Data Protection Policy

POLICIES FOR PROCESSING PERSONAL INFORMATION OF GUESTS, CUSTOMERS AND USERS: FIRST: GENERALITIES We have special interest in protecting and respecting your information and personal data and that is why we have designed these information processing policies, within the framework of law 1581 of 2012 and regulatory decree 1377 of 2013. 1.1.- Introduction. The GHL SAS Logistics company and the affiliated companies, operators of the “a GHL experience” hotels and responsible for the processing of the information, may collect personal data from their users, guests or visitors, through the different means intended for access to the services provided by them. In any case, the collection will be done under the express authorization of the data owner and the processing of the data will be subject to what is established by law. The personal information subject to the considerations established here may be collected directly from the information provided and contained in the hotel registration card, through the website www.ghlhoteles.com, through the visit or acquisition of services offered on the website. platform, or directly in the hotels linked or associated with GHL. The considerations established here by the Information Owner will be understood to be accepted when signing the Hotel Registration Card with respect to the information contained therein, when visiting or making use of the website www.ghlhoteles.com and/or when entering data or information. personnel through the functions established for it, regardless of the purpose. 1.2- General principles. The obtaining and collection of personal data, as well as the use, treatment, processing, exchange, transfer and transmission of these, will always be guided by principles of legality, freedom, veracity, transparency, security, confidentiality, principle of access and circulation. restricted. 1.3- Legal definitions. In accordance with Law 1581 of 2012 and Decree 1377 of 2013, the following definitions will govern the personal information processing policies. 1.3.1.- Authorization: Prior, express and informed consent of the Owner to carry out the Processing of personal data. 1.3.2.- Database: Organized set of personal data that is subject to Treatment; 1.3.3.- Personal data: Any information linked or that can be associated with one or several specific or determinable natural persons; 1.3.4.- Data Processor: The data processor is the natural or legal person, public or private, who, by themselves or in association with others, carries out the Processing of personal data on behalf of the Data Controller; 1.3.5.- Responsible for the Treatment: The person responsible for the treatment is the natural or legal person, public or private, who, by themselves or in association with others, decides on the database and/or the Processing of the data. ; 1.3.6.- Sensitive data: Sensitive data is understood to mean data that affects the privacy of the Owner or whose improper use may lead to discrimination, such as data that reveals racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social organizations, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data. . 1.3.7.- Public data: It is data that is not semi-private, private or sensitive. Public data are considered, among others, data relating to the marital status of people, their profession or trade, and their status as a merchant or public servant. Due to its nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins, and duly executed judicial rulings that are not subject to confidentiality. 1.3.8.- Owner: Natural person whose personal data is the subject of Treatment. 1.3.9.- Transfer: The transfer of data takes place when the Controller and/or Person in Charge of the Processing of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is Responsible for the Treatment and is located inside or outside the country. 1.3.10- Transmission: Processing of personal data that implies the communication of the same within or outside the territory of the Republic of Colombia when its purpose is to carry out a Processing by the Processor on behalf of the Controller. 1.3.11.- Treatment: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion. SECOND: AUTHORIZATION OF THE OWNER: The data provided will be subject to authorized processing, granted in advance, expressly and informed by the Owner thereof. By providing your data upon entering the hotel to complete the Hotel Registration Card, you are authorizing the treatment under the terms and conditions established in this policy. The visit, entry or use made of the website www.ghlhoteles.com constitutes in itself prior, express and informed authorization of the storage, collection and processing of information in accordance with the data processing policy here. contained. In any case, data collection will be limited to those personal data that are relevant and appropriate for the purpose pursued. THIRD: INFORMATION PROCESSING: 3.1- Data collected. The collection of data for the development of the Treatment and the purposes pursued by it will fall on the personal data that is received and stored on the occasion of the completion of the Hotel Registration Card, the information provided to us by our guests, clients, visitors and will include all the information that is provided or provided when visiting the website www.ghlhoteles.com, as well as all that related to the services or reservations made, and the accommodation and lodging data provided physically or virtually.

Without prejudice to the fact that in some cases it is public data, the information collected and processed will be that corresponding to the name, identification document number, whether citizenship card, passport or any other valid one, profession, nationality, date of birth, email address, personal preferences and interests, work or activity, spending habits or travel habits. If a reservation is made through the website www.ghlhoteles.com, the information corresponding to the credit card provided for the purposes of the reservation and stay will be collected. 3.2- Treatment to which the data will be subjected and its purpose. The data and information obtained will be used in the normal course of your commercial activities only for the purpose established in these information processing policies, so as to create direct and effective communication with the guest, client or user. that leads to establishing a closer bond and consolidating a business relationship. The treatment consists of sending digital information through different means of communication, with the intention of contacting the owner to send service surveys after each stay that allow the rating of the service provided, and communicating invitations, offers, promotions. , portfolio of services or information of the Hotel or hotels "a GHL experience", without at any time your data being provided, transferred or delivered to persons other than or unrelated to those responsible or in charge of processing the information. Additionally, through data collection we seek to: make, process, process and/or complete reservations or purchases of hotel nights or other services; carry out internal studies on tourism habits; evaluate the quality of our services; send surveys and questionnaires regarding the services provided; promptly respond to your requests, requests or needs; communicate invitations, offers, promotions, and information in general, about the portfolio of services offered by natural or legal persons that are directly linked to the hotel operation and specifically to the services provided. The authorization for the use of the information or data provided that is collected, collected or stored in accordance with these policies expressly includes the authorization for the data and information to be shared, processed, transmitted, transferred, updated and/or deleted with the purpose defined in these policies, to be used in the established manner. By entering the website www.ghlhoteles.com you authorize your information and data to be shared with the tourism providers to whom you refer and with whom your reservations and/or requests are processed. It is assumed that all information or data provided or deposited in the Hotel Registration Card or through the website www.ghlhoteles.com is true, accurate and complete, and may be withdrawn at any time in the event in which it is consider harmful or detrimental to your interests or the interests of a third party. The data and in general the information that is received when you enter the website www.ghlhoteles.com may be both yours and the computer from which you are entering. In order to optimize and make your experience more efficient when visiting the page www.ghlhoteles.com, cookies and/or web beacons may be used, as well as information on the Internet pages visited, your IP address, the operating system of the computer from which you are entering, through a recognition and tracking process that allows identifying your preferences and identifying you when you visit the page again and storing certain records, based on your IP address. The IP address is not associated or linked to your name or personal data. 3.3.- Sensitive data and data corresponding to children and adolescents. In no event and under any circumstances will data considered sensitive be processed, nor is data collection aimed at collecting sensitive information. The collection of data corresponding to minor children and adolescents, and the respective authorization, must always be given through their legal representative, prior to the minor's exercise of his or her right to be heard. The processing of data corresponding to children and adolescents must respond to and respect the best interests of children and adolescents, and their fundamental rights. In the event that for some reason a question may lead to the answer regarding sensitive data or data of children and adolescents, the answer to such question will be optional. 3.4.- Duties of the person responsible for processing the information. Those responsible for the information, and/or responsible and in charge of the processing of personal data, are obliged to: a) Guarantee to the Owner, at all times, the full and effective exercise of the right of habeas data; b) Request and keep, under the conditions provided by law, a copy of the respective authorization granted by the Owner; c) Duly inform the Owner about the purpose of the collection and the rights granted to him by virtue of the authorization granted; d) Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access; e) Guarantee that the information provided to the Data Processor is true, complete, exact, updated, verifiable and understandable; f) Update the information, communicating in a timely manner to the Data Processor, all the news regarding the data that you have previously provided and adopt the other necessary measures so that the information provided to it remains updated; g) Rectify the information when it is incorrect and communicate the pertinent information to the Data Processor; h) Provide the Data Processor, as the case may be, only data whose Processing is previously authorized in accordance with the provisions of this law; i) Demand that the Data Processor at all times respect the security and privacy conditions of the Owner's information; j) Process queries and claims made in the terms indicated in the law; k) Inform the Data Processor when certain information is under discussion by the Owner, once the claim has been submitted and the respective process has not been completed; l) Inform at the request of the Owner about the use given to their data; m) Inform the data protection authority when violations of security codes occur and there are risks in the administration of the Owners' information. n) Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce. FOURTH: RIGHTS AND POWERS OF THE OWNER: 4.1.- Rights of the owner. Once authorization has been granted by the Owner for the corresponding treatment, he has the right to: a) Know, update and rectify his personal data. This right may be exercised against partial, inaccurate, incomplete, fragmented, misleading data, or those whose Processing is expressly prohibited or has not been authorized; b) Request proof of the authorization granted, except when it is expressly excepted as a requirement for Treatment, in accordance with the provisions of article 10 of law 1581 of 2012; c) Be informed by the person responsible and/or in charge of personal data, upon request, of the use that has been given to your personal data; d) Submit complaints to the Superintendency of Industry and Commerce for violations of the provisions of the law; e) Revoke the authorization and/or request the deletion of the data when the processing does not respect constitutional and legal principles, rights and guarantees. The revocation and/or suppression will proceed when the Superintendence of Industry and Commerce has determined that the Treatment has incurred conduct contrary to this law and the Constitution; f) Request, at all times, from the person responsible or in charge, the deletion of your personal data and/or revoke the authorization granted for the Treatment thereof, by submitting a claim, will not proceed when the Owner has a legal or contractual duty. to remain in the database. g) Access free of charge to your personal data that has been processed: (i) at least once every calendar month, and (ii) every time there are substantial modifications to the Information Processing Policies that motivate new queries. . In the case of requests whose frequency is greater than one for each calendar month, the person responsible and/or in charge may charge the Owner the costs of shipping, reproduction and, where appropriate, certification of documents. 4.2.- Legitimation for the exercise of the rights of the owner. The following people are also entitled to exercise the rights that assist the owner of the information: a). The owner himself, who must sufficiently prove his identity by the means made available to him by the person responsible; b). Their successors, who must prove such quality; c). The representative and/or attorney-in-fact of the Owner, prior accreditation of the representation or power of attorney; d). By stipulation in favor of another or for another; and). The rights of children or adolescents will be exercised by the people who are authorized to represent them, after accreditation of the power of representation. 4.3.- Procedure to exercise the rights to know, update, rectify or delete information and revoke authorization. The procedures for access, updating, deletion and rectification of personal data, and revocation of authorization, may be carried out through queries or complaints, addressed to the email contactenos@ghlhoteles.com or to the address Avenida Calle 72 No. 6 - 30 Bogotá, Colombia, according to the object pursued, establishing at least the legitimacy that is available to make the request and stating in a clear and concrete manner what is intended. All requests, suggestions and recommendations related to the processing of information must be sent to the email contactenos@ghlhoteles.com, and a response will be given no later than within ten (10) business days following receipt. The owner of the information or the legitimate person must accompany his/her writing with proof of the quality in which he/she acts, and must provide the data and documents necessary to account for his/her identity and quality. The email must specify the reason or object of the communication, and to do so it will be enough for the text to indicate that the right to know, update, rectify, delete or revoke the authorization granted is being exercised. 4.4.- Procedure for correcting, updating or deleting data and for submitting complaints and claims. Whoever is legitimized by law, and considers that the information contained must be corrected, updated or deleted; or when you consider that the treatment given to personal data violates legal regulations, you may submit, in accordance with article 15 of Law 1581 of 2012, complaints to the email contactenos@ghlhoteles.com. Complaints and claims will be processed under the following rules: 4.4.1.- The claim will be formulated by means of a request addressed to the Data Controller or the Data Processor, with the identification of the Owner, the description of the facts that give rise to the claim and the address, accompanying the documents that you want to assert. . If the claim is incomplete, the interested party will be required within five (5) business days following receipt of the claim to correct the deficiencies. After two (2) months from the date of the request, without the applicant presenting the required information, it will be understood that the claim has been abandoned. In the event that the person receiving the claim is not competent to resolve it, it will be transferred to the appropriate party within a maximum period of two (2) business days and the interested party will be informed of the situation. 4.4.2.- Once the complete claim is received, a legend that says "claim in process" and the reason for it will be included in the database, within a period of no more than two (2) business days. Said legend must be maintained until the claim is decided. 4.4.3.- The maximum term to address the claim will be fifteen (15) business days counted from the day following the date of receipt. When it is not possible to address the claim within said term, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term. 4.5.- Consultation and access to information. Personal data queries will be answered by written request via email contactenos@ghlhoteles.com. Queries will be answered within a maximum period of ten (10) business days from the date of receipt. When it is not possible to attend to the query within said term, the interested party will be informed before the expiration of ten (10) business days, expressing the reasons for the delay and indicating the date on which the query will be attended to, which in no case may exceed five (5) business days following the expiration of the first term. FIFTH: SECURITY. 5.1.- Security in the management of information. The data collected will always be treated within a framework of confidentiality, so it will not be provided, transferred or delivered to persons other than or unrelated to those responsible or in charge of the treatment. 5.2.- Data transfer and transmission. In the event that a contract is signed with a third party who is professional and experienced in the management and use of databases, the person responsible will sign the contract for the transmission of personal data referred to in article 25 of decree 1377 of 2013. SIXTH: DISSEMINATION AND VALIDITY. 6.1.- Means of dissemination of the information processing policies and the privacy notice. This document, which establishes the policies for processing information on personal data collected, will be permanently published on the link www.ghlhoteles.com so that it can be consulted by whoever is interested. When requesting the Owner's express authorization for data processing, you will be informed of the specific purposes for which consent is obtained and you will be made aware of the Treatment Policy and the rights that assist you as the Owner. 6.2.- Entry into force of the information processing policies. The collection, storage, use and circulation of personal data, in development of the considerations established here, will be carried out and maintained as long as the needs and purposes established and proposed by the Treatment remain in force. If the purpose cannot be achieved through the Processing of personal data, they will be permanently deleted from the database. This document comes into force on February 22, 2016. 6.3.- Procedure for policy modification events. In the event that modifications are made to the personal data processing policies established here, they will be notified and communicated through this same website, prior to their entry into force. 6.4.- Incorporation of the conditions of use of the website www.ghlhoteles.com. In accordance with applicable regulations, the information processing policy is an integral part of the terms and conditions of use of the website www.ghlhoteles.com. 6.5. - Responsible for information. The company LOGÍSTICA GHL SOCIEDAD POR ACCIONES SIMPLIFICADA, with NIT 90076001-06, is responsible and in charge of processing personal data. The companies will be responsible for the information and personal data collected. When the information has been received or collected by any of the companies listed, with express authorization to be transferred, LOGÍSTICA GHL SOCIEDAD POR ACCIONES SIMPLIFICADA will be responsible for the treatment. Any communication can be directed to Calle 72 # 6-30, 13th floor of Bogotá, or to the email contactenos@ghlhoteles.com. PROCESSING POLICIES OF PERSONAL INFORMATION OF SUPPLIERS FIRST: GENERALITIES In developing our commercial relationships, we have a special interest in protecting and respecting your information and personal data and that is why we have designed these information processing policies, within the framework of law 1581 of 2012 and regulatory decree 1377 of 2013. 1.1.- Introduction. The GHL SAS Logistics company and the affiliated companies, operators of the “a GHL experience” hotels and responsible for the processing of the information, may collect personal data from their suppliers, and in general from whoever sells them goods or services, in the development of the commercial relationship to facilitate its execution and seek the greatest possible efficiency. The collection will be done under the express authorization of the data owner and the processing of the data will be subject to the provisions of the law and this policy. Personal information may be collected directly from suppliers or from the information contained in the certificate of existence and legal representation issued by the Chamber of Commerce, in the RUT, in contracts, quotes, proposals, invoices, purchase orders and in general. in any document that corresponds to the commercial relationship. It will be understood that the Information Owner has accepted the terms and conditions of these policies when issuing the proposal or quote and/or when signing the corresponding contract or equivalent document. 1.2- General principles. The obtaining and collection of personal data, as well as the use, treatment, processing, exchange, transfer and transmission of these, will always be guided by principles of legality, freedom, veracity, transparency, security, confidentiality, principle of access and circulation. restricted. 1.3- Legal definitions. In accordance with Law 1581 of 2012 and Decree 1377 of 2013, the following definitions will govern the personal information processing policies. 1.3.1.- Authorization: Prior, express and informed consent of the Owner to carry out the Processing of personal data. 1.3.2.- Database: Organized set of personal data that is subject to Treatment; 1.3.3.- Personal data: Any information linked or that can be associated with one or several specific or determinable natural persons; 1.3.4.- Data Processor: The data processor is the natural or legal person, public or private, who, by themselves or in association with others, carries out the Processing of personal data on behalf of the Data Controller; 1.3.5.- Responsible for the Treatment: The person responsible for the treatment is the natural or legal person, public or private, who, by themselves or in association with others, decides on the database and/or the Processing of the data. ; 1.3.6.- Sensitive data: Sensitive data is understood to mean data that affects the privacy of the Owner or whose improper use may lead to discrimination, such as data that reveals racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social organizations, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data. . 1.3.7.- Public data: It is data that is not semi-private, private or sensitive. Public data are considered, among others, data relating to the marital status of people, their profession or trade, and their status as a merchant or public servant. Due to its nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins, and duly executed judicial rulings that are not subject to confidentiality. 1.3.8.- Owner: Natural person whose personal data is the subject of Treatment. 1.3.9.- Transfer: The transfer of data takes place when the Controller and/or Person in Charge of the Processing of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is Responsible for the Treatment and is located inside or outside the country. 1.3.10- Transmission: Processing of personal data that implies the communication of the same within or outside the territory of the Republic of Colombia when its purpose is to carry out a Processing by the Processor on behalf of the Controller. 1.3.11.- Treatment: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion. SECOND: AUTHORIZATION OF THE OWNER: The data provided will be subject to authorized processing, granted in advance, expressly and informed by the Owner thereof. By providing your data to carry out the legal transaction corresponding to the purchase of goods or services, you are authorizing the processing under the terms and conditions established in this policy. In any case, data collection will be limited to those personal data that are relevant and appropriate for the purpose pursued. THIRD: INFORMATION PROCESSING: 3.1- Data collected. The collection of data for the development of the Treatment and the purposes pursued by it will fall on the personal data received in the development or execution of the commercial relationship between the parties and specifically those received with respect to the purchase of goods or services. Without prejudice to the fact that in some cases it is public data, the information collected and processed will be that corresponding to the name, identification number (NIT, citizenship card, passport), contact information such as telephone number, physical address, email address. electronic, the information contained in the RUT, type of goods or services offered, category in which it is located, economic activity, commercial and personal references, bank references, bank account numbers for payments, and all the information that is necessary to comply with the contractually assumed obligations, with the legal obligations and with the correct execution and development of the commercial relationship between the parties. 3.2- Treatment to which the data will be subjected and its purpose. The data and information obtained will be used in the normal course of your commercial activities only for the purpose established in these information processing policies, so that the commercial relationship and as such the acquisition of food and goods and the provision of the services that are contracted are executed and developed properly. The treatment that will be given to the data consists of the management and disposition of the data to have the information that allows the administrative and accounting management of the suppliers to be carried out; control over the status of payments, balances, discounts; managing the inventory of purchased goods; attention to and compliance with fiscal, tax, legal and any other requirements with national, district or municipal government entities; the categorization and classification of the supplier according to the goods or services offered, price, quality; support internal or external audit processes. The authorization for the use of the information or data provided that is collected, collected or stored in accordance with these policies expressly includes the authorization for the data and information to be shared, processed, transmitted, transferred, updated and/or deleted with the purpose defined in these policies, to be used in the established manner. 3.3.- Sensitive data and data corresponding to children and adolescents. In no event and under any circumstances will data considered sensitive or data corresponding to children or adolescents be processed. The collection of data from providers is not aimed at collecting sensitive information or information from children or adolescents.

3.4.- Duties of the person responsible for processing the information. Those responsible for the information, and/or responsible and in charge of the processing of personal data, are obliged to: a) Guarantee to the Owner, at all times, the full and effective exercise of the right of habeas data; b) Request and keep, under the conditions provided by law, a copy of the respective authorization granted by the Owner; c) Duly inform the Owner about the purpose of the collection and the rights granted to him by virtue of the authorization granted; d) Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access; e) Guarantee that the information provided to the Data Processor is true, complete, exact, updated, verifiable and understandable; f) Update the information, communicating in a timely manner to the Data Processor, all the news regarding the data that you have previously provided and adopt the other necessary measures so that the information provided to it remains updated; g) Rectify the information when it is incorrect and communicate the pertinent information to the Data Processor; h) Provide the Data Processor, as the case may be, only data whose Processing is previously authorized in accordance with the provisions of this law; i) Demand that the Data Processor at all times respect the security and privacy conditions of the Owner's information; j) Process queries and claims made in the terms indicated in the law; k) Inform the Data Processor when certain information is under discussion by the Owner, once the claim has been submitted and the respective process has not been completed; l) Inform at the request of the Owner about the use given to their data; m) Inform the data protection authority when violations of security codes occur and there are risks in the administration of the Owners' information. n) Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce. FOURTH: RIGHTS AND POWERS OF THE OWNER: 4.1.- Rights of the owner. Once authorization has been granted by the Owner for the corresponding treatment, he has the right to: a) Know, update and rectify his personal data. This right may be exercised against partial, inaccurate, incomplete, fragmented, misleading data, or those whose Processing is expressly prohibited or has not been authorized; b) Request proof of the authorization granted, except when it is expressly excepted as a requirement for Treatment, in accordance with the provisions of article 10 of law 1581 of 2012; c) Be informed by the person responsible and/or in charge of personal data, upon request, of the use that has been given to your personal data; d) Submit complaints to the Superintendency of Industry and Commerce for violations of the provisions of the law; e) Revoke the authorization and/or request the deletion of the data when the processing does not respect constitutional and legal principles, rights and guarantees. The revocation and/or suppression will proceed when the Superintendence of Industry and Commerce has determined that the Treatment has incurred conduct contrary to this law and the Constitution; f) Request, at all times, from the person responsible or in charge, the deletion of your personal data and/or revoke the authorization granted for the Treatment thereof, by submitting a claim, will not proceed when the Owner has a legal or contractual duty. to remain in the database. g) Access free of charge to your personal data that has been processed: (i) at least once every calendar month, and (ii) every time there are substantial modifications to the Information Processing Policies that motivate new queries. . In the case of requests whose frequency is greater than one for each calendar month, the person responsible and/or in charge may charge the Owner the costs of shipping, reproduction and, where appropriate, certification of documents. 4.2.- Legitimation for the exercise of the rights of the owner. The following people are also entitled to exercise the rights that assist the owner of the information: a). The owner himself, who must sufficiently prove his identity by the means made available to him by the person responsible; b). Their successors, who must prove such quality; c). The representative and/or attorney-in-fact of the Owner, prior accreditation of the representation or power of attorney; d). By stipulation in favor of another or for another. 4.3.- Procedure to exercise the rights to know, update, rectify or delete information and revoke authorization. The procedures for access, updating, deletion and rectification of personal data, and revocation of authorization, may be carried out through queries or complaints, addressed to the email contactenos@ghlhoteles.com or to the address Avenida Calle 72 No. 6 - 30 Bogotá, Colombia, according to the object pursued, establishing at least the legitimacy that is available to make the request and stating in a clear and concrete manner what is intended. All requests, suggestions and recommendations related to the processing of information must be sent to the email contactenos@ghlhoteles.com and a response will be given no later than within ten (10) business days following receipt. The owner of the information or the legitimate person must accompany his/her writing with proof of the quality in which he/she acts, and must provide the data and documents necessary to account for his/her identity and quality. The email must specify the reason or object of the communication, and to do so it will be enough for the text to indicate that the right to know, update, rectify, delete or revoke the authorization granted is being exercised. 4.4.- Procedure for correcting, updating or deleting data and for submitting complaints and claims. Whoever is legitimized by law, and considers that the information contained must be corrected, updated or deleted; or when you consider that the treatment given to personal data violates legal regulations, you may submit, in accordance with article 15 of Law 1581 of 2012, complaints to the email contactenos@ghlhoteles.com. Complaints and claims will be processed under the following rules: 4.4.1.- The claim will be formulated by means of a request addressed to the Data Controller or the Data Processor, with the identification of the Owner, the description of the facts that give rise to the claim and the address, accompanying the documents that you want to assert. . If the claim is incomplete, the interested party will be required within five (5) business days following receipt of the claim to correct the deficiencies. After two (2) months from the date of the request, without the applicant presenting the required information, it will be understood that the claim has been abandoned. In the event that the person receiving the claim is not competent to resolve it, it will be transferred to the appropriate party within a maximum period of two (2) business days and the interested party will be informed of the situation. 4.4.2.- Once the complete claim is received, a legend that says "claim in process" and the reason for it will be included in the database, within a period of no more than two (2) business days. Said legend must be maintained until the claim is decided. 4.4.3.- The maximum term to address the claim will be fifteen (15) business days counted from the day following the date of receipt. When it is not possible to address the claim within said term, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term. 4.5.- Consultation and access to information. Queries regarding personal data contained in the database will be answered by written request via email contactenos@ghlhoteles.com. Queries will be answered within a maximum period of ten (10) business days from the date of receipt. When it is not possible to attend to the query within said term, the interested party will be informed before the expiration of ten (10) business days, expressing the reasons for the delay and indicating the date on which the query will be attended to, which in no case may exceed five (5) business days following the expiration of the first term. FIFTH: SECURITY. 5.1.- Security in the management of information. The data collected will always be treated within a framework of confidentiality, so it will not be provided, transferred or delivered to persons other than or unrelated to those responsible or in charge of the treatment. 5.2.- Data transfer and transmission. In the event that a contract is signed with a third party who is professional and experienced in the management and use of databases, the person responsible will sign the contract for the transmission of personal data referred to in article 25 of decree 1377 of 2013. SIXTH: DISSEMINATION AND VALIDITY. 6.1.- Means of dissemination of the information processing policies and the privacy notice. This document, which establishes the policies for processing information on personal data collected, will be permanently published on the link www.ghlhoteles.com so that it can be consulted by whoever is interested. When requesting the Owner's express authorization for data processing, you will be informed of the specific purposes for which consent is obtained and you will be made aware of the Treatment Policy and the rights that assist you as the Owner. 6.2.- Entry into force of the information processing policies. The collection, storage, use and circulation of personal data, in development of the considerations established here, will be carried out and maintained as long as the needs and purposes established and proposed by the Treatment remain in force. If the purpose cannot be achieved through the Processing of personal data, they will be permanently deleted from the database. This document comes into force on February 22, 2016. 6.3.- Procedure for policy modification events. In the event that modifications are made to the personal data processing policies established here, they will be notified and communicated through this same website, prior to their entry into force. 6.4.- Incorporation of the conditions of use of the website www.ghlhoteles.com. In accordance with applicable regulations, the information processing policy is an integral part of the terms and conditions of use of the website www.ghlhoteles.com. 6.5. - Responsible for information. The company LOGÍSTICA GHL SOCIEDAD POR ACCIONES SIMPLIFICADA, with NIT 90076001-06, is responsible and in charge of processing personal data. The companies will be responsible for the information and personal data collected. When the information has been received or collected by any of the companies listed, with express authorization to be transferred, LOGÍSTICA GHL SOCIEDAD POR ACCIONES SIMPLIFICADA will be responsible for the treatment. Any communication can be directed to Calle 72 # 6-30, 13th floor of Bogotá, or to the email contactenos@ghlhoteles.com. POLICIES FOR THE PROCESSING OF PERSONAL INFORMATION OF EMPLOYEES, OFFICERS AND COLLABORATORS FIRST: GENERALITIES In developing our commercial relationships, we have a special interest in protecting and respecting your information and personal data and that is why we have designed these information processing policies, within the framework of law 1581 of 2012 and regulatory decree 1377 of 2013. 1.1.- Introduction. The GHL SAS Logistics company and the affiliated companies that operate the “a GHL experience” hotels and those responsible for processing the information may collect personal data from their employees, officials and/or collaborators, regardless of the contractual relationship and nature. The collection will be done under the express authorization of the data owner and the processing of the data will be subject to the provisions of the law and this policy. Personal information will be collected directly from employees, officers and/or collaborators and will be related to the activity they carry out. 1.2- General principles. The obtaining and collection of personal data, as well as the use, treatment, processing, exchange, transfer and transmission of these, will always be guided by principles of legality, freedom, veracity, transparency, security, confidentiality, principle of access and circulation. restricted. 1.3- Legal definitions. In accordance with Law 1581 of 2012 and Decree 1377 of 2013, the following definitions will govern the personal information processing policies. 1.3.1.- Authorization: Prior, express and informed consent of the Owner to carry out the Processing of personal data. 1.3.2.- Database: Organized set of personal data that is subject to Treatment; 1.3.3.- Personal data: Any information linked or that can be associated with one or several specific or determinable natural persons; 1.3.4.- Data Processor: The data processor is the natural or legal person, public or private, who, by themselves or in association with others, carries out the Processing of personal data on behalf of the Data Controller; 1.3.5.- Responsible for the Treatment: The person responsible for the treatment is the natural or legal person, public or private, who, by themselves or in association with others, decides on the database and/or the Processing of the data. ; 1.3.6.- Sensitive data: Sensitive data is understood to mean data that affects the privacy of the Owner or whose improper use may lead to discrimination, such as data that reveals racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social organizations, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data. . 1.3.7.- Public data: It is data that is not semi-private, private or sensitive. Public data are considered, among others, data relating to the marital status of people, their profession or trade, and their status as a merchant or public servant. Due to its nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins, and duly executed judicial rulings that are not subject to confidentiality. 1.3.8.- Owner: Natural person whose personal data is the subject of Treatment. 1.3.9.- Transfer: The transfer of data takes place when the Controller and/or Person in Charge of the Processing of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is Responsible for the Treatment and is located inside or outside the country 1.3.10- Transmission: Processing of personal data that implies the communication of the same within or outside the territory of the Republic of Colombia when its purpose is to carry out a Processing by the Processor on behalf of the Controller. 1.3.11.- Treatment: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion. SECOND: AUTHORIZATION OF THE OWNER: The data provided will be subject to authorized processing, granted in advance, expressly and informed by the Owner thereof. . In any case, data collection will be limited to those personal data that are relevant and appropriate for the purpose pursued. THIRD: INFORMATION PROCESSING: 3.1- Data collected. The collection of data for the development of the Treatment and the purposes pursued by it will fall on the personal data received in the development or execution of the relationship between the parties. Without prejudice to the fact that in some cases it is public data, the information collected and processed will be that corresponding to that provided in the resume, name, citizenship card or passport number, academic experience, professional experience, related information. with the execution of the contractual relationship, that corresponding to the management of salary payments, remuneration fees, social security as the case may be, and that corresponding to basic health data such as HR or allergies in cases in which such is provided. information. 3.2- Treatment to which the data will be subjected and its purpose. The data and information obtained will be used only for the purpose established in these information processing policies. The treatment that will be given to the data consists of the management and disposition of the data to have the information that allows advancing the activities, processes and procedures of human talent; to establish payroll status; fees or any other remuneration, as the case may be; to manage the information corresponding to social security and family compensation funds; to meet the information requirements of government entities and comply with legal reporting obligations in fiscal, tax and any other nature; support internal or external audit processes; maintain efficient communication with employees, officials or collaborators; manage and report changes that may occur in the development of the contractual relationship; conduct internal studies on habits; Allow employee access to computing resources. The authorization for the use of the information or data provided that is collected, collected or stored in accordance with these policies expressly includes the authorization for the data and information to be shared, processed, transmitted, transferred, updated and/or deleted with the purpose defined in these policies, to be used in the established manner. 3.3.- Sensitive data and data corresponding to children and adolescents. In no event and under any circumstances will data considered sensitive or data corresponding to children or adolescents be processed. The collection of data from employees, officials or collaborators is not aimed at collecting sensitive information or information from children or adolescents. 3.4.- Duties of the person responsible for processing the information. Those responsible for the information, and/or responsible and in charge of the processing of personal data, are obliged to: a) Guarantee to the Owner, at all times, the full and effective exercise of the right of habeas data; b) Request and keep, under the conditions provided by law, a copy of the respective authorization granted by the Owner; c) Duly inform the Owner about the purpose of the collection and the rights granted to him by virtue of the authorization granted; d) Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access; e) Guarantee that the information provided to the Data Processor is true, complete, exact, updated, verifiable and understandable; f) Update the information, communicating in a timely manner to the Data Processor, all the news regarding the data that you have previously provided and adopt the other necessary measures so that the information provided to it remains updated; g) Rectify the information when it is incorrect and communicate the pertinent information to the Data Processor; h) Provide the Data Processor, as the case may be, only data whose Processing is previously authorized in accordance with the provisions of this law; i) Demand that the Data Processor at all times respect the security and privacy conditions of the Owner's information; j) Process queries and claims made in the terms indicated in the law; k) Inform the Data Processor when certain information is under discussion by the Owner, once the claim has been submitted and the respective process has not been completed; l) Inform at the request of the Owner about the use given to their data; m) Inform the data protection authority when violations of security codes occur and there are risks in the administration of the Owners' information. n) Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce. FOURTH: RIGHTS AND POWERS OF THE OWNER: 4.1.- Rights of the owner. Once authorization has been granted by the Owner for the corresponding treatment, he has the right to: a) Know, update and rectify his personal data. This right may be exercised against partial, inaccurate, incomplete, fragmented, misleading data, or those whose Processing is expressly prohibited or has not been authorized; b) Request proof of the authorization granted, except when it is expressly excepted as a requirement for Treatment, in accordance with the provisions of article 10 of law 1581 of 2012; c) Be informed by the person responsible and/or in charge of personal data, upon request, of the use that has been given to your personal data; d) Submit complaints to the Superintendency of Industry and Commerce for violations of the provisions of the law; e) Revoke the authorization and/or request the deletion of the data when the processing does not respect constitutional and legal principles, rights and guarantees. The revocation and/or suppression will proceed when the Superintendence of Industry and Commerce has determined that the Treatment has incurred conduct contrary to this law and the Constitution; f) Request, at all times, from the person responsible or in charge, the deletion of your personal data and/or revoke the authorization granted for the Treatment thereof, by submitting a claim, will not proceed when the Owner has a legal or contractual duty. to remain in the database. g) Access free of charge to your personal data that has been processed: (i) at least once every calendar month, and (ii) every time there are substantial modifications to the Information Processing Policies that motivate new queries. . In the case of requests whose frequency is greater than one for each calendar month, the person responsible and/or in charge may charge the Owner the costs of shipping, reproduction and, where appropriate, certification of documents. 4.2.- Legitimation for the exercise of the rights of the owner. The following people are also entitled to exercise the rights that assist the owner of the information: a). The owner himself, who must sufficiently prove his identity by the means made available to him by the person responsible; b). Their successors, who must prove such quality; c). The representative and/or attorney-in-fact of the Owner, prior accreditation of the representation or power of attorney; d). By stipulation in favor of another or for another. 4.3.- Procedure to exercise the rights to know, update, rectify or delete information and revoke authorization. The procedures for access, updating, deletion and rectification of personal data, and revocation of authorization, may be carried out through queries or complaints, addressed to the email contactenos@ghlhoteles.com or to the address Avenida Calle 72 No. 6 - 30 Bogotá, Colombia. according to the object they pursue, establishing at least the legitimacy that is available to make the request and stating in a clear and concrete manner what is intended. All requests, suggestions and recommendations related to the processing of information must be sent to the email contactenos@ghlhoteles.com, and a response will be given no later than within ten (10) business days following receipt. The owner of the information or the legitimate person must accompany his/her writing with proof of the quality in which he/she acts, and must provide the data and documents necessary to account for his/her identity and quality. The email must specify the reason or object of the communication, and to do so it will be enough for the text to indicate that the right to know, update, rectify, delete or revoke the authorization granted is being exercised. 4.4.- Procedure for correcting, updating or deleting data and for submitting complaints and claims. Whoever is legitimized by law, and considers that the information contained must be corrected, updated or deleted; or when you consider that the treatment given to personal data violates legal regulations, you may submit, in accordance with article 15 of Law 1581 of 2012, complaints to the email contactenos@ghlhoteles.com. Complaints and claims will be processed under the following rules: 4.4.1.- The claim will be formulated by means of a request addressed to the Data Controller or the Data Processor, with the identification of the Owner, the description of the facts that give rise to the claim and the address, accompanying the documents that you want to assert. . If the claim is incomplete, the interested party will be required within five (5) business days following receipt of the claim to correct the deficiencies. After two (2) months from the date of the request, without the applicant presenting the required information, it will be understood that the claim has been abandoned. In the event that the person receiving the claim is not competent to resolve it, it will be transferred to the appropriate party within a maximum period of two (2) business days and the interested party will be informed of the situation. 4.4.2.- Once the complete claim is received, a legend that says "claim in process" and the reason for it will be included in the database, within a period of no more than two (2) business days. Said legend must be maintained until the claim is decided. 4.4.3.- The maximum term to address the claim will be fifteen (15) business days counted from the day following the date of receipt. When it is not possible to address the claim within said term, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term. 4.5.- Consultation and access to information. Queries regarding personal data contained in the database will be answered by written request via email contactenos@ghlhoteles.com. Queries will be answered within a maximum period of ten (10) business days from the date of receipt. When it is not possible to attend to the query within said term, the interested party will be informed before the expiration of ten (10) business days, expressing the reasons for the delay and indicating the date on which the query will be attended to, which in no case may exceed five (5) business days following the expiration of the first term. FIFTH: SECURITY. 5.1.- Security in the management of information. The data collected will always be treated within a framework of confidentiality, so it will not be provided, transferred or delivered to persons other than or unrelated to those responsible or in charge of the treatment. 5.2.- Data transfer and transmission. In the event that a contract is signed with a third party who is professional and experienced in the management and use of databases, the person responsible will sign the contract for the transmission of personal data referred to in article 25 of decree 1377 of 2013. SIXTH: DISSEMINATION AND VALIDITY. 6.1.- Means of dissemination of the information processing policies and the privacy notice. This document, which establishes the policies for processing information on personal data collected, will be permanently published on the link www.ghlhoteles.com so that it can be consulted by whoever is interested. When requesting the Owner's express authorization for data processing, you will be informed of the specific purposes for which consent is obtained and you will be made aware of the Treatment Policy and the rights that assist you as the Owner. 6.2.- Entry into force of the information processing policies. The collection, storage, use and circulation of personal data, in development of the considerations established here, will be carried out and maintained as long as the needs and purposes established and proposed by the Treatment remain in force. If the purpose cannot be achieved through the Processing of personal data, they will be permanently deleted from the database. This document comes into force on February 22, 2014. 6.3.- Procedure for policy modification events. In the event that modifications are made to the personal data processing policies established here, they will be notified and communicated through this same website, prior to their entry into force. 6.4.- Incorporation of the conditions of use of the website www.ghlhoteles.com. In accordance with applicable regulations, the information processing policy is an integral part of the terms and conditions of use of the website www.ghlhoteles.com. 6.5. - Responsible for information. The company LOGÍSTICA GHL SOCIEDAD POR ACCIONES SIMPLIFICADA, with NIT 90076001-06, is responsible and in charge of processing personal data. The companies will be responsible for the information and personal data collected. When the information has been received or collected by any of the companies listed, with express authorization to be transferred, LOGÍSTICA GHL SOCIEDAD POR ACCIONES SIMPLIFICADA will be responsible for the treatment. Any communication can be directed to Calle 72 # 6-30, 13th floor of Bogotá, or to the email contactenos@ghlhoteles.com.