DATA PRIVACY AND INFORMATION HANDLING POLICIES
LAW 1581 OF 2012 AND REGULATORY DECREE 1377 OF 2013
DATA PROCESSING RESPONSIBLE

• NAME: HOTEL SORATAMA SA
• NIT: 800.156.522-5
• ADDRESS: CARRERA 7 NUMBER 19-20 PEREIRA, RISARALDA
• EMAIL: administracion@hotelsoratama.com
• WEBSITE: www.hotelsansimon.com
• PHONE: 57 (1) 3358650

1. OBJECTIVE: Establish and disseminate the Information Treatment and Protection of Personal Data Policies, implemented by the SORATAMA HOTEL, in order to guarantee adequate compliance with Law 1581 of 2012 and Decree 1377 of 2013 and other regulations that modify or complement them, which aim to develop the constitutional right that all people have to know, update and rectify the information collected in databases or files, and the other rights, freedoms and constitutional guarantees referred to in the article 15 of the Political Constitution “Habeas Data”; as well as the right to information enshrined in article 20 of the same.

2. SCOPE: This document applies to personal data, registered in any database managed by the company and that makes them susceptible to processing.

3. DEFINITIONS:

3.1 Authorization: Prior, express and informed consent used by the Soratama Hotel of the owner to confirm the processing of their personal data.

3.2 Database: organized set of personal data that is processed by the SORATAMA HOTEL

3.3 Inquiries: Request for the Owner's personal information that resides in any database, on which Hotel Soratama has the obligation to provide the owner with all the information contained in the individual record or that is linked to the identification of the owner.

3.4 Personal data: Any information linked or that can be associated with one or several specific or determinable natural or legal persons.

3.5 Sensitive data: These are personal data that reveal racial or ethnic origin, political opinions, religious or moral convictions, union membership, information regarding health or sexual life or any other data that may produce, due to its nature or context, any discriminatory treatment of the data owner. These data are specially protected.

3.6 Habeas data: It is the fundamental right that allows knowing, updating and rectifying the information stored about people in data banks and in files of public and private entities.

4. GENERAL GUIDELINES

4.1 The policies contemplated in this document are mandatory for the Soratama Hotel, as the source and person in charge of processing the data.

4.2 Both the person responsible and those in charge must safeguard the databases that contain personal data and maintain confidentiality regarding the treatment.

4.3 This policy applies to the general public, whether natural or legal persons who provide their personal data to Hotel Soratama and are legally the owners of the information and people who provide their personal data by any means. Therefore, the provisions of this policy will be applicable to personal data registered in any of our databases that make it susceptible to the established processing. Since, the Soratama Hotel is responsible and in charge of sources of information.

4.4 WHY IS THE SORATAMA HOTEL THE SOURCE AND PROCESSER OF THE INFORMATION? Hotel Soratama is an organization that is responsible for collecting personal and third-party information through the receipt of documentation, as well as the processing of said information, modifying it as requested by the owner and/or their representatives through any means. physical or technological and that allows the inclusion or change of personal data.

4.5 DUTIES OF HOTEL SORATAMA AS A SOURCE OF INFORMATION The sources of information must comply with the following obligations, without prejudice to compliance with the other provisions provided for in this law and in others that govern their activity:

• Guarantee that the information provided to data bank operators or users is true, complete, exact, updated and verifiable.

• Report, periodically and in a timely manner, to the operator, all the news regarding the data that has previously been provided and adopt the other necessary measures so that the information provided to it remains updated.

• Rectify the information when it is incorrect and inform the operators as pertinent.

• Design and implement effective mechanisms to timely report information to the operator.

• Request, when applicable, and keep a copy or evidence of the respective authorization granted by the owners of the information, and ensure not to provide the operators with any data whose supply is not previously authorized, when such authorization is necessary, in accordance with the provisions of this law.

• Certify, semiannually to the operator, that the information provided is authorized in accordance with the provisions of this law.

• Resolve the claims and requests of the owner in the manner regulated in this law.

• Inform the operator that certain information is under discussion by its owner, when the request for rectification or updating thereof has been submitted, so that the operator includes a mention in that regard in the data bank until that said process has been completed.

• Comply with the instructions issued by the supervisory authority in relation to compliance with this law.

4.6 DUTIES OF HOTEL SORATAMA AS DATA PROCESSOR

• Guarantee to the Holder, at all times, the full and effective exercise of the right of habeas data.

• Take measures to preserve the information under the security conditions necessary to prevent its adulteration, loss, unauthorized or fraudulent consultation, use or access.

• Timely update, rectify or delete data under the terms of this law.

• Update the information reported by those responsible for the treatment within five (5) business days from receipt.

• Process queries and claims made by the Owners in the terms indicated in the Law.

• Adopt a document that guarantees adequate compliance with the Law and, especially, for the attention of queries and claims by the Owners.

• Register in the database the legend “claim in process” in the manner regulated by the Law.

• Insert the legend “information under judicial discussion” in the database once notified by the competent authority about judicial processes related to the quality of personal data.

• Refrain from circulating information that is being controversial by the Owner and whose blocking has been ordered by the Superintendency of Industry and Commerce.

• Allow access to information only to people who can have access to it.

• Inform the Superintendency of Industry and Commerce when violations of security codes occur and there are risks in the administration of the Owners' information.

• Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

• Safeguard databases containing personal data.

• Maintain confidentiality regarding the Processing of personal data.

5. PROCESSING OF PERSONAL DATA

5.1 Principles for the processing of personal data The following principles will be taken into account by the Hotel Soratama, in the process of managing personal data.

5.1.1 Legality regarding data processing Data processing must be subject to the provisions contained in Law 1581 of 2012 and in any rule that develops or regulates such provision.

5.1.2 Purpose and processing The data processing and the purpose of the information in the Hotel Soratama databases are based on the provision of the service, the contractual relationship, commercial and/or advertising purposes, Hotel Soratama may transmit information to third parties, suppliers and authorities.

5.1.3 Freedom Treatment can only be carried out with the prior, express and informed consent of the Owner. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that requires consent.

5.1.4 Veracity or quality The information subject to processing must be true, complete, exact, updated, verifiable and understandable. The processing of partial, incomplete, fragmented or misleading data is prohibited.

5.1.5 Transparency In the treatment, the right of the Owner of the information collected by HOTEL SORATAMA must be guaranteed, to obtain from the person responsible for the treatment or the person in charge of the treatment, at any time and without restrictions, information about the existence of data that concerns him/her. .

5.1.6 Restricted access and circulation The processing is subject to the limits derived from the nature of the personal data, the provisions of Law 1581 of 2012 and the Constitution. In this sense, the treatment can only be carried out by people authorized by the Owner and/or by the people provided for in the Law.

5.1.7 Security The information subject to processing by the person responsible or in charge of the treatment must be handled taking reasonable technical, human and administrative measures to provide security to the records, trying to avoid their adulteration, loss, consultation, use or unauthorized access. authorized or fraudulent.

5.1.8 Confidentiality All persons involved in the processing of personal data that are not public in nature are obliged to guarantee the confidentiality of the information, even after their relationship with any of the tasks included in said procedure has ended, and may only supply or communicate personal data when this corresponds to the development of the activities authorized in the Law and in the terms thereof.

5.2 Special categories of data

5.2.1 Sensitive data These are the data that affect the privacy of the Owner or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, organizations. social, human rights or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties as well as data related to health, sexual life and biometric data

5.2.1.1 The processing of sensitive data is prohibited, except when:

• The Owner has given explicit authorization to said treatment, except in cases where the granting of said authorization is not required by law.

• The treatment is necessary to safeguard the vital interest of the Owner and the Owner is physically or legally incapacitated. In these events, legal representatives must grant their authorization.

• The treatment is carried out in the course of legitimate activities and with due guarantees by a foundation, NGO, association or any other non-profit organization, whose purpose is political, philosophical, religious or union, provided that they refer to exclusively to its members or to people who maintain regular contact due to its purpose. In these events, the data cannot be provided to third parties without the authorization of the Owner.

• The processing refers to data that is necessary for the recognition, exercise or defense of a right in a judicial process.

• The treatment has a historical, statistical or scientific purpose. In this event, measures must be adopted leading to the deletion of the identity of the Holders.

• In the processing of sensitive personal data, when such processing is possible in accordance with the aforementioned exceptions contained in article 6 of Law 1581 of 2012, the following obligations must be met:

• Inform the Owner that since it is sensitive data, he is not obliged to authorize its processing.

• Inform the Owner explicitly and in advance, in addition to the general requirements of authorization for the collection of any type of personal data, which of the data that will be processed are sensitive and the purpose of the Treatment, as well as obtain their consent. express.

5.3 Data on children and adolescents

• Respect for the prevailing rights of children and adolescents will be ensured in the treatment.

• The processing of personal data of children and adolescents is prohibited, except for data that is public in nature.

6. CONDITIONS FOR DATA PROCESSING

6.1 Authorization In development of the principles of purpose and freedom, the collection of data carried out by HOTEL SORATAMA., must be limited to those personal data that are relevant and appropriate for the purpose for which they are collected or required in accordance with current regulations. except in cases expressly provided for in the Law.

6.2 Authorization of the Owner For HOTEL SORATAMA to carry out any action to process personal data, the prior and informed authorization of the Owner is required, which must be obtained by any means that can be subject to subsequent consultation. These mechanisms may be predetermined through technical means that facilitate the Owner's automated manifestation or may be in writing or orally.

6.3 Authorization of the Owner HOTEL SORATAMA, requests authorization for the processing of information from all its owners, as long as said collection implies the processing of information by HOTEL SORATAMA., or third parties (with prior authorization), this request Authorization is carried out at the time of generating commercial relationships with clients and hiring of personnel to perform the tasks inherent to the organization.

6.4 Supply of information The information requested from the Owner will be provided to HOTEL SORATAMA by any means; including electronic ones, as required by the Owner. The information must be easy to read, without technical barriers that prevent access, and must correspond entirely to that contained in the database.

6.5 Duty to inform the Owner HOTEL SORATAMA, when requesting authorization from the Owner, must clearly and expressly inform the Owner of the following:

• The processing to which your personal data will be subjected and the purpose of this.

• The optional nature of the response to the questions asked, when they deal with sensitive data or the data of children and adolescents.

• The rights that assist you as Owner.

• The identification, physical or electronic address and telephone number of the person responsible for the treatment.

6.6 Persons to whom the information can be provided The information about the personal data that has been the subject of Treatment by HOTEL SORATAMA may be provided to the following people:

• To the Owners or their legal representatives.

• To public or administrative entities in the exercise of their legal functions or by court order.

• To third parties authorized by the Owner or by law.

7. RIGHTS OF THE OWNER

7.1 Revocation of authorization and/or deletion of data:

• The Owners may at any time request HOTEL SORATAMA to delete their personal data and/or revoke the authorization granted for their processing, by submitting a claim, in accordance with the provisions of article 15 of the Law. 1581 of 2012.

• The request for deletion of information and revocation of authorization WILL NOT APPLY WHEN THE OWNER HAS A LEGAL OR CONTRACTUAL DUTY TO REMAIN IN THE SORATAMA HOTEL DATABASE.

• The procedure will be as established in this document to submit claims.

7.2 The Owner may consult their personal data free of charge:

• At least once (1) time each calendar month.

• Every time there are substantial modifications to the Information Processing Policies, which motivate new queries.

• For queries whose frequency is greater than one (1) per calendar month, HOTEL SORATAMA will only charge the costs of shipping, reproduction and, where applicable, certification of documents. The reproduction costs may not be greater than the recovery costs of the corresponding material.

7.3 Response to queries

• For the purposes of responding to queries, HOTEL SORATAMA has a period of ten (10) business days from the date of receipt thereof. However, when it is not possible to attend to the query within said term, the interested party will be informed, expressing the reasons for the delay and indicating the date on which their query will be attended to, which in no case may exceed five (5) days. business days following the expiration of the first term.

8. DUTIES OF HOTEL SORATAMA IN DATA PROCESSING

• Guarantee to the Holder, at all times, the full and effective exercise of the right of habeas data.

• Request and keep, under the conditions provided for in the Law, a copy of the respective authorization granted by the Owner.

• Duly inform the Owner about the purpose of the collection and the rights granted to him by virtue of the authorization granted.

• Take measures aimed at preserving the information under security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access.

• Ensure that the information provided to the data processor is true, complete, exact, updated, verifiable and understandable.

• Update the information, communicating in a timely manner to the person in charge of the treatment, all the news regarding the data that you have previously provided and adopt the other necessary measures so that the information provided to him remains updated.

• Rectify the information when it is incorrect and communicate the pertinent information to the person in charge of treatment.

• Provide the person in charge of processing, as the case may be, only data whose processing is previously authorized in accordance with the provisions of the Law.

• Demand that the data processor at all times respect the security and privacy conditions of the Owner's information.

• Process queries and claims made in the terms indicated in the law.

• Adopt an internal manual of policies and procedures to guarantee adequate compliance with this law and, especially, to respond to queries and complaints.

• Inform the person in charge of treatment when certain information is under discussion by the Owner, once the claim has been submitted and the respective process has not been completed.

• Inform at the request of the Owner about the use given to their data.

• Inform the data protection authority when violations of security codes occur and there are risks in the administration of the Owners' information.

• Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

9. SECURITY MEASURES HOTEL SORATAMA, takes all reasonable precautions and technical, administrative and organizational measures conducive to guaranteeing the security of the personal data of the Owners, mainly those intended to prevent its alteration, loss and treatment or access. Not authorized. Taking into account that the security measures apply to both the files and the treatments. The application of security measures is intended to ensure the conservation, confidentiality, integrity, and availability of data.

10. MODIFICATIONS HOTEL SORATAMA reserves the right to modify these Information Processing Policies, in whole or in part. In case of substantial changes in the Treatment Policies referring to the identification of HOTEL SORATAMA and the purpose of the Processing of personal data, which may affect the content of the authorization, HOTEL SORATAMA will communicate these changes to the owner no later than at the time of implementing the new policies.

11. FORMATS USED:

• Authorization format for consultation and reporting to risk centers.
• Information management authorization format.
• Authorization format for notification of inclusion of negative report to risk centers.

12. Law 1581 of 2012, Protection of Personal Data. For more information about the processing of your personal data, consult the Personal Data Processing Policy published at www.hotelesoratama.com - 606 3358650.

MARTHA CECILIA MONTOYA GUTIERREZ LEGAL REPRESENTATIVE