Privacy Policy

DATA PRIVACY AND INFORMATION MANAGEMENT POLICIES
LAW 1581 OF 2012 AND REGULATORY DECREE 1377 OF 2013
DATA CONTROLLER

• NAME: HOTEL SORATAMA SA
• NIT: 800.156.522-5
• ADDRESS: CARRERA 7 NUMBER 19-20 PEREIRA, RISARALDA
• EMAIL: administracion@hotelsoratama.com
• WEBSITE: www.hotelsansimon.com
• PHONE: 57 (1) 3358650

1. OBJECTIVE: To establish and disseminate the Information Processing and Personal Data Protection Policies implemented by HOTEL SORATAMA in order to ensure proper compliance with Law 1581 of 2012 and Decree 1377 of 2013 and other regulations that modify or complement them, which aim to develop the constitutional right of all persons to know, update and rectify the information collected in databases or files, and other rights, freedoms and constitutional guarantees referred to in Article 15 of the Political Constitution "Habeas Data"; as well as the right to information enshrined in Article 20 thereof.
2. SCOPE: This document applies to personal data recorded in any database managed by the company that makes them susceptible to processing.
3. DEFINITIONS:
3.1 Authorization: Prior, express and informed consent of the owner, used by Hotel Soratama to confirm the processing of his/her personal data.
3.2 Database: Organized set of personal data that is subject to processing by HOTEL SORATAMA.
3.3 Queries: Request for the personal information of the Holder that is stored in any database, for which Hotel Soratama is obliged to provide the holder with all the information contained in the individual record or that is linked to the identification of the holder.
3.4 Personal data: Any information linked to or that may be associated with one or more specific or identifiable natural or legal persons.
3.5 Sensitive data: These are personal data that reveal racial or ethnic origin, political opinions, religious or moral beliefs, trade union membership, information relating to health or sexual life or any other data that may, due to its nature or context, lead to discriminatory treatment of the data subject. These data are especially protected.
3.6 Habeas data: This is the fundamental right that allows people to know, update and rectify information stored about them in databases and in files of public and private entities.
4. GENERAL GUIDELINES
4.1 The policies set forth in this document are binding on Hotel Soratama, as the source and controller of the data.
4.2 Both the controller and those in charge must safeguard the databases containing personal data and maintain confidentiality regarding the processing.
4.3 This policy applies to all persons in general, whether natural or legal persons who provide their personal data to Hotel Soratama and are legally the owners of the information, or persons who provide their personal data by any means. Therefore, the provisions of this policy will be applicable to personal data registered in any of our databases that make it susceptible to the established treatment, given that Hotel Soratama is responsible for and in charge of sources of information.
4.4 WHY IS HOTEL SORATAMA THE SOURCE AND PERSON IN CHARGE OF THE PROCESSING OF THE INFORMATION? Hotel Soratama is an organization that is responsible for collecting personal and third-party information through the receipt of documentation, as well as the processing of said information, modifying it as requested by the owner and/or their representatives through any physical or technological means and that allows the inclusion or change of personal data.
4.5 DUTIES OF HOTEL SORATAMA AS A SOURCE OF INFORMATION: Sources of information must comply with the following obligations, without prejudice to compliance with other provisions set forth in this law and in others that govern their activity:
• Ensure that the information provided to database operators or users is true, complete, accurate, up-to-date and verifiable.
• Report, periodically and in a timely manner, to the operator all new developments regarding the data previously provided and adopt other measures necessary to ensure that the information provided to the operator remains up to date.
• Correct information when it is incorrect and report the relevant information to the operators.
• Design and implement effective mechanisms to report information to the operator in a timely manner.
• Request, where appropriate, and retain a copy or evidence of the respective authorization granted by the owners of the information, and ensure that no data is provided to the operators whose supply has not been previously authorized, when such authorization is necessary, in accordance with the provisions of this law.
• Certify to the operator, on a semi-annual basis, that the information provided has the authorization in accordance with the provisions of this law.
• Resolve the claims and requests of the owner in the manner regulated in this law.
• Inform the operator that certain information is being discussed by its owner, when a request for rectification or updating of the same has been submitted, so that the operator includes a mention to that effect in the database until said procedure has been completed.
• Comply with the instructions issued by the supervisory authority in relation to compliance with this law.
4.6 DUTIES OF HOTEL SORATAMA AS DATA PROCESSOR
• Guarantee the Holder, at all times, the full and effective exercise of the right to habeas data.
• Take measures to preserve the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
• Carry out timely updating, rectification or deletion of data in accordance with the terms of this law.
• Update the information reported by those responsible for the treatment within five (5) business days from its receipt.
• Process queries and complaints made by the Owners in the terms indicated in the Law.
• Adopt a document that guarantees proper compliance with the Law and, in particular, for the handling of queries and complaints from the Holders.
• Register the legend “claim in process” in the database in the manner regulated by law.
• Insert into the database the legend “information under judicial discussion” once notified by the competent authority about judicial processes related to the quality of personal data.
• Refrain from circulating information that is being disputed by the Owner and whose blocking has been ordered by the Superintendency of Industry and Commerce.
• Allow access to information only to people who can have access to it.
• Inform the Superintendency of Industry and Commerce when security code violations occur and there are risks in the management of the information of the Holders.
• Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.
• Safeguard databases containing personal data.
• Maintain confidentiality regarding the processing of personal data.
5. PROCESSING OF PERSONAL DATA
5.1 Principles for the processing of personal data: The following principles will be taken into account by Hotel Soratama, in the process of managing personal data.
5.1.1 Legality regarding data processing: Data processing must be subject to the provisions contained in Law 1581 of 2012 and any regulations that develop or regulate such provision.
5.1.2 Purpose and processing: The processing of data and the purpose of the information in the Hotel Soratama databases are based on the provision of the service, the contractual relationship, commercial and/or advertising purposes. Hotel Soratama may transmit the information to third parties, suppliers and authorities.
5.1.3 Freedom: Processing may only be carried out with the prior, express and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that waives consent.
5.1.4 Truthfulness or quality: The information subject to processing must be truthful, complete, accurate, up-to-date, verifiable and understandable. The processing of partial, incomplete, fractional or misleading data is prohibited.
5.1.5 Transparency: In the processing, the right of the Owner of the information collected by HOTEL SORATAMA must be guaranteed to obtain from the data controller or the data processor, at any time and without restrictions, information about the existence of data that concerns him/her.
5.1.6 Restricted access and circulation: The processing is subject to the limits arising from the nature of the personal data, the provisions of Law 1581 of 2012 and the Constitution. In this regard, processing may only be carried out by persons authorized by the Owner and/or by the persons provided for in the Law.
5.1.7 Security: The information subject to processing by the person responsible for or in charge of processing must be handled by taking reasonable technical, human and administrative measures to provide security to the records, seeking to prevent their adulteration, loss, consultation, use or unauthorized or fraudulent access.
5.1.8 Confidentiality: All persons involved in the processing of personal data that are not public in nature are obliged to guarantee the confidentiality of the information, even after their relationship with any of the tasks involved in said procedure has ended, and may only provide or communicate personal data when this corresponds to the development of the activities authorized by the Law and under the terms thereof.
5.2 Special categories of data
5.2.1 Sensitive data: Data that affects the privacy of the Holder or whose misuse may lead to discrimination, such as data that reveals racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data relating to health, sexual life and biometric data.
5.2.1.1 The processing of sensitive data is prohibited, except when:
• The Owner has given explicit authorization to such processing, except in cases where the granting of such authorization is not required by law.
• The processing is necessary to safeguard the vital interest of the Data Subject and the Data Subject is physically or legally incapacitated. In such events, the legal representatives must grant their authorization.
• The processing is carried out in the course of legitimate activities and with due guarantees by a foundation, NGO, association or any other non-profit organization, the purpose of which is political, philosophical, religious or trade union, provided that it refers exclusively to its members or to people who maintain regular contact due to its purpose. In these events, the data may not be provided to third parties without the authorization of the Owner.
• The processing refers to data that is necessary for the recognition, exercise or defense of a right in a judicial process.
• The processing is for historical, statistical or scientific purposes. In this event, measures must be taken to erase the identity of the Data Subjects.
In the processing of sensitive personal data, when such processing is possible in accordance with the exceptions cited above contained in Article 6 of Law 1581 of 2012, the following obligations must be met:
• Inform the Owner that since the data is sensitive, he/she is not required to authorize its processing.
• Inform the Owner explicitly and in advance, in addition to the general requirements for authorization to collect any type of personal data, which of the data that will be processed are sensitive and the purpose of the Processing, as well as obtain their express consent.
5.3 Data on children and adolescents
• Treatment will ensure respect for the prevailing rights of children and adolescents.
• The processing of personal data of children and adolescents is prohibited, except for data that is of a public nature.
6. CONDITIONS FOR DATA PROCESSING
6.1 Authorization: In accordance with the principles of purpose and freedom, the collection of data carried out by HOTEL SORATAMA must be limited to those personal data that are relevant and appropriate for the purpose for which they are collected or required in accordance with current regulations, except in cases expressly provided for in the Law.
6.2 Authorization of the Owner: In order for HOTEL SORATAMA to carry out any action regarding the processing of personal data, the prior and informed authorization of the Owner is required, which must be obtained by any means that can be subject to subsequent consultation. These mechanisms may be predetermined through technical means that facilitate the Owner's automated declaration or may be in writing or orally.
6.3 Authorization of the Owner: HOTEL SORATAMA requests authorization for the processing of information from all its owners, provided that said collection implies the processing of information by HOTEL SORATAMA, or third parties (with prior authorization). This authorization request is made at the time of generating commercial relations with clients and hiring personnel to perform the tasks inherent to the organization.
6.4 Supply of information: The information requested from the Owner will be provided to HOTEL SORATAMA by any means, including electronic means, as required by the Owner. The information must be easy to read, without technical barriers that impede access and must correspond in all respects to that which is stored in the database.
6.5 Duty to inform the Owner: HOTEL SORATAMA, at the time of requesting authorization from the Owner, must inform him clearly and expressly of the following:
• The processing to which your personal data will be subjected and the purpose thereof.
• The optional nature of the response to the questions asked, when these deal with sensitive data or the data of girls, boys and adolescents.
• The rights that you have as Owner.
• The identification, physical or electronic address and telephone number of the person responsible for the processing.
6.6 Persons to whom the information may be provided: Information about personal data that has been subject to processing by HOTEL SORATAMA may be provided to the following persons:
• To the Holders or their legal representatives.
• To public or administrative entities in the exercise of their legal functions or by court order.
• To third parties authorized by the Owner or by law.
7. RIGHTS OF THE OWNER
7.1 Revocation of authorization and/or deletion of data:
• The Holders may at any time request HOTEL SORATAMA to delete their personal data and/or revoke the authorization granted for the processing of such data, by submitting a claim, in accordance with the provisions of article 15 of Law 1581 of 2012.
• The request for deletion of information and revocation of authorization WILL NOT PROCEED WHEN THE OWNER HAS A LEGAL OR CONTRACTUAL DUTY TO REMAIN IN THE HOTEL SORATAMA DATABASE.
• The procedure will be the one established in this document for filing claims.
7.2 The Owner may consult his/her personal data free of charge:
• At least once (1) every calendar month.
• Whenever there are substantial modifications to the Information Processing Policies, which motivate new consultations.
• For queries whose frequency is greater than one (1) per calendar month, HOTEL SORATAMA will only charge the costs of shipping, reproduction and, where applicable, certification of documents. Reproduction costs may not be greater than the costs of recovering the corresponding material.
7.3 Response to queries
• For the purpose of responding to queries, HOTEL SORATAMA has a term of ten (10) business days counted from the date of receipt of the same. However, when it is not possible to respond to the query within said term, the interested party will be informed, stating the reasons for the delay and indicating the date on which the query will be responded to, which in no case may exceed five (5) business days following the expiration of the first term.
8. DUTIES OF HOTEL SORATAMA IN DATA PROCESSING
• Guarantee the Holder, at all times, the full and effective exercise of the right to habeas data.
• Request and retain, under the conditions provided by law, a copy of the respective authorization granted by the Owner.
• Properly inform the Owner about the purpose of the collection and the rights granted to him/her by virtue of the authorization granted.
• Take measures to preserve information under secure conditions to prevent its alteration, loss, consultation, unauthorized or fraudulent use or access.
• Ensure that the information provided to the data controller is true, complete, accurate, up-to-date, verifiable and understandable.
• Update the information, communicating in a timely manner to the data controller all new developments regarding the data that you have previously provided and adopt the other measures necessary to ensure that the information provided to the controller remains up to date.
• Rectify information when it is incorrect and communicate the relevant information to the data controller.
• Provide the data controller, as appropriate, only with data whose processing has been previously authorized in accordance with the provisions of the Law.
• Demand that the person in charge of the treatment respects the security and privacy conditions of the Owner's information at all times.
• Process queries and complaints made in accordance with the terms set out in the law.
• Adopt an internal manual of policies and procedures to ensure proper compliance with this law and, in particular, to address queries and complaints.
• Inform the data controller when certain information is being discussed by the Owner, once the claim has been submitted and the respective process has not been completed.
• Inform the Owner, upon request, about the use given to their data.
• Inform the data protection authority when security code violations occur and there are risks in the management of the information of the Holders.
• Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.
9. SECURITY MEASURES: HOTEL SORATAMA takes all reasonable precautions and technical, administrative and organisational measures to ensure the security of the personal data of the Owners, mainly those intended to prevent their alteration, loss and unauthorised processing or access, taking into account that security measures apply to both files and processing. The application of security measures is intended to ensure the conservation, confidentiality, integrity and availability of data.
10. MODIFICATIONS: HOTEL SORATAMA reserves the right to modify these Information Processing Policies, in whole or in part. In the event of substantial changes to the Processing Policies regarding the identification of HOTEL SORATAMA and the purpose of the Processing of personal data, which may affect the content of the authorization, HOTEL SORATAMA will communicate these changes to the owner at the latest when implementing the new policies.
11. FORMATS USED:

• Authorization format for consultation and reporting to risk centers.
• Information management authorization format.
• Authorization form for notification of inclusion of negative report to risk centers.

12. Law 1581 of 2012, Protection of Personal Data. For more information on the processing of your personal data, please consult the Personal Data Processing Policy published at www.hotelesoratama.com - 606 3358650.

MARTHA CECILIA MONTOYA GUTIERREZ, LEGAL REPRESENTATIVE