Lumm MDT

Lumm data processing policies

Regenerative Path S.A.S, identified with NIT 901.768.492.-5, located in the city of Medellin, at Carrera 32#12a -11 Las Lomas, Nock building, 8th floor, is responsible for the processing of personal data to which it has access through the development of its activity. Likewise, it is the guarantor of the administration of the databases in which such information is stored.

The guidelines contained in this document are applicable to personal data that have been recorded in the databases and that are susceptible to the treatment required by Regenerative Path S.A.S. in compliance with the provisions of Law 1581 of 2012, Decree 1074 of 2015 and other applicable provisions on the subject, by which general provisions for the protection of personal data are issued.

This policy is mandatory for Regenerative Path S.A.S. in its capacity as data controller, as well as for those responsible for the processing of personal data on behalf of the institution. Both the data controller and those processing data on its behalf must safeguard the security of the databases containing personal data and keep confidentiality with respect to the processing of such data.

Decree 1074 of 2015 regulated Law 1581 of 2012 and regulated the authorization, revocation, policies and procedures for the protection of personal data, determining that every institution shall guarantee the full exercise of the right of habeas data. Likewise, within the personal data protection regime and applicable to the health sector, provisions such as Statutory Law 1266 of 2008, Decree 1727 of 2009, Regulatory Decree 1377 of 2013, Resolution 839 of 2017 and also the jurisprudential developments on the matter dictated by the Constitutional Court, such as through Ruling C-748 of 2011, Ruling T-176 A of 2014 and Ruling T-358 of 2014, among others, must be considered.

  1. Objective

Define the necessary guidelines to guarantee the exercise of the right to privacy of individuals, through the protection of personal data contained in the different databases of the institution so that they receive the treatment in accordance with the intended purposes.

  2. Scope

This policy is applicable to the personal data contained in the databases under the responsibility of Regenerative Path S.A.S. and that are susceptible to any access or treatment by Regenerative Path S.A.S., its personnel or third parties entrusted by it.

  3. Validity

This institutional policy will be effective as of the date of signature and publication, and will be reviewed every two years or according to applicable regulatory changes.



  4. Responsibilities

Any person who has access to consult and carry out any kind of processing of personal data contained in databases under the responsibility of Regenerative Path S.A.S. is personally responsible, for which he/she must comply with this Policy.

  5. Guiding principles of the personal data processing policy

In order to ensure the protection of personal data, this policy is governed by compliance with the following principles for the processing (collection, storage, use, circulation or suppression, transfer and transmission) of personal data to which access is gained.

  • Principle of legality in matters of data processing: The processing of personal data referred to in this law is a regulated activity that must be subject to the provisions in force and in the other provisions developed therein.

  • Principle of purpose: The data processing carried out by Regenerative Path S.A.S. will obey a legitimate purpose in accordance with the constitution and the law, which will be informed to the holders of the personal data.

  • Principle of freedom: The processing of personal data carried out by Regenerative Path S.A.S., and its personnel in charge, or any third party that comes to have access to the databases of Regenerative Path S.A.S., can only be exercised with the prior, express and informed consent of the holder. Personal data may not be obtained or disclosed without prior authorization, or in the absence of legal or judicial mandate that relieves the consent.

  • Principle of truthfulness or quality: The information subject to processing must be truthful, complete, accurate, up-to-date, verifiable and understandable. The processing of partial, incomplete, fractioned or misleading data is prohibited.

  • Principle of transparency: Regenerative Path S.A.S. guarantees the holder in the processing of personal data the right to obtain at any time and without restriction, information about the existence of data concerning him/her.

  • Principle of restricted access and circulation: The processing of personal data is subject to the limits derived from the nature of the personal data, the provisions of the law and the constitution. In this sense, the processing may only be carried out by persons authorized by the owner and/or by the persons provided by law. Personal data, except for public information, may not be made available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to the owners or third parties authorized by law.

  • Principle of security: The information that is subject to treatment by Regenerative Path S.A.S., its personnel and any third party that may have access to the databases of Regenerative Path S.A.S., must be handled with the technical, human and administrative measures that are necessary to provide security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.

  • Principle of confidentiality: All Regenerative Path S.A.S. personnel or external personnel who for some reason have to intervene in the processing of personal data from the databases of Regenerative Path S.A.S., which do not have the nature of public; are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks that comprise the treatment, being able to only perform supply or communication of personal data when it corresponds to the development of the activities authorized by law and under the terms of the same.

  6. Description of the data referring to the personal information of the owners

Personal data collected by Regenerative Path S.A.S. about its owners may include, but is not limited to:

  1. First and last names.
  2. Type and number of identity document (civil registry, identity card, citizenship card, passport, foreigner’s card or diplomatic card).
  3. Place and date of birth, nationality.
  4. Age, sex, marital status, languages spoken and religious beliefs.
  5. Schooling, profession and occupation.
  6. Usual physical address, e-mail address, telephone number, cell phone number.
  7. Employer, its location and contact information.
  8. Patient’s clinical information including personal, family and epidemiological history, results of diagnostic support tests, medical orders, consultations made, medications received, diagnoses, medical and health team assessments, surgical procedures, etc.
  9. Contact information of their relatives, responsible or legal representatives, who have been delivered to Regenerative Path S.A.S., in connection with the process of patient care.
  10. Personal habits.
  11. Your Benefit Plan Administrator (EPS, EPS-S, ARL, Complementary Care Plan -PAC-, Prepaid Medicine, Health Policy, etc.).
  12. Use of our services.
  13. Personal information obtained during the review of your requests or complaints.
  14. Personal information provided through surveys or other institutional instruments.
  15. Any other that is not specifically indicated in the above list, but that falls under the category of personal data in accordance with Law 1581 of 2012, this Policy and other provisions that define personal data.



  7. Purposes of data processing

The general purposes of the processing of personal data that Regenerative Path S.A.S. carries out in the exercise of its corporate purpose are related to the following activities:

  • Provision of health services
  • Scheduling of medical appointments, diagnostic tests, therapies, orientation of services and other medical and/or surgical procedures that are required for the patient’s care, as well as for the performance of administrative procedures.
  • Compliance with regulatory and contractual requirements.
  • Be contacted for renewals, product and service offerings.
  • Be informed and invited to participate in different benefits or events of Regenerative Path S.A.S. and its third parties.
  • Clinical, scientific, epidemiological and technological research.
  • Evaluate the quality of products and services.
  • Response, management and follow-up to requests for improvement, petitions and suggestions.
  • Education in health promotion, disease prevention and patient care.
  • Quality improvement and evaluation of the external positioning of the institution and its activities.
  • Exchange of information for the operation of the General Social Security Health System.
  • Send to the physical mail, electronic mail, cell phone or mobile device, via text messages (SMS and/or MMS) or through any other analog and/or digital means of communication created or to be created, information about the services it provides and the events it schedules, in order to promote, invite, direct, execute and inform.
  • Communication and sending of information of interest related to the health services offered; advances and scientific research; academic and business events; health conferences; current events in the sector; publications, regulations related to the health sector, among others.
  • Prospective knowledge of the needs of its stakeholders in order to innovate in the provision of its health services, as well as their quality and efficiency.
  • Provision of information to the authorities and/or cooperation with them when required to do so.
  • Send commercial and promotional information, invitations or courtesies from Regenerative Path S.A.S.
  • Conduct surveys and/or opinion polls on products and content.
  • Management of the security of people, goods and information assets in custody of the organization.
  • Development of corporate social responsibility activities.
  • Relationship with the institution’s stakeholders.
  • Portfolio management originated in the provision of health services.
  • Operational and/or administrative risk management
  • Only share personal identification and location data with the institution’s strategic allies.
  • Monitoring and management of the contractual relationship with patients and third parties.

  8. Responsible for the protection of personal data

Regenerative Path S.A.S. has designated the Administrative and Legal Management area as responsible for the processing of personal data within the organization. This area will be responsible for processing the requests submitted by the owners, ensure the implementation of this policy, keep updated legal guidelines, and coordinate the actions required to ensure compliance with the rights of habeas data. Holders may communicate with this area through the following e-mail address: [email protected].

  9. Rights and duties

9.1 Rights of the holders of personal data processed in Regenerative Path S.A.S.

The holder of the personal data processed in Regenerative Path S.A.S., will have the following rights:

  • To know, update and rectify their personal data against those responsible for the treatment or in charge of the treatment. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or data whose processing is expressly prohibited or has not been authorized.

  • Request proof of the authorization granted to the data controller except when expressly exempted as a requirement for the processing, in accordance with the provisions of Article 10 of Law 1581 of 2012.

  • Be informed by the controller or processor, upon request, regarding the use that has been made of their personal data.

  • To file before the Superintendence of Industry and Commerce complaints for violations of the provisions of this law and other regulations that modify, add or complement it.

  • To revoke the authorization and/or request the deletion of the data when the treatment does not respect the principles, rights and constitutional and legal guarantees. The revocation and/or deletion will proceed when the Superintendence of Industry and Commerce has determined that, in the treatment, the controller or the processor has engaged in conduct contrary to this law and the Constitution.

  • Access free of charge to your personal data that has been processed.

  • The holder may consult his personal data free of charge at least once every calendar month, and every time there are substantial modifications to the Personal Data Processing Policy that motivate new consultations.

  • For consultations whose periodicity is greater than one per calendar month, the person in charge may only charge the holder for the costs of mailing, reproduction and, if applicable, certification of documents. Reproduction costs may not exceed the cost of retrieving the corresponding material.

  • Consult the personal information contained in any Regenerative Path S.A.S. database.

  • Request from Regenerative Path S.A.S. the correction, updating or deletion, when they notice the alleged breach of any of the duties contained in Law 1581 of 2012.
  • Request Regenerative Path S.A.S. the deletion of your personal data and/or revoke all or part of the authorization granted for the processing of the same, by filing a claim.



9.2 Duties of data controllers and processors of personal data

The collection of data by Regenerative Path S.A.S. will be limited to those personal data that are relevant and adequate for the purpose for which they are collected or required in accordance with current regulations.

By virtue of the above, Regenerative Path S.A.S. will comply with the duties foreseen for those responsible for the processing of personal data, such as:

  1. Guarantee the holder, at all times, the full and effective exercise of the rights.
  2. Request and keep, under the conditions provided by law, a copy of the respective authorization granted by the holder.
  3. Duly inform the owner about the purpose of the collection and the rights he/she has by virtue of the authorization granted.
  4. Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access.
  5. Ensure that the information provided to the data processor is truthful, complete, accurate, up-to-date, verifiable and understandable.
  6. To update the information, communicating in a timely manner to the data processor, all the news regarding the data previously provided and to adopt the other necessary measures so that the information provided to the data processor is kept up to date.
  7. Rectify the information when it is incorrect and communicate the pertinent to the person in charge of the treatment.
  8. To provide to the data processor, as the case may be, only data whose processing is previously authorized in accordance with the provisions of the law.
  9. To require the data processor at all times to respect the security and privacy conditions of the owner’s information.
  10. To process queries and claims formulated in the terms set forth in the law.
  11. Inform the data processor when certain information is under discussion by the owner, once the claim has been filed and the respective process has not been completed.
  12. Inform upon request of the owner about the use given to their data.
  13. Inform the data protection authority when there are violations to the security codes and there are risks in the administration of the information of the owners.
  14. Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
  15. Adopt the necessary procedures to request, at the latest at the time of data collection, the authorization of the owner for the processing of such data, and inform the personal data to be collected, as well as all the specific purposes of the processing for which consent is obtained. It is clarified that personal data that are in publicly accessible sources, regardless of the means by which access is gained, meaning those data or databases that are available to the public, may be processed by Regenerative Path S.A.S. provided that, by their nature, they are public data.
  16. Communicate substantial changes in the content of the Processing Policies, referring to the identification of the person responsible and the purpose of the processing of personal data, which may affect the content of the authorization. This communication must be made before or at the latest at the time of implementing the new policies, and a new authorization will be obtained from the holder when the change refers to the purpose of the processing. For the communication of changes and authorization, technical means may be used to facilitate this activity.
  17. To ensure the integrity, confidentiality and quality of the way in which the collection of sensitive data necessary for the timely care of each patient is carried out.



9.3 Duties of controllers of personal data processors

  1. Guarantee the holder, at all times, the full and effective exercise of the right of habeas data.
  2. Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access.
  3. Timely update, rectification or deletion of data under the terms of this law.
  4. Update the information reported by the data controllers within five (5) business days of receipt.
  5. To process the consultations and claims formulated by the owners under the terms set forth in this law.
  6. Adopt and comply with the policies, manuals and procedures that in compliance with the rules on data protection have been provided by the national government and have been implemented by Regenerative Path S.A.S.
  7. To give the corresponding processing to the queries and claims submitted by the holders.
  8. Register in the database the legend “claim in process” in the form regulated in the present law.
  9. Insert in the database the legend “information under judicial discussion” once notified by the competent authority about judicial processes related to the quality of the personal data.
  10. Refrain from circulating information that is being disputed by the owner and whose blocking has been ordered by the Superintendence of Industry and Commerce.
  11. Allow access to information only to those who can access it.
  12. Inform the Superintendence of Industry and Commerce when there are violations to the security codes and there are risks in the administration of the information of the owners.
  13. Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

9.4 Joint duties of controllers and data processors and personal data handlers

They must establish simple and agile mechanisms that are permanently available to the owners so that they can access the personal data under their control and exercise their rights over them.

Reasonable measures shall be taken to ensure that the personal data contained in the databases are accurate and sufficient and, when requested by the owner or when the controller has been able to notice it, are updated, rectified or deleted, in such a way as to satisfy the purposes of the processing.

They must designate a person or area that assumes the function of personal data protection, which will process the requests of the Data Controllers, for the exercise of the rights referred to in Law 1581 of 2012 and Decree 1377 of 2013.

  10. Authorization of the holder of personal data

For the processing of personal data, Regenerative Path S.A.S. requires the prior, express and informed authorization of the owner of the same, whether in physical or electronic media, except in the following cases authorized by Law 1581 of 2012.

10.1 Information that does not require authorization for processing

  • Information required by a public or administrative entity in the exercise of its legal functions or by court order.
  • Data of a public nature.
  • Cases of medical or sanitary emergency.
  • Processing of information authorized by law for historical, statistical or scientific purposes.
  • Data related to the civil registry of persons.

10.2 Means of obtaining and granting authorization

Regenerative Path S.A.S., in order to comply with the provisions of Law 1581 of 2012 will obtain prior to the processing of personal data, the authorization of the owners or those who are legitimized to do so through different mechanisms such as: Subscription of physical format, email, website, data message, privacy notice, Intranet or any other mechanism that allows to conclude unequivocally that the authorization was granted.

*In no case may silence be assimilated to unequivocal conduct.



10.3 Processing of sensitive data and data of minors

Regenerative Path S.A.S. may collect and process sensitive data, including those related to health, biomedical condition, personal habits, and beliefs, only when there is express and informed authorization of the owner, and provided that such treatment is necessary for the proper provision of health services and other legitimate purposes.

Likewise, the processing of personal data of children and adolescents will be carried out respecting their prevailing rights, and only when such processing is permitted by law and responds to the best interests of the minor. In these cases, the express authorization of the legal representative of the minor will be requested and the appropriate and safe use of the information collected will be ensured.

  11. Inquiries, claims and requests for revocation or suppression

11.1 Queries

The holders or their successors in title may consult the personal information contained in the databases of Regenerative Path S.A.S., who will provide the applicant with all the information contained in the individual record or that is linked to the identification of the holder.

The holder may consult his personal data free of charge, each time there are substantial modifications to the Information Processing Policies, which motivate new consultations. For the purpose of answering the queries, Regenerative Path S.A.S., has a maximum term of ten (10) working days from the date of receipt of these. When it is not possible to answer the consultation within this term, the interested party will be informed, stating the reasons for the delay and indicating the date on which the consultation will be answered, which in no case may exceed five (5) working days following the expiration of the first term.

11.2 Claims

The holder who considers that the information contained in the database of Regenerative Path S.A.S, should be subject to correction, updating, deletion or when they notice the alleged breach of any of the duties contained in Law 1581 of 2012, may submit a request to Regenerative Path S.A.S, which will be processed under the following conditions:

a). The claim shall be formulated by means of a written request addressed to Regenerative Path S.A.S. through the following e-mail address [email protected] and must contain the following information:

  • Name of the petitioner or applicant.
  • Identification number of the petitioner or applicant.
  • Facts on which the request is based.
  • Object of the request.
  • Mailing address.
  • Provide the documents that support the petition.

If the request is incomplete, within five (5) business days of receipt, the interested party will be requested to correct the faults and complete the information; if two (2) months have elapsed from the date of the request made by Regenerative Path S.A.S., without the applicant submitting the required information, it will be understood that the claim has been withdrawn.

Once Regenerative Path S.A.S. confirms receipt of the request, the area in charge will verify that the information is complete and will proceed to initiate the process of attention to the requirement, for which the receiving areas are supported by the legal office before issuing the response. The maximum term to respond to the request will be fifteen (15) working days from the day following the date of receipt.

When it is not possible to respond to the request within said term, the interested party will be informed of the reasons for the delay and the date on which the request will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term. In the event that the person receiving the claim is not competent to resolve it, he/she will transfer it to the corresponding person within a maximum term of two (2) business days and will inform the interested party of the situation.

b). Once the complete claim is received, a text will be included in the database stating “claim in process” and the reason for it, within a term not exceeding two (2) business days, which must be maintained until the claim is decided.

c). The maximum term to address the claim will be fifteen (15) business days from the day following the date of receipt. When it is not possible to address the claim within such term, the interested party will be informed of the reasons for the delay and the date on which the claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.

11.3 Revocation or cancellation requests

The holders may at any time request from Regenerative Path S.A.S. the deletion of their personal data and/or revoke the authorization granted for the treatment of these, by submitting a written request, in accordance with the provisions of Article 15 of Law 1581 of 2012 through one of the following options:

  • By physical means, application filed in correspondence at Carrera 32#12a -11 Las Lomas, Nock building, 8th floor, from 08:00 AM to 05:00 PM from Monday to Friday.
  • By e-mail to [email protected].

The application must contain the following information:

  • Full name and surname.
  • Notification address or e-mail
  • Attach a copy of a personal identification document.
  • Indicate in the subject line: request for personal data
  • Specify whether the request is an inquiry or complaint, make a description of the facts and other details that you consider relevant.
  • The type of holder: patient, collaborator, pensioner, applicant, contractor or provider, or user in general. In the case of a contractor or provider, the company to which he/she belongs must be indicated.

Regenerative Path S.A.S., will respond to the request by the same means in which it was formulated. The request for deletion of information and the revocation of the authorization will not proceed when the holder has a legal or contractual duty to remain in the Regenerative Path S.A.S. database.

  12. Procedural requirement

The holder may file a complaint before the Superintendence of Industry and Commerce once the consultation or complaint process has been exhausted before the responsible party or before the person in charge of the processing of personal data.

  13. Provision of information

The information that meets the conditions set forth in this policy may be provided by Regenerative Path S.A.S., to the following persons:

  1. To the owners, their successors in title or their legal representatives.
  2. To public or administrative entities in the exercise of their legal functions or by court order.
  3. To third parties authorized by the owner or by law.



  14. Temporality of the processing of personal data

The permanence of the personal data collected by Regenerative Path S.A.S., will be determined by the purpose of the treatment for which they have been collected. Once the purpose of the treatment is fulfilled, Regenerative Path S.A.S., will proceed to the deletion of the personal data collected. Notwithstanding the foregoing, personal data must be retained when required for compliance with a legal or contractual obligation.

  15. International transfer and transmission of personal data

For the transmission and transfer of personal data, the following rules shall apply:

  • International transfers of personal data shall observe the provisions of Article 26 of Law 1581 of 2012; that is, the prohibition of transferring personal data to countries that do not provide adequate levels of data protection and the exceptional cases in which such prohibition does not apply.
  • The international transmissions of personal data that are made between a controller and a processor to allow the processor to carry out the processing on behalf of the controller, shall not require to be informed to the holder or to have his consent when there is a contract under the terms of Article 25 of Law 1581 of 2012.
  • The transfer of personal data of any kind to countries that do not provide adequate levels of data protection is prohibited. It is understood that a country offers an adequate level of data protection when it complies with the standards set by the Superintendence of Industry and Commerce.
  • Exceptionally, Regenerative Path S.A.S., may transfer personal data in the following cases:
  1. Information with respect to which the holder has given express and unequivocal authorization for the transfer.
  2. Exchange of medical data, when required by the treatment of the holder for reasons of public health or hygiene.
  3. Bank or stock exchange transfers, in accordance with the applicable legislation.
  4. Transfers agreed within the framework of international treaties to which the Republic of Colombia is a party, based on the principle of reciprocity.
  5. Transfers necessary for the execution of a contract between the holder and Regenerative Path S.A.S., or for the execution of pre-contractual measures as long as the holder’s authorization is obtained.
  6. Transfers legally required to safeguard the public interest, or for the recognition, exercise or defense of a right in a judicial proceeding.

  16. Information security

Regenerative Path S.A.S., guarantees the use of technical, human and administrative measures necessary to provide security to personal data and other information subject to treatment, avoiding its adulteration, loss, consultation, use or unauthorized or fraudulent access.

Periodic risk assessment

Regenerative Path S.A.S. undertakes to conduct periodic risk assessments associated with the processing of personal data, especially those classified as sensitive. These assessments will identify potential vulnerabilities and take the necessary corrective measures to ensure the security, confidentiality, availability and integrity of the personal information of the owners. Such measures will be updated according to technological evolution and emerging threats.

  17. Operationalization of the policy

In order to achieve effectiveness in the application of the Policy for the Treatment of Personal Data, the Institutional internal procedures must be adjusted to guarantee the protection of the rights of the holders of personal data and the confidentiality of the information.

In addition to the above, there must be a single internal procedure for the processing of personal data, which must comply with the provisions of current legislation, this policy and with the documentation requirements established in Regenerative Path S.A.S.

As an integral part of this Policy, Regenerative Path S.A.S. has standardized forms of authorization for the processing of personal data and privacy notices, both for physical and digital media. These documents are designed in accordance with the principles of legality, purpose and transparency, and are applicable to different types of owners: patients, collaborators, contractors and third parties in general. The formats are available for consultation at the administrative headquarters and on the institutional portal when applicable.

  18. Modifications

Regenerative Path S.A.S. reserves the right to modify this Personal Data Processing Policy, in whole or in part. In case of substantial changes in the policy referring to the identification of Regenerative Path S.A.S., and the purpose of the processing of personal data which may affect the content of the authorization, Regenerative Path S.A.S., will communicate these changes to the holder at the latest at the time of implementing the new policies.