INTERNAL MANUAL OF POLICIES AND PROCEDURES TO ENSURE ADEQUATE COMPLIANCE WITH LAW 1581 OF 2012 AND THE OTHER RULES REGULATING THE MATTER OF PERSONAL DATA PROTECTION

1. Introduction

By virtue of the provisions of articles 17 line k) and 18 line f) of Law 1581 of 2012, as well as of articles 13 to 19 of Decree 1377 of 2013 and the provisions of Decree 886 of 2014 and Circular No. 2 of the Superintendency of Industry and Commerce, the Policies for the Treatment of Personal Data are established below, which will be mandatory for all employees of PALM ERA Marketing Inc (or “Company”) They will be responsible in turn for ensuring that they are known by third parties, customers, suppliers and contractors that on the occasion of a contractual or commercial relationship may have access to information from personal databases against which PALM ERA Marketing Inc is responsible or in charge of the treatment. These policies are mainly understood to be applicable to data that Palmera Marketing S.A.S. is responsible for handling, such as: the databases of applicants in selection processes, the databases of the workers, the databases of potential customers and the databases of customers and suppliers.

2. Area of application

The Policies will be applicable to the personal data of natural persons, registered in any database, built before or after after the effective date of the regulations on the processing of personal data.

The Policies will not be applicable to data that, due to their generality, become anonymous by not allowing to identify or individualize a specific owner.

3. Definitions

a) Authorization: Prior, expressed and informed consent of the owner to carry out the processing of personal data.
b) Notice of Privacy: Verbal or written communication generated by the Responsible Party, addressed to the owner of the personal data, through which they are informed about the existence of the privacy policies that will be applicable and how to access them.
c) Database: Organized set of personal data that is subject to treatment.
d) Personal Data: Any information linked to or that may be associated with one or more specific or determinable natural persons.
e) Private Data: It is the data that due to its intimate or reserved nature is only relevant for the owner.
f) Semi-private data: The data that is not intimate, reserved, or public in nature and whose knowledge or disclosure may be of interest not only to its owner but to a certain sector or group of people or to society in general.
g) Public Data: It is the data that is not semi-private, private or sensitive. Public data, among others, is data related to the marital status of individuals, their profession or trade and their status as a merchant or public servant. By its nature, public data may be contained, among others, in public records, public documents, gazettes and official gazettes and duly enforceable judicial decisions that are not subject to reservation.
h) Sensitive Data: Sensitive data is understood to be that which affects the privacy of the Owner or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership of unions, social organizations, of human rights or that promotes the interests of any political party or that guarantees the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.
j) Data Controller: Natural or legal person, public or private, that alone or in association with others, carries out the processing of personal data on behalf of the Data Manager.
k) Data Manager: Natural or legal person, public or private, that alone or in association with others, presides over the database and / or the treatment of the data.
l) Owner: Natural person whose personal data is subject to treatment.
m) Treatment: Any operation or set of operations on personal data, such as the collection, storage, use, circulation or deletion.
n) Transmission: Treatment of personal data that implicates the communication of it within or outside the territory of the Republic of Colombia when it is intended to be carried out by the Data Manager on behalf of the Owner.
o) Transfer: The data transfer takes place when the Data Manager of personal data, located in Colombia, sends the information or personal data to another Data Manager located inside or outside the country.

4. Principios Rectores

a) Principle of Legality: This principle refers to the following: The treatment referred to in Law 1581 of 2012, is a regulated activity that must be subject to what is established in it and in the other provisions that develop it.
b) Principle of Purpose: It is defined in the following terms: The treatment must obey a legitimate purpose in accordance with the constitution and the Law, which must be informed to the owner.
c) Principle of Liberty: It refers to the fact that the treatment can only be exercised with the prior, express and informed consent of the Owner. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves consent.
d) Principle of Validity or Quality: It establishes that the information subject to treatment must be truthful, complete, exact, updated, verifiable and understandable. The processing of partial, incomplete or misleading data is prohibited.
e) Principle of Transparency: the right of the Owner to obtain information about the existence of data that concerns them from the Data Manager or the Data Controller, at any time and without restrictions, guaranteed.
f) Principle of Access and Restricted Circulation: Treatment is subject to the limits derived from the nature of the personal data, the provisions of Law 1581 of 2012 and the Constitution. In this sense, the treatment can only be done by persons authorized by the Owner and / or by the persons provided for in Law 1581 of 2012. Personal data, except for public information, may not be available on the internet or other means of dissemination or mass communications , unless the access is technically controllable to provide restricted knowledge only to the Holders or authorized third parties according to Law 1581 of 2012.
g) Principle of Safety: The information subject to treatment by the Data Manager or the Data Controller referred to in Law 1581 of 2012, must be managed with the technical, human and administrative measures that are necessary to provide security to the records avoiding their doctoring, loss, unauthorized or fraudulent consultation, use or access.
h) Principle of Confidentiality: All persons who intervene in the Treatment of personal data that are not public are obliged to guarantee the privacy of the information, even after the end of their relationship with any of the tasks carried out in the Treatment, supply or communication of personal data when this corresponds to the development of the activities authorized in Law 1581 of 2012 and in the terms thereof.

5. Identification of the Data Controller

Business name: Palmera Marketing S.A.S.
Registered in: Bogotá D.C., Colombia
Nit: 900.924.386-8
Address: Carrera 7 No. 156-78, Torre North Point, oficina 1401, en la ciudad de Bogotá D.C.
Email: carina@palmera.marketing
Telephone: +571 317 6474158

6. About the Databases

The following is the treatment of the databases of Palmera Marketing S.A.S. depending on whether they are in charge or responsible for the treatment
6.1. As Data Controller: The Company will process personal data in the terms and scope of the authorization given by the Owner of the information, on the following bases:
a) Employee databases: It comprises the data of active workers of the Company for the following purpose: collection, storage, copying, delivery, updating, ordering, classification, transfer, correction, verification, use for statistical purposes and in general use and use of all data supplied with the purpose of correctly managing the employment relationship between the Company and the Company’s employees. The Company may share the data of the Company’s workers with its current or potential clients, in the development of its commercial relationship and in order to comply with its commercial and / or contractual obligations.
b) Client databases: Comprised of all clients to whom products or services are sold, and will have the following purpose: collection, storage, copying, delivery, updating, ordering, classification, transfer, correction, verification, use for statistical purposes and, in general, employment and use of all the data provided for the purpose of business development of the Company and the provisions of the respective contracts and / or commercial documents signed between the parties as well as to correctly manage the commercial relationship between the Company and its clients.
c) Suppliers databases: Collection, storage, copying, delivery, updating, ordering, classification, transfer, correction, verification, use for statistical purposes and in general use and use of all the data provided for the purpose of the business development of the Company and what is stipulated in the respective contracts and / or commercial documents signed between the parties as well as to correctly manage the commercial relationship between the Company and its suppliers.
d) Databases of event attendees: Comprised of all potential clients to whom products or services are sold, and will have the following purpose: collection, storage, copying, delivery, updating, ordering, classification, transfer, correction, verification, use for statistical purposes and in general employment and use of all the data provided for the purpose of the business development of the Company and what is stipulated in the respective contracts and / or commercial documents signed between the parties as well as to correctly manage the commercial relationship between the Company and its clients.
6.2. Data Manager: Eventually, the Company may process personal data in the terms and scope of the authorization given by the Owner of the information:
a) Databases owned by the Company’s clients: Collection, storage, copying, delivery, updating, use, ordering, classification, transfer, correction, verification and use for statistical purposes of databases owned by corporate clients of The Company, which will at all times be subject to the policies and instructions to be agreed between the parties. In contracts made with the Company’s clients, the positions of Data Manager and Data Controller will be detailed along with the duties and practices of each. The bases delivered by the clients will only be used according to the purpose established in the respective contracts, and for this reason, they will be returned to the Responsible once the contractual obligations of Palmera Marketing S.A.S. as manager.

7. Authorization

The Company will obtain prior and informed authorization from the Holder at the time of data collection. Said authorization for the Treatment thereof will inform the Owner of the personal data that will be collected as well as all the specific purposes of the treatment for which consent is obtained.
Likewise, the Company will comply with the obligations contained in article 6 of Decree 1377 of 2013 regarding the authorization for the processing of sensitive personal data.

8. Information Security

The mechanisms through which the Company makes use of personal data are safe and confidential, since it has the appropriate technological means to ensure that they are stored in such a way as to prevent unwanted access by third parties, ensuring confidentiality thereof.
The personal data contained in the databases will be kept as long as there is a commercial relationship between Palmera Marketing S.A.S. and third parties.

9. Rights of the Information Owners

The Owners of the information have the following rights:
a) Know, update and rectify your personal data in front of the Data Manager or Data Controller. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or those whose Treatment is expressly prohibited or has not been authorized;
b) Request proof of the authorization granted to the Data Manager or Data Controller except when expressly excluded as a requirement for the Treatment, in accordance with the provisions of article 10 of Law 1581 of 2012;
c) Be informed by the Data Manager or Data Controller, upon request, regarding the use of your personal data;
d) Present complaints before the Superintendent of Industry and Commerce in accordance to the law and the other regulations that modify, add or complement it;
e) Revoke the authorization and / or request the deletion of the data when the treatment does not respect the principles, rights and constitutional and legal guarantees. The revoking and / or deletion will proceed when the Superintendency of Industry and Commerce has determined that the Data Manager or Controller have conducted contrary to the law and the Constitution;
f) Free access to your personal data that has been subject to Treatment. In exercising the rights listed above, you may make the pertinent queries and make any claims that you deem necessary.
g) The other rights that are listed in the current regulations regarding the matter.

10. The Duties of the Company

10.1. Duties of Data Manager: Palmera Marketing S.A.S. when acting as Data Manager, must fulfill the following duties:
a) Guarantee the Owner, at all times, the full and effective exercise of the right to habeas data.
b) Request and keep a copy of the respective authorization granted by the Owner.
c) Properly inform the Owner about the purpose of the collection and the rights given by virtue of the authorization granted.
d) Keep the information under the security conditions necessary to prevent its adulteration, loss, unauthorized use or fraudulent access.
e) Guarantee that the information provided to the Data Manager is true, complete, accurate, updated, verifiable and understandable.
f) Update the information, communicating in a timely manner to the Data Manager, any news regarding the data previously provided and any other necessary measures so that the information provided is kept up to date.
g) Correct any information that is incorrect and communicate immediately to the Data Manager.
h) Provide the Data Manager only the data for which Treatment has previously been authorized.
i) Require the Data Manager, at all times, to respect the security and privacy conditions of the Owner’s information.
j) Process inquiries and claims formulated in the terms indicated in the law.
k) Inform the Data Manager when certain information is under discussion of the Owner, once the claim has been submitted and the respective process has not been completed.
l) Inform the Owner upon the request of the use given to their data.
m) Inform the data protection authority when there are violations of the security codes and there are risks to the information of the Owners.
n) Comply with the instructions and requirements issued by the Superintendent of Industry and Commerce.
o) The others provided for in the Law.

10.2. Duties of the Data Controller: Palmera Marketing S.A.S. As Data Controller must fulfill the following duties:

a) Guarantee the Owner, at all times, the full and effective exercise of the right to habeas data.
b) Request and keep the information under proper secure conditions to prevent its adulteration, loss, unauthorized use or fraudulent access and according to the conditions established in the contract signed with the Data Controller.
c) Timely update, rectify or delete the data.
d) Update the information reported by the Data Managers within five (5) business days from receipt.
e) Process inquiries and claims made by the Owners.
f) Register any “claim in process” in the database according to the way that is regulated by law.
g) Record in database any “information in judicial discussion” once notified by the competent authority about judicial processes related to the quality of personal data.
h) Refrain from circulating information that is being contested by the Owner and whose blocking has been ordered by the Superintendent of Industry and Commerce.
i) Allow access to information only to authorized people.
j) Inform the Superintendent of Industry and Commerce when there are violations of the security codes and there are risks to the information of the Owners.
k) Comply with the instructions and requirements issued by the Superintendent of Industry and Commerce.
l) Store the information of the Owners according to the terms established in the respective contracts. In the event that a particular term is not indicated, the Company will keep the information for a maximum period of 1 year.

10.3. Concurrency of Qualities: In the event that the qualities of Data Controller and Data Manager concur, the Company will be required to comply with the duties provided for each one.

11. On Sensitive data and minors

The Company does not process sensitive data or data on minors. Notwithstanding the foregoing, it agrees to fully comply with Title III of Law 1581 of 2012, which establishes sensitive data and data on children and adolescents.

12. Procedure for the exercise of rights by the Owners of the information.

The Owners of the information may exercise the rights to know, update, rectify and delete information, revoke the authorization initially granted, consult information, file claims and in general the other rights established in article 8 and other concordant ones of Law 1581 of 2012 , through the following means:
Email: carina@palmera.marketing or by sending your communication to Carrera 7 No. 156-78, Torre North Point, office 1401, in the city of Bogotá D.C. addressed to Carina Rojas, who will be the compliance officer at the Company.
Palmera Marketing S.A.S., within their legal rights, will address the claims or requests made by the Owners of the information through the Compliance Officer.
The Owners must understand that according to Article 9 of Decree 1377 of 2013, “the request for information and revocation of the authorization will not proceed when the holder has a legal or contractual duty to remain in the database.”

13. Areas responsible for the attention of requests, queries and claims of the holders of the information in the exercise of their rights.

Any process related to the handling of personal data will be coordinated and supervised by the Compliance Officer, Carina Rojas.
Email: carina@palmera.marketing
Address: Carrera 7 No. 156-78, Torre North Point, office 1401, in the city of Bogotá D.C.

14.Database treatment security measures

The Company will apply the best practices, the greatest effort and diligence in order to guarantee the security and confidentiality in the Treatment of the databases.

15.Transfer and transmission of personal data

The Company carries out transmission but not transfer of personal data contained in the databases for which it is responsible.

16.Prevalence of substantive rules on the matter

Taking into account that this document seeks to comply with the norms that regulate the protection of the right to habeas data enshrined in the constitution, the statutory laws on the matter and the regulations issued by the National Government for that purpose, the interpretation of the policies of the entity will be at all times subordinate to the content of such superior provisions, so that in the event of incompatibility or contradiction between these Policies for the Treatment of Personal Data Bases and the higher regulations, the latter will be applicable.

17. Effective date of the information treatment policy.

This version of the Personal Data Protection Policy manual goes into effect upon its publication by the Company, and will be subject to updates as new legal provisions on the matter are modified or issued.
In the event that the Company updates its Personal Data Protection Policy, it will inform the Holders through the most suitable means.

18. Notice of Privacy

As stipulated in Article 14 of Decree 1377 of 2013, if it is not possible to make the Personal Data Bases Treatment Policies available to the Owner, the Responsible Parties must inform the Owner about the existence of a Privacy Notice of such Policies and the way to access them, in a timely manner and in all cases at the latest at the time of collection of personal data. The Privacy Notice will be issued in physical, electronic or any other format, where it will be made available to the Owners, in addition to the existence of the Treatment Policies for Personal Databases, the way to access them, the purpose that is intended to give the information; The notice will be sent to the email or physical address when such information is available. Otherwise, it will be published on the Company’s website.
The Privacy Notice that may be used by the Company is transcribed below. However, the Company may adjust these notices for their application in the different types of authorizations, but without breaching the provisions of current regulations.

Notice of Privacy:

Palmera Marketing S.A.S. (hereinafter the “Company”), a company incorporated under the laws of Colombia, identified with NIT. 900.924.386-8 and with its main address in the city of Bogotá DC, in compliance with Law 1581 of 2012, as well as Decree 1377 of 2013, informs that it is Responsible for the Treatment of personal data included in its databases and archived in development of its object.
In order to inform all the people whose personal data are in our databases, and taking into account the impossibility of requesting or obtaining authorization for the use of their personal data, the Company informs that it makes use of the mechanism established in Decree 1377 of 2013 and states that the personal data included in our databases have been collected for the purpose of (i) developing the company’s corporate purpose, (ii) complying with obligations contracted with our clients, suppliers and employees. , (iii) inform about new products or services related to the contracted or acquired (s), (iv) provide our services, and (v) obtain statistical data.
The Company informs that it is committed to the protection of personal data. Through this notice you are informed of our Protection of

Personal Data Policy, describes the treatment to which the data will be subjected and its purpose, the rights of the owners, the security measures and the means to make inquiries, requests and claims.
The company will process personal data in the terms and scope of the authorization given by the owner of the information, on the following bases:

a) Employee databases.
b) Customer databases.
c) Supplier databases.
d) Databases of event attendees.
The owners of personal data have the right to know, update, rectify or delete in front of those responsible for the treatment, the information collected in the databases, in the terms established in the current regulation and in the Treatment Policies of Personal Databases of the Company, which may be consulted at any time on the website: www.palmera.marketing
If you wish to consult information or request the deletion of your personal data from our databases, please contact us within 30 days of the publication of this notice to the address Carrera 7 No. 156-78, Torre North Point, office 1401, in the city of Bogotá DC or to the email carina@palmera.marketing. If you decide not to do so, after the aforementioned period has expired, the Company will understand that you authorize the processing of your personal data.

19. Rights of Owners and Process to Make Rights Effective

The Holders have the rights expressed in the current data protection regulations and at any time they can contact the Company by writing to the email carina@palmera.marketing where they can also request the sending of the data protection policy
The Company will respond to the claim as soon as possible without exceeding the maximum term established by the Law.