Privacy Policy

MANUAL OF PROCEDURES AND POLICIES FOR THE PROTECTION OF PERSONAL DATA OF MULTISERVICIOS Y ABOGADOS REYKUT S.AS.

I. INTRODUCTION.

The purpose of this manual is to comply with the provisions of section k) of article 17 of Statutory Law 1581 of 2012, which regulates the duties of those responsible for processing personal data of natural persons, including the adoption of the corresponding internal manual of policies and procedures, which must guarantee the correct and timely compliance with this Law and specifically, for the handling of inquiries and complaints made by the data subjects.

MULTISERVICIOS REYKÚT SAS, within the development of its corporate purpose, complies with the provisions of Statutory Law 1581 of 2012 to be considered as responsible for Processing, a condition that is applicable to any natural or legal person, public or private, who by himself or in association with others, decides on the databases and/or the Processing of the data.

II. AIM

The procedures manual for the protection and use of data of MULTISERVICIOS REYKÚT SAS, has the purpose of improving the transparency, security and responsibility of our company in the handling of the personal data of our clients, regarding the data collected by us and in this way we also comply with the provisions of Colombian legislation.

III. REGULATORY FRAMEWORK

Law 1581 of 2012, Regulatory Decrees 1727 of 2009 and 2952 of 2010, Partial Regulatory Decree 1377 of 2013, Judgments C – 1011 of 2008, and C - 748 of 2011, of the Constitutional Court.

The objective of Law 1581 of 2012 is to protect the privacy rights of individuals in relation to the processing of their personal data by public and private entities, and to update and rectify the information collected about them in databases or files. It also protects the rights, freedoms, and guarantees enshrined in Article 15 of the Political Constitution of Colombia, as well as other regulations related to the protection of personal data.

IV. DATA CONTROLLER

Company name : MULTISERVICIOS REYKÚT SAS

Tax Identification Number: 901735218-1
Address: Calle 8 # 11 – 47

City: Socorro, Santander, Colombia

WhatsApp: 3212129048

Email: reykutpqrs@gmail.com

Web page: ________________

V. SCOPE

This manual applies to the personal data of natural persons registered in the databases relating to customers who purchase any of our offered products and which are subject to processing.

VI. GENERALITIES, APPLICATION, DEFINITIONS AND PRINCIPLES

· GENERAL INFORMATION

Law 1581 of 2012, which establishes general provisions for the protection of personal data in Colombia, sets out measures to protect the privacy of personal data owners, ensuring that their data is processed securely and protected against misuse or unauthorized disclosure, and therefore this data must be subject to processing.

Therefore, MULTISERVICIOS REYKÚT SAS will use this manual to ensure legal compliance regarding the protection of personal data, promote transparency and customer trust in the company, protect the privacy and security of customers' personal data, establish clear responsibilities for the handling of personal data by company employees, and allow for the continuous review and updating of policies and procedures to adapt to regulatory changes and customer needs.

· APPLICATION

This Manual is intended to apply to the processing of personal data that is not expressly excluded by law. The following are excluded from the application of the law:

a) Databases and files related to national security and defense, as well as the prevention, detection and monitoring of money laundering or terrorist financing activities.

b) Databases containing intelligence and counterintelligence information

c) Databases and archives of journalistic information and other editorial content.

d) Databases and files regulated by the financial and credit habeas data regime.

e) Databases related to population and housing censuses.

· DEFINITIONS

For the processing of personal data, MULTISERVICIOS REYKÚT SAS will take into account the following:

a) Authorization: is the manifestation of will by the data subject to allow the processing of his personal data for a specific purpose and previously informed by the entity responsible for the processing.

b) Database: refers to a structured set of personal data that is processed by an entity or person, which is susceptible to processing.

c) Personal data: any information relating to a natural person that identifies or makes him or her identifiable.

d) Public data is data that is available for access and consultation by anyone, without restrictions or limitations. It is considered public data when it can be obtained through legitimate sources accessible to the general public, such as public records, government databases, telephone directories, and others. Public data is not subject to personal data protection, as it does not allow for the identification of a particular person, and can be used freely as long as fundamental human rights are respected.

e) Data processor: natural or legal person who processes personal data on behalf of the data controller.

f) Data controller: This is the natural or legal person, public or private entity, that decides on the processing of personal data of data subjects. The data controller is responsible for ensuring the protection of personal data and complying with legal obligations regarding data protection, such as obtaining the data subject's consent, adhering to processing principles, adopting security measures, and responding to data subject requests, among others. The data controller must act responsibly and ethically in the processing of personal data and guarantee the rights of data subjects.

g) Data Subject: natural person whose personal data is subject to Processing.

h) Processing: any operation or set of operations performed on personal data, whether automated or not, such as collection, storage, use, transfer, modification, or deletion of such data. The processing of personal data must be lawful, respecting the rights of data subjects and adhering to data protection principles such as purpose limitation, lawfulness, proportionality, and transparency.

· BEGINNING

For development and application, MULTISERVICIOS REYKÚT SAS will take into account the following guiding principles:

a) Legality : The processing of information contained in the databases held by MULTISERVICIOS REYKÚT SAS will be subject to the provisions of Law 1581 of 2012 and other provisions that develop, modify and/or complement it.

b) Consent: The processing of personal data must be carried out with the prior, explicit and informed consent of the data subject.

c) Purpose: Personal data must be collected and processed only for legitimate and specific purposes, and may not be used in a manner incompatible with the purpose for which it was collected.

d) Proportionality: The processing of personal data must be adequate, relevant and limited to what is necessary to fulfill the intended purpose.

e) Quality: Personal data must be accurate, up-to-date and complete, and reasonable steps must be taken to maintain it in this way.

f) Transparency: The data subject must be informed about the processing that will be carried out with their personal data, and the necessary means must be provided so that they can exercise their rights.

g) Security: The information subject to processing referred to in Law 1581 of 2012 will be handled with the technical, human and administrative measures necessary to ensure the security of the records, preventing their alteration, loss, consultation, use or unauthorized or fraudulent access.

h) Responsibility: The data controller must be responsible for ensuring compliance with data protection principles, and mechanisms must be established to monitor and evaluate compliance.

i) Confidentiality: the personal data of the data subjects will be treated with the utmost confidentiality, especially when it comes to sensitive information such as biometric data, criminal records, etc.

j) Access : Data subjects must have the right to access, rectify, delete or limit the processing of their personal data, and the necessary means must be provided to enable them to exercise these rights.

k) Proportionality : the processing of personal data must be limited to what is necessary to fulfill the intended purpose, and data that is not relevant to the process contracted by the client will not be collected or used.

l) Principle of freedom: Processing may only be carried out with the prior (or concurrent) express and informed consent of the Data Subject. It should be noted that personal data may not be obtained or disclosed without authorization, unless permitted or ordered by law or by the authorities.

m) Principle of Temporality: the retention period of Personal Data will be that necessary to achieve the purpose for which it has been collected and/or while the Holder has outstanding obligations, direct or indirect responsibility, for the additional time required by special rules or for the limitation periods.

n) Principle of veracity: The information subject to processing by MULTISERVICIOS REYKÚT SAS will be truthful, complete, accurate, up-to-date, verifiable, and understandable. Partial, incomplete, fragmented, or misleading data will not be processed.

VII. PROCESSING OF SENSITIVE DATA AND DATA OF MINORS

In accordance with the terms of the Law, there are different categories of personal data. Therefore, MULTISERVICIOS REYKÚT SAS considers it of great importance to embrace, implement, and acknowledge the existence, scope, and content of the concept of sensitive data.

In accordance with data protection regulations, sensitive data is personal data that reveals information about intimate aspects or that may lead to discrimination, such as sexual orientation, health, trade union membership, religious beliefs, ethnicity, among others. This data has a higher level of protection due to its nature and, in many cases, requires the express consent of the data subject for its processing, such as:

a) Racial or ethnic origin of the Holder.

b) The political orientation of the Holder.

c) The religious or philosophical convictions of the Holder.

d) Membership in unions, NGOs, human rights organizations, that promote political interests or opposition groups.

e) Information relating to the Holder's health.

f) Biometric data of the Holder.

MULTISERVICIOS REYKÚT SAS, relies on the general rule that the processing of sensitive data is prohibited by law except in the following cases:

a) When the data subject has expressly authorized the processing

b) When the processing is necessary to safeguard the vital interests of the data subject.

c) When the treatment is carried out by a foundation, NGO, association or any non-profit organization, whose purpose is political, philosophical, religious or trade union.

d) The treatment is necessary for the recognition, exercise or defense of a right in a judicial process.

e) When the processing is for historical, statistical or scientific purposes, the identities of the data subjects must be suppressed.

f) When the processing is necessary for compliance with a legal or contractual obligation of the controller.

g) When the processing is necessary to protect the vital interests of the data subject, and the data subject is physically or legally incapacitated.

h) When the processing has a judicial or administrative purpose and the suppression of the identity of the data subjects is guaranteed.

Although the processing of personal data of children and adolescents is prohibited, as long as it is not data of a public nature, however, MULTISERVICIOS REYKÚT SAS takes into account that the Law does not impose an absolute prohibition on the processing of personal data of children and adolescents, as this would lead to the denial of other superior rights of this population.

Therefore, MULTISERVICIOS REYKÚT SAS will direct the processing of personal data of minors to recognize, ensure and monitor all the fundamental rights of this population, which also includes the right to habeas data.

In short, the data of children and adolescents may be processed by MULTISERVICIOS REYKÚT SAS, provided that this does not jeopardize the prevalence of their fundamental rights and unequivocally responds to the fulfillment of the principle of the best interests of the child, the application of which will depend on each particular case.

VIII. AUTHORIZATION, DUTY TO INFORM, RIGHTS OF THE DATA SUBJECTS.

Whenever MULTISERVICIOS REYKÚT SAS intends to process personal data, it must obtain the prior (or concurrent) and informed consent of the data subject. This consent must be obtained by any means that can be subsequently verified; that is, it may be requested or collected electronically, by telephone, or in person.

· AUTHORIZATION

In the following cases, MULTISERVICIOS REYKÚT SAS will not need the data subject's authorization for data processing:

a) Information required by a public, administrative or judicial entity in the exercise of its functions.

b) Data of a public nature.

c) Cases of medical or health emergencies.

d) Data processing carried out for historical, statistical or scientific purposes.

e) Data related to the Civil Registry of people.

MULTISERVICIOS REYKÚT SAS will keep a copy and proof of compliance with the duty to inform, as well as compliance with the duty to request authorization from the Owner.

· RIGHTS OF THE HOLDERS

In fulfilling its duty to inform, MULTISERVICIOS REYKÚT SAS will expressly inform the data subjects that their rights are:

a) Right of access : Data subjects have the right to know, update and rectify their personal data.

b) Right of rectification: Data subjects have the right to request the correction, updating or deletion of their personal data when it is incomplete, inaccurate, or when it is not being processed in accordance with the law.

c) Right of cancellation: Data subjects have the right to request the deletion or erasure of their personal data.

d) Right to object : Data subjects have the right to object to the processing of their personal data, except where there is a legal obligation that requires it.

e) Right to restriction of processing : Data subjects have the right to request the restriction of the processing of their personal data in certain circumstances.

f) Right to portability: Data subjects have the right to receive their personal data in a structured, commonly used and machine-readable format, and to transmit it to another data controller.

g) Right to erasure: Data subjects have the right to request the definitive deletion of their personal data in cases where the processing of said data is unlawful or the purpose for which it was collected has been fulfilled.

h) Right to consultation: Data subjects have the right to consult their personal data that has been processed, free of charge.

i) Right to request proof of the authorization granted for the Treatment.

j) Right to request information : Data subjects may request information regarding the use that has been made of their personal data.

k) Right to file complaints: with the Superintendency of Industry and Commerce. Right to revoke the authorization granted or to have the data deleted.

IX. PROCEDURES FOR INQUIRIES AND COMPLAINTS

In compliance with the provisions of Law 1581 of 2012 and its regulatory decrees, MULTISERVICIOS REYKÚT SAS undertakes to address in a timely and effective manner the claims and requests submitted by the owners of personal data, or their heirs, or their representatives, so that they may verify the existence of the personal information that is registered in the databases of MULTISERVICIOS REYKÚT SAS, and thus be able to consult the treatment that has been given to said information, as well as know the purposes that justify this data processing and request the updating, rectification or deletion of said personal data.

The information will be provided in its entirety and proof of the effective attention given to the inquiry or complaint will be kept.

The holder or their representative may submit a claim, request or inquiry verbally or in writing, indicating their full name, identification number, email address and/or physical contact address, description of the facts that give rise to the claim, request or inquiry and documents that they wish to use.

The area responsible for handling complaints and requests will be the Personal Data Protection Department, to which requests can be addressed through the following means:

WhatsApp : ______________

Email: reykutpqrs@gmail.com

Web page : ____________________

Physical address: Calle 8 # 11 – 47 Socorro, Santander, Colombia

Consultations

MULTISERVICIOS Y ABOGADOS REYKÚT SAS Database , after validation and accreditation of their identity according to MULTISERVICIOS REYKÚT SAS procedures. The consultation will be addressed within a maximum period of ten (10) business days from the date of receipt. If it is not possible to address the consultation within said period, the interested party will be informed, stating the reasons for the delay and indicating the date on which their consultation will be addressed, which in no case may exceed five (5) business days following the expiration of the first period.

Complaints

The Data Subject or their successors who consider that the information contained in the Database should be corrected, updated or deleted, or when they notice the alleged breach of any of the duties contained in Law 1581, may file a claim, which will be processed under the following terms:

· The claim will be made by means of a request addressed to MULTISERVICIOS REYKÚT SAS , with the identification of the Holder, the description of the facts that give rise to the claim, the physical and electronic address, telephone, accompanying the documents that you want to assert through the established channels.

· If the claim is incomplete, the interested party will be required to correct the deficiencies within five (5) days of receiving the claim. If the applicant fails to submit the required information within two (2) months of the date of the request, it will be understood that they have withdrawn the claim.

· If the person receiving the complaint is not competent to resolve it, they will forward it to the appropriate person within a maximum of two (2) business days and inform the interested party of the situation.

· The maximum time to address the claim will be fifteen (15) business days, starting from the day after the date of receipt. If it is not possible to address the claim within this period, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the initial period.

It is important to note that the data subject may exercise their personal data protection rights free of charge and that, in the event of a claim or request that does not fall within the scope of competence of MULTISERVICIOS REYKÚT SAS, the data subject will be informed in a timely manner and will be directed to which entity or person they can address their request, and will also be forwarded within two (02) business days to the competent entity and the interested party will be informed of this situation.

Complaint to the Superintendency of Industry and Commerce:

The Holder or successor may only file a complaint with the Superintendency of Industry and Commerce once the consultation or claim process with MULTISERVICIOS REYKÚT SAS has been exhausted.

Revocation of authorization and/or deletion of data:

The Holders may at any time request MULTISERVICIOS REYKÚT SAS, the deletion of their Personal Data and/or revoke the Authorization granted for the Processing thereof, by submitting a claim, in accordance with the provisions of article 15 of Law 1581 of 2012.

The request for deletion of information and revocation of authorization will not be granted when:

a) When it is a legal or contractual obligation to retain such data, that is, the Data Subject has a legal or contractual duty to remain in the Database.

b) When preserving the data is essential to safeguard the interests of the data subject or the public interest.

c) When the suppression hinders or impedes the exercise of the functions of the administrative or judicial authorities.

When requesting the revocation of authorization, the interested party must specify whether the revocation is total or partial. It is partial when the interested party states that they wish to revoke the processing of personal data for certain specific purposes. The revocation is total when the interested party requests that the processing of personal data cease for all authorized purposes.

MULTISERVICIOS REYKÚT SAS will only provide information to the following people:

1. The owners, successors or their legal representatives.

2. Public or administrative entities in the exercise of their legal functions or by court order.

3. To third parties authorized by the owner or by law.

MULTISERVICIOS REYKÚT SAS will implement the necessary measures to guarantee access to information once the identity of the interested party has been verified. Access to the information will be free, simple, and quick, and will also allow for the correction and updating of data.

X. DUTIES OF THOSE IN CHARGE AND IN CHARGE

MULTISERVICIOS REYKÚT SAS is obligated to strictly comply with the following duties according to the quality it holds regarding the processing of data in the specific case.

As the data controller	As Data Controller
Guarantee the data subject's right to habeas data.	Guarantee the data subject's right to habeas data.
Define the purpose and legal basis for the processing of personal data	Process personal data following the instructions of the data controller and comply with the obligations established in the service agreement.
Obtain authorization from the data subject for the processing of their data, when necessary	Inform the responsible party about any security risks or incidents that occur in the processing of personal data.
Implement appropriate security measures to protect personal data	Use personal data only for the purpose authorized and established in the commission contract.
Ensure that the information collected is truthful, complete, up-to-date, relevant, and necessary for the stated purpose	To guarantee the confidentiality and privacy of personal data in the processing it carries out.
To ensure that the owners of personal data can exercise their rights of access, rectification, deletion, revocation and other rights contemplated in the law.	Inform the data controller of any changes or updates to the personal data they hold.
Register the databases and report any modifications made to them.	Process personal data only for as long as necessary and for the purpose established in the service agreement.
Train your staff in the proper handling of personal data	Carry out the deletion or destruction of personal data in cases where necessary, following the instructions of the data controller.
Respond to requests, complaints or claims submitted by the owners of personal data and guarantee due process in addressing them.	Return or deliver to the responsible party the personal data and any media containing information about them, once the commission contract has ended.

It is important to add:

Duties as controllers and processors of personal data	Description
Safety principle	To guarantee the security of personal data, adopting the necessary technical, human and administrative measures to protect them against possible alterations, losses, unauthorized consultations, uses or access.
Demonstrated responsibility	Demonstrate that compliance with personal data protection regulations has been achieved and that measures have been taken to ensure compliance.
Security breach notification	Notify the data protection authority and data subjects in the event of a security breach that may affect their rights and freedoms.
Protection of sensitive data	Take special measures to ensure the protection of sensitive data and obtain the explicit consent of the data subject before processing it.
Handle requests from account holders	Respond to requests from data subjects exercising their rights within a period not exceeding 15 business days.
International data transfers	Ensure that, in the event of transfer of personal data to foreign countries, international standards for the protection of personal data are met.
Training and awareness	Train employees and suppliers on personal data protection regulations and raise awareness of the importance of protecting personal data.
Data retention	Retain personal data only for the time necessary to fulfill the purposes established in the authorization granted by the owner, unless there is a legal obligation that requires its retention.

Duty of Secrecy and Confidentiality: All collaborators, employees, contractors, and third parties who have access to personal data processed by the company are obligated to maintain secrecy and confidentiality with respect to such data. This obligation shall remain in effect even after the termination of their relationship with the company. In this regard, they agree not to use personal data for purposes other than those authorized by the data subject, nor to disclose, publish, transfer, modify, or destroy personal data, unless expressly authorized by the data subject or required by a competent authority in the exercise of its functions. The company will take the necessary measures to guarantee compliance with this duty, including the execution of confidentiality agreements with its collaborators, employees, contractors, and third parties who have access to personal data.

XI. PURPOSES OF INFORMATION PROCESSING

The company "MULTISERVICIOS REYKÚT SAS" has the following purpose when processing personal data:

1. Compliance with contractual or legal obligations.

2. Human resources management.

3. Customer or user management.

4. Provision of services.

5. Conducting statistical studies and analyses.

6. Carrying out marketing and advertising activities.

7. Maintenance and management of commercial and business relationships.

8. Supplier and contractor management.

9. Conducting research and development activities.

10. Product and service improvement.

11. Conducting personnel selection processes.

12. Billing and collection process management.

13. Performing internal control and audit activities.

14. Information security management.

15. Maintenance and management of accounting and financial records.

16. Handling requests and complaints from data subjects.

17. Compliance with tax and fiscal obligations.

18. Enterprise risk management.

19. Compliance with labor and social security obligations.

20. Carrying out merger, acquisition or sale processes of the company.

In addition to the purpose described above, MULTISERVICIOS Y ABOGADOS REYKÚT SAS may use personal data for any other purpose related to the company's corporate purpose and that complies with the provisions of the Personal Data Protection Law.

XII. INFORMATION PROCESSING POLICIES

General information regarding the authorization:

MULTISERVICIOS REYKÚT SAS collects personal information from data subjects, such as their name, identification number, address, telephone number, passwords, and email addresses. This information is obtained through the completion of forms and is used to reschedule visa appointments with the embassy for the earliest possible dates.

We are committed to ensuring the privacy and security of personal information. Therefore, this information will be retained for the duration of the business relationship between the data subjects and our company, always respecting applicable policies and regulations in Colombia, including the Habeas Data Law.

In the event that the data subject requests the deletion of their personal data, the procedure established in the personal data processing policies and procedures manual will be followed, guaranteeing the effective and secure deletion of said information.

Right of access:

In compliance with Law 1581 of 2012 and its implementing decrees, MULTISERVICIOS REYKÚT SAS is committed to guaranteeing the right of access to personal data for data subjects, their heirs, or their representatives. To this end, data subjects will be given the opportunity to verify the existence of their personal information registered in the MULTISERVICIOS REYKÚT SAS databases, and to consult how that information has been processed, as well as to understand the purposes that justify this data processing.

Likewise, data subjects may request the updating, rectification, or deletion of their personal data if it is inaccurate, incomplete, or outdated. MULTISERVICIOS REYKÚT SAS undertakes to respond to these requests within a maximum of fifteen (15) business days from the date of receipt of the claim or request. If it is not possible to address the request within this timeframe, the data subject will be informed of the reasons for the delay and the date on which a final response will be provided, which may not exceed ten (10) business days.

On the right to rectification and updating of data

In compliance with Law 1581 of 2012 and its implementing decrees, MULTISERVICIOS REYKÚT SAS guarantees the right of personal data owners to request the updating and rectification of their data if it is inaccurate, incomplete, or outdated. To exercise this right, data owners must send a written and substantiated request to MULTISERVICIOS REYKÚT SAS through the designated channels, specifying the data to be updated or rectified and attaching the supporting documentation.

MULTISERVICIOS REYKÚT SAS will have a maximum of fifteen (15) business days to process the request and carry out the corresponding update or correction. If it is not possible to carry out the update or correction within the established timeframe, the data subject will be informed of the reasons for the delay and the date on which said update or correction will be carried out, which may not exceed ten (10) additional business days beyond the initial timeframe.

Right to erasure of data

The data subject has the right, at any time, to request MULTISERVICIOS REYKÚT SAS to delete their personal data, provided that such data is not contained in public records, which are subject to special regulations. For all other data, the following conditions will apply:

· That the data is not being processed in accordance with the principles, duties and obligations established in the current regulations on the protection of personal data.

· That the data are no longer necessary or relevant for the purpose for which they were collected.

· That the period necessary for the fulfillment of the purposes for which they were collected has been exceeded.

In the event that the deletion of data is requested, MULTISERVICIOS REYKÚT SAS will proceed to the total or partial elimination of the personal information, in accordance with what is requested by the owner, in the records, files, databases or processing carried out by the company.

However, it is important to note that the right to erasure is not absolute and MULTISERVICIOS REYKÚT SAS may deny or limit the exercise of this right in the following cases:

· When the data subject has a legal or contractual obligation to remain in the database.

· When the deletion of data hinders judicial or administrative proceedings related to tax obligations, the investigation and prosecution of crimes, or the updating of administrative sanctions.

· When the data is necessary to protect the legally protected interests of the data subject, to carry out an action based on the public interest, or to comply with a legally acquired obligation of the data subject.

· When the data is of a public nature and corresponds to public records, which are intended for publicity.

MULTISERVICIOS REYKÚT SAS guarantees compliance with the rights of data subjects to erasure of their personal data and is committed to providing a timely and effective response to all requests submitted. The maximum response time will be fifteen (15) business days, starting from the date the request is received. If it is not possible to address the request within this timeframe, the data subject will be informed of the reasons for the delay and the date on which a final response will be provided, which may not exceed ten (10) business days.

Right to revoke authorization:

MULTISERVICIOS REYKÚT SAS acknowledges that all data subjects have the right to revoke their consent to the processing of their personal data at any time, provided that no legal or contractual provision prevents it. To facilitate this process, we have implemented simple and free mechanisms that allow data subjects to revoke their consent.

However, it is important to note that this right of revocation does not apply to data contained in public records, which are governed by the corresponding special regulations.

In those cases where revocation is possible, the following procedures will be followed:

· Total revocation : regarding all consented purposes, which implies that MULTISERVICIOS REYKÚT SAS must completely cease processing the data of the holder.

· Partial revocation: regarding certain consented purposes, such as advertising or market research. In this case, MULTISERVICIOS REYKÚT SAS must partially suspend the processing of the data subject's data, but other processing purposes that the controller may carry out in accordance with the authorization granted remain in effect.

However, it is important to note that the right of revocation is not absolute, and MULTISERVICIOS REYKÚT SAS may deny or limit the exercise of this right when:

ü The data subject has a legal or contractual obligation to remain in the database.

ü The revocation hinders judicial or administrative proceedings related to tax obligations, the investigation and prosecution of crimes, or the updating of administrative sanctions.

ü The data is necessary to protect the legally protected interests of the data subject, to carry out an action based on the public interest, or to comply with a legally acquired obligation of the data subject.

ü The data must be of a public nature and correspond to public records, which are intended for publicity.

At MULTISERVICIOS REYKÚT SAS, we are committed to complying with current regulations on Personal Data Protection and protecting the rights of personal data owners.

Transfer of data to third countries:

MULTISERVICIOS REYKÚT SAS is committed to protecting the privacy and security of its users' and clients' personal data. Therefore, any transfer of personal data to third countries will be carried out in compliance with all applicable rules and regulations.

Before any international transfer, an assessment will be made as to whether the destination country offers an adequate level of protection for personal data, in accordance with the standards established by the regulatory authorities. If this adequate level is not met, additional measures will be implemented to ensure the protection of the transferred personal data.

Furthermore, MULTISERVICIOS REYKÚT SAS guarantees that any transfer of personal data will be carried out solely for specific and legitimate purposes, and only the personal data necessary to fulfill those purposes will be transferred. Under no circumstances will there be any mass or indiscriminate transfers of personal data.

If a user or customer of MULTISERVICIOS REYKÚT SAS has any questions or concerns about the transfer of their personal data to third countries, they can contact us through our customer service channels for more information and to clarify any doubts.

XIII. INFORMATION PRESERVATION

MULTISERVICIOS REYKÚT SAS understands the importance of preserving the personal data of its clients, and therefore commits to adopting all necessary measures to guarantee its protection and security for as long as necessary to fulfill the purposes for which it was collected.

Data will be retained only for as long as strictly necessary and in accordance with applicable legal provisions. Once this period has elapsed, personal data will be securely and permanently deleted, unless there is a legal requirement to retain it for an additional period.

Likewise, if the owners of the personal data request its deletion, it will be deleted immediately, unless there is a legal obligation that prevents such deletion.

We are committed to keeping a record of processing activities that contains detailed information on the retention of personal data, so that we can demonstrate compliance with our legal obligations and respond effectively to any requests from data subjects.

XIV. DELETION OF INFORMATION

Personal data will be deleted in the following cases:

· When the purpose for which the data was collected has been fulfilled.

· When the data subject exercises their right to erasure, revocation or limitation of processing.

· When the company ceases to provide services to the owner of the personal data and there are no legal or contractual obligations that require its retention.

· When the period established by law for the retention of the data has been fulfilled.

In the event that personal data must be deleted, this will be done securely and effectively, using appropriate technical and physical processes to ensure that the information cannot be recovered later. Furthermore, a record of all deletions will be kept to guarantee traceability and transparency in the personal data processing.

XV. INFORMATION SECURITY

MULTISERVICIOS REYKÚT SAS will adopt all the technical, human and administrative measures that are necessary to provide security to its databases, preventing their alteration, loss, consultation, unauthorized or fraudulent access.

Among others, the security measures adopted include, but are not limited to:

a) Restricted access: limit access to information only to those employees who need to know it to perform their duties.

b) Password policies : Establish strong password policies and renew them regularly.

c) Data encryption: encrypting data so that it cannot be read by unauthorized persons.

d) Mobile device protection : Implement security measures on mobile devices that contain information about the owners.

e) Software update: Keep software and security systems up to date to avoid vulnerabilities.

f) Backups: Perform regular backups of information to ensure its availability in case of an incident.

g) Information destruction policies: Establish clear information destruction policies to ensure that information is securely disposed of when it is no longer needed.

h) Employee training: train employees on data protection and security measures.

i) Security audits: Conduct regular security audits to identify and correct potential vulnerabilities.

j) Risk assessment: conduct regular risk assessments to identify potential threats and take preventative measures.

k) Confidentiality Clauses: Establishment of contractual confidentiality clauses with employees that go beyond the duration of the contract itself.

l) Security processes: Implementation of security processes to verify the identity of people accessing information, whether physically or electronically.

m) Continuous review of information: Periodic monitoring of suspicious activities and physical and electronic maintenance of databases.

n) Restriction on the use of information: Internal restriction of access to databases only to authorized personnel.

XVI. AREA IN CHARGE OF THE PROTECTION OF PERSONAL DATA.

MULTISERVICIOS REYKÚT SAS will designate an area responsible for the processing of personal data, ensuring compliance with the legal and regulatory provisions governing personal data protection. This area will be called the “Personal Data Protection Department.” Consequently, it must ensure the proper handling and safeguarding of data subjects' personal information, as well as the application of appropriate security measures to protect such information from loss, alteration, unauthorized access, or any other type of misuse.

The specific functions of the area responsible for processing personal data include the following:

v Manage and coordinate the implementation of the policies and procedures established in this manual for the processing of personal data.

v Provide advice and support in the management of personal data to all employees and collaborators of the company.

v Perform risk assessment and identify potential vulnerabilities in the processing of personal data.

v Coordinate the implementation and maintenance of technical, physical and administrative security measures necessary to guarantee the protection of personal data.

v Perform constant monitoring and tracking of the processing of personal data to ensure compliance with established policies and procedures.

v Investigate and manage security incidents related to the processing of personal data, and take the necessary measures to prevent their recurrence.

v Manage requests from data subjects regarding their rights of access, correction, updating, deletion or revocation of the authorization for processing their personal data, in coordination with the area responsible for customer service and personal data protection.

v Conduct training and education of staff regarding the policies and procedures established in the personal data protection manual.

The department responsible for processing personal data must maintain an up-to-date record of all personal data processing activities carried out by the company, as well as any security incidents and requests from data subjects. It must also coordinate with the department responsible for customer service and personal data protection to address complaints and inquiries submitted by data subjects.

XVII. GENERAL POLICY ON INFORMATION SECURITY AND PRIVACY AND DIGITAL SECURITY

MULTISERVICIOS REYKÚT SAS , in compliance with its functions and understanding the importance of proper information management, has committed to protecting, preserving and managing the confidentiality, integrity, availability and non-repudiation of the Entity's information, through comprehensive risk management, implementation of physical and digital controls, preventing incidents and complying with legal and regulatory requirements, aimed at continuous improvement.

To ensure strategic direction, the compatibility of the information security policy and information security objectives is established as follows:

v Implement, operate and continuously improve the Information Security Management System, supported by clear guidelines aligned with business needs and regulatory requirements.

v Minimize the risk of vulnerability in information security during the execution of the entity's mission processes.

v Comply with the principles (Availability, Integrity and Confidentiality) of information security.

v Maintaining the trust of employees, collaborators, and third parties.

v Protect information assets.

v Establish policies, procedures, and instructions regarding information security.

v Periodically verify compliance with information security policies.

v To ensure that all employees, contractors, and third parties comply with the information security policies, guidelines, and best practices established in the Information Security Policy Manual.

XVIII. APPLICABLE LEGISLATION AND VALIDITY

The policies contained in this document were developed taking into account Article 15 of the Political Constitution, the provisions contained in Articles 15 and 20 of the Political Constitution, Law 1266 of 2008, Law 1581 of 2012, Regulatory Decrees 1727 of 2009, 2952 of 2010 and Regulatory Decree No. 1377 of 2013, and the Constitutional Court Judgments C - 1011 of 2008, and C -748 of 2011.

This manual of policies and procedures for the processing of personal data of MULTISERVICIOS REYKÚT SAS, will come into effect upon its approval by the company and will remain in effect indefinitely until it is modified or updated in its entirety, which will be done as necessary to ensure compliance with applicable laws and regulations regarding the protection of personal data.

Prepared

He reviewed

approved

Name

Daniel Reyes Maldonado

Position: Administrator

Name

Carmen Elisa Maldonado Porras

Position: Administrative Assistant

Name

Daniel Reyes Maldonado

Position: Legal Representative

This manual is effective from the fifteenth (15th) of January of the year 2024