processing of their personal data, in order to communicate the existence of the information processing policies applicable to them, how to access them, and the characteristics of the processing intended to be given to the personal data.
4. Database: Organized set of personal information subject to processing, custody and care by THE ORGANIZATION.
5. Personal data: All information and data linked to or that can be associated with one or more specific or determinable natural persons.
6. Public data: This is data that is not semi-private, private, or sensitive. Public data includes, among others, data relating to a person's marital status, their profession or occupation, and their status as a merchant or public servant. By its nature,

Public data may be contained, among others, in public records, public documents, official gazettes and bulletins, and duly executed court rulings that are not subject to confidentiality.

1. Sensitive data: Data that affects (personal) privacy, the misuse of which may lead to discrimination.
2. Data Controller: Natural or legal person, public or private, who, by itself or in association with others, carries out the processing of personal data on behalf of THE ORGANIZATION as Data Controller.
3. Holder: Natural person whose personal data is being processed, whether a client, supplier, employee or any third party who, by reason of a commercial or legal relationship, provides personal data to THE ORGANIZATION.
4. Transfer: It refers to the sending by THE ORGANIZATION as Data Controller or Data Processor, to a third agent or natural/legal person (receiver), within or outside the national territory for the effective processing of personal data;
5. Transmission: refers to the communication of personal data by the Controller to the Processor, located within or outside the national territory, so that the Processor, on behalf of the Controller, processes personal data;
6. Treatment: Any operation or set of operations involving personal data, such as collection, storage, use, circulation, or deletion. For the understanding of terms not included in the list above, you should refer to current legislation, specifically Law 1581 of 2012 and Decree 1377 of 2013, giving the meaning used in said law to terms whose definition is unclear.

VI. PRINCIPLES

In accordance with the provisions of Article 4 of Law 1581 of 2012, THE ORGANIZATION, through the principles indicated below, determines the parameters on which the processes of collection, use and processing of personal data will be based.²

1. to) LEGALITY IN THE PROCESSING OF PERSONAL DATA: In compliance with the provisions of the legislator, THE ORGANIZATION adopts the policies for the protection of personal data of patients, clients, employees, suppliers and any person linked to THE ORGANIZATION.

² 2 The principles included in this document are taken from the regulations in force in Colombia that govern the protection of personal data.

1. PURPOSE: Data processing must comply with and be directed toward a purpose, characterized by legitimacy and, at all times, adhere to the constitutional postulates and the Law. Therefore, the processing must be reported to the Owner, so that he may authorize it.
2. FREEDOM: The processing of personal data may only be carried out with the prior consent of the data subject, without prejudice to the data necessary and relevant to consultations or any type of medical care. If authorization is not possible, a legal mandate (power of attorney) or a court order must be obtained.
3. TRUTHFULNESS OR QUALITY: All information referred to in this manual must be truthful, complete, accurate, up-to-date, verifiable, and understandable. THE ORGANIZATION, through its various support services and administrative department, prohibits the processing of partial, incomplete, fragmented, or misleading data.
4. TRANSPARENCY: THE ORGANIZATION will guarantee the Data Subject's right to obtain from the Data Controller or the Data Processor, at any time and without restrictions, information about the existence of data concerning him or her, in accordance with the protocols established for this purpose.
5. RESTRICTED ACCESS AND CIRCULATION: Except for public information, the data covered by this regulation may not be made available on the internet or other means of dissemination or mass communication. Processing will be subject to the limits arising from the nature of the personal data and the healthcare services offered by THE ORGANIZATION, the provisions of the Law, and the Constitution.

In this regard, processing may only be carried out by persons authorized by the Data Controller or in accordance with the exceptions and persons authorized by law. 

1. SECURITY: Information subject to processing or receipt by THE ORGANIZATION will be protected through the use of all technological means and the necessary technical, human and administrative measures, in order to provide security to the records, preventing their adulteration, loss, consultation, use or unauthorized or fraudulent access.
2. CONFIDENTIALITY: All natural or legal persons involved in the processing of personal data of patients, users, beneficiaries, contractors, collaborators, and any other person associated with THE ORGANIZATION are required to guarantee the confidentiality of this information, even after their relationship with any of the tasks involved in the processing has ended.

VII. AUTHORIZATION: The collection, storage, use, circulation, transmission or deletion of personal data by THE ORGANIZATION will require the prior, free, informed and express consent of the Data Owner, except in the events expressly established in Article 6, 10 and 26 of Law 1581 of 2013 and Article 4 of Decree 1377 of 2013, among which the following exceptions stand out:

1. Emergency medical care.
2. Transmission of data of a scientific nature or for the execution of a contract.
3. Processing of statistical, historical or scientific data.
4. Others contemplated by the Law.

THE ORGANIZATION has integrated mechanisms for obtaining authorization from data subjects into its patient and user care processes.

VII. TYPE OF INFORMATION SUBJECT TO PROCESSING 

THE ORGANIZATION recognizes that its patients, employees, clients, and suppliers have the right to a reasonable expectation of privacy, always taking into account their responsibilities, rights, and obligations to THE ORGANIZATION. 

A patient is understood to be any natural person who requires diagnostic or interventional procedures by a Health Service Provider Institution.

From the Patients

1. Personal identification data, surnames and first names, identification, date of birth, age, sex, marital status, occupation, home address and telephone number, place of residence, guardian or guardian, address and telephone number of the guardian, relationship, insurance company and type of relationship;
2. Medical history, medical background, diagnostic aids, health status, medical study information.

Medical records are regulated by Law 23 of 1981, Resolution 1995 of 1999, and Resolution 00839 of 2017, regarding the processing, administration, preservation, custody, and confidentiality of medical records, in accordance with the parameters of the Ministry of Health and the National Archives.

If the information collected includes sensitive data, THE ORGANIZATION will inform you of the nature of such sensitive data and the purpose of its processing. It will only be processed with your prior, express, and informed consent. Please note that since this data is sensitive, you are not required to authorize its processing.

Use and purpose of the treatment.

Personal data is used for: 

1. Execution of the contract signed with THE ORGANIZATION.
2. Billing for services.
3. Sending information to government or judicial entities at their express request.
4. Support in external/internal audit processes.
5. Sending/Receiving messages for commercial, advertising and/or customer service purposes.
6. Contact with clients to send information related to the contractual, commercial, and obligatory relationship that takes place.
7. Conduct surveys related to LA services or goods

ORGANIZATION 

1. Collection of data for the fulfillment of duties that, as

The person responsible for the information and personal data is the ORGANIZATION. 

1. To provide you with effective customer service.
2. Any other purpose resulting from the development of the contract or relationship between you and THE ORGANIZATION.

A client is understood to be any natural or legal person who, in exchange for payment, receives services from someone who provides them for that purpose.

From the Clients

1. Client name or company name, identification number or NIT with verification digit, place of residence, address, telephone numbers, fax, email;
2. Name of the general manager or legal representative and address, telephone numbers, fax, email;
3. Name of the person assigned to collect the portfolio, email;
4. Tax information;
5. Banking information including bank account holder name, bank account number, and bank name or code.

If the information collected includes sensitive data, THE ORGANIZATION will inform you of the nature of such sensitive data and the purpose of its processing. It will only be processed with your prior, express, and informed consent. Please note that since this data is sensitive, you are not required to authorize its processing.

Use and purpose of the treatment.

Personal data is used for: 

1. Execution of the contract signed with any of THE ORGANIZATION.
2. Billing for services.
3. Sending information to government or judicial entities at their express request.
4. Support in external/internal audit processes.
5. Sending/Receiving messages for commercial, advertising and/or customer service purposes.
6. Contact with clients to send information related to the contractual, commercial, and obligatory relationship that takes place.
7. Conduct surveys related to LA services or goods

ORGANIZATION 

1. Data collection for the fulfillment of the duties that, as the Controller of information and personal data, corresponds to THE ORGANIZATION.
2. To provide you with effective customer service.
3. Any other purpose resulting from the development of the contract or relationship between you and THE ORGANIZATION.

A supplier is understood to be any natural or legal person who provides a service to THE ORGANIZATION by virtue of a contractual/obligational relationship.

From the Suppliers

1. Supplier name or company name, identification number or NIT with verification digit, place of residence, address, telephone numbers, fax, email, name and telephone number of the contact person;
2. Name of the general manager or legal representative and address, telephone numbers, fax, email;
3. Tax information;
4. Banking information including bank account holder name, bank account number, and bank name or code.

Use and purpose of the Treatment.

Personal data is used for: 

1. Execution of the contract signed with THE ORGANIZATION.
2. Payment of contractual obligations.
3. Sending information to government or judicial entities at their express request.
4. Support in external/internal audit processes.
5. Sending/Receiving messages for commercial, advertising and/or customer service purposes.
6. Contact with suppliers to send information related to the contractual, commercial, and obligatory relationship that takes place.
7. Collection of data for the fulfillment of duties that, as

THE ORGANIZATION is responsible for the information and personal data. 

1. Comply with the regulations applicable to suppliers and contractors, including, but not limited to, tax and commercial regulations
2. Fulfill all contractual commitments.
3. For security or fraud prevention purposes.
4. To provide you with effective customer service.
5. Any other purpose resulting from the development of the contract or relationship between you and THE ORGANIZATION.

Employees are understood to be any natural person who provides a service to THE ORGANIZATION by virtue of an employment contract.

From the Employees 

1. Worker and Family Group: name, ID, address, phone number, name of spouse and children, name and ID of children, medical history, social security affiliations, medical insurance policy, age, date of birth, education information, health status;
2. Resume, education, experience, links to entities, links to companies;
3. Salary and other payments;
4. Balance of debts contracted with Dragados or release;
5. Memberships with payroll deduction;
6. Pension contributions;
7. Establishment and contributions to voluntary pension funds, food stamps, etc.;
8. Legal proceedings, seizure;
9. Discount authorizations;
10. Benefits throughout your working life;
11. Employment contract;
12. Changes in the employment contract;
13. Connection with previous employers;
14. Work history of the worker;
15. Payment of aid and benefits;
16. Beneficiaries of the worker for the purpose of paying aid and benefits;
17. EPS affiliation, pension fund, ARL, Compensation Fund;

Training received; 

1. Detail of the characterization;
2. Demographic report of workers;
3. Occupational medical history of the worker;
4. Workplace accidents;
5. Overtime;

Use and purpose of the Treatment  

Personal data is used for:

1. Execution of the contract signed with THE ORGANIZATION.
2. Payment of contractual obligations.
3. Sending information to government or judicial entities at their express request.
4. Support in external/internal audit processes.
5. Contact with candidates, clients, employees, or suppliers to send information related to the contractual, commercial, and obligatory relationship that takes place.
6. Data collection for the fulfillment of the duties that correspond to the ORGANIZATION, as the Controller of information and personal data.
7. For security or fraud prevention purposes.
8. Any other purpose resulting from the development of the contract or relationship between you and the ORGANIZATION.

Sensitive data

In the case of sensitive personal data, THE ORGANIZATION may use and process them when: 

1. The owner has given his or her explicit authorization, except in cases where the granting of such authorization is not required by law.
2. The processing is necessary to safeguard the vital interests of the Data Subject, and the Data Subject is physically or legally incapacitated. In these cases, the Data Subject's legal representatives must provide their authorization.
3. The processing is carried out in the course of legitimate activities and with due safeguards by a foundation, NGO, association, or any other non-profit organization whose purpose is political, philosophical, religious, or trade union, provided that it relates exclusively to its members or to individuals with whom it maintains regular contact due to its purpose. In these cases, the data may not be provided to third parties without the data subject's authorization.
4. The Processing refers to data that is necessary for the recognition, exercise or defense of a right in a judicial process.
5. The processing is for historical, statistical, or scientific purposes. In this event, measures must be taken to erase the identity of the data subjects. Without prejudice to the exceptions provided by law, the processing of sensitive data requires the prior, express, and informed authorization of the data subject, which must be obtained by any means that can be subsequently consulted and verified.

If you provide us with Personal Data, this information will be used only for the purposes stated herein, and we will not sell, license, transmit or disclose it outside of THE ORGANIZATION unless (i) you expressly authorize us to do so, (ii) it is necessary to allow our contractors or agents to provide the services we have entrusted to them, (iii) in order to provide you with our products or services, (iv) it is disclosed to entities that provide marketing services on our behalf or to other entities with which we have joint marketing agreements, (v) in connection with a merger, consolidation, acquisition, divestiture or other restructuring process, or (vi) as required or permitted by law. In order to implement the purposes described above, your personal data may be disclosed for the purposes set out above to human resources personnel, managers, consultants, advisors and other persons and offices as appropriate. 

THE ORGANIZATION may subcontract certain functions or information to third parties. When we do subcontract the processing of your personal information to third parties or provide your personal information to third-party service providers, we warn those third parties of the need to protect such personal information with appropriate security measures, prohibit them from using your personal information for their own purposes, and prevent them from disclosing your personal information to others. Likewise, THE ORGANIZATION may transfer or transmit (as appropriate) your personal data to other organizations abroad for reasons of security, administrative efficiency, and improved service, in accordance with the authorizations of each of these parties. THE ORGANIZATION has adopted appropriate measures to ensure that these organizations implement, in their jurisdiction and in accordance with the laws applicable to them, standards of security and protection of personal data that are at least similar to those provided for in this document and, in general, in THE ORGANIZATION's policy on the matter. In the case of the transmission of personal data, the applicable transmission contract will be signed in accordance with the terms of Decree 1377/13.

Additionally, we inform you that once the need to process your data ceases, they may be deleted from THE ORGANIZATION's databases or

archived securely so that they are only disclosed when legally required. Such data will not be deleted, despite the data subject's request, when its retention is necessary for the fulfillment of an obligation or contract.

VIII. RIGHTS OF INFORMATION OWNERS

Pursuant to Article 8 of Law 1581 of 2012, the owner of personal data has the following rights:

• Know, update, and rectify your personal data with those responsible for processing or those in charge of processing.

The Data Subject may also exercise this right with respect to data that is partial, inaccurate, incomplete, fragmented, misleading, or whose processing is expressly prohibited or unauthorized.

• Request proof of the authorization granted to THE ORGANIZATION or the data processor as the controller. This is without prejudice to legally established exceptions. ^[2] 3) To be informed by the Data Controller or the Data Processor, upon request, regarding the use that has been given to your personal data.
• Submit complaints to the Superintendency of Industry and Commerce for violations of the provisions of this Law 1581 of 2012 and other regulations that modify, add to, or supplement it.
• Revoke authorization and/or request the deletion of data when the processing does not respect constitutional and legal principles, rights, and guarantees.

In any case, the revocation and/or deletion will only proceed when the Superintendency of Industry and Commerce has determined that in the Processing the Controller or the Processor has incurred in conduct contrary to this law and the Constitution.

• Access your personal data that has been processed free of charge at least once every calendar month, and whenever there are substantial modifications to this policy that motivate new inquiries.

These rights may be exercised by: 

• The owner, who must sufficiently prove his identity by the different means made available to him by THE ORGANIZATION
• The successors in title of the owner, who must prove such status.
• The representative and/or attorney of the owner, upon prior accreditation of the representation or power of attorney.
• Another in favor of or for which the owner has stipulated.

Without prejudice to the inherent protocols and current regulations regarding the management of medical records.

IX. DUTIES OF THE ORGANIZATION IN THE PROCESSING OF PERSONAL DATA

THE ORGANIZATION recognizes that individuals hold ownership of personal data, and therefore, they alone have sole discretion over such data. Therefore, THE ORGANIZATION will use personal data for the purposes expressly authorized by the data subject or by applicable regulations. In the processing and protection of personal data, THE ORGANIZATION shall have the following obligations, without prejudice to any other obligations set forth in the provisions that regulate or may regulate this matter: 

• Guarantee the Holder, at all times, the full and effective exercise of the right to habeas data.
• Keep information under the necessary security conditions to prevent its alteration, loss, unauthorized or fraudulent consultation, use, or access.
• Use the data subject's personal data only for those purposes for which it is duly authorized and in all cases respecting current regulations on personal data protection.
• Properly inform the data subject about the purpose of the collection and the rights to which they are entitled by virtue of the authorization granted.
• Request and retain a copy of the respective authorization granted by the owner for the processing of personal data.
• Use only data whose processing has been previously authorized in accordance with the provisions of Law 1581 of 2012.
• Carry out the updating, rectification or deletion of data in a timely manner.
• Process queries and complaints made by the Owners.
• Refrain from circulating information that is being disputed by the owner and whose blocking has been ordered by the Superintendency of Industry and Commerce.
• Allow access to information only to those who are authorized to do so, as established by current and applicable regulations.
• Inform the Superintendency of Industry and Commerce when security code violations occur and when there are risks in the management of the Data Subjects' information.
• Comply with the instructions issued by the Superintendency of Industry and Commerce on the specific matter.
• Inform the owner, upon request, about the use given to their data.

X. AUTHORIZATION AND CONSENT OF THE OWNER 

THE ORGANIZATION requires the free, prior, express and informed consent of the owner of the personal data for the processing of such data, except in cases expressly authorized by law, namely: 

1. Information required by a public or administrative entity in the exercise of its legal functions or by court order.
2. Data of a public nature.
3. Cases of medical or health emergencies.
4. Processing of information authorized by law for historical, statistical or scientific purposes.
5. Data related to the Civil Registry of Persons

Manifestation of authorization

Authorization to THE ORGANIZATION for the processing of personal data will be granted by:

• The owner, who must sufficiently prove his identity by the different means made available to him by THE ORGANIZATION
• The successors in title of the owner, who must prove such status.
• The representative and/or attorney of the owner, upon prior accreditation of the representation or power of attorney.
• Another in favor of or for which the owner has stipulated.

Means of granting authorization 

THE ORGANIZATION will obtain authorization through various means, including physical or electronic documents, data messages, the Internet, websites, or any other format that allows for subsequent consultation. This may also be documented in the patient's admission questionnaire, in the event of a consultation, or through a suitable technical or technological mechanism that can be used to conclude with certainty that the Data Subject has received the information. This will, in any case, allow consent to be obtained through unequivocal conduct that concludes that, had the same information not been provided by the Data Subject or the person authorized to do so, the data would not have been stored or captured in the database. THE ORGANIZATION will request authorization prior to processing the personal data. 

In the event that the information and personal data could be used by THE ORGANIZATION for a treatment other than the ordinary course of its corporate purpose, it will have to obtain a special authorization from the owner stating:

1. Purpose of the authorization.
2. Purpose of the Processing of Personal Data.
3. Personal data of children and adolescents.
4. Those responsible for and in charge of information.

Proof of authorization 

THE ORGANIZATION will retain proof of the authorization granted by the owners of their personal data for processing, for which it will use the mechanisms currently available to it and will adopt the necessary measures to maintain a record of the manner, date, and manner in which it obtained this authorization. Consequently, THE ORGANIZATION may establish physical archives or electronic repositories, either directly or through third parties contracted for this purpose. THE ORGANIZATION will implement this manual and, through operational coordination with the support of the administrative area, will adopt the necessary measures to maintain records or appropriate technical mechanisms of when and how it obtained the Owner's authorization for the Processing of Data.

Revocation of authorization. 

Personal data subjects may at any time revoke the authorization granted to THE ORGANIZATION for the processing of their personal data or request its deletion, provided that this is not prevented by a legal or contractual provision. THE ORGANIZATION will establish simple and free mechanisms that allow the subject to revoke their authorization or request the deletion of their personal data, at least by the same means by which it was granted. For this purpose, it should be noted that the revocation of consent may be expressed, on the one hand, fully in relation to the authorized purposes, in which case THE ORGANIZATION must cease any data processing activities; and on the other hand, partially in relation to certain types of processing, in which case processing activities will cease for these purposes, such as for advertising purposes, among others. In the latter case, THE ORGANIZATION may continue processing the personal data for those purposes for which the subject has not revoked their consent.

XI. PRIVACY NOTICE

The Privacy Notice is the physical, electronic, or other format document made available to the data subject to inform them about the processing of their personal data. This document communicates to the data subject information related to the existence of THE ORGANIZATION's data processing policies that will apply to them, how to access them, and the characteristics of the intended processing of their personal data. The privacy notice must contain, at a minimum, the following information:

1. The identity, address and contact details of the data controller.
2. The type of processing to which the data will be subjected and its purpose.
3. The rights of the owner.
4. The general mechanisms established by the data controller to ensure that the data subject is aware of the information processing policy and any substantial changes to it. In all cases, the data subject must be informed how to access or consult the information processing policy.
5. The optional nature of the response to questions about sensitive data

THE ORGANIZATION will retain the privacy notice template while personal data is being processed and the obligations arising from it continue.

XII. GUARANTEES OF THE RIGHT OF ACCESS

To guarantee the data subject's right of access, THE ORGANIZATION will make the respective personal data available to the data subject, upon verification of their identity, legitimacy, or the legal status of their representative, free of charge and without any expense, in a detailed and comprehensive manner, through all means, including electronic means that allow the data subject direct access to the data. Such access must be offered without any limits and must allow the data subject the opportunity to view and update the data online.

XIII. PROCEDURE FOR HANDLING QUERIES, COMPLAINTS, REQUESTS FOR RECTIFICATION, UPDATING AND DELETION OF DATA 

2013. Inquiries: THE ORGANIZATION, in order to guarantee the data subject's access to the information being processed, is obliged to allow the data subject access to the information being processed, provided that the data subject complies with the protocols adopted for this purpose prior to the entry into force of Law 1581 of 2013.

Therefore, the owner may submit to THE ORGANIZATION a written request requesting in a precise and timely manner access to his/her information, which must be sent to the email address Coordinator@35.227.29.149

For the attention of consultation requests, they will be attended to within a maximum period of ten (10) business days counted from the date of receipt. If it is not possible to attend to the consultation within the term established above, the interested party will be informed before the expiration of the 10 days, stating the reasons for the delay and indicating the date on which the consultation will be attended to, which in no case may exceed five (5) 

1. Claims: The Owner or his successors in title who consider that the information contained in a database should be corrected, updated or deleted, or when they notice the alleged non-compliance with any of the duties contained in the law, may file a claim with THE ORGANIZATION, which will be processed under the following rules:

1. The claim of the Holder will be made by means of a request addressed to THE ORGANIZATION at the email address Coordinator@35.227.29.149 or by written communication addressed to Operational Coordination, with the identification of the owner, the description of the facts that give rise to the claim, the address to respond, and accompanying the documents that are required to assert the claim. If the claim is incomplete, the interested party will be required within five (5) days following receipt of the claim to correct the deficiencies. After two (2) months from the date of the request, if the applicant does not present the required information, it will be understood that he has withdrawn the claim. In the event that the person who receives the claim is not competent to resolve it, he will forward it to the corresponding person within a maximum period of two (2) business days and inform the interested party of the situation.
2. Once the complete claim has been received, it will be categorized with the label "claim in process" and the reason for it, within a period of no more than two (2) business days. This label will remain in effect until the claim is resolved.
3. The maximum period for addressing the claim will be fifteen (15) business days counted from the day following the date of receipt. When it is not possible to address the claim within this period, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.
4. If you are submitting the claim on behalf of or representing another person, you must attach the power of attorney authorizing the claimant. If the capacity in which the claimant is submitted cannot be verified, THE ORGANIZATION will consider the claim not submitted.
5. THE ORGANIZATION may implement application forms if it deems it necessary, without the submission of the claim being conditioned on said form.

1. Request for update and/or correction: THE ORGANIZATION will correct and update, at the request of the owner, any information that is incomplete or inaccurate, in accordance with the procedure and terms indicated above, for which the following will be taken into account:
2. The owner must send the request to the email address

Coordinator@35.227.29.149 or in physical form addressed to the Institutional Marketing Department indicating the update and/or correction to be made and providing the documentation that supports your request.

2. THE ORGANIZATION may enable mechanisms to facilitate the exercise of this right for the data subject, provided that they benefit the data subject. Consequently, electronic or other means it deems relevant may be enabled, which will be disclosed in the privacy notice and made available to interested parties on the website.
3. Request for data deletion The owner of personal data has the right to request THE ORGANIZATION to delete (eliminate) it in any of the following cases:
4. When you consider that they are not being treated in accordance with the principles, duties and obligations provided for in current regulations.
5. When they are no longer necessary or relevant for the purpose for which they were collected.
6. The period necessary for the fulfillment of the purposes for which it was collected has been exceeded. This deletion entails the total or partial elimination of personal information, as requested by the data subject, from the records, files, databases, or processing operations carried out by THE ORGANIZATION. However, this right of the data subject is not absolute, and consequently THE ORGANIZATION may deny the exercise of this right when:
   1. The owner has a legal or contractual obligation to remain in the database.
   2. The deletion of data hinders judicial or administrative proceedings related to tax obligations, the investigation and prosecution of crimes, or the updating of administrative sanctions.
   3. The data may be necessary to protect the legally protected interests of the data subject; to carry out an action in the public interest; or to comply with a legal obligation of the data subject.

In any case, the total or partial deletion will be subject to the regulations in force and applicable to the medical records. This is a reason for preventing access to the data subject's request, since the total or partial deletion of personal information could be an integral part of the documents included in the medical procedure, without prejudice to the other persons to whom this manual is addressed.

Likewise, THE ORGANIZATION may deny the deletion request when the data is necessary, in accordance with the legal or contractual obligation it has, or if the deletion request hinders judicial or administrative proceedings, or when the data is necessary to protect the legally protected interests of the Data Subject.

THE ORGANIZATION will delete the data in such a way that the deletion does not allow the recovery of the information.

• REVOCATION OF AUTHORIZATION: Data subjects may revoke their consent to the processing of their personal data at any time, provided that this is not prevented by a legal or contractual provision, through the procedure established in this Manual.

1. SAFETY MEASURES: THE ORGANIZATION will continue to implement mandatory security protocols for personnel with access to personal data and information systems. These procedures will meet at least the following requirements:
   1. Scope of the procedure with detailed specification of the protected data.
   2. Measures, norms, procedures, rules, and standards aimed at ensuring the level of security required by Law 1581 of 2012.
   3. Functions and obligations of the staff.
   4. Procedures for making backup copies and recovering data.
   5. Periodic checks that must be carried out to verify compliance with the provisions of the security procedure.

• AREA IN CHARGE OF DATA PROTECTION: THE ORGANIZATION., designates the Operational Coordination of the same as responsible for the protection of personal data.

XVII. INFORMATION SECURITY AND SECURITY MEASURES 

In compliance with the security principle established in current regulations, THE ORGANIZATION will adopt the technical, human and administrative measures that are necessary to provide security to the records, avoiding their adulteration, loss, 

XVIII. VALIDITY

PROLIFICOS SAS reserves the right to modify this Personal Data Processing Policy at any time. Any changes will be promptly notified and published on the website. www.carlosacevedo.co.

The Personal Data Processing Policy is effective as of January 25, 2017.

[1] The definitions included in this document are taken from current Colombian regulations governing the protection of personal data.

[2] Law 1581 of 2012. Article 10. Cases in which authorization is not required. The Data Subject's authorization will not be required in the case of: a) Information required by a public or administrative entity in the exercise of its legal functions or by court order; b) Data of a public nature; c) Cases of medical or health emergencies; d) Processing of information authorized by law for historical, statistical, or scientific purposes; e) Data related to the Civil Registry of Persons. Anyone who accesses personal data without prior authorization must in all cases comply with the provisions contained in this law.