Important notice
This document was prepared as part of a consultation and is informational and for reference only. Its content reflects the current regulatory status and does not constitute formal comprehensive legal advice.
The consultants responsible for its preparation assume no responsibility, direct or indirect, for actions or omissions deriving from compliance or non-compliance with this Policy by Dr. Tatiana Leal, her staff, contractors or any third party involved in its implementation.
This document is up to date as of the date and time of its formal delivery to the business owner. Regulations on personal data protection, healthcare and related sectors are subject to modifications by the legislature, the National Government, the Ministry of Health and Social Protection, the Superintendency of Industry and Commerce, and other competent authorities. Consequently, the consultants are not responsible for regulatory changes occurring after delivery of this document.
The consultants assume no responsibility for how Dr. Tatiana Leal implements this Policy, nor for the interpretation that the business owner, her staff or third parties make of the information contained herein. This document constitutes solely a suggestion prepared based on applicable regulations known at the time of delivery, and has no binding or imperative character for the recipient company.
Finally, it is noted that prior to the implementation of this Policy, the business owner must ensure training of all personnel involved in personal data processing, including staff, physicians and contractors, so that its application is conscious, informed and consistent with the principles and obligations described herein.
Data controller information
| Field | Information |
|---|---|
| Independent Professional | Tatiana Elixandra Leal Sandoval |
| ID Number | 52.973.417 |
| Activity | Aesthetic Medicine Services (Facial and Body) |
| Location | Bogotá D.C., Colombia |
| Address | CL 106 NO. 58 27 OF 601 |
| Email | dratatianaleal@gmail.com |
| Website | www.dratatianaleal.com |
| Version | 1.0 |
| Issue Date | September 20, 2023 |
1. Introduction
Dr. Tatiana Leal is an independent professional providing aesthetic medicine services (facial and body) in Colombia. In the course of her professional activities, she collects, stores, uses, circulates and generally processes personal data of her patients, users, suppliers, contractors and collaborators, including sensitive data such as health information, biometric data and medical records.
In compliance with Article 15 of the Political Constitution of Colombia, Law 1581 of 2012, Single Decree 1074 of 2015, Resolution 1995 of 1999, Resolution 839 of 2017 and Resolution 866 of 2021, Dr. Tatiana Leal has adopted this Data Processing Policy, which is mandatory for all staff, contractors, third parties and any person involved in personal data processing.
2. Purpose
This Policy aims to inform data subjects about the processing to which their information will be submitted, its purposes and their rights; to establish internal guidelines for collection, storage, use, circulation, transfer and deletion of personal data; to guarantee the effective exercise of habeas data rights and other constitutional and legal rights of the data subjects; and to ensure compliance with legal obligations regarding personal data protection, including special healthcare sector regulations.
3. Regulatory framework
This Policy is based on the Political Constitution of Colombia (Article 15, right to privacy and habeas data), Law 1581 of 2012 (General Personal Data Protection Regime), Single Decree 1074 of 2015 (regulation of Law 1581), Law 23 of 1981 and Resolution 1995 of 1999 (standards for proper medical record management), Resolution 839 of 2017 (healthcare sector regulations), Resolution 866 of 2021 (medical record interoperability) and Law 1273 of 2009 (computer crimes).
4. Guiding principles
Personal data processing is governed by the following principles:
| Principle | Description |
|---|---|
| Legality | Processing must comply with the provisions of Law 1581 of 2012 |
| Purpose | Processing must serve a legitimate purpose, communicated to the data subject at the time of collection |
| Freedom | Processing requires prior, express and informed consent from the data subject |
| Truthfulness | Information must be truthful, complete, accurate and current |
| Transparency | The data subject’s right to obtain information about the processing of their data is guaranteed at all times |
| Limited Access | Personal data is subject to legal limits and may not be disclosed without authorization |
| Security | Information must be handled with the necessary technical, human and administrative measures |
| Confidentiality | All involved in processing are obligated to guarantee the confidentiality of information |
| Temporal Limitation | Data is retained only for the reasonable and necessary period for the authorized purpose |
| Necessity | Only data strictly necessary for the authorized purpose is processed |
5. Special data categories
5.1 Sensitive data
Dr. Tatiana Leal processes sensitive data — that which affects the individual’s privacy or whose improper use may lead to discrimination. In the context of aesthetic medicine, this includes health-related data (diagnoses, medical history, allergies, medications, aesthetic procedures and examination results), biometric data (before and after photographs, clinical videos), and, when relevant to the medical-aesthetic treatment, data on the patient’s sexual life.
5.2 Authorization for sensitive data
Sensitive data processing is only carried out when the data subject has given explicit authorization, when it is necessary to safeguard the vital interests of an incapacitated person, when the data is needed for the recognition, exercise or defense of a legal right, or when it serves a duly justified historical, statistical or scientific purpose.
Data subjects are NOT obligated to authorize the processing of their sensitive data. No activity will be conditioned on providing sensitive data that is not strictly necessary.
5.3 Medical records
Medical records are private documents subject to strict confidentiality. Minimum retention is 20 years from the date of last treatment: at least 5 years in active management archive and at least 15 years in central archive, in accordance with Ministry of Health regulations.
6. Processing purposes
6.1 Patients and users
For patients and users of the clinic, data will be processed for: medical record creation and management; appointment scheduling, confirmation and follow-up; provision of aesthetic medicine services; communication of results and recommendations; billing and service payment management; statistical and scientific studies; legal compliance; PQRS handling (petitions, complaints, claims and requests); authorized commercial communications; and the use of photographs with the data subject’s explicit authorization.
6.2 Staff and contractors
For staff and contractors, data processing is limited to the management of the employment or contractual relationship, facility access control, training and development activities, and compliance with applicable legal obligations.
6.3 Suppliers and third parties
For suppliers and third parties, processing is restricted to contractual management, billing and payments, and compliance with corresponding legal obligations.
7. Data processing authorization
Except in cases exempted by law, prior, express and informed authorization will be obtained from the data subject before any personal data processing begins. Such authorization may be granted in writing (through a physical or digital signed form), verbally (with audio recording), or through unequivocal conduct from which consent can reasonably be inferred.
Authorization is not required when information is requested by a public entity in the exercise of its functions, when the data is publicly available, when medical or health emergencies justify it, or when the processing serves a duly justified historical, statistical or scientific purpose.
8. Data transfer
Dr. Tatiana Leal may transfer personal data to laboratories, radiologists and other healthcare providers to ensure continuity of care; to health insurance entities for authorization or billing; to technology service providers acting as data processors; to health, judicial or administrative authorities when legally required; and to the Health System Interoperability Platform in accordance with applicable regulations.
9. ARCOP rights
Data subjects have the following rights regarding the processing of their personal data:
| Right | Description |
|---|---|
| Access | Know what data is being processed, its origin and the purposes of the processing |
| Rectification | Request correction or update of inaccurate, incomplete or outdated data |
| Cancellation | Request deletion of data when no longer necessary or when legal retention periods have expired |
| Opposition | Oppose processing for specific purposes or revoke the authorization granted |
| Portability | Request proof of the authorization granted and information on how data has been used |
10. Procedure for PQRS and ARCOP rights
10.1 Contact channels
Requests may be submitted through the following channels:
- Physical address: CL 106 NO. 58 27 OF 601 – Bogotá D.C.
- Email: dratatianaleal@gmail.com
- Website: www.dratatianaleal.com
10.2 Minimum requirements for requests
Every request must include: full name of the data subject; identity document; a clear description of the request; contact address and phone number; signature of the data subject; and supporting documents, if applicable.
10.3 Response deadlines
Queries will be answered within a maximum of 10 business days. Claims will be resolved within a maximum of 15 business days, extendable to 20 business days when circumstances so justify, with prior notification to the data subject.
11. Security measures
Dr. Tatiana Leal implements a set of technical, physical and administrative measures to protect personal data in her custody. These include sterilization and disinfection protocols in accordance with international standards, cleaning and disinfection procedures for clinical areas, proper management of biological waste, storage on media with physical and IT security controls, and systems that prevent unauthorized modifications after data has been recorded.
12. Video surveillance
Dr. Tatiana Leal operates video surveillance systems to ensure the physical security of the clinic’s facilities. Images obtained will be retained for a maximum of 90 calendar days, except when legal proceedings are underway that justify longer retention. The processing of these images is governed by the Video Surveillance Notice available at /en/video-surveillance-notice/.
13. Security incidents
In the event of a security incident affecting personal data, Dr. Tatiana Leal will follow this protocol: immediate report to the designated Data Protection Officer; adoption of containment and investigation measures; report to the Superintendency of Industry and Commerce within 15 business days of becoming aware of the incident; and complete documentation of the entire process, including any corrective actions taken.
14. Training
Dr. Tatiana Leal will develop periodic training programs on personal data protection, medical record management and information security, aimed at all staff, partners and contractors involved in data processing. Completion of training is a condition for access to and handling of any personal data within the clinic’s activities.
15. Duration
This Policy takes effect from its adoption and remains in force indefinitely. Any substantive changes to its content will be communicated in a timely manner to data subjects through the clinic’s usual contact channels.
16. National database registry
Dr. Tatiana Leal will register her databases in the National Database Registry administered by the Superintendency of Industry and Commerce (SIC), in accordance with the provisions of Decree 1074 of 2015.
17. Contact — Superintendency of Industry and Commerce
For complaints or reports to the data protection supervisory authority, contact the Superintendency of Industry and Commerce at www.sic.gov.co or by email at contactenos@sic.gov.co.