Data protection policy

POLICY FOR THE PROCESSING AND PROTECTION OF PERSONAL DATA

PREAMBLE

Thank you for contacting the companies of the Quirónsalud Business Group. The following companies are part of the business group: Cedimed S.A.S., Clínica Medellín S.A.S., Clínica Del Prado S.A.S., Clínica de la Mujer S.A.S., Oftalmoservicios IPS S.A.S., Centro Oncológico de Antioquia – COA, Clínica Imbanaco S.A.S., Inversiones Médicas de Antioquia S.A. – Clínica Las Vegas, and Clínica Oftalmológica de Antioquia S.A.S. – Clofán.

We inform you that this Privacy Notice establishes the terms and conditions under which the companies of the Quirónsalud Group, hereinafter referred to as “The Company,” in its capacity as the data controller pursuant to Statutory Law 1581 of 2012 on the Protection of Personal Data, will process your personal data.

Accordingly, The Company hereby informs you that your personal data may be collected, stored, organized, used, processed, deleted, anonymized, dissociated, transmitted, and transferred to third parties within and outside the national territory and, in general, be subject to processing, in order to fulfill the purposes described below:

a) Ensure the proper provision of the services offered by the company;
b) Handle orders, requests, or any type of petition made by you as a user or client of our services through any means of contact;
c) Respond to requests or petitions made by you through any of our communication channels.

The aforementioned activities may be carried out by sending emails, SMS, MMS, messages through social media, instant messaging services, and applications, as well as by phone calls. Your personal data may also be transferred to third-party business partners, affiliates, parent companies, and subsidiaries of The Company, in order to fulfill the purposes mentioned above.

DATA SUBJECTS’ RIGHTS

As the owner of your personal data, you have the right to:
(i) Freely access the personal data you have provided that has been subject to processing.
(ii) Know, update, and rectify your information regarding partial, inaccurate, incomplete, or misleading data, or data whose processing is prohibited or unauthorized.
(iii) Request proof of the authorization granted.
(iv) File complaints before the Superintendence of Industry and Commerce (SIC) for violations of the current data protection regulations.
(v) Revoke the authorization and/or request the deletion of your data, provided there is no legal or contractual obligation preventing their deletion.
(vi) Refrain from answering questions about sensitive data. Responses regarding sensitive data or the data of children and adolescents shall be optional.

You may exercise your rights at any time by sending an email to the following address: protecciondedatos@quironsalud.com, indicating or stating in the subject line: “Consultation or Complaint – Statutory Law 1581 of 2012.”

MECHANISMS TO ACCESS THE DATA PROCESSING POLICY

The Data Subject may access our Personal Data Processing Policy, which is published on the homepage of the websites of the companies that are part of the Quirónsalud Group.

In compliance with the provisions of Statutory Law 1581 of 2012, Regulatory Decree 1377 of 2013, and Article 15 of the Colombian Political Constitution, the company CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. adopts this manual for the processing of personal data. In doing so, the company affirms its commitment to guaranteeing the rights to privacy, intimacy, and good name in the handling of personal data. Consequently, all its actions will be governed by the principles of legality, purpose, freedom, truthfulness or quality, transparency, restricted access and circulation, security, and confidentiality.

RETROACTIVE EFFECT OF THE MANUAL

The databases of CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. shall be adjusted and configured so that they can be categorized and grouped based on the use of personal data, in accordance with the scope of the authorization granted for the processing of such data, and any other requirements established by applicable regulations. This manual replaces and nullifies any previous manual, agreement, policy, or convention issued by CENTRO ONCOLÓGICO ANTIOQUIA S.A.S.

VALIDITY, VERSIONS, AND UPDATES OF THE POLICY

This policy for the processing of personal data has been in effect since April 21, 2023, and complements associated policies, with indefinite validity. Any substantial changes to the personal data processing policies will be promptly communicated to the data subjects through customary contact channels and/or via the website, in accordance with Law 1581 of 2012, its regulatory decrees, and any other applicable regulations.

NATURE OF PROTECTION

The fundamental right of habeas data seeks to guarantee citizens the power of decision and control over their personal information—specifically, over how it is used and managed. The right to personal data protection grants individuals various powers to maintain control over their personal data. These include the right to know who holds their data, how it is being used, and to define who can access it. The law also grants them the ability to object to such possession and use. This ensures that databases are properly aligned with legal requirements.

Law 1581 of 2012 establishes a series of guarantees and mechanisms to ensure the effective exercise of this fundamental right. Accordingly, the purpose of this manual is to address such guarantees and mechanisms, particularly considering the role of CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. as a data controller, as outlined in item (k) of Article 17 of the aforementioned law.

The right to data protection allows each data subject to know who holds their information, how it is being used, and to define who may access it.

The law gives data subjects the power to consult, modify, delete, and recover their information and establishes guarantees and tools to uphold this fundamental right.

PURPOSE

To define the parameters under which all personal data of natural and legal persons provided to CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. must be processed and managed, including third-party databases managed by the organization as part of its corporate purpose.

GOAL

This manual is intended to implement the procedures for collecting and processing personal data in accordance with legal provisions. It aims to establish an organized framework for safeguarding private, semi-private, public, and sensitive data of its subjects.

CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. will implement a comprehensive data management manual based on the guidelines established by the Superintendence of Industry and Commerce and under the principle of demonstrated accountability.

SCOPE OF APPLICATION

This manual must be known and applied by all employees, officials, and departments of CENTRO ONCOLÓGICO ANTIOQUIA S.A.S., as well as by its clients and independent contractors—particularly those who handle personal data and manage the company’s databases.

DATABASES

The policies and procedures outlined in this manual apply to all databases managed by CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. and shall be registered in accordance with the law, as soon as the procedures and conditions for registration before the Data Protection Delegation of the Superintendence of Industry and Commerce are regulated.

PRINCIPLES

All processing of personal data carried out by CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. shall adhere to the principles established in the Colombian general data protection regime, particularly the following:
• Principle of Legality in Data Processing: The processing of personal data by CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. must comply with the applicable Colombian legal framework, including this policy and all relevant provisions under the General Regime for the Processing of Personal Data.
• Principle of National Jurisdiction: The processing of personal data by CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. is aligned with the purposes established in this policy, which are in accordance with Colombian law. In matters not regulated by this policy, the applicable higher-ranking legal norms shall prevail, including any that amend, supplement, or repeal it.
• Principle of Freedom: CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. processes personal data based on the prior, express, and informed consent of the data subject.
• Principle of Truthfulness or Quality: The data processed by CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. must be accurate, complete, updated, verifiable, and understandable.
• Principle of Transparency: CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. guarantees that data subjects may access information about their personal data at any time and without restrictions, according to the procedures described in this manual.
• Principle of Restricted Access and Circulation: CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. ensures that personal data processing is carried out only by individuals authorized by the data subject and/or those permitted by law.
• Principle of Security: CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. shall implement all necessary technical, human, and administrative measures to protect the personal data in its databases, preventing unauthorized or unintended access, alteration, loss, or consultation.
• Principle of Confidentiality: The processing of personal data in the organization’s databases shall be carried out with strict confidentiality and discretion, in accordance with the purposes described in this policy.

POLICY AVAILABILITY

This policy must be displayed and made available in a visible location on CENTRO ONCOLÓGICO ANTIOQUIA S.A.S.’s official premises and main website, for easy consultation and public access.

DATA CATEGORIES

In line with the principle of private autonomy and based on the types of data processed, CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. classifies data as follows, in accordance with applicable legislation:
• Personal Data: Any information that can be linked to one or more natural persons.
• Public Data: Information found in public documents, such as civil status, profession, and status as a public servant or merchant. Examples include data on a national ID card, public records, and final court rulings not subject to confidentiality.
• Semi-private Data: Information that concerns both the data subject and a specific group or sector, such as commercial or professional activity.
• Private Data: Information of an intimate and reserved nature, of exclusive interest to the data subject.
• Reserved Data: Information of a confidential nature or that holds significant commercial value by itself.
• Sensitive Data: Information that affects the privacy of the data subject or may lead to discrimination. This includes data regarding sexual orientation, political opinions, ethnic or racial origin, religious or philosophical beliefs, and participation in unions, human rights organizations, or other social groups.

DEFINITIONS

• Authorization: Permission granted by the data subject to process their personal data. It must be express, granted prior to data processing, and retrievable afterward. It may be granted through any known or future means, provided it meets the required characteristics.
• Privacy Notice: A communication from the data controller to the data subject informing them of the existence of data processing policies, how to access them, and the purposes of the processing.
• Database: An organized set of personal data processed by the data controller or processor.
• Data Processor: A natural or legal person, public or private, who processes personal data on behalf of the data controller.
• Minor: Any person under the age of 18, including children and adolescents (whether pubescent or not).
• Regulations: The body of laws and decrees governing a specific subject matter. In this case, it refers to personal data protection laws.
• Data Controller: A natural or legal person, public or private, with the legal authority to decide on the processing of personal data or the database itself.
• Data Subject: The natural person to whom the personal data refers.
• Data Transfer: The act of a data controller or processor sending personal data to another controller located within or outside of Colombia.
• Data Transmission: The communication of personal data by a data processor on behalf of the controller, either within or outside Colombia.
• Personal Data Processing: The full range of operations performed on personal data, such as collection, storage, and use.

LEGAL AND REGULATORY FRAMEWORK

The following is the set of regulations governing the processing of personal data:
• Colombian Political Constitution, Article 15
• Law 1266 of 2008
• Law 1581 of 2012
• Regulatory Decree 1727 of 2009
• Regulatory Decree 2952 of 2010
• Regulatory Decree 1377 of 2013
• Constitutional Court Rulings C-1011 of 2008 and C-748 of 2011
• Circular 03 dated November 3, 2015

DATABASE STORAGE

Data subjects are informed that the databases of CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. are stored on the company’s own computers and/or servers. Additionally, some databases may be stored physically. The type of storage for each database will be clearly specified in its corresponding registration in the National Database Registry (RNBD).

DATA SUBJECT RIGHTS

According to current data protection regulations, data subjects are entitled to the following rights:
• To access, know, update, and rectify their personal data held by CENTRO ONCOLÓGICO ANTIOQUIA S.A.S., in its capacity as data controller. This right may be exercised, among others, in the case of partial, inaccurate, incomplete, misleading data, or when the processing is explicitly prohibited or unauthorized.
• To request proof of the authorization granted to CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. for the processing of personal data, by any valid means, except in cases where authorization is not required.
• To file complaints before the Superintendence of Industry and Commerce for violations of Law 1581 of 2012 and any other regulations that modify, add to, or complement it, after submitting a prior query or request to CENTRO ONCOLÓGICO ANTIOQUIA S.A.S.
• To revoke consent and/or request the deletion of data when the processing does not comply with constitutional and legal principles, rights, and guarantees.
• To access their personal data free of charge, at least once per calendar month, and every time there are substantial changes to this policy that warrant further consultation.

These rights may be exercised by:
• The data subject, who must properly prove their identity through the mechanisms made available by CENTRO ONCOLÓGICO ANTIOQUIA S.A.S.
• The data subject’s successors, who must provide proof of such status.
• The data subject’s representative and/or attorney, with proper documentation of representation or authorization.
• Any person acting in the interest of or on behalf of the data subject, provided they can demonstrate a legally protected interest, at least preliminarily.

DATA CONTROLLER

For the purposes of this manual, CENTRO ONCOLÓGICO ANTIOQUIA S.A.S., legally represented by Vadin Ángel Ramírez Agudelo, located at Carrera 48 #46A Sur-107, Envigado – Antioquia, phone (+57) 604 322 1024, email informacion.coa@quironsalud.com, shall be the data controller responsible for the processing of personal data and databases.

The processing of personal data shall be carried out in accordance with the scope and terms of the authorization granted by the data subject or, when applicable, under the provisions of special regulations that establish legal exceptions.

Any request related to the exercise of the rights and duties outlined in this manual may be submitted through the following contact channels:

Carrera 48 #46A Sur-107, Envigado – Antioquia
Phone: (+57) 604 322 1024
Email: informacion.coa@quironsalud.com

DATA PROCESSING OFFICER

For the purposes of this manual, all those responsible—according to each case—for the areas or administrative departments from which the request for personal data processing originates, or for the databases containing personal data subject to the rights, obligations, or actions established in this manual, shall be considered data handlers under the commitment of CENTRO ONCOLÓGICO ANTIOQUIA S.A.S.

Mrs. Alejandra María Isaza López is appointed as the Data Processing Officer, representing all areas of the organization. The communication channels through which data subjects may contact the officer are:

Address: Carrera 48 #46A Sur-107, Envigado – Antioquia
Phone: (+57) 604 322 1024
Email: alejandra.isaza@quironsalud.com

All employees of CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. are required to comply with this policy and the instructions and procedures issued for its proper implementation, ensuring at minimum the standards established by Law 1581 of 2012 and its complementary or regulatory norms. All personnel must be familiar with their respective duties regarding personal data protection.

Among the responsibilities of the data processing officer is appointing an individual within the organization to perform the following functions:

• Promote the creation and implementation of a system to manage risks associated with the processing of personal data.
• Coordinate the definition and implementation of controls within the Comprehensive Personal Data Management Manual.
• Act as liaison and coordinator with other departments to ensure cross-organizational implementation of the manual.
• Promote a culture of data protection within the organization.
• Maintain an inventory of the organization’s personal databases and classify them by type.
• Register the organization’s databases in the National Database Registry and update the reports according to the guidelines issued by the Superintendence of Industry and Commerce (SIC).
• Obtain the SIC’s compliance declarations when required.
• Review the content of international data transfer contracts signed with processors outside Colombia.
• Analyze the responsibilities of each position in the organization to design specific data protection training manuals.
• Conduct general data protection training for all employees.
• Provide necessary training to new employees who, by the nature of their role, will have access to personal data managed by the organization.
• Integrate data protection policies into the activities of all departments (human resources, security, call centers, vendor management, etc.).
• Measure participation and assess performance in data protection training.
• Ensure that successful completion of data protection training is considered in employee performance evaluations.
• Ensure the implementation of internal audit plans to verify compliance with data protection policies.
• Assist the organization during visits and requests from the Superintendence of Industry and Commerce.
• Monitor the application and effectiveness of the Comprehensive Personal Data Management Manual.

CONTINUOUS EVALUATION AND REVIEW BY THE DATA PROCESSING OFFICER

The person responsible for data processing, acting as the guardian and protector of the rights of data subjects and the lawful and proper use of their personal information, shall carry out the following ongoing evaluation and review activities:
• Continuously control and update the inventory of personal data to identify and assess new data collection, usage, and disclosure.
• Review policies in light of audit results or evaluations.
• Maintain historical documentation of impact assessments, security threats, and risk evaluations.
• Periodically review and update the training and education provided to all employees, based on ongoing evaluations, and communicate any changes to the manual’s controls.
• Review and adjust response protocols for handling security breaches and incidents, incorporating best practices, recommendations, and lessons learned from post-incident reviews.
• Review and, if necessary, amend the requirements set out in contracts with data processors.
• Update and clarify external communications to ensure clear explanation of the organization’s data processing policies.
• Submit a semiannual report to the organization’s legal representative detailing risk evolution, implemented controls, monitoring activities, and overall progress and results of the data management manual.

REGISTRATION IN THE NATIONAL DATABASE REGISTRY (RNBD) OF THE SUPERINTENDENCE OF INDUSTRY AND COMMERCE

CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. will comply with all obligations established by applicable regulations regarding the registration and reporting of its databases to the competent authorities. The registration of databases in the RNBD will be conducted in accordance with the parameters set forth in Circular 03 of November 3, 2015.

For the purpose of registering its databases, CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. will prepare an inventory considering the following parameters:

• Number of databases containing personal information.
• Number of data subjects per database.
• Detailed information on the communication channels or mechanisms available to attend to data subjects.
• Type of personal data contained in each database, including identifying, contact, socioeconomic, or sensitive data, among others.
• Physical location of each database (e.g., stored in company archives or servers, whether on internal or external premises).
• If data processing is carried out by one or more data processors, the identification and contact details of said processors will be required.
• Security measures and/or controls implemented in the database to minimize the risk of misuse of personal data.
• Confirmation of whether the company has obtained the authorization of data subjects for the use of their personal information.
• How the data was collected (whether directly from the data subject or through third parties).
• If any international transfer or transmission of the database has occurred, basic information about the recipient will be requested.
• If the database has been assigned to a third party, basic information about the assignee will be requested.

COMPREHENSIVE PERSONAL DATA MANAGEMENT MANUAL

CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. will implement a Comprehensive Personal Data Management Manual, based on the guidelines issued by the Superintendence of Industry and Commerce, following the principle of demonstrated accountability.

POLICY STANDARDS

CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. will include in its data processing policy specific rules covering, among others, the following aspects:
• Collection, storage, use, circulation, and deletion or final disposal of personal data, including the requirements for obtaining authorization from the data subjects.
• Access to and correction of personal data.
• Retention and elimination of personal information.
• Responsible use of information, including administrative, physical, and technological security controls.
• Inclusion of a confidentiality and information handling clause in all company contracts, acknowledging knowledge and acceptance of the company’s policy and allowing the company to use such information responsibly.
• Filing of complaints, claims, and reports.

MONITORING IMPLEMENTATION MEASURES

To this end, CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. will undertake the following actions:
• Establish an effective monitoring process to promptly detect and correct deficiencies in the management of identified risks.
• Set indicators to demonstrate the effectiveness of the adopted risk management system.
• Ensure that controls are operating in a timely, effective, and efficient manner.
• Ensure that residual risks remain within the established acceptable levels.
• Maintain a record of incidents that includes: affected database, compromised data, data subjects involved, date of the incident and of its discovery, corrective actions taken, and those responsible.
• Entities subject to this policy must periodically assess their risks and implement these evaluations throughout the organization, especially in new projects involving personal data.
• It is necessary to develop procedures for conducting these evaluations and to establish a review and approval process involving the person or department responsible for data protection, to ensure their participation in the design of new initiatives, services, or manuals.

AUTHORIZATION FOR USE OF PERSONAL DATA

CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. shall request authorization from data subjects for the processing of their personal data. In this regard, the following principles shall apply:
• The data subject has the right to authorize the processing of their data.
• The authorization must be prior, express, and free of defects in consent.
• CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. shall inform the data subject of the use or purpose of the data processing, and this shall be the only permitted use by CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. as the data controller, and likewise by any data processors involved.

The data subject has the right to revoke the authorization unless there is a legal or contractual obligation to the contrary. In contracts with CENTRO ONCOLÓGICO ANTIOQUIA S.A.S., the collection of personal data is necessary for the provision of the contracted services and shall be used exclusively for those purposes. Data processing shall always be based on the user’s consent and limited by both purpose and duration.

CONFIDENTIALITY AND SECURITY OF DATABASES

CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. shall apply best practices to ensure the security, discretion, and confidentiality of data subjects’ personal data. Where applicable, the company shall verify the existence of legal exceptions before disclosing personal data to authorities or in other relevant situations.

Reserved or confidential data may be provided in written, oral, electronic, magnetic, or digital form, or through access to books, files, or documents.

In addition to data that is clearly and evidently confidential, information shall also be considered reserved or confidential if it is labeled with any of the following terms: “Confidential,” “Reserved,” “Secret,” “Private,” “Privileged,” “Special,” or “Exclusive.”

Protection of confidential, reserved, or privileged information under the custody of CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. shall be governed by information security protocols and confidentiality framework agreements established by the company. Disclosure of such information is strictly subject to the terms set forth in these legal instruments. Therefore, CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. has the obligation to uphold and enforce confidentiality stipulations with third parties and shall maintain absolute secrecy regarding any data protected by these provisions.

Under no circumstances shall data involving industrial or commercial secrets be disclosed.

INFORMATION SECURITY

CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. declares that it has implemented various information security measures, including:
• An Information Security Policy.
• A Contingency Procedure Manual for Information Security.
• Confidentiality framework agreements signed by all clinic employees.
• Special security measures for the storage of databases containing sensitive data.

DATA SUBJECT’S AUTHORIZATION AND CONSENT

CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. requires the free, prior, express, and informed consent of the data subject to process their personal data, except in cases expressly authorized by law, such as:
• Information required by a public or administrative entity in the exercise of its legal functions or by court order.
• Publicly available data.
• Processing authorized by law for historical or statistical purposes.
• Data related to the Civil Registry of Persons.

MEANS OF GRANTING AUTHORIZATION

CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. shall obtain the data subject’s authorization through various means, including physical documents, electronic means, data messages, websites, or any other format that allows for the consent to be obtained through unequivocal actions. Such actions must clearly demonstrate that without the data subject’s or legally authorized person’s consent, the data would not have been stored or captured in the database. Authorization will be requested by CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. prior to any data processing.

REVOCATION OF AUTHORIZATION

Data subjects may revoke the authorization granted to CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. at any time for the processing of their personal data or request the deletion of such data, provided that no legal or contractual provision prevents this. CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. shall establish simple and free mechanisms that allow data subjects to revoke their authorization or request the deletion of their personal data, at least through the same means by which the authorization was initially granted.

Revocation of consent may be expressed either:
• Totally, in relation to all authorized purposes, in which case CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. must cease all data processing activities; or
• Partially, for specific types of processing, in which case only the corresponding processing activities will be suspended.

GUARANTEES OF THE RIGHT TO ACCESS

To ensure the data subject’s right of access, CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. shall provide, upon verification of identity, legitimacy, or the legal authority of a representative, free and unrestricted access to the subject’s personal data in a detailed and clear manner, using any appropriate means, including electronic channels that allow for direct access. This access must be offered without limitations and allow for online viewing and updating.

IDENTIFICATION OF DATABASES

CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. has identified the following databases:

• Public Information Database:
The data in public records originates from the fulfillment of regulated functions, with forms and procedures designed to ensure publicity and enforceability. These are considered public data by law and do not require prior authorization for processing. Any similar records delegated to CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. in the future will be considered of the same nature.
• Health Users and Patients Database:
These are manual or automated databases containing public and private data of natural or legal persons who are users of the health services provided by CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. These users voluntarily authorize the organization through clauses in forms, posted notices, and requests. The data is provided to access healthcare rights and benefits, and will be used solely for relevant purposes. These databases may contain sensitive data, which will only be used for the purposes entrusted.
CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. shall issue notices via email requesting authorization to continue managing databases created prior to the enforcement of Law 1581 of 2012.
• Employee, Member, and Healthcare Provider Databases:
These are manual or automated databases containing data of natural persons linked by employment or service contracts, partnerships, or other agreements. Processing of this data is required to comply with legal and regulatory obligations and includes public, private, sensitive, and minor-related data. Processing for the purposes of such employment or service relationships requires prior authorization from the data subject or their legal representative, which is included in the respective agreement clauses.
CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. shall provide notice requesting authorization to continue processing the data of current or former employees whose data is in databases created prior to the enforcement of Law 1581 of 2012.
• Contractor and Supplier Databases:
These manual or automated databases contain data of natural persons with contractual and commercial relationships with the organization. The purpose of processing is to fulfill contractual terms and manage the procurement of goods and services necessary for the organization’s social and economic objectives. These databases may contain public, private, and sensitive data, and require prior authorization from the data subject for any processing beyond contract fulfillment or legal obligations.
• Strategic Partner Databases:
These manual or automated databases contain personal data of individuals in relationships, agreements, or partnerships with CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. Processing is intended to support strategic partnerships for achieving the organization’s objectives. These databases may contain public, private, and/or sensitive data. Prior authorization is required for processing this data for any purpose beyond the maintenance of the established alliance.

PROCESSING TO WHICH THE DATA WILL BE SUBJECTED AND ITS PURPOSE

The processing of data from data subjects with whom CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. has or may establish a permanent or occasional relationship will be carried out in accordance with the applicable legal framework and will include all actions necessary to fulfill its corporate purpose. In any case, personal data may be collected and processed for the following purposes:

Purpose of the Contractors and/or Suppliers Database:

• Maintain communication with the data subjects regarding the development of institutional activities, in accordance with the profiles of each type of database held by the company.
• Conduct informational marketing activities to improve the services provided by the company and enhance customer knowledge.
• Maintain a consolidated record of users of the web domain, and produce statistics and other activities aimed at obtaining indicators or relevant information to fulfill the corporate purpose.
• Comply with legal and contractual obligations that require the collection of personal information by creating databases for control, supervision, audits, and company projects.
• Evaluate the quality of the services offered by CENTRO ONCOLÓGICO ANTIOQUIA S.A.S.
• Carry out the corporate purpose of CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. in accordance with its bylaws.
• Offer informational services through email communication.
• Comply with the storage of fiscal, accounting, financial, and tax information for payments and deposits to suppliers and/or contractors.
• Request and receive personal, financial, and social security information from public institutions and/or private companies.
• Execute contracts and commercial agreements.
• Analyze and mitigate risks related to:
  • Money Laundering (ML),
  • Terrorist Financing (TF),
  • Financing of the Proliferation of Weapons of Mass Destruction (FPWMD),
  • Corruption, Opacity, Fraud, and Bribery (COFB).
• Conduct profiling of suppliers and contractors.

Purpose of the Employees and Former Employees Database:

• Comply with Colombian legal regulations regarding labor and social security, among others, applicable to employees, former employees, temporary staff, current employees, and potential job candidates.
• Store information related to the résumés of each employee and former employee.

Purpose of the Health Users and Patients Database:

• Preserve and retain clinical and medical records for the legally required duration or as mandated by competent authorities.
• Store information contained in the patient’s medical record for the provision of medical and hospital services.
• Obtain key data for medical, clinical, and epidemiological research, as well as for identifying clinical, scientific, and technological advances.
• Provide information on educational campaigns and special manuals related to health promotion and disease prevention.
• Maintain communication with data subjects regarding clinic-related activities.
• Process data provided by the patient’s health insurance provider (EPS) for medical record contact and control purposes.
• Comply with legal and contractual obligations that require the collection of personal information via database creation for control, supervision, audits, and institutional projects.
• General user service.
• Provide information about our products and services.
• Loyalty and data update programs for patients, members, suppliers, employees, distributors, and other third parties; communicate changes to our products, prices, or services.
• Send account statements.
• Carry out collection, payment processing, inquiries, verifications, and activation of payment methods.
• Comply with the guidelines established by the National Ministry of Health and the Health Department of Antioquia, as well as the company’s biosafety protocols and epidemiological surveillance according to the guidelines set forth in Resolution 0666 of 2020 of the Ministry of Health and Social Protection.

Purpose of the Strategic Partners Database:

• Maintain communication with the data subjects.
• Carry out the corporate purpose of CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. in accordance with its bylaws.

Note: Without prejudice to the purposes mentioned above, CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. may publish on its website a consolidated list of the specific purposes of each of its databases, which may be freely consulted by data subjects to inquire about each specific purpose and use of the data processed by CENTRO ONCOLÓGICO ANTIOQUIA S.A.S.

UPDATE OF DATABASES

Information must be updated as new data is obtained, in accordance with Law 1581 of 2012 and the provisions of this manual’s interim measures.

PROOF OF AUTHORIZATION

CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. will retain proof of the authorization granted by the data subjects for the processing of their personal data. The organization will use available mechanisms and take necessary actions to record the manner and date of such authorization. Therefore, CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. may establish physical files or electronic repositories, either directly or through third-party contractors.

PROCESSING OF CHILDREN’S AND ADOLESCENTS’ DATA

CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. will process minors’ data under the following guidelines: Personal data processing shall ensure respect for the prevailing rights of minors (children and adolescents). When data is collected, Article 7 of Law 1581 of 2012 must be followed. The processing of minors’ personal data is prohibited unless the data is public in nature, in which case the processing must:
• Uphold and respect the best interests of the child.
• Ensure the protection of the minor’s fundamental rights.
• Involve only non-sensitive, non-private, and non-semi-private data with limited impact.
• Involve only data strictly necessary for clinical and medical procedures.

Note: Authorization for processing minors’ data will always be requested from their parents or legal representatives.

REGISTRATION IN THE DATABASE REGISTER OF THE SUPERINTENDENCE OF INDUSTRY AND COMMERCE

CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. will comply with the obligations imposed by law regarding the registration and reporting of its databases to the appropriate authorities.

VALIDITY OF THE POLICY

This policy takes effect from the date of its publication and overrides any institutional provisions that are contrary to it. Matters not addressed in this manual will be governed by Colombia’s current General Data Protection Regime.

PROCESSING OF SENSITIVE DATA

The processing of sensitive data from individuals with whom CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. has or may establish a permanent or occasional relationship will be carried out in accordance with applicable law and will be limited to what is necessary to fulfill the company’s corporate purpose. In any case, personal data may be collected and processed for the following purposes:
• Maintain ongoing communication with data subjects regarding the company’s institutional activities, based on the profile of each database.
• Preserve and retain clinical and medical records for the duration established by law or mandated by competent authorities.
• Maintain a consolidated record of website users, and conduct statistics, surveys, and other activities to gather indicators or information relevant to fulfilling the corporate purpose.
• Comply with legal and contractual obligations that require the collection of personal information by creating databases for audits, supervision, and internal projects.
• Evaluate the quality of services offered by CENTRO ONCOLÓGICO ANTIOQUIA S.A.S.
• Fulfill the company’s corporate purpose in accordance with its bylaws.
• Comply with Colombian labor and social security regulations, applicable to employees, former employees, temporary staff, current employees, and future job applicants.

PROCESSING OF FINANCIAL AND COMMERCIAL DATA

CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. may process commercial and financial information necessary to fulfill its corporate purpose and to enter into contracts with third parties. The data will be processed in full compliance with Colombia’s statutory financial habeas data law. Such processing will be limited to the company’s regular business activities, and the data will not be used for profit.

PROCESSING OF DATA FROM DIRECT EMPLOYEES

The data provided by the employee will be compiled, stored, consulted, used, shared, exchanged, transmitted, and transferred by CENTRO ONCOLÓGICO ANTIOQUIA S.A.S., in order to fulfill the obligations arising from the employment relationship and the exercise of the company’s rights as the EMPLOYER. These purposes include, but are not limited to: hiring, active personnel management, payroll processing and payment of other labor-related compensation, enrollment in the comprehensive social security system, family compensation fund, collective life insurance (if applicable), handling of wage garnishments, employee fund or cooperative deductions, salary management, vacations, surcharges, social benefits, extralegal benefits, severance, bonuses (settlement or retirement), employee oversight and disciplinary actions, employee evaluations, professional development coordination, employee access and assistance with the company’s IT systems, business activity planning, and in general to comply with all legal obligations as an employer, including termination processes with labor and social security authorities. All employee or former employee information will be retained to ensure the company can meet its employer obligations and exercise its legal rights under Colombian labor law.

EMPLOYEE SENSITIVE DATA

The data subject acknowledges, accepts, and freely and voluntarily authorizes the processing of sensitive data related to membership in social organizations, health, lifestyle, intellectual aptitude, and similar matters, for the purposes established in this policy and for compliance with legal and contractual obligations. The employee may contact the employer directly to request changes, deletions, updates, or confirmations of any sensitive data held by the company.

DATA TRANSFERS FOR PROCESSING BY NATIONAL OR INTERNATIONAL THIRD PARTIES

Acceptance of this policy implies the data subject’s acceptance that CENTRO ONCOLÓGICO ANTIOQUIA S.A.S., in accordance with applicable legal provisions, may transmit or transfer their data to third parties within Colombia or abroad.

CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. may transfer or transmit all personal data internationally, provided legal requirements are met. By accepting this policy, the data subject expressly authorizes such transfers and transmissions for any relationship established with the institution.

For international transfers, the company will take necessary measures to ensure third parties are aware of and commit to this policy, under the condition that personal information may only be used for purposes directly related to CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. and only for the duration of the relationship. Article 26 of Law 1581 of 2012 will apply.

Data transmissions performed by CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. do not require prior notification or consent from the data subject when carried out under a data transmission contract, as per Article 25 of Decree 1377 of 2013. The company may also share personal data with governmental or public authorities (including but not limited to judicial, administrative, tax, criminal, civil, or disciplinary authorities), and with third parties involved in legal proceedings, including their accountants, auditors, lawyers, and other advisors or representatives, for the following purposes:
• To comply with applicable laws, including those outside the data subject’s country of residence
• To comply with legal proceedings
• To fulfill contracts, alliances, or agreements
• To meet fiscal or tax audit requirements
• To comply with certification and/or quality entity requirements
• To respond to requests from government and public authorities, including those from outside the data subject’s country of residence
• To enforce internal company terms and conditions
• To protect company operations
• To protect the company’s and third parties’ rights, privacy, security, or property
• To obtain applicable indemnifications or limit damages affecting the company

First Paragraph:
CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. will only transfer medical data internationally when the patient resides or is domiciled permanently in another country and such transfer is required for verification with the respective health insurer.

Second Paragraph:
CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. will not sell or transfer its databases to third parties under any circumstances. The company will implement all necessary measures to prevent improper use of its databases.

Third Paragraph:
CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. may transmit data to health insurance providers (EPS), clinical laboratories, and blood banks in order to provide comprehensive patient care. In these cases, it will sign the appropriate transmission and data protection agreements, specifying confidentiality, data safeguarding, and protection obligations for each data processor. The company will remain the data controller in all such cases.

PROCEDURES FOR THE EXERCISE OF PERSONAL DATA SUBJECTS’ RIGHTS

The following procedures may only be exercised by the data subject, their successors, legal representatives, or authorized agents, provided that their identity or representation is duly verified in advance.

In all procedures, the data subject or their representative must at least provide their full name, identification number, and contact details, including: an email address, a physical address for correspondence, and a telephone or mobile number. They must also state whether they are acting on their own behalf or on behalf of someone else, in which case they must present a duly granted power of attorney. Additionally, they must specify the personal data to which the request pertains and provide supporting documents or other elements relevant to the request. Lastly, in any request, the data subject or representative must provide information about the medium, event, or any other reference that can help identify the database containing the requested data.

REQUESTS REGARDING DATA PROCESSING

Data subjects or their successors may request to consult the personal information held by CENTRO ONCOLÓGICO ANTIOQUIA S.A.S., who will provide all the information contained in the individual record or any data associated with the data subject’s identification. To facilitate such requests, CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. guarantees:
• The availability of electronic communication channels or other methods deemed appropriate.
• The implementation of forms, systems, or simplified procedures, which must be communicated through the privacy notice.
• The use of existing customer service or complaints services.

Regardless of the method used to process data access requests, they will be answered within a maximum of fifteen (15) business days from the date of receipt. If it is not possible to respond within that time, the requester will be informed before the expiration of the 15 days, stating the reason for the delay and the date on which the request will be addressed. This additional period must not exceed five (5) business days from the end of the original deadline.

PROCEDURE TO ACCESS PERSONAL DATA PROCESSED BY CENTRO ONCOLÓGICO ANTIOQUIA S.A.S.

The data subject or their representatives may submit a request to CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. and/or to the data processor to access their personal data collected, stored, or used by the company.

The data subject must send a written request to the following email address: informacion.coa@quironsalud.com, clearly indicating the purpose of the request and a brief explanation. The request must also include the data subject’s full name, ID number, and contact information, including at least one email address, a physical mailing address, and a telephone or mobile number. If the request is submitted on behalf of someone else, proof of representation must be provided through a duly granted power of attorney.

If the request does not meet the required conditions, the company will notify the applicant within five (5) days of receipt, requesting that the missing information be provided. If the applicant fails to respond within one (1) calendar month from the date of the request for additional information, it will be understood that the request has been withdrawn.

CENTRO ONCOLÓGICO ANTIOQUIA S.A.S., through its appointed officer, will forward the request to the person responsible and/or the data processor, who must respond within ten (10) business days from the date of receipt.

If the data controller or processor is unable to respond within 15 business days, they must inform the data subject of the reason for the delay and the date the request will be fulfilled. This extension must not exceed five (5) business days after the expiration of the initial period.

PROCEDURE TO CORRECT, UPDATE, RECTIFY, OR DELETE PERSONAL DATA

The data subject or their legal representatives may submit a request to CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. and/or to the person in charge of data processing, to correct, update, or delete their personal data processed by the institution, if they so wish or if they believe that there has been a breach of any obligation contained in the General Regime for the Protection of Personal Data or in these policies. The following procedure should be followed:

The data subject or their representative must submit a request addressed to the data controller or data processor, including the following information:

• Full name of the data subject
• Identification of the data subject (citizenship ID)
• Description of the facts that give rise to the complaint
• Address and other contact information of the data subject
• Description of the procedure being requested (correction, update, or deletion)
• Clarification as to whether the request is made on their own behalf or on behalf of a third party
• Any documents supporting the request (optional)

If the stated requirements for filing the claim are not met, the data controller or processor will request the interested party to correct the deficiencies within five (5) business days from the date the claim is received. If one (1) calendar month passes from the date of the request without the requirements being fulfilled, it will be understood that the interested party has withdrawn the request or claim.

Once the request is received, and within a period not exceeding two (2) business days from the date of receipt, the phrase “claim in process” and the reason for it will be included in the database. This phrase will remain in the database until the request has been resolved. Likewise, if the person receiving the request is not authorized to respond, they will have two (2) business days to forward it to the competent party.

The data controller or processor will have fifteen (15) business days, counted from the day following the date of receipt of the request, to respond.

If the request cannot be processed within the established time frame, CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. will inform the data subject of the delay, explaining the reasons and providing a new date for the resolution of the request. This new date shall not exceed eight (8) business days following the expiration of the initial period.

The procedure within the company will be as follows:

PROCEDURE | TERM
Preliminary analysis of the request | 5 days
(Possibility to correct deficiencies) – This term is for the data subject | 30 days
Claim in process | 2 days
Fulfillment of the request and delivery of confirmation to the data subject | 8 days

Regardless of the type of request, it must be resolved within 15 business days following its submission.

Paragraph:
The deletion of personal data at the request of the data subject or their representative cannot be granted when there is a legal or contractual obligation for the personal data to remain in the respective database.

PROCEDURE TO REVOKE THE AUTHORIZATION GRANTED TO CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. FOR THE PROCESSING OF PERSONAL DATA

The data subject or their representative may revoke the authorization previously granted to CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. for the processing of their personal data by submitting a request addressed to the data controller or data processor, clearly stating the purpose of the request.
To process such a request, the same procedure established for correcting, updating, rectifying, or deleting personal data processed by CENTRO ONCOLÓGICO ANTIOQUIA S.A.S. will be followed.

COMMON SECURITY MEASURES FOR ALL TYPES OF DATA AND DATABASES

Document and Support Management | Access Control | Personnel
Measures to prevent unauthorized access to or retrieval of discarded, deleted, or destroyed data. | User access limited to only the data necessary for the performance of their duties. | Definition of roles and responsibilities of users with access to the data.
Restricted access to the location where the data is stored. | Updated list of authorized users and access permissions. | Definition of control functions and delegated authorizations by the data controller.
Authorization from the data controller is required for the physical or electronic removal of documents or media. | Mechanisms to prevent access to data by unauthorized parties (e.g., firewall activation). | Communication to personnel of rules and consequences for non-compliance.

SECURITY MEASURES FOR SENSITIVE DATA AND AUTOMATED DATABASES

Document and Media Management | Access Control | Data Transmission
Database registration system. | Access logs indicating user, date, and time. | Data transmission through secure electronic networks.
