EnglishSpanish

Certificated Surgeons

Database Manager: INTERNATIONAL BOARD OF COSMETIC SURGERY

Address: Vía della Camilluccia 643 – Rome, Italy

Email: adrianasolartecruz@gmail.com

Phone:

For the INTERNATIONAL BOARD OF COSMETIC SURGERY (IBCS), committed to the strictest compliance with the law and the protection of people’s rights, as well as the rights of all our users, the conservation, preservation, protection, and integrity of personal data that has been made available to us is very important. For this reason, we have designed these policies for the storage, processing, and use of personal data.

1.GENERAL PROVISIONS
ARTICLE 1. APPLICABLE LEGISLATION:

This document and the policy it contains were prepared in accordance with the mandates of the Political Constitution of Colombia (articles 15 and 20), Law 1581 of 2012 «which establishes general provisions for the protection of personal data» and Decree 1377 of 2013 «which partially regulates Law 1581 of 2012,» as it pertains to a Colombian company, but with scope and application extending to all places where content is downloaded, information generated by IBCS is viewed, and therefore local regulations that align with the aforementioned rules will apply.
ARTICLE 2. SCOPE OF APPLICATION: This document applies to the processing of personal data obtained and managed by IBCS.
ARTICLE 3. DATABASES: The policies and procedures contained in this document apply to the databases of CONSUMERS, USERS, USERS OF THE WEB PORTALS OWNED BY IBCS THAT THIS COMPANY ADMINISTERS; USERS OF THE FAN PAGES ON THE FACEBOOK/INSTAGRAM SITE, OF THE BRANDS AND PRODUCTS OWNED BY IBCS; FOLLOWERS OF THE TWITTER ACCOUNT(S) OF SCCP, ITS BRANDS AND PRODUCTS; FOLLOWERS OR CONTACTS OF ANY ACCOUNT ON ANY EXISTING OR FUTURE SOCIAL NETWORK THAT IBCS MAY HAVE.
These policies and the manual for data processing will also apply to the personal data of clients, suppliers, and employees, when the contact or processing of their data goes beyond the scope of the commercial and labor relationship they maintain with them.
ARTICLE 4. PURPOSE: This manual complies with the provisions of item k) of article 17 and item f) of article 18 of Law 1581 of 2012, which regulate the duties of the responsible parties and data processors, as well as the provisions of Chapter Three of Decree 1377 of 2013 on «Data Processing Policies,» which includes the obligation to adopt an internal manual of policies and procedures to ensure proper compliance with the law, especially in relation to queries and complaints, and to ensure that data processors comply with it. This document also aims to regulate the procedures for the collection, storage, and processing of personal data conducted by IBCS and/or its brands, in order to guarantee and protect the fundamental right to data protection (habeas data) that all natural persons have.

 

ARTICLE 5. DEFINITIONS

For the purposes of applying the rules contained in this manual, and in accordance with the provisions of Article 3 of Law 1581 of 2012, the following definitions apply:
a) Authorization: prior, express, and informed consent of the Data Subject to carry out the processing of personal data;
b) Privacy Notice: a physical, electronic, or any other format document generated by the Responsible Party, made available to the Data Subject for the processing of their personal data. The Privacy Notice communicates to the Data Subject information about the existence of the data processing policies that will apply to them, how to access them, and the characteristics of the processing intended for the personal data; c) Database: an organized set of personal data that is subject to processing; d) Personal Data: any information related to or that can be associated with one or more identified or identifiable natural persons; e) Private Data: data that by its nature is intimate or reserved and is only relevant to the Data Subject; f) Sensitive Data: data that affects the intimacy of the Data Subject or whose improper use could result in discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, union membership, social or human rights organizations, or that promotes the interests of any political party or guarantees the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data; g) Processor: a natural or legal person, public or private, who, alone or in association with others, carries out the processing of personal data on behalf of the Responsible Party;
h) Responsible Party: a natural or legal person, public or private, who, alone or in association with others, decides on the database and/or the processing of the data;
i) Data Subject: the natural person whose personal data is subject to processing;
j) Processing: any operation or set of operations performed on personal data, such as collection, storage, use, circulation, or deletion of such data.

 

ARTICLE 6. PRINCIPLES

The principles established below constitute the general guidelines that will be respected by IBCS in the processes of data collection, use, and processing:
a) Purpose Principle: the processing of personal data collected by IBCS must serve a legitimate purpose, of which the Data Subject must be informed;
b) Freedom Principle: processing can only be carried out with the prior, express, and informed consent of the Data Subject. Personal data cannot be obtained or disclosed without prior authorization or in the absence of a legal or judicial mandate that relieves the need for consent;
c) Truthfulness or Quality Principle: the information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. The processing of partial, incomplete, fragmented data, or data that misleads, is prohibited;
d) Transparency Principle: during processing, the Data Subject’s right to obtain information about the existence of data related to them from IBCS at any time and without restrictions must be guaranteed;
e) Access and Restricted Circulation Principle: personal data, except for public information, cannot be made available on the Internet or other mass communication media, unless the access is technically controllable to provide restricted knowledge only to the Data Subjects or authorized third parties;
f) Security Principle: the information subject to processing by IBCS must be protected through the necessary technical, human, and administrative measures to ensure the security of records, preventing their alteration, loss, consultation, unauthorized or fraudulent use, or access;
g) Confidentiality Principle: all individuals involved in the processing of personal data are obligated to ensure the confidentiality of the information, even after their relationship with any of the tasks involved in the processing ends.

CHAPTER II – AUTHORIZATION

ARTICLE 7. AUTHORIZATION

The collection, storage, use, circulation, or deletion of personal data by IBCS requires the free, prior, express, and informed consent of the data subject. IBCS, as the data controller for the personal data contained in its databases and/or its brands, has put in place the necessary mechanisms to obtain the authorization of the data subjects, ensuring that the granting of such authorization can be verified at all times.

ARTICLE 8. FORM AND MECHANISMS TO GRANT AUTHORIZATION

Authorization may be provided in a physical document, electronically, via a form, an audio file, or any other existing or future format that guarantees its later consultation. The content of the authorization granted for the collection and processing of the data will be issued by IBCS and will be made available to the Data Subject prior to the processing of their personal data, in accordance with the provisions of Law 1581 of 2012.
Through the consent-based authorization procedure, it is ensured that the data subject has been informed that their personal data will be collected and used for specific, known purposes, and that they have the option to learn of any changes to that data and the specific use given to it. The purpose of this is for the data subject to make informed decisions regarding their personal data and to have control over the use made of their personal information.
The authorization IBCS will request from the data subject is a declaration that informs them about:
a) Who collects the data (controller or processor);
b) What data is being collected;
c) Why the data is being collected (the purposes of processing);
d) How to exercise rights of access, correction, update, or deletion of the personal data provided;
e) If sensitive data is collected, and the possibility of not disclosing such data.

ARTICLE 9. PROOF OF AUTHORIZATION

IBCS will take all necessary measures to maintain records of the authorization obtained from the data subjects for the processing of their personal data.

ARTICLE 10. PRIVACY NOTICE

The Privacy Notice is the physical, electronic, or any other format document made available to the Data Subject for the processing of their personal data. Through this document, the Data Subject is informed about the existence of the data processing policies that will apply to them, how to access them, and the characteristics of the processing intended for their personal data. IBCS’ Privacy Notice is available, among other means, on the website https://www.IBCS.COM.co.

ARTICLE 11. MINIMUM CONTENT OF THE PRIVACY NOTICE

The Privacy Notice must, at a minimum, contain the following information:
A. The identity, address, and contact details of the data controller;
B. The type of processing to which the data will be subject and the purpose of such processing;
C. The general mechanisms provided by the data controller for the data subject to know the data processing policies and any substantial changes to them. In all cases, it must inform the data subject how to access or consult the data processing policies.

ARTICLE 12. PRIVACY NOTICE AND DATA PROCESSING POLICIES

IBCS will retain the model of the Privacy Notice transmitted to the data subjects while personal data processing is ongoing and as long as the obligations arising from it persist. For storing the model, IBCS may use computer, electronic, or any other technology.

 

CHAPTER III – RIGHTS AND DUTIES

ARTICLE 13. RIGHTS OF THE DATA SUBJECTS

In accordance with Article 8 of Law 1581 of 2012, the data subject has the following rights:
a) To know, update, and rectify their personal data in relation to IBCS, as the data controller and processor; b) To request proof of the authorization granted to IBCS, in its capacity as the data controller and processor; c) To be informed by IBCS, upon request, about the use made of their personal data; d) To file complaints with the Superintendence of Industry and Commerce for violations of Law 1581 of 2012, once the consultation or complaint process with the data controller has been exhausted; e) To revoke the authorization and/or request the deletion of the data when the processing does not respect the constitutional and legal principles, rights, and guarantees;
f) To access, free of charge, their personal data that has been processed.

 

ARTICLE 14. DUTIES IN RELATION TO THE PROCESSING OF PERSONAL DATA
IBCS will always bear in mind that personal data belongs to the natural persons to whom it relates, and only they can decide about it. In this regard, IBCS will use the data only for the purposes for which it is duly authorized at the time the data is collected, respecting the mandates of the Constitution, Law 1581 of 2012 on personal data protection, and Decree 1377 of 2013 which regulates it.
In accordance with Article 17 of Law 1581 of 2012, IBCS commits to permanently comply with the following duties concerning the processing of personal data: a) Guarantee the data subject the full and effective exercise of the right to habeas data at all times; b) Safeguard the information under the necessary security conditions to prevent its alteration, loss, consultation, unauthorized or fraudulent use or access; c) Timely carry out the update, rectification, or deletion of data as per the terms outlined in Articles 14 and 15 of Law 1581 of 2012; d) Process the queries and complaints submitted by data subjects within the terms set out in Article 14 of Law 1581 of 2012;
e) Insert in the database the legend «information in judicial dispute» once notified by the competent authority about judicial processes related to the quality or details of the personal data;
f) Refrain from circulating information that is being disputed by the data subject and whose blocking has been ordered by the Superintendence of Industry and Commerce; g) Allow access to the information only to those authorized to access it; h) Inform the Superintendence of Industry and Commerce when security breaches occur and there are risks in managing the data subject’s information; i) Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

CHAPTER IV – PROCEDURES FOR ACCESS, CONSULTATION, AND COMPLAINTS

Law 1581 of 2012 grants all natural persons rights and guarantees aimed at providing tools to protect their personal data and the use given to it. Any right intended to be effective must have a known and efficient mechanism through which it can be enforced.

Below, IBCS presents the rights that you, as the data subject, can exercise, and the mechanisms we have in place for you to do so.

ARTICLE 15. RIGHT OF ACCESS: The power of disposal or decision that the data subject has over their information means the right to access and know if their personal data is being processed, as well as its scope. IBCS guarantees the data subject the right of access as follows:
a) The data subject can find out, upon request, whether their data is being processed by IBCS.
b) The data subject may access their personal data in possession of the data controller.
c) IBCS and/or the companies will inform the data subject, at the time of collecting the data, about the type of personal data processed and each of the purposes justifying the processing.

PARAGRAPH: IBCS will guarantee the right of access, upon verification of the identity of the data subject or their representative, providing them, free of charge, with the details of their personal data through physical or electronic means that allow the data subject to directly access them, so that the data subject can effectively exercise their right to rectify, correct, or request the deletion of all or part of their data.

ARTICLE 16. CONSULTATIONS: According to Article 14 of Law 1581 of 2012, data subjects or their heirs can consult the personal information of the data subject that resides in any database. Consequently, IBCS will guarantee the right to consultation by providing all the information contained in the individual record or related to the identification of the data subject.
For addressing personal data consultation requests, IBCS guarantees:

  • Availability of user or consumer service lines, via email at adrianasolartecruz@gmail.com, and other channels that may be deemed pertinent at the time and will be effectively announced through changes to the Privacy Notice.
  • In any case, regardless of the mechanism implemented to address consultation requests, these will be attended within a maximum of ten (10) business days from the receipt of the request. If it is not possible to attend to the consultation within this period, the data subject will be informed before the 10-day deadline, stating the reasons for the delay and indicating the date on which their consultation will be addressed, which may not exceed five (5) additional business days after the first period.

ARTICLE 17. COMPLAINTS: According to Article 14 of Law 1581 of 2012, the data subject or their heirs, who consider that the information in a database needs to be corrected, updated, or deleted, or if they notice a breach of any duty set forth in Law 1581 of 2012, may file a complaint with the Data Controller, which will be processed under the following rules:

  1. The complaint must be submitted through a request addressed to the Data Controller or the Data Processor, with identification of the data subject, a description of the facts that led to the complaint, the address, and inclusion of supporting documents. If the complaint is incomplete, the data subject will be required to correct the deficiencies within five (5) days after the complaint is received. If two (2) months pass without the requested information being provided, it will be assumed that the data subject has abandoned the complaint. If IBCS is not competent to resolve it, it will forward it to the appropriate party within a maximum of two (2) business days and inform the data subject of the situation.
  2. Once the complete complaint is received, a legend saying “Complaint in Process” will be added within no more than two (2) business days to the database, along with the reason for the complaint. This legend will remain until the complaint is resolved.
  3. The maximum term to address the complaint will be fifteen (15) business days from the day following the receipt of the complaint. If it is not possible to address it within this period, the data subject will be informed before the deadline, stating the reasons for the delay and the new date by which the complaint will be addressed, which may not exceed eight (8) additional business days after the first term.

ARTICLE 18. DATA DELETION: The data subject has the right to request IBCS to delete their personal data at any time when:

  • They consider that the data is not being processed according to the principles, duties, and obligations established in Law 1581 of 2012.
  • The data is no longer necessary or relevant for the purpose for which it was collected.
  • The period required for fulfilling the purposes for which the data was collected has expired.
    This deletion implies the total or partial removal of personal information from records, files, databases, or processing performed by IBCS. It is important to note that the right to deletion is not absolute, and the request may be denied in the following cases:
  • (i) The deletion request will not proceed if the data subject has a legal or contractual obligation to remain in the database.
  • (ii) It is not possible to delete the data due to an order from a judicial or administrative authority with jurisdiction within the national territory.
  • (iii) The data is necessary to protect legally protected interests of the data subject or to guarantee compliance with a legally acquired obligation by the data subject.

ARTICLE 19. IMPLEMENTATION OF PROCEDURES TO GUARANTEE THE RIGHT TO CONSULT AND FILE COMPLAINTS: At any time and free of charge, the data subject or their representative may request IBCS information on the use of their personal data, its correction, update, or deletion, upon verification of their identity. These rights can only be exercised by:

  • (i) The data subject or their heirs, upon verification of their identity.
  • (ii) Their representative, upon verification of their representation.
    When the request is made by someone other than the data subject and it is not verified that they act on their behalf, to protect personal data, the complaint will be considered as not submitted.
    Every request must be submitted through the channels provided by IBCS, as stated in the Privacy Notice, and must contain at least the following information:
  1. The name and address of the data subject, or any other means, such as an email address, for communicating the response.
  2. Documents verifying the identity or representation of the representative.
  3. A clear and precise description of the personal data concerning which the data subject intends to exercise their rights.
    IBCS guarantees that the means provided to the data subjects for exercising their rights will ensure a response within the timeframes established by Law 1581 of 2012.
    Each time IBCS makes a new tool available to facilitate the exercise of rights by data subjects or modifies existing ones, it will inform them through its website and Privacy Notice.

ARTICLE 20. REVOCATION OF CONSENT: Data subjects can revoke their consent for the processing of their personal data at any time, provided that there is no legal provision preventing it. The data subject must clearly state whether the revocation of consent applies to all the purposes initially consented to, meaning that IBCS should cease processing the data completely, or if the revocation pertains to specific types of processing, such as for advertising or market research purposes. In the second case, where consent is partially revoked, other purposes of processing, for which the data subject agrees, can still be carried out.
Thus, it is necessary for the data subject to specify whether the revocation they request is total or partial when submitting the revocation request to IBCS. In the second case, they should indicate which treatment they do not consent to.

 

CHAPTER V – INFORMATION SECURITY

ARTICLE 21. SECURITY MEASURES: In line with the security principle established in Law 1581 of 2012, IBCS will adopt the necessary technical, human, and administrative measures to ensure the security of data and avoid its alteration, loss, unauthorized access, or fraudulent use.

ARTICLE 22. IMPLEMENTATION OF SECURITY MEASURES: IBCS will maintain mandatory security protocols for its collaborators with access to personal data and information systems. The procedure must include, at a minimum, the following aspects:
a) Detailed specification of the databases it applies to. b) Measures, standards, procedures, rules, and guidelines to ensure the level of security required by Law 1581 of 2012. c) Roles and responsibilities of staff. d) Structure of personal data databases and description of information systems handling them. e) Notification, management, and response procedures for incidents. f) Procedures to ensure the retention of authorizations granted by data subjects. g) Periodic controls to verify compliance with the security procedure. h) Measures to take when transporting, disposing of, or reusing documents or supports. i) The procedure must be kept up to date and reviewed whenever significant changes occur in the information system or its organization.
j) The content of the procedure must comply with current regulations on personal data security.

CHAPTER VI – FINAL PROVISIONS

ARTICLE 23: IBCS designates Blanca Casas, email adrianasolartecruz@gmail.com, as responsible for processing requests, consultations, and complaints from data subjects related to the databases of IBCS. Requests submitted in writing should be directed to her, and she will manage the necessary information within IBCS to respond to the data subjects accordingly.

ARTICLE 24. VALIDITY: This document is effective from January 23, 2025, until it is explicitly revoked or modified.

 

Social Chat is free, download and try it now here!