Data Processing Policy

 

PERSONAL DATA PROCESSING POLICY

In compliance with the provisions of Statutory Law 1581 of 2012 and its Regulatory Decrees, the company establishes the General and Special Policies applicable to the Processing and Protection of Personal Data within the organization.

 

1 IDENTIFICATION OF THE DATA CONTROLLER

 

IMAGING EXPERTS AND HEALTHCARE SERVICES S.A.S.: A commercial company identified with NIT No. 900.537.021-5, constituted as a Colombian company, whose corporate purpose is the wholesale trade and rental of other types of machinery and equipment not classified elsewhere.

• PHYSICAL ADDRESS: Calle 92 #11-51, Office 202
• CONTACT EMAIL: admin@imexhs.com
• PHONE: 031-3164890
  
  

 

 

2 OBJECTIVE

This Policy establishes the general guidelines for the protection and processing of personal data within the Company, thereby strengthening the level of trust between the Controller (IMEXHS S.A.S) and the Data Subjects regarding the processing of their information. It also aims to inform Data Subjects about the purposes and transfers to which their personal data is subjected, as well as the mechanisms and procedures available for exercising their rights.

 

3 SCOPE

This Personal Data Processing and Protection Policy shall apply to all databases and/or files that include personal data processed by IMAGING EXPERTS AND HEALTHCARE SERVICES S.A.S. in its capacity as the data controller.
 

 

4 DEFINITIONS 

• Habeas Data: The right of every individual to know, update, and rectify the information collected about them in public or private records and databases.
• Personal Data: Any information linked to or that may be associated with one or more specific or identifiable natural persons.
• Database: An organized collection of personal data that is subject to processing.
• Processing: Any operation or set of operations performed on personal data, such as collection, storage, use, circulation, or deletion.
• Authorization: The prior, explicit, and informed consent given by the Data Subject to carry out the processing of their personal data.
• Privacy Notice: The physical, electronic, or other format document, whether currently known or to be developed, that is made available to the Data Subject in order to provide information about the processing of their personal data.
• Data Subject: A natural person whose personal data is subject to processing.
• Successor: A person who, through succession or transmission, acquires the rights of another individual.
• Data Controller: A natural or legal person, public or private, who on their own or in association with others, decides on the database and/or the processing of the data.
• Data Processor: A natural or legal person, public or private, who on their own or in association with others, carries out the processing of personal data on behalf of the Data Controller.
   

 

5 GUIDING PRINCIPLES APPLICABLE TO PERSONAL DATA

In matters of personal data protection, the following guiding principles shall apply:

 

1. Principle of Legality in Data Processing: The processing referred to in the Habeas Data Law is a regulated activity that must comply with the provisions established therein and in the other implementing regulations.
2. Principle of Purpose: Processing must be carried out for a legitimate purpose in accordance with the Constitution and the law, and this purpose must be communicated to the Data Subject.
3. Principle of Freedom: Processing may only be carried out with the prior, explicit, and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization or in the absence of a legal or judicial mandate that exempts the need for consent.
4. Principle of Accuracy or Quality: The information subject to processing must be true, complete, accurate, up-to-date, verifiable, and understandable. The processing of partial, incomplete, fragmented data, or data that may lead to error, is prohibited.
5. Principle of Transparency: Processing must guarantee the Data Subject’s right to obtain, at any time and without restrictions, information from the Data Controller or the Data Processor regarding the existence of data concerning them.
6. Principle of Restricted Access and Circulation: Processing is subject to limitations derived from the nature of personal data as well as the provisions of the law and the Constitution. In this regard, processing may only be carried out by persons authorized by the Data Subject and/or those provided for by law.
   
   Except for public information, personal data shall not be available on the Internet or other mass communication or disclosure media unless access is technically controlled to restrict knowledge exclusively to the Data Subjects or to authorized third parties in accordance with the law.
   
   
7. Principle of Security: The information processed by the Data Controller or Data Processor as referred to in the Habeas Data Law must be managed with the necessary technical, human, and administrative measures to ensure the security of the records, preventing their alteration, loss, unauthorized consultation, use, or fraudulent access.
   
   
8. Principle of Confidentiality: All individuals involved in the processing of personal data that is not of a public nature are obligated to ensure the confidentiality of the information, even after their relationship with any of the processing activities has ended. Personal data may only be supplied or communicated when it is pertinent to the development of activities authorized by law and under its terms.

6 RIGHTS OF DATA SUBJECTS

Data Subjects shall enjoy the following rights, as well as any others provided by law:

1. The right to know, update, and rectify their personal data held by the Data Controller or Data Processors. This right may be exercised, among others, in relation to partial, inaccurate, incomplete, fragmented data, data that may lead to error, or data whose processing is expressly prohibited or has not been authorized.
2. The right to request proof of the authorization granted to the Data Controller, except when such proof is expressly exempted as a requirement for processing, in accordance with the provisions of Article 10 of the law.
3. The right to be informed by the Data Controller or Data Processor, upon request, about the use made of their personal data.
4. The right to file complaints with the Superintendence of Industry and Commerce for violations of the provisions of the law and any other rules that amend, add to, or complement it.
5. The right to revoke the authorization and/or request the deletion of their data when the processing does not respect constitutional and legal principles, rights, and guarantees. Revocation and/or deletion shall be implemented when the Superintendence of Industry and Commerce determines that the Data Controller or Processor has engaged in conduct contrary to the law and the Constitution.
6. The right to access, free of charge, their personal data that has been processed.

7 DATA SUBJECT AUTHORIZATION

Notwithstanding the exceptions provided in Statutory Law 1581 of 2012, as a general rule in the processing of personal data, IMAGING EXPERTS AND HEALTHCARE SERVICES S.A.S. will obtain the prior and informed authorization from the Data Subject, which may be secured by any means that allows for subsequent verification.

 

• Events in Which Authorization Is Not Required

Authorization from the Data Subject will not be necessary when dealing with:

1. Information requested by a public or administrative entity in the exercise of its legal functions or by court order;
2. Data of a public nature;
3. Cases of medical or health emergency;
4. Processing of information authorized by law for historical, statistical, or scientific purposes;
5. Data related to the Civil Registry of Persons.

8 DUTIES OF IMAGING EXPERTS AND HEALTHCARE SERVICES S.A.S. AS THE DATA CONTROLLER
IMAGING EXPERTS AND HEALTHCARE SERVICES S.A.S., as the data controller, shall fulfill the following duties:

1.  Ensure that the Data Subject may exercise their habeas data rights fully and effectively at all times.
2. Request and maintain, under the conditions provided by law, a copy of the respective authorization granted by the Data Subject. 
3. Adequately inform the Data Subject about the purpose of data collection and the rights available to them by virtue of the authorization granted.
4. Safeguard the information under the necessary security conditions to prevent its alteration, loss, unauthorized consultation, use, or fraudulent access.
5.  Ensure that any information provided to the Data Processor is true, complete, accurate, up-to-date, verifiable, and understandable.
6. Update the information by promptly communicating to the Data Processor all changes regarding the data previously supplied and taking the necessary measures to keep the information provided up to date.
7. Rectify any incorrect information and communicate the pertinent corrections to the Data Processor. 
8. Provide the Data Processor, as applicable, only with data whose processing has been previously authorized in accordance with this law. 
9. Demand that the Data Processor always respects the security and privacy conditions of the Data Subject's information.
10. Process inquiries and complaints in the manner set forth in Statutory Law 1581 of 2012.
11. Implement an internal manual of policies and procedures to ensure proper compliance with the law, especially regarding the handling of inquiries and complaints.
12. Notify the Data Processor when certain information is under dispute by the Data Subject, once a claim has been filed and the corresponding procedure has not yet been completed.
13. Inform the Data Subject, upon request, about the use made of their data. 
14. Notify the data protection authority when security breaches occur and there are risks in the management of the Data Subjects’ information.
15. Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

9 SPECIFIC POLICIES FOR THE PROCESSING OF PERSONAL DATA.

• • Processing of Employees’ Personal Data

IMAGING EXPERTS AND HEALTHCARE SERVICES S.A.S. collects the personal data of its Employees, which the company classifies as confidential, and such data will only be disclosed by the company with the express authorization of the Data Subject or upon request by a Competent Authority.

The purposes for which the employees' personal data are used are as follows:

1. To comply with the obligations imposed on employers by Colombian labor law or the orders issued by the competent Colombian authorities.
2. To issue certifications regarding the relationship between the Data Subject and the company.
3. To fulfill the obligations imposed on the company as an employer in relation to Occupational Safety and Health standards, as well as the Occupational Safety and Health Management System (SG-SST).
4. To manage the functions performed by the employees.
5. To review memoranda or notices of reprimand.
6. To control the distribution of uniforms and equipment.
7. To develop and implement the disciplinary process.
8. To manage and control payroll.
9. To contact family members in cases of emergency.
10. To manage and control requests, complaints, and claims.

 IMAGING EXPERTS AND HEALTHCARE SERVICES S.A.S. almacena los datos personales de sus empleados, incluidos los que hayan sido obtenidos en desarrollo del proceso de selección, y los conserva en un archivador independiente en carpetas A-Z verticales separados por pestañas identificada con el nombre de cada uno de ellos.

A tal carpeta solo tendrá acceso y será tratada por el Área de Recursos Humanos, con la finalidad de administrar la relación contractual entre IMAGING EXPERTS AND HEALTHCARE SERVICES S.A.S. y el empleado.

MAGING EXPERTS AND HEALTHCARE SERVICES S.A.S. stores the personal data of its employees, including that which has been obtained during the selection process, and keeps it in an independent filing cabinet in vertically arranged A-Z folders, each labeled with the employee's name.

Access to each folder is limited exclusively to the Human Resources Department, which processes the data for the purpose of managing the contractual relationship between IMAGING EXPERTS AND HEALTHCARE SERVICES S.A.S. and the employee.

IMAGING EXPERTS AND HEALTHCARE SERVICES S.A.S. processes sensitive data of its employees. For this purpose, the respective authorization is collected, which will be expressly and optionally granted, clearly indicating the sensitive data subject to processing and its purpose.

Furthermore, the company employs advanced security systems to handle and safeguard such sensitive data, understanding that these data will only be used by IMAGING EXPERTS AND HEALTHCARE SERVICES S.A.S. for the aforementioned purposes.

Upon termination of the employment relationship, IMAGING EXPERTS AND HEALTHCARE SERVICES S.A.S. will proceed to store all personal data obtained during the selection process, as well as the documentation generated during the employment relationship, in a central file with restricted access. At all times, the information will be subject to appropriate security measures and levels, given that employment data may contain sensitive information.

In any event, the information will not be processed for a period exceeding twenty (20) years from the termination of the employment relationship, or in accordance with legal or contractual circumstances that necessitate the handling of the information.

• Personal Data Processing of Clients

IMAGING EXPERTS AND HEALTHCARE SERVICES S.A.S. collects its Clients' personal data and stores it in a database that the company classifies as confidential. Such data will only be disclosed with the express authorization of the Data Subject or upon request by a Competent Authority.

The purposes for which the Clients' personal data are used include:

1. Managing the pre-contractual, contractual, and post-contractual stages.
2. Sending invitations to events organized by the company.
3. Verifying any requirements that arise during the execution of the contracted services.
4. Fulfilling the purpose of the contract, including activities such as shipment of merchandise, compliance with and processing of guarantees, among others.
5. Verifying instances of non-compliance by either party.
6. General client engagement and relationship management.
7. Conducting customer loyalty activities and marketing operations.
8. Managing and controlling invoicing.
9. Administering various collections and payments.
10. Handling products such as software based on data tables that compile client and product information.
11. Providing maintenance and support through remote access to software containing information on our clients’ users.
12. Managing and controlling various legal processes.
13. Managing and controlling requests, complaints, and claims.

In any event, the information will not be processed for a period exceeding the duration of the client’s relationship with the company, plus any additional time required in accordance with legal or contractual circumstances that necessitate the handling of the information.

• Personal Data Processing of Suppliers and Contractors

 IMAGING EXPERTS AND HEALTHCARE SERVICES S.A.S. collects the personal data of its suppliers and contractors, which is stored in a database that, although mostly composed of public data, is classified by the company as confidential. In cases involving private data, such data will only be disclosed by the company with the express authorization of the Data Subject or upon request by a Competent Authority.

The purposes for which the personal data of IMAGING EXPERTS AND HEALTHCARE SERVICES S.A.S.'s suppliers and contractors are used include:

1. Sending invitations to tender and managing the pre-contractual, contractual, and post-contractual stages.
2. Sending invitations to events organized by the Company or its affiliates.
3. Other purposes specifically established in the authorizations granted by the suppliers themselves.

 IMAGING EXPERTS AND HEALTHCARE SERVICES S.A.S. will only collect from its suppliers and contractors the data that is necessary, pertinent, and not excessive for the purpose of selecting, evaluating, and executing the contract in question.

The collection of personal data of employees of suppliers and contractors by IMAGING EXPERTS AND HEALTHCARE SERVICES S.A.S. will, in all cases, serve the purpose of verifying the suitability and competence of such employees; that is, once this requirement has been verified,   will return the information to the Supplier, unless explicit authorization for its retention is provided.

In any event, the information will not be processed for a period exceeding the duration of the Supplier’s relationship with the company, plus any additional time required in accordance with legal or contractual circumstances that necessitate the handling of the information.

 

10. INTERNATIONAL TRANSFER AND TRANSMISSION OF PERSONAL DATA

The company currently carries out the international transfer of personal data, including the accounting and financial information of the company, to its headquarters, IMAGING EXPERTS AND HEALTHCARE SERVICES PTY LTDA, identified by ACN 624.772.756 and located at 122 O’Riordan Street, Mascot NSW 2020, Australia. This is done in compliance with the requirements to safeguard semi-confidential personal data. Likewise, the information will be managed confidentially, with prior authorization obtained from the Data Subjects when deemed appropriate. However, no data transmission is carried out. In the event that the company decides to engage in the international transmission of personal data, in addition to obtaining the Data Subject's express and unequivocal authorization, IMAGING EXPERTS AND HEALTHCARE SERVICES S.A.S. will ensure that the action provides the appropriate levels of data protection and complies with the requirements set forth in Colombia by the Statutory Law and its regulatory decrees, safeguarding the security of the information, confidentiality, and the conditions governing the scope of data processing, in accordance with Article 10 of Law 1581 of 2012.

 

11. DATA OF CHILDREN AND ADOLESCENTS
    

 IMAGING EXPERTS AND HEALTHCARE SERVICES S.A.S. does not directly process the personal data of minors. However, the company does collect and process the personal data of the minor children of its employees, solely for the purpose of fulfilling the obligations imposed on employers by law regarding social security and parafiscal contributions, and in particular to ensure the fundamental rights of children to health and recreation.

In any event,  IMAGING EXPERTS AND HEALTHCARE SERVICES S.A.S. will obtain the respective authorization for such processing when applicable, always considering the best interests of the minor and respecting the prevailing rights of children and adolescents.

 

12. PROCEDURE FOR HANDLING INQUIRIES, COMPLAINTS, AND REQUESTS, AND MECHANISMS FOR EXERCISING THE RIGHTS OF DATA SUBJECTS

 

 

The Data Subject, their successors, representative and/or attorney, or any person designated by stipulation on behalf of another, may exercise their rights by contacting us through written communication addressed to the department responsible for personal data protection at the company, ADMINISTRATIVE. Such communication may be sent to the following email address: sugerencias@imexhs.com, or by means of written correspondence delivered to Calle 92 #11-51 OF 202 in Bogotá.
12.1 Inquiries

The Data Subject's personal information stored in the databases of IMAGING EXPERTS AND HEALTHCARE SERVICES S.A.S. may be consulted, and the company will provide all the information contained in the individual record or linked to the identification of the applicant.

Once the inquiry is received by the company, it will be addressed within a maximum period of ten (10) business days from the date of receipt.

If it is not possible to address the inquiry within that period, the interested party will be informed, with an explanation of the reasons for the delay and an indication of the new date on which the inquiry will be addressed, which in no case may exceed five (5) business days beyond the expiration of the initial term.

• When it is determined that the information contained in a database of IMAGING EXPERTS AND HEALTHCARE SERVICES S.A.S. should be corrected, updated, or deleted, or when there is evidence of the alleged non-compliance with any of the obligations established in the Habeas Data Law, a claim may be submitted to IMAGING EXPERTS AND HEALTHCARE SERVICES S.A.S. This claim will be processed under the following rules:
  
• Claims:
  

1. The claim shall be submitted through written communication addressed to IMAGING EXPERTS AND HEALTHCARE SERVICES S.A.S., including the Data Subject’s identification, a description of the events giving rise to the claim, their address, and any documents the claimant wishes to submit in support.

If the claim is found to be incomplete, the interested party will be requested to remedy the deficiencies within five (5) days following the receipt of the claim. If, after two (2) months from the date of such request, the applicant does not provide the required information, it will be understood that they have withdrawn their claim.

In the event that IMAGING EXPERTS AND HEALTHCARE SERVICES S.A.S. receives a claim for which it is not competent to resolve, the company will forward it to the appropriate party within a maximum of two (2) business days and will inform the Data Subject accordingly.

2. Once the complete claim is received, the company will add a notation to the corresponding database indicating “claim in process” along with the reason for the claim, within no more than two (2) business days. The company will maintain this notation on the data in question until the claim is resolved.
3. The maximum term for addressing the claim shall be fifteen (15) business days counted from the day following the receipt of the claim. If it is not possible to address the claim within that period, the company will inform the Data Subject of the reasons for the delay and the new date on which the claim will be addressed, which in no case may exceed eight (8) business days after the expiration of the initial term.

MINIMUM CONTENT OF THE REQUEST

Requests submitted by the Data Subject for the purpose of making an inquiry or claim regarding the use and management of their personal data must include the following minimum specifications, in order to provide the Data Subject with a clear and coherent response to their request. The requirements of the request are:

1. It must be addressed to IMAGING EXPERTS AND HEALTHCARE SERVICES S.A.S.
2. It must contain the Data Subject’s identification (name and identification document).
3. It must include a description of the events that motivate the inquiry or claim.
4. It must state the purpose of the request.
5. It must indicate the Data Subject’s notification address, either physical and/or electronic (e-mail).
6. It must include the documents the Data Subject wishes to submit in support (especially for claims).

In the event that the inquiry or claim is submitted in person, the Data Subject must provide their request or claim in writing, meeting only the requirements specified above.

12.3 Requirement for Exhausting Internal Procedures

The Data Subject, their successors, representative and/or attorney, or any person designated by stipulation on behalf of another, may only file a complaint with the Superintendence of Industry and Commerce regarding the exercise of their rights after having exhausted the inquiry or claim procedure directly with the company.

 

12.4 Request for Update and/or Correction

 IMAGING EXPERTS AND HEALTHCARE SERVICES S.A.S. will update and correct, at the request of the Data Subject, any information that is inaccurate or incomplete, in accordance with the procedure and terms previously outlined. For this purpose, the Data Subject must submit the request through the channels provided by the company, indicating the specific updates and corrections needed, and must also supply the supporting documentation for such request.

 

• Revocation of Authorization and/or Data Deletion

The Data Subject may revoke at any time the consent or authorization given for the processing of their personal data, provided that no legal or contractual provision prevents it.

In addition, the Data Subject has the right to request the deletion or removal of their personal data from IMAGING EXPERTS AND HEALTHCARE SERVICES S.A.S. at any time when:

1. They consider that such data is not being processed in accordance with the principles, duties, and obligations set forth in the applicable regulations.
2. The data is no longer necessary or pertinent for the purpose for which it was obtained.
3. The required period for achieving the purposes for which the data was obtained has been fulfilled.

Such deletion implies the total or partial removal of the personal information, as requested by the Data Subject, from the records, files, databases, or processing carried out by the company.

The right to cancellation is not absolute; therefore, IMAGING EXPERTS AND HEALTHCARE SERVICES S.A.S. may deny the revocation of authorization or the deletion of personal data in the following cases:

1. The Data Subject has a legal or contractual obligation to remain in the database.

2. The deletion of the data would hinder judicial or administrative proceedings related to fiscal obligations, the investigation and prosecution of crimes, or the updating of administrative sanctions.

3. The data is necessary to protect the Data Subject's legally protected interests; to carry out an action in the public interest; or to comply with a legally acquired obligation on the part of the Data Subject.

    

• MODIFICATION OF THE POLICIES 

 IMAGING EXPERTS AND HEALTHCARE SERVICES S.A.S. reserves the right to modify the Personal Data Processing and Protection Policy at any time. However, any modifications will be communicated in a timely manner to the Data Subjects through the usual contact channels, with ten (10) business days’ notice prior to their effective date.

In the event that a Data Subject does not agree with the new General or Special Policy, and has valid reasons that constitute just cause for not continuing with the authorization for personal data processing, the Data Subject may request the removal of their information from the company through the channels indicated in Chapter 12. However, Data Subjects may not request the removal of their personal data when the company is under a legal or contractual obligation to process such data.

 

• VALIDITY

This Policy is effective as of November 22, 2018.