POLICY FOR THE PROTECTION AND PROCESSING OF PERSONAL DATA
ALAN ALBEIRO GONZÁLEZ VARELA
Nit: C.C. 79.553.547.

In accordance with Law 1581 of 2012, which regulates the collection and processing of personal data and establishes the legal guarantees that all individuals in Colombia must comply with for the proper handling of such information, partially regulated by Decree No. 1377 of 2013, ALAN ALBEIRO GONZÁLEZ VARELA, hereinafter referred to as ALAN GONZÁLEZ VARELA, issues the following Policy Manual for the Protection and Processing of Personal Data (hereinafter the “Policy”):

I. CONSIDERATIONS

  1. Article 15 of the Political Constitution of Colombia establishes that:
    “All individuals have the right to their personal and family privacy and to their good name, and the State must respect them and ensure they are respected. Likewise, individuals have the right to know, update, and rectify information that has been collected about them in data banks and in the records of public and private entities (…)”.
    This constitutional provision grants three independent fundamental rights: privacy, good name, and Habeas Data. The right addressed in this Policy Manual is “Habeas Data.”
    Habeas Data is the right that guarantees and protects all matters related to the access, updating, and correction of personal information contained in databases and records, as established and protected under Law 1581 of 2012 and its regulatory Decree 1377 of 2013.

  2. In compliance with the obligation of ALAN ALBEIRO GONZÁLEZ VARELA, as the data controller of its personal data records, it is necessary to issue a policy that sets forth the rules applicable to the processing of personal data under its responsibility.

  3. It is the duty of the management of ALAN ALBEIRO GONZÁLEZ VARELA, including its partners, executives, and collaborators, to observe, follow, and comply with the directives and instructions specifically issued by ALAN ALBEIRO GONZÁLEZ VARELA regarding personal data, in compliance with the rights enshrined in Article 15 of the Political Constitution of Colombia.

  4. Law 1581 of 2012, its regulatory Decree 1377 of 2013, and any other applicable regulations.

  5. The legislation related to personal data establishes financial, commercial, and even criminal sanctions. Therefore, cooperation between ALAN ALBEIRO GONZÁLEZ VARELA and the recipients of this Manual is essential in order to ensure the protection of the rights to privacy, Habeas Data, and the protection of personal data.

Based on the above considerations that support the protection of personal data, ALAN ALBEIRO GONZÁLEZ VARELA establishes the following provisions for its processing, which are mandatory for all recipients of this Manual.

This policy shall apply to the processing of personal data contained in the databases of ALAN ALBEIRO GONZÁLEZ VARELA.

II. DATA CONTROLLER

ALAN ALBEIRO GONZÁLEZ VARELA, identified with Tax ID (C.C.) No. 79.553.547, with principal address in the city of Cali, located at Carrera 100 No. 5 – 169, Unicentro Oasis Office 405 D, email: ag@alangonzalez.com, and mobile numbers: 3167439896 and 3188889990, is the entity responsible for the processing and protection of the data obtained from its stakeholders.

III. DEFINITIONS

For the purposes of this document, the following terms shall have the meanings assigned below, whether used in singular or plural:

i. Personal Data Database: Any organized set of personal data, regardless of the form or manner in which it is created, stored, organized, or accessed.

ii. Data Transfer: Processing of personal data that involves its disclosure to a person other than the data subject or someone other than the authorized recipient.

iii. Database Custodian: The natural person who has custody of the personal data database within ALAN ALBEIRO GONZÁLEZ VARELA.

iv. Public Data: Data that is considered public according to the mandates of the law or the Constitution, and all data that is not classified as semi-private or private, in accordance with Law 1581 of 2012. This includes, among others, data contained in public documents, enforceable court rulings not subject to confidentiality, and information related to the civil status of individuals.

v. Personal Data or Data: Any data and/or information that identifies or makes a natural person identifiable. This may include numerical, alphabetical, graphic, visual, biometric, audio, profile data, or any other type.

vi. Sensitive Personal Data: A special category of personal data subject to enhanced protection due to its potential impact on the data subject’s privacy or the risk of discrimination if misused. This includes, but is not limited to, data concerning health, sex, political orientation, race or ethnic origin, trade union membership, biometric data, etc.

vii. Data Processor: The natural or legal person, public or private authority, which processes personal data on behalf of the data controller, either independently or in association with others.

viii. Publicly Accessible Sources: Databases containing personal data that can be consulted as long as the information is limited to general data or data that contains legally established generalities. This includes printed media, official gazettes, and other media outlets.

ix. Habeas Data: The fundamental right of every individual to know, update, rectify, and/or delete personal information that has been collected and/or processed in public or private databases, in accordance with applicable laws and regulations.

x. Principles for Data Processing: The fundamental legal and jurisprudential rules that guide the processing of personal data, which help determine actions and criteria to resolve potential conflicts between the right to privacy, Habeas Data, and data protection, and the right to information.

xi. Database Owner: ALAN ALBEIRO GONZÁLEZ VARELA is the owner of the database and is responsible for its processing and management.

xii. Data Controller: The natural or legal person, public or private, who collects personal data and determines its purpose, content, and use. In this case, it refers to the Administrative Management of ALAN ALBEIRO GONZÁLEZ VARELA.

xiii. Data Subject: The natural person whose data is being processed. In the case of legal entities, the name is regarded as a constitutionally protected fundamental right.

xiv. Processing of Personal Data: Any operation or set of operations, whether automated or manual, performed on personal data, such as collection, recording, storage, preservation, use, circulation, modification, blocking, deletion, among others.

xv. User: The natural or legal person interested in using personal data.

xvi. Personal Data Breach: A criminal offense established by Law 1273 of 2009, Article 269F of the Colombian Penal Code. The prohibited conduct is as follows: “Anyone who, without authorization, for personal gain or the benefit of a third party, obtains, compiles, extracts, offers, sells, exchanges, sends, buys, intercepts, discloses, modifies, or uses personal codes or personal data contained in databases, files, or similar media, shall be punished with imprisonment from forty-eight (48) to ninety-six (96) months and a fine ranging from 100 to 1,000 legal monthly minimum wages in force.”

xvii. Security Breaches of Personal Data: Any situation that implies a violation of the security measures adopted by ALAN ALBEIRO GONZÁLEZ VARELA to protect the personal data entrusted to its custody, either as data controller or processor, as well as any conduct that results in the improper processing of personal data contrary to the provisions herein or the law. Any security incident affecting personal data under the custody of ALAN ALBEIRO GONZÁLEZ VARELA must be reported to the relevant supervisory authority.

IV. PURPOSE

To adopt and establish the rules applicable to the processing of personal data collected, processed, and/or stored by ALAN ALBEIRO GONZÁLEZ VARELA in the development of its corporate purpose, whether acting as data controller and/or data processor.

The rules contained in this Manual comply with the provisions of Law 1581 of 2012, its regulatory Decree 1377 of 2013, and Article 15 of the Political Constitution of Colombia, regarding the guarantee of individuals’ privacy, the exercise of Habeas Data, and the protection of personal data, in harmony with the right to information. These rights are proportionally regulated within ALAN ALBEIRO GONZÁLEZ VARELA to prevent their violation.

V. SCOPE OF APPLICATION

This policy shall apply to the processing of personal data carried out within Colombian territory, or when the applicable regulations apply to the data controller and/or processor located outside of Colombian territory, by virtue of international treaties, contractual relationships, among others.

The principles and provisions contained in this policy shall apply to any database containing personal data under the custody of ALAN ALBEIRO GONZÁLEZ VARELA, whether acting as data controller and/or as data processor.

VI. PRINCIPLES APPLICABLE TO THE PROCESSING OF PERSONAL DATA

The protection of personal data within ALAN ALBEIRO GONZÁLEZ VARELA shall be governed by the following fundamental principles or rules:

i. Legality in Data Processing: The processing referred to in Law 1581 of 2012 and its regulatory decrees is a regulated activity that must adhere to the provisions set forth therein and in any other applicable regulations.

ii. Purpose: The processing must serve a legitimate purpose in accordance with the Constitution, the law, and its regulatory decrees, and this purpose must be communicated to the data subject.

iii. Freedom: Processing may only be carried out with the prior, express, and informed consent of the data subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that waives the need for consent.

iv. Truthfulness or Quality: The information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. The processing of partial, incomplete, fragmented, or misleading data is prohibited.

v. Transparency: The data subject must be guaranteed the right to obtain, at any time and without restriction, information from the data controller or the data processor regarding the existence of data that concerns them.

vi. Restricted Access and Circulation: Processing is subject to the limits derived from the nature of personal data, the provisions of the Constitution, the law, and its regulatory decrees. Accordingly, data may only be processed by individuals authorized by the data subject and/or by persons designated by law. Except for public information, data may not be available on the Internet or other mass communication or dissemination media, unless access is technically controllable to provide restricted knowledge solely to the data subjects or third parties authorized under Law 1581 of 2012.

vii. Security: The information subject to processing by the data controller or data processor under Law 1581 of 2012 must be handled using the technical, human, and administrative measures necessary to ensure the security of the records and prevent their alteration, loss, unauthorized consultation, use, or fraudulent access.

viii. Confidentiality: All individuals involved in the processing of personal data that is not of a public nature are obliged to maintain the confidentiality of the information, even after their relationship with any of the activities involving the processing has ended. Disclosure or communication of personal data is permitted only when it aligns with authorized activities under the law and within the terms provided by the same.

VII. RIGHTS OF DATA SUBJECTS

The data subjects whose personal data is stored in the information systems of ALAN ALBEIRO GONZÁLEZ VARELA are entitled to the rights described in this section, in accordance with the fundamental guarantees set forth in the Political Constitution and the Law.

The exercise of these rights shall be free of charge and governed by the provisions of this policy, which in no case shall contravene applicable regulations.

The exercise of Habeas Data, as expressed through the following rights, is a strictly personal right and shall be exercised exclusively by the data subject, except for the exceptions provided by law.

i. Right of Access to Information
This right allows the data subject to obtain, free of charge, all information regarding their personal data, the processing applied to it, the purpose of the processing, and any disclosures and/or transfers made in relation to it.

ii. Right to Update
This right allows the data subject to update their personal data when any changes have occurred.

iii. Right to Rectification
This right allows the data subject to correct data that is found to be inaccurate, incomplete, or nonexistent.

iv. Right to Withdraw Consent and/or Request Data Deletion
Data subjects may, at any time, request the data controller or data processor to delete their personal data and/or revoke the consent or authorization granted for its processing, by submitting a formal request.

Requests for deletion or revocation will not be applicable when the data subject has a legal or contractual obligation to remain in the database.

v. Right to Submit Complaints and Claims or Take Legal Action
The data subject has the right to file complaints and claims before the Superintendence of Industry and Commerce or the competent authority, for violations of the provisions set forth in Law 1581 of 2012, or in the regulations that supplement or amend it.

VIII. AUTHORIZATION FOR THE PROCESSING OF PERSONAL DATA

Without prejudice to the exceptions established by law, the processing of personal data requires the prior and express authorization of the data subject, by any means that allows for subsequent consultation.

Exceptionally, this authorization shall not be required in the following cases:

i. When requested by a public or administrative entity in the exercise of its legal functions, or by court order.
ii. When the data is of a public nature.
iii. In cases of medical or health emergencies.
iv. When the processing is authorized by law for historical, statistical, or scientific purposes.
v. When the personal data is related to the Civil Registry of individuals.

In these cases, although the data subject’s authorization is not required, all other legal principles and provisions regarding the protection of personal data shall still apply.

IX. PROCEDURE FOR EXERCISING DATA SUBJECT RIGHTS

In compliance with constitutional and legal provisions on the protection of personal data, ALAN ALBEIRO GONZÁLEZ VARELA informs interested parties of the following procedure:

i. The data subject and/or their representative must prove their identity by providing a copy of the relevant document and a valid identification document, either physically or by email if the documents are digitized. If the data subject is represented by a third party, a duly notarized power of attorney must be provided. The representative must also prove their identity as indicated above.

ii. The request to exercise any of the aforementioned rights must be submitted in writing or via email. It may be addressed to the main office located at Carrera 100 No. 5 – 169, Unicentro Oasis, Office 405 D, Cali, or via email to ag@alangonzalez.com, within thirty (30) business days from the date the authorization was issued.

iii. For inquiries related to procedures, the following customer service phone numbers are available: (+57) 318 888 99 95, (+57) 318 888 99 94, and (+57) 318 888 99 90.

iv. The request to exercise any of the aforementioned rights must include the following information:

  • Full name of the data subject and, where applicable, of their representative.

  • A specific and clear request for information, updating, rectification, revocation of consent, and/or deletion of the data. Each request must be reasonably justified for ALAN ALBEIRO GONZÁLEZ VARELA, as the data controller, to respond accordingly.

  • Physical and/or email address for notifications.

  • Supporting documents as described in the previous items.

  • Signature of the data subject submitting the request.

If any of the required elements are missing, ALAN ALBEIRO GONZÁLEZ VARELA will notify the requester within five (5) business days following receipt of the request so that the deficiencies can be corrected. If two (2) months pass without the required information being provided, it will be understood that the request has been withdrawn.

ALAN ALBEIRO GONZÁLEZ VARELA may provide physical and/or digital forms for the exercise of these rights, indicating whether the submission concerns a query or a claim.

Within two (2) business days of receiving a complete request, ALAN ALBEIRO GONZÁLEZ VARELA will indicate that the claim is being processed. The relevant database must include a field that notes the following statuses: “Claim in process” and “Claim resolved.”

When ALAN ALBEIRO GONZÁLEZ VARELA acts as the data controller for the personal data stored in its information systems, it shall respond to the request within ten (10) business days if it is a query, and within fifteen (15) business days if it is a claim. The same timeframe applies if ALAN ALBEIRO GONZÁLEZ VARELA verifies that it does not possess the data of the individual exercising any of the stated rights.

If a query cannot be answered within ten (10) business days, the individual will be informed of the reasons for the delay and the date on which the query will be addressed, which must not exceed five (5) business days after the original deadline.

In the case of claims, if a response cannot be provided within fifteen (15) business days, the individual will be informed of the reasons for the delay and the date on which the claim will be addressed, which must not exceed eight (8) business days after the original deadline.

ALAN ALBEIRO GONZÁLEZ VARELA will document and store the requests made by data subjects or interested parties in the exercise of their rights, as well as the responses provided to such requests.

In order to file a legal action before the Superintendence of Industry and Commerce, the procedures for queries and/or claims described herein must first be exhausted.

X. DUTIES OF THE RECIPIENTS OF THIS POLICY REGARDING PERSONAL DATA DATABASES WHEN ACTING AS CONTROLLERS OR PROCESSORS

i. Duties of Data Controllers

When ALAN ALBEIRO GONZÁLEZ VARELA assumes the role of Data Controller, they must fulfill the following duties, without prejudice to other obligations established by Law or applicable regulations:

a) Guarantee the data subject, at all times, the full and effective exercise of the right to Habeas Data.
b) Request and retain, under the conditions provided by Law 1581 of 2012, a copy of the authorization and consent granted by the data subject.
c) Properly inform the data subject of the purpose of the data collection and the rights granted to them through the authorization.
d) Store the information under appropriate security measures to prevent its alteration, loss, or unauthorized or fraudulent consultation, use, or access.
e) Ensure that the information provided to the data processor is truthful, complete, accurate, up-to-date, verifiable, and understandable.
f) Update the information, communicating promptly to the processor any changes regarding the data previously provided, and take the necessary steps to ensure that the information remains current.
g) Rectify the information when it is incorrect and notify the data processor accordingly.
h) Provide the processor only with data whose processing has been previously authorized in accordance with Law 1581 of 2012.
i) Require the processor to always respect the security and privacy conditions of the data subject’s information.
j) Address inquiries and complaints submitted by data subjects as outlined in this policy and Law 1581 of 2012.
k) Adopt an internal manual of policies and procedures to ensure proper compliance with Law 1581 of 2012, especially for addressing inquiries and complaints.
l) Inform the data processor when any information is under dispute by the data subject, once a complaint has been submitted and is pending resolution.
m) Inform the data subject, upon request, of how their data is being used.
n) Notify the data protection authority when there are breaches of security codes and risks related to the management of the data subjects’ information.
o) Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

ii. Duties of Data Processors

When ALAN ALBEIRO GONZÁLEZ VARELA or any recipient of this policy assumes the role of Data Processor, they must comply with the following duties, without prejudice to any other applicable legal provisions:

a) Guarantee the data subject, at all times, the full and effective exercise of the right to Habeas Data.
b) Store the information under appropriate security measures to prevent its alteration, loss, or unauthorized or fraudulent consultation, use, or access.
c) Timely update, correct, or delete the data as required by law.
d) Update the information reported by the controller within five (5) business days from receipt.
e) Handle inquiries and complaints submitted by data subjects in accordance with this policy and the law.
f) Adopt an internal manual of policies and procedures to ensure proper legal compliance, especially in handling data subject inquiries and complaints.
g) Record in the database the label “Claim in process” as regulated by law, for unresolved complaints submitted by data subjects.
h) Add to the database the label “Information under judicial review” once notified by the competent authority about judicial proceedings regarding the data.
i) Refrain from sharing information that is being disputed by the data subject and has been ordered to be blocked by the Superintendence of Industry and Commerce.
j) Allow access to the information only to individuals authorized to do so by the relevant department vice president.
k) Notify the Superintendence of Industry and Commerce in the event of breaches of security codes and when there are risks in managing data subjects’ information.
l) Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

To ensure compliance with these duties and the other obligations established in this policy, ALAN ALBEIRO GONZÁLEZ VARELA may establish the necessary internal bodies and assign them appropriate responsibilities.

XI. FORM AND MECHANISMS FOR GRANTING AUTHORIZATION

The data subject’s authorization will be documented through each of the data collection channels and mechanisms established by ALAN ALBEIRO GONZÁLEZ VARELA. This authorization may be provided in physical, electronic, or any other format that ensures future consultation.

Committed to the protection and proper management of personal data, ALAN ALBEIRO GONZÁLEZ VARELA has established various reception channels through which the data subject may provide their personal information. These channels include:

  1. Website: https://alangonzalez.com/

  2. Facebook

  3. Instagram: @alangonzalezmd

  4. WhatsApp:

    • Bogotá: +(571) 318 888-9995 / +(57) 318 222-5770

    • Cali: +(572) 318 888-9994

    • Cartagena: +(575) 318 888-9996

  5. Landline (Switchboard):

    • Bogotá: +(57) 1 316-3360 / +(57) 1 622-4123

    • Cali: +(57) 2 332-2038

  6. Mobile Phone:

    • Bogotá: +(571) 318 888-9995 / +(57) 318 222-5770

    • Cali: +(572) 318 888-9994

    • Cartagena: +(575) 318 888-9996

  7. Email: ag@alangonzalez.com

Each established channel will have a designated person in charge who must ensure that the data subject has been informed that their personal data will be collected and used for specific and known purposes. They must also ensure that the data subject is aware of their right to access, update, and be informed about any changes and the specific use of their data. This is to enable the data subject to make informed decisions regarding their personal data and to exercise control over how their personal information is used.

In the event of doubts regarding the processing of personal data, the person in charge of each reception channel or the information security officer—namely, the Communications Department of ALAN ALBEIRO GONZÁLEZ VARELA—shall be consulted to determine the appropriate procedure to follow in each case.

XII. CENTRAL REGISTRY OF PERSONAL DATA DATABASES

ALAN ALBEIRO GONZÁLEZ VARELA, as the data controller in the processing of personal data within the scope of his business activities, as well as in cases where he acts as a data processor, will maintain a central registry listing each personal data database contained in his information systems.

The central registry of personal data databases will allow for:

i. The registration of all personal data databases contained in the information systems of ALAN ALBEIRO GONZÁLEZ VARELA. Each database will be assigned a registration number.

ii. The registration of personal data databases will include:
(I) The type of personal data contained;
(II) The purpose and intended use of the database;
(III) Identification of the department within ALAN ALBEIRO GONZÁLEZ VARELA responsible for processing the database;
(IV) The processing system used (automated or manual);
(V) The level and type of security measures applicable to the database based on the type of data it contains;
(VI) The physical or digital location of the database within the information systems of ALAN ALBEIRO GONZÁLEZ VARELA;
(VII) The group of individuals or stakeholders whose personal data is included in the database;
(VIII) Whether ALAN ALBEIRO GONZÁLEZ VARELA acts as the data controller or processor;
(IX) Authorization for communication or transfer of the database, if applicable;
(X) The origin of the data and the method by which consent was obtained;
(XI) The designated data custodian within ALAN ALBEIRO GONZÁLEZ VARELA;
(XII) Any additional requirements applicable under the relevant data protection regulations.

iii. On a monthly basis, updates to the personal data databases will be recorded for compliance and auditing purposes. If no updates have occurred, this will be noted by the database custodian.

iv. Any security incidents involving personal data databases held by ALAN ALBEIRO GONZÁLEZ VARELA will be documented in this central registry, including their history.

v. The registry will include any penalties imposed in relation to the use of personal data databases, identifying the origin of such penalties.

vi. The deletion or cancellation of a personal data database will be recorded, along with the reasons and technical measures implemented by ALAN ALBEIRO GONZÁLEZ VARELA to ensure effective cancellation.

XIII. PROCESSING OF PERSONAL DATA

The operations that constitute the Processing of Personal Data by ALAN ALBEIRO GONZÁLEZ VARELA, in his capacity as data controller or processor, shall be governed by the following parameters:

i. Processing of Personal Data from the general community:

The collection of data from natural persons carried out by ALAN ALBEIRO GONZÁLEZ VARELA in the development of community-related actions—whether resulting from social responsibility, political initiatives, or any other activity—shall be subject to the provisions set forth in this Policy Manual. For this purpose, ALAN ALBEIRO GONZÁLEZ VARELA will inform and obtain prior authorization from the data subjects through the documents and instruments used for such activities.

In general terms, the processing of personal data provided by the different stakeholders of ALAN ALBEIRO GONZÁLEZ VARELA shall have the following purposes:

a. To register and update information provided by the data subject.
b. To provide healthcare services.
c. To characterize and monitor the population for health risk management, using data derived from healthcare services.
d. To submit mandatory public health reports.
e. To respond to requests from oversight authorities.
f. To evaluate timeliness and quality indicators of the services.
g. To assess the quality of healthcare products and services offered by the institution.
h. To carry out personnel selection processes based on suitability for a role or task.
i. To establish a contractual relationship.
j. To comply with the enrollment process to the General System of Social Security (health promoting entities, occupational risk administrators, pension and severance funds, and family compensation funds).
k. To assess employee performance, job satisfaction, personal development, well-being, occupational safety, and health.
l. To offer training opportunities.
m. To process remuneration.
n. To share institutional developments in research, academics, and clinical areas.
o. To make financial recognition for service delivery.
p. To present reports to educational institutions.
q. To invite individuals to clinical and academic events.
r. For commercial purposes.
s. To assess the knowledge acquired during training.
t. To provide information to competent authorities when requested.
u. To comply with judicial requirements.
v. To exercise and defend legal actions.
w. To provide information for verification against restricted lists under the Money Laundering and Terrorism Financing Risk Management System (SARLAFT).

ii. Disclosure of personal data to authorities:

When government authorities request access to and/or delivery of personal data held in any of ALAN ALBEIRO GONZÁLEZ VARELA’s databases, the legality of the request will be verified, the relevance of the requested data in relation to the stated purpose will be assessed, and the delivery of the requested personal information will be properly documented. This is to ensure the data’s authenticity, reliability, and integrity, and to advise both the requesting official and the recipient, as well as the requesting entity, of their responsibility to safeguard the data.

The authority requesting the personal data will be warned about the applicable security measures and the risks involved in the misuse or improper handling of such data.

XIV. EFFECTIVE DATE

This is version 01 of the Personal Data Processing Policy. It shall take effect from the date of its publication and shall remain in force for as long as the purpose of the processing of personal data aligns with the legal nature and objectives of ALAN ALBEIRO GONZÁLEZ VARELA.