1. DEFINITIONS
a) Data Protection Authority: correspondence from the area of patient care and/or operation of promotional programs by us, you may opt out of being included in the distribution list from the beginning when you provide your information or each time you are sent an email or text message.
b) Authorization: Prior, express and informed consent by the Data Subject to carry out the Processing of personal data.
c) Privacy Notice: Verbal or written communication generated by the Controller addressed to the Data Subject for the processing of his personal data, by which he is informed about the existence of the information processing policies that will be applicable, how to access them and the purposes of the processing that is intended to be given to the personal data.
d) Database: Organized set of personal data that is subject to Processing.
e) Personal Data: Information associated or linked to one or several determined or determinable natural persons, which allows their identification, location, contact, etc. They have the following characteristics: (i) they refer to exclusive and proper aspects of a natural person; (ii) they allow the identification of the person, to a greater or lesser extent, thanks to the overview achieved with the same and other data; (iii) their ownership resides exclusively with the Holder thereof, a situation that is not altered by their collection by a third party in a lawful or unlawful manner, and (iv) their processing is subject to special rules (principles) regarding their collection, management and disclosure.
f) Private data: Information that is only relevant to the Data Subject.
g) Public data: Data that is not semi-private, private or sensitive. Public data includes, among others, data related to the marital status of individuals, their profession or trade, and their status as merchants or public servants. Due to their nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins, and duly executed court rulings that are not subject to confidentiality.
h) Sensitive Data: Data that affects the privacy of the Data Subject or whose improper use may lead to discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights organizations or organizations that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data relating to health, sex life and biometric data.
i) Data Processor: Natural or legal person, public or private, who by himself or in association with others, carries out the Processing of personal data on behalf of the Data Controller.
j) Data Protection Officer: It is the person or area designated to assume the function of personal data protection and to process the requests of the Data Controllers, in the exercise of their rights. He/she ensures the effective implementation of the policies, procedures and good practices adopted by the company for the management of personal data.
k) Claim: Request of the Data Subject or of the persons authorized by him/her or by the Law to correct, update or delete his/her personal data or to revoke the authorization in the cases established by the Law.
l) Data Controller: Natural or legal person, public or private, who by himself or in association with others, decides on the database and/or the processing of the data.
m) Third Party: Natural or legal person, public or private, or administrative organization other than the Data Controller and the Data Processor.
n) Data Subject: Natural person whose personal data is the object of Processing.
o) Transfer: The transfer of data takes place when the data controller and/or person in charge of the Processing of personal data, located in Colombia, sends the information or personal data to a recipient, which in turn is responsible for the Processing and is located inside or outside the country.
p) Transmission: Processing of personal data that involves the communication thereof within or outside the territory of the Republic of Colombia when the purpose of the Processing is carried out by the processor on behalf of the Controller.
q) Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.
2. PRINCIPLES
For the Processing of Personal Data, La Clínica will apply the principles mentioned below, which constitute the rules to be followed in the collection, handling, use, processing, storage and exchange of personal data:
a) Legality Principle: The Processing of Personal Data is a regulated activity that must be subject to the provisions of Law 1581 of 2012 and other provisions that develop, modify or replace it.
b) Principle of purpose: The processing of personal data must obey a legitimate purpose in accordance with the Constitution and the Law, previously informed to the Data Subject.
c) Principle of freedom: Processing may only be carried out with the prior, express and informed authorization of the Data Subject. No personal data may be obtained or disclosed without this authorization, unless a legal or judicial provision relieves the requirement for the consent of the Data Subject.
d) Principle of truthfulness or quality: The information related to the Processing shall be complete, accurate, truthful, updated, verifiable and understandable. There shall be no partial, incomplete, fractioned or misleading data.
e) Principle of transparency: In the Processing, the Data Subject must be guaranteed the right to obtain from the Controller or the Data Processor, at any time and without restrictions, information about the existence of the data concerning him/her.
f) Principle of restricted access and circulation: Processing is subject to the limits derived from the nature of the personal data, the provisions of the Law and the Constitution. In this sense, the Processing may only be carried out by persons authorized by the Holder and/or by the persons provided for in the Law.
g) Principle of security: The personal data subject to processing by the Controller or the Data Processor must be handled with the technical, human and administrative measures necessary to provide security to the records, avoiding their adulteration, loss, or unauthorized or fraudulent consultation, use or access.
h) Principle of confidentiality: All persons involved in the processing of personal data are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks involved in the processing, and may only provide or communicate personal data when it corresponds to the development of the activities authorized by law and under the terms provided by law.