1. Purpose: The purpose of this Policy is to guarantee the constitutional right of all persons to know, update and rectify the information that has been collected about them in the databases or files that ORTHO MÍA IPS has compiled.

For the purposes of this policy, ORTHO MÍA IPS will be considered as the Controller of the information, whose data is the following:

• Name: ORTHO MÍA IPS
• Identification: 900.872.890-4
• Address: PEREIRA CR 13 #14-42 AND CARTAGO STREET 7 #4-03
• City: PEREIRA AND CARTAGO
• PBX: PEREIRA (6) 345 1110 / 302 590 4400 CARTAGO (2) 209 4989 / 310 387 3068 
• Email: admiorthomia@gmail.com
• Website: https://orthomia.com/

2. Scope of application

The Policy will be applicable to personal data registered in any database that makes them susceptible to processing that is in the possession of ORTHO MÍA IPS

3. Reach

This Policy applies to the company, managers, employees, contractors, patients and visitors of ORTHO MÍA IPS and to all databases in the possession of ORTHO MÍA IPS. It applies to the relationships between ORTHO MÍA IPS as Controller and any of its managers.

4. Responsible administration

ORTHO MÍA IPS, committed to the correct application and compliance with the Personal Data Protection regulations, will have the Board of Directors as a forum for discussion of any proposal for modification, strengthening and improvement of the policy that is brought by the members of the board for analysis and approval.

5. Definitions:

a) Authorization: Prior, express and informed consent of the Owner to carry out the Processing of personal data;

b) Database: Organized set of personal data that is subject to Processing;

c) Personal data: Any information linked to or that may be associated with one or more specific or identifiable natural persons;

d) Data Processor: Natural or legal person, public or private, who by itself or in association with others, carries out the processing of personal data on behalf of the Data Controller;

e) Responsible for the Treatment: Natural or legal person, public or private, who alone or in association with others, decides on the database and/or the Processing of the data;

f) Owner: Natural person whose personal data are subject to processing;

g) Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.

6. Principles for the Processing of Personal Data

a) Principle of legality in matters of data processing: Processing is a regulated activity that must be subject to the provisions of the law and the other provisions that develop it;

b) Principle of purpose: The Treatment must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Owner;

c) Principle of freedom: Treatment can only be carried out with the prior, express and informed consent of the Owner. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that requires consent;

d) Principle of truthfulness or quality: The information subject to Treatment must be truthful, complete, exact, updated, verifiable and understandable. The Processing of partial, incomplete, fragmented or misleading data is prohibited;

e) Principle of transparency: In the Treatment, the right of the Owner to obtain from the Data Controller or the Data Processor, at any time and without restrictions, information about the existence of data that concerns him or her must be guaranteed;

f) Principle of restricted access and circulation: Treatment is subject to the limits derived from the nature of personal data, the law and the Constitution. In this sense,

The Treatment may only be carried out by persons authorized by the Owner and/or by persons authorized by law;

Personal data, except public information, may not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide knowledge restricted only to the Owners or authorized third parties;

g) Security principle: The information subject to processing by the Data Controller or Data Processor must be handled with the technical, human and administrative measures that are necessary to provide security to the records, avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access;

h) Principle of confidentiality: All persons involved in the Processing of personal data that are not public in nature are obliged to guarantee the confidentiality of the information, even after their relationship with any of the tasks included in the Processing has ended. being able to only supply or communicate personal data when this corresponds to the development of authorized activities.

7. Name and personal information collected.

The type of information collected varies according to the quality of the Owner in relation to ORTHO MÍA IPS and depending on their respective purposes, as indicated below: That ORTHO MÍA IPS has identified the following databases:
• Patients
• Visitors
• Suppliers and/or Contractors, Third Parties
• Employees

7.1 Information collected in the Patient database

•  Name last Name
•  Identification number
•  Place and date of birth
•  Phone number
•  Email address
•  Address
•  Information regarding Social Security
•  Job occupation
•  Genre
•  Civil status
•  Level of study
•  Disability
•  Diseases
•  surgical acts
•  Treatments Performed
•  Rh
•  Clinic history
•  Emergency contact

7.2 Information collected in the Visitor database.

•  Name
•  Identification number

7.3 Information collected in the database of Suppliers, Third Parties and/or contractors.

•  Company name / First name / Last name in case of a natural person
•  Identification number
•  Address
•  Phone number
•  Email address
•  Billing resolution
•  Professional card
•  Study level and degree certificate
•  Bank account number

7.4 Information collected in the Employee Database.

•  Name
•  Identification number
•  Date and place of birth
•  Address
•  Phone number
•  Email address
•  Information regarding Social Security
•  Civil status
•  Dependents
•  Study level and degree certificate
•  Resolution
•  Professional card
•  beef

8. Purposes of information processing.

In carrying out its administrative purpose, ORTHO MÍA IPS (THE COMPANY) may use and process the information collected for a variety of purposes in relation to the activities of the Horizontal Property Regime, within which are a list of general purposes. , and specific purposes according to each of the bases:

The databases with personal information on which ORTHO MÍA IPS carries out some treatment are collected for the following purposes, in accordance with the purposes indicated in the ORTHO MÍA IPS PERSONAL DATA PROTECTION POLICY:

8.1 General uses of databases:

a. Collection.
b. Storage.
c. Use.
d. Circulation.
e. Processing.
f. Disposal.

8.2 General purposes of the databases:

a. Complete and maintain the patient’s dental medical history.
b. Provide products and/or services purchased directly or with the participation of third parties.
c. Promote and advertise our activities.
d. Carry out transactions.
e. Make reports to the various national administrative control and surveillance authorities, police or judicial authorities, financial entities and/or insurance companies.
f. Internal administrative purposes such as: audits, accounting reports, statistical analysis or billing.
g. Accounting records
h. Correspondence
i. Carry out control, follow-up, monitoring, surveillance and in general facilitate the security of the COMPANY’s facilities, assets and personnel.

8.3 The Patient database will have the following purposes:

The databases with personal information on which ORTHO MÍA IPS carries out some treatment are collected for the following purposes, in accordance with the purposes indicated in the ORTHO MÍA IPS PERSONAL DATA PROTECTION POLICY:

to. Carry out a treatment plan for the patient, according to the information reported by the Owner and its corresponding diagnosis, information contained in the medical history.
b. Make summons by internal requirement.
c. Inform about new measures, decisions, regulations, etc.
d. Manage procedures (requests, complaints, claims).
and. Address service, technical, operational, risk or security needs that may be reasonably applicable.
F. Carry out satisfaction or other surveys regarding the administration of the COMPANY.
g. Contact the Owner via email to send statements, account statements or invoices in relation to the relevant obligations of the COMPANY.
h. Respond promptly to any type of security incident or calamity within the COMPANY.
Yo. Carry out pre-legal and legal collection processes.

8.4 The Visitor database will have the following purposes:

a. Carry out registration and control over third party access to the COMPANY’s facilities.
b. Systematization of information for the purposes of analysis or security studies.
c. Systematization of information for the purposes of projecting security incident prevention policies.
d. Comply with requests made by patients and/or by police, judicial and/or administrative authorities.
e. Generation of charges and/or invoices.

8.5 The database of Suppliers, Third Parties and/or Contractors will have the following purposes:

a. For business purposes.
b. Accounting.

c. Compliance with judicial decisions and administrative and legal, fiscal and regulatory provisions.
d. Prepare documents, contracts, agreements and receipts.
and. Compliance with contractual obligations, for which the information may be transferred to third parties, such as financial entities, notaries, OFAC and terrorism lists, lawyers, etc.
F. Comply with the obligations contracted by the COMPANY on the occasion of contractual relationships, especially in relation to the payment of invoices.
g. Inform the Supplier about any modification of the contractual relationship.
h. Evaluate the quality and performance of the Supplier in compliance with its functions derived from the contractual relationship.
Yo. Conduct audits under the contractual relationship.
j. Preparation of the company directory and ensuring compliance with confidentiality obligations.
k. Any other use of your information that the provider authorizes in writing.

8.6 The Employee Database will have the following purposes:

to. Carry out the pertinent procedures for the development of the labor contractual object.
b. Comply with the obligations contracted by the COMPANY on the occasion of employment relationships, especially in relation to the payment of salaries, social benefits and social security and others established by the COMPANY and enshrined in the employment contract.
c. Inform the employee about any modification to the contractual relationship.
d. Evaluate the quality and performance of the employee in compliance with their functions derived from the employment contract.
and. Make payroll deductions authorized by the employee.
F. Conduct internal audits.
g. Creation of work email accounts; preparation of the company directory; assign work tools; assign keys and passwords, ensure compliance with confidentiality obligations and other employment obligations;
h. Check personal and work references; Contact your family members, financial dependents and/or beneficiaries in case of emergency.
Yo. Offer jointly or separately with third parties or on behalf of third parties, financial, commercial, unemployment, social security and related services, as well as carry out promotional campaigns, social service charity or jointly with third parties.
j. The COMPANY may use your personal data for other purposes, as long as these purposes are compatible and can be considered analogous to the previous ones.

9. Obligations of ORTHO MÍA IPS

a) Guarantee to the Holder, at all times, the full and effective exercise of the right of habeas data;
b) Request and keep a copy of the respective authorization granted by the Owner;
c) Duly inform the Owner about the purpose of the collection and the rights granted to him by virtue of the authorization granted;
d) Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access;
e) Guarantee that the information provided to the Data Processor is true, complete, exact, updated, verifiable and understandable;
f) Update the information, communicating in a timely manner to the Data Processor, all the news regarding the data that you have previously provided and adopt the other necessary measures so that the information provided to it remains updated;
g) Rectify the information when it is incorrect and communicate the pertinent information to the Data Processor;
h) Provide the Data Processor, as the case may be, only data whose Processing is previously authorized;
i) Demand that the Data Processor at all times respect the security and privacy conditions of the Owner’s information;
j) Process queries and claims made;
k) Inform the Data Processor when certain information is under discussion by the Owner, once the claim has been submitted and the respective process has not been completed;
l) Inform at the request of the Owner about the use given to his data;
m) Inform the data protection authority when violations of security codes occur and there are risks in the administration of the Owners’ information.
n) Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

10. Duties of officials in charge of data processing

a) Guarantee the Holder, at all times, the full and effective exercise of the right to habeas data.
b) Keep the information under the necessary security conditions to prevent its adulteration, loss, unauthorized or fraudulent consultation, use or access.
c) Carry out the timely updating, rectification or deletion of the data.

d) Update the reported information within five (5) business days from receipt.
e) Process queries and claims made by the Owners.
f) Adopt an internal manual of procedures to guarantee adequate compliance with the law and this policy and, especially, to respond to queries and complaints from Data Owners.
g) Register in the database the legend “claim in process”.
h) Insert in the database the legend “information under judicial discussion” once notified by the competent authority about judicial processes related to the quality of personal data.
i) Refrain from circulating information that is being controversial by the Owner and whose blocking has been ordered by the Superintendence of Industry and Commerce.
j) Allow access to information only to people who can have access to it.
k) Inform the Superintendency of Industry and Commerce when violations of security codes occur and there are risks in the administration of the Owners’ information.
l) Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

11. Prohibitions

a) No personal data may be processed incompatible with the purpose authorized by the owner or by law, unless the owner’s unequivocal consent is obtained.
b) No partial, inaccurate, incomplete, fractional or misleading data may be processed, or data whose processing is expressly prohibited or has not been authorized.
c) Personal data, except for public information, may not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to the Owners or authorized third parties.
d) The processing of sensitive data1 is prohibited, except when the owner has given his or her explicit authorization for such processing.
e) The processing of personal data of children and adolescents is prohibited, except for data that is public in nature or for which prior, express and informed authorization is granted by the respective parents and/or legal representatives.

1 These are sensitive data. data that affects the privacy of the Owner or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, as well as data related to the health, sexual life and biometric data.

12. Rights of the Owners

a) Know, update and rectify your personal data.
b) Request proof of the authorization2 granted to ORTHO MÍA IPS except when it is expressly excepted as a requirement for the Treatment3.
c) Be informed by ORTHO MÍA IPS or by the Data Processor, upon request, regarding the use that has been given to your personal data;
d) Submit complaints to the Superintendence of Industry and Commerce for violations of the provisions of this law and other regulations that modify, add to or complement it;
e) Revoke the authorization and/or request the deletion of the data when the Treatment does not respect the constitutional and legal principles, rights and guarantees. The revocation and/or deletion will proceed when the Superintendence of Industry and Commerce has determined that in the Treatment the responsible party or the Data Processor has incurred in conduct contrary to the law and the Constitution;
f) Access free of charge to your personal data that have been subject to Treatment.

13. Processing of data of minors.

ORTHO MÍA IPS processes the personal data of children and adolescents in order to complete and safeguard the medical history of the patient to whom a dental service and/or another specialty is provided, in accordance with the diagnosis and the treatment plan prepared. , as well as guaranteeing their safety within the company’s facilities. The Treatment will be carried out as long as:

a) The purpose of the treatment responds to the best interests of the children and adolescents.
b) The treatment used by ORTHO MÍA IPS ensures respect for your fundamental rights.
c) The minor’s right to be heard is respected, an opinion that will be valued taking into account their maturity, autonomy and ability to understand the processing of the data.
d) The requirements provided for in Law 1581 of 2012 for the processing of personal data are met.

14. Person or area responsible for handling requests, queries and complaints

ORTHO MÍA IPS informs the Information Holders that the person in charge of the attention

2 Law 1581 of 2012. Article 10. Cases in which authorization is not necessary. The authorization of the Owner will not be necessary when it comes to:
a) Information required by a public or administrative entity in the exercise of its legal functions or by court order;
b) Data of a public nature;
c) Cases of medical or health emergency;
d) Processing of information authorized by law for historical, statistical or scientific purposes;
e) Data related to the Civil Registry of Persons.

of requests, queries and claims and in general so that the Owners can exercise their rights, is the personal data protection officer, through the channels provided for this in this policy, in any case observing the procedure contemplated below. continuation.

15. Questions and complaints

15.1 Queries:

The Holders or their successors in title may consult the Holder’s personal information that is in the ORTHO MÍA IPS database.
The query must be made in writing, either by written communication to ORTHO MÍA IPS, at Carrera 14 No. 9-15, floor 2, local 2, in the city of Armenia Quindío or sent to the email address happyclinicadental@gmail.com.

If the query is incomplete, the interested party will be required within five (5) days following receipt of the query to correct the deficiencies. After two (2) months from the date of the request, if the applicant does not submit the required information, it will be understood that he has withdrawn from the query.

The query will be answered within a maximum period of fifteen (15) business days from the date of receipt. When it is not possible to attend to the query within said term, the interested party will be informed, expressing the reasons for the delay and indicating the date on which their query will be attended to, which in no case may exceed five (5) business days following the expiration of the first term.

15.2 Claims:

The Owner or his successors who consider that the information contained in the ORTHO MÍA IPS database must be corrected, updated or deleted, or when they notice the alleged breach of any of the duties contained in this document or in the law, may file a claim.
The claim will be made by request addressed to ORTHO MÍA IPS, at Carrera 14 No. 9-15 Floor 2 Local 2, in the city of Armenia Quindío during the administration’s business hours or sent to the email address admiorthomia@gmail.com, which must inform: Name and identification of the Owner, the description of the facts that give rise to the claim, the address, email, and accompanying the documents that you want to assert.
If the claim is incomplete, the interested party will be required within five (5) days following receipt of the claim to correct the deficiencies. After two (2) months from the date of the request, without the applicant presenting the required information, it will be understood that

withdrawn the claim.

Once the complete claim has been received, a legend stating “claim in process” and the reason for it will be included in the database within a period of no more than two (2) business days. This legend must be maintained until the claim is decided.
The maximum term to address the claim will be fifteen (15) business days counted from the day following the date of receipt. When it is not possible to address the claim within this period, the interested party will be informed of the reasons for the delay and the date on which his claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.

16. Complaints to the Superintendency of Industry and Commerce.

As a procedural requirement, the Owner or successor in title may only file a complaint with the Superintendency of Industry and Commerce once he or she has exhausted the consultation or claim process with ORTHO MÍA IPS, the Data Processor.

17. Video Surveillance System.

ORTHO MÍA IPS, in carrying out its administrative activity and for the purposes of guaranteeing the security of the Company’s assets and those who enter its facilities, has a Closed Circuit Television, through which monitoring and observation activities are carried out. which involve the collection of images of people, that is, personal data in accordance with those established in literal c) of article 3 of Law 1581 of 2012.

Consequently, the processing of the data collected must comply with the principles established by law; namely, legality, freedom, quality or veracity, security, confidentiality, restricted access and circulation, and transparency, as well as the other principles contained in the Law on the Protection of Personal Data.

Thus, and by virtue of the principle of freedom, as a general rule it will be necessary for the Owner to grant authorization, which, in this specific case, will be determined by the unequivocal conduct3 adopted by the Owner with respect to the Video Surveillance Notice adopted by ORTHO MÍA IPS, published in a visible manner mainly in the entrance areas to the places that are being watched and monitored and inside them.

18. Data collected before the issuance of Decree 1377 of 2013.

3 Through which it is possible to reasonably conclude that the owner granted authorization. In no case can silence be assimilated to unequivocal conduct.

For the data collected before the issuance of Decree 1377 of 2013 subsequently compiled and repealed by the Single Regulatory Decree 1074 of 2015, ORTHO MÍA IPS has the information processing policies available to the Holders in its offices and on its page. website: https://www.orthomia.com/ as well as how to exercise your rights.

Likewise, these policies will be made known to each of the information holders, at the corresponding email address registered in our databases, which will be done through our channel.

If within thirty (30) days after sending the corresponding email, containing the Personal Data Processing Policies, the Owner has not contacted the person responsible to request the correction, deletion, or authorization of their personal data,

ORTHO MÍA IPS will continue to carry out the processing contained in its databases for the purposes indicated in the privacy notice.

19. Current national legislation

This Policy is governed by the provisions of Law 1581 of 2012, Law 1266 of 2008, Single Regulatory Decree 1074 of 2015 and other regulations that modify, repeal or replace them.

20. Validity of databases

The databases will be valid for the same period as the purpose or purposes of the processing in each database, or the period of validity indicated by a specific legal, contractual or jurisprudential cause.

21. Validity

This Policy modifies the previous version and will be effective as of January 15, 2021345 1102