INTRODUCTION

The institution Prolíficos S.A.S. with the trade name of Carlos Acevedo Odontología is a private entity, dedicated to the provision of specialized dental services, offering a warm, timely and effective service, reflected in results of excellence and confidence in the oral health of their patients.

In compliance with the provisions of the Statutory Law 1581 of 2012 and its Regulatory Decree 1377 of 2013, Prolíficos S.A.S. adopts this policy for the processing of personal data, which will be informed to all holders of the data collected or obtained in the future in the exercise of commercial or labor activities. In this way, Prolíficos S.A.S. states that it guarantees the rights of privacy, intimacy and good name of patients, employees, customers and suppliers, in the processing of personal data, and therefore all its actions will be governed by the principles of legality, purpose, freedom, truthfulness, quality, transparency, access and restricted circulation, security and confidentiality.

All persons who, in the development of different contractual, commercial, labor activities, among others, whether permanent or occasional, may provide Prolíficos S.A.S. with any type of information or personal data, may know, update and rectify it.

I. IDENTIFICATION OF THE DATA CONTROLLER

NAME OF THE INSTITUTION: Prolíficos S.A.S, hereinafter referred to as THE ORGANIZATION, a private company with Tax Identification Number 900086150-.

ADDRESS AND ADDRESS: THE ORGANIZATION has its domicile in the city of Barranquilla and its main office is located at Calle 106 No. 50-67 Local 405.

E-MAIL: administracion@35.227.29.149 TELEPHONE: (57-5) 3775809

II. LEGAL FRAMEWORK

Constitution, Article 15.

Law 1266 of 2008 Law 1581 of 2012

Regulatory Decrees 1727 of 2009 and 2952 of 2010

Partial Regulatory Decree 1377 of 201

Rulings C – 1011 of 2008, and C – 748 of 2011, of the Constitutional Court.

III. OBJECT: This document describes the parameters of regulation, treatment and handling of personal data of patients, customers, employees and suppliers; imposing the duties that assist those responsible for the treatment of information, adopting policies and procedures to ensure proper compliance with the law, respecting at all times the integrity of the human being.

IV. SCOPE OF APPLICATION

This regulation shall be immediately applicable to each and every one of the personal and sensitive data that THE ORGANIZATION may know and collect in the due exercise of its corporate purpose.

The policies, procedures and contents of this policy apply to the databases of THE ORGANIZATION, registered in accordance with the provisions of Law 1581 of 2012 and Decree 1377 of 2013, without prejudice to the need that assists it as a Health Services Provider Institution, in the compilation, processing, disclosure and transfer of personal data that it is obliged to execute to safeguard the physical integrity of patients.

1. DEFINITIONS
   ^[1]
   :
2. Authorization: Authorization previously issued by the owner of the information, expressly allowing THE ORGANIZATION to carry out the processing of personal data.
3. Privacy Notice: Physical document, electronic or in any other format generated by THE ORGANIZATION available to the holder for the processing of personal data, in order to communicate the existence of the information processing policies that will be applicable, how to access them and the characteristics of the treatment that is intended to be given to personal data.
4. Data Base: Organized set of personal information subject to treatment, custody and care by THE ORGANIZATION.
5. Personal data: All information and data linked or, which can be associated to one or several determined or determinable natural persons.
6. Public data: Data that is not semi-private, private or sensitive. Data related to the marital status of individuals, their profession or trade, and their status as merchants or public servants, among others, are considered public data. By its nature,

public data may be contained, among others, in public records, public documents, official gazettes and bulletins, and duly executed court rulings that are not subject to confidentiality.

1. Sensitive data: Data that affect (personal) privacy, whose improper use may lead to discrimination.
2. Data Processor: Natural or legal person, public or private, who by itself or in association with others performs the Processing of personal data on behalf of THE ORGANIZATION as Data Controller.
3. Data subject: Natural person whose personal data is subject to processing, whether client, supplier, employee or any third party who, due to a commercial or legal relationship, provides personal data to THE ORGANIZATION.
4. Transfer: Refers to the sending by THE ORGANIZATION as Data Controller or Data Processor, to a third party agent or natural/legal person (recipient), within or outside the national territory for the effective processing of personal data;
5. Transmission: refers to the communication of personal data by the Controller to the Processor, located within or outside the national territory, so that the Processor, on behalf of the Controller, processes personal data; – Transmission: refers to the communication of personal data by the Controller to the Processor, located within or outside the national territory, so that the Processor, on behalf of the Controller, processes personal data
6. Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion. For the understanding of the terms that are not included in the above list, you should refer to the legislation in force, especially to Law 1581 of 2012 and Decree 1377 of 2013, giving the meaning used in said regulation to the terms whose definition is in doubt.

VI. PRINCIPLES

In accordance with the provisions of Article 4 of Law 1581 of 2012, THE ORGANIZATION, through the principles indicated below, determines the parameters on which the processes of collection, use and processing of personal data will be based^.2

1. a) LEGALITY IN THE PROCESSING OF PERSONAL DATA: In compliance with the law, THE ORGANIZATION adopts policies for the protection of personal data of patients, clients, employees, suppliers and any person related to THE ORGANIZATION.

² 2 The principles included in this document are taken from the regulations in force in Colombia that govern the protection of personal data.

1. PURPOSE: The processing of data must obey and be aimed at a purpose, characterized by legitimacy and, at all times adhering to the constitutional postulates and the Law, therefore, the treatment will have to be informed to the Holder, so that he/she authorizes it.
2. FREEDOM: The processing of personal data may only be exercised with the prior consent of the owner, without prejudice to the necessary and relevant data for consultations or any type of medical care. If authorization is not possible, a legal mandate (power of attorney) or court order is required.
3. TRUTH OR QUALITY: All information referred to in this manual must be truthful, complete, accurate, updated, verifiable and understandable. THE ORGANIZATION, through its different assistance services and administrative area, prohibits the processing of partial, incomplete, fractioned or misleading data.
4. TRANSPARENCY: THE ORGANIZATION. guarantee the right of the Data Subject to obtain from the Data Controller or the Data Processor, at any time and without restrictions, information about the existence of data concerning him/her, in accordance with the protocols established for such purpose.
5. RESTRICTED ACCESS AND CIRCULATION: Except for public information, the data covered by this regulation may not be available on the Internet or other means of dissemination or mass communication. The Processing shall be subject to the limits derived from the nature of the personal data and the assistance services offered by THE ORGANIZATION, from the provisions of the Law and the Constitution.

In this sense, the Processing may only be carried out by persons authorized by the Data Subject or in accordance with the exceptions and persons empowered by the Law.

1. SECURITYThe information subject to treatment or reception by THE ORGANIZATION shall be protected through the use of all technological means and the necessary technical, human and administrative measures, in order to provide security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.
2. CONFIDENTIALITY: All natural or legal persons involved in the processing of personal data of patients, users, beneficiaries, contractors, collaborators and any person related to THE ORGANIZATION. are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks involved in the processing.

VII. AUTHORIZATIONThe collection, storage, use, circulation, transmission or deletion of personal data by THE ORGANIZATION shall require the prior, free, informed and express consent of the Data Subject, except in the events expressly established in Articles 6, 10 and 26 of Law 1581 of 2013 and Article 4 of Decree 1377 of 2013, among which the following exceptions stand out:

1. Emergency medical care.
2. Transmission of scientific data or, for the execution of a contract.
3. Statistical, historical or scientific data processing.
4. Others contemplated by law.

THE ORGANIZATION has integrated within its patient and user care processes the mechanisms for obtaining authorization from the owners.

VII. TYPE OF INFORMATION SUBJECT TO PROCESSING

THE ORGANIZATION recognizes that its patients, employees, clients and suppliers are entitled to have a reasonable expectation of privacy, taking into account their responsibilities, rights and obligations to THE ORGANIZATION.

A patient is understood to be any natural person who requires diagnostic or interventional procedures to be performed by a Health Service Provider Institution.

Of the Patients

1. Personal identification data, surname and first name, identification, date of birth, age, sex, marital status, occupation, address and telephone number, place of residence, guardian or person in charge, address and telephone number of the person in charge, relationship, insurance company and type of relationship;
2. Medical history, medical history, diagnostic aids, health status, information on medical studies.

The Clinical History, is regulated by Law 23 of 1981, by Resolution 1995 of 1999 and by Resolution 00839 of 2017, regarding the processing, administration, conservation, custody and confidentiality of clinical records, in accordance with the parameters of the Ministry of Health and the General Archive of the Nation.

If the information collected includes sensitive data, THE ORGANIZATION shall inform you of the quality of such sensitive data and the purpose of the processing, and shall only be processed with your prior, express and informed consent. Please note that since this is sensitive data, you are not obliged to authorize its processing.

Use and purpose of the treatment.

Personal data are used for:

1. Execution of the contract subscribed with THE ORGANIZATION.
2. Billing of services.
3. Sending information to governmental or judicial entities at their express request.
4. Support in external/internal audit processes.
5. Sending/receiving messages for commercial, advertising and/or customer service purposes.
6. Contact with customers to send information related to the contractual, commercial and obligatory relationship that takes place.
7. Conduct surveys related to LA’s services or goods.

ORGANIZATION

1. Collection of data for the fulfillment of the duties that, as a

The ORGANIZATION is responsible for the information and personal data.

1. To provide you with effective customer service.
2. Any other purpose resulting from the development of the contract or the relationship between you and THE ORGANIZATION.

A customer is understood to be any natural or legal person who, in exchange for payment, receives services from someone who provides them for that concept.

From Customers

1. Client’s name or company name, identification number or NIT with verification digit, place of domicile, address, telephone numbers, fax, e-mail;
2. Name of general manager or legal representative and address, telephone, fax, e-mail;
3. Name of the person assigned to collect the portfolio, e-mail address;
4. Tax information;
5. Bank information including bank account holder’s name, bank account number and bank name or code.

If the information collected includes sensitive data, THE ORGANIZATION shall inform you of the quality of such sensitive data and the purpose of the processing, and shall only be processed with your prior, express and informed consent. Please note that since this is sensitive data, you are not obliged to authorize its processing.

Use and purpose of the treatment.

Personal data are used for:

1. Execution of the contract subscribed with any of THE ORGANIZATION.
2. Billing of services.
3. Sending information to governmental or judicial entities at their express request.
4. Support in external/internal audit processes.
5. Sending/receiving messages for commercial, advertising and/or customer service purposes.
6. Contact with customers to send information related to the contractual, commercial and obligatory relationship that takes place.
7. Conduct surveys related to LA’s services or goods.

ORGANIZATION

1. Collection of data for the fulfillment of the duties that, as Responsible for the information and personal data, corresponds to THE ORGANIZATION.
2. To provide you with effective customer service.
3. Any other purpose resulting from the development of the contract or the relationship between you and THE ORGANIZATION.

A supplier shall be understood as any natural or legal person that provides any service to THE ORGANIZATION by virtue of a contractual/obligational relationship.

Suppliers

1. Supplier’s name or company name, identification number or NIT with verification digit, place of domicile, address, telephones, fax, e-mail, name and telephone number of the contact person;
2. Name of general manager or legal representative and address, telephone, fax, e-mail;
3. Tax information;
4. Bank information including bank account holder’s name, bank account number and bank name or code.

Use and purpose of the treatment.

Personal data are used for:

1. Execution of the contract subscribed with THE ORGANIZATION.
2. Payment of contractual obligations.
3. Sending information to governmental or judicial entities at their express request.
4. Support in external/internal audit processes.
5. Sending/receiving messages for commercial, advertising and/or customer service purposes.
6. Contact with suppliers to send information related to the contractual, commercial and obligatory relationship that takes place.
7. Collection of data for the fulfillment of the duties that, as a

Responsible for the information and personal data, corresponds to THE ORGANIZATION.

1. Comply with regulations applicable to suppliers and contractors, including, but not limited to, tax and commercial regulations.
2. Fulfill all its contractual commitments.
3. For security or fraud prevention purposes.
4. To provide you with effective customer service.
5. Any other purpose resulting from the development of the contract or the relationship between you and THE ORGANIZATION.

Employees are understood as any natural person who renders a service to THE ORGANIZATION by virtue of an employment contract.

Employees

1. Worker and Family Group: name, identification, address, telephone, name of spouse and children, name and identification of children, medical history, social security affiliations, medical policy, age, date of birth, education information, health status;
2. Resume, education, experience, links with entities, links with companies;
3. Salary and other payments;
4. Balance of debts contracted with Dragados;
5. Affiliations with payroll deduction;
6. Pension contributions;
7. Constitution and contributions to voluntary pension funds, food bonds, etc.;
8. Legal proceedings, seizure;
9. Discount authorizations;
10. Benefits throughout your working life;
11. Employment contract;
12. Changes in the employment contract;
13. Relationship with previous employers;
14. Work history of the worker;
15. Payment of assistance and benefits;
16. Beneficiaries of the employee for the purpose of payment of benefits and allowances;
17. EPS affiliation, pension fund, ARL, compensation fund;

Training received;

1. Detail of the characterization;
2. Worker demographics report;
3. Occupational medical history of the worker;
4. Occupational accidents;
5. Overtime;

Use and purpose of the treatment

Personal data are used for:

1. Execution of the contract subscribed with THE ORGANIZATION.
2. Payment of contractual obligations.
3. Sending information to governmental or judicial entities at their express request.
4. Support in external/internal audit processes.
5. Contact with candidates, clients, employees or suppliers to send information related to the contractual, commercial and obligatory relationship that takes place.
6. Collection of data for the fulfillment of the duties that, as Responsible for the information and personal data, corresponds to the ORGANIZATION.
7. For security or fraud prevention purposes.
8. Any other purpose resulting from the development of the contract or the relationship between you and the ORGANIZATION.

Sensitive Data

In the case of sensitive personal data, THE ORGANIZATION may use and process them when:

1. The owner has given his explicit authorization, except in cases where the law does not require the granting of such authorization.
2. The processing is necessary to safeguard the vital interests of the Data Subject and the Data Subject is physically or legally incapacitated. In these events, the legal representatives must give their authorization.
3. The processing is carried out in the course of legitimate activities and with due guarantees by a foundation, NGO, association or any other non-profit organization, whose purpose is political, philosophical, religious or trade union, provided that they relate exclusively to its members or to persons who maintain regular contacts by reason of their purpose. In these events, the data may not be provided to third parties without the owner’s authorization.
4. The Processing refers to data that are necessary for the recognition, exercise or defense of a right in a judicial process.
5. The processing has a historical, statistical or scientific purpose. In this event, the measures leading to the suppression of the identity of the holders must be adopted. Notwithstanding the exceptions provided by law, the processing of sensitive data requires the prior, express and informed authorization of the owner, which must be obtained by any means that may be subject to consultation and subsequent verification.

If you provide us with Personal Data, this information will be used only for the purposes stated herein, and we will not proceed to sell, license, transmit or disclose it outside THE ORGANIZATION unless (i) you expressly authorize us to do so, (ii) necessary to enable our contractors or agents to perform the services we have engaged them to perform, (iii) in order to provide you with our products or services, (iv) is disclosed to entities that perform marketing services on our behalf or to other entities with which we have joint marketing agreements, (v) is in connection with a merger, consolidation, acquisition, divestiture or other restructuring process; or (vi) as required or permitted by law. In order to implement the purposes described above, your personal data may be disclosed for the purposes set forth above to human resources personnel, managers, consultants, advisors and other persons and offices as appropriate.

THE ORGANIZATION may subcontract third parties for the processing of certain functions or information. When we do outsource the processing of your personal information to third parties or provide your personal information to third party service providers, we advise such third parties of the need to protect such personal information with appropriate security measures, prohibit them from using your personal information for their own purposes, and prevent them from disclosing your personal information to others. Likewise, THE ORGANIZATION may transfer or transmit (as appropriate) your personal data to other organizations abroad for reasons of security, administrative efficiency and better service, in accordance with the authorizations of each of these persons. THE ORGANIZATION has adopted the necessary measures so that these organizations implement in their jurisdiction and according to the laws applicable to them, security and personal data protection standards similar to those provided for in this document and in general in the policy of THE ORGANIZATION on the matter. In the case of transfer of personal data, the appropriate transfer contract shall be signed in accordance with the terms of Decree 1377/13.

Additionally, we inform you that once the need for processing your data ceases, they may be removed from the databases of THE ORGANIZATION or

archived in secure terms so that they can only be disclosed when required by law. Such data will not be deleted despite the holder’s request, when the conservation of such data is necessary for the fulfillment of an obligation or contract.

VIII. RIGHTS OF THE OWNERS OF THE INFORMATION

In application of the provisions of Article 8 of Law 1581 of 2012, the Holder of the personal data has the following rights:

• To know, update and rectify your personal data with respect to the data controllers or data processors.

This right may also be exercised by the Data Subject with respect to partial, inaccurate, incomplete, fractioned, misleading data, or data whose processing is expressly prohibited or has not been authorized.

• Request proof of the authorization granted to THE ORGANIZATION or, the person in charge of the treatment as responsible. Without prejudice to the legally established exceptions.
  ^[2]
  3) To be informed by the Data Controller or the Data Processor, upon request, regarding the use that has been made of their personal data.
• File before the Superintendence of Industry and Commerce complaints for violations of the provisions of this Law 1581 of 2012 and other regulations that modify, add or complement it.
• To revoke the authorization and/or request the deletion of the data when the processing does not respect the constitutional and legal principles, rights and guarantees.

In any case, the revocation and/or suppression shall only proceed when the Superintendence of Industry and Commerce has determined that the Controller or Processor has incurred in conduct contrary to this law and the Constitution.

• Access free of charge to your personal data that have been subject to Processing at least once every calendar month, and each time there are substantial modifications to this policy that motivate new consultations.

These rights may be exercised by:

• The holder, who shall prove his/her identity sufficiently by the different means made available by THE ORGANIZATION.
• The assignees of the holder, who must prove their status as such.
• The holder’s representative and/or attorney-in-fact, upon proof of representation or power of attorney.
• Other in favor of or for which the holder has stipulated.

Without prejudice to the inherent protocols and current regulations regarding the management of medical records.

IX. DUTIES OF THE ORGANIZATION IN THE PROCESSING OF PERSONAL DATA

THE ORGANIZATION recognizes the ownership of personal data held by individuals and consequently they have the exclusive right to decide on such data. Therefore, THE ORGANIZATION will use the personal data for the fulfillment of the purposes expressly authorized by the holder or by the regulations in force. In the treatment and protection of personal data, THE ORGANIZATION shall have the following duties, without prejudice to others provided for in the provisions that regulate or come to regulate this matter:

• Guarantee the Data Subject, at all times, the full and effective exercise of the right of habeas data.
• Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access.
• Use the holder’s personal data only for those purposes for which it is duly authorized and respecting in any case the current regulations on personal data protection.
• Duly inform the owner about the purpose of the collection and the rights he/she has by virtue of the authorization granted.
• Request and keep a copy of the respective authorization granted by the holder for the processing of personal data.
• Use only data whose processing is previously authorized in accordance with the provisions of Law 1581 of 2012.
• Timely update, rectification or deletion of data.
• Process queries and claims formulated by the Holders.
• Refrain from circulating information that is being disputed by the owner and whose blocking has been ordered by the Superintendence of Industry and Commerce.
• Allow access to information only to those persons who may have access to it, as established in the current and applicable regulations.
• Inform the Superintendence of Industry and Commerce when there are violations to the security codes and there are risks in the administration of the information of the Holders.
• Comply with the instructions given by the Superintendence of Industry and Commerce on the particular subject.
• Inform upon request of the owner about the use given to their data.

X. AUTHORIZATION AND CONSENT OF THE HOLDER

THE ORGANIZATION requires the free, prior, express and informed consent of the owner of the personal data for the processing thereof, except in cases expressly authorized by law, namely:

1. Information required by a public or administrative entity in the exercise of its legal functions or by court order.
2. Data of a public nature.
3. Cases of medical or sanitary emergency.
4. Processing of information authorized by law for historical, statistical or scientific purposes.
5. Data related to the Civil Registry of Persons

Manifestation of authorization

The authorization to THE ORGANIZATION for the processing of personal data shall be granted by:

• The holder, who shall prove his/her identity sufficiently by the different means made available by THE ORGANIZATION.
• The assignees of the holder, who must prove their status as such.
• The holder’s representative and/or attorney-in-fact, upon proof of representation or power of attorney.
• Other in favor of or for which the holder has stipulated.

Means for granting authorization

THE ORGANIZATION shall obtain the authorization through different means, among them the physical document, electronic, data message, Internet, Websites, or in any other format that allows guaranteeing its subsequent consultation, including, it may be documented in the patient’s admission questionnaire, in case of consultation or, by means of a suitable technical or technological mechanism; with which it can be concluded with certainty, the manifestation of the reception of the information by the Holder, which in any case allows obtaining consent through unequivocal conduct through which it can be concluded that if the same had not been given by the holder or the person entitled to do so, the data would not have been stored or captured in the database. The authorization shall be requested by THE ORGANIZATION prior to the processing of personal data.

In case the information and personal data could be used by THE ORGANIZATION for a treatment different from the ordinary course of its corporate purpose, it will have to obtain from the owner a special authorization in which it is stated:

1. Object of the authorization.
2. Purpose of Personal Data Processing.
3. Personal data of children and adolescents.
4. Responsible and responsible for the information.

Proof of authorization

THE ORGANIZATION shall keep the proof of the authorization granted by the owners of the personal data for its treatment, for which it shall use the mechanisms currently available to it, as well as adopt the necessary actions to keep the record of the form and date in which it was obtained. Consequently, THE ORGANIZATION may establish physical files or electronic repositories made directly or through third parties hired for such purpose. THE ORGANIZATION shall implement this manual and shall adopt, through the Operational Coordination with the support of the administrative area, the necessary measures to keep records or suitable technical mechanisms of when and how it obtained the authorization of the Data Subject for the Processing of Data.

Revocation of authorization.

The holders of personal data may at any time revoke the authorization granted to THE ORGANIZATION for the processing of their personal data or request the deletion of such data, as long as it is not prevented by a legal or contractual provision. THE ORGANIZATION shall establish simple and free mechanisms that allow the holder to revoke its authorization or request the suppression of its personal data, at least by the same means by which it was granted. For the above, it should be taken into account that the revocation of consent may be expressed, on the one hand, in a total manner in relation to the authorized purposes, and therefore THE ORGANIZATION shall cease any data processing activity; and on the other hand, in a partial manner in relation to certain types of processing, in which case the processing activities shall cease, such as for advertising purposes, among others. In the latter case, THE ORGANIZATION may continue to process the personal data for those purposes in relation to which the holder has not revoked its consent.

XI. PRIVACY NOTICE

The Privacy Notice is the physical document, electronic or in any other format, made available to the holder to inform him/her about the processing of his/her personal data. This document communicates to the holder the information related to the existence of the information processing policies of THE ORGANIZATION that will be applicable to him/her, the way to access them and the characteristics of the processing that is intended to be given to the personal data. The privacy notice shall contain, at a minimum, the following information:

1. The identity, address and contact details of the data controller.
2. The type of processing to which the data will be subjected and its purpose.
3. The rights of the holder.
4. The general mechanisms provided by the responsible party so that the holder is aware of the information processing policy and the substantial changes that occur in it. In all cases, it must inform the holder how to access or consult the information processing policy.
5. The optional nature of the response to questions about sensitive data

THE ORGANIZATION. shall keep the model of the privacy notice even while the processing of personal data is carried out and the obligations deriving therefrom last.

XII. GUARANTEES OF THE RIGHT OF ACCESS

In order to guarantee the right of access of the owner of the data, THE ORGANIZATION shall make available to him/her, prior accreditation of his/her identity, legitimacy, or personality of his/her representative, at no cost or expense, in a detailed and itemized manner, the respective personal data through any type of media, including electronic media that allow the direct access of the owner to them. Such access must be provided without limit and must allow the holder the possibility of knowing and updating them online.

XIII. PROCEDURE FOR HANDLING QUERIES, CLAIMS, REQUESTS FOR RECTIFICATION, UPDATING AND DELETION OF DATA

2013. Consultations: THE ORGANIZATION, in order to guarantee the owner of the data, is obliged to allow access to the information subject to processing, as long as the owner complies with the protocols adopted for such purpose prior to the entry into force of Law 1581 of 2013.

Therefore, the holder may submit a written request to THE ORGANIZATION, requesting in a precise and timely manner access to his/her information, which must be formulated to the e-mail Coordinadora@35.227.29.149

For the attention of consultation requests, they will be answered within a maximum term of ten (10) business days from the date of receipt. If it is not possible to attend the consultation within the term established above, the interested party will be informed before the expiration of the 10 days, stating the reasons for the delay and indicating the date on which the consultation will be attended, which in no case may exceed five (5) days.

1. Claims: The Holder or its assignees who consider that the information contained in a database should be subject to correction, updating or deletion, or when they notice the alleged breach of any of the duties contained in the law, may file a claim before THE ORGANIZATION, which shall be processed under the following rules:

1. The Holder’s claim shall be formulated by means of a request addressed to THE ORGANIZATION by e-mail to Coordinadora@35.227.29.149. or by means of written communication addressed to Coordinación Operativa, with the identification of the owner, the description of the facts that give rise to the claim, the address to respond, and accompanying the documents required to assert the claim. If the claim is incomplete, the interested party will be required within five (5) days after receipt of the claim to correct the faults. After two (2) months from the date of the request, if the applicant does not submit the required information, it will be understood that the claim has been abandoned. In the event that the person who receives the claim is not competent to resolve it, he/she will transfer it to the corresponding person within a maximum term of two (2) business days and will inform the interested party of the situation.
2. Once the completed claim is received, it will be labeled “claim in process” and the reason for the claim, within a term not to exceed two (2) business days. This label will be maintained until the claim is decided.
3. The maximum term to address the claim will be fifteen (15) business days from the day following the date of receipt. When it is not possible to attend the claim within said term, the interested party will be informed of the reasons for the delay and the date on which the claim will be attended, which in no case may exceed eight (8) working days following the expiration of the first term.
4. In case of filing the claim in the name or on behalf of another person, he/she must attach the mandate that empowers the claimant. In case of not proving the capacity in which the claim is being submitted, THE ORGANIZATION shall consider the claim as not submitted.
5. THE ORGANIZATION may implement the application forms if deemed necessary, without the presentation of the claim being conditioned to such model.

1. Request for update and/or rectification: THE ORGANIZATION shall rectify and update, at the request of the holder, the information of the holder that turns out to be incomplete or inaccurate, in accordance with the procedure and terms indicated above, for which purpose the following shall be taken into account:
2. The holder must send the request to the following e-mail address

Coordinadora@35.227.29.149 or in a physical medium addressed to the Institutional Marketing Department indicating the update and/or rectification to be made and providing the documentation supporting the request.

2. THE ORGANIZATION may enable mechanisms that facilitate the exercise of this right to the holder, as long as they benefit him/her. Consequently, electronic or other means may be enabled as deemed appropriate, which will be informed in the privacy notice and will be made available to interested parties on the website.
3. Request for suppression of data The holder of the personal data has the right to request to THE ORGANIZATION its suppression (deletion) in any of the following events:
4. When it considers that they are not being treated in accordance with the principles, duties and obligations set forth in the regulations in force.
5. When they are no longer necessary or relevant for the purpose for which they were collected.
6. The period necessary for the fulfillment of the purposes for which they were collected has been exceeded. This suppression implies the total or partial elimination of the personal information according to the holder’s request in the records, files, databases or treatments carried out by THE ORGANIZATION. However, this right of the holder is not absolute and consequently THE ORGANIZATION may deny the exercise thereof when:
   1. The holder has a legal or contractual duty to remain in the database.
   2. The deletion of data hinders judicial or administrative proceedings related to tax obligations, the investigation and prosecution of crimes or the updating of administrative sanctions.
   3. The data is necessary to protect the legally protected interests of the holder; to carry out an action in the public interest, or to comply with an obligation legally acquired by the holder.

In any case, the total or partial elimination will be subject to the regulations in force and applicable to what the medical records refer to. This is a cause of impediment to accede to the holder’s request, since the total or partial elimination of the personal information could be an integral part of the documents that form part of the medical act, without prejudice to the other persons to whom this manual is addressed.

Likewise, THE ORGANIZATION. may deny the request for deletion when the data is necessary, in response to a legal or contractual duty or, if the request for deletion hinders judicial or administrative proceedings or when the data is necessary to protect the legally protected interests of the Data Subject.

THE ORGANIZATION shall delete the data in such a way that the deletion does not allow the recovery of the information.

• REVOCATION OF AUTHORIZATION: Personal data owners may revoke their consent to the processing of their personal data at any time, provided that it is not prevented by a legal or contractual provision, through the procedure established in this Manual.

1. SECURITY MEASURES: THE ORGANIZATION will continue to implement security protocols of mandatory compliance for personnel with access to personal data and information systems. Procedures that will have at least the following requirements:
   1. Scope of application of the procedure with detailed specification of the protected data.
   2. Measures, norms, procedures, rules and standards aimed at ensuring the level of security required by Law 1581 of 2012.
   3. Personnel functions and duties.
   4. Data backup and recovery (back up) procedures.
   5. Periodic controls to be carried out to verify compliance with the provisions of the safety procedure.

• AREA IN CHARGE OF DATA PROTECTION: THE ORGANIZATION designates as responsible for the protection of personal data the Operational Coordination of the same.

XVII. INFORMATION SECURITY AND SECURITY MEASURES

In compliance with the security principle established in the regulations in force, THE ORGANIZATION shall adopt the technical, human and administrative measures necessary to provide security to the records avoiding their adulteration, loss,

XVIII. CURRENT

PROLIFICOS S.A.S. reserves the right to modify this Privacy Policy at any time. Any changes will be informed and published in a timely manner on the website www.carlosacevedo.co.

The Personal Data Processing Policy is effective as of January 25, 2017.

[1] The definitions included in this document are taken from the regulations in force in Colombia that govern the protection of personal data.

[2] Law 1581 of 2012. Article 10. Cases in which authorization is not required. The authorization of the Holder shall not be necessary in the case of: a) Information required by a public or administrative entity in the exercise of its legal functions or by court order; b) Data of a public nature; c) Cases of medical or sanitary emergency; d) Processing of information authorized by law for historical, statistical or scientific purposes; e) Data related to the Civil Registry of Persons. Whoever accesses personal data without prior authorization must in any case comply with the provisions contained in this law.