Processing of personal data

Applicable Standards: This Privacy Policy (the “Policy”) has been prepared in accordance with Article 15 of the Constitution, the Statutory Law 1581 of 2012 and the Regulatory Decree 1377 of 2013 and other rules that modify or complement them ( the “Regulations”).

Purpose: The Policy complies with the Regulations to regulate the procedures for the collection, handling and Processing of Personal Data carried out by the Company to guarantee and protect the fundamental right of habeas data.

Scope of application: The Policy applies to the Processing of Personal Data collected and handled by Castillo & Asesores Sociedad por Acciones Simplificada, a commercial company incorporated by means of Private Document of sole shareholder on November 28, 2011, registered in the Chamber of Commerce of Bogotá on November 29 of the same year, under number 01531419 of Book IX, with address at Avenida Carrera 7 No. 155C – 20, Torre E North Point, Bogotá D.C.

Definitions: For purposes of this Policy and by the Regulations, the following terms shall have the following meaning:

(a) Authorization: Prior, express and informed consent of the Data Controllers to carry out the Processing of Personal Data.

(b) Database(s): Organized set of Personal Data that is subject to Processing.

(c) Personal Data: Any information linked or that may be associated with one or several determined or determinable natural persons.

(d) Responsible for the Protection of Personal Data: The Responsible for the Protection of Personal Data is the finance area of the Company, which may be contacted as follows:

 comunicaciones@castilloyasesores.co

(e) Data Controller: Person who by himself or in association with others decides on the Databases and/or the Processing of Personal Data. The Data Controller is the Company, domiciled at Avenida Carrera 7 No. 155C – 20, Torre E North Point, Bogotá D.C, e-mail: comunicaciones@castilloyasesores.co.

(f) Data Controllers: Natural persons whose Personal Data are subject to Processing.

(g) Processing: Any operation or set of operations on Personal Data, such as collection, storage, use, circulation or deletion.

(h) Integrity: Property of safeguarding the accuracy and completeness of the information assets.

(i) Availability: Property that the information is accessible and usable by request of an authorized entity.

(j) Confidentiality: Property that determines that the information is not available or disclosed to unauthorized individuals, entities or processes.

PRINCIPLES: Castillo & Asesores S.A.S in its Policy of treatment and protection of data, is governed by the following principles in accordance and compliance with current regulations:

a) Principle of legality in matters of data processing: The Processing referred to in this law is a regulated activity that must be subject to the provisions of this law and other provisions that develop it.

b) Principle of purpose: The Processing must obey a legitimate purpose by the Constitution and the Law, which must be informed to the Data Subject.

c) Principle of freedom: Processing may only be carried out with the Data Subject’s prior, express and informed consent. Personal data may not be obtained or disclosed without prior authorization or in the absence of a legal or judicial mandate that relieves the consent.

d) Principle of truthfulness or quality: The information subject to Processing must be truthful, complete, accurate, updated, verifiable and understandable. The Processing of partial, incomplete, fractioned or misleading data is prohibited.

e) Principle of transparency: The right of the Data Subject to obtain from the Data Controller or the Data Processor, at any time and without restrictions, information about the existence of data concerning him/her must be guaranteed in the Processing.

f) Principle of restricted access and circulation: Processing is subject to the limits derived from the nature of the personal data, the provisions of this law and the Constitution. In this sense, the Processing may only be carried out by persons authorized by the Holder and/or by the persons provided for in this law.

Except for public information, personal data may not be available on the Internet or other means of dissemination or mass communication unless access is technically controllable to provide limited knowledge only to the Data Controllers or third parties authorized following this law.

g) Principle of security: The information subject to Processing by the Data Controller or Data Processor referred to in this law shall be handled with the technical, human and administrative measures necessary to provide security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.

h) Principle of confidentiality: All persons involved in the Processing of personal data that are not public are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks involved in the Processing, and may only provide or communicate personal data when it corresponds to the development of the activities authorized in this law and under the terms of the same.

SECURITY: The Company has security protocols and access to its information systems, storage and Processing, including physical security measures for this purpose. (ANNEX No. 1)

AUTHORIZATION: The Processing of Personal Data by the Company requires the Authorization of the Data Subject, which must be requested at the latest at the time of collection of the Personal Data.

The collection of Personal Data shall be limited to those Personal Data that are relevant and adequate for the purpose for which they are collected or required under the terms of Section 4.

The Company shall take the necessary measures to maintain proof of the authorization granted by the Data Subjects and when and how it obtained such authorization.

The Company shall only collect, store, use, or circulate the Personal Data for the reasonable and necessary time, according to the purposes that justified the Processing.

RIGHTS OF THE OWNERS: In accordance with the provisions of the Regulations, the Owners have the following rights:

(a) To know, update and rectify their Personal Data.

(b) Request proof of the authorization granted to the Company.

(c) To be informed by the Company, upon request, regarding the use it has made of their Personal Data.

(d) File complaints before the Superintendence of Industry and Commerce for violations of the provisions of the Regulations once they have exhausted the consultation or complaint process before the Company.

(e) To revoke the authorization and/or request the deletion of their Personal Data when the Processing does not respect the constitutional and legal principles, rights and guarantees.