AUTHORIZATION FOR THE PROCESSING OF PERSONAL DATA

With the implementation of this policy, the aim is to guarantee the confidentiality of information and the security of its processing for all clients, suppliers, employees, and third parties from whom HOTEL LAS ISLAS has legally obtained personal information and data, in accordance with the guidelines established by the regulatory law on the right to Habeas Data. Likewise, through the issuance of this policy, compliance is ensured with the provisions set forth in literal K of Article 17 of the aforementioned law.

Authorization: Prior, express, and informed consent of the data subject to carry out the processing. This may be written, verbal, or through unequivocal conduct that reasonably allows one to conclude that the data subject granted authorization.

Database: The organized set of Personal Data that is subject to Processing, whether electronic or not, regardless of the method of its creation, storage, organization, and access.

Inquiry: Request made by the data subject or by persons authorized by him/her or by law to know the information stored about him/her in databases or files.

Personal Data: Any information linked or that can be associated with one or more identified or identifiable natural persons. These data are classified as sensitive, public, private, and semi-private.

Sensitive Personal Data: Information that affects a person’s privacy or whose misuse may lead to discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in trade unions, social or human rights organizations, or that promote the interests of any political party or safeguard the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data (fingerprints, among others).

For the purposes of this policy, the Hotel warns that the provision of this type of information by the personal data subject is optional in cases where it may eventually be requested.

Public Personal Data: Data classified as such by law or the Political Constitution and all those that are not semi-private or private. Public data include, among others, information contained in public documents, public records, official gazettes and bulletins, and duly enforceable judicial rulings that are not subject to confidentiality, as well as those relating to civil status, profession or occupation, and the status of merchant or public servant. Personal data contained in the commercial registry of Chambers of Commerce (Article 26 of the Commercial Code) are also considered public. Likewise, public data are those that, by decision of the data subject or by legal mandate, are found in freely accessible files. Such data may be obtained and provided without restriction, regardless of whether they refer to general, private, or personal information.

Private Personal Data: Data that, by its intimate or reserved nature, is relevant only to the data subject. Examples: merchants’ accounting books, private documents, information obtained from home inspections.

Semi-private Personal Data: Data that is neither intimate, reserved, nor public, and whose knowledge or disclosure may be of interest not only to the data subject but also to a specific sector, group of people, or society in general. For example, data regarding compliance or non-compliance with financial obligations, or data related to relationships with social security entities.

Data Controller: The person who, alone or jointly with others, decides on the database and/or the processing of the data.

Data Processor: The person who processes data on behalf of the data controller.

Being “Authorized”: Refers to the Hotel and all persons under its responsibility, who, by virtue of the authorization and this Policy, are legally entitled to process the personal data of the data subject. The Authorized also includes those “Enabled.”

“Enabling” or being “Enabled”: The legitimacy expressly and in writing, through a contract or equivalent document, granted by the Hotel to third parties, in compliance with applicable law, for the processing of personal data, thereby converting such third parties into data processors of the personal data provided or made available.

Claim: Request made by the data subject or by persons authorized by him/her or by law to correct, update, or delete his/her personal data, or when they notice an alleged breach of the data protection regime, according to Article 15 of Law 1581 of 2012.

Data Subject: The natural person to whom the information refers.

Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion of that information.

Transmission: Processing of personal data that involves their communication within Colombia (national transmission) or outside Colombia (international transmission), and whose purpose is for processing to be carried out by the processor on behalf of the controller.

Transfer: Data transfer occurs when the controller and/or processor of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is responsible for processing and is located inside or outside the country.

Requirement of Procedural Admissibility: The data subject or successor may only file a complaint with the Superintendence of Industry and Commerce once the consultation or claim process has been exhausted before the data controller or processor, in accordance with Article 16 of Law 1581 of 2012.

The processing of personal data must be carried out in compliance with general and specific regulations on the matter and for activities permitted by law. Consequently, for the purposes of this policy, the following principles apply:

• Principle of Legality: Data processing is a regulated activity that must comply with the law and other provisions that develop it.

• Principle of Purpose: The processing must be for a legitimate purpose in accordance with the Constitution and the Law.

• Principle of Freedom: Data processing can only be carried out with the prior, express, and informed consent of the data subject. Personal data cannot be obtained or disclosed without prior authorization or in the absence of a legal or judicial mandate that exempts consent.

• Principle of Truthfulness or Quality: The information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. The processing of partial, incomplete, fragmented data, or data that may lead to error is prohibited.

• Principle of Transparency: The processing must guarantee the right of the data subject to obtain from the data controller, at any time and without restrictions, information regarding the existence of data concerning them.

• Principle of Access and Restricted Circulation: The processing is subject to the limits derived from the nature of the personal data, the provisions of the law, and the Constitution. In this regard, processing can only be carried out by persons authorized by the data subject and/or by persons provided for by law.

• Principle of Security: The information subject to processing by the data controller or the data processor referred to in this law must be handled with the necessary technical, human, and administrative measures to ensure the security of the records, avoiding their alteration, loss, consultation, unauthorized use, or fraudulent access.

• Principle of Confidentiality: All individuals involved in the processing of personal data, which is not public in nature, are obligated to ensure the confidentiality of the information, even after the end of their relationship with any of the tasks involved in the processing. They may only disclose or communicate personal data when it corresponds to the development of activities authorized by this law and within its terms.

• Right to know, update, rectify, and consult their personal data at any time with Hotel Las Islas regarding data that they consider partial, inaccurate, incomplete, fragmented, or misleading.
• Right to request proof at any time of the authorization granted to Hotel Las Islas, except in cases where the Data Controller is legally exempt from having authorization to process the data of the data subject.
• Right to be informed by Hotel Las Islas, upon request from the data subject, about the use given to their data.
• Right to file complaints with the Superintendency of Industry and Commerce regarding matters that are relevant to assert their Habeas Data rights.
• Right to revoke the authorization and/or request the deletion of any data when the data subject believes that Hotel Las Islas has not respected their rights and constitutional guarantees.
• Right to freely access the personal data that they voluntarily decide to share with Hotel Las Islas.

• The Hotel informs data subjects, clients, suppliers, and employees that the data will be used for the following purposes:
• To support the contractual relationship established with the Hotel.
• To provide services related to the products and services offered.
• To carry out all activities related to the service or product, which will include being added to an email list for sending the newsletter.
• To send information about changes in the conditions of the services and products purchased, and notify about new services and products.
• To carry out all tax, accounting, fiscal, and billing procedures.
• To manage requests, clarifications, and investigations.
• To develop studies and programs necessary to determine consumption habits.
• To refine security filters and business rules in commercial transactions; to confirm and process such transactions with your financial institution, with our service providers, and with you.
• To conduct periodic evaluations of our products and services in order to improve their quality.
• To send, by traditional and electronic means, technical, operational, and commercial information about products and services offered by the Hotel, its affiliates, or providers, both currently and in the future.
• To request satisfaction surveys, which are not mandatory to answer.
• To carry out the transmission and/or transfer of data to other companies or business alliances in order to fulfill our corporate purpose.
• To comply with obligations contracted by the Hotel with its clients when acquiring our services and products, and in particular, to manage hotel registration and care during the stay.
• To respond to inquiries, petitions, complaints, and claims made by control agencies and other authorities who, by virtue of applicable law, are entitled to receive personal data.
• Any other activity of a similar nature to the ones described above that is necessary to develop the Hotel's corporate purpose.
• To fulfill obligations contracted by the Hotel with employees regarding salary payments, social benefits, and other obligations established in the employment contract and current labor regulations.
• To inform the employee of any changes during the employment contract and after its termination.
• To evaluate the quality of the services we provide.
• To conduct internal studies on employee habits or request personal information for the development of programs or management systems.
• To make authorized payroll deductions by the employee.
• To manage requests, administration of activities, clarifications, and investigations.
• Marketing and sale of our products and services.
• To request surveys, which the employee is not obligated to answer.
• To consult various databases and authorized sources (such as OFAC lists, UN, among others) necessary for fraud control and prevention or crimes related to money laundering, in accordance with our risk management and prevention policies – SARLAFT.
• In the event that we receive health-related documentation (medical records, disabilities, and similar documents), this information will be used exclusively to process refunds or similar procedures required with contracted providers. This information will be kept confidential and safeguarded with the utmost care.

• To ensure that the data subject always fully and effectively exercises their right to habeas data.
• To request and keep, in accordance with the provisions of this law, a copy of the authorization granted by the data subject.
• To properly inform the data subject about the purpose of data collection and the rights that they have by virtue of the authorization granted.
• To store the information under the necessary security conditions to prevent its alteration, loss, consultation, unauthorized use, or fraudulent access.
• To process inquiries and complaints within the terms set out in this law.
• To adopt an internal manual of policies and procedures to ensure proper compliance with this law, especially for handling inquiries and complaints.
• To inform the data subject, upon request, about the use given to their data.
• To inform the data protection authority when there are violations of security codes and risks in the management of the data subject’s information.
• To comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

• To ensure that the data subject always fully and effectively exercises their right to habeas data.
• To store the information under the necessary security conditions to prevent its alteration, loss, consultation, unauthorized use, or fraudulent access.
• To update, rectify, or delete the data in a timely manner according to the terms of this law.
• To update the information reported by the data controllers within five (5) business days from receipt.
• To process the inquiries and complaints made by the data subjects according to the terms set out in this law.
• To adopt an internal manual of policies and procedures to ensure proper compliance with this law, especially for handling inquiries and complaints from data subjects.
• To refrain from circulating information that is being disputed by the data subject and whose blocking has been ordered by the Superintendency of Industry and Commerce.
• To allow access to the information only to those individuals who are authorized to access it.
• To inform the Superintendency of Industry and Commerce when violations of security codes occur and there are risks in managing the data subjects' information.
• To comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

For the purpose of receiving requests, complaints, and inquiries related to the handling and processing of personal data, Hotel Las Islas has designated the email address privacidad@lasislas.com.co to channel, study, and respond to them. Therefore, you can send your requests to this address, which will be processed in accordance with Law 1581:

A. Inquiries: Data subjects or their successors may inquire about the personal information held in our database. Hotel Las Islas will provide all information contained in the individual record or related to the identification of the data subject. The inquiry will be addressed within a maximum term of ten (10) business days from the date of receipt. If it is not possible to respond to the inquiry within this term, the interested party will be informed and a date will be set when the inquiry will be addressed, which may not exceed five (5) business days after the expiration of the initial term.

B. Complaints: Data subjects or their successors who believe that the information contained in a database should be corrected, updated, or deleted, or who notice a presumed non-compliance with any of the duties contained in the law, may file a complaint with Hotel Las Islas, which will be processed under the following rules:

The complaint will be submitted by a request directed to Hotel Las Islas with the identification of the data subject, a description of the facts leading to the complaint, the address, and any documents the data subject wishes to present. If the complaint is incomplete, Hotel Las Islas will request the interested party to correct the deficiencies within five (5) days after receipt of the complaint. If the requested information is not provided within two (2) months from the date of the request, it will be understood that the complainant has withdrawn the complaint.

Once the complete complaint is received, a note will be included in the database stating "Complaint in process" along with the reason for it, within a term of no more than two (2) business days. This note must remain until the complaint is resolved.

The maximum term for addressing the complaint will be fifteen (15) business days, starting the day after its receipt. If it is not possible to address the complaint within this term, the interested party will be informed and a date will be set when the complaint will be addressed, which may not exceed eight (8) business days after the expiration of the initial term.

In any case, the data subject or their successor may only file a complaint with the Superintendency of Industry and Commerce once the inquiry or complaint process with Hotel Las Islas has been exhausted.

The department responsible for receiving and processing complaints is the Information Security Management.

The request for the deletion of information and the revocation of authorization will not be processed if the data subject has a legal or contractual obligation to remain in the database.

If you have any questions or inquiries regarding the process of collecting, processing, or transferring your personal information, or if you believe that the information contained in a database should be corrected, updated, or deleted, you may do so by emailing: privacidad@lasislas.com.co.