Personal data protection policy

1. Objective

This Personal Data Processing Policy (the "Policy") regulates the collection, storage, use, circulation and deletion (the "Processing") of personal data carried out by Fundación Santo Domingo (the "Foundation" or the "Responsible"), identified with NIT: 890.102.129-9, as the responsible party, in accordance with the provisions contained in the Statutory Law 1581 of 2012, Law 1266 of 2008, Decree 1377 of 2013, Decree 1074 of 2015, and other rules that complement or modify them, through which the protection of personal data in the national territory is regulated, in order to provide security to our internal and external users in relation to the handling of the information provided.

2. Definitions

  • Allies: natural or legal persons that enter into contracts or agreements with the Foundation that involve Transmissions and/or Transfers of Personal Data.
  • Authorization: prior, express and informed consent of the Data Subject to carry out the Processing of Personal Data.
  • Database: organized set of Personal Data that is subject to Processing.
  • Personal data: any information linked or that can be associated to one or several determined or determinable natural persons.
  • Private Data: Data that, due to its intimate or reserved nature, is only relevant to the Data Subject.
  • Public Data: is the Data qualified as such according to the mandates of the law or the Political Constitution and all those that are not semi-private or private. Data contained in public documents, duly executed court rulings that are not subject to confidentiality and those relating to the civil status of persons, among others, are public.
  • Sensitive data: data that affects the privacy of the Data Subject or whose improper use may generate discrimination.
  • Semi-private data: data that is not of an intimate, reserved or public nature and whose knowledge or disclosure may be of interest not only to its owner but also to a certain sector or group of persons or to society in general, such as financial and credit data of commercial or service activity.
  • Data Processor: natural or legal person, public or private, that by itself or in association with others, carries out the Processing of Personal Data on behalf of the Data Controller.
  • Financial, commercial, credit and service information: information related to the creation, execution and extinction of monetary obligations, regardless of the nature of the contract that gives rise to them, protected by Law 1266 of 2008.
  • Data Protection Officer: natural person, employee of the Foundation, who is responsible for ensuring compliance with the Policy.
  • Data Controller: natural or legal person, public or private, who by himself or in association with others, decides on the Database and/or the Data Processing.
  • Data Subject: natural person whose Personal Data is the object of Processing.
  • Processing: Any operation or set of operations on Personal Data, such as collection, storage, use, circulation or deletion.
  • Transfer: The Transfer of data takes place when the Controller and/or Processor of Personal Data, located in Colombia, sends the information or Personal Data to a recipient, which in turn is the Data Controller and is located inside or outside the country.
  • Transmission: Processing of Personal Data that involves the communication of the same within or outside the territory of the Republic of Colombia when the purpose is the performance of a Processing by the Processor on behalf of the Controller.

3. Description of guidelines

3.1. Information of the Data Controller

The Foundation is located at Carrera 53 No. 106 - 280 Piso 4 Edificio Centro Empresarial Buena Vista in the city of Barranquilla, Colombia, telephone (605) 371 0707, e-mail address [email protected].

3.2. Legal Framework

The Policy follows the guidelines of Statutory Law 1581 of 2012, which was regulated by Decree 1377 of 2013, Law 1266 of 2008, rulings C-1011 of 2008 and C-748 of 2011, and other concordant norms and decrees.

3.3. Principles

In order to achieve an effective protection of personal data, the Foundation will adopt the following principles, in the light of which the operations tending to the collection, processing, transfer and transmission of such data must be carried out.

a. Principle of legality in matters of Data Processing: The Processing of Personal Data shall be subject to the provisions of the rules that regulate the protection of Personal Data. Notwithstanding the existence of other rules that regulate the matter, the main applicable rules are set forth below:

  • Law 1581 of 2012
  • Decree 1377 of 2013
  • Decree 886 of 2014
  • Chapters 25 and 26 of Decree 1074 of 2015.
  • Sole Circular (Title V) of the Superintendency of Industry and Commerce

b. Principle of finality: The Processing must obey a legitimate purpose in accordance with the Constitution and the Law, of which the Data Subject must be informed.

c. Principle of freedom: Processing may only be carried out with the prior, express and informed consent of the Data Subject. Personal Data may not be obtained or disclosed without prior Authorization, or in the absence of a legal or judicial mandate that dispenses with consent.

d. Principle of truthfulness or quality: The information subject to processing must be truthful, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fractioned or misleading data is prohibited.

e. Principle of transparency: The right of the Data Subject to obtain from the Controller or the Processor, at any time and without restrictions, information about the existence of data concerning him/her, must be guaranteed in the Processing.

f. Principle of restricted access and circulation: The Processing is subject to the limits derived from the nature of the Personal Data, the provisions of the Law and the Constitution. In this sense, the Processing may only be carried out by persons authorized by the Data Subject and/or by the persons provided for in the Law.

Personal Data, except for public information, may not be available on the Internet or other means of mass dissemination or communication, unless access is technically controllable to provide restricted knowledge only to Data Controllers or authorized third parties in accordance with the provisions set forth in the Law.

g. Safety principle: The information subject to Processing by the Data Controller or Data Processor shall be handled with the technical, human and administrative measures necessary to provide security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.

h. Principle of confidentiality: All persons involved in the Processing of Personal Data that are not of a public nature are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks included in the Processing, and may only provide or communicate Personal Data when this corresponds to the development of the activities authorized by law.

i. Principle of demonstrated responsibility (accountability): Data controllers shall be able to demonstrate, at the request of the Superintendence of Industry and Commerce ("SIC"), that they have implemented appropriate and effective measures to comply with the obligations set forth in Law 1581 of 2012 and Decree 1377 of 2013.

3.4. Processing to which the Personal Data will be submitted

The Foundation will collect, store, organize, use, circulate, transmit, transfer, update, rectify, delete, eliminate and manage the Personal Data of its candidates and employees, suppliers, natural persons who are part of the programs developed by the Foundation and users of the website according to the nature of such Data and in accordance with the purposes set forth in this Policy.

In execution of the corporate purpose of the Foundation, the Personal Data will be processed in accordance with the nature of the Data Subject and the purposes of each processing, as described below:

3.4.1. Candidates & Employees

Personal Data of applicants and employees processed by the Foundation includes, but is not limited to:

  • General identification data of family members, beneficiaries or third parties as part of the employee's resume and portfolio;
  • Contact information;
  • Sensitive data such as data related to the employee's health, medical tests for admission, occupational accidents, health assessment in general, medical disability information and other related information, height, weight, complexion, and biometric data such as fingerprints and photographs;
  • Professional information of the worker including academic and professional background, trajectory, work history of the person, work experience, position, dates of entry and retirement, annotations, calls for attention, etc., educational level, training and/or academic history of the person etc.;
  • Socioeconomic data (stratum, tax information, economic activity, net worth, general data related to affiliation and contributions to the integral social security system. E.g.: EPS, IPS, ARL, dates of entry and retirement, AFP, etc.); and
  • Other personal information that may be required or obtained by the Human Resources area for the correct execution of the labor relationship.

The Personal Data of candidates and employees will be processed by the Foundation for the following purposes:

  • Review and confirmation of the information contained in the candidates' resumes.
  • Verification of employment references, restrictive lists and criminal records.
  • Make a first contact with the candidates, with the purpose of communicating the Foundation's interest in the candidate's professional profile.
  • To sign the labor contract in accordance with the parameters established in Colombian labor legislation.
  • Make payroll payments.
  • To comply with the labor obligations of the Foundation in its capacity as employer, established in the labor legislation, the employment contract, the Internal Work Regulations, such as: affiliation to the Integral Social Security System and payment of contributions, affiliation to the Compensation Fund and payment of contributions, payment to the DIAN of the amounts withheld by legal provision, issue certificates of income and withholdings and labor certificates, and provide information to an entity or national authority that requires access to the Personal Data, in accordance with the applicable rules.
  • To contract life and/or medical insurance, or for the granting of any other benefit derived from the employment relationship with the Foundation.
  • Notify family members in case of emergencies during working hours or in the course of work.
  • Maintain the safety and health of workers in the workplace, in accordance with the standards applicable to the Occupational Safety and Health Management System ("SG-SST") and keep the documents indicated in Article 2.2.4.6.13. of Decree 1072 of 2015.
  • Evaluate the employee's job performance.
  • Collect information and evidence in order to carry out labor disciplinary procedures.
  • Store personal data in the Foundation's databases;
  • Send information about products and services offered by the Foundation to its employees;
  • Conduct Foundation events with its employees and their families.
  • Review and verification of information on the academic development of FSD employees.
  • Collect information for statistical purposes, historical and measurement of compliance with the objects of the Human Resources unit required on workers.
  • The transfer of Personal Data in the framework of the definition, structuring and execution of strategic transactions, such as the sale of assets in case the Company or parts of its business are sold, merged or acquired by third parties.
  • Share, transmit and/or transfer information related to Personal Data with Clients of the Foundation and/or third parties to participate in public and/or private bidding processes and/or attend labor and/or tax compliance audits and/or audits related to a project/service within and outside the Colombian territory in projects/services with national and/or international scope.
  • Share, transmit and/or transfer information related to all Personal Data, including sensitive content, in compliance with legal, contractual, pre- and post-contractual and/or commercial obligations.
  • Transmission of Personal Data to be processed by third parties, as Agents, located in Colombia or outside the country, for the aforementioned purposes.
  • And in general, for the fulfillment of legal obligations and in particular, of the obligations that assist the Foundation in its condition of employer of its workers.

Employees' Personal Data will be subject to Processing, even after the termination of the contract with the Company, in order to maintain historical and/or statistical information regarding the fulfillment of certain obligations, if applicable, such as:

  • (i) Issue labor certifications.
  • (ii) Payment of contributions to the Integral Social Security System.
  • (iii) Payment of salaries, social benefits and other legal and extra-legal rights.
  • (iv) Compliance with occupational health and safety standards.
  • (v) Reports of occupational diseases and accidents.
  • (vi) Any other necessary for the Foundation to demonstrate that it complied with its labor, legal and/or contractual obligations.

3.4.2. Suppliers

Supplier Personal Data processed by the Foundation includes, but is not limited to:

  • Contact information
  • Identification information
  • Information of a sensitive nature, understood as information that may affect your privacy or whose improper use may generate some type of discrimination.

The personal data of suppliers will be processed by the Foundation for the following purposes:

  • Store suppliers' personal data in the Foundation's databases.
  • Place purchase orders for products or services, according to the needs of the Foundation.
  • Make payments on purchase orders placed by the Foundation with suppliers.
  • Request quotations for products and/or services in compliance with your purchasing process.
  • Generate purchase statistics.
  • Verify and confirm the identity and information provided.
  • Perform relevant searches in restrictive, binding and non-binding lists of ML/FT, anti-corruption and fraud, PEP, among others.
  • Perform administrative management related to the negotiation, formalization and execution of contracts for the provision of goods and services, purchase orders and similar.
  • Register as (supplier) in the Foundation's internal information systems.
  • Process payments.
  • To issue or request invoices, or information related to them, withholding tax certificates, paz y salvo (clearance) certificates and any other necessary document that must be signed in the commercial relationship with the supplier.
  • Contact by any means for the provision of the services required.
  • To know and process the personal data of the employees and contractors it employs for the provision of such services.
  • Evaluate compliance with the provision of contracted services.
  • Perform statistical analysis and marketing reports.
  • Transfer this information to different areas of the Foundation and its related entities to evaluate compliance with the provision of services or the supply of contracted goods; and the suitability of the supplier; or when necessary for the development of its operations.
  • To demand the fulfillment of the contracted services.
  • Authorize the entry of contractors and employees of the Supplier, to the Foundation's facilities.
  • Register personal data in the Foundation's information systems and in its commercial and operational databases.
  • Establish a permanent communication channel to provide information on promotions, activities, events, news and commercial and marketing information about the services provided by the Foundation or third party allies.
  • Share information at national or international level with suppliers, third party allies, or with those who collaborate for the proper functioning of the Foundation.
  • Implement adequate industrial safety measures for entering the facilities.
  • Manage the provision of emergency medical care, if required.
  • Capture through video surveillance cameras images and sounds that will be stored by the Foundation for the safety of its visitors and collaborators.
  • Any other activity of a similar nature to those described above that are necessary to develop the corporate purpose of the Foundation.
  • Transfer of Personal Data of suppliers and contractors in the framework of defining, structuring and executing strategic transactions, such as the sale of assets in case the Foundation or parts of its business are sold, merged or acquired by third parties.
  • Transmission of Personal Data of suppliers and contractors to be processed by third parties, as Agents, located in Colombia or outside the country, for the aforementioned purposes.
  • Other purposes necessary and provided in the context of the contractual relationship for the purpose of fulfilling the object and obligations arising therefrom.

3.4.3. Individuals who are part of the programs developed by the Foundation.

Personal Data processed by the Foundation includes, but is not limited to:

  • General identification data of family members, beneficiaries or third parties as part of the execution of the benefit granted and to execute the programs developed by the Foundation;
  • Contact information;
  • Sensitive data such as data related to racial or ethnic origin, political orientation, religious or philosophical convictions, social organizations, health, sex life and biometric data such as, but not limited to fingerprint, image, voice, videos, recordings, among others;
  • Professional information;
  • Socioeconomic data (stratum, tax information, economic activity, net worth, etc.); and
  • Other personal information that may be required or obtained for the execution of the program developed by the Foundation.

The Personal Data of persons who are part of programs developed and implemented by the Foundation will be processed for the following purposes:

  • Identification of the people who are part of the programs developed by the Foundation;
  • Implementation of the programs developed by the Foundation;
  • Perform internal management and performance reporting for the Foundation;
  • Conduct academic and research studies, in order to make internal decisions of the Foundation and programs developed with its partners;
  • Judicial background check;
  • Perform study and verification of credit history;
  • Make loan disbursements;
  • Follow up on the credit to the beneficiaries;
  • Development of statistics to manage new tailor-made credit products;
  • Provide results of the statistics carried out by the Foundation to other entities belonging to the guild to which the Foundation belongs;
  • Providing career technical counseling;
  • Referral to job opportunities and business creation;
  • Reception of situation reports and situations to be processed before the Ministry of Housing, City and Territory;
  • Invitation to events and workshops organized by the Foundation and its Allies;
  • Any other purposes necessary and provided in the context of the development of the program in order to comply with the purpose and obligations arising therefrom.

3.4.4. Users of the Financing and Business Development Unit: credit granting

Customer Personal Data processed by the Foundation includes, but is not limited to:

  • General identification data;
  • Contact information;
  • Socioeconomic data (stratum, tax information, economic activity, net worth); and
  • Other personal information that may be required for the correct execution of the contractual relationship.
  • Financial, commercial and credit information.

The Personal Data of the Foundation's clients will be processed for the following purposes:

  • Request for personal information in order to enter into the credit agreement.
  • Send information about the Foundation's products and services.
  • The development of its corporate purpose and of the binding contractual relationship, which implies the exercise of its rights and duties, including, but not limited to, the attention of requests, the generation of account statements, the performance of collection activities on its own or through third parties, among others;
  • The administration of the credits granted by the Foundation to the holder or his co-signer;
  • The structuring of commercial offers and the sending of commercial information about services through the channels or media that the Foundation establishes for such purpose;
  • The adoption of measures aimed at preventing illegal activities.
  • Transfer of Customer Personal Data in the context of defining, structuring and executing strategic transactions, such as the sale of assets in the event that the Foundation or parts of its business are sold, merged or acquired by third parties.
  • Transmission of the Client's Personal Data to be processed by third parties, as Agents, located in Colombia or outside the country, for the aforementioned purposes.
  • Other purposes necessary and provided in the context of the contractual relationship for the purpose of fulfilling the object and obligations arising therefrom.
  • As an element of analysis to establish, maintain and terminate a contractual relationship;
  • As an element of analysis for market research or commercial or statistical research;
  • To carry out any procedure before a public authority or a private person, in respect of which such information is relevant.
  • To provide its clients and commercial allies in Colombia with analyses, studies, reports, products or services derived from the legitimate use of the information collected.
  • Update financial, commercial, credit and customer contact information on a regular basis.
  • Develop or use tools that allow to know the financial and credit behavior.
  • Consult and report to database consulting entities or Information Operators, including credit bureaus, everything related to financial, commercial and credit information.

3.4.5. Website users

The Personal Data of the users of the website, processed by the Foundation include, but are not limited to:

  • General identification data;
  • Contact information;

The Foundation respects the privacy of all users who visit its website. In general, the information or Personal Data of users or customers collected through the different formats of the page are used to respond to inquiries made and future contacts if necessary to follow up on inquiries. In particular, the purposes of the processing of Personal Data collected through the website are as follows:

  • Improve the browsing experience on the Foundation's website, as well as perform maintenance and support of the website.
  • To respond to inquiries or requests made to the Foundation.

Additionally, the Foundation collects personal data from users of the website through cookies. A cookie is a small information file that is downloaded to the user's computer when accessing certain web pages to store and retrieve information about the navigation that is made from that computer. Through cookies, web pages remember information about the user's visit, which allows them to provide a better and safer browsing experience.

The Foundation's website uses "cookies" as online tracking technology. By enabling cookies or keeping that feature enabled, the user authorizes the Foundation to automatically collect and store information including, but not limited to: IP address or device ID assigned to the end device, the identification of the platform, computer, mobile device, or any other device or mechanism through which the user accesses the website, text content and images, as well as data files provided for download, user activities on the website, the type of browser used, as well as the date and time of login and use, cookies, fingerprints, web logs, web beacons, web crawlers, among others. However, the user or visitor may choose, directly on the website, not to authorize the Foundation's use of cookies.

The Foundation uses cookies for the following purposes: (i) to perform performance measurement exercises; (ii) to maintain the reliability and security of our website; (iii) marketing and advertising purposes; (iv) to design personalized service experiences.

3.5. Processing of Sensitive Data

The Foundation may process sensitive data. For these purposes, the Foundation shall apply the legal provisions on the Processing of Sensitive Data established in Law 1581 of 2012, and other complementary rules, including the following:

  • Obtain explicit authorization from the owner for the processing, informing the optional nature of the authorization and the data considered sensitive. This authorization shall be implemented in all collection of sensitive data, except in the following cases in which authorization is not required by law.
  • The treatment is necessary to safeguard the vital interest of the holder and he/she is physically or legally incapacitated. In these events, the legal representatives must grant their authorization.
  • The processing is carried out in the course of legitimate activities and with due guarantees by the foundation, NGO, association or any other non-profit organization, whose purpose is political, philosophical, religious or trade union, provided that they refer exclusively to its members or to persons who maintain regular contacts by reason of their purpose. In these events, the data may not be provided to third parties without the owner's authorization.
  • The processing relates to data that are necessary for the recognition, exercise or defense of a right in legal proceedings.
  • The processing has a historical, statistical or scientific purpose. In this event, the measures leading to the suppression of the identity of the Data Controllers must be adopted.

In the event that the Foundation processes Sensitive Data of employees or natural persons who are part of the programs developed by the Foundation, it shall strictly observe the limitations and obligations established by Law 1581 of 2012, its regulatory decrees and other concordant norms.

3.5.1. Processing of sensitive employee data

The Foundation may process sensitive data of its employees, such as: employee's health, medical tests for admission, occupational accidents, health assessment in general, medical disability information, and other related information, height, weight, complexion, biometric data such as fingerprints and photographs. This sensitive data will be processed by the Foundation for the following purposes:

  • Verify whether the person meets the physical requirements necessary to perform the position for which he/she is applying or was hired.
  • To have the necessary information to deal with any medical emergency that may arise during the course of their work with the Foundation.
  • Comply with occupational safety and health standards and implement the SG-SST, and any other program, system and/or plan that seeks to protect the health of the worker and people in the workplace.
  • Identify personnel who access the Foundation's facilities or who carry out any work activity with the Foundation.
  • To comply with the legal obligations arising from the employment relationship, such as carrying out all the necessary procedures for the registration of beneficiaries before the Social Security System, or any other activity derived from the applicable legislation.

3.5.2. Processing of sensitive data of individuals who are part of programs developed by the Foundation.

The Foundation may process sensitive data of its employees and natural persons with whom it performs tasks and activities implemented and developed by the Foundation, such as: health status, gender, racial origin, marital status, place of residence, socioeconomic status, origin of housing resources, housing characteristics, income, housing expenses, family expenses, level of education, fingerprints, photographs, videos, among others. For these purposes, the Foundation will apply the legal provisions on the treatment of sensitive data.

The sensitive data of employees and natural persons with whom the Foundation performs work and activities implemented and developed by it, will be processed for the following purposes:

  • Verification of the ownership of personal data.
  • Identification and analysis of intervention focuses.
  • Design internal and third party intervention projects.
  • Perform internal management and performance reporting.
  • Conduct diagnoses of socioeconomic characterization of the territory.
  • Conduct academic and research studies.
  • Affiliation to health systems.
  • Identification of target populations for intervention by the Foundation, as well as vulnerable groups for health affiliations.
  • Judicial background check.
  • Perform diagnostics and impact measurement processes.
  • Conduct research projects for academic purposes.
  • Updating of data provided by the natural persons who are part of the different programs developed by the Foundation.

3.6. Data processing of children and adolescents

The Foundation may process the personal data of children and adolescents. This information must be processed with the authorization of the parents or the persons legally empowered for them. The treatment of the data must respond to and respect the best interests of children and adolescents and must ensure respect for their fundamental rights.

3.6.1. Treatment of children of employees

The Foundation may process information of children and adolescents in accordance with the applicable regulations and in accordance with the following purposes:

  • Identification of the children of the Foundation's employees for the purpose of complying with the legal obligations arising from the employment relationship, such as carrying out all the necessary procedures for the registration of beneficiaries with the authorities and the Social Security Health System.
  • Communicate to employees the wellness activities that the Foundation has organized for their families.
  • Conduct wellness activities that the Foundation organizes for employees' families.

3.7. Treatment of children and adolescents belonging to programs developed by the Foundation.

The Foundation may process information of children and adolescents belonging to the programs developed and implemented by the Foundation. The Foundation will strictly observe the limitations and obligations established in Law 1581 of 2012, its regulatory decrees and other concordant norms. Therefore, in case of processing Personal Data of children and/or adolescents, the Foundation will ensure the following:

  • a) That the treatment responds to and respects the best interests of children and adolescents.
  • b) That the treatment ensures respect for the fundamental rights of children and adolescents.
  • c) Value the opinion of the minor when he/she has the maturity, autonomy and capacity to understand the matter.

The treatment of children and adolescents will be carried out in accordance with the following purposes:

  • Management of school quotas by the Foundation together with the Secretaries of Education.
  • Management of quotas in ecological, dance, theater, music and percussion groups.
  • Attendance control at events organized by the Foundation.
  • Develop early childhood care and attention programs.
  • Conduct research projects for academic purposes.

3.8. Transfer and Transmission of Personal Data

3.8.1. Transmission of Personal Data

The Foundation carries out the Transmission of Personal Data of the Data Controllers to third parties located in Colombia, as Agents, to carry out the Processing of Personal Data on behalf of the Foundation in order to develop the purposes indicated above in chapters 7 and 8. For such purposes, with the acceptance of this policy it is understood that the transmission of Data is accepted in accordance with the Colombian Regime for the Protection of Personal Data.

The Foundation may transfer the Personal Data in its possession or even the complete Databases to Agents located inside or outside Colombia, provided that:

  • a. It has obtained authorization from the Holders; or
  • b. It has a Personal Data Transmission contract, under the terms established in Article 25 of Decree 1377 of 2013.

Notwithstanding the fact that the Transmission is to be made to any of the Countries with Adequate Levels of Protection, in order to comply with the principle of proven responsibility and according to the position of the SIC on the matter, the execution of a Personal Data Transmission contract or documents with similar legal effects is recommended.

In the event that the Foundation were to make Transmissions of Personal Data of the Data Controllers to third parties located outside Colombia, in order to collaborate in the development and implementation of programs with the communities, carry out events in conjunction with the Foundation and develop the purposes indicated above in chapters 5.4., 5.5. and 5.6, such transmissions shall be understood as authorized with the acceptance of this policy according to the Personal Data Protection Law.

3.8.2. Transfer of Personal Data

The Foundation may make Transfers of Personal Data of the Data Controllers to third parties located within Colombia to collaborate in the development and implementation of programs with the communities and to carry out events in conjunction with the Foundation and in order to develop the purposes indicated above in chapters 5.4., 5.5. and 5.6.

For such purposes, with the acceptance of this policy, it is understood that the transfer of Data is accepted in accordance with the Colombian regime of Personal Data protection.

In the event that the Foundation were to transfer Personal Data of the Data Controllers to third parties located outside Colombia, in order to collaborate in the development and implementation of programs with the communities, carry out events in conjunction with the Foundation and develop the purposes mentioned above in chapters 5.4, 5.5 and 5.6, such transfers shall be understood as authorized with the acceptance of this policy according to the Personal Data Protection Law.

3.9. Rights of Owners

The Data Subject shall have the following rights:

  • To know, update and rectify their personal data against the data controllers or data processors. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or data whose processing is expressly prohibited or has not been authorized.
  • Request proof of the authorization granted to the Data Controller, except when expressly exempted as a requirement for the processing, in accordance with the provisions of the law.
  • To be informed by the Data Controller or the person in charge of the processing, upon request, regarding the use that has been made of his or her personal data.
  • File complaints before the Superintendence of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and other regulations that modify, add or complement it.
  • To revoke the authorization and/or request the deletion of the data when the principles, rights and constitutional and legal guarantees are not respected in the processing. The revocation and/or deletion will proceed when the Superintendence of Industry and Commerce has determined that the Controller or Processor has incurred in conduct contrary to Law 1581 of 2012 and the Constitution.
  • Access free of charge to your personal data that has been processed.

3.10. Persons authorized to exercise the holder's rights

Personal data processed by the Foundation may only be provided to the following persons:

  • To the owners, who must prove their identity sufficiently, their successors in title or their legal representatives.
  • To public or administrative entities in the exercise of their legal functions or by court order.
  • To third parties authorized by the owner or the law.

3.11. Procedures

3.11.1. Inquiries

The holders or their successors in title may consult the personal information of the holder in the Foundation's databases.

Inquiries may be made in the following manner:

I. Written

Inquiries made in writing must be submitted to the offices of the Santo Domingo Foundation located at Carrera 53 No. 106 - 280 Piso 4 Edificio Centro Empresarial Buena Vista in the city of Barranquilla, Colombia, and must include at least the following information:

  • a. Name and identification of the owner.
  • b. Brief summary of the facts alleged.
  • c. Mailing address.
  • d. Simple copy of the citizenship card.

II. Electronic

Applications can be made through the website www.fundacionsantodomingo.org.co or by e-mail to [email protected].

Consultations shall contain at least the following information:

  • a. Name and identification of the owner.
  • b. Brief summary of the facts alleged.
  • c. Mailing address.
  • d. Simple copy of the citizenship card.

III. Verbal

These requests must be made at the Foundation's offices. In these cases, the competent official will take note of the request submitted and will provide the applicant with a record of submission of his inquiry.

In all the above cases, the consultation will be answered within a maximum term of ten (10) working days from the date of receipt thereof. When it is not possible to attend the consultation within such term, the interested party shall be informed, stating the reasons for the delay and indicating the date on which the consultation will be attended, which in no case may exceed five (5) business days following the expiration of the first term.

3.11.2. Claims

The Data Subject or his/her assignees who consider that the information contained in the databases of the Foundation should be corrected, updated or deleted, or when they notice the alleged breach of any of the duties contained in the law, may file a claim before the same, which will be processed under the following rules:

  • The claim shall be formulated by means of a request addressed to the Foundation or to the person in charge of the treatment, with the identification of the holder, the description of the facts that give rise to the claim, the address, and accompanying the documents that the claimant wishes to assert. If the claim is incomplete, the interested party will be required within five (5) days of receipt of the claim to correct the faults. After two (2) months from the date of the requirement, without the applicant submitting the required information, it will be understood that the claim has been abandoned. In the event that the person receiving the claim is not competent to resolve it, he/she will transfer it to the appropriate person within a maximum term of two (2) business days and will inform the interested party of the situation.
  • Once the complete claim has been received, a legend will be included in the database stating "claim in process" and the reason for the claim, within a term no longer than two (2) business days. Said legend shall be maintained until the claim is decided.
  • The maximum term to address the claim will be fifteen (15) business days from the day following the date of receipt. When it is not possible to address the claim within such term, the interested party will be informed of the reasons for the delay and the date on which the claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.

3.11.3. Data Suppression

The Data Subject has the right, at any time, to request that the Foundation delete (remove) his/her Personal Data. However, the right of deletion is not absolute, and the Controller may deny its exercise when:

  • a. The Data Subject has a legal or contractual duty to remain in the Foundation's database.
  • b. The suppression of Personal Data hinders judicial or administrative proceedings related to tax obligations, the investigation and prosecution of crimes or the updating of administrative sanctions.
  • c. The Personal Data is necessary to protect the legally protected interests of the Data Subject, to carry out an action in the public interest, or to comply with an obligation legally acquired by the Data Subject.

3.11.4. Revocation of the Authorization.

The Personal Data Subject may revoke the consent to the Processing of his/her Personal Data at any time, as long as it is not prevented by a legal provision.

3.12. Allies

In developing its purpose, the Foundation enters into a series of agreements, contracts and alliances with natural and legal persons, with the aim that these are aligned with the protection of Personal Data in accordance with the Colombian legal system.

In this sense, the delivery of information by the Foundation to the Allies shall be made in compliance with this Policy, in particular in accordance with the rules of transfers and transmissions as the case may be.

In order for Allies to have access to information provided by the Foundation, they must meet at least the following requirements:

  • Allies must have computer security systems that allow the protection of the information that may be delivered through the network.
  • Prior to the delivery of the information, a confidentiality agreement must be signed by the Ally and the Foundation or, within the contract signed between the Foundation and the Ally, a confidentiality clause of the information must be included.
  • The information provided by the Foundation to the Allies shall only be for their exclusive use, and the transfer of such information to third parties is forbidden.
  • The Allies that carry out portfolio collection on behalf of the Foundation must guarantee the privacy of the information, in addition to compliance with this Policy and the established collection policy.

3.13. Validity

This personal data protection policy is effective for all employees, partners, suppliers, candidates, people who are part of the foundation's programs, and credit users and website users who must comply with it, from September 28, 2018.

Updated: June 4, 2023. Version 2 - 03/23/2023

Data protection requirements

If you have any doubts, queries, complaints and/or claims in relation to your Personal Data, we invite you to fill in the following form.