TOWER CONSULTINGWORDWIDE S.A.S. (hereinafter “The Company”), is a simplified joint stock company, legally constituted by public deed no. 0003017, duly registered in the Chamber of Commerce of Bogotá, whose registered office is in the city of Bogotá, at Carrera 7 #127-48 office 1107. Company identified for tax purposes under NIT 800.180.241-1.

The Company, in order to guarantee the constitutional right of habeas data, as well as the good name, privacy, intimacy and good name of its customers, suppliers, workers, contractors, whether active or inactive, occasional or permanent, has created the following Manual, which contains the policies of use and management of the information that the Company has in its databases, in order to allow the proper exercise and protection of the rights of the owner of the information, so that at any time, may request the correction, clarification, modification and/or deletion of the same.

The present Manual of Policies of Treatment of the Information that The Company possesses, will be ruled by the following principles:

• Principle of truthfulness or quality. The information contained in the database must be truthful, complete, accurate, updated, verifiable and understandable. The registration and disclosure of partial, incomplete, fractioned or misleading data is prohibited;
• Principle of purpose. The processing must obey a legitimate purpose in accordance with the constitution and the law, which must be informed to the owner.
• Principle of legality: The processing referred to in this policy must be subject to the provisions set forth herein and in the other provisions that develop it.
• Principle of temporality of the information. The holder’s information may not be provided to users or third parties when it ceases to serve the purpose of the database;
• The information subject to processing must be truthful, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fractioned or misleading data is prohibited;
• Principle of transparency. The right of the Data Subject to obtain from The Company or the Data Processor, at any time and without restrictions, information about the existence of data concerning him/her, must be guaranteed in the Processing;
• Principle of restricted access and circulation. Processing is subject to the limits derived from the nature of the personal data, the Constitution and the Law. Personal data, except for public information, may not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to the Holders or authorized third parties.
• Security Principle: The information subject to processing by the Company or the Data Processor shall be handled with the technical, human and administrative measures necessary to provide security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access;
• Principle of confidentiality. All persons involved in the processing of personal data that are not of a public nature are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks involved in the processing, and may only provide or communicate personal data when it corresponds to the development of the activities authorized in the regulations in force.

For the purposes of interpretation of these Personal Data processing policies, the following definitions shall be adopted:

• Authorization: Prior, express and informed consent of the Data Controller to carry out the Processing of Personal Data.
• Privacy Notice: Verbal or written communication generated by the Controller, addressed to the Data Subject for the Processing of his personal data, by means of which he is informed about the existence of the information Processing policies that will be applicable to him, the way to access them and the purposes of Processing that is intended to be given to the personal data.
• Database: Organized set of personal data that is subject to Processing.
• Personal data: Any information linked or that may be associated to one or several determined or determinable natural persons. These data may be of a public, semi-private and/or private nature.
• Public data: Data that is not semi-private, private or sensitive. Public data includes, among others, data relating to the marital status of individuals, their profession or trade, and their status as merchants or public servants. By their nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins, and duly executed court rulings that are not subject to confidentiality.
• Semi-private data: Semi-private data is data that is not of an intimate, reserved or public nature and whose knowledge or disclosure may be of interest not only to its owner but also to a certain sector or group of persons or to society in general, such as financial and credit data of commercial or service activity.
• Private data. It is data that, due to its intimate or reserved nature, is only relevant to the owner.
• Sensitive data: Sensitive data is understood as that which affects the privacy of the Holder or whose improper use may generate discrimination, such as that which reveals racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights or that promotes the interests of any political party or that guarantees the rights and guarantees of opposition political parties, as well as data relating to health, sex life, and biometric data.
  Owner of the information. It is the natural or legal person to whom the information contained in a database refers. This person is subject to the right of habeas data.
• Transfer: The transfer of data takes place when the Controller and/or Processor of personal data, located in Colombia, sends the information or personal data to a recipient, which in turn is the Data Controller and is located inside or outside the country.
• Transmission: Processing of personal data that involves the communication of such data within or outside the territory of the Republic of Colombia when the purpose is the performance of a Processing by the Processor on behalf of the Controller.
• Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or suppression.

The data processing policy of TOWER CONSULTING WORDWIDE S.A.S., is developed based on the following legal guidelines.

• Political Constitution, Article 15
• Law 1266 of 2008
• Law 1581 of 2012
• Regulatory Decree 1727 of 2009
• Regulatory Decree 2952 of 2010
• Partial Regulatory Decree No. 1377 of 2013
• Constitutional Court Rulings C-1011 of 2008 and C-748 of 2011.

5.1.Sensitive data.

According to what is established in the Definitions section, Sensitive Data are those that affect the privacy of the Data Subject or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life and biometric data.

The Company may only process this type of data in the following cases:

5.1.1. The Data Subject has given his/her explicit authorization to such Processing, except in those cases where by law the granting of such authorization is not required;

5.1.2. The Processing is necessary to safeguard the vital interest of the Data Subject and he/she is physically or legally incapacitated. In these events, the legal representatives must grant their authorization;

5.1.3. The Processing is carried out in the course of legitimate activities and with due guarantees by a foundation, NGO, association or any other non-profit organization, whose purpose is political, philosophical, religious or trade union, provided that they refer exclusively to its members or to persons who maintain regular contacts by reason of their purpose. In these events, the data may not be provided to third parties without the authorization of the Data Controller;

5.1.4. The Processing refers to data that are necessary for the recognition, exercise or defense of a right in a judicial process;

5.1.5. The processing has a historical, statistical or scientific purpose. In this event, the measures leading to the suppression of the identity of the Data Controllers must be adopted.

In any case, and given the nature of this type of data, The Company must comply with the following obligations:

5.1.6. To inform the Data Subject that since it is sensitive data, he/she is not obliged to authorize its processing.

5.1.7. Inform the Data Subject explicitly and in advance, in addition to the general requirements of authorization for the collection of any type of personal data, which of the data to be processed are sensitive and the purpose of the processing, as well as obtain their express consent.

5.2.Public Data

According to what is established in the definitions section, public data are those that are not semi-private, private or sensitive. Public data are considered, among others, data relating to the civil status of persons, their profession or trade, and their status as merchants or public servants. By their nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins and duly executed court judgments that are not subject to confidentiality.

Whenever data of this nature are involved, The Company may process them in accordance with the legal requirements in force.

5.3.Data

Semi-private and Private Data

For the treatment of this type of data, The Company must have the corresponding authorization from the owner of the information, given its nature. This authorization will be made based on the provisions of the Constitution and current regulations, as well as as as determined in paragraph 5.4 of this Policy Manual for the Treatment of Information.

5.4.Holder’s Authorization

Notwithstanding the exceptions provided by law, the processing requires the prior and informed authorization of the Data Subject, which must be obtained by any means that may be subject to consultation and subsequent verification.

5.4.1. Cases in which the Card Holder’s authorization is not required:

5.4.1.1.Information required by a public or administrative entity in the exercise of its legal functions or by court order;

5.4.1.2. Data of a public nature;

5.4.1.3.Cases of medical or sanitary emergency;

5.4.1.4.Processing of information authorized by law for historical, statistical or scientific purposes;

5.4.1.5.Data related to the Civil Registry of Persons.

In the processing of data on the rights of children and adolescents, when permitted, The Company shall comply with the following requirements and shall be subject to the following guidelines:

6.1. That the treatment responds to and respects the best interests of children and adolescents.

6.2. That treatment ensures respect for their fundamental rights.

6.3. The Company must have the authorization of the legal representative of the minor.

6.4. The Company must listen to the minor, respecting his or her opinion, which must be assessed taking into account his or her maturity, autonomy and capacity to understand the matter.

Now, in order for the Data Controller to be able to know in which cases it is possible to process the data of children and adolescents, such cases are the following:

6.5. Data of a public nature, which are defined in the definitions section of this Manual.

Purposes.

Whenever The Company, as the data controller of The Data Subject, has information that may be subject to modification, verification, rectification, consultation and/or deletion, it shall:

7.1. Guarantee to the Data Subject, at all times, the full and effective exercise of the right of habeas data;

7.2. Request and keep a copy of the respective authorization granted by the Holder;

7.3. Duly inform the Data Subject about the purpose of the collection and the rights he/she has by virtue of the authorization granted;

7.4. Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access;

7.5. Ensure that the information provided to the Data Processor is truthful, complete, accurate, updated, verifiable and understandable;

7.6. Update the information, communicating in a timely manner to the Data Processor, all developments regarding the data previously provided and take other necessary measures to ensure that the information provided to it is kept up to date;

7.7. Rectify the information when it is incorrect and communicate the pertinent to the Data Processor;

7.8. To provide to the Data Processor, as the case may be, only data whose Processing is previously authorized;

7.9. To require the Data Processor at all times to respect the security and privacy conditions of the Data Subject’s information;

7.10. Process queries and claims made by the Owner of the Information.

7.11. Inform the Data Processor when certain information is under discussion by the Data Subject, once the claim has been filed and the respective process has not been completed;

7.12. Inform upon request of the Data Subject about the use given to his/her data;

7.13. Inform the data protection authority when there are violations to the security codes and there are risks in the administration of the information of the Data Holders.

7.14. Inform the Holder, the changes, additions and / or modifications to these policies of use of the information contained in their databases.

The Owners of the information contained in the Company’s databases may exercise the following rights at any time:

8.1. To know, update and rectify their personal data before the Company or before the Data Processor. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or data whose processing is expressly prohibited or has not been authorized;

8.2. Request proof of the authorization granted to The Company except when expressly exempted as a requirement for the Processing, in accordance with the provisions of section 5.5.1 of this Policy Manual.

8.3. Be informed by The Company or the Data Processor, upon request, regarding the use that has been made of your personal data;

8.4. Go to the Superintendence of Industry and Commerce to file complaints for infringements of the provisions of the regulations in force, provided that the internal complaint or consultation process referred to in this Policy Manual is previously exhausted, which according to the provisions of the law, is a requirement for proceeding.

8.5. Revoke the authorization and/or request the deletion of the data when the processing does not respect the constitutional and legal principles, rights and guarantees.

8.6. Be aware that the review of their personal data may be consulted free of charge, under the conditions set forth in this Policy Manual and the law.

8.7. The right not to be conditioned in any case, for the development of any activity with the Company, to be obliged to provide sensitive personal data.

All the information that The Company may collect, store, circulate, use, modify, rectify and/or delete regarding the owners of the same, must have the express, prior, free and informed consent of the Owner of the Information.

It shall be understood for all purposes that the authorization by the Holder of the information may be recorded in any physical, electronic, or any means or instrument that may be considered in light of current regulations as a data message, which is why the authorization may come from any of the following sources: web pages, emails, phone calls, text messages or any other format that allows guaranteeing its subsequent consultation. The above in accordance with the provisions of Law 527 of 1999, as well as the rules that modify, supplement, regulate, repeal or replace it.

Once the authorization has been granted by the Holder of the information, based on any of these mechanisms, The Company shall guarantee the Holder of the information the possibility of verifying the status of the same at any time.

10.1. Procedure for making inquiries

The Data Controllers or their assignees may consult the personal information of the Data Subject contained in any database owned by The Company. On the other hand, The Company or the Data Processor shall provide them with all the information contained in the individual record or that is linked to the identification of the Data Subject.

The consultation shall be made by the means enabled by The Company or the Data Processor, as long as proof of such consultation can be kept.

The query will be answered within a maximum term of ten (10) working days from the date of receipt thereof. When it is not possible to attend the consultation within such term, the interested party will be informed, stating the reasons for the delay and indicating the date on which the consultation will be attended, which in no case may exceed five (5) working days following the expiration of the first term.

10.2. Procedure for making claims

The Data Subject or his/her assignees who consider that the information contained in a database should be corrected, updated or deleted, may file a claim with the Company or the Data Processor, which will be processed under the following rules:

10.2.1. The claim shall be formulated by means of a request addressed to the Company or the Data Processor, with the identification of the Holder, the description of the facts that give rise to the claim, the address, and accompanying the documents that the claimant wishes to assert. If the claim is incomplete, the interested party will be required within five (5) days after receipt of the claim to correct the faults. After two (2) months from the date of the requirement, without the applicant submitting the required information, it will be understood that the claim has been abandoned.

10.2.2. In the event that the person who receives the claim is not competent to resolve it, he/she will transfer it to the corresponding person within a maximum term of two (2) business days and will inform the interested party of the situation.

10.2.3. Once the complete claim has been received, a legend will be included in the database stating “claim in process” and the reason for the claim, within a term no longer than two (2) business days. Said legend shall be maintained until the claim is decided.

10.2.4. The maximum term to address the claim will be fifteen (15) business days from the day following the date of receipt. When it is not possible to address the claim within such term, the interested party will be informed of the reasons for the delay and the date on which the claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.

10.3. Information Suppression

The Data Subject may, at any time, request the Company to delete his/her personal data, provided that:

10.3.1. The treatment does not respect constitutional and legal principles, rights and guarantees.

10.3.2. When the Superintendence of Industry and Commerce so determines,

Notwithstanding the above, it is necessary to take into consideration that the Company may only delete the information of the Data Subject, provided that this does not lead to the breach of legal regulations and/or obligations that are incumbent upon it according to the regulations in force. In other words, the data of the Data Subject may not be subject to deletion, whenever:

10.3.3. The owner of the information has a legal or contractual duty with the Company and, in order to achieve its full compliance, the information contained in the database is required.

10.3.4. The suppression of the data by the Company, implies the obstruction of the development of judicial investigations to be carried out by the competent authorities.

10.4. Revocation of Authorization

The Owner of the Information may, at any time, revoke the authorization granted to The Company for the processing of his/her personal data. For these purposes, The Company will create mechanisms that allow the Data Subject to revoke the authorization granted. These mechanisms shall be of easy access and shall be free of charge in the cases established by law.