1. OBJETIVE.
Ensure the privacy and security of our stakeholders’ personal data, complying with applicable privacy laws and regulations in all jurisdictions where we operate. Our primary goal is to protect the confidentiality, integrity, and availability of personal data, as well as to promote transparency in the collection, processing, and storage of such data.
2. SCOPE.
This personal data processing policy covers all activities related to the collection, processing, storage and use of personal data carried out by:
TBTB ANDEAN
Email: contactenos@tbtbglobal.com
Phone: (+57-1) 7900264.
Mailing address: Calle 116 #9-72, Edif. Global Medical Center, Consultorio 505. Bogota, Colombia. ZIP Code 110111.
TBTB PERU
Email: contactenos@tbtbglobal.com
Phone: +51959611891
Mailing address: Av. General Álvarez de Arenales 1475 Int. 104. Santa Beatriz Lima
TBTB GLOBAL LAB
Email: contactenos@tbtbglobal.com
Phone: 3158839359
Mailing address: Calle 116 # 9-72 Edificio Global Medical Center, Consultorio 402 Código Postal 110111.
TUDO BEM TUDO BOM AMERICA
Email: contactenos@tbtbglobal.com
Phone: +507 62928290
Mailing address: Av La Rotonda, Financial Park, 35th Floor. Costa del Este, Panama
TUDO BEM TUDO BOM USA
Email: contactenos@tbtbglobal.com
Phone: +1 7862997532
Mailing address: 3583 SW 17TH ST
MIAMI, FL 33145-1720
TUDO BEM TUDO BOM EUROPA S.L
Email: contactenos@tbtbglobal.com
Phone: +34 644 233086
Mailing Address 333 Lepant Street, 1st
Barcelona, Catalonia 8025 ES
It will apply to all databases and/or files containing personal data that are subject to processing by the companies mentioned above and that we will hereinafter refer to as TBTB, in which they are considered as responsible and/or in charge of the processing of personal data.
3. GENERAL
3.1 EXECUTIVE SUMMARY.
TBTB’s Personal Data Processing Policy reflects our companies’ unwavering commitment to protecting the privacy, confidentiality, and security of the personal information of their customers, patients, employees, and other stakeholders. This policy stands as a unified document that consolidates the practices and guidelines aimed at managing personal data, ensuring compliance with current regulations and promoting transparency in all TBTB operations.
3.2 BASIC TERMINOLOGY
For the purposes of this policy and in accordance with current regulations on the protection of personal data, the following terminology will be taken into account:
Database and/or Database: An organized set of personal data that is processed by a company. It may include information stored in physical or electronic formats.
Data Subject: Individual to whom the personal data belongs and who has rights over their information stored in the company’s databases.
Processing: Any operation or set of operations carried out on personal data, such as collection, storage, processing, modification or deletion, in order to fulfil the established purposes.
Data Controller: entity or organization that decides on the purpose and means of processing personal data. It is responsible for ensuring regulatory compliance.
Data Processor: External entity or person who processes personal data in the name and on behalf of the Data Controller, following its instructions.
User: A person authorized to access and use personal data stored in databases, either for internal or external purposes.
Personal Data: Any information relating to an identified or identifiable person, such as name, address, telephone number, among others.
Private Data: Personal information that, by its nature, can only be known by the data subject and the data controller, protected by additional security measures.
Public Data: Information that is available to the general public or that can be accessed by anyone without restriction.
Sensitive Data: Information that affects the privacy of the owner or whose improper use may generate discrimination. Examples include health data, sexual orientation, or religious beliefs.
Transmission: Sending personal data from one controller to another, either within the same organization or to third parties.
Transfer: Sending personal data to a recipient located outside the territory in which the controller operates.
Privacy Notice: A document that informs data subjects about the policies and practices regarding the processing of their personal data, including purposes, rights, and contact mechanisms.
3.3 LEGAL FRAMEWORK
United States: The policy conforms to personal data protection regulations in the United States, considering relevant federal and state laws governing information privacy, such as the California Consumer Privacy Act (CCPA), the Electronic Communications Privacy Protection Act (ECPA), the Security Breach Reporting Act (SBR):
European Union: TBTB is committed to complying with the European Union’s General Data Protection Regulation (GDPR), ensuring respect for the fundamental rights of individuals in relation to the processing of their personal data.
Colombia: In line with Law 1581 of 2012 and its regulatory decrees, the policy ensures compliance with Colombian regulations on personal data protection.
Peru: TBTB adjusts its practices to Law 29733 in Peru, as amended by Legislative Decree number 1353, ensuring respect for the rights of personal data holders.
3.4 GUIDING PRINCIPLES
TBTB’s personal data processing policy is based on fundamental principles that safeguard the privacy and fundamental rights of individuals. These pillars seek to ensure that the collection, processing and storage of personal data is carried out in an ethical, legal and transparent manner.
Informed Consent: TBTB is committed to obtaining informed consent from data subjects before collecting any personal information. This process ensures that individuals are fully aware of and in agreement with the purpose for which their data is collected.
Legitimate Purpose: Personal data is collected and processed for clearly defined and legitimate purposes. TBTB ensures that each use of the information is aligned with its business functions and activities, avoiding any manipulation that could deviate from the originally stated purpose.
Data Minimization: Rigorous measures are implemented to collect only the minimum and necessary amount of personal data to achieve the stated purpose. TBTB is committed to avoiding excessive or unnecessary collection of information, promoting efficiency and limiting the risk associated with data handling.
Data Integrity: The integrity of personal data is essential. TBTB ensures that the information collected is accurate, up-to-date, and relevant to the purpose for which it was collected. Mechanisms are in place to correct any inaccuracies and ensure the quality and reliability of the data.
3.5 STATEMENT OF THE INFORMATION PROCESSING AND PERSONAL DATA PROTECTION POLICY
At TBTB, our commitment to the protection of personal information and data is paramount. We recognize the importance of safeguarding the confidentiality, integrity, and availability of information for our customers, employees, and other stakeholders. We are committed to complying with all applicable data processing laws and regulations, ensuring that confidential information is handled with the highest degree of care. We maintain data accuracy and integrity, implement measures for data availability, and strive to follow industry best practices. In addition, we provide ongoing training to our staff to strengthen awareness of the importance of information security and personal data protection. This commitment reflects our ongoing dedication to operational excellence and the trust of our stakeholders.
4. DEVELOPMENT
4.1 SOURCE OF INFORMATION
The personal information that TBTB processes may originate from a variety of sources, including business negotiations, the conclusion of contracts, and/or the collection of forms duly authorized by the holders, all for the purpose of fulfilling specific business purposes.
4.2 RIGHTS OF DATA SUBJECTS
At the international and local levels, personal data subjects enjoy fundamental rights that ensure the control and safeguarding of their information. On a general level, TBTB recognises the right of access to confirm data processing and obtain related information, as well as the right of rectification to correct inaccurate data. In addition, data subjects have the right to be forgotten, allowing them to request the deletion of their data under specific conditions, and the right to portability to receive their information in a transferable format. Likewise, the right to object, empowering the owners to limit the processing of their data in particular circumstances.
4.2.1 RIGHTS OF CHILDREN AND ADOLESCENTS
In the processing of personal data, respect for the prevailing rights of minors will be ensured. The processing of children’s personal data, except for those data that are of a public nature, must comply with the following parameters:
- Respond to and respect the best interests of children.
- Ensure respect for the fundamental rights of minors.
- For the processing of a child’s or adolescent’s personal data, prior authorization for such processing must be granted by the minor’s legal representative, holders of parental authority or their guardians.
4.3 DUTIES AS A RESPONSIBLE OR MANAGER
- In the processing and protection of personal data, TBTB will have the following duties, without prejudice to others provided for in the provisions that regulate or will regulate this matter:
- Guarantee to the holder all the rights mentioned and recognized in national legal systems, enshrined in the Constitution, the law and regulations.
- Request and keep, under the conditions provided for by law, a copy or proof of the authorization granted by the holder.
- To keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access.
- Comply with the guiding principles for the processing of personal data.
- Use the owner’s personal data only for those purposes for which it is duly authorized and respecting in all cases the current regulations on the protection of personal data.
- Ensure the proper use of the personal data of children and adolescents, in those cases in which the processing of their data is authorized.
- To have service channels in place in order to respond to the requests of the owners of personal data, especially those related to the modification, rectification, exclusion or inclusion of such data.
4.4 TREATMENT
Through this policy, TBTB, in compliance with its legal and regulatory duty, intends to make effective the constitutional guarantee of protection of the personal and family privacy of all citizens, establishing instruments and expeditious controls in order to give adequate treatment to the information it administers.
This policy establishes the terms, conditions and purposes under which TBTB, as responsible for the personal data obtained through its different service channels, processes the information of all persons who, at any time due to the activity carried out by the entity, have provided personal data.
The owner of the data registers or delivers his/her information freely and voluntarily, and acknowledges that he/she has read and expressly accepts these terms and conditions.
TBTB is directly responsible for the processing of personal data; However, it reserves the right to delegate such processing to a third party, to which it will be responsible or in charge of the processing.
The databases and/or database that TBTB obtains are not sold or rented to third parties and are kept as private as possible, access restricted with username, password and administrator.
4.5 PURPOSES
The personal data stored within TBTB’s databases and/or database may be used to:
- The development of various procedures directly related to its corporate purpose.
- To keep the holders informed about the conditions of provision of services.
- Report updates to our products or services.
- Provide additional relevant information about our products or services.
- To maintain communication with its holders, with a view to providing a better service.
- By virtue of the development of the contractual relationship between the company and the client.
- For portfolio collection.
- Develop the process of selection, evaluation, and employment linkage.
- In order to adopt measures to prevent the development of illegal activities and for other tax purposes in accordance with the provisions of the Law.
- Provide, share, send or deliver your personal data to affiliates, affiliates, or subordinates of TBTB in the event that such companies require the information for the purposes indicated herein.
- Support internal or external audit processes.
- Send commercial, advertising or promotional information about products and/or services, events and/or promotions, whether commercial or non-commercial or non-commercial, advertising or non-commercial mail, email, email in order to promote, invite, direct, execute, inform and, in general, carry out campaigns, promotions or contests of a commercial or advertising nature, carried out by TBTB and/or by third parties.
- Carry out the entire coordination process for the collection, management or extraction of biological samples or diagnostic support procedures and/or risk monitoring according to medical criteria.
- Ensure the correct identification and subsequent analysis or processing of biological samples by authorized providers in accordance with the request of a medical professional.
- Verify that the results of the tests requested by the medical professionals and issued by the analysis centers correspond to the biological samples sent according to the patient’s data.
4.6 DURATION OF THE TREATMENT
The processing of personal data will be valid for the same period as the purpose or purposes are maintained, or the period of validity specifically indicated by a legal, contractual or jurisprudential regulation.
4.7 AUTHORIZATIONS
In situations that require the prior authorization of the owner, TBTB will manage this authorization during the collection of the information. The authorisation must be explicit, either orally or in writing, and must be clear and informed, including the specific purposes of the processing for which consent is requested. This authorization will be obtained by any means that allows it to be consulted later.
4.8 TRANSFERS OF PERSONAL DATA
In view of the legal nature and corporate structure of TBTB, it reserves the right-duty regulated in national legislation to transfer the information provided by the owners to the subsidiary and/or parent companies domiciled abroad, in order to comply with the object and purpose of this personal data processing policy. ensuring the guiding principles of national legal systems, in particular by ensuring the traceability of the means and forms of transmission of such information.
5. INFORMATION SECURITY
TBTB has implemented a comprehensive approach to protecting personal data, addressing information security through technological controls, operating procedures, and organizational measures. Role-based access restrictions, encryption for data confidentiality, and physical safeguards apply. Regular vulnerability assessments and penetration testing are conducted, along with ongoing staff training in safe practices. Security policies are kept up-to-date to comply with best practices and regulations.
5.1 SECURITY BREACHES
At TBTB, the process for the reporting and management of potential security breaches has been established. In the event that a security breach is identified, the predefined procedures will be followed, which includes the immediate assessment of the situation, timely notification to the affected parties and the relevant authorities, as well as the implementation of corrective measures to mitigate risks and prevent future incidents.
6. TRAINING & AWARENESS
TBTB conducts ongoing training initiatives for its staff, with the aim of ensuring understanding and adherence to data processing policies and practices. These initiatives include training sessions on the latest updates in information security, highlighting the importance of personal data protection.
7. CHANNEL FOR INQUIRIES AND COMPLAINTS
In accordance with the legislation on the protection of personal data and in congruence with the purpose of this policy, the rights of the owner are recognized and respected, which include the knowledge, access, rectification, updating, inclusion, opposition and/or deletion of their personal data. The owner may exercise these rights in whole or in part by sending a written request to the e-mail contactenos@tbtbglobal.com.
Applications received will be resolved within the deadlines established by the corresponding law or regulation. The Data & Technology Lead will be designated to receive, process and channel these requests to the processes responsible for the processing. These, in turn, will be responsible for protecting personal data and will process requests in chronological order and within the legal deadlines.
The modalities and procedures for the holder’s applications are detailed below:
a.Consultations
The owners or their successors in title may consult the personal information of the owner that resides in TBTB, who as appropriate will provide all the information contained in the individual registry or that is linked to the identification of the owner.
Inquiries will be answered within a maximum period of ten (10) business days from the date of receipt. When it is not possible to respond to the query within this period, the interested party will be informed before the expiry of the ten (10) days, stating the reasons for the delay and indicating the date on which the query will be addressed, which, in no case, may exceed five (5) business days following the expiration of the first period.
b. Claims
When the owner or his/her successors consider that the information contained in a database should be corrected, updated or deleted, or when they notice the alleged breach of any of the duties contained in the law, they may file a claim with TBTB, as appropriate, which will be processed under the following rules:
The owner’s claim will be made by means of a request addressed to the e-mail address contactenos@tbtbglobal.com, with the identification of the owner, the description of the facts that give rise to the claim, the address, and attaching the documents that are to be asserted. If the complaint is incomplete, the interested party will be required within five (5) days of receipt of the complaint to correct the defects. If, after two (2) months from the date of the request, the applicant does not submit the required information, it will be understood that the claim has been withdrawn.
In the event that the person receiving the claim is not competent to resolve it, it will be forwarded to the appropriate party within a maximum period of two (2) business days and will inform the interested party of the situation.
The maximum term to address the claim will be fifteen (15) business days from the day following the date of receipt. When it is not possible to attend to the claim within this period, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.
c.Request for update and/or rectification:
TBTB, as appropriate, will rectify and update, at the request of the owner, the information of the latter that turns out to be incomplete or inaccurate, in accordance with the regulations.
For this procedure, the holder must identify themselves with their ID card and full names and surnames. When submitting your request, you must indicate the update and/or rectification to be made and provide the documentation that supports your request.
d. Request for revocation of consent and/or deletion of data
The owner of the personal data has the right to request from TBTB as appropriate the deletion (deletion) of his/her personal data in any of the following events:
- When it considers that they are not being treated in accordance with the principles, duties and obligations provided for in the regulations in force.
- When they are no longer necessary or relevant for the purpose for which they were collected.
- When the period necessary for the fulfilment of the purposes for which they were collected has been exceeded.
This deletion implies the total or partial deletion of the personal information in accordance with the request of the owner in the records, files, databases or treatments carried out by TBTB as appropriate. However, this right of the holder is not absolute and consequently the TBTB may, as appropriate, deny the exercise of this right when:
- The owner has a legal or contractual duty to remain in the database.
- The deletion of data hinders judicial or administrative actions related to tax obligations, the investigation and prosecution of crimes or the updating of administrative sanctions.
8. POLICY REVIEW AND UPDATE:
TBTB recognises the importance of keeping its data processing policy up-to-date in order to adapt to regulatory and technological changes. The policy will be reviewed on a regular basis, at least annually, or in the event of significant changes in data protection legislation. The review process will involve information security officers and data processors, ensuring that the policy reflects best practices and meets current standards. Relevant updates will be communicated to employees and other interested parties.
9. PENALTIES FOR NON-COMPLIANCE WITH THE POLICY:
Failure to comply with this personal data processing policy at TBTB carries serious consequences. Sanctions will be applied in proportion to the severity of the violation, following the procedures and guidelines established in the internal regulations and other relevant internal regulations. These measures may include disciplinary action, corrective action, legal action, and, in extreme cases, termination of the employment contract. In addition. The implementation of sanctions seeks to ensure consistency and effectiveness in the application of corrective measures, thus contributing to the preservation of integrity and trust in the responsible handling of information by TBTB.