1. DESIGNATION AND FUNCTIONS OF THE DATA PROTECTION OFFICER

    2. The Data Protection Delegate will be the person designated by SIMETRIK, who can be contacted by e-mail at datospersonales@simetrik.com

    The functions of the Data Protection Officer are, but are not limited to, the following:

    1. Inform, supervise and advise the Controller or the Person in Charge of the treatment of Personal Data on compliance with this Personal Data Treatment Policy and other applicable regulations.
    2. Cooperate with the Data Protection Authority and be the point of contact/communication with the Data Protection Authority.
    3. Guarantee to the Data Subject, at all times, the full and effective exercise of the right of habeas data.
    4. Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
    5. Timely update, rectification or deletion of data under the terms of Law 1581 of 2012 and other concordant and current regulations.
    6. Update the information reported by the data controllers within five (5) business days from its receipt.
    7. To process the queries and claims formulated by the Data Subjects under the terms indicated in thispolicy.
    8. Adopt an internal manual of policies and procedures to ensure proper compliance with the law and, in particular, for the attention of inquiries and complaints by the Data Subjects.
    9. Allow access to information only to those who can access it.
    10. Verify that the Data Controller has the authorization for the treatment of personal data of the Data Subject.

  2. INFORMATION TREATMENT

    3. All the processes of the organization, when carrying out their own activities, will assume the responsibilities and obligations regarding the proper handling of personal information, from its collection, storage, use, circulation and even its final disposal.

    1. USE OF INFORMATION

      2. In the event that any area identifies new uses different from those described in this personal data treatment policy, it must inform the person responsible for the treatment of Personal Data, who will evaluate and manage, when applicable, its inclusion in this policy. Likewise, the following assumptions should be taken into consideration:

      1. In the event that an area other than the one that initially collected the personal data requires the use of the personal data that has been obtained, this may be done provided that it is a foreseeable use for the type of services offered by Simetrik and for a purpose contemplated in this Personal Data Treatment Policy.
      2. Each area must ensure that no confidential information or personal data is disclosed.
      3. Process Leaders may not make decisions that have a significant impact on personal information, or that have legal implications, so they must validate the information directly from the data owner, in cases where it is necessary.
      4. Only authorized personnel may enter, modify or delete data contained in the databases or documents subject to protection. User access permissions are granted in accordance with the access control policy, according to the established profiles, which will be previously defined by the leaders of the processes where the use of personal information is required.
      5. Any use of the information different from that established will be previously consulted with the Responsible for Personal Data Protection.
    2. INFORMATION STORAGE

      3. The storage of digital and physical information is done in media or environments that have adequate controls for data protection. This involves physical and technological security controls in authorized and properly managed repositories.

    3. DESTRUCTION

      4. The destruction of physical and electronic media is carried out through mechanisms that do not allow their reconstruction. This is done in accordance with the retention time established for the information.

  3. PROCEDURE FOR HANDLING INCIDENTS, COMPLAINTS, PETITIONS, INQUIRIES AND CLAIMS FROM OWNERS

    4. In case of any inquiry, claim, complaint or request regarding the treatment of personal data of the Data Subjects, they may contact us by e-mail. datospersonales@simetrik.com or at the following physical address: calle 91 # 11 - 29 Piso 6 in the city of Bogotá, D.C.

    1. INCIDENT MANAGEMENT WITH PERSONAL DATA

      2. An incident is understood as any eventuality that affects or could affect the security of the databases or information contained therein.

      In the event that the user becomes aware of any incident that has occurred, he/she must communicate it to the Data Protection Officer who will take the appropriate measures to deal with the reported incident.

      The Personal Data Protection Officer shall inform the SUPERINTENDENCIA DE INDUSTRIA Y COMERCIO, within 15 days from the knowledge of the incident.

      Incidents can affect both digital and physical databases and will generate the following activities:

      1. Incident Notification: It is the responsibility of the personnel, when it is presumed that an incident may affect or have affected databases with personal information personal data or any suspicious event, weakness or violation of policies that may affect the confidentiality, integrity and availability of assets and personal information must be reported to the Head of Personal Data Protection who will manage its report in the National Registry of Databases.
      2. Containment, Investigation and Diagnosis: The Personal Data Protection Officer must ensure that actions are taken to investigate and diagnose the causes that generated the incident,
      3. Solution: The IT process, as well as any compromised areas and those directly responsible for personal data management, must prevent the security incident from reoccurring by correcting all existing vulnerabilities.
      4. Incident Closure and Follow-up: The IT and Information Security Manager and the Personal Data Protection Officer shall document the actions that were taken to remediate the security incident. The Personal Data Protection Officer will prepare an analysis of the reported incidents.
    2. COMPLAINTS

      3. The Data Subject, his assignees, his representative and/or attorney-in-fact, or whoever is determined by stipulation in favor of another; may only file a complaint before the Superintendence of Industry and Commerce for the exercise of his rights once he has exhausted the process of Consultation or Claim directly before the company.

    3. UPDATE AND/OR RECTIFICATION REQUESTS

      4. SIMETRIK will rectify and update, at the request of the Data Subject, the information that is inaccurate or incomplete, in accordance with the procedure and terms indicated above, for which the Data Subject must submit the request according to the channels provided by the company, indicating the update and rectification of the data and in turn must provide the documentation supporting such request.

    4. REVOCATION OF AUTHORIZATION AND/OR DELETION OF PERSONAL DATA

      5. The Data Subject may revoke at any time the consent or authorization given for the treatment of his/her Personal Data, as long as there is no impediment enshrined in a legal or contractual provision.

      Likewise, the Data Subject has the right to request SIMETRIK at any time the deletion or elimination of his/her Personal Data.

      Such deletion implies the total or partial elimination of the personal information, as requested by the owner in the records, files, databases or treatments carried out by SIMETRIK.

      The right of cancellation is not absolute and therefore SIMETRIK may deny revocation of authorization or deletion of Personal Data in the following cases:

      1. The Data Subject has a legal or contractual duty to remain in the database.
      2. The deletion of data hinders judicial or administrative proceedings related to tax obligations, the investigation and prosecution of crimes or the updating of administrative sanctions.
      3. The data is necessary to protect the legally protected interests of the Data Subject; to carry out an action in thepublic interest, or to comply with an obligation legally acquired by the Data Subject.

    5. INQUIRY

      6. The personal information of the Data Subject contained in SIMETRIK's databases may be consulted, and the companywill be responsible for providing all the information contained in the individual record or that is linked to the identification of the applicant, using in any case a clear and simple language.

      The consultation once received by the company will be answered within a maximum term of ten (10) business days from the date of receipt of the same. The information requested by the Data Subject. may be provided in writing, by e-mail or by any other means as requested by the Data Subject.

      When it is not possible to attend the consultation within such term, the interested party shall be informed, stating the reasons for the delay and indicating the new date on which such consultation will be attended, which in no case may exceed five (5) working days following the expiration of the first term.

      The Data Subject may consult his or her Personal Data free of charge at least once every calendar month, and in the events in which there are substantial modifications to the Information treatment Policies that motivate new consultations.

      However, in the event that the periodicity of the consultations is greater than one per calendar month, the Data Subject may be charged for the costs of sending, reproduction and, if applicable, certification of documents

    6. CLAIMS

      7. When it is considered that the information contained in a SIMETRIK database should be corrected, updated or deleted, or when the alleged breach of any of the duties contained in the Habeas Data Law is noticed, a claim may be filed before SIMETRIK, which will be processed under the following rules:

      1. The claim shall be formulated by means of a written communication addressed to SIMETRIK, with the identification of the Data Subject, the description of the facts that give rise to the claim, the address, and accompanying the documents to be asserted.
      2. If the claim is incomplete, the interested party will be required within five (5) days after receipt of the claim to correct the faults. After two (2) months from the date of the request, if the applicant does not submit the required information, it will be understood that the claim has been abandoned.
      3. In the event that SIMETRIK receives a Claim that it is not competent to resolve, the company will transfer the Claim to the appropriate person within a maximum term of two (2) business days and will inform the Data Subject.
      4. Once the complete claim is received, the company will include in the respective database a legend that says "claim in process" and the reason for this, in a term not greater than two (2) days. working days. The company will keep such legend on the data under discussion until the claim is decided.
      5. The maximum term to address the claim will be fifteen (15) business days from the day following the date of receipt. When it is not possible to attend the claim within said term, the company will inform the Data Subject the reasons for the delay and the new date on which the claim will be attended, which in no case may exceed eight (8) working days following the expiration of the first term.

  4. CONSEQUENCES ACCEPTANCE OF THE POLICY

    5. By accepting this Policy, each Data Subject expressly authorizes SIMETRIK to carry out the treatment of the same, partially or totally, including the collection, storage, recording, use, circulation, treatment, suppression, transmission under the terms of this Policy and/or transfer within the country or to third countries of the data provided for the purposes described in the Privacy Policies of the third parties to whom such personal data is transferred. With the acceptance of this Policy, in your capacity as Owner of the Information and Personal Data collected, you authorize the treatment of such data for all the purposes set forth in this Policy and especially for:

    1. Use the Information and Personal Data provided to perform a conflict check in databases that gather information sources, such as the FATF Sanctions lists containing information from OFAC, former Clinton List, United Nations, European Union, FBI, Interpol and other international lists.
    2. To use the Information and Personal Data provided to establish and maintain the commercial relationship; to send information regarding the legal, commercial, contractual or obligatory relationship; to collect accounts receivable; to pay accounts payable; and for any other purpose resulting from the development of the relationship that arises.
    3. Use the Information and Personal Data provided to send commercial information or information that SIMETRIK considers may be of interest to the Data Subject.
    4. Use the Information and Personal Data provided to make it available to the personnel in charge of the corresponding work, within the company, without excluding the possibility of being transferred to managers, consultants, advisors, persons and external offices as necessary.
    5. Use the Information and Personal Data provided for marketing purposes of SIMETRIK's services, and the products and services of third parties with whom SIMETRIK maintains a business relationship.
    6. Use the Information and Personal Data provided for the request of surveys and after-sales follow- up to establish the satisfaction of the services provided by SIMETRIK for statistical and continuous improvement purposes, or for qualitative and quantitative evaluations of the levels of services received by SIMETRIK.
    7. For the transfer of data to third parties in the same sector or sectors related to SIMETRIK, so that the owners can know and have access to other options of products and services.
    8. Use the Information and Personal Data provided to maintain records as required by law.
    9. Use the Information and Personal Data provided to consult and update personal data.
    10. Use the Information and Personal Data provided to issue certifications required by the Data Subject.
    11. Use the Information and Personal Data provided to make accounting records.
    12. To publish announcements and/or report the participation and work of SIMETRIK in the provision of services to the Registrant and/or the work of the Registrant in the development of work performed with or
    13. For SIMETRIK, in SIMETRIK presentations and SIMETRIK's website, as well as in national or international publications related to SIMETRIK's areas of practice, for which SIMETRIK may, among others, disclose the name of the Registrant and the natural persons, legal entities and entities associated with the same, the advice provided, and include a link to SIMETRIK's web page. For this purpose, SIMETRIK may, among others, disclose the name of the Data Subject and the natural persons, legal entities and entities associated with the same.
    14. To provide the Information and Personal Data to the control and surveillance, administrative, police and judicial, national and international authorities, by virtue of a legal or regulatory requirement.
    15. To allow access to the Information and Personal Data to auditors or third parties hired to carry out internal or external auditing processes proper to the commercial activity that SIMETRIK develops.
    16. To consult and update the Information and Personal Data.
    17. To contract with third parties the storage and/or treatment of the Information and Personal Data for the correct execution of the contracts entered into with SIMETRIK, under the security and confidentiality standards to which SIMETRIK is bound.

    Third parties may be involved in the aforementioned activities and that such activities may take place in countries different from the place where the service is contracted, and without prejudice to other purposes that have been informed in this Policy and in the terms and conditions of each of the services contracted with each Data Subject.

  5. MODIFICATION OF POLICIES

    6. SIMETRIK reserves the right to modify the treatment and Protection of Personal Data Policy at any time. However, any modification will be communicated in a timely manner to the owners of the Personal Data through the usual means of contact ten (10) business days prior to its entry into force.

    In the event that a Data Subject does not agree with the new General or Special Policy and with valid reasons that constitute a just cause for not continuing with the authorization for the treatment of Personal Data, the Data Subject may request the company to withdraw his/her information through the channels indicated in Title V of this document. However, Data Subjects may not request the removal of their Personal Data when the company has a legal or contractual duty to process the data.

  6. CURRENT

    7. This Policy is effective as of the date of its publication. The latest updated version is dated November 01, 2022.

    Santiago Gómez González
    LEGAL REPRESENTATIVE



Page 2 of 2

Previous page