Data processing policy
CONTENTS
I. Objective of the Processing Policy
II. Definitions for the purposes of the Personal Data Processing Policy
III. Principles for Personal Data Processing
IV. Authorization for Personal Data Processing
V. Purposes of Personal Data Processing
VI. Type of personal data included in the firm’s databases
VII. Procedures for Personal Data Processing
VIII. Information and mechanisms provided by UH ABOGADOS S.A.S. as Data Controllers
IX. Person responsible for Personal Data Processing
X. Rights of the Data Subject
XI. Transfer of Personal Data
XII. Duties of the Data Controller
XIII. Effectiveness and Modification of the Personal Data Processing Policy
XIV. Other provisions
I. OBJECTIVE OF THE PROCESSING POLICY
UH ABOGADOS S.A.S. (hereinafter the “Firm”), for the purpose of strictly complying with current regulations on the protection of personal data, especially as established in Law 1581 of 2012, Decree 1377 of 2013, and other provisions that modify, add to, or complement them, and committed to the security of the personal information of its clients, suppliers, contractors, users, employees, and the general public, hereby presents the Information Processing Policy regarding the protection of Personal Data (hereinafter the “Policy”) of the Firm, in relation to the collection, use, and transfer of the same, by virtue of the authorization granted by the Data Subjects.
In this Policy, the Firm details the general corporate guidelines taken into account to protect the personal data of the Data Subjects, such as the purpose of the information collection, the rights of the Data Subjects, the area responsible for handling queries, petitions, and claims, as well as the procedures that must be followed to know, update, rectify, and delete the information.
The Firm, in compliance with the constitutional right of Habeas Data, only collects personal data when previously authorized by its Data Subject, implementing for this purpose clear measures on confidentiality and privacy of personal data.
II. DEFINITIONS FOR THE PURPOSES OF THE PROCESSING POLICY
For the purposes of this Policy, the definitions indicated in Law 1581 of 2012 shall be taken into account, which are outlined below:
Data Subject: A natural or legal person whose personal data is subject to Processing.
Data Controller: A natural or legal person, public or private, who by themselves or in association with others, decides on the database and/or the Processing of the data. In this specific case, the Firm shall be considered the Data Controller.
Data Processor: A natural or legal person, public or private, who by themselves or in association with others, performs the Processing of personal data on behalf of the Data Controller.
Personal Data: Any information linked or that can be associated with one or more specific or determinable natural persons.
Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.
Processing Policies regarding Personal Data Protection: refers to this document.
Sensitive Data: Data that affects the Data Subject’s intimacy or whose improper use may lead to their discrimination.
III. PRINCIPLES FOR PERSONAL DATA PROCESSING
In accordance with Article 4 of Law 1581 of 2012, the principles governing the Processing of personal data are:
Principle of legality in Data Processing: The Processing referred to in Law 1581 of 2012 is a regulated activity that must be subject to what is established therein and in the other provisions that develop it.
Principle of purpose: The Processing must adhere to a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Data Subject.
Principle of freedom: Processing can only be carried out with the prior, express, and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that exempts consent.
Principle of truthfulness or quality: The information subject to Processing must be truthful, complete, accurate, updated, verifiable, and understandable. The Processing of partial, incomplete, fragmented, or misleading data is prohibited.
Principle of transparency: In Processing, the Data Subject’s right to obtain from the Data Controller or Data Processor, at any time and without restrictions, information about the existence of data concerning them must be guaranteed.
Principle of restricted access and circulation: Processing is subject to the limits derived from the nature of the personal data. In this sense, Processing may only be done by persons authorized by the Data Subject and/or by the persons provided for by law.
Principle of security: The information subject to Processing by the Data Controller or Data Processor referred to in Law 1581 of 2012 must be handled with the technical, human, and administrative measures necessary to ensure the security of the records, avoiding their alteration, loss, consultation, use, or unauthorized or fraudulent access.
Principle of confidentiality: All persons involved in the Processing of personal data that is not public in nature are obliged to guarantee the confidentiality of the information, even after their relationship with any of the tasks involved in the Processing has ended, and may only supply or communicate personal data when it corresponds to the development of activities authorized by law and in the terms established by it.
IV. AUTHORIZATION FOR PERSONAL DATA PROCESSING
The Firm, at the time of collecting personal data, shall request authorization from the Data Subjects, informing them of the specific purposes of the Processing for which said consent is obtained.
In accordance with the principle of freedom established by Law 1581 of 2012, the authorization of the Data Subjects may be expressed in writing. The Firm shall keep adequate proof of said authorizations, respecting the principles of confidentiality and privacy of the information.
Considering that the Firm has collected personal data prior to the publication date and entry into force of this Policy, the following measures will be implemented for the purpose of obtaining authorization and protecting Personal Data:
The Firm shall request authorization from the Data Subjects to continue Processing their personal data, through efficient written communication mechanisms, such as email, as well as making them aware of the Policy and the way to exercise their rights before the Firm and the Data Processors.
Additionally, a link entitled “Personal Data Protection” will be published on the Firm’s website www.uhabogados.com, where users can view the Policy and the way to exercise their rights before the Firm and the Data Processors.
V. PURPOSES OF PROCESSING
Purposes of Personal Data Processing
The personal data of the Data Subjects are collected by the Firm in the development of its corporate purpose, in order to:
Comply with the commercial, labor, corporate, and accounting obligations of the Firm.
Provide its services according to the particular needs of the Firm’s clients, in order to fulfill the contracts signed by it, send commercial information about new services offered by the Firm, and send newsletters with relevant legal information.
Comply with the Firm’s internal processes for supplier and contractor management.
The process of archiving, updating systems, protecting and safeguarding information and databases of the Firm.
Registration of information of Employees, suppliers, and clients in the Firm’s database.
The transmission of data to third parties with whom contracts have been entered into for this purpose, for commercial, contractual, administrative, marketing, and/or operational purposes.
For security or fraud prevention purposes.
Any other purpose that may arise in the development of the contract or the commercial relationship between the Firm and the Data Subject.
The information supplied by the Data Subject will only be used for the purposes indicated herein, and once the need for Processing the personal data ceases, they may be deleted from the Firm’s databases or archived securely, only to be disclosed when required by law.
VI. TYPE OF PERSONAL DATA INCLUDED IN THE FIRM’S DATABASES
The Firm, within its corporate purpose and in order to carry out the activities described above, collects from its Data Subjects information regarding their personal data, for example: name, address, phone number, identity document, email, employment data, occupation, among others.
This is justified because the Firm’s main corporate purpose is to provide legal advisory services and legal support in matters related to commerce, litigation, regulation, and real estate.
VII. PROCEDURES FOR PERSONAL DATA PROCESSING
The personal data included in the Firm’s Database come from information compiled in the exercise of activities carried out due to: (i) commercial; (ii) contractual; (iii) labor, or any other type of relationship with its users, clients, suppliers, contractors, employees, and/or the general public.
The collection of personal data is carried out through commercial and labor contracts, written documents, among others. This activity implies the prior, express, and informed authorization of the Data Subject.
Procedure to know, update, rectify, or delete information related to Personal Data
In order to protect and maintain the confidentiality of the Data Subjects’ personal data, the Firm determines that the procedure to know, update, rectify, and delete information requires the Data Subject to submit their request to the Firm through the means provided for it, namely: (i) Via email to administracion@uhabogados.com, sending the request accompanied by a copy of the Data Subject’s identity document; or (ii) By sending a written request to the Firm’s registered address, Carrera 29 C No. 10 C 125, Ed. Select, office 401, which must be accompanied by a copy of the Data Subject’s identity document.
The Firm’s Administrative Coordination will be the area in charge of personal data processing, and will respond to the queries, petitions, and claims of the Data Subject, complying with current regulations on the matter via the email administracion@uhabogados.com.
Procedure to delete information and revoke Authorization for Personal Data Processing
Data Subjects may, at any time, request the Firm to delete their data and/or revoke the authorization, by submitting a claim in accordance with the provisions of Article 15 of Law 1581 of 2012.
The Firm will make the email administracion@uhabogados.com and its website www.uhabogados.com available to Data Subjects for these purposes.
It is essential to note that the request for deletion of information and the revocation of authorization will not proceed when the Data Subject has an existing legal or contractual duty with the Firm.
VIII. INFORMATION AND CONTACT MECHANISMS PROVIDED BY THE FIRM AS DATA CONTROLLERS
Business Name: UH Abogados S.A.S
NIT (Tax ID): 900.668.911 – 7
Domicile: Medellín, Antioquia, Colombia
Address: Carrera 29 C No. 10 C 125, Edificio Select, office 401
Phone: (57 4) 322 4365
Email: administracion@uhabogados.com
Website: www.uhabogados.com
IX. PERSON RESPONSIBLE FOR PERSONAL DATA PROCESSING
The responsible person at the Firm, the Administrative Coordination, will be in charge of receiving the petitions, queries, or claims from the Data Subjects. This person will be responsible for carrying out the necessary internal procedure to guarantee a clear, efficient, understandable, and timely response to the Data Subject.
X. RIGHTS OF THE DATA SUBJECT
In accordance with Article 8 of Law 1581 of 2012, the Data Subject shall have the following rights:
Know, update, and rectify their personal data before the Data Controllers or Data Processors. This right may be exercised, among others, against partial, inaccurate, incomplete, fragmented, or misleading data, or data whose Processing is expressly prohibited or has not been authorized;
Request proof of the authorization granted to the Data Controller, except when expressly exempted as a requirement for Processing, in accordance with the provisions of Article 10 of Law 1581 of 2012;
Be informed by the Data Controller or the Data Processor, upon request, regarding the use given to their personal data;
File complaints with the Superintendence of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and other norms that modify, add to, or complement it;
Revoke the authorization and/or request the deletion of their personal data when the Processing does not respect constitutional and legal principles, rights, and guarantees. The revocation and/or deletion shall proceed once the Superintendence of Industry and Commerce has determined that the Controller or Processor has engaged in conduct contrary to the law and the Constitution;
Access their personal data that has been subject to Processing, free of charge.
In accordance with Article 20 of Decree 1377 of 2013, the exercise of the aforementioned Rights may be carried out:
By the Data Subject, who must sufficiently prove their identity by the different means made available by the Controller.
By their successors (in interest), who must prove such status.
By the representative and/or proxy of the Data Subject, upon proof of representation or power of attorney.
By stipulation in favor of or for another.
The rights of children or adolescents shall be exercised by the persons empowered to represent them.
XI. TRANSFER OF PERSONAL DATA
The Firm may transfer the personal data of the Data Subjects among themselves, and to other companies or entities that belong to or may come to belong to the same control group and/or financial group, domiciled in Colombia and/or abroad, in strict compliance with the provisions of this Policy and the regulations governing the matter.
XII. DUTIES OF THE DATA CONTROLLER
In accordance with Article 17 of Law 1581 of 2012, the Data Controller shall have the following duties:
Guarantee the Data Subject, at all times, the full and effective exercise of the right of habeas data;
Request and keep, under the conditions provided by law, a copy of the respective authorization granted by the Data Subject;
Duly inform the Data Subject about the purpose of the collection and the rights they have by virtue of the authorization granted;
Keep the information under the necessary security conditions to prevent its alteration, loss, consultation, use, or unauthorized or fraudulent access;
Guarantee that the information provided to the Data Processor is truthful, complete, accurate, updated, verifiable, and understandable;
Update the information, communicating in a timely manner to the Data Processor all new developments regarding the data previously supplied and take other necessary measures so that the information provided to them remains updated;
Rectify the information when it is incorrect and communicate the relevant information to the Data Processor;
Provide the Data Processor, as the case may be, only data whose Processing is previously authorized in accordance with the provisions of the law;
Require the Data Processor at all times to respect the security and privacy conditions of the Data Subject’s information;
Process queries, petitions, and claims formulated in the terms set forth by law;
Adopt an internal manual of policies and procedures to ensure adequate compliance with the law and, especially, for handling queries and claims;
Inform the Data Processor when certain information is under dispute by the Data Subject, once the claim has been filed and the respective process has not been completed;
Inform the Data Subject, upon request, about the use given to their personal data;
Inform the data protection authority when security breaches occur and there are risks in the administration of the Data Subjects’ information;
Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
XIII. EFFECTIVENESS OF THE POLICY
This Information Processing Policy regarding Personal Data Protection of the Firm is effective as of its publication.
This Policy may be modified by the Firm at any time, for the purpose of adapting it to new legislation or jurisprudence, as well as to best practices that are developed on the subject, in which case the Data Subjects will be informed in a timely manner.
Any modification or update to this Policy will be informed through the website www.uhabogados.com, where the latest version of the Policy will be made available to the Data Subjects, indicating the effective date of the corresponding modification or update, as the case may be.
The use or acquisition of the products or services offered by the Firm by the Data Subject, or their non-disassociation from them, after the new Policy is made available, constitutes acceptance of it.
The personal data or databases subject to Processing will remain in effect for the contractual term that the Data Subject has the product or service, plus the term established by law.
XIV. OTHER PROVISIONS
For the purposes of Processing personal data of children and adolescents, the Firm will respond to and respect their best interests, and will also ensure respect for their fundamental rights. Additionally, the Firm will request authorization from the Representative of the child or adolescent in order to Process their Personal Data.
The Firm will collect, store, use, or circulate personal data for which it has due authorization, for a term that is reasonable and necessary, which in any case may not be less than the duration term of the Firm.
Date: March 20, 2021
UH ABOGADOS S.A.S
