SERVICIO LEGAL S.A.S., a company domiciled in the city of Bogotá D.C., located at the physical address Carrera 30 No. 7AA-207 P2 of Medellín; or by telephone at the hotline (+57) 3124660974 (hereinafter “SERVICIO LEGAL” or “we”) informs the Holders of Personal Data that are processed in any way by SERVICIO LEGAL of this information processing policy (the “Policy”), thereby complying with Law 1581 of 2012 and Decree 1377 of 2013.

The main purpose of this Policy is to inform the owners of Personal Data of their rights, the procedures and mechanisms provided by SERVICIO LEGAL to enforce those rights, and to inform them of the scope and purpose of the Processing to which the Personal Data will be subjected in the event that the Owner grants express, prior and informed consent.

Capitalized expressions used in this Policy shall have the meaning given to them herein or the meaning given to them by applicable law or case law, as such law or case law may be amended from time to time.

• “Authorization”: It is the prior, express and informed consent of the Data Subject to carry out the Processing of his/her Personal Data.
• “Database”: The organized set of Personal Data that are subject to Processing, electronic or not, whatever the modality of its formation, storage, organization and access.
• “Financial Data”: Any Personal Data referring to the birth, execution and extinction of monetary obligations, regardless of the nature of the contract that gives rise to them, whose Processing is governed by Law 1266 of 2008 or the rules that complement, modify or add to it.
• “Personal Data”: Any information of any kind, linked or that may be associated to one or several determined or determinable natural or legal persons.
• “Public Data”: Personal Data qualified as such according to the mandates of the law or the Political Constitution and that which is not semi-private, private or sensitive. Among others, the data related to the marital status of persons, their profession or trade, their status as merchant or public servant and those that can be obtained without any reservation whatsoever, are public. By their nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins, duly executed court rulings that are not subject to confidentiality.
• “Sensitive Data: Personal Data that affects the privacy of the Data Subject or whose improper use may generate discrimination, such as those that reveal union affiliations, racial or ethnic origin, political orientation, religious, moral or philosophical convictions, membership in unions, social organizations, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sex life, and biometric data.
• “Data Processor”: The natural or legal person, public or private, that by itself or in association with others, carries out the Processing of Personal Data on behalf of the Data Controller.
• “Authorized”: is LEGAL SERVICE and all persons under the responsibility of LEGAL SERVICE, which by virtue of the Authorization and these Policies have the legitimacy to treat the Personal Data of the Data Subject. The Authorized includes the gender of the Entitlees.
• “Enabling: It is the legitimacy expressly and in writing by contract or document that takes its place, granted by LEGAL SERVICE to third parties, in compliance with applicable law, for the processing of personal data, making such third parties in charge of the processing of personal data provided or made available.
• “Data Controller”: The natural or legal person, public or private, who by himself or in association with others, decides on the Database and/or the Processing of Personal Data.
• “Data Subject” of the Personal Data: The natural or legal person to whom the information contained in a Database refers, and who is the subject of the right of habeas data.
• “Transfer”: It is the Processing of Personal Data that involves the communication of the same within or outside the territory of the Republic of Colombia when its purpose is the performance of a Processing by the Processor on behalf of the Controller.
• “Transmission”: The Personal Data Processing activity by means of which the Personal Data is communicated, internally or with third parties, within or outside the territory of the Republic of Colombia, when such communication has as its purpose the performance of any Processing activity by the recipient of the Personal Data.
• “Processing of Personal Data”: It is any operation and systematic procedure, electronic or not, that allows the collection, conservation, ordering, storage, modification, relation, use, circulation, evaluation, blocking, destruction and in general, the processing of Personal Data, as well as its transfer to third parties through communications, consultations, interconnections, assignments, data messages.

LEGAL SERVICE, in the course of its business activities, will collect, use, store, transmit and perform various operations on the personal data of the Data Controllers. In all processing of Personal Data carried out by SERVICIO LEGAL, the Controllers, Processors and/or third parties to whom Personal Data is transferred must comply with the principles and rules established by law and in this Policy, in order to guarantee the right to habeas data of the Data Subject and to comply with SERVICIO LEGAL’s legal obligations. These principles are:

• Prior Authorization: All Processing of Personal Data will be carried out once the prior, express and informed Authorization of the Data Subject has been obtained, unless the law establishes an exception to this rule. In the event that the Personal Data have been obtained prior to the law, SERVICIO LEGAL will seek ordinary and alternative means to summon the Data Controllers and obtain their retroactive authorization, following the provisions of Decree 1377 and concordant regulations.
• Authorized Purpose: All Personal Data Processing activities must obey the purposes mentioned in this Policy or in the Authorization granted by the Data Subject, or in the specific documents where each type or process of Personal Data Processing is regulated. The purpose of the particular Processing of a Personal Data must be informed to the Data Subject at the time of obtaining his or her Authorization. Personal Data may not be processed for purposes other than those informed and consented to by the Data Subjects.
• Data Quality: Personal Data subject to Processing must be truthful, complete, accurate, updated, verifiable and understandable. When in possession of partial, incomplete, fractioned or misleading Personal Data, SERVICIO LEGAL shall refrain from processing them, or request the holder to complete or correct the information.
• Delivery of information to the Data Subject: When requested by the Data Subject, SERVICIO LEGAL shall deliver information about the existence of Personal Data concerning the applicant. This delivery of information will be carried out by the LEGAL SERVICE unit responsible for the protection of personal data (see point 7 of this Policy).
• Restricted Circulation: Personal Data may only be processed by LEGAL SERVICE personnel who are authorized to do so, or who, as part of their duties, are in charge of carrying out such activities. Personal Data may not be given to those who do not have Authorization or have not been Authorized by LEGAL SERVICE to carry out the Processing.
• Temporality: SERVICIO LEGAL will not use the owner’s information beyond the reasonable period of time required by the purpose for which the owner of the Personal Data was informed.
• Restricted access: Except for expressly authorized Data, LEGAL SERVICE shall not make Personal Data available for access through the Internet or other mass media, unless technical and security measures are put in place to control access and restrict it to Authorized persons only.
• Confidentiality: SERVICIO LEGAL must always carry out the processing by providing the technical, human and administrative measures necessary to maintain the confidentiality of the data and to prevent it from being adulterated, modified, consulted, used, accessed, deleted, or known by unauthorized persons or by Authorized and unauthorized persons in a fraudulent manner, or that the Personal Data is lost. Any new project involving the Processing of Personal Data shall be consulted this Processing Policy to ensure compliance with this rule.
• Confidentiality and Further Processing: All Personal Data that is not Public Data must be treated by the Controllers as confidential, even if the contractual relationship or the link between the Data Subject and LEGAL SERVICE has ended. Upon termination of such relationship, such Personal Data shall continue to be Processed in accordance with this Policy and the Law.
• Individuality: SERVICIO LEGAL shall maintain separately the databases for which it is the Data Controller from the databases for which it is the Data Controller.
• Necessity: Personal Data may only be Processed for the time and to the extent that the purpose of the Processing justifies it.

Personal Data processed by LEGAL SERVICE shall be strictly subject to the purposes set forth below. Likewise, the Processors or third parties that have access to the Personal Data by virtue of law or contract, shall maintain the Processing within the following purposes:

• Manage all information necessary for compliance with SERVICIO LEGAL’s tax obligations and commercial, corporate and accounting records.
• Comply with LEGAL SERVICE’s internal processes for vendor and contractor management.
• Fulfill the service contracts entered into with customers.
• To provide its services in accordance with the particular needs of LEGAL SERVICE’s clients, in order to fulfill the service contracts entered into, including but not limited to verifying memberships and entitlements of individuals to whom LEGAL SERVICE’s clients will provide their services, to use Personal Data for marketing and/or commercialization of new services or products.
• The other purposes determined by the Controllers in the process of obtaining Personal Data for its Processing and that are communicated to the Data Controllers at the time of collecting the personal data.
• The control and prevention of fraud and money laundering, including but not limited to the consultation in restrictive lists, and all the necessary information required for SARLAFT.
• The process of archiving, updating systems, protection and custody of information and databases of LEGAL SERVICE.
• Processes within SERVICIO LEGAL, for development or operational purposes and/or systems administration.
• The transmission of data to third parties with whom contracts have been entered into for this purpose, for commercial, administrative, marketing and/or operational purposes, including but not limited to the issuance of cards, personalized certificates and certifications to third parties, in accordance with the legal provisions in force.
• Maintain and process by computer or other means, any type of information related to the client’s business in order to provide the relevant services and products.
• Other purposes determined by the Controllers in processes of obtaining Personal Data for processing, in order to comply with legal and regulatory obligations, as well as the policies of LEGAL SERVICE.

In accordance with the law, Personal Data Holders have the following rights:

• To know, update and rectify your Personal Data before SERVICIO LEGAL or the persons in charge of its processing. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or data whose processing is expressly prohibited or has not been authorized.
• Request proof of the Authorization granted to LEGAL SERVICE, unless the law indicates that such Authorization is not required.
• Submit requests to SERVICIO LEGAL or the Data Processor regarding the use that has been made of your Personal Data, and that they deliver such information.
• To file complaints before the Superintendence of Industry and Commerce for violations of the law.
• To revoke your Authorization and/or request the deletion of your Personal Data from SERVICIO LEGAL’s databases, when the Superintendence of Industry and Commerce has determined by a final administrative act that SERVICIO LEGAL or the Data Processor has engaged in conduct contrary to the law or when there is no legal or contractual obligation to keep the Personal Data in the database of the Controller.
• Request access and access free of charge to your Personal Data that have been subject to Processing in accordance with Article 21 of Decree 1377 of 2013.
• To know the modifications to the terms of this Policy in a previous and efficient way before the implementation of the new modifications or, in its absence, of the new information treatment policy.
• Have easy access to the text of this Policy and its amendments.
• Easy and simple access to Personal Data under the control of LEGAL SERVICE to effectively exercise the rights granted by law to the Owners.
• To know the agency or person authorized by SERVICIO LEGAL to whom you may submit complaints, queries, claims and any other request regarding your Personal Data.

The Holders may exercise their legal rights and carry out the procedures established in this Policy, by presenting their citizenship card or original identification document. Minors may exercise their rights personally, or through their parents or the adults who have parental authority, who must prove it by means of the pertinent documentation. Likewise, the rights of the Holder may be exercised by the assignees who can prove such quality, the representative and/or attorney-in-fact of the holder with the corresponding accreditation and those who have made a stipulation in favor of another or for another.

SERVICIO LEGAL has designated the Customer Service Department to be responsible for the reception and handling of requests, complaints, claims and queries of all kinds related to Personal Data. The person in charge of Customer Service will process inquiries and complaints regarding Personal Data in accordance with the Law and this policy.

Some of the particular functions of this area in relation to Personal Data are:

1. Receive the requests of the Personal Data Holders, process and answer those that are based on the law or these Policies, such as: requests to update Personal Data; requests to know the Personal Data; requests to delete Personal Data when the Holder submits a copy of the decision of the Superintendence of Industry and Commerce in accordance with the provisions of the law, requests for information on the use given to their Personal Data, requests to update the Personal Data, requests for proof of the Authorization granted, when it has proceeded according to the law.
2. To respond to Personal Data Holders on those requests that do not proceed in accordance with the Law.

   Customer Service contact information is as follows:
   Physical address: Carrera 30 No. 7AA-207 P2 in Medellín; or by phone at (+57) 3124660974 (from 8AM to 5PM Monday to Friday).
   Contact Person Position: Customer Service Specialist.

Inquiries: SERVICIO LEGAL shall have mechanisms available for the Data Subject, his or her successors in title, his or her representatives and/or attorneys-in-fact, those who have stipulated in favor of or for another, and/or the representatives of minors, to make inquiries regarding the Personal Data of the Data Subject contained in SERVICIO LEGAL’s Databases.

These mechanisms may be physical as window procedures, electronic through the e-mail service@SERVICIO LEGAL.com or by telephone at the service line (+57) 3124660974, responsible for receiving requests, complaints and claims on the phones.

Whatever the means, SERVICIO LEGAL will keep proof of the consultation and its response.

• If the applicant has the capacity to make the query, in accordance with the accreditation criteria set forth in Law 1581 and Decree 1377, SERVICIO LEGAL will collect all the information about the Data Subject contained in the individual record of that person or linked to the identification of the Data Subject within SERVICIO LEGAL’s databases and will make it known to the applicant.
• If the applicant has the capacity to make the query, in accordance with the accreditation criteria set forth in Law 1581 and Decree 1377, SERVICIO LEGAL will collect all the information about the Data Subject contained in the individual record of that person or linked to the identification of the Data Subject within SERVICIO LEGAL’s databases and will make it known to the applicant.
• In the event that the request cannot be processed within ten (10) business days, the applicant will be contacted to communicate the reasons why the status of the request is being processed. For this purpose, the same or a similar means to the one used by the Data Subject to communicate his/her request will be used.

Claims: SERVICIO LEGAL has mechanisms for the Registrant, their assignees, representatives and/or attorneys-in-fact, those who stipulated by or for another, and/or the representatives of minors Registrants, to formulate claims regarding (i) Personal Data Processed by LEGAL SERVICE that must be corrected, updated or deleted, or (ii) alleged failure to comply with the legal duties of LEGAL SERVICE.

These mechanisms may be physical as window procedures, electronic through the e-mail service@SERVICIO LEGAL.com or by telephone at the service line (+57) 3124660974, responsible for receiving requests, complaints and claims on the telephones.

• The claim must be submitted by the Data Subject, their successors in title or representatives or accredited in accordance with Law 1581 and Decree 1377, as follows:

• You should contact SERVICIO LEGAL S.A.S. by e-mail at servicio@SERVICIO LEGAL.com or physically at Carrera 30 No. 7AA-207 P2 in Medellín; or by telephone at (+57) 3124660974 (from 8 AM to 5PM Monday through Friday).
• It must contain the name and identification document of the Holder.
• It must contain a description of the facts giving rise to the claim and the objective pursued (updating, correction or deletion, or fulfillment of duties).
• It should indicate the address and contact and identification data of the claimant.
• It must be accompanied by all documentation that the claimant wishes to assert.
• SERVICIO LEGAL will verify the identity of the Data Subject, his or her representative and/or proxy, or proof that there was a stipulation by or for another. For this purpose, it may require the original identification document of the Holder, and the special or general powers of attorney or documents required, as the case may be.

• If the claim or additional documentation is incomplete, SERVICIO LEGAL will require the claimant for one time only to remedy the deficiencies. If the claimant does not submit the required documentation and information within ten (10) business days from the date of the initial claim, it will be understood that the claim has been withdrawn.
• If for any reason the person receiving the complaint within SERVICIO LEGAL is not competent to resolve it, he/she shall refer it to the Customer Service Specialist, and shall inform the complainant of such referral.
• Upon receipt of the claim with complete documentation, a legend will be included in SERVICIO LEGAL’s database where the Data Subject to claim is stored, stating “claim in process” and the reason for the claim. This legend shall be maintained until the claim is decided.

This Policy is effective as of July 6, 2018. Personal Data that is stored, used or transmitted will remain in our Database, based on the criteria of temporality and necessity, for as long as it is necessary for the purposes mentioned in this Policy, for which it was collected.

[actualizado a 15 de Agosto de 2018]