GILMEDICA SAS, a commercial company legally registered in the Cali Chamber of Commerce and identified with the NIT. No. 890.317.417-9, with registered address in the municipality of Yumbo (Valle del Cauca) and with the email address gerencia@gilmedica.com, (hereinafter “Gilmedica” or the “Company”), in order to strictly comply with current regulations on the protection of Personal Data, in accordance with the provisions of Law 1581 of 2012, Regulatory Decree 1377 of 2013, the provisions of Article 15 of the Political Constitution of Colombia, the regulatory compendium of Decree 1074 of 2015 and other regulatory provisions that modify, add to, complement or repeal them, hereby makes known to the public, its clients, employees, shareholders, collaborators and suppliers its Personal Data Processing Policy (hereinafter the “Policy”), through which general provisions are issued for the protection of information linked to, or that may be related to, the processing of personal data. to associate with one or more specific or identifiable natural persons (the “Personal Data”), by virtue of the prior authorization that has been granted by them to a personal data controller.

This Policy will apply to all Data Subjects who have a relationship with Gilmedica and/or whose Personal Data has been collected and processed in any way as a consequence of or in connection with a relationship established with the Company, whether such Processing is carried out by Gilmedica or by third parties acting on its behalf.

This Policy will apply to all Processing carried out by Gilmedica and, where applicable, by those third parties with whom all or part of the performance of any activity relating to, or related to, the Processing of Personal Data is agreed.

In this Personal Data Processing Policy, Gilmedica details the general corporate guidelines that are taken into account in order to protect the Personal Data of the Data Subjects, the purposes of the Processing of the information, the rights of the Data Subjects, the area responsible for handling complaints and claims, and the procedures that must be exhausted to know, update, rectify and delete the information.

Gilmedica, in compliance with the constitutional right to Habeas Data, only collects and processes Personal Data when it has been previously authorized by its Owner, implementing for this purpose, clear measures on confidentiality and privacy of Personal Data.

1. LEGAL FRAMEWORK OF GILMEDICA'S DATA PROCESSING POLICY.

The legal framework for this Personal Data Protection and Processing Policy is primarily determined by the Colombian Constitution, particularly Articles 15 and 20, which establish the right to information, freedoms, and guarantees for all citizens regarding their personal data and their right to privacy. The provisions of Statutory Law must also be taken into account.

1581 of 2012, through which general provisions are issued for the protection of information and personal data.

Similarly, the regulations established by the National Government in Decrees 1377 of 2013, 886 of 2014, and the regulatory compendium of Decree 1074 of May 26, 2015, as well as Regulatory Decrees 1727 of 2009 and 2952 of 2010, and all other regulations that repeal, amend, or supplement the aforementioned laws, articles, and decrees, are also relevant. In conclusion, the regulations cited here constitute the legal framework governing all aspects related to the processing of personal data by Gilmedica, including its purposes, regulations, the rights of data subjects whose data is processed, and the associated duties of those responsible for and in charge of such processing.

2. OBJECT.

This document contains the policy that governs the processing of personal data collected by Gilmedica and its employees in relation to the intended purposes for which personal data and sensitive information of each data subject are processed. This data processing policy is duly aligned with the provisions of Articles 17 and 18 of Law 1581 of 2012, as well as with the provisions of Articles 2.2.2.25.3.1, 2.2.2.25.3.2, and 2.2.2.25.3.3 of Decree 1074 of 2015. Therefore, the purpose of this document and the regulations stipulated herein is to establish the parameters for the handling and intended purposes of personal data processing by Gilmedica, ensuring that all data subjects are fully aware of the processing and purposes for which their data is used once obtained by any of our departments or the Company's web platform, thus guaranteeing data subjects the exercise of their rights and privileges. that derive from its quality.

The Personal Data Protection Policy of GILMEDICA SAS will apply to all databases and/or files containing personal data that GILMEDICA SAS processes as the controller and/or processor of personal data.

3. DEFINITIONS.

For the purposes of this Policy, both the definitions set forth in Law 1581 of 2012 and the following shall be taken into account, as indicated below:

a) Personal Data: Any information linked to or that can be associated with one or more identified or identifiable natural persons.

b) Data Subject: A natural person whose Personal Data is subject to Processing.

c) Sensitive Data: Data that affects the privacy of the Data Subject or whose misuse may lead to discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in trade unions, social or human rights organizations, or organizations that promote the interests of any political party or guarantee the rights of opposition political parties, as well as data concerning health, sexual life, and biometric data.

d) Data Processor: A natural or legal person, public or private, who, by itself or in association with others, processes Personal Data on behalf of the Data Controller.

e) Data Processing Policies regarding Personal Data Protection: Refers to this document.

f) National Database Registry: The public directory of databases subject to Processing operating in Colombia.

g) Data Controller: Refers to Gilmedica or the natural or legal person, public or private, who, by itself or in association with others, decides on the purposes of the Databases and/or the Processing of Personal Data.

h) Processing: Any operation or set of operations performed on Personal Data, such as collection, storage, use, circulation, or deletion, as well as its Transfer and/or Transmission to third parties through communications, consultations, interconnections, assignments, or data messages.

i) Transfer: The transfer of Personal Data occurs when the Data Controller and/or Data Processor located in Colombia sends Personal Data information to a recipient, who is also responsible for processing and is located within or outside the country.

j) Transmission: Processing of Personal Data that involves communicating such data to a third party within or outside the territory of the Republic of Colombia, when such communication is intended for the Data Processor to carry out Processing on behalf of the Data Controller, in order to fulfill the purposes established by the latter.

k) Authorization: Refers to the prior, express, and informed consent given by the Data Subject for the processing of their personal data, which must be granted to Gilmedica so that it may carry out the purposes established in its Personal Data Protection and Processing Policy.

l) Database: An organized set of Personal Data that will be subject to processing by Gilmedica, in accordance with the provisions of this Personal Data Protection and Processing Policy.

m) Public Data: Data that is not classified by the Constitution, law, or jurisprudence as semi-private, private, or sensitive. Public data includes, among others, data related to a person’s marital status, profession or occupation, and status as a merchant or public servant. In general, any data that can be obtained without restriction is considered public. Public data may be contained, among others, in public records, official documents, gazettes, bulletins, and duly executed court rulings that are not subject to confidentiality by legal provision.

n) Semi-private Data: Data that, while personal, is known and of interest only to the Data Subject and a specific group or sector of society, without being classified as private, reserved, or public.

o) Private Data: Personal data that, due to its confidential and intimate nature, is exclusively within the personal sphere of the Data Subject.

p) Privacy Notice: A verbal or written communication generated by the Data Controller and addressed to the Data Subject, informing them about the existence of the Personal Data Protection and Processing Policy applicable to them, how to access it, and the purposes for which their personal data and information will be processed by Gilmedica.

4. GUIDING PRINCIPLES OF GILMEDICA'S PERSONAL DATA PROCESSING POLICY.

In accordance with Article 4 of Law 1581 of 2012, the principles governing the Processing of Personal Data at Gilmedica are:

a) Principle of legality in matters of Data Processing: The Processing of Personal Data is a regulated activity that must comply with the provisions of Law 1581 of 2012 and Decree 1074 of 2015 and other provisions that develop, add to or modify it.
b) Principle of purpose: The Processing must obey one or more legitimate purposes in accordance with the Constitution and the Law, which must be informed to the Data Subject.
c) Principle of freedom: Processing may only be carried out with the prior, express, and informed consent of the Data Subject. Personal Data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that waives the requirement for consent.
d) Principle of truthfulness or quality: The information subject to Processing must be truthful, complete, accurate, up-to-date, verifiable and understandable. The Processing of partial, incomplete, fragmented or misleading data is prohibited.
e) Principle of transparency: In the Processing, the right of the Data Subject to obtain from the Controller or the Processor, at any time and without restrictions, information about the existence of data concerning him or her must be guaranteed.
f) Principle of restricted access and circulation: The Processing is subject to the limits derived from the nature of the Personal Data. In this sense, the Processing may only be carried out by persons authorized by the Data Subject and/or by the persons provided for in Law 1581 of 2012.
g) Security Principle: Information subject to Processing by the Data Controller or Data Processor must be handled with the technical, human and administrative measures necessary to ensure the security of the records, preventing their alteration, loss, consultation, use or unauthorized or fraudulent access.
h) Principle of confidentiality: All persons involved in the Processing of Personal Data that is not of a public nature are obliged to guarantee the confidentiality of the information, even after their relationship with any of the tasks that comprise the Processing has ended, and may only supply or communicate Personal Data when it corresponds to the development of the activities authorized in Law 1581 of 2012 and in the terms thereof.

5. AUTHORIZATION, PROCESSING AND STORAGE OF PERSONAL DATA.

From the date this Policy comes into effect, Gilmedica, at the time of collecting Personal Data, will request prior authorization from the Data Subjects, informing them about the specific purposes of the Processing for which said consent is obtained.

Gilmedica will process the Personal Data that the Data Subject voluntarily provides, which may only be used by Gilmedica, its employees, consultants, advisors, subsidiaries of the business group, and commercial and strategic partners expressly authorized by the Company. In any case, Gilmedica, upon the Data Subject's request, will provide complete information on the authorized persons and/or third parties who process their Personal Data.

Gilmedica may request Sensitive Data at any time, informing the Data Subject at the time of collection that the requested data is sensitive and that its provision to Gilmedica is optional, and indicating what type of Sensitive Data will be collected. In all cases, Gilmedica will strictly observe the legal limitations on the Processing of Sensitive Data. Gilmedica will not, under any circumstances, condition any activity on the provision of Sensitive Data. Sensitive Data will be processed with the utmost diligence and with the highest security standards. Limited access to Sensitive Data will be a guiding principle to safeguard its privacy, and therefore, only authorized personnel will have access to this type of information.

The authorization of the Holders may be expressed by the means indicated in this Policy.

Gilmedica will keep proof of these authorizations in an appropriate manner, respecting the principles of confidentiality and privacy of information.

6. SCOPE OF APPLICATION OF THE PERSONAL DATA PROCESSING POLICY.

This Personal Data Processing Policy applies to the processing of personal information and data managed by Gilmedica by all its officers, collaborators, employees, partners, and shareholders. However, branches, subsidiaries, and third parties who have access to the databases for the purposes of their use must also comply with the parameters established in this Personal Data Processing Policy. All of the above is without prejudice to the legal and regulatory provisions that generally govern these procedures in Colombia.

PURPOSES OF PERSONAL DATA PROCESSING.

Personal Data collected by Gilmedica is stored in Databases to which authorized personnel and third parties of the Company have access in the performance of their duties. Under no circumstances is the processing of such information authorized for purposes other than those described herein and communicated to the Data Subject no later than at the time of collection. In any case, through this Policy governing the processing of personal data and information by Gilmedica, it is guaranteed that the information and Personal Data collected and managed will be used exclusively for activities directly related to the Company’s corporate purpose. Specifically, for the following purposes:

7.1. Purposes for the collection and Processing of Personal Data of Gilmedica’s shareholders:

a) Miscellaneous purposes – Administrative procedures.
b) Payment of dividends.
c) Compliance with judicial, administrative, and legal decisions related to their status as shareholders.
d) Enabling the exercise of rights related to their shareholding.

7.2. Purposes for the collection and Processing of Personal Data of Gilmedica’s clients:

Contact Data Subjects to send information related to contractual and legal obligations.
Collect, store, and process all information provided by Data Subjects in one or more databases in the format deemed most appropriate.
Contact clients via electronic means, phone, SMS, or email to conduct satisfaction surveys regarding products and services offered by Gilmedica.
Execute contracts entered into with Data Subjects.
Manage, maintain, develop, and control the contractual relationship; respond to information requests; handle complaints; and process contract termination or revocation of consent.
Manage inquiries made by Data Subjects.
Organize, classify, segment, or separate the information provided.
Update personal data.
Perform accounting, tax, and administrative management, including billing, collections, and payments.
Collect information for commercial research and marketing purposes.
Register or evaluate clients as potential customers.
Analyze financial risk and risks related to money laundering and terrorism financing (AML/CFT).
Report to data banks or authorities regarding compliance or non-compliance with financial obligations, credit applications, and socio-economic information.
Send commercial, marketing, and promotional information about Gilmedica’s products and services through any physical or electronic means.

7.3. Purposes for the collection and Processing of Personal Data of Gilmedica’s suppliers:

Monitor and ensure proper execution of contractual relationships.
Manage administrative, accounting, financial, operational, and logistical aspects.
Carry out administrative and tax procedures.
Manage supply of goods and provision of services.
Handle billing and related processes.
Send information related to the Company’s corporate purpose.
Manage document flow and record-keeping.
Update personal data and related information.
Maintain accounting and financial records and commercial history.
Verify legal, technical, and financial requirements.
Conduct tax and collection processes.
Perform opinion surveys.
Verify background, reputation, and AML/CFT risks.
Consult and report to credit bureaus regarding obligations and financial behavior.
Carry out any other activities necessary to develop the commercial relationship.

7.4. Purposes for visitors, authorized personnel, and contractors:

Maintain necessary information for emergency management within Gilmedica’s facilities.
Ensure security of facilities and individuals داخل them.
Control entry and exit of equipment, vehicles, visitors, and personnel.
Record and use CCTV footage for security, investigation, or disciplinary purposes.

7.5. Purposes for employees, interns, and candidates:

Conduct audits and manage systems and databases.
Maintain communication regarding contractual relationships.
Store and process personal data.
Fulfill employment obligations, including salary and benefits.
Implement occupational health and safety programs.
Provide training and development programs.
Manage contractual relationships and related processes.
Handle inquiries and disciplinary procedures.
Maintain backup records and organize information.
Offer corporate wellness programs.
Comply with legal and regulatory requirements.
Verify information provided in resumes.
Prevent fraud or misuse of services.
Manage recruitment, selection, and hiring processes.
Administer access control and security systems.
Report and consult credit and financial information when necessary.

7.6. Purposes for contractors:

Conduct audits and manage databases.
Maintain communication regarding contractual obligations.
Store and process personal data.
Fulfill contractual payment obligations.
Execute and manage contracts.
Handle inquiries and contractual processes.
Organize and update information.
Comply with legal requirements and authority requests.
Control access to company facilities.
Prevent fraud and comply with AML/CFT regulations.
Verify and validate information provided.
Use CCTV recordings for investigations if required.
Manage administrative, financial, and operational aspects of contracts.
Conduct billing, reporting, and financial management.
Consult and report to credit bureaus.
Perform any additional activities necessary to support the contractual relationship.

IN GENERAL

The information provided by the Data Subject will only be used for the purposes set forth herein. Once the need for processing Personal Data ceases, such data will be deleted from Gilmedica’s databases or archived, in accordance with the retention period established in the authorization.[1]

If Gilmedica requests sensitive data, it is understood that providing such information is not mandatory under any circumstances. In the event that the Data Subject does not grant authorization, Gilmedica will not take any retaliatory action. Such data will be processed with the highest level of diligence and under the strictest security standards.

Gilmedica may transmit and/or transfer Personal Data to third parties located in Colombia or abroad, including in countries that may not provide adequate levels of data protection, provided that prior and explicit authorization has been obtained from the Data Subject.

RIGHTS OF THE DATA SUBJECT.

In accordance with Article 8 of Law 1581 of 2012, the Data Subject shall have the following rights:

To know, update, and rectify their Personal Data before the Data Controller or Data Processor. This right may be exercised, among others, in relation to partial, inaccurate, incomplete, fragmented data, data that may lead to error, or data whose processing is expressly prohibited or has not been authorized.
To request proof of the authorization granted to the Data Controller, except where such authorization is not required for processing, in accordance with Article 10 of Law 1581 of 2012.
To be informed by the Data Controller or Data Processor, upon request, regarding the use given to their Personal Data.
To file complaints before the Superintendence of Industry and Commerce for violations of Law 1581 of 2012 and any regulations that modify, add to, or complement it.
To revoke authorization and/or request the deletion of data.
To access their Personal Data that has been subject to processing, free of charge.

In accordance with Article 2.2.2.25.4.1 of Decree 1074 of 2015, the exercise of the aforementioned rights may be carried out by:

The Data Subject, who must sufficiently prove their identity through the means provided by the Data Controller.
The Data Subject’s successors, who must prove such status.
The Data Subject’s representative and/or attorney-in-fact, upon proof of representation or authorization.
In the case where the Data Subject is a minor, their rights may only be exercised by persons legally authorized to represent them.

DUTIES OF THE DATA CONTROLLER.

In accordance with Article 17 of Law 1581 of 2012, the Data Controller shall have the following duties:

Guarantee the Data Subject, at all times, the full and effective exercise of the right of habeas data.
Request and retain a copy of the respective authorization granted by the Data Subject.
Properly inform the Data Subject about the purpose of data collection and the rights they have under the granted authorization.
Preserve the information under the necessary security conditions to prevent its alteration, loss, unauthorized or fraudulent consultation, use, or access.
Ensure that the information provided to the Data Processor is truthful, complete, accurate, updated, verifiable, and understandable.
Update the information, promptly communicating to the Data Processor any changes regarding the data previously supplied, and adopt all necessary measures to keep such information up to date.
Rectify information when it is incorrect and communicate the relevant updates to the Data Processor.
Provide the Data Processor, as applicable, only with data whose processing has been previously authorized.
Require the Data Processor at all times to respect the security and privacy conditions of the Data Subject’s information.
Process inquiries and claims in accordance with the terms established in this Policy.
Adopt an internal manual of policies and procedures to ensure proper compliance with personal data protection regulations, especially for handling inquiries and claims.
Inform the Data Processor when certain information is under dispute by the Data Subject, once a claim has been filed and the process has not yet been completed.
Inform the Data Subject, upon request, about the use given to their data.
Notify the data protection authority when security breaches occur and there are risks in the administration of the Data Subject’s information.
Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

AUTHORIZATION OF DATA SUBJECTS AND PERSONAL INFORMATION

Gilmedica hereby certifies that any activity involving the collection, storage, use, management, updating, correction, deletion, and, in general, any activity intended to obtain and/or process personal data and information belonging to third parties, must be carried out with the prior, express, and free authorization of the respective Data Subjects.

By granting authorization for the collection and processing of personal data and information, the Data Subject is deemed to have read and approved this Personal Data Processing Policy or, alternatively, to have been previously informed through the privacy notice that such Policy is stored in the Company’s commercial records. For consultation purposes, Data Subjects may request it through the contact channel at habeas.data@gilmedica.com, where it may be accessed at any time without restriction.

Likewise, by granting authorization for the storage, management, collection, and processing of personal data, the Data Subject declares that such data is truthful, complete, accurate, up-to-date, verifiable, understandable, and corresponds to reality at the time it is provided.

Gilmedica will make available to all Data Subjects the document through which authorization was granted, solely for the purpose of allowing access upon request to verify the means and date on which such authorization was given. Authorization may be recorded in writing, whether in physical, digital, or magnetic formats, as well as in audio files, online data storage platforms, or any other suitable medium capable of evidencing the Data Subject’s consent.

Pursuant to Article 10 of Law 1581 of 2012, authorization from the Data Subject shall not be required in the following cases:

Information requested by a public or administrative entity in the exercise of its legal functions or by court order.
Data of a public nature.
Cases of medical or health emergencies.
Processing of information authorized by law for historical, statistical, or scientific purposes.
Data related to civil registry records.

In accordance with Articles 8 and 9 of Law 1581 of 2012, Data Subjects may at any time request the deletion of their data and/or revoke the authorization granted to Gilmedica for its processing. However, under Article 2.2.2.25.2.8 of Decree 1074 of 2015, such requests will not proceed when the Data Subject has a legal or contractual obligation to remain in the database.

If a request is submitted through the channels established in this Policy and Gilmedica fails to respond or does not delete the data, the Data Subject has the right to file a complaint before the Superintendence of Industry and Commerce, which may order the deletion of the data and/or the revocation of authorization, in accordance with Article 22 of Law 1581 of 2012.

According to Article 6 of Law 1581 of 2012, the processing of sensitive personal data is generally prohibited. However, under subsection (d) of the same article, such processing is permitted when it is directly related to specific and legitimate purposes.

In accordance with Article 2.2.2.25.2.3 of Decree 1074 of 2015, Gilmedica will request prior, express, and written authorization from the Data Subject for the processing of sensitive data, after clearly informing them that:

They are not obligated to authorize the processing of sensitive data.
Responding to questions regarding sensitive data is optional.
The specific sensitive data to be processed and its purpose will be disclosed.
Such data will be protected under professional confidentiality and safeguarded with appropriate security measures.

Gilmedica’s Personal Data Processing Policy recognizes that data relating to minors is highly sensitive and its processing is generally prohibited, except when authorized by legal representatives and when it serves the minor’s best interests without violating their fundamental rights. Parents or legal guardians who believe that Gilmedica has collected personal data from minors without authorization may request its deletion by contacting habeas.data@gilmedica.com.

Gilmedica guarantees that it will refrain from processing private or semi-private data of minors unless strictly necessary and duly authorized by their legal representatives. However, Gilmedica shall not be held responsible if minors access its web platform and provide inaccurate information to obtain services or products, bypassing the Company’s preventive measures.

Through this Policy and in compliance with Law 1581 of 2012, Gilmedica guarantees that the information contained in its databases will be used lawfully, for legitimate purposes, and in full respect of the right to habeas data as protected by the Constitution. The processing of personal data will be limited exclusively to collection, storage, and use in accordance with the purposes established herein.

Gilmedica guarantees that personal data will not be used for purposes other than those authorized by the Data Subjects, nor will it be commercialized or shared with third parties, nationally or internationally, without prior express authorization.

Notwithstanding the above, if the Data Subject revokes authorization but there exists a legal or contractual obligation requiring data retention, such revocation will not produce the intended effects.

11. INFORMATION AND MECHANISMS PROVIDED BY GILMEDICA AS THE DATA CONTROLLER

PROCEDURES THAT THE DATA SUBJECT MUST FOLLOW TO EXERCISE THEIR RIGHTS REGARDING PERSONAL DATA.

The Data Subject may exercise their rights regarding the Personal Data provided through the Complaints, Petitions, and Claims (PQR) area established for this purpose, as identified in this Policy, and through the following channels:

By electronic communication via email at habeas.data@gilmedica.com
By telephone communication at (032) 695 94 62

Procedure for submitting inquiries (requesting proof of authorization, accessing collected data, and understanding how such data has been processed).

The Data Subject, their successors, representatives, and/or attorneys-in-fact may submit inquiries regarding the Personal Data stored in Gilmedica’s Databases, in accordance with the following rules:

The request will be reviewed to verify the identity of the Data Subject. If the request is submitted by a person other than the Data Subject and it is not proven that they are acting on their behalf in accordance with applicable laws, or that they are legally authorized to do so, the request will be rejected.
All inquiries will be addressed within a maximum period of ten (10) business days from the date of receipt. If it is not possible to respond within this period, the interested party will be informed of the reasons for the delay and the date on which the inquiry will be addressed, which in no case may exceed five (5) additional business days after the expiration of the initial term.

Procedure for Filing Claims for the Update, Correction, Deletion, or Revocation of Authorization

The Data Subject, or their successors, who consider that the information contained in Gilmedica’s Databases should be corrected, updated, or deleted, or who identify a potential breach of any obligations, may file a claim in accordance with the following rules:

The request will be reviewed to verify the identity of the Data Subject. If the request is submitted by a person other than the Data Subject and it is not proven that they are acting on their behalf in accordance with applicable laws, or that they are legally authorized to do so, the request will be rejected.
The claim must include the following information:
(i) Identification of the Data Subject;
(ii) Contact details (physical and/or email address and phone numbers);
(iii) Documents proving the identity of the Data Subject or their representation;
(iv) A clear and precise description of the Personal Data with respect to which the Data Subject seeks to exercise their rights;
(v) A description of the facts giving rise to the claim;
(vi) Any supporting documents;
(vii) Signature and identification number.
If the claim is incomplete, Gilmedica will request the interested party, within five (5) days of receipt, to correct the deficiencies. If two (2) months pass from the date of the request without the required information being submitted, it will be understood that the claimant has withdrawn the claim.
If the area receiving the claim is not competent to resolve it, it will forward the claim to the appropriate area within a maximum of two (2) business days and inform the interested party.
Once a complete claim is received, a note stating “claim in process” and the reason for it will be included in the database within no more than two (2) business days. This note will remain until the claim is resolved.
The maximum term to resolve the claim will be fifteen (15) business days from the day following its receipt. If it is not possible to resolve within this term, the interested party will be informed of the reasons for the delay and the new response date, which may not exceed eight (8) additional business days after the initial deadline.
The Data Subject has the right at any time to request the deletion of their Personal Data. Deletion implies the total or partial removal of the data from the Databases, according to the request. However, this right is not absolute, and Gilmedica may deny it in the following cases:
(i) The Data Subject has a legal or contractual obligation to remain in the database, or the Data Controller has a legal or contractual obligation to retain the data;
(ii) Deletion of the data would hinder judicial or administrative actions related to tax obligations, criminal investigations, or enforcement of administrative sanctions;
(iii) The data is necessary to protect legally protected interests of the Data Subject, to carry out actions in the public interest, or to comply with a legal obligation of the Data Subject or the Data Controller.

PROCEDURAL REQUIREMENT

In accordance with the provisions of Article 16 of Law 1581 of 2012, its regulatory decrees, and this Personal Data Processing Policy, Data Subjects and the holders of processed information, as well as their successors, attorneys, or representatives, are hereby informed that any consultation, claim, petition, request, or complaint submitted under the procedure established in this Policy constitutes a prerequisite for filing a complaint before the Superintendence of Industry and Commerce regarding any alleged violation of Data Subjects’ rights. Therefore, such authority will not process complaints that have not first exhausted the aforementioned prior stage.

VALIDITY OF GILMEDICA’S PERSONAL DATA PROCESSING POLICY.

This Policy is effective as of May 4, 2023.

The Personal Data included in the Databases subject to Processing will be retained and processed based on the principle of temporality, for as long as required to fulfill the purposes set forth in this Policy, for the duration in which such purposes remain in force, plus any additional period established by law.

This Policy may be modified by Gilmedica as required without prior notice, provided that such modifications are not substantial. Any changes related to the purposes of Processing, the identification of the Data Controller, or any other substantial modifications will be communicated in advance to the Data Subjects.