DATA PROTECTION LAW

• Personal database.Es todo conjunto organizado de datos de carácter personal, cualquiera que fuere la forma o modalidad de su creación, almacenamiento, organización y acceso.
• Automated database.It is the organized set of personal data that are created, processed and/or stored through computer programs or software.
• Non-automated database.It is the organized set of personal data that are created, processed and/or stored manually, in the absence of computer programs or software.
• Transfer of data
  Processing of data that involves its disclosure to a person other than the data owner or other than the person who is authorized as the transferee.
• Custodian of database. It is the natural person who has custody of the personal database within SUAREZ.
• Personal data.It is any data and/or information that identifies a natural person or makes him/her identifiable. It can be numerical, alphabetical, graphic, visual, biometric, auditory, profiling or any other type of data.
• Sensitive personal data.It is a special category of personal data specially protected, because it concerns health, sex, political affiliation, race or ethnic origin, biometric fingerprints, among others, which are part of the intimate being of the person and can be collected only with the express and informed consent of the owner and in the cases provided by law.
• Data Processor.It is the natural or legal person, public or private authority, which by itself or in association with others, performs the processing of personal data on behalf of the controller.
• Sources accessible to the public.Refers to those databases containing personal data that may be consulted by any person, which may or may not include the payment of a fee in exchange for the service of access to such data. Telephone directories, industry or sectorial directories, among others, have this condition of sources accessible to the public, as long as the information is limited to personal data of a general nature or containing legal generalities. The printed media, official gazette and other means of communication shall have this status.
• Habeas Data.The fundamental right of every person to know, update, rectify and/or cancel the information and personal data collected and/or processed in public or private databases, in accordance with the provisions of the law and other applicable regulations.
• Procedure for analysis and creation of information.It is the creation of information regarding a person, from the analysis and processing of personal data collected and authorized, for the purpose of analyzing and extracting profiles or behavioral habits, which generate an added value on the information obtained from the owner of each personal data.
• Dissociation procedure.Refers to any processing of personal data in such a way that the information obtained cannot be associated with an identified or identifiable person.
  Principles for data processing are the fundamental rules, of legal and/or jurisprudential order, that inspire and guide the processing of personal data, from which actions and criteria are determined to solve the possible collision between the right to privacy, habeas data and protection of personal data with the right to information.
• Database owner.In SUAREZ business processes, the owner of the database is the area that has under its responsibility the treatment of them, manages them and has them under its control. The concept of database owner shall be understood in the terms of ISO 27001.
• Responsible for the treatment.It is the natural or legal person, of public or private nature, who collects personal data and decides on the purpose, content and use of the database for processing.
  Personal data subject is the natural person whose data are subject to processing. With respect to legal persons, the name is predicated as a constitutionally protected fundamental right.
• Data processing.Any operation or set of operations and technical procedures, whether automated or not, performed on personal data such as collection, recording, storage, conservation, use, circulation, modification, blocking, cancellation, among others.
  It is the natural or legal person who has an interest in the use of personal information.
• Violation of personal data.It is the crime created by Law 1273 of 2009, contained in Article 269 F of the Colombian Criminal Code. The criminal offense is as follows: "Whoever, without being authorized to do so, for his own benefit or that of a third party, obtains, compiles, subtracts, offers, sells, exchanges, sends, buys, intercepts, discloses, modifies or uses personal codes, personal data contained in files, archives, databases or similar means, shall incur a prison sentence of forty-eight (48) to ninety-six (96) months and a fine of 100 to 1000 legal monthly minimum wages in force".

This Standard adopts and establishes the rules applicable to the processing of personal data collected, processed and / or stored by SUAREZ in the development of its corporate purpose either as responsible and / or in charge of the treatment.

The rules contained in this Standard are issued in compliance with the provisions of Article 15 of the Political Constitution of Colombia and Law 1581 of 2012, regarding the guarantee of privacy of individuals, exercise of habeas data and protection of personal data, in accordance with the right to information, so that these rights are regulated proportionally in SUAREZ and can prevent the violation of them.

The rules adopted in this standard by SUAREZ are consistent with international standards on protection of personal data.

The provisions contained in this Standard shall apply to the processing of personal data carried out in Colombian territory, or when the controller and/or processor is located outside Colombian territory, under international treaties, contractual relations, among others.

The principles and provisions contained in this standard of security of personal information, shall apply to any personal database that is in custody of SUAREZ, either as responsible and / or in charge of the treatment.

All SUAREZ organizational processes involving the processing of personal data, shall be subject to the provisions of this Standard.

This Standard shall apply to and thereby bind the following persons:

• 1.Legal representative.
• 2.SUAREZ internal staff, managerial or not, who have custody and treat personal databases.
• 3.Contractors and natural or legal persons who provide their services to SUAREZ under any type of contractual modality, under which any processing of personal data is made. This provision must be included in all contracts.
  Those other persons with whom there is a legal relationship of statutory order, contractual, among others.
• 4.Public and private persons as users of personal data.
• 5.Other persons established by law.

The protection of personal data in SUAREZ will be subject to the following principles or fundamental rules based on which the internal processes related to the processing of personal data will be determined; such principles will be interpreted in a harmonious, comprehensive and systematic manner to resolve conflicts that arise in this area; the principles applicable to these rules are those enshrined in international standards, in Colombian law and in the jurisprudence of the Constitutional Court that has developed the fundamental rights related to personal data in addition to the following.

5.1. Informed consent or principle of freedom.
The processing of personal data within SUAREZ, can only be done with the prior, express and informed consent of the holder. Personal data may not be obtained, processed or disclosed without the authorization of the holder, except by legal or judicial mandate that supersedes the consent of the holder.

5.2. Legality.
The processing of personal data in Colombia is a regulated activity and therefore the business processes and recipients of Law 1581 of 2012 must be subject to its provisions.

5.3. Purpose of the data.The processing of personal data must obey a legitimate purpose, in accordance with the Political Constitution and the law, which must be informed in a concrete, precise and prior manner to the owner so that he/she may express his/her consent.

5.4. Quality or veracity of the data.
The personal data collected by SUAREZ must be truthful, complete, accurate, verifiable, understandable and kept up to date. The processing of partial, fractional, incomplete or misleading data is prohibited.

5.5. Transparency.
In the processing of personal data, the holder's right to obtain and know from the data controller and/or data processor, at any time and without restrictions, information about the existence of data concerning him/her shall be guaranteed.

5.6. Relevance of the data.
The personal data collected by SUAREZ must be adequate, relevant and not excessive, taking into account the purpose of the treatment and / or database. The collection of personal data disproportionate to the purpose for which they are obtained is prohibited.

5.7. Restricted access and circulation.
The personal data collected or treated by SUAREZ will be used by SUAREZ only within the scope of the purpose and authorization granted by the owner of the personal data, therefore, may not be accessed, transferred, transferred or communicated to third parties.

Personal data in the custody of SUAREZ may not be available on the Internet or any other means of mass dissemination, unless access is technically controllable and secure, the above in order to provide restricted knowledge only to holders or authorized third parties as provided by law.

5.8. Temporality of the data.
Exhausted the purpose for which the personal data was collected and / or treated, SUAREZ must cease its use and therefore take appropriate security measures to that end.

5.9. Data security.
SUAREZ, as responsible or in charge of the processing of personal data, as appropriate, will adopt the physical, technological and/or administrative security measures necessary to ensure the attributes of integrity, authenticity and reliability of personal data. SUAREZ, according to the classification of personal data, will implement security measures of high, medium or low level, applicable as appropriate, in order to prevent tampering, loss, leakage, consultation, use or unauthorized or fraudulent access.

5.10. Confidentiality.
SUAREZ and all persons involved in the processing of personal data, have a professional obligation to keep and maintain the confidentiality of such data, an obligation that subsists even after the end of the contractual relationship. SUAREZ will implement, in its contractual relationships, data protection clauses in this regard.

5.11. Duty of information.
SUAREZ will inform the holders of personal data, as well as those responsible and in charge of the treatment, the data protection regime adopted by the organization, as well as the purpose and other principles governing the processing of this data. It will also inform about the existence of the personal data bases it keeps, the rights and the exercise of habeas data by the owners, proceeding to the registration required by law.

5.12. Special protection of sensitive data.
SUAREZ will only collect personal data of a sensitive nature when it is necessary and relevant for the development of its corporate purpose. In each case it must obtain express authorization from the owner, or verify that its treatment originates and legitimizes within the framework of a contractual and / or business relationship, or comes from legal authorization. Sensitive personal information that may be obtained from a personnel selection process will be protected through high security measures.

The holders of personal data contained in databases that rest in the information systems of SUAREZ, have the rights described in this section in compliance with the fundamental guarantees enshrined in the Constitution and the law.

The exercise of these rights will be free and unlimited by the owner of the personal data, without prejudice to legal provisions regulating the exercise thereof.

The exercise of Habeas Data, expressed in the following rights, constitutes a very personal power and shall correspond to the owner of the data in the first place, except for the exceptions provided by law.

6.1. Right of access.
This right includes the right of the data owner to obtain all the information regarding his own personal data, whether partial or complete, the processing applied to them, the purpose of the processing, the location of the databases containing his personal data and the communications and/or transfers made with respect to them, whether authorized or not.

6.2. Right to update.
This right includes the right of the data owner to update his personal data when they have undergone any change.

6.3. Right of rectification.
This right includes the right of the data owner to modify the data that turn out to be inaccurate, incomplete or non-existent.

Right of cancellation.
This right includes the right of the data owner to cancel his personal data or delete them when they are excessive, irrelevant or the processing is contrary to the rules, except in those cases provided for as exceptions by law or contractually agreed otherwise.

6.5. Right to revoke consent.
The holder of the personal data has the right to revoke the consent or authorization that enables SUAREZ for a treatment for a particular purpose, except in those cases provided as exceptions by law or contractually agreed otherwise.

6.6. Right of opposition.
This right includes the right of the data owner to oppose the processing of their personal data, except in cases where such right does not apply by law or because it violates general interests overriding the particular interest. The Legal Department of SUAREZ, based on the legitimate rights argued by the owner of the personal data, will make the relevant decision.

6.7. Right to file complaints and claims or to exercise actions.
The owner of the personal data has the right to file before the Superintendence of Industry and Commerce, or the competent entity, complaints and claims, as well as the actions that may be pertinent, for the protection of his/her data. Prior to this, he must have exhausted the exercise of his right against SUAREZ in accordance with Law 1581 of 2012.

6.8. Right to grant authorization for the processing of data.
In developing the principle of informed consent, the owner of the data has the right to grant their authorization, by any means that may be subject to subsequent consultation, to process their personal data in SUAREZ.

Exceptionally, this authorization will not be required in the following cases:
1.8.1. When required by public or administrative entity in compliance with its legal functions, or by court order.
1.8.2. When dealing with data of a public nature.
1.8.3. In cases of medical or health emergency.
1.8.4. When the processing of information is authorized by law for historical, statistical or scientific purposes.
1.8.5. When dealing with personal data related to the civil registry of persons.
In these cases, although the authorization of the owner is not required, the other principles and legal provisions on personal data protection shall apply.

7.1. Duties for data controllers.
When SUAREZ or any of the recipients of this rule, assumes the quality of responsible for the processing of personal data in their custody, shall comply with the following duties, without prejudice to the other provisions of the law and others governing their activity:
(a) Guarantee the holder, at all times, the full and effective exercise of the right of Habeas Data.
b) Request and keep, under the conditions provided for in this Rule, a copy of the respective authorization granted by the holder.
c) Duly inform the holder about the purpose of the collection and the rights he/she has by virtue of the authorization granted.
d) Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
e) Guarantee that the information provided to the data processor is truthful, complete, accurate, updated, verifiable and understandable.
f) Update the information, communicating in a timely manner to the data processor, all developments with respect to the data previously provided and take other necessary measures to ensure that the information provided to the data processor is kept up to date.
g) Rectify the information when it is incorrect and communicate the pertinent to the data processor.
h) To provide the data processor, as the case may be, only data whose processing is previously authorized in accordance with the provisions of the law.
i) To require the data processor to respect at all times the security and privacy conditions of the data owner's information.
j) To process the queries and claims formulated in the terms set forth in this regulation and in the law.
k) Adopt an internal manual of policies and procedures to ensure proper compliance with the law and especially for the attention of inquiries and complaints. SUAREZ complies with this obligation through the adoption of this Standard.
1) Inform the data processor the circumstance that certain information is under discussion by the holder, once the claim has been filed and has not completed the respective process.
m) To inform, at the request of the data owner, about the use given to his/her data.
n) Inform the data protection authority when there are violations to the security codes and there are risks in the administration of the information of the owners.
o) Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

7.2. Duties of those responsible for the processing of personal data.
When SUAREZ or any of the recipients of this rule, assumes the quality of person in charge of the processing of personal data in their custody, must comply with the following duties, without prejudice to other provisions of the law and others governing their activity:
(a) Guarantee the holder, at all times, the full and effective exercise of the right of Habeas Data.
b) Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
c) Update, rectify or delete data in a timely manner according to the terms of the law.
d) Update the information reported by the data controllers within five (5) business days from its receipt.
e) To process the queries and claims formulated by the owners under the terms set forth in this Rule and in the law.
f) Adopt an internal manual of policies and procedures to ensure proper compliance with the law and, in particular, for the attention of inquiries and claims by the Holders. SUAREZ complies with this obligation through the adoption of this Rule.
g) Register in the database the legend "HABEAS DATA CLAIM IN PROCESS" in relation to personal information that is discussed or questioned by the holders, according to the way it is regulated by law.
h) Insert in the database the legend "INFORMATION ON HABEAS DATA UNDER JUDICIAL DISCUSSION" once notified by the competent authority about judicial proceedings related to the quality of the personal data.
i) Refrain from circulating information that is being disputed by the owner and whose blocking has been ordered by the Superintendence of Industry and Commerce or by another competent authority.
j) Allow access to the information only to those persons who may have access to it.
k) Inform the Superintendence of Industry and Commerce when there are violations to the "Security Codes" and there are risks in the administration of the information of the owners. 1) Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

7.3. Common duties of data controllers and data processors.
In addition to the duties described above in the head of SUAREZ and any other person who assumes their status as responsible or in charge of the treatment, in a complementary manner shall assume the following duties whatever their condition:
a) Implement security measures according to the classification of personal data that SUAREZ treats.
b) Adopt disaster recovery procedures applicable to the database containing personal data.
c) Adopt backup procedures or back up of the database containing personal data.
d) Periodically audit compliance with this Standard by the recipients of the same.
e) Securely manage databases containing personal data.
f) Implement this Standard on the protection of personal data in harmony with the "Information Security Policy.
g) Keep a central registry of the databases containing personal data that includes the history since its creation, processing of the information and cancellation of the database.
h) Securely manage access to the personal databases contained in the information systems in which it acts as data controller or data processor.
i) To have a procedure for managing security incidents with respect to databases containing personal data.
j) Regulate in contracts with third parties the access to databases containing personal data.

In development of the constitutional right of Habeas Data regarding the rights of access, updating, rectification, cancellation and opposition by the holder of personal data, or legally entitled interested party, that is, their successors and legal representatives, SUAREZ adopts the following procedure:

1.1 The owner of the data and / or interested in exercising one of these rights, shall prove this condition by means of a copy of the relevant document and his identity document, which may be provided by physical or digital means. In the event that the data owner is represented by a third party, the respective power of attorney must be provided, which must have its content acknowledged before a notary, taking into account that the exercise of the Fundamental Right to Habeas Data is involved. The proxy must also prove his or her identity in the terms indicated.
2.2 The request to exercise any of the aforementioned rights must be made in writing, either physically or digitally. The request to exercise the aforementioned rights may be addressed to the main address or email enabled by SUAREZ for the exercise of Habeas Data. SUAREZ may have other means for the holder of the personal data to exercise their rights.
3.3 The request for exercise of any of the above rights shall contain the following information:
4.3.1. Name and identification of the holder of the personal data, and their representatives, if applicable.
5.3.2. Specific and precise request for information, access, updating, rectification, cancellation, opposition to processing and/or revocation of consent. In each case the request must be reasonably grounded for SUAREZ to proceed, as responsible for the database, to respond.
6.3.3. Physical and / or electronic address for notifications.
7.3.4. Documents supporting the request, if applicable.
If any of the requirements listed here are missing, SUAREZ will so inform the person concerned within 5 days of receipt of the request, so that they are corrected, then proceeding to respond to the request for Habeas Data submitted. If after two (2) months without submitting the required information, it will be understood that the request has been abandoned. SUAREZ may have physical and/or digital formats for the exercise of this right and will indicate whether it is a consultation or a claim of the interested party. Within two (2) business days following the complete receipt of the request, SUAREZ will indicate that it is a claim in process. In the respective database (PQR) a box must be entered in which the following legends appear: "CLAIM FOR HABEAS DATA IN PROCESS" and "CLAIM FOR HABEAS DATA RESOLVED".

SUAREZ, when responsible for the personal data base contained in its information systems, will respond to the request within ten (10) days if it is a consultation; and fifteen days (15) days if it is a claim. In the same previous terms SUAREZ will be pronounced when it verifies that its information systems do not have personal data of the person concerned exercising any of the rights indicated.

In case of a claim, if it is not possible to respond within the term of (15) fifteen days, the interested party will be informed of the reasons for delay and the date on which the claim will be addressed, which in no case may exceed eight (8) working days following the expiration of the first fifteen (15) days.

SUAREZ, in cases where it holds the status of data processor will inform such situation to the holder or interested in the personal data, and will communicate to the person responsible for the personal data the request, in order for it to respond to the request for consultation or claim filed. Copy of such communication will be addressed to the owner of the data or interested party, so that he is aware of the identity of the person responsible for the personal data and consequently the main obligor to ensure the exercise of his right.

SUAREZ will document and store the requests made by the data owners or data subjects in exercise of any of the rights, as well as the answers to such requests. This information will be treated in accordance with the rules applicable to the correspondence of the organization. In order to resort to the Superintendence of Industry and Commerce in the exercise of the legal actions contemplated for data owners or interested parties, the process of consultations and/or claims described herein must be previously exhausted.

SUAREZ, as responsible for the processing of personal data under its custody, in the course of its business, as well as those in which it has the quality of processor, will have a central registry in which it will list each of the databases contained in their information systems and other files of SUAREZ.
The central registry of personal databases will allow:

1.1 Register all personal data base contained in the information systems and other files of SUAREZ. Each base will be assigned a registration number.

1. 2 The registration of personal databases will indicate: (i) The type of personal data it contains; (ii) The purpose and intended use of the database; (iii) Identification of the area of SUAREZ that makes the processing of the database; (iv) Processing system used (automated or manual) in the database; (v) Indication of the level and security measures that apply to the database under the type of personal data it contains; (vi) Location of the database in the information systems of SUAREZ; (vii) The group of persons or group of interest whose data are contained in the database; (viii) The status of SUAREZ as RESPONSIBLE or IN CHARGE of the processing of databases; (ix) Authorization for communication or transfer of the database, if any; (x) Origin of the data and procedure for obtaining consent; (xi) SUAREZ employee custodian of the database; (xii) Other requirements that are applicable under the regulations of the law that may be issued.
2. 3 On a monthly basis will be recorded, for purposes of compliance and audit, the changes made in the personal databases in relation to the above requirements. In the event that the databases have not undergone any such changes, a record shall be made by the custodian thereof.
3. 4 The occurrence and history of security incidents that occur against any of the personal databases guarded by SUAREZ, will be documented in this central register.
4. 5 The record will indicate the sanctions that may be imposed with respect to the use of the personal database, indicating the origin of the same.
5. 6 The cancellation of the personal database will be registered indicating the reasons and technical measures adopted by SUAREZ to make the cancellation effective.

The operations that constitute processing of personal data by SUAREZ, as responsible or in charge of them, shall be governed by the following parameters.

10.1. Personal data related to human resource management.
SUAREZ will treat the personal data of its employees, contractors, as well as those who apply for vacancies, at three times: before, during and after the employment relationship and / or services.

10.1.1. Treatment prior to the employment relationship.
SUAREZ will inform, in advance, to persons interested in participating in a selection process, the rules applicable to the processing of personal data provided by the person concerned, as well as those obtained during the selection process; and will obtain the required authorization to deliver such information to third parties and for any other purpose other than to participate in this process.

SUAREZ, once the selection process is exhausted, will inform the negative result and will return to the non-selected persons the personal data provided; when this is not possible, it will proceed to its destruction for which it will have previously informed the holder. The information obtained by SUAREZ regarding those who were not selected, specifically the results of the psycho-technical tests and interviews, will be removed from their information systems, thus complying with the principle of purpose.

SUAREZ when contracting personnel selection processes with third parties will regulate in the contracts the treatment to be given to the personal data provided by the interested parties, as well as the destination of the personal information obtained from the respective process in compliance with this rule. The personal data and information obtained from the selection process regarding the personnel selected to work in SUAREZ, will be stored in files determined for the purpose, applying to this information high levels and security measures, under the potential that such information contains sensitive data.

The purpose of the delivery of the data provided by those interested in SUAREZ vacancies and personal information obtained from the selection process, is limited to participation in the same; therefore, its use for different purposes is prohibited.

10.1.2. Processing of data during the employment relationship.
SUAREZ will store personal data and personal information obtained from the selection process of employees in a folder identified with the name of each of these. The treatment and access to this information, in physical or digital format, will be in accordance with the procedures established by the Human Management Unit.

The use of employee information for purposes other than the administration of the contractual relationship is prohibited in SUAREZ. The different use of data and personal information of employees will only proceed by order of competent authority, provided that it lies such power. It will be up to the Legal Department to assess the competence and effectiveness of the order of the competent authority, in order to prevent unauthorized transfer of personal data.

Data processing after termination of the contractual relationship.
Upon termination of the employment relationship, whatever the cause, SUAREZ will proceed to store the personal data obtained from the selection process and documentation generated in the development of the employment relationship in a central file, subjecting such information to high security measures and levels of security, under the potential that labor information may contain sensitive data.

SUAREZ is prohibited from transferring such information to third parties, since such a fact can configure a deviation in the purpose for which the personal data were delivered by their owners.

The above, unless prior written authorization documenting the consent of the owner of the personal data.

10.2. Processing of personal data of suppliers.
SUAREZ will only collect from its suppliers the data that are necessary, relevant and not excessive for the purpose of selection, evaluation and execution of the contract. When SUAREZ is required, by its legal nature, the disclosure of data of the supplier -individual- as a result of a selection process, this will be done with the provisions that comply with the provisions of this standard and that warn third parties about the purpose of the information that is disclosed.

SUAREZ will collect from its suppliers the personal data of its employees, which are necessary, relevant and not excessive, which for security reasons must analyze and evaluate, according to the characteristics of the services that are contracted with the supplier. The personal data of employees of suppliers collected by SUAREZ, will have the sole purpose of verifying their suitability and competence of such employees; therefore, once verified this requirement, SUAREZ may return such information to the supplier, except when it is necessary to preserve this data.

When SUAREZ delivers data of its employees to its suppliers, they must protect the personal data provided, as provided in this Standard. For this purpose, the respective audit provision will be included in the contract or document that legitimizes the delivery of personal data. SUAREZ will verify that the requested data are necessary, relevant and not excessive with respect to the purpose underlying the request for access to them.

10.3. Processing of personal data in hiring processes.
Third parties in contracting processes, alliances and cooperation agreements with SUAREZ access, use, treat and / or store personal data of SUAREZ employees and / or third parties related to such contractual processes, shall adopt the relevant provisions of this Standard, as well as the security measures indicated by SUAREZ according to the type of personal data processed.

For this purpose, the respective verification provision will be included in the contract or document that legitimizes the delivery of personal data. SUAREZ will verify and control that the data requested are necessary, relevant and not excessive with respect to the purpose of treatment.

10.4. Processing of personal data of SUAREZ buyers.
SUAREZ with respect to the personal data of the buyers will collect and treat them for contractual, commercial and advertising purposes of the existing relationship with them.

The direct purchase process will define the treatment according to the particular needs arising from the commercial dynamics with the buyers, applying the provisions herein.

10.5. Processing of consumers' personal data.
The personal data of consumers that are collected as a result of a consumer relationship will be treated according to the authorization and purposes authorized by the consumers. The corresponding area within the company will define the treatment of these personal data within the framework of the needs of marketing, advertising and marketing SUAREZ, applying the provisions herein.

10.6. Processing of personal data of the community in general.
The collection of data of individuals that SUAREZ treats in the development of actions related to the community, either as a result of the development of its corporate purpose or any other activity, shall be subject to the provisions of this standard. For this purpose, SUAREZ previously inform and obtain the authorization of the owners of the data in the documents and instruments used and that are related to these activities.

In each of the cases described above, the areas of the organization that develop business processes in which personal data are involved, should consider in their action strategies the formulation of rules and procedures to comply with and enforce the provisions adopted herein, in addition to preventing possible legal sanctions.

In development of this standard of security of personal information of SUAREZ, the following prohibitions and penalties are established as a result of its breach.

1.1 SUAREZ prohibits access, use, management, transfer, communication, storage and any other processing of sensitive personal data without the authorization of the owner of the personal data and / or SUAREZ.incurring in this prohibition by employees of SUAREZ will result in the penalties that may apply in accordance with the law.incurring in this prohibition by suppliers who contract with SUAREZ will result in the consequences provided for such purposes, without prejudice to the actions that may apply. In contracts with suppliers, in which the contracted object is related to personal data, a provision will be agreed in relation to the damages that may be caused to SUAREZ as a result of the imposition of fines, operating penalties, among others, by the competent authorities and as a result of imprudent or negligent behavior of the supplier.

2.2 SUAREZ prohibits the transfer, communication or circulation of personal data, without the prior, written and express consent of the owner of the data or without authorization from SUAREZ. The transfer or communication of personal data must be registered in the central registry of personal data of SUAREZ and have the authorization of the custodian of the database.

3.3 SUAREZ prohibits access, use, transfer, communication, processing, storage and any other processing of personal data of a sensitive nature that come to be identified in an audit procedure in application of the standard on the proper use of the computer resources of the organization and / or other rules issued by SUAREZ for these purposes.sensitive data that come to be identified in the audit process, will be informed to the user of the computer resource, so that it proceeds to eliminate them; if this option is not possible, SUAREZ will proceed to remove them safely.

4.4 SUAREZ prohibits the recipients of this standard any processing of personal data that may give rise to any of the behaviors described in the law of computer crimes 1273 of 2009. Unless you have the authorization of the owner of the data and / or SUAREZ, as appropriate.

5.5 SUAREZ will only proceed with the processing of personal data of children and adolescents under age with the express, prior and informed consent of their representatives and / or persons holding the representation of the minor, for the purposes required in connection with the exercise of its business activity and in any case must ensure the prevailing rights that the Constitution recognizes these, in harmony with the Code of Children and Adolescents.

The transfer of personal data to any person whose seat is in a country that is not safe for data protection is prohibited. Safe countries are understood as those that meet the standards set by the Superintendence of Industry and Commerce.

Exceptionally, international transfers of data may be made by SUAREZ when:

• 1.The owner of the data has granted its prior, express and unequivocal authorization to carry out the transfer.

• The transfer is necessary for the execution of a contract between the holder and SUAREZ as responsible and / or responsible for the treatment.

• In the case of banking and stock market transfers in accordance with the legislation applicable to such transactions.
  In the case of transfer of data under international treaties that are part of the Colombian legal system.

• Transfers legally required to safeguard a public interest.
  At the time of an international transfer of personal data, prior to sending or receiving them, SUAREZ will sign agreements that regulate in detail the obligations, burdens and duties that arise for the parties involved.

The agreements or contracts entered into shall comply with the provisions of this rule, as well as in the legislation and jurisprudence that were applicable in the field of personal data protection.

It is the responsibility of the Legal Department of SUAREZ to give a favorable opinion on the agreements or contracts involving an international transfer of personal data, taking into account as guidelines the applicable principles and contained in this standard. It will also correspond to make the relevant consultations with the Superintendence of Industry and Commerce to ensure the circumstance of "safe country" in relation to the territory of destination and / or origin of the data.

The responsibility for the proper treatment of personal data within SUAREZ, is in the head of all employees.

Consequently, within each area that manages business processes involving personal data processing, must adopt the rules and procedures for the implementation and enforcement of this standard, given their status as custodians of personal information that is contained in the information systems of SUAREZ.

In case of doubt regarding the legal treatment of personal data, they will go to the Legal Department to indicate the guideline to follow, as appropriate.

In the processing of personal data by SUAREZ, the permanence of the data in their information systems will be determined by the purpose of such treatment. Consequently, exhausted the purpose for which the data were collected, SUAREZ will proceed to its destruction or return, as appropriate, or to keep them as provided by law, taking technical measures to prevent inappropriate treatment.

In the processing of personal data subject to regulation in this standard, SUAREZ will adopt physical, logical and administrative security measures, which are classified into high, medium and low level, according to the risk that may arise from the criticality of the personal data processed. In developing the principle of security of personal data, SUAREZ will adopt a general guideline on these measures, which will be mandatory for the recipients of this standard.

SUAREZ communicates to the recipients of this Rule the sanctions regime provided by Law 1581 of 2012 in its Article 23, which materializes the risks assumed by an improper processing of personal data:

"ARTICLE 23. Sanctions. The Superintendency of Industry and Commerce may impose the following sanctions on the Controllers and Processors:
(a) Fines of a personal and institutional nature up to the equivalent of two thousand (2,000) legal monthly minimum wages in force at the time of the imposition of the sanction. The fines may be successive as long as the non-compliance that originated them persists.
b) Suspension of the activities related to the Treatment for a term of up to six (6) months. The act of suspension shall indicate the corrective measures to be adopted.
c) Temporary closing of the operations related to the Processing once the term of suspension has elapsed without the corrective measures ordered by the Superintendence of Industry and Commerce having been adopted.
d) Immediate and definitive closure of the operation involving the Processing of sensitive data".
The notification of any investigation procedure by any authority, related to the processing of personal data, must be communicated immediately to the Legal Department of SUAREZ, in order to take measures to defend the actions of the entity and avoid the imposition of penalties under Colombian law, in particular those set forth in Title VI, Chapter 3 of Law 1581 of 2012 described above.

Consequence of the risks assumed by SUAREZ either as responsible and / or in charge of the processing of personal data, the breach of this rule by its recipients will result in sanctions and / or measures provided for in the applicable rules.

When the State authorities request SUAREZ access and / or delivery of personal data contained in any of its databases, the legality of the request will be verified, the relevance of the requested data in relation to the purpose expressed by the authority, and the delivery of the requested personal information will be documented providing that it complies with all its attributes (authenticity, reliability and integrity), and warning the duty of protection on these data, both the official who makes the request, who receives it, as well as the entity for which they work. The authority that requires the personal information will be warned about the security measures that apply to the personal data provided and the risks involved in its improper use and inadequate treatment.