DATA LIFECYCLE REGULATION POLICY
CENTRO ONCOLÓGICO ANTIOQUIA S.A.S.
In compliance with the provisions of Statutory Law 1581 of 2012, its Regulatory Decree 1377 of 2013, Article 15 of the Political Constitution, and the recommendations issued by the Personal Data Protection Delegation of the Superintendency of Industry and Commerce, CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. has adopted this policy to regulate the various stages of the lifecycle of the data it processes, in its capacity as the data controller.
PURPOSE
To establish the parameters under which all personal data must be processed and managed at each stage of the data lifecycle.
OBJECTIVES
This policy serves to implement procedures for the collection, processing, storage, and final disposition of personal data in order to guarantee control, parameterization, and traceability in the processing and protection of such data. The policy aims to create an organized framework to safeguard private, semi-private, public, and sensitive data belonging to data subjects.
ACCESS TO THE POLICY
This policy must be presented and made visibly available on the official sites of CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. and on the website www.coa.com.co for easy access and consultation by the general public.
LEGAL AND REGULATORY FRAMEWORK
The regulatory framework governing the processing of personal data includes:
• Political Constitution, Article 15
• Law 1266 of 2008
• Law 1581 of 2012
• Regulatory Decree 1727 of 2009
• Regulatory Decree 2952 of 2010
• Regulatory Decree 1377 of 2013
• Constitutional Court Rulings C-1011 of 2008 and C-748 of 2011
• Circular 03 of November 3, 2015
RIGHTS OF THE DATA SUBJECT
According to the applicable regulations on data protection, data subjects have the following rights:
• To access, know, update, and rectify their personal data held by CENTRO ONCOLÓGICO ANTIOQUIA S.A.S., as the data controller. This right may be exercised with regard to partial, inaccurate, incomplete, misleading, or unauthorized data.
• To request proof of the authorization granted to CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. for data processing, by any valid means, except in cases where such authorization is not required.
• To file complaints with the Superintendency of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and related regulations, after first submitting a consultation or request to CENTRO ONCOLÓGICO ANTIOQUIA S.A.S.
• To revoke the authorization and/or request the deletion of the data when the processing does not comply with constitutional and legal principles, rights, and guarantees.
• To access their personal data free of charge at least once per calendar month, and each time there are substantial changes to this policy that prompt further consultation.
DATA CONTROLLER
For the purposes of this policy, CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. is the data controller of personal data and databases.
The processing of personal data must be carried out under the terms and scope of the authorization given by the data subject or under applicable legal exceptions. Any request related to the rights and obligations outlined in this policy may be submitted through the following communication channels enabled to receive complaints, claims, inquiries, and/or requests related to personal data processing: Carrera 48 #48A Sur-107, Envigado – Antioquia, Phone: (+57) 604 322 1024, Email: informacion.coa@quironsalud.com. Any communication channels not listed above, including institutional websites and social media platforms, are not considered valid for this purpose.
DATA COLLECTION
Data will be collected depending on the nature of the data subject, through the following methods:
• For patients: data will be collected through information provided by the patient, their companions, or their health insurance provider (EPS or other).
• For suppliers and contractors: data will be collected through a form they must complete, mainly including public data.
• For employees: data will be collected through a form and their employment résumé.
• For business partners: data will be collected through the necessary exchanges for executing the corresponding contracts.
DATA PROCESSING
The processing of data will be carried out in accordance with the specific purposes set forth in the entity’s personal data processing policy.
DATA STORAGE
Data will be stored in compliance with the highest information security standards applicable to the sector. For clinical records, the strictest preservation and security measures will be applied.
For other databases, the storage duration will be determined by the applicable legal minimum retention periods.
SPECIFIC PURPOSES
The specific purposes for the processing of collected data will be those established in the personal data processing policy or in the relevant privacy notices used to request authorization from data subjects.
DATA TRANSFER
Data may be processed by a data processor under a data transfer agreement, in accordance with Article 25 of Decree 1377 of 2013.
FINAL DISPOSITION
Data will remain in the custody of the entity for the legally required minimum period. Data will not be deleted if there is a contractual relationship or a legal obligation requiring its retention. If the entity is authorized to permanently delete data, such deletion may proceed upon express request or authorization from the data subject. This excludes temporary databases where long-term retention is not necessary.
VALIDITY, VERSIONS, AND UPDATES TO THE POLICY
This personal data processing policy is effective as of April 21, 2023, and complements any related policies with indefinite validity. Any substantial changes to this policy will be communicated in a timely manner to data subjects through standard contact methods and/or the website, in accordance with Law 1581 of 2012, its regulatory decrees, and other applicable laws.