PERSONAL DATA PROTECTION POLICY

  1. Scope

This Personal Data Protection Policy will apply to all Databases and/or Files that contain Personal Data that are subject to Treatment by Heinsohn Business Technology SA and Heinsohn Human Global Solutions SAS, each individually considered as responsible for the processing of Personal Data (hereinafter, “THE COMPANY”).

  2. Identification of the Person Responsible for the Processing of Personal Data

Heinsohn Business Technology S.A. and Heinsohn Human Global Solutions S.A.S., entities domiciled at Carrera 13 No. 82-49 in the city of Bogotá DC, Colombia.

Email: protecciondedatos@heinsohn.com.co, Telephone: +57 (1) 6337070.

  3. Definitions
  • Authorization: Prior, express and informed consent of the Holder to carry out the Processing of Personal Data.
  • Privacy Notice: Verbal or written communication generated by the Responsible, addressed to the Owner for the Treatment of their Personal Data, through which they are informed about the existence of the Information Treatment Policies that will be applicable, the way to access them and the purposes of the Treatment intended for the personal data.
  • Database: Organized set of Personal Data that is subject to Treatment.
  • Clients: Natural or legal person, public or private, with whom THE COMPANY has a commercial relationship. Includes stores, supermarkets, mini-markets, among others.
  • Consumers: Natural person who consumes the goods produced by THE COMPANY.
  • Personal Data: Any information linked or that can be associated with one or more specific or determinable natural persons. Some examples of personal data are the following: name, citizenship card, address, email, telephone number, marital status, health data, fingerprint, salary, assets, financial statements, etc.
  • Sensitive data: Information that affects the privacy of the Holder or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social organizations, rights or that promotes the interests of any political party or that guarantees the rights and guarantees of opposition political parties as well as data related to health, sexual life and biometric data, among others, the capture of still or moving images, fingerprints, photographs, iris, voice, facial or palm recognition, etc.
  • Treatment Manager: Natural or legal person, public or private, that by itself or in association with others, performs the Treatment of Personal Data on behalf of the Responsible for the Treatment. In the events in which the person in charge does not act as person in charge of the database, the person in charge will be expressly identified.
  • Responsible for the Treatment: Natural or legal person, public or private, that by itself or in association with others, decides on the Database and/or the Treatment of the data.
  • Claim: Request from the Owner of the data or from the persons authorized by it or by the Law to correct, update or delete their personal data or to revoke the authorization in the cases established by Law.
  • Terms and Conditions: general framework in which the conditions for the participants of promotional or related activities are established.
  • Holder: Natural person whose Personal Data is subject to Treatment.
  • Transfer: The transfer of data takes place when the Responsible and/or the Manager of the Treatment of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is Responsible for the Treatment and is inside or outside the country.
  • Transmission: Processing of Personal Data that implies the communication of the same inside or outside the territory of the Republic of Colombia when its purpose is to carry out a Treatment by the Manager on behalf of the Responsible.
  • Treatment: Any operation or set of operations on Personal Data, such as collection, storage, use, circulation or deletion.

  4. Principles Applicable to the Processing of Personal Data

For the Treatment of Personal Data, THE COMPANY will apply the principles mentioned below, which constitute the rules to follow in the collection, handling, use, treatment, storage and exchange of personal data:

  • Legality: The processing of personal data will be carried out in accordance with the applicable legal provisions (Statutory Law 1581 of 2012 and its regulatory decrees).
  • Purpose: The personal data collected will be used for a specific and explicit purpose which must be informed to the Owner or permitted by Law. The Holder will be informed in a clear, sufficient and prior manner about the purpose of the information provided.
  • Freedom: The collection of Personal Data may only be exercised with the prior, express and informed authorization of the Owner.
  • Veracity or Quality: The information subject to the Processing of Personal Data must be truthful, complete, exact, updated, verifiable and understandable.
  • Transparency: In the Processing of Personal Data, the Holder’s right to obtain, at any time and without restrictions, information about the existence of data that concerns him is guaranteed.
  • Restricted access and circulation: The processing of personal data may only be carried out by the persons authorized by the Owner and/or by the persons provided for in the Law.
  • Security: The Personal Data subject to Treatment will be handled adopting all the security measures that are necessary to avoid its loss, adulteration, consultation, use or unauthorized or fraudulent access.
  • Confidentiality: All officials who work at THE COMPANY are required to keep confidential the personal information to which they have access on the occasion of their work at THE COMPANY.

  5. Treatment and Purposes to which the Personal Data processed by THE COMPANY will be submitted

THE COMPANY, acting as Responsible for the Treatment of Personal Data, for the proper development of its commercial activities, as well as for the strengthening of its relations with third parties, collects, stores, uses, circulates and deletes Personal Data corresponding to natural persons with whom it has or has had a relationship, such as, without the enumeration meaning limitation, workers and their families, shareholders, consumers, customers, distributors, suppliers, creditors and debtors, for the following purposes:

5.1. General purposes for the processing of Personal Data

  • Allow the participation of the Holders in marketing and promotional activities (including participation in contests and raffles) carried out by THE COMPANY;
  • Evaluate the quality of the service, carry out market studies on consumption habits and statistical analysis for internal uses;
  • Control access to the offices of THE COMPANY and establish security measures, including the establishment of video-monitored areas;
  • Respond to queries, requests, complaints and claims that are made by the Holders and control bodies and transmit the Personal Data to the other authorities that under the applicable law must receive the Personal Data;
  • To eventually contact, via email, or by any other means, natural persons with whom it has or has had a relationship, such as, without the enumeration meaning limitation, workers and their families, shareholders, consumers, customers, distributors, suppliers, creditors and debtors, for the aforementioned purposes.
  • Transfer the information collected to different areas of THE COMPANY and its related companies in Colombia and abroad when necessary for the development of its operations (portfolio collection and administrative collections, treasury, accounting, among others);
  • For the attention of judicial or administrative requirements and the fulfillment of judicial or legal mandates;
  • Register your personal data in the information systems of THE COMPANY and in its commercial and operational databases;
  • Any other activity of a similar nature to those described above that are necessary to develop the corporate purpose of THE COMPANY.

5.2. Regarding the personal data of our Clients and Consumers:

  • To fulfill the obligations contracted by THE COMPANY with its Clients and Consumers at the time of acquiring our products;
  • Send information about changes in the conditions of the products offered by THE COMPANY;
  • Send information about offers related to our products offered by THE COMPANY and its related companies;
  • To strengthen relationships with its Consumers and Clients, by sending relevant information, taking orders and evaluating the quality of the service;
  • For the determination of pending obligations, the consultation of financial information and credit history and the report to information centers of unfulfilled obligations, regarding its debtors;
  • To improve, promote and develop its products and those of its related companies worldwide;
  • Train sellers and agents in basic aspects of commercial management of the products offered by THE COMPANY;
  • Allow companies linked to THE COMPANY, with which it has entered into contracts that include provisions to guarantee the security and proper treatment of the personal data processed, to contact the Owner with the purpose of offering goods or services of interest to them;
  • Control access to the offices of THE COMPANY and establish security measures, including the establishment of video-monitored areas;
  • Use the different services through the websites of THE COMPANY, including downloading content and formats;

5.3. Regarding the personal data of our employees:

  • Manage and operate, directly or through third parties, the personnel selection and hiring processes, including the evaluation and qualification of the participants and the verification of work and personal references, and the performance of safety studies;
  • Develop the activities of Human Resources management within THE COMPANY, such as payroll, affiliations to entities of the general social security system, occupational health and well-being activities, exercise of the sanctioning power of the employer, among others;
  • Make the necessary payments derived from the execution of the employment contract and/or its termination, and the other social benefits that may be applicable in accordance with the applicable law;
  • Hire employment benefits with third parties, such as life insurance, medical expenses, among others;
  • Notify authorized contacts in case of emergencies during work hours or on the occasion of the development of the same;
  • Coordinate the professional development of employees, employee access to the employer’s computer resources and support their use;
  • Plan business activities;

5.4. Regarding Supplier Data:

  • To invite them to participate in selection processes and events organized or sponsored by THE COMPANY;
  • For the evaluation of the fulfillment of its obligations;
  • To make the registration in the systems of THE COMPANY;
  • To process your payments and check outstanding balances;

5.5. Regarding the personal data of our shareholders:

  • For the recognition, protection and exercise of the rights of the shareholders of THE COMPANY;
  • For the payment of dividends;
  • To eventually contact, via email, or by any other means, the shareholders for the aforementioned purposes;

  6. Rights of the Holders of Personal Data

Natural persons whose Personal Data are subject to Treatment by THE COMPANY have the following rights, which they may exercise at any time:

6.1 Know the Personal Data on which THE COMPANY is carrying out the Treatment. In the same way, the Owner may request at any time that their data be updated or rectified, for example, if they find that their data is partial, inaccurate, incomplete, fractioned, misleading, or those whose Treatment is expressly prohibited or has not been authorized.

6.2 Request proof of the authorization granted to THE COMPANY for the Processing of your Personal Data.

6.3 Be informed by THE COMPANY, upon request, regarding the use that it has given to your Personal Data.

6.4 Submit complaints to the Superintendency of Industry and Commerce for violations of the provisions of the Personal Data Protection Law.

6.5 Request THE COMPANY to delete your Personal Data and/or revoke the authorization granted for the Treatment thereof, by submitting a claim, in accordance with the procedures established in number 13 of this Policy. However, the request for deletion of the information and the revocation of the authorization will not proceed when the Owner of the information has a legal or contractual duty to remain in the Database and/or Files, nor while the relationship between the Holder and THE COMPANY by virtue of which their data was collected remains in force.

6.6 Free access to your Personal Data that has been processed.

The rights of the Holders may be exercised by the following persons:

  • By the Holder;
  • By their successors in title, who must prove such quality;
  • By the representative and/or proxy of the Holder, prior accreditation of the representation or power of attorney;
  • By stipulation in favor of another or for another.

  7. Duties of THE COMPANY as Responsible for the Processing of Personal Data

THE COMPANY bears in mind that the Personal Data are the property of the people to whom they refer and only they can decide on them. In this sense, THE COMPANY will use the Personal Data collected only for the purposes for which it is duly empowered and respecting, in any case, the current regulations on the Protection of Personal Data.

THE COMPANY will attend to the duties provided for the Treatment Managers, contained in article 17 of Law 1581 of 2012 and the other regulations that regulate, modify or replace it.

  8. Area Responsible for the Implementation and Observance of this Policy

The information security area of Heinsohn Business Technology SA is in charge of developing, implementing, training and observing this Policy. For this purpose, all the officials who carry out the Processing of Personal Data in the different areas of THE COMPANY are obliged to report these Databases to the information security area and to forward to it immediately all requests, complaints or claims received from the Holders of Personal Data.

The Customer Service area of Heinsohn Business Technology SA has been designated by THE COMPANY as the area responsible for handling requests, queries, complaints and claims before which the Owner of the information may exercise their rights to know, update, rectify and delete the data and revoke the authorization. This area is located at the address: Carrera 13 N° 82-49 Piso 6 in the city of Bogotá DC, Colombia, and can be contacted by email: protecciondedatos@heinsohn.com.co.

  9. Authorization

THE COMPANY will request prior, express and informed authorization from the Holders of the Personal Data on which the Treatment is required.

This manifestation of the Holder’s will can occur through different mechanisms made available by THE COMPANY, such as:

  • In writing, filling out an authorization form for the Processing of Personal Data determined by THE COMPANY.
  • Orally, through a telephone conversation or by videoconference.
  • Through unequivocal behaviors that allow concluding that you granted your authorization, through your express acceptance of the Terms and Conditions of an activity within which the authorization of the participants is required for the Treatment of their Personal Data.

IMPORTANT: In no case will THE COMPANY treat the silence of the Holder as unequivocal conduct.

  10. Special Provisions for the Processing of Personal Data

10.1 Treatment of Personal Data of a Sensitive Nature

The Treatment of Personal Data of a sensitive nature is prohibited by law, unless there is express, prior and informed authorization from the Owner, among other exceptions enshrined in Article 6 of Law 1581 of 2012.

In this case, in addition to complying with the requirements established for the authorization, THE COMPANY will inform the Holder:

  • that since it is sensitive data, it is not obliged to authorize its Treatment.
  • which of the data that will be subject to Treatment are sensitive and the purpose of the Treatment.

Additionally, THE COMPANY will treat the sensitive data collected under security and confidentiality standards corresponding to its nature. To this end, THE COMPANY has implemented administrative, technical and legal measures contained in its Manual of Policies and Procedures, mandatory for its employees and, as applicable, for its suppliers, related companies and business partners.

10.2 Treatment of Personal Data of Children and Adolescents

According to the provisions of Article 7 of Law 1581 of 2012 and article 12 of Decree 1377 of 2013, THE COMPANY will only carry out the Treatment of Personal Data corresponding to children and adolescents as long as this Treatment responds to and respects the best interests of children and adolescents and ensures respect for their fundamental rights.

Once the above requirements have been fulfilled, THE COMPANY must obtain the Authorization of the legal representative of the child or adolescent, prior to the exercise of the minor’s right to be heard, an opinion that will be valued taking into account the maturity, autonomy and ability to understand the matter.

  11. Procedure for Attention and Response to Requests, Queries, Complaints and Claims of the Owners of Personal Data

The Holders of Personal Data processed by THE COMPANY have the right to access their Personal Data and the details of said Processing, as well as to rectify and update them if they are inaccurate or to request their deletion when they consider that they prove to be excessive or unnecessary for the purposes that justified their obtaining or oppose their Treatment for specific purposes.

The ways that have been implemented to guarantee the exercise of said rights through the presentation of the respective request are:

  • Communication addressed to Heinsohn Business Technology SA Customer Service area, Carrera 13 No. 82-49, Bogotá DC Colombia.
  • Application submitted to the email: protecciondedatos@heinsohn.com.co
  • Request submitted by calling +57 (1) 6337070 to the Customer Service area.

These channels may be used by Holders of personal data, or third parties authorized by law to act on their behalf, in order to exercise the following rights:

11.1 Procedure for making requests and queries

(i) The Owner may consult their personal data at any time. For this purpose, you may submit a request indicating the information you wish to know, through any of the mechanisms indicated above.

(ii) The Holder or his successors in title must prove his identity, that of his representative, the representation or stipulation in favor of another or for another. When the request is made by a person other than the Holder and it is not proven that the same acts on behalf of the former, it will be considered as not submitted.

(iii) The query and/or request must contain at least the name and contact address of the Holder or any other means to receive the response, as well as a clear and precise description of the personal data with respect to which the Holder seeks to exercise the right of consultation and/or petition.

(iv) If the query and/or request made by the Owner of the data is incomplete, THE COMPANY will require the interested party within five (5) business days following receipt of the query and/or request to correct the faults. After two (2) months from the date of the request, without the applicant submitting the required information, it will be understood that he has withdrawn his query.

(v) Requests and/or queries will be attended by THE COMPANY within a maximum term of ten (10) business days counted from the date of receipt thereof. When it is not possible to attend to the request or query within said term, this fact will be reported to the applicant, stating the reasons for the delay and indicating the date on which the request or query will be attended to, which in no case may exceed five (5) business days following the expiration of the first term.

11.2 Procedure for making complaints and claims

In accordance with the provisions of Article 14 of Law 1581 of 2012, when the Owner or his successors in title consider that the information processed by THE COMPANY should be corrected, updated or deleted, or when it should be revoked due to the alleged breach of any of the duties contained in the Law, they may submit an application to THE COMPANY, which will be processed under the following rules:

(i) The Holder or his successors in title must prove his identity, that of his representative, the representation or stipulation in favor of another or for another. When the request is made by a person other than the Holder and it is not proven that the same acts on behalf of the former, it will be considered as not submitted.

(ii) The request for rectification, updating, deletion or revocation must be submitted through the means authorized by THE COMPANY indicated in this document and contain, at a minimum, the following information:

  • The name and address of the Holder or any other means to receive the response.
  • The documents that prove the identity of the applicant and, if applicable, that of his representative with the respective authorization.
  • The clear and precise description of the personal data with respect to which the Holder seeks to exercise any of the rights and the specific request.

(iii) If the application is submitted incomplete, THE COMPANY must require the interested party within five (5) days of receipt to correct the faults. After two (2) months from the date of the request, without the applicant submitting the required information, it will be understood that he has withdrawn his application.

(iv) In the event that the person receiving the request is not competent to resolve it, it will be transferred to the Legal area of Heinsohn Business Technology SA, within a maximum term of two (2) business days, and the interested party will be informed of the situation.

(v) Once the request is received, a legend will be included in the Database that says “claim in process” and the reason for it, in a term not exceeding two (2) business days. This legend must be maintained until it is decided.

(vi) The maximum term to attend to this request will be fifteen (15) business days counted from the day following the date of its receipt. When it is not possible to attend to it within said term, the interested party will be informed of the reasons for the delay and the date on which their claim will be dealt with, which in no case may exceed eight (8) business days following the expiration of the first term.

  12. Passively Obtained Information

When the services contained within the websites of THE COMPANY are used, THE COMPANY may collect information passively through information management technologies, such as “cookies”, through which information is collected about the computer hardware and software, IP address, browser type, operating system, domain name, access time, and referring website addresses. Through the use of these tools, Personal Data of users is not collected directly. Information will also be collected about the pages that the person visits most frequently on these websites in order to know their browsing habits. However, the user of the websites of THE COMPANY has the possibility of configuring the operation of “cookies”, in accordance with the options of their internet browser.

  13. Personal Data Security

THE COMPANY, in strict application of the Principle of Security in the Processing of Personal Data, will provide the technical, human and administrative measures that are necessary to provide security to the records, avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access. The obligation and responsibility of THE COMPANY is limited to having the appropriate means for this purpose. THE COMPANY does not guarantee the total security of your information nor is it responsible for any consequence derived from technical failures or improper entry by third parties to the Database or file in which the Personal Data subject to Treatment by THE COMPANY and its Managers rest. THE COMPANY will require the service providers it contracts to adopt and comply with the appropriate technical, human and administrative measures for the protection of Personal Data in relation to which said providers act as Processors.

  14. Transfer, Transmission and Disclosure of Personal Data

THE COMPANY may disclose to its related companies worldwide, the Personal Data on which it performs the Treatment, for its use and Treatment in accordance with this Personal Data Protection Policy.

Likewise, THE COMPANY may deliver Personal Data to third parties not linked to THE COMPANY when:

  • In the case of contractors executing contracts for the development of THE COMPANY’s activities;
  • By transfer to any title from any line of business to which the information relates.

In any case, when THE COMPANY wishes to send or transmit data to one or more Managers located inside or outside the territory of the Republic of Colombia, it will establish contractual clauses or enter into a contract for the transmission of personal data in which, among others, the following is agreed:

(i) The scope and purposes of the treatment.

(ii) The activities that the Manager will carry out on behalf of THE COMPANY.

(iii) The obligations that must be fulfilled by the Person in Charge with respect to the Owner of the data and THE COMPANY.

(iv) The duty of the Processor to treat the data in accordance with the authorized purpose for the same and observing the principles established in Colombian Law and this policy.

(v) The obligation of the Processor to adequately protect personal data and databases, as well as to maintain confidentiality regarding the treatment of transmitted data.

(vi) A description of the specific security measures that are going to be adopted both by THE COMPANY and by the person in charge of the data at their place of destination.

THE COMPANY will not request authorization when the international transfer of data is covered by any of the exceptions provided for in the Law and its Regulatory Decrees.

  15. Applicable legislation

This Personal Data Protection Policy, the Privacy Notice, and the Authorization Format Annex that is part of this Policy, are governed by the provisions of current legislation on the protection of Personal Data referred to in Article 15 of the Political Constitution of Colombia, Law 1266 of 2008, Law 1581 of 2012, Decree 1377 of 2013, Decree 1727 of 2009 and other regulations that modify, repeal or replace them.

  16. Validity

This Personal Data Protection Policy has been in force since February 23, 2018.