CONTENT

1. Legal framework and scope of application
2. Definitions
3. Authorization of the data processing policy
4. Data controller
5. Treatment and purposes of databases
6. Navigation data
7. Cookies or Web bugs
8. Rights of data subjects
9. Attention to data subjects
10. Procedures for the exercise of data subjects' rights
    1. Right of access or consultation
    2. Right to file complaints and claims
11. Security measures
12. Data transfer to third countries
13. Validity

1. Legal Framework and Scope of application

This information treatment policy is based on articles 15 and 20 of the Political Constitution, as well as on articles 17(k) and 18(f) of Statutory Law 1581 of 2012 and article 13 of Decree 1377 of 2013, which partially regulates the aforementioned law.

This policy will apply to all personal data recorded in databases that are subject to processing by the data controller, in order to ensure compliance with the current regulations on personal data protection in Colombia.

2. Definitions

Established in Article 3 of Law 1581 of 2012 and Article 3 of Decree 1377 of 2013.

• Authorization: prior, express and informed consent of the Data Subject to carry out the processing of personal data.
• Privacy Notice: verbal or written communication generated by the data controller, addressed to the Data Subject for the processing of their personal data, through which they are informed about the existence of the information processing policies that will be applicable to them, the way to access them and the purposes of the processing that is intended to be given to the personal data.
• Database: organized set of personal data that is subject to processing.
• Personal Data: any information linked or that can be associated with one or more natural persons, whether determined or determinable.
• Public Data: it is the data that is not semi-private, private or sensitive. Public data includes, among others, those related to the civil status of people, their profession or occupation, and their status as a merchant or public servant. Due to their nature, public data may be contained, among others, in public records, public documents, bulletins and official gazettes, and judicial resolutions that are duly executed and not subject to reservation.
• Sensitive Data: sensitive data is understood to be those that affect the privacy of the Data Subject or whose misuse could generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical beliefs, union affiliation, social organizations or human rights organizations or that promote interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life and biometric data.
• Data Controller: natural or legal person, public or private, who, either by itself or in association with others, carries out the processing of personal data on behalf of the data controller.
• Data subject: an individual whose personal data is subject to processing.
• Transfer: the transfer of data occurs when the data controller and/or processor of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is responsible for the processing and is located within or outside the country.
• Transmission: the processing of personal data that involves the communication of such data within or outside the territory of the Republic of Colombia when processing is intended to be carried out by the processor on behalf of the controller.

• Processing: any operation or set of operations performed on personal data, such as collection, storage, use, circulation, or deletion.

3. Authorization of the data processing policy

According to Article 9 of the Personal Data Protection Law (LEPD), the processing of personal data requires the prior and informed authorization of the data subject. By accepting this policy, every data subject who provides information regarding their personal data is expressly consenting to the processing of said information by HOTELES BOGOTÁ PLAZA S.A., under the terms and conditions established therein.

It is important to note that the data subject's authorization will not be necessary in cases where it concerns data required by a public or administrative entity in the exercise of their legal functions, or by court order.

• Public data.
• Cases of medical or health emergency.
• Processing of information authorized by law for historical, statistical, or scientific purposes. Data relating to the Civil Registry of individuals.

4. Data controller

The data controller responsible for the databases subject to this policy is HOTELES BOGOTÁ PLAZA S.A., whose contact information is as follows:

• Address: CL 100 N° 18A - 30 BOGOTÁ D.C.
• Email:mercadeo@hotelesbogotaplaza.com
• Phone:601 6322200

5. Treatment and purposes of databases

HOTELES BOGOTÁ PLAZA S.A., in the course of its business activity, carries out the processing of personal data related to natural persons that are contained and processed in databases intended for legitimate purposes, in compliance with the Constitution and the Law.

Each of the databases and the information and characteristics of each of them have been identified and registered with the Superintendence of Industry and Commerce.

6. Navigation data

The navigation system and the computer programs necessary for the proper functioning of the Website collect certain personal data that are implicitly transmitted through the Internet communication protocols.

It is important to note that, due to the nature of the information collected, it is possible that some of this data may allow the identification of users when associated with information from third parties, although such identification is not the main objective of its collection. Among this data are

The sole purpose of collecting this data is to obtain anonymous statistical information about the use of the Website or to monitor its proper technical functioning. This data is immediately deleted once it has been verified.

7. Cookies or Webbugs

The website does not collect personal data from the user through the use of cookies or web bugs, but their use is limited to facilitating the user's access to the website.

In the event that session cookies are used, these are not stored permanently on the user's computer and disappear once the browser is closed. The purpose of these cookies is to collect technical information to identify the session and allow secure and efficient access to the website.

If the user does not wish to allow the use of cookies, they have the option to reject or delete existing cookies through the browser settings and disabling JavaScript code in the security settings.

8. Rights of data subjects

In accordance with Article 8 of the Data Protection Act (LEPD) and Articles 21 and 22 of Decree 1377 of 2013, data subjects may exercise a series of rights in relation to the processing of their personal data. These rights may be exercised by the following individuals:

• By the data subject, who must sufficiently prove their identity through the various means made available by the data controller.
• By their legal heirs, who must prove such quality.
• By the representative and/or proxy of the data subject, after proving the representation or proxy.
• By stipulation in favor of another person and for their benefit.
• The rights of children and adolescents will be exercised by the individuals authorized to represent them.

The rights of data subjects are as follows:

• Right of access: this is the right of the data subject to be informed by the data controller, upon request, regarding the origin, use, and purpose given to their personal data.
• Right to file complaints and claims: the law distinguishes four types of claims:
• • Right to rectify: This is the right of the data subject to update, rectify, or modify partial, inaccurate, incomplete, or misleading data, or data whose processing is expressly prohibited or has not been authorized.
  • Right to erasure: This is the right of the data subject to have their data erased if it is inadequate, excessive, or does not comply with constitutional and legal principles, rights, and guarantees.
  • Right to revoke: This is the right of the data subject to revoke their previously granted authorization for the processing of their personal data.

• • Right to claim for infringement: This is the right of the data subject to request that any noncompliance with data protection regulations be rectified.
  • Right to request proof of authorization granted to the data controller, except when expressly exempted as a requirement for processing in accordance with Article 10 of the LEPD.
  • Right to file complaints with the Superintendence of Industry and Commerce for violations: The data subject or their legal heirs may only file this complaint once the consultation or claim process with the data controller or data processor has been exhausted.

9. Attention to data subjects

HOTELES BOGOTÁ PLAZA S.A. will be responsible for attending to requests, queries, and complaints submitted by data holders who wish to exercise their rights. To do so, the request will be managed internally with the corresponding database manager in order to provide an adequate response.

It is important to highlight that the company undertakes to respond promptly and efficiently to all requests received and to guarantee the effective exercise of the rights of data holders.

• Phone: 601 6322200
• Email: mercadeo@hotelesbogotaplaza.com

10. Procedures for the exercise of data subjects' rights
    1. Right of access or consultation

According to Article 21 of Decree 1377 of 2013, the data holder may consult their personal data for free in two cases:

At least once every calendar month.

Whenever substantial modifications to the information processing policies occur that motivate new inquiries.

For consultations whose periodicity is greater than one per calendar month, HOTELES BOGOTÁ PLAZA S.A. may only charge the data holder costs of shipping, reproduction, and, where applicable, documentary certification. The reproduction costs may not exceed the costs of recovering the corresponding material. For this purpose, the responsible party must accredit before the Superintendence of Industry and Commerce, when required, the support for such expenses.

The data holder may exercise their right of access or consultation of their data by sending a written request to HOTELES BOGOTÁ PLAZA S.A. via email at mercadeo@hotelesbogotaplaza.com, indicating in the subject line "Exercise of the Right of Access or Consultation," or by postal mail sent to CL 100 N° 18A - 30 BOGOTÁ DC, BOGOTÁ. The request must contain the following data:

• Name and surname of the representative.

• Photocopy of the Citizen's ID of the data holder and, where applicable, of the person representing them, as well as the document accrediting said representation.
• Petition specifying the request for access or consultation. Domicile for notifications, date, and signature of the applicant.
• Accrediting documents of the request made, where applicable.

The data holder may choose one of the following forms of database consultation to receive the requested information:

• On-screen.
• In writing, with a copy or photocopy sent by certified mail, mail, or other electronic means.
• Another system suitable for the configuration of the database or the nature of the processing, offered by HOTELES BOGOTÁ PLAZA S.A.

Once the request is received, HOTELES BOGOTÁ PLAZA S.A. will resolve the consultation request within a maximum period of ten (10) business days from the date of receipt. When it is not possible to respond to the consultation within this term, the interested party will be informed, indicating the reasons for the delay and the date on which the consultation will be answered, which in no case may exceed five (5) business days following the expiration of the first term. These deadlines are established in Article 14 of the LEPD.

After the consultation procedure has been exhausted, the data holder or successor may file a complaint with the Superintendence of Industry and Commerce.

1. 2. Right to file complaints and claims

The Holder may exercise their data protection rights by sending a written request to HOTELES BOGOTÁ PLAZA S.A., either by email to mercadeo@hotelesbogotaplaza.com, indicating "Exercise of the right of access or consultation" in the subject line, or by postal mail to CL 100 N° 18A - 30 BOGOTÁ D.C. The request must include the following information:

• Full name of the data subject.
• Copy of the national identification card of the data subject and, if applicable, of the representative, as well as the document proving such representation.
• Description of the facts and the request for rectification, cancellation, revocation, or opposition.
• Address for notifications, date, and signature of the requester.
• Supporting documents for the request, if applicable.

If the request is incomplete, the data subject will be notified and given a period of five (5) days to provide the missing information. If no response is received within two (2) months from the date of the notification, the request will be deemed withdrawn.

Once the complete request is received, a notice stating "request being processed" and the reason for it will be included in the database within two (2) business days. This notice must be kept until the request is resolved.

HOTELES BOGOTÁ PLAZA S.A. will respond to the request for consultation within a maximum period of fifteen (15) business days from the date of receipt. If it is not possible to respond within this period, the data subject will be informed of the reasons for the delay and the date by which the request will be fulfilled, which cannot exceed eight (8) business days after the expiration of the initial period.

If the data subject is not satisfied with the response, they may file a complaint with the Superintendence of Industry and Commerce.

11. Security measures

HOTELES BOGOTÁ PLAZA S.A., in order to comply with the security principle established in article 4, letter g) of the LEPD, has implemented the technical, human, and administrative measures necessary to ensure the security and confidentiality of records, preventing their adulteration, loss, consultation, use, or unauthorized or fraudulent access. With regard to the databases that are managed, confidentiality in the use of personal data is ensured through contractual clauses with the different interested parties, as well as technical support from the organization's Technology department.

For its part, HOTELES BOGOTÁ PLAZA S.A., through the subscription of corresponding transmission contracts, has required those responsible for processing with whom it works to implement the necessary security measures to guarantee the security and confidentiality of information in the processing of personal data.

From the induction process for personnel entering the Hotel, this Policy and its legal significance are made known. Access to the Hotel's PMS and other computer tools is controlled through the unique identification of users, with their respective password and expiration date.

In case of an incident, the Technology department handles it with a ticket, maintaining internal policies for computer security. Likewise, the information from the databases is kept on the server.

Partial or total information from automated databases is only used within the facilities. Guidelines are in place for the proper preservation, location, and consultation of physical documents.

If there is a need to take any equipment outside the facilities, with access to this information, the exit and entry are controlled through the security department's control.

All staff, guided by top management and under the leadership of each area manager, ensures the proper use of personal data through random verification in each of their processes and reporting of incidents if they occur.

12. Data transfer to third countries

According to Title VIII of the LEPD, the transfer of personal data to countries that do not offer adequate levels of data protection is prohibited. A country is considered to offer an adequate level of data protection when it meets the standards set by the Superintendence of Industry and