Personal Data Processing and Protection Policy of WESTERN DENTAL SAS – MALO DENTAL

1. Introduction and Regulatory Framework

WESTERN DENTAL SAS – MALO DENTAL, in its capacity as a Health Service Provider Institution (IPS), is committed to protecting the privacy, honor, and personal data of its patients, employees, suppliers, and other data subjects.

This policy is developed in compliance with the fundamental right to habeas data, enshrined in Article 15 of the Political Constitution of Colombia, and is governed by Law 1581 of 2012, Decree 1377 of 2013, Resolution 1995 of 1999 (regarding the management of medical records), and any other regulations that modify, add to, or complement them.

The purpose of this document is to inform data subjects about the data collected, the purposes of processing, their rights, and the mechanisms established by WESTERN DENTAL SAS – MALO DENTAL to guarantee them.

2. Key Definitions

For the correct interpretation of this policy, the following legal definitions apply:

Personal Data: Information linked or that may be associated with one or more identified or identifiable natural persons.
Sensitive Data: Data that affect the privacy of the data subject or whose misuse may result in discrimination, such as health, biometric, or political, religious, or sexual orientation data. Medical records and health data are considered sensitive data.
Data Subject: The natural person whose personal data is subject to processing.
Data Controller: WESTERN DENTAL SAS – MALO DENTAL, as the legal entity that decides on databases and/or the processing of personal data.
Processing: Any operation performed on personal data, such as collection, storage, use, circulation, or deletion.
Authorization: The prior, express, and informed consent of the data subject for the processing of their personal data.

3. Guiding Principles

The processing of personal data at WESTERN DENTAL SAS – MALO DENTAL shall be governed by the following principles:

Legality: Processing shall comply with the provisions of Law 1581 of 2012 and other applicable regulations.
Purpose: Data shall be processed for legitimate purposes, previously informed to the data subject.
Freedom: Data processing shall only be carried out with the prior, express, and informed authorization of the data subject.
Veracity or Quality: The information must be truthful, complete, accurate, updated, verifiable, and understandable.
Transparency: The data subject may access their information at any time and without restriction.
Restricted Access and Circulation: Personal data shall not be available indiscriminately; access will be controlled and limited to authorized parties.
Security: Technical, human, and administrative measures shall be adopted to protect data against alteration, loss, or unauthorized access.
Confidentiality: Any person involved in data processing shall guarantee confidentiality, even after their relationship with the entity ends.

4. Purposes of Data Processing

WESTERN DENTAL SAS – MALO DENTAL collects, stores, uses, and deletes personal data, including sensitive data, for the following purposes:

4.1 Patients

Creation, management, and updating of medical records in accordance with current regulations.
Provision of dental services: diagnosis, treatment, follow-ups, and controls.
Billing, collection, and payment management.
Scheduling, confirmation, and reminders of appointments.
Processing before EPS, insurers, and other entities of the healthcare system.
Communication of examination results and discharge summaries.
Satisfaction surveys and service improvement studies.
Statistical, scientific, or research purposes, with data anonymization.
Sending information about prevention campaigns and new services, subject to explicit authorization.

4.2 Employees and Contractors

Fulfillment of obligations derived from employment or service contracts.
Payroll management, payments, and registration with the Social Security System.
Occupational medical examinations.
Workplace wellness, training, and performance evaluation programs.
Attendance control and issuance of employment certificates.

4.3 Suppliers

Contractual, commercial, and payment management.
Selection, evaluation, and monitoring processes.
Compliance with tax and legal obligations.
Request and receipt of products or services.

5. Rights of Data Subjects

According to Article 8 of Law 1581 of 2012, data subjects have the right to:

a) Know, update, and rectify their personal data.
b) Request proof of the authorization granted.
c) Be informed about the use given to their data.
d) File complaints with the Superintendence of Industry and Commerce (SIC) for legal violations.
e) Revoke authorization and/or request data deletion when legal principles and guarantees are not respected.
f) Access their personal data free of charge.

6. Authorization and Processing of Sensitive Data

The processing of personal data requires the free, prior, express, and informed authorization of the data subject.

In the case of sensitive data (such as health data contained in medical records), authorization shall be explicit, and the data subject shall be informed of its sensitive nature and their right not to authorize its processing.

However, data subjects shall be informed that such data are essential for the proper provision of dental services, diagnosis, and treatment planning. Failure to provide them may prevent service delivery.

Authorizations may be obtained through physical, electronic, or verbal means, provided that they allow verification of consent, in accordance with External Circular 02 of 2015 issued by the SIC.

Authorization shall not be required when information is requested by a public or judicial entity in the exercise of its legal functions, as established in Article 10 of Law 1581 of 2012.

7. Procedure for Exercising Rights

7.1 Contact Channels

Email: atencionalpaciente@malodental.com.co
In-person service: Calle 100 #19A – 30
Phone: +57 (601) 3571364

The data controller is WESTERN DENTAL SAS – MALO DENTAL.

7.2 Inquiries

Inquiries will be addressed within a maximum of 10 business days from the date of receipt.
If it is not possible to respond within this period, the interested party will be informed of the reasons for the delay and the new response date, which shall not exceed 5 additional business days.

7.3 Claims (Update, Rectification, Deletion, or Revocation)

Claims will be resolved within 15 business days from the day following their receipt.
If the claim is incomplete, the interested party will be requested to correct it within 5 business days.
If two months elapse without a response, the claim shall be deemed withdrawn.

8. Security and Confidentiality Measures

WESTERN DENTAL SAS – MALO DENTAL has implemented technical, human, and administrative security measures to protect personal data, especially sensitive data, from unauthorized access, loss, or misuse:

Physical Security: Restricted access to archives and servers.
Logical Security: User and password controls, encryption of sensitive information, backups, and security software.
Confidentiality: All personnel sign confidentiality agreements and receive training on secure data handling and professional secrecy.
Retention of Medical Records: Maintained according to the minimum period established in Resolution 1995 of 1999 or subsequent regulations.

9. Transfer and Transmission of Data to Third Parties

Information will only be shared when strictly necessary for the purposes described and in compliance with legal obligations, including:

Entities of the Social Security Health System (EPS, ARL).
Clinical and pathology laboratories.
Competent judicial or administrative authorities.
Providers of technological or administrative services, who are contractually bound to maintain confidentiality and data security.

All data transfers or transmissions will be carried out under the security and confidentiality standards required by law.

10. Policy Validity and Availability

This policy is effective as of January 1, 2025.

Any substantial modification will be duly communicated to data subjects through the website or other suitable means.