INVERSIONISTAS DE CAMELLANDO PEREIRA SAS By means of the present, the company INVERSIONISTAS DE CAMELLANDO PEREIRA SAS, establishes the Personal Data Treatment Policy that will be applied in compliance with Law 1581 of 2012 and its Regulatory Decree 1377 of 2013, applying the mechanisms to be used to adequately and ideally guarantee the personal data collected to date and in the future in their databases, in development of their contractual, labor, commercial activities, among others, in order to allow the holders to exercise the right of Habeas Data , guaranteeing the rights that the law grants to the holders of personal data for their treatment. This data processing policy is governed by the principles of legality, purpose, freedom, veracity or quality, transparency, access and restricted circulation, security and confidentiality. 1. IDENTIFICATION. COMPANY NAME: INVERSIONISTAS DE CAMELANDO PEREIRA SAS, a commercial company, duly incorporated before the Pereira Chamber of Commerce, identified by Nit. 901250808 – 4 and commercial registration No.02493669.Address: Carrera 17 #9 – 70 local 2 Avenida Pinares - (urban nomenclature of Pererira) Telephone: 3147402891, E-mail: mariajose.tobon@camellandohw.com 2. LEGAL FRAMEWORK  Constitution Policy.  Law 1266 of 2008.  Law 1581 of 2012.  Regulatory Decree 1727 of 2009  Regulatory Decree 2952 of 2010  Regulatory Decree 1377 of 2013  Constitutional Court Ruling C – 1011 of 200 8  Ruling of the Constitutional Court C - 748 2011 3. GENERAL INVESTORS OF CAMELLANDO PEREIRA SAS (hereinafter CAMELLANDO or the Company), is committed to the protection of information that is private and confidential, obtained within the framework of the development of its commercial and legal activities. In compliance with current regulations regarding the processing of personal data, the purpose of this document is to establish the CAMELANDO procedure, on issues related to the protection of entrusted information, seeking to limit the processing of personal data collected to exclusively obtain that information that has been provided voluntarily by our customers, contractors, suppliers, employees, former employees, visitors and any person who has any kind of relationship with the Company. Information of a private or confidential nature can be obtained by Camellado, through, but not limited to, the following channels: a) Commercial or professional relationship with the respective client, supplier or third parties related to the Company. b) Labor relationship with employees and former employees. c) Application to selection processes. d) Attendance at trainings, seminars, talks or courses. e) Sending emails requesting or sending information. Through this document, it is made clear that when providing any type of personal information to CAMELLANDO, the Owner of the personal data accepts that said information will be used in accordance with this Policy for its Treatment, highlighting that the Company will not use the data provided for purposes other than those established in this document. The use of personal data for a purpose other than that indicated in this Policy must be framed within the regulatory or jurisprudential exceptions that may apply or have the express authorization of the Holder. The exceptions to which a relationship is made will be defined in this Policy. 4. DEFINITIONS. a) Authorization: Prior, express and informed consent of the Owner to carry out the Processing of personal data. b) Privacy Notice: It is the verbal or written communication generated by the Responsible Party, addressed to the Owner for the Processing of their personal data, through which they are informed about the existence of the Information Processing policies that will be applicable to them, the way to access them and the purposes of the Treatment that is intended to be given to personal data. c) Database: Organized set of personal data that is subject to Treatment. d) Channels to exercise rights: These are the means of receiving and attending to requests, queries and claims that the Treatment Manager and the Treatment Manager must make available to the Holders of the information. e) Personal data: Any information linked or that can be associated with one or several determined or determinable natural persons. f) Public data: It is the data that is not semi-private, private or sensitive. Public data is considered, among others, the data related to the marital status of people, their profession or trade and their quality as merchant or public servant. Due to its nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins, and duly executed court rulings that are not subject to confidentiality. g) Sensitive data: Sensitive data is understood to be those that affect the Owner's privacy or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership of unions, social organizations, human rights or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data. h) Manager: Natural or legal person, public or private, that by itself or in association with others, performs the Processing of personal data on behalf of the controller. i) Habeas Data: It is a fundamental right, it is enshrined in article 15 of the Political Constitution and allows all people to know, update and rectify the information that has been collected about them in data banks of public and private entities . j) Principle of legality: The Processing of personal data is a regulated activity that must be subject to the provisions of the law and the other provisions that develop it. k) Principle of purpose: The Treatment must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Holder. l) Principle of freedom: Treatment can only be exercised with the prior, express and informed consent of the Owner. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves consent. m) Principle of veracity or quality: The information subject to Treatment must be truthful, complete, exact, updated, verifiable and understandable. The Processing of partial, incomplete, fractional or misleading data is prohibited. n) Principle of transparency: In the Treatment, the right of the Holder to obtain from the Treatment Manager or the Treatment Manager, at any time and without restrictions, information about the existence of data that concerns him must be guaranteed. o) Principle of access and restricted circulation: The Treatment is subject to the limits that derive from the nature of the personal data, the provisions of the law and the Constitution. In this sense, the Treatment can only be carried out by persons authorized by the Owner and/or by persons provided for by law. Personal data, except for public information, may not be available on the Internet or other means of mass disclosure or communication, unless access is technically controllable to provide restricted knowledge only to Owners or third parties authorized by law. p) Principle of security: The information subject to Treatment by the Treatment Manager or Treatment Manager must be handled with the technical, human and administrative measures that are necessary to grant security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access. q) Principle of confidentiality: All persons involved in the Processing of personal data that are not public in nature are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks included in the Treatment, being able to supply or communicate personal data only when it corresponds to the development of the activities authorized by law and in its terms. r) Responsible: Natural or legal person, public or private, that by itself or in association with others, decides on the database and/or the Treatment of the data. s) Owner: Natural person whose personal data is subject to Treatment. t) Treatment: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion. u) PQR: Request of the Data Owner or of the persons authorized by it or by the Law to correct, update or delete their personal data or to revoke the authorization in the cases established by Law. v) Client: Natural or legal person to which the Company provides professional services considering a business relationship. w) Supplier: Natural or legal person that supplies goods and/or services to the Company taking into account a commercial relationship. x) Employee: Natural person who provides personal services to the Company under an employment contract. y) Owner: Natural person whose personal data is processed by the Company. Qadrico. z) Third Party: Any natural person who does not have the status of Employee, Client, Supplier and has a commercial or training relationship. aa) National Registry of Databases: It is the public directory of the databases subject to Treatment that operate in the country. The registry will be administered by the Superintendence of Industry and Commerce and will be freely consultable by citizens. 5. CONTENT OF THE DATABASES CAMELLANDO will store general information such as full name, number and type of identification, gender and contact information (email, physical address, landline and mobile phone). In addition to these, and for the proper development of its commercial activities, as well as to strengthen its relationships with third parties, it collects, stores, uses, circulates and deletes Personal Data of natural and legal persons with whom they have or have had a relationship, especially, but without limitation, customers, distributors, suppliers, creditors, debtors, workers. However, depending on the nature of the database, CAMELLANDO may have specific data required for the treatment to which the data will be submitted. In the databases of employees and contractors, additional information on employment history and sensitive data is included. required by the nature of the contractual relationship. In the databases, sensitive information may be stored with the prior authorization of its owner, in compliance with the provisions of articles 5 and 7 of Law 1581 of 2012. The information of the users that are supplied through the access of the page Internet through the URL: http://www.camellandohw.com (hereinafter website), which will be treated in accordance with the content of this data policy, and by which users authorize and accept that from the same moment in which you access the website fully and without any type of reservation each and every one of the clauses included in the use of the same through the TERMS OF USE OF THE WEBSITE, THE PARTICULAR TERMS OF USE associated with each one of the TRAINING PROGRAMS. 6. PURPOSES OF PERSONAL DATA. CAMELLANDO, for the adequate development of its commercial activities, as well as for the strengthening of its relations with third parties, collects, stores, uses, circulates and deletes Personal Data about clients, suppliers, employees, among others, it is stored in order to comply to the activities of its corporate purpose. CAMELLANDO may carry out the Treatment of personal information about its clients, suppliers, employees, former employees, collaborators and related third parties, for the purposes of developing the activities of providing services that the company offers, within the normal course of business. of their businesses. For this reason, the contracts that are entered into, regardless of their nature, will be governed by the provisions of this Policy or will include a clause that regulates the Treatment of the information accessed by virtue thereof. The data obtained by CAMELLANDO by virtue of the development of its commercial activities, may eventually be shared with third parties or judicial and/or administrative authorities that exercise control and surveillance, so that they carry out quality reviews, carry out audits, supervision activities or simply references for future business. In any case, the personal data of third parties whose Responsible is not CAMELLANDO, will be processed within the framework of the purpose of the services provided or contracted, in order to comply with the commercial or legal relationship that has been established. In the same way, CAMELLANDO may carry out the treatment of the personal information of its clients, suppliers, contractors, employees, former employees, natural or legal persons with whom its commercial relationship has ended and with third parties related to the company. in order to send commercial information that may be of interest to you, which includes, but is not limited to, invitations to events, sending newsletters, industry reports, or publications and, in general, using the data for the development of activities included ordinary course of business of the Company. a) Purpose of the Treatment of photos and videos. a) It is possible that all people who enter CAMELLANDO facilities or attend events such as but not limited to training, forums, talks, workshops, courses, etc., whether or not they are employees, may be photographed or filmed and said material It may be used for the following purposes: b) Maintain and guarantee the security of CAMELLANDO's facilities, as well as of the people and goods found therein. Eventually, the data collected may be transferred to expert private security companies in accordance with the protocols established for this purpose by the rules that regulate said activity and/or the best market practices. c) Preparation of, but not limited to, videos, brochures, reports on contracted services, POP material of an institutional nature, which may be presented or disseminated and/or sent to employees, suppliers, current or potential clients, as well as third parties. , for loyalty, information and promotion purposes. Notwithstanding the foregoing, people who enter CAMELANDO facilities may not authorize their personal data, including photographic or video records, to have the aforementioned treatment. For which you must fill out the form of non-authorization for the treatment of personal data established, with the guarantee of being destroyed, in accordance with the respective practices of private security companies or current regulations. Rights of the owner of the information. In accordance with the provisions of article 8 of Law 1581 of 2012, the owners may: a) Right of access. The owner has the power to obtain all the information regarding their own personal data, whether partial or complete, the treatment applied to them, the purpose of the treatment, the location of the databases and about communications and/or assignments. made on your information, whether authorized or not. In addition to requesting proof of the authorization granted to CAMELLANDO, except when expressly excepted as a requirement for Treatment, in accordance with the provisions of article 10 of Law 1581. CAMELLANDO must guarantee the Owner free access to the information object of treatment. b) Right to update. The owner will have the right to update their personal data when they have had any variation. c) Right of rectification. This right empowers its owner to rectify information that turns out to be inaccurate, incomplete or non-existent. d) Right of cancellation. The owner has the power to cancel, at any time, their personal data when they are excessive, irrelevant or the treatment is contrary to regulations. e) Right to revoke consent. Revoke the authorization and/or request the deletion of the data when the Treatment does not respect the constitutional and legal principles, rights and guarantees. The revocation and/or deletion will proceed when the Superintendency of Industry and Commerce has determined that CAMELLANDO has engaged in conduct contrary to this law and the Constitution. f) Right to present complaints and claims or to exercise actions. Submit complaints to the Superintendence of Industry and Commerce for violations of the provisions of this law and other regulations that modify, add or complement it. Cases in which authorization from the owner is not necessary. - Information required by a public or administrative entity in the exercise of its legal functions or by court order. - Databases of a public nature. - Cases of medical or health urgency. - Treatment of information authorized by law for historical, statistical or scientific purposes. - Data related to the Civil Registry of People. In these cases, although the authorization of the Holder is not required, the other principles and legal provisions on the protection of personal data will apply. These rights may be exercised by: 1. The owner. 2. The assignees of the holder. 3. The representative and/or proxy of the owner. 4. Other in favor or for which the owner had stipulated. All those mentioned above must accredit by the necessary means and their quality before CAMELLANDO. 7. OBLIGATIONS OF CAMELANDO. CAMELLANDO must comply with the following duties without prejudice to the other provisions provided by law. a) Guarantee the owner, at all times, the full and effective exercise of the right of Habeas Data. b) Inform the owner of the information, the purpose of the collection and the rights that assist him by virtue of the authorization. It must be guaranteed that the information provided is fully authorized by the owner according to the parameters established by law. CAMELLANDO undertakes to respect the security and privacy conditions of the information. c) For its part, the owner of the information will guarantee that the information provided to CAMELLANDO is true, complete, accurate, updated, verifiable or understandable. d) Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access. e) Request and keep, following the guidelines of the law, a copy of the respective authorization granted by the owner. f) Timely update, rectify or delete the data under the terms of the law. g) Update the information reported by those responsible for treatment within five (5) business days from its receipt. h) Inform the data protection authority when there are violations of security codes and there are risks in the administration of information. i) Process the queries and claims made by the owners in the terms indicated in this Manual and in the law on the information that was granted to CAMELLANDO. j) Adopt an internal manual of policies and procedures to guarantee adequate compliance with the law and, especially, for the attention of queries and claims by the Holders. CAMELLANDO complies with this obligation with the promulgation of the following manual. k) Refrain from circulating information that is being controversial by the owner and whose blocking has been ordered by the Superintendence of Industry and Commerce or by another competent authority. l) Allow access to information only to people who may have access to it. m) Comply with the instructions or requirements issued by the Superintendence of Industry and Commerce. n) Delivery of personal data to the authorities when the legality of the request and the relevance of the requested data in the possession of CAMELLANDO is verified. The delivery of the requested personal information will be documented, providing that it complies with all its attributes (authenticity, reliability and integrity), and noting the duty of protection of this data, both to the official who makes the request, to the person who receives it, as well as as well as the entity for which they work. The authority that requires the personal information will be warned about the security measures that apply to the personal data delivered and the risks that its improper use and inappropriate treatment entail. 8. AREA RESPONSIBLE FOR THE DATA PROCESSING POLICY. Any request, complaint or claim related to the handling of personal data, in application of the regulations in force, Law 1580 of 2012 and Decree 1377 of 2013, must be sent to: Address: Carrera 17 #9 – 70 local 2 Avenida Pinares - ( Pererira urban nomenclature) Telephone: 3147402891 E-mail: mariajose.tobon@camellandohw.com 9. DATA PROTECTION PROCESSING PROCEDURE. Any request, complaint or claim, related to the handling of personal information must be made in writing or by email and must include at least the following information. 1. Identification of the owner, where the right to the information is accredited. to. Full name b. Identification number, with a copy of it. c. Address d. Phone e.g. Email 2. Description of the facts that give rise to the claim. 3. Documentation that serves as proof of the facts. If the claim is incomplete, the interested party will be required within the following five (5) business days to correct the failures. If the interested party does not show up within the month following the request, it will be understood that he has withdrawn the claim. The term of response to the request by CAMELLANDO is fifteen (15) business days from the day after receipt of the request, complaint or claim. When it is not possible to meet the request within the term, the interested party will be informed of the reasons for the delay and the date on which a response will be given. 10. PROCESSING OF PERSONAL DATA The operations that constitute processing of personal data by CAMELLANDO, as the person in charge, will be governed by the following parameters: The respective verification forecast will be included in the document that legitimizes the relationship where the authorization will be requested and with it will verify and control that the requested data is necessary, pertinent and not excessive with respect to the purpose of the treatment. In relation to the treatment of personal data of the community in general, the data collection will be subject to the provisions contained in this document, prior to its authorization so that the holders of the information enjoy the rights contained in the manual. In each of the cases described above, the areas of the organization that develop business processes in which personal data is involved must consider in their action strategies the formulation of rules and procedures that allow compliance and make effective the provisions adopted herein, in addition to preventing possible legal sanctions. 11. SENSITIVE DATA: The current regulations establish that it is any data that could affect the privacy of the owner or whose improper use can generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions. belonging to unions, social organizations, human rights or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties data related to health, sexual life and biometric data. In accordance with the foregoing, CAMELLANDO suggests not providing sensitive data to the company, unless the Holder considers that it is necessary to do so in order to comply with the activities that are carried out or will be carried out jointly with the company. Therefore, we request that in the event that any person sends sensitive data to the Company through any channel, they be sent with the proper authorization for treatment, for the legitimate purposes of the business and the purposes established in this document. 11.1. OBTAINING SENSITIVE DATA. CAMELANDO will not obtain information classified by current regulations as sensitive data, except in the following events: a. When the Holders give their authorization expressly and prior or concurrently at the time of data collection. b. When the Treatment of the data is necessary to safeguard a vital interest of the Owner, in which case the prior authorization of the person exercising the legal representation of the Owner will be required; c. When the Treatment is carried out in the course of legitimate activities and with due guarantees. In these events, this type of data may not be provided to third parties without the prior authorization of the Holder. When it refers to data that is necessary for the recognition, exercise or defense of a right in a judicial process. d. When it has a historical, statistical or scientific purpose, for which all measures leading to the elimination of the identity of the Holders must be taken. 12. TREATMENT OF PERSONAL DATA OF MINORS In accordance with the provisions of the Code for Children and Adolescents, CAMELLANDO will process the data of minors, taking into account the prevailing rights of children and adolescents, therefore, The treatment of this type of data will be carried out only when there is the express authorization of their legal representatives and that it complies with the requirements demanded by law. All the opinions of minors will be taken into account when making use of their personal data. 13. INTERNATIONAL DATA TRANSFER. In the event that international data transfer is required, CAMELLANDO, in accordance with article 26 of Law 158 of 2012, undertakes not to transfer data to third countries that do not comply with the personal data protection standards required by the Superintendency of Industry. and Commerce, except for the exceptions indicated below: a.) Information in respect of which the Holder has granted his express and unequivocal authorization for the transfer; d) Exchange of medical data, for reasons of health or public hygiene. e) Bank or stock transfers, in accordance with the legislation that is applicable to them, in the event that CAMELLANDO carries out this type of transaction. f) Transfers agreed within the framework of international treaties to which the Republic of Colombia is a party, based on the principle of reciprocity. g) Transfers necessary for the execution of a contract between the Owner and the Treatment Manager, as long as the Owner's authorization is obtained; h) Transfers legally required to safeguard the public interest, or for the recognition, exercise or defense of a right in a judicial process. 14. SECURITY In accordance with article 19 of Decree 1377 of 2013, Qadrico undertakes to adopt and abide by the guidelines issued by the Superintendence of Industry and Commerce regarding all issues related to the security of personal data obtained. Qadrico will use its best efforts to improve the security standards that protect the personal information collected. 15. PROHIBITIONS a) CAMELLANDO prohibits the access, use, management, assignment, communication, storage and any other processing of personal data of a sensitive nature without the authorization of the owner of the personal data and the Company. b) CAMELLANDO prohibits the recipients of this policy from processing personal data that may give rise to any of the behaviors described in the computer data law 1273 of 2009. Unless it has the authorization of the data owner and/or the Company, as the case may be. 16. ROLES AND RESPONSIBILITIES IN COMPLIANCE WITH THE PROTECTION OF PERSONAL DATA. The responsibility for the proper processing of personal data within CAMELLANDO is the responsibility of all members. Consequently, within each area that manages business processes that involve the processing of personal data, they must adopt the rules and procedures for the application and compliance with the Manual, given their status as custodians of personal information. In case of doubt, send an email to mariajose.tobon@camellandohw.com to process the request. 17. TEMPORALITY OF PERSONAL DATA The processing of personal data carried out by CAMELLANDO, the permanence of the data will be determined by the purpose of said processing. Consequently, once the purpose for which the data was collected has been exhausted, CAMELANDO will proceed to destroy or return it, as the case may be, or to keep it as provided by law, adopting technical measures that prevent inappropriate treatment. 18. COOKIES A “Cookie” is understood as a small electronic file with a series of characters sent to the computer equipment, including mobile phones, of the person who enters a website, allowing user preferences to be stored. Although it is possible that the user, despite not allowing the use of cookies in his browser, can access the CAMELLANDO website, it is within the probabilities that the operational systems of the Company and this information are fed anonymously. may be included in the Webmasters, with the aim of providing a better experience to whoever uses the website www.camellandohw.com. 19. VALIDITY OF THE DATA POLICY The personal information protection policy of CAMELLANDO will be in force from the promulgation of personal data until its termination. Any modification to it will be made at the discretion of CAMELLANDO, being clear that they must be in accordance with the law. The information that is collected by CAMELLANDO will be kept indefinitely as long as its purpose is developed and as long as it is necessary to ensure compliance with legal, labor and accounting obligations. This without affecting the right of the owner to request its removal, as long as it does not go against CANELLANDO's own obligations. This is in accordance with the rights of the owner of the information. CAMELLANDO may modify this Policy for the Treatment of Personal Data at the time they deem it necessary, in accordance with the regulatory changes made regarding this matter. All updates must be recorded at the end of the document for publicity purposes to third parties. CAMELANDO recommends and requests its clients, suppliers, consultants, users and all persons who have or wish to have any relationship with the Company to periodically review this Policy, and thus remain informed about the mechanisms of data protection that the company executes the protection of personal information. 20. VALIDITY This policy is effective as of its publication. 21. Updates Version 1: November 22, two thousand and nineteen (2019)