
Privacy Policy

PRIVACY NOTICE

In compliance with Statutory Law 1581 of 2012 on Data Protection (LEPD) and related regulations, the purpose of this Privacy Notice is to inform the Data Subject about the processing of the data stored in our databases and whether they will be transmitted and/or transferred to third parties. The conditions of processing are as follows:

1. VITAL QUIRURGICOS HEALTH SAS, identified with NIT No. 901 634 551, will be responsible for the processing of your personal data.

2. In order to provide comprehensive customer service, the personal data collected will be processed for the following purposes: customer loyalty, marketing, commercial prospecting, advertising, market segmentation, and customer management.

3. It is optional to provide information that relates to Sensitive Data, understood as that which affects privacy or generates any type of discrimination, or that relates to minors.

4. The Data Controller's data processing policy, as well as any substantial changes that may occur, can be consulted at the following email address: CONTABILIDAD@VITALQUIRURGICOS.COM and/or VENTAS@VITALQUIRURGICOS.COM

5. The Data Subject may exercise their rights of access, correction, deletion, revocation, or infringement of their data by writing to VITAL QUIRURGICOS HEALTH SAS at the email addresses CONTABILIDAD@VITALQUIRURGICOS.COM and/or VENTAS@VITALQUIRURGICOS.COM, indicating the right they wish to exercise in the subject line; or by mail sent to Calle 74 AN 81 A – 69 in Bogotá.

 

 

DATA PROCESSING POLICY

 

1. Objective

Establish the general guidelines for the treatment of personal information collected and managed by VITAL QUIRURGICOS HEALTH SAS.

 

2. Scope

This internal manual applies to the processing of personal data contained in the Company's databases.

 

3. Definitions

The terms used in this Policy, listed in alphabetical order, shall have the meaning set forth below:

 

Authorization: Prior, express and informed consent of the Owner to carry out the processing of personal data.

Database: Organized set of personal data that is the object of processing.

Legal successor: Person who, by succession or substitution, acquires the rights of another person.

Consultation: This is the Data Subject's right to be informed by the data controller, upon request, regarding the origin, use, and purpose of their personal data.

Personal data: Any information linked to or that can be associated with one or more specific or identifiable natural persons.

Public data: Data that is not private or sensitive. Public data includes, among others, data relating to a person's marital status, their profession or occupation, and their status as a merchant or public servant. By its nature, public data may be contained in, among other things, public registries, public documents, official gazettes and bulletins, and duly enforceable court rulings that are not subject to confidentiality.

Private data: Personal data that, due to its intimate or confidential nature, is of interest only to its Data Subject and requires prior, informed, and express authorization for its processing. It may be contained in databases containing personal telephone numbers and email addresses, employment data, administrative or criminal offenses, managed by tax, financial, management, and common service entities of Social Security; databases on financial solvency or creditworthiness, databases with sufficient information to evaluate the Data Subject's personality, and databases of managers of operators that provide electronic communication services.

Semi-private data: Data that is not of an intimate, reserved, or public nature and whose knowledge or disclosure may be of interest not only to its Owner but also to a certain sector or group of people or to society in general, such as: databases containing financial, credit, commercial, service information and information from third countries.

Sensitive data: Sensitive data is understood to be that which affects the privacy of the Data Subject or whose improper use may lead to discrimination, such as data that reveals racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in trade unions, social organizations, human rights organizations, or that promotes the interests of any political party or that guarantees the rights and guarantees of opposition political parties, as well as data relating to health, sexual life and biometric data.

Data processor: A natural or legal person, public or private, who, either alone or in association with others, processes personal data on behalf of the data controller.

 

Incident: Incidents refer to any event in information systems or manual or systematized databases that threatens the security of the personal data stored therein.

Data Protection Officer: This is the natural person responsible for coordinating the implementation of the legal framework for personal data protection and processing data subjects' requests to exercise the rights referred to in Law 1581 of 2012.

Data controller: A natural or legal person, public or private, who, either alone or in association with others, decides on the database and its processing.

Database Manager: Collaborator in charge of controlling and coordinating the proper application of the Data Processing Policy once stored in a specific database, as well as putting into practice the guidelines dictated by the Data Controller and the Data Protection Officer.

Correction claim: The right of the Owner to have partial, inaccurate, incomplete, fragmented, or misleading data updated, rectified, or modified.

Infringement claim: The Data Subject's right to request that the breach of data protection regulations be remedied.

Revocation request: The Data Subject's right to revoke the authorization previously granted for the processing of his or her personal data.

Deletion request: The Data Subject's right to have data that is inadequate, excessive, or does not respect constitutional and legal principles, rights, and guarantees deleted.

Data subject: Natural person whose personal data is being processed.

Processing: Any operation or set of operations on the Data Subject's personal data, such as collection, storage, use, circulation or deletion.

Privacy Notice: Verbal or written communication generated by the data controller, addressed to the Data Subject for the processing of their personal data, through which they are informed of the existence of the Information Processing Policy that will be applicable to them, how to access it, and the purposes of the processing intended to be given to their personal data.

Data transfer: Data transfer occurs when the controller and/or processor of personal data, located in Colombia, sends the information or personal data to a recipient, who is also the controller and is located within or outside the country.

Transmission: Processing of personal data that involves communicating the data within or outside the territory of the Republic of Colombia, when the purpose is to carry out a specific processing on behalf of the controller.

 

4. General provisions

4.1 Introduction

VITAL QUIRURGICOS HEALTH SAS (hereinafter the Company), a Colombian company identified with NIT 901 634 551, in compliance with current regulations governing the protection of personal data and establishing the legal guarantees that protect all persons in Colombia to ensure the proper processing of their data, establishes the following Policy for the processing of personal data.

 

4.2. Applicable regulations

The following are the current regulations on which this Policy is based:

Colombian Political Constitution of 1991, articles 15 and 20.

Law 1581 of 2012.

Decree 1074 of 2015: chapters 25 and 26, compilation of Decrees 1377 of 2013 and 886 of 2014.

External Circular 005 of 2017.

Decree 1115 of 2017 (Database registration deadlines).

 

4.3. Principles of data protection

The principles that will govern the processing and protection of personal data in the Company are:

Legality: Data processing is a regulated activity that must comply with the provisions of Law 1581 of 2012, Decree 1377 of 2013 compiled in Chapter 25 of Decree 1074 of 2015 and other provisions that develop it.

Purpose: The processing must comply with a legitimate purpose in accordance with the Constitution and the Law, which must be communicated to the Data Subject.

Freedom: Processing may only be carried out with the prior, express, and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial order establishing consent.

Truthfulness or quality: The information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. The processing of partial, incomplete, fragmented, or misleading data is prohibited.

Transparency: Data processing must guarantee the right of the Data Subject to obtain from the Controller or the Data Processor, at any time and without restrictions, information about the existence of data concerning him or her.

Restricted access and circulation: Processing is subject to the limits derived from the nature of the personal data, the provisions of Law 1581 of 2012, and the Constitution. In this regard, processing may only be carried out by persons authorized by the Data Subject and/or by the persons provided for in the Law. Personal data, except for public information, may not be made available on the internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to the data subjects or third parties authorized in accordance with the Law.

 

Security: Information subject to processing by those in charge must be handled with the necessary technical, human, and administrative measures to ensure the security of records and prevent their alteration, loss, unauthorized or fraudulent access, use, or consultation.

Confidentiality: All persons involved in the processing of personal data that are not public in nature are required to guarantee the confidentiality of the information, even after their relationship with any of the tasks involved in the processing has ended. They may only provide or communicate personal data when this corresponds to the development of the activities authorized by Law 1581 of 2012 and under the terms thereof.

 

4.4. Functions of the Data Protection Officer

The Company will have a Personal Data Protection Officer who will perform the following functions:

Control the database inventory, classify it by type, update it, and register it with the Superintendency of Industry and Commerce.

Report information security incidents to the Superintendency of Industry and Commerce and follow up on established action plans.

Ensure that database managers report their relationships with data processors and monitor that these relationships are supported by the corresponding data transmission contracts.

Report to the General Management on a semi-annual basis the update of data security risks, audit results, and any security incidents that occurred during the period.

Conduct an annual training program on policies, procedures, and controls related to the processing of personal data.

Serve as a liaison with other areas of the Company to ensure and coordinate a cross-functional implementation of this manual.

Obtain declarations of compliance from the Superintendency of Industry and Commerce in the case of international data transfers or transmissions, if required.

Ensure the implementation of internal audit programs to verify compliance with the Personal Data Policy.

Diligently respond to requests and complaints from personal data owners within the terms of the law.

 

5. Processing of personal data

5.1. Responsible

In this Manual of Policies and Procedures, the Controller of the personal databases will be VITAL QUIRURGICOS HEALTH SAS, whose general and contact information is indicated below:

NIT: 901 634 551

Address: CARRERA 26 No. 63G - 09

Email: CONTABILIDAD@VITALQUIRURGICOS.COM and/or VENTAS@VITALQUIRURGICOS.COM

Cell: 3183911117 - 3155373790

 

5.2. Purposes

In the course of its business activities, the Company may collect, use, and process personal data in accordance with the Personal Data Processing Policy contained herein and the purposes authorized by each Data Subject, who shall be informed of these in advance and expressly in compliance with the legal requirements set forth by law and the Political Constitution.

5.3 Authorization of the Owner of the personal data

In accordance with current regulations, the processing of personal data by the Company requires prior and informed authorization from the Data Subject, which will be obtained by any means prior to processing and may be subject to subsequent consultation, except in cases expressly excluded by law. The Company will obtain the aforementioned authorization by using physical, audio, or digital authorization request forms, in which the Data Subject will be informed:

The processing to which your personal data will be subjected and its purpose.

The optional nature of the response to questions asked when they relate to sensitive data or the data of minors.

The rights you have as a Data Subject and the channels of service.

The Company's identification, physical or electronic address, and telephone number.

The Company will retain physical and/or digital records of the authorizations completed by the holders to respond to requests from them or from regulatory entities.

5.4 Data of minors

In the event that the Company, in the course of its business activities or in compliance with any legal regulation, needs to obtain personal data from minors, it will request authorization from the minor's Legal Representative for the processing of such data, after validating their accreditation as a representative or attorney-in-fact. The Company will ensure the lawful and appropriate use of data belonging to minors, ensuring that their interests and fundamental rights are respected.

 

5.5 Biometric data

The biometric data stored in the databases will be collected and processed strictly for security reasons, to verify personal identity and control access for employees, clients, and visitors. Biometric identification mechanisms capture, process, and store information related to, among other things, a person's physical characteristics (fingerprints, voice recognition, and facial features) to establish or "authenticate" the identity of each individual. The management of biometric databases will be implemented with security measures that guarantee due compliance with the principles and obligations derived from the Statutory Law on Data Protection, while also ensuring the confidentiality of the data subjects' information.

 

5.6. Security of personal data

Risk Management: The Company will periodically identify and assess risks to the security of the personal data being processed, based on their likelihood of occurrence and impact, establishing controls that reasonably mitigate such risks. The effectiveness of these controls will be regularly monitored so that corrective and improvement actions can be implemented.

Information Security: To protect and preserve the integrity, confidentiality, and availability of personal data, the Company has established information security procedures and standards, which may be updated to meet new needs or changes in applicable regulations. The Company implements and documents the security measures applicable to the protection of personal data.

Document Management: The Company will establish procedures and security measures for non-automated databases containing personal data, applying criteria that ensure their safekeeping, conservation, location, and final disposal, and that allow data subjects to exercise their right to access and/or file complaints. Additionally, it will implement the necessary controls to reasonably mitigate the risks of unauthorized access, tampering, loss, deterioration, and indiscriminate reproduction.

 

5.7. Transmission of personal data

By virtue of the existence of a contractual relationship with a third party, and if it is necessary to provide personal data, the Company will sign a Personal Data Transfer Agreement duly endorsed by the Legal Department and signed by the Company's Legal Representative, in which we will require our Data Processor to:

Have a formal policy for the management of personal data that guarantees compliance with current regulations regarding the protection of personal data and the timely response to inquiries and complaints from data subjects.

 

Keep information under the necessary security conditions to prevent its alteration, loss, unauthorized or fraudulent consultation, use, or access.

Timely update, rectify, or delete data, in accordance with regulatory and contractual requirements.

Update the information reported by the Company, within five (5) business days from receipt.

Timely record in the database provided by the Company the legends "Claim in process" and/or "Information under judicial discussion", as applicable.

Process, on behalf of the Controller, personal data in accordance with the principles that protect them.

Safeguard the security of databases containing personal data.

Maintain confidentiality regarding the processing of personal data.

Other obligations contained in Law 1581 of 2012.

Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

Likewise, in these contracts, the Company shall:

Ensure that the information provided to the Data Controller is truthful, complete, accurate, up-to-date, verifiable and understandable.

Update the information, promptly communicating to the Controller any new developments regarding the data previously provided and adopting any other measures necessary to ensure that the information provided remains up-to-date.

Correct information when it is incorrect and notify the Manager accordingly.

Provide the Controller, as the case may be, only with data whose processing has been previously authorized by the Owner, in accordance with current regulations.

Other obligations contained in Law 1581 of 2012.

International transfers of personal data carried out between the Company and a Data Processor to allow the latter to process the data on behalf of the Company will not require the Owner to be informed or to obtain their consent, provided that the Personal Data Transfer Agreement has been signed.

 

5.8 Transfer of personal data

In the event that the Company decides to transfer personal data to countries that do not provide adequate security and protection standards, the Company will comply with the provisions contained in Title VIII of Law 1581 of 2012, External Circular 005 of 2017, and other applicable regulations.

 

5.9 Provision of personal data to official authorities

When a public or administrative entity, in the exercise of its legal functions or by court order, requests the Company to access and/or provide personal data contained in any of its databases, the legality of the request and the relevance of the data requested in relation to the purpose expressed by the authority will be verified, and a record of the delivery of the requested personal information will be signed, specifying the obligation to guarantee the rights of the Owner, both to the official who makes the request, to the person who receives it, as well as to the requesting entity.

5.10 Registration with the National Database Registry (RNBD)

The deadline for registering databases with the RNBD will be the one established by law. Databases created after this deadline must be registered within two (2) months from their creation.

 

5.11. Incident notification, management, and response procedure

The Company will establish a procedure for reporting, managing, and responding to incidents to ensure the confidentiality, availability, and integrity of the information contained in the databases under its responsibility.

All users and those responsible for procedures, as well as anyone involved in the storage, processing, or consultation of the databases included in this document, must be familiar with the procedure for responding to an incident. The incident notification, management, and response procedure is as follows:

When a person becomes aware of an incident (loss, theft and/or unauthorized access) that affects or may affect the confidentiality, availability and integrity of the company's protected information, one of the Managers must immediately notify the Data Protection Officer, describing in detail the type of incident that occurred, indicating the people who may have been related to it, the date and time it occurred, the person who notified the incident, the person to whom it was communicated and the effects it has produced.

Once the incident has been reported, the Data Protection Officer must be asked for an acknowledgment of receipt confirming the notification of the incident with all the requirements listed above.

The Company will maintain an incident log that must contain: the type of incident (internal or external fraud, damage to physical assets, technological failures, process execution and management), date and time of the incident, the person reporting it, the person to whom it was reported, the effects of the incident, and corrective measures, where appropriate. This log is managed by the Data Protection Officer and will be included in the incident report along with the action plan.

 

Likewise, you must implement procedures for data recovery when applicable, indicating who performed the process, the data restored, and, where applicable, the data that required manual recording during the recovery process.

Additionally, the Data Protection Officer will report the incident to the Superintendency of Industry and Commerce, through the RNBD, within 15 business days of its detection.

Finally, the Company will notify the holders of the incident when it is determined that they may be significantly affected.

 

5.12. Validity of the treatment

The databases under the Company's control will be processed for as long as is reasonable and necessary for the purpose for which the data is collected, in compliance with legitimate interests. If the consent granted is revoked, the Company will delete the personal data in its possession, unless there is a legal or contractual obligation requiring its retention, of which the Data Subject will be notified.

 

6. Rights of the holders and procedure to exercise them

The rights of data subjects regarding the protection of their personal data are established by law and relate to the right to consult, access, and/or provide information, proof of authorization for the processing of their data, and to lodge complaints. These rights may be asserted by the Data Subject, their successors in title, or duly accredited representatives and/or legal agents.

The Company will handle inquiries and complaints made by data subjects free of charge. The Company's Data Protection Officer will be responsible for handling requests, inquiries, and complaints and can be contacted at Calle 74 AN 81 A – 69 and/or by email:

CONTABILIDAD@VITALQUIRURGICOS.COM and/or VENTAS@VITALQUIRURGICOS.COM

 

Once the consultation or complaint procedures have been exhausted, the Owner, successor in title, representative and/or legal representative may file complaints with the Superintendency of Industry and Commerce.

 

6.1 Consultations, access and provision of information

The Data Subject may submit their query to VITAL QUIRURGICOS HEALTH SAS through the following channels: email CONTABILIDAD@VITALQUIRURGICOS.COM and/or VENTAS@VITALQUIRURGICOS.COM indicating the request in the subject line; in the administration area of any of our stores nationwide where the request, complaint and claim form (PQR) is available; in the Contact Us section of our website www.VITALQUIRURGICOS.COM; or by regular mail sent to our offices at Calle 74 AN 81 A – 69 in the city of BOGOTÁ DC.

 

The application must contain the following information:

Name and surname of the Holder.

Petition in which the request for access or consultation is specified.

Address for notifications, date and signature of the applicant.

Supporting documents for the request made, where applicable.

In accordance with the provisions of the Law, the Company has a period of ten (10) business days to resolve these inquiries, counting from the date of receipt thereof, and will respond via regular or electronic mail. When it is not possible to address the inquiry within this period, the interested party will be informed, stating the reasons for the delay and indicating the date on which their inquiry will be addressed, which in no case may exceed five (5) business days following the expiration of the first term.

 

6.2 Claims

In data processing, four types of complaints are initially distinguished: Correction complaints, Deletion complaints, Revocation complaints, and Infringement complaints, which are defined in Section 3 of this document.

The Data Owner may make a claim to VITAL QUIRURGICOS HEALTH SAS through the following channels: email CONTABILIDAD@VITALQUIRURGICOS.COM and/or VENTAS@VITALQUIRURGICOS.COM indicating the request in the subject line; in the administration area of any of our stores nationwide where the form for requests, complaints and claims (PQR) is available; in the Contact Us section of our website www.VITALQUIRURGICOS.COM; or by regular mail sent to our offices at Calle 74 AN 81 A – 69 in the city of BOGOTÁ DC.

 

The application must contain the following information:

Name and surname of the Holder.

Description of the facts and request specifying the request for correction, deletion, revocation or infringement.

Address for notifications, date and signature of the applicant.

 

Supporting documents for the petition filed, where applicable.

If the claim is incomplete, the interested party will be required within five (5) days following receipt of the claim to correct the deficiencies. After two (2) months from the date of the request, if the applicant does not submit the required information, it will be deemed that the claim has been withdrawn.

 

Once the complete claim has been received, a legend stating "Claim in process" and the reason for the claim will be added to the database within a period of no more than two (2) business days. This legend must remain in effect until the claim is decided.

In accordance with the provisions of the Law, the Company has a period of fifteen (15) business days to resolve these claims, counting from the date of receipt thereof, and will respond via regular or electronic mail. When it is not possible to address the query within this period, the interested party will be informed, stating the reasons for the delay and indicating the date on which their query will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.

 

6.3 Validity and disclosure of this Policy

This Policy is effective from January 15, 2025.