PERSONAL DATA PROCESSING POLICY

PERSONAL DATA PROTECTION POLICY

The company TECNAS S.A. is a legally incorporated commercial company with its main headquarters located at Carrera 50G No. 12 Sur 29 of the Municipality of Itagüí, Department of Antioquia, Republic of Colombia; it is to comply with the provisions of Law 1581 of 2012, regulated by Decree No. 1377 of 2013, concerning the protection of personal data, issues the following regulation for its proper treatment, in compliance with the legal norms and philosophy of our society.

What is stated in this Regulation constitutes a clear application of the regulations regarding the protection of the information entrusted to us, with our intention being to exclusively collect the information voluntarily provided by our visitors, customers, employees, employees, employees, contractors, and suppliers, among others.

Our company obtains information about personal data in different ways. By providing or submitting any personal information, it is understood and assumed that its owner has agreed that it will be used in accordance with these regulations. In the event that such personal information is used for other purposes, it must be fully kept within the exceptions provided by the regulations or must have prior and express authorization from the owner of such information.

CHAPTER I

GENERAL PROVISIONS

1. APPLICABLE LAW. These policies are developed in application of the provisions contained in the National Constitution, in article 15 of Law 1266 of 2008, Law 1581 of 2012, Regulatory Decrees 1727 of 2009 and 2952 of 2010, and Partial Regulatory Decree No. 1377 of 2013 and judgments of Constitutional Court C – 1011 of 2008, and C – 748 of 2011 and other current and consistent rules on the matter.

2. APPLICATION SCOPE. This regulation applies to the processing of personal data that the company obtains, retains, handles, and supplies within the ordinary turn of its business activity and only for purposes relevant to the development of the company’s social object.

3. OBJECT. This regulation aims to regulate the procedures for the collection, handling, supply, and processing of personal data carried out by the company TECNAS S.A. in order to guarantee and protect the fundamental right of habeas data within the framework of the same law.

4. DEFINITIONS. For the purposes of the application of the rules contained herein and in accordance with Article 3 of Law 1581 of 2012:

a) Authorization: Prior, express, and informed consent of the holder to carry out the processing of personal data.

b) Database: Organized set of personal data to be processed.

c) Personal data: Any information linked to or that may be associated with one or more determined or determinable natural persons.

d) Private data: This is the data that by its intimate or reserved nature is only relevant to the holder.

(e) Sensitive Data: Meaning data that affect the privacy of the holder or whose misuse may lead to discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership of trade unions, social organizations, or human rights organizations, that promote the interests of any political party, or that guarantee the rights and guarantees of opposition political parties, as well as data on health, sex life, and biometric data.

f) Public data: It is data that is not private or sensitive.

g) Processor: Natural or legal person, public or private, who by him or herself or in association with others, performs the processing of personal data on assistance of the controller.

(h) Data Controller: Natural or legal person, public or private, who by him or herself or in association with others, decides on the basis of data and/or the processing of the data.

(i) Holder: A natural person whose personal data are processed.

j) Processing: Any operation or set of operations on personal data, such as the collection, storage, use, circulation, or deletion thereof.

5. PRINCIPLES. The principles set out below are the general parameters that will be respected by society in the processes of collection, use, and processing of personal data.

a) Principle of purpose: The processing of personal data collected by the company must obey a legitimate purpose, which must be informed to the owner.

b) Legality. The processing of personal data in Colombia is a rule activity; therefore, the business processes and recipients of this regulation must be subject to the provisions of this regulation.

c) Principle of Freedom: The processing can only be carried out with the prior, express, and informed consent of the holder. Personal data may not be obtained or disclosed without prior authorization or in the absence of a legal or judicial mandate that renews consent.

d) Principle of truthfulness or quality: The information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and comprehensible.

e) Principle of transparency: During the processing, the right of the holder to obtain information about the existence of the data concerning them must be guaranteed in the processing.

(f) Principle of access and restricted movement: Personal data, except public information, may not be available on the Internet or other means of disclosure or mass communication, unless access is technically controllable to provide restricted knowledge only to authorized holders or third parties.

(g) Safety principle: Information subject to processing by TECNAS S.A. should be protected through the use of the technical, human, and administrative measures that are necessary to provide security to the records avoiding their unauthorized or fraudulent adulteration, loss, consultation, use, or access.

h) Principle of confidentiality: All persons involved in the processing of personal data are obliged to guarantee the reservation of the information even after the end of their relationship with any of the tasks that comprises the processing.

CHAPTER II

SPECIAL AUTHORIZATION

1. AUTHORIZATION. Without prejudice to the exceptions provided for in the Law, the processing of personal data requires the prior and express authorization of the holder, by any means that may be the subject of further consultation.

Authorization will not be required in the following cases:

1.1. When required by public or administrative entity in compliance with its legal functions, or by court order.

1.2. In the case of data of public nature.

1.3. In cases of medical emergency.

1.4. Where it is information processing authorized by law for historical, statistical, and/or scientific purposes.

1.5. In the case of personal data relating to the personal civil registration.

2. FORM AND MECHANISMS FOR GRANTING AUTHORIZATION. The authorization may consist of a physical, electronic document, or any other format that allows for the guarantee of its subsequent consultation or by an appropriate technical or technological mechanism by which it can be concluded unequivocally, which if no authorization conduct of the holder has been taken, the data have never been captured and stored in the database.

With the consented authorization procedure, it is guaranteed that the owner of the personal data has been made aware of the fact that his personal information will be collected and used for specific and known purposes and that he or she has the option to know of any alternation made to them and the specific use that has been given of them. This is so the owner can make informed decisions regarding his/her personal data and control the use of his/her personal information.

CHAPTER III

PROCESSING OF PERSONAL DATA

Transactions that constitute the processing of personal data by the company, as responsible or responsible for them, will be governed by the following parameters.

1. Personal data related to the management of the human resource.

1.1. Data processing in the employment linking process: THE company TECNAS S.A. must inform in advance the persons interested in participating in a selection process to link as an employee of the company to the rules applicable to the processing of personal data provided by the data subject, as well as those obtained during the selection process and will request the corresponding authorization for the application of the processing to your personal data.

When the company contracts personnel selection processes with third parties, it will regulate in the contracts the processing to be given to the personal data provided by the interested parties, as well as the destination of the personal information obtained from the respective process.

The purpose of the processing of the data provided by the interested parties in the vacancies of staff in the company and the personal information obtained from the selection process, is limited to: (i) classification, storage, and filing of personal data, (ii) delivery of the information to third parties in charge of the selection processes, (iii) verify, compare, and evaluate the work and personal competences of the aspirants with respect to the selection criteria of the company , (iv) in the event that the company contracts cloud technology-based platforms, the data may be transferred to the countries where the service’s data centers are located and delivered to the third party in charge of the processing of personal data, and (v) comply with the company’s legal obligations.

The company TECNAS S.A. may consult, compare, and evaluate all the information that the applicant for charge is stored in the databases of judicial or security history legitimately constituted, state or private, national or foreign, or any commercial or service database that allows for it to establish in a comprehensive way the behavior that as a provider, user, client, guarantor, endorser, taxpayer, and/or as holder of financial, commercial, or other services.

1.2. Data Processing during the employment relationship: TECNAS S.A. will inform the rules applicable to the processing of personal data provided by the collaborators and request the corresponding authorization for the application of the processing of their personal data. The use of employee information for purposes other than the administration of the contractual relationship is prohibited by the company TECNAS S.A. The different use of data and personal information of collaborators shall only proceed on the order of competent authority, provided that such power is expressed there. It shall be for the company to assess the competence and effectiveness of the order of the competent authority, in order to prevent an unauthorized transfer of personal data.

The purposes of the personal data processing provided by employees of the company are: (i) to comply with Colombian or foreign law and the orders of judicial, administrative, or private authorities in the exercise of public services, (ii) classification, storage, and filing of personal data, (iii) delivery of the information to third parties in charge of evaluation processes, training, certification, and other processes required in the development of the contractual relationship, (iv) verify, compare, and evaluate the work and personal competencies of employees, (v) in the event that the company contracts platforms are based on cloud technology, the data may be transferred to the countries where the service provider’s data centers are located, (vi) if this technology is used, it may provide the personal data to the provider who will act as the processor of the same, (vii) issuance of certifications relating to the relationship of the data subject with the company, (viii) sending information to social security entities, (ix) delivery of personal data to suppliers for work welfare programs, and (x) sending information of interest.

The company TECNAS S.A. may consult, compare, and evaluate all the information that is stored on the databases of judicial or security history legitimately constituted, state or private, national or foreign, or any commercial or service database that allows to establish in a comprehensive way the behavior that as a supplier, user, client, guarantor, endorser, taxpayer, and/or as holder of financial, commercial, or other services.

2. Processing of personal data of suppliers: The company TECNAS S.A. will inform the suppliers of the policies applicable to personal data processing that they provide in compliance with the contractual relationship and will request the corresponding authorization for the application to process such information. The purposes of the personal data processing provided by the company’s suppliers are:

(i) order, catalog, classify, store, and separate the information provided by suppliers for easy identification, (ii) consult, compare, and evaluate all information stored on the supplier’s legitimately constituted judicial or security background databases, state or private, national or foreign, or any commercial or service database that makes it possible to establish in a comprehensive manner the behavior that as a supplier, user, customer, guarantor, endorser, taxpayer, and/or as a holder of financial, commercial, or other services, (iii) analyze, process, evaluate, process, or compare the information provided by suppliers, (iv) consult on the lists for prevention and control of money laundering and financing of terrorism, (v) sending information of interest and invitations to campaigns, promotions, and events scheduled by the company or its business partners, (vi) complying with Colombian or foreign law and the orders of judicial, administrative or private authorities in the exercise of public services; in the event that the company contracts platforms based on cloud technology, the data may be transferred to the countries where the data centers of the service provider are located, (vii) if using this technology, may deliver the personal data to the provider who will act as the processor of the same, (viii) issuance of certifications regarding the relationship of the data subject with the company, (ix) delivery of the personal data to third parties who are entrusted with the processing of the same, and (x) circulation of the data with commercial partners, such as ALICO S.A., CI TALSA., INTAL FOUNDATION, among others, in order for them to communicate information of interest and make invitations to their campaigns, promotions, and events.

3. Processing of personal data of visitors, potential customers who visit the different administrative and commercial facilities of the company TECNAS S.A.: The company will inform visitors, potential customers, and its current customers of the policies applicable to personal data processing they provide in compliance with the pre-contractual, contractual, and post-contractual relationship and will request the corresponding authorization for the application of the processing to such information.

The purposes of the delivery of the personal data provided to the company are: (i) to order, catalog, classify, store, and separate the information provided for easy identification, (ii) consult, compare, and evaluate all information that is stored in the databases of any legitimately constituted judicial or security background center, (iii) analyze, process, evaluate, process, or compare the information provided , (iv) consult on the lists for the prevention and control of money laundering and financing of terrorism, (v) sending information of interest and invitations to campaigns, promotions, and events scheduled by the company or its commercial partners (vi) complying with Colombian or foreign law and the orders of judicial, administrative, or private entities in the exercise of public services; in the event that the company contracts technology-based platforms in the cloud, the data may be transferred to the countries where the data centers of the service provider are located, (vii) if this technology is used, it may deliver the personal data to the provider who will act as the processor of the same, (viii) issuance of certifications relating to the relationship of the data subject with the company, (ix) delivery of the personal data to third parties those who are tasked with treating them, and (x) circulation of data with commercial partners, such as ALICO S.A., CI TALSA., INTAL FOUNDATION, among others; in order for them to communicate information of interest and make invitations to their campaigns, promotions and events.

4. Processing of personal data of the community in general: The collection of data of natural persons that the company TECNAS S.A. deals within the development of actions related to the community will be subject to the provisions of this policy. For this purpose, previously the company TECNAS S.A. will inform and obtain the authorization of the data subjects in the documents and instruments that it uses for this purpose and related to these activities.

5. Rules common to the processing of biometric data. TECNAS S.A. in cases where it must collect BIOMETRICA information, such as fingerprints, graphic, and audiovisual records, among others; therefore, it warns its holders that they are not required to supply them, in accordance with the requirements of Article 6 of Law 1581 of 2012. However, covered by the literal a) of the aforementioned article, the company TECNAS S.A. may request its express authorization to give you treatment in order to verify the identity of the owner, comply with legal and contractual obligations, and promote security within our company.

CHAPTER IV

RIGHTS AND DUTIES

  1. RIGHTS OF INFORMATION OWNERS. In accordance with Article 8 of Law 1581 of 2012, the owner of the personal data has the following rights:

a) Know, update, and rectify your personal data in front of the company as the controller.

b) Request proof of the authorization granted to the company in its capacity as controller.

c) Be informed by the company, upon request, regarding the use that has been given to your personal data.

d) File complaints with the Superintendency of Industry and Commerce for alleged violations of The Provisions of Law 1581 of 2012 once the consultation or complaint to the controller has exhausted.

e) Revoke the authorization and/or request the deletion of the data when the processing does not respect the constitutional and legal principles, rights, and guarantees.

f) Access your personal data that has been processed free of charge.

2. DUTIES OF THE COMPANY TECNAS S.A.: In accordance with the provisions of Article 17 of Law 1581 of 2012, the company must comply permanently with the following duties in connection with the processing of personal data:

(a) To guarantee the holder, at all times, the full and effective exercise of the right of habeas data.

b) Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use, or unauthorized or fraudulent access.

c) Perform the updating, rectification, or deletion of the data in a timely manner.

d) To process consultations and claims made by holders in the terms rated in Article 14 of Law 1581 of 2012.

e) Insert into the database the legend “information in judicial discussion” once notified by the competent authority about judicial processes related to the quality or details of personal data.

(f) Refrain from circulating information that is being disputed by the holder and whose blocking has been ordered by the Superintendency of Industry and Commerce or by another legitimate authority.

(g) Allow access to information only to persons who may have access to it.

(h) Inform the Superintendency of Industry and Commerce when security code violations occur and there are risks in the administration of the information of the holders.

(i) Comply with the instructions and requirements of the Superintendency of Industry and Commerce.

CHAPTER V

ACCESS, CONSULTATION, AND CLAIM PROCEDURES

The company TECNAS S.A., in compliance with the constitutional and legal provisions of protection of personal data, publishes for the interested parties the following procedure:

1. The data subject and/or his representative shall prove this condition by copy of the relevant document and his/her identification, which he or she may provide by physical means or by email if the documents have been scanned. In the event that the owner is represented by a third party, the respective power of authority must be close, which must have recognition of the content before a notary. The proxy must also prove his/her identity in the terms indicated.

2. The request to exercise any of the above rights shall be submitted in writing, either physical means or by e-mail if the documents have been scanned. Such a request may be addressed to the offices of the administration, located in Carrera 50G No. 12 Sur 29 of the city of Itagüí or to the e-mail [email protected] The company may have other means for the owner of the personal data to exercise his rights.

3. To consult about the information related to the procedures, the holder may contact the phone 285 42 90 of the city of Itagüí or the e-mail [email protected], or on the website: www.tecnas.com.co

4. The application for the exercise of any of the above rights shall contain at least the following information:

4.1. Full name of the holder of the personal data and of his representatives or special agents.

4.2. Specific and accurate request for information, updating, rectification, or revocation of consent and/or deletion of the data. In each case, the request must be reasonably substantiated for the company to proceed as responsible for the processing of the database to give timely and complete response to it.

4.3. Physical and/or electronic address to make notifications to which it takes place.

4.4. Documents supporting the application, as indicated in the above numerals.

4.5. Signature of the application by the owner of the personal data.

If any of these requirements are not met, the company TECNAS S.A. will inform the interested party within five (5) days of receipt of the application, so that they are remedied, then proceeding to respond to the request for data submitted. If two (2) months have elapsed without the data subject presenting the required information, it shall be understood that the application has been rejected. The company TECNAS S.A. may have physical and/or digital formats for the exercise of this right and in them will indicate whether it is a consultation or a claim of the interested party.

The company TECNAS S.A., when responsible for the processing of the personal database contained in its information systems, will respond to the request within ten (10) working days if it is a query and fifteen (15) business days if it is a claim. In the same term, the company will decide when it verifies that in its information systems it has no personal data of the data subject exercising any of the rights indicated.

The company TECNAS S.A. will document and store the requests made by the data subjects or by those interested in exercising any of the rights, as well as the responses to such requests. In order to go to the Superintendency of Industry and Commerce in the exercise of the legal actions contemplated for data subjects or interested parties, the processing of consultations and/or complaints, in the form now recorded, must be exhausted in advance.

CHAPTER VI

INFORMATION SECURITY

1. SAFETY MEASURES. In development of the security principle established in Law 1581 of 2012, the company will take the necessary technical, human, and administrative measures to provide security to the records avoiding their adulteration, loss, consultation, use, or unauthorized or fraudulent access.

2. IMPLEMENTATION OF SECURITY MEASURES. The company will maintain mandatory security protocols for staff with access to personal data and information systems.

CHAPTER VII

FINAL PROVISIONS

1. RESPONSIBILITIES IN COMPLIANCE WITH THE PROTECTION OF PERSONAL DATA. Responsibility for the proper processing of personal data within the company lies at the head of all its employees and managers. Consequently, within the areas that process personal data, the rules and procedures for the application and compliance with these regulations should be adopted, taking into account their status as processors and/or controllers of the personal data contained in the information systems and databases of the company.

2. SPECIAL PROHIBITIONS: In the development of this regulation, the following prohibitions and sanctions are established as a result of their non-compliance.

2.1. Access, use, management, transfer, communication, storage, and any other processing of sensitive personal data is prohibited without the authorization of the owner of the personal data and/or the company.

Failure by employees of the company to comply with this prohibition shall be regarded as a serious misconduct in the performance of the office, which may structure a just cause for the unilateral termination of the employment contract by the company and without prejudice to any additional legal actions to which it occurs.

Failure of this prohibition by suppliers contracting with TECNAS S.A. will be considered as a serious cause to terminate the respective contract and without prejudice to any additional actions that may occur.

2.2. TECNAS S.A. prohibits the transfer, communication, or movement of personal data without the consent of the data subject or without the authorization of the company.

2.3. TECNAS S.A. prohibits the processing of personal data of children and underage adolescents, unless expressly authorized by their parents or legal representatives.

3. VALIDITY OF THE DATABASES. The bases will be valid for twenty (20) years, counted from the moment of obtaining the respective data.

4. PUBLICATION. This policy is published as of April 05, 2018 on our company’s website www.tecnas.com.co and in our offices. However, since April 01, 2014 we have implemented a Personal Data Protection Policy.

5. EFFECTIVE. Amendments to this Regulation apply 30 working days after publication, socialization, and communication with the data subjects who are also requested for authorization.

“TECNAS S.A.”

LUZ MARINA JARAMILLO HENAO

Legal Representative