AUTHORIZATION FOR THE PROCESSING OF PERSONAL DATA

The Data Protection Policy of Unión Temporal Hotel Las Islas aims to regulate the processing of personal data collected in the course of its activities, in compliance with the applicable regulations in force. This policy sets out the principles, rights, purposes, and procedures applicable to the processing of such data, as well as the mechanisms through which data subjects may exercise their rights.

Personal Data: Information that makes it possible to identify a natural person.

Sensitive Data: Information that affects the data subject’s privacy or whose misuse may lead to discrimination (e.g., health, sexual orientation, ethnic origin).

Public Data: Data that is not semi-private, private, or sensitive.

Data Subject: The natural person whose data are subject to processing.

Database: An organized set of personal data that is subject to processing.

Processing: Any operation performed on personal data (collection, storage, use, circulation, or deletion).

Data Controller: The person/entity that decides on the database and its processing (Unión Temporal Hotel Las Islas).

Data Processor: The person/entity that carries out the processing of data on behalf of the controller.

Transfer: Occurs when the controller and/or processor of personal data located in Colombia sends the information or personal data to a recipient which, in turn, is a controller and is located inside or outside the country.

Transmission: Processing of personal data that involves communicating such data within or outside the territory of the Republic of Colombia for the purpose of processing by the processor on behalf of the controller.

Principle of Legality in Data Processing: The processing referred to by the Law is a regulated activity that must adhere to the provisions set forth therein and in any other applicable regulations.

Principle of Purpose: Processing must pursue a legitimate purpose in accordance with the Constitution and the Law, and such purpose must be disclosed to the data subject.

Principle of Freedom: Processing may only be carried out with the prior, express, and informed consent of the data subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that waives consent.

Principle of Truthfulness or Quality: Information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. The processing of partial, incomplete, fragmented, or misleading data is prohibited.

Principle of Transparency: Processing must guarantee the data subject’s right to obtain, at any time and without restriction, information from the data controller or data processor regarding the existence of data concerning them.

Principle of Restricted Access and Circulation: Processing is subject to the limits derived from the nature of personal data and from the provisions of the Law and the Constitution. Accordingly, processing may only be carried out by persons authorized by the data subject and/or by those provided for in the Law. Personal data—except public information—may not be available on the Internet or other mass dissemination channels unless access is technically controllable to provide restricted knowledge solely to the data subjects or third parties authorized under the Law.

Principle of Security: Information processed by the controller or processor, as referred to by the Law, must be handled with the technical, human, and administrative measures necessary to ensure the security of the records and prevent their alteration, loss, consultation, use, or unauthorized or fraudulent access.

Principle of Confidentiality: All persons involved in the processing of personal data that are not public in nature are obligated to maintain the confidentiality of the information—even after their relationship with any of the tasks comprising the processing has ended—and may only provide or communicate personal data when it corresponds to the execution of activities authorized by the Law and under its terms.

Unión Temporal Hotel Las Islas informs personal data subjects that information collected from customers, users or guests, contractors or suppliers, employees, candidates, and visitors—or any person who has a commercial and/or contractual relationship with Unión Temporal Hotel Las Islas—may be subject to Processing in order to fulfill specific purposes according to their status as data subjects.

Processing may be carried out directly by Unión Temporal Hotel Las Islas or by authorized third parties such as contractors, consultants, advisors, or data processors, who may perform operations including collection, storage, use, circulation, deletion, classification, transfer, or transmission—whether in whole or in part—of personal data, in accordance with the purposes established for each category of data subject.

Processing of sensitive data and data of minors

Unión Temporal Hotel Las Islas will refrain, to the extent possible, from collecting or processing sensitive data and data relating to minors. However, if it should become indispensable to continue or initiate a relationship with the data subject, processing will be carried out in accordance with applicable legislation, subject to prior authorization from the legal representative in the case of minors, or from those who hold parental authority, pursuant to Article 7 of Law 1581 of 2012. Likewise, the Entity will ensure that the data subject is clearly informed about the sensitive data to be processed, the specific purposes of such processing, and their right to freely decide whether or not to provide such information.

Customers

When are your Personal Data collected?

Process: MANAGEMENT SYSTEMS

Version: 1

Effective date: November 5, 2025

HOTEL LAS ISLAS

When data subjects voluntarily provide their personal data, for example, by completing digital forms.

When data subjects visit the website and register.

When data subjects access, book, or purchase additional services offered by Unión Temporal Hotel Las Islas through any of its customer service or sales channels.

When data subjects share their personal data via social networks.

Data processed for customers

Among others, the Entity may collect information regarding:

General identification data of the person: First and last names; identification type such as citizenship ID, foreigner ID, passport, identity card (NUIP), Civil Registry; identification number; gender.

Specific identification data of the person: Signature, nationality, family data, other identification documents, date of birth.

Location data related to the person’s commercial or professional activity: Address, telephone number, email, occupation.

Personal location data related to private activity: Country/Region, address, city, postal code, telephone number, email.

Personal data for access to information systems: IP address, device fingerprint.

Sensitive data:

Biometric data of the person: Voice, video, images of identification documents such as passports and national IDs.

Financial/economic data of the person: Credit-related data such as debit or credit card numbers, expiration date, cardholder name, verification code (CVV/CVC), and card type.

Health-related data of the person, including test results: Medical certificates, general or specialized.

Sources of collection

The mechanisms used by Unión Temporal Hotel Las Islas to collect data include: the website lasislas.com.co, digital forms, the Hotel’s corporate email, phone calls, messaging apps (WhatsApp or any similar medium), and social networks (Instagram, Facebook).

Purposes — Customers

Hotel Service Management and Provision

Process, confirm, and fulfill acquired services such as reservations, lodging, food and beverage, itineraries, rental of halls or spaces, recreational activities, and other services offered directly or through commercial partners. Likewise, comply with rights and obligations arising from the contractual relationship—either through the hotel or through third-party processors—including payment and booking management.

Send confirmations, reminders, notifications, updates, or changes related to contracted services, and inform about modifications to terms or news through authorized means such as email, phone calls, among others.

Contact the data subject to gather or confirm acquired services via the available channels, ensuring effective communication and the proper provision of the services offered.

Legal basis: Performance of the contractual relationship.

Marketing and Promotion

Design personalized marketing strategies by recording and analyzing customer information in order to offer special plans for services.

Provide commercial information about products and services of Unión Temporal Hotel Las Islas, its affiliates, and strategic partners with whom commercial agreements are in place.

Assess and segment customers based on purchasing behavior, preferences, and needs, with the aim of optimizing commercial strategies.

Register and manage customer surveys to evaluate perceptions of the products and services offered by Unión Temporal Hotel Las Islas.

Carry out advertising campaigns directed at current customers through various communication channels such as email and WhatsApp, among others.

Organize and classify customers according to commercial criteria to optimize marketing and sales strategies.

Legal basis: Legitimate interest; Data subject’s consent.

Service Analysis and Improvement

Analyze lodging trends and consumption behavior based on booking data and services used, in order to optimize internal processes, improve service quality, and strengthen the hotel offering.

Conduct statistical and operational studies to enhance the customer experience and improve the quality of products and services.

Legal basis: Legitimate interest; Data subject’s consent; Performance of a contractual relationship.

Financial and Accounting Management

Draft and execute contracts, issue invoices, manage collections, make payments, and fulfill accounting and financial obligations associated with contracted services.

Record and manage commercial transactions, payments, and collections.

Manage financial information related to reservations, including payments, refunds, credit notes, reconciliations, among others.

Generate, store, and manage invoices, reports, and other accounting, tax, and fiscal documents in order to comply with obligations established by current regulations and respond to requests from authorities.

Legal basis: Legal obligation.

Customer Service

Handle, record, and follow up on petitions, complaints, and claims related to the services acquired.

Respond to requests, inquiries, complaints, or claims from judicial, administrative, migration, customs, security, banking, or other competent authorities—national or international.

Legal basis: Legal obligation; Performance of the contractual relationship.

Legal Compliance and Security

Collect and store information about guests and their companions to comply with requirements established by the National Tourism Registry (RNT), Migración Colombia, and other competent authorities.

Verify information against restricted lists (such as OFAC, UN, among others) as part of anti-fraud, anti–money laundering, and counter–terrorist financing policies (SAGRILAFT - PTEE).

Refine security filters and business rules in commercial transactions; confirm and process such transactions with your financial institution, with our service providers, and with you.

Legal basis: Legal obligation; Legitimate interest.

Archiving and Retention

Preserve historical records of commercial interactions, transactions, and communications with customers, ensuring their traceability and availability.

Legal basis: Legal obligation; Legitimate interest.

Transmit and/or Transfer Data to Third Parties

Carry out the transmission and/or transfer of personal data to companies within the Aviatur Group, commercial partners, or third parties—including abroad—when necessary for the execution of contracted services, under the conditions permitted by law.

Legal basis: Data subject’s consent; Performance of a contractual relationship.

Perform Complementary Activities Related to the Corporate Purpose

Execute additional activities that are necessary to fulfill the corporate purpose of Unión Temporal Hotel Las Islas, provided they are related to the purposes described above.

Legal basis: Performance of a contractual relationship.

Purposes for Processing Customers’ Sensitive Data

Record and monitor telephone communications in order to assess, supervise, and improve the quality of the service provided.

Legal basis: Explicit consent; Legitimate interest.

Monitor facilities for the purpose of preventing and controlling risks that may affect the safety of individuals, property, and infrastructure, solely during the time the data subject is present on Unión Temporal Hotel Las Islas premises.

Legal basis: Implied consent via notice; Legitimate interest.

Collect, consult, and use images or copies of personal identification documents such as national ID cards, passports, visas, and driver’s licenses in order to manage reservations, coordinate contracted tourism services, and comply with legal or contractual requirements imposed by national or foreign authorities and tourism service providers.

Legal basis: Performance of a contractual relationship; Legal obligation.

Support and formally handle reservation or hotel service cancellation/modification processes when there are duly certified health situations, including refunds or other applicable adjustments.

Legal basis: Explicit consent; Performance of a contractual relationship.

In public health emergencies, sensitive personal data may be requested and processed—such as medical certificates, vaccination cards, or similar documents—solely for the purpose of complying with legal provisions, health regulations, or measures adopted by competent authorities, and to protect the health of guests, staff, and third parties.

Legal basis: Legal obligation; Health measures mandated by a competent authority; Explicit consent.

6.2. Users or Guests

When are your Personal Data collected?

When data subjects voluntarily provide their personal data, for example, by completing digital forms.

When data subjects visit the website and register.

When data subjects access, book, or purchase tourism products and services offered by Unión Temporal Hotel Las Islas through any of its customer service or sales channels.

When data subjects share their personal data via social networks.

Data processed for users or guests

General identification data of the person: First and last names; type of identification such as citizenship ID, passport, identity card (NUIP), driver’s license, foreigner ID, Civil Registry; identification number; kinship; gender.

Specific identification data of the person: Nationality, other identification documents, date of birth.

Sensitive data:

Biometric data of the person: Voice, video, images of identification documents such as passports, national IDs, visas, and driver’s licenses.

Health-related data of the person, including test results: General or specialized medical certificates.

Sources of collection

The mechanisms made available by Unión Temporal Hotel Las Islas include: the website www.lasislas.com.co/es-co, digital forms, the organization’s email, phone calls, messaging apps (WhatsApp or any similar medium), and social networks (Instagram, Facebook).

Purposes for users or guests

Provision and Management of Tourism Services

Process, confirm, and fulfill acquired services such as reservations, lodging, food and beverage, itineraries, rental of halls or spaces, recreational activities, and other services offered directly or through commercial partners.

Send confirmations, reminders, notifications, updates, or changes related to the contracted services, and inform about modifications to terms or news via authorized means such as email and phone calls, among others.

Contact the data subject for the purpose of collecting, updating, retaining, processing, and using their personal information or documentation, through the enabled channels, to ensure effective communication and the proper provision of the services offered.

Legal basis: Performance of a contractual relationship.

Service Analysis and Improvement

Analyze travel trends and consumption behavior based on booking data, in order to optimize internal processes and improve service quality and the tourism offering.

Conduct statistical and operational studies to strengthen the user experience and improve the quality of products and services.

Legal basis: Legal obligation; Performance of a contractual relationship.

User Service and Follow-up

Handle, record, and follow up on requests, complaints, claims, refunds, and inquiries related to the services acquired.

Respond to requests, inquiries, complaints, or claims from judicial, administrative, migration, customs, security, banking, or other competent authorities—national or international.

Legal basis: Legal obligation; Performance of a contractual relationship.

Legal Compliance and Security

Verify information against restricted lists (such as OFAC, UN, among others) as part of policies for the prevention of fraud, money laundering, and terrorist financing (SAGRILAFT – PTEE).

Legal basis: Legal obligation; Legitimate interest.

Archiving and Retention

Preserve historical records of commercial interactions, transactions, and communications with customers, ensuring their traceability and availability.

Legal basis: Legal obligation; Legitimate interest.

Transmit and/or Transfer Data to Third Parties

Transmit and/or transfer personal data to companies within the Aviatur Group, commercial partners, or third parties—including abroad—when necessary for the execution of contracted services, under the conditions permitted by law.

Transmit or transfer personal data to third parties, within or outside the country, when necessary to provide the service, comply with legal obligations, or perform a contract.

Legal basis: Data subject’s consent; Performance of a contractual relationship.

Perform Complementary Activities Related to the Corporate Purpose

Carry out additional activities necessary to fulfill the corporate purpose of Unión Temporal Hotel Las Islas, provided they are related to the purposes described above.

Legal basis: Performance of a contractual relationship.

Purposes for Processing Users’ and Guests’ Sensitive Data

Record and monitor telephone communications in order to assess, supervise, and improve the quality of the service provided.

Legal basis: Explicit consent; Legitimate interest.

Monitor facilities for the purpose of preventing and controlling risks that may affect the safety of individuals, property, and infrastructure, exclusively while the data subject is present on Aviatur premises.

Legal basis: Implied consent via notice; Legitimate interest.

Collect, consult, and use images or copies of personal identification documents such as national ID cards, passports, visas, and driver’s licenses in order to manage reservations, comply with legal or contractual requirements imposed by national or foreign authorities, and fulfill the contracted service.

Legal basis: Performance of a contractual relationship; Legal obligation.

Support and formally handle reservation or hotel service cancellation/modification processes when there are duly certified health situations, including refunds or other applicable adjustments.

Legal basis: Explicit consent; Performance of a contractual relationship.

In public health emergencies, sensitive personal data may be requested and processed—such as medical certificates, vaccination cards, or similar documents—solely for the purpose of complying with legal provisions, health regulations, or measures adopted by competent authorities, and to protect the health of guests, staff, and third parties.

Legal basis: Legal obligation; Health measures ordered by a competent authority; Explicit consent.

Data of Minors

In all cases involving the personal information of minors, Unión Temporal Hotel Las Islas will request the express authorization of parents, legal representatives, or those who hold parental authority, in accordance with Article 7 of Law 1581 of 2012.

Manage, confirm, fulfill, and provide the services or products acquired, either directly by Unión Temporal Hotel Las Islas or with the support of third parties involved in their provision.

Make reservations, as well as manage requests for changes, cancellations, or adjustments to the itinerary of the contracted service.

Legal basis: Explicit consent from the holder’s legal representative; Performance of a contractual relationship.

Suppliers

When are your Personal Data collected?

When suppliers voluntarily provide their personal data, for example, by completing onboarding forms, compliance questionnaires, or registering in internal systems or platforms enabled for supplier management.

When documentation or personal information is received during selection, evaluation, contracting, and execution of commercial agreements—such as résumés/CVs, certificates, references, Tax ID (RUT), identification documents, among others.

When contractual relationships are established and it is necessary to collect and store personal data to manage purchase orders, payments, and compliance with tax, legal, or contractual obligations.

When partners, subcontractors, or authorized third parties share personal data of their representatives, employees, or collaborators within the framework of a joint service relationship with Unión Temporal Hotel Las Islas.

When suppliers use Unión Temporal Hotel Las Islas’ digital, physical, or telephone channels to register, update, or manage their information, or as part of administrative, logistics, or financial processes.

Data processed for suppliers

General identification data: First name, last name, type of identification (citizenship ID, passport, RUT, foreigner ID), identification number, date and place of issuance, full name, marital status, gender.

Specific identification data: Signature, nationality, electronic signature, other identification documents, place and date of birth, age.

Business/professional contact data: Address, telephone number, email.

Asset/estate data: Movable and immovable property, income, expenses, investments.

Economic activity data: Merchant, investor, rentier.

Financial/economic data: Bank account number, financial institution name, salary, asset information, payment history with other providers.

Judicial/disciplinary background data.

Social security contributions: Social security payment slip.

Biometric data: Images of identification documents such as passports and national IDs.

Sources of collection

Information obtained from authorized third parties (such as legal representatives, administrative, technical, or operational staff, among others), provided by the supplier to manage the commercial relationship. The collection instruments used by Unión Temporal Hotel Las Islas are:

Organization email and Contracts.

Purposes for suppliers

Supplier selection and onboarding

Manage the selection, contact, and hiring of suppliers, contractors, or strategic partners necessary for the activities of Unión Temporal Hotel Las Islas.

Legal basis: Performance of a pre-contractual or contractual relationship.

Contract execution and management

Administer and perform the subscribed contracts and agreements, and exercise rights and fulfill obligations arising from established or prospective commercial/contractual relationships, including accounting, legal, tax, and regulatory matters.

Legal basis: Performance of a contractual relationship.

Monitoring of contractual commitments

Monitor and ensure appropriate compliance with commitments undertaken in contracts and agreements with suppliers, contractors, or partners.

Legal basis: Performance of a contractual relationship.

Regulatory compliance and internal policies

Verify compliance with our internal policies and applicable regulations during selection, onboarding, performance evaluation, and throughout the entire term of the contractual relationship.

Legal basis: Performance of a contractual relationship.

Consultation and Processing of Financial and Credit Information

Consult, collect, store, process, update, exchange, report, and retain information related to the commercial, financial, and credit behavior of data subjects with legally authorized information operators, including those located outside the national territory.

Legal basis: Legitimate interest.

Participation in Institutional Activities

Enter into strategic alliances with third parties for the development of promotional, marketing, event, and institutional programs, when the supplier or partner is part of these initiatives.

Legal basis: Explicit consent of the data subject.

Monitoring the Use of Communication Channels

Monitor and control the use and access of the communication channels established within the framework of contractual relationships.

Legal basis: Legitimate interest.

Publication for Informational or Transparency Purposes

Legal basis: Explicit consent of the data subject.

Access for Audit Purposes

Legal basis: Compliance with a legal obligation or legitimate interest.

Purposes for Processing Suppliers’ Sensitive Data

Images of Identification Documents

Publish, when lawful and necessary, the supplier’s/contractor’s/partner’s contact information on official channels for informational, transparency, or verification purposes by authorized third parties.

Allow access to information and personal data by auditors or third parties hired to conduct internal or external audits inherent to our commercial activity.

Capture, store, and consult images of personal identification documents such as national ID cards or passports in order to verify the supplier’s identity, validate their legal and contractual suitability, and comply with legal, accounting, and security requirements established by Unión Temporal Hotel Las Islas for the formalization of commercial relationships.

Legal basis: Performance of a contractual relationship.

6.4. Workers

When are your Personal Data collected?

When applicants, candidates, or employees voluntarily provide their personal data, whether by completing résumé/CV forms, submitting physical or digital documents, participating in selection processes, or during the performance of the employment relationship.

When employees use corporate communication or administrative management channels, such as internal HR systems, corporate email, payroll management applications, welfare platforms, social security systems, among others.

When Unión Temporal Hotel Las Islas collects information arising from compliance with legal and contractual obligations, such as reports to social security system entities, occupational risk administrators (ARL), pension funds, family compensation funds, financial entities, or labor/tax authorities.

When Unión Temporal Hotel Las Islas obtains personal or employment references, or results of psychotechnical or medical evaluations, as part of the employee’s selection, onboarding, tenure, or offboarding process, always within the applicable legal framework.

When information related to the employee’s well-being, health, performance, or professional development is collected within the framework of institutional programs for talent management, workplace well-being, occupational health, or occupational safety and health.

Data processed for workers

General identification data: First name, last name, type of identification (citizenship ID, passport, RUT, identity card—NUIP, driver’s license, foreigner ID, Civil Registry), identification number, date and place of issuance, full name, marital status, gender, kinship.

Specific identification data: Signature, nationality, family data, electronic signature, other identification documents, place and date of birth, age.

Health-related data, including test results: Laboratory results, studies, diagnoses; general or specialized medical records; psychological or psychiatric records; psychotechnical tests; medications; and/or medical or therapeutic treatments of any kind.

Personal location/contact data related to private activity: City of residence, address, neighborhood, telephone number, email address.

Data related to the person’s employment history: Work experience, position, dates of hire and termination, notes, warnings.

Data related to educational level: Training and/or the person’s academic record.

General data related to affiliation and contributions to the comprehensive social security system: EPS, IPS, ARL, dates of enrollment/withdrawal from EPS, AFP, Family Compensation Funds.

Economic/financial data: Financial data such as savings account number, name of financial institution, salary.

Judicial and/or disciplinary background data.

Personal data for access to information systems: Usernames, IP addresses, passwords, profiles.

Sensitive data

Data on persons with disabilities.

Biometric data: Body geometry, photographs, videos, fingerprints, voice.

Data related to membership/affiliation: Trade unions.

Data on particular tastes and interests: Sports, leisure, gastronomy, tourism, fashion.

Data of minors.

Sources of collection

Data may be provided directly by the data subject through the different collection mechanisms made available by Unión Temporal Hotel Las Islas, including: organization email, interviews, physical or digital forms, employment contract, internal surveys (physical or digital), résumés/CVs (physical or via job platforms), and social security enrollment forms.

Purposes — Workers

Fulfill obligations arising from employment contracts with worker data subjects, including payment of salaries, social benefits, and other obligations established in the employment contract and applicable labor regulations.

Legal basis: Employment relationship; regulatory compliance; explicit consent where sensitive data are involved.

Inform each worker of developments arising during the performance of the employment contract and even after its termination.

Legal: Employment relationship; Regulatory compliance

Conduct studies on employee habits for the development of programs or management systems.

Legal: Employment relationship; Legitimate interest; Explicit consent.

Carry out entry and exit controls for employees at Group company premises.

Legal: Employment relationship; Legitimate interest.

Make payroll deductions authorized by each employee.

Legal: Employment relationship; Regulatory compliance.

Handle employee requests, manage activities, clarifications, and investigations.

Legal: Employment relationship; Regulatory compliance.

Marketing and sale of Group products and services.

Legal: Data subject’s consent.

Send, by traditional and electronic means, technical, operational, and commercial information about products and services offered by partners or suppliers, now and in the future.

Legal: Data subject’s consent.

Transmit or transfer data to other companies, commercial alliances, or third parties in order to fulfill legal and contractual obligations. Such transmission or transfer may be made to third countries when necessary for the Group’s obligations, ensuring that data exports are carried out with appropriate security measures.

Legal: Employment relationship; Regulatory compliance; Legitimate interest.

Surveys that employees are not obliged to answer.

Legal: Legitimate interest; Data subject’s consent.

Provide (by transmission or transfer) the information received to all judicial or administrative authorities when necessary to fulfill employer duties related to labor obligations, social security, pensions, occupational risk administrators, family compensation funds (Comprehensive Social Security System), and taxes.

Legal basis: Regulatory compliance.

Provide the employee’s personal information to third parties that legitimately have the authority to access such information, including—but not limited to—companies within the Aviatur Group.

Legal basis: Employment relationship; Regulatory compliance; Legitimate interest.

Use of images and videos in the course of recreation and well-being activities within Aviatur Group companies.

Recording by cameras located in offices and CCTV installed on company premises for the following legitimate purposes:

Security and crime prevention: To ensure the safety of employees, visitors, and customers on the organization’s premises, including the prevention of theft, robbery, vandalism, or other crimes that may affect the integrity of persons or company property.

Access control and security: Monitoring employees via CCTV helps ensure compliance with security protocols and control access to restricted or sensitive areas, protecting personal and company documents and other items located on the premises.

Customer service verification: Cameras may be used to monitor interactions between staff and customers to verify service quality, including assessments via “mystery shopper” programs, resolution of complaints/claims, and compliance with established service standards.

Legal basis: Legitimate interest; Administrative and regulatory compliance (crime prevention and security).

Make inquiries in various databases and authorized sources (such as OFAC, UN lists, among others) as necessary for the control and prevention of fraud or crimes related to money laundering, in accordance with our risk prevention and management policies—SAGRILAFT and PTEE.

Legal basis: Legitimate interest; Regulatory compliance.

Any other activity of a similar nature to those described above that is necessary to carry out the corporate purpose of the Aviatur Group companies and their labor obligations arising from the execution of the employment contract or by operation of law.

Legal basis: Employment relationship; Regulatory compliance.

Purposes for processing workers’ sensitive data

Validate the employee’s identity, comply with legal and contractual obligations, and support Unión Temporal Hotel Las Islas’s administrative, labor, and security processes.

Data concerning persons with disabilities

Comply with current labor regulations, adopt reasonable accommodations, guarantee inclusion, and implement appropriate occupational health and safety measures for the benefit of the employee.

Biometric data

Record, store, and process biometric data such as photographs, videos, fingerprints, or voice recordings for purposes of identification, physical and logical access control, internal security, and to document institutional activities and those related to the employee’s work within Unión Temporal Hotel Las Islas through official channels. Body geometry data may also be collected in order to take measurements needed to provide uniforms or other items required for the performance of job functions.

Trade union membership or similar organizations

Record and retain information regarding an employee’s union membership, when voluntarily provided, for the purpose of complying with labor rights.

Personal tastes and interests

Design and implement wellness programs, integration activities, incentives, internal campaigns, or personalized benefits aimed at strengthening the organizational climate.

Data of minors

Process personal and sensitive data of minors relating to employees’ children, dependents, or beneficiaries exclusively to manage labor benefits, enroll them in family welfare, health, or education programs, and comply with legal regulations and human resources policies.

Legal basis: Legitimate interest; Regulatory compliance; Data subject’s consent.

6.5. Candidates

When are your Personal Data collected?

When applying to a vacancy, where the candidate submits a résumé/CV, application form, or any documentation required to participate in the selection process.

During interviews and assessments, when the candidate provides additional information requested to evaluate their profile, experience, education, employment references, or any other relevant data.

When conducting verifications and validations to confirm background, references, certifications, or any information necessary for decision-making.

At the hiring stage, when documents and personal information necessary to formalize the employment contract, enrollments, and other onboarding procedures are requested.

Data processed for candidates

General identification data: First name, last name, type of identification (citizenship ID, passport, RUT, identity card—NUIP, driver’s license, foreigner ID, Civil Registry), identification number, date and place of issuance, full name, marital status, gender, kinship.

Specific identification data: Signature, nationality, family data, electronic signature, other identification documents, place and date of birth, age.

Personal location/contact data related to private activity: City of residence, address, neighborhood, telephone number, email address.

Health-related data, including test results: Laboratory results, studies, diagnoses; general or specialized medical records; psychological or psychiatric records; psychotechnical tests; medications; and/or medical or therapeutic treatments of any kind.

Employment history data: Work experience, position, dates of hire and termination, notes, warnings.

General data related to affiliation and contributions to the comprehensive social security system: EPS, ARL.

Education-related data: Training and/or the person’s academic record.

Judicial and/or disciplinary background data.

Sensitive data

Data on persons with disabilities.

Biometric data: Photograph, videos.

Data on particular tastes and interests: Sports, leisure, gastronomy, tourism, fashion.

Data of minors.

Sources of collection

Data may be provided directly by the data subject through the different collection mechanisms made available by Unión Temporal Hotel Las Islas, including: organization email, interviews, physical or digital forms, internal surveys (physical or digital), résumés/CVs in physical form or via job platforms and social networks such as LinkedIn or similar.

Manage and carry out recruitment, evaluation, and selection processes needed to fill vacancies at Unión Temporal Hotel Las Islas.

Legal basis: Legitimate interest.

Perform security analyses and background checks to protect the agency’s interests and those of its clients.

Legal basis: Legitimate interest; Administrative compliance (prevention and security).

Establish clear and timely communication with the applicant regarding progress, results, or requirements of the selection process.

Legal basis: Legitimate interest.

Review and assess the candidate’s academic training, employment history, and professional experience in relation to the position profile.

Legal basis: Legitimate interest.

Corroborate the authenticity and accuracy of information provided by the applicant in their résumé/CV, interviews, or submitted documents.

Legal basis: Legitimate interest.

Ensure compliance with internal talent selection policies and guidelines.

Legal basis: Legitimate interest; Administrative and regulatory compliance (crime prevention and security).

Purposes for processing candidates’ sensitive data

Data concerning persons with disabilities

Assess the possibility of making reasonable accommodations during the selection process and ensure conditions of equality and non-discrimination in accordance with current regulations.

Biometric data

Capture and use the candidate’s photographs and videos exclusively for internal records of the selection process, for access control to physical facilities during interviews or in-person tests, and as documentary support for activities related to onboarding.

Data on tastes and interests

Process information on the applicant’s personal interests or preferences, when provided in the context of psychotechnical tests, interviews, or forms, for the purpose of understanding aspects of the candidate’s profile.

6.6. Visitors

When are your Personal Data collected?

When you visit our offices or branches—whether for personal, commercial, labor, contractual, or institutional reasons—and regardless of the duration or frequency of the visit, we may need to collect and record some of your Personal Data.

Data processed for visitors

General identification data: First name, last name, type of identification (citizenship ID, passport, foreigner ID).

Specific identification data: Signature; other identification documents such as a card accrediting you as a contractor.

Personal contact data related to private activity: Telephone number.

Parafiscal affiliations: ARL.

Sensitive data

Biometric data: Video.

Sources of collection

Personal data may be provided directly by the data subject through the different collection mechanisms made available by Unión Temporal Hotel Las Islas, including:

Logs/entry sheets, CCTV (video surveillance) cameras.

Purposes — Visitors

Control and record the entry and exit of individuals on the premises.

Legal basis: Legitimate interest.

Purposes for processing visitors’ sensitive data

Biometric data

Safeguard the integrity of individuals and protect the Entity’s property.

Supervise and control security conditions within the Entity’s facilities in order to prevent risk situations.

Conduct internal investigations in the event of incidents or events that may affect the safety of individuals, assets, or processes.

Retain evidentiary materials to support the handling of claims filed by data subjects regarding incidents occurring on the Entity’s premises.

Respond in a timely manner to requests issued by administrative and/or judicial authorities within the scope of their legal functions.

Facilitate access to information to authorized third parties, when necessary, to ensure proper fulfillment of the purposes described herein (e.g., security or monitoring companies).

Detect, analyze, and manage risks or incidents that may compromise the safety of individuals or the normal development of activities on the premises.

Legal basis: Legitimate interest; Data subject’s consent.

7. Authorization for the collection and processing of personal information

Method of obtaining authorization

Unión Temporal Hotel Las Islas will inform the data subject about the purposes of processing their personal data and will obtain their prior, express, and informed consent.

Unión Temporal Hotel Las Islas will obtain the data subject’s authorization before initiating the processing of their personal data, and in any case no later than at the time of initial collection. Such authorization may be granted in writing, verbally, through unequivocal conduct, or by any means that ensures its preservation and subsequent consultation. This requirement is excepted only in those cases provided by law in which authorization is not required for processing.

When personal data are provided by any of the Aviatur Group companies, a partner, supplier, or contractor, Unión Temporal Hotel Las Islas will verify that the third party has the data subject’s authorization permitting them to share the information with Unión Temporal Hotel Las Islas, or that such transfer is covered by a legal basis that authorizes it.

Rights afforded to you as the data subject.

Unión Temporal Hotel Las Islas recognizes and guarantees every individual’s right to exercise control over the processing of their personal data. Accordingly, the data subject may, at any time, free of charge and through the channels provided for that purpose, exercise the following rights:

a. Request the updating of your personal information when it is incomplete, outdated, inaccurate, or fragmented.

b. Request the rectification or correction of your data when you detect errors, inconsistencies, or information that could lead to misinterpretation.

c. Request the deletion of your personal data from our databases when you consider that processing is not required for the authorized purposes, or when the relationship that gave rise to such processing has ended. This request will be honored insofar as there is no legal or contractual obligation that justifies its retention.

d. Revoke the authorization granted for the processing of your data, unless doing so would result in the noncompliance of legal or contractual obligations by Unión Temporal Hotel Las Islas.

e. Consult, clearly and at no cost, the personal data held in our databases, as well as the uses that have been made of such data.

f. File claims when you believe the information is being processed improperly or contrary to the provisions of this policy.

Unión Temporal Hotel Las Islas guarantees that all rights described herein will be addressed in a timely, transparent manner and without undue restrictions, in accordance with the principles of legality, purpose, freedom, truthfulness, security, and restricted access and circulation.

8.2. Procedure for Data Subjects to Exercise Their Rights

Inquiries

The personal data subject may exercise their right to know the information recorded about them in the databases managed by Unión Temporal Hotel Las Islas. To do so, they may submit a formal inquiry, which will be answered within a maximum period of ten (10) business days from the date of receipt.

If, for any reason, it is not possible to respond within this period, Unión Temporal Hotel Las Islas will promptly inform the data subject of the reasons for the delay and will respond within an additional period of up to five (5) business days following the end of the initial term.

Claims

When a data subject believes that the information contained in a database should be corrected, updated, deleted, or is being processed improperly, they may file a claim with Unión Temporal Hotel Las Islas, which will be handled under the following procedure:

The claim shall be submitted by means of a request addressed to Unión Temporal Hotel Las Islas, including the data subject’s identification, a description of the facts giving rise to the claim, an address, and any supporting documents the claimant wishes to invoke. If the claim is incomplete, Unión Temporal Hotel Las Islas will request the claimant, within five (5) days following receipt, to remedy the deficiencies. If two (2) months elapse from the date of the request without the required information being provided, it will be understood that the claimant has withdrawn the claim.

Once a complete claim has been received, a note stating “claim in process” and the reason for it will be added to the database within no more than two (2) business days. This note shall remain until the claim is decided.

The maximum period for addressing the claim will be fifteen (15) business days from the day after its receipt. If it is not possible to address the claim within this term, the claimant will be informed and given a date for response, which in no case may exceed eight (8) business days following the expiration of the initial term.

In any case, the data subject or their successor in title may only file a complaint with the Superintendence of Industry and Commerce once they have exhausted the inquiry or claim process with Unión Temporal Hotel Las Islas.

The area responsible for receiving and processing claims is the Data Security Management department.

Requests for deletion of information and revocation of authorization will not proceed when the data subject has a legal or contractual duty to remain in the database.

Documents and information to be submitted with an Inquiry and/or Claim

The request must be accompanied by the following documents, as applicable:

a. Data subject: A copy of a valid identity document.

b. Successor in title: A copy of the identity document; a document proving their capacity; the civil registry or death certificate of the data subject; and the data subject’s identification number.

c. Legal representative or proxy: A copy of the identity document; a power of attorney or document evidencing representation; together with the data subject’s identification number.

Information the data subject must provide

For inquiries and claims, the request must contain at least the following:

a. Full name of the data subject.

b. Type and number of identification.

c. Clear description of the right the data subject wishes to exercise.

d. Contact method to receive a response.

8.4. Channels Enabled for Exercising Habeas Data Rights

To exercise these rights, you may contact Unión Temporal Hotel Las Islas through the following channels:

Email: privacidad@lasislas.com.co

Address: Ciénaga de Cholón, Barú, Cartagena de Indias.

Telephone: (605) 6517123

Website: www.lasislas.com.co

8.5. Data Protection Officer / Responsibility

Unión Temporal Hotel Las Islas is the data controller. The Legal Representative manages, supervises, and oversees all actions related to the processing of personal data, ensuring compliance with the principles and duties established in the applicable regulations. Additionally, the Customer Service area—or a delegate appointed by the Legal Representative—handles inquiries, requests, and claims from data subjects.

For any questions, requests, or to exercise your rights, data subjects may contact: privacidad@lasislas.com.co

 or (605) 6517123.

Guarantee the data subject, at all times, the full and effective exercise of the right of habeas data.

Request and retain, under the conditions set forth in this law, a copy of the corresponding authorization granted by the data subject.

Duly inform the data subject about the purpose of the collection and the rights that assist them by virtue of the authorization granted.

Keep the information under the necessary security conditions to prevent its alteration, loss, consultation, use, or unauthorized or fraudulent access.

Handle inquiries and claims submitted within the time limits established by this law.

Adopt an internal manual of policies and procedures to ensure proper compliance with this law and, in particular, to address inquiries and claims.

Inform the data subject, upon request, about the use given to their data.

Inform the data protection authority when security codes are breached and risks arise in the administration of data subjects’ information.

Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

Unión Temporal Hotel Las Islas may share information with partners, technology service providers, advertising agencies, government entities, or other parties, provided that applicable legislation is complied with and the protection of shared data is ensured.

It may transmit or transfer the necessary information to companies within the Aviatur Group, allied operators, airlines, hotels, transportation companies, insurance companies, tour operators, or other third parties involved in the provision of contracted services and assumed obligations, solely for the purpose of facilitating the proper execution of the assignment entrusted to the Controller. This includes managing reservations, purchasing ancillary services (such as additional baggage or seat selection) and related activities, as well as processing orders, requests, claims, or any type of petition or inquiry made by the data subject through any available contact channel.

Transmission and transfer may be carried out even to third countries that may have a level of protection different from that of Colombia, when necessary to fulfill our obligations.

Unión Temporal Hotel Las Islas may transmit personal data to processors, in Colombia or abroad, to fulfill the purposes established in the Data Processing Policy. This includes the use of cloud platforms and storage services, always ensuring contractual, technical, and organizational measures that protect the information in accordance with the law.

Transfers: The transfer of your data to third-party providers located within or outside the national territory will be carried out solely to process the tourism service you have contracted and, according to your authorization, to process, update, and manage the data supplied and incorporated into various databases or electronic repositories used by Unión Temporal Hotel Las Islas. Processing may be carried out by Unión Temporal Hotel Las Islas directly or through its contractors, consultants, or advisors, who may perform any operation or set of operations—such as collection, storage, use, circulation, deletion, classification, transfer, and transmission (the “Processing”)—on all or part of your personal data.

Security Measures

Unión Temporal Hotel Las Islas implements technical, human, and administrative measures to protect personal data against unauthorized access, loss, or misuse. Industry-recognized security practices are applied, such as the use of encryption, secure protocols, access controls, periodic backups, and secure software development.

The organization maintains policies and procedures designed to guarantee the confidentiality, integrity, and availability of information, regardless of its format, means of transmission, or location. Any third party with access to personal data must sign confidentiality agreements that define their obligations regarding the responsible handling of such information.

In addition, ongoing training programs are conducted for authorized personnel to strengthen their competencies in data protection and foster an organizational culture based on responsibility and regulatory compliance.

While measures are adopted to minimize risks, it is recognized that there are inherent vulnerabilities associated with the use of the Internet that cannot be completely eliminated. Nevertheless, the protection of personal data is a priority for Unión Temporal Hotel Las Islas, and in the event a security incident occurs, all necessary actions will be taken to contain it, mitigate its effects, and minimize any negative impact.

Unión Temporal Hotel Las Islas uses technologies such as cookies and device fingerprinting to enhance users’ browsing experience, deliver a more efficient service, personalize interactions, and recognize repeat visits.

Cookies are text files that store preferences or browsing history.

They may be used for statistical purposes, security, authentication, and third-party advertising.

They do not directly collect personal data unless the user registers with their profile.

The user may disable cookies at any time; however, some services may then require manual authentication on each visit.

This policy takes effect as of its publication and will be reviewed annually or whenever significant changes occur in the law or in the company’s processes. Modifications will be communicated in a timely manner on our website and will be updated on our site.

Effective date: November 5, 2025.

The databases will remain in force indefinitely, in accordance with the purposes and uses of the information.

Unión Temporal Hotel Las Islas reaffirms its commitment to complying with Colombian legislation and protecting the privacy of personal data subjects.

Notification of Changes to the Policy

Any material change to this policy will be communicated to data subjects via the website www.lasislas.com.co/es-co

, by electronic notice, or through customary contact channels. Such modifications will take effect as of their publication.