DATA PROCESSING POLICY

OVERVIEW

This document contains the description of the Policies of Treatment and Protection of personal data of the holders of the information (hereinafter Holders) contained in the personal databases on which THINK ROCK LAB decides and through which, the procedure for the attention and exercise of the powers related to the fundamental right of Habeas data and other obligations related to the protection of personal data is implemented.

With the adoption and implementation of this Policy Manual for the treatment of personal information, we comply with paragraph (k) of Article 17 of Law 1581 of 2012, under the terms of Articles 13 and 18 of Decree 1377 of 2013.

PERSON RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA

In accordance with paragraph (e) of Article 3 of Law 1581 of 2012, THINK ROCK LAB, is responsible for the processing of personal data of its patients/clients/users, suppliers, third parties, contractors and other holders of personal information on which it collects, records, manages, modifies, shares and deletes personal information in the exercise of its main business activities and others related to the ordinary course of its business. The identification data of the person in charge are the following:

NAME OR COMPANY NAME: THINK ROCK LAB

C.C OR NIT: 71654440

ADDRESS: ENVIGADO (ANT)

EMAIL: info@thinrocklab.com

TELEPHONE: 123-456-7890

THINK ROCK LAB has appointed a Personal Data Protection Officer, who has the function of protecting the personal data of the owners and process the requests.

PERSONAL DATA PROCESSING AT THINK ROCK LAB

In THINK ROCK LAB the processing of personal information is limited to the collection, management and processing of personal information for the sole purpose of executing and carrying out commercial activities and others related to the ordinary course of its main activity. Among the general purposes of processing are:

i) Facilitate the commercial contact and carry out the activities of the contracts and other legal business entered into with the owners of the information, ii) Use the personal information for the due execution of the obligations contracted with the Holder, iii) carry out prospecting activities and commercial loyalty on events, services and products related to the ordinary course of business, iv) Send to the physical mail, electronic, mobile device via text messages (SMS and / or MMS) or through any other means of communication existing or that may come to exist, institutional, advertising or commercial information about the services provided, its business partners, projects or events in which they participate and are invited, v) To respond to inquiries, requests, complaints and claims that are made by the Owners and control bodies and transmit the Personal Data to other authorities that under the applicable law must receive the Personal Data, vi) Any other activity of a similar nature to those described above that are necessary to develop the corporate purpose of THINK ROCK LAB.

In the process of collecting personal data, THINK ROCK LAB acts taking into account the principle of freedom indicated in paragraph (c) of Article 4 of Law 1581 of 2012 according to which, the processing of personal data can only be exercised under the free, prior, express and informed consent of the holder and under the principle of necessity, according to which, the personal data collected will only be those strictly necessary for the fulfillment of the purposes pursued and previously indicated to the Holder.

The management, processing and use of personal information collected within THINK ROCK LAB will be carried out taking into account the principle of restricted access and circulation indicated in paragraph (f) of Article 4 of Law 1581 of 2012, which requires the duty of confidentiality on the part of the personnel delegated within THINK ROCK LAB for the processing of personal information in the exercise of their functions and the duty to adopt sufficient security measures to ensure limited access and restricted circulation of personal data that is managed, especially sensitive data for which THINK ROCK LAB is responsible for its treatment.

In accordance with paragraph (a) of article 10 of Law 1581 of 2012, THINK ROCK LAB may exchange personal data that it administers with governmental or public authorities such as administrative authorities, tax authorities, investigative agencies and judicial authorities, when requested by them in the exercise of their functions.

In accordance with the principle of confidentiality set forth in article 4 (h) of Law 1581 of 2012, any personal data collected by THINK ROCK LAB that is not public data – i.e., data relating to the marital status of the person, clinical or medical data, data contained in public documents or records (article 3, paragraph (f) of Law 1266 of 2008), those relating to the holder’s profession or trade and his or her status as a merchant or public servant (article 3, numeral 2 of Decree 1377 of 2013) or in general, those classified as such according to the Law – will be treated by THINK ROCK LAB as confidential data and the confidentiality of the information will be guaranteed for as long as its processing continues.

In accordance with the principle of temporality of information, paragraph (d) of article 4 of Law 1266 of 2008, THINK ROCK LAB will terminate the processing of the personal data it manages when the purpose for which they were collected is exhausted, except for personal data that by a legal or contractual obligation must remain in its database.

Therefore, the validity of the personal data base(s) managed by THINK ROCK LAB is determined according to the specific purposes for which its processing was authorized or permitted.

THINK ROCK LAB will implement due procedures to ensure compliance with its personal information processing policies through the procedure “Implementation of Habeas Data in THINK ROCK LAB” which will describe the actions, resources and methods to be carried out in the internal cycle of personal data management in the areas of the organization that perform personal data processing, especially considering three (3) structural moments: i) Collection, ii) Management, processing and use, and iii) Suppression of personal data.

In attention to the provisions of the applicable regulations, THINK ROCK LAB considers it necessary to make the following clarifications of scope, in relation to the processing of personal data subject of this policy:

Authorization:

The Processing of personal data must be authorized by the Holder, in a prior, express and informed manner. This authorization shall be made:

In written form
Orally
By means of unequivocal conducts that allow to reasonably conclude that the owner of the information granted the authorization.
Proof of this authorization must be kept.

The authorization of the Data Subject shall not be required when:

It is information of a public nature.

It is information required by a public or administrative entity in the exercise of its legal functions or by court order.
In cases of medical or health emergency.

Processing of information authorized by law for historical, statistical or scientific purposes.

Data related to the Civil Registry of persons.

Although the Treatment of this information does not require prior authorization, its disposition and use will be aligned with the law.

Revocation of authorization and/or suppression of personal data:

The holders of personal data may request at any time to THINK ROCK LAB, the revocation of the authorization and/or the partial or total removal of the information from its databases, provided that there is no legal mandate or contractual obligation that makes necessary the permanence of the data, in accordance with the provisions of Law 1581 of 2012 Article 15 and other concordant and complementary provisions on the matter.

Once the consultation or claim procedure has been exhausted, the Holder of the personal data may file a complaint before the Superintendence of Industry and Commerce in order to request the revocation of the authorization and consequently the elimination of the personal data from the THINK ROCK LAB databases.

Retention of data:

Personal data may only be processed for as long as the purpose for which they were registered remains in force. In this sense, THINK ROCK LAB may keep in its databases the personal data of the owners during the time that is reasonable and necessary, in accordance with the purposes of the treatment enshrined in the Policy, except for legal provisions that establish particular terms.

Once this time has elapsed, THINK ROCK LAB will proceed, in the case of manual documentation, to send it to the inactive file in accordance with the document retention tables; in the case of information contained in digital media, the guidelines established by THINK ROCK LAB for the definitive storage of the same and its eventual elimination will be applied. Notwithstanding the above, if necessary THINK ROCK LAB may request again the authorization to the owner of the personal data, in order to keep it for a period equal to that initially authorized.

PERSONAL INFORMATION

The information and/or personal data collected from Information Holders, specifically from customers/users, suppliers, third parties, contractors and other holders of personal information about which it collects, through the various sources may include, but is not limited to:

 

Name, gender and religious affiliation.

Place, date of birth and gender.

Physical address, e-mail address, telephone, cell phone, fax and pager numbers.

Employer, location and contact information.

Patient’s clinical information including history, test results such as pathological and clinical, consultations, formulations, diagnoses, general and special medical and nursing care, consultations between specialists, etc.

Family or legal guardian contacts.
Degree of basic, high school or university education. Occupation.

Information necessary to facilitate the provision of services, including family or employment information.

Identity card, passport or NIT number, nationality and country of residence.

Insurance company or health services provider.

Use of products and services.

In relation to the other holders of the information, only personal data required for the management of the labor, civil, commercial, etc. relationship is collected.

RIGHTS OF PERSONAL INFORMATION HOLDERS

The powers of the owners of the information as subjects of the fundamental right of Habeas Data are:

Access, know, update and rectify their personal data against the person responsible and/or in charge of the Treatment.

Submit complaints, suggestions or claims directly on the Policy for the protection of personal data and the form of its treatment.

Know this Manual of policies and procedures for the protection of personal data adopted by THINK ROCK LAB.

File complaints for violations of the provisions of the regulations in force before the Superintendence of Industry and Commerce.

Modify and revoke the authorization and / or request the deletion of personal data, when the treatment does not respect the principles, rights and constitutional and legal guarantees in force.

To know and access free of charge to their personal data that have been subject to processing.

THINK ROCK LAB’S DUTIES AS A CONTROLLER OF PERSONAL DATA

In accordance with Article 17 of Law 1581 of 2012, THINK ROCK LAB, as the party responsible for the processing of personal information, has the following duties:

 

Guarantee the Holder, at all times, the full and effective exercise of the right of habeas data.

Request and keep a copy of the respective authorization granted by the Data Subject.
Duly inform the Data Subject about the purpose of the collection and the rights he/she has by virtue of the authorization granted.

Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.

Guarantee that the information provided to the Data Processor is truthful, complete, accurate, updated, verifiable and understandable.

Update the information, communicating in a timely manner to the Data Processor, all developments with respect to the data previously provided and take other necessary measures to ensure that the information provided to this is kept up to date.

Rectify the information when it is incorrect and communicate the relevant information to the Data Processor.

To demand from the Data Processor at all times, respect for the security and privacy conditions of the data subject’s information.

Process queries and claims made under the terms set forth in this policy.
Inform the Data Processor when certain information is under discussion by the Data Subject, once the claim has been filed and the respective process has not been completed.

Inform at the request of the Data Subject about the use given to his/her data.

Inform the data protection authority when there are violations to the security codes and there are risks in the administration of the information of the Data Subject.
Comply with the instructions and requirements given by the Superintendence of Industry and Commerce.

PROCEDURE FOR THE EXERCISE OF HABEAS DATA BY THE HOLDERS OF THE INFORMATION

To exercise the powers of the right of habeas data, the owner of the information must submit a written request to THINK ROCK LAB, submit your request via email to the following email: info@thinrocklab.com

attaching the information related to the request.

The applicant must make a personal presentation of his request by any suitable means that allows his full identification as the owner of the personal information on which he exercises his rights.

In order to receive, attend, process and respond to claims, rectification of information, deletion or revocation of authorization, the holder must indicate at least the following information in the diligence:

 

Date of request.

Photocopy of the identification document.

Contact address (physical or electronic).

Telephone number.

Detailed, clear and complete description of the facts, reasons and object of the request.

In requests for rectification and updating of personal data, the owner must indicate the corrections to be made and provide documentation to support the request.

The maximum term for processing and responding to queries is ten (10) business days from the date of receipt. In the event that a request for consultation cannot be processed within this term, the interested party shall be informed before the expiration of the term, stating the reasons for the delay in responding to the consultation. In any case, the maximum term of response may not exceed five (5) working days after the expiration of the first term.

The maximum term to respond to a claim shall be fifteen (15) business days from the day following the date of receipt. When it is not possible to address the claim within such term, the interested party shall be informed of the reasons for the delay and the date on which the claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.

If the claim is incomplete, the interested party will be required within five (5) days after receipt of the claim to correct the faults. After two (2) months from the date of the requirement, without the applicant submitting the required information, it will be understood that the claim has been abandoned.

In the event that whoever receives the claim is not competent to resolve it, it will be transferred to the appropriate person within a maximum period of two (2) working days and will inform the interested party of the situation.

Once the complete claim has been received, a legend will be included in the database stating “claim in process” and the reason for the claim, within a term no longer than two (2) business days. Otherwise, the claim will be processed as a consultation and the response will indicate to the applicant the minimum requirements needed to proceed with the processing and response.

VALIDITY AND PUBLICITY

This Policy of treatment and protection of personal data was developed and approved by THINK ROCK LAB on 19/01/2024. HD – THINK ROCK LAB reserves the right to modify this policy at any time and without prior notice for which it will notify its clients, users, patients and other holders mentioned in this Policy, updating the content on www.thinkrocklab.com.

Date of publication on web page: 19/01/2024.

Effective date: 19/01/2024.

The different communication channels enabled to contact THINK ROCK LAB, are the following:

 

Telephone: 123-456-7890

 

Whatsapp: (+57) 324 3562409

By e-mail: info@thinkrocklab.com