AUTHORIZATION FOR THE PROCESSING OF PERSONAL DATA

The processing of personal data must be carried out in compliance with general and specific regulations on the matter and for activities permitted by law. Consequently, for the purposes of this policy, the following principles apply:

• Principle of Legality: Data processing is a regulated activity that must comply with the law and other provisions that develop it.

• Principle of Purpose: The processing must be for a legitimate purpose in accordance with the Constitution and the Law.

• Principle of Freedom: Data processing can only be carried out with the prior, express, and informed consent of the data subject. Personal data cannot be obtained or disclosed without prior authorization or in the absence of a legal or judicial mandate that exempts consent.

• Principle of Truthfulness or Quality: The information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. The processing of partial, incomplete, fragmented data, or data that may lead to error is prohibited.

• Principle of Transparency: The processing must guarantee the right of the data subject to obtain from the data controller, at any time and without restrictions, information regarding the existence of data concerning them.

• Principle of Access and Restricted Circulation: The processing is subject to the limits derived from the nature of the personal data, the provisions of the law, and the Constitution. In this regard, processing can only be carried out by persons authorized by the data subject and/or by persons provided for by law.

• Principle of Security: The information subject to processing by the data controller or the data processor referred to in this law must be handled with the necessary technical, human, and administrative measures to ensure the security of the records, avoiding their alteration, loss, consultation, unauthorized use, or fraudulent access.

• Principle of Confidentiality: All individuals involved in the processing of personal data, which is not public in nature, are obligated to ensure the confidentiality of the information, even after the end of their relationship with any of the tasks involved in the processing. They may only disclose or communicate personal data when it corresponds to the development of activities authorized by this law and within its terms.

• Right to know, update, rectify, and consult their personal data at any time with Hotel Las Islas regarding data that they consider partial, inaccurate, incomplete, fragmented, or misleading.
• Right to request proof at any time of the authorization granted to Hotel Las Islas, except in cases where the Data Controller is legally exempt from having authorization to process the data of the data subject.
• Right to be informed by Hotel Las Islas, upon request from the data subject, about the use given to their data.
• Right to file complaints with the Superintendency of Industry and Commerce regarding matters that are relevant to assert their Habeas Data rights.
• Right to revoke the authorization and/or request the deletion of any data when the data subject believes that Hotel Las Islas has not respected their rights and constitutional guarantees.
• Right to freely access the personal data that they voluntarily decide to share with Hotel Las Islas.

• The Hotel informs data subjects, clients, suppliers, and employees that the data will be used for the following purposes:
• To support the contractual relationship established with the Hotel.
• To provide services related to the products and services offered.
• To carry out all activities related to the service or product, which will include being added to an email list for sending the newsletter.
• To send information about changes in the conditions of the services and products purchased, and notify about new services and products.
• To carry out all tax, accounting, fiscal, and billing procedures.
• To manage requests, clarifications, and investigations.
• To develop studies and programs necessary to determine consumption habits.
• To refine security filters and business rules in commercial transactions; to confirm and process such transactions with your financial institution, with our service providers, and with you.
• To conduct periodic evaluations of our products and services in order to improve their quality.
• To send, by traditional and electronic means, technical, operational, and commercial information about products and services offered by the Hotel, its affiliates, or providers, both currently and in the future.
• To request satisfaction surveys, which are not mandatory to answer.
• To carry out the transmission and/or transfer of data to other companies or business alliances in order to fulfill our corporate purpose.
• To comply with obligations contracted by the Hotel with its clients when acquiring our services and products, and in particular, to manage hotel registration and care during the stay.
• To respond to inquiries, petitions, complaints, and claims made by control agencies and other authorities who, by virtue of applicable law, are entitled to receive personal data.
• Any other activity of a similar nature to the ones described above that is necessary to develop the Hotel's corporate purpose.
• To fulfill obligations contracted by the Hotel with employees regarding salary payments, social benefits, and other obligations established in the employment contract and current labor regulations.
• To inform the employee of any changes during the employment contract and after its termination.
• To evaluate the quality of the services we provide.
• To conduct internal studies on employee habits or request personal information for the development of programs or management systems.
• To make authorized payroll deductions by the employee.
• To manage requests, administration of activities, clarifications, and investigations.
• Marketing and sale of our products and services.
• To request surveys, which the employee is not obligated to answer.
• To consult various databases and authorized sources (such as OFAC lists, UN, among others) necessary for fraud control and prevention or crimes related to money laundering, in accordance with our risk management and prevention policies – SARLAFT.
• In the event that we receive health-related documentation (medical records, disabilities, and similar documents), this information will be used exclusively to process refunds or similar procedures required with contracted providers. This information will be kept confidential and safeguarded with the utmost care.

• To ensure that the data subject always fully and effectively exercises their right to habeas data.
• To request and keep, in accordance with the provisions of this law, a copy of the authorization granted by the data subject.
• To properly inform the data subject about the purpose of data collection and the rights that they have by virtue of the authorization granted.
• To store the information under the necessary security conditions to prevent its alteration, loss, consultation, unauthorized use, or fraudulent access.
• To process inquiries and complaints within the terms set out in this law.
• To adopt an internal manual of policies and procedures to ensure proper compliance with this law, especially for handling inquiries and complaints.
• To inform the data subject, upon request, about the use given to their data.
• To inform the data protection authority when there are violations of security codes and risks in the management of the data subject’s information.
• To comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

• To ensure that the data subject always fully and effectively exercises their right to habeas data.
• To store the information under the necessary security conditions to prevent its alteration, loss, consultation, unauthorized use, or fraudulent access.
• To update, rectify, or delete the data in a timely manner according to the terms of this law.
• To update the information reported by the data controllers within five (5) business days from receipt.
• To process the inquiries and complaints made by the data subjects according to the terms set out in this law.
• To adopt an internal manual of policies and procedures to ensure proper compliance with this law, especially for handling inquiries and complaints from data subjects.
• To refrain from circulating information that is being disputed by the data subject and whose blocking has been ordered by the Superintendency of Industry and Commerce.
• To allow access to the information only to those individuals who are authorized to access it.
• To inform the Superintendency of Industry and Commerce when violations of security codes occur and there are risks in managing the data subjects' information.
• To comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

For the purpose of receiving requests, complaints, and inquiries related to the handling and processing of personal data, Hotel Las Islas has designated the email address privacidad@lasislas.com.co to channel, study, and respond to them. Therefore, you can send your requests to this address, which will be processed in accordance with Law 1581:

A. Inquiries: Data subjects or their successors may inquire about the personal information held in our database. Hotel Las Islas will provide all information contained in the individual record or related to the identification of the data subject. The inquiry will be addressed within a maximum term of ten (10) business days from the date of receipt. If it is not possible to respond to the inquiry within this term, the interested party will be informed and a date will be set when the inquiry will be addressed, which may not exceed five (5) business days after the expiration of the initial term.

B. Complaints: Data subjects or their successors who believe that the information contained in a database should be corrected, updated, or deleted, or who notice a presumed non-compliance with any of the duties contained in the law, may file a complaint with Hotel Las Islas, which will be processed under the following rules:

The complaint will be submitted by a request directed to Hotel Las Islas with the identification of the data subject, a description of the facts leading to the complaint, the address, and any documents the data subject wishes to present. If the complaint is incomplete, Hotel Las Islas will request the interested party to correct the deficiencies within five (5) days after receipt of the complaint. If the requested information is not provided within two (2) months from the date of the request, it will be understood that the complainant has withdrawn the complaint.

Once the complete complaint is received, a note will be included in the database stating "Complaint in process" along with the reason for it, within a term of no more than two (2) business days. This note must remain until the complaint is resolved.

The maximum term for addressing the complaint will be fifteen (15) business days, starting the day after its receipt. If it is not possible to address the complaint within this term, the interested party will be informed and a date will be set when the complaint will be addressed, which may not exceed eight (8) business days after the expiration of the initial term.

In any case, the data subject or their successor may only file a complaint with the Superintendency of Industry and Commerce once the inquiry or complaint process with Hotel Las Islas has been exhausted.

The department responsible for receiving and processing complaints is the Information Security Management.

The request for the deletion of information and the revocation of authorization will not be processed if the data subject has a legal or contractual obligation to remain in the database.

If you have any questions or inquiries regarding the process of collecting, processing, or transferring your personal information, or if you believe that the information contained in a database should be corrected, updated, or deleted, you may do so by emailing: privacidad@lasislas.com.co.