PERSONAL DATA PROCESSING POLICY OF TOWER CONSULTING WORLDWIDE S.A.S.
Publication Date: July 2013
Update date: July 2024
1. INTRODUCTION
TOWER CONSULTING WORLDWIDE S.A.S. (hereinafter “The Company”), identified for tax purposes under NIT 800.180.241-1, is a simplified stock company legally constituted by Public Deed No. 3017 of November 6, 2022, duly registered with the Bogotá Chamber of Commerce, whose registered office is in the city of Bogotá, at Carrera 7 No. 127- 48 Office 1107.
The Company, in order to guarantee the constitutional right of habeas data, as well as the good name, privacy and intimacy of its clients, suppliers, workers, contractors, whether active or inactive, occasional or permanent, has created the following policy, which contains the guidelines for the use and management of the information that the Company has in its databases, in order to allow the adequate exercise and protection of the rights of the Information Owner, so that the Owner may, at any time, request correction, clarification, modification and/or deletion thereof.
2. OBJECT
Through this policy, the Personal Data Processing Policy Manual of TOWER CONSULTING WORLDWIDE S.A.S. is established, which has been prepared in accordance with the guidelines indicated in the applicable and current regulations on the matter. Its purpose is to provide the necessary and sufficient information to the different interest groups, as well as to establish the guidelines that guarantee the protection of personal data that are subject to processing through the procedures of TOWER CONSULTING WORLDWIDE S.A.S., in order to comply in this way with the law, policies and procedures for attention to the rights of the owners, and the criteria for collection, storage, use, circulation and deletion that will be given to personal data.
3. SCOPE
This Personal Data Treatment and Protection Policy will apply to all physical, digital and hybrid databases and files that contain personal data and that are subject to processing by TOWER CONSULTING WORLDWIDE S.A.S., considered responsible or in charge of the processing of personal data, providing protection to the interests and needs of the owners of the personal information processed by the Company.
4. RECIPIENTS
This policy is aimed at all public and/or private persons as owners of personal data who have a relationship of any nature with the Company.
This policy is mandatory for all natural and legal persons responsible for the administration and management of the Company’s personal databases, especially the Company’s administrators, employees of the Company and contractors or third parties who have a contractual or any other relationship with the Company.
5. SPECIFIC PRINCIPLES
This Personal Data Processing Policy that The Company has will be governed by the following principles:
• Principle of truthfulness or quality. The information contained in the databases must be true, complete, accurate, up-to-date, verifiable and understandable. The registration and disclosure of partial, incomplete, fragmented or misleading data is prohibited;
• Principle of purpose. The treatment must obey a legitimate purpose in accordance with the constitution and the law, which must be informed to the owner.
• Principle of Necessity: The personal data processed must be those strictly necessary for the fulfillment of the purposes pursued with the database.
• Principle of legality in matters of data processing. The Treatment referred to in this policy must be subject to what is established in it and in the other provisions that develop it.
• Principle of freedom: Treatment can only be carried out with the prior, express and informed consent of the Owner. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that requires consent.
• Principle of temporality of information. The owner’s information may not be provided to users or third parties when it no longer serves the purpose of the data bank;
• Principle of truthfulness or quality. The information subject to Treatment must be true, complete, accurate, updated, verifiable and understandable. The Processing of partial, incomplete, fragmented or misleading data is prohibited;
• Principle of transparency. In the Treatment, the right of the Owner to obtain from The Company or the Processor, at any time and without restrictions, information about the existence of data that concerns him or her must be guaranteed;
• Principle of restricted access and circulation. The Treatment is subject to the limits derived from the nature of the personal data, the Constitution and the Law. Personal data, except public information, may not be available on the Internet or other means of dissemination or mass communication, except that access is technically controllable to provide knowledge restricted only to the Owners or authorized third parties.
• Security principle. The information subject to Treatment by The Company or Data Processor must be handled with the technical, human and administrative measures that are necessary to provide security to the records, avoiding their adulteration, loss, consultation, unauthorized or fraudulent use or access;
• Principle of confidentiality. All persons involved in the Processing of personal data that are not public in nature are obliged to guarantee the confidentiality of the information, even after their relationship with any of the tasks included in the Processing has ended, and may only supply or communicate personal data when this corresponds to the development of activities authorized in current regulations.
• Comprehensive interpretation of constitutional rights: The rights will be interpreted in harmony and in balance with the right to information provided for in Article 20 of the Constitution and with the applicable constitutional rights.
6. DEFINITIONS
For the purposes of interpreting this Personal Data processing policy, the following definitions will be adopted:
• Authorization: Prior, express and informed consent of the owner to carry out the Processing of personal data.
• Privacy notice: Verbal or written communication generated by the Controller, addressed to the Owner for the Processing of their personal data, through which they are informed about the existence of the information Processing policies that will be applicable to them, how to access them and the processing purposes intended for personal data.
• Database: Organized set of personal data that is subject to Processing.
• Personal data: Any information linked or that can be associated with one or several specific or determinable natural persons. This data can be public, semi-private and/or private in nature.
• Public data: This is data that is not semi-private, private or sensitive. Public data are considered, among others, data relating to the marital status of people, their profession or trade and their status as a merchant or public servant. Due to its nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins, and duly executed judicial rulings that are not subject to confidentiality.
• Semi-private data: Semi-private data is data that is neither intimate, reserved, nor public and whose knowledge or disclosure may be of interest not only to its owner but also to a certain sector or group of people or society in general, such as financial and credit data on commercial activity or services.
• Private data: This is data that, due to its intimate or reserved nature, is only relevant to the owner.
• Sensitive data: Sensitive data is understood to be data that affects the privacy of the Owner or whose improper use may generate discrimination, such as that which reveals racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social organizations, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.
• Owner of the information: It is the natural or legal person to whom the information stored in a data bank refers. This person is subject to the right of habeas data.
• Transfer: The transfer of data takes place when the Controller and/or Processor of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is Responsible for the Treatment and is located within or outside the country.
• Transmission: Processing of personal data that involves the communication of these within or outside the territory of the Republic of Colombia when its purpose is to carry out a Processing by the Processor on behalf of the Controller.
• Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.
7. LEGAL FRAMEWORK
The data processing policy of TOWER CONSULTING WORLDWIDE S.A.S. is developed based on the following legal framework.
• Political Constitution, article 15
• Law 1266 of 2008
• Law 1581 of 2012
• Regulatory Decree 1727 of 2009
• Regulatory Decree 2952 of 2010
• Partial Regulatory Decree No. 1377 of 2013
• Single Regulatory Decree 1074 of 2015
• External Circular No. 02-2015. Superintendence of Industry and Commerce
• Rulings of the Constitutional Court C-1011 of 2008 and C-748 of 2011.
8. TYPOLOGY OF DATA.
In accordance with applicable regulations, the Company will use the following types of data:
8.1. Sensitive Data
In accordance with what is established in the Definitions section, Sensitive Data is data that affects the privacy of the Owner or whose improper use may generate discrimination, such as data that reveals racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social organizations, human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties as well as data related to health, sexual life and biometric data.
The Company may only process this type of data when:
1. The Owner has given explicit authorization to said Treatment, except in cases where the granting of said authorization is not required by law;
2. The Treatment is necessary to safeguard the vital interest of the Owner and the Owner is physically or legally incapacitated. In these events, the legal representatives must grant their authorization;
3. The Treatment is carried out in the course of legitimate activities and with due guarantees by a foundation, NGO, association or any other non-profit organization, whose purpose is political, philosophical, religious or union, provided that they refer exclusively to its members or to people who maintain regular contacts due to their purpose. In these events, the data cannot be provided to third parties without the authorization of the Owner;
4. The Treatment refers to data that is necessary for the recognition, exercise or defense of a right in a judicial process;
5. The Treatment has a historical, statistical or scientific purpose. In this event, measures must be adopted leading to the deletion of the identity of the Holders.
In any case, and given the nature of this type of data, The Company must comply with the following obligations:
1. Inform the Owner that, since it is sensitive data, he is not obliged to authorize its Treatment.
2. Inform the Owner explicitly and in advance about which of the data that will be subject to Treatment are sensitive and the purpose of the Treatment, as well as obtain their express consent and the general requirements of authorization for the collection of any type of personal data.
8.2. Public Data
In accordance with what is established in the definitions section, public data is data that is not semi-private, private or sensitive. Public data are considered, among others, data relating to the marital status of people, their profession or trade, and their status as a merchant or public servant. Due to its nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins, and duly executed judicial rulings that are not subject to confidentiality.
Whenever data of this nature is involved, the Company may process it, in accordance with current legal requirements.
8.3. Semi-private Data and Private Data
To process this type of data, The Company must have the corresponding authorization from the owner of the information, given its nature. This authorization will be carried out based on what is established in the Constitution and current regulations, as well as what is determined in section 5.4 of this Information Processing Policy Manual.
8.4. Authorization of the Owner
Without prejudice to the exceptions provided for in the law, the Treatment requires the prior and informed authorization of the Owner, which must be obtained by any means that can be subject to subsequent consultation and verification.
In the following cases, the authorization of the Owner is not required:
• When the information is required by a public or administrative entity in the exercise of its legal functions or by court order;
• Regarding data of a public nature;
• In cases of medical or health emergency;
• In cases where information processing is authorized by law for historical, statistical or scientific purposes;
• Regarding data related to the Civil Registry of Persons.
9. RIGHTS OF CHILDREN AND ADOLESCENTS.
When processing data on the rights of children and adolescents, when permitted, the Company must comply with the following requirements and parameters:
1. That the treatment responds to and respects the best interests of the children and adolescents.
2. That respect for their fundamental rights is ensured in the treatment.
3. The Company must have the authorization of the minor’s legal representative.
4. The Company must listen to the minor, respecting in all cases their opinion, which must be valued taking into account their maturity, autonomy and ability to understand the matter.
Now, in order for the Owner to know in which cases it is possible to process the data of children and adolescents, these cases are data of a public nature, which are defined in the section on definitions of this Manual.
10. DUTIES OF TOWER CONSULTING WORLDWIDE S.A.S. AS RESPONSIBLE FOR THE DATA PROCESSING.
When the Company acts as Data Controller, it will have the following obligations:
1. Have prior authorization when provided for in the applicable regulation.
2. Classify the requested data.
3. File and manage the authorization given by the owner.
4. Comply with the principles related to this Policy.
5. Address queries, complaints or claims presented by the owner.
6. Secure the data provided through procedures related to information security.
7. Furthermore, whenever The Company, acting as responsible for the processing of the Owner’s Data, has information that may be subject to modification, verification, rectification, consultation and/or elimination, it must comply with the duties stipulated in article 17 of Law 1581 of 2012.
11. PURPOSES OF DATA PROCESSING.
The Company will process Personal Data for the purposes informed at the time the Personal Data is collected and which are expressly consented to.
That said, it is necessary to mention that the Company is committed to safeguarding the confidentiality of Personal Data in such a way that its privacy and, therefore, its content, is protected under the terms of Colombian law. Personal Data will only be used to:
1. Keep you informed about tax, accounting and legal news.
2. Keep you informed of products and/or services that may interest you from our Company
3. Keep you informed about opening hours and logistical issues regarding the provision of our services.
4. Invite you to the events that our firm holds.
5. Maintain permanent contact with our clients and/or suppliers.
6. Manage all the information necessary to comply with tax obligations and commercial, corporate and accounting records of the company.
7. Comply with the company’s internal processes regarding supplier and contractor management.
8. Provide services in accordance with the particular needs of the Firm’s clients, in order to fulfill the service contracts entered into.
9. Use Personal Data for marketing and/or commercialization of new services or products.
10. Carry out activities for the control and prevention of fraud, money laundering, financing of terrorism and financing of the proliferation of weapons of mass destruction, including, but not limited to, consultation on binding lists, and all the necessary information required to comply with the regulations for the prevention of fraud, money laundering, financing of terrorism, financing of the proliferation of weapons of mass destruction.
11. Use and/or reveal personal information and data, in order to defend the rights and/or property of the company, its clients, website or its users for the detection and prevention of fraud and for the detection, apprehension or prosecution of criminal acts.
12. Allow access to personal data to auditors or third parties hired to execute and carry out internal or external audit processes, typical of the commercial activity carried out by the Company, always within the framework of confidentiality.
13. The process of filing, updating systems, protecting and custody of information and Company Databases.
14. Processes within the Company, for development or operational and/or systems administration purposes.
15. The transmission and transfer of data to third parties with whom contracts have been entered into for this purpose, for commercial, administrative, marketing and/or operational purposes, including, but not limited to, the issuance of cards, personalized certificates and certifications to third parties, in accordance with current legal provisions. In any case, third parties will be bound by the terms of this Policy and the confidentiality of the information.
16. Maintain and process by any means, all types of information related to the client’s business in order to provide the relevant services and products.
17. The other purposes determined by those responsible in processes of obtaining personal data for processing, in order to comply with legal and regulatory obligations, as well as the internal policies of the company and the development of its commercial activity.
12. RIGHTS OF PERSONAL DATA HOLDERS
The Owners of the Information that appear in the Company’s databases may exercise the following rights at any time:
1. Know, update and rectify your personal data before The Company or the Data Processor. This right may be exercised, among others, against partial, inaccurate, incomplete, fragmented, misleading data, or those whose Processing is expressly prohibited or has not been authorized;
2. Request proof of the authorization granted to The Company except when expressly excepted as a requirement for Treatment, in accordance with the provisions of section 5.5.1 of this Policy Manual.
3. Be informed by The Company or the Data Processor, upon request, regarding the use that has been given to your personal data;
4. Go before the Superintendency of Industry and Commerce to file complaints for violations of the provisions of current regulations, provided that the internal complaint or consultation process referred to in this Policy Manual is previously exhausted, which, in accordance with the prescriptions of law, is a requirement of procedure.
5. Revoke the authorization and/or request the deletion of the data when the processing does not respect constitutional and legal principles, rights and guarantees.
6. Be aware that the review of your personal data may be consulted free of charge, under the conditions indicated in this Policy Manual and the law.
7. The right not to be conditioned in any case, for the development of any activity with The Company, to be obliged to provide your sensitive personal data.
The Owner of the Personal Data may limit the use or disclosure thereof, as well as the possibility of canceling the sending of messages through the different means that the Company uses, for which the procedure will be as indicated in this Personal Data Treatment Policy, which can be consulted on the website www.tower-consulting.com
In turn, as mentioned, the Owner of the Personal Data has the right to rectify them if what is recorded there is inaccurate or incomplete and cancel them when they are unnecessary for the purposes for which they were obtained. The mechanisms implemented by the Company in compliance with current regulations to exercise such prerogatives are those indicated in the PERSONAL DATA PROCESSING POLICY, which you will find on the website www.tower-consulting.com. Likewise, if you require more information, please contact the phone number (601) 3828085 or the email comercial@tower-consulting.com
If the Personal Data are those that, in light of current law, are considered sensitive, the Owner has the power to deliver them or refuse to do so.
When accessing our website, files called “Cookies” may be generated, which contain information that is sent to your computer terminal, the content of which could have Personal Data, which is stored. These types of files expire after a certain time; however, the Owner can delete them directly or ask his internet browser to give an alert when he receives this type of file so that he can save, accept or reject it.
Additionally, the Company may disclose Personal Data when required by law or when requested by competent entities in terms of current regulations.
13. AUTHORIZATIONS AND CONSENT.
All information that The Company may collect, store, circulate, use, modify, rectify and/or delete with respect to its owners, must have the express, prior, free and informed consent of the Information Owner.
It will be understood for all purposes that the authorization by the Owner of the information may be recorded in any physical or electronic medium, or any medium or instrument that can be considered in light of current regulations as a data message, which is why the authorization may come from any of the following sources: web pages, emails, phone calls, text messages or any other format that guarantees subsequent consultation. The foregoing is in accordance with the provisions of Law 527 of 1999, as well as the regulations that modify, complement, regulate, repeal or replace it.
Once authorization has been granted by the Owner of the information, based on any of these mechanisms, The Company will guarantee to the Owner of the information the possibility of being able to verify its status at any time.
14. INQUIRIES AND CLAIMS BY THE OWNER
14.1. Procedure for making inquiries
The Owners or their successors may consult the personal information of the Owner that resides in any database owned by The Company. For its part, the Company or Data Processor must provide them with all the information contained in the individual record or that is linked to the identification of the Owner.
The query will be formulated through the means authorized by the Company or Data Processor, as long as proof of this can be maintained.
The query will be answered within a maximum period of ten (10) business days from the date of receipt. When it is not possible to attend to the query within said term, the interested party will be informed, expressing the reasons for the delay and indicating the date on which their query will be attended to, which in no case may exceed five (5) business days following the expiration of the first term.
14.2. Procedure for filing claims
The Owner or his successors who consider that the information contained in a database should be corrected, updated or deleted, may file a claim with The Company or the Data Processor, which will be processed under the following rules:
14.2.1. The claim will be made through a request addressed to The Company or the Data Processor, with the identification of the Owner, a description of the facts giving rise to the claim, the address, and accompanied by the documents the claimant wishes to rely on. If the claim is incomplete, the interested party will be required, within five (5) days following receipt of the claim, to remedy the deficiencies. If two (2) months elapse from the date of the request without the applicant submitting the required information, it will be understood that the claim has been withdrawn.
14.2.2. If the person who receives the claim is not competent to resolve it, they will forward it to the appropriate party within a maximum period of two (2) business days and will inform the interested party of the situation.
14.2.3. Once the complete claim has been received, a legend stating “claim in process” and the reason for it will be included in the database within a period of no more than two (2) business days. Said legend must be maintained until the claim is decided.
14.2.4. The maximum period to address the claim will be fifteen (15) business days counted from the day following the date of its receipt. When it is not possible to address the claim within said period, the interested party will be informed of the reasons for the delay and the date on which the claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.
14.3. Deletion of Information
The Owner of the information may, at any time, request the Company to delete their personal data, provided that:
14.3.1. The processing does not respect constitutional and legal principles, rights and guarantees.
14.3.2. The Superintendence of Industry and Commerce so determines.
14.3.3. Without prejudice to the foregoing, it must be taken into consideration that The Company may only delete the Owner’s information provided that doing so does not lead to a breach of legal rules and/or obligations incumbent upon it under current regulations. That is to say, the Owner’s data may not be deleted whenever:
14.3.4. The Owner of the information has a legal or contractual duty to The Company and the information contained in the database is required for its full compliance.
14.3.5. The deletion of the data by The Company would obstruct the development of judicial investigations to be carried out by the competent authorities.
14.4. Revocation of Authorization
The Information Owner may, at any time, revoke the authorization granted to The Company for the processing of their personal data. For these purposes, The Company will create mechanisms that allow the Information Owner to revoke the authorization granted. These mechanisms must be easily accessible and will be free in the cases established by law.
15. CONTACT AND VALIDITY
The Company will act for all legal purposes as the Data Controller.
For its part, for all those determined in the current regulations and, with the essential purpose of determining the person responsible for the Treatment of the Information that appears in its database, in order to allow the proper exercise of the rights by the Owner of the information, he/she may submit all his/her doubts, clarifications and additional information to the following contact:
Name: María Enuer Chavarro
Telephone: (601) 3828085.
Address: Carrera 7 No. 127- 48 Office 1107.
Email: judicial@tower-consulting.com
This Personal Data Processing Policy of TOWER CONSULTING WORLDWIDE S.A.S. is in force as of July 3, 2024.
16. INFORMATION SECURITY MEASURES
TOWER CONSULTING WORLDWIDE S.A.S. will have mandatory security protocols for all personnel who have access to personal data and information systems. The procedure must consider, at a minimum, the following aspects:
a) Training of personnel entering the organization about the Personal Data Processing Policy and the security mechanisms and protocols for their processing.
b) Scope of application of the procedure with detailed specification of the protected resources.
c) Measures, norms, procedures, rules and standards aimed at guaranteeing the level of security required in Law 1581 of 2012 and Decree 1377 of 2013.
d) Functions and obligations of personnel.
e) Structure of personal databases and description of the information systems that process them.
f) Procedure for notification, management and response to incidents.
g) Procedures for making backup copies and data recovery.
h) Periodic controls that must be carried out to verify compliance with the provisions of the security procedure that is implemented.
i) Measures to be adopted when a support or document is transported, discarded or reused.
j) The procedure must be kept updated at all times and must be reviewed whenever relevant changes occur in the information system or its organization.
k) The content of the procedure must be adapted at all times to the current provisions regarding the security of personal data.
17. MECHANISMS FOR THE OWNER TO KNOW THE INFORMATION PROCESSING POLICY.
At any time, the Owner may access the website www.tower-consulting.com by following the link named “PERSONAL DATA PROCESSING POLICY MANUAL”, or failing that, he/she may request that it be sent to him/her in writing via email by contacting the telephone line 0571 2132500 or requesting it through the email comercial@tower-consulting.com
18. UPDATES TO THE PERSONAL DATA PROCESSING POLICY
The current Personal Data Processing Policy of Tower Consulting Worldwide S.A.S. has had the following versions to date, with version 2 currently being valid on July three (3), two thousand twenty-four (2024).
Version | Date | Changes made
1 | 07/29/2013 | Personal data processing policy manual – original document
2 | 07/03/2024 | Modifications regarding the introduction, object, scope, recipients, applicable legal framework, definitions, principles, purposes of the databases, information security measures, duties and annexes that are an integral part of it.