Glidewell Colombia S.A.S. (hereinafter, “Glidewell”) a business corporation identified by Tax ID No. 900.931.308-2, by virtue of the provisions defined in Law 1581 of 2012, Decree 1377 of 2013 and our personal data protection policy, hereby informs you that the personal data provided by clients, suppliers, officials, intermediaries and other interested parties, will be processed in compliance with the regulations mentioned above as well as with other standards that amend and/or supplement them.
Glidewell, with registered offices in the capital city of Bogotá [Colombia], at Carrera 22 No. 81-95 of said city, is the party responsible for your personal data and will collect and process your personal data with the aim of fulfilling its corporate purpose, including but not limited to the following: a. To provide information about our promotions, offers, new developments, products and services, partnerships, contests, current and future content related to events, contests, promotional activities or other commercial purposes directly or indirectly related to our activity; b. To provide information about new products or services related to those contracted or acquired or changes thereto; c. To fulfill the obligations undertaken with our clients, suppliers and employees who are Data Subjects; d. To evaluate service quality; e. To perform internal studies on consumption habits and statistical studies that allow us to design improvements to the products and/or to the services provided; f. To facilitate the proper execution of our purchases and provision of the services contracted; e. To manage basic administrative tasks.
The database is intended to contain updated information so that our relationships with clients, suppliers, contracting parties and/or other interested third parties may be conducted in an appropriate manner. Personal data Processing is not limited to the aforementioned events; rather, Processing will take place generally so as to further Glidewell’s corporate purpose and to fulfill the corresponding obligations.
You are entitled to exercise your rights as a Data Subject, pursuant to the policies and procedures provided by Glidewell for these purposes, which you can find in our Personal Data Protection Policy and Procedure Manual, which can be consulted on our web site at http://co.glidewelldental.com. For questions and concerns related to these subjects, you can write us at: firstname.lastname@example.org. It is important to mention that the exercise of your rights is not a pre-requisite or an impediment to exercising another right. You will be notified of any change to this notice via the means at Glidewell’s disposal for such purpose. In the event that sensitive data is to be compiled, the answers to the questions that relate to this type of data shall be optional.
The purpose of Statute Law 1581 of 2012, which prescribes general provisions for the protection of personal data, is to regulate the constitutional right of all persons to access, update and correct information about them that has been collected in databases or files, as well as other rights, liberties and constitutional guarantees referred to in Article 15 of the political constitution, as well as the right to information stipulated in Article 20 thereof.
The principles and provisions contained in Law 1581 of 2012, Decree 1377 of 2013 and other standards that amend and/or supplement them, apply to personal data recorded in any database where they may be subject to processing by Glidewell Colombia S.A.S. (hereinafter, “Glidewell”) a business corporation identified by Tax ID No. 900.931.308-2. Therefore, any data processing performed by Glidewell must be governed by the personal data protection regime established in the aforementioned regulations.
Glidewell abides by the general provisions contained in Law 1581 of 2012 and Decree 1377 of 2013, as well as all other standards amending the subject, and has thus adopted this internal policy and procedure manual in order to comply with the provisions of the aforementioned regulations and, in particular, with subparagraph k of Article 17 of Law 1581 of 2012.
Tax ID No.: 900.931.308-2
Head Office: Bogotá, Colombia
Address: Carrera 22 No. 81 – 95
Telephone: 01-800-950-6028 – 301-413-3162
Web site: http://co.glidewelldental.com
Article 1. Identification.
This internal manual of policies and procedures for the protection of personal data (hereinafter the “Manual”) was drawn up by Glidewell, a business corporation with its registered office in the capital city of Bogotá, Colombia.
Article 2. Applicable Law.
This Manual was drawn up in accordance with Articles 15 and 20 of the Political Constitution of the Republic of Colombia and with the provisions of Law 1581 of 2012 and Decree 1377 of 2013.
Article 3. Scope of Application.
This Manual applies to the processing of data of a personal nature that may be collected and managed by Glidewell.
Article 4. Purpose.
This Manual fulfills the provisions of subparagraph k) of Article 17 of Law 1581 of 2012, which regulates the duties to which parties responsible for personal data are subject, including the requirement to adopt an internal policy and procedures manual to guarantee proper compliance with said law and in particular to handle inquiries and complaints.
In addition, it aims to regulate procedures for the collection, handling and processing of personal data by Glidewell in order to guarantee and protect the fundamental right of habeas data within the framework of the provisions of the law itself.
Article 5. Definitions.
In order to facilitate understanding of this Manual, the following is a transcript of the definitions included in Law 1581 of 2012 and Decree 1377 of 2013:
a. Definitions from Article 3 of Law 1581 of 2012
i. Authorization: Prior, express and informed consent of the Data Subject to perform the processing of personal data;
ii. Database: An organized set of personal data that undergoes processing;
iii. Personal datum: Any information that is linked or can be associated with one or more identified or identifiable natural persons;
iv. Data Processor: A natural person or legal entity, public or private which, alone or in association with others, processes personal data on behalf of the Party Responsible for the Data;
v. Party Responsible for the Data: A natural person or legal entity, public or private which, alone, or in association with others, makes decisions about the database and/or the processing of the data;
vi. Data Subject: A natural person whose personal data undergo processing;
vii. Processing: Any operation or set of operations performed on personal data, such as the collection, storage, use, distribution or deletion of data.
b. Definitions included in Article 3 of Decree 1377 of 2013
i. Privacy notice: An oral or written communication issued by the Party Responsible and addressed to Data Subjects for the Processing of their personal data, informing them of the existence of Information Processing policies that will apply to them, how to access them and the purposes for the intended Processing of their personal data.
ii. Public datum: An item of information that is not semi-private, private or sensitive. Public data is deemed to be, but not limited to, the data related to a person’s marital status, their profession or activity and their status as a merchant or public servant. Due to their nature, public data may be contained in, but not limited to, public records, public documents, official gazettes or bulletins and duly executed judicial rulings not subject to confidentiality.
iii. Sensitive data: Sensitive data is understood to be data that relates to the private life of the Data Subject or the improper use of which could lead to discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in trade unions, social organizations, human rights organizations, or those organizations that promote the interests of any political party or that ensure the rights and guarantees of opposition political parties, as well as data relating to health, sexual life and biometrics.
iv. Transfer: Data transfer takes place when the Party Responsible for the Data and/or Processor of personal data, located in Colombia, sends the information or personal data to a recipient, who is, in turn, a Party Responsible for the Data, whether within or outside of the country.
v. Transmission: Personal data processing that involves communication of said data within or outside of the territory of the Republic of Colombia when it is meant for Processing by the Data Processor on behalf of the Party Responsible for the Data.
Article 6. Principles.
The principles listed below are the guidelines to be followed by Glidewell when collecting, storing, using and processing personal data, as well as with regard to the development, interpretation, and application of this Manual:
a. Principle of lawful data processing: The Processing referred to in this Manual is a regulated activity subject to the stipulations of Law 1581 of 2012, of Decree 1377 of 2013 and to all the other provisions that regulate them, as well as to those in this Manual;
b. Principle of intended purpose: Processing must be performed for a specified purpose in accordance with the Constitution and the law, and the Data Subject must be informed of said purpose;
c. Privacy principle: Processing may only be performed with the prior, express and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal mandate or court order that replaces such consent;
d. Veracity or quality principle: The information subject to Processing must be true, complete, accurate, up to date, verifiable and understandable. The Processing of partial, incomplete, inconsistent or misleading data is prohibited;
e. Transparency principle: Processing must guarantee the Data Subject’s right to obtain from the Party Responsible for the Data or the Data Processor, at any time and without restriction, information about the existence of the data concerning said Subject;
f. Access and restricted distribution principle: Processing is subject to the limitations arising from the nature of the personal data, the provisions of Law 1581 of 2012 and the Constitution. In this regard, Processing shall only be performed by persons authorized by the Data Subject and/or by the persons specified in Law 1581 of 2012 and other standards that amend or supplement it;
Personal data, with the exception of public information, may not be made available on the Internet or in other mass media, unless access is technically controllable to ensure access is available only to the Data Subjects or authorized third parties pursuant to Law 1581 of 2012 and other standards that modify or supplement it;
g. Security principle: The information subject to Processing by the Party Responsible for the Data or the Data Processor referred to in Law 1581 of 2012 must be managed using the technical, human and administrative means necessary to ensure that the records are secure, preventing their adulteration, loss, or unauthorized or fraudulent inquiries, use of or access to said data;
h. Confidentiality principle: All persons involved in the Processing of personal data that is not public in nature have an obligation to guarantee the confidentiality of the information, even when they are no longer performing a Processing task, and may only supply or communicate personal data when doing so corresponds to performance of the activities authorized by Law 1581 of 2012 and under the terms thereof.
Article 7. Authorization.
The processing of personal data by Glidewell requires the prior, free, express and informed consent of the Data Subject to whom they belong. Glidewell, as the Party Responsible for the personal data, has established the mechanisms necessary to obtain the consent of the data subjects, ensuring that, whenever possible, said consent will be granted, and will take place no later than at the time their data is collected.
Article 8. Method and Mechanism for Granting Consent.
Consent may consist of any mechanism that ensures that it can be viewed at a later date. Consent may be given:
i) in writing,
iii) by unequivocal behavior by the data subject by which it can be reasonably concluded that consent was granted; silence shall not, in any case, be equated with unequivocal behavior.
The authorized consent process guarantees that Data Subjects have been made aware that their personal information will be collected and used for specific, known purposes, and that they have been informed of their option to be informed of any change or modification to the information or the specific use attributed to it. This is so that Data Subjects can make informed decisions with regard to their personal data and control the use of their personal information.
b. The consent shall contain the following:
i) Who is obtaining it (party responsible or processor)
ii) What is being compiled (data being collected)
iii) Why the data is being collected (the purposes of the processing)
iv) How to exercise the right to access, correct, update or remove the personal data provided
v) Whether sensitive data is being collected, and the option to not have them disclosed.
Article 9. Proof of Consent.
Glidewell shall adopt all appropriate and necessary mechanisms for the purpose of keeping a record of when and how consent was obtained from the data subjects to process their personal data.
Article 10. Privacy Notice.
The privacy notice is the hard or electronic copy of the document that will be made available to Data Subjects informing them of the existence of the Information Processing policies that will be applied to their personal data, how to access them and what type of Processing will be performed. The privacy notice shall contain the following information:
a) Name or company name and contact details of the Party Responsible for the Data.
b) The Processing the data will undergo and its purpose.
c) The Data Subject’s rights.
d) The mechanisms established by the Party Responsible for the Data so that Data Subjects may be made aware of the Information Processing policy and substantial changes made to it or to the corresponding Privacy Notice. In all cases, the Data Subject will be informed of how to access or view the Information Processing policy.
Notwithstanding the foregoing, when sensitive personal data are collected, the privacy notice must expressly state that answering questions related to this type of data is optional. In any case, disclosure of the Privacy Notice shall not waive the Party Responsible for the Data’s obligation to inform Data Subjects of the Information Processing policy in accordance with the stipulations of Decree 1377 of 2013.
RIGHTS AND DUTIES
Article 11. Rights of the Data Subject.
Pursuant to the stipulations of Article 8 of Law 1581 of 2012, Data Subjects shall have the following rights:
a) To contact the Party(ies) Responsible for the Data or Processors to access, update and correct their personal data. This right may be exercised for, but not limited to, partial, inaccurate, incomplete, inconsistent, or misleading data, or those for which Processing is expressly prohibited or consent has not been given;
b) To request from the Party Responsible for the Data proof of the consent granted unless expressly exempted as a Processing requirement, in accordance with the stipulations of Article 10 of Law 1581 of 2012;
c) To receive information from the Party Responsible for the Data or the Data Processor, upon request, about how their personal data have been used;
d) To present complaints to the Superintendency of Industry and Commerce of infractions to the provisions of Law 1581 of 2012 and other standards that modify, add to or supplement it;
e) To revoke consent and/or request the deletion of a datum when constitutional and legal principles, rights and guarantees are not respected. The revocation and/or deletion shall proceed when the Superintendency of Industry and Commerce has determined that the Party Responsible for the Data or the Processor engaged in behavior during Processing that contravened Law 1581 of 2012 and the Constitution;
f) To access, free of charge, their personal data that were subject to Processing.
In addition, Data Subjects shall have the rights enshrined in Law 1581 of 2012 and Decree 1377 of 2013.
Article 12. Glidewell’s Duties in Relation to the Processing of Personal Data.
Glidewell, as the Party Responsible for the Data, shall strictly comply with the obligations contained in Article 17 of Law 1581 of 2012; it is also aware of the importance of observing the policies and protocols aimed at protecting the personal data of the Data Subjects since it knows that the data belongs to the Data Subjects and that the latter are the only ones who may make decisions regarding said data. Consequently, Glidewell undertakes to fulfill the following duties in relation to the processing of personal data:
a) To guarantee Data Subjects, at all times, full and effective exercise of the right of habeas data;
b) To request and keep, under the conditions set forth in Law 1581 of 2012, a copy of the respective consent granted by the Data Subject;
c) To duly inform Data Subjects of the purpose of data collection and their rights by virtue of the consent granted;
d) To keep the information under the security conditions necessary to prevent their adulteration, loss, unauthorized inquiries, use of or access thereto;
e) To guarantee that the information provided to the Data Processor is true, complete, accurate, updated, verifiable and comprehensible;
f) To update the information, notifying the Data Processor in a timely manner of any new information with regard to the data previously provided and to adopt any other measures necessary to ensure that the information provided to the Data Processor is kept up to date;
g) To rectify the data when it is incorrect and to communicate pertinent information to the Data Processor;
h) To provide to the Data Processor, as appropriate in each case, only the data that was previously authorized for Processing, in accordance with the stipulations of Law 1581 of 2012;
i) To demand that the Data Processor respect the security and privacy of the Data Subject’s information at all times;
j) To handle inquiries and complaints presented under the terms set forth in Law 1581 of 2012;
k) To adopt an internal manual of policies and procedures to guarantee proper compliance with Law 1581 of 2012 and, in particular, for handling inquiries and complaints;
l) To inform the Data Processor when specific information is being disputed by the Data Subject, whenever a complaint has been submitted and the respective process has not been completed;
m) To inform Data Subjects about the use made of their data, upon their request;
n) To inform the data protection authority when violations to security codes occur and administration of the Data Subjects’ information is at risk;
o) To carry out the instructions and meet the requirements set forth by the Superintendency of Industry and Commerce.
PROCESSING TO WHICH THE DATA WILL BE SUBJECT AND ITS PURPOSE
Article 13. Processing and Purpose of the Data.
The Processing of personal data will be undertaken in order to fulfill Glidewell’s corporate purpose, including but not limited to:
a. Providing information about our promotions, offers, new developments, products and services, partnerships, contests, current and future content related to the events, contests, promotional activities or other commercial purposes directly or indirectly related to our activity;
b. Providing information about new products or services related to those contracted or acquired or changes thereto;
c. Fulfilling the obligations undertaken with our clients, suppliers and employees who are Data Subjects;
d. Evaluating service quality;
e. Performing internal studies on consumption habits and statistical studies allowing us to design improvements to the products and/or to the services provided;
f. Facilitating proper execution of our purchases and provision of services contracted;
e. Managing basic administrative tasks.
The database is intended to contain updated information so that our relationships with clients, suppliers, contracting parties and/or any other interested third parties may be conducted in an appropriate ,manner. Personal data Processing is not limited to the aforementioned events; rather, Processing will take place generally so as to further Glidewell’s corporate purpose and to fulfill the corresponding obligations.
PERSON OR AREA RESPONSIBLE FOR HANDLING REQUESTS, INQUIRIES AND COMPLAINTS
Article 14. Person or area responsible for handling requests, inquiries and complaints.
Glidewell has designated its alternate legal representative, or the person appointed by said representative, as the person responsible for ensuring compliance with this policy.
This person in charge shall be conscientious about resolving requests, inquiries and complaints from Data Subjects and in undertaking any updating, correction or deletion of personal data, and may be contacted at: email@example.com.
Article 15. Contact information of the person in charge of Data Processing.
Name: Glidewell Colombia S.A.S.
Corresponding address: Carrera 22, No. 81-95, Bogotá, Colombia.
PROCEDURE FOR HANDLING INQUIRIES, COMPLAINTS AND REQUESTS
Article 16. Inquiries.
In application of the provisions of Article 14 of Law 1581 of 2012, Data Subjects or their successors may access the personal information of the Data Subject that is stored in databases managed by Glidewell.
Data Subjects can request access to their information in writing, or electronically by e-mailing firstname.lastname@example.org; in these cases, in order to protect the personal data, a copy of identity documents must be attached.
When successors wish to access the information, their request should be sent in writing or via e-mail, attaching a document that demonstrates their kinship and an identity document.
Once the documents and the name of the Data Subject have been provided, checked and have been found to be free of inconsistencies, a response will be issued within ten (10) working days of the date the request for access was received. In the event Glidewell deems that more time is needed to reply to the request for access, the Data Subject will be informed of said situation and the reasons for the delay, and given the date on which their request for access will be processed, and Glidewell will provide a response within a period not to exceed five (5) working days after the expiration of the first period.
Article 17. Claims.
In accordance with the provisions of Article 15 of Law 1581 of 2012, any Data Subject or successors who believe that the information contained in a database should be corrected, updated or deleted, or when they notice an alleged non-compliance of any duty contained in the law, may submit a complaint to Glidewell that will be processed as follows:
1. The complaint shall be addressed to Glidewell or to the Data Processor, along with the identity of the Data Subject, a description of the facts that gave rise to the complaint, the address, and the documents pertinent to the complaint.
2. If the complaint is incomplete, the interested party will be asked, within five (5) days following receipt of the complaint, to remedy the deficiencies.
3. Once two (2) months have passed since the date of the request and the person presenting the complaint has not submitted the required information, it will be understood that the complaint has been abandoned.
4. In the event that the person receiving the complaint is not competent to resolve it, said person will transfer it to the appropriate person within a maximum period of two (2) working days and will inform the interested party of the situation.
5. Once the complete complaint has been received, a call-out will be added to the database within two (2) working days that says “complaint being processed” along with the reason for the complaint. Said call-out must remain in place until the complaint has been resolved.
6. The maximum time frame for handling a complaint shall be fifteen (15) working days, counted from the day following the date it was received. When it is not possible to handle the complaint within said period, the interested party will be informed of the reasons for the delay and the date on which the complaint will be handled, which shall under no circumstances exceed eight (8) working days following the expiration of the first time frame.
Article 18. Request to Update, Correct or Delete Data.
Glidewell, at the request of a Data Subject, will correct and update said subject’s information when it is incomplete or inaccurate, in accordance with the aforementioned procedure and terms. To this end, Data Subjects may submit their requests in writing, or electronically via email@example.com, indicating the information to be updated or corrected and attaching documentation supporting their requests.
Article 19. Revoking Consent and/or Deletion of Data.
Personal Data Subjects may revoke their consent to process their personal data at any time, provided no legal or contractual provision prevents this; to do so, the data subject may revoke consent in writing, or electronically by e-mail at firstname.lastname@example.org.
If, within the legally allowed time frame, Glidewell, depending on the case, has not deleted the personal data, the Data Subject will have the right to submit a request to the Superintendency of Industry and Commerce to order that the consent be revoked and/or that the personal data be deleted. To these ends, the procedure described in Article 22 of Law 1581 of 2012 will apply.
Article 20. Purpose.
Glidewell will collect the data that are strictly necessary to achieve the purposes sought and will retain them in order to meet the need for which they were recorded; in addition, it will respect Data Subjects’ freedom to provide or withhold consent for the use of their personal data, and therefore, the mechanisms it uses to gain consent will allow Data Subjects to unequivocally show that they have granted such consent.
Article 21. Security Measures.
Glidewell will adopt the technical, human, and administrative measures necessary to guarantee the security of the personal data to be processed, preventing unauthorized inquiries, access, adulteration or fraudulent use.
Article 22. Reference to and application of additional regulations.
The provisions contained in Law 1581 of 2012, Decree 1377 of 2013 and other regulations that supplement them and/or add to them form part of this Manual. Judgment C – 748 – 11 of the Constitutional Court will also form part of this Manual and will be used for its interpretation.
DATE THE MANUAL TAKES EFFECT
Article 23. Effective date.
Our work team has been informed about the significant aspects of this Manual and the obligation to comply with each and every aspect of it; accordingly, this Manual will take effect on October 28, 2016. The databases subject to Processing will remain active while necessary for the purposes established in this Manual.
Glidewell Laboratories (“the lab”) warrants that all dental devices (a “device”) are made according to your specification and approval in the belief that the device will be useful and MAKES NO OTHER WARRANTIES INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Subject to the return of a device that is placed and then fails, the lab will repair or replace the device without charge for the cost of materials and workmanship or refund the original price paid, at the lab’s option, as follows: All ceramic crowns up to seven years. This Warranty is exclusively for your benefit, is not transferable and does not extend to any patients. You agree to pay all other costs of adjustment, repair and replacement of a device. Except where prohibited by law, the lab WILL NOT BE LIABLE FOR ANY LOSS OR DAMAGES ARISING FROM THE USE OF A DEVICE, WHETHER DIRECT, INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL, regardless of the theory asserted, including warranty, contract, negligence or strict liability and if such disclaimer is not permitted by law, the duration of any implied warranty is limited to 90 days from the date of delivery. In the event of a dispute and absent an amicable resolution the parties mutually agree to waive class actions in favor of mandatory individual arbitration of claims under this limited warranty in and in accordance with the laws of California. The lab does not guarantee the performance of independent carriers.
“We strive to drive down restorative costs and expand patient access to affordable dentistry.”
— Jim Glidewell, CDT, President/CEO